authorSiddharth Doshi <sdoshi@mvista.com>2024-09-06 14:02:18 +0530
committerSteve Sakoman <steve@sakoman.com>2024-09-16 06:09:56 -0700
commitf5805aec43e99e32e3d7d5f6f963e832f1a29aeb (patch)
tree0e68e6d94cfe0d6555ad562b52e3fd4437340fda
parent00fb236b77e000b48e268bb0b22613cf524fd2c6 (diff)
downloadpoky-f5805aec43e99e32e3d7d5f6f963e832f1a29aeb.tar.gz
openssl: Upgrade 3.0.14 -> 3.0.15
Updated the SRC_URI link and format due to a change on the openssl website. CVEs fixed by the upgrade: CVE-2024-5535: Fixed possible buffer overread in SSL_select_next_proto(). CVE-2024-6119: Fixed possible denial of service in X.509 name checks. Removed the backports of CVE-2024-5535 as it is already fixed. Detailed information: https://github.com/openssl/openssl/blob/openssl-3.0/CHANGES.md#changes-between-3014-and-3015-3-sep-2024 (From OE-Core rev: 299118bf8e50055de28139b23781f2d34eb6eae0) Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_1.patch115
-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_2.patch44
-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_3.patch84
-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_4.patch178
-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_5.patch1175
-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_6.patch45
-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_7.patch68
-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_8.patch273
-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_9.patch205
-rw-r--r--meta/recipes-connectivity/openssl/openssl_3.0.15.bb (renamed from meta/recipes-connectivity/openssl/openssl_3.0.14.bb)13
10 files changed, 2 insertions, 2198 deletions
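diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_1.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_1.patch
deleted file mode 100644
index a96af0ed13..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_1.patch
+++ /dev/null
@@ -1,115 +0,0 @@
-From e6190fc977f086428cc7880f95e8bcd5a11ac193 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 31 May 2024 11:14:33 +0100
-Subject: [PATCH 1/9] Fix SSL_select_next_proto
-
-Ensure that the provided client list is non-NULL and starts with a valid
-entry. When called from the ALPN callback the client list should already
-have been validated by OpenSSL so this should not cause a problem. When
-called from the NPN callback the client list is locally configured and
-will not have already been validated. Therefore SSL_select_next_proto
-should not assume that it is correctly formatted.
-
-We implement stricter checking of the client protocol list. We also do the
-same for the server list while we are about it.
-
-CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24718)
-
-(cherry picked from commit 4ada436a1946cbb24db5ab4ca082b69c1bc10f37)
-
-Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/cf6f91f6121f4db167405db2f0de410a456f260c]
-CVE: CVE-2024-5535
-Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
----
- ssl/ssl_lib.c | 63 ++++++++++++++++++++++++++++++++-------------------
- 1 file changed, 40 insertions(+), 23 deletions(-)
-
-diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
-index cb4e006..e628140 100644
---- a/ssl/ssl_lib.c
-+++ b/ssl/ssl_lib.c
-@@ -2952,37 +2952,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
- unsigned int server_len,
- const unsigned char *client, unsigned int client_len)
- {
-- unsigned int i, j;
-- const unsigned char *result;
-- int status = OPENSSL_NPN_UNSUPPORTED;
-+ PACKET cpkt, csubpkt, spkt, ssubpkt;
-+
-+ if (!PACKET_buf_init(&cpkt, client, client_len)
-+ || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt)
-+ || PACKET_remaining(&csubpkt) == 0) {
-+ *out = NULL;
-+ *outlen = 0;
-+ return OPENSSL_NPN_NO_OVERLAP;
-+ }
-+
-+ /*
-+ * Set the default opportunistic protocol. Will be overwritten if we find
-+ * a match.
-+ */
-+ *out = (unsigned char *)PACKET_data(&csubpkt);
-+ *outlen = (unsigned char)PACKET_remaining(&csubpkt);
-
- /*
- * For each protocol in server preference order, see if we support it.
- */
-- for (i = 0; i < server_len;) {
-- for (j = 0; j < client_len;) {
-- if (server[i] == client[j] &&
-- memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
-- /* We found a match */
-- result = &server[i];
-- status = OPENSSL_NPN_NEGOTIATED;
-- goto found;
-+ if (PACKET_buf_init(&spkt, server, server_len)) {
-+ while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) {
-+ if (PACKET_remaining(&ssubpkt) == 0)
-+ continue; /* Invalid - ignore it */
-+ if (PACKET_buf_init(&cpkt, client, client_len)) {
-+ while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) {
-+ if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt),
-+ PACKET_remaining(&ssubpkt))) {
-+ /* We found a match */
-+ *out = (unsigned char *)PACKET_data(&ssubpkt);
-+ *outlen = (unsigned char)PACKET_remaining(&ssubpkt);
-+ return OPENSSL_NPN_NEGOTIATED;
-+ }
-+ }
-+ /* Ignore spurious trailing bytes in the client list */
-+ } else {
-+ /* This should never happen */
-+ return OPENSSL_NPN_NO_OVERLAP;
- }
-- j += client[j];
-- j++;
- }
-- i += server[i];
-- i++;
-+ /* Ignore spurious trailing bytes in the server list */
- }
-
-- /* There's no overlap between our protocols and the server's list. */
-- result = client;
-- status = OPENSSL_NPN_NO_OVERLAP;
--
-- found:
-- *out = (unsigned char *)result + 1;
-- *outlen = result[0];
-- return status;
-+ /*
-+ * There's no overlap between our protocols and the server's list. We use
-+ * the default opportunistic protocol selected earlier
-+ */
-+ return OPENSSL_NPN_NO_OVERLAP;
- }
-
- #ifndef OPENSSL_NO_NEXTPROTONEG
---
-2.25.1
-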
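diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_2.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_2.patch
deleted file mode 100644
index 02fd7a1443..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_2.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 4a96c6b7265838b044dab4a2a6150c246297bc89 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 31 May 2024 11:18:27 +0100
-Subject: [PATCH 2/9] More correctly handle a selected_len of 0 when processing
- NPN
-
-In the case where the NPN callback returns with SSL_TLEXT_ERR_OK, but
-the selected_len is 0 we should fail. Previously this would fail with an
-internal_error alert because calling OPENSSL_malloc(selected_len) will
-return NULL when selected_len is 0. We make this error detection more
-explicit and return a handshake failure alert.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24718)
-
-(cherry picked from commit 4279c89a726025c758db3dafb263b17e52211304)
-
-Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/159921152fd4aa91e4c849fd281ad93ac0d0d0ba]
-CVE: CVE-2024-5535
-Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
----
- ssl/statem/extensions_clnt.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
-index 842be07..a07dc62 100644
---- a/ssl/statem/extensions_clnt.c
-+++ b/ssl/statem/extensions_clnt.c
-@@ -1536,7 +1536,8 @@ int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
- PACKET_data(pkt),
- PACKET_remaining(pkt),
- s->ctx->ext.npn_select_cb_arg) !=
-- SSL_TLSEXT_ERR_OK) {
-+ SSL_TLSEXT_ERR_OK
-+ || selected_len == 0) {
- SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);
- return 0;
- }
---
-2.25.1
-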
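diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_3.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_3.patch
deleted file mode 100644
index 9635b7d8d0..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_3.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From 6887608f77236d14b0789f4b1c14df53dfe2d618 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 31 May 2024 11:46:38 +0100
-Subject: [PATCH 3/9] Clarify the SSL_select_next_proto() documentation
-
-We clarify the input preconditions and the expected behaviour in the event
-of no overlap.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24718)
-
-(cherry picked from commit 889ed19ba25abebd2690997acd6d4791cbe5c493)
-
-Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/7a9f521b1de96e79184948e5813e791e608cc94b]
-CVE: CVE-2024-5535
-Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
----
- doc/man3/SSL_CTX_set_alpn_select_cb.pod | 26 +++++++++++++++++--------
- 1 file changed, 18 insertions(+), 8 deletions(-)
-
-diff --git a/doc/man3/SSL_CTX_set_alpn_select_cb.pod b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
-index 102e657..a29557d 100644
---- a/doc/man3/SSL_CTX_set_alpn_select_cb.pod
-+++ b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
-@@ -52,7 +52,8 @@ SSL_select_next_proto, SSL_get0_alpn_selected, SSL_get0_next_proto_negotiated
- SSL_CTX_set_alpn_protos() and SSL_set_alpn_protos() are used by the client to
- set the list of protocols available to be negotiated. The B<protos> must be in
- protocol-list format, described below. The length of B<protos> is specified in
--B<protos_len>.
-+B<protos_len>. Setting B<protos_len> to 0 clears any existing list of ALPN
-+protocols and no ALPN extension will be sent to the server.
-
- SSL_CTX_set_alpn_select_cb() sets the application callback B<cb> used by a
- server to select which protocol to use for the incoming connection. When B<cb>
-@@ -73,9 +74,16 @@ B<server_len> and B<client>, B<client_len> must be in the protocol-list format
- described below. The first item in the B<server>, B<server_len> list that
- matches an item in the B<client>, B<client_len> list is selected, and returned
- in B<out>, B<outlen>. The B<out> value will point into either B<server> or
--B<client>, so it should be copied immediately. If no match is found, the first
--item in B<client>, B<client_len> is returned in B<out>, B<outlen>. This
--function can also be used in the NPN callback.
-+B<client>, so it should be copied immediately. The client list must include at
-+least one valid (nonempty) protocol entry in the list.
-+
-+The SSL_select_next_proto() helper function can be useful from either the ALPN
-+callback or the NPN callback (described below). If no match is found, the first
-+item in B<client>, B<client_len> is returned in B<out>, B<outlen> and
-+B<OPENSSL_NPN_NO_OVERLAP> is returned. This can be useful when implementating
-+the NPN callback. In the ALPN case, the value returned in B<out> and B<outlen>
-+must be ignored if B<OPENSSL_NPN_NO_OVERLAP> has been returned from
-+SSL_select_next_proto().
-
- SSL_CTX_set_next_proto_select_cb() sets a callback B<cb> that is called when a
- client needs to select a protocol from the server's provided list, and a
-@@ -85,9 +93,10 @@ must be set to point to the selected protocol (which may be within B<in>).
- The length of the protocol name must be written into B<outlen>. The
- server's advertised protocols are provided in B<in> and B<inlen>. The
- callback can assume that B<in> is syntactically valid. The client must
--select a protocol. It is fatal to the connection if this callback returns
--a value other than B<SSL_TLSEXT_ERR_OK>. The B<arg> parameter is the pointer
--set via SSL_CTX_set_next_proto_select_cb().
-+select a protocol (although it may be an empty, zero length protocol). It is
-+fatal to the connection if this callback returns a value other than
-+B<SSL_TLSEXT_ERR_OK> or if the zero length protocol is selected. The B<arg>
-+parameter is the pointer set via SSL_CTX_set_next_proto_select_cb().
-
- SSL_CTX_set_next_protos_advertised_cb() sets a callback B<cb> that is called
- when a TLS server needs a list of supported protocols for Next Protocol
-@@ -149,7 +158,8 @@ A match was found and is returned in B<out>, B<outlen>.
- =item OPENSSL_NPN_NO_OVERLAP
-
- No match was found. The first item in B<client>, B<client_len> is returned in
--B<out>, B<outlen>.
-+B<out>, B<outlen> (or B<NULL> and 0 in the case where the first entry in
-+B<client> is invalid).
-
- =back
-
---
-2.25.1
-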
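diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_4.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_4.patch
deleted file mode 100644
index e97020ad3e..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_4.patch
+++ /dev/null
@@ -1,178 +0,0 @@
-From 6f9e71968f1f5e089bf79b0925e703a16f7bfa19 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 31 May 2024 16:35:16 +0100
-Subject: [PATCH 4/9] Add a test for SSL_select_next_proto
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24718)
-
-(cherry picked from commit ad1318efa2cfdf43ed49d23c4a815f4754604b97)
-
-Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/707c71aa03ba968e09325d72cf1e8dcac70df2df]
-CVE: CVE-2024-5535
-Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
----
- test/sslapitest.c | 137 ++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 137 insertions(+)
-
-diff --git a/test/sslapitest.c b/test/sslapitest.c
-index 2b1c2fd..3922262 100644
---- a/test/sslapitest.c
-+++ b/test/sslapitest.c
-@@ -10765,6 +10765,142 @@ static int test_multi_resume(int idx)
- return testresult;
- }
-
-+static struct next_proto_st {
-+ int serverlen;
-+ unsigned char server[40];
-+ int clientlen;
-+ unsigned char client[40];
-+ int expected_ret;
-+ size_t selectedlen;
-+ unsigned char selected[40];
-+} next_proto_tests[] = {
-+ {
-+ 4, { 3, 'a', 'b', 'c' },
-+ 4, { 3, 'a', 'b', 'c' },
-+ OPENSSL_NPN_NEGOTIATED,
-+ 3, { 'a', 'b', 'c' }
-+ },
-+ {
-+ 7, { 3, 'a', 'b', 'c', 2, 'a', 'b' },
-+ 4, { 3, 'a', 'b', 'c' },
-+ OPENSSL_NPN_NEGOTIATED,
-+ 3, { 'a', 'b', 'c' }
-+ },
-+ {
-+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c', },
-+ 4, { 3, 'a', 'b', 'c' },
-+ OPENSSL_NPN_NEGOTIATED,
-+ 3, { 'a', 'b', 'c' }
-+ },
-+ {
-+ 4, { 3, 'a', 'b', 'c' },
-+ 7, { 3, 'a', 'b', 'c', 2, 'a', 'b', },
-+ OPENSSL_NPN_NEGOTIATED,
-+ 3, { 'a', 'b', 'c' }
-+ },
-+ {
-+ 4, { 3, 'a', 'b', 'c' },
-+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
-+ OPENSSL_NPN_NEGOTIATED,
-+ 3, { 'a', 'b', 'c' }
-+ },
-+ {
-+ 7, { 2, 'b', 'c', 3, 'a', 'b', 'c' },
-+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
-+ OPENSSL_NPN_NEGOTIATED,
-+ 3, { 'a', 'b', 'c' }
-+ },
-+ {
-+ 10, { 2, 'b', 'c', 3, 'a', 'b', 'c', 2, 'a', 'b' },
-+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
-+ OPENSSL_NPN_NEGOTIATED,
-+ 3, { 'a', 'b', 'c' }
-+ },
-+ {
-+ 4, { 3, 'b', 'c', 'd' },
-+ 4, { 3, 'a', 'b', 'c' },
-+ OPENSSL_NPN_NO_OVERLAP,
-+ 3, { 'a', 'b', 'c' }
-+ },
-+ {
-+ 0, { 0 },
-+ 4, { 3, 'a', 'b', 'c' },
-+ OPENSSL_NPN_NO_OVERLAP,
-+ 3, { 'a', 'b', 'c' }
-+ },
-+ {
-+ -1, { 0 },
-+ 4, { 3, 'a', 'b', 'c' },
-+ OPENSSL_NPN_NO_OVERLAP,
-+ 3, { 'a', 'b', 'c' }
-+ },
-+ {
-+ 4, { 3, 'a', 'b', 'c' },
-+ 0, { 0 },
-+ OPENSSL_NPN_NO_OVERLAP,
-+ 0, { 0 }
-+ },
-+ {
-+ 4, { 3, 'a', 'b', 'c' },
-+ -1, { 0 },
-+ OPENSSL_NPN_NO_OVERLAP,
-+ 0, { 0 }
-+ },
-+ {
-+ 3, { 3, 'a', 'b', 'c' },
-+ 4, { 3, 'a', 'b', 'c' },
-+ OPENSSL_NPN_NO_OVERLAP,
-+ 3, { 'a', 'b', 'c' }
-+ },
-+ {
-+ 4, { 3, 'a', 'b', 'c' },
-+ 3, { 3, 'a', 'b', 'c' },
-+ OPENSSL_NPN_NO_OVERLAP,
-+ 0, { 0 }
-+ }
-+};
-+
-+static int test_select_next_proto(int idx)
-+{
-+ struct next_proto_st *np = &next_proto_tests[idx];
-+ int ret = 0;
-+ unsigned char *out, *client, *server;
-+ unsigned char outlen;
-+ unsigned int clientlen, serverlen;
-+
-+ if (np->clientlen == -1) {
-+ client = NULL;
-+ clientlen = 0;
-+ } else {
-+ client = np->client;
-+ clientlen = (unsigned int)np->clientlen;
-+ }
-+ if (np->serverlen == -1) {
-+ server = NULL;
-+ serverlen = 0;
-+ } else {
-+ server = np->server;
-+ serverlen = (unsigned int)np->serverlen;
-+ }
-+
-+ if (!TEST_int_eq(SSL_select_next_proto(&out, &outlen, server, serverlen,
-+ client, clientlen),
-+ np->expected_ret))
-+ goto err;
-+
-+ if (np->selectedlen == 0) {
-+ if (!TEST_ptr_null(out) || !TEST_uchar_eq(outlen, 0))
-+ goto err;
-+ } else {
-+ if (!TEST_mem_eq(out, outlen, np->selected, np->selectedlen))
-+ goto err;
-+ }
-+
-+ ret = 1;
-+ err:
-+ return ret;
-+}
-+
- OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
-
- int setup_tests(void)
-@@ -11041,6 +11177,7 @@ int setup_tests(void)
- #endif
- ADD_ALL_TESTS(test_handshake_retry, 16);
- ADD_ALL_TESTS(test_multi_resume, 5);
-+ ADD_ALL_TESTS(test_select_next_proto, OSSL_NELEM(next_proto_tests));
- return 1;
-
- err:
---
-2.25.1
-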
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_5.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_5.patch
deleted file mode 100644
index 93a9aba8b2..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_5.patch
+++ /dev/null
@@ -1,1175 +0,0 @@
1From f2f3681f96c778b2a7e0d110bac5bd6053717ef6 Mon Sep 17 00:00:00 2001
2From: Matt Caswell <matt@openssl.org>
3Date: Tue, 4 Jun 2024 15:47:32 +0100
4Subject: [PATCH 5/9] Allow an empty NPN/ALPN protocol list in the tests
5
6Allow ourselves to configure an empty NPN/ALPN protocol list and test what
7happens if we do.
8
9Follow on from CVE-2024-5535
10
11Reviewed-by: Neil Horman <nhorman@openssl.org>
12Reviewed-by: Tomas Mraz <tomas@openssl.org>
13(Merged from https://github.com/openssl/openssl/pull/24718)
14
15(cherry picked from commit c54e56fc8ab19e9d07c284d6c7c6bf293f7520d2)
16
17Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/72394c9a1a6a6b07edf43eb2ad7e95e1093ada1b]
18CVE: CVE-2024-5535
19Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
20---
21 test/helpers/handshake.c | 6 +
22 test/ssl-tests/08-npn.cnf | 553 +++++++++++++++++++---------------
23 test/ssl-tests/08-npn.cnf.in | 35 +++
24 test/ssl-tests/09-alpn.cnf | 66 +++-
25 test/ssl-tests/09-alpn.cnf.in | 33 ++
26 5 files changed, 449 insertions(+), 244 deletions(-)
27
28diff --git a/test/helpers/handshake.c b/test/helpers/handshake.c
29index 285391b..dd5a6d9 100644
30--- a/test/helpers/handshake.c
31+++ b/test/helpers/handshake.c
32@@ -348,6 +348,12 @@ static int parse_protos(const char *protos, unsigned char **out, size_t *outlen)
33
34 len = strlen(protos);
35
36+ if (len == 0) {
37+ *out = NULL;
38+ *outlen = 0;
39+ return 1;
40+ }
41+
42 /* Should never have reuse. */
43 if (!TEST_ptr_null(*out)
44 /* Test values are small, so we omit length limit checks. */
45diff --git a/test/ssl-tests/08-npn.cnf b/test/ssl-tests/08-npn.cnf
46index f38b3f6..1931d02 100644
47--- a/test/ssl-tests/08-npn.cnf
48+++ b/test/ssl-tests/08-npn.cnf
49@@ -1,6 +1,6 @@
50 # Generated with generate_ssl_tests.pl
51
52-num_tests = 20
53+num_tests = 22
54
55 test-0 = 0-npn-simple
56 test-1 = 1-npn-client-finds-match
57@@ -8,20 +8,22 @@ test-2 = 2-npn-client-honours-server-pref
58 test-3 = 3-npn-client-first-pref-on-mismatch
59 test-4 = 4-npn-no-server-support
60 test-5 = 5-npn-no-client-support
61-test-6 = 6-npn-with-sni-no-context-switch
62-test-7 = 7-npn-with-sni-context-switch
63-test-8 = 8-npn-selected-sni-server-supports-npn
64-test-9 = 9-npn-selected-sni-server-does-not-support-npn
65-test-10 = 10-alpn-preferred-over-npn
66-test-11 = 11-sni-npn-preferred-over-alpn
67-test-12 = 12-npn-simple-resumption
68-test-13 = 13-npn-server-switch-resumption
69-test-14 = 14-npn-client-switch-resumption
70-test-15 = 15-npn-client-first-pref-on-mismatch-resumption
71-test-16 = 16-npn-no-server-support-resumption
72-test-17 = 17-npn-no-client-support-resumption
73-test-18 = 18-alpn-preferred-over-npn-resumption
74-test-19 = 19-npn-used-if-alpn-not-supported-resumption
75+test-6 = 6-npn-empty-client-list
76+test-7 = 7-npn-empty-server-list
77+test-8 = 8-npn-with-sni-no-context-switch
78+test-9 = 9-npn-with-sni-context-switch
79+test-10 = 10-npn-selected-sni-server-supports-npn
80+test-11 = 11-npn-selected-sni-server-does-not-support-npn
81+test-12 = 12-alpn-preferred-over-npn
82+test-13 = 13-sni-npn-preferred-over-alpn
83+test-14 = 14-npn-simple-resumption
84+test-15 = 15-npn-server-switch-resumption
85+test-16 = 16-npn-client-switch-resumption
86+test-17 = 17-npn-client-first-pref-on-mismatch-resumption
87+test-18 = 18-npn-no-server-support-resumption
88+test-19 = 19-npn-no-client-support-resumption
89+test-20 = 20-alpn-preferred-over-npn-resumption
90+test-21 = 21-npn-used-if-alpn-not-supported-resumption
91 # ===========================================================
92
93 [0-npn-simple]
94@@ -206,253 +208,318 @@ NPNProtocols = foo
95
96 # ===========================================================
97
98-[6-npn-with-sni-no-context-switch]
99-ssl_conf = 6-npn-with-sni-no-context-switch-ssl
100+[6-npn-empty-client-list]
101+ssl_conf = 6-npn-empty-client-list-ssl
102
103-[6-npn-with-sni-no-context-switch-ssl]
104-server = 6-npn-with-sni-no-context-switch-server
105-client = 6-npn-with-sni-no-context-switch-client
106-server2 = 6-npn-with-sni-no-context-switch-server2
107+[6-npn-empty-client-list-ssl]
108+server = 6-npn-empty-client-list-server
109+client = 6-npn-empty-client-list-client
110
111-[6-npn-with-sni-no-context-switch-server]
112+[6-npn-empty-client-list-server]
113 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
114 CipherString = DEFAULT
115 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
116
117-[6-npn-with-sni-no-context-switch-server2]
118+[6-npn-empty-client-list-client]
119+CipherString = DEFAULT
120+MaxProtocol = TLSv1.2
121+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
122+VerifyMode = Peer
123+
124+[test-6]
125+ExpectedClientAlert = HandshakeFailure
126+ExpectedResult = ClientFail
127+server = 6-npn-empty-client-list-server-extra
128+client = 6-npn-empty-client-list-client-extra
129+
130+[6-npn-empty-client-list-server-extra]
131+NPNProtocols = foo
132+
133+[6-npn-empty-client-list-client-extra]
134+NPNProtocols =
135+
136+
137+# ===========================================================
138+
139+[7-npn-empty-server-list]
140+ssl_conf = 7-npn-empty-server-list-ssl
141+
142+[7-npn-empty-server-list-ssl]
143+server = 7-npn-empty-server-list-server
144+client = 7-npn-empty-server-list-client
145+
146+[7-npn-empty-server-list-server]
147 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
148 CipherString = DEFAULT
149 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
150
151-[6-npn-with-sni-no-context-switch-client]
152+[7-npn-empty-server-list-client]
153 CipherString = DEFAULT
154 MaxProtocol = TLSv1.2
155 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
156 VerifyMode = Peer
157
158-[test-6]
159+[test-7]
160+ExpectedNPNProtocol = foo
161+server = 7-npn-empty-server-list-server-extra
162+client = 7-npn-empty-server-list-client-extra
163+
164+[7-npn-empty-server-list-server-extra]
165+NPNProtocols =
166+
167+[7-npn-empty-server-list-client-extra]
168+NPNProtocols = foo
169+
170+
171+# ===========================================================
172+
173+[8-npn-with-sni-no-context-switch]
174+ssl_conf = 8-npn-with-sni-no-context-switch-ssl
175+
176+[8-npn-with-sni-no-context-switch-ssl]
177+server = 8-npn-with-sni-no-context-switch-server
178+client = 8-npn-with-sni-no-context-switch-client
179+server2 = 8-npn-with-sni-no-context-switch-server2
180+
181+[8-npn-with-sni-no-context-switch-server]
182+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
183+CipherString = DEFAULT
184+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
185+
186+[8-npn-with-sni-no-context-switch-server2]
187+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
188+CipherString = DEFAULT
189+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
190+
191+[8-npn-with-sni-no-context-switch-client]
192+CipherString = DEFAULT
193+MaxProtocol = TLSv1.2
194+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
195+VerifyMode = Peer
196+
197+[test-8]
198 ExpectedNPNProtocol = foo
199 ExpectedServerName = server1
200-server = 6-npn-with-sni-no-context-switch-server-extra
201-server2 = 6-npn-with-sni-no-context-switch-server2-extra
202-client = 6-npn-with-sni-no-context-switch-client-extra
203+server = 8-npn-with-sni-no-context-switch-server-extra
204+server2 = 8-npn-with-sni-no-context-switch-server2-extra
205+client = 8-npn-with-sni-no-context-switch-client-extra
206
207-[6-npn-with-sni-no-context-switch-server-extra]
208+[8-npn-with-sni-no-context-switch-server-extra]
209 NPNProtocols = foo
210 ServerNameCallback = IgnoreMismatch
211
212-[6-npn-with-sni-no-context-switch-server2-extra]
213+[8-npn-with-sni-no-context-switch-server2-extra]
214 NPNProtocols = bar
215
216-[6-npn-with-sni-no-context-switch-client-extra]
217+[8-npn-with-sni-no-context-switch-client-extra]
218 NPNProtocols = foo,bar
219 ServerName = server1
220
221
222 # ===========================================================
223
224-[7-npn-with-sni-context-switch]
225-ssl_conf = 7-npn-with-sni-context-switch-ssl
226+[9-npn-with-sni-context-switch]
227+ssl_conf = 9-npn-with-sni-context-switch-ssl
228
229-[7-npn-with-sni-context-switch-ssl]
230-server = 7-npn-with-sni-context-switch-server
231-client = 7-npn-with-sni-context-switch-client
232-server2 = 7-npn-with-sni-context-switch-server2
233+[9-npn-with-sni-context-switch-ssl]
234+server = 9-npn-with-sni-context-switch-server
235+client = 9-npn-with-sni-context-switch-client
236+server2 = 9-npn-with-sni-context-switch-server2
237
238-[7-npn-with-sni-context-switch-server]
239+[9-npn-with-sni-context-switch-server]
240 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
241 CipherString = DEFAULT
242 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
243
244-[7-npn-with-sni-context-switch-server2]
245+[9-npn-with-sni-context-switch-server2]
246 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
247 CipherString = DEFAULT
248 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
249
250-[7-npn-with-sni-context-switch-client]
251+[9-npn-with-sni-context-switch-client]
252 CipherString = DEFAULT
253 MaxProtocol = TLSv1.2
254 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
255 VerifyMode = Peer
256
257-[test-7]
258+[test-9]
259 ExpectedNPNProtocol = bar
260 ExpectedServerName = server2
261-server = 7-npn-with-sni-context-switch-server-extra
262-server2 = 7-npn-with-sni-context-switch-server2-extra
263-client = 7-npn-with-sni-context-switch-client-extra
264+server = 9-npn-with-sni-context-switch-server-extra
265+server2 = 9-npn-with-sni-context-switch-server2-extra
266+client = 9-npn-with-sni-context-switch-client-extra
267
268-[7-npn-with-sni-context-switch-server-extra]
269+[9-npn-with-sni-context-switch-server-extra]
270 NPNProtocols = foo
271 ServerNameCallback = IgnoreMismatch
272
273-[7-npn-with-sni-context-switch-server2-extra]
274+[9-npn-with-sni-context-switch-server2-extra]
275 NPNProtocols = bar
276
277-[7-npn-with-sni-context-switch-client-extra]
278+[9-npn-with-sni-context-switch-client-extra]
279 NPNProtocols = foo,bar
280 ServerName = server2
281
282
283 # ===========================================================
284
285-[8-npn-selected-sni-server-supports-npn]
286-ssl_conf = 8-npn-selected-sni-server-supports-npn-ssl
287+[10-npn-selected-sni-server-supports-npn]
288+ssl_conf = 10-npn-selected-sni-server-supports-npn-ssl
289
290-[8-npn-selected-sni-server-supports-npn-ssl]
291-server = 8-npn-selected-sni-server-supports-npn-server
292-client = 8-npn-selected-sni-server-supports-npn-client
293-server2 = 8-npn-selected-sni-server-supports-npn-server2
294+[10-npn-selected-sni-server-supports-npn-ssl]
295+server = 10-npn-selected-sni-server-supports-npn-server
296+client = 10-npn-selected-sni-server-supports-npn-client
297+server2 = 10-npn-selected-sni-server-supports-npn-server2
298
299-[8-npn-selected-sni-server-supports-npn-server]
300+[10-npn-selected-sni-server-supports-npn-server]
301 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
302 CipherString = DEFAULT
303 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
304
305-[8-npn-selected-sni-server-supports-npn-server2]
306+[10-npn-selected-sni-server-supports-npn-server2]
307 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
308 CipherString = DEFAULT
309 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
310
311-[8-npn-selected-sni-server-supports-npn-client]
312+[10-npn-selected-sni-server-supports-npn-client]
313 CipherString = DEFAULT
314 MaxProtocol = TLSv1.2
315 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
316 VerifyMode = Peer
317
318-[test-8]
319+[test-10]
320 ExpectedNPNProtocol = bar
321 ExpectedServerName = server2
322-server = 8-npn-selected-sni-server-supports-npn-server-extra
323-server2 = 8-npn-selected-sni-server-supports-npn-server2-extra
324-client = 8-npn-selected-sni-server-supports-npn-client-extra
325+server = 10-npn-selected-sni-server-supports-npn-server-extra
326+server2 = 10-npn-selected-sni-server-supports-npn-server2-extra
327+client = 10-npn-selected-sni-server-supports-npn-client-extra
328
329-[8-npn-selected-sni-server-supports-npn-server-extra]
330+[10-npn-selected-sni-server-supports-npn-server-extra]
331 ServerNameCallback = IgnoreMismatch
332
333-[8-npn-selected-sni-server-supports-npn-server2-extra]
334+[10-npn-selected-sni-server-supports-npn-server2-extra]
335 NPNProtocols = bar
336
337-[8-npn-selected-sni-server-supports-npn-client-extra]
338+[10-npn-selected-sni-server-supports-npn-client-extra]
339 NPNProtocols = foo,bar
340 ServerName = server2
341
342
343 # ===========================================================
344
345-[9-npn-selected-sni-server-does-not-support-npn]
346-ssl_conf = 9-npn-selected-sni-server-does-not-support-npn-ssl
347+[11-npn-selected-sni-server-does-not-support-npn]
348+ssl_conf = 11-npn-selected-sni-server-does-not-support-npn-ssl
349
350-[9-npn-selected-sni-server-does-not-support-npn-ssl]
351-server = 9-npn-selected-sni-server-does-not-support-npn-server
352-client = 9-npn-selected-sni-server-does-not-support-npn-client
353-server2 = 9-npn-selected-sni-server-does-not-support-npn-server2
354+[11-npn-selected-sni-server-does-not-support-npn-ssl]
355+server = 11-npn-selected-sni-server-does-not-support-npn-server
356+client = 11-npn-selected-sni-server-does-not-support-npn-client
357+server2 = 11-npn-selected-sni-server-does-not-support-npn-server2
358
359-[9-npn-selected-sni-server-does-not-support-npn-server]
360+[11-npn-selected-sni-server-does-not-support-npn-server]
361 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
362 CipherString = DEFAULT
363 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
364
365-[9-npn-selected-sni-server-does-not-support-npn-server2]
366+[11-npn-selected-sni-server-does-not-support-npn-server2]
367 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
368 CipherString = DEFAULT
369 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
370
371-[9-npn-selected-sni-server-does-not-support-npn-client]
372+[11-npn-selected-sni-server-does-not-support-npn-client]
373 CipherString = DEFAULT
374 MaxProtocol = TLSv1.2
375 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
376 VerifyMode = Peer
377
378-[test-9]
379+[test-11]
380 ExpectedServerName = server2
381-server = 9-npn-selected-sni-server-does-not-support-npn-server-extra
382-client = 9-npn-selected-sni-server-does-not-support-npn-client-extra
383+server = 11-npn-selected-sni-server-does-not-support-npn-server-extra
384+client = 11-npn-selected-sni-server-does-not-support-npn-client-extra
385
386-[9-npn-selected-sni-server-does-not-support-npn-server-extra]
387+[11-npn-selected-sni-server-does-not-support-npn-server-extra]
388 NPNProtocols = bar
389 ServerNameCallback = IgnoreMismatch
390
391-[9-npn-selected-sni-server-does-not-support-npn-client-extra]
392+[11-npn-selected-sni-server-does-not-support-npn-client-extra]
393 NPNProtocols = foo,bar
394 ServerName = server2
395
396
397 # ===========================================================
398
399-[10-alpn-preferred-over-npn]
400-ssl_conf = 10-alpn-preferred-over-npn-ssl
401+[12-alpn-preferred-over-npn]
402+ssl_conf = 12-alpn-preferred-over-npn-ssl
403
404-[10-alpn-preferred-over-npn-ssl]
405-server = 10-alpn-preferred-over-npn-server
406-client = 10-alpn-preferred-over-npn-client
407+[12-alpn-preferred-over-npn-ssl]
408+server = 12-alpn-preferred-over-npn-server
409+client = 12-alpn-preferred-over-npn-client
410
411-[10-alpn-preferred-over-npn-server]
412+[12-alpn-preferred-over-npn-server]
413 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
414 CipherString = DEFAULT
415 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
416
417-[10-alpn-preferred-over-npn-client]
418+[12-alpn-preferred-over-npn-client]
419 CipherString = DEFAULT
420 MaxProtocol = TLSv1.2
421 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
422 VerifyMode = Peer
423
424-[test-10]
425+[test-12]
426 ExpectedALPNProtocol = foo
427-server = 10-alpn-preferred-over-npn-server-extra
428-client = 10-alpn-preferred-over-npn-client-extra
429+server = 12-alpn-preferred-over-npn-server-extra
430+client = 12-alpn-preferred-over-npn-client-extra
431
432-[10-alpn-preferred-over-npn-server-extra]
433+[12-alpn-preferred-over-npn-server-extra]
434 ALPNProtocols = foo
435 NPNProtocols = bar
436
437-[10-alpn-preferred-over-npn-client-extra]
438+[12-alpn-preferred-over-npn-client-extra]
439 ALPNProtocols = foo
440 NPNProtocols = bar
441
442
443 # ===========================================================
444
445-[11-sni-npn-preferred-over-alpn]
446-ssl_conf = 11-sni-npn-preferred-over-alpn-ssl
447+[13-sni-npn-preferred-over-alpn]
448+ssl_conf = 13-sni-npn-preferred-over-alpn-ssl
449
450-[11-sni-npn-preferred-over-alpn-ssl]
451-server = 11-sni-npn-preferred-over-alpn-server
452-client = 11-sni-npn-preferred-over-alpn-client
453-server2 = 11-sni-npn-preferred-over-alpn-server2
454+[13-sni-npn-preferred-over-alpn-ssl]
455+server = 13-sni-npn-preferred-over-alpn-server
456+client = 13-sni-npn-preferred-over-alpn-client
457+server2 = 13-sni-npn-preferred-over-alpn-server2
458
459-[11-sni-npn-preferred-over-alpn-server]
460+[13-sni-npn-preferred-over-alpn-server]
461 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
462 CipherString = DEFAULT
463 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
464
465-[11-sni-npn-preferred-over-alpn-server2]
466+[13-sni-npn-preferred-over-alpn-server2]
467 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
468 CipherString = DEFAULT
469 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
470
471-[11-sni-npn-preferred-over-alpn-client]
472+[13-sni-npn-preferred-over-alpn-client]
473 CipherString = DEFAULT
474 MaxProtocol = TLSv1.2
475 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
476 VerifyMode = Peer
477
478-[test-11]
479+[test-13]
480 ExpectedNPNProtocol = bar
481 ExpectedServerName = server2
482-server = 11-sni-npn-preferred-over-alpn-server-extra
483-server2 = 11-sni-npn-preferred-over-alpn-server2-extra
484-client = 11-sni-npn-preferred-over-alpn-client-extra
485+server = 13-sni-npn-preferred-over-alpn-server-extra
486+server2 = 13-sni-npn-preferred-over-alpn-server2-extra
487+client = 13-sni-npn-preferred-over-alpn-client-extra
488
489-[11-sni-npn-preferred-over-alpn-server-extra]
490+[13-sni-npn-preferred-over-alpn-server-extra]
491 ALPNProtocols = foo
492 ServerNameCallback = IgnoreMismatch
493
494-[11-sni-npn-preferred-over-alpn-server2-extra]
495+[13-sni-npn-preferred-over-alpn-server2-extra]
496 NPNProtocols = bar
497
498-[11-sni-npn-preferred-over-alpn-client-extra]
499+[13-sni-npn-preferred-over-alpn-client-extra]
500 ALPNProtocols = foo
501 NPNProtocols = bar
502 ServerName = server2
503@@ -460,356 +527,356 @@ ServerName = server2
504
505 # ===========================================================
506
507-[12-npn-simple-resumption]
508-ssl_conf = 12-npn-simple-resumption-ssl
509+[14-npn-simple-resumption]
510+ssl_conf = 14-npn-simple-resumption-ssl
511
512-[12-npn-simple-resumption-ssl]
513-server = 12-npn-simple-resumption-server
514-client = 12-npn-simple-resumption-client
515-resume-server = 12-npn-simple-resumption-server
516-resume-client = 12-npn-simple-resumption-client
517+[14-npn-simple-resumption-ssl]
518+server = 14-npn-simple-resumption-server
519+client = 14-npn-simple-resumption-client
520+resume-server = 14-npn-simple-resumption-server
521+resume-client = 14-npn-simple-resumption-client
522
523-[12-npn-simple-resumption-server]
524+[14-npn-simple-resumption-server]
525 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
526 CipherString = DEFAULT
527 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
528
529-[12-npn-simple-resumption-client]
530+[14-npn-simple-resumption-client]
531 CipherString = DEFAULT
532 MaxProtocol = TLSv1.2
533 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
534 VerifyMode = Peer
535
536-[test-12]
537+[test-14]
538 ExpectedNPNProtocol = foo
539 HandshakeMode = Resume
540 ResumptionExpected = Yes
541-server = 12-npn-simple-resumption-server-extra
542-resume-server = 12-npn-simple-resumption-server-extra
543-client = 12-npn-simple-resumption-client-extra
544-resume-client = 12-npn-simple-resumption-client-extra
545+server = 14-npn-simple-resumption-server-extra
546+resume-server = 14-npn-simple-resumption-server-extra
547+client = 14-npn-simple-resumption-client-extra
548+resume-client = 14-npn-simple-resumption-client-extra
549
550-[12-npn-simple-resumption-server-extra]
551+[14-npn-simple-resumption-server-extra]
552 NPNProtocols = foo
553
554-[12-npn-simple-resumption-client-extra]
555+[14-npn-simple-resumption-client-extra]
556 NPNProtocols = foo
557
558
559 # ===========================================================
560
561-[13-npn-server-switch-resumption]
562-ssl_conf = 13-npn-server-switch-resumption-ssl
563+[15-npn-server-switch-resumption]
564+ssl_conf = 15-npn-server-switch-resumption-ssl
565
566-[13-npn-server-switch-resumption-ssl]
567-server = 13-npn-server-switch-resumption-server
568-client = 13-npn-server-switch-resumption-client
569-resume-server = 13-npn-server-switch-resumption-resume-server
570-resume-client = 13-npn-server-switch-resumption-client
571+[15-npn-server-switch-resumption-ssl]
572+server = 15-npn-server-switch-resumption-server
573+client = 15-npn-server-switch-resumption-client
574+resume-server = 15-npn-server-switch-resumption-resume-server
575+resume-client = 15-npn-server-switch-resumption-client
576
577-[13-npn-server-switch-resumption-server]
578+[15-npn-server-switch-resumption-server]
579 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
580 CipherString = DEFAULT
581 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
582
583-[13-npn-server-switch-resumption-resume-server]
584+[15-npn-server-switch-resumption-resume-server]
585 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
586 CipherString = DEFAULT
587 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
588
589-[13-npn-server-switch-resumption-client]
590+[15-npn-server-switch-resumption-client]
591 CipherString = DEFAULT
592 MaxProtocol = TLSv1.2
593 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
594 VerifyMode = Peer
595
596-[test-13]
597+[test-15]
598 ExpectedNPNProtocol = baz
599 HandshakeMode = Resume
600 ResumptionExpected = Yes
601-server = 13-npn-server-switch-resumption-server-extra
602-resume-server = 13-npn-server-switch-resumption-resume-server-extra
603-client = 13-npn-server-switch-resumption-client-extra
604-resume-client = 13-npn-server-switch-resumption-client-extra
605+server = 15-npn-server-switch-resumption-server-extra
606+resume-server = 15-npn-server-switch-resumption-resume-server-extra
607+client = 15-npn-server-switch-resumption-client-extra
608+resume-client = 15-npn-server-switch-resumption-client-extra
609
610-[13-npn-server-switch-resumption-server-extra]
611+[15-npn-server-switch-resumption-server-extra]
612 NPNProtocols = bar,foo
613
614-[13-npn-server-switch-resumption-resume-server-extra]
615+[15-npn-server-switch-resumption-resume-server-extra]
616 NPNProtocols = baz,foo
617
618-[13-npn-server-switch-resumption-client-extra]
619+[15-npn-server-switch-resumption-client-extra]
620 NPNProtocols = foo,bar,baz
621
622
623 # ===========================================================
624
625-[14-npn-client-switch-resumption]
626-ssl_conf = 14-npn-client-switch-resumption-ssl
627+[16-npn-client-switch-resumption]
628+ssl_conf = 16-npn-client-switch-resumption-ssl
629
630-[14-npn-client-switch-resumption-ssl]
631-server = 14-npn-client-switch-resumption-server
632-client = 14-npn-client-switch-resumption-client
633-resume-server = 14-npn-client-switch-resumption-server
634-resume-client = 14-npn-client-switch-resumption-resume-client
635+[16-npn-client-switch-resumption-ssl]
636+server = 16-npn-client-switch-resumption-server
637+client = 16-npn-client-switch-resumption-client
638+resume-server = 16-npn-client-switch-resumption-server
639+resume-client = 16-npn-client-switch-resumption-resume-client
640
641-[14-npn-client-switch-resumption-server]
642+[16-npn-client-switch-resumption-server]
643 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
644 CipherString = DEFAULT
645 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
646
647-[14-npn-client-switch-resumption-client]
648+[16-npn-client-switch-resumption-client]
649 CipherString = DEFAULT
650 MaxProtocol = TLSv1.2
651 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
652 VerifyMode = Peer
653
654-[14-npn-client-switch-resumption-resume-client]
655+[16-npn-client-switch-resumption-resume-client]
656 CipherString = DEFAULT
657 MaxProtocol = TLSv1.2
658 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
659 VerifyMode = Peer
660
661-[test-14]
662+[test-16]
663 ExpectedNPNProtocol = bar
664 HandshakeMode = Resume
665 ResumptionExpected = Yes
666-server = 14-npn-client-switch-resumption-server-extra
667-resume-server = 14-npn-client-switch-resumption-server-extra
668-client = 14-npn-client-switch-resumption-client-extra
669-resume-client = 14-npn-client-switch-resumption-resume-client-extra
670+server = 16-npn-client-switch-resumption-server-extra
671+resume-server = 16-npn-client-switch-resumption-server-extra
672+client = 16-npn-client-switch-resumption-client-extra
673+resume-client = 16-npn-client-switch-resumption-resume-client-extra
674
675-[14-npn-client-switch-resumption-server-extra]
676+[16-npn-client-switch-resumption-server-extra]
677 NPNProtocols = foo,bar,baz
678
679-[14-npn-client-switch-resumption-client-extra]
680+[16-npn-client-switch-resumption-client-extra]
681 NPNProtocols = foo,baz
682
683-[14-npn-client-switch-resumption-resume-client-extra]
684+[16-npn-client-switch-resumption-resume-client-extra]
685 NPNProtocols = bar,baz
686
687
688 # ===========================================================
689
690-[15-npn-client-first-pref-on-mismatch-resumption]
691-ssl_conf = 15-npn-client-first-pref-on-mismatch-resumption-ssl
692+[17-npn-client-first-pref-on-mismatch-resumption]
693+ssl_conf = 17-npn-client-first-pref-on-mismatch-resumption-ssl
694
695-[15-npn-client-first-pref-on-mismatch-resumption-ssl]
696-server = 15-npn-client-first-pref-on-mismatch-resumption-server
697-client = 15-npn-client-first-pref-on-mismatch-resumption-client
698-resume-server = 15-npn-client-first-pref-on-mismatch-resumption-resume-server
699-resume-client = 15-npn-client-first-pref-on-mismatch-resumption-client
700+[17-npn-client-first-pref-on-mismatch-resumption-ssl]
701+server = 17-npn-client-first-pref-on-mismatch-resumption-server
702+client = 17-npn-client-first-pref-on-mismatch-resumption-client
703+resume-server = 17-npn-client-first-pref-on-mismatch-resumption-resume-server
704+resume-client = 17-npn-client-first-pref-on-mismatch-resumption-client
705
706-[15-npn-client-first-pref-on-mismatch-resumption-server]
707+[17-npn-client-first-pref-on-mismatch-resumption-server]
708 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
709 CipherString = DEFAULT
710 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
711
712-[15-npn-client-first-pref-on-mismatch-resumption-resume-server]
713+[17-npn-client-first-pref-on-mismatch-resumption-resume-server]
714 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
715 CipherString = DEFAULT
716 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
717
718-[15-npn-client-first-pref-on-mismatch-resumption-client]
719+[17-npn-client-first-pref-on-mismatch-resumption-client]
720 CipherString = DEFAULT
721 MaxProtocol = TLSv1.2
722 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
723 VerifyMode = Peer
724
725-[test-15]
726+[test-17]
727 ExpectedNPNProtocol = foo
728 HandshakeMode = Resume
729 ResumptionExpected = Yes
730-server = 15-npn-client-first-pref-on-mismatch-resumption-server-extra
731-resume-server = 15-npn-client-first-pref-on-mismatch-resumption-resume-server-extra
732-client = 15-npn-client-first-pref-on-mismatch-resumption-client-extra
733-resume-client = 15-npn-client-first-pref-on-mismatch-resumption-client-extra
734+server = 17-npn-client-first-pref-on-mismatch-resumption-server-extra
735+resume-server = 17-npn-client-first-pref-on-mismatch-resumption-resume-server-extra
736+client = 17-npn-client-first-pref-on-mismatch-resumption-client-extra
737+resume-client = 17-npn-client-first-pref-on-mismatch-resumption-client-extra
738
739-[15-npn-client-first-pref-on-mismatch-resumption-server-extra]
740+[17-npn-client-first-pref-on-mismatch-resumption-server-extra]
741 NPNProtocols = bar
742
743-[15-npn-client-first-pref-on-mismatch-resumption-resume-server-extra]
744+[17-npn-client-first-pref-on-mismatch-resumption-resume-server-extra]
745 NPNProtocols = baz
746
747-[15-npn-client-first-pref-on-mismatch-resumption-client-extra]
748+[17-npn-client-first-pref-on-mismatch-resumption-client-extra]
749 NPNProtocols = foo,bar
750
751
752 # ===========================================================
753
754-[16-npn-no-server-support-resumption]
755-ssl_conf = 16-npn-no-server-support-resumption-ssl
756+[18-npn-no-server-support-resumption]
757+ssl_conf = 18-npn-no-server-support-resumption-ssl
758
759-[16-npn-no-server-support-resumption-ssl]
760-server = 16-npn-no-server-support-resumption-server
761-client = 16-npn-no-server-support-resumption-client
762-resume-server = 16-npn-no-server-support-resumption-resume-server
763-resume-client = 16-npn-no-server-support-resumption-client
764+[18-npn-no-server-support-resumption-ssl]
765+server = 18-npn-no-server-support-resumption-server
766+client = 18-npn-no-server-support-resumption-client
767+resume-server = 18-npn-no-server-support-resumption-resume-server
768+resume-client = 18-npn-no-server-support-resumption-client
769
770-[16-npn-no-server-support-resumption-server]
771+[18-npn-no-server-support-resumption-server]
772 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
773 CipherString = DEFAULT
774 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
775
776-[16-npn-no-server-support-resumption-resume-server]
777+[18-npn-no-server-support-resumption-resume-server]
778 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
779 CipherString = DEFAULT
780 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
781
782-[16-npn-no-server-support-resumption-client]
783+[18-npn-no-server-support-resumption-client]
784 CipherString = DEFAULT
785 MaxProtocol = TLSv1.2
786 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
787 VerifyMode = Peer
788
789-[test-16]
790+[test-18]
791 HandshakeMode = Resume
792 ResumptionExpected = Yes
793-server = 16-npn-no-server-support-resumption-server-extra
794-client = 16-npn-no-server-support-resumption-client-extra
795-resume-client = 16-npn-no-server-support-resumption-client-extra
796+server = 18-npn-no-server-support-resumption-server-extra
797+client = 18-npn-no-server-support-resumption-client-extra
798+resume-client = 18-npn-no-server-support-resumption-client-extra
799
800-[16-npn-no-server-support-resumption-server-extra]
801+[18-npn-no-server-support-resumption-server-extra]
802 NPNProtocols = foo
803
804-[16-npn-no-server-support-resumption-client-extra]
805+[18-npn-no-server-support-resumption-client-extra]
806 NPNProtocols = foo
807
808
809 # ===========================================================
810
811-[17-npn-no-client-support-resumption]
812-ssl_conf = 17-npn-no-client-support-resumption-ssl
813+[19-npn-no-client-support-resumption]
814+ssl_conf = 19-npn-no-client-support-resumption-ssl
815
816-[17-npn-no-client-support-resumption-ssl]
817-server = 17-npn-no-client-support-resumption-server
818-client = 17-npn-no-client-support-resumption-client
819-resume-server = 17-npn-no-client-support-resumption-server
820-resume-client = 17-npn-no-client-support-resumption-resume-client
821+[19-npn-no-client-support-resumption-ssl]
822+server = 19-npn-no-client-support-resumption-server
823+client = 19-npn-no-client-support-resumption-client
824+resume-server = 19-npn-no-client-support-resumption-server
825+resume-client = 19-npn-no-client-support-resumption-resume-client
826
827-[17-npn-no-client-support-resumption-server]
828+[19-npn-no-client-support-resumption-server]
829 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
830 CipherString = DEFAULT
831 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
832
833-[17-npn-no-client-support-resumption-client]
834+[19-npn-no-client-support-resumption-client]
835 CipherString = DEFAULT
836 MaxProtocol = TLSv1.2
837 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
838 VerifyMode = Peer
839
840-[17-npn-no-client-support-resumption-resume-client]
841+[19-npn-no-client-support-resumption-resume-client]
842 CipherString = DEFAULT
843 MaxProtocol = TLSv1.2
844 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
845 VerifyMode = Peer
846
847-[test-17]
848+[test-19]
849 HandshakeMode = Resume
850 ResumptionExpected = Yes
851-server = 17-npn-no-client-support-resumption-server-extra
852-resume-server = 17-npn-no-client-support-resumption-server-extra
853-client = 17-npn-no-client-support-resumption-client-extra
854+server = 19-npn-no-client-support-resumption-server-extra
855+resume-server = 19-npn-no-client-support-resumption-server-extra
856+client = 19-npn-no-client-support-resumption-client-extra
857
858-[17-npn-no-client-support-resumption-server-extra]
859+[19-npn-no-client-support-resumption-server-extra]
860 NPNProtocols = foo
861
862-[17-npn-no-client-support-resumption-client-extra]
863+[19-npn-no-client-support-resumption-client-extra]
864 NPNProtocols = foo
865
866
867 # ===========================================================
868
869-[18-alpn-preferred-over-npn-resumption]
870-ssl_conf = 18-alpn-preferred-over-npn-resumption-ssl
871+[20-alpn-preferred-over-npn-resumption]
872+ssl_conf = 20-alpn-preferred-over-npn-resumption-ssl
873
874-[18-alpn-preferred-over-npn-resumption-ssl]
875-server = 18-alpn-preferred-over-npn-resumption-server
876-client = 18-alpn-preferred-over-npn-resumption-client
877-resume-server = 18-alpn-preferred-over-npn-resumption-resume-server
878-resume-client = 18-alpn-preferred-over-npn-resumption-client
879+[20-alpn-preferred-over-npn-resumption-ssl]
880+server = 20-alpn-preferred-over-npn-resumption-server
881+client = 20-alpn-preferred-over-npn-resumption-client
882+resume-server = 20-alpn-preferred-over-npn-resumption-resume-server
883+resume-client = 20-alpn-preferred-over-npn-resumption-client
884
885-[18-alpn-preferred-over-npn-resumption-server]
886+[20-alpn-preferred-over-npn-resumption-server]
887 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
888 CipherString = DEFAULT
889 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
890
891-[18-alpn-preferred-over-npn-resumption-resume-server]
892+[20-alpn-preferred-over-npn-resumption-resume-server]
893 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
894 CipherString = DEFAULT
895 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
896
897-[18-alpn-preferred-over-npn-resumption-client]
898+[20-alpn-preferred-over-npn-resumption-client]
899 CipherString = DEFAULT
900 MaxProtocol = TLSv1.2
901 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
902 VerifyMode = Peer
903
904-[test-18]
905+[test-20]
906 ExpectedALPNProtocol = foo
907 HandshakeMode = Resume
908 ResumptionExpected = Yes
909-server = 18-alpn-preferred-over-npn-resumption-server-extra
910-resume-server = 18-alpn-preferred-over-npn-resumption-resume-server-extra
911-client = 18-alpn-preferred-over-npn-resumption-client-extra
912-resume-client = 18-alpn-preferred-over-npn-resumption-client-extra
913+server = 20-alpn-preferred-over-npn-resumption-server-extra
914+resume-server = 20-alpn-preferred-over-npn-resumption-resume-server-extra
915+client = 20-alpn-preferred-over-npn-resumption-client-extra
916+resume-client = 20-alpn-preferred-over-npn-resumption-client-extra
917
918-[18-alpn-preferred-over-npn-resumption-server-extra]
919+[20-alpn-preferred-over-npn-resumption-server-extra]
920 NPNProtocols = bar
921
922-[18-alpn-preferred-over-npn-resumption-resume-server-extra]
923+[20-alpn-preferred-over-npn-resumption-resume-server-extra]
924 ALPNProtocols = foo
925 NPNProtocols = baz
926
927-[18-alpn-preferred-over-npn-resumption-client-extra]
928+[20-alpn-preferred-over-npn-resumption-client-extra]
929 ALPNProtocols = foo
930 NPNProtocols = bar,baz
931
932
933 # ===========================================================
934
935-[19-npn-used-if-alpn-not-supported-resumption]
936-ssl_conf = 19-npn-used-if-alpn-not-supported-resumption-ssl
937+[21-npn-used-if-alpn-not-supported-resumption]
938+ssl_conf = 21-npn-used-if-alpn-not-supported-resumption-ssl
939
940-[19-npn-used-if-alpn-not-supported-resumption-ssl]
941-server = 19-npn-used-if-alpn-not-supported-resumption-server
942-client = 19-npn-used-if-alpn-not-supported-resumption-client
943-resume-server = 19-npn-used-if-alpn-not-supported-resumption-resume-server
944-resume-client = 19-npn-used-if-alpn-not-supported-resumption-client
945+[21-npn-used-if-alpn-not-supported-resumption-ssl]
946+server = 21-npn-used-if-alpn-not-supported-resumption-server
947+client = 21-npn-used-if-alpn-not-supported-resumption-client
948+resume-server = 21-npn-used-if-alpn-not-supported-resumption-resume-server
949+resume-client = 21-npn-used-if-alpn-not-supported-resumption-client
950
951-[19-npn-used-if-alpn-not-supported-resumption-server]
952+[21-npn-used-if-alpn-not-supported-resumption-server]
953 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
954 CipherString = DEFAULT
955 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
956
957-[19-npn-used-if-alpn-not-supported-resumption-resume-server]
958+[21-npn-used-if-alpn-not-supported-resumption-resume-server]
959 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
960 CipherString = DEFAULT
961 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
962
963-[19-npn-used-if-alpn-not-supported-resumption-client]
964+[21-npn-used-if-alpn-not-supported-resumption-client]
965 CipherString = DEFAULT
966 MaxProtocol = TLSv1.2
967 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
968 VerifyMode = Peer
969
970-[test-19]
971+[test-21]
972 ExpectedNPNProtocol = baz
973 HandshakeMode = Resume
974 ResumptionExpected = Yes
975-server = 19-npn-used-if-alpn-not-supported-resumption-server-extra
976-resume-server = 19-npn-used-if-alpn-not-supported-resumption-resume-server-extra
977-client = 19-npn-used-if-alpn-not-supported-resumption-client-extra
978-resume-client = 19-npn-used-if-alpn-not-supported-resumption-client-extra
979+server = 21-npn-used-if-alpn-not-supported-resumption-server-extra
980+resume-server = 21-npn-used-if-alpn-not-supported-resumption-resume-server-extra
981+client = 21-npn-used-if-alpn-not-supported-resumption-client-extra
982+resume-client = 21-npn-used-if-alpn-not-supported-resumption-client-extra
983
984-[19-npn-used-if-alpn-not-supported-resumption-server-extra]
985+[21-npn-used-if-alpn-not-supported-resumption-server-extra]
986 ALPNProtocols = foo
987 NPNProtocols = bar
988
989-[19-npn-used-if-alpn-not-supported-resumption-resume-server-extra]
990+[21-npn-used-if-alpn-not-supported-resumption-resume-server-extra]
991 NPNProtocols = baz
992
993-[19-npn-used-if-alpn-not-supported-resumption-client-extra]
994+[21-npn-used-if-alpn-not-supported-resumption-client-extra]
995 ALPNProtocols = foo
996 NPNProtocols = bar,baz
997
998diff --git a/test/ssl-tests/08-npn.cnf.in b/test/ssl-tests/08-npn.cnf.in
999index 30783e4..1dc2704 100644
1000--- a/test/ssl-tests/08-npn.cnf.in
1001+++ b/test/ssl-tests/08-npn.cnf.in
1002@@ -110,6 +110,41 @@ our @tests = (
1003 "ExpectedNPNProtocol" => undef,
1004 },
1005 },
1006+ {
1007+ name => "npn-empty-client-list",
1008+ server => {
1009+ extra => {
1010+ "NPNProtocols" => "foo",
1011+ },
1012+ },
1013+ client => {
1014+ extra => {
1015+ "NPNProtocols" => "",
1016+ },
1017+ "MaxProtocol" => "TLSv1.2"
1018+ },
1019+ test => {
1020+ "ExpectedResult" => "ClientFail",
1021+ "ExpectedClientAlert" => "HandshakeFailure"
1022+ },
1023+ },
1024+ {
1025+ name => "npn-empty-server-list",
1026+ server => {
1027+ extra => {
1028+ "NPNProtocols" => "",
1029+ },
1030+ },
1031+ client => {
1032+ extra => {
1033+ "NPNProtocols" => "foo",
1034+ },
1035+ "MaxProtocol" => "TLSv1.2"
1036+ },
1037+ test => {
1038+ "ExpectedNPNProtocol" => "foo"
1039+ },
1040+ },
1041 {
1042 name => "npn-with-sni-no-context-switch",
1043 server => {
1044diff --git a/test/ssl-tests/09-alpn.cnf b/test/ssl-tests/09-alpn.cnf
1045index e7e6cb9..dd66873 100644
1046--- a/test/ssl-tests/09-alpn.cnf
1047+++ b/test/ssl-tests/09-alpn.cnf
1048@@ -1,6 +1,6 @@
1049 # Generated with generate_ssl_tests.pl
1050
1051-num_tests = 16
1052+num_tests = 18
1053
1054 test-0 = 0-alpn-simple
1055 test-1 = 1-alpn-server-finds-match
1056@@ -18,6 +18,8 @@ test-12 = 12-alpn-client-switch-resumption
1057 test-13 = 13-alpn-alert-on-mismatch-resumption
1058 test-14 = 14-alpn-no-server-support-resumption
1059 test-15 = 15-alpn-no-client-support-resumption
1060+test-16 = 16-alpn-empty-client-list
1061+test-17 = 17-alpn-empty-server-list
1062 # ===========================================================
1063
1064 [0-alpn-simple]
1065@@ -617,3 +619,65 @@ ALPNProtocols = foo
1066 ALPNProtocols = foo
1067
1068
1069+# ===========================================================
1070+
1071+[16-alpn-empty-client-list]
1072+ssl_conf = 16-alpn-empty-client-list-ssl
1073+
1074+[16-alpn-empty-client-list-ssl]
1075+server = 16-alpn-empty-client-list-server
1076+client = 16-alpn-empty-client-list-client
1077+
1078+[16-alpn-empty-client-list-server]
1079+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
1080+CipherString = DEFAULT
1081+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
1082+
1083+[16-alpn-empty-client-list-client]
1084+CipherString = DEFAULT
1085+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
1086+VerifyMode = Peer
1087+
1088+[test-16]
1089+server = 16-alpn-empty-client-list-server-extra
1090+client = 16-alpn-empty-client-list-client-extra
1091+
1092+[16-alpn-empty-client-list-server-extra]
1093+ALPNProtocols = foo
1094+
1095+[16-alpn-empty-client-list-client-extra]
1096+ALPNProtocols =
1097+
1098+
1099+# ===========================================================
1100+
1101+[17-alpn-empty-server-list]
1102+ssl_conf = 17-alpn-empty-server-list-ssl
1103+
1104+[17-alpn-empty-server-list-ssl]
1105+server = 17-alpn-empty-server-list-server
1106+client = 17-alpn-empty-server-list-client
1107+
1108+[17-alpn-empty-server-list-server]
1109+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
1110+CipherString = DEFAULT
1111+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
1112+
1113+[17-alpn-empty-server-list-client]
1114+CipherString = DEFAULT
1115+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
1116+VerifyMode = Peer
1117+
1118+[test-17]
1119+ExpectedResult = ServerFail
1120+ExpectedServerAlert = NoApplicationProtocol
1121+server = 17-alpn-empty-server-list-server-extra
1122+client = 17-alpn-empty-server-list-client-extra
1123+
1124+[17-alpn-empty-server-list-server-extra]
1125+ALPNProtocols =
1126+
1127+[17-alpn-empty-server-list-client-extra]
1128+ALPNProtocols = foo
1129+
1130+
1131diff --git a/test/ssl-tests/09-alpn.cnf.in b/test/ssl-tests/09-alpn.cnf.in
1132index 8133075..322b709 100644
1133--- a/test/ssl-tests/09-alpn.cnf.in
1134+++ b/test/ssl-tests/09-alpn.cnf.in
1135@@ -322,4 +322,37 @@ our @tests = (
1136 "ExpectedALPNProtocol" => undef,
1137 },
1138 },
1139+ {
1140+ name => "alpn-empty-client-list",
1141+ server => {
1142+ extra => {
1143+ "ALPNProtocols" => "foo",
1144+ },
1145+ },
1146+ client => {
1147+ extra => {
1148+ "ALPNProtocols" => "",
1149+ },
1150+ },
1151+ test => {
1152+ "ExpectedALPNProtocol" => undef,
1153+ },
1154+ },
1155+ {
1156+ name => "alpn-empty-server-list",
1157+ server => {
1158+ extra => {
1159+ "ALPNProtocols" => "",
1160+ },
1161+ },
1162+ client => {
1163+ extra => {
1164+ "ALPNProtocols" => "foo",
1165+ },
1166+ },
1167+ test => {
1168+ "ExpectedResult" => "ServerFail",
1169+ "ExpectedServerAlert" => "NoApplicationProtocol",
1170+ },
1171+ },
1172 );
1173--
11742.25.1
1175
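--- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_6.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From a8c0ee154d212284f82680275de63642d914365e Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 21 Jun 2024 10:41:55 +0100
-Subject: [PATCH 6/9] Correct return values for
- tls_construct_stoc_next_proto_neg
-
-Return EXT_RETURN_NOT_SENT in the event that we don't send the extension,
-rather than EXT_RETURN_SENT. This actually makes no difference at all to
-the current control flow since this return value is ignored in this case
-anyway. But lets make it correct anyway.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24718)
-
-(cherry picked from commit 087501b4f572825e27ca8cc2c5874fcf6fd47cf7)
-
-Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/189a7ed3e380e34ea38fe4190a7c9396bace0fb7]
-CVE: CVE-2024-5535
-Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
----
- ssl/statem/extensions_srvr.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
-index 1fab5a3..51ea74b 100644
---- a/ssl/statem/extensions_srvr.c
-+++ b/ssl/statem/extensions_srvr.c
-@@ -1471,9 +1471,10 @@ EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
- return EXT_RETURN_FAIL;
- }
- s->s3.npn_seen = 1;
-+ return EXT_RETURN_SENT;
- }
-
-- return EXT_RETURN_SENT;
-+ return EXT_RETURN_NOT_SENT;
- }
- #endif
-
---
-2.25.1
-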
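--- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_7.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From fa5cc5eb58a4c9632929397fc9a6c291fff1b99d Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 21 Jun 2024 11:51:54 +0100
-Subject: [PATCH 7/9] Add ALPN validation in the client
-
-The ALPN protocol selected by the server must be one that we originally
-advertised. We should verify that it is.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24718)
-
-(cherry picked from commit 017e54183b95617825fb9316d618c154a34c634e)
-
-Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/4b375b998798dd516d367036773073e1b88e6433]
-CVE: CVE-2024-5535
-Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
----
- ssl/statem/extensions_clnt.c | 24 ++++++++++++++++++++++++
- 1 file changed, 24 insertions(+)
-
-diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
-index a07dc62..b21ccf9 100644
---- a/ssl/statem/extensions_clnt.c
-+++ b/ssl/statem/extensions_clnt.c
-@@ -1566,6 +1566,8 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
- size_t chainidx)
- {
- size_t len;
-+ PACKET confpkt, protpkt;
-+ int valid = 0;
-
- /* We must have requested it. */
- if (!s->s3.alpn_sent) {
-@@ -1584,6 +1586,28 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
- SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
- return 0;
- }
-+
-+ /* It must be a protocol that we sent */
-+ if (!PACKET_buf_init(&confpkt, s->ext.alpn, s->ext.alpn_len)) {
-+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
-+ return 0;
-+ }
-+ while (PACKET_get_length_prefixed_1(&confpkt, &protpkt)) {
-+ if (PACKET_remaining(&protpkt) != len)
-+ continue;
-+ if (memcmp(PACKET_data(pkt), PACKET_data(&protpkt), len) == 0) {
-+ /* Valid protocol found */
-+ valid = 1;
-+ break;
-+ }
-+ }
-+
-+ if (!valid) {
-+ /* The protocol sent from the server does not match one we advertised */
-+ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
-+ return 0;
-+ }
-+
- OPENSSL_free(s->s3.alpn_selected);
- s->s3.alpn_selected = OPENSSL_malloc(len);
- if (s->s3.alpn_selected == NULL) {
---
-2.25.1
-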
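--- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_8.patch
+++ /dev/null
@@ -1,273 +0,0 @@
-From b898db2b91751a52d2af699e674a80a6b218084d Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 21 Jun 2024 10:09:41 +0100
-Subject: [PATCH 8/9] Add explicit testing of ALN and NPN in sslapitest
-
-We already had some tests elsewhere - but this extends that testing with
-additional tests.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24718)
-
-(cherry picked from commit 0453bf5a7ac60ab01c8bb713d8cc2a94324aa88c)
-
-Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/ca176d7291eb780e4ed2781342f5be5a32210a68]
-CVE: CVE-2024-5535
-Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
----
- test/sslapitest.c | 229 ++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 229 insertions(+)
-
-diff --git a/test/sslapitest.c b/test/sslapitest.c
-index 3922262..171298b 100644
---- a/test/sslapitest.c
-+++ b/test/sslapitest.c
-@@ -10901,6 +10901,231 @@ static int test_select_next_proto(int idx)
- return ret;
- }
-
-+static const unsigned char fooprot[] = {3, 'f', 'o', 'o' };
-+static const unsigned char barprot[] = {3, 'b', 'a', 'r' };
-+
-+#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
-+static int npn_advert_cb(SSL *ssl, const unsigned char **out,
-+ unsigned int *outlen, void *arg)
-+{
-+ int *idx = (int *)arg;
-+
-+ switch (*idx) {
-+ default:
-+ case 0:
-+ *out = fooprot;
-+ *outlen = sizeof(fooprot);
-+ return SSL_TLSEXT_ERR_OK;
-+
-+ case 1:
-+ *outlen = 0;
-+ return SSL_TLSEXT_ERR_OK;
-+
-+ case 2:
-+ return SSL_TLSEXT_ERR_NOACK;
-+ }
-+}
-+
-+static int npn_select_cb(SSL *s, unsigned char **out, unsigned char *outlen,
-+ const unsigned char *in, unsigned int inlen, void *arg)
-+{
-+ int *idx = (int *)arg;
-+
-+ switch (*idx) {
-+ case 0:
-+ case 1:
-+ *out = (unsigned char *)(fooprot + 1);
-+ *outlen = *fooprot;
-+ return SSL_TLSEXT_ERR_OK;
-+
-+ case 3:
-+ *out = (unsigned char *)(barprot + 1);
-+ *outlen = *barprot;
-+ return SSL_TLSEXT_ERR_OK;
-+
-+ case 4:
-+ *outlen = 0;
-+ return SSL_TLSEXT_ERR_OK;
-+
-+ default:
-+ case 2:
-+ return SSL_TLSEXT_ERR_ALERT_FATAL;
-+ }
-+}
-+
-+/*
-+ * Test the NPN callbacks
-+ * Test 0: advert = foo, select = foo
-+ * Test 1: advert = <empty>, select = foo
-+ * Test 2: no advert
-+ * Test 3: advert = foo, select = bar
-+ * Test 4: advert = foo, select = <empty> (should fail)
-+ */
-+static int test_npn(int idx)
-+{
-+ SSL_CTX *sctx = NULL, *cctx = NULL;
-+ SSL *serverssl = NULL, *clientssl = NULL;
-+ int testresult = 0;
-+
-+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
-+ TLS_client_method(), 0, TLS1_2_VERSION,
-+ &sctx, &cctx, cert, privkey)))
-+ goto end;
-+
-+ SSL_CTX_set_next_protos_advertised_cb(sctx, npn_advert_cb, &idx);
-+ SSL_CTX_set_next_proto_select_cb(cctx, npn_select_cb, &idx);
-+
-+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
-+ NULL)))
-+ goto end;
-+
-+ if (idx == 4) {
-+ /* We don't allow empty selection of NPN, so this should fail */
-+ if (!TEST_false(create_ssl_connection(serverssl, clientssl,
-+ SSL_ERROR_NONE)))
-+ goto end;
-+ } else {
-+ const unsigned char *prot;
-+ unsigned int protlen;
-+
-+ if (!TEST_true(create_ssl_connection(serverssl, clientssl,
-+ SSL_ERROR_NONE)))
-+ goto end;
-+
-+ SSL_get0_next_proto_negotiated(serverssl, &prot, &protlen);
-+ switch (idx) {
-+ case 0:
-+ case 1:
-+ if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
-+ goto end;
-+ break;
-+ case 2:
-+ if (!TEST_uint_eq(protlen, 0))
-+ goto end;
-+ break;
-+ case 3:
-+ if (!TEST_mem_eq(prot, protlen, barprot + 1, *barprot))
-+ goto end;
-+ break;
-+ default:
-+ TEST_error("Should not get here");
-+ goto end;
-+ }
-+ }
-+
-+ testresult = 1;
-+ end:
-+ SSL_free(serverssl);
-+ SSL_free(clientssl);
-+ SSL_CTX_free(sctx);
-+ SSL_CTX_free(cctx);
-+
-+ return testresult;
-+}
-+#endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG) */
-+
-+static int alpn_select_cb2(SSL *ssl, const unsigned char **out,
-+ unsigned char *outlen, const unsigned char *in,
-+ unsigned int inlen, void *arg)
-+{
-+ int *idx = (int *)arg;
-+
-+ switch (*idx) {
-+ case 0:
-+ *out = (unsigned char *)(fooprot + 1);
-+ *outlen = *fooprot;
-+ return SSL_TLSEXT_ERR_OK;
-+
-+ case 2:
-+ *out = (unsigned char *)(barprot + 1);
-+ *outlen = *barprot;
-+ return SSL_TLSEXT_ERR_OK;
-+
-+ case 3:
-+ *outlen = 0;
-+ return SSL_TLSEXT_ERR_OK;
-+
-+ default:
-+ case 1:
-+ return SSL_TLSEXT_ERR_ALERT_FATAL;
-+ }
-+ return 0;
-+}
-+
-+/*
-+ * Test the ALPN callbacks
-+ * Test 0: client = foo, select = foo
-+ * Test 1: client = <empty>, select = none
-+ * Test 2: client = foo, select = bar (should fail)
-+ * Test 3: client = foo, select = <empty> (should fail)
-+ */
-+static int test_alpn(int idx)
-+{
-+ SSL_CTX *sctx = NULL, *cctx = NULL;
-+ SSL *serverssl = NULL, *clientssl = NULL;
-+ int testresult = 0;
-+ const unsigned char *prots = fooprot;
-+ unsigned int protslen = sizeof(fooprot);
-+
-+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
-+ TLS_client_method(), 0, 0,
-+ &sctx, &cctx, cert, privkey)))
-+ goto end;
-+
-+ SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb2, &idx);
-+
-+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
-+ NULL)))
-+ goto end;
-+
-+ if (idx == 1) {
-+ prots = NULL;
-+ protslen = 0;
-+ }
-+
-+ /* SSL_set_alpn_protos returns 0 for success! */
-+ if (!TEST_false(SSL_set_alpn_protos(clientssl, prots, protslen)))
-+ goto end;
-+
-+ if (idx == 2 || idx == 3) {
-+ /* We don't allow empty selection of NPN, so this should fail */
-+ if (!TEST_false(create_ssl_connection(serverssl, clientssl,
-+ SSL_ERROR_NONE)))
-+ goto end;
-+ } else {
-+ const unsigned char *prot;
-+ unsigned int protlen;
-+
-+ if (!TEST_true(create_ssl_connection(serverssl, clientssl,
-+ SSL_ERROR_NONE)))
-+ goto end;
-+
-+ SSL_get0_alpn_selected(clientssl, &prot, &protlen);
-+ switch (idx) {
-+ case 0:
-+ if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
-+ goto end;
-+ break;
-+ case 1:
-+ if (!TEST_uint_eq(protlen, 0))
-+ goto end;
-+ break;
-+ default:
-+ TEST_error("Should not get here");
-+ goto end;
-+ }
-+ }
-+
-+ testresult = 1;
-+ end:
-+ SSL_free(serverssl);
-+ SSL_free(clientssl);
-+ SSL_CTX_free(sctx);
-+ SSL_CTX_free(cctx);
-+
-+ return testresult;
-+}
-+
- OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
-
- int setup_tests(void)
-@@ -11178,6 +11403,10 @@ int setup_tests(void)
- ADD_ALL_TESTS(test_handshake_retry, 16);
- ADD_ALL_TESTS(test_multi_resume, 5);
- ADD_ALL_TESTS(test_select_next_proto, OSSL_NELEM(next_proto_tests));
-+#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
-+ ADD_ALL_TESTS(test_npn, 5);
-+#endif
-+ ADD_ALL_TESTS(test_alpn, 4);
- return 1;
-
- err:
---
-2.25.1
-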
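--- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_9.patch
+++ /dev/null
@@ -1,205 +0,0 @@
-From 475480db0f9592f15f00a7cf692d3e04ad8e742f Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 21 Jun 2024 14:29:26 +0100
-Subject: [PATCH 9/9] Add a test for an empty NextProto message
-
-It is valid according to the spec for a NextProto message to have no
-protocols listed in it. The OpenSSL implementation however does not allow
-us to create such a message. In order to check that we work as expected
-when communicating with a client that does generate such messages we have
-to use a TLSProxy test.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24718)
-
-(cherry picked from commit a201030901de9f9a48b34c38f6922fb0b272f26f)
-
-Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/99c2b6b971c302595db1801e26a202247238659d]
-CVE: CVE-2024-5535
-Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
----
- test/recipes/70-test_npn.t | 73 +++++++++++++++++++++++++++++++++
- util/perl/TLSProxy/Message.pm | 9 ++++
- util/perl/TLSProxy/NextProto.pm | 54 ++++++++++++++++++++++++
- util/perl/TLSProxy/Proxy.pm | 1 +
- 4 files changed, 137 insertions(+)
- create mode 100644 test/recipes/70-test_npn.t
- create mode 100644 util/perl/TLSProxy/NextProto.pm
-
-diff --git a/test/recipes/70-test_npn.t b/test/recipes/70-test_npn.t
-new file mode 100644
-index 0000000..f82e71a
---- /dev/null
-+++ b/test/recipes/70-test_npn.t
-@@ -0,0 +1,73 @@
-+#! /usr/bin/env perl
-+# Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
-+#
-+# Licensed under the Apache License 2.0 (the "License"). You may not use
-+# this file except in compliance with the License. You can obtain a copy
-+# in the file LICENSE in the source distribution or at
-+# https://www.openssl.org/source/license.html
-+
-+use strict;
-+use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file/;
-+use OpenSSL::Test::Utils;
-+
-+use TLSProxy::Proxy;
-+
-+my $test_name = "test_npn";
-+setup($test_name);
-+
-+plan skip_all => "TLSProxy isn't usable on $^O"
-+ if $^O =~ /^(VMS)$/;
-+
-+plan skip_all => "$test_name needs the dynamic engine feature enabled"
-+ if disabled("engine") || disabled("dynamic-engine");
-+
-+plan skip_all => "$test_name needs the sock feature enabled"
-+ if disabled("sock");
-+
-+plan skip_all => "$test_name needs NPN enabled"
-+ if disabled("nextprotoneg");
-+
-+plan skip_all => "$test_name needs TLSv1.2 enabled"
-+ if disabled("tls1_2");
-+
-+my $proxy = TLSProxy::Proxy->new(
-+ undef,
-+ cmdstr(app(["openssl"]), display => 1),
-+ srctop_file("apps", "server.pem"),
-+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
-+);
-+
-+$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
-+plan tests => 1;
-+
-+my $npnseen = 0;
-+
-+# Test 1: Check sending an empty NextProto message from the client works. This is
-+# valid as per the spec, but OpenSSL does not allow you to send it.
-+# Therefore we must be prepared to receive such a message but we cannot
-+# generate it except via TLSProxy
-+$proxy->clear();
-+$proxy->filter(\&npn_filter);
-+$proxy->clientflags("-nextprotoneg foo -no_tls1_3");
-+$proxy->serverflags("-nextprotoneg foo");
-+$proxy->start();
-+ok($npnseen && TLSProxy::Message->success(), "Empty NPN message");
-+
-+sub npn_filter
-+{
-+ my $proxy = shift;
-+ my $message;
-+
-+ # The NextProto message always appears in flight 2
-+ return if $proxy->flight != 2;
-+
-+ foreach my $message (@{$proxy->message_list}) {
-+ if ($message->mt == TLSProxy::Message::MT_NEXT_PROTO) {
-+ # Our TLSproxy NextProto message support doesn't support parsing of
-+ # the message. If we repack it just creates an empty NextProto
-+ # message - which is exactly the scenario we want to test here.
-+ $message->repack();
-+ $npnseen = 1;
-+ }
-+ }
-+}
-diff --git a/util/perl/TLSProxy/Message.pm b/util/perl/TLSProxy/Message.pm
-index 2c1bdb3..eb350de 100644
---- a/util/perl/TLSProxy/Message.pm
-+++ b/util/perl/TLSProxy/Message.pm
-@@ -379,6 +379,15 @@ sub create_message
- [@message_frag_lens]
- );
- $message->parse();
-+ } elsif ($mt == MT_NEXT_PROTO) {
-+ $message = TLSProxy::NextProto->new(
-+ $server,
-+ $data,
-+ [@message_rec_list],
-+ $startoffset,
-+ [@message_frag_lens]
-+ );
-+ $message->parse();
- } else {
- #Unknown message type
- $message = TLSProxy::Message->new(
-diff --git a/util/perl/TLSProxy/NextProto.pm b/util/perl/TLSProxy/NextProto.pm
-new file mode 100644
-index 0000000..0e18347
---- /dev/null
-+++ b/util/perl/TLSProxy/NextProto.pm
-@@ -0,0 +1,54 @@
-+# Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
-+#
-+# Licensed under the Apache License 2.0 (the "License"). You may not use
-+# this file except in compliance with the License. You can obtain a copy
-+# in the file LICENSE in the source distribution or at
-+# https://www.openssl.org/source/license.html
-+
-+use strict;
-+
-+package TLSProxy::NextProto;
-+
-+use vars '@ISA';
-+push @ISA, 'TLSProxy::Message';
-+
-+sub new
-+{
-+ my $class = shift;
-+ my ($server,
-+ $data,
-+ $records,
-+ $startoffset,
-+ $message_frag_lens) = @_;
-+
-+ my $self = $class->SUPER::new(
-+ $server,
-+ TLSProxy::Message::MT_NEXT_PROTO,
-+ $data,
-+ $records,
-+ $startoffset,
-+ $message_frag_lens);
-+
-+ return $self;
-+}
-+
-+sub parse
-+{
-+ # We don't support parsing at the moment
-+}
-+
-+# This is supposed to reconstruct the on-the-wire message data following changes.
-+# For now though since we don't support parsing we just create an empty NextProto
-+# message - this capability is used in test_npn
-+sub set_message_contents
-+{
-+ my $self = shift;
-+ my $data;
-+
-+ $data = pack("C32", 0x00, 0x1e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-+ 0x00, 0x00, 0x00);
-+ $self->data($data);
-+}
-+1;
-diff --git a/util/perl/TLSProxy/Proxy.pm b/util/perl/TLSProxy/Proxy.pm
-index 3de10ec..b707722 100644
---- a/util/perl/TLSProxy/Proxy.pm
-+++ b/util/perl/TLSProxy/Proxy.pm
-@@ -23,6 +23,7 @@ use TLSProxy::CertificateRequest;
- use TLSProxy::CertificateVerify;
- use TLSProxy::ServerKeyExchange;
- use TLSProxy::NewSessionTicket;
-+use TLSProxy::NextProto;
-
- my $have_IPv6;
- my $IP_factory;
---
-2.25.1
-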
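--- a/meta/recipes-connectivity/openssl/openssl_3.0.14.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.0.15.bb
@@ -7,27 +7,18 @@ SECTION = "libs/network"
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=c75985e733726beaba57bc5253e96d04"
 
-SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
+SRC_URI = "https://github.com/openssl/openssl/releases/download/openssl-${PV}/openssl-${PV}.tar.gz \
 file://run-ptest \
 file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
 file://afalg.patch \
 file://0001-Configure-do-not-tweak-mips-cflags.patch \
-file://CVE-2024-5535_1.patch \
-file://CVE-2024-5535_2.patch \
-file://CVE-2024-5535_3.patch \
-file://CVE-2024-5535_4.patch \
-file://CVE-2024-5535_5.patch \
-file://CVE-2024-5535_6.patch \
-file://CVE-2024-5535_7.patch \
-file://CVE-2024-5535_8.patch \
-file://CVE-2024-5535_9.patch \
 "
 
 SRC_URI:append:class-nativesdk = " \
 file://environment.d-openssl.sh \
 "
 
-SRC_URI[sha256sum] = "eeca035d4dd4e84fc25846d952da6297484afa0650a6f84c682e39df3a4123ca"
+SRC_URI[sha256sum] = "23c666d0edf20f14249b3d8f0368acaee9ab585b09e1de82107c66e1f3ec9533"
 
 inherit lib_package multilib_header multilib_script ptest perlnative
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"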