[openssl] OpenSSL_1_1_1-stable update

Matt Caswell matt at openssl.org
Tue Jun 30 13:13:27 UTC 2020


The branch OpenSSL_1_1_1-stable has been updated
       via  0c3d0247a7b16cf10d6d869f34b40aa833b79fd5 (commit)
       via  45f02e9095f30abefc799b34a612140a47aa9e27 (commit)
       via  4864a232ee7f901388532f65911866ca2478cfa9 (commit)
       via  d3ef3d01accec8cc373661c7f0dd39541a8df96c (commit)
       via  32d738c9a2abeea5a709de9c33e4e6d6b87938bd (commit)
      from  943c6daa491cb248750da1625d3f65b73bc77130 (commit)


- Log -----------------------------------------------------------------
commit 0c3d0247a7b16cf10d6d869f34b40aa833b79fd5
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Jun 25 10:43:20 2020 +0100

    Fix a typo on the SSL_dup page
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/12245)

commit 45f02e9095f30abefc799b34a612140a47aa9e27
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Jun 16 17:19:40 2020 +0100

    Add an SSL_dup test
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/12245)

commit 4864a232ee7f901388532f65911866ca2478cfa9
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Jun 16 17:40:40 2020 +0100

    Don't attempt to duplicate the BIO state in SSL_dup
    
    SSL_dup attempted to duplicate the BIO state if the source SSL had BIOs
    configured for it. This did not work.
    
    Firstly the SSL_dup code was passing a BIO ** as the destination
    argument for BIO_dup_state. However BIO_dup_state expects a BIO * for that
    parameter. Any attempt to use this will either (1) fail silently, (2) crash
    or fail in some other strange way.
    
    Secondly many BIOs do not implement the BIO_CTRL_DUP ctrl required to make
    this work.
    
    Thirdly, if rbio == wbio in the original SSL object, then an attempt is made
    to up-ref the BIO in the new SSL object - even though it hasn't been set
    yet and is NULL. This results in a crash.
    
    This appears to have been broken for a very long time with at least some of
    the problems described above coming from SSLeay. The simplest approach is
    to just remove this capability from the function.
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/12245)

commit d3ef3d01accec8cc373661c7f0dd39541a8df96c
Author: Matt Caswell <matt at openssl.org>
Date:   Mon Jun 15 12:11:46 2020 +0100

    Update the SSL_dup documentation to match reality
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/12245)

commit 32d738c9a2abeea5a709de9c33e4e6d6b87938bd
Author: Matt Caswell <matt at openssl.org>
Date:   Fri Jun 12 10:52:41 2020 +0100

    Ensure that SSL_dup copies the min/max protocol version
    
    With thanks to Rebekah Johnson for reporting this issue.
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/12245)

-----------------------------------------------------------------------

Summary of changes:
 doc/man3/SSL_new.pod | 73 +++++++++++++++++++++++++++++++++++++++++++++++++---
 ssl/ssl_lib.c        | 17 ++----------
 test/sslapitest.c    | 72 +++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 143 insertions(+), 19 deletions(-)

diff --git a/doc/man3/SSL_new.pod b/doc/man3/SSL_new.pod
index 222e9d5886..7a6c9d4b1a 100644
--- a/doc/man3/SSL_new.pod
+++ b/doc/man3/SSL_new.pod
@@ -26,10 +26,75 @@ structure are freed.
 SSL_up_ref() increments the reference count for an
 existing B<SSL> structure.
 
-SSL_dup() duplicates an existing B<SSL> structure into a new allocated one. All
-settings are inherited from the original B<SSL> structure. Dynamic data (i.e.
-existing connection details) are not copied, the new B<SSL> is set into an
-initial accept (server) or connect (client) state.
+The function SSL_dup() creates and returns a new B<SSL> structure from the same
+B<SSL_CTX> that was used to create I<s>. It additionally duplicates a subset of
+the settings in I<s> into the new B<SSL> object.
+
+For SSL_dup() to work, the connection MUST be in its initial state and
+MUST NOT have yet started the SSL handshake.  For connections that are not in
+their initial state SSL_dup() just increments an internal
+reference count and returns the I<same> handle.  It may be possible to
+use L<SSL_clear(3)> to recycle an SSL handle that is not in its initial
+state for re-use, but this is best avoided.  Instead, save and restore
+the session, if desired, and construct a fresh handle for each connection.
+
+The subset of settings in I<s> that are duplicated are:
+
+=over 4
+
+=item any session data if configured (including the session_id_context)
+
+=item any tmp_dh settings set via L<SSL_set_tmp_dh(3)>,
+L<SSL_set_tmp_dh_callback(3)>, or L<SSL_set_dh_auto(3)>
+
+=item any configured certificates, private keys or certificate chains
+
+=item any configured signature algorithms, or client signature algorithms
+
+=item any DANE settings
+
+=item any Options set via L<SSL_set_options(3)>
+
+=item any Mode set via L<SSL_set_mode(3)>
+
+=item any minimum or maximum protocol settings set via
+L<SSL_set_min_proto_version(3)> or L<SSL_set_max_proto_version(3)> (Note: Only
+from OpenSSL 1.1.1h and above)
+
+=item any Verify mode, callback or depth set via L<SSL_set_verify(3)> or
+L<SSL_set_verify_depth(3)> or any configured X509 verification parameters
+
+=item any msg callback or info callback set via L<SSL_set_msg_callback(3)> or
+L<SSL_set_info_callback(3)>
+
+=item any default password callback set via L<SSL_set_default_passwd_cb(3)>
+
+=item any session id generation callback set via L<SSL_set_generate_session_id(3)>
+
+=item any configured Cipher List
+
+=item initial accept (server) or connect (client) state
+
+=item the max cert list value set via L<SSL_set_max_cert_list(3)>
+
+=item the read_ahead value set via L<SSL_set_read_ahead(3)>
+
+=item application specific data set via L<SSL_set_ex_data(3)>
+
+=item any CA list or client CA list set via L<SSL_set0_CA_list(3)>,
+SSL_set0_client_CA_list() or similar functions
+
+=item any security level settings or callbacks
+
+=item any configured serverinfo data
+
+=item any configured PSK identity hint
+
+=item any configured custom extensions
+
+=item any client certificate types configured via SSL_set1_client_certificate_types
+
+=back
 
 =head1 RETURN VALUES
 
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 7c7e59789c..f6a4964ed2 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3824,6 +3824,8 @@ SSL *SSL_dup(SSL *s)
         goto err;
     ret->version = s->version;
     ret->options = s->options;
+    ret->min_proto_version = s->min_proto_version;
+    ret->max_proto_version = s->max_proto_version;
     ret->mode = s->mode;
     SSL_set_max_cert_list(ret, SSL_get_max_cert_list(s));
     SSL_set_read_ahead(ret, SSL_get_read_ahead(s));
@@ -3839,21 +3841,6 @@ SSL *SSL_dup(SSL *s)
     if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL, &ret->ex_data, &s->ex_data))
         goto err;
 
-    /* setup rbio, and wbio */
-    if (s->rbio != NULL) {
-        if (!BIO_dup_state(s->rbio, (char *)&ret->rbio))
-            goto err;
-    }
-    if (s->wbio != NULL) {
-        if (s->wbio != s->rbio) {
-            if (!BIO_dup_state(s->wbio, (char *)&ret->wbio))
-                goto err;
-        } else {
-            BIO_up_ref(ret->rbio);
-            ret->wbio = ret->rbio;
-        }
-    }
-
     ret->server = s->server;
     if (s->handshake_func) {
         if (s->server)
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 62d22e85b0..52207226f4 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -6578,6 +6578,75 @@ static int test_servername(int tst)
     return testresult;
 }
 
+#ifndef OPENSSL_NO_TLS1_2
+static int test_ssl_dup(void)
+{
+    SSL_CTX *cctx = NULL, *sctx = NULL;
+    SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
+    int testresult = 0;
+    BIO *rbio = NULL, *wbio = NULL;
+
+    if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+                                       TLS_client_method(),
+                                       0,
+                                       0,
+                                       &sctx, &cctx, cert, privkey)))
+        goto end;
+
+    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
+                                             NULL, NULL)))
+        goto end;
+
+    if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
+            || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
+        goto end;
+
+    client2ssl = SSL_dup(clientssl);
+    rbio = SSL_get_rbio(clientssl);
+    if (!TEST_ptr(rbio)
+            || !TEST_true(BIO_up_ref(rbio)))
+        goto end;
+    SSL_set0_rbio(client2ssl, rbio);
+    rbio = NULL;
+
+    wbio = SSL_get_wbio(clientssl);
+    if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
+        goto end;
+    SSL_set0_wbio(client2ssl, wbio);
+    rbio = NULL;
+
+    if (!TEST_ptr(client2ssl)
+               /* Handshake not started so pointers should be different */
+            || !TEST_ptr_ne(clientssl, client2ssl))
+        goto end;
+
+    if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
+            || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
+        goto end;
+
+    if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
+        goto end;
+
+    SSL_free(clientssl);
+    clientssl = SSL_dup(client2ssl);
+    if (!TEST_ptr(clientssl)
+               /* Handshake has finished so pointers should be the same */
+            || !TEST_ptr_eq(clientssl, client2ssl))
+        goto end;
+
+    testresult = 1;
+
+ end:
+    SSL_free(serverssl);
+    SSL_free(clientssl);
+    SSL_free(client2ssl);
+    SSL_CTX_free(sctx);
+    SSL_CTX_free(cctx);
+
+    return testresult;
+}
+#endif
+
 int setup_tests(void)
 {
     if (!TEST_ptr(certsdir = test_get_argument(0))
@@ -6698,6 +6767,9 @@ int setup_tests(void)
     ADD_ALL_TESTS(test_client_cert_cb, 2);
     ADD_ALL_TESTS(test_ca_names, 3);
     ADD_ALL_TESTS(test_servername, 10);
+#ifndef OPENSSL_NO_TLS1_2
+    ADD_TEST(test_ssl_dup);
+#endif
     return 1;
 }
 


More information about the openssl-commits mailing list