[1.1.0] Add a 'max_send_frag' option to configure maximum size of send fragments #3390
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from openssl#2344) (cherry picked from commit 122fa08)
Fix compilation on platforms with missing pthread_rwlock_t implementation by replacing it with pthread_mutex_t. An example of such platform can be Android OS 2.0 - 2.1, API level 5 (Eclair), Android NDK platform - android-5 where pthread_rwlock_t is not implemented and is missing in pthread.h. In case of missing pthread_rwlock_t implementation CRYPTO_RWLOCK will work as exclusive lock in write-only mode of pthread_rwlock_t lock. The implementation based on pthread_mutex_t must be using PTHREAD_MUTEX_RECURSIVE mode to be compatible with recursive behavior of pthread_rwlock_rdlock. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from openssl#1981) (cherry picked from commit 2accf3f)
Updated indentations according project rules, renamed file-local define to the shorter version - USE_RWLOCK, fixed declaration after the if statement in CRYPTO_THREAD_lock_new(). Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from openssl#1981) (cherry picked from commit ec93a29)
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from openssl#1981) (cherry picked from commit 5d5eed4)
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from openssl#1981) (cherry picked from commit bc1dba2)
session_ctx and initial_ctx are aliases of each other, and with the opaque data structures, there's no need to keep both around. Since there were more references of session_ctx, replace all instances of initial_ctx with session_ctx. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from openssl#2340)
…issues: Fixed a memory leak in ASN1_digest and ASN1_item_digest. Reworked error handling in asn1_item_embed_new. Fixed error handling in int_ctx_new and EVP_PKEY_CTX_dup. Fixed a memory leak in CRYPTO_free_ex_data. Reworked error handing in x509_name_ex_d2i, x509_name_encode and x509_name_canon. Check for null pointer in tls_process_cert_verify. Fixes openssl#2103 openssl#2104 openssl#2105 openssl#2109 openssl#2111 openssl#2115 Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from openssl#2163)
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from openssl#2352) (cherry picked from commit fe4075f)
Reported by Alexander Köppe Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#2557) (cherry picked from commit bb6c5e7)
Reported by Jakub Wilk. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#2556) (cherry picked from commit be4c82a)
or EVP_CTRL_INIT/EVP_CTRL_COPY was not called or failed. If that happens in EVP_CipherInit_ex/EVP_CIPHER_CTX_copy set cipher = NULL, aes_gcm_cleanup should check that gctx != NULL before calling OPENSSL_cleanse. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#2562) (cherry picked from commit 273a021)
Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from openssl#2566) (cherry picked from commit a19a6c8)
Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from openssl#2569) (cherry picked from commit e9681f8)
Fixes a copy&paste error Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from openssl#2568) (cherry picked from commit fbc9eea)
While it's always safe to read |SSL_MAX_SSL_SESSION_ID_LENGTH| bytes from an |SSL_SESSION|'s |session_id| array, the hash function would do so with without considering if all those bytes had been written to. This change checks |session_id_length| before possibly reading uninitialised memory. Since the result of the hash function was already attacker controlled, and since a lookup of a short session ID will always fail, it doesn't appear that this is anything more than a clean up. In particular, |ssl_get_prev_session| uses a stack-allocated placeholder |SSL_SESSION| as a lookup key, so the |session_id| array may be uninitialised. This was originally found with libFuzzer and MSan in https://boringssl.googlesource.com/boringssl/+/e976e4349d693b4bbb97e1694f45be5a1b22c8c7, then by Robert Swiecki with honggfuzz and MSan here. Thanks to both. Reviewed-by: Geoff Thorpe <geoff@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from openssl#2583) (cherry picked from commit bd5d27c)
EVP_CIPH_FLAG_LENGTH_BITS flag for CFB1 has been broken with the introduction of the is_partially_overlapping() check that did not take it into the account (treating number of bits passed as bytes). This remedies that and allows this flag to work as intended. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#1942) (cherry picked from commit 6484609)
test/recipes/40-test_rehash.t uses test files from certs/demo, which doesn't exist any longer. Have it use PEM files from test/ instead. Because rehash wants only one certificate or CRL per file, we must also filter those PEM files to produce test files with a single object each. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from openssl#2594) (cherry picked from commit 4bbd8a5)
CLA: trivial Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from openssl#2604) (cherry picked from commit 4fd7b54)
This happens when a fd is added and then immediately removed from the ASYNC_WAIT_CTX before pausing the job. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#2581) (cherry picked from commit f44e636)
…e pause This fixes the num of fds added/removed returned by ASYNC_WAIT_CTX_get_changed_fds Previously, the numbers were not consistent with the fds actually written in the buffers since the fds that have been both added and removed are explicitly ignored in the loop. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#2581) (cherry picked from commit f89dd67)
Remove call to cleanup function Use only one loop to find previous element Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#2581) (cherry picked from commit 219aa86)
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#2559) (cherry picked from commit e067097)
Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from openssl#2626) (cherry picked from commit b4568b04c7cd425103ac8f1603682e8da2044238)
When a certificate is prepended update the list pointer. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from openssl#2628) (cherry picked from commit 52f4840)
which are not possible with the default OPENSSL_zalloc, but are possible if the user has installed their own allocator using CRYPTO_set_mem_functions. If the 0-allocations succeeds, the secure heap code will later access (at least) the first byte of that space, which is technically an OOB access. This could lead to problems with some custom allocators that only return a valid pointer for subsequent free()-ing, and do not expect that the pointer is actually dereferenced. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from openssl#2605) (cherry picked from commit 7f07149)
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from openssl#2618) (cherry picked from commit 57b0d65)
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from openssl#1613) (cherry picked from commit 7c12035)
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from openssl#2571) (cherry picked from commit 7e12cdb)
… safety. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from openssl#2636) (cherry picked from commit ed874fa)
Three modules were left behind in a285992. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from openssl#2617) (cherry picked from commit c93f06c)
... on the theme "I could have sworn I saved that fix!" Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#3285) (cherry picked from commit cb2a6eb)
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from openssl#3290)
- unbuffer causes single-byte reads from stdin and poor performance Fixes openssl#3281 CLA: trivial Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from openssl#3299) (cherry picked from commit 65d6248)
There was code existing which attempted to handle the case where application data is received after a reneg handshake has started in SCTP. In normal DTLS we just fail the connection if this occurs, so there doesn't seem any reason to try and work around it for SCTP. In practice it didn't work properly anyway and is probably a bad idea to start with. Fixes openssl#3251 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from openssl#3287)
We were allocating the write buffer based on the size of max_send_fragment, but ignoring it when writing data. We should fragment handshake messages if they exceed max_send_fragment and reject application data writes that are too large. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from openssl#3287)
In SCTP the code was only allowing a send of a close_notify alert if the socket is dry. If the socket isn't dry then it was attempting to save away the close_notify alert to resend later when it is dry and then it returned success. However because the application then thinks that the close_notify alert has been successfully sent it never re-enters the DTLS code to actually resend the alert. A much simpler solution is to just fail with a retryable error in the event that the socket isn't dry. That way the application knows to retry sending the close_notify alert. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from openssl#3287)
We were incorrectly using "res" when we meant "ai" Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from openssl#3287)
i.e. reduce amount of branches and favour likely ones. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from openssl#3192) (cherry picked from commit a3ea6bf)
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from openssl#3192) (cherry picked from commit 6d4321f)
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from openssl#3192) (cherry picked from commit b997adb)
Trouble was that integer negation wasn't producing *formally* correct result in platform-neutral sense. Formally correct thing to do is -(int64_t)u, but this triggers undefined behaviour for one value that would still be representable in ASN.1. The trigger was masked with (int64_t)(0-u), but this is formally inappropriate for values other than the problematic one. [Also reorder branches to favour most-likely paths and harmonize asn1_string_set_int64 with asn1_get_int64].] Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from openssl#3231) (cherry picked from commit 786b6a4)
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#3260)
The only SSL tests prior to this tested using certificates with no embedded Signed Certificate Timestamps (SCTs), which meant they couldn't confirm whether Certificate Transparency checks in "strict" mode were working. These tests reveal a bug in the validation of SCT timestamps, which is fixed by the next commit. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#3260)
This resulted in the SCT timestamp check always failing, because the timestamp appeared to be in the future. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#3260)
It is not necessary to remove leading zeros here because RSA_padding_check_PKCS1_OAEP_mgf1 appends them again. As this was not done in constant time, this might have leaked timing information. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from openssl#3313) (cherry picked from commit 237bc6c)
Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from openssl#3336) (cherry picked from commit f2150cd)
When you want to debug a test that goes wrong, it's useful to know exactly what subprocess commands are run. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from openssl#3342) (cherry picked from commit 46d5e2b)
Also add a comment describing the file format. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from openssl#3337) (cherry picked from commit 9a837f2)
Bug found and fix suggested by Julian Rüth. Push error if fflush fails Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from openssl#3266) (cherry picked from commit 595b2a4)
"Next" refers to negative minimum "next" to one presentable by given number of bytes. For example, -128 is negative minimum presentable by one byte, and -256 is "next" one. Thanks to Kazuki Yamaguchi for report, GH#3339 Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (cherry picked from commit 1e93d61)
ASN1_GENERALIZEDTIME and ASN1_UTCTIME may be specified using offsets, even though that's not supported within certificates. To convert the offset time back to GMT, the offsets are supposed to be subtracted, not added. e.g. 1759-0500 == 2359+0100 == 2259Z. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from openssl#3335)
Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#3365) (cherry picked from commit dea0eb2)
…L_NAME Fixes openssl#1653 reported by Guido Vranken Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from openssl#3362) (cherry picked from commit 75a3e39)
Fixes openssl#2360 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from openssl#3366) (cherry picked from commit c41048f)
The init code uses DSO_dsobyaddr() to leak a reference to ourselves to ensure we remain loaded until atexit() time. In some circumstances that can fail and leave stale errors on the error queue. Fixes openssl#3372 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from openssl#3383) (cherry picked from commit 689f112)
Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from openssl#3388) (cherry picked from commit 1d3235f)
Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from openssl#3141) cherry-pick from 28e5ea8
Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from openssl#3141) Cherry-oick from 6788785
Remove hardcoded bound checkings. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from openssl#3141) cherry-pick from 36b2cfb
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport of #3141: add missing options
Checklist