[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via cfbcfe86c2ccdd308fc6fa3d3245dd6eb5774b0e (commit) from b5bcce5df1951ba2d7dd6a167826a3fe88f1dfd9 (commit) - Log - commit cfbcfe86c2ccdd308fc6fa3d3245dd6eb5774b0e Author: Daniel Date: Wed Feb 9 16:23:46 2022 +0100 Use C locale in Bash scripts. Fixes openssl#17228. Reviewed-by: Matt Caswell Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/17674) (cherry picked from commit bd654f7e98e13c0dc3b5c707880b9a77ba9e342f) --- Summary of changes: dev/release.sh | 4 1 file changed, 4 insertions(+) diff --git a/dev/release.sh b/dev/release.sh index 4b778f3b75..d60779d161 100755 --- a/dev/release.sh +++ b/dev/release.sh @@ -9,6 +9,10 @@ # This is the most shell agnostic way to specify that POSIX rules. POSIXLY_CORRECT=1 +# Force C locale because some commands (like date +%b) relies +# on the current locale. +export LC_ALL=C + usage () { cat <
[openssl] master update
The branch master has been updated via bd654f7e98e13c0dc3b5c707880b9a77ba9e342f (commit) from 8fff986d52606e1a33f9404504535e2e2aee3e8b (commit) - Log - commit bd654f7e98e13c0dc3b5c707880b9a77ba9e342f Author: Daniel Date: Wed Feb 9 16:23:46 2022 +0100 Use C locale in Bash scripts. Fixes openssl#17228. Reviewed-by: Matt Caswell Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/17674) --- Summary of changes: dev/release.sh | 4 1 file changed, 4 insertions(+) diff --git a/dev/release.sh b/dev/release.sh index bb2728e14f..cf184c309c 100755 --- a/dev/release.sh +++ b/dev/release.sh @@ -9,6 +9,10 @@ # This is the most shell agnostic way to specify that POSIX rules. POSIXLY_CORRECT=1 +# Force C locale because some commands (like date +%b) relies +# on the current locale. +export LC_ALL=C + usage () { cat <
Coverity Scan: Analysis completed for openssl/openssl
Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3DWOMk_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeE3IJ2Gpj7qxGG-2BUgjrz0H3fMYpoRMIOeIoeT4zf5coJf3Yh90TZAHcOSN3AFXSFlRiwi3nEVIw7ppsIuugCQ7WrfXRjg1GsYi-2FlZpISdhW2J7FwrPyb7lzSPHc2usQoTNbL9eOPkUq32Qdx1yRkolfc-2FNCwvGw-2FmzxAwf7akHQnbmERP4qdmLopmRPrtsMKDQ-3D Build ID: 437011 Analysis Summary: New defects found: 0 Defects eliminated: 0
[openssl] master update
The branch master has been updated via 8fff986d52606e1a33f9404504535e2e2aee3e8b (commit) from 0c47b8a879c6cd2d553831f930af5ee9df291eca (commit) - Log - commit 8fff986d52606e1a33f9404504535e2e2aee3e8b Author: Bernd Edlinger Date: Fri Jan 14 10:01:29 2022 +0100 Cleanup record length checks for KTLS In some corner cases the check for packets which exceed the allowed record length was missing when KTLS is initially enabled, when some unprocessed packets are still pending. Add at least some tests for KTLS, since we have currently not very much test coverage for KTLS. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/17504) --- Summary of changes: ssl/record/ssl3_record.c | 27 +-- test/recipes/80-test_ssl_old.t | 22 -- test/ssl_old_test.c| 11 +++ 3 files changed, 48 insertions(+), 12 deletions(-) diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c index 86203849a9..5534814305 100644 --- a/ssl/record/ssl3_record.c +++ b/ssl/record/ssl3_record.c @@ -191,7 +191,7 @@ int ssl3_get_record(SSL *s) rr = RECORD_LAYER_get_rrec(>rlayer); rbuf = RECORD_LAYER_get_rbuf(>rlayer); -is_ktls_left = (rbuf->left > 0); +is_ktls_left = (SSL3_BUFFER_get_left(rbuf) > 0); max_recs = s->max_pipelines; if (max_recs == 0) max_recs = 1; @@ -408,7 +408,11 @@ int ssl3_get_record(SSL *s) len -= SSL3_RT_MAX_COMPRESSED_OVERHEAD; #endif -if (thisrr->length > len && !BIO_get_ktls_recv(s->rbio)) { +/* KTLS may use all of the buffer */ +if (BIO_get_ktls_recv(s->rbio) && !is_ktls_left) +len = SSL3_BUFFER_get_left(rbuf); + +if (thisrr->length > len) { SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); return -1; @@ -711,16 +715,27 @@ int ssl3_get_record(SSL *s) goto end; } +/* + * Usually thisrr->length is the length of a single record, but when + * KTLS handles the decryption, thisrr->length may be larger than + * SSL3_RT_MAX_PLAIN_LENGTH because the kernel may have coalesced + * multiple records. + * Therefore we have to rely on KTLS to check the plaintext length + * limit in the kernel. + */ if (thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH -&& !BIO_get_ktls_recv(s->rbio)) { +&& (!BIO_get_ktls_recv(s->rbio) || is_ktls_left)) { SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG); goto end; } -/* If received packet overflows current Max Fragment Length setting */ +/* + * Check if the received packet overflows the current + * Max Fragment Length setting. + * Note: USE_MAX_FRAGMENT_LENGTH_EXT and KTLS are mutually exclusive. + */ if (s->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(s->session) -&& thisrr->length > GET_MAX_FRAGMENT_LENGTH(s->session) -&& !BIO_get_ktls_recv(s->rbio)) { +&& thisrr->length > GET_MAX_FRAGMENT_LENGTH(s->session)) { SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG); goto end; } diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t index b144bc9fb9..c1fb30f6b2 100644 --- a/test/recipes/80-test_ssl_old.t +++ b/test/recipes/80-test_ssl_old.t @@ -346,11 +346,9 @@ sub testssl { } -# plan tests => 11; - subtest 'standard SSL tests' => sub { ## -plan tests => 13; +plan tests => 19; SKIP: { skip "SSLv3 is not supported by this OpenSSL build", 4 @@ -378,7 +376,7 @@ sub testssl { } SKIP: { - skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 8 + skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 14 if $no_anytls; SKIP: { @@ -406,17 +404,29 @@ sub testssl { 'test sslv2/sslv3 with both client and server authentication via BIO pair and app verify'); SKIP: { -skip "No IPv4 available on this machine", 1 +skip "No IPv4 available on this machine", 4 unless !disabled("sock") && have_IPv4(); ok(run(test([@ssltest, "-ipv4"])), 'test TLS via IPv4'); +ok(run(test([@ssltest, "-ipv4", "-client_ktls"])), + 'test TLS via IPv4 + ktls(client)'); +ok(run(test([@ssltest, "-ipv4", "-server_ktls"])), + 'test
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via b5bcce5df1951ba2d7dd6a167826a3fe88f1dfd9 (commit) from fc27d9f3af95aa33e5028c6cef8d56d1c7f17436 (commit) - Log - commit b5bcce5df1951ba2d7dd6a167826a3fe88f1dfd9 Author: Bernd Edlinger Date: Fri Jan 14 10:01:29 2022 +0100 Cleanup record length checks for KTLS In some corner cases the check for packets which exceed the allowed record length was missing when KTLS is initially enabled, when some unprocessed packets are still pending. Add at least some tests for KTLS, since we have currently not very much test coverage for KTLS. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/17504) (cherry picked from commit 8fff986d52606e1a33f9404504535e2e2aee3e8b) --- Summary of changes: ssl/record/ssl3_record.c | 27 +-- test/recipes/80-test_ssl_old.t | 22 -- test/ssl_old_test.c| 11 +++ 3 files changed, 48 insertions(+), 12 deletions(-) diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c index d4101618c6..4229c9c392 100644 --- a/ssl/record/ssl3_record.c +++ b/ssl/record/ssl3_record.c @@ -191,7 +191,7 @@ int ssl3_get_record(SSL *s) rr = RECORD_LAYER_get_rrec(>rlayer); rbuf = RECORD_LAYER_get_rbuf(>rlayer); -is_ktls_left = (rbuf->left > 0); +is_ktls_left = (SSL3_BUFFER_get_left(rbuf) > 0); max_recs = s->max_pipelines; if (max_recs == 0) max_recs = 1; @@ -408,7 +408,11 @@ int ssl3_get_record(SSL *s) len -= SSL3_RT_MAX_COMPRESSED_OVERHEAD; #endif -if (thisrr->length > len && !BIO_get_ktls_recv(s->rbio)) { +/* KTLS may use all of the buffer */ +if (BIO_get_ktls_recv(s->rbio) && !is_ktls_left) +len = SSL3_BUFFER_get_left(rbuf); + +if (thisrr->length > len) { SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); return -1; @@ -711,16 +715,27 @@ int ssl3_get_record(SSL *s) goto end; } +/* + * Usually thisrr->length is the length of a single record, but when + * KTLS handles the decryption, thisrr->length may be larger than + * SSL3_RT_MAX_PLAIN_LENGTH because the kernel may have coalesced + * multiple records. + * Therefore we have to rely on KTLS to check the plaintext length + * limit in the kernel. + */ if (thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH -&& !BIO_get_ktls_recv(s->rbio)) { +&& (!BIO_get_ktls_recv(s->rbio) || is_ktls_left)) { SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG); goto end; } -/* If received packet overflows current Max Fragment Length setting */ +/* + * Check if the received packet overflows the current + * Max Fragment Length setting. + * Note: USE_MAX_FRAGMENT_LENGTH_EXT and KTLS are mutually exclusive. + */ if (s->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(s->session) -&& thisrr->length > GET_MAX_FRAGMENT_LENGTH(s->session) -&& !BIO_get_ktls_recv(s->rbio)) { +&& thisrr->length > GET_MAX_FRAGMENT_LENGTH(s->session)) { SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG); goto end; } diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t index b144bc9fb9..c1fb30f6b2 100644 --- a/test/recipes/80-test_ssl_old.t +++ b/test/recipes/80-test_ssl_old.t @@ -346,11 +346,9 @@ sub testssl { } -# plan tests => 11; - subtest 'standard SSL tests' => sub { ## -plan tests => 13; +plan tests => 19; SKIP: { skip "SSLv3 is not supported by this OpenSSL build", 4 @@ -378,7 +376,7 @@ sub testssl { } SKIP: { - skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 8 + skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 14 if $no_anytls; SKIP: { @@ -406,17 +404,29 @@ sub testssl { 'test sslv2/sslv3 with both client and server authentication via BIO pair and app verify'); SKIP: { -skip "No IPv4 available on this machine", 1 +skip "No IPv4 available on this machine", 4 unless !disabled("sock") && have_IPv4(); ok(run(test([@ssltest, "-ipv4"])), 'test TLS via IPv4'); +ok(run(test([@ssltest, "-ipv4", "-client_ktls"])), + 'test TLS via IPv4 + ktls(client)'); +