The CWM might prevent a stream from being writeable. We should not report
a stream as writeable if there is no credit.
Fixes#27312
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27319)
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27264)
We use the same extension-parsing function on server and client
for convenience, but while the server might worry about tracking
what was previously received and not overwriting it, on the client
receiving a request for post-handshake authentication, we always
want to use the values from the current extension (and should
always have a new session object that we are free to mutate).
It is somewhat unclear whether the server also needs the check
for a resumed connection; it appears to have been added back in
2015 in commit 062178678f5374b09f00d70796f6e692e8775aca as part
of a broad pass to handle extensions on resumption, but without
specific documentation of each extension's handling.
Fixes: #10370
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24651)
- Tolerate RSA PKCS#1 *certificate* signatures when
the peer sigals include RSA PSS with the same digest.
Now that we're more strict about not sending sigalgs that are out of
protocol range, when the client supports TLS 1.3 only, we might refuse
to return an RSA PKCS#1-signed cert.
- Don't send TLS 1.3 sigalgs when requesting client certs from
a TLS 1.2 client.
Fixes: #1144Fixes: #25277
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27166)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27175)
Used RAND_priv_bytes_ex instead of RAND_bytes_ex to guarantee higher isolation
for cryptographic keys.
Replaced OPENSSL_free with OPENSSL_clear_free to wipe sensitive data and free
it.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
(Merged from https://github.com/openssl/openssl/pull/27029)
The OSSL_RECORD_LAYER needs to be properly freed when return code isnt success.
Memory leak fix
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27111)
We want to skip up to PACKET_remaining() and not "at least"
PACKET_remaining() bytes.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27138)
On the server side we were changing the handshake rx secret a little late.
This meant the application was forced to call SSL_do_handshake() again
even if there was nothing to read in order to get the secret. We move it
a little earlier int the process to avoid this.
Fixes the issue described in:
https://github.com/ngtcp2/ngtcp2/pull/1582#issuecomment-2735950083
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27101)
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27091)
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27091)
During SSL_free() we may get a QUIC TLS callback being called to clean up
any remaining record data. We should ensure that SSL_get_app_data()
continues to work, even in this scenario.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27091)
In a failure situation we may incorrectly decrement the amount of data
released. Only decrement the counter if we successfully released.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27091)
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26991)
- The default sigalg list now puts ML-DSA-65 first, then ML-DSA-87
and then ML-DSA-44. (87 vs. 44 Subject to bikeshedding).
- The mintls and maxtls versions are now taken into account for
both built-in and provided algorithms.
- Some algorithms have a separate TLSv1.2-specific name for future
reporting via openssl-list(1).
- ML-DSA aside, any new provided algorithms go at the end of the
default list (backwards-compatible inclusion).
- The built-in algorithms now also have min/max DTLS versions.
Though the provider TLS-SIGALG capability was extended to also report
the DTLS version range, the minimum supported DTLS is 1.3, which we
don't yet have, so it is not yet possible to add DTLS sigalgs via a
provider
- The TLS 1.3 brainpool sigalgs got their correct IANA names, with
the legacy names as purported TLS 1.2 alternatives, but since
these are for TLS 1.3 and up those names are for matching only,
the reported value will still be the 1.3 name.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26975)
It may occur that the qrx we allocate in port_default_packet handler to
do AEAD validation isn't the one the channel ultimately uses (like if we
turn off address validation). In that event, we need to ensure that
anything we have on that qrx isn't returned to its free list to avoid
early freeing when we free the qrx at the end of
port_default_packet_handler, while those frames are still pending on the
channel qrx
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27004)
With the addition of larger client hellos, stemming from the use of
larger PQC key shares, it may happen that we get a client hello accross
multiple datagrams. Normally this is not a problem as
port_default_packet_handler allocates a qrx and initializes its initial
secret immediately. But if server address validation is disabled, then
the channel creates the qrx in port_bind_channel itself, without initial
secrets. As a result, we validate the first datagram in
port_default_packet_handler, but the subsequent datagrams containing the
remaining client hello fragments fail decode.
Fix it by ensuring that we add the initial secret in port_bind_channel
if we don't give it a preconfigured qrx
Fixesopenssl/project#1131
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27006)
Windows XP doesn't support setting socket handles to be non-inheritable,
but the rio_notifier attempts to do so. WSASocketA will there return
an error when the NO_INHERIT flag is set. In that case, just retry the
call without the flag.
Fixes#26943
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26970)
The change checks for all HTTP methods in ssl_record, not only GET, POST,
PUT and HEAD. (additionally PATCH, DELETE, OPTIONS and TRACE)
CLA: trivial
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26968)
AIX (at least for 7.1) defines some macros for "events" and "revents" which
interferes with our own use of these names.
Fixes#24236
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26933)
We move ssl_err.c out of libssl and into libcrypto. This file is entirely
self contained and is used to load error strings into the libcrypto error
tables. By moving this file into libcrypto, libssl can be unloaded safely
without having dangling references to this error information.
Fixes#26672
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26931)
From RFC 8446:
Note: TLS defines two generic alerts (see Section 6) to use upon
failure to parse a message. Peers which receive a message which
cannot be parsed according to the syntax (e.g., have a length
extending beyond the message boundary or contain an out-of-range
length) MUST terminate the connection with a "decode_error" alert.
Peers which receive a message which is syntactically correct but
semantically invalid (e.g., a DHE share of p - 1, or an invalid enum)
MUST terminate the connection with an "illegal_parameter" alert.
A zero length cipher suite list I think is considered out of range, and
so we should return "decode_error" rather than "illegal_parameter"
Fixes#25309
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26781)
This issue was discoevered while I was testing SSL_new_from_listener()
using a newly created unit test. It has turned out the QUIC stack
at few places contain pattern as follows:
foo(QUIC_WHATEVER *q, BIO_ADDR *a)
{
q->a = *a;
}
The problem is that derefencning a that way is risky. If the address `a`
comes from BIO_lookup_ex() it may actually be shorter than sizeof(BIO_ADDR).
Using BIO_ADDR_copy() is the right thing to do here.
Fixes#26241
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26252)
It is no longer static.
Also add it to libssl only with quic enabled.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26882)
Do not raise ERR_LIB_CONF codes from libssl.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26801)
Of course TLS-1.3 won't be usable with such configuration.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26801)
- send two key shares by default
- trim down the list of default groups
The default TLS group list setting is now:
?*X25519MLKEM768 / ?*X25519:?secp256r1 / ?X448:?secp384r1:?secp521r1 / ?ffdhe2048:?ffdhe3072
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26801)
The interoperability tests disable client ip address
validation done by RETRY packet. All tests done in CI
take code path which sends a retry packet.
The first initial packet sent by client uses a different
initial encryption level keys to protect packet integrity.
The keys are derived from DCID chosen by client.
When server accepts connection on behalf of initial packet,
the 'DCID' gets changed which means the initial level encryption keys
are changing too. So when server skips sending a retry packet,
it must forget the qrx which was used to validate initial
packet sent by client.
Forgetting qrx is not straightforward, we must salvage the
unencrypted packets left there after they were validated.
Those unencrypted packets must be injected to newly created channel.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26808)
We let port to create qrx object and use it for
packet validation. If packet validates, we then
create channel and pass pre-created qrx to channel's
constructor.
Co-authored-by: Andrew Dinh <andrewd@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26808)
SHARED_SOURCE doesn't pull in siphash if its disabled in the
configuration leading to undefined symbols, which we need for quic.
If siphash is disabled in the build, then pull it in via a SOURCE
addition, otherwise pull it in via SHARED_SOURCE
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26874)
In preparation for using siphash in our hash function
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26849)
This is in preparation for using siphash to compute lcidm hash table
values
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26849)
The TLS EndOfEarlyData message is not applicable in some scenarios (e.g., QUIC).
This adds a macro to handle this message.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26552)
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26819)
quic interop testing showed that interop with the mvfst client was
failing, due to detecting mis ordering of supported groups and keyshare
extensions
This is strictly a mvfst problem to fix, but RFC 8446 indicates that we
MAY check the ordering but don't strictly have to.
We've opened an issue with the client to fix this, but in the interests
of client compatibility relax the ordering check so that, instead of
issuing a fatal alert, we just log a trace message indicating the
discrepancy
Fixesopenssl/project#1106
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26818)
