Commit Graph

33391 Commits

Author SHA1 Message Date
Rajeev Ranjan
1d32ec20fe CMP: support specifying certificate to be revoked via issuer and serial number
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/21116)
2023-07-10 08:03:38 +02:00
Hugo Landau
780b252747 QUIC APL: Tick on SSL_read failure in non-blocking mode
...

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21381)
2023-07-10 09:09:30 +10:00
Tomas Mraz
bd38c6b61b Edit question template to direct users to GH Discussions
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21393)
2023-07-10 09:08:04 +10:00
Pauli
dc6f3b9b8d fips: make installations FIPS compliant by default
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/21363)
2023-07-09 16:27:22 +10:00
Tomas Mraz
0345cac6d2 QUIC err handling: Add multi-stream test
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21087)
2023-07-07 15:13:29 +02:00
Tomas Mraz
ff0de1637b Test OSSL_ERR_STATE_save/restore()
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21087)
2023-07-07 15:13:29 +02:00
Tomas Mraz
9c3ea4e1d7 QUIC err handling: Save and restore error state
We save the error state from the thread that encountered
a permanent error condition caused by system or internal
error to the QUIC_CHANNEL.

Then we restore it whenever we are returning to a user
call when protocol is shutdown.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21087)
2023-07-07 15:13:29 +02:00
Tomas Mraz
5c3474ea56 QUIC err handling: Properly report network errors
We return SSL_ERROR_SYSCALL when network error is encountered.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21087)
2023-07-07 15:13:29 +02:00
Hugo Landau
76696a5413 QUIC: Fix multistream script 19 stochastic test failure
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21379)
2023-07-07 09:03:25 +01:00
atishkov
926601dc0f Remove unused internal functions
CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21329)
2023-07-07 13:01:50 +10:00
Matt Caswell
61cc84d9f9 Don't build the QUIC ssl trace when DH is disabled
The test assumes certain options are on/off. DH must be on for this test.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/21373)
2023-07-06 12:11:11 +01:00
Matt Caswell
47ef3b9fc0 Don't run the ssl trace test if no-ecx
no-ecx causes SSL_trace to give different output. The test compares
the output to a reference sample - so we disable it in the case of no-ecx.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/21372)
2023-07-06 11:17:11 +01:00
Matt Caswell
c3832d79db Fix a no-ecx failure in test_tls13hrr
In the case of no-ecx test 3 in test_tls13hrr was failing because it was
setting the server side support groups to on P-256 in order to induce an
HRR. However with no-ecx the client insteads issues an initial key share
using P-256 anyway and so an HRR is not used. We swap to use P-384 instead.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/21372)
2023-07-06 11:17:11 +01:00
Matt Caswell
f9fcc7c727 Allow qtestlib to use a "fake_now" implementation
We then use it in test_corrupted_data() to remove an OSSL_sleep() which
may fail in some builds.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21332)
2023-07-06 12:55:21 +10:00
Matt Caswell
d001006e50 Work around relocation errors in the m68k cross-compilation builds
Errors such as this seen:

libssl.a(libssl-lib-ssl_stat.o): in function `SSL_alert_desc_string_long':
ssl_stat.c:(.text+0xab2): relocation truncated to fit: R_68K_GOT16O against `.LC157'
test/libtestutil.a(libtestutil-lib-opt.o): in function `opt_pair':
opt.c:(.text+0x10b2): relocation truncated to fit: R_68K_GOT16O against `.LC53'
test/libtestutil.a(libtestutil-lib-opt.o): in function `opt_string':
opt.c:(.text+0x113c): relocation truncated to fit: R_68K_GOT16O against `.LC53'
libcrypto.a(libcrypto-lib-decoder_lib.o): in function `OSSL_DECODER_CTX_set_construct_data':
decoder_lib.c:(.text+0x5a4): relocation truncated to fit: R_68K_GOT16O against `__func__.2'
libcrypto.a(libcrypto-lib-decoder_pkey.o): in function `ossl_decoder_ctx_setup_for_pkey':
decoder_pkey.c:(.text+0x6c2): relocation truncated to fit: R_68K_GOT16O against `decoder_construct_pkey'
libcrypto.a(libcrypto-lib-tb_dsa.o): in function `ENGINE_register_DSA':
tb_dsa.c:(.text+0x5e): relocation truncated to fit: R_68K_GOT16O against `dummy_nid'
libcrypto.a(libcrypto-lib-tb_dsa.o): in function `ENGINE_set_default_DSA':
tb_dsa.c:(.text+0xc4): relocation truncated to fit: R_68K_GOT16O against `dummy_nid'
libcrypto.a(libcrypto-lib-asymcipher.o): in function `.L18':
asymcipher.c:(.text+0x168): relocation truncated to fit: R_68K_GOT16O against `__func__.0'
asymcipher.c:(.text+0x2e8): relocation truncated to fit: R_68K_GOT16O against `__func__.0'
asymcipher.c:(.text+0x33e): relocation truncated to fit: R_68K_GOT16O against `__func__.0'
libcrypto.a(libcrypto-lib-digest.o): in function `EVP_MD_CTX_ctrl':
digest.c:(.text+0xa52): additional relocation overflows omitted from the output
collect2: error: ld returned 1 exit status

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21332)
2023-07-06 12:55:21 +10:00
Matt Caswell
4890f1f752 Fix no-thread-pool building
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21332)
2023-07-06 12:55:21 +10:00
Matt Caswell
1be2ee683c Skip the QUIC ssltrace test under certain config options
Various options disturb the output expected from the ssl trace test, so we
skip it if necessary.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21332)
2023-07-06 12:55:21 +10:00
Matt Caswell
0cea6df239 Use %llx not %lx for uint64_t
Some compilers don't like %lx

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21332)
2023-07-06 12:55:21 +10:00
Matt Caswell
1a2a0e1dc8 Don't compile quic_thread_assist.c on OPENSSL_NO_QUIC_THREAD_ASSIST
If OPENSSL_NO_QUIC_THREAD_ASSIST is defined then we don't have the right
support for QUIC thread assisted mode so don't attempt to compile that
code.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21332)
2023-07-06 12:55:21 +10:00
Matt Caswell
0e94bba0df Disable QUIC if TLSv1.3 is disabled
QUIC depends on TLSv1.3, so if the latter is disabled then we must do
the same for QUIC.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21332)
2023-07-06 12:55:21 +10:00
Matt Caswell
8a76420238 Enable QUIC by default
Ensure builds enable QUIC without explicitly having to ask for it. To
disable QUIC pass "no-quic" to Configure.

As a result we can remove all use of "enable-quic" from the various CI
runs.

We also add a CHANGES and NEWS entry for QUIC support.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21332)
2023-07-06 12:55:21 +10:00
Marcin Kolny
d88a0f5f39 Add limited support for WebAssembly WASI target
CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21344)
2023-07-06 12:54:17 +10:00
Heiko Stuebner
3e76b38852 riscv: Clarify dual-licensing wording for GCM and AES
The original text for the Apache + BSD dual licensing for riscv GCM and AES
perlasm was taken from other openSSL users like crypto/crypto/LPdir_unix.c .

Though Eric pointed out that the dual-licensing text could be read in a
way negating the second license [0] and suggested to clarify the text
even more.

So do this here for all of the GCM, AES and shared riscv.pm .

We already had the agreement of all involved developers for the actual
dual licensing in [0] and [1], so this is only a better clarification
for this.

[0] https://github.com/openssl/openssl/pull/20649#issuecomment-1589558790
[1] https://github.com/openssl/openssl/pull/21018

Signed-off-by: Heiko Stuebner <heiko.stuebner@vrull.eu>

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21357)
2023-07-06 12:53:27 +10:00
Hugo Landau
db2f98c4eb Rework options handling
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20061)
2023-07-05 09:03:04 +10:00
Hugo Landau
9562842b33 Simplify QUIC API masking
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20061)
2023-07-05 09:03:04 +10:00
Hugo Landau
18ca1c8fc0 Update SSL options handling
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20061)
2023-07-05 09:03:04 +10:00
Hugo Landau
6e5550a104 Minor updates
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20061)
2023-07-05 09:03:04 +10:00
Hugo Landau
9289e59c95 QUIC: Fix multistream test 19
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20061)
2023-07-05 09:03:04 +10:00
Hugo Landau
5a75ef37e9 make update
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20061)
2023-07-05 09:03:04 +10:00
Hugo Landau
3f7b67fb21 Remove unused server code
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20061)
2023-07-05 09:03:04 +10:00
Hugo Landau
d6e7ebba33 Minor fixes
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20061)
2023-07-05 09:03:04 +10:00
Hugo Landau
5f69db396c QUIC SSL: Block SSL_clear
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20061)
2023-07-05 09:02:27 +10:00
Hugo Landau
764817c4aa QUIC SSL: Block SSL_dup
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20061)
2023-07-05 09:02:27 +10:00
Hugo Landau
f66f0d3ce1 QUIC SSL: SSL_set_quiet_shutdown
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20061)
2023-07-05 09:02:27 +10:00
Hugo Landau
3ea30e76d7 QUIC SSL: Restrict SSL_CTX_set_ssl_version, SSL_set_ssl_method
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20061)
2023-07-05 09:02:27 +10:00
Hugo Landau
0eecf8418a QUIC SSL: Version setting restrictions
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20061)
2023-07-05 09:02:26 +10:00
Hugo Landau
38c0ff1f40 QUIC SSL: Forbid pipeline-related operations
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20061)
2023-07-05 09:02:26 +10:00
Hugo Landau
5e6015af4d QUIC SSL: SSL_set_fd for BIO_s_datagram
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20061)
2023-07-05 09:02:26 +10:00
Hugo Landau
a1c56bbe79 QUIC SSL: HelloRetryRequest
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20061)
2023-07-05 09:02:26 +10:00
Hugo Landau
fe33e2c8c1 QUIC SSL: Buffer Management
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20061)
2023-07-05 09:02:26 +10:00
Hugo Landau
82a2becab3 QUIC SSL: Prohibit early data functionailty
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20061)
2023-07-05 09:02:26 +10:00
Hugo Landau
d0638fd5f0 QUIC SSL: Prohibit readahead-related functions
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20061)
2023-07-05 09:02:26 +10:00
Hugo Landau
9280d26a3a QUIC: Implement SSL_has_pending
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20061)
2023-07-05 09:02:26 +10:00
Hugo Landau
9ea0e72992 QUIC: Implement SSL_rstate_string(_long)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20061)
2023-07-05 09:02:26 +10:00
Hugo Landau
7163617f33 QUIC: Prohibit post-handshake auth
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20061)
2023-07-05 09:02:26 +10:00
Hugo Landau
f0d9757caf QUIC: Control SSL option setting
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20061)
2023-07-05 09:02:26 +10:00
Hugo Landau
68dbff4c04 QUIC: Forbid NPN
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20061)
2023-07-05 09:02:26 +10:00
Hugo Landau
09d56d20a2 QUIC: Forbid non-QUIC ciphers
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20061)
2023-07-05 09:02:26 +10:00
Hugo Landau
f082205bcf QUIC TLS: Prohibit SRTP-related calls for QUIC TLS
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20061)
2023-07-05 09:02:26 +10:00
Hugo Landau
43788fb3ac QUIC SSL Behaviours: Allow detection of an SSL connection used for QUIC handshake
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20061)
2023-07-05 09:02:26 +10:00