public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
To: git-commits@fedoraproject.org
Subject: [rpms/openssl] rebase_40beta: Rebasing OpenSSL to 3.2.4
Date: Tue, 09 Jun 2026 12:45:28 GMT [thread overview]
Message-ID: <178100912874.1.5761947699493159853.rpms-openssl-b573e5f6bf53@fedoraproject.org> (raw)
A new commit has been pushed.
Repo : rpms/openssl
Branch : rebase_40beta
Commit : b573e5f6bf53a2fcad07b3a6f52675d3bef34e3d
Author : Dmitry Belyavskiy <dbelyavs@redhat.com>
Date : 2025-02-12T17:22:26+01:00
Stats : +36/-2331 in 21 file(s)
URL : https://src.fedoraproject.org/rpms/openssl/c/b573e5f6bf53a2fcad07b3a6f52675d3bef34e3d?branch=rebase_40beta
Log:
Rebasing OpenSSL to 3.2.4
Resolves: CVE-2024-12797
---
diff --git a/.gitignore b/.gitignore
index 31ec31d..144f98f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -62,3 +62,4 @@ openssl-1.0.0a-usa.tar.bz2
/openssl-3.1.4.tar.gz
/openssl-3.2.1.tar.gz
/openssl-3.2.2.tar.gz
+/openssl-3.2.4.tar.gz
diff --git a/0034.fipsinstall_disable.patch b/0034.fipsinstall_disable.patch
index f1d7b27..2c3f5cf 100644
--- a/0034.fipsinstall_disable.patch
+++ b/0034.fipsinstall_disable.patch
@@ -312,7 +312,7 @@ index b1768b7f91..b6b00e27d8 100644
+Please consult Red Hat Enterprise Linux documentation to learn how to correctly
+enable FIPS mode on Red Hat Enterprise
- =head1 COPYRIGHT
+ =head1 HISTORY
diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod
index d9c22a580f..d5ec3b9a6a 100644
diff --git a/0045-FIPS-services-minimize.patch b/0045-FIPS-services-minimize.patch
index 117e6b2..89b2d57 100644
--- a/0045-FIPS-services-minimize.patch
+++ b/0045-FIPS-services-minimize.patch
@@ -349,8 +349,8 @@ index b53b7b715b..885e49a47c 100644
ADD_TEST_SUITE(EC);
ADD_TEST_SUITE_PARAMS(EC);
@@ -1443,10 +1445,12 @@ int setup_tests(void)
- ADD_TEST_SUITE(ECExplicitTri2G);
- ADD_TEST_SUITE_LEGACY(ECExplicitTri2G);
+ ADD_TEST_SUITE(SM2);
+ }
# endif
+ if (is_fips == 0) {
ADD_TEST_SUITE(ED25519);
diff --git a/0085-FIPS-RSA-disable-shake.patch b/0085-FIPS-RSA-disable-shake.patch
index 9ae7a99..0c1815b 100644
--- a/0085-FIPS-RSA-disable-shake.patch
+++ b/0085-FIPS-RSA-disable-shake.patch
@@ -61,7 +61,7 @@ index b2f7f7dc4b..af2b0b026c 100644
+
mdlen = EVP_MD_get_size(md);
- if (tlen <= 0 || flen <= 0)
+ if (tlen <= 0 || flen <= 0 || mdlen <= 0)
diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c
index bb46ec64c7..c0fdf232da 100644
--- a/crypto/rsa/rsa_pss.c
diff --git a/0091-FIPS-RSA-encapsulate.patch b/0091-FIPS-RSA-encapsulate.patch
index 69c8546..0e7c754 100644
--- a/0091-FIPS-RSA-encapsulate.patch
+++ b/0091-FIPS-RSA-encapsulate.patch
@@ -13,9 +13,9 @@ diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations
index 365ae3d7d6..8a6f585d0b 100644
--- a/providers/implementations/kem/rsa_kem.c
+++ b/providers/implementations/kem/rsa_kem.c
-@@ -265,6 +265,14 @@ static int rsasve_generate(PROV_RSA_CTX *prsactx,
- *secretlen = nlen;
- return 1;
+@@ -265,6 +265,13 @@ static int rsasve_generate(PROV_RSA_CTX *prsactx,
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_OUTPUT_LENGTH);
+ return 0;
}
+
+#ifdef FIPS_MODULE
@@ -24,10 +24,9 @@ index 365ae3d7d6..8a6f585d0b 100644
+ return 0;
+ }
+#endif
-+
+
/*
* Step (2): Generate a random byte string z of nlen bytes where
- * 1 < z < n - 1
@@ -308,6 +316,13 @@ static int rsasve_recover(PROV_RSA_CTX *prsactx,
return 1;
}
@@ -39,9 +38,9 @@ index 365ae3d7d6..8a6f585d0b 100644
+ }
+#endif
+
- /* Step (2): check the input ciphertext 'inlen' matches the nlen */
- if (inlen != nlen) {
- ERR_raise(ERR_LIB_PROV, PROV_R_BAD_LENGTH);
+ /*
+ * Step (2): check the input ciphertext 'inlen' matches the nlen
+ * and that outlen is at least nlen bytes
--
2.41.0
diff --git a/0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch b/0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
index c92d417..48d8359 100644
--- a/0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
+++ b/0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
@@ -299,18 +299,18 @@ index 2a459856f0..afac836fa3 100644
--- a/test/recipes/80-test_cms.t
+++ b/test/recipes/80-test_cms.t
@@ -627,10 +627,10 @@ my @smime_cms_param_tests = (
- ],
-
- [ "enveloped content test streaming S/MIME format, X9.42 DH",
-- [ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
-+ [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
- "-stream", "-out", "{output}.cms",
- "-recip", catfile($smdir, "smdh.pem"), "-aes128" ],
-- [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"),
-+ [ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"),
- "-in", "{output}.cms", "-out", "{output}.txt" ],
- \&final_compare
- ]
+ # Only SHA1 supported in dh_cms_encrypt()
+ push(@smime_cms_param_tests,
+ [ "enveloped content test streaming S/MIME format, X9.42 DH",
+- [ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
++ [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
+ "-stream", "-out", "{output}.cms",
+ "-recip", catfile($smdir, "smdh.pem"), "-aes128" ],
+- [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"),
++ [ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"),
+ "-in", "{output}.cms", "-out", "{output}.txt" ],
+ \&final_compare
+ ]
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
index 527abcea6e..e1d38b1e62 100644
--- a/test/recipes/80-test_ssl_old.t
diff --git a/0123-kdf-Preserve-backward-compatibility-with-older-provi.patch b/0123-kdf-Preserve-backward-compatibility-with-older-provi.patch
deleted file mode 100644
index 85f97c6..0000000
--- a/0123-kdf-Preserve-backward-compatibility-with-older-provi.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From a4daab0c29bce044d385bdeada177a88c32cba4c Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tomas@openssl.org>
-Date: Mon, 17 Jun 2024 16:48:26 +0200
-Subject: [PATCH] Fix regression of EVP_PKEY_CTX_add1_hkdf_info() with older
- providers
-
-If there is no get_ctx_params() implemented in the key exchange
-provider implementation the fallback will not work. Instead
-check the gettable_ctx_params() to see if the fallback should be
-performed.
-
-Fixes #24611
-
-Reviewed-by: Paul Dale <ppzgs1@gmail.com>
-Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
-(Merged from https://github.com/openssl/openssl/pull/24661)
-
-(cherry picked from commit 663dbc9c9c897392a9f9d18aa9a8400ca024dc5d)
----
- crypto/evp/pmeth_lib.c | 11 +++++++++--
- 1 file changed, 9 insertions(+), 2 deletions(-)
-
-diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
-index 2caff2cd6d..d15e43be05 100644
---- a/crypto/evp/pmeth_lib.c
-+++ b/crypto/evp/pmeth_lib.c
-@@ -1026,6 +1026,7 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
- int datalen)
- {
- OSSL_PARAM os_params[2];
-+ const OSSL_PARAM *gettables;
- unsigned char *info = NULL;
- size_t info_len = 0;
- size_t info_alloc = 0;
-@@ -1049,6 +1050,12 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
- return 1;
- }
-
-+ /* Check for older provider that doesn't support getting this parameter */
-+ gettables = EVP_PKEY_CTX_gettable_params(ctx);
-+ if (gettables == NULL || OSSL_PARAM_locate_const(gettables, param) == NULL)
-+ return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl,
-+ data, datalen);
-+
- /* Get the original value length */
- os_params[0] = OSSL_PARAM_construct_octet_string(param, NULL, 0);
- os_params[1] = OSSL_PARAM_construct_end();
-@@ -1056,9 +1063,9 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
- if (!EVP_PKEY_CTX_get_params(ctx, os_params))
- return 0;
-
-- /* Older provider that doesn't support getting this parameter */
-+ /* This should not happen but check to be sure. */
- if (os_params[0].return_size == OSSL_PARAM_UNMODIFIED)
-- return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl, data, datalen);
-+ return 0;
-
- info_alloc = os_params[0].return_size + datalen;
- if (info_alloc == 0)
---
-2.45.1
-
diff --git a/0126-pkeyutl-encap.patch b/0126-pkeyutl-encap.patch
index 8f82cce..d1efe8a 100644
--- a/0126-pkeyutl-encap.patch
+++ b/0126-pkeyutl-encap.patch
@@ -47,15 +47,16 @@ index b5390c64c2a81..a14ad88217823 100644
OPT_CONFIG_OPTION,
OPT_SECTION("Input"),
-@@ -81,12 +85,13 @@ const OPTIONS pkeyutl_options[] = {
+@@ -81,13 +85,14 @@ const OPTIONS pkeyutl_options[] = {
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output file - default stdout"},
+ {"secret", OPT_SECOUT, '>', "File to store secret on encapsulation"},
- {"asn1parse", OPT_ASN1PARSE, '-', "asn1parse the output data"},
+ {"asn1parse", OPT_ASN1PARSE, '-',
+ "parse the output as ASN.1 data to check its DER encoding and print errors"},
{"hexdump", OPT_HEXDUMP, '-', "Hex dump output"},
{"verifyrecover", OPT_VERIFYRECOVER, '-',
- "Verify with public key, recover original data"},
+ "Verify RSA signature, recovering original signature input data"},
- OPT_SECTION("Signing/Derivation"),
+ OPT_SECTION("Signing/Derivation/Encapsulation"),
@@ -296,7 +297,7 @@ index 50c2030aa353c..9de50dd6cee8f 100644
+
=item B<-sigfile> I<file>
- Signature file, required for B<-verify> operations only
+ Signature file, required and allowed for B<-verify> operations only
@@ -147,6 +155,31 @@ Decrypt the input data using a private key.
Derive a shared secret using the peer key.
diff --git a/0128-SAST-findings.patch b/0128-SAST-findings.patch
index 77cb8e9..9ffc74b 100644
--- a/0128-SAST-findings.patch
+++ b/0128-SAST-findings.patch
@@ -1,15 +1,3 @@
-diff -up openssl-3.2.2/crypto/rsa/rsa_oaep.c.xxx openssl-3.2.2/crypto/rsa/rsa_oaep.c
---- openssl-3.2.2/crypto/rsa/rsa_oaep.c.xxx 2024-08-14 14:22:48.733407808 +0200
-+++ openssl-3.2.2/crypto/rsa/rsa_oaep.c 2024-08-14 14:23:32.994483135 +0200
-@@ -233,7 +233,7 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(un
-
- mdlen = EVP_MD_get_size(md);
-
-- if (tlen <= 0 || flen <= 0)
-+ if (tlen <= 0 || flen <= 0 || mdlen <= 0)
- return -1;
- /*
- * |num| is the length of the modulus; |flen| is the length of the
diff -up openssl-3.2.2/crypto/x509/pcy_tree.c.xxx openssl-3.2.2/crypto/x509/pcy_tree.c
--- openssl-3.2.2/crypto/x509/pcy_tree.c.xxx 2024-08-14 14:14:13.144850097 +0200
+++ openssl-3.2.2/crypto/x509/pcy_tree.c 2024-08-14 14:14:53.213826481 +0200
diff --git a/0129-Fix-SSL_select_next_proto.patch b/0129-Fix-SSL_select_next_proto.patch
deleted file mode 100644
index 6458067..0000000
--- a/0129-Fix-SSL_select_next_proto.patch
+++ /dev/null
@@ -1,109 +0,0 @@
-From 99fb785a5f85315b95288921a321a935ea29a51e Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 31 May 2024 11:14:33 +0100
-Subject: [PATCH 01/10] Fix SSL_select_next_proto
-
-Ensure that the provided client list is non-NULL and starts with a valid
-entry. When called from the ALPN callback the client list should already
-have been validated by OpenSSL so this should not cause a problem. When
-called from the NPN callback the client list is locally configured and
-will not have already been validated. Therefore SSL_select_next_proto
-should not assume that it is correctly formatted.
-
-We implement stricter checking of the client protocol list. We also do the
-same for the server list while we are about it.
-
-CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24717)
----
- ssl/ssl_lib.c | 63 ++++++++++++++++++++++++++++++++-------------------
- 1 file changed, 40 insertions(+), 23 deletions(-)
-
-diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
-index 016135fe18..cf52b317cf 100644
---- a/ssl/ssl_lib.c
-+++ b/ssl/ssl_lib.c
-@@ -3518,37 +3518,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
- unsigned int server_len,
- const unsigned char *client, unsigned int client_len)
- {
-- unsigned int i, j;
-- const unsigned char *result;
-- int status = OPENSSL_NPN_UNSUPPORTED;
-+ PACKET cpkt, csubpkt, spkt, ssubpkt;
-+
-+ if (!PACKET_buf_init(&cpkt, client, client_len)
-+ || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt)
-+ || PACKET_remaining(&csubpkt) == 0) {
-+ *out = NULL;
-+ *outlen = 0;
-+ return OPENSSL_NPN_NO_OVERLAP;
-+ }
-+
-+ /*
-+ * Set the default opportunistic protocol. Will be overwritten if we find
-+ * a match.
-+ */
-+ *out = (unsigned char *)PACKET_data(&csubpkt);
-+ *outlen = (unsigned char)PACKET_remaining(&csubpkt);
-
- /*
- * For each protocol in server preference order, see if we support it.
- */
-- for (i = 0; i < server_len;) {
-- for (j = 0; j < client_len;) {
-- if (server[i] == client[j] &&
-- memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
-- /* We found a match */
-- result = &server[i];
-- status = OPENSSL_NPN_NEGOTIATED;
-- goto found;
-+ if (PACKET_buf_init(&spkt, server, server_len)) {
-+ while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) {
-+ if (PACKET_remaining(&ssubpkt) == 0)
-+ continue; /* Invalid - ignore it */
-+ if (PACKET_buf_init(&cpkt, client, client_len)) {
-+ while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) {
-+ if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt),
-+ PACKET_remaining(&ssubpkt))) {
-+ /* We found a match */
-+ *out = (unsigned char *)PACKET_data(&ssubpkt);
-+ *outlen = (unsigned char)PACKET_remaining(&ssubpkt);
-+ return OPENSSL_NPN_NEGOTIATED;
-+ }
-+ }
-+ /* Ignore spurious trailing bytes in the client list */
-+ } else {
-+ /* This should never happen */
-+ return OPENSSL_NPN_NO_OVERLAP;
- }
-- j += client[j];
-- j++;
- }
-- i += server[i];
-- i++;
-+ /* Ignore spurious trailing bytes in the server list */
- }
-
-- /* There's no overlap between our protocols and the server's list. */
-- result = client;
-- status = OPENSSL_NPN_NO_OVERLAP;
--
-- found:
-- *out = (unsigned char *)result + 1;
-- *outlen = result[0];
-- return status;
-+ /*
-+ * There's no overlap between our protocols and the server's list. We use
-+ * the default opportunistic protocol selected earlier
-+ */
-+ return OPENSSL_NPN_NO_OVERLAP;
- }
-
- #ifndef OPENSSL_NO_NEXTPROTONEG
---
-2.46.0
-
diff --git a/0130-More-correctly-handle-a-selected_len-of-0-when-proce.patch b/0130-More-correctly-handle-a-selected_len-of-0-when-proce.patch
deleted file mode 100644
index 29d22c6..0000000
--- a/0130-More-correctly-handle-a-selected_len-of-0-when-proce.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 015255851371757d54c2560643eb3b3a88123cf1 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 31 May 2024 11:18:27 +0100
-Subject: [PATCH 02/10] More correctly handle a selected_len of 0 when
- processing NPN
-
-In the case where the NPN callback returns with SSL_TLEXT_ERR_OK, but
-the selected_len is 0 we should fail. Previously this would fail with an
-internal_error alert because calling OPENSSL_malloc(selected_len) will
-return NULL when selected_len is 0. We make this error detection more
-explicit and return a handshake failure alert.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24717)
----
- ssl/statem/extensions_clnt.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
-index 381a6c9d7b..1ab3c13d57 100644
---- a/ssl/statem/extensions_clnt.c
-+++ b/ssl/statem/extensions_clnt.c
-@@ -1560,8 +1560,8 @@ int tls_parse_stoc_npn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
- if (sctx->ext.npn_select_cb(SSL_CONNECTION_GET_SSL(s),
- &selected, &selected_len,
- PACKET_data(pkt), PACKET_remaining(pkt),
-- sctx->ext.npn_select_cb_arg) !=
-- SSL_TLSEXT_ERR_OK) {
-+ sctx->ext.npn_select_cb_arg) != SSL_TLSEXT_ERR_OK
-+ || selected_len == 0) {
- SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);
- return 0;
- }
---
-2.46.0
-
diff --git a/0131-Use-correctly-formatted-ALPN-data-in-tserver.patch b/0131-Use-correctly-formatted-ALPN-data-in-tserver.patch
deleted file mode 100644
index 028732f..0000000
--- a/0131-Use-correctly-formatted-ALPN-data-in-tserver.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 6cc511826f09e513b4ec066d9b95acaf4f86d991 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 31 May 2024 11:22:13 +0100
-Subject: [PATCH 03/10] Use correctly formatted ALPN data in tserver
-
-The QUIC test server was using incorrectly formatted ALPN data. With the
-previous implementation of SSL_select_next_proto this went unnoticed. With
-the new stricter implemenation it was failing.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24717)
----
- ssl/quic/quic_tserver.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ssl/quic/quic_tserver.c b/ssl/quic/quic_tserver.c
-index 86187d06ff..15694e723f 100644
---- a/ssl/quic/quic_tserver.c
-+++ b/ssl/quic/quic_tserver.c
-@@ -58,7 +58,7 @@ static int alpn_select_cb(SSL *ssl, const unsigned char **out,
-
- if (srv->args.alpn == NULL) {
- alpn = alpndeflt;
-- alpnlen = sizeof(alpn);
-+ alpnlen = sizeof(alpndeflt);
- } else {
- alpn = srv->args.alpn;
- alpnlen = srv->args.alpnlen;
---
-2.46.0
-
diff --git a/0132-Clarify-the-SSL_select_next_proto-documentation.patch b/0132-Clarify-the-SSL_select_next_proto-documentation.patch
deleted file mode 100644
index 34e6261..0000000
--- a/0132-Clarify-the-SSL_select_next_proto-documentation.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From 8e81c57adbbf703dfb63955f65599765fdacc741 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 31 May 2024 11:46:38 +0100
-Subject: [PATCH 04/10] Clarify the SSL_select_next_proto() documentation
-
-We clarify the input preconditions and the expected behaviour in the event
-of no overlap.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24717)
----
- doc/man3/SSL_CTX_set_alpn_select_cb.pod | 26 +++++++++++++++++--------
- 1 file changed, 18 insertions(+), 8 deletions(-)
-
-diff --git a/doc/man3/SSL_CTX_set_alpn_select_cb.pod b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
-index 05fee2fbec..79e1a252f6 100644
---- a/doc/man3/SSL_CTX_set_alpn_select_cb.pod
-+++ b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
-@@ -52,7 +52,8 @@ SSL_select_next_proto, SSL_get0_alpn_selected, SSL_get0_next_proto_negotiated
- SSL_CTX_set_alpn_protos() and SSL_set_alpn_protos() are used by the client to
- set the list of protocols available to be negotiated. The B<protos> must be in
- protocol-list format, described below. The length of B<protos> is specified in
--B<protos_len>.
-+B<protos_len>. Setting B<protos_len> to 0 clears any existing list of ALPN
-+protocols and no ALPN extension will be sent to the server.
-
- SSL_CTX_set_alpn_select_cb() sets the application callback B<cb> used by a
- server to select which protocol to use for the incoming connection. When B<cb>
-@@ -73,9 +74,16 @@ B<server_len> and B<client>, B<client_len> must be in the protocol-list format
- described below. The first item in the B<server>, B<server_len> list that
- matches an item in the B<client>, B<client_len> list is selected, and returned
- in B<out>, B<outlen>. The B<out> value will point into either B<server> or
--B<client>, so it should be copied immediately. If no match is found, the first
--item in B<client>, B<client_len> is returned in B<out>, B<outlen>. This
--function can also be used in the NPN callback.
-+B<client>, so it should be copied immediately. The client list must include at
-+least one valid (nonempty) protocol entry in the list.
-+
-+The SSL_select_next_proto() helper function can be useful from either the ALPN
-+callback or the NPN callback (described below). If no match is found, the first
-+item in B<client>, B<client_len> is returned in B<out>, B<outlen> and
-+B<OPENSSL_NPN_NO_OVERLAP> is returned. This can be useful when implementating
-+the NPN callback. In the ALPN case, the value returned in B<out> and B<outlen>
-+must be ignored if B<OPENSSL_NPN_NO_OVERLAP> has been returned from
-+SSL_select_next_proto().
-
- SSL_CTX_set_next_proto_select_cb() sets a callback B<cb> that is called when a
- client needs to select a protocol from the server's provided list, and a
-@@ -85,9 +93,10 @@ must be set to point to the selected protocol (which may be within B<in>).
- The length of the protocol name must be written into B<outlen>. The
- server's advertised protocols are provided in B<in> and B<inlen>. The
- callback can assume that B<in> is syntactically valid. The client must
--select a protocol. It is fatal to the connection if this callback returns
--a value other than B<SSL_TLSEXT_ERR_OK>. The B<arg> parameter is the pointer
--set via SSL_CTX_set_next_proto_select_cb().
-+select a protocol (although it may be an empty, zero length protocol). It is
-+fatal to the connection if this callback returns a value other than
-+B<SSL_TLSEXT_ERR_OK> or if the zero length protocol is selected. The B<arg>
-+parameter is the pointer set via SSL_CTX_set_next_proto_select_cb().
-
- SSL_CTX_set_next_protos_advertised_cb() sets a callback B<cb> that is called
- when a TLS server needs a list of supported protocols for Next Protocol
-@@ -154,7 +163,8 @@ A match was found and is returned in B<out>, B<outlen>.
- =item OPENSSL_NPN_NO_OVERLAP
-
- No match was found. The first item in B<client>, B<client_len> is returned in
--B<out>, B<outlen>.
-+B<out>, B<outlen> (or B<NULL> and 0 in the case where the first entry in
-+B<client> is invalid).
-
- =back
-
---
-2.46.0
-
diff --git a/0133-Add-a-test-for-SSL_select_next_proto.patch b/0133-Add-a-test-for-SSL_select_next_proto.patch
deleted file mode 100644
index ccf1577..0000000
--- a/0133-Add-a-test-for-SSL_select_next_proto.patch
+++ /dev/null
@@ -1,172 +0,0 @@
-From add5c52a25c549cec4a730cdf96e2252f0a1862d Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 31 May 2024 16:35:16 +0100
-Subject: [PATCH 05/10] Add a test for SSL_select_next_proto
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24717)
----
- test/sslapitest.c | 137 ++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 137 insertions(+)
-
-diff --git a/test/sslapitest.c b/test/sslapitest.c
-index ce163322cd..15cb9060cb 100644
---- a/test/sslapitest.c
-+++ b/test/sslapitest.c
-@@ -11741,6 +11741,142 @@ static int test_multi_resume(int idx)
- return testresult;
- }
-
-+static struct next_proto_st {
-+ int serverlen;
-+ unsigned char server[40];
-+ int clientlen;
-+ unsigned char client[40];
-+ int expected_ret;
-+ size_t selectedlen;
-+ unsigned char selected[40];
-+} next_proto_tests[] = {
-+ {
-+ 4, { 3, 'a', 'b', 'c' },
-+ 4, { 3, 'a', 'b', 'c' },
-+ OPENSSL_NPN_NEGOTIATED,
-+ 3, { 'a', 'b', 'c' }
-+ },
-+ {
-+ 7, { 3, 'a', 'b', 'c', 2, 'a', 'b' },
-+ 4, { 3, 'a', 'b', 'c' },
-+ OPENSSL_NPN_NEGOTIATED,
-+ 3, { 'a', 'b', 'c' }
-+ },
-+ {
-+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c', },
-+ 4, { 3, 'a', 'b', 'c' },
-+ OPENSSL_NPN_NEGOTIATED,
-+ 3, { 'a', 'b', 'c' }
-+ },
-+ {
-+ 4, { 3, 'a', 'b', 'c' },
-+ 7, { 3, 'a', 'b', 'c', 2, 'a', 'b', },
-+ OPENSSL_NPN_NEGOTIATED,
-+ 3, { 'a', 'b', 'c' }
-+ },
-+ {
-+ 4, { 3, 'a', 'b', 'c' },
-+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
-+ OPENSSL_NPN_NEGOTIATED,
-+ 3, { 'a', 'b', 'c' }
-+ },
-+ {
-+ 7, { 2, 'b', 'c', 3, 'a', 'b', 'c' },
-+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
-+ OPENSSL_NPN_NEGOTIATED,
-+ 3, { 'a', 'b', 'c' }
-+ },
-+ {
-+ 10, { 2, 'b', 'c', 3, 'a', 'b', 'c', 2, 'a', 'b' },
-+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
-+ OPENSSL_NPN_NEGOTIATED,
-+ 3, { 'a', 'b', 'c' }
-+ },
-+ {
-+ 4, { 3, 'b', 'c', 'd' },
-+ 4, { 3, 'a', 'b', 'c' },
-+ OPENSSL_NPN_NO_OVERLAP,
-+ 3, { 'a', 'b', 'c' }
-+ },
-+ {
-+ 0, { 0 },
-+ 4, { 3, 'a', 'b', 'c' },
-+ OPENSSL_NPN_NO_OVERLAP,
-+ 3, { 'a', 'b', 'c' }
-+ },
-+ {
-+ -1, { 0 },
-+ 4, { 3, 'a', 'b', 'c' },
-+ OPENSSL_NPN_NO_OVERLAP,
-+ 3, { 'a', 'b', 'c' }
-+ },
-+ {
-+ 4, { 3, 'a', 'b', 'c' },
-+ 0, { 0 },
-+ OPENSSL_NPN_NO_OVERLAP,
-+ 0, { 0 }
-+ },
-+ {
-+ 4, { 3, 'a', 'b', 'c' },
-+ -1, { 0 },
-+ OPENSSL_NPN_NO_OVERLAP,
-+ 0, { 0 }
-+ },
-+ {
-+ 3, { 3, 'a', 'b', 'c' },
-+ 4, { 3, 'a', 'b', 'c' },
-+ OPENSSL_NPN_NO_OVERLAP,
-+ 3, { 'a', 'b', 'c' }
-+ },
-+ {
-+ 4, { 3, 'a', 'b', 'c' },
-+ 3, { 3, 'a', 'b', 'c' },
-+ OPENSSL_NPN_NO_OVERLAP,
-+ 0, { 0 }
-+ }
-+};
-+
-+static int test_select_next_proto(int idx)
-+{
-+ struct next_proto_st *np = &next_proto_tests[idx];
-+ int ret = 0;
-+ unsigned char *out, *client, *server;
-+ unsigned char outlen;
-+ unsigned int clientlen, serverlen;
-+
-+ if (np->clientlen == -1) {
-+ client = NULL;
-+ clientlen = 0;
-+ } else {
-+ client = np->client;
-+ clientlen = (unsigned int)np->clientlen;
-+ }
-+ if (np->serverlen == -1) {
-+ server = NULL;
-+ serverlen = 0;
-+ } else {
-+ server = np->server;
-+ serverlen = (unsigned int)np->serverlen;
-+ }
-+
-+ if (!TEST_int_eq(SSL_select_next_proto(&out, &outlen, server, serverlen,
-+ client, clientlen),
-+ np->expected_ret))
-+ goto err;
-+
-+ if (np->selectedlen == 0) {
-+ if (!TEST_ptr_null(out) || !TEST_uchar_eq(outlen, 0))
-+ goto err;
-+ } else {
-+ if (!TEST_mem_eq(out, outlen, np->selected, np->selectedlen))
-+ goto err;
-+ }
-+
-+ ret = 1;
-+ err:
-+ return ret;
-+}
-+
- OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
-
- int setup_tests(void)
-@@ -12053,6 +12189,7 @@ int setup_tests(void)
- ADD_ALL_TESTS(test_handshake_retry, 16);
- ADD_TEST(test_data_retry);
- ADD_ALL_TESTS(test_multi_resume, 5);
-+ ADD_ALL_TESTS(test_select_next_proto, OSSL_NELEM(next_proto_tests));
- return 1;
-
- err:
---
-2.46.0
-
diff --git a/0134-Allow-an-empty-NPN-ALPN-protocol-list-in-the-tests.patch b/0134-Allow-an-empty-NPN-ALPN-protocol-list-in-the-tests.patch
deleted file mode 100644
index ae383c8..0000000
--- a/0134-Allow-an-empty-NPN-ALPN-protocol-list-in-the-tests.patch
+++ /dev/null
@@ -1,1169 +0,0 @@
-From 7ea1f6a85b299b976cb3f756b2a7f0153f31b2b6 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Tue, 4 Jun 2024 15:47:32 +0100
-Subject: [PATCH 06/10] Allow an empty NPN/ALPN protocol list in the tests
-
-Allow ourselves to configure an empty NPN/ALPN protocol list and test what
-happens if we do.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24717)
----
- test/helpers/handshake.c | 6 +
- test/ssl-tests/08-npn.cnf | 553 +++++++++++++++++++---------------
- test/ssl-tests/08-npn.cnf.in | 35 +++
- test/ssl-tests/09-alpn.cnf | 66 +++-
- test/ssl-tests/09-alpn.cnf.in | 33 ++
- 5 files changed, 449 insertions(+), 244 deletions(-)
-
-diff --git a/test/helpers/handshake.c b/test/helpers/handshake.c
-index e0422469e4..6b1629b942 100644
---- a/test/helpers/handshake.c
-+++ b/test/helpers/handshake.c
-@@ -348,6 +348,12 @@ static int parse_protos(const char *protos, unsigned char **out, size_t *outlen)
-
- len = strlen(protos);
-
-+ if (len == 0) {
-+ *out = NULL;
-+ *outlen = 0;
-+ return 1;
-+ }
-+
- /* Should never have reuse. */
- if (!TEST_ptr_null(*out)
- /* Test values are small, so we omit length limit checks. */
-diff --git a/test/ssl-tests/08-npn.cnf b/test/ssl-tests/08-npn.cnf
-index f38b3f6975..1931d02de4 100644
---- a/test/ssl-tests/08-npn.cnf
-+++ b/test/ssl-tests/08-npn.cnf
-@@ -1,6 +1,6 @@
- # Generated with generate_ssl_tests.pl
-
--num_tests = 20
-+num_tests = 22
-
- test-0 = 0-npn-simple
- test-1 = 1-npn-client-finds-match
-@@ -8,20 +8,22 @@ test-2 = 2-npn-client-honours-server-pref
- test-3 = 3-npn-client-first-pref-on-mismatch
- test-4 = 4-npn-no-server-support
- test-5 = 5-npn-no-client-support
--test-6 = 6-npn-with-sni-no-context-switch
--test-7 = 7-npn-with-sni-context-switch
--test-8 = 8-npn-selected-sni-server-supports-npn
--test-9 = 9-npn-selected-sni-server-does-not-support-npn
--test-10 = 10-alpn-preferred-over-npn
--test-11 = 11-sni-npn-preferred-over-alpn
--test-12 = 12-npn-simple-resumption
--test-13 = 13-npn-server-switch-resumption
--test-14 = 14-npn-client-switch-resumption
--test-15 = 15-npn-client-first-pref-on-mismatch-resumption
--test-16 = 16-npn-no-server-support-resumption
--test-17 = 17-npn-no-client-support-resumption
--test-18 = 18-alpn-preferred-over-npn-resumption
--test-19 = 19-npn-used-if-alpn-not-supported-resumption
-+test-6 = 6-npn-empty-client-list
-+test-7 = 7-npn-empty-server-list
-+test-8 = 8-npn-with-sni-no-context-switch
-+test-9 = 9-npn-with-sni-context-switch
-+test-10 = 10-npn-selected-sni-server-supports-npn
-+test-11 = 11-npn-selected-sni-server-does-not-support-npn
-+test-12 = 12-alpn-preferred-over-npn
-+test-13 = 13-sni-npn-preferred-over-alpn
-+test-14 = 14-npn-simple-resumption
-+test-15 = 15-npn-server-switch-resumption
-+test-16 = 16-npn-client-switch-resumption
-+test-17 = 17-npn-client-first-pref-on-mismatch-resumption
-+test-18 = 18-npn-no-server-support-resumption
-+test-19 = 19-npn-no-client-support-resumption
-+test-20 = 20-alpn-preferred-over-npn-resumption
-+test-21 = 21-npn-used-if-alpn-not-supported-resumption
- # ===========================================================
-
- [0-npn-simple]
-@@ -206,253 +208,318 @@ NPNProtocols = foo
-
- # ===========================================================
-
--[6-npn-with-sni-no-context-switch]
--ssl_conf = 6-npn-with-sni-no-context-switch-ssl
-+[6-npn-empty-client-list]
-+ssl_conf = 6-npn-empty-client-list-ssl
-
--[6-npn-with-sni-no-context-switch-ssl]
--server = 6-npn-with-sni-no-context-switch-server
--client = 6-npn-with-sni-no-context-switch-client
--server2 = 6-npn-with-sni-no-context-switch-server2
-+[6-npn-empty-client-list-ssl]
-+server = 6-npn-empty-client-list-server
-+client = 6-npn-empty-client-list-client
-
--[6-npn-with-sni-no-context-switch-server]
-+[6-npn-empty-client-list-server]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
--[6-npn-with-sni-no-context-switch-server2]
-+[6-npn-empty-client-list-client]
-+CipherString = DEFAULT
-+MaxProtocol = TLSv1.2
-+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-+VerifyMode = Peer
-+
-+[test-6]
-+ExpectedClientAlert = HandshakeFailure
-+ExpectedResult = ClientFail
-+server = 6-npn-empty-client-list-server-extra
-+client = 6-npn-empty-client-list-client-extra
-+
-+[6-npn-empty-client-list-server-extra]
-+NPNProtocols = foo
-+
-+[6-npn-empty-client-list-client-extra]
-+NPNProtocols =
-+
-+
-+# ===========================================================
-+
-+[7-npn-empty-server-list]
-+ssl_conf = 7-npn-empty-server-list-ssl
-+
-+[7-npn-empty-server-list-ssl]
-+server = 7-npn-empty-server-list-server
-+client = 7-npn-empty-server-list-client
-+
-+[7-npn-empty-server-list-server]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
--[6-npn-with-sni-no-context-switch-client]
-+[7-npn-empty-server-list-client]
- CipherString = DEFAULT
- MaxProtocol = TLSv1.2
- VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
- VerifyMode = Peer
-
--[test-6]
-+[test-7]
-+ExpectedNPNProtocol = foo
-+server = 7-npn-empty-server-list-server-extra
-+client = 7-npn-empty-server-list-client-extra
-+
-+[7-npn-empty-server-list-server-extra]
-+NPNProtocols =
-+
-+[7-npn-empty-server-list-client-extra]
-+NPNProtocols = foo
-+
-+
-+# ===========================================================
-+
-+[8-npn-with-sni-no-context-switch]
-+ssl_conf = 8-npn-with-sni-no-context-switch-ssl
-+
-+[8-npn-with-sni-no-context-switch-ssl]
-+server = 8-npn-with-sni-no-context-switch-server
-+client = 8-npn-with-sni-no-context-switch-client
-+server2 = 8-npn-with-sni-no-context-switch-server2
-+
-+[8-npn-with-sni-no-context-switch-server]
-+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-+CipherString = DEFAULT
-+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-+
-+[8-npn-with-sni-no-context-switch-server2]
-+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-+CipherString = DEFAULT
-+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-+
-+[8-npn-with-sni-no-context-switch-client]
-+CipherString = DEFAULT
-+MaxProtocol = TLSv1.2
-+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-+VerifyMode = Peer
-+
-+[test-8]
- ExpectedNPNProtocol = foo
- ExpectedServerName = server1
--server = 6-npn-with-sni-no-context-switch-server-extra
--server2 = 6-npn-with-sni-no-context-switch-server2-extra
--client = 6-npn-with-sni-no-context-switch-client-extra
-+server = 8-npn-with-sni-no-context-switch-server-extra
-+server2 = 8-npn-with-sni-no-context-switch-server2-extra
-+client = 8-npn-with-sni-no-context-switch-client-extra
-
--[6-npn-with-sni-no-context-switch-server-extra]
-+[8-npn-with-sni-no-context-switch-server-extra]
- NPNProtocols = foo
- ServerNameCallback = IgnoreMismatch
-
--[6-npn-with-sni-no-context-switch-server2-extra]
-+[8-npn-with-sni-no-context-switch-server2-extra]
- NPNProtocols = bar
-
--[6-npn-with-sni-no-context-switch-client-extra]
-+[8-npn-with-sni-no-context-switch-client-extra]
- NPNProtocols = foo,bar
- ServerName = server1
-
-
- # ===========================================================
-
--[7-npn-with-sni-context-switch]
--ssl_conf = 7-npn-with-sni-context-switch-ssl
-+[9-npn-with-sni-context-switch]
-+ssl_conf = 9-npn-with-sni-context-switch-ssl
-
--[7-npn-with-sni-context-switch-ssl]
--server = 7-npn-with-sni-context-switch-server
--client = 7-npn-with-sni-context-switch-client
--server2 = 7-npn-with-sni-context-switch-server2
-+[9-npn-with-sni-context-switch-ssl]
-+server = 9-npn-with-sni-context-switch-server
-+client = 9-npn-with-sni-context-switch-client
-+server2 = 9-npn-with-sni-context-switch-server2
-
--[7-npn-with-sni-context-switch-server]
-+[9-npn-with-sni-context-switch-server]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
--[7-npn-with-sni-context-switch-server2]
-+[9-npn-with-sni-context-switch-server2]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
--[7-npn-with-sni-context-switch-client]
-+[9-npn-with-sni-context-switch-client]
- CipherString = DEFAULT
- MaxProtocol = TLSv1.2
- VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
- VerifyMode = Peer
-
--[test-7]
-+[test-9]
- ExpectedNPNProtocol = bar
- ExpectedServerName = server2
--server = 7-npn-with-sni-context-switch-server-extra
--server2 = 7-npn-with-sni-context-switch-server2-extra
--client = 7-npn-with-sni-context-switch-client-extra
-+server = 9-npn-with-sni-context-switch-server-extra
-+server2 = 9-npn-with-sni-context-switch-server2-extra
-+client = 9-npn-with-sni-context-switch-client-extra
-
--[7-npn-with-sni-context-switch-server-extra]
-+[9-npn-with-sni-context-switch-server-extra]
- NPNProtocols = foo
- ServerNameCallback = IgnoreMismatch
-
--[7-npn-with-sni-context-switch-server2-extra]
-+[9-npn-with-sni-context-switch-server2-extra]
- NPNProtocols = bar
-
--[7-npn-with-sni-context-switch-client-extra]
-+[9-npn-with-sni-context-switch-client-extra]
- NPNProtocols = foo,bar
- ServerName = server2
-
-
- # ===========================================================
-
--[8-npn-selected-sni-server-supports-npn]
--ssl_conf = 8-npn-selected-sni-server-supports-npn-ssl
-+[10-npn-selected-sni-server-supports-npn]
-+ssl_conf = 10-npn-selected-sni-server-supports-npn-ssl
-
--[8-npn-selected-sni-server-supports-npn-ssl]
--server = 8-npn-selected-sni-server-supports-npn-server
--client = 8-npn-selected-sni-server-supports-npn-client
--server2 = 8-npn-selected-sni-server-supports-npn-server2
-+[10-npn-selected-sni-server-supports-npn-ssl]
-+server = 10-npn-selected-sni-server-supports-npn-server
-+client = 10-npn-selected-sni-server-supports-npn-client
-+server2 = 10-npn-selected-sni-server-supports-npn-server2
-
--[8-npn-selected-sni-server-supports-npn-server]
-+[10-npn-selected-sni-server-supports-npn-server]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
--[8-npn-selected-sni-server-supports-npn-server2]
-+[10-npn-selected-sni-server-supports-npn-server2]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
--[8-npn-selected-sni-server-supports-npn-client]
-+[10-npn-selected-sni-server-supports-npn-client]
- CipherString = DEFAULT
- MaxProtocol = TLSv1.2
- VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
- VerifyMode = Peer
-
--[test-8]
-+[test-10]
- ExpectedNPNProtocol = bar
- ExpectedServerName = server2
--server = 8-npn-selected-sni-server-supports-npn-server-extra
--server2 = 8-npn-selected-sni-server-supports-npn-server2-extra
--client = 8-npn-selected-sni-server-supports-npn-client-extra
-+server = 10-npn-selected-sni-server-supports-npn-server-extra
-+server2 = 10-npn-selected-sni-server-supports-npn-server2-extra
-+client = 10-npn-selected-sni-server-supports-npn-client-extra
-
--[8-npn-selected-sni-server-supports-npn-server-extra]
-+[10-npn-selected-sni-server-supports-npn-server-extra]
- ServerNameCallback = IgnoreMismatch
-
--[8-npn-selected-sni-server-supports-npn-server2-extra]
-+[10-npn-selected-sni-server-supports-npn-server2-extra]
- NPNProtocols = bar
-
--[8-npn-selected-sni-server-supports-npn-client-extra]
-+[10-npn-selected-sni-server-supports-npn-client-extra]
- NPNProtocols = foo,bar
- ServerName = server2
-
-
- # ===========================================================
-
--[9-npn-selected-sni-server-does-not-support-npn]
--ssl_conf = 9-npn-selected-sni-server-does-not-support-npn-ssl
-+[11-npn-selected-sni-server-does-not-support-npn]
-+ssl_conf = 11-npn-selected-sni-server-does-not-support-npn-ssl
-
--[9-npn-selected-sni-server-does-not-support-npn-ssl]
--server = 9-npn-selected-sni-server-does-not-support-npn-server
--client = 9-npn-selected-sni-server-does-not-support-npn-client
--server2 = 9-npn-selected-sni-server-does-not-support-npn-server2
-+[11-npn-selected-sni-server-does-not-support-npn-ssl]
-+server = 11-npn-selected-sni-server-does-not-support-npn-server
-+client = 11-npn-selected-sni-server-does-not-support-npn-client
-+server2 = 11-npn-selected-sni-server-does-not-support-npn-server2
-
--[9-npn-selected-sni-server-does-not-support-npn-server]
-+[11-npn-selected-sni-server-does-not-support-npn-server]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
--[9-npn-selected-sni-server-does-not-support-npn-server2]
-+[11-npn-selected-sni-server-does-not-support-npn-server2]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
--[9-npn-selected-sni-server-does-not-support-npn-client]
-+[11-npn-selected-sni-server-does-not-support-npn-client]
- CipherString = DEFAULT
- MaxProtocol = TLSv1.2
- VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
- VerifyMode = Peer
-
--[test-9]
-+[test-11]
- ExpectedServerName = server2
--server = 9-npn-selected-sni-server-does-not-support-npn-server-extra
--client = 9-npn-selected-sni-server-does-not-support-npn-client-extra
-+server = 11-npn-selected-sni-server-does-not-support-npn-server-extra
-+client = 11-npn-selected-sni-server-does-not-support-npn-client-extra
-
--[9-npn-selected-sni-server-does-not-support-npn-server-extra]
-+[11-npn-selected-sni-server-does-not-support-npn-server-extra]
- NPNProtocols = bar
- ServerNameCallback = IgnoreMismatch
-
--[9-npn-selected-sni-server-does-not-support-npn-client-extra]
-+[11-npn-selected-sni-server-does-not-support-npn-client-extra]
- NPNProtocols = foo,bar
- ServerName = server2
-
-
- # ===========================================================
-
--[10-alpn-preferred-over-npn]
--ssl_conf = 10-alpn-preferred-over-npn-ssl
-+[12-alpn-preferred-over-npn]
-+ssl_conf = 12-alpn-preferred-over-npn-ssl
-
--[10-alpn-preferred-over-npn-ssl]
--server = 10-alpn-preferred-over-npn-server
--client = 10-alpn-preferred-over-npn-client
-+[12-alpn-preferred-over-npn-ssl]
-+server = 12-alpn-preferred-over-npn-server
-+client = 12-alpn-preferred-over-npn-client
-
--[10-alpn-preferred-over-npn-server]
-+[12-alpn-preferred-over-npn-server]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
--[10-alpn-preferred-over-npn-client]
-+[12-alpn-preferred-over-npn-client]
- CipherString = DEFAULT
- MaxProtocol = TLSv1.2
- VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
- VerifyMode = Peer
-
--[test-10]
-+[test-12]
- ExpectedALPNProtocol = foo
--server = 10-alpn-preferred-over-npn-server-extra
--client = 10-alpn-preferred-over-npn-client-extra
-+server = 12-alpn-preferred-over-npn-server-extra
-+client = 12-alpn-preferred-over-npn-client-extra
-
--[10-alpn-preferred-over-npn-server-extra]
-+[12-alpn-preferred-over-npn-server-extra]
- ALPNProtocols = foo
- NPNProtocols = bar
-
--[10-alpn-preferred-over-npn-client-extra]
-+[12-alpn-preferred-over-npn-client-extra]
- ALPNProtocols = foo
- NPNProtocols = bar
-
-
- # ===========================================================
-
--[11-sni-npn-preferred-over-alpn]
--ssl_conf = 11-sni-npn-preferred-over-alpn-ssl
-+[13-sni-npn-preferred-over-alpn]
-+ssl_conf = 13-sni-npn-preferred-over-alpn-ssl
-
--[11-sni-npn-preferred-over-alpn-ssl]
--server = 11-sni-npn-preferred-over-alpn-server
--client = 11-sni-npn-preferred-over-alpn-client
--server2 = 11-sni-npn-preferred-over-alpn-server2
-+[13-sni-npn-preferred-over-alpn-ssl]
-+server = 13-sni-npn-preferred-over-alpn-server
-+client = 13-sni-npn-preferred-over-alpn-client
-+server2 = 13-sni-npn-preferred-over-alpn-server2
-
--[11-sni-npn-preferred-over-alpn-server]
-+[13-sni-npn-preferred-over-alpn-server]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
--[11-sni-npn-preferred-over-alpn-server2]
-+[13-sni-npn-preferred-over-alpn-server2]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
--[11-sni-npn-preferred-over-alpn-client]
-+[13-sni-npn-preferred-over-alpn-client]
- CipherString = DEFAULT
- MaxProtocol = TLSv1.2
- VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
- VerifyMode = Peer
-
--[test-11]
-+[test-13]
- ExpectedNPNProtocol = bar
- ExpectedServerName = server2
--server = 11-sni-npn-preferred-over-alpn-server-extra
--server2 = 11-sni-npn-preferred-over-alpn-server2-extra
--client = 11-sni-npn-preferred-over-alpn-client-extra
-+server = 13-sni-npn-preferred-over-alpn-server-extra
-+server2 = 13-sni-npn-preferred-over-alpn-server2-extra
-+client = 13-sni-npn-preferred-over-alpn-client-extra
-
--[11-sni-npn-preferred-over-alpn-server-extra]
-+[13-sni-npn-preferred-over-alpn-server-extra]
- ALPNProtocols = foo
- ServerNameCallback = IgnoreMismatch
-
--[11-sni-npn-preferred-over-alpn-server2-extra]
-+[13-sni-npn-preferred-over-alpn-server2-extra]
- NPNProtocols = bar
-
--[11-sni-npn-preferred-over-alpn-client-extra]
-+[13-sni-npn-preferred-over-alpn-client-extra]
- ALPNProtocols = foo
- NPNProtocols = bar
- ServerName = server2
-@@ -460,356 +527,356 @@ ServerName = server2
-
- # ===========================================================
-
--[12-npn-simple-resumption]
--ssl_conf = 12-npn-simple-resumption-ssl
-+[14-npn-simple-resumption]
-+ssl_conf = 14-npn-simple-resumption-ssl
-
--[12-npn-simple-resumption-ssl]
--server = 12-npn-simple-resumption-server
--client = 12-npn-simple-resumption-client
--resume-server = 12-npn-simple-resumption-server
--resume-client = 12-npn-simple-resumption-client
-+[14-npn-simple-resumption-ssl]
-+server = 14-npn-simple-resumption-server
-+client = 14-npn-simple-resumption-client
-+resume-server = 14-npn-simple-resumption-server
-+resume-client = 14-npn-simple-resumption-client
-
--[12-npn-simple-resumption-server]
-+[14-npn-simple-resumption-server]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
--[12-npn-simple-resumption-client]
-+[14-npn-simple-resumption-client]
- CipherString = DEFAULT
- MaxProtocol = TLSv1.2
- VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
- VerifyMode = Peer
-
--[test-12]
-+[test-14]
- ExpectedNPNProtocol = foo
- HandshakeMode = Resume
- ResumptionExpected = Yes
--server = 12-npn-simple-resumption-server-extra
--resume-server = 12-npn-simple-resumption-server-extra
--client = 12-npn-simple-resumption-client-extra
--resume-client = 12-npn-simple-resumption-client-extra
-+server = 14-npn-simple-resumption-server-extra
-+resume-server = 14-npn-simple-resumption-server-extra
-+client = 14-npn-simple-resumption-client-extra
-+resume-client = 14-npn-simple-resumption-client-extra
-
--[12-npn-simple-resumption-server-extra]
-+[14-npn-simple-resumption-server-extra]
- NPNProtocols = foo
-
--[12-npn-simple-resumption-client-extra]
-+[14-npn-simple-resumption-client-extra]
- NPNProtocols = foo
-
-
- # ===========================================================
-
--[13-npn-server-switch-resumption]
--ssl_conf = 13-npn-server-switch-resumption-ssl
-+[15-npn-server-switch-resumption]
-+ssl_conf = 15-npn-server-switch-resumption-ssl
-
--[13-npn-server-switch-resumption-ssl]
--server = 13-npn-server-switch-resumption-server
--client = 13-npn-server-switch-resumption-client
--resume-server = 13-npn-server-switch-resumption-resume-server
--resume-client = 13-npn-server-switch-resumption-client
-+[15-npn-server-switch-resumption-ssl]
-+server = 15-npn-server-switch-resumption-server
-+client = 15-npn-server-switch-resumption-client
-+resume-server = 15-npn-server-switch-resumption-resume-server
-+resume-client = 15-npn-server-switch-resumption-client
-
--[13-npn-server-switch-resumption-server]
-+[15-npn-server-switch-resumption-server]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
--[13-npn-server-switch-resumption-resume-server]
-+[15-npn-server-switch-resumption-resume-server]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
--[13-npn-server-switch-resumption-client]
-+[15-npn-server-switch-resumption-client]
- CipherString = DEFAULT
- MaxProtocol = TLSv1.2
- VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
- VerifyMode = Peer
-
--[test-13]
-+[test-15]
- ExpectedNPNProtocol = baz
- HandshakeMode = Resume
- ResumptionExpected = Yes
--server = 13-npn-server-switch-resumption-server-extra
--resume-server = 13-npn-server-switch-resumption-resume-server-extra
--client = 13-npn-server-switch-resumption-client-extra
--resume-client = 13-npn-server-switch-resumption-client-extra
-+server = 15-npn-server-switch-resumption-server-extra
-+resume-server = 15-npn-server-switch-resumption-resume-server-extra
-+client = 15-npn-server-switch-resumption-client-extra
-+resume-client = 15-npn-server-switch-resumption-client-extra
-
--[13-npn-server-switch-resumption-server-extra]
-+[15-npn-server-switch-resumption-server-extra]
- NPNProtocols = bar,foo
-
--[13-npn-server-switch-resumption-resume-server-extra]
-+[15-npn-server-switch-resumption-resume-server-extra]
- NPNProtocols = baz,foo
-
--[13-npn-server-switch-resumption-client-extra]
-+[15-npn-server-switch-resumption-client-extra]
- NPNProtocols = foo,bar,baz
-
-
- # ===========================================================
-
--[14-npn-client-switch-resumption]
--ssl_conf = 14-npn-client-switch-resumption-ssl
-+[16-npn-client-switch-resumption]
-+ssl_conf = 16-npn-client-switch-resumption-ssl
-
--[14-npn-client-switch-resumption-ssl]
--server = 14-npn-client-switch-resumption-server
--client = 14-npn-client-switch-resumption-client
--resume-server = 14-npn-client-switch-resumption-server
--resume-client = 14-npn-client-switch-resumption-resume-client
-+[16-npn-client-switch-resumption-ssl]
-+server = 16-npn-client-switch-resumption-server
-+client = 16-npn-client-switch-resumption-client
-+resume-server = 16-npn-client-switch-resumption-server
-+resume-client = 16-npn-client-switch-resumption-resume-client
-
--[14-npn-client-switch-resumption-server]
-+[16-npn-client-switch-resumption-server]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
--[14-npn-client-switch-resumption-client]
-+[16-npn-client-switch-resumption-client]
- CipherString = DEFAULT
- MaxProtocol = TLSv1.2
- VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
- VerifyMode = Peer
-
--[14-npn-client-switch-resumption-resume-client]
-+[16-npn-client-switch-resumption-resume-client]
- CipherString = DEFAULT
- MaxProtocol = TLSv1.2
- VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
- VerifyMode = Peer
-
--[test-14]
-+[test-16]
- ExpectedNPNProtocol = bar
- HandshakeMode = Resume
- ResumptionExpected = Yes
--server = 14-npn-client-switch-resumption-server-extra
--resume-server = 14-npn-client-switch-resumption-server-extra
--client = 14-npn-client-switch-resumption-client-extra
--resume-client = 14-npn-client-switch-resumption-resume-client-extra
-+server = 16-npn-client-switch-resumption-server-extra
-+resume-server = 16-npn-client-switch-resumption-server-extra
-+client = 16-npn-client-switch-resumption-client-extra
-+resume-client = 16-npn-client-switch-resumption-resume-client-extra
-
--[14-npn-client-switch-resumption-server-extra]
-+[16-npn-client-switch-resumption-server-extra]
- NPNProtocols = foo,bar,baz
-
--[14-npn-client-switch-resumption-client-extra]
-+[16-npn-client-switch-resumption-client-extra]
- NPNProtocols = foo,baz
-
--[14-npn-client-switch-resumption-resume-client-extra]
-+[16-npn-client-switch-resumption-resume-client-extra]
- NPNProtocols = bar,baz
-
-
- # ===========================================================
-
--[15-npn-client-first-pref-on-mismatch-resumption]
--ssl_conf = 15-npn-client-first-pref-on-mismatch-resumption-ssl
-+[17-npn-client-first-pref-on-mismatch-resumption]
-+ssl_conf = 17-npn-client-first-pref-on-mismatch-resumption-ssl
-
--[15-npn-client-first-pref-on-mismatch-resumption-ssl]
--server = 15-npn-client-first-pref-on-mismatch-resumption-server
--client = 15-npn-client-first-pref-on-mismatch-resumption-client
--resume-server = 15-npn-client-first-pref-on-mismatch-resumption-resume-server
--resume-client = 15-npn-client-first-pref-on-mismatch-resumption-client
-+[17-npn-client-first-pref-on-mismatch-resumption-ssl]
-+server = 17-npn-client-first-pref-on-mismatch-resumption-server
-+client = 17-npn-client-first-pref-on-mismatch-resumption-client
-+resume-server = 17-npn-client-first-pref-on-mismatch-resumption-resume-server
-+resume-client = 17-npn-client-first-pref-on-mismatch-resumption-client
-
--[15-npn-client-first-pref-on-mismatch-resumption-server]
-+[17-npn-client-first-pref-on-mismatch-resumption-server]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
--[15-npn-client-first-pref-on-mismatch-resumption-resume-server]
-+[17-npn-client-first-pref-on-mismatch-resumption-resume-server]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
--[15-npn-client-first-pref-on-mismatch-resumption-client]
-+[17-npn-client-first-pref-on-mismatch-resumption-client]
- CipherString = DEFAULT
- MaxProtocol = TLSv1.2
- VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
- VerifyMode = Peer
-
--[test-15]
-+[test-17]
- ExpectedNPNProtocol = foo
- HandshakeMode = Resume
- ResumptionExpected = Yes
--server = 15-npn-client-first-pref-on-mismatch-resumption-server-extra
--resume-server = 15-npn-client-first-pref-on-mismatch-resumption-resume-server-extra
--client = 15-npn-client-first-pref-on-mismatch-resumption-client-extra
--resume-client = 15-npn-client-first-pref-on-mismatch-resumption-client-extra
-+server = 17-npn-client-first-pref-on-mismatch-resumption-server-extra
-+resume-server = 17-npn-client-first-pref-on-mismatch-resumption-resume-server-extra
-+client = 17-npn-client-first-pref-on-mismatch-resumption-client-extra
-+resume-client = 17-npn-client-first-pref-on-mismatch-resumption-client-extra
-
--[15-npn-client-first-pref-on-mismatch-resumption-server-extra]
-+[17-npn-client-first-pref-on-mismatch-resumption-server-extra]
- NPNProtocols = bar
-
--[15-npn-client-first-pref-on-mismatch-resumption-resume-server-extra]
-+[17-npn-client-first-pref-on-mismatch-resumption-resume-server-extra]
- NPNProtocols = baz
-
--[15-npn-client-first-pref-on-mismatch-resumption-client-extra]
-+[17-npn-client-first-pref-on-mismatch-resumption-client-extra]
- NPNProtocols = foo,bar
-
-
- # ===========================================================
-
--[16-npn-no-server-support-resumption]
--ssl_conf = 16-npn-no-server-support-resumption-ssl
-+[18-npn-no-server-support-resumption]
-+ssl_conf = 18-npn-no-server-support-resumption-ssl
-
--[16-npn-no-server-support-resumption-ssl]
--server = 16-npn-no-server-support-resumption-server
--client = 16-npn-no-server-support-resumption-client
--resume-server = 16-npn-no-server-support-resumption-resume-server
--resume-client = 16-npn-no-server-support-resumption-client
-+[18-npn-no-server-support-resumption-ssl]
-+server = 18-npn-no-server-support-resumption-server
-+client = 18-npn-no-server-support-resumption-client
-+resume-server = 18-npn-no-server-support-resumption-resume-server
-+resume-client = 18-npn-no-server-support-resumption-client
-
--[16-npn-no-server-support-resumption-server]
-+[18-npn-no-server-support-resumption-server]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
--[16-npn-no-server-support-resumption-resume-server]
-+[18-npn-no-server-support-resumption-resume-server]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
--[16-npn-no-server-support-resumption-client]
-+[18-npn-no-server-support-resumption-client]
- CipherString = DEFAULT
- MaxProtocol = TLSv1.2
- VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
- VerifyMode = Peer
-
--[test-16]
-+[test-18]
- HandshakeMode = Resume
- ResumptionExpected = Yes
--server = 16-npn-no-server-support-resumption-server-extra
--client = 16-npn-no-server-support-resumption-client-extra
--resume-client = 16-npn-no-server-support-resumption-client-extra
-+server = 18-npn-no-server-support-resumption-server-extra
-+client = 18-npn-no-server-support-resumption-client-extra
-+resume-client = 18-npn-no-server-support-resumption-client-extra
-
--[16-npn-no-server-support-resumption-server-extra]
-+[18-npn-no-server-support-resumption-server-extra]
- NPNProtocols = foo
-
--[16-npn-no-server-support-resumption-client-extra]
-+[18-npn-no-server-support-resumption-client-extra]
- NPNProtocols = foo
-
-
- # ===========================================================
-
--[17-npn-no-client-support-resumption]
--ssl_conf = 17-npn-no-client-support-resumption-ssl
-+[19-npn-no-client-support-resumption]
-+ssl_conf = 19-npn-no-client-support-resumption-ssl
-
--[17-npn-no-client-support-resumption-ssl]
--server = 17-npn-no-client-support-resumption-server
--client = 17-npn-no-client-support-resumption-client
--resume-server = 17-npn-no-client-support-resumption-server
--resume-client = 17-npn-no-client-support-resumption-resume-client
-+[19-npn-no-client-support-resumption-ssl]
-+server = 19-npn-no-client-support-resumption-server
-+client = 19-npn-no-client-support-resumption-client
-+resume-server = 19-npn-no-client-support-resumption-server
-+resume-client = 19-npn-no-client-support-resumption-resume-client
-
--[17-npn-no-client-support-resumption-server]
-+[19-npn-no-client-support-resumption-server]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
--[17-npn-no-client-support-resumption-client]
-+[19-npn-no-client-support-resumption-client]
- CipherString = DEFAULT
- MaxProtocol = TLSv1.2
- VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
- VerifyMode = Peer
-
--[17-npn-no-client-support-resumption-resume-client]
-+[19-npn-no-client-support-resumption-resume-client]
- CipherString = DEFAULT
- MaxProtocol = TLSv1.2
- VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
- VerifyMode = Peer
-
--[test-17]
-+[test-19]
- HandshakeMode = Resume
- ResumptionExpected = Yes
--server = 17-npn-no-client-support-resumption-server-extra
--resume-server = 17-npn-no-client-support-resumption-server-extra
--client = 17-npn-no-client-support-resumption-client-extra
-+server = 19-npn-no-client-support-resumption-server-extra
-+resume-server = 19-npn-no-client-support-resumption-server-extra
-+client = 19-npn-no-client-support-resumption-client-extra
-
--[17-npn-no-client-support-resumption-server-extra]
-+[19-npn-no-client-support-resumption-server-extra]
- NPNProtocols = foo
-
--[17-npn-no-client-support-resumption-client-extra]
-+[19-npn-no-client-support-resumption-client-extra]
- NPNProtocols = foo
-
-
- # ===========================================================
-
--[18-alpn-preferred-over-npn-resumption]
--ssl_conf = 18-alpn-preferred-over-npn-resumption-ssl
-+[20-alpn-preferred-over-npn-resumption]
-+ssl_conf = 20-alpn-preferred-over-npn-resumption-ssl
-
--[18-alpn-preferred-over-npn-resumption-ssl]
--server = 18-alpn-preferred-over-npn-resumption-server
--client = 18-alpn-preferred-over-npn-resumption-client
--resume-server = 18-alpn-preferred-over-npn-resumption-resume-server
--resume-client = 18-alpn-preferred-over-npn-resumption-client
-+[20-alpn-preferred-over-npn-resumption-ssl]
-+server = 20-alpn-preferred-over-npn-resumption-server
-+client = 20-alpn-preferred-over-npn-resumption-client
-+resume-server = 20-alpn-preferred-over-npn-resumption-resume-server
-+resume-client = 20-alpn-preferred-over-npn-resumption-client
-
--[18-alpn-preferred-over-npn-resumption-server]
-+[20-alpn-preferred-over-npn-resumption-server]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
--[18-alpn-preferred-over-npn-resumption-resume-server]
-+[20-alpn-preferred-over-npn-resumption-resume-server]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
--[18-alpn-preferred-over-npn-resumption-client]
-+[20-alpn-preferred-over-npn-resumption-client]
- CipherString = DEFAULT
- MaxProtocol = TLSv1.2
- VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
- VerifyMode = Peer
-
--[test-18]
-+[test-20]
- ExpectedALPNProtocol = foo
- HandshakeMode = Resume
- ResumptionExpected = Yes
--server = 18-alpn-preferred-over-npn-resumption-server-extra
--resume-server = 18-alpn-preferred-over-npn-resumption-resume-server-extra
--client = 18-alpn-preferred-over-npn-resumption-client-extra
--resume-client = 18-alpn-preferred-over-npn-resumption-client-extra
-+server = 20-alpn-preferred-over-npn-resumption-server-extra
-+resume-server = 20-alpn-preferred-over-npn-resumption-resume-server-extra
-+client = 20-alpn-preferred-over-npn-resumption-client-extra
-+resume-client = 20-alpn-preferred-over-npn-resumption-client-extra
-
--[18-alpn-preferred-over-npn-resumption-server-extra]
-+[20-alpn-preferred-over-npn-resumption-server-extra]
- NPNProtocols = bar
-
--[18-alpn-preferred-over-npn-resumption-resume-server-extra]
-+[20-alpn-preferred-over-npn-resumption-resume-server-extra]
- ALPNProtocols = foo
- NPNProtocols = baz
-
--[18-alpn-preferred-over-npn-resumption-client-extra]
-+[20-alpn-preferred-over-npn-resumption-client-extra]
- ALPNProtocols = foo
- NPNProtocols = bar,baz
-
-
- # ===========================================================
-
--[19-npn-used-if-alpn-not-supported-resumption]
--ssl_conf = 19-npn-used-if-alpn-not-supported-resumption-ssl
-+[21-npn-used-if-alpn-not-supported-resumption]
-+ssl_conf = 21-npn-used-if-alpn-not-supported-resumption-ssl
-
--[19-npn-used-if-alpn-not-supported-resumption-ssl]
--server = 19-npn-used-if-alpn-not-supported-resumption-server
--client = 19-npn-used-if-alpn-not-supported-resumption-client
--resume-server = 19-npn-used-if-alpn-not-supported-resumption-resume-server
--resume-client = 19-npn-used-if-alpn-not-supported-resumption-client
-+[21-npn-used-if-alpn-not-supported-resumption-ssl]
-+server = 21-npn-used-if-alpn-not-supported-resumption-server
-+client = 21-npn-used-if-alpn-not-supported-resumption-client
-+resume-server = 21-npn-used-if-alpn-not-supported-resumption-resume-server
-+resume-client = 21-npn-used-if-alpn-not-supported-resumption-client
-
--[19-npn-used-if-alpn-not-supported-resumption-server]
-+[21-npn-used-if-alpn-not-supported-resumption-server]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
--[19-npn-used-if-alpn-not-supported-resumption-resume-server]
-+[21-npn-used-if-alpn-not-supported-resumption-resume-server]
- Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
- CipherString = DEFAULT
- PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
--[19-npn-used-if-alpn-not-supported-resumption-client]
-+[21-npn-used-if-alpn-not-supported-resumption-client]
- CipherString = DEFAULT
- MaxProtocol = TLSv1.2
- VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
- VerifyMode = Peer
-
--[test-19]
-+[test-21]
- ExpectedNPNProtocol = baz
- HandshakeMode = Resume
- ResumptionExpected = Yes
--server = 19-npn-used-if-alpn-not-supported-resumption-server-extra
--resume-server = 19-npn-used-if-alpn-not-supported-resumption-resume-server-extra
--client = 19-npn-used-if-alpn-not-supported-resumption-client-extra
--resume-client = 19-npn-used-if-alpn-not-supported-resumption-client-extra
-+server = 21-npn-used-if-alpn-not-supported-resumption-server-extra
-+resume-server = 21-npn-used-if-alpn-not-supported-resumption-resume-server-extra
-+client = 21-npn-used-if-alpn-not-supported-resumption-client-extra
-+resume-client = 21-npn-used-if-alpn-not-supported-resumption-client-extra
-
--[19-npn-used-if-alpn-not-supported-resumption-server-extra]
-+[21-npn-used-if-alpn-not-supported-resumption-server-extra]
- ALPNProtocols = foo
- NPNProtocols = bar
-
--[19-npn-used-if-alpn-not-supported-resumption-resume-server-extra]
-+[21-npn-used-if-alpn-not-supported-resumption-resume-server-extra]
- NPNProtocols = baz
-
--[19-npn-used-if-alpn-not-supported-resumption-client-extra]
-+[21-npn-used-if-alpn-not-supported-resumption-client-extra]
- ALPNProtocols = foo
- NPNProtocols = bar,baz
-
-diff --git a/test/ssl-tests/08-npn.cnf.in b/test/ssl-tests/08-npn.cnf.in
-index 30783e45eb..1dc2704bdb 100644
---- a/test/ssl-tests/08-npn.cnf.in
-+++ b/test/ssl-tests/08-npn.cnf.in
-@@ -110,6 +110,41 @@ our @tests = (
- "ExpectedNPNProtocol" => undef,
- },
- },
-+ {
-+ name => "npn-empty-client-list",
-+ server => {
-+ extra => {
-+ "NPNProtocols" => "foo",
-+ },
-+ },
-+ client => {
-+ extra => {
-+ "NPNProtocols" => "",
-+ },
-+ "MaxProtocol" => "TLSv1.2"
-+ },
-+ test => {
-+ "ExpectedResult" => "ClientFail",
-+ "ExpectedClientAlert" => "HandshakeFailure"
-+ },
-+ },
-+ {
-+ name => "npn-empty-server-list",
-+ server => {
-+ extra => {
-+ "NPNProtocols" => "",
-+ },
-+ },
-+ client => {
-+ extra => {
-+ "NPNProtocols" => "foo",
-+ },
-+ "MaxProtocol" => "TLSv1.2"
-+ },
-+ test => {
-+ "ExpectedNPNProtocol" => "foo"
-+ },
-+ },
- {
- name => "npn-with-sni-no-context-switch",
- server => {
-diff --git a/test/ssl-tests/09-alpn.cnf b/test/ssl-tests/09-alpn.cnf
-index e7e6cb9534..dd668739ab 100644
---- a/test/ssl-tests/09-alpn.cnf
-+++ b/test/ssl-tests/09-alpn.cnf
-@@ -1,6 +1,6 @@
- # Generated with generate_ssl_tests.pl
-
--num_tests = 16
-+num_tests = 18
-
- test-0 = 0-alpn-simple
- test-1 = 1-alpn-server-finds-match
-@@ -18,6 +18,8 @@ test-12 = 12-alpn-client-switch-resumption
- test-13 = 13-alpn-alert-on-mismatch-resumption
- test-14 = 14-alpn-no-server-support-resumption
- test-15 = 15-alpn-no-client-support-resumption
-+test-16 = 16-alpn-empty-client-list
-+test-17 = 17-alpn-empty-server-list
- # ===========================================================
-
- [0-alpn-simple]
-@@ -617,3 +619,65 @@ ALPNProtocols = foo
- ALPNProtocols = foo
-
-
-+# ===========================================================
-+
-+[16-alpn-empty-client-list]
-+ssl_conf = 16-alpn-empty-client-list-ssl
-+
-+[16-alpn-empty-client-list-ssl]
-+server = 16-alpn-empty-client-list-server
-+client = 16-alpn-empty-client-list-client
-+
-+[16-alpn-empty-client-list-server]
-+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-+CipherString = DEFAULT
-+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-+
-+[16-alpn-empty-client-list-client]
-+CipherString = DEFAULT
-+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-+VerifyMode = Peer
-+
-+[test-16]
-+server = 16-alpn-empty-client-list-server-extra
-+client = 16-alpn-empty-client-list-client-extra
-+
-+[16-alpn-empty-client-list-server-extra]
-+ALPNProtocols = foo
-+
-+[16-alpn-empty-client-list-client-extra]
-+ALPNProtocols =
-+
-+
-+# ===========================================================
-+
-+[17-alpn-empty-server-list]
-+ssl_conf = 17-alpn-empty-server-list-ssl
-+
-+[17-alpn-empty-server-list-ssl]
-+server = 17-alpn-empty-server-list-server
-+client = 17-alpn-empty-server-list-client
-+
-+[17-alpn-empty-server-list-server]
-+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-+CipherString = DEFAULT
-+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-+
-+[17-alpn-empty-server-list-client]
-+CipherString = DEFAULT
-+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-+VerifyMode = Peer
-+
-+[test-17]
-+ExpectedResult = ServerFail
-+ExpectedServerAlert = NoApplicationProtocol
-+server = 17-alpn-empty-server-list-server-extra
-+client = 17-alpn-empty-server-list-client-extra
-+
-+[17-alpn-empty-server-list-server-extra]
-+ALPNProtocols =
-+
-+[17-alpn-empty-server-list-client-extra]
-+ALPNProtocols = foo
-+
-+
-diff --git a/test/ssl-tests/09-alpn.cnf.in b/test/ssl-tests/09-alpn.cnf.in
-index 81330756c6..322b7096a6 100644
---- a/test/ssl-tests/09-alpn.cnf.in
-+++ b/test/ssl-tests/09-alpn.cnf.in
-@@ -322,4 +322,37 @@ our @tests = (
- "ExpectedALPNProtocol" => undef,
- },
- },
-+ {
-+ name => "alpn-empty-client-list",
-+ server => {
-+ extra => {
-+ "ALPNProtocols" => "foo",
-+ },
-+ },
-+ client => {
-+ extra => {
-+ "ALPNProtocols" => "",
-+ },
-+ },
-+ test => {
-+ "ExpectedALPNProtocol" => undef,
-+ },
-+ },
-+ {
-+ name => "alpn-empty-server-list",
-+ server => {
-+ extra => {
-+ "ALPNProtocols" => "",
-+ },
-+ },
-+ client => {
-+ extra => {
-+ "ALPNProtocols" => "foo",
-+ },
-+ },
-+ test => {
-+ "ExpectedResult" => "ServerFail",
-+ "ExpectedServerAlert" => "NoApplicationProtocol",
-+ },
-+ },
- );
---
-2.46.0
-
diff --git a/0135-Correct-return-values-for-tls_construct_stoc_next_pr.patch b/0135-Correct-return-values-for-tls_construct_stoc_next_pr.patch
deleted file mode 100644
index 97c28ee..0000000
--- a/0135-Correct-return-values-for-tls_construct_stoc_next_pr.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 53f5677f358c4a4f69830d944ea40e71950673b8 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 21 Jun 2024 10:41:55 +0100
-Subject: [PATCH 07/10] Correct return values for
- tls_construct_stoc_next_proto_neg
-
-Return EXT_RETURN_NOT_SENT in the event that we don't send the extension,
-rather than EXT_RETURN_SENT. This actually makes no difference at all to
-the current control flow since this return value is ignored in this case
-anyway. But lets make it correct anyway.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24717)
----
- ssl/statem/extensions_srvr.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
-index 800654450e..66ed7dacf2 100644
---- a/ssl/statem/extensions_srvr.c
-+++ b/ssl/statem/extensions_srvr.c
-@@ -1501,9 +1501,10 @@ EXT_RETURN tls_construct_stoc_next_proto_neg(SSL_CONNECTION *s, WPACKET *pkt,
- return EXT_RETURN_FAIL;
- }
- s->s3.npn_seen = 1;
-+ return EXT_RETURN_SENT;
- }
-
-- return EXT_RETURN_SENT;
-+ return EXT_RETURN_NOT_SENT;
- }
- #endif
-
---
-2.46.0
-
diff --git a/0137-Add-explicit-testing-of-ALN-and-NPN-in-sslapitest.patch b/0137-Add-explicit-testing-of-ALN-and-NPN-in-sslapitest.patch
deleted file mode 100644
index 135fa25..0000000
--- a/0137-Add-explicit-testing-of-ALN-and-NPN-in-sslapitest.patch
+++ /dev/null
@@ -1,267 +0,0 @@
-From 7c95191434415d1c9b7fe9b130df13cce630b6b5 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 21 Jun 2024 10:09:41 +0100
-Subject: [PATCH 09/10] Add explicit testing of ALN and NPN in sslapitest
-
-We already had some tests elsewhere - but this extends that testing with
-additional tests.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24717)
----
- test/sslapitest.c | 229 ++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 229 insertions(+)
-
-diff --git a/test/sslapitest.c b/test/sslapitest.c
-index 15cb9060cb..7a55a2b721 100644
---- a/test/sslapitest.c
-+++ b/test/sslapitest.c
-@@ -11877,6 +11877,231 @@ static int test_select_next_proto(int idx)
- return ret;
- }
-
-+static const unsigned char fooprot[] = {3, 'f', 'o', 'o' };
-+static const unsigned char barprot[] = {3, 'b', 'a', 'r' };
-+
-+#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
-+static int npn_advert_cb(SSL *ssl, const unsigned char **out,
-+ unsigned int *outlen, void *arg)
-+{
-+ int *idx = (int *)arg;
-+
-+ switch (*idx) {
-+ default:
-+ case 0:
-+ *out = fooprot;
-+ *outlen = sizeof(fooprot);
-+ return SSL_TLSEXT_ERR_OK;
-+
-+ case 1:
-+ *outlen = 0;
-+ return SSL_TLSEXT_ERR_OK;
-+
-+ case 2:
-+ return SSL_TLSEXT_ERR_NOACK;
-+ }
-+}
-+
-+static int npn_select_cb(SSL *s, unsigned char **out, unsigned char *outlen,
-+ const unsigned char *in, unsigned int inlen, void *arg)
-+{
-+ int *idx = (int *)arg;
-+
-+ switch (*idx) {
-+ case 0:
-+ case 1:
-+ *out = (unsigned char *)(fooprot + 1);
-+ *outlen = *fooprot;
-+ return SSL_TLSEXT_ERR_OK;
-+
-+ case 3:
-+ *out = (unsigned char *)(barprot + 1);
-+ *outlen = *barprot;
-+ return SSL_TLSEXT_ERR_OK;
-+
-+ case 4:
-+ *outlen = 0;
-+ return SSL_TLSEXT_ERR_OK;
-+
-+ default:
-+ case 2:
-+ return SSL_TLSEXT_ERR_ALERT_FATAL;
-+ }
-+}
-+
-+/*
-+ * Test the NPN callbacks
-+ * Test 0: advert = foo, select = foo
-+ * Test 1: advert = <empty>, select = foo
-+ * Test 2: no advert
-+ * Test 3: advert = foo, select = bar
-+ * Test 4: advert = foo, select = <empty> (should fail)
-+ */
-+static int test_npn(int idx)
-+{
-+ SSL_CTX *sctx = NULL, *cctx = NULL;
-+ SSL *serverssl = NULL, *clientssl = NULL;
-+ int testresult = 0;
-+
-+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
-+ TLS_client_method(), 0, TLS1_2_VERSION,
-+ &sctx, &cctx, cert, privkey)))
-+ goto end;
-+
-+ SSL_CTX_set_next_protos_advertised_cb(sctx, npn_advert_cb, &idx);
-+ SSL_CTX_set_next_proto_select_cb(cctx, npn_select_cb, &idx);
-+
-+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
-+ NULL)))
-+ goto end;
-+
-+ if (idx == 4) {
-+ /* We don't allow empty selection of NPN, so this should fail */
-+ if (!TEST_false(create_ssl_connection(serverssl, clientssl,
-+ SSL_ERROR_NONE)))
-+ goto end;
-+ } else {
-+ const unsigned char *prot;
-+ unsigned int protlen;
-+
-+ if (!TEST_true(create_ssl_connection(serverssl, clientssl,
-+ SSL_ERROR_NONE)))
-+ goto end;
-+
-+ SSL_get0_next_proto_negotiated(serverssl, &prot, &protlen);
-+ switch (idx) {
-+ case 0:
-+ case 1:
-+ if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
-+ goto end;
-+ break;
-+ case 2:
-+ if (!TEST_uint_eq(protlen, 0))
-+ goto end;
-+ break;
-+ case 3:
-+ if (!TEST_mem_eq(prot, protlen, barprot + 1, *barprot))
-+ goto end;
-+ break;
-+ default:
-+ TEST_error("Should not get here");
-+ goto end;
-+ }
-+ }
-+
-+ testresult = 1;
-+ end:
-+ SSL_free(serverssl);
-+ SSL_free(clientssl);
-+ SSL_CTX_free(sctx);
-+ SSL_CTX_free(cctx);
-+
-+ return testresult;
-+}
-+#endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG) */
-+
-+static int alpn_select_cb2(SSL *ssl, const unsigned char **out,
-+ unsigned char *outlen, const unsigned char *in,
-+ unsigned int inlen, void *arg)
-+{
-+ int *idx = (int *)arg;
-+
-+ switch (*idx) {
-+ case 0:
-+ *out = (unsigned char *)(fooprot + 1);
-+ *outlen = *fooprot;
-+ return SSL_TLSEXT_ERR_OK;
-+
-+ case 2:
-+ *out = (unsigned char *)(barprot + 1);
-+ *outlen = *barprot;
-+ return SSL_TLSEXT_ERR_OK;
-+
-+ case 3:
-+ *outlen = 0;
-+ return SSL_TLSEXT_ERR_OK;
-+
-+ default:
-+ case 1:
-+ return SSL_TLSEXT_ERR_ALERT_FATAL;
-+ }
-+ return 0;
-+}
-+
-+/*
-+ * Test the ALPN callbacks
-+ * Test 0: client = foo, select = foo
-+ * Test 1: client = <empty>, select = none
-+ * Test 2: client = foo, select = bar (should fail)
-+ * Test 3: client = foo, select = <empty> (should fail)
-+ */
-+static int test_alpn(int idx)
-+{
-+ SSL_CTX *sctx = NULL, *cctx = NULL;
-+ SSL *serverssl = NULL, *clientssl = NULL;
-+ int testresult = 0;
-+ const unsigned char *prots = fooprot;
-+ unsigned int protslen = sizeof(fooprot);
-+
-+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
-+ TLS_client_method(), 0, 0,
-+ &sctx, &cctx, cert, privkey)))
-+ goto end;
-+
-+ SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb2, &idx);
-+
-+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
-+ NULL)))
-+ goto end;
-+
-+ if (idx == 1) {
-+ prots = NULL;
-+ protslen = 0;
-+ }
-+
-+ /* SSL_set_alpn_protos returns 0 for success! */
-+ if (!TEST_false(SSL_set_alpn_protos(clientssl, prots, protslen)))
-+ goto end;
-+
-+ if (idx == 2 || idx == 3) {
-+ /* We don't allow empty selection of NPN, so this should fail */
-+ if (!TEST_false(create_ssl_connection(serverssl, clientssl,
-+ SSL_ERROR_NONE)))
-+ goto end;
-+ } else {
-+ const unsigned char *prot;
-+ unsigned int protlen;
-+
-+ if (!TEST_true(create_ssl_connection(serverssl, clientssl,
-+ SSL_ERROR_NONE)))
-+ goto end;
-+
-+ SSL_get0_alpn_selected(clientssl, &prot, &protlen);
-+ switch (idx) {
-+ case 0:
-+ if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
-+ goto end;
-+ break;
-+ case 1:
-+ if (!TEST_uint_eq(protlen, 0))
-+ goto end;
-+ break;
-+ default:
-+ TEST_error("Should not get here");
-+ goto end;
-+ }
-+ }
-+
-+ testresult = 1;
-+ end:
-+ SSL_free(serverssl);
-+ SSL_free(clientssl);
-+ SSL_CTX_free(sctx);
-+ SSL_CTX_free(cctx);
-+
-+ return testresult;
-+}
-+
- OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
-
- int setup_tests(void)
-@@ -12190,6 +12415,10 @@ int setup_tests(void)
- ADD_TEST(test_data_retry);
- ADD_ALL_TESTS(test_multi_resume, 5);
- ADD_ALL_TESTS(test_select_next_proto, OSSL_NELEM(next_proto_tests));
-+#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
-+ ADD_ALL_TESTS(test_npn, 5);
-+#endif
-+ ADD_ALL_TESTS(test_alpn, 4);
- return 1;
-
- err:
---
-2.46.0
-
diff --git a/0138-Add-a-test-for-an-empty-NextProto-message.patch b/0138-Add-a-test-for-an-empty-NextProto-message.patch
deleted file mode 100644
index 923ec66..0000000
--- a/0138-Add-a-test-for-an-empty-NextProto-message.patch
+++ /dev/null
@@ -1,199 +0,0 @@
-From 301b870546d1c7b2d8f0d66e04a2596142f0399f Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 21 Jun 2024 14:29:26 +0100
-Subject: [PATCH 10/10] Add a test for an empty NextProto message
-
-It is valid according to the spec for a NextProto message to have no
-protocols listed in it. The OpenSSL implementation however does not allow
-us to create such a message. In order to check that we work as expected
-when communicating with a client that does generate such messages we have
-to use a TLSProxy test.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24717)
----
- test/recipes/70-test_npn.t | 73 +++++++++++++++++++++++++++++++++
- util/perl/TLSProxy/Message.pm | 9 ++++
- util/perl/TLSProxy/NextProto.pm | 54 ++++++++++++++++++++++++
- util/perl/TLSProxy/Proxy.pm | 1 +
- 4 files changed, 137 insertions(+)
- create mode 100644 test/recipes/70-test_npn.t
- create mode 100644 util/perl/TLSProxy/NextProto.pm
-
-diff --git a/test/recipes/70-test_npn.t b/test/recipes/70-test_npn.t
-new file mode 100644
-index 0000000000..f82e71af6a
---- /dev/null
-+++ b/test/recipes/70-test_npn.t
-@@ -0,0 +1,73 @@
-+#! /usr/bin/env perl
-+# Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
-+#
-+# Licensed under the Apache License 2.0 (the "License"). You may not use
-+# this file except in compliance with the License. You can obtain a copy
-+# in the file LICENSE in the source distribution or at
-+# https://www.openssl.org/source/license.html
-+
-+use strict;
-+use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file/;
-+use OpenSSL::Test::Utils;
-+
-+use TLSProxy::Proxy;
-+
-+my $test_name = "test_npn";
-+setup($test_name);
-+
-+plan skip_all => "TLSProxy isn't usable on $^O"
-+ if $^O =~ /^(VMS)$/;
-+
-+plan skip_all => "$test_name needs the dynamic engine feature enabled"
-+ if disabled("engine") || disabled("dynamic-engine");
-+
-+plan skip_all => "$test_name needs the sock feature enabled"
-+ if disabled("sock");
-+
-+plan skip_all => "$test_name needs NPN enabled"
-+ if disabled("nextprotoneg");
-+
-+plan skip_all => "$test_name needs TLSv1.2 enabled"
-+ if disabled("tls1_2");
-+
-+my $proxy = TLSProxy::Proxy->new(
-+ undef,
-+ cmdstr(app(["openssl"]), display => 1),
-+ srctop_file("apps", "server.pem"),
-+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
-+);
-+
-+$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
-+plan tests => 1;
-+
-+my $npnseen = 0;
-+
-+# Test 1: Check sending an empty NextProto message from the client works. This is
-+# valid as per the spec, but OpenSSL does not allow you to send it.
-+# Therefore we must be prepared to receive such a message but we cannot
-+# generate it except via TLSProxy
-+$proxy->clear();
-+$proxy->filter(\&npn_filter);
-+$proxy->clientflags("-nextprotoneg foo -no_tls1_3");
-+$proxy->serverflags("-nextprotoneg foo");
-+$proxy->start();
-+ok($npnseen && TLSProxy::Message->success(), "Empty NPN message");
-+
-+sub npn_filter
-+{
-+ my $proxy = shift;
-+ my $message;
-+
-+ # The NextProto message always appears in flight 2
-+ return if $proxy->flight != 2;
-+
-+ foreach my $message (@{$proxy->message_list}) {
-+ if ($message->mt == TLSProxy::Message::MT_NEXT_PROTO) {
-+ # Our TLSproxy NextProto message support doesn't support parsing of
-+ # the message. If we repack it just creates an empty NextProto
-+ # message - which is exactly the scenario we want to test here.
-+ $message->repack();
-+ $npnseen = 1;
-+ }
-+ }
-+}
-diff --git a/util/perl/TLSProxy/Message.pm b/util/perl/TLSProxy/Message.pm
-index ce22187569..fb41b2ffc8 100644
---- a/util/perl/TLSProxy/Message.pm
-+++ b/util/perl/TLSProxy/Message.pm
-@@ -384,6 +384,15 @@ sub create_message
- [@message_frag_lens]
- );
- $message->parse();
-+ } elsif ($mt == MT_NEXT_PROTO) {
-+ $message = TLSProxy::NextProto->new(
-+ $server,
-+ $data,
-+ [@message_rec_list],
-+ $startoffset,
-+ [@message_frag_lens]
-+ );
-+ $message->parse();
- } else {
- #Unknown message type
- $message = TLSProxy::Message->new(
-diff --git a/util/perl/TLSProxy/NextProto.pm b/util/perl/TLSProxy/NextProto.pm
-new file mode 100644
-index 0000000000..0e18347546
---- /dev/null
-+++ b/util/perl/TLSProxy/NextProto.pm
-@@ -0,0 +1,54 @@
-+# Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
-+#
-+# Licensed under the Apache License 2.0 (the "License"). You may not use
-+# this file except in compliance with the License. You can obtain a copy
-+# in the file LICENSE in the source distribution or at
-+# https://www.openssl.org/source/license.html
-+
-+use strict;
-+
-+package TLSProxy::NextProto;
-+
-+use vars '@ISA';
-+push @ISA, 'TLSProxy::Message';
-+
-+sub new
-+{
-+ my $class = shift;
-+ my ($server,
-+ $data,
-+ $records,
-+ $startoffset,
-+ $message_frag_lens) = @_;
-+
-+ my $self = $class->SUPER::new(
-+ $server,
-+ TLSProxy::Message::MT_NEXT_PROTO,
-+ $data,
-+ $records,
-+ $startoffset,
-+ $message_frag_lens);
-+
-+ return $self;
-+}
-+
-+sub parse
-+{
-+ # We don't support parsing at the moment
-+}
-+
-+# This is supposed to reconstruct the on-the-wire message data following changes.
-+# For now though since we don't support parsing we just create an empty NextProto
-+# message - this capability is used in test_npn
-+sub set_message_contents
-+{
-+ my $self = shift;
-+ my $data;
-+
-+ $data = pack("C32", 0x00, 0x1e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-+ 0x00, 0x00, 0x00);
-+ $self->data($data);
-+}
-+1;
-diff --git a/util/perl/TLSProxy/Proxy.pm b/util/perl/TLSProxy/Proxy.pm
-index 3de10eccb9..b707722b6b 100644
---- a/util/perl/TLSProxy/Proxy.pm
-+++ b/util/perl/TLSProxy/Proxy.pm
-@@ -23,6 +23,7 @@ use TLSProxy::CertificateRequest;
- use TLSProxy::CertificateVerify;
- use TLSProxy::ServerKeyExchange;
- use TLSProxy::NewSessionTicket;
-+use TLSProxy::NextProto;
-
- my $have_IPv6;
- my $IP_factory;
---
-2.46.0
-
diff --git a/0140-prov_no-cache.patch b/0140-prov_no-cache.patch
deleted file mode 100644
index 3dee746..0000000
--- a/0140-prov_no-cache.patch
+++ /dev/null
@@ -1,103 +0,0 @@
-diff --git a/crypto/core_fetch.c b/crypto/core_fetch.c
-index d311158d77589..70715e7d6a99c 100644
---- a/crypto/core_fetch.c
-+++ b/crypto/core_fetch.c
-@@ -120,7 +120,7 @@ static void ossl_method_construct_this(OSSL_PROVIDER *provider,
- * It is *expected* that the put function increments the refcnt
- * of the passed method.
- */
-- data->mcm->put(data->store, method, provider, algo->algorithm_names,
-+ data->mcm->put(no_store ? data->store : NULL, method, provider, algo->algorithm_names,
- algo->property_definition, data->mcm_data);
-
- /* refcnt-- because we're dropping the reference */
-diff --git a/test/nocache-and-default.cnf b/test/nocache-and-default.cnf
-new file mode 100644
-index 0000000000000..cf5ca8d114151
---- /dev/null
-+++ b/test/nocache-and-default.cnf
-@@ -0,0 +1,18 @@
-+openssl_conf = openssl_init
-+
-+# Comment out the next line to ignore configuration errors
-+config_diagnostics = 1
-+
-+[openssl_init]
-+providers = provider_sect
-+
-+[provider_sect]
-+test = test_sect
-+default = default_sect
-+
-+[test_sect]
-+module = ../test/p_test.so
-+activate = true
-+
-+[default_sect]
-+activate = true
-diff --git a/test/p_test.c b/test/p_test.c
-index 2d20190d4d57b..05f71ec8347c0 100644
---- a/test/p_test.c
-+++ b/test/p_test.c
-@@ -230,12 +230,21 @@ static const OSSL_ITEM *p_get_reason_strings(void *_)
- return reason_strings;
- }
-
-+static const OSSL_ALGORITHM *p_query(OSSL_PROVIDER *prov,
-+ int operation_id,
-+ int *no_cache)
-+{
-+ *no_cache = 1;
-+ return NULL;
-+}
-+
- static const OSSL_DISPATCH p_test_table[] = {
- { OSSL_FUNC_PROVIDER_GETTABLE_PARAMS, (void (*)(void))p_gettable_params },
- { OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))p_get_params },
- { OSSL_FUNC_PROVIDER_GET_REASON_STRINGS,
- (void (*)(void))p_get_reason_strings},
- { OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))p_teardown },
-+ { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))p_query },
- OSSL_DISPATCH_END
- };
-
-diff --git a/test/recipes/20-test_nocache.t b/test/recipes/20-test_nocache.t
-new file mode 100644
-index 0000000000000..734e44ec8c2e1
---- /dev/null
-+++ b/test/recipes/20-test_nocache.t
-@@ -0,0 +1,34 @@
-+#! /usr/bin/env perl
-+# Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
-+#
-+# Licensed under the Apache License 2.0 (the "License"). You may not use
-+# this file except in compliance with the License. You can obtain a copy
-+# in the file LICENSE in the source distribution or at
-+# https://www.openssl.org/source/license.html
-+
-+use strict;
-+use warnings;
-+
-+use OpenSSL::Test qw/:DEFAULT bldtop_file srctop_file bldtop_dir with/;
-+use OpenSSL::Test::Utils;
-+
-+setup("test_nocache");
-+
-+plan tests => 4;
-+
-+ok(run(app(["openssl", "list", "-mac-algorithms"],
-+ stdout => "listout.txt")),
-+"List mac algorithms - default configuration");
-+open DATA, "listout.txt";
-+my @match = grep /MAC/, <DATA>;
-+close DATA;
-+ok(scalar @match > 1 ? 1 : 0, "Several algorithms are listed - default configuration");
-+
-+$ENV{OPENSSL_CONF} = bldtop_file("test", "nocache-and-default.cnf");
-+ok(run(app(["openssl", "list", "-mac-algorithms"],
-+ stdout => "listout.txt")),
-+"List mac algorithms");
-+open DATA, "listout.txt";
-+my @match = grep /MAC/, <DATA>;
-+close DATA;
-+ok(scalar @match > 1 ? 1 : 0, "Several algorithms are listed - nocache-and-default");
diff --git a/openssl.spec b/openssl.spec
index 3fab779..c65dc75 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -28,8 +28,8 @@ print(string.sub(hash, 0, 16))
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
-Version: 3.2.2
-Release: 14%{?dist}
+Version: 3.2.4
+Release: 1%{?dist}
Epoch: 1
Source: openssl-%{version}.tar.gz
Source2: Makefile.certificate
@@ -154,8 +154,6 @@ Patch121: 0121-FIPS-cms-defaults.patch
# [PATCH 50/50] Assign IANA numbers for hybrid PQ KEX Porting the fix
# in https://github.com/openssl/openssl/pull/22803
Patch122: 0122-Assign-IANA-numbers-for-hybrid-PQ-KEX.patch
-# HKDF regression with older provider implementations
-Patch123: 0123-kdf-Preserve-backward-compatibility-with-older-provi.patch
# https://github.com/openssl/openssl/issues/24577
Patch124: 0124-PBMAC1-PKCS12-FIPS-support.patch
# Downstream patch: enforce PBMAC1 in FIPS mode
@@ -165,21 +163,6 @@ Patch126: 0126-pkeyutl-encap.patch
# https://github.com/openssl/openssl/issues/25056
Patch127: 0127-speedup-SSL_add_cert_subjects_to_stack.patch
Patch128: 0128-SAST-findings.patch
-# https://github.com/openssl/openssl/pull/24717
-Patch129: 0129-Fix-SSL_select_next_proto.patch
-Patch130: 0130-More-correctly-handle-a-selected_len-of-0-when-proce.patch
-Patch131: 0131-Use-correctly-formatted-ALPN-data-in-tserver.patch
-Patch132: 0132-Clarify-the-SSL_select_next_proto-documentation.patch
-Patch133: 0133-Add-a-test-for-SSL_select_next_proto.patch
-Patch134: 0134-Allow-an-empty-NPN-ALPN-protocol-list-in-the-tests.patch
-Patch135: 0135-Correct-return-values-for-tls_construct_stoc_next_pr.patch
-Patch136: 0136-Add-ALPN-validation-in-the-client.patch
-Patch137: 0137-Add-explicit-testing-of-ALN-and-NPN-in-sslapitest.patch
-Patch138: 0138-Add-a-test-for-an-empty-NextProto-message.patch
-# https://github.com/openssl/openssl/commit/05f360d9e849a1b277db628f1f13083a7f8dd04f
-Patch139: 0139-CVE-2024-6119.patch
-# https://github.com/openssl/openssl/pull/26197
-Patch140: 0140-prov_no-cache.patch
License: Apache-2.0
URL: http://www.openssl.org/
@@ -557,6 +540,10 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
%ldconfig_scriptlets libs
%changelog
+* Wed Feb 12 2025 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.2.4-1
+- Rebase to 3.2.4
+ Resolves: CVE-2024-12797
+
* Wed Jan 29 2025 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.2.2-14
- Fixup for loading default cipher string
Resolves: rhbz#2342801
diff --git a/sources b/sources
index 6d3dc96..39048e6 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (openssl-3.2.2.tar.gz) = ebc945065f62a8a2ea4e2f136a2afaea4d38a03bb07a148f7fb73c34a64475a4069de122ebee11a66e421dbd58756ad7ab2d3f905dc90acee72d62757d8c0a2d
+SHA512 (openssl-3.2.4.tar.gz) = 24712cb722ed8daff51db9deec4db982256cccd1a537d3a8690a94a6fd41815fd85cab95e551212938f28a61ed658d285b07734f7b88d8a0b18a318602d424f2
reply other threads:[~2026-06-09 12:45 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=178100912874.1.5761947699493159853.rpms-openssl-b573e5f6bf53@fedoraproject.org \
--to=dbelyavs@redhat.com \
--cc=git-commits@fedoraproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox