summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSiddharth Doshi <sdoshi@mvista.com>2024-09-06 12:25:19 +0530
committerSteve Sakoman <steve@sakoman.com>2024-09-25 05:07:47 -0700
commita2803e528ca267235c6e51e78ba7bde6f4dfa614 (patch)
tree50a9faf03b6b8aa3c2e48772491fc85b610254cf
parent263e0c2f1ab5f7c86a7698d4d2b4c4a70dc6f418 (diff)
downloadpoky-a2803e528ca267235c6e51e78ba7bde6f4dfa614.tar.gz
openssl: Upgrade 3.2.2 -> 3.2.3
Updated SRC_URI link and format due to change in openssl website. CVE's Fixed by upgrade: CVE-2024-5535: Fixed possible buffer overread in SSL_select_next_proto(). CVE-2024-6119: Fixed possible denial of service in X.509 name checks - Removed backports of CVE-2024-5535 as it is already fixed. - Removed first hunk of 0001-Added-handshake-history-reporting-when-test-fails.patch as the copyright years are already updated in test/helpers/handshake.c file Detailed Information: https://github.com/openssl/openssl/blob/openssl-3.2/CHANGES.md#changes-between-322-and-323-3-sep-2024 (From OE-Core rev: 2155e3016a98ae0db28488dcc5176437e6f8b24a) Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat
-rw-r--r--meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch8
-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_1.patch113
-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_10.patch203
-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_2.patch43
-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_3.patch38
-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_4.patch82
-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_5.patch176
-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_6.patch1173
-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_7.patch43
-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_8.patch66
-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_9.patch271
-rw-r--r--meta/recipes-connectivity/openssl/openssl_3.2.3.bb (renamed from meta/recipes-connectivity/openssl/openssl_3.2.2.bb)14
12 files changed, 3 insertions, 2227 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch
index aa2e5bb800..9baa0c2d75 100644
--- a/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch
@@ -6,6 +6,7 @@ Subject: [PATCH] Added handshake history reporting when test fails
6Upstream-Status: Submitted [https://github.com/openssl/openssl/pull/22481] 6Upstream-Status: Submitted [https://github.com/openssl/openssl/pull/22481]
7 7
8Signed-off-by: William Lyu <William.Lyu@windriver.com> 8Signed-off-by: William Lyu <William.Lyu@windriver.com>
9Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
9--- 10---
10 test/helpers/handshake.c | 139 +++++++++++++++++++++++++++++---------- 11 test/helpers/handshake.c | 139 +++++++++++++++++++++++++++++----------
11 test/helpers/handshake.h | 70 +++++++++++++++++++- 12 test/helpers/handshake.h | 70 +++++++++++++++++++-
@@ -16,13 +17,6 @@ diff --git a/test/helpers/handshake.c b/test/helpers/handshake.c
16index e0422469e4..ae2ad59dd4 100644 17index e0422469e4..ae2ad59dd4 100644
17--- a/test/helpers/handshake.c 18--- a/test/helpers/handshake.c
18+++ b/test/helpers/handshake.c 19+++ b/test/helpers/handshake.c
19@@ -1,5 +1,5 @@
20 /*
21- * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
22+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
23 *
24 * Licensed under the Apache License 2.0 (the "License"). You may not use
25 * this file except in compliance with the License. You can obtain a copy
26@@ -24,6 +24,102 @@ 20@@ -24,6 +24,102 @@
27 #include <netinet/sctp.h> 21 #include <netinet/sctp.h>
28 #endif 22 #endif
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_1.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_1.patch
deleted file mode 100644
index d5c178eeab..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_1.patch
+++ /dev/null
@@ -1,113 +0,0 @@
1From b63b4db52e10677db4ab46b608aabd55a44668aa Mon Sep 17 00:00:00 2001
2From: Matt Caswell <matt@openssl.org>
3Date: Fri, 31 May 2024 11:14:33 +0100
4Subject: [PATCH 01/10] Fix SSL_select_next_proto
5
6Ensure that the provided client list is non-NULL and starts with a valid
7entry. When called from the ALPN callback the client list should already
8have been validated by OpenSSL so this should not cause a problem. When
9called from the NPN callback the client list is locally configured and
10will not have already been validated. Therefore SSL_select_next_proto
11should not assume that it is correctly formatted.
12
13We implement stricter checking of the client protocol list. We also do the
14same for the server list while we are about it.
15
16CVE-2024-5535
17
18Reviewed-by: Neil Horman <nhorman@openssl.org>
19Reviewed-by: Tomas Mraz <tomas@openssl.org>
20(Merged from https://github.com/openssl/openssl/pull/24717)
21
22Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/99fb785a5f85315b95288921a321a935ea29a51e]
23CVE: CVE-2024-5535
24Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
25---
26 ssl/ssl_lib.c | 63 ++++++++++++++++++++++++++++++++-------------------
27 1 file changed, 40 insertions(+), 23 deletions(-)
28
29diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
30index 016135f..cf52b31 100644
31--- a/ssl/ssl_lib.c
32+++ b/ssl/ssl_lib.c
33@@ -3518,37 +3518,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
34 unsigned int server_len,
35 const unsigned char *client, unsigned int client_len)
36 {
37- unsigned int i, j;
38- const unsigned char *result;
39- int status = OPENSSL_NPN_UNSUPPORTED;
40+ PACKET cpkt, csubpkt, spkt, ssubpkt;
41+
42+ if (!PACKET_buf_init(&cpkt, client, client_len)
43+ || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt)
44+ || PACKET_remaining(&csubpkt) == 0) {
45+ *out = NULL;
46+ *outlen = 0;
47+ return OPENSSL_NPN_NO_OVERLAP;
48+ }
49+
50+ /*
51+ * Set the default opportunistic protocol. Will be overwritten if we find
52+ * a match.
53+ */
54+ *out = (unsigned char *)PACKET_data(&csubpkt);
55+ *outlen = (unsigned char)PACKET_remaining(&csubpkt);
56
57 /*
58 * For each protocol in server preference order, see if we support it.
59 */
60- for (i = 0; i < server_len;) {
61- for (j = 0; j < client_len;) {
62- if (server[i] == client[j] &&
63- memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
64- /* We found a match */
65- result = &server[i];
66- status = OPENSSL_NPN_NEGOTIATED;
67- goto found;
68+ if (PACKET_buf_init(&spkt, server, server_len)) {
69+ while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) {
70+ if (PACKET_remaining(&ssubpkt) == 0)
71+ continue; /* Invalid - ignore it */
72+ if (PACKET_buf_init(&cpkt, client, client_len)) {
73+ while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) {
74+ if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt),
75+ PACKET_remaining(&ssubpkt))) {
76+ /* We found a match */
77+ *out = (unsigned char *)PACKET_data(&ssubpkt);
78+ *outlen = (unsigned char)PACKET_remaining(&ssubpkt);
79+ return OPENSSL_NPN_NEGOTIATED;
80+ }
81+ }
82+ /* Ignore spurious trailing bytes in the client list */
83+ } else {
84+ /* This should never happen */
85+ return OPENSSL_NPN_NO_OVERLAP;
86 }
87- j += client[j];
88- j++;
89 }
90- i += server[i];
91- i++;
92+ /* Ignore spurious trailing bytes in the server list */
93 }
94
95- /* There's no overlap between our protocols and the server's list. */
96- result = client;
97- status = OPENSSL_NPN_NO_OVERLAP;
98-
99- found:
100- *out = (unsigned char *)result + 1;
101- *outlen = result[0];
102- return status;
103+ /*
104+ * There's no overlap between our protocols and the server's list. We use
105+ * the default opportunistic protocol selected earlier
106+ */
107+ return OPENSSL_NPN_NO_OVERLAP;
108 }
109
110 #ifndef OPENSSL_NO_NEXTPROTONEG
111--
1122.44.0
113
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_10.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_10.patch
deleted file mode 100644
index 7cc36f20ab..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_10.patch
+++ /dev/null
@@ -1,203 +0,0 @@
1From 61cad53901703944d22f1cd6a1b57460f2270599 Mon Sep 17 00:00:00 2001
2From: Matt Caswell <matt@openssl.org>
3Date: Fri, 21 Jun 2024 14:29:26 +0100
4Subject: [PATCH 10/10] Add a test for an empty NextProto message
5
6It is valid according to the spec for a NextProto message to have no
7protocols listed in it. The OpenSSL implementation however does not allow
8us to create such a message. In order to check that we work as expected
9when communicating with a client that does generate such messages we have
10to use a TLSProxy test.
11
12Follow on from CVE-2024-5535
13
14Reviewed-by: Neil Horman <nhorman@openssl.org>
15Reviewed-by: Tomas Mraz <tomas@openssl.org>
16(Merged from https://github.com/openssl/openssl/pull/24717)
17
18Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/301b870546d1c7b2d8f0d66e04a2596142f0399f]
19CVE: CVE-2024-5535
20Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
21---
22 test/recipes/70-test_npn.t | 73 +++++++++++++++++++++++++++++++++
23 util/perl/TLSProxy/Message.pm | 9 ++++
24 util/perl/TLSProxy/NextProto.pm | 54 ++++++++++++++++++++++++
25 util/perl/TLSProxy/Proxy.pm | 1 +
26 4 files changed, 137 insertions(+)
27 create mode 100644 test/recipes/70-test_npn.t
28 create mode 100644 util/perl/TLSProxy/NextProto.pm
29
30diff --git a/test/recipes/70-test_npn.t b/test/recipes/70-test_npn.t
31new file mode 100644
32index 0000000..f82e71a
33--- /dev/null
34+++ b/test/recipes/70-test_npn.t
35@@ -0,0 +1,73 @@
36+#! /usr/bin/env perl
37+# Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
38+#
39+# Licensed under the Apache License 2.0 (the "License"). You may not use
40+# this file except in compliance with the License. You can obtain a copy
41+# in the file LICENSE in the source distribution or at
42+# https://www.openssl.org/source/license.html
43+
44+use strict;
45+use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file/;
46+use OpenSSL::Test::Utils;
47+
48+use TLSProxy::Proxy;
49+
50+my $test_name = "test_npn";
51+setup($test_name);
52+
53+plan skip_all => "TLSProxy isn't usable on $^O"
54+ if $^O =~ /^(VMS)$/;
55+
56+plan skip_all => "$test_name needs the dynamic engine feature enabled"
57+ if disabled("engine") || disabled("dynamic-engine");
58+
59+plan skip_all => "$test_name needs the sock feature enabled"
60+ if disabled("sock");
61+
62+plan skip_all => "$test_name needs NPN enabled"
63+ if disabled("nextprotoneg");
64+
65+plan skip_all => "$test_name needs TLSv1.2 enabled"
66+ if disabled("tls1_2");
67+
68+my $proxy = TLSProxy::Proxy->new(
69+ undef,
70+ cmdstr(app(["openssl"]), display => 1),
71+ srctop_file("apps", "server.pem"),
72+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
73+);
74+
75+$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
76+plan tests => 1;
77+
78+my $npnseen = 0;
79+
80+# Test 1: Check sending an empty NextProto message from the client works. This is
81+# valid as per the spec, but OpenSSL does not allow you to send it.
82+# Therefore we must be prepared to receive such a message but we cannot
83+# generate it except via TLSProxy
84+$proxy->clear();
85+$proxy->filter(\&npn_filter);
86+$proxy->clientflags("-nextprotoneg foo -no_tls1_3");
87+$proxy->serverflags("-nextprotoneg foo");
88+$proxy->start();
89+ok($npnseen && TLSProxy::Message->success(), "Empty NPN message");
90+
91+sub npn_filter
92+{
93+ my $proxy = shift;
94+ my $message;
95+
96+ # The NextProto message always appears in flight 2
97+ return if $proxy->flight != 2;
98+
99+ foreach my $message (@{$proxy->message_list}) {
100+ if ($message->mt == TLSProxy::Message::MT_NEXT_PROTO) {
101+ # Our TLSproxy NextProto message support doesn't support parsing of
102+ # the message. If we repack it just creates an empty NextProto
103+ # message - which is exactly the scenario we want to test here.
104+ $message->repack();
105+ $npnseen = 1;
106+ }
107+ }
108+}
109diff --git a/util/perl/TLSProxy/Message.pm b/util/perl/TLSProxy/Message.pm
110index ce22187..fb41b2f 100644
111--- a/util/perl/TLSProxy/Message.pm
112+++ b/util/perl/TLSProxy/Message.pm
113@@ -384,6 +384,15 @@ sub create_message
114 [@message_frag_lens]
115 );
116 $message->parse();
117+ } elsif ($mt == MT_NEXT_PROTO) {
118+ $message = TLSProxy::NextProto->new(
119+ $server,
120+ $data,
121+ [@message_rec_list],
122+ $startoffset,
123+ [@message_frag_lens]
124+ );
125+ $message->parse();
126 } else {
127 #Unknown message type
128 $message = TLSProxy::Message->new(
129diff --git a/util/perl/TLSProxy/NextProto.pm b/util/perl/TLSProxy/NextProto.pm
130new file mode 100644
131index 0000000..0e18347
132--- /dev/null
133+++ b/util/perl/TLSProxy/NextProto.pm
134@@ -0,0 +1,54 @@
135+# Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
136+#
137+# Licensed under the Apache License 2.0 (the "License"). You may not use
138+# this file except in compliance with the License. You can obtain a copy
139+# in the file LICENSE in the source distribution or at
140+# https://www.openssl.org/source/license.html
141+
142+use strict;
143+
144+package TLSProxy::NextProto;
145+
146+use vars '@ISA';
147+push @ISA, 'TLSProxy::Message';
148+
149+sub new
150+{
151+ my $class = shift;
152+ my ($server,
153+ $data,
154+ $records,
155+ $startoffset,
156+ $message_frag_lens) = @_;
157+
158+ my $self = $class->SUPER::new(
159+ $server,
160+ TLSProxy::Message::MT_NEXT_PROTO,
161+ $data,
162+ $records,
163+ $startoffset,
164+ $message_frag_lens);
165+
166+ return $self;
167+}
168+
169+sub parse
170+{
171+ # We don't support parsing at the moment
172+}
173+
174+# This is supposed to reconstruct the on-the-wire message data following changes.
175+# For now though since we don't support parsing we just create an empty NextProto
176+# message - this capability is used in test_npn
177+sub set_message_contents
178+{
179+ my $self = shift;
180+ my $data;
181+
182+ $data = pack("C32", 0x00, 0x1e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
183+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
184+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
185+ 0x00, 0x00, 0x00);
186+ $self->data($data);
187+}
188+1;
189diff --git a/util/perl/TLSProxy/Proxy.pm b/util/perl/TLSProxy/Proxy.pm
190index 3de10ec..b707722 100644
191--- a/util/perl/TLSProxy/Proxy.pm
192+++ b/util/perl/TLSProxy/Proxy.pm
193@@ -23,6 +23,7 @@ use TLSProxy::CertificateRequest;
194 use TLSProxy::CertificateVerify;
195 use TLSProxy::ServerKeyExchange;
196 use TLSProxy::NewSessionTicket;
197+use TLSProxy::NextProto;
198
199 my $have_IPv6;
200 my $IP_factory;
201--
2022.44.0
203
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_2.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_2.patch
deleted file mode 100644
index 768304f00b..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_2.patch
+++ /dev/null
@@ -1,43 +0,0 @@
1From 6de1d37cd129b0af5b4a247c76f97b98e70b108b Mon Sep 17 00:00:00 2001
2From: Matt Caswell <matt@openssl.org>
3Date: Fri, 31 May 2024 11:18:27 +0100
4Subject: [PATCH 02/10] More correctly handle a selected_len of 0 when
5 processing NPN
6
7In the case where the NPN callback returns with SSL_TLEXT_ERR_OK, but
8the selected_len is 0 we should fail. Previously this would fail with an
9internal_error alert because calling OPENSSL_malloc(selected_len) will
10return NULL when selected_len is 0. We make this error detection more
11explicit and return a handshake failure alert.
12
13Follow on from CVE-2024-5535
14
15Reviewed-by: Neil Horman <nhorman@openssl.org>
16Reviewed-by: Tomas Mraz <tomas@openssl.org>
17(Merged from https://github.com/openssl/openssl/pull/24717)
18
19Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/015255851371757d54c2560643eb3b3a88123cf1]
20CVE: CVE-2024-5535
21Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
22---
23 ssl/statem/extensions_clnt.c | 4 ++--
24 1 file changed, 2 insertions(+), 2 deletions(-)
25
26diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
27index 381a6c9..1ab3c13 100644
28--- a/ssl/statem/extensions_clnt.c
29+++ b/ssl/statem/extensions_clnt.c
30@@ -1560,8 +1560,8 @@ int tls_parse_stoc_npn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
31 if (sctx->ext.npn_select_cb(SSL_CONNECTION_GET_SSL(s),
32 &selected, &selected_len,
33 PACKET_data(pkt), PACKET_remaining(pkt),
34- sctx->ext.npn_select_cb_arg) !=
35- SSL_TLSEXT_ERR_OK) {
36+ sctx->ext.npn_select_cb_arg) != SSL_TLSEXT_ERR_OK
37+ || selected_len == 0) {
38 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);
39 return 0;
40 }
41--
422.44.0
43
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_3.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_3.patch
deleted file mode 100644
index d6d4d869be..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_3.patch
+++ /dev/null
@@ -1,38 +0,0 @@
1From 4f9334a33da89949f97927c8fe7df1003c42cda4 Mon Sep 17 00:00:00 2001
2From: Matt Caswell <matt@openssl.org>
3Date: Fri, 31 May 2024 11:22:13 +0100
4Subject: [PATCH 03/10] Use correctly formatted ALPN data in tserver
5
6The QUIC test server was using incorrectly formatted ALPN data. With the
7previous implementation of SSL_select_next_proto this went unnoticed. With
8the new stricter implemenation it was failing.
9
10Follow on from CVE-2024-5535
11
12Reviewed-by: Neil Horman <nhorman@openssl.org>
13Reviewed-by: Tomas Mraz <tomas@openssl.org>
14(Merged from https://github.com/openssl/openssl/pull/24717)
15
16Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/6cc511826f09e513b4ec066d9b95acaf4f86d991]
17CVE: CVE-2024-5535
18Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
19---
20 ssl/quic/quic_tserver.c | 2 +-
21 1 file changed, 1 insertion(+), 1 deletion(-)
22
23diff --git a/ssl/quic/quic_tserver.c b/ssl/quic/quic_tserver.c
24index 86187d0..15694e7 100644
25--- a/ssl/quic/quic_tserver.c
26+++ b/ssl/quic/quic_tserver.c
27@@ -58,7 +58,7 @@ static int alpn_select_cb(SSL *ssl, const unsigned char **out,
28
29 if (srv->args.alpn == NULL) {
30 alpn = alpndeflt;
31- alpnlen = sizeof(alpn);
32+ alpnlen = sizeof(alpndeflt);
33 } else {
34 alpn = srv->args.alpn;
35 alpnlen = srv->args.alpnlen;
36--
372.44.0
38
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_4.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_4.patch
deleted file mode 100644
index 03fc1168f9..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_4.patch
+++ /dev/null
@@ -1,82 +0,0 @@
1From 5145a1f50e44c9f86127a76f01519a9f25157290 Mon Sep 17 00:00:00 2001
2From: Matt Caswell <matt@openssl.org>
3Date: Fri, 31 May 2024 11:46:38 +0100
4Subject: [PATCH 04/10] Clarify the SSL_select_next_proto() documentation
5
6We clarify the input preconditions and the expected behaviour in the event
7of no overlap.
8
9Follow on from CVE-2024-5535
10
11Reviewed-by: Neil Horman <nhorman@openssl.org>
12Reviewed-by: Tomas Mraz <tomas@openssl.org>
13(Merged from https://github.com/openssl/openssl/pull/24717)
14
15Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/8e81c57adbbf703dfb63955f65599765fdacc741]
16CVE: CVE-2024-5535
17Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
18---
19 doc/man3/SSL_CTX_set_alpn_select_cb.pod | 26 +++++++++++++++++--------
20 1 file changed, 18 insertions(+), 8 deletions(-)
21
22diff --git a/doc/man3/SSL_CTX_set_alpn_select_cb.pod b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
23index 05fee2f..79e1a25 100644
24--- a/doc/man3/SSL_CTX_set_alpn_select_cb.pod
25+++ b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
26@@ -52,7 +52,8 @@ SSL_select_next_proto, SSL_get0_alpn_selected, SSL_get0_next_proto_negotiated
27 SSL_CTX_set_alpn_protos() and SSL_set_alpn_protos() are used by the client to
28 set the list of protocols available to be negotiated. The B<protos> must be in
29 protocol-list format, described below. The length of B<protos> is specified in
30-B<protos_len>.
31+B<protos_len>. Setting B<protos_len> to 0 clears any existing list of ALPN
32+protocols and no ALPN extension will be sent to the server.
33
34 SSL_CTX_set_alpn_select_cb() sets the application callback B<cb> used by a
35 server to select which protocol to use for the incoming connection. When B<cb>
36@@ -73,9 +74,16 @@ B<server_len> and B<client>, B<client_len> must be in the protocol-list format
37 described below. The first item in the B<server>, B<server_len> list that
38 matches an item in the B<client>, B<client_len> list is selected, and returned
39 in B<out>, B<outlen>. The B<out> value will point into either B<server> or
40-B<client>, so it should be copied immediately. If no match is found, the first
41-item in B<client>, B<client_len> is returned in B<out>, B<outlen>. This
42-function can also be used in the NPN callback.
43+B<client>, so it should be copied immediately. The client list must include at
44+least one valid (nonempty) protocol entry in the list.
45+
46+The SSL_select_next_proto() helper function can be useful from either the ALPN
47+callback or the NPN callback (described below). If no match is found, the first
48+item in B<client>, B<client_len> is returned in B<out>, B<outlen> and
49+B<OPENSSL_NPN_NO_OVERLAP> is returned. This can be useful when implementating
50+the NPN callback. In the ALPN case, the value returned in B<out> and B<outlen>
51+must be ignored if B<OPENSSL_NPN_NO_OVERLAP> has been returned from
52+SSL_select_next_proto().
53
54 SSL_CTX_set_next_proto_select_cb() sets a callback B<cb> that is called when a
55 client needs to select a protocol from the server's provided list, and a
56@@ -85,9 +93,10 @@ must be set to point to the selected protocol (which may be within B<in>).
57 The length of the protocol name must be written into B<outlen>. The
58 server's advertised protocols are provided in B<in> and B<inlen>. The
59 callback can assume that B<in> is syntactically valid. The client must
60-select a protocol. It is fatal to the connection if this callback returns
61-a value other than B<SSL_TLSEXT_ERR_OK>. The B<arg> parameter is the pointer
62-set via SSL_CTX_set_next_proto_select_cb().
63+select a protocol (although it may be an empty, zero length protocol). It is
64+fatal to the connection if this callback returns a value other than
65+B<SSL_TLSEXT_ERR_OK> or if the zero length protocol is selected. The B<arg>
66+parameter is the pointer set via SSL_CTX_set_next_proto_select_cb().
67
68 SSL_CTX_set_next_protos_advertised_cb() sets a callback B<cb> that is called
69 when a TLS server needs a list of supported protocols for Next Protocol
70@@ -154,7 +163,8 @@ A match was found and is returned in B<out>, B<outlen>.
71 =item OPENSSL_NPN_NO_OVERLAP
72
73 No match was found. The first item in B<client>, B<client_len> is returned in
74-B<out>, B<outlen>.
75+B<out>, B<outlen> (or B<NULL> and 0 in the case where the first entry in
76+B<client> is invalid).
77
78 =back
79
80--
812.44.0
82
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_5.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_5.patch
deleted file mode 100644
index e439d9b59a..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_5.patch
+++ /dev/null
@@ -1,176 +0,0 @@
1From 01d44bc7f50670002cad495654fd99a6371d7662 Mon Sep 17 00:00:00 2001
2From: Matt Caswell <matt@openssl.org>
3Date: Fri, 31 May 2024 16:35:16 +0100
4Subject: [PATCH 05/10] Add a test for SSL_select_next_proto
5
6Follow on from CVE-2024-5535
7
8Reviewed-by: Neil Horman <nhorman@openssl.org>
9Reviewed-by: Tomas Mraz <tomas@openssl.org>
10(Merged from https://github.com/openssl/openssl/pull/24717)
11
12Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/add5c52a25c549cec4a730cdf96e2252f0a1862d]
13CVE: CVE-2024-5535
14Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
15---
16 test/sslapitest.c | 137 ++++++++++++++++++++++++++++++++++++++++++++++
17 1 file changed, 137 insertions(+)
18
19diff --git a/test/sslapitest.c b/test/sslapitest.c
20index ce16332..15cb906 100644
21--- a/test/sslapitest.c
22+++ b/test/sslapitest.c
23@@ -11741,6 +11741,142 @@ static int test_multi_resume(int idx)
24 return testresult;
25 }
26
27+static struct next_proto_st {
28+ int serverlen;
29+ unsigned char server[40];
30+ int clientlen;
31+ unsigned char client[40];
32+ int expected_ret;
33+ size_t selectedlen;
34+ unsigned char selected[40];
35+} next_proto_tests[] = {
36+ {
37+ 4, { 3, 'a', 'b', 'c' },
38+ 4, { 3, 'a', 'b', 'c' },
39+ OPENSSL_NPN_NEGOTIATED,
40+ 3, { 'a', 'b', 'c' }
41+ },
42+ {
43+ 7, { 3, 'a', 'b', 'c', 2, 'a', 'b' },
44+ 4, { 3, 'a', 'b', 'c' },
45+ OPENSSL_NPN_NEGOTIATED,
46+ 3, { 'a', 'b', 'c' }
47+ },
48+ {
49+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c', },
50+ 4, { 3, 'a', 'b', 'c' },
51+ OPENSSL_NPN_NEGOTIATED,
52+ 3, { 'a', 'b', 'c' }
53+ },
54+ {
55+ 4, { 3, 'a', 'b', 'c' },
56+ 7, { 3, 'a', 'b', 'c', 2, 'a', 'b', },
57+ OPENSSL_NPN_NEGOTIATED,
58+ 3, { 'a', 'b', 'c' }
59+ },
60+ {
61+ 4, { 3, 'a', 'b', 'c' },
62+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
63+ OPENSSL_NPN_NEGOTIATED,
64+ 3, { 'a', 'b', 'c' }
65+ },
66+ {
67+ 7, { 2, 'b', 'c', 3, 'a', 'b', 'c' },
68+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
69+ OPENSSL_NPN_NEGOTIATED,
70+ 3, { 'a', 'b', 'c' }
71+ },
72+ {
73+ 10, { 2, 'b', 'c', 3, 'a', 'b', 'c', 2, 'a', 'b' },
74+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
75+ OPENSSL_NPN_NEGOTIATED,
76+ 3, { 'a', 'b', 'c' }
77+ },
78+ {
79+ 4, { 3, 'b', 'c', 'd' },
80+ 4, { 3, 'a', 'b', 'c' },
81+ OPENSSL_NPN_NO_OVERLAP,
82+ 3, { 'a', 'b', 'c' }
83+ },
84+ {
85+ 0, { 0 },
86+ 4, { 3, 'a', 'b', 'c' },
87+ OPENSSL_NPN_NO_OVERLAP,
88+ 3, { 'a', 'b', 'c' }
89+ },
90+ {
91+ -1, { 0 },
92+ 4, { 3, 'a', 'b', 'c' },
93+ OPENSSL_NPN_NO_OVERLAP,
94+ 3, { 'a', 'b', 'c' }
95+ },
96+ {
97+ 4, { 3, 'a', 'b', 'c' },
98+ 0, { 0 },
99+ OPENSSL_NPN_NO_OVERLAP,
100+ 0, { 0 }
101+ },
102+ {
103+ 4, { 3, 'a', 'b', 'c' },
104+ -1, { 0 },
105+ OPENSSL_NPN_NO_OVERLAP,
106+ 0, { 0 }
107+ },
108+ {
109+ 3, { 3, 'a', 'b', 'c' },
110+ 4, { 3, 'a', 'b', 'c' },
111+ OPENSSL_NPN_NO_OVERLAP,
112+ 3, { 'a', 'b', 'c' }
113+ },
114+ {
115+ 4, { 3, 'a', 'b', 'c' },
116+ 3, { 3, 'a', 'b', 'c' },
117+ OPENSSL_NPN_NO_OVERLAP,
118+ 0, { 0 }
119+ }
120+};
121+
122+static int test_select_next_proto(int idx)
123+{
124+ struct next_proto_st *np = &next_proto_tests[idx];
125+ int ret = 0;
126+ unsigned char *out, *client, *server;
127+ unsigned char outlen;
128+ unsigned int clientlen, serverlen;
129+
130+ if (np->clientlen == -1) {
131+ client = NULL;
132+ clientlen = 0;
133+ } else {
134+ client = np->client;
135+ clientlen = (unsigned int)np->clientlen;
136+ }
137+ if (np->serverlen == -1) {
138+ server = NULL;
139+ serverlen = 0;
140+ } else {
141+ server = np->server;
142+ serverlen = (unsigned int)np->serverlen;
143+ }
144+
145+ if (!TEST_int_eq(SSL_select_next_proto(&out, &outlen, server, serverlen,
146+ client, clientlen),
147+ np->expected_ret))
148+ goto err;
149+
150+ if (np->selectedlen == 0) {
151+ if (!TEST_ptr_null(out) || !TEST_uchar_eq(outlen, 0))
152+ goto err;
153+ } else {
154+ if (!TEST_mem_eq(out, outlen, np->selected, np->selectedlen))
155+ goto err;
156+ }
157+
158+ ret = 1;
159+ err:
160+ return ret;
161+}
162+
163 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
164
165 int setup_tests(void)
166@@ -12053,6 +12189,7 @@ int setup_tests(void)
167 ADD_ALL_TESTS(test_handshake_retry, 16);
168 ADD_TEST(test_data_retry);
169 ADD_ALL_TESTS(test_multi_resume, 5);
170+ ADD_ALL_TESTS(test_select_next_proto, OSSL_NELEM(next_proto_tests));
171 return 1;
172
173 err:
174--
1752.44.0
176
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_6.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_6.patch
deleted file mode 100644
index df24702fa6..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_6.patch
+++ /dev/null
@@ -1,1173 +0,0 @@
1From e344d0b5860560ffa59415ea4028ba7760b2a773 Mon Sep 17 00:00:00 2001
2From: Matt Caswell <matt@openssl.org>
3Date: Tue, 4 Jun 2024 15:47:32 +0100
4Subject: [PATCH 06/10] Allow an empty NPN/ALPN protocol list in the tests
5
6Allow ourselves to configure an empty NPN/ALPN protocol list and test what
7happens if we do.
8
9Follow on from CVE-2024-5535
10
11Reviewed-by: Neil Horman <nhorman@openssl.org>
12Reviewed-by: Tomas Mraz <tomas@openssl.org>
13(Merged from https://github.com/openssl/openssl/pull/24717)
14
15Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/7ea1f6a85b299b976cb3f756b2a7f0153f31b2b6]
16CVE: CVE-2024-5535
17Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
18---
19 test/helpers/handshake.c | 6 +
20 test/ssl-tests/08-npn.cnf | 553 +++++++++++++++++++---------------
21 test/ssl-tests/08-npn.cnf.in | 35 +++
22 test/ssl-tests/09-alpn.cnf | 66 +++-
23 test/ssl-tests/09-alpn.cnf.in | 33 ++
24 5 files changed, 449 insertions(+), 244 deletions(-)
25
26diff --git a/test/helpers/handshake.c b/test/helpers/handshake.c
27index ae2ad59..b66b2f5 100644
28--- a/test/helpers/handshake.c
29+++ b/test/helpers/handshake.c
30@@ -444,6 +444,12 @@ static int parse_protos(const char *protos, unsigned char **out, size_t *outlen)
31
32 len = strlen(protos);
33
34+ if (len == 0) {
35+ *out = NULL;
36+ *outlen = 0;
37+ return 1;
38+ }
39+
40 /* Should never have reuse. */
41 if (!TEST_ptr_null(*out)
42 /* Test values are small, so we omit length limit checks. */
43diff --git a/test/ssl-tests/08-npn.cnf b/test/ssl-tests/08-npn.cnf
44index f38b3f6..1931d02 100644
45--- a/test/ssl-tests/08-npn.cnf
46+++ b/test/ssl-tests/08-npn.cnf
47@@ -1,6 +1,6 @@
48 # Generated with generate_ssl_tests.pl
49
50-num_tests = 20
51+num_tests = 22
52
53 test-0 = 0-npn-simple
54 test-1 = 1-npn-client-finds-match
55@@ -8,20 +8,22 @@ test-2 = 2-npn-client-honours-server-pref
56 test-3 = 3-npn-client-first-pref-on-mismatch
57 test-4 = 4-npn-no-server-support
58 test-5 = 5-npn-no-client-support
59-test-6 = 6-npn-with-sni-no-context-switch
60-test-7 = 7-npn-with-sni-context-switch
61-test-8 = 8-npn-selected-sni-server-supports-npn
62-test-9 = 9-npn-selected-sni-server-does-not-support-npn
63-test-10 = 10-alpn-preferred-over-npn
64-test-11 = 11-sni-npn-preferred-over-alpn
65-test-12 = 12-npn-simple-resumption
66-test-13 = 13-npn-server-switch-resumption
67-test-14 = 14-npn-client-switch-resumption
68-test-15 = 15-npn-client-first-pref-on-mismatch-resumption
69-test-16 = 16-npn-no-server-support-resumption
70-test-17 = 17-npn-no-client-support-resumption
71-test-18 = 18-alpn-preferred-over-npn-resumption
72-test-19 = 19-npn-used-if-alpn-not-supported-resumption
73+test-6 = 6-npn-empty-client-list
74+test-7 = 7-npn-empty-server-list
75+test-8 = 8-npn-with-sni-no-context-switch
76+test-9 = 9-npn-with-sni-context-switch
77+test-10 = 10-npn-selected-sni-server-supports-npn
78+test-11 = 11-npn-selected-sni-server-does-not-support-npn
79+test-12 = 12-alpn-preferred-over-npn
80+test-13 = 13-sni-npn-preferred-over-alpn
81+test-14 = 14-npn-simple-resumption
82+test-15 = 15-npn-server-switch-resumption
83+test-16 = 16-npn-client-switch-resumption
84+test-17 = 17-npn-client-first-pref-on-mismatch-resumption
85+test-18 = 18-npn-no-server-support-resumption
86+test-19 = 19-npn-no-client-support-resumption
87+test-20 = 20-alpn-preferred-over-npn-resumption
88+test-21 = 21-npn-used-if-alpn-not-supported-resumption
89 # ===========================================================
90
91 [0-npn-simple]
92@@ -206,253 +208,318 @@ NPNProtocols = foo
93
94 # ===========================================================
95
96-[6-npn-with-sni-no-context-switch]
97-ssl_conf = 6-npn-with-sni-no-context-switch-ssl
98+[6-npn-empty-client-list]
99+ssl_conf = 6-npn-empty-client-list-ssl
100
101-[6-npn-with-sni-no-context-switch-ssl]
102-server = 6-npn-with-sni-no-context-switch-server
103-client = 6-npn-with-sni-no-context-switch-client
104-server2 = 6-npn-with-sni-no-context-switch-server2
105+[6-npn-empty-client-list-ssl]
106+server = 6-npn-empty-client-list-server
107+client = 6-npn-empty-client-list-client
108
109-[6-npn-with-sni-no-context-switch-server]
110+[6-npn-empty-client-list-server]
111 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
112 CipherString = DEFAULT
113 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
114
115-[6-npn-with-sni-no-context-switch-server2]
116+[6-npn-empty-client-list-client]
117+CipherString = DEFAULT
118+MaxProtocol = TLSv1.2
119+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
120+VerifyMode = Peer
121+
122+[test-6]
123+ExpectedClientAlert = HandshakeFailure
124+ExpectedResult = ClientFail
125+server = 6-npn-empty-client-list-server-extra
126+client = 6-npn-empty-client-list-client-extra
127+
128+[6-npn-empty-client-list-server-extra]
129+NPNProtocols = foo
130+
131+[6-npn-empty-client-list-client-extra]
132+NPNProtocols =
133+
134+
135+# ===========================================================
136+
137+[7-npn-empty-server-list]
138+ssl_conf = 7-npn-empty-server-list-ssl
139+
140+[7-npn-empty-server-list-ssl]
141+server = 7-npn-empty-server-list-server
142+client = 7-npn-empty-server-list-client
143+
144+[7-npn-empty-server-list-server]
145 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
146 CipherString = DEFAULT
147 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
148
149-[6-npn-with-sni-no-context-switch-client]
150+[7-npn-empty-server-list-client]
151 CipherString = DEFAULT
152 MaxProtocol = TLSv1.2
153 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
154 VerifyMode = Peer
155
156-[test-6]
157+[test-7]
158+ExpectedNPNProtocol = foo
159+server = 7-npn-empty-server-list-server-extra
160+client = 7-npn-empty-server-list-client-extra
161+
162+[7-npn-empty-server-list-server-extra]
163+NPNProtocols =
164+
165+[7-npn-empty-server-list-client-extra]
166+NPNProtocols = foo
167+
168+
169+# ===========================================================
170+
171+[8-npn-with-sni-no-context-switch]
172+ssl_conf = 8-npn-with-sni-no-context-switch-ssl
173+
174+[8-npn-with-sni-no-context-switch-ssl]
175+server = 8-npn-with-sni-no-context-switch-server
176+client = 8-npn-with-sni-no-context-switch-client
177+server2 = 8-npn-with-sni-no-context-switch-server2
178+
179+[8-npn-with-sni-no-context-switch-server]
180+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
181+CipherString = DEFAULT
182+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
183+
184+[8-npn-with-sni-no-context-switch-server2]
185+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
186+CipherString = DEFAULT
187+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
188+
189+[8-npn-with-sni-no-context-switch-client]
190+CipherString = DEFAULT
191+MaxProtocol = TLSv1.2
192+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
193+VerifyMode = Peer
194+
195+[test-8]
196 ExpectedNPNProtocol = foo
197 ExpectedServerName = server1
198-server = 6-npn-with-sni-no-context-switch-server-extra
199-server2 = 6-npn-with-sni-no-context-switch-server2-extra
200-client = 6-npn-with-sni-no-context-switch-client-extra
201+server = 8-npn-with-sni-no-context-switch-server-extra
202+server2 = 8-npn-with-sni-no-context-switch-server2-extra
203+client = 8-npn-with-sni-no-context-switch-client-extra
204
205-[6-npn-with-sni-no-context-switch-server-extra]
206+[8-npn-with-sni-no-context-switch-server-extra]
207 NPNProtocols = foo
208 ServerNameCallback = IgnoreMismatch
209
210-[6-npn-with-sni-no-context-switch-server2-extra]
211+[8-npn-with-sni-no-context-switch-server2-extra]
212 NPNProtocols = bar
213
214-[6-npn-with-sni-no-context-switch-client-extra]
215+[8-npn-with-sni-no-context-switch-client-extra]
216 NPNProtocols = foo,bar
217 ServerName = server1
218
219
220 # ===========================================================
221
222-[7-npn-with-sni-context-switch]
223-ssl_conf = 7-npn-with-sni-context-switch-ssl
224+[9-npn-with-sni-context-switch]
225+ssl_conf = 9-npn-with-sni-context-switch-ssl
226
227-[7-npn-with-sni-context-switch-ssl]
228-server = 7-npn-with-sni-context-switch-server
229-client = 7-npn-with-sni-context-switch-client
230-server2 = 7-npn-with-sni-context-switch-server2
231+[9-npn-with-sni-context-switch-ssl]
232+server = 9-npn-with-sni-context-switch-server
233+client = 9-npn-with-sni-context-switch-client
234+server2 = 9-npn-with-sni-context-switch-server2
235
236-[7-npn-with-sni-context-switch-server]
237+[9-npn-with-sni-context-switch-server]
238 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
239 CipherString = DEFAULT
240 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
241
242-[7-npn-with-sni-context-switch-server2]
243+[9-npn-with-sni-context-switch-server2]
244 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
245 CipherString = DEFAULT
246 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
247
248-[7-npn-with-sni-context-switch-client]
249+[9-npn-with-sni-context-switch-client]
250 CipherString = DEFAULT
251 MaxProtocol = TLSv1.2
252 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
253 VerifyMode = Peer
254
255-[test-7]
256+[test-9]
257 ExpectedNPNProtocol = bar
258 ExpectedServerName = server2
259-server = 7-npn-with-sni-context-switch-server-extra
260-server2 = 7-npn-with-sni-context-switch-server2-extra
261-client = 7-npn-with-sni-context-switch-client-extra
262+server = 9-npn-with-sni-context-switch-server-extra
263+server2 = 9-npn-with-sni-context-switch-server2-extra
264+client = 9-npn-with-sni-context-switch-client-extra
265
266-[7-npn-with-sni-context-switch-server-extra]
267+[9-npn-with-sni-context-switch-server-extra]
268 NPNProtocols = foo
269 ServerNameCallback = IgnoreMismatch
270
271-[7-npn-with-sni-context-switch-server2-extra]
272+[9-npn-with-sni-context-switch-server2-extra]
273 NPNProtocols = bar
274
275-[7-npn-with-sni-context-switch-client-extra]
276+[9-npn-with-sni-context-switch-client-extra]
277 NPNProtocols = foo,bar
278 ServerName = server2
279
280
281 # ===========================================================
282
283-[8-npn-selected-sni-server-supports-npn]
284-ssl_conf = 8-npn-selected-sni-server-supports-npn-ssl
285+[10-npn-selected-sni-server-supports-npn]
286+ssl_conf = 10-npn-selected-sni-server-supports-npn-ssl
287
288-[8-npn-selected-sni-server-supports-npn-ssl]
289-server = 8-npn-selected-sni-server-supports-npn-server
290-client = 8-npn-selected-sni-server-supports-npn-client
291-server2 = 8-npn-selected-sni-server-supports-npn-server2
292+[10-npn-selected-sni-server-supports-npn-ssl]
293+server = 10-npn-selected-sni-server-supports-npn-server
294+client = 10-npn-selected-sni-server-supports-npn-client
295+server2 = 10-npn-selected-sni-server-supports-npn-server2
296
297-[8-npn-selected-sni-server-supports-npn-server]
298+[10-npn-selected-sni-server-supports-npn-server]
299 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
300 CipherString = DEFAULT
301 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
302
303-[8-npn-selected-sni-server-supports-npn-server2]
304+[10-npn-selected-sni-server-supports-npn-server2]
305 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
306 CipherString = DEFAULT
307 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
308
309-[8-npn-selected-sni-server-supports-npn-client]
310+[10-npn-selected-sni-server-supports-npn-client]
311 CipherString = DEFAULT
312 MaxProtocol = TLSv1.2
313 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
314 VerifyMode = Peer
315
316-[test-8]
317+[test-10]
318 ExpectedNPNProtocol = bar
319 ExpectedServerName = server2
320-server = 8-npn-selected-sni-server-supports-npn-server-extra
321-server2 = 8-npn-selected-sni-server-supports-npn-server2-extra
322-client = 8-npn-selected-sni-server-supports-npn-client-extra
323+server = 10-npn-selected-sni-server-supports-npn-server-extra
324+server2 = 10-npn-selected-sni-server-supports-npn-server2-extra
325+client = 10-npn-selected-sni-server-supports-npn-client-extra
326
327-[8-npn-selected-sni-server-supports-npn-server-extra]
328+[10-npn-selected-sni-server-supports-npn-server-extra]
329 ServerNameCallback = IgnoreMismatch
330
331-[8-npn-selected-sni-server-supports-npn-server2-extra]
332+[10-npn-selected-sni-server-supports-npn-server2-extra]
333 NPNProtocols = bar
334
335-[8-npn-selected-sni-server-supports-npn-client-extra]
336+[10-npn-selected-sni-server-supports-npn-client-extra]
337 NPNProtocols = foo,bar
338 ServerName = server2
339
340
341 # ===========================================================
342
343-[9-npn-selected-sni-server-does-not-support-npn]
344-ssl_conf = 9-npn-selected-sni-server-does-not-support-npn-ssl
345+[11-npn-selected-sni-server-does-not-support-npn]
346+ssl_conf = 11-npn-selected-sni-server-does-not-support-npn-ssl
347
348-[9-npn-selected-sni-server-does-not-support-npn-ssl]
349-server = 9-npn-selected-sni-server-does-not-support-npn-server
350-client = 9-npn-selected-sni-server-does-not-support-npn-client
351-server2 = 9-npn-selected-sni-server-does-not-support-npn-server2
352+[11-npn-selected-sni-server-does-not-support-npn-ssl]
353+server = 11-npn-selected-sni-server-does-not-support-npn-server
354+client = 11-npn-selected-sni-server-does-not-support-npn-client
355+server2 = 11-npn-selected-sni-server-does-not-support-npn-server2
356
357-[9-npn-selected-sni-server-does-not-support-npn-server]
358+[11-npn-selected-sni-server-does-not-support-npn-server]
359 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
360 CipherString = DEFAULT
361 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
362
363-[9-npn-selected-sni-server-does-not-support-npn-server2]
364+[11-npn-selected-sni-server-does-not-support-npn-server2]
365 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
366 CipherString = DEFAULT
367 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
368
369-[9-npn-selected-sni-server-does-not-support-npn-client]
370+[11-npn-selected-sni-server-does-not-support-npn-client]
371 CipherString = DEFAULT
372 MaxProtocol = TLSv1.2
373 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
374 VerifyMode = Peer
375
376-[test-9]
377+[test-11]
378 ExpectedServerName = server2
379-server = 9-npn-selected-sni-server-does-not-support-npn-server-extra
380-client = 9-npn-selected-sni-server-does-not-support-npn-client-extra
381+server = 11-npn-selected-sni-server-does-not-support-npn-server-extra
382+client = 11-npn-selected-sni-server-does-not-support-npn-client-extra
383
384-[9-npn-selected-sni-server-does-not-support-npn-server-extra]
385+[11-npn-selected-sni-server-does-not-support-npn-server-extra]
386 NPNProtocols = bar
387 ServerNameCallback = IgnoreMismatch
388
389-[9-npn-selected-sni-server-does-not-support-npn-client-extra]
390+[11-npn-selected-sni-server-does-not-support-npn-client-extra]
391 NPNProtocols = foo,bar
392 ServerName = server2
393
394
395 # ===========================================================
396
397-[10-alpn-preferred-over-npn]
398-ssl_conf = 10-alpn-preferred-over-npn-ssl
399+[12-alpn-preferred-over-npn]
400+ssl_conf = 12-alpn-preferred-over-npn-ssl
401
402-[10-alpn-preferred-over-npn-ssl]
403-server = 10-alpn-preferred-over-npn-server
404-client = 10-alpn-preferred-over-npn-client
405+[12-alpn-preferred-over-npn-ssl]
406+server = 12-alpn-preferred-over-npn-server
407+client = 12-alpn-preferred-over-npn-client
408
409-[10-alpn-preferred-over-npn-server]
410+[12-alpn-preferred-over-npn-server]
411 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
412 CipherString = DEFAULT
413 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
414
415-[10-alpn-preferred-over-npn-client]
416+[12-alpn-preferred-over-npn-client]
417 CipherString = DEFAULT
418 MaxProtocol = TLSv1.2
419 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
420 VerifyMode = Peer
421
422-[test-10]
423+[test-12]
424 ExpectedALPNProtocol = foo
425-server = 10-alpn-preferred-over-npn-server-extra
426-client = 10-alpn-preferred-over-npn-client-extra
427+server = 12-alpn-preferred-over-npn-server-extra
428+client = 12-alpn-preferred-over-npn-client-extra
429
430-[10-alpn-preferred-over-npn-server-extra]
431+[12-alpn-preferred-over-npn-server-extra]
432 ALPNProtocols = foo
433 NPNProtocols = bar
434
435-[10-alpn-preferred-over-npn-client-extra]
436+[12-alpn-preferred-over-npn-client-extra]
437 ALPNProtocols = foo
438 NPNProtocols = bar
439
440
441 # ===========================================================
442
443-[11-sni-npn-preferred-over-alpn]
444-ssl_conf = 11-sni-npn-preferred-over-alpn-ssl
445+[13-sni-npn-preferred-over-alpn]
446+ssl_conf = 13-sni-npn-preferred-over-alpn-ssl
447
448-[11-sni-npn-preferred-over-alpn-ssl]
449-server = 11-sni-npn-preferred-over-alpn-server
450-client = 11-sni-npn-preferred-over-alpn-client
451-server2 = 11-sni-npn-preferred-over-alpn-server2
452+[13-sni-npn-preferred-over-alpn-ssl]
453+server = 13-sni-npn-preferred-over-alpn-server
454+client = 13-sni-npn-preferred-over-alpn-client
455+server2 = 13-sni-npn-preferred-over-alpn-server2
456
457-[11-sni-npn-preferred-over-alpn-server]
458+[13-sni-npn-preferred-over-alpn-server]
459 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
460 CipherString = DEFAULT
461 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
462
463-[11-sni-npn-preferred-over-alpn-server2]
464+[13-sni-npn-preferred-over-alpn-server2]
465 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
466 CipherString = DEFAULT
467 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
468
469-[11-sni-npn-preferred-over-alpn-client]
470+[13-sni-npn-preferred-over-alpn-client]
471 CipherString = DEFAULT
472 MaxProtocol = TLSv1.2
473 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
474 VerifyMode = Peer
475
476-[test-11]
477+[test-13]
478 ExpectedNPNProtocol = bar
479 ExpectedServerName = server2
480-server = 11-sni-npn-preferred-over-alpn-server-extra
481-server2 = 11-sni-npn-preferred-over-alpn-server2-extra
482-client = 11-sni-npn-preferred-over-alpn-client-extra
483+server = 13-sni-npn-preferred-over-alpn-server-extra
484+server2 = 13-sni-npn-preferred-over-alpn-server2-extra
485+client = 13-sni-npn-preferred-over-alpn-client-extra
486
487-[11-sni-npn-preferred-over-alpn-server-extra]
488+[13-sni-npn-preferred-over-alpn-server-extra]
489 ALPNProtocols = foo
490 ServerNameCallback = IgnoreMismatch
491
492-[11-sni-npn-preferred-over-alpn-server2-extra]
493+[13-sni-npn-preferred-over-alpn-server2-extra]
494 NPNProtocols = bar
495
496-[11-sni-npn-preferred-over-alpn-client-extra]
497+[13-sni-npn-preferred-over-alpn-client-extra]
498 ALPNProtocols = foo
499 NPNProtocols = bar
500 ServerName = server2
501@@ -460,356 +527,356 @@ ServerName = server2
502
503 # ===========================================================
504
505-[12-npn-simple-resumption]
506-ssl_conf = 12-npn-simple-resumption-ssl
507+[14-npn-simple-resumption]
508+ssl_conf = 14-npn-simple-resumption-ssl
509
510-[12-npn-simple-resumption-ssl]
511-server = 12-npn-simple-resumption-server
512-client = 12-npn-simple-resumption-client
513-resume-server = 12-npn-simple-resumption-server
514-resume-client = 12-npn-simple-resumption-client
515+[14-npn-simple-resumption-ssl]
516+server = 14-npn-simple-resumption-server
517+client = 14-npn-simple-resumption-client
518+resume-server = 14-npn-simple-resumption-server
519+resume-client = 14-npn-simple-resumption-client
520
521-[12-npn-simple-resumption-server]
522+[14-npn-simple-resumption-server]
523 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
524 CipherString = DEFAULT
525 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
526
527-[12-npn-simple-resumption-client]
528+[14-npn-simple-resumption-client]
529 CipherString = DEFAULT
530 MaxProtocol = TLSv1.2
531 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
532 VerifyMode = Peer
533
534-[test-12]
535+[test-14]
536 ExpectedNPNProtocol = foo
537 HandshakeMode = Resume
538 ResumptionExpected = Yes
539-server = 12-npn-simple-resumption-server-extra
540-resume-server = 12-npn-simple-resumption-server-extra
541-client = 12-npn-simple-resumption-client-extra
542-resume-client = 12-npn-simple-resumption-client-extra
543+server = 14-npn-simple-resumption-server-extra
544+resume-server = 14-npn-simple-resumption-server-extra
545+client = 14-npn-simple-resumption-client-extra
546+resume-client = 14-npn-simple-resumption-client-extra
547
548-[12-npn-simple-resumption-server-extra]
549+[14-npn-simple-resumption-server-extra]
550 NPNProtocols = foo
551
552-[12-npn-simple-resumption-client-extra]
553+[14-npn-simple-resumption-client-extra]
554 NPNProtocols = foo
555
556
557 # ===========================================================
558
559-[13-npn-server-switch-resumption]
560-ssl_conf = 13-npn-server-switch-resumption-ssl
561+[15-npn-server-switch-resumption]
562+ssl_conf = 15-npn-server-switch-resumption-ssl
563
564-[13-npn-server-switch-resumption-ssl]
565-server = 13-npn-server-switch-resumption-server
566-client = 13-npn-server-switch-resumption-client
567-resume-server = 13-npn-server-switch-resumption-resume-server
568-resume-client = 13-npn-server-switch-resumption-client
569+[15-npn-server-switch-resumption-ssl]
570+server = 15-npn-server-switch-resumption-server
571+client = 15-npn-server-switch-resumption-client
572+resume-server = 15-npn-server-switch-resumption-resume-server
573+resume-client = 15-npn-server-switch-resumption-client
574
575-[13-npn-server-switch-resumption-server]
576+[15-npn-server-switch-resumption-server]
577 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
578 CipherString = DEFAULT
579 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
580
581-[13-npn-server-switch-resumption-resume-server]
582+[15-npn-server-switch-resumption-resume-server]
583 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
584 CipherString = DEFAULT
585 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
586
587-[13-npn-server-switch-resumption-client]
588+[15-npn-server-switch-resumption-client]
589 CipherString = DEFAULT
590 MaxProtocol = TLSv1.2
591 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
592 VerifyMode = Peer
593
594-[test-13]
595+[test-15]
596 ExpectedNPNProtocol = baz
597 HandshakeMode = Resume
598 ResumptionExpected = Yes
599-server = 13-npn-server-switch-resumption-server-extra
600-resume-server = 13-npn-server-switch-resumption-resume-server-extra
601-client = 13-npn-server-switch-resumption-client-extra
602-resume-client = 13-npn-server-switch-resumption-client-extra
603+server = 15-npn-server-switch-resumption-server-extra
604+resume-server = 15-npn-server-switch-resumption-resume-server-extra
605+client = 15-npn-server-switch-resumption-client-extra
606+resume-client = 15-npn-server-switch-resumption-client-extra
607
608-[13-npn-server-switch-resumption-server-extra]
609+[15-npn-server-switch-resumption-server-extra]
610 NPNProtocols = bar,foo
611
612-[13-npn-server-switch-resumption-resume-server-extra]
613+[15-npn-server-switch-resumption-resume-server-extra]
614 NPNProtocols = baz,foo
615
616-[13-npn-server-switch-resumption-client-extra]
617+[15-npn-server-switch-resumption-client-extra]
618 NPNProtocols = foo,bar,baz
619
620
621 # ===========================================================
622
623-[14-npn-client-switch-resumption]
624-ssl_conf = 14-npn-client-switch-resumption-ssl
625+[16-npn-client-switch-resumption]
626+ssl_conf = 16-npn-client-switch-resumption-ssl
627
628-[14-npn-client-switch-resumption-ssl]
629-server = 14-npn-client-switch-resumption-server
630-client = 14-npn-client-switch-resumption-client
631-resume-server = 14-npn-client-switch-resumption-server
632-resume-client = 14-npn-client-switch-resumption-resume-client
633+[16-npn-client-switch-resumption-ssl]
634+server = 16-npn-client-switch-resumption-server
635+client = 16-npn-client-switch-resumption-client
636+resume-server = 16-npn-client-switch-resumption-server
637+resume-client = 16-npn-client-switch-resumption-resume-client
638
639-[14-npn-client-switch-resumption-server]
640+[16-npn-client-switch-resumption-server]
641 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
642 CipherString = DEFAULT
643 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
644
645-[14-npn-client-switch-resumption-client]
646+[16-npn-client-switch-resumption-client]
647 CipherString = DEFAULT
648 MaxProtocol = TLSv1.2
649 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
650 VerifyMode = Peer
651
652-[14-npn-client-switch-resumption-resume-client]
653+[16-npn-client-switch-resumption-resume-client]
654 CipherString = DEFAULT
655 MaxProtocol = TLSv1.2
656 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
657 VerifyMode = Peer
658
659-[test-14]
660+[test-16]
661 ExpectedNPNProtocol = bar
662 HandshakeMode = Resume
663 ResumptionExpected = Yes
664-server = 14-npn-client-switch-resumption-server-extra
665-resume-server = 14-npn-client-switch-resumption-server-extra
666-client = 14-npn-client-switch-resumption-client-extra
667-resume-client = 14-npn-client-switch-resumption-resume-client-extra
668+server = 16-npn-client-switch-resumption-server-extra
669+resume-server = 16-npn-client-switch-resumption-server-extra
670+client = 16-npn-client-switch-resumption-client-extra
671+resume-client = 16-npn-client-switch-resumption-resume-client-extra
672
673-[14-npn-client-switch-resumption-server-extra]
674+[16-npn-client-switch-resumption-server-extra]
675 NPNProtocols = foo,bar,baz
676
677-[14-npn-client-switch-resumption-client-extra]
678+[16-npn-client-switch-resumption-client-extra]
679 NPNProtocols = foo,baz
680
681-[14-npn-client-switch-resumption-resume-client-extra]
682+[16-npn-client-switch-resumption-resume-client-extra]
683 NPNProtocols = bar,baz
684
685
686 # ===========================================================
687
688-[15-npn-client-first-pref-on-mismatch-resumption]
689-ssl_conf = 15-npn-client-first-pref-on-mismatch-resumption-ssl
690+[17-npn-client-first-pref-on-mismatch-resumption]
691+ssl_conf = 17-npn-client-first-pref-on-mismatch-resumption-ssl
692
693-[15-npn-client-first-pref-on-mismatch-resumption-ssl]
694-server = 15-npn-client-first-pref-on-mismatch-resumption-server
695-client = 15-npn-client-first-pref-on-mismatch-resumption-client
696-resume-server = 15-npn-client-first-pref-on-mismatch-resumption-resume-server
697-resume-client = 15-npn-client-first-pref-on-mismatch-resumption-client
698+[17-npn-client-first-pref-on-mismatch-resumption-ssl]
699+server = 17-npn-client-first-pref-on-mismatch-resumption-server
700+client = 17-npn-client-first-pref-on-mismatch-resumption-client
701+resume-server = 17-npn-client-first-pref-on-mismatch-resumption-resume-server
702+resume-client = 17-npn-client-first-pref-on-mismatch-resumption-client
703
704-[15-npn-client-first-pref-on-mismatch-resumption-server]
705+[17-npn-client-first-pref-on-mismatch-resumption-server]
706 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
707 CipherString = DEFAULT
708 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
709
710-[15-npn-client-first-pref-on-mismatch-resumption-resume-server]
711+[17-npn-client-first-pref-on-mismatch-resumption-resume-server]
712 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
713 CipherString = DEFAULT
714 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
715
716-[15-npn-client-first-pref-on-mismatch-resumption-client]
717+[17-npn-client-first-pref-on-mismatch-resumption-client]
718 CipherString = DEFAULT
719 MaxProtocol = TLSv1.2
720 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
721 VerifyMode = Peer
722
723-[test-15]
724+[test-17]
725 ExpectedNPNProtocol = foo
726 HandshakeMode = Resume
727 ResumptionExpected = Yes
728-server = 15-npn-client-first-pref-on-mismatch-resumption-server-extra
729-resume-server = 15-npn-client-first-pref-on-mismatch-resumption-resume-server-extra
730-client = 15-npn-client-first-pref-on-mismatch-resumption-client-extra
731-resume-client = 15-npn-client-first-pref-on-mismatch-resumption-client-extra
732+server = 17-npn-client-first-pref-on-mismatch-resumption-server-extra
733+resume-server = 17-npn-client-first-pref-on-mismatch-resumption-resume-server-extra
734+client = 17-npn-client-first-pref-on-mismatch-resumption-client-extra
735+resume-client = 17-npn-client-first-pref-on-mismatch-resumption-client-extra
736
737-[15-npn-client-first-pref-on-mismatch-resumption-server-extra]
738+[17-npn-client-first-pref-on-mismatch-resumption-server-extra]
739 NPNProtocols = bar
740
741-[15-npn-client-first-pref-on-mismatch-resumption-resume-server-extra]
742+[17-npn-client-first-pref-on-mismatch-resumption-resume-server-extra]
743 NPNProtocols = baz
744
745-[15-npn-client-first-pref-on-mismatch-resumption-client-extra]
746+[17-npn-client-first-pref-on-mismatch-resumption-client-extra]
747 NPNProtocols = foo,bar
748
749
750 # ===========================================================
751
752-[16-npn-no-server-support-resumption]
753-ssl_conf = 16-npn-no-server-support-resumption-ssl
754+[18-npn-no-server-support-resumption]
755+ssl_conf = 18-npn-no-server-support-resumption-ssl
756
757-[16-npn-no-server-support-resumption-ssl]
758-server = 16-npn-no-server-support-resumption-server
759-client = 16-npn-no-server-support-resumption-client
760-resume-server = 16-npn-no-server-support-resumption-resume-server
761-resume-client = 16-npn-no-server-support-resumption-client
762+[18-npn-no-server-support-resumption-ssl]
763+server = 18-npn-no-server-support-resumption-server
764+client = 18-npn-no-server-support-resumption-client
765+resume-server = 18-npn-no-server-support-resumption-resume-server
766+resume-client = 18-npn-no-server-support-resumption-client
767
768-[16-npn-no-server-support-resumption-server]
769+[18-npn-no-server-support-resumption-server]
770 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
771 CipherString = DEFAULT
772 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
773
774-[16-npn-no-server-support-resumption-resume-server]
775+[18-npn-no-server-support-resumption-resume-server]
776 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
777 CipherString = DEFAULT
778 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
779
780-[16-npn-no-server-support-resumption-client]
781+[18-npn-no-server-support-resumption-client]
782 CipherString = DEFAULT
783 MaxProtocol = TLSv1.2
784 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
785 VerifyMode = Peer
786
787-[test-16]
788+[test-18]
789 HandshakeMode = Resume
790 ResumptionExpected = Yes
791-server = 16-npn-no-server-support-resumption-server-extra
792-client = 16-npn-no-server-support-resumption-client-extra
793-resume-client = 16-npn-no-server-support-resumption-client-extra
794+server = 18-npn-no-server-support-resumption-server-extra
795+client = 18-npn-no-server-support-resumption-client-extra
796+resume-client = 18-npn-no-server-support-resumption-client-extra
797
798-[16-npn-no-server-support-resumption-server-extra]
799+[18-npn-no-server-support-resumption-server-extra]
800 NPNProtocols = foo
801
802-[16-npn-no-server-support-resumption-client-extra]
803+[18-npn-no-server-support-resumption-client-extra]
804 NPNProtocols = foo
805
806
807 # ===========================================================
808
809-[17-npn-no-client-support-resumption]
810-ssl_conf = 17-npn-no-client-support-resumption-ssl
811+[19-npn-no-client-support-resumption]
812+ssl_conf = 19-npn-no-client-support-resumption-ssl
813
814-[17-npn-no-client-support-resumption-ssl]
815-server = 17-npn-no-client-support-resumption-server
816-client = 17-npn-no-client-support-resumption-client
817-resume-server = 17-npn-no-client-support-resumption-server
818-resume-client = 17-npn-no-client-support-resumption-resume-client
819+[19-npn-no-client-support-resumption-ssl]
820+server = 19-npn-no-client-support-resumption-server
821+client = 19-npn-no-client-support-resumption-client
822+resume-server = 19-npn-no-client-support-resumption-server
823+resume-client = 19-npn-no-client-support-resumption-resume-client
824
825-[17-npn-no-client-support-resumption-server]
826+[19-npn-no-client-support-resumption-server]
827 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
828 CipherString = DEFAULT
829 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
830
831-[17-npn-no-client-support-resumption-client]
832+[19-npn-no-client-support-resumption-client]
833 CipherString = DEFAULT
834 MaxProtocol = TLSv1.2
835 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
836 VerifyMode = Peer
837
838-[17-npn-no-client-support-resumption-resume-client]
839+[19-npn-no-client-support-resumption-resume-client]
840 CipherString = DEFAULT
841 MaxProtocol = TLSv1.2
842 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
843 VerifyMode = Peer
844
845-[test-17]
846+[test-19]
847 HandshakeMode = Resume
848 ResumptionExpected = Yes
849-server = 17-npn-no-client-support-resumption-server-extra
850-resume-server = 17-npn-no-client-support-resumption-server-extra
851-client = 17-npn-no-client-support-resumption-client-extra
852+server = 19-npn-no-client-support-resumption-server-extra
853+resume-server = 19-npn-no-client-support-resumption-server-extra
854+client = 19-npn-no-client-support-resumption-client-extra
855
856-[17-npn-no-client-support-resumption-server-extra]
857+[19-npn-no-client-support-resumption-server-extra]
858 NPNProtocols = foo
859
860-[17-npn-no-client-support-resumption-client-extra]
861+[19-npn-no-client-support-resumption-client-extra]
862 NPNProtocols = foo
863
864
865 # ===========================================================
866
867-[18-alpn-preferred-over-npn-resumption]
868-ssl_conf = 18-alpn-preferred-over-npn-resumption-ssl
869+[20-alpn-preferred-over-npn-resumption]
870+ssl_conf = 20-alpn-preferred-over-npn-resumption-ssl
871
872-[18-alpn-preferred-over-npn-resumption-ssl]
873-server = 18-alpn-preferred-over-npn-resumption-server
874-client = 18-alpn-preferred-over-npn-resumption-client
875-resume-server = 18-alpn-preferred-over-npn-resumption-resume-server
876-resume-client = 18-alpn-preferred-over-npn-resumption-client
877+[20-alpn-preferred-over-npn-resumption-ssl]
878+server = 20-alpn-preferred-over-npn-resumption-server
879+client = 20-alpn-preferred-over-npn-resumption-client
880+resume-server = 20-alpn-preferred-over-npn-resumption-resume-server
881+resume-client = 20-alpn-preferred-over-npn-resumption-client
882
883-[18-alpn-preferred-over-npn-resumption-server]
884+[20-alpn-preferred-over-npn-resumption-server]
885 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
886 CipherString = DEFAULT
887 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
888
889-[18-alpn-preferred-over-npn-resumption-resume-server]
890+[20-alpn-preferred-over-npn-resumption-resume-server]
891 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
892 CipherString = DEFAULT
893 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
894
895-[18-alpn-preferred-over-npn-resumption-client]
896+[20-alpn-preferred-over-npn-resumption-client]
897 CipherString = DEFAULT
898 MaxProtocol = TLSv1.2
899 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
900 VerifyMode = Peer
901
902-[test-18]
903+[test-20]
904 ExpectedALPNProtocol = foo
905 HandshakeMode = Resume
906 ResumptionExpected = Yes
907-server = 18-alpn-preferred-over-npn-resumption-server-extra
908-resume-server = 18-alpn-preferred-over-npn-resumption-resume-server-extra
909-client = 18-alpn-preferred-over-npn-resumption-client-extra
910-resume-client = 18-alpn-preferred-over-npn-resumption-client-extra
911+server = 20-alpn-preferred-over-npn-resumption-server-extra
912+resume-server = 20-alpn-preferred-over-npn-resumption-resume-server-extra
913+client = 20-alpn-preferred-over-npn-resumption-client-extra
914+resume-client = 20-alpn-preferred-over-npn-resumption-client-extra
915
916-[18-alpn-preferred-over-npn-resumption-server-extra]
917+[20-alpn-preferred-over-npn-resumption-server-extra]
918 NPNProtocols = bar
919
920-[18-alpn-preferred-over-npn-resumption-resume-server-extra]
921+[20-alpn-preferred-over-npn-resumption-resume-server-extra]
922 ALPNProtocols = foo
923 NPNProtocols = baz
924
925-[18-alpn-preferred-over-npn-resumption-client-extra]
926+[20-alpn-preferred-over-npn-resumption-client-extra]
927 ALPNProtocols = foo
928 NPNProtocols = bar,baz
929
930
931 # ===========================================================
932
933-[19-npn-used-if-alpn-not-supported-resumption]
934-ssl_conf = 19-npn-used-if-alpn-not-supported-resumption-ssl
935+[21-npn-used-if-alpn-not-supported-resumption]
936+ssl_conf = 21-npn-used-if-alpn-not-supported-resumption-ssl
937
938-[19-npn-used-if-alpn-not-supported-resumption-ssl]
939-server = 19-npn-used-if-alpn-not-supported-resumption-server
940-client = 19-npn-used-if-alpn-not-supported-resumption-client
941-resume-server = 19-npn-used-if-alpn-not-supported-resumption-resume-server
942-resume-client = 19-npn-used-if-alpn-not-supported-resumption-client
943+[21-npn-used-if-alpn-not-supported-resumption-ssl]
944+server = 21-npn-used-if-alpn-not-supported-resumption-server
945+client = 21-npn-used-if-alpn-not-supported-resumption-client
946+resume-server = 21-npn-used-if-alpn-not-supported-resumption-resume-server
947+resume-client = 21-npn-used-if-alpn-not-supported-resumption-client
948
949-[19-npn-used-if-alpn-not-supported-resumption-server]
950+[21-npn-used-if-alpn-not-supported-resumption-server]
951 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
952 CipherString = DEFAULT
953 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
954
955-[19-npn-used-if-alpn-not-supported-resumption-resume-server]
956+[21-npn-used-if-alpn-not-supported-resumption-resume-server]
957 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
958 CipherString = DEFAULT
959 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
960
961-[19-npn-used-if-alpn-not-supported-resumption-client]
962+[21-npn-used-if-alpn-not-supported-resumption-client]
963 CipherString = DEFAULT
964 MaxProtocol = TLSv1.2
965 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
966 VerifyMode = Peer
967
968-[test-19]
969+[test-21]
970 ExpectedNPNProtocol = baz
971 HandshakeMode = Resume
972 ResumptionExpected = Yes
973-server = 19-npn-used-if-alpn-not-supported-resumption-server-extra
974-resume-server = 19-npn-used-if-alpn-not-supported-resumption-resume-server-extra
975-client = 19-npn-used-if-alpn-not-supported-resumption-client-extra
976-resume-client = 19-npn-used-if-alpn-not-supported-resumption-client-extra
977+server = 21-npn-used-if-alpn-not-supported-resumption-server-extra
978+resume-server = 21-npn-used-if-alpn-not-supported-resumption-resume-server-extra
979+client = 21-npn-used-if-alpn-not-supported-resumption-client-extra
980+resume-client = 21-npn-used-if-alpn-not-supported-resumption-client-extra
981
982-[19-npn-used-if-alpn-not-supported-resumption-server-extra]
983+[21-npn-used-if-alpn-not-supported-resumption-server-extra]
984 ALPNProtocols = foo
985 NPNProtocols = bar
986
987-[19-npn-used-if-alpn-not-supported-resumption-resume-server-extra]
988+[21-npn-used-if-alpn-not-supported-resumption-resume-server-extra]
989 NPNProtocols = baz
990
991-[19-npn-used-if-alpn-not-supported-resumption-client-extra]
992+[21-npn-used-if-alpn-not-supported-resumption-client-extra]
993 ALPNProtocols = foo
994 NPNProtocols = bar,baz
995
996diff --git a/test/ssl-tests/08-npn.cnf.in b/test/ssl-tests/08-npn.cnf.in
997index 30783e4..1dc2704 100644
998--- a/test/ssl-tests/08-npn.cnf.in
999+++ b/test/ssl-tests/08-npn.cnf.in
1000@@ -110,6 +110,41 @@ our @tests = (
1001 "ExpectedNPNProtocol" => undef,
1002 },
1003 },
1004+ {
1005+ name => "npn-empty-client-list",
1006+ server => {
1007+ extra => {
1008+ "NPNProtocols" => "foo",
1009+ },
1010+ },
1011+ client => {
1012+ extra => {
1013+ "NPNProtocols" => "",
1014+ },
1015+ "MaxProtocol" => "TLSv1.2"
1016+ },
1017+ test => {
1018+ "ExpectedResult" => "ClientFail",
1019+ "ExpectedClientAlert" => "HandshakeFailure"
1020+ },
1021+ },
1022+ {
1023+ name => "npn-empty-server-list",
1024+ server => {
1025+ extra => {
1026+ "NPNProtocols" => "",
1027+ },
1028+ },
1029+ client => {
1030+ extra => {
1031+ "NPNProtocols" => "foo",
1032+ },
1033+ "MaxProtocol" => "TLSv1.2"
1034+ },
1035+ test => {
1036+ "ExpectedNPNProtocol" => "foo"
1037+ },
1038+ },
1039 {
1040 name => "npn-with-sni-no-context-switch",
1041 server => {
1042diff --git a/test/ssl-tests/09-alpn.cnf b/test/ssl-tests/09-alpn.cnf
1043index e7e6cb9..dd66873 100644
1044--- a/test/ssl-tests/09-alpn.cnf
1045+++ b/test/ssl-tests/09-alpn.cnf
1046@@ -1,6 +1,6 @@
1047 # Generated with generate_ssl_tests.pl
1048
1049-num_tests = 16
1050+num_tests = 18
1051
1052 test-0 = 0-alpn-simple
1053 test-1 = 1-alpn-server-finds-match
1054@@ -18,6 +18,8 @@ test-12 = 12-alpn-client-switch-resumption
1055 test-13 = 13-alpn-alert-on-mismatch-resumption
1056 test-14 = 14-alpn-no-server-support-resumption
1057 test-15 = 15-alpn-no-client-support-resumption
1058+test-16 = 16-alpn-empty-client-list
1059+test-17 = 17-alpn-empty-server-list
1060 # ===========================================================
1061
1062 [0-alpn-simple]
1063@@ -617,3 +619,65 @@ ALPNProtocols = foo
1064 ALPNProtocols = foo
1065
1066
1067+# ===========================================================
1068+
1069+[16-alpn-empty-client-list]
1070+ssl_conf = 16-alpn-empty-client-list-ssl
1071+
1072+[16-alpn-empty-client-list-ssl]
1073+server = 16-alpn-empty-client-list-server
1074+client = 16-alpn-empty-client-list-client
1075+
1076+[16-alpn-empty-client-list-server]
1077+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
1078+CipherString = DEFAULT
1079+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
1080+
1081+[16-alpn-empty-client-list-client]
1082+CipherString = DEFAULT
1083+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
1084+VerifyMode = Peer
1085+
1086+[test-16]
1087+server = 16-alpn-empty-client-list-server-extra
1088+client = 16-alpn-empty-client-list-client-extra
1089+
1090+[16-alpn-empty-client-list-server-extra]
1091+ALPNProtocols = foo
1092+
1093+[16-alpn-empty-client-list-client-extra]
1094+ALPNProtocols =
1095+
1096+
1097+# ===========================================================
1098+
1099+[17-alpn-empty-server-list]
1100+ssl_conf = 17-alpn-empty-server-list-ssl
1101+
1102+[17-alpn-empty-server-list-ssl]
1103+server = 17-alpn-empty-server-list-server
1104+client = 17-alpn-empty-server-list-client
1105+
1106+[17-alpn-empty-server-list-server]
1107+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
1108+CipherString = DEFAULT
1109+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
1110+
1111+[17-alpn-empty-server-list-client]
1112+CipherString = DEFAULT
1113+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
1114+VerifyMode = Peer
1115+
1116+[test-17]
1117+ExpectedResult = ServerFail
1118+ExpectedServerAlert = NoApplicationProtocol
1119+server = 17-alpn-empty-server-list-server-extra
1120+client = 17-alpn-empty-server-list-client-extra
1121+
1122+[17-alpn-empty-server-list-server-extra]
1123+ALPNProtocols =
1124+
1125+[17-alpn-empty-server-list-client-extra]
1126+ALPNProtocols = foo
1127+
1128+
1129diff --git a/test/ssl-tests/09-alpn.cnf.in b/test/ssl-tests/09-alpn.cnf.in
1130index 8133075..322b709 100644
1131--- a/test/ssl-tests/09-alpn.cnf.in
1132+++ b/test/ssl-tests/09-alpn.cnf.in
1133@@ -322,4 +322,37 @@ our @tests = (
1134 "ExpectedALPNProtocol" => undef,
1135 },
1136 },
1137+ {
1138+ name => "alpn-empty-client-list",
1139+ server => {
1140+ extra => {
1141+ "ALPNProtocols" => "foo",
1142+ },
1143+ },
1144+ client => {
1145+ extra => {
1146+ "ALPNProtocols" => "",
1147+ },
1148+ },
1149+ test => {
1150+ "ExpectedALPNProtocol" => undef,
1151+ },
1152+ },
1153+ {
1154+ name => "alpn-empty-server-list",
1155+ server => {
1156+ extra => {
1157+ "ALPNProtocols" => "",
1158+ },
1159+ },
1160+ client => {
1161+ extra => {
1162+ "ALPNProtocols" => "foo",
1163+ },
1164+ },
1165+ test => {
1166+ "ExpectedResult" => "ServerFail",
1167+ "ExpectedServerAlert" => "NoApplicationProtocol",
1168+ },
1169+ },
1170 );
1171--
11722.44.0
1173
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_7.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_7.patch
deleted file mode 100644
index 7319d27bb8..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_7.patch
+++ /dev/null
@@ -1,43 +0,0 @@
1From 86351b8dd4c499de7a0c02313ee54966e978150f Mon Sep 17 00:00:00 2001
2From: Matt Caswell <matt@openssl.org>
3Date: Fri, 21 Jun 2024 10:41:55 +0100
4Subject: [PATCH 07/10] Correct return values for
5 tls_construct_stoc_next_proto_neg
6
7Return EXT_RETURN_NOT_SENT in the event that we don't send the extension,
8rather than EXT_RETURN_SENT. This actually makes no difference at all to
9the current control flow since this return value is ignored in this case
10anyway. But lets make it correct anyway.
11
12Follow on from CVE-2024-5535
13
14Reviewed-by: Neil Horman <nhorman@openssl.org>
15Reviewed-by: Tomas Mraz <tomas@openssl.org>
16(Merged from https://github.com/openssl/openssl/pull/24717)
17
18Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/53f5677f358c4a4f69830d944ea40e71950673b8]
19CVE: CVE-2024-5535
20Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
21---
22 ssl/statem/extensions_srvr.c | 3 ++-
23 1 file changed, 2 insertions(+), 1 deletion(-)
24
25diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
26index 64ccb3e..b821c7c 100644
27--- a/ssl/statem/extensions_srvr.c
28+++ b/ssl/statem/extensions_srvr.c
29@@ -1496,9 +1496,10 @@ EXT_RETURN tls_construct_stoc_next_proto_neg(SSL_CONNECTION *s, WPACKET *pkt,
30 return EXT_RETURN_FAIL;
31 }
32 s->s3.npn_seen = 1;
33+ return EXT_RETURN_SENT;
34 }
35
36- return EXT_RETURN_SENT;
37+ return EXT_RETURN_NOT_SENT;
38 }
39 #endif
40
41--
422.44.0
43
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_8.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_8.patch
deleted file mode 100644
index f64938a5ca..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_8.patch
+++ /dev/null
@@ -1,66 +0,0 @@
1From 29f860914824cde6b0aea6ad818b93132930137f Mon Sep 17 00:00:00 2001
2From: Matt Caswell <matt@openssl.org>
3Date: Fri, 21 Jun 2024 11:51:54 +0100
4Subject: [PATCH 08/10] Add ALPN validation in the client
5
6The ALPN protocol selected by the server must be one that we originally
7advertised. We should verify that it is.
8
9Follow on from CVE-2024-5535
10
11Reviewed-by: Neil Horman <nhorman@openssl.org>
12Reviewed-by: Tomas Mraz <tomas@openssl.org>
13(Merged from https://github.com/openssl/openssl/pull/24717)
14
15Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/195e15421df113d7283aab2ccff8b8fb06df5465]
16CVE: CVE-2024-5535
17Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
18---
19 ssl/statem/extensions_clnt.c | 24 ++++++++++++++++++++++++
20 1 file changed, 24 insertions(+)
21
22diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
23index 1ab3c13..ff9c009 100644
24--- a/ssl/statem/extensions_clnt.c
25+++ b/ssl/statem/extensions_clnt.c
26@@ -1590,6 +1590,8 @@ int tls_parse_stoc_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
27 X509 *x, size_t chainidx)
28 {
29 size_t len;
30+ PACKET confpkt, protpkt;
31+ int valid = 0;
32
33 /* We must have requested it. */
34 if (!s->s3.alpn_sent) {
35@@ -1608,6 +1610,28 @@ int tls_parse_stoc_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
36 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
37 return 0;
38 }
39+
40+ /* It must be a protocol that we sent */
41+ if (!PACKET_buf_init(&confpkt, s->ext.alpn, s->ext.alpn_len)) {
42+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43+ return 0;
44+ }
45+ while (PACKET_get_length_prefixed_1(&confpkt, &protpkt)) {
46+ if (PACKET_remaining(&protpkt) != len)
47+ continue;
48+ if (memcmp(PACKET_data(pkt), PACKET_data(&protpkt), len) == 0) {
49+ /* Valid protocol found */
50+ valid = 1;
51+ break;
52+ }
53+ }
54+
55+ if (!valid) {
56+ /* The protocol sent from the server does not match one we advertised */
57+ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
58+ return 0;
59+ }
60+
61 OPENSSL_free(s->s3.alpn_selected);
62 s->s3.alpn_selected = OPENSSL_malloc(len);
63 if (s->s3.alpn_selected == NULL) {
64--
652.44.0
66
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_9.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_9.patch
deleted file mode 100644
index fb1cef5067..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_9.patch
+++ /dev/null
@@ -1,271 +0,0 @@
1From 6a5484b0d3fcf9a868c7e3e5b62e5eedc90b6080 Mon Sep 17 00:00:00 2001
2From: Matt Caswell <matt@openssl.org>
3Date: Fri, 21 Jun 2024 10:09:41 +0100
4Subject: [PATCH 09/10] Add explicit testing of ALN and NPN in sslapitest
5
6We already had some tests elsewhere - but this extends that testing with
7additional tests.
8
9Follow on from CVE-2024-5535
10
11Reviewed-by: Neil Horman <nhorman@openssl.org>
12Reviewed-by: Tomas Mraz <tomas@openssl.org>
13(Merged from https://github.com/openssl/openssl/pull/24717)
14
15Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/7c95191434415d1c9b7fe9b130df13cce630b6b5]
16CVE: CVE-2024-5535
17Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
18---
19 test/sslapitest.c | 229 ++++++++++++++++++++++++++++++++++++++++++++++
20 1 file changed, 229 insertions(+)
21
22diff --git a/test/sslapitest.c b/test/sslapitest.c
23index 15cb906..7a55a2b 100644
24--- a/test/sslapitest.c
25+++ b/test/sslapitest.c
26@@ -11877,6 +11877,231 @@ static int test_select_next_proto(int idx)
27 return ret;
28 }
29
30+static const unsigned char fooprot[] = {3, 'f', 'o', 'o' };
31+static const unsigned char barprot[] = {3, 'b', 'a', 'r' };
32+
33+#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
34+static int npn_advert_cb(SSL *ssl, const unsigned char **out,
35+ unsigned int *outlen, void *arg)
36+{
37+ int *idx = (int *)arg;
38+
39+ switch (*idx) {
40+ default:
41+ case 0:
42+ *out = fooprot;
43+ *outlen = sizeof(fooprot);
44+ return SSL_TLSEXT_ERR_OK;
45+
46+ case 1:
47+ *outlen = 0;
48+ return SSL_TLSEXT_ERR_OK;
49+
50+ case 2:
51+ return SSL_TLSEXT_ERR_NOACK;
52+ }
53+}
54+
55+static int npn_select_cb(SSL *s, unsigned char **out, unsigned char *outlen,
56+ const unsigned char *in, unsigned int inlen, void *arg)
57+{
58+ int *idx = (int *)arg;
59+
60+ switch (*idx) {
61+ case 0:
62+ case 1:
63+ *out = (unsigned char *)(fooprot + 1);
64+ *outlen = *fooprot;
65+ return SSL_TLSEXT_ERR_OK;
66+
67+ case 3:
68+ *out = (unsigned char *)(barprot + 1);
69+ *outlen = *barprot;
70+ return SSL_TLSEXT_ERR_OK;
71+
72+ case 4:
73+ *outlen = 0;
74+ return SSL_TLSEXT_ERR_OK;
75+
76+ default:
77+ case 2:
78+ return SSL_TLSEXT_ERR_ALERT_FATAL;
79+ }
80+}
81+
82+/*
83+ * Test the NPN callbacks
84+ * Test 0: advert = foo, select = foo
85+ * Test 1: advert = <empty>, select = foo
86+ * Test 2: no advert
87+ * Test 3: advert = foo, select = bar
88+ * Test 4: advert = foo, select = <empty> (should fail)
89+ */
90+static int test_npn(int idx)
91+{
92+ SSL_CTX *sctx = NULL, *cctx = NULL;
93+ SSL *serverssl = NULL, *clientssl = NULL;
94+ int testresult = 0;
95+
96+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
97+ TLS_client_method(), 0, TLS1_2_VERSION,
98+ &sctx, &cctx, cert, privkey)))
99+ goto end;
100+
101+ SSL_CTX_set_next_protos_advertised_cb(sctx, npn_advert_cb, &idx);
102+ SSL_CTX_set_next_proto_select_cb(cctx, npn_select_cb, &idx);
103+
104+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
105+ NULL)))
106+ goto end;
107+
108+ if (idx == 4) {
109+ /* We don't allow empty selection of NPN, so this should fail */
110+ if (!TEST_false(create_ssl_connection(serverssl, clientssl,
111+ SSL_ERROR_NONE)))
112+ goto end;
113+ } else {
114+ const unsigned char *prot;
115+ unsigned int protlen;
116+
117+ if (!TEST_true(create_ssl_connection(serverssl, clientssl,
118+ SSL_ERROR_NONE)))
119+ goto end;
120+
121+ SSL_get0_next_proto_negotiated(serverssl, &prot, &protlen);
122+ switch (idx) {
123+ case 0:
124+ case 1:
125+ if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
126+ goto end;
127+ break;
128+ case 2:
129+ if (!TEST_uint_eq(protlen, 0))
130+ goto end;
131+ break;
132+ case 3:
133+ if (!TEST_mem_eq(prot, protlen, barprot + 1, *barprot))
134+ goto end;
135+ break;
136+ default:
137+ TEST_error("Should not get here");
138+ goto end;
139+ }
140+ }
141+
142+ testresult = 1;
143+ end:
144+ SSL_free(serverssl);
145+ SSL_free(clientssl);
146+ SSL_CTX_free(sctx);
147+ SSL_CTX_free(cctx);
148+
149+ return testresult;
150+}
151+#endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG) */
152+
153+static int alpn_select_cb2(SSL *ssl, const unsigned char **out,
154+ unsigned char *outlen, const unsigned char *in,
155+ unsigned int inlen, void *arg)
156+{
157+ int *idx = (int *)arg;
158+
159+ switch (*idx) {
160+ case 0:
161+ *out = (unsigned char *)(fooprot + 1);
162+ *outlen = *fooprot;
163+ return SSL_TLSEXT_ERR_OK;
164+
165+ case 2:
166+ *out = (unsigned char *)(barprot + 1);
167+ *outlen = *barprot;
168+ return SSL_TLSEXT_ERR_OK;
169+
170+ case 3:
171+ *outlen = 0;
172+ return SSL_TLSEXT_ERR_OK;
173+
174+ default:
175+ case 1:
176+ return SSL_TLSEXT_ERR_ALERT_FATAL;
177+ }
178+ return 0;
179+}
180+
181+/*
182+ * Test the ALPN callbacks
183+ * Test 0: client = foo, select = foo
184+ * Test 1: client = <empty>, select = none
185+ * Test 2: client = foo, select = bar (should fail)
186+ * Test 3: client = foo, select = <empty> (should fail)
187+ */
188+static int test_alpn(int idx)
189+{
190+ SSL_CTX *sctx = NULL, *cctx = NULL;
191+ SSL *serverssl = NULL, *clientssl = NULL;
192+ int testresult = 0;
193+ const unsigned char *prots = fooprot;
194+ unsigned int protslen = sizeof(fooprot);
195+
196+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
197+ TLS_client_method(), 0, 0,
198+ &sctx, &cctx, cert, privkey)))
199+ goto end;
200+
201+ SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb2, &idx);
202+
203+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
204+ NULL)))
205+ goto end;
206+
207+ if (idx == 1) {
208+ prots = NULL;
209+ protslen = 0;
210+ }
211+
212+ /* SSL_set_alpn_protos returns 0 for success! */
213+ if (!TEST_false(SSL_set_alpn_protos(clientssl, prots, protslen)))
214+ goto end;
215+
216+ if (idx == 2 || idx == 3) {
217+ /* We don't allow empty selection of NPN, so this should fail */
218+ if (!TEST_false(create_ssl_connection(serverssl, clientssl,
219+ SSL_ERROR_NONE)))
220+ goto end;
221+ } else {
222+ const unsigned char *prot;
223+ unsigned int protlen;
224+
225+ if (!TEST_true(create_ssl_connection(serverssl, clientssl,
226+ SSL_ERROR_NONE)))
227+ goto end;
228+
229+ SSL_get0_alpn_selected(clientssl, &prot, &protlen);
230+ switch (idx) {
231+ case 0:
232+ if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
233+ goto end;
234+ break;
235+ case 1:
236+ if (!TEST_uint_eq(protlen, 0))
237+ goto end;
238+ break;
239+ default:
240+ TEST_error("Should not get here");
241+ goto end;
242+ }
243+ }
244+
245+ testresult = 1;
246+ end:
247+ SSL_free(serverssl);
248+ SSL_free(clientssl);
249+ SSL_CTX_free(sctx);
250+ SSL_CTX_free(cctx);
251+
252+ return testresult;
253+}
254+
255 OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
256
257 int setup_tests(void)
258@@ -12190,6 +12415,10 @@ int setup_tests(void)
259 ADD_TEST(test_data_retry);
260 ADD_ALL_TESTS(test_multi_resume, 5);
261 ADD_ALL_TESTS(test_select_next_proto, OSSL_NELEM(next_proto_tests));
262+#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
263+ ADD_ALL_TESTS(test_npn, 5);
264+#endif
265+ ADD_ALL_TESTS(test_alpn, 4);
266 return 1;
267
268 err:
269--
2702.44.0
271
diff --git a/meta/recipes-connectivity/openssl/openssl_3.2.2.bb b/meta/recipes-connectivity/openssl/openssl_3.2.3.bb
index 3242dd69c6..53139df40c 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.2.2.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.2.3.bb
@@ -7,28 +7,18 @@ SECTION = "libs/network"
7LICENSE = "Apache-2.0" 7LICENSE = "Apache-2.0"
8LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=c75985e733726beaba57bc5253e96d04" 8LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=c75985e733726beaba57bc5253e96d04"
9 9
10SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ 10SRC_URI = "https://github.com/openssl/openssl/releases/download/openssl-${PV}/openssl-${PV}.tar.gz \
11 file://run-ptest \ 11 file://run-ptest \
12 file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ 12 file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
13 file://0001-Configure-do-not-tweak-mips-cflags.patch \ 13 file://0001-Configure-do-not-tweak-mips-cflags.patch \
14 file://0001-Added-handshake-history-reporting-when-test-fails.patch \ 14 file://0001-Added-handshake-history-reporting-when-test-fails.patch \
15 file://CVE-2024-5535_1.patch \
16 file://CVE-2024-5535_2.patch \
17 file://CVE-2024-5535_3.patch \
18 file://CVE-2024-5535_4.patch \
19 file://CVE-2024-5535_5.patch \
20 file://CVE-2024-5535_6.patch \
21 file://CVE-2024-5535_7.patch \
22 file://CVE-2024-5535_8.patch \
23 file://CVE-2024-5535_9.patch \
24 file://CVE-2024-5535_10.patch \
25 " 15 "
26 16
27SRC_URI:append:class-nativesdk = " \ 17SRC_URI:append:class-nativesdk = " \
28 file://environment.d-openssl.sh \ 18 file://environment.d-openssl.sh \
29 " 19 "
30 20
31SRC_URI[sha256sum] = "197149c18d9e9f292c43f0400acaba12e5f52cacfe050f3d199277ea738ec2e7" 21SRC_URI[sha256sum] = "52b5f1c6b8022bc5868c308c54fb77705e702d6c6f4594f99a0df216acf46239"
32 22
33inherit lib_package multilib_header multilib_script ptest perlnative manpages 23inherit lib_package multilib_header multilib_script ptest perlnative manpages
34MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" 24MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-06-14 20:58:57 +0000