[openssl] master update

dev at ddvo.net dev at ddvo.net
Sat May 29 05:48:46 UTC 2021


The branch master has been updated
       via  24c07e50551f73f565295db22478464ca9adc32e (commit)
       via  a7014122ac4d7b29e349e51028994581e8a73840 (commit)
       via  f4706b165a12dd5e120efaa9a94ea47f26792362 (commit)
       via  d318fc954524e413148baa5fa1620f85fb008100 (commit)
       via  d357dd51cbea662792b0816f441718b7fb66bd49 (commit)
      from  189c4759ebb7eefe6c8edb0a5493dc4082f45696 (commit)


- Log -----------------------------------------------------------------
commit 24c07e50551f73f565295db22478464ca9adc32e
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Tue May 25 08:43:59 2021 +0200

    BIO acpt_state(): Allow retrying addresses (e.g., using IPv6 vs. IPv4) on creating accept socket
    
    Fixes #15386
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15417)

commit a7014122ac4d7b29e349e51028994581e8a73840
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Mon May 24 13:02:55 2021 +0200

    BIO_s_accept.pod: Add missing documentation for BIO_{get,set}_accept_ip_family()
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15417)

commit f4706b165a12dd5e120efaa9a94ea47f26792362
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Sun May 23 12:36:11 2021 +0200

    apps/ocsp: Allow -port 0
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15417)

commit d318fc954524e413148baa5fa1620f85fb008100
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Sat May 22 12:02:00 2021 +0200

    DOC: Slightly improve the documentation of BIO_lookup() and related functions
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15417)

commit d357dd51cbea662792b0816f441718b7fb66bd49
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Sat May 22 11:59:44 2021 +0200

    apps/lib/s_socket.c and 80-test_cmp_http.t: Make ACCEPT port reporting more robust
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15417)

-----------------------------------------------------------------------

Summary of changes:
 NOTES-NONSTOP.md                                   |  2 +-
 apps/lib/s_socket.c                                | 11 +++++----
 apps/ocsp.c                                        |  2 +-
 crypto/bio/b_addr.c                                |  6 ++---
 crypto/bio/bss_acpt.c                              | 12 +++++++---
 doc/man1/openssl-ocsp.pod.in                       |  1 +
 doc/man3/BIO_ADDRINFO.pod                          |  5 ++--
 doc/man3/BIO_s_accept.pod                          |  8 ++++++-
 test/recipes/80-test_cmp_http.t                    | 28 ++++++++++++----------
 test/recipes/80-test_cmp_http_data/Mock/server.cnf |  3 +--
 test/recipes/80-test_cmp_http_data/Mock/test.cnf   |  1 +
 11 files changed, 48 insertions(+), 31 deletions(-)

diff --git a/NOTES-NONSTOP.md b/NOTES-NONSTOP.md
index 0ad09bae8d..7bf051cdd3 100644
--- a/NOTES-NONSTOP.md
+++ b/NOTES-NONSTOP.md
@@ -42,7 +42,7 @@ The TNS/E platform is build using the same set of builds specifying `nse`
 instead of `nsx` in the set above.
 
 You cannot build for TNS/E for FIPS, so you must specify the `no-fips`
-option to `./Configure`
+option to `./Configure`.
 
 About Prefix and OpenSSLDir
 ---------------------------
diff --git a/apps/lib/s_socket.c b/apps/lib/s_socket.c
index f543551bf1..fbe913e37a 100644
--- a/apps/lib/s_socket.c
+++ b/apps/lib/s_socket.c
@@ -195,6 +195,8 @@ int report_server_accept(BIO *out, int asock, int with_address)
 {
     int success = 0;
 
+    if (BIO_printf(out, "ACCEPT") <= 0)
+        return 0;
     if (with_address) {
         union BIO_sock_info_u info;
         char *hostname = NULL;
@@ -206,16 +208,17 @@ int report_server_accept(BIO *out, int asock, int with_address)
             && (service = BIO_ADDR_service_string(info.addr, 1)) != NULL
             && BIO_printf(out,
                           strchr(hostname, ':') == NULL
-                          ? /* IPv4 */ "ACCEPT %s:%s\n"
-                          : /* IPv6 */ "ACCEPT [%s]:%s\n",
+                          ? /* IPv4 */ " %s:%s\n"
+                          : /* IPv6 */ " [%s]:%s\n",
                           hostname, service) > 0)
             success = 1;
+        else
+            (void)BIO_printf(out, "unknown:error\n");
 
         OPENSSL_free(hostname);
         OPENSSL_free(service);
         BIO_ADDR_free(info.addr);
-    } else {
-        (void)BIO_printf(out, "ACCEPT\n");
+    } else if (BIO_printf(out, "\n") > 0) {
         success = 1;
     }
     (void)BIO_flush(out);
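Review bot: The fallback `(void)BIO_printf(out, "unknown:error\n");` in the new else branch is written directly after the `ACCEPT` token that the earlier hunk now prints on its own, with no separating space, so the failure line comes out as `ACCEPTunknown:error` while the success formats ` %s:%s\n` and ` [%s]:%s\n` carry a leading space. The test recipe's `/^ACCEPT/` check still matches it, so the mismatch is easy to miss. Change it to `(void)BIO_printf(out, " unknown:error\n");`. report_server_accept continues past the end of this hunk.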
diff --git a/apps/ocsp.c b/apps/ocsp.c
index cf4f629db1..7a5f84e527 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -160,7 +160,7 @@ const OPTIONS ocsp_options[] = {
     OPT_SECTION("Client"),
     {"url", OPT_URL, 's', "Responder URL"},
     {"host", OPT_HOST, 's', "TCP/IP hostname:port to connect to"},
-    {"port", OPT_PORT, 'p', "Port to run responder on"},
+    {"port", OPT_PORT, 'N', "Port to run responder on"},
     {"path", OPT_PATH, 's', "Path to use in OCSP request"},
 #ifndef OPENSSL_NO_SOCK
     {"proxy", OPT_PROXY, 's',
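Review bot: The help string of `-port` still reads `Port to run responder on` although the switch from `'p'` to `'N'` exists precisely to let `0` through, so `openssl ocsp -help` gives no hint that 0 means an automatically chosen port; only the manual page hunk says so. Suggest `{"port", OPT_PORT, 'N', "Port to run responder on (0 for any free port)"},`.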
diff --git a/crypto/bio/b_addr.c b/crypto/bio/b_addr.c
index 3ea5271bd3..0efbc3cb44 100644
--- a/crypto/bio/b_addr.c
+++ b/crypto/bio/b_addr.c
@@ -628,8 +628,8 @@ int BIO_lookup(const char *host, const char *service,
 }
 
 /*-
- * BIO_lookup_ex - look up the node and service you want to connect to.
- * @node: the node you want to connect to.
+ * BIO_lookup_ex - look up the host and service you want to connect to.
+ * @host: the host (or node, in case family == AF_UNIX) you want to connect to.
  * @service: the service you want to connect to.
  * @lookup_type: declare intent with the result, client or server.
  * @family: the address family you want to use.  Use AF_UNSPEC for any, or
@@ -642,7 +642,7 @@ int BIO_lookup(const char *host, const char *service,
  *            with 0 for the protocol)
  * @res: Storage place for the resulting list of returned addresses
  *
- * This will do a lookup of the node and service that you want to connect to.
+ * This will do a lookup of the host and service that you want to connect to.
  * It returns a linked list of different addresses you can try to connect to.
  *
  * When no longer needed you should call BIO_ADDRINFO_free() to free the result.
diff --git a/crypto/bio/bss_acpt.c b/crypto/bio/bss_acpt.c
index aff92223af..834c2ffef1 100644
--- a/crypto/bio/bss_acpt.c
+++ b/crypto/bio/bss_acpt.c
@@ -216,18 +216,24 @@ static int acpt_state(BIO *b, BIO_ACCEPT *c)
                 ERR_raise(ERR_LIB_BIO, BIO_R_LOOKUP_RETURNED_NOTHING);
                 goto exit_loop;
             }
-            /* We're currently not iterating, but set this as preparation
-             * for possible future development in that regard
-             */
             c->addr_iter = c->addr_first;
             c->state = ACPT_S_CREATE_SOCKET;
             break;
 
         case ACPT_S_CREATE_SOCKET:
+            ERR_set_mark();
             s = BIO_socket(BIO_ADDRINFO_family(c->addr_iter),
                            BIO_ADDRINFO_socktype(c->addr_iter),
                            BIO_ADDRINFO_protocol(c->addr_iter), 0);
             if (s == (int)INVALID_SOCKET) {
+                if ((c->addr_iter = BIO_ADDRINFO_next(c->addr_iter)) != NULL) {
+                    /*
+                     * if there are more addresses to try, do that first
+                     */
+                    ERR_pop_to_mark();
+                    break;
+                }
+                ERR_clear_last_mark();
                 ERR_raise_data(ERR_LIB_SYS, get_last_socket_error(),
                                "calling socket(%s, %s)",
                                 c->param_addr, c->param_serv);
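Review bot: `ERR_set_mark()` before `BIO_socket()` is balanced on both failure paths (`ERR_pop_to_mark()` when another address follows, `ERR_clear_last_mark()` before raising), but the success path after the `if (s == (int)INVALID_SOCKET)` block lies outside this hunk, so whether it calls `ERR_clear_last_mark()` cannot be seen here; without it every successful socket creation leaves a stale mark on the error queue. Note also that the errors of addresses skipped by the retry are discarded, so the final diagnostic only carries `get_last_socket_error()` of the last address tried, which may hide why the preferred family failed. The removed "not iterating" comment could be replaced on the `c->addr_iter = c->addr_first;` line with `/* addr_iter is advanced in ACPT_S_CREATE_SOCKET when socket() fails */`. acpt_state() starts and ends outside this hunk.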
diff --git a/doc/man1/openssl-ocsp.pod.in b/doc/man1/openssl-ocsp.pod.in
index 0116feeaae..0ef1e1a002 100644
--- a/doc/man1/openssl-ocsp.pod.in
+++ b/doc/man1/openssl-ocsp.pod.in
@@ -371,6 +371,7 @@ subject name.
 
 Port to listen for OCSP requests on. The port may also be specified
 using the B<url> option.
+A `0` argument indicates that any available port shall be chosen automatically.
 
 =item B<-ignore_err>
 
diff --git a/doc/man3/BIO_ADDRINFO.pod b/doc/man3/BIO_ADDRINFO.pod
index d6f452065e..a4fa808830 100644
--- a/doc/man3/BIO_ADDRINFO.pod
+++ b/doc/man3/BIO_ADDRINFO.pod
@@ -23,7 +23,7 @@ BIO_lookup
 
  int BIO_lookup_ex(const char *host, const char *service, int lookup_type,
                    int family, int socktype, int protocol, BIO_ADDRINFO **res);
- int BIO_lookup(const char *node, const char *service,
+ int BIO_lookup(const char *host, const char *service,
                 enum BIO_lookup_type lookup_type,
                 int family, int socktype, BIO_ADDRINFO **res);
 
@@ -54,8 +54,7 @@ used. B<res> points at a pointer to hold the start of a B<BIO_ADDRINFO>
 chain.
 
 For the family B<AF_UNIX>, BIO_lookup_ex() will ignore the B<service>
-parameter and expects the B<node> parameter to hold the path to the
-socket file.
+parameter and expects the B<host> parameter to hold the path to the socket file.
 
 BIO_lookup() does the same as BIO_lookup_ex() but does not provide the ability
 to select based on the protocol (any protocol may be returned).
diff --git a/doc/man3/BIO_s_accept.pod b/doc/man3/BIO_s_accept.pod
index f49eb532fc..4e6a915b46 100644
--- a/doc/man3/BIO_s_accept.pod
+++ b/doc/man3/BIO_s_accept.pod
@@ -73,7 +73,7 @@ connect BIOs, that is it can be a numerical port string or a
 string to lookup using getservbyname() and a string table.
 
 BIO_set_accept_port() uses the string B<port> to set the accept
-port.  "port" has the same syntax as the port specified in
+port of BIO I<b>.  "port" has the same syntax as the port specified in
 BIO_set_conn_port() for connect BIOs, that is it can be a numerical
 port string or a string to lookup using getservbyname() and a string
 table.
@@ -94,6 +94,12 @@ buffering or SSL BIO is required for each connection. The
 chain of BIOs must not be freed after this call, they will
 be automatically freed when the accept BIO is freed.
 
+BIO_get_accept_ip_family() returns the IP family accepted by the BIO I<b>,
+which may be B<BIO_FAMILY_IPV4>, B<BIO_FAMILY_IPV6>, or B<BIO_FAMILY_IPANY>.
+
+BIO_set_accept_ip_family() sets the IP family I<family> accepted by BIO I<b>.
+The default is B<BIO_FAMILY_IPANY>.
+
 BIO_set_bind_mode() and BIO_get_bind_mode() set and retrieve
 the current bind mode. If B<BIO_BIND_NORMAL> (the default) is set
 then another socket cannot be bound to the same port. If
diff --git a/test/recipes/80-test_cmp_http.t b/test/recipes/80-test_cmp_http.t
index c74a5faf03..106f580636 100644
--- a/test/recipes/80-test_cmp_http.t
+++ b/test/recipes/80-test_cmp_http.t
@@ -187,8 +187,7 @@ indir data_dir() => sub {
             if ($server_name eq "Mock") {
                 indir "Mock" => sub {
                     $pid = start_mock_server("");
-                    skip "Cannot start or find the started CMP mock server",
-                        scalar @all_aspects unless $pid;
+                    die "Cannot start or find the started CMP mock server" unless $pid;
                 }
             }
             foreach my $aspect (@all_aspects) {
@@ -275,20 +274,23 @@ sub start_mock_server {
     my $cmd = bldtop_dir($app) . " -config server.cnf $args";
     print "Current directory is ".getcwd()."\n";
     print "Launching mock server: $cmd\n";
+    die "Invalid port: $server_port" unless $server_port =~ m/^\d+$/;
     my $pid = open($server_fh, "$cmd|") or die "Trying to $cmd";
     print "Pid is: $pid\n";
-    # Find out the actual server port
-    while (<$server_fh>) {
-        print;
-        s/\R$//;                # Better chomp
-        next unless (/^ACCEPT\s.*:(\d+)$/);
-        $server_port = $1;
-        $server_tls = $1;
-        $kur_port = $1;
-        $pbm_port = $1;
-        last;
+    if ($server_port eq "0") {
+        # Find out the actual server port
+        while (<$server_fh>) {
+            print;
+            s/\R$//;                # Better chomp
+            next unless (/^ACCEPT/);
+            $server_port = $server_tls = $kur_port = $pbm_port = $1
+                if m/^ACCEPT\s.*?:(\d+)$/;
+            last;
+        }
     }
-    return $pid;
+    return $pid if $server_port =~ m/^(\d+)$/;
+    stop_mock_server($pid);
+    return 0;
 }
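Review bot: The final check `return $pid if $server_port =~ m/^(\d+)$/;` still accepts the value `0`: when the server is started with port 0 and the loop ends without the `m/^ACCEPT\s.*?:(\d+)$/` capture matching (an ACCEPT line without a port, or the output closing early), `$server_port` stays `"0"`, which is all digits, so the function reports success and the later tests try to reach port 0 instead of hitting the `stop_mock_server($pid)` fallback. Tightening it to `return $pid if $server_port =~ m/^\d+$/ && $server_port > 0;` makes that fallback reachable. The chained assignment with a statement-modifier `if` is correct since the condition is evaluated first, but a short comment such as `# port taken from the ACCEPT line, if it reports one` would make it easier to read.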
 
 sub stop_mock_server {
diff --git a/test/recipes/80-test_cmp_http_data/Mock/server.cnf b/test/recipes/80-test_cmp_http_data/Mock/server.cnf
index 24a6ebb9f6..633dc9230b 100644
--- a/test/recipes/80-test_cmp_http_data/Mock/server.cnf
+++ b/test/recipes/80-test_cmp_http_data/Mock/server.cnf
@@ -1,7 +1,6 @@
 [cmp] # mock server configuration
 
-# port 0 means that a random available port will be used
-port = 0
+port = 0 # 0 means that the server should choose a random available port
 srv_cert = server.crt
 srv_key = server.key
 srv_secret = pass:test
diff --git a/test/recipes/80-test_cmp_http_data/Mock/test.cnf b/test/recipes/80-test_cmp_http_data/Mock/test.cnf
index 8c8913b3c9..87dd575a8a 100644
--- a/test/recipes/80-test_cmp_http_data/Mock/test.cnf
+++ b/test/recipes/80-test_cmp_http_data/Mock/test.cnf
@@ -17,6 +17,7 @@ policies = certificatePolicies
 [Mock] # the built-in OpenSSL CMP mock server
 no_check_time = 1
 server_host = 127.0.0.1 # localhost
+# server_port = 0 means that the port is determined by the server
 server_port = 0
 server_tls = $server_port
 server_cert = server.crt

