[openssl] OpenSSL_1_1_1-stable update
Matt Caswell
matt at openssl.org
Tue Jun 30 13:13:27 UTC 2020
The branch OpenSSL_1_1_1-stable has been updated
via 0c3d0247a7b16cf10d6d869f34b40aa833b79fd5 (commit)
via 45f02e9095f30abefc799b34a612140a47aa9e27 (commit)
via 4864a232ee7f901388532f65911866ca2478cfa9 (commit)
via d3ef3d01accec8cc373661c7f0dd39541a8df96c (commit)
via 32d738c9a2abeea5a709de9c33e4e6d6b87938bd (commit)
from 943c6daa491cb248750da1625d3f65b73bc77130 (commit)
- Log -----------------------------------------------------------------
commit 0c3d0247a7b16cf10d6d869f34b40aa833b79fd5
Author: Matt Caswell <matt at openssl.org>
Date: Thu Jun 25 10:43:20 2020 +0100
Fix a typo on the SSL_dup page
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12245)
commit 45f02e9095f30abefc799b34a612140a47aa9e27
Author: Matt Caswell <matt at openssl.org>
Date: Tue Jun 16 17:19:40 2020 +0100
Add an SSL_dup test
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12245)
commit 4864a232ee7f901388532f65911866ca2478cfa9
Author: Matt Caswell <matt at openssl.org>
Date: Tue Jun 16 17:40:40 2020 +0100
Don't attempt to duplicate the BIO state in SSL_dup
SSL_dup attempted to duplicate the BIO state if the source SSL had BIOs
configured for it. This did not work.
Firstly the SSL_dup code was passing a BIO ** as the destination
argument for BIO_dup_state. However BIO_dup_state expects a BIO * for that
parameter. Any attempt to use this will either (1) fail silently, (2) crash
or fail in some other strange way.
Secondly many BIOs do not implement the BIO_CTRL_DUP ctrl required to make
this work.
Thirdly, if rbio == wbio in the original SSL object, then an attempt is made
to up-ref the BIO in the new SSL object - even though it hasn't been set
yet and is NULL. This results in a crash.
This appears to have been broken for a very long time with at least some of
the problems described above coming from SSLeay. The simplest approach is
to just remove this capability from the function.
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12245)
commit d3ef3d01accec8cc373661c7f0dd39541a8df96c
Author: Matt Caswell <matt at openssl.org>
Date: Mon Jun 15 12:11:46 2020 +0100
Update the SSL_dup documentation to match reality
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12245)
commit 32d738c9a2abeea5a709de9c33e4e6d6b87938bd
Author: Matt Caswell <matt at openssl.org>
Date: Fri Jun 12 10:52:41 2020 +0100
Ensure that SSL_dup copies the min/max protocol version
With thanks to Rebekah Johnson for reporting this issue.
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12245)
-----------------------------------------------------------------------
Summary of changes:
doc/man3/SSL_new.pod | 73 +++++++++++++++++++++++++++++++++++++++++++++++++---
ssl/ssl_lib.c | 17 ++----------
test/sslapitest.c | 72 +++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 143 insertions(+), 19 deletions(-)
diff --git a/doc/man3/SSL_new.pod b/doc/man3/SSL_new.pod
index 222e9d5886..7a6c9d4b1a 100644
--- a/doc/man3/SSL_new.pod
+++ b/doc/man3/SSL_new.pod
@@ -26,10 +26,75 @@ structure are freed.
SSL_up_ref() increments the reference count for an
existing B<SSL> structure.
-SSL_dup() duplicates an existing B<SSL> structure into a new allocated one. All
-settings are inherited from the original B<SSL> structure. Dynamic data (i.e.
-existing connection details) are not copied, the new B<SSL> is set into an
-initial accept (server) or connect (client) state.
+The function SSL_dup() creates and returns a new B<SSL> structure from the same
+B<SSL_CTX> that was used to create I<s>. It additionally duplicates a subset of
+the settings in I<s> into the new B<SSL> object.
+
+For SSL_dup() to work, the connection MUST be in its initial state and
+MUST NOT have yet started the SSL handshake. For connections that are not in
+their initial state SSL_dup() just increments an internal
+reference count and returns the I<same> handle. It may be possible to
+use L<SSL_clear(3)> to recycle an SSL handle that is not in its initial
+state for re-use, but this is best avoided. Instead, save and restore
+the session, if desired, and construct a fresh handle for each connection.
+
+The subset of settings in I<s> that are duplicated are:
+
+=over 4
+
+=item any session data if configured (including the session_id_context)
+
+=item any tmp_dh settings set via L<SSL_set_tmp_dh(3)>,
+L<SSL_set_tmp_dh_callback(3)>, or L<SSL_set_dh_auto(3)>
+
+=item any configured certificates, private keys or certificate chains
+
+=item any configured signature algorithms, or client signature algorithms
+
+=item any DANE settings
+
+=item any Options set via L<SSL_set_options(3)>
+
+=item any Mode set via L<SSL_set_mode(3)>
+
+=item any minimum or maximum protocol settings set via
+L<SSL_set_min_proto_version(3)> or L<SSL_set_max_proto_version(3)> (Note: Only
+from OpenSSL 1.1.1h and above)
+
+=item any Verify mode, callback or depth set via L<SSL_set_verify(3)> or
+L<SSL_set_verify_depth(3)> or any configured X509 verification parameters
+
+=item any msg callback or info callback set via L<SSL_set_msg_callback(3)> or
+L<SSL_set_info_callback(3)>
+
+=item any default password callback set via L<SSL_set_default_passwd_cb(3)>
+
+=item any session id generation callback set via L<SSL_set_generate_session_id(3)>
+
+=item any configured Cipher List
+
+=item initial accept (server) or connect (client) state
+
+=item the max cert list value set via L<SSL_set_max_cert_list(3)>
+
+=item the read_ahead value set via L<SSL_set_read_ahead(3)>
+
+=item application specific data set via L<SSL_set_ex_data(3)>
+
+=item any CA list or client CA list set via L<SSL_set0_CA_list(3)>,
+SSL_set0_client_CA_list() or similar functions
+
+=item any security level settings or callbacks
+
+=item any configured serverinfo data
+
+=item any configured PSK identity hint
+
+=item any configured custom extensions
+
+=item any client certificate types configured via SSL_set1_client_certificate_types
+
+=back
=head1 RETURN VALUES
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 7c7e59789c..f6a4964ed2 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3824,6 +3824,8 @@ SSL *SSL_dup(SSL *s)
goto err;
ret->version = s->version;
ret->options = s->options;
+ ret->min_proto_version = s->min_proto_version;
+ ret->max_proto_version = s->max_proto_version;
ret->mode = s->mode;
SSL_set_max_cert_list(ret, SSL_get_max_cert_list(s));
SSL_set_read_ahead(ret, SSL_get_read_ahead(s));
@@ -3839,21 +3841,6 @@ SSL *SSL_dup(SSL *s)
if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL, &ret->ex_data, &s->ex_data))
goto err;
- /* setup rbio, and wbio */
- if (s->rbio != NULL) {
- if (!BIO_dup_state(s->rbio, (char *)&ret->rbio))
- goto err;
- }
- if (s->wbio != NULL) {
- if (s->wbio != s->rbio) {
- if (!BIO_dup_state(s->wbio, (char *)&ret->wbio))
- goto err;
- } else {
- BIO_up_ref(ret->rbio);
- ret->wbio = ret->rbio;
- }
- }
-
ret->server = s->server;
if (s->handshake_func) {
if (s->server)
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 62d22e85b0..52207226f4 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -6578,6 +6578,75 @@ static int test_servername(int tst)
return testresult;
}
+#ifndef OPENSSL_NO_TLS1_2
+static int test_ssl_dup(void)
+{
+ SSL_CTX *cctx = NULL, *sctx = NULL;
+ SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
+ int testresult = 0;
+ BIO *rbio = NULL, *wbio = NULL;
+
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ TLS_client_method(),
+ 0,
+ 0,
+ &sctx, &cctx, cert, privkey)))
+ goto end;
+
+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
+ NULL, NULL)))
+ goto end;
+
+ if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
+ || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
+ goto end;
+
+ client2ssl = SSL_dup(clientssl);
+ rbio = SSL_get_rbio(clientssl);
+ if (!TEST_ptr(rbio)
+ || !TEST_true(BIO_up_ref(rbio)))
+ goto end;
+ SSL_set0_rbio(client2ssl, rbio);
+ rbio = NULL;
+
+ wbio = SSL_get_wbio(clientssl);
+ if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
+ goto end;
+ SSL_set0_wbio(client2ssl, wbio);
+ rbio = NULL;
+
+ if (!TEST_ptr(client2ssl)
+ /* Handshake not started so pointers should be different */
+ || !TEST_ptr_ne(clientssl, client2ssl))
+ goto end;
+
+ if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
+ || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
+ goto end;
+
+ if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
+ goto end;
+
+ SSL_free(clientssl);
+ clientssl = SSL_dup(client2ssl);
+ if (!TEST_ptr(clientssl)
+ /* Handshake has finished so pointers should be the same */
+ || !TEST_ptr_eq(clientssl, client2ssl))
+ goto end;
+
+ testresult = 1;
+
+ end:
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ SSL_free(client2ssl);
+ SSL_CTX_free(sctx);
+ SSL_CTX_free(cctx);
+
+ return testresult;
+}
+#endif
+
int setup_tests(void)
{
if (!TEST_ptr(certsdir = test_get_argument(0))
@@ -6698,6 +6767,9 @@ int setup_tests(void)
ADD_ALL_TESTS(test_client_cert_cb, 2);
ADD_ALL_TESTS(test_ca_names, 3);
ADD_ALL_TESTS(test_servername, 10);
+#ifndef OPENSSL_NO_TLS1_2
+ ADD_TEST(test_ssl_dup);
+#endif
return 1;
}
More information about the openssl-commits
mailing list