[openssl] master update
beldmit at gmail.com
beldmit at gmail.com
Mon Jan 13 17:49:06 UTC 2020
The branch master has been updated
via 9ce921f2dacc9f56b8ae932ae9c299670700a297 (commit)
via 0b3b2b33c7e888fc1e735ad25cc1b963b5c24ad4 (commit)
via d4bff20d55b7ab7b4dd43ada28372efb90942dfd (commit)
from 6d242fa585d6e52ee6e099ac4f89601231c0f1d3 (commit)
- Log -----------------------------------------------------------------
commit 9ce921f2dacc9f56b8ae932ae9c299670700a297
Author: Rich Salz <rsalz at akamai.com>
Date: Wed Jan 8 09:03:00 2020 -0500
Remove duplicates
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
(Merged from https://github.com/openssl/openssl/pull/10134)
commit 0b3b2b33c7e888fc1e735ad25cc1b963b5c24ad4
Author: Rich Salz <rsalz at akamai.com>
Date: Thu Dec 12 13:34:32 2019 -0500
Better documentation of -www,-WWW,-HTTP flags
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
(Merged from https://github.com/openssl/openssl/pull/10134)
commit d4bff20d55b7ab7b4dd43ada28372efb90942dfd
Author: Rich Salz <rsalz at akamai.com>
Date: Sat Oct 12 17:45:56 2019 -0400
Refactor the tls/dlts version options
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
(Merged from https://github.com/openssl/openssl/pull/10134)
-----------------------------------------------------------------------
Summary of changes:
doc/man1/openssl-s_client.pod.in | 45 +++++--------------------
doc/man1/openssl-s_server.pod.in | 73 +++++++++++++---------------------------
doc/man1/openssl-s_time.pod.in | 17 ++--------
doc/man1/openssl.pod | 31 +++++++++++++++++
doc/perlvars.pm | 32 ++++++++++++++++++
util/dofile.pl | 8 +++++
6 files changed, 107 insertions(+), 99 deletions(-)
diff --git a/doc/man1/openssl-s_client.pod.in b/doc/man1/openssl-s_client.pod.in
index 8bd6c9eec1..779f91700f 100644
--- a/doc/man1/openssl-s_client.pod.in
+++ b/doc/man1/openssl-s_client.pod.in
@@ -79,19 +79,6 @@ B<openssl> B<s_client>
[B<-psk> I<key>]
[B<-psk_session> I<file>]
[B<-quiet>]
-[B<-ssl3>]
-[B<-tls1>]
-[B<-tls1_1>]
-[B<-tls1_2>]
-[B<-tls1_3>]
-[B<-no_ssl3>]
-[B<-no_tls1>]
-[B<-no_tls1_1>]
-[B<-no_tls1_2>]
-[B<-no_tls1_3>]
-[B<-dtls>]
-[B<-dtls1>]
-[B<-dtls1_2>]
[B<-sctp>]
[B<-sctp_label_bug>]
[B<-fallback_scsv>]
@@ -127,6 +114,7 @@ B<openssl> B<s_client>
[B<-early_data> I<file>]
[B<-enable_pha>]
{- $OpenSSL::safe::opt_name_synopsis -}
+{- $OpenSSL::safe::opt_version_synopsis -}
{- $OpenSSL::safe::opt_x_synopsis -}
{- $OpenSSL::safe::opt_trust_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
@@ -458,23 +446,6 @@ This option must be provided in order to use a PSK cipher.
Use the pem encoded SSL_SESSION data stored in I<file> as the basis of a PSK.
Note that this will only work if TLSv1.3 is negotiated.
-=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>
-
-These options require or disable the use of the specified SSL or TLS protocols.
-By default, this command will negotiate the highest mutually supported protocol
-version.
-When a specific TLS version is required, only that version will be offered to
-and accepted from the server.
-Note that not all protocols and flags may be available, depending on how
-OpenSSL was built.
-
-=item B<-dtls>, B<-dtls1>, B<-dtls1_2>
-
-These options make this command use DTLS protocols instead of TLS.
-With B<-dtls>, it will negotiate any supported DTLS protocol version,
-whilst B<-dtls1> and B<-dtls1_2> will only support DTLS1.0 and DTLS1.2
-respectively.
-
=item B<-sctp>
Use SCTP for the transport protocol instead of UDP in DTLS. Must be used in
@@ -685,12 +656,7 @@ data and when the server accepts the early data.
For TLSv1.3 only, send the Post-Handshake Authentication extension. This will
happen whether or not a certificate has been provided via B<-cert>.
-=item I<host>:I<port>
-
-Rather than providing B<-connect>, the target hostname and optional port may
-be provided as a single positional argument after all options. If neither this
-nor B<-connect> are provided, falls back to attempting to connect to
-I<localhost> on port I<4433>.
+{- $OpenSSL::safe::opt_version_item -}
{- $OpenSSL::safe::opt_name_item -}
@@ -702,6 +668,13 @@ I<localhost> on port I<4433>.
{- $OpenSSL::safe::opt_engine_item -}
+=item I<host>:I<port>
+
+Rather than providing B<-connect>, the target hostname and optional port may
+be provided as a single positional argument after all options. If neither this
+nor B<-connect> are provided, falls back to attempting to connect to
+I<localhost> on port I<4433>.
+
=back
=head1 CONNECTED COMMANDS
diff --git a/doc/man1/openssl-s_server.pod.in b/doc/man1/openssl-s_server.pod.in
index 743ad616d5..47343585bd 100644
--- a/doc/man1/openssl-s_server.pod.in
+++ b/doc/man1/openssl-s_server.pod.in
@@ -83,11 +83,6 @@ B<openssl> B<s_server>
[B<-split_send_frag> I<+int>]
[B<-max_pipelines> I<+int>]
[B<-read_buf> I<+int>]
-[B<-no_ssl3>]
-[B<-no_tls1>]
-[B<-no_tls1_1>]
-[B<-no_tls1_2>]
-[B<-no_tls1_3>]
[B<-bugs>]
[B<-no_comp>]
[B<-comp>]
@@ -149,17 +144,9 @@ B<openssl> B<s_server>
[B<-psk_session> I<file>]
[B<-srpvfile> I<infile>]
[B<-srpuserseed> I<val>]
-[B<-ssl3>]
-[B<-tls1>]
-[B<-tls1_1>]
-[B<-tls1_2>]
-[B<-tls1_3>]
-[B<-dtls>]
[B<-timeout>]
[B<-mtu> I<+int>]
[B<-listen>]
-[B<-dtls1>]
-[B<-dtls1_2>]
[B<-sctp>]
[B<-sctp_label_bug>]
[B<-no_dhe>]
@@ -173,6 +160,7 @@ B<openssl> B<s_server>
[B<-no_anti_replay>]
[B<-http_server_binmode>]
{- $OpenSSL::safe::opt_name_synopsis -}
+{- $OpenSSL::safe::opt_version_synopsis -}
{- $OpenSSL::safe::opt_x_synopsis -}
{- $OpenSSL::safe::opt_trust_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
@@ -380,32 +368,34 @@ DH).
Inhibit printing of session and certificate information.
+=item B<-tlsextdebug>
+
+Print a hex dump of any TLS extensions received from the server.
+
=item B<-www>
Sends a status message back to the client when it connects. This includes
information about the ciphers used and various session parameters.
-The output is in HTML format so this option will normally be used with a
-web browser. Cannot be used in conjunction with B<-early_data>.
-
-=item B<-WWW>
-
-Emulates a simple web server. Pages will be resolved relative to the
-current directory, for example if the URL https://myhost/page.html is
-requested the file F<./page.html> will be loaded. Cannot be used in conjunction
-with B<-early_data>.
-
-=item B<-tlsextdebug>
-
-Print a hex dump of any TLS extensions received from the server.
+The output is in HTML format so this option can be used with a web browser.
+The special URL C</renegcert> turns on client cert validation, and C</reneg>
+tells the server to request renegotiation.
+The B<-early_data> option cannot be used with this option.
-=item B<-HTTP>
+=item B<-WWW>, B<-HTTP>
Emulates a simple web server. Pages will be resolved relative to the
-current directory, for example if the URL https://myhost/page.html is
-requested the file F<./page.html> will be loaded. The files loaded are
-assumed to contain a complete and correct HTTP response (lines that
-are part of the HTTP response line and headers must end with CRLF). Cannot be
-used in conjunction with B<-early_data>.
+current directory, for example if the URL C<https://myhost/page.html> is
+requested the file F<./page.html> will be sent.
+If the B<-HTTP> flag is used, the files are sent directly, and should contain
+any HTTP response headers (including status response line).
+If the B<-WWW> option is used,
+the response headers are generated by the server, and the file extension is
+examined to determine the B<Content-Type> header.
+Extensions of C<html>, C<htm>, and C<php> are C<text/html> and all others are
+C<text/plain>.
+In addition, the special URL C</stats> will return status
+information like the B<-www> option.
+Neither of these options can be used in conjunction with B<-early_data>.
=item B<-id_prefix> I<val>
@@ -495,16 +485,6 @@ effect if the buffer size is larger than the size that would otherwise be used
and pipelining is in use (see L<SSL_CTX_set_default_read_buffer_len(3)> for
further information).
-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>
-
-These options require or disable the use of the specified SSL or TLS protocols.
-By default, this command will negotiate the highest mutually supported
-protocol version.
-When a specific TLS version is required, only that version will be accepted
-from the client.
-Note that not all protocols and flags may be available, depending on how
-OpenSSL was built.
-
=item B<-bugs>
There are several known bugs in SSL and TLS implementations. Adding this
@@ -639,13 +619,6 @@ Any without a cookie will be responded to with a HelloVerifyRequest.
If a ClientHello with a cookie is received then this command will
connect to that peer and complete the handshake.
-=item B<-dtls>, B<-dtls1>, B<-dtls1_2>
-
-These options make this command use DTLS protocols instead of TLS.
-With B<-dtls>, it will negotiate any supported DTLS protocol
-version, whilst B<-dtls1> and B<-dtls1_2> will only support DTLSv1.0 and
-DTLSv1.2 respectively.
-
=item B<-sctp>
Use SCTP for the transport protocol instead of UDP in DTLS. Must be used in
@@ -709,6 +682,8 @@ by the client in binary mode.
{- $OpenSSL::safe::opt_name_item -}
+{- $OpenSSL::safe::opt_version_item -}
+
{- $OpenSSL::safe::opt_x_item -}
{- $OpenSSL::safe::opt_trust_item -}
diff --git a/doc/man1/openssl-s_time.pod.in b/doc/man1/openssl-s_time.pod.in
index 01707324db..ed1c012f8e 100644
--- a/doc/man1/openssl-s_time.pod.in
+++ b/doc/man1/openssl-s_time.pod.in
@@ -17,11 +17,7 @@ B<openssl> B<s_time>
[B<-new>]
[B<-verify> I<depth>]
[B<-time> I<seconds>]
-[B<-ssl3>]
-[B<-tls1>]
-[B<-tls1_1>]
-[B<-tls1_2>]
-[B<-tls1_3>]
+{- $OpenSSL::safe::opt_versiontls_synopsis -}
[B<-bugs>]
[B<-cipher> I<cipherlist>]
[B<-ciphersuites> I<val>]
@@ -94,15 +90,6 @@ Performs the timing test using the same session ID; this can be used as a test
that session caching is working. If neither B<-new> nor B<-reuse> are
specified, they are both on by default and executed in sequence.
-=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>
-
-These options enable specific SSL or TLS protocol versions for the handshake
-initiated by this command.
-By default, it negotiates the highest mutually supported protocol
-version.
-Note that not all protocols and flags may be available, depending on how
-OpenSSL was built.
-
=item B<-bugs>
There are several known bugs in SSL and TLS implementations. Adding this
@@ -136,6 +123,8 @@ can establish.
{- $OpenSSL::safe::opt_trust_item -}
+{- $OpenSSL::safe::opt_versiontls_item -}
+
=back
=head1 NOTES
diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod
index 5ef537434c..dfa7a3bf7c 100644
--- a/doc/man1/openssl.pod
+++ b/doc/man1/openssl.pod
@@ -933,6 +933,37 @@ name.
=back
+=head2 TLS Version Options
+
+Several commands use SSL, TLS, or DTLS. By default, the commands use TLS and
+clients will offer the lowest and highest protocol version they support,
+and servers will pick the highest version that the client offers that is also
+supported by the server.
+
+The options below can be used to limit which protocol versions are used,
+and whether TCP (SSL and TLS) or UDP (DTLS) is used.
+Note that not all protocols and flags may be available, depending on how
+OpenSSL was built.
+
+=over 4
+
+=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>
+
+These options require or disable the use of the specified SSL or TLS protocols.
+When a specific TLS version is required, only that version will be offered or
+accepted.
+Only one specific protocol can be given and it cannot be combined with any of
+the B<no_> options.
+
+=item B<-dtls>, B<-dtls1>, B<-dtls1_2>
+
+These options specify to use DTLS instead of DLTS.
+With B<-dtls>, clients will negotiate any supported DTLS protocol version.
+Use the B<-dtls1> or B<-dtls1_2> options to support only DTLS1.0 or DTLS1.2,
+respectively.
+
+=back
+
=head2 Engine Options
=over 4
diff --git a/doc/perlvars.pm b/doc/perlvars.pm
index 4e9dc31ac2..7f0cf167d3 100644
--- a/doc/perlvars.pm
+++ b/doc/perlvars.pm
@@ -107,6 +107,38 @@ $OpenSSL::safe::opt_trust_item = ""
. "\n"
. "See L<openssl(1)/Trusted Certificate Options> for details.";
+# TLS Version Options
+$OpenSSL::safe::opt_versiontls_synopsis = ""
+. "[B<-no_ssl3>]\n"
+. "[B<-no_tls1>]\n"
+. "[B<-no_tls1_1>]\n"
+. "[B<-no_tls1_2>]\n"
+. "[B<-no_tls1_3>]\n"
+. "[B<-ssl3>]\n"
+. "[B<-tls1>]\n"
+. "[B<-tls1_1>]\n"
+. "[B<-tls1_2>]\n"
+. "[B<-tls1_3>]";
+$OpenSSL::safe::opt_versiontls_item = ""
+. "=item B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>,\n"
+. "B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>\n"
+. "\n"
+. "See L<openssl(1)/TLS Version Options>.";
+
+# TLS/DTLS Version Options
+$OpenSSL::safe::opt_version_synopsis = ""
+. "$OpenSSL::safe::opt_versiontls_synopsis\n"
+. "[B<-dtls>]\n"
+. "[B<-dtls1>]\n"
+. "[B<-dtls1_2>]";
+$OpenSSL::safe::opt_version_item = "\n"
+. "$OpenSSL::safe::opt_versiontls_item\n"
+. "\n"
+. "=item B<-dtls>, B<-dtls1>, B<-dtls1_2>\n"
+. "\n"
+. "These specify the use of DTLS instead of TLS.\n"
+. "See L<openssl(1)/TLS Version Options>.";
+
# SSL connection options.
# TODO(3.0) Not currently used. The refactoring needs to be done, and
# the options will probably be re-ordered.
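Review bot: `$OpenSSL::safe::opt_version_item` is initialised with a leading `"\n"` while `$OpenSSL::safe::opt_versiontls_item` and the existing `opt_trust_item` above it start from `""`, so the two new item variables render with different spacing depending on where a template places them. Presumably the newline is meant to supply the blank line before the `=item` when the template inserts the variable directly after prose; if so, a short comment stating that would keep the next editor from "fixing" it, e.g. `# Leading newline: this item is inserted right after body text in s_client/s_server.` Otherwise, starting from `""` like its siblings and letting the templates own the blank lines would be the more consistent shape. The `# SSL connection options.` section that follows is unchanged by this hunk.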
diff --git a/util/dofile.pl b/util/dofile.pl
index 57243880d4..6d4ffa4abd 100644
--- a/util/dofile.pl
+++ b/util/dofile.pl
@@ -40,6 +40,14 @@ my @autowarntext = (
. (scalar(@ARGV) > 0 ? " from " .join(", ", @ARGV) : "")
);
+if (defined($opts{s})) {
+ local $/ = undef;
+ open VARS, $opts{s} or die "Couldn't open $opts{s}, $!";
+ my $contents = <VARS>;
+ close VARS;
+ eval $contents;
+ die $@ if $@;
+}
die "Must have input files"
if defined($opts{i}) and scalar(@ARGV) == 0;
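Review bot: The new `-s` block uses a two-argument `open` with a bareword filehandle, so a value of `$opts{s}` beginning with `>`, `|` or `<` would be parsed as an open mode rather than a plain filename, and the `close` result is not checked; the three-argument lexical form avoids both: `open my $vars_fh, '<', $opts{s} or die "Couldn't open $opts{s}, $!";` then `my $contents = <$vars_fh>;` and `close $vars_fh or die "Couldn't close $opts{s}, $!";`. The `eval $contents` then executes whatever file was named as Perl code, which appears to be the intent here (the diffstat's doc/perlvars.pm assigns the `$OpenSSL::safe::*` variables that the `{- ... -}` template substitutions reference), but a comment should say so, e.g. `# -s names a Perl file that is evaluated to define the $OpenSSL::safe::* template variables`. The enclosing `@autowarntext` assignment begins outside the hunk; the added `if` block itself is complete within it.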