Changeset View
Changeset View
Standalone View
Standalone View
security/openssl/files/extra-patch-ktls
| diff --git CHANGES CHANGES | diff --git CHANGES CHANGES | ||||
| index 37dd60b726..4d61c1dadb 100644 | index 1ab64b35c9..a4a63a9bea 100644 | ||||
| --- CHANGES | --- CHANGES | ||||
| +++ CHANGES | +++ CHANGES | ||||
| @@ -390,6 +390,11 @@ | @@ -427,6 +427,11 @@ | ||||
| necessary to configure just to create a source distribution. | necessary to configure just to create a source distribution. | ||||
| [Richard Levitte] | [Richard Levitte] | ||||
| + *) Added support for Linux Kernel TLS data-path. The Linux Kernel data-path | + *) Added support for Linux Kernel TLS data-path. The Linux Kernel data-path | ||||
| + improves application performance by removing data copies and providing | + improves application performance by removing data copies and providing | ||||
| + applications with zero-copy system calls such as sendfile and splice. | + applications with zero-copy system calls such as sendfile and splice. | ||||
| + [Boris Pismenny] | + [Boris Pismenny] | ||||
| + | + | ||||
| Changes between 1.1.1 and 1.1.1a [20 Nov 2018] | Changes between 1.1.1 and 1.1.1a [20 Nov 2018] | ||||
| *) Timing vulnerability in DSA signature generation | *) Timing vulnerability in DSA signature generation | ||||
| diff --git Configure Configure | diff --git Configure Configure | ||||
| index 1d73d06e1b..29e655da96 100755 | index b286dd0678..f66f6bb3b1 100755 | ||||
| --- Configure | --- Configure | ||||
| +++ Configure | +++ Configure | ||||
| @@ -341,6 +341,7 @@ my @dtls = qw(dtls1 dtls1_2); | @@ -341,6 +341,7 @@ my @dtls = qw(dtls1 dtls1_2); | ||||
| # For developers: keep it sorted alphabetically | # For developers: keep it sorted alphabetically | ||||
| my @disablables = ( | my @disablables = ( | ||||
| + "ktls", | + "ktls", | ||||
| "afalgeng", | "afalgeng", | ||||
| Show All 37 Lines | |||||
| +} | +} | ||||
| + | + | ||||
| +push @{$config{openssl_other_defines}}, "OPENSSL_NO_KTLS" if ($disabled{ktls}); | +push @{$config{openssl_other_defines}}, "OPENSSL_NO_KTLS" if ($disabled{ktls}); | ||||
| + | + | ||||
| # Get the extra flags used when building shared libraries and modules. We | # Get the extra flags used when building shared libraries and modules. We | ||||
| # do this late because some of them depend on %disabled. | # do this late because some of them depend on %disabled. | ||||
| diff --git INSTALL INSTALL | diff --git INSTALL INSTALL | ||||
| index f5118428b3..be84f2aa8e 100644 | index f3ac727183..f6f754fd5e 100644 | ||||
| --- INSTALL | --- INSTALL | ||||
| +++ INSTALL | +++ INSTALL | ||||
| @@ -262,6 +262,15 @@ | @@ -263,6 +263,15 @@ | ||||
| Don't build the AFALG engine. This option will be forced if | Don't build the AFALG engine. This option will be forced if | ||||
| on a platform that does not support AFALG. | on a platform that does not support AFALG. | ||||
| + enable-ktls | + enable-ktls | ||||
| + Build with Kernel TLS support. This option will enable the | + Build with Kernel TLS support. This option will enable the | ||||
| + use of the Kernel TLS data-path, which can improve | + use of the Kernel TLS data-path, which can improve | ||||
| + performance and allow for the use of sendfile and splice | + performance and allow for the use of sendfile and splice | ||||
| + system calls on TLS sockets. The Kernel may use TLS | + system calls on TLS sockets. The Kernel may use TLS | ||||
| ▲ Show 20 Lines • Show All 261 Lines • ▼ Show 20 Lines | |||||
| + BIO_clear_ktls_ctrl_msg_flag(b); | + BIO_clear_ktls_ctrl_msg_flag(b); | ||||
| + ret = 0; | + ret = 0; | ||||
| + break; | + break; | ||||
| +# endif | +# endif | ||||
| case BIO_CTRL_EOF: | case BIO_CTRL_EOF: | ||||
| ret = (b->flags & BIO_FLAGS_IN_EOF) != 0 ? 1 : 0; | ret = (b->flags & BIO_FLAGS_IN_EOF) != 0 ? 1 : 0; | ||||
| break; | break; | ||||
| diff --git crypto/err/openssl.txt crypto/err/openssl.txt | diff --git crypto/err/openssl.txt crypto/err/openssl.txt | ||||
| index 815460b24f..d547c45913 100644 | index 7e1776375d..b22e8a735c 100644 | ||||
| --- crypto/err/openssl.txt | --- crypto/err/openssl.txt | ||||
| +++ crypto/err/openssl.txt | +++ crypto/err/openssl.txt | ||||
| @@ -1318,6 +1318,7 @@ SSL_F_SSL_RENEGOTIATE:516:SSL_renegotiate | @@ -1318,6 +1318,7 @@ SSL_F_SSL_RENEGOTIATE:516:SSL_renegotiate | ||||
| SSL_F_SSL_RENEGOTIATE_ABBREVIATED:546:SSL_renegotiate_abbreviated | SSL_F_SSL_RENEGOTIATE_ABBREVIATED:546:SSL_renegotiate_abbreviated | ||||
| SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT:320:* | SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT:320:* | ||||
| SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT:321:* | SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT:321:* | ||||
| +SSL_F_SSL_SENDFILE:639:SSL_sendfile | +SSL_F_SSL_SENDFILE:639:SSL_sendfile | ||||
| SSL_F_SSL_SESSION_DUP:348:ssl_session_dup | SSL_F_SSL_SESSION_DUP:348:ssl_session_dup | ||||
| ▲ Show 20 Lines • Show All 151 Lines • ▼ Show 20 Lines | |||||
| +The return type of SSL_CTX_set_record_padding_callback() function was | +The return type of SSL_CTX_set_record_padding_callback() function was | ||||
| +changed to int in OpenSSL 3.0. | +changed to int in OpenSSL 3.0. | ||||
| + | + | ||||
| =head1 COPYRIGHT | =head1 COPYRIGHT | ||||
| Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved. | Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved. | ||||
| diff --git doc/man3/SSL_write.pod doc/man3/SSL_write.pod | diff --git doc/man3/SSL_write.pod doc/man3/SSL_write.pod | ||||
| index 5e3ce1e7e4..20c7953deb 100644 | index 5e3ce1e7e4..9b271d8e65 100644 | ||||
| --- doc/man3/SSL_write.pod | --- doc/man3/SSL_write.pod | ||||
| +++ doc/man3/SSL_write.pod | +++ doc/man3/SSL_write.pod | ||||
| @@ -2,12 +2,13 @@ | @@ -2,12 +2,13 @@ | ||||
| =head1 NAME | =head1 NAME | ||||
| -SSL_write_ex, SSL_write - write bytes to a TLS/SSL connection | -SSL_write_ex, SSL_write - write bytes to a TLS/SSL connection | ||||
| +SSL_write_ex, SSL_write, SSL_sendfile - write bytes to a TLS/SSL connection | +SSL_write_ex, SSL_write, SSL_sendfile - write bytes to a TLS/SSL connection | ||||
| Show All 16 Lines | |||||
| +Kernel TLS is enabled, which can be checked by calling BIO_get_ktls_send(). | +Kernel TLS is enabled, which can be checked by calling BIO_get_ktls_send(). | ||||
| +It is provided here to allow users to maintain the same interface. | +It is provided here to allow users to maintain the same interface. | ||||
| +The meaning of B<flags> is platform dependent. | +The meaning of B<flags> is platform dependent. | ||||
| +Currently, under Linux it is ignored. | +Currently, under Linux it is ignored. | ||||
| + | + | ||||
| =head1 NOTES | =head1 NOTES | ||||
| In the paragraphs below a "write function" is defined as one of either | In the paragraphs below a "write function" is defined as one of either | ||||
| @@ -104,17 +113,35 @@ You should instead call SSL_get_error() to find out if it's retryable. | @@ -104,17 +113,36 @@ You should instead call SSL_get_error() to find out if it's retryable. | ||||
| =back | =back | ||||
| +For SSL_sendfile(), the following return values can occur: | +For SSL_sendfile(), the following return values can occur: | ||||
| + | + | ||||
| +=over 4 | +=over 4 | ||||
| + | + | ||||
| +=item Z<>>= 0 | +=item Z<>>= 0 | ||||
| + | + | ||||
| +The write operation was successful, the return value is the number | +The write operation was successful, the return value is the number | ||||
| +of bytes of the file written to the TLS/SSL connection. | +of bytes of the file written to the TLS/SSL connection. The return | ||||
| +value can be less than B<size> for a partial write. | |||||
| + | + | ||||
| +=item E<lt> 0 | +=item E<lt> 0 | ||||
| + | + | ||||
| +The write operation was not successful, because either the connection was | +The write operation was not successful, because either the connection was | ||||
| +closed, an error occured or action must be taken by the calling process. | +closed, an error occured or action must be taken by the calling process. | ||||
| +Call SSL_get_error() with the return value to find out the reason. | +Call SSL_get_error() with the return value to find out the reason. | ||||
| + | + | ||||
| +=back | +=back | ||||
| ▲ Show 20 Lines • Show All 86 Lines • ▼ Show 20 Lines | |||||
| +# define BIO_set_ktls_ctrl_msg(b, record_type) \ | +# define BIO_set_ktls_ctrl_msg(b, record_type) \ | ||||
| + BIO_ctrl(b, BIO_CTRL_SET_KTLS_TX_SEND_CTRL_MSG, record_type, NULL) | + BIO_ctrl(b, BIO_CTRL_SET_KTLS_TX_SEND_CTRL_MSG, record_type, NULL) | ||||
| +# define BIO_clear_ktls_ctrl_msg(b) \ | +# define BIO_clear_ktls_ctrl_msg(b) \ | ||||
| + BIO_ctrl(b, BIO_CTRL_CLEAR_KTLS_TX_CTRL_MSG, 0, NULL) | + BIO_ctrl(b, BIO_CTRL_CLEAR_KTLS_TX_CTRL_MSG, 0, NULL) | ||||
| + | + | ||||
| +#endif | +#endif | ||||
| diff --git include/internal/ktls.h include/internal/ktls.h | diff --git include/internal/ktls.h include/internal/ktls.h | ||||
| new file mode 100644 | new file mode 100644 | ||||
| index 0000000000..9032c0ed61 | index 0000000000..622d7be76d | ||||
| --- /dev/null | --- /dev/null | ||||
| +++ include/internal/ktls.h | +++ include/internal/ktls.h | ||||
| @@ -0,0 +1,403 @@ | @@ -0,0 +1,400 @@ | ||||
| +/* | +/* | ||||
| + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. | + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. | ||||
| + * | + * | ||||
| + * Licensed under the Apache License 2.0 (the "License"). You may not use | + * Licensed under the Apache License 2.0 (the "License"). You may not use | ||||
| + * this file except in compliance with the License. You can obtain a copy | + * this file except in compliance with the License. You can obtain a copy | ||||
| + * in the file LICENSE in the source distribution or at | + * in the file LICENSE in the source distribution or at | ||||
| + * https://www.openssl.org/source/license.html | + * https://www.openssl.org/source/license.html | ||||
| + */ | + */ | ||||
| ▲ Show 20 Lines • Show All 178 Lines • ▼ Show 20 Lines | |||||
| + | + | ||||
| +/* | +/* | ||||
| + * KTLS enables the sendfile system call to send data from a file over | + * KTLS enables the sendfile system call to send data from a file over | ||||
| + * TLS. | + * TLS. | ||||
| + */ | + */ | ||||
| +static ossl_inline ossl_ssize_t ktls_sendfile(int s, int fd, off_t off, | +static ossl_inline ossl_ssize_t ktls_sendfile(int s, int fd, off_t off, | ||||
| + size_t size, int flags) | + size_t size, int flags) | ||||
| +{ | +{ | ||||
| + off_t sbytes; | + off_t sbytes = 0; | ||||
| + int ret; | + int ret; | ||||
| + | + | ||||
| + ret = sendfile(fd, s, off, size, NULL, &sbytes, flags); | + ret = sendfile(fd, s, off, size, NULL, &sbytes, flags); | ||||
| + if (ret == -1) { | + if (ret == -1 && sbytes == 0) | ||||
| + if (errno == EAGAIN && sbytes != 0) | |||||
| + return sbytes; | |||||
| + return -1; | + return -1; | ||||
| + } | |||||
| + return sbytes; | + return sbytes; | ||||
| +} | +} | ||||
| + | + | ||||
| +# endif /* __FreeBSD__ */ | +# endif /* __FreeBSD__ */ | ||||
| + | + | ||||
| +# if defined(OPENSSL_SYS_LINUX) | +# if defined(OPENSSL_SYS_LINUX) | ||||
| + | + | ||||
| +# include <linux/tls.h> | +# include <linux/tls.h> | ||||
| ▲ Show 20 Lines • Show All 1,196 Lines • ▼ Show 20 Lines | |||||
| + ssl->record_padding_cb = cb; | + ssl->record_padding_cb = cb; | ||||
| + return 1; | + return 1; | ||||
| + } | + } | ||||
| + return 0; | + return 0; | ||||
| } | } | ||||
| void SSL_set_record_padding_callback_arg(SSL *ssl, void *arg) | void SSL_set_record_padding_callback_arg(SSL *ssl, void *arg) | ||||
| diff --git ssl/ssl_local.h ssl/ssl_local.h | diff --git ssl/ssl_local.h ssl/ssl_local.h | ||||
| index 8ddbde7729..dc430fe40b 100644 | index 8c3542a542..c10e7d52ce 100644 | ||||
| --- ssl/ssl_local.h | --- ssl/ssl_local.h | ||||
| +++ ssl/ssl_local.h | +++ ssl/ssl_local.h | ||||
| @@ -34,6 +34,8 @@ | @@ -34,6 +34,8 @@ | ||||
| # include "internal/dane.h" | # include "internal/dane.h" | ||||
| # include "internal/refcount.h" | # include "internal/refcount.h" | ||||
| # include "internal/tsan_assist.h" | # include "internal/tsan_assist.h" | ||||
| +# include "internal/bio.h" | +# include "internal/bio.h" | ||||
| +# include "internal/ktls.h" | +# include "internal/ktls.h" | ||||
| # ifdef OPENSSL_BUILD_SHLIBSSL | # ifdef OPENSSL_BUILD_SHLIBSSL | ||||
| # undef OPENSSL_EXTERN | # undef OPENSSL_EXTERN | ||||
| @@ -2618,6 +2620,17 @@ __owur int ssl_log_secret(SSL *ssl, const char *label, | @@ -2617,6 +2619,17 @@ __owur int ssl_log_secret(SSL *ssl, const char *label, | ||||
| #define EARLY_EXPORTER_SECRET_LABEL "EARLY_EXPORTER_SECRET" | #define EARLY_EXPORTER_SECRET_LABEL "EARLY_EXPORTER_SECRET" | ||||
| #define EXPORTER_SECRET_LABEL "EXPORTER_SECRET" | #define EXPORTER_SECRET_LABEL "EXPORTER_SECRET" | ||||
| +# ifndef OPENSSL_NO_KTLS | +# ifndef OPENSSL_NO_KTLS | ||||
| +/* ktls.c */ | +/* ktls.c */ | ||||
| +int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c, | +int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c, | ||||
| + const EVP_CIPHER_CTX *dd); | + const EVP_CIPHER_CTX *dd); | ||||
| +int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, | +int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, | ||||
| ▲ Show 20 Lines • Show All 355 Lines • ▼ Show 20 Lines | @@ -764,6 +816,7 @@ int tls13_update_key(SSL *s, int sending) | ||||
| s->statem.enc_write_state = ENC_WRITE_STATE_VALID; | s->statem.enc_write_state = ENC_WRITE_STATE_VALID; | ||||
| ret = 1; | ret = 1; | ||||
| err: | err: | ||||
| + OPENSSL_cleanse(key, sizeof(key)); | + OPENSSL_cleanse(key, sizeof(key)); | ||||
| OPENSSL_cleanse(secret, sizeof(secret)); | OPENSSL_cleanse(secret, sizeof(secret)); | ||||
| return ret; | return ret; | ||||
| } | } | ||||
| diff --git test/build.info test/build.info | diff --git test/build.info test/build.info | ||||
| index 56ac14eabd..e8454e2e03 100644 | index bc3dae81f9..e5ccaab5ba 100644 | ||||
| --- test/build.info | --- test/build.info | ||||
| +++ test/build.info | +++ test/build.info | ||||
| @@ -544,7 +544,7 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN | @@ -544,7 +544,7 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN | ||||
| # We disable this test completely in a shared build because it deliberately | # We disable this test completely in a shared build because it deliberately | ||||
| # redefines some internal libssl symbols. This doesn't work in a non-shared | # redefines some internal libssl symbols. This doesn't work in a non-shared | ||||
| # build | # build | ||||
| - IF[{- !$disabled{shared} -}] | - IF[{- !$disabled{shared} -}] | ||||
| + IF[{- !$disabled{shared} && $disabled{ktls} -}] | + IF[{- !$disabled{shared} && $disabled{ktls} -}] | ||||
| Show All 9 Lines | |||||
| plan skip_all => "$test_name is not supported in this build" | plan skip_all => "$test_name is not supported in this build" | ||||
| - if disabled("tls1_3") || disabled("shared"); | - if disabled("tls1_3") || disabled("shared"); | ||||
| + if disabled("tls1_3") || disabled("shared") || !disabled("ktls"); | + if disabled("tls1_3") || disabled("shared") || !disabled("ktls"); | ||||
| plan tests => 1; | plan tests => 1; | ||||
| diff --git test/sslapitest.c test/sslapitest.c | diff --git test/sslapitest.c test/sslapitest.c | ||||
| index ad1824c68d..f6a61cab4e 100644 | index 4a27ee1ba2..f846bcb4ee 100644 | ||||
| --- test/sslapitest.c | --- test/sslapitest.c | ||||
| +++ test/sslapitest.c | +++ test/sslapitest.c | ||||
| @@ -7,6 +7,7 @@ | @@ -7,6 +7,7 @@ | ||||
| * https://www.openssl.org/source/license.html | * https://www.openssl.org/source/license.html | ||||
| */ | */ | ||||
| +#include <stdio.h> | +#include <stdio.h> | ||||
| #include <string.h> | #include <string.h> | ||||
| ▲ Show 20 Lines • Show All 418 Lines • ▼ Show 20 Lines | |||||
| +} | +} | ||||
| + | + | ||||
| +#endif | +#endif | ||||
| +#endif | +#endif | ||||
| + | + | ||||
| static int test_large_message_tls(void) | static int test_large_message_tls(void) | ||||
| { | { | ||||
| return execute_test_large_message(TLS_server_method(), TLS_client_method(), | return execute_test_large_message(TLS_server_method(), TLS_client_method(), | ||||
| @@ -6691,6 +7097,12 @@ int setup_tests(void) | @@ -6747,6 +7153,12 @@ int setup_tests(void) | ||||
| return 0; | return 0; | ||||
| } | } | ||||
| +#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK) | +#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK) | ||||
| +#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3) | +#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3) | ||||
| + ADD_ALL_TESTS(test_ktls, 32); | + ADD_ALL_TESTS(test_ktls, 32); | ||||
| + ADD_ALL_TESTS(test_ktls_sendfile_anytls, 6); | + ADD_ALL_TESTS(test_ktls_sendfile_anytls, 6); | ||||
| +#endif | +#endif | ||||
| ▲ Show 20 Lines • Show All 174 Lines • Show Last 20 Lines | |||||