3 files changed, 183 insertions, 4 deletions
diff --git a/src/lib/libssl/man/Makefile b/src/lib/libssl/man/Makefile
index f8e5cffd59..c8edf6311e 100644
--- a/src/lib/libssl/man/Makefile
+++ b/src/lib/libssl/man/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.68 2020/09/20 10:20:43 schwarze Exp $
+# $OpenBSD: Makefile,v 1.69 2020/09/21 08:53:56 schwarze Exp $
 .include <bsd.own.mk>
@@ -120,6 +120,9 @@ MAN =	BIO_f_ssl.3 \
        d2i_SSL_SESSION.3 \
        ssl.3
+# To be enabled after the release of OpenBSD 6.8:
+#       SSL_read_early_data.3 \
 all clean cleandir depend includes obj tags:
 install: maninstall
diff --git a/src/lib/libssl/man/SSL_read_early_data.3 b/src/lib/libssl/man/SSL_read_early_data.3
new file mode 100644
index 0000000000..71ad3c52a3
--- /dev/null
+++ b/src/lib/libssl/man/SSL_read_early_data.3
@@ -0,0 +1,175 @@
+.\" $OpenBSD: SSL_read_early_data.3,v 1.1 2020/09/21 08:53:56 schwarze Exp $
+.\" content checked up to: OpenSSL 6328d367 Jul 4 21:58:30 2020 +0200
+.\"
+.\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: September 21 2020 $
+.Dt SSL_READ_EARLY_DATA 3
+.Os
+.Sh NAME
+.Nm SSL_CTX_set_max_early_data ,
+.Nm SSL_set_max_early_data ,
+.Nm SSL_SESSION_set_max_early_data ,
+.Nm SSL_CTX_get_max_early_data ,
+.Nm SSL_get_max_early_data ,
+.Nm SSL_SESSION_get_max_early_data ,
+.Nm SSL_write_early_data ,
+.Nm SSL_read_early_data ,
+.Nm SSL_get_early_data_status
+.Nd transmit application data before the handshake is complete
+.Sh SYNOPSIS
+.In openssl/ssl.h
+.Ft int
+.Fo SSL_CTX_set_max_early_data
+.Fa "SSL_CTX *ctx"
+.Fa "uint32_t max_bytes"
+.Fc
+.Ft int
+.Fo SSL_set_max_early_data
+.Fa "SSL *ssl"
+.Fa "uint32_t max_bytes"
+.Fc
+.Ft int
+.Fo SSL_SESSION_set_max_early_data
+.Fa "SSL_SESSION *session"
+.Fa "uint32_t max_bytes"
+.Fc
+.Ft uint32_t
+.Fo SSL_CTX_get_max_early_data
+.Fa "const SSL_CTX *ctx"
+.Fc
+.Ft uint32_t
+.Fo SSL_get_max_early_data
+.Fa "const SSL *ssl"
+.Fc
+.Ft uint32_t
+.Fo SSL_SESSION_get_max_early_data
+.Fa "const SSL_SESSION *session"
+.Fc
+.Ft int
+.Fo SSL_write_early_data
+.Fa "SSL *ssl"
+.Fa "const void *buf"
+.Fa "size_t len"
+.Fa "size_t *written"
+.Fc
+.Ft int
+.Fo SSL_read_early_data
+.Fa "SSL *ssl"
+.Fa "void *buf"
+.Fa "size_t maxlen"
+.Fa "size_t *readbytes"
+.Fc
+.Ft int
+.Fo SSL_get_early_data_status
+.Fa "const SSL *ssl"
+.Fc
+.Sh DESCRIPTION
+In LibreSSL, these functions have no effect.
+They are only provided because some application programs
+expect the API to be available when TLSv1.3 is supported.
+Using these functions is strongly discouraged because they provide
+marginal benefit in the first place even when implemented and
+used as designed, because they have absurdly complicated semantics,
+and because when they are used, inconspicuous oversights are likely
+to cause serious security vulnerabilities.
+.Pp
+If these functions are used, other TLS implementations
+may allow the transfer of application data
+before the inital handshake is complete.
+Even when used as designed, security of the connection is compromised;
+in particular, application data is exchanged with unauthenticated peers,
+and there is no forward secrecy.
+Other downsides include an increased risk of replay attacks.
+.Pp
+.Fn SSL_CTX_set_max_early_data ,
+.Fn SSL_set_max_early_data ,
+and
+.Fn SSL_SESSION_set_max_early_data
+are intended to configure the maximum number of bytes per session
+that can be transmitted before the handshake is complete.
+With LibreSSL, all arguments are ignored.
+.Pp
+An endpoint can attempt to send application data with
+.Fn SSL_write_early_data
+before the handshake is complete.
+With LibreSSL, such attempts always fail and set
+.Pf * Fa written
+to 0.
+.Pp
+A server can attempt to read application data from the client using
+.Fn SSL_read_early_data
+before the handshake is complete.
+With LibreSSL, no such data is ever accepted and
+.Pf * Fa readbytes
+is always set to 0.
+.Sh RETURN VALUES
+.Fn SSL_CTX_set_max_early_data ,
+.Fn SSL_set_max_early_data ,
+and
+.Fn SSL_SESSION_set_max_early_data
+return 1 for success or 0 for failure.
+With LibreSSL, they always succeed.
+.Pp
+.Fn SSL_CTX_get_max_early_data ,
+.Fn SSL_get_max_early_data ,
+and
+.Fn SSL_SESSION_get_max_early_data
+return the maximum number of bytes of application data
+that will be accepted from the peer before the handshake is complete.
+With LibreSSL, they always return 0.
+.Pp
+.Fn SSL_write_early_data
+returns 1 for success or 0 for failure.
+With LibreSSL, it always fails.
+.Pp
+With LibreSSL,
+.Fn SSL_read_early_data
+always returns
+.Dv SSL_READ_EARLY_DATA_FINISH
+on the server side and
+.Dv SSL_READ_EARLY_DATA_ERROR
+on the client side.
+.Dv SSL_READ_EARLY_DATA_SUCCESS
+can occur with other implementations, but not with LibreSSL.
+.Pp
+With LibreSSL,
+.Fn SSL_get_early_data_status
+always returns
+.Dv SSL_EARLY_DATA_REJECTED .
+With other implementations, it might also return
+.Dv SSL_EARLY_DATA_NOT_SENT
+or
+.Dv SSL_EARLY_DATA_ACCEPTED .
+.Sh SEE ALSO
+.Xr ssl 3 ,
+.Xr SSL_read 3 ,
+.Xr SSL_write 3
+.Sh STANDARDS
+RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3:
+.Bl -tag -width "section 4.2.10" -compact
+.It Section 2.3
+0-RTT data
+.It Section 4.2.10
+Early Data Indication
+.It Section 8
+0-RTT and Anti-Replay
+.It Appendix E.5
+Replay Attacks on 0-RTT
+.El
+.Sh HISTORY
+These functions first appeared in OpenSSL 1.1.1
+and have been available since
+.Ox 6.9 .
diff --git a/src/lib/libssl/man/ssl.3 b/src/lib/libssl/man/ssl.3
index 26596a5f8c..81778df790 100644
--- a/src/lib/libssl/man/ssl.3
+++ b/src/lib/libssl/man/ssl.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssl.3,v 1.19 2020/09/20 10:20:44 schwarze Exp $
+.\" $OpenBSD: ssl.3,v 1.20 2020/09/21 08:53:56 schwarze Exp $
 .\" full merge up to: OpenSSL e330f55d Nov 11 00:51:04 2016 +0100
 .\" selective merge up to: OpenSSL 322755cc Sep 1 08:40:51 2018 +0800
 .\"
@@ -51,7 +51,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 20 2020 $
+.Dd $Mdocdate: September 21 2020 $
 .Dt SSL 3
 .Os
 .Sh NAME
@@ -301,7 +301,7 @@ To change the configuration:
 .Xr SSL_set_connect_state 3 ,
 .Xr SSL_set_fd 3 ,
 .Xr SSL_set_session 3 ,
-.Xr SSL_set1_host.3 ,
+.Xr SSL_set1_host 3 ,
 .Xr SSL_set_verify_result 3
 .Pp
 To inspect the configuration:
@@ -318,6 +318,7 @@ To transmit data:
 .Xr SSL_connect 3 ,
 .Xr SSL_do_handshake 3 ,
 .Xr SSL_read 3 ,
+.\" XXX enable after the 6.8 release: Xr SSL_read_early_data 3 ,
 .Xr SSL_renegotiate 3 ,
 .Xr SSL_shutdown 3 ,
 .Xr SSL_write 3

diff --git a/src/lib/libssl/man/Makefile b/src/lib/libssl/man/Makefile index f8e5cffd59..c8edf6311e 100644 --- a/src/lib/libssl/man/Makefile +++ b/src/lib/libssl/man/Makefile
@@ -1,4 +1,4 @@
1	# $OpenBSD: Makefile,v 1.68 2020/09/20 10:20:43 schwarze Exp $	1	# $OpenBSD: Makefile,v 1.69 2020/09/21 08:53:56 schwarze Exp $
2		2
3	.include <bsd.own.mk>	3	.include <bsd.own.mk>
4		4
@@ -120,6 +120,9 @@ MAN = BIO_f_ssl.3 \
120	d2i_SSL_SESSION.3 \	120	d2i_SSL_SESSION.3 \
121	ssl.3	121	ssl.3
122		122
		123	# To be enabled after the release of OpenBSD 6.8:
		124	# SSL_read_early_data.3 \
		125
123	all clean cleandir depend includes obj tags:	126	all clean cleandir depend includes obj tags:
124		127
125	install: maninstall	128	install: maninstall


diff --git a/src/lib/libssl/man/SSL_read_early_data.3 b/src/lib/libssl/man/SSL_read_early_data.3 new file mode 100644 index 0000000000..71ad3c52a3 --- /dev/null +++ b/src/lib/libssl/man/SSL_read_early_data.3
@@ -0,0 +1,175 @@
		1	.\" $OpenBSD: SSL_read_early_data.3,v 1.1 2020/09/21 08:53:56 schwarze Exp $
		2	.\" content checked up to: OpenSSL 6328d367 Jul 4 21:58:30 2020 +0200
		3	.\"
		4	.\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
		5	.\"
		6	.\" Permission to use, copy, modify, and distribute this software for any
		7	.\" purpose with or without fee is hereby granted, provided that the above
		8	.\" copyright notice and this permission notice appear in all copies.
		9	.\"
		10	.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
		11	.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
		12	.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
		13	.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
		14	.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
		15	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
		16	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
		17	.\"
		18	.Dd $Mdocdate: September 21 2020 $
		19	.Dt SSL_READ_EARLY_DATA 3
		20	.Os
		21	.Sh NAME
		22	.Nm SSL_CTX_set_max_early_data ,
		23	.Nm SSL_set_max_early_data ,
		24	.Nm SSL_SESSION_set_max_early_data ,
		25	.Nm SSL_CTX_get_max_early_data ,
		26	.Nm SSL_get_max_early_data ,
		27	.Nm SSL_SESSION_get_max_early_data ,
		28	.Nm SSL_write_early_data ,
		29	.Nm SSL_read_early_data ,
		30	.Nm SSL_get_early_data_status
		31	.Nd transmit application data before the handshake is complete
		32	.Sh SYNOPSIS
		33	.In openssl/ssl.h
		34	.Ft int
		35	.Fo SSL_CTX_set_max_early_data
		36	.Fa "SSL_CTX *ctx"
		37	.Fa "uint32_t max_bytes"
		38	.Fc
		39	.Ft int
		40	.Fo SSL_set_max_early_data
		41	.Fa "SSL *ssl"
		42	.Fa "uint32_t max_bytes"
		43	.Fc
		44	.Ft int
		45	.Fo SSL_SESSION_set_max_early_data
		46	.Fa "SSL_SESSION *session"
		47	.Fa "uint32_t max_bytes"
		48	.Fc
		49	.Ft uint32_t
		50	.Fo SSL_CTX_get_max_early_data
		51	.Fa "const SSL_CTX *ctx"
		52	.Fc
		53	.Ft uint32_t
		54	.Fo SSL_get_max_early_data
		55	.Fa "const SSL *ssl"
		56	.Fc
		57	.Ft uint32_t
		58	.Fo SSL_SESSION_get_max_early_data
		59	.Fa "const SSL_SESSION *session"
		60	.Fc
		61	.Ft int
		62	.Fo SSL_write_early_data
		63	.Fa "SSL *ssl"
		64	.Fa "const void *buf"
		65	.Fa "size_t len"
		66	.Fa "size_t *written"
		67	.Fc
		68	.Ft int
		69	.Fo SSL_read_early_data
		70	.Fa "SSL *ssl"
		71	.Fa "void *buf"
		72	.Fa "size_t maxlen"
		73	.Fa "size_t *readbytes"
		74	.Fc
		75	.Ft int
		76	.Fo SSL_get_early_data_status
		77	.Fa "const SSL *ssl"
		78	.Fc
		79	.Sh DESCRIPTION
		80	In LibreSSL, these functions have no effect.
		81	They are only provided because some application programs
		82	expect the API to be available when TLSv1.3 is supported.
		83	Using these functions is strongly discouraged because they provide
		84	marginal benefit in the first place even when implemented and
		85	used as designed, because they have absurdly complicated semantics,
		86	and because when they are used, inconspicuous oversights are likely
		87	to cause serious security vulnerabilities.
		88	.Pp
		89	If these functions are used, other TLS implementations
		90	may allow the transfer of application data
		91	before the inital handshake is complete.
		92	Even when used as designed, security of the connection is compromised;
		93	in particular, application data is exchanged with unauthenticated peers,
		94	and there is no forward secrecy.
		95	Other downsides include an increased risk of replay attacks.
		96	.Pp
		97	.Fn SSL_CTX_set_max_early_data ,
		98	.Fn SSL_set_max_early_data ,
		99	and
		100	.Fn SSL_SESSION_set_max_early_data
		101	are intended to configure the maximum number of bytes per session
		102	that can be transmitted before the handshake is complete.
		103	With LibreSSL, all arguments are ignored.
		104	.Pp
		105	An endpoint can attempt to send application data with
		106	.Fn SSL_write_early_data
		107	before the handshake is complete.
		108	With LibreSSL, such attempts always fail and set
		109	.Pf * Fa written
		110	to 0.
		111	.Pp
		112	A server can attempt to read application data from the client using
		113	.Fn SSL_read_early_data
		114	before the handshake is complete.
		115	With LibreSSL, no such data is ever accepted and
		116	.Pf * Fa readbytes
		117	is always set to 0.
		118	.Sh RETURN VALUES
		119	.Fn SSL_CTX_set_max_early_data ,
		120	.Fn SSL_set_max_early_data ,
		121	and
		122	.Fn SSL_SESSION_set_max_early_data
		123	return 1 for success or 0 for failure.
		124	With LibreSSL, they always succeed.
		125	.Pp
		126	.Fn SSL_CTX_get_max_early_data ,
		127	.Fn SSL_get_max_early_data ,
		128	and
		129	.Fn SSL_SESSION_get_max_early_data
		130	return the maximum number of bytes of application data
		131	that will be accepted from the peer before the handshake is complete.
		132	With LibreSSL, they always return 0.
		133	.Pp
		134	.Fn SSL_write_early_data
		135	returns 1 for success or 0 for failure.
		136	With LibreSSL, it always fails.
		137	.Pp
		138	With LibreSSL,
		139	.Fn SSL_read_early_data
		140	always returns
		141	.Dv SSL_READ_EARLY_DATA_FINISH
		142	on the server side and
		143	.Dv SSL_READ_EARLY_DATA_ERROR
		144	on the client side.
		145	.Dv SSL_READ_EARLY_DATA_SUCCESS
		146	can occur with other implementations, but not with LibreSSL.
		147	.Pp
		148	With LibreSSL,
		149	.Fn SSL_get_early_data_status
		150	always returns
		151	.Dv SSL_EARLY_DATA_REJECTED .
		152	With other implementations, it might also return
		153	.Dv SSL_EARLY_DATA_NOT_SENT
		154	or
		155	.Dv SSL_EARLY_DATA_ACCEPTED .
		156	.Sh SEE ALSO
		157	.Xr ssl 3 ,
		158	.Xr SSL_read 3 ,
		159	.Xr SSL_write 3
		160	.Sh STANDARDS
		161	RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3:
		162	.Bl -tag -width "section 4.2.10" -compact
		163	.It Section 2.3
		164	0-RTT data
		165	.It Section 4.2.10
		166	Early Data Indication
		167	.It Section 8
		168	0-RTT and Anti-Replay
		169	.It Appendix E.5
		170	Replay Attacks on 0-RTT
		171	.El
		172	.Sh HISTORY
		173	These functions first appeared in OpenSSL 1.1.1
		174	and have been available since
		175	.Ox 6.9 .


diff --git a/src/lib/libssl/man/ssl.3 b/src/lib/libssl/man/ssl.3 index 26596a5f8c..81778df790 100644 --- a/src/lib/libssl/man/ssl.3 +++ b/src/lib/libssl/man/ssl.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: ssl.3,v 1.19 2020/09/20 10:20:44 schwarze Exp $	1	.\" $OpenBSD: ssl.3,v 1.20 2020/09/21 08:53:56 schwarze Exp $
2	.\" full merge up to: OpenSSL e330f55d Nov 11 00:51:04 2016 +0100	2	.\" full merge up to: OpenSSL e330f55d Nov 11 00:51:04 2016 +0100
3	.\" selective merge up to: OpenSSL 322755cc Sep 1 08:40:51 2018 +0800	3	.\" selective merge up to: OpenSSL 322755cc Sep 1 08:40:51 2018 +0800
4	.\"	4	.\"
@@ -51,7 +51,7 @@
51	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED	51	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
52	.\" OF THE POSSIBILITY OF SUCH DAMAGE.	52	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
53	.\"	53	.\"
54	.Dd $Mdocdate: September 20 2020 $	54	.Dd $Mdocdate: September 21 2020 $
55	.Dt SSL 3	55	.Dt SSL 3
56	.Os	56	.Os
57	.Sh NAME	57	.Sh NAME
@@ -301,7 +301,7 @@ To change the configuration:
301	.Xr SSL_set_connect_state 3 ,	301	.Xr SSL_set_connect_state 3 ,
302	.Xr SSL_set_fd 3 ,	302	.Xr SSL_set_fd 3 ,
303	.Xr SSL_set_session 3 ,	303	.Xr SSL_set_session 3 ,
304	.Xr SSL_set1_host.3 ,	304	.Xr SSL_set1_host 3 ,
305	.Xr SSL_set_verify_result 3	305	.Xr SSL_set_verify_result 3
306	.Pp	306	.Pp
307	To inspect the configuration:	307	To inspect the configuration:
@@ -318,6 +318,7 @@ To transmit data:
318	.Xr SSL_connect 3 ,	318	.Xr SSL_connect 3 ,
319	.Xr SSL_do_handshake 3 ,	319	.Xr SSL_do_handshake 3 ,
320	.Xr SSL_read 3 ,	320	.Xr SSL_read 3 ,
		321	.\" XXX enable after the 6.8 release: Xr SSL_read_early_data 3 ,
321	.Xr SSL_renegotiate 3 ,	322	.Xr SSL_renegotiate 3 ,
322	.Xr SSL_shutdown 3 ,	323	.Xr SSL_shutdown 3 ,
323	.Xr SSL_write 3	324	.Xr SSL_write 3