mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2025-04-18 20:40:45 +08:00
Code Issues Packages Projects Releases Wiki Activity
36,265 Commits 31 Branches 393 Tags
Commit Graph

36265 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Frederik Wedel-Heinen
a332453634 Duplicate TLS 1.3 sslapitests for DTLS 1.3 
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26912)
 2025-04-02 12:09:52 +02:00
Frederik Wedel-Heinen
8edf1b4494 test_server_mtu_larger_than_max_fragment_length() should be run for DTLS 1.3 
Previously it was forced to run on DTLS 1.2>. But the underlying issue was fixed on master and it works now that the feature branch has been rebased on top of a more recent master.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26574)
 2025-03-25 20:29:13 +01:00
Frederik Wedel-Heinen
42d467380c Support DTLS 1.3 Unified Headers 
Also set correct AAD for DTLS 1.3 message de-/encryption.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25668)
 2025-03-18 18:56:41 +01:00
Frederik Wedel-Heinen
374768c6cf Adds a workaround for false negative test results with TLSProxy 
The server is not able to shut down correctly
when the client sends an alert in epoch 0 and the
server has sent its Finished message.
As a workaround we accept a bad exit code for a failing
DTLS test run.

Fixes #26915

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26922)
 2025-02-27 07:12:37 +01:00
Frederik Wedel-Heinen
0c37be3a7c TLSProxy: Handle partial messages with DTLS 
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26532)
 2025-02-26 15:03:59 +01:00
Frederik Wedel-Heinen
6a233c31de Reduce the number of mallocs in dtls1_new() by allocating message queues together with the d1 struct. 
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26150)
 2025-02-25 12:06:27 +01:00
Frederik Wedel-Heinen
718f5b4cfb This change fixes an issue where a DTLS 1.3 would calculate a wrong transcript hash. 
A wrong transcript hash was calculated when the client received a HRR which caused interop failures with WolfSSL. This change also refactors the internal calls to ssl3_finish_mac() that no longer requires the "incl_hdr" argument.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26465)
 2025-02-19 12:08:12 +01:00
Frederik Wedel-Heinen
1ee54c646b Sequence number cipher context is NULL for TLS connections 
Fix memory sanitizer report of use of uninitialized variable: be explicit
that sequence number cipher context is NULL for TLS connections when
calling ssl_set_new_record_layer().

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Hugo Landau <hlandau@devever.net>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26401)
 2025-01-15 15:31:03 +01:00
Frederik Wedel-Heinen
1465a55241 Check result of set_protocol_version() and use the version passed as argument 
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26226)
 2025-01-09 18:08:57 +01:00
Frederik Wedel-Heinen
55c95848d1 Avoid mallocing unprocessed_rcds and processed_rcds in dtls record layer 
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26211)
 2025-01-09 18:08:57 +01:00
Frederik Wedel-Heinen
acbb7f73f5 Fix DTLS 1.3 handshake transcript hash 
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26035)
 2025-01-09 18:08:56 +01:00
Frederik Wedel-Heinen
919c71e2f5 DTLS 1.3 record number encryption 
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23511)
 2025-01-09 18:07:49 +01:00
Frederik Wedel-Heinen
344262cddf Support dtls 1.3 downgrade mechanism 
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23320)
 2025-01-09 18:07:48 +01:00
Frederik Wedel-Heinen
85aad3e553 Update epochs when changing key and cipher state for dtls 1.3 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23229)
 2025-01-09 18:06:57 +01:00
Frederik Wedel-Heinen
cb86ed419a Refactor handshake msg header parsing etc. 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24607)
 2025-01-09 18:06:55 +01:00
Frederik Wedel-Heinen
6c75a12d87 Fix SCTP todo 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24605)
 2025-01-09 18:05:42 +01:00
Frederik Wedel-Heinen
bf9a4f8caa Run 70-test_tls13certcomp.t with dtls 
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24525)
 2025-01-09 18:05:42 +01:00
Frederik Wedel-Heinen
d4c8312a70 Run 70-test_tls13kexmodes.t with dtls 
It is currently unsupported because of missing support in TLSProxy.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24525)
 2025-01-09 18:05:38 +01:00
Frederik Wedel-Heinen
c072b0e4ba Run 70-test_tls13messages.t with dtls 
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24525)
 2025-01-09 18:03:08 +01:00
Frederik Wedel-Heinen
df46d865e2 Add support for running 70-test_tls13psk.t with dtls 
Has to be currently disabled because it fails.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24525)
 2025-01-09 17:53:42 +01:00
Frederik Wedel-Heinen
24bc207b02 Run 70-test_tls13hrr.t with dtls 
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24525)
 2025-01-09 17:53:40 +01:00
Frederik Wedel-Heinen
c8273a2a54 Run 70-test_tls13cookie.t with dtls 
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24525)
 2025-01-09 17:45:49 +01:00
Frederik Wedel-Heinen
99f00d917a Run 70-test_tls13alerts.t with dtls 
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24525)
 2025-01-09 17:45:49 +01:00
Frederik Wedel-Heinen
c979483a7b Fix an assertion failure which happens when a DTLS 1.3 client receives a HelloVerifyRequest. 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24509)
 2025-01-09 17:45:49 +01:00
Frederik Wedel-Heinen
4bfc8b46d7 Use WPACKET in dtls1_do_write() 
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24426)
 2025-01-09 17:45:49 +01:00
Frederik Wedel-Heinen
f964317a01 Place start of ClientHello correctly when calculating binder for DTLS 1.3 
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24426)
 2025-01-09 17:45:47 +01:00
Frederik Wedel-Heinen
2e9a90704f Re-enable mtu assertion which previously failed for DTLS 1.3 
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24524)
 2025-01-09 17:41:34 +01:00
Frederik Wedel-Heinen
554b56e969 Refactor code and fix a couple of missing DTLSv1.3 checks. 
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24345)
 2025-01-09 17:41:31 +01:00
Frederik Wedel-Heinen
02146a0879 Add design document for DTLS 1.3 implementation 
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23041)
 2025-01-09 17:06:56 +01:00
Frederik Wedel-Heinen
25ab23242f Run test_cookie() test with DTLS 1.3 
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24425)
 2025-01-09 17:06:56 +01:00
Frederik Wedel-Heinen
6600141962 Adds DTLSv1.3 to protocol_version.pm for additional protocol version tests. 
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23242)
 2025-01-09 17:06:56 +01:00
Frederik Wedel-Heinen
3df9414688 Continue processing cookieless client hellos for dtls1.3 
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22400)
 2025-01-09 17:06:56 +01:00
Frederik Wedel-Heinen
e5e3c15523 Fix description of version field of ssl connection struct 
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22937)
 2025-01-09 17:06:56 +01:00
Frederik Wedel-Heinen
f7553c08ca Updates SSL_CONF_cmd.pod to be explicit when features are for both TLS and DTLS 
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22363)
 2025-01-09 17:04:14 +01:00
Frederik Wedel-Heinen
5ae9809930 Update documentation for DTLS1.3 
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22363)
 2025-01-09 17:02:19 +01:00
Frederik Wedel-Heinen
7f4e2b3890 Correct traces for certificates in dtls13 
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22935)
 2025-01-09 17:02:19 +01:00
Frederik Wedel-Heinen
a4461dba43 Clear old messages from queues in order to avoid leaks of record layer objects. 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22275)
 2025-01-09 17:02:19 +01:00
Frederik Wedel-Heinen
fef3985424 Disable middlebox for dtls 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22275)
 2025-01-09 17:02:19 +01:00
Frederik Wedel-Heinen
36561a2aa0 Check that both tls1.3 and dtls1.3 is disabled before removing code from compilation path. 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22275)
 2025-01-09 17:02:19 +01:00
Frederik Wedel-Heinen
d2526d8f35 Fix test_ssl_new tests 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22275)
 2025-01-09 17:02:19 +01:00
Frederik Wedel-Heinen
d888cb8646 Run some failing tests with DTLS1.2 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22275)
 2025-01-09 17:02:19 +01:00
Frederik Wedel-Heinen
86b4c0a05f Fix renegotiation check that was added in https://github.com/openssl/openssl/pull/24161 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22275)
 2025-01-09 17:02:19 +01:00
Frederik Wedel-Heinen
eda3b4b93a Fix version check to avoid unsupported protocol error in ssl_choose_server_version() 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22275)
 2025-01-09 17:02:19 +01:00
Frederik Wedel-Heinen
5fc85f277e Update DTLS version tests 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22275)
 2025-01-09 17:02:19 +01:00
Frederik Wedel-Heinen
bc86e5b81e Remove obsolete TODO and guards for post handshake authentication in DTLS 1.3 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22275)
 2025-01-09 17:02:19 +01:00
Frederik Wedel-Heinen
9ca8f6653c Update dtls max version 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22275)
 2025-01-09 17:02:19 +01:00
Frederik Wedel-Heinen
652e4506cf Fix sanity tests for ssl_version_cmp for dtls 1.3 branch 
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24293)
 2025-01-09 17:02:19 +01:00
Frederik Wedel-Heinen
2af74c5a16 Sanity tests of inputs to ssl_version_cmp 
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24293)
 2025-01-09 17:02:19 +01:00
Frederik Wedel-Heinen
34538ecc51 Fix ssl_lib functions for dtls 1.3 
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22378)
 2025-01-09 17:02:19 +01:00
Frederik Wedel-Heinen
e41c916a22 tls_post_encryption_processing_default() and tls_validate_record_header() 
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22376)
 2025-01-09 17:02:19 +01:00