security/openssl/files/extra-patch-ktls
diff --git CHANGES CHANGES | diff --git CHANGES CHANGES | ||||
index 37dd60b726..4d61c1dadb 100644 | index 1ab64b35c9..a4a63a9bea 100644 | ||||
--- CHANGES | --- CHANGES | ||||
+++ CHANGES | +++ CHANGES | ||||
@@ -390,6 +390,11 @@ | @@ -427,6 +427,11 @@ | ||||
necessary to configure just to create a source distribution. | necessary to configure just to create a source distribution. | ||||
[Richard Levitte] | [Richard Levitte] | ||||
+ *) Added support for Linux Kernel TLS data-path. The Linux Kernel data-path | + *) Added support for Linux Kernel TLS data-path. The Linux Kernel data-path | ||||
+ improves application performance by removing data copies and providing | + improves application performance by removing data copies and providing | ||||
+ applications with zero-copy system calls such as sendfile and splice. | + applications with zero-copy system calls such as sendfile and splice. | ||||
+ [Boris Pismenny] | + [Boris Pismenny] | ||||
+ | + | ||||
Changes between 1.1.1 and 1.1.1a [20 Nov 2018] | Changes between 1.1.1 and 1.1.1a [20 Nov 2018] | ||||
*) Timing vulnerability in DSA signature generation | *) Timing vulnerability in DSA signature generation | ||||
diff --git Configure Configure | diff --git Configure Configure | ||||
index 1d73d06e1b..29e655da96 100755 | index b286dd0678..f66f6bb3b1 100755 | ||||
--- Configure | --- Configure | ||||
+++ Configure | +++ Configure | ||||
@@ -341,6 +341,7 @@ my @dtls = qw(dtls1 dtls1_2); | @@ -341,6 +341,7 @@ my @dtls = qw(dtls1 dtls1_2); | ||||
# For developers: keep it sorted alphabetically | # For developers: keep it sorted alphabetically | ||||
my @disablables = ( | my @disablables = ( | ||||
+ "ktls", | + "ktls", | ||||
"afalgeng", | "afalgeng", | ||||
+} | +} | ||||
+ | + | ||||
+push @{$config{openssl_other_defines}}, "OPENSSL_NO_KTLS" if ($disabled{ktls}); | +push @{$config{openssl_other_defines}}, "OPENSSL_NO_KTLS" if ($disabled{ktls}); | ||||
+ | + | ||||
# Get the extra flags used when building shared libraries and modules. We | # Get the extra flags used when building shared libraries and modules. We | ||||
# do this late because some of them depend on %disabled. | # do this late because some of them depend on %disabled. | ||||
diff --git INSTALL INSTALL | diff --git INSTALL INSTALL | ||||
index f5118428b3..be84f2aa8e 100644 | index f3ac727183..f6f754fd5e 100644 | ||||
--- INSTALL | --- INSTALL | ||||
+++ INSTALL | +++ INSTALL | ||||
@@ -262,6 +262,15 @@ | @@ -263,6 +263,15 @@ | ||||
Don't build the AFALG engine. This option will be forced if | Don't build the AFALG engine. This option will be forced if | ||||
on a platform that does not support AFALG. | on a platform that does not support AFALG. | ||||
+ enable-ktls | + enable-ktls | ||||
+ Build with Kernel TLS support. This option will enable the | + Build with Kernel TLS support. This option will enable the | ||||
+ use of the Kernel TLS data-path, which can improve | + use of the Kernel TLS data-path, which can improve | ||||
+ performance and allow for the use of sendfile and splice | + performance and allow for the use of sendfile and splice | ||||
+ system calls on TLS sockets. The Kernel may use TLS | + system calls on TLS sockets. The Kernel may use TLS | ||||
+ BIO_clear_ktls_ctrl_msg_flag(b); | + BIO_clear_ktls_ctrl_msg_flag(b); | ||||
+ ret = 0; | + ret = 0; | ||||
+ break; | + break; | ||||
+# endif | +# endif | ||||
case BIO_CTRL_EOF: | case BIO_CTRL_EOF: | ||||
ret = (b->flags & BIO_FLAGS_IN_EOF) != 0 ? 1 : 0; | ret = (b->flags & BIO_FLAGS_IN_EOF) != 0 ? 1 : 0; | ||||
break; | break; | ||||
diff --git crypto/err/openssl.txt crypto/err/openssl.txt | diff --git crypto/err/openssl.txt crypto/err/openssl.txt | ||||
index 815460b24f..d547c45913 100644 | index 7e1776375d..b22e8a735c 100644 | ||||
--- crypto/err/openssl.txt | --- crypto/err/openssl.txt | ||||
+++ crypto/err/openssl.txt | +++ crypto/err/openssl.txt | ||||
@@ -1318,6 +1318,7 @@ SSL_F_SSL_RENEGOTIATE:516:SSL_renegotiate | @@ -1318,6 +1318,7 @@ SSL_F_SSL_RENEGOTIATE:516:SSL_renegotiate | ||||
SSL_F_SSL_RENEGOTIATE_ABBREVIATED:546:SSL_renegotiate_abbreviated | SSL_F_SSL_RENEGOTIATE_ABBREVIATED:546:SSL_renegotiate_abbreviated | ||||
SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT:320:* | SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT:320:* | ||||
SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT:321:* | SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT:321:* | ||||
+SSL_F_SSL_SENDFILE:639:SSL_sendfile | +SSL_F_SSL_SENDFILE:639:SSL_sendfile | ||||
SSL_F_SSL_SESSION_DUP:348:ssl_session_dup | SSL_F_SSL_SESSION_DUP:348:ssl_session_dup | ||||
+The return type of SSL_CTX_set_record_padding_callback() function was | +The return type of SSL_CTX_set_record_padding_callback() function was | ||||
+changed to int in OpenSSL 3.0. | +changed to int in OpenSSL 3.0. | ||||
+ | + | ||||
=head1 COPYRIGHT | =head1 COPYRIGHT | ||||
Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved. | Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved. | ||||
diff --git doc/man3/SSL_write.pod doc/man3/SSL_write.pod | diff --git doc/man3/SSL_write.pod doc/man3/SSL_write.pod | ||||
index 5e3ce1e7e4..20c7953deb 100644 | index 5e3ce1e7e4..9b271d8e65 100644 | ||||
--- doc/man3/SSL_write.pod | --- doc/man3/SSL_write.pod | ||||
+++ doc/man3/SSL_write.pod | +++ doc/man3/SSL_write.pod | ||||
@@ -2,12 +2,13 @@ | @@ -2,12 +2,13 @@ | ||||
=head1 NAME | =head1 NAME | ||||
-SSL_write_ex, SSL_write - write bytes to a TLS/SSL connection | -SSL_write_ex, SSL_write - write bytes to a TLS/SSL connection | ||||
+SSL_write_ex, SSL_write, SSL_sendfile - write bytes to a TLS/SSL connection | +SSL_write_ex, SSL_write, SSL_sendfile - write bytes to a TLS/SSL connection | ||||
+Kernel TLS is enabled, which can be checked by calling BIO_get_ktls_send(). | +Kernel TLS is enabled, which can be checked by calling BIO_get_ktls_send(). | ||||
+It is provided here to allow users to maintain the same interface. | +It is provided here to allow users to maintain the same interface. | ||||
+The meaning of B<flags> is platform dependent. | +The meaning of B<flags> is platform dependent. | ||||
+Currently, under Linux it is ignored. | +Currently, under Linux it is ignored. | ||||
+ | + | ||||
=head1 NOTES | =head1 NOTES | ||||
In the paragraphs below a "write function" is defined as one of either | In the paragraphs below a "write function" is defined as one of either | ||||
@@ -104,17 +113,35 @@ You should instead call SSL_get_error() to find out if it's retryable. | @@ -104,17 +113,36 @@ You should instead call SSL_get_error() to find out if it's retryable. | ||||
=back | =back | ||||
+For SSL_sendfile(), the following return values can occur: | +For SSL_sendfile(), the following return values can occur: | ||||
+ | + | ||||
+=over 4 | +=over 4 | ||||
+ | + | ||||
+=item Z<>>= 0 | +=item Z<>>= 0 | ||||
+ | + | ||||
+The write operation was successful, the return value is the number | +The write operation was successful, the return value is the number | ||||
+of bytes of the file written to the TLS/SSL connection. | +of bytes of the file written to the TLS/SSL connection. The return | ||||
+value can be less than B<size> for a partial write. | |||||
+ | + | ||||
+=item E<lt> 0 | +=item E<lt> 0 | ||||
+ | + | ||||
+The write operation was not successful, because either the connection was | +The write operation was not successful, because either the connection was | ||||
+closed, an error occured or action must be taken by the calling process. | +closed, an error occured or action must be taken by the calling process. | ||||
+Call SSL_get_error() with the return value to find out the reason. | +Call SSL_get_error() with the return value to find out the reason. | ||||
+ | + | ||||
+=back | +=back | ||||
+# define BIO_set_ktls_ctrl_msg(b, record_type) \ | +# define BIO_set_ktls_ctrl_msg(b, record_type) \ | ||||
+ BIO_ctrl(b, BIO_CTRL_SET_KTLS_TX_SEND_CTRL_MSG, record_type, NULL) | + BIO_ctrl(b, BIO_CTRL_SET_KTLS_TX_SEND_CTRL_MSG, record_type, NULL) | ||||
+# define BIO_clear_ktls_ctrl_msg(b) \ | +# define BIO_clear_ktls_ctrl_msg(b) \ | ||||
+ BIO_ctrl(b, BIO_CTRL_CLEAR_KTLS_TX_CTRL_MSG, 0, NULL) | + BIO_ctrl(b, BIO_CTRL_CLEAR_KTLS_TX_CTRL_MSG, 0, NULL) | ||||
+ | + | ||||
+#endif | +#endif | ||||
diff --git include/internal/ktls.h include/internal/ktls.h | diff --git include/internal/ktls.h include/internal/ktls.h | ||||
new file mode 100644 | new file mode 100644 | ||||
index 0000000000..9032c0ed61 | index 0000000000..622d7be76d | ||||
--- /dev/null | --- /dev/null | ||||
+++ include/internal/ktls.h | +++ include/internal/ktls.h | ||||
@@ -0,0 +1,403 @@ | @@ -0,0 +1,400 @@ | ||||
+/* | +/* | ||||
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. | + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. | ||||
+ * | + * | ||||
+ * Licensed under the Apache License 2.0 (the "License"). You may not use | + * Licensed under the Apache License 2.0 (the "License"). You may not use | ||||
+ * this file except in compliance with the License. You can obtain a copy | + * this file except in compliance with the License. You can obtain a copy | ||||
+ * in the file LICENSE in the source distribution or at | + * in the file LICENSE in the source distribution or at | ||||
+ * https://www.openssl.org/source/license.html | + * https://www.openssl.org/source/license.html | ||||
+ */ | + */ | ||||
+ | + | ||||
+/* | +/* | ||||
+ * KTLS enables the sendfile system call to send data from a file over | + * KTLS enables the sendfile system call to send data from a file over | ||||
+ * TLS. | + * TLS. | ||||
+ */ | + */ | ||||
+static ossl_inline ossl_ssize_t ktls_sendfile(int s, int fd, off_t off, | +static ossl_inline ossl_ssize_t ktls_sendfile(int s, int fd, off_t off, | ||||
+ size_t size, int flags) | + size_t size, int flags) | ||||
+{ | +{ | ||||
+ off_t sbytes; | + off_t sbytes = 0; | ||||
+ int ret; | + int ret; | ||||
+ | + | ||||
+ ret = sendfile(fd, s, off, size, NULL, &sbytes, flags); | + ret = sendfile(fd, s, off, size, NULL, &sbytes, flags); | ||||
+ if (ret == -1) { | + if (ret == -1 && sbytes == 0) | ||||
+ if (errno == EAGAIN && sbytes != 0) | |||||
+ return sbytes; | |||||
+ return -1; | + return -1; | ||||
+ } | |||||
+ return sbytes; | + return sbytes; | ||||
+} | +} | ||||
+ | + | ||||
+# endif /* __FreeBSD__ */ | +# endif /* __FreeBSD__ */ | ||||
+ | + | ||||
+# if defined(OPENSSL_SYS_LINUX) | +# if defined(OPENSSL_SYS_LINUX) | ||||
+ | + | ||||
+# include <linux/tls.h> | +# include <linux/tls.h> | ||||
+ ssl->record_padding_cb = cb; | + ssl->record_padding_cb = cb; | ||||
+ return 1; | + return 1; | ||||
+ } | + } | ||||
+ return 0; | + return 0; | ||||
} | } | ||||
void SSL_set_record_padding_callback_arg(SSL *ssl, void *arg) | void SSL_set_record_padding_callback_arg(SSL *ssl, void *arg) | ||||
diff --git ssl/ssl_local.h ssl/ssl_local.h | diff --git ssl/ssl_local.h ssl/ssl_local.h | ||||
index 8ddbde7729..dc430fe40b 100644 | index 8c3542a542..c10e7d52ce 100644 | ||||
--- ssl/ssl_local.h | --- ssl/ssl_local.h | ||||
+++ ssl/ssl_local.h | +++ ssl/ssl_local.h | ||||
@@ -34,6 +34,8 @@ | @@ -34,6 +34,8 @@ | ||||
# include "internal/dane.h" | # include "internal/dane.h" | ||||
# include "internal/refcount.h" | # include "internal/refcount.h" | ||||
# include "internal/tsan_assist.h" | # include "internal/tsan_assist.h" | ||||
+# include "internal/bio.h" | +# include "internal/bio.h" | ||||
+# include "internal/ktls.h" | +# include "internal/ktls.h" | ||||
# ifdef OPENSSL_BUILD_SHLIBSSL | # ifdef OPENSSL_BUILD_SHLIBSSL | ||||
# undef OPENSSL_EXTERN | # undef OPENSSL_EXTERN | ||||
@@ -2618,6 +2620,17 @@ __owur int ssl_log_secret(SSL *ssl, const char *label, | @@ -2617,6 +2619,17 @@ __owur int ssl_log_secret(SSL *ssl, const char *label, | ||||
#define EARLY_EXPORTER_SECRET_LABEL "EARLY_EXPORTER_SECRET" | #define EARLY_EXPORTER_SECRET_LABEL "EARLY_EXPORTER_SECRET" | ||||
#define EXPORTER_SECRET_LABEL "EXPORTER_SECRET" | #define EXPORTER_SECRET_LABEL "EXPORTER_SECRET" | ||||
+# ifndef OPENSSL_NO_KTLS | +# ifndef OPENSSL_NO_KTLS | ||||
+/* ktls.c */ | +/* ktls.c */ | ||||
+int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c, | +int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c, | ||||
+ const EVP_CIPHER_CTX *dd); | + const EVP_CIPHER_CTX *dd); | ||||
+int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, | +int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, | ||||
▲ Show 20 Lines • Show All 355 Lines • ▼ Show 20 Lines | @@ -764,6 +816,7 @@ int tls13_update_key(SSL *s, int sending) | ||||
s->statem.enc_write_state = ENC_WRITE_STATE_VALID; | s->statem.enc_write_state = ENC_WRITE_STATE_VALID; | ||||
ret = 1; | ret = 1; | ||||
err: | err: | ||||
+ OPENSSL_cleanse(key, sizeof(key)); | + OPENSSL_cleanse(key, sizeof(key)); | ||||
OPENSSL_cleanse(secret, sizeof(secret)); | OPENSSL_cleanse(secret, sizeof(secret)); | ||||
return ret; | return ret; | ||||
} | } | ||||
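Review bot: `OPENSSL_cleanse(key, sizeof(key));` at the `err:` label only wipes the whole buffer if `key` is a fixed-size array local to tls13_update_key; its declaration is outside this hunk, so confirm it is not a pointer or a buffer whose live length is set by the cipher, where `sizeof` would count the wrong number of bytes. Running it at the shared `err:` label is the right placement, since on the success path the key material has already been loaded into the write cipher state (and, if the ktls path is taken, handed to the kernel) before `ret = 1`. The same wipe presumably belongs on whatever stack copy of the key the ktls_configure_crypto path builds for the setsockopt call — that code is not visible here, so it is worth checking that the crypto-info struct is cleansed once the kernel has consumed it. tls13_update_key's body begins outside the hunk.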
diff --git test/build.info test/build.info | diff --git test/build.info test/build.info | ||||
index 56ac14eabd..e8454e2e03 100644 | index bc3dae81f9..e5ccaab5ba 100644 | ||||
--- test/build.info | --- test/build.info | ||||
+++ test/build.info | +++ test/build.info | ||||
@@ -544,7 +544,7 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN | @@ -544,7 +544,7 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN | ||||
# We disable this test completely in a shared build because it deliberately | # We disable this test completely in a shared build because it deliberately | ||||
# redefines some internal libssl symbols. This doesn't work in a non-shared | # redefines some internal libssl symbols. This doesn't work in a non-shared | ||||
# build | # build | ||||
- IF[{- !$disabled{shared} -}] | - IF[{- !$disabled{shared} -}] | ||||
+ IF[{- !$disabled{shared} && $disabled{ktls} -}] | + IF[{- !$disabled{shared} && $disabled{ktls} -}] | ||||
plan skip_all => "$test_name is not supported in this build" | plan skip_all => "$test_name is not supported in this build" | ||||
- if disabled("tls1_3") || disabled("shared"); | - if disabled("tls1_3") || disabled("shared"); | ||||
+ if disabled("tls1_3") || disabled("shared") || !disabled("ktls"); | + if disabled("tls1_3") || disabled("shared") || !disabled("ktls"); | ||||
plan tests => 1; | plan tests => 1; | ||||
diff --git test/sslapitest.c test/sslapitest.c | diff --git test/sslapitest.c test/sslapitest.c | ||||
index ad1824c68d..f6a61cab4e 100644 | index 4a27ee1ba2..f846bcb4ee 100644 | ||||
--- test/sslapitest.c | --- test/sslapitest.c | ||||
+++ test/sslapitest.c | +++ test/sslapitest.c | ||||
@@ -7,6 +7,7 @@ | @@ -7,6 +7,7 @@ | ||||
* https://www.openssl.org/source/license.html | * https://www.openssl.org/source/license.html | ||||
*/ | */ | ||||
+#include <stdio.h> | +#include <stdio.h> | ||||
#include <string.h> | #include <string.h> | ||||
+} | +} | ||||
+ | + | ||||
+#endif | +#endif | ||||
+#endif | +#endif | ||||
+ | + | ||||
static int test_large_message_tls(void) | static int test_large_message_tls(void) | ||||
{ | { | ||||
return execute_test_large_message(TLS_server_method(), TLS_client_method(), | return execute_test_large_message(TLS_server_method(), TLS_client_method(), | ||||
@@ -6691,6 +7097,12 @@ int setup_tests(void) | @@ -6747,6 +7153,12 @@ int setup_tests(void) | ||||
return 0; | return 0; | ||||
} | } | ||||
+#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK) | +#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK) | ||||
+#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3) | +#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3) | ||||
+ ADD_ALL_TESTS(test_ktls, 32); | + ADD_ALL_TESTS(test_ktls, 32); | ||||
+ ADD_ALL_TESTS(test_ktls_sendfile_anytls, 6); | + ADD_ALL_TESTS(test_ktls_sendfile_anytls, 6); | ||||
+#endif | +#endif | ||||