[openssl] master update
kaduk at mit.edu
Sun Nov 29 03:16:48 UTC 2020
The branch master has been updated
via 6568d7a93127d097122e2ce10491d06a363929e9 (commit)
via 410f5bb18908d89e5e35339049adf4070925faec (commit)
from d27a8e922ba0b5357abf435cca75b5fe133cfe94 (commit)
- Log -----------------------------------------------------------------
commit 6568d7a93127d097122e2ce10491d06a363929e9
Author: John Baldwin <jhb at FreeBSD.org>
Date: Fri Oct 9 15:12:53 2020 -0700
Collapse two identical if statements into a single body.
These two bodies should be grouped together anyway as the reason for
the call to BIO_flush() is to permit using BIO_set_ktls_ctrl_msg().
Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: Ben Kaduk <kaduk at mit.edu>
(Merged from https://github.com/openssl/openssl/pull/13090)
commit 410f5bb18908d89e5e35339049adf4070925faec
Author: John Baldwin <jhb at FreeBSD.org>
Date: Wed Oct 7 14:34:19 2020 -0700
Allow zero-byte writes to be reported as success.
When using KTLS, empty fragments sent as a mitigation for known-IV
weaknesses in TLS 1.0 are sent as writes of 0 bytes. The TLS header
and trailer are added to the empty fragment by the kernel.
Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: Ben Kaduk <kaduk at mit.edu>
(Merged from https://github.com/openssl/openssl/pull/13090)
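The completion check that the second commit relaxes, modelled as an added example (this is illustration written for this page, not OpenSSL code): a constructed `pending_buf` stands in for the `offset`/`left` fields of `SSL3_BUFFER`, a hypothetical `write_fn` stands in for `BIO_write()`, and `old_complete()`/`new_complete()` are the pre- and post-patch conditions. It shows why `i >= 0` is safe only together with the `tmpwrit == left` guard: a zero-length empty-fragment write (the KTLS case) is now reported as success, while a transport that returns 0 with bytes still pending is still treated as "retry".

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the SSL3_BUFFER fields the patch touches. */
typedef struct {
    size_t offset;   /* bytes already handed to the transport */
    size_t left;     /* bytes still pending */
} pending_buf;

/* Hypothetical transport write (BIO_write() stand-in): >0 bytes accepted,
 * 0 for no progress or for an accepted zero-length request, -1 on error. */
typedef int (*write_fn)(size_t len);

/* Pre-patch condition: a write completes the buffer only if i > 0. */
static int old_complete(int i, size_t tmpwrit, size_t left)
{
    return i > 0 && tmpwrit == left;
}

/* Post-patch condition: i == 0 also completes the buffer, but only when the
 * amount written (0) equals what was pending (0). A 0 return with bytes still
 * pending fails tmpwrit == left and falls through to the retry path. */
static int new_complete(int i, size_t tmpwrit, size_t left)
{
    return i >= 0 && tmpwrit == left;
}

/* Drive the buffer to completion. Returns 1 when fully written, 0 when the
 * transport made no progress (caller retries), -1 on error. */
static int write_pending(pending_buf *wb, write_fn w, int use_new)
{
    for (;;) {
        size_t tmpwrit = 0;
        int i = w(wb->left);
        if (i >= 0)
            tmpwrit = (size_t)i;   /* mirrors "if (i >= 0) tmpwrit = i;" */
        int done = use_new ? new_complete(i, tmpwrit, wb->left)
                           : old_complete(i, tmpwrit, wb->left);
        if (done) {
            wb->offset += tmpwrit;
            wb->left = 0;
            return 1;
        } else if (i <= 0) {
            return i;              /* 0: retry later, -1: error */
        }
        /* partial write: advance and keep going */
        wb->offset += tmpwrit;
        wb->left -= tmpwrit;
    }
}

/* Constructed transports. */
static int accept_all(size_t len) { return (int)len; }               /* KTLS-like */
static int accept_two(size_t len) { return len < 2 ? (int)len : 2; } /* short writes */
static int would_block(size_t len) { (void)len; return 0; }         /* no progress */
static int write_error(size_t len) { (void)len; return -1; }

/* Run one scenario from a fresh buffer and return the loop's result. */
static int run(size_t pending, write_fn w, int use_new)
{
    pending_buf wb = { 0, pending };
    return write_pending(&wb, w, use_new);
}

int main(void)
{
    printf("empty fragment, old: %d  new: %d\n",
           run(0, accept_all, 0), run(0, accept_all, 1));   /* 0 vs 1 */
    printf("5 pending, no progress, old: %d  new: %d\n",
           run(5, would_block, 0), run(5, would_block, 1)); /* 0 vs 0 */
    printf("5 pending in short writes, new: %d\n", run(5, accept_two, 1)); /* 1 */
    printf("error, new: %d\n", run(5, write_error, 1));     /* -1 */
    return 0;
}
```

The first line of output is the case the commit fixes: with the old condition the zero-byte empty fragment returns 0 and the caller keeps retrying a write that already succeeded; with the new one it completes. The second line is the edge case that must not regress: a transport returning 0 with data still pending is still a retry under both conditions, because `tmpwrit` (0) does not equal `left` (5).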
-----------------------------------------------------------------------
Summary of changes:
ssl/record/rec_layer_s3.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index 0d9228c670..17ee8bd483 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -1189,10 +1189,6 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, size_t len,
i = BIO_flush(s->wbio);
if (i <= 0)
return i;
- }
-
- if (BIO_get_ktls_send(s->wbio)
- && type != SSL3_RT_APPLICATION_DATA) {
BIO_set_ktls_ctrl_msg(s->wbio, type);
}
/* TODO(size_t): Convert this call */
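Review bot: the surviving `if` that now encloses both `BIO_flush()` and `BIO_set_ktls_ctrl_msg()` opens above the hunk's first context line (`i = BIO_flush(s->wbio);`), so the hunk itself does not show that it carries the same `BIO_get_ktls_send(s->wbio) && type != SSL3_RT_APPLICATION_DATA` test as the removed block; worth confirming against the full function. The merge also changes one thing beyond removing duplication: `BIO_set_ktls_ctrl_msg()` is now reached only after the flush returned `i > 0`, which is the ordering the commit message says is intended (the flush exists to make the ctrl-msg call safe). A one-line comment above the flush stating that dependency would save the next reader a trip through the history.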
@@ -1206,7 +1202,15 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, size_t len,
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BIO_NOT_SET);
i = -1;
}
- if (i > 0 && tmpwrit == SSL3_BUFFER_get_left(&wb[currbuf])) {
+
+ /*
+ * When an empty fragment is sent on a connection using KTLS,
+ * it is sent as a write of zero bytes. If this zero byte
+ * write succeeds, i will be 0 rather than a non-zero value.
+ * Treat i == 0 as success rather than an error for zero byte
+ * writes to permit this case.
+ */
+ if (i >= 0 && tmpwrit == SSL3_BUFFER_get_left(&wb[currbuf])) {
SSL3_BUFFER_set_left(&wb[currbuf], 0);
SSL3_BUFFER_add_offset(&wb[currbuf], tmpwrit);
if (currbuf + 1 < s->rlayer.numwpipes)
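Review bot: the relaxed `i >= 0` test is only safe because `tmpwrit == SSL3_BUFFER_get_left(&wb[currbuf])` is checked in the same condition, and the new comment should say so explicitly: the assignment of `tmpwrit` from `i` after the `BIO_write()` under the `TODO(size_t)` comment is outside the hunk, and it is that assignment which makes `i == 0` with bytes still pending fail the equality and fall through to the existing `i <= 0` retry path. Suggest extending the comment with something like `tmpwrit is set from i, so i == 0 only satisfies tmpwrit == left when nothing was pending.` Also, the comment describes the KTLS case but the new condition applies to every BIO; that is fine given the commit message (only with KTLS does the kernel add the header and trailer, so only KTLS produces a zero-length write for an empty fragment), but stating it in the comment would pre-empt the question.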