[openssl-commits] [openssl] master update
Richard Levitte
levitte at openssl.org
Fri Apr 28 13:50:46 UTC 2017
The branch master has been updated
via 36b2cfb191f4a3f3a49b7c4d865308b7021daa42 (commit)
via 67887855af3bfbf3f44b246aa83db6faeddae886 (commit)
via 28e5ea88a8fe93aa6dd023a5abd54f01c1ad6450 (commit)
from 9ff2cebf29d30397b3b67603000f67ee429c700b (commit)
- Log -----------------------------------------------------------------
commit 36b2cfb191f4a3f3a49b7c4d865308b7021daa42
Author: FdaSilvaYY <fdasilvayy at gmail.com>
Date: Fri Apr 7 19:15:38 2017 +0200
Add checks on return code when applying some settings.
Remove hardcoded bound checkings.
Reviewed-by: Andy Polyakov <appro at openssl.org>
Reviewed-by: Rich Salz <rsalz at openssl.org>
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3141)
commit 67887855af3bfbf3f44b246aa83db6faeddae886
Author: FdaSilvaYY <fdasilvayy at gmail.com>
Date: Fri Apr 7 09:02:06 2017 +0200
Output prog name within error message
Reviewed-by: Andy Polyakov <appro at openssl.org>
Reviewed-by: Rich Salz <rsalz at openssl.org>
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3141)
commit 28e5ea88a8fe93aa6dd023a5abd54f01c1ad6450
Author: FdaSilvaYY <fdasilvayy at gmail.com>
Date: Thu Apr 6 23:47:18 2017 +0200
Add a 'max_send_frag' option to configure maximum size of send fragments
Reviewed-by: Andy Polyakov <appro at openssl.org>
Reviewed-by: Rich Salz <rsalz at openssl.org>
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3141)
-----------------------------------------------------------------------
Summary of changes:
apps/s_client.c | 61 ++++++++++++++++++++++++++-------------------------
apps/s_server.c | 53 +++++++++++++++++++++++---------------------
doc/man1/s_client.pod | 11 ++++++++--
doc/man1/s_server.pod | 11 ++++++++--
4 files changed, 77 insertions(+), 59 deletions(-)
diff --git a/apps/s_client.c b/apps/s_client.c
index d018268..6cb2e73 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -540,13 +540,12 @@ typedef enum OPTION_choice {
OPT_SSL3, OPT_SSL_CONFIG,
OPT_TLS1_3, OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1,
OPT_DTLS1_2, OPT_SCTP, OPT_TIMEOUT, OPT_MTU, OPT_KEYFORM, OPT_PASS,
- OPT_CERT_CHAIN, OPT_CAPATH, OPT_NOCAPATH, OPT_CHAINCAPATH,
- OPT_VERIFYCAPATH,
+ OPT_CERT_CHAIN, OPT_CAPATH, OPT_NOCAPATH, OPT_CHAINCAPATH, OPT_VERIFYCAPATH,
OPT_KEY, OPT_RECONNECT, OPT_BUILD_CHAIN, OPT_CAFILE, OPT_NOCAFILE,
OPT_CHAINCAFILE, OPT_VERIFYCAFILE, OPT_NEXTPROTONEG, OPT_ALPN,
- OPT_SERVERINFO, OPT_STARTTLS, OPT_SERVERNAME, OPT_NOSERVERNAME,
+ OPT_SERVERINFO, OPT_STARTTLS, OPT_SERVERNAME, OPT_NOSERVERNAME, OPT_ASYNC,
OPT_USE_SRTP, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN, OPT_SMTPHOST,
- OPT_ASYNC, OPT_SPLIT_SEND_FRAG, OPT_MAX_PIPELINES, OPT_READ_BUF,
+ OPT_MAX_SEND_FRAG, OPT_SPLIT_SEND_FRAG, OPT_MAX_PIPELINES, OPT_READ_BUF,
OPT_KEYLOG_FILE, OPT_EARLY_DATA, OPT_REQCAFILE,
OPT_V_ENUM,
OPT_X_ENUM,
@@ -665,11 +664,12 @@ const OPTIONS s_client_options[] = {
"Enable ALPN extension, considering named protocols supported (comma-separated list)"},
{"async", OPT_ASYNC, '-', "Support asynchronous operation"},
{"ssl_config", OPT_SSL_CONFIG, 's', "Use specified configuration file"},
- {"split_send_frag", OPT_SPLIT_SEND_FRAG, 'n',
+ {"max_send_frag", OPT_MAX_SEND_FRAG, 'p', "Maximum Size of send frames "},
+ {"split_send_frag", OPT_SPLIT_SEND_FRAG, 'p',
"Size used to split data for encrypt pipelines"},
- {"max_pipelines", OPT_MAX_PIPELINES, 'n',
+ {"max_pipelines", OPT_MAX_PIPELINES, 'p',
"Maximum number of encrypt/decrypt pipelines to be used"},
- {"read_buf", OPT_READ_BUF, 'n',
+ {"read_buf", OPT_READ_BUF, 'p',
"Default read buffer size to be used for connections"},
OPT_S_OPTIONS,
OPT_V_OPTIONS,
@@ -895,8 +895,8 @@ int s_client_main(int argc, char **argv)
#endif
int min_version = 0, max_version = 0, prot_opt = 0, no_prot_opt = 0;
int async = 0;
- unsigned int split_send_fragment = 0;
- unsigned int max_pipelines = 0;
+ unsigned int max_send_fragment = 0;
+ unsigned int split_send_fragment = 0, max_pipelines = 0;
enum { use_inet, use_unix, use_unknown } connect_type = use_unknown;
int count4or6 = 0;
int c_nbio = 0, c_msg = 0, c_ign_eof = 0, c_brief = 0;
@@ -1379,15 +1379,11 @@ int s_client_main(int argc, char **argv)
case OPT_ASYNC:
async = 1;
break;
+ case OPT_MAX_SEND_FRAG:
+ max_send_fragment = atoi(opt_arg());
+ break;
case OPT_SPLIT_SEND_FRAG:
split_send_fragment = atoi(opt_arg());
- if (split_send_fragment == 0) {
- /*
- * Not allowed - set to a deliberately bad value so we get an
- * error message below
- */
- split_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH + 1;
- }
break;
case OPT_MAX_PIPELINES:
max_pipelines = atoi(opt_arg());
@@ -1477,16 +1473,6 @@ int s_client_main(int argc, char **argv)
}
#endif
- if (split_send_fragment > SSL3_RT_MAX_PLAIN_LENGTH) {
- BIO_printf(bio_err, "Bad split send fragment size\n");
- goto end;
- }
-
- if (max_pipelines > SSL_MAX_PIPELINES) {
- BIO_printf(bio_err, "Bad max pipelines value\n");
- goto end;
- }
-
#if !defined(OPENSSL_NO_NEXTPROTONEG)
next_proto.status = -1;
if (next_proto_neg_in) {
@@ -1608,11 +1594,26 @@ int s_client_main(int argc, char **argv)
if (async) {
SSL_CTX_set_mode(ctx, SSL_MODE_ASYNC);
}
- if (split_send_fragment > 0) {
- SSL_CTX_set_split_send_fragment(ctx, split_send_fragment);
+
+ if (max_send_fragment > 0
+ && !SSL_CTX_set_max_send_fragment(ctx, max_send_fragment)) {
+ BIO_printf(bio_err, "%s: Max send fragment size %u is out of permitted range\n",
+ prog, max_send_fragment);
+ goto end;
+ }
+
+ if (split_send_fragment > 0
+ && !SSL_CTX_set_split_send_fragment(ctx, split_send_fragment)) {
+ BIO_printf(bio_err, "%s: Split send fragment size %u is out of permitted range\n",
+ prog, split_send_fragment);
+ goto end;
}
- if (max_pipelines > 0) {
- SSL_CTX_set_max_pipelines(ctx, max_pipelines);
+
+ if (max_pipelines > 0
+ && !SSL_CTX_set_max_pipelines(ctx, max_pipelines)) {
+ BIO_printf(bio_err, "%s: Max pipelines %u is out of permitted range\n",
+ prog, max_pipelines);
+ goto end;
}
if (read_buf_len > 0) {
diff --git a/apps/s_server.c b/apps/s_server.c
index 4631663..e597ecb 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -717,7 +717,8 @@ typedef enum OPTION_choice {
OPT_CRLF, OPT_QUIET, OPT_BRIEF, OPT_NO_DHE,
OPT_NO_RESUME_EPHEMERAL, OPT_PSK_HINT, OPT_PSK, OPT_SRPVFILE,
OPT_SRPUSERSEED, OPT_REV, OPT_WWW, OPT_UPPER_WWW, OPT_HTTP, OPT_ASYNC,
- OPT_SSL_CONFIG, OPT_SPLIT_SEND_FRAG, OPT_MAX_PIPELINES, OPT_READ_BUF,
+ OPT_SSL_CONFIG,
+ OPT_MAX_SEND_FRAG, OPT_SPLIT_SEND_FRAG, OPT_MAX_PIPELINES, OPT_READ_BUF,
OPT_SSL3, OPT_TLS1_3, OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1,
OPT_DTLS1_2, OPT_SCTP, OPT_TIMEOUT, OPT_MTU, OPT_LISTEN,
OPT_ID_PREFIX, OPT_RAND, OPT_SERVERNAME, OPT_SERVERNAME_FATAL,
@@ -856,11 +857,12 @@ const OPTIONS s_server_options[] = {
{"async", OPT_ASYNC, '-', "Operate in asynchronous mode"},
{"ssl_config", OPT_SSL_CONFIG, 's',
"Configure SSL_CTX using the configuration 'val'"},
- {"split_send_frag", OPT_SPLIT_SEND_FRAG, 'n',
+ {"max_send_frag", OPT_MAX_SEND_FRAG, 'p', "Maximum Size of send frames "},
+ {"split_send_frag", OPT_SPLIT_SEND_FRAG, 'p',
"Size used to split data for encrypt pipelines"},
- {"max_pipelines", OPT_MAX_PIPELINES, 'n',
+ {"max_pipelines", OPT_MAX_PIPELINES, 'p',
"Maximum number of encrypt/decrypt pipelines to be used"},
- {"read_buf", OPT_READ_BUF, 'n',
+ {"read_buf", OPT_READ_BUF, 'p',
"Default read buffer size to be used for connections"},
OPT_S_OPTIONS,
OPT_V_OPTIONS,
@@ -999,6 +1001,7 @@ int s_server_main(int argc, char *argv[])
int s_tlsextstatus = 0;
#endif
int no_resume_ephemeral = 0;
+ unsigned int max_send_fragment = 0;
unsigned int split_send_fragment = 0, max_pipelines = 0;
const char *s_serverinfo_file = NULL;
const char *keylog_file = NULL;
@@ -1497,15 +1500,11 @@ int s_server_main(int argc, char *argv[])
case OPT_ASYNC:
async = 1;
break;
+ case OPT_MAX_SEND_FRAG:
+ max_send_fragment = atoi(opt_arg());
+ break;
case OPT_SPLIT_SEND_FRAG:
split_send_fragment = atoi(opt_arg());
- if (split_send_fragment == 0) {
- /*
- * Not allowed - set to a deliberately bad value so we get an
- * error message below
- */
- split_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH + 1;
- }
break;
case OPT_MAX_PIPELINES:
max_pipelines = atoi(opt_arg());
@@ -1562,16 +1561,6 @@ int s_server_main(int argc, char *argv[])
}
#endif
- if (split_send_fragment > SSL3_RT_MAX_PLAIN_LENGTH) {
- BIO_printf(bio_err, "Bad split send fragment size\n");
- goto end;
- }
-
- if (max_pipelines > SSL_MAX_PIPELINES) {
- BIO_printf(bio_err, "Bad max pipelines value\n");
- goto end;
- }
-
if (!app_passwd(passarg, dpassarg, &pass, &dpass)) {
BIO_printf(bio_err, "Error getting password\n");
goto end;
@@ -1760,11 +1749,25 @@ int s_server_main(int argc, char *argv[])
if (async) {
SSL_CTX_set_mode(ctx, SSL_MODE_ASYNC);
}
- if (split_send_fragment > 0) {
- SSL_CTX_set_split_send_fragment(ctx, split_send_fragment);
+
+ if (max_send_fragment > 0
+ && !SSL_CTX_set_max_send_fragment(ctx, max_send_fragment)) {
+ BIO_printf(bio_err, "%s: Max send fragment size %u is out of permitted range\n",
+ prog, max_send_fragment);
+ goto end;
+ }
+
+ if (split_send_fragment > 0
+ && !SSL_CTX_set_split_send_fragment(ctx, split_send_fragment)) {
+ BIO_printf(bio_err, "%s: Split send fragment size %u is out of permitted range\n",
+ prog, split_send_fragment);
+ goto end;
}
- if (max_pipelines > 0) {
- SSL_CTX_set_max_pipelines(ctx, max_pipelines);
+ if (max_pipelines > 0
+ && !SSL_CTX_set_max_pipelines(ctx, max_pipelines)) {
+ BIO_printf(bio_err, "%s: Max pipelines %u is out of permitted range\n",
+ prog, max_pipelines);
+ goto end;
}
if (read_buf_len > 0) {
diff --git a/doc/man1/s_client.pod b/doc/man1/s_client.pod
index 1653856..96df8a4 100644
--- a/doc/man1/s_client.pod
+++ b/doc/man1/s_client.pod
@@ -86,6 +86,7 @@ B<openssl> B<s_client>
[B<-sctp>]
[B<-fallback_scsv>]
[B<-async>]
+[B<-max_send_frag>]
[B<-split_send_frag>]
[B<-max_pipelines>]
[B<-read_buf>]
@@ -416,6 +417,11 @@ asynchronously. This will only have an effect if an asynchronous capable engine
is also used via the B<-engine> option. For test purposes the dummy async engine
(dasync) can be used (if available).
+=item B<-max_send_frag int>
+
+The maximum size of data fragment to send.
+See L<SSL_CTX_set_max_send_fragment(3)> for further information.
+
=item B<-split_send_frag int>
The size used to split data for encrypt pipelines. If more data is written in
@@ -643,8 +649,9 @@ information whenever a session is renegotiated.
=head1 SEE ALSO
-L<SSL_CONF_cmd(3)>,
-L<sess_id(1)>, L<s_server(1)>, L<ciphers(1)>
+L<SSL_CONF_cmd(3)>, L<sess_id(1)>, L<s_server(1)>, L<ciphers(1)>,
+L<SSL_CTX_set_max_send_fragment(3)>, L<SSL_CTX_set_split_send_fragment(3)>
+L<SSL_CTX_set_max_pipelines(3)>
=head1 HISTORY
diff --git a/doc/man1/s_server.pod b/doc/man1/s_server.pod
index d2fbb84..c3e763f 100644
--- a/doc/man1/s_server.pod
+++ b/doc/man1/s_server.pod
@@ -86,6 +86,7 @@ B<openssl> B<s_server>
[B<-sctp>]
[B<-listen>]
[B<-async>]
+[B<-max_send_frag>]
[B<-split_send_frag>]
[B<-max_pipelines>]
[B<-read_buf>]
@@ -376,6 +377,11 @@ asynchronously. This will only have an effect if an asynchronous capable engine
is also used via the B<-engine> option. For test purposes the dummy async engine
(dasync) can be used (if available).
+=item B<-max_send_frag int>
+
+The maximum size of data fragment to send.
+See L<SSL_CTX_set_max_send_fragment(3)> for further information.
+
=item B<-split_send_frag int>
The size used to split data for encrypt pipelines. If more data is written in
@@ -638,8 +644,9 @@ unknown cipher suites a client says it supports.
=head1 SEE ALSO
-L<SSL_CONF_cmd(3)>,
-L<sess_id(1)>, L<s_client(1)>, L<ciphers(1)>
+L<SSL_CONF_cmd(3)>, L<sess_id(1)>, L<s_client(1)>, L<ciphers(1)>
+L<SSL_CTX_set_max_send_fragment(3)>, L<SSL_CTX_set_split_send_fragment(3)>
+L<SSL_CTX_set_max_pipelines(3)>
=head1 HISTORY
More information about the openssl-commits
mailing list