[openssl-commits] [openssl] master update
Matt Caswell
matt at openssl.org
Fri May 11 13:30:21 UTC 2018
The branch master has been updated
via e825109236f6795fbe24c0c6a489ef89ca05a906 (commit)
via f478c8a7c0229feb9f446df68e9940e8782edd91 (commit)
via 66fab92316c913c781b2a274900d9d1e6a206ed0 (commit)
from 0d8da77908df1aa3186b00113aab1b338cba9b07 (commit)
- Log -----------------------------------------------------------------
commit e825109236f6795fbe24c0c6a489ef89ca05a906
Author: Matt Caswell <matt at openssl.org>
Date: Wed May 2 16:08:07 2018 +0100
Add some more SSL_pending() and SSL_has_pending() tests
Reviewed-by: Rich Salz <rsalz at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6159)
commit f478c8a7c0229feb9f446df68e9940e8782edd91
Author: Matt Caswell <matt at openssl.org>
Date: Wed May 2 16:08:27 2018 +0100
Don't set TCP_NODELAY on a UDP socket
This was preventing DTLS connections from being made from the command line.
Reviewed-by: Rich Salz <rsalz at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6159)
commit 66fab92316c913c781b2a274900d9d1e6a206ed0
Author: Matt Caswell <matt at openssl.org>
Date: Wed May 2 16:07:13 2018 +0100
Mark DTLS records as read when we have finished with them
The TLS code marks records as read when its finished using a record. The DTLS code did
not do that. However SSL_has_pending() relies on it. So we should make DTLS consistent.
Reviewed-by: Rich Salz <rsalz at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6159)
-----------------------------------------------------------------------
Summary of changes:
apps/s_socket.c | 3 ++-
ssl/record/rec_layer_d1.c | 27 +++++++++++++++++++++++----
ssl/record/ssl3_record.c | 13 ++++++++++++-
test/sslapitest.c | 9 +++++++--
4 files changed, 44 insertions(+), 8 deletions(-)
diff --git a/apps/s_socket.c b/apps/s_socket.c
index 69f0f4f..d16108c 100644
--- a/apps/s_socket.c
+++ b/apps/s_socket.c
@@ -146,7 +146,8 @@ int init_client(int *sock, const char *host, const char *port,
}
#endif
- if (!BIO_connect(*sock, BIO_ADDRINFO_address(ai), BIO_SOCK_NODELAY)) {
+ if (!BIO_connect(*sock, BIO_ADDRINFO_address(ai),
+ type == SOCK_STREAM ? BIO_SOCK_NODELAY : 0)) {
BIO_closesocket(*sock);
*sock = INVALID_SOCKET;
continue;
diff --git a/ssl/record/rec_layer_d1.c b/ssl/record/rec_layer_d1.c
index 37a2eb1..43e1f98 100644
--- a/ssl/record/rec_layer_d1.c
+++ b/ssl/record/rec_layer_d1.c
@@ -363,8 +363,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
return -1;
}
- if (!ossl_statem_get_in_handshake(s) && SSL_in_init(s))
- {
+ if (!ossl_statem_get_in_handshake(s) && SSL_in_init(s)) {
/* type == SSL3_RT_APPLICATION_DATA */
i = s->handshake_func(s);
/* SSLfatal() already called if appropriate */
@@ -473,6 +472,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
return -1;
}
SSL3_RECORD_set_length(rr, 0);
+ SSL3_RECORD_set_read(rr);
goto start;
}
@@ -482,6 +482,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
*/
if (s->shutdown & SSL_RECEIVED_SHUTDOWN) {
SSL3_RECORD_set_length(rr, 0);
+ SSL3_RECORD_set_read(rr);
s->rwstate = SSL_NOTHING;
return 0;
}
@@ -508,8 +509,16 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
if (recvd_type != NULL)
*recvd_type = SSL3_RECORD_get_type(rr);
- if (len == 0)
+ if (len == 0) {
+ /*
+ * Mark a zero length record as read. This ensures multiple calls to
+ * SSL_read() with a zero length buffer will eventually cause
+ * SSL_pending() to report data as being available.
+ */
+ if (SSL3_RECORD_get_length(rr) == 0)
+ SSL3_RECORD_set_read(rr);
return 0;
+ }
if (len > SSL3_RECORD_get_length(rr))
n = SSL3_RECORD_get_length(rr);
@@ -517,12 +526,16 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
n = len;
memcpy(buf, &(SSL3_RECORD_get_data(rr)[SSL3_RECORD_get_off(rr)]), n);
- if (!peek) {
+ if (peek) {
+ if (SSL3_RECORD_get_length(rr) == 0)
+ SSL3_RECORD_set_read(rr);
+ } else {
SSL3_RECORD_sub_length(rr, n);
SSL3_RECORD_add_off(rr, n);
if (SSL3_RECORD_get_length(rr) == 0) {
s->rlayer.rstate = SSL_ST_READ_HEADER;
SSL3_RECORD_set_off(rr, 0);
+ SSL3_RECORD_set_read(rr);
}
}
#ifndef OPENSSL_NO_SCTP
@@ -578,6 +591,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
if (alert_level == SSL3_AL_WARNING) {
s->s3->warn_alert = alert_descr;
+ SSL3_RECORD_set_read(rr);
s->rlayer.alert_count++;
if (s->rlayer.alert_count == MAX_WARN_ALERT_COUNT) {
@@ -615,6 +629,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
BIO_snprintf(tmp, sizeof tmp, "%d", alert_descr);
ERR_add_error_data(2, "SSL alert number ", tmp);
s->shutdown |= SSL_RECEIVED_SHUTDOWN;
+ SSL3_RECORD_set_read(rr);
SSL_CTX_remove_session(s->session_ctx, s->session);
return 0;
} else {
@@ -630,6 +645,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
* shutdown */
s->rwstate = SSL_NOTHING;
SSL3_RECORD_set_length(rr, 0);
+ SSL3_RECORD_set_read(rr);
return 0;
}
@@ -639,6 +655,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
* are still missing, so just drop it.
*/
SSL3_RECORD_set_length(rr, 0);
+ SSL3_RECORD_set_read(rr);
goto start;
}
@@ -656,6 +673,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
if (SSL3_RECORD_get_epoch(rr) != s->rlayer.d->r_epoch
|| SSL3_RECORD_get_length(rr) < DTLS1_HM_HEADER_LENGTH) {
SSL3_RECORD_set_length(rr, 0);
+ SSL3_RECORD_set_read(rr);
goto start;
}
@@ -677,6 +695,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
return -1;
}
SSL3_RECORD_set_length(rr, 0);
+ SSL3_RECORD_set_read(rr);
if (!(s->mode & SSL_MODE_AUTO_RETRY)) {
if (SSL3_BUFFER_get_left(&s->rlayer.rbuf) == 0) {
/* no read-ahead left? */
diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c
index c21a478..ae510b2 100644
--- a/ssl/record/ssl3_record.c
+++ b/ssl/record/ssl3_record.c
@@ -1882,6 +1882,7 @@ int dtls1_get_record(SSL *s)
p += 6;
n2s(p, rr->length);
+ rr->read = 0;
/*
* Lets check the version. We tolerate alerts that don't have the exact
@@ -1891,6 +1892,7 @@ int dtls1_get_record(SSL *s)
if (version != s->version) {
/* unexpected version, silently discard */
rr->length = 0;
+ rr->read = 1;
RECORD_LAYER_reset_packet_length(&s->rlayer);
goto again;
}
@@ -1899,6 +1901,7 @@ int dtls1_get_record(SSL *s)
if ((version & 0xff00) != (s->version & 0xff00)) {
/* wrong version, silently discard record */
rr->length = 0;
+ rr->read = 1;
RECORD_LAYER_reset_packet_length(&s->rlayer);
goto again;
}
@@ -1906,6 +1909,7 @@ int dtls1_get_record(SSL *s)
if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
/* record too long, silently discard it */
rr->length = 0;
+ rr->read = 1;
RECORD_LAYER_reset_packet_length(&s->rlayer);
goto again;
}
@@ -1915,6 +1919,7 @@ int dtls1_get_record(SSL *s)
&& rr->length > GET_MAX_FRAGMENT_LENGTH(s->session)) {
/* record too long, silently discard it */
rr->length = 0;
+ rr->read = 1;
RECORD_LAYER_reset_packet_length(&s->rlayer);
goto again;
}
@@ -1936,6 +1941,7 @@ int dtls1_get_record(SSL *s)
return -1;
}
rr->length = 0;
+ rr->read = 1;
RECORD_LAYER_reset_packet_length(&s->rlayer);
goto again;
}
@@ -1966,6 +1972,7 @@ int dtls1_get_record(SSL *s)
*/
if (!dtls1_record_replay_check(s, bitmap)) {
rr->length = 0;
+ rr->read = 1;
RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */
goto again; /* get another record */
}
@@ -1974,8 +1981,10 @@ int dtls1_get_record(SSL *s)
#endif
/* just read a 0 length packet */
- if (rr->length == 0)
+ if (rr->length == 0) {
+ rr->read = 1;
goto again;
+ }
/*
* If this record is from the next epoch (either HM or ALERT), and a
@@ -1992,6 +2001,7 @@ int dtls1_get_record(SSL *s)
}
}
rr->length = 0;
+ rr->read = 1;
RECORD_LAYER_reset_packet_length(&s->rlayer);
goto again;
}
@@ -2002,6 +2012,7 @@ int dtls1_get_record(SSL *s)
return -1;
}
rr->length = 0;
+ rr->read = 1;
RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */
goto again; /* get another record */
}
diff --git a/test/sslapitest.c b/test/sslapitest.c
index bce15db..26ef435 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -4454,11 +4454,16 @@ static int test_ssl_pending(int tst)
SSL_ERROR_NONE)))
goto end;
- if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
+ if (!TEST_int_eq(SSL_pending(clientssl), 0)
+ || !TEST_false(SSL_has_pending(clientssl))
+ || !TEST_int_eq(SSL_pending(serverssl), 0)
+ || !TEST_false(SSL_has_pending(serverssl))
+ || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
|| !TEST_size_t_eq(written, sizeof(msg))
|| !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
|| !TEST_size_t_eq(readbytes, sizeof(buf))
- || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes)))
+ || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
+ || !TEST_true(SSL_has_pending(clientssl)))
goto end;
testresult = 1;
More information about the openssl-commits
mailing list