git: 214d5852d425 - main - security/openssl: Update KTLS patches for Chacha20-Poly1305
Bernard Spil
brnrd at FreeBSD.org
Thu Aug 19 14:05:05 UTC 2021
The branch main has been updated by brnrd:
URL: https://cgit.FreeBSD.org/ports/commit/?id=214d5852d425659f89f6de1834b8bc662d7a29a7
commit 214d5852d425659f89f6de1834b8bc662d7a29a7
Author: Bernard Spil <brnrd at FreeBSD.org>
AuthorDate: 2021-08-19 14:01:53 +0000
Commit: Bernard Spil <brnrd at FreeBSD.org>
CommitDate: 2021-08-19 14:01:53 +0000
security/openssl: Update KTLS patches for Chacha20-Poly1305
This pulls in several upstream KTLS patches from OpenSSL master:
* A fix to the return values of BIO_get_ktls_*().
* Support for Chacha20-Poly1305.
* Replacing the SSL_MODE_NO_KTLS_* modes which opted-out of KTLS with
an opt-in SSL_OP_ENABLE_KTLS. Note that this means that KTLS is not
enabled by default. Users can enable KTLS via a custom OpenSSL config
file that enables the KTLS option.
Reported by: jhb
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D31430
---
security/openssl/Makefile | 2 +-
security/openssl/files/extra-patch-ktls | 683 ++++++++++++++++++--------------
2 files changed, 389 insertions(+), 296 deletions(-)
diff --git a/security/openssl/Makefile b/security/openssl/Makefile
index ab678c4087b1..ec3e8a967d0f 100644
--- a/security/openssl/Makefile
+++ b/security/openssl/Makefile
@@ -2,7 +2,7 @@
PORTNAME= openssl
PORTVERSION= 1.1.1k
-PORTREVISION= 1
+PORTREVISION= 2
PORTEPOCH= 1
CATEGORIES= security devel
MASTER_SITES= https://www.openssl.org/source/ \
diff --git a/security/openssl/files/extra-patch-ktls b/security/openssl/files/extra-patch-ktls
index 3df11e5b80ba..ce1f6242fd58 100644
--- a/security/openssl/files/extra-patch-ktls
+++ b/security/openssl/files/extra-patch-ktls
@@ -1,8 +1,8 @@
diff --git CHANGES CHANGES
-index 1ab64b35c9..a4a63a9bea 100644
+index 7d0129e687..7f8057bb6f 100644
--- CHANGES
+++ CHANGES
-@@ -427,6 +427,11 @@
+@@ -471,6 +471,11 @@
necessary to configure just to create a source distribution.
[Richard Levitte]
@@ -153,7 +153,7 @@ index 335dfabc61..80ef348d92 100644
return sock;
}
diff --git crypto/bio/bss_conn.c crypto/bio/bss_conn.c
-index 807a82b23b..d478644280 100644
+index 807a82b23b..10cf20871c 100644
--- crypto/bio/bss_conn.c
+++ crypto/bio/bss_conn.c
@@ -11,6 +11,7 @@
@@ -216,9 +216,12 @@ index 807a82b23b..d478644280 100644
data = (BIO_CONNECT *)b->ptr;
-@@ -520,6 +541,27 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr)
+@@ -518,8 +539,29 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr)
+ }
+ break;
case BIO_CTRL_EOF:
- ret = (b->flags & BIO_FLAGS_IN_EOF) != 0 ? 1 : 0;
+- ret = (b->flags & BIO_FLAGS_IN_EOF) != 0 ? 1 : 0;
++ ret = (b->flags & BIO_FLAGS_IN_EOF) != 0;
break;
+# ifndef OPENSSL_NO_KTLS
+ case BIO_CTRL_SET_KTLS:
@@ -228,9 +231,9 @@ index 807a82b23b..d478644280 100644
+ BIO_set_ktls_flag(b, num);
+ break;
+ case BIO_CTRL_GET_KTLS_SEND:
-+ return BIO_should_ktls_flag(b, 1);
++ return BIO_should_ktls_flag(b, 1) != 0;
+ case BIO_CTRL_GET_KTLS_RECV:
-+ return BIO_should_ktls_flag(b, 0);
++ return BIO_should_ktls_flag(b, 0) != 0;
+ case BIO_CTRL_SET_KTLS_TX_SEND_CTRL_MSG:
+ BIO_set_ktls_ctrl_msg_flag(b);
+ data->record_type = num;
@@ -244,8 +247,21 @@ index 807a82b23b..d478644280 100644
default:
ret = 0;
break;
+diff --git crypto/bio/bss_fd.c crypto/bio/bss_fd.c
+index ccbe1626ba..8d03e48ce9 100644
+--- crypto/bio/bss_fd.c
++++ crypto/bio/bss_fd.c
+@@ -189,7 +189,7 @@ static long fd_ctrl(BIO *b, int cmd, long num, void *ptr)
+ ret = 1;
+ break;
+ case BIO_CTRL_EOF:
+- ret = (b->flags & BIO_FLAGS_IN_EOF) != 0 ? 1 : 0;
++ ret = (b->flags & BIO_FLAGS_IN_EOF) != 0;
+ break;
+ default:
+ ret = 0;
diff --git crypto/bio/bss_sock.c crypto/bio/bss_sock.c
-index 6251f3d46a..a1fc23c7c9 100644
+index 6251f3d46a..8de1f58292 100644
--- crypto/bio/bss_sock.c
+++ crypto/bio/bss_sock.c
@@ -11,6 +11,7 @@
@@ -321,7 +337,7 @@ index 6251f3d46a..a1fc23c7c9 100644
switch (cmd) {
case BIO_C_SET_FD:
-@@ -153,6 +183,27 @@ static long sock_ctrl(BIO *b, int cmd, long num, void *ptr)
+@@ -153,8 +183,29 @@ static long sock_ctrl(BIO *b, int cmd, long num, void *ptr)
case BIO_CTRL_FLUSH:
ret = 1;
break;
@@ -333,9 +349,9 @@ index 6251f3d46a..a1fc23c7c9 100644
+ BIO_set_ktls_flag(b, num);
+ break;
+ case BIO_CTRL_GET_KTLS_SEND:
-+ return BIO_should_ktls_flag(b, 1);
++ return BIO_should_ktls_flag(b, 1) != 0;
+ case BIO_CTRL_GET_KTLS_RECV:
-+ return BIO_should_ktls_flag(b, 0);
++ return BIO_should_ktls_flag(b, 0) != 0;
+ case BIO_CTRL_SET_KTLS_TX_SEND_CTRL_MSG:
+ BIO_set_ktls_ctrl_msg_flag(b);
+ b->ptr = (void *)num;
@@ -347,8 +363,11 @@ index 6251f3d46a..a1fc23c7c9 100644
+ break;
+# endif
case BIO_CTRL_EOF:
- ret = (b->flags & BIO_FLAGS_IN_EOF) != 0 ? 1 : 0;
+- ret = (b->flags & BIO_FLAGS_IN_EOF) != 0 ? 1 : 0;
++ ret = (b->flags & BIO_FLAGS_IN_EOF) != 0;
break;
+ default:
+ ret = 0;
diff --git crypto/err/openssl.txt crypto/err/openssl.txt
index 7e1776375d..b22e8a735c 100644
--- crypto/err/openssl.txt
@@ -440,41 +459,55 @@ index 2e438c3ce9..31b18b2879 100644
=head1 COPYRIGHT
Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
-diff --git doc/man3/SSL_CTX_set_mode.pod doc/man3/SSL_CTX_set_mode.pod
-index 85e3353e0e..27eaebad1e 100644
---- doc/man3/SSL_CTX_set_mode.pod
-+++ doc/man3/SSL_CTX_set_mode.pod
-@@ -114,6 +114,22 @@ enables this behaviour to allow interoperability with such broken
- implementations. Please note that setting this option breaks interoperability
- with correct implementations. This option only applies to DTLS over SCTP.
-
-+=item SSL_MODE_NO_KTLS_TX
-+
-+Disable the use of the kernel TLS egress data-path.
-+By default kernel TLS is enabled if it is supported by the negotiated ciphersuites
-+and extensions and OpenSSL has been compiled with support for it.
-+The kernel TLS data-path implements the record layer,
-+and the crypto algorithm. The kernel will utilize the best hardware
-+available for crypto. Using the kernel data-path should reduce the memory
+diff --git doc/man3/SSL_CONF_cmd.pod doc/man3/SSL_CONF_cmd.pod
+index 900c4f3a56..a3f447a986 100644
+--- doc/man3/SSL_CONF_cmd.pod
++++ doc/man3/SSL_CONF_cmd.pod
+@@ -495,6 +495,10 @@ specification. Some applications may be able to mitigate the replay risks in
+ other ways and in such cases the built-in OpenSSL functionality is not required.
+ Disabling anti-replay is equivalent to setting B<SSL_OP_NO_ANTI_REPLAY>.
+
++B<KTLS>: Enables kernel TLS if support has been compiled in, and it is supported
++by the negotiated ciphersuites and extensions. Equivalent to
++B<SSL_OP_ENABLE_KTLS>.
++
+ =item B<VerifyMode>
+
+ The B<value> argument is a comma separated list of flags to set.
+diff --git doc/man3/SSL_CTX_set_options.pod doc/man3/SSL_CTX_set_options.pod
+index 969e0366c4..231fe92d8e 100644
+--- doc/man3/SSL_CTX_set_options.pod
++++ doc/man3/SSL_CTX_set_options.pod
+@@ -237,6 +237,29 @@ functionality is not required. Those applications can turn this feature off by
+ setting this option. This is a server-side opton only. It is ignored by
+ clients.
+
++=item SSL_OP_ENABLE_KTLS
++
++Enable the use of kernel TLS. In order to benefit from kernel TLS OpenSSL must
++have been compiled with support for it, and it must be supported by the
++negotiated ciphersuites and extensions. The specific ciphersuites and extensions
++that are supported may vary by platform and kernel version.
++
++The kernel TLS data-path implements the record layer, and the encryption
++algorithm. The kernel will utilize the best hardware
++available for encryption. Using the kernel data-path should reduce the memory
+footprint of OpenSSL because no buffering is required. Also, the throughput
+should improve because data copy is avoided when user data is encrypted into
-+kernel memory instead of the usual encrypt than copy to kernel.
++kernel memory instead of the usual encrypt then copy to kernel.
+
+Kernel TLS might not support all the features of OpenSSL. For instance,
+renegotiation, and setting the maximum fragment size is not possible as of
+Linux 4.20.
++
++Note that with kernel TLS enabled some cryptographic operations are performed
++by the kernel directly and not via any available OpenSSL Providers. This might
++be undesirable if, for example, the application requires all cryptographic
++operations to be performed by the FIPS provider.
+
=back
- All modes are off by default except for SSL_MODE_AUTO_RETRY which is on by
-@@ -134,6 +150,7 @@ L<SSL_write(3)>, L<SSL_get_error(3)>
- =head1 HISTORY
-
- SSL_MODE_ASYNC was added in OpenSSL 1.1.0.
-+SSL_MODE_NO_KTLS_TX was first added to OpenSSL 3.0.0.
-
- =head1 COPYRIGHT
-
+ The following options no longer have any effect but their identifiers are
diff --git doc/man3/SSL_CTX_set_record_padding_callback.pod doc/man3/SSL_CTX_set_record_padding_callback.pod
index 13e56f0c57..247a39fc03 100644
--- doc/man3/SSL_CTX_set_record_padding_callback.pod
@@ -666,10 +699,10 @@ index c343b27629..521b5fa219 100644
+#endif
diff --git include/internal/ktls.h include/internal/ktls.h
new file mode 100644
-index 0000000000..622d7be76d
+index 0000000000..5f9e3f91ed
--- /dev/null
+++ include/internal/ktls.h
-@@ -0,0 +1,400 @@
+@@ -0,0 +1,407 @@
+/*
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
@@ -710,12 +743,11 @@ index 0000000000..622d7be76d
+# define OPENSSL_KTLS_AES_GCM_128
+# define OPENSSL_KTLS_AES_GCM_256
+# define OPENSSL_KTLS_TLS13
-+
-+/*
-+ * Only used by the tests in sslapitest.c.
-+ */
-+# define TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE 8
-+# define TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE 8
++# ifdef TLS_CHACHA20_IV_LEN
++# ifndef OPENSSL_NO_CHACHA
++# define OPENSSL_KTLS_CHACHA20_POLY1305
++# endif
++# endif
+
+typedef struct tls_enable ktls_crypto_info_t;
+
@@ -891,6 +923,11 @@ index 0000000000..622d7be76d
+# define OPENSSL_KTLS_TLS13
+# if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 2, 0)
+# define OPENSSL_KTLS_AES_CCM_128
++# if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 11, 0)
++# ifndef OPENSSL_NO_CHACHA
++# define OPENSSL_KTLS_CHACHA20_POLY1305
++# endif
++# endif
+# endif
+# endif
+
@@ -924,6 +961,9 @@ index 0000000000..622d7be76d
+# ifdef OPENSSL_KTLS_AES_CCM_128
+ struct tls12_crypto_info_aes_ccm_128 ccm128;
+# endif
++# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
++ struct tls12_crypto_info_chacha20_poly1305 chacha20poly1305;
++# endif
+ };
+ size_t tls_crypto_info_len;
+};
@@ -1127,32 +1167,21 @@ index a411f3f2f9..60103707d2 100644
/* Padding modes */
#define EVP_PADDING_PKCS7 1
diff --git include/openssl/ssl.h include/openssl/ssl.h
-index fd0c5a9996..09620489bc 100644
+index fd0c5a9996..cfb87e6322 100644
--- include/openssl/ssl.h
+++ include/openssl/ssl.h
-@@ -493,6 +493,10 @@ typedef int (*SSL_verify_cb)(int preverify_ok, X509_STORE_CTX *x509_ctx);
- * Support Asynchronous operation
- */
- # define SSL_MODE_ASYNC 0x00000100U
-+/*
-+ * Don't use the kernel TLS data-path for sending.
-+ */
-+# define SSL_MODE_NO_KTLS_TX 0x00000200U
-
- /*
- * When using DTLS/SCTP, include the terminating zero in the label
-@@ -506,6 +510,10 @@ typedef int (*SSL_verify_cb)(int preverify_ok, X509_STORE_CTX *x509_ctx);
- * - OpenSSL 1.1.1 and 1.1.1a
- */
- # define SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG 0x00000400U
-+/*
-+ * Don't use the kernel TLS data-path for receiving.
-+ */
-+# define SSL_MODE_NO_KTLS_RX 0x00000800U
-
- /* Cert related flags */
- /*
-@@ -1837,6 +1845,8 @@ __owur int SSL_read_early_data(SSL *s, void *buf, size_t num,
+@@ -303,7 +303,9 @@ typedef int (*SSL_verify_cb)(int preverify_ok, X509_STORE_CTX *x509_ctx);
+ /* Allow initial connection to servers that don't support RI */
+ # define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004U
+
+-/* Reserved value (until OpenSSL 1.2.0) 0x00000008U */
++/* Enable support for Kernel TLS */
++# define SSL_OP_ENABLE_KTLS 0x00000008U
++
+ # define SSL_OP_TLSEXT_PADDING 0x00000010U
+ /* Reserved value (until OpenSSL 1.2.0) 0x00000020U */
+ # define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x00000040U
+@@ -1837,6 +1839,8 @@ __owur int SSL_read_early_data(SSL *s, void *buf, size_t num,
size_t *readbytes);
__owur int SSL_peek(SSL *ssl, void *buf, int num);
__owur int SSL_peek_ex(SSL *ssl, void *buf, size_t num, size_t *readbytes);
@@ -1161,7 +1190,7 @@ index fd0c5a9996..09620489bc 100644
__owur int SSL_write(SSL *ssl, const void *buf, int num);
__owur int SSL_write_ex(SSL *s, const void *buf, size_t num, size_t *written);
__owur int SSL_write_early_data(SSL *s, const void *buf, size_t num,
-@@ -2123,7 +2133,7 @@ void SSL_CTX_set_record_padding_callback_arg(SSL_CTX *ctx, void *arg);
+@@ -2123,7 +2127,7 @@ void SSL_CTX_set_record_padding_callback_arg(SSL_CTX *ctx, void *arg);
void *SSL_CTX_get_record_padding_callback_arg(const SSL_CTX *ctx);
int SSL_CTX_set_block_padding(SSL_CTX *ctx, size_t block_size);
@@ -1202,10 +1231,10 @@ index bb2f1deb53..1c49ac9aee 100644
+ENDIF
diff --git ssl/ktls.c ssl/ktls.c
new file mode 100644
-index 0000000000..7123ecac00
+index 0000000000..c7a440b79b
--- /dev/null
+++ ssl/ktls.c
-@@ -0,0 +1,221 @@
+@@ -0,0 +1,251 @@
+/*
+ * Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
@@ -1245,6 +1274,10 @@ index 0000000000..7123ecac00
+ case SSL_AES128GCM:
+ case SSL_AES256GCM:
+ return 1;
++# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
++ case SSL_CHACHA20POLY1305:
++ return 1;
++# endif
+ case SSL_AES128:
+ case SSL_AES256:
+ if (s->ext.use_etm)
@@ -1279,6 +1312,12 @@ index 0000000000..7123ecac00
+ else
+ crypto_info->iv_len = EVP_GCM_TLS_FIXED_IV_LEN;
+ break;
++# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
++ case SSL_CHACHA20POLY1305:
++ crypto_info->cipher_algorithm = CRYPTO_CHACHA20_POLY1305;
++ crypto_info->iv_len = EVP_CIPHER_CTX_iv_length(dd);
++ break;
++# endif
+ case SSL_AES128:
+ case SSL_AES256:
+ switch (s->s3->tmp.new_cipher->algorithm_mac) {
@@ -1334,7 +1373,9 @@ index 0000000000..7123ecac00
+ return 0;
+ }
+
-+ /* check that cipher is AES_GCM_128, AES_GCM_256, AES_CCM_128 */
++ /* check that cipher is AES_GCM_128, AES_GCM_256, AES_CCM_128
++ * or Chacha20-Poly1305
++ */
+ switch (EVP_CIPHER_nid(c))
+ {
+# ifdef OPENSSL_KTLS_AES_CCM_128
@@ -1343,11 +1384,15 @@ index 0000000000..7123ecac00
+ return 0;
+# endif
+# ifdef OPENSSL_KTLS_AES_GCM_128
++ /* Fall through */
+ case NID_aes_128_gcm:
+# endif
+# ifdef OPENSSL_KTLS_AES_GCM_256
+ case NID_aes_256_gcm:
+# endif
++# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
++ case NID_chacha20_poly1305:
++# endif
+ return 1;
+ default:
+ return 0;
@@ -1420,6 +1465,20 @@ index 0000000000..7123ecac00
+ *rec_seq = crypto_info->ccm128.rec_seq;
+ return 1;
+# endif
++# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
++ case NID_chacha20_poly1305:
++ crypto_info->chacha20poly1305.info.cipher_type = TLS_CIPHER_CHACHA20_POLY1305;
++ crypto_info->chacha20poly1305.info.version = s->version;
++ crypto_info->tls_crypto_info_len = sizeof(crypto_info->chacha20poly1305);
++ memcpy(crypto_info->chacha20poly1305.iv, iiv,
++ TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE);
++ memcpy(crypto_info->chacha20poly1305.key, key, EVP_CIPHER_key_length(c));
++ memcpy(crypto_info->chacha20poly1305.rec_seq, rl_sequence,
++ TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE);
++ if (rec_seq != NULL)
++ *rec_seq = crypto_info->chacha20poly1305.rec_seq;
++ return 1;
++# endif
+ default:
+ return 0;
+ }
@@ -1567,21 +1626,21 @@ index b2a7a47eb0..f53c402006 100644
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE,
ERR_R_INTERNAL_ERROR);
goto err;
-- }
--
-- /* Get a pointer to the start of this record excluding header */
-- recordstart = WPACKET_get_curr(thispkt) - len;
+ }
-
-- SSL3_RECORD_set_data(thiswr, recordstart);
-- SSL3_RECORD_reset_input(thiswr);
-- SSL3_RECORD_set_length(thiswr, len);
++
+ /* Get a pointer to the start of this record excluding header */
+ recordstart = WPACKET_get_curr(thispkt) - len;
+ SSL3_RECORD_set_data(thiswr, recordstart);
+ SSL3_RECORD_reset_input(thiswr);
+ SSL3_RECORD_set_length(thiswr, len);
-+ }
+ }
+-
+- /* Get a pointer to the start of this record excluding header */
+- recordstart = WPACKET_get_curr(thispkt) - len;
+-
+- SSL3_RECORD_set_data(thiswr, recordstart);
+- SSL3_RECORD_reset_input(thiswr);
+- SSL3_RECORD_set_length(thiswr, len);
}
if (s->statem.enc_write_state == ENC_WRITE_STATE_WRITE_PLAIN_ALERTS) {
@@ -1890,6 +1949,20 @@ index ab5d22aa10..3d747db64b 100644
SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD,
SSL_R_DATA_LENGTH_TOO_LONG);
return -1;
+diff --git ssl/ssl_conf.c ssl/ssl_conf.c
+index 0a3fef7c8c..8013c62f07 100644
+--- ssl/ssl_conf.c
++++ ssl/ssl_conf.c
+@@ -391,7 +391,8 @@ static int cmd_Options(SSL_CONF_CTX *cctx, const char *value)
+ SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX),
+ SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA),
+ SSL_FLAG_TBL("MiddleboxCompat", SSL_OP_ENABLE_MIDDLEBOX_COMPAT),
+- SSL_FLAG_TBL_INV("AntiReplay", SSL_OP_NO_ANTI_REPLAY)
++ SSL_FLAG_TBL_INV("AntiReplay", SSL_OP_NO_ANTI_REPLAY),
++ SSL_FLAG_TBL("KTLS", SSL_OP_ENABLE_KTLS)
+ };
+ if (value == NULL)
+ return -3;
diff --git ssl/ssl_err.c ssl/ssl_err.c
index 4b12ed1485..0561678c33 100644
--- ssl/ssl_err.c
@@ -1903,7 +1976,7 @@ index 4b12ed1485..0561678c33 100644
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SESSION_NEW, 0), "SSL_SESSION_new"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SESSION_PRINT_FP, 0),
diff --git ssl/ssl_lib.c ssl/ssl_lib.c
-index 98057921f8..382f4b6d7b 100644
+index 58f8f3c14c..3fc6549c80 100644
--- ssl/ssl_lib.c
+++ ssl/ssl_lib.c
@@ -11,6 +11,7 @@
@@ -1922,7 +1995,7 @@ index 98057921f8..382f4b6d7b 100644
const char SSL_version_str[] = OPENSSL_VERSION_TEXT;
-@@ -1153,11 +1155,15 @@ void SSL_free(SSL *s)
+@@ -1159,11 +1161,15 @@ void SSL_free(SSL *s)
dane_final(&s->dane);
CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
@@ -1938,7 +2011,7 @@ index 98057921f8..382f4b6d7b 100644
BUF_MEM_free(s->init_buf);
-@@ -1214,8 +1220,6 @@ void SSL_free(SSL *s)
+@@ -1220,8 +1226,6 @@ void SSL_free(SSL *s)
if (s->method != NULL)
s->method->ssl_free(s);
@@ -1947,7 +2020,7 @@ index 98057921f8..382f4b6d7b 100644
SSL_CTX_free(s->ctx);
ASYNC_WAIT_CTX_free(s->waitctx);
-@@ -1355,6 +1359,15 @@ int SSL_set_fd(SSL *s, int fd)
+@@ -1361,6 +1365,15 @@ int SSL_set_fd(SSL *s, int fd)
}
BIO_set_fd(bio, fd, BIO_NOCLOSE);
SSL_set_bio(s, bio, bio);
@@ -1963,7 +2036,7 @@ index 98057921f8..382f4b6d7b 100644
ret = 1;
err:
return ret;
-@@ -1374,6 +1387,15 @@ int SSL_set_wfd(SSL *s, int fd)
+@@ -1380,6 +1393,15 @@ int SSL_set_wfd(SSL *s, int fd)
}
BIO_set_fd(bio, fd, BIO_NOCLOSE);
SSL_set0_wbio(s, bio);
@@ -1979,7 +2052,7 @@ index 98057921f8..382f4b6d7b 100644
} else {
BIO_up_ref(rbio);
SSL_set0_wbio(s, rbio);
-@@ -1955,6 +1977,69 @@ int ssl_write_internal(SSL *s, const void *buf, size_t num, size_t *written)
+@@ -1961,6 +1983,69 @@ int ssl_write_internal(SSL *s, const void *buf, size_t num, size_t *written)
}
}
@@ -2049,7 +2122,7 @@ index 98057921f8..382f4b6d7b 100644
int SSL_write(SSL *s, const void *buf, int num)
{
int ret;
-@@ -2199,6 +2284,10 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
+@@ -2205,6 +2290,10 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH)
return 0;
@@ -2060,7 +2133,7 @@ index 98057921f8..382f4b6d7b 100644
s->max_send_fragment = larg;
if (s->max_send_fragment < s->split_send_fragment)
s->split_send_fragment = s->max_send_fragment;
-@@ -4417,11 +4506,18 @@ int SSL_CTX_set_block_padding(SSL_CTX *ctx, size_t block_size)
+@@ -4425,11 +4514,18 @@ int SSL_CTX_set_block_padding(SSL_CTX *ctx, size_t block_size)
return 1;
}
@@ -2113,7 +2186,7 @@ index 8c3542a542..c10e7d52ce 100644
__owur char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx);
__owur int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
diff --git ssl/t1_enc.c ssl/t1_enc.c
-index c85c0b0310..d461421068 100644
+index c85c0b0310..7d2eb381af 100644
--- ssl/t1_enc.c
+++ ssl/t1_enc.c
@@ -10,10 +10,14 @@
@@ -2190,16 +2263,12 @@ index c85c0b0310..d461421068 100644
c = s->s3->tmp.new_sym_enc;
m = s->s3->tmp.new_hash;
-@@ -312,6 +361,85 @@ int tls1_change_cipher_state(SSL *s, int which)
+@@ -312,6 +361,81 @@ int tls1_change_cipher_state(SSL *s, int which)
ERR_R_INTERNAL_ERROR);
goto err;
}
+#ifndef OPENSSL_NO_KTLS
-+ if (s->compress)
-+ goto skip_ktls;
-+
-+ if (((which & SSL3_CC_READ) && (s->mode & SSL_MODE_NO_KTLS_RX))
-+ || ((which & SSL3_CC_WRITE) && (s->mode & SSL_MODE_NO_KTLS_TX)))
++ if (s->compress || (s->options & SSL_OP_ENABLE_KTLS) == 0)
+ goto skip_ktls;
+
+ /* ktls supports only the maximum fragment size */
@@ -2277,7 +2346,7 @@ index c85c0b0310..d461421068 100644
#ifdef SSL_DEBUG
diff --git ssl/tls13_enc.c ssl/tls13_enc.c
-index b8fb07f210..d9f050ee34 100644
+index b8fb07f210..39530237d8 100644
--- ssl/tls13_enc.c
+++ ssl/tls13_enc.c
@@ -9,6 +9,8 @@
@@ -2386,14 +2455,15 @@ index b8fb07f210..d9f050ee34 100644
/* SSLfatal() already called */
goto err;
}
-@@ -714,8 +722,51 @@ int tls13_change_cipher_state(SSL *s, int which)
+@@ -714,8 +722,52 @@ int tls13_change_cipher_state(SSL *s, int which)
s->statem.enc_write_state = ENC_WRITE_STATE_WRITE_PLAIN_ALERTS;
else
s->statem.enc_write_state = ENC_WRITE_STATE_VALID;
+#ifndef OPENSSL_NO_KTLS
+# if defined(OPENSSL_KTLS_TLS13)
-+ if (!(which & SSL3_CC_WRITE) || !(which & SSL3_CC_APPLICATION)
-+ || ((which & SSL3_CC_WRITE) && (s->mode & SSL_MODE_NO_KTLS_TX)))
++ if (!(which & SSL3_CC_WRITE)
++ || !(which & SSL3_CC_APPLICATION)
++ || (s->options & SSL_OP_ENABLE_KTLS) == 0)
+ goto skip_ktls;
+
+ /* ktls supports only the maximum fragment size */
@@ -2438,7 +2508,7 @@ index b8fb07f210..d9f050ee34 100644
OPENSSL_cleanse(secret, sizeof(secret));
return ret;
}
-@@ -729,6 +780,7 @@ int tls13_update_key(SSL *s, int sending)
+@@ -729,6 +781,7 @@ int tls13_update_key(SSL *s, int sending)
#endif
const EVP_MD *md = ssl_handshake_md(s);
size_t hashlen = EVP_MD_size(md);
@@ -2446,7 +2516,7 @@ index b8fb07f210..d9f050ee34 100644
unsigned char *insecret, *iv;
unsigned char secret[EVP_MAX_MD_SIZE];
EVP_CIPHER_CTX *ciph_ctx;
-@@ -753,8 +805,8 @@ int tls13_update_key(SSL *s, int sending)
+@@ -753,8 +806,8 @@ int tls13_update_key(SSL *s, int sending)
if (!derive_secret_key_and_iv(s, sending, ssl_handshake_md(s),
s->s3->tmp.new_sym_enc, insecret, NULL,
application_traffic,
@@ -2457,7 +2527,7 @@ index b8fb07f210..d9f050ee34 100644
/* SSLfatal() already called */
goto err;
}
-@@ -764,6 +816,7 @@ int tls13_update_key(SSL *s, int sending)
+@@ -764,6 +817,7 @@ int tls13_update_key(SSL *s, int sending)
s->statem.enc_write_state = ENC_WRITE_STATE_VALID;
ret = 1;
err:
@@ -2492,7 +2562,7 @@ index 5490885309..3478e540ed 100644
plan tests => 1;
diff --git test/sslapitest.c test/sslapitest.c
-index 4a27ee1ba2..f846bcb4ee 100644
+index 4a27ee1ba2..1388219551 100644
--- test/sslapitest.c
+++ test/sslapitest.c
@@ -7,6 +7,7 @@
@@ -2517,13 +2587,12 @@ index 4a27ee1ba2..f846bcb4ee 100644
#include "../ssl/ssl_local.h"
#ifndef OPENSSL_NO_TLS1_3
-@@ -779,6 +782,409 @@ static int execute_test_large_message(const SSL_METHOD *smeth,
+@@ -779,6 +782,433 @@ static int execute_test_large_message(const SSL_METHOD *smeth,
return testresult;
}
+#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
+ !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
-+#define TLS_CIPHER_MAX_REC_SEQ_SIZE 8
+/* sock must be connected */
+static int ktls_chk_platform(int sock)
+{
@@ -2532,26 +2601,26 @@ index 4a27ee1ba2..f846bcb4ee 100644
+ return 1;
+}
+
-+static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd, int rec_seq_size)
++static int ping_pong_query(SSL *clientssl, SSL *serverssl)
+{
+ static char count = 1;
+ unsigned char cbuf[16000] = {0};
+ unsigned char sbuf[16000];
+ size_t err = 0;
-+ char crec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
-+ char crec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
-+ char crec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
-+ char crec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
-+ char srec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
-+ char srec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
-+ char srec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
-+ char srec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
++ char crec_wseq_before[SEQ_NUM_SIZE];
++ char crec_wseq_after[SEQ_NUM_SIZE];
++ char crec_rseq_before[SEQ_NUM_SIZE];
++ char crec_rseq_after[SEQ_NUM_SIZE];
++ char srec_wseq_before[SEQ_NUM_SIZE];
++ char srec_wseq_after[SEQ_NUM_SIZE];
++ char srec_rseq_before[SEQ_NUM_SIZE];
++ char srec_rseq_after[SEQ_NUM_SIZE];
+
+ cbuf[0] = count++;
-+ memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, rec_seq_size);
-+ memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, rec_seq_size);
-+ memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, rec_seq_size);
-+ memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, rec_seq_size);
++ memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
++ memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
++ memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
++ memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
+
+ if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
+ goto end;
@@ -2571,53 +2640,56 @@ index 4a27ee1ba2..f846bcb4ee 100644
+ }
+ }
+
-+ memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, rec_seq_size);
-+ memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, rec_seq_size);
-+ memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, rec_seq_size);
-+ memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, rec_seq_size);
++ memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
++ memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
++ memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
++ memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
+
+ /* verify the payload */
+ if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
+ goto end;
+
-+ /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
-+ if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
-+ if (!TEST_mem_ne(crec_wseq_before, rec_seq_size,
-+ crec_wseq_after, rec_seq_size))
++ /*
++ * If ktls is used then kernel sequences are used instead of
++ * OpenSSL sequences
++ */
++ if (!BIO_get_ktls_send(clientssl->wbio)) {
++ if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
++ crec_wseq_after, SEQ_NUM_SIZE))
+ goto end;
+ } else {
-+ if (!TEST_mem_eq(crec_wseq_before, rec_seq_size,
-+ crec_wseq_after, rec_seq_size))
++ if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
++ crec_wseq_after, SEQ_NUM_SIZE))
+ goto end;
+ }
+
-+ if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
-+ if (!TEST_mem_ne(srec_wseq_before, rec_seq_size,
-+ srec_wseq_after, rec_seq_size))
++ if (!BIO_get_ktls_send(serverssl->wbio)) {
++ if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
++ srec_wseq_after, SEQ_NUM_SIZE))
+ goto end;
+ } else {
-+ if (!TEST_mem_eq(srec_wseq_before, rec_seq_size,
-+ srec_wseq_after, rec_seq_size))
++ if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
++ srec_wseq_after, SEQ_NUM_SIZE))
+ goto end;
+ }
+
-+ if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
-+ if (!TEST_mem_ne(crec_rseq_before, rec_seq_size,
-+ crec_rseq_after, rec_seq_size))
++ if (!BIO_get_ktls_recv(clientssl->wbio)) {
++ if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
++ crec_rseq_after, SEQ_NUM_SIZE))
+ goto end;
+ } else {
-+ if (!TEST_mem_eq(crec_rseq_before, rec_seq_size,
-+ crec_rseq_after, rec_seq_size))
++ if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
++ crec_rseq_after, SEQ_NUM_SIZE))
+ goto end;
+ }
+
-+ if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
-+ if (!TEST_mem_ne(srec_rseq_before, rec_seq_size,
-+ srec_rseq_after, rec_seq_size))
++ if (!BIO_get_ktls_recv(serverssl->wbio)) {
++ if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
++ srec_rseq_after, SEQ_NUM_SIZE))
+ goto end;
+ } else {
-+ if (!TEST_mem_eq(srec_rseq_before, rec_seq_size,
-+ srec_rseq_after, rec_seq_size))
++ if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
++ srec_rseq_after, SEQ_NUM_SIZE))
+ goto end;
+ }
+
@@ -2626,92 +2698,110 @@ index 4a27ee1ba2..f846bcb4ee 100644
+ return 0;
+}
+
-+static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
-+ int sis_ktls_tx, int sis_ktls_rx,
-+ int tls_version, const char *cipher,
-+ int rec_seq_size)
++static int execute_test_ktls(int cis_ktls, int sis_ktls,
++ int tls_version, const char *cipher)
+{
+ SSL_CTX *cctx = NULL, *sctx = NULL;
+ SSL *clientssl = NULL, *serverssl = NULL;
-+ int testresult = 0;
-+ int cfd, sfd;
++ int ktls_used = 0, testresult = 0;
++ int cfd = -1, sfd = -1;
++ int rx_supported;
+
+ if (!TEST_true(create_test_sockets(&cfd, &sfd)))
+ goto end;
+
+ /* Skip this test if the platform does not support ktls */
-+ if (!ktls_chk_platform(cfd))
-+ return 1;
++ if (!ktls_chk_platform(cfd)) {
++ TEST_info("Kernel does not support KTLS");
++ testresult = 1;
++ goto end;
++ }
+
+ /* Create a session based on SHA-256 */
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ TLS_client_method(),
+ tls_version, tls_version,
-+ &sctx, &cctx, cert, privkey))
-+ || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
-+ || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher))
-+ || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
-+ &clientssl, sfd, cfd)))
++ &sctx, &cctx, cert, privkey)))
+ goto end;
+
-+ if (!cis_ktls_tx) {
-+ if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
++ if (tls_version == TLS1_3_VERSION) {
++ if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
++ || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
+ goto end;
-+ }
-+
-+ if (!sis_ktls_tx) {
-+ if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
++ } else {
++ if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
++ || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
+ goto end;
+ }
+
-+ if (!cis_ktls_rx) {
-+ if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX)))
++ if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
++ &clientssl, sfd, cfd)))
++ goto end;
++
++ if (cis_ktls) {
++ if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
+ goto end;
+ }
+
-+ if (!sis_ktls_rx) {
-+ if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX)))
++ if (sis_ktls) {
++ if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
+ goto end;
+ }
+
-+ if (!TEST_true(create_ssl_connection(serverssl, clientssl,
-+ SSL_ERROR_NONE)))
++ if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
+ goto end;
+
-+ if (!cis_ktls_tx) {
++ /*
++ * The running kernel may not support a given cipher suite
++ * or direction, so just check that KTLS isn't used when it
++ * isn't enabled.
++ */
++ if (!cis_ktls) {
+ if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
+ goto end;
+ } else {
-+ if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
-+ goto end;
++ if (BIO_get_ktls_send(clientssl->wbio))
++ ktls_used = 1;
+ }
+
-+ if (!sis_ktls_tx) {
++ if (!sis_ktls) {
+ if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
+ goto end;
+ } else {
-+ if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
-+ goto end;
++ if (BIO_get_ktls_send(serverssl->wbio))
++ ktls_used = 1;
+ }
+
-+ if (!cis_ktls_rx) {
++#if defined(OPENSSL_NO_KTLS_RX)
++ rx_supported = 0;
++#else
++ rx_supported = (tls_version != TLS1_3_VERSION);
++#endif
++ if (!cis_ktls || !rx_supported) {
+ if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
+ goto end;
+ } else {
-+ if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
-+ goto end;
++ if (BIO_get_ktls_send(clientssl->rbio))
++ ktls_used = 1;
+ }
+
-+ if (!sis_ktls_rx) {
++ if (!sis_ktls || !rx_supported) {
+ if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
+ goto end;
+ } else {
-+ if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
-+ goto end;
++ if (BIO_get_ktls_send(serverssl->rbio))
++ ktls_used = 1;
+ }
+
-+ if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd,
-+ rec_seq_size)))
++ if ((cis_ktls || sis_ktls) && !ktls_used) {
++ TEST_info("KTLS not supported for %s cipher %s",
++ tls_version == TLS1_3_VERSION ? "TLS 1.3" :
++ "TLS 1.2", cipher);
++ testresult = 1;
++ goto end;
++ }
++
++ if (!TEST_true(ping_pong_query(clientssl, serverssl)))
+ goto end;
+
+ testresult = 1;
@@ -2727,6 +2817,10 @@ index 4a27ee1ba2..f846bcb4ee 100644
+ SSL_CTX_free(sctx);
+ SSL_CTX_free(cctx);
+ serverssl = clientssl = NULL;
++ if (cfd != -1)
++ close(cfd);
++ if (sfd != -1)
++ close(sfd);
+ return testresult;
+}
+
@@ -2734,13 +2828,13 @@ index 4a27ee1ba2..f846bcb4ee 100644
+#define SENDFILE_CHUNK (4 * 4096)
+#define min(a,b) ((a) > (b) ? (b) : (a))
+
-+static int test_ktls_sendfile(int tls_version, const char *cipher)
++static int execute_test_ktls_sendfile(int tls_version, const char *cipher)
+{
+ SSL_CTX *cctx = NULL, *sctx = NULL;
+ SSL *clientssl = NULL, *serverssl = NULL;
+ unsigned char *buf, *buf_dst;
+ BIO *out = NULL, *in = NULL;
-+ int cfd, sfd, ffd, err;
++ int cfd = -1, sfd = -1, ffd, err;
+ ssize_t chunk_size = 0;
+ off_t chunk_off = 0;
+ int testresult = 0;
@@ -2754,6 +2848,7 @@ index 4a27ee1ba2..f846bcb4ee 100644
+
+ /* Skip this test if the platform does not support ktls */
+ if (!ktls_chk_platform(sfd)) {
++ TEST_info("Kernel does not support KTLS");
+ testresult = 1;
+ goto end;
+ }
@@ -2762,19 +2857,40 @@ index 4a27ee1ba2..f846bcb4ee 100644
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ TLS_client_method(),
+ tls_version, tls_version,
-+ &sctx, &cctx, cert, privkey))
-+ || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
-+ || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher))
-+ || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
-+ &clientssl, sfd, cfd)))
++ &sctx, &cctx, cert, privkey)))
++ goto end;
++
++ if (tls_version == TLS1_3_VERSION) {
++ if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
++ || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
++ goto end;
++ } else {
++ if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
++ || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
++ goto end;
++ }
++
++ if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
++ &clientssl, sfd, cfd)))
*** 284 LINES SKIPPED ***
More information about the dev-commits-ports-main
mailing list