Also add comment to the public header to avoid
making another conflict in future.
Reviewed by: jkim
Obtained from: OpenSSL commit 5d4975ecd88ac17d0749513a8fac9a7c7befd900
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D34135
(cherry picked from commit aa72082549)
FreeBSD's kernel TLS supports Chacha20 for both TLS 1.2 and TLS 1.3.
NB: This commit has not yet been merged upstream as it is deemed a new
feature and did not make the feature freeze cutoff for OpenSSL 3.0.
Reviewed by: jkim
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D31443
(cherry picked from commit 6372fd253e)
Most of this upstream commit touched tests not included in the
vendor import. The one change merged in is to remove a constant
only present in an internal header to appease the older tests.
Reviewed by: jkim
Obtained from: OpenSSL (e1fdd5262e4a45ce3aaa631768e877ee7b6da21b)
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D31442
(cherry picked from commit d6e78ecb0b)
It has always been the case that KTLS is not compiled by default. However
if it is compiled then it was automatically used unless specifically
configured not to. This is problematic because it avoids any crypto
implementations from providers. A user who configures all crypto to use
the FIPS provider may unexpectedly find that TLS related crypto is actually
being performed outside of the FIPS boundary.
Instead we change KTLS so that it is disabled by default.
We also swap to using a single "option" (i.e. SSL_OP_ENABLE_KTLS) rather
than two separate "modes", (i.e. SSL_MODE_NO_KTLS_RX and
SSL_MODE_NO_KTLS_TX).
Reviewed by: jkim
Obtained from: OpenSSL (a3a54179b6754fbed6d88e434baac710a83aaf80)
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D31440
(cherry picked from commit 62ca9fc1ad)
Linux kernel is going to support ChaCha20-Poly1305 in TLS offload.
Add support for this cipher.
Reviewed by: jkim
Obtained from: OpenSSL (3aa7212e0a4fd1533c8a28b8587dd8b022f3a66f)
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D31439
(cherry picked from commit 63c6d3e283)
Add a handler for EBUSY sendfile error in addition to
EAGAIN. With EBUSY returned the data still can be partially
sent and user code has to be notified about it, otherwise it
may try to send data multiple times.
PR: 251969
Obtained from: OpenSSL (dfcfd17f2818cf520ce6381aed9ec3d2fc12170d)
Sponsored by: Netflix (merging to FreeBSD)
(cherry picked from commit 9b2f020c14)
This merges upstream patches from OpenSSL's master branch to add
KTLS infrastructure for TLS 1.0-1.3 including both RX and TX
offload and SSL_sendfile support on both Linux and FreeBSD.
Note that TLS 1.3 only supports TX offload.
A new WITH/WITHOUT_OPENSSL_KTLS determines if OpenSSL is built with
KTLS support. It defaults to enabled on amd64 and disabled on all
other architectures.
Sponsored by: Netflix
(cherry picked from commit aa906e2a49)
OpenSSL commit 3db2c9f3:
Complain if we are attempting to encode with an invalid ASN.1 template
OpenSSL commit 43a7033:
Check that multi-strings/CHOICE types don't use implicit tagging
OpenSSL commit f960d812:
Correctly compare EdiPartyName in GENERAL_NAME_cmp()
Obtained from: OpenSSL 3db2c9f3, 43a7033, f960d812
Security: CVE-2020-1971
