Date: Thu, 19 Aug 2021 14:05:05 GMT From: Bernard Spil <brnrd@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 214d5852d425 - main - security/openssl: Update KTLS patches for Chacha20-Poly1305 Message-ID: <202108191405.17JE55Ov050232@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by brnrd: URL: https://cgit.FreeBSD.org/ports/commit/?id=214d5852d425659f89f6de1834b8bc662d7a29a7 commit 214d5852d425659f89f6de1834b8bc662d7a29a7 Author: Bernard Spil <brnrd@FreeBSD.org> AuthorDate: 2021-08-19 14:01:53 +0000 Commit: Bernard Spil <brnrd@FreeBSD.org> CommitDate: 2021-08-19 14:01:53 +0000 security/openssl: Update KTLS patches for Chacha20-Poly1305 This pulls in several upstream KTLS patches from OpenSSL master: * A fix to the return values of BIO_get_ktls_*(). * Support for Chacha20-Poly1305. * Replacing the SSL_MODE_NO_KTLS_* modes which opted-out of KTLS with an opt-in SSL_OP_ENABLE_KTLS. Note that this means that KTLS is not enabled by default. Users can enable KTLS via a custom OpenSSL config file that enables the KTLS option. Reported by: jhb Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D31430 --- security/openssl/Makefile | 2 +- security/openssl/files/extra-patch-ktls | 683 ++++++++++++++++++-------------- 2 files changed, 389 insertions(+), 296 deletions(-) diff --git a/security/openssl/Makefile b/security/openssl/Makefile index ab678c4087b1..ec3e8a967d0f 100644 --- a/security/openssl/Makefile +++ b/security/openssl/Makefile @@ -2,7 +2,7 @@ PORTNAME= openssl PORTVERSION= 1.1.1k -PORTREVISION= 1 +PORTREVISION= 2 PORTEPOCH= 1 CATEGORIES= security devel MASTER_SITES= https://www.openssl.org/source/ \ diff --git a/security/openssl/files/extra-patch-ktls b/security/openssl/files/extra-patch-ktls index 3df11e5b80ba..ce1f6242fd58 100644 --- a/security/openssl/files/extra-patch-ktls +++ b/security/openssl/files/extra-patch-ktls @@ -1,8 +1,8 @@ diff --git CHANGES CHANGES -index 1ab64b35c9..a4a63a9bea 100644 +index 7d0129e687..7f8057bb6f 100644 --- CHANGES +++ CHANGES -@@ -427,6 +427,11 @@ +@@ -471,6 +471,11 @@ necessary to configure just to create a source distribution. [Richard Levitte] @@ -153,7 +153,7 @@ index 335dfabc61..80ef348d92 100644 return sock; } diff --git crypto/bio/bss_conn.c crypto/bio/bss_conn.c -index 807a82b23b..d478644280 100644 +index 807a82b23b..10cf20871c 100644 --- crypto/bio/bss_conn.c +++ crypto/bio/bss_conn.c @@ -11,6 +11,7 @@ @@ -216,9 +216,12 @@ index 807a82b23b..d478644280 100644 data = (BIO_CONNECT *)b->ptr; -@@ -520,6 +541,27 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr) +@@ -518,8 +539,29 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr) + } + break; case BIO_CTRL_EOF: - ret = (b->flags & BIO_FLAGS_IN_EOF) != 0 ? 1 : 0; +- ret = (b->flags & BIO_FLAGS_IN_EOF) != 0 ? 1 : 0; ++ ret = (b->flags & BIO_FLAGS_IN_EOF) != 0; break; +# ifndef OPENSSL_NO_KTLS + case BIO_CTRL_SET_KTLS: @@ -228,9 +231,9 @@ index 807a82b23b..d478644280 100644 + BIO_set_ktls_flag(b, num); + break; + case BIO_CTRL_GET_KTLS_SEND: -+ return BIO_should_ktls_flag(b, 1); ++ return BIO_should_ktls_flag(b, 1) != 0; + case BIO_CTRL_GET_KTLS_RECV: -+ return BIO_should_ktls_flag(b, 0); ++ return BIO_should_ktls_flag(b, 0) != 0; + case BIO_CTRL_SET_KTLS_TX_SEND_CTRL_MSG: + BIO_set_ktls_ctrl_msg_flag(b); + data->record_type = num; @@ -244,8 +247,21 @@ index 807a82b23b..d478644280 100644 default: ret = 0; break; +diff --git crypto/bio/bss_fd.c crypto/bio/bss_fd.c +index ccbe1626ba..8d03e48ce9 100644 +--- crypto/bio/bss_fd.c ++++ crypto/bio/bss_fd.c +@@ -189,7 +189,7 @@ static long fd_ctrl(BIO *b, int cmd, long num, void *ptr) + ret = 1; + break; + case BIO_CTRL_EOF: +- ret = (b->flags & BIO_FLAGS_IN_EOF) != 0 ? 1 : 0; ++ ret = (b->flags & BIO_FLAGS_IN_EOF) != 0; + break; + default: + ret = 0; diff --git crypto/bio/bss_sock.c crypto/bio/bss_sock.c -index 6251f3d46a..a1fc23c7c9 100644 +index 6251f3d46a..8de1f58292 100644 --- crypto/bio/bss_sock.c +++ crypto/bio/bss_sock.c @@ -11,6 +11,7 @@ @@ -321,7 +337,7 @@ index 6251f3d46a..a1fc23c7c9 100644 switch (cmd) { case BIO_C_SET_FD: -@@ -153,6 +183,27 @@ static long sock_ctrl(BIO *b, int cmd, long num, void *ptr) +@@ -153,8 +183,29 @@ static long sock_ctrl(BIO *b, int cmd, long num, void *ptr) case BIO_CTRL_FLUSH: ret = 1; break; @@ -333,9 +349,9 @@ index 6251f3d46a..a1fc23c7c9 100644 + BIO_set_ktls_flag(b, num); + break; + case BIO_CTRL_GET_KTLS_SEND: -+ return BIO_should_ktls_flag(b, 1); ++ return BIO_should_ktls_flag(b, 1) != 0; + case BIO_CTRL_GET_KTLS_RECV: -+ return BIO_should_ktls_flag(b, 0); ++ return BIO_should_ktls_flag(b, 0) != 0; + case BIO_CTRL_SET_KTLS_TX_SEND_CTRL_MSG: + BIO_set_ktls_ctrl_msg_flag(b); + b->ptr = (void *)num; @@ -347,8 +363,11 @@ index 6251f3d46a..a1fc23c7c9 100644 + break; +# endif case BIO_CTRL_EOF: - ret = (b->flags & BIO_FLAGS_IN_EOF) != 0 ? 1 : 0; +- ret = (b->flags & BIO_FLAGS_IN_EOF) != 0 ? 1 : 0; ++ ret = (b->flags & BIO_FLAGS_IN_EOF) != 0; break; + default: + ret = 0; diff --git crypto/err/openssl.txt crypto/err/openssl.txt index 7e1776375d..b22e8a735c 100644 --- crypto/err/openssl.txt @@ -440,41 +459,55 @@ index 2e438c3ce9..31b18b2879 100644 =head1 COPYRIGHT Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. -diff --git doc/man3/SSL_CTX_set_mode.pod doc/man3/SSL_CTX_set_mode.pod -index 85e3353e0e..27eaebad1e 100644 ---- doc/man3/SSL_CTX_set_mode.pod -+++ doc/man3/SSL_CTX_set_mode.pod -@@ -114,6 +114,22 @@ enables this behaviour to allow interoperability with such broken - implementations. Please note that setting this option breaks interoperability - with correct implementations. This option only applies to DTLS over SCTP. - -+=item SSL_MODE_NO_KTLS_TX -+ -+Disable the use of the kernel TLS egress data-path. -+By default kernel TLS is enabled if it is supported by the negotiated ciphersuites -+and extensions and OpenSSL has been compiled with support for it. -+The kernel TLS data-path implements the record layer, -+and the crypto algorithm. The kernel will utilize the best hardware -+available for crypto. Using the kernel data-path should reduce the memory +diff --git doc/man3/SSL_CONF_cmd.pod doc/man3/SSL_CONF_cmd.pod +index 900c4f3a56..a3f447a986 100644 +--- doc/man3/SSL_CONF_cmd.pod ++++ doc/man3/SSL_CONF_cmd.pod +@@ -495,6 +495,10 @@ specification. Some applications may be able to mitigate the replay risks in + other ways and in such cases the built-in OpenSSL functionality is not required. + Disabling anti-replay is equivalent to setting B<SSL_OP_NO_ANTI_REPLAY>. + ++B<KTLS>: Enables kernel TLS if support has been compiled in, and it is supported ++by the negotiated ciphersuites and extensions. Equivalent to ++B<SSL_OP_ENABLE_KTLS>. ++ + =item B<VerifyMode> + + The B<value> argument is a comma separated list of flags to set. +diff --git doc/man3/SSL_CTX_set_options.pod doc/man3/SSL_CTX_set_options.pod +index 969e0366c4..231fe92d8e 100644 +--- doc/man3/SSL_CTX_set_options.pod ++++ doc/man3/SSL_CTX_set_options.pod +@@ -237,6 +237,29 @@ functionality is not required. Those applications can turn this feature off by + setting this option. This is a server-side opton only. It is ignored by + clients. + ++=item SSL_OP_ENABLE_KTLS ++ ++Enable the use of kernel TLS. In order to benefit from kernel TLS OpenSSL must ++have been compiled with support for it, and it must be supported by the ++negotiated ciphersuites and extensions. The specific ciphersuites and extensions ++that are supported may vary by platform and kernel version. ++ ++The kernel TLS data-path implements the record layer, and the encryption ++algorithm. The kernel will utilize the best hardware ++available for encryption. Using the kernel data-path should reduce the memory +footprint of OpenSSL because no buffering is required. Also, the throughput +should improve because data copy is avoided when user data is encrypted into -+kernel memory instead of the usual encrypt than copy to kernel. ++kernel memory instead of the usual encrypt then copy to kernel. + +Kernel TLS might not support all the features of OpenSSL. For instance, +renegotiation, and setting the maximum fragment size is not possible as of +Linux 4.20. ++ ++Note that with kernel TLS enabled some cryptographic operations are performed ++by the kernel directly and not via any available OpenSSL Providers. This might ++be undesirable if, for example, the application requires all cryptographic ++operations to be performed by the FIPS provider. + =back - All modes are off by default except for SSL_MODE_AUTO_RETRY which is on by -@@ -134,6 +150,7 @@ L<SSL_write(3)>, L<SSL_get_error(3)> - =head1 HISTORY - - SSL_MODE_ASYNC was added in OpenSSL 1.1.0. -+SSL_MODE_NO_KTLS_TX was first added to OpenSSL 3.0.0. - - =head1 COPYRIGHT - + The following options no longer have any effect but their identifiers are diff --git doc/man3/SSL_CTX_set_record_padding_callback.pod doc/man3/SSL_CTX_set_record_padding_callback.pod index 13e56f0c57..247a39fc03 100644 --- doc/man3/SSL_CTX_set_record_padding_callback.pod @@ -666,10 +699,10 @@ index c343b27629..521b5fa219 100644 +#endif diff --git include/internal/ktls.h include/internal/ktls.h new file mode 100644 -index 0000000000..622d7be76d +index 0000000000..5f9e3f91ed --- /dev/null +++ include/internal/ktls.h -@@ -0,0 +1,400 @@ +@@ -0,0 +1,407 @@ +/* + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + * @@ -710,12 +743,11 @@ index 0000000000..622d7be76d +# define OPENSSL_KTLS_AES_GCM_128 +# define OPENSSL_KTLS_AES_GCM_256 +# define OPENSSL_KTLS_TLS13 -+ -+/* -+ * Only used by the tests in sslapitest.c. -+ */ -+# define TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE 8 -+# define TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE 8 ++# ifdef TLS_CHACHA20_IV_LEN ++# ifndef OPENSSL_NO_CHACHA ++# define OPENSSL_KTLS_CHACHA20_POLY1305 ++# endif ++# endif + +typedef struct tls_enable ktls_crypto_info_t; + @@ -891,6 +923,11 @@ index 0000000000..622d7be76d +# define OPENSSL_KTLS_TLS13 +# if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 2, 0) +# define OPENSSL_KTLS_AES_CCM_128 ++# if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 11, 0) ++# ifndef OPENSSL_NO_CHACHA ++# define OPENSSL_KTLS_CHACHA20_POLY1305 ++# endif ++# endif +# endif +# endif + @@ -924,6 +961,9 @@ index 0000000000..622d7be76d +# ifdef OPENSSL_KTLS_AES_CCM_128 + struct tls12_crypto_info_aes_ccm_128 ccm128; +# endif ++# ifdef OPENSSL_KTLS_CHACHA20_POLY1305 ++ struct tls12_crypto_info_chacha20_poly1305 chacha20poly1305; ++# endif + }; + size_t tls_crypto_info_len; +}; @@ -1127,32 +1167,21 @@ index a411f3f2f9..60103707d2 100644 /* Padding modes */ #define EVP_PADDING_PKCS7 1 diff --git include/openssl/ssl.h include/openssl/ssl.h -index fd0c5a9996..09620489bc 100644 +index fd0c5a9996..cfb87e6322 100644 --- include/openssl/ssl.h +++ include/openssl/ssl.h -@@ -493,6 +493,10 @@ typedef int (*SSL_verify_cb)(int preverify_ok, X509_STORE_CTX *x509_ctx); - * Support Asynchronous operation - */ - # define SSL_MODE_ASYNC 0x00000100U -+/* -+ * Don't use the kernel TLS data-path for sending. -+ */ -+# define SSL_MODE_NO_KTLS_TX 0x00000200U - - /* - * When using DTLS/SCTP, include the terminating zero in the label -@@ -506,6 +510,10 @@ typedef int (*SSL_verify_cb)(int preverify_ok, X509_STORE_CTX *x509_ctx); - * - OpenSSL 1.1.1 and 1.1.1a - */ - # define SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG 0x00000400U -+/* -+ * Don't use the kernel TLS data-path for receiving. -+ */ -+# define SSL_MODE_NO_KTLS_RX 0x00000800U - - /* Cert related flags */ - /* -@@ -1837,6 +1845,8 @@ __owur int SSL_read_early_data(SSL *s, void *buf, size_t num, +@@ -303,7 +303,9 @@ typedef int (*SSL_verify_cb)(int preverify_ok, X509_STORE_CTX *x509_ctx); + /* Allow initial connection to servers that don't support RI */ + # define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004U + +-/* Reserved value (until OpenSSL 1.2.0) 0x00000008U */ ++/* Enable support for Kernel TLS */ ++# define SSL_OP_ENABLE_KTLS 0x00000008U ++ + # define SSL_OP_TLSEXT_PADDING 0x00000010U + /* Reserved value (until OpenSSL 1.2.0) 0x00000020U */ + # define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x00000040U +@@ -1837,6 +1839,8 @@ __owur int SSL_read_early_data(SSL *s, void *buf, size_t num, size_t *readbytes); __owur int SSL_peek(SSL *ssl, void *buf, int num); __owur int SSL_peek_ex(SSL *ssl, void *buf, size_t num, size_t *readbytes); @@ -1161,7 +1190,7 @@ index fd0c5a9996..09620489bc 100644 __owur int SSL_write(SSL *ssl, const void *buf, int num); __owur int SSL_write_ex(SSL *s, const void *buf, size_t num, size_t *written); __owur int SSL_write_early_data(SSL *s, const void *buf, size_t num, -@@ -2123,7 +2133,7 @@ void SSL_CTX_set_record_padding_callback_arg(SSL_CTX *ctx, void *arg); +@@ -2123,7 +2127,7 @@ void SSL_CTX_set_record_padding_callback_arg(SSL_CTX *ctx, void *arg); void *SSL_CTX_get_record_padding_callback_arg(const SSL_CTX *ctx); int SSL_CTX_set_block_padding(SSL_CTX *ctx, size_t block_size); @@ -1202,10 +1231,10 @@ index bb2f1deb53..1c49ac9aee 100644 +ENDIF diff --git ssl/ktls.c ssl/ktls.c new file mode 100644 -index 0000000000..7123ecac00 +index 0000000000..c7a440b79b --- /dev/null +++ ssl/ktls.c -@@ -0,0 +1,221 @@ +@@ -0,0 +1,251 @@ +/* + * Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved. + * @@ -1245,6 +1274,10 @@ index 0000000000..7123ecac00 + case SSL_AES128GCM: + case SSL_AES256GCM: + return 1; ++# ifdef OPENSSL_KTLS_CHACHA20_POLY1305 ++ case SSL_CHACHA20POLY1305: ++ return 1; ++# endif + case SSL_AES128: + case SSL_AES256: + if (s->ext.use_etm) @@ -1279,6 +1312,12 @@ index 0000000000..7123ecac00 + else + crypto_info->iv_len = EVP_GCM_TLS_FIXED_IV_LEN; + break; ++# ifdef OPENSSL_KTLS_CHACHA20_POLY1305 ++ case SSL_CHACHA20POLY1305: ++ crypto_info->cipher_algorithm = CRYPTO_CHACHA20_POLY1305; ++ crypto_info->iv_len = EVP_CIPHER_CTX_iv_length(dd); ++ break; ++# endif + case SSL_AES128: + case SSL_AES256: + switch (s->s3->tmp.new_cipher->algorithm_mac) { @@ -1334,7 +1373,9 @@ index 0000000000..7123ecac00 + return 0; + } + -+ /* check that cipher is AES_GCM_128, AES_GCM_256, AES_CCM_128 */ ++ /* check that cipher is AES_GCM_128, AES_GCM_256, AES_CCM_128 ++ * or Chacha20-Poly1305 ++ */ + switch (EVP_CIPHER_nid(c)) + { +# ifdef OPENSSL_KTLS_AES_CCM_128 @@ -1343,11 +1384,15 @@ index 0000000000..7123ecac00 + return 0; +# endif +# ifdef OPENSSL_KTLS_AES_GCM_128 ++ /* Fall through */ + case NID_aes_128_gcm: +# endif +# ifdef OPENSSL_KTLS_AES_GCM_256 + case NID_aes_256_gcm: +# endif ++# ifdef OPENSSL_KTLS_CHACHA20_POLY1305 ++ case NID_chacha20_poly1305: ++# endif + return 1; + default: + return 0; @@ -1420,6 +1465,20 @@ index 0000000000..7123ecac00 + *rec_seq = crypto_info->ccm128.rec_seq; + return 1; +# endif ++# ifdef OPENSSL_KTLS_CHACHA20_POLY1305 ++ case NID_chacha20_poly1305: ++ crypto_info->chacha20poly1305.info.cipher_type = TLS_CIPHER_CHACHA20_POLY1305; ++ crypto_info->chacha20poly1305.info.version = s->version; ++ crypto_info->tls_crypto_info_len = sizeof(crypto_info->chacha20poly1305); ++ memcpy(crypto_info->chacha20poly1305.iv, iiv, ++ TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE); ++ memcpy(crypto_info->chacha20poly1305.key, key, EVP_CIPHER_key_length(c)); ++ memcpy(crypto_info->chacha20poly1305.rec_seq, rl_sequence, ++ TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE); ++ if (rec_seq != NULL) ++ *rec_seq = crypto_info->chacha20poly1305.rec_seq; ++ return 1; ++# endif + default: + return 0; + } @@ -1567,21 +1626,21 @@ index b2a7a47eb0..f53c402006 100644 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); goto err; -- } -- -- /* Get a pointer to the start of this record excluding header */ -- recordstart = WPACKET_get_curr(thispkt) - len; + } - -- SSL3_RECORD_set_data(thiswr, recordstart); -- SSL3_RECORD_reset_input(thiswr); -- SSL3_RECORD_set_length(thiswr, len); ++ + /* Get a pointer to the start of this record excluding header */ + recordstart = WPACKET_get_curr(thispkt) - len; + SSL3_RECORD_set_data(thiswr, recordstart); + SSL3_RECORD_reset_input(thiswr); + SSL3_RECORD_set_length(thiswr, len); -+ } + } +- +- /* Get a pointer to the start of this record excluding header */ +- recordstart = WPACKET_get_curr(thispkt) - len; +- +- SSL3_RECORD_set_data(thiswr, recordstart); +- SSL3_RECORD_reset_input(thiswr); +- SSL3_RECORD_set_length(thiswr, len); } if (s->statem.enc_write_state == ENC_WRITE_STATE_WRITE_PLAIN_ALERTS) { @@ -1890,6 +1949,20 @@ index ab5d22aa10..3d747db64b 100644 SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD, SSL_R_DATA_LENGTH_TOO_LONG); return -1; +diff --git ssl/ssl_conf.c ssl/ssl_conf.c +index 0a3fef7c8c..8013c62f07 100644 +--- ssl/ssl_conf.c ++++ ssl/ssl_conf.c +@@ -391,7 +391,8 @@ static int cmd_Options(SSL_CONF_CTX *cctx, const char *value) + SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX), + SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA), + SSL_FLAG_TBL("MiddleboxCompat", SSL_OP_ENABLE_MIDDLEBOX_COMPAT), +- SSL_FLAG_TBL_INV("AntiReplay", SSL_OP_NO_ANTI_REPLAY) ++ SSL_FLAG_TBL_INV("AntiReplay", SSL_OP_NO_ANTI_REPLAY), ++ SSL_FLAG_TBL("KTLS", SSL_OP_ENABLE_KTLS) + }; + if (value == NULL) + return -3; diff --git ssl/ssl_err.c ssl/ssl_err.c index 4b12ed1485..0561678c33 100644 --- ssl/ssl_err.c @@ -1903,7 +1976,7 @@ index 4b12ed1485..0561678c33 100644 {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SESSION_NEW, 0), "SSL_SESSION_new"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SESSION_PRINT_FP, 0), diff --git ssl/ssl_lib.c ssl/ssl_lib.c -index 98057921f8..382f4b6d7b 100644 +index 58f8f3c14c..3fc6549c80 100644 --- ssl/ssl_lib.c +++ ssl/ssl_lib.c @@ -11,6 +11,7 @@ @@ -1922,7 +1995,7 @@ index 98057921f8..382f4b6d7b 100644 const char SSL_version_str[] = OPENSSL_VERSION_TEXT; -@@ -1153,11 +1155,15 @@ void SSL_free(SSL *s) +@@ -1159,11 +1161,15 @@ void SSL_free(SSL *s) dane_final(&s->dane); CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data); @@ -1938,7 +2011,7 @@ index 98057921f8..382f4b6d7b 100644 BUF_MEM_free(s->init_buf); -@@ -1214,8 +1220,6 @@ void SSL_free(SSL *s) +@@ -1220,8 +1226,6 @@ void SSL_free(SSL *s) if (s->method != NULL) s->method->ssl_free(s); @@ -1947,7 +2020,7 @@ index 98057921f8..382f4b6d7b 100644 SSL_CTX_free(s->ctx); ASYNC_WAIT_CTX_free(s->waitctx); -@@ -1355,6 +1359,15 @@ int SSL_set_fd(SSL *s, int fd) +@@ -1361,6 +1365,15 @@ int SSL_set_fd(SSL *s, int fd) } BIO_set_fd(bio, fd, BIO_NOCLOSE); SSL_set_bio(s, bio, bio); @@ -1963,7 +2036,7 @@ index 98057921f8..382f4b6d7b 100644 ret = 1; err: return ret; -@@ -1374,6 +1387,15 @@ int SSL_set_wfd(SSL *s, int fd) +@@ -1380,6 +1393,15 @@ int SSL_set_wfd(SSL *s, int fd) } BIO_set_fd(bio, fd, BIO_NOCLOSE); SSL_set0_wbio(s, bio); @@ -1979,7 +2052,7 @@ index 98057921f8..382f4b6d7b 100644 } else { BIO_up_ref(rbio); SSL_set0_wbio(s, rbio); -@@ -1955,6 +1977,69 @@ int ssl_write_internal(SSL *s, const void *buf, size_t num, size_t *written) +@@ -1961,6 +1983,69 @@ int ssl_write_internal(SSL *s, const void *buf, size_t num, size_t *written) } } @@ -2049,7 +2122,7 @@ index 98057921f8..382f4b6d7b 100644 int SSL_write(SSL *s, const void *buf, int num) { int ret; -@@ -2199,6 +2284,10 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg) +@@ -2205,6 +2290,10 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_SET_MAX_SEND_FRAGMENT: if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH) return 0; @@ -2060,7 +2133,7 @@ index 98057921f8..382f4b6d7b 100644 s->max_send_fragment = larg; if (s->max_send_fragment < s->split_send_fragment) s->split_send_fragment = s->max_send_fragment; -@@ -4417,11 +4506,18 @@ int SSL_CTX_set_block_padding(SSL_CTX *ctx, size_t block_size) +@@ -4425,11 +4514,18 @@ int SSL_CTX_set_block_padding(SSL_CTX *ctx, size_t block_size) return 1; } @@ -2113,7 +2186,7 @@ index 8c3542a542..c10e7d52ce 100644 __owur char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx); __owur int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, diff --git ssl/t1_enc.c ssl/t1_enc.c -index c85c0b0310..d461421068 100644 +index c85c0b0310..7d2eb381af 100644 --- ssl/t1_enc.c +++ ssl/t1_enc.c @@ -10,10 +10,14 @@ @@ -2190,16 +2263,12 @@ index c85c0b0310..d461421068 100644 c = s->s3->tmp.new_sym_enc; m = s->s3->tmp.new_hash; -@@ -312,6 +361,85 @@ int tls1_change_cipher_state(SSL *s, int which) +@@ -312,6 +361,81 @@ int tls1_change_cipher_state(SSL *s, int which) ERR_R_INTERNAL_ERROR); goto err; } +#ifndef OPENSSL_NO_KTLS -+ if (s->compress) -+ goto skip_ktls; -+ -+ if (((which & SSL3_CC_READ) && (s->mode & SSL_MODE_NO_KTLS_RX)) -+ || ((which & SSL3_CC_WRITE) && (s->mode & SSL_MODE_NO_KTLS_TX))) ++ if (s->compress || (s->options & SSL_OP_ENABLE_KTLS) == 0) + goto skip_ktls; + + /* ktls supports only the maximum fragment size */ @@ -2277,7 +2346,7 @@ index c85c0b0310..d461421068 100644 #ifdef SSL_DEBUG diff --git ssl/tls13_enc.c ssl/tls13_enc.c -index b8fb07f210..d9f050ee34 100644 +index b8fb07f210..39530237d8 100644 --- ssl/tls13_enc.c +++ ssl/tls13_enc.c @@ -9,6 +9,8 @@ @@ -2386,14 +2455,15 @@ index b8fb07f210..d9f050ee34 100644 /* SSLfatal() already called */ goto err; } -@@ -714,8 +722,51 @@ int tls13_change_cipher_state(SSL *s, int which) +@@ -714,8 +722,52 @@ int tls13_change_cipher_state(SSL *s, int which) s->statem.enc_write_state = ENC_WRITE_STATE_WRITE_PLAIN_ALERTS; else s->statem.enc_write_state = ENC_WRITE_STATE_VALID; +#ifndef OPENSSL_NO_KTLS +# if defined(OPENSSL_KTLS_TLS13) -+ if (!(which & SSL3_CC_WRITE) || !(which & SSL3_CC_APPLICATION) -+ || ((which & SSL3_CC_WRITE) && (s->mode & SSL_MODE_NO_KTLS_TX))) ++ if (!(which & SSL3_CC_WRITE) ++ || !(which & SSL3_CC_APPLICATION) ++ || (s->options & SSL_OP_ENABLE_KTLS) == 0) + goto skip_ktls; + + /* ktls supports only the maximum fragment size */ @@ -2438,7 +2508,7 @@ index b8fb07f210..d9f050ee34 100644 OPENSSL_cleanse(secret, sizeof(secret)); return ret; } -@@ -729,6 +780,7 @@ int tls13_update_key(SSL *s, int sending) +@@ -729,6 +781,7 @@ int tls13_update_key(SSL *s, int sending) #endif const EVP_MD *md = ssl_handshake_md(s); size_t hashlen = EVP_MD_size(md); @@ -2446,7 +2516,7 @@ index b8fb07f210..d9f050ee34 100644 unsigned char *insecret, *iv; unsigned char secret[EVP_MAX_MD_SIZE]; EVP_CIPHER_CTX *ciph_ctx; -@@ -753,8 +805,8 @@ int tls13_update_key(SSL *s, int sending) +@@ -753,8 +806,8 @@ int tls13_update_key(SSL *s, int sending) if (!derive_secret_key_and_iv(s, sending, ssl_handshake_md(s), s->s3->tmp.new_sym_enc, insecret, NULL, application_traffic, @@ -2457,7 +2527,7 @@ index b8fb07f210..d9f050ee34 100644 /* SSLfatal() already called */ goto err; } -@@ -764,6 +816,7 @@ int tls13_update_key(SSL *s, int sending) +@@ -764,6 +817,7 @@ int tls13_update_key(SSL *s, int sending) s->statem.enc_write_state = ENC_WRITE_STATE_VALID; ret = 1; err: @@ -2492,7 +2562,7 @@ index 5490885309..3478e540ed 100644 plan tests => 1; diff --git test/sslapitest.c test/sslapitest.c -index 4a27ee1ba2..f846bcb4ee 100644 +index 4a27ee1ba2..1388219551 100644 --- test/sslapitest.c +++ test/sslapitest.c @@ -7,6 +7,7 @@ @@ -2517,13 +2587,12 @@ index 4a27ee1ba2..f846bcb4ee 100644 #include "../ssl/ssl_local.h" #ifndef OPENSSL_NO_TLS1_3 -@@ -779,6 +782,409 @@ static int execute_test_large_message(const SSL_METHOD *smeth, +@@ -779,6 +782,433 @@ static int execute_test_large_message(const SSL_METHOD *smeth, return testresult; } +#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \ + !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_TLS1_2)) -+#define TLS_CIPHER_MAX_REC_SEQ_SIZE 8 +/* sock must be connected */ +static int ktls_chk_platform(int sock) +{ @@ -2532,26 +2601,26 @@ index 4a27ee1ba2..f846bcb4ee 100644 + return 1; +} + -+static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd, int rec_seq_size) ++static int ping_pong_query(SSL *clientssl, SSL *serverssl) +{ + static char count = 1; + unsigned char cbuf[16000] = {0}; + unsigned char sbuf[16000]; + size_t err = 0; -+ char crec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE]; -+ char crec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE]; -+ char crec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE]; -+ char crec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE]; -+ char srec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE]; -+ char srec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE]; -+ char srec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE]; -+ char srec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE]; ++ char crec_wseq_before[SEQ_NUM_SIZE]; ++ char crec_wseq_after[SEQ_NUM_SIZE]; ++ char crec_rseq_before[SEQ_NUM_SIZE]; ++ char crec_rseq_after[SEQ_NUM_SIZE]; ++ char srec_wseq_before[SEQ_NUM_SIZE]; ++ char srec_wseq_after[SEQ_NUM_SIZE]; ++ char srec_rseq_before[SEQ_NUM_SIZE]; ++ char srec_rseq_after[SEQ_NUM_SIZE]; + + cbuf[0] = count++; -+ memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, rec_seq_size); -+ memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, rec_seq_size); -+ memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, rec_seq_size); -+ memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, rec_seq_size); ++ memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE); ++ memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE); ++ memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE); ++ memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE); + + if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf))) + goto end; @@ -2571,53 +2640,56 @@ index 4a27ee1ba2..f846bcb4ee 100644 + } + } + -+ memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, rec_seq_size); -+ memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, rec_seq_size); -+ memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, rec_seq_size); -+ memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, rec_seq_size); ++ memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE); ++ memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE); ++ memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE); ++ memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE); + + /* verify the payload */ + if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf))) + goto end; + -+ /* ktls is used then kernel sequences are used instead of OpenSSL sequences */ -+ if (clientssl->mode & SSL_MODE_NO_KTLS_TX) { -+ if (!TEST_mem_ne(crec_wseq_before, rec_seq_size, -+ crec_wseq_after, rec_seq_size)) ++ /* ++ * If ktls is used then kernel sequences are used instead of ++ * OpenSSL sequences ++ */ ++ if (!BIO_get_ktls_send(clientssl->wbio)) { ++ if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE, ++ crec_wseq_after, SEQ_NUM_SIZE)) + goto end; + } else { -+ if (!TEST_mem_eq(crec_wseq_before, rec_seq_size, -+ crec_wseq_after, rec_seq_size)) ++ if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE, ++ crec_wseq_after, SEQ_NUM_SIZE)) + goto end; + } + -+ if (serverssl->mode & SSL_MODE_NO_KTLS_TX) { -+ if (!TEST_mem_ne(srec_wseq_before, rec_seq_size, -+ srec_wseq_after, rec_seq_size)) ++ if (!BIO_get_ktls_send(serverssl->wbio)) { ++ if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE, ++ srec_wseq_after, SEQ_NUM_SIZE)) + goto end; + } else { -+ if (!TEST_mem_eq(srec_wseq_before, rec_seq_size, -+ srec_wseq_after, rec_seq_size)) ++ if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE, ++ srec_wseq_after, SEQ_NUM_SIZE)) + goto end; + } + -+ if (clientssl->mode & SSL_MODE_NO_KTLS_RX) { -+ if (!TEST_mem_ne(crec_rseq_before, rec_seq_size, -+ crec_rseq_after, rec_seq_size)) ++ if (!BIO_get_ktls_recv(clientssl->wbio)) { ++ if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE, ++ crec_rseq_after, SEQ_NUM_SIZE)) + goto end; + } else { -+ if (!TEST_mem_eq(crec_rseq_before, rec_seq_size, -+ crec_rseq_after, rec_seq_size)) ++ if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE, ++ crec_rseq_after, SEQ_NUM_SIZE)) + goto end; + } + -+ if (serverssl->mode & SSL_MODE_NO_KTLS_RX) { -+ if (!TEST_mem_ne(srec_rseq_before, rec_seq_size, -+ srec_rseq_after, rec_seq_size)) ++ if (!BIO_get_ktls_recv(serverssl->wbio)) { ++ if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE, ++ srec_rseq_after, SEQ_NUM_SIZE)) + goto end; + } else { -+ if (!TEST_mem_eq(srec_rseq_before, rec_seq_size, -+ srec_rseq_after, rec_seq_size)) ++ if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE, ++ srec_rseq_after, SEQ_NUM_SIZE)) + goto end; + } + @@ -2626,92 +2698,110 @@ index 4a27ee1ba2..f846bcb4ee 100644 + return 0; +} + -+static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx, -+ int sis_ktls_tx, int sis_ktls_rx, -+ int tls_version, const char *cipher, -+ int rec_seq_size) ++static int execute_test_ktls(int cis_ktls, int sis_ktls, ++ int tls_version, const char *cipher) +{ + SSL_CTX *cctx = NULL, *sctx = NULL; + SSL *clientssl = NULL, *serverssl = NULL; -+ int testresult = 0; -+ int cfd, sfd; ++ int ktls_used = 0, testresult = 0; ++ int cfd = -1, sfd = -1; ++ int rx_supported; + + if (!TEST_true(create_test_sockets(&cfd, &sfd))) + goto end; + + /* Skip this test if the platform does not support ktls */ -+ if (!ktls_chk_platform(cfd)) -+ return 1; ++ if (!ktls_chk_platform(cfd)) { ++ TEST_info("Kernel does not support KTLS"); ++ testresult = 1; ++ goto end; ++ } + + /* Create a session based on SHA-256 */ + if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), + TLS_client_method(), + tls_version, tls_version, -+ &sctx, &cctx, cert, privkey)) -+ || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher)) -+ || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)) -+ || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl, -+ &clientssl, sfd, cfd))) ++ &sctx, &cctx, cert, privkey))) + goto end; + -+ if (!cis_ktls_tx) { -+ if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX))) ++ if (tls_version == TLS1_3_VERSION) { ++ if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher)) ++ || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher))) + goto end; -+ } -+ -+ if (!sis_ktls_tx) { -+ if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX))) ++ } else { ++ if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher)) ++ || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher))) + goto end; + } + -+ if (!cis_ktls_rx) { -+ if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX))) ++ if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl, ++ &clientssl, sfd, cfd))) ++ goto end; ++ ++ if (cis_ktls) { ++ if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS))) + goto end; + } + -+ if (!sis_ktls_rx) { -+ if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX))) ++ if (sis_ktls) { ++ if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS))) + goto end; + } + -+ if (!TEST_true(create_ssl_connection(serverssl, clientssl, -+ SSL_ERROR_NONE))) ++ if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) + goto end; + -+ if (!cis_ktls_tx) { ++ /* ++ * The running kernel may not support a given cipher suite ++ * or direction, so just check that KTLS isn't used when it ++ * isn't enabled. ++ */ ++ if (!cis_ktls) { + if (!TEST_false(BIO_get_ktls_send(clientssl->wbio))) + goto end; + } else { -+ if (!TEST_true(BIO_get_ktls_send(clientssl->wbio))) -+ goto end; ++ if (BIO_get_ktls_send(clientssl->wbio)) ++ ktls_used = 1; + } + -+ if (!sis_ktls_tx) { ++ if (!sis_ktls) { + if (!TEST_false(BIO_get_ktls_send(serverssl->wbio))) + goto end; + } else { -+ if (!TEST_true(BIO_get_ktls_send(serverssl->wbio))) -+ goto end; ++ if (BIO_get_ktls_send(serverssl->wbio)) ++ ktls_used = 1; + } + -+ if (!cis_ktls_rx) { ++#if defined(OPENSSL_NO_KTLS_RX) ++ rx_supported = 0; ++#else ++ rx_supported = (tls_version != TLS1_3_VERSION); ++#endif ++ if (!cis_ktls || !rx_supported) { + if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio))) + goto end; + } else { -+ if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio))) -+ goto end; ++ if (BIO_get_ktls_send(clientssl->rbio)) ++ ktls_used = 1; + } + -+ if (!sis_ktls_rx) { ++ if (!sis_ktls || !rx_supported) { + if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio))) + goto end; + } else { -+ if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio))) -+ goto end; ++ if (BIO_get_ktls_send(serverssl->rbio)) ++ ktls_used = 1; + } + -+ if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd, -+ rec_seq_size))) ++ if ((cis_ktls || sis_ktls) && !ktls_used) { ++ TEST_info("KTLS not supported for %s cipher %s", ++ tls_version == TLS1_3_VERSION ? "TLS 1.3" : ++ "TLS 1.2", cipher); ++ testresult = 1; ++ goto end; ++ } ++ ++ if (!TEST_true(ping_pong_query(clientssl, serverssl))) + goto end; + + testresult = 1; @@ -2727,6 +2817,10 @@ index 4a27ee1ba2..f846bcb4ee 100644 + SSL_CTX_free(sctx); + SSL_CTX_free(cctx); + serverssl = clientssl = NULL; ++ if (cfd != -1) ++ close(cfd); ++ if (sfd != -1) ++ close(sfd); + return testresult; +} + @@ -2734,13 +2828,13 @@ index 4a27ee1ba2..f846bcb4ee 100644 +#define SENDFILE_CHUNK (4 * 4096) +#define min(a,b) ((a) > (b) ? (b) : (a)) + -+static int test_ktls_sendfile(int tls_version, const char *cipher) ++static int execute_test_ktls_sendfile(int tls_version, const char *cipher) +{ + SSL_CTX *cctx = NULL, *sctx = NULL; + SSL *clientssl = NULL, *serverssl = NULL; + unsigned char *buf, *buf_dst; + BIO *out = NULL, *in = NULL; -+ int cfd, sfd, ffd, err; ++ int cfd = -1, sfd = -1, ffd, err; + ssize_t chunk_size = 0; + off_t chunk_off = 0; + int testresult = 0; @@ -2754,6 +2848,7 @@ index 4a27ee1ba2..f846bcb4ee 100644 + + /* Skip this test if the platform does not support ktls */ + if (!ktls_chk_platform(sfd)) { ++ TEST_info("Kernel does not support KTLS"); + testresult = 1; + goto end; + } @@ -2762,19 +2857,40 @@ index 4a27ee1ba2..f846bcb4ee 100644 + if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), + TLS_client_method(), + tls_version, tls_version, -+ &sctx, &cctx, cert, privkey)) -+ || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher)) -+ || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)) -+ || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl, -+ &clientssl, sfd, cfd))) ++ &sctx, &cctx, cert, privkey))) ++ goto end; ++ ++ if (tls_version == TLS1_3_VERSION) { ++ if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher)) ++ || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher))) ++ goto end; ++ } else { ++ if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher)) ++ || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher))) ++ goto end; ++ } ++ ++ if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl, ++ &clientssl, sfd, cfd))) *** 284 LINES SKIPPED ***
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202108191405.17JE55Ov050232>