Commit Graph

32516 Commits

Author SHA1 Message Date
Hugo Landau
2477e99f10 QUIC Probes Support: Minor tweaks
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19925)
2023-01-30 09:44:59 +01:00
Hugo Landau
fee8f48e35 QUIC TXP: Allow TXP to generate probes
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19925)
2023-01-30 09:44:59 +01:00
Hugo Landau
e2212b20bc QUIC ACKM: Rework probe reporting to allow use for bookkeeping
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19925)
2023-01-30 09:44:59 +01:00
Hugo Landau
8ca3baa9bd QUIC ACKM: Clarify probe types
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19925)
2023-01-30 09:42:29 +01:00
Steffen Nurpmeso
51cf034433 SSL_conf_cmd: add support for IgnoreUnexpectedEOF
CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20089)
2023-01-30 09:37:00 +01:00
Tom Cosgrove
d79bb5316e Enable AES optimisation on Apple Silicon M2-based systems
Gives a performance enhancement of 16-38%, similar to the M1.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20141)
2023-01-30 09:49:13 +11:00
Pauli
a4347a9a57 coverity 1520506: error handling
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20132)
2023-01-30 08:34:16 +11:00
Pauli
00407fbf0b coverity 1520505: error handling
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20132)
2023-01-30 08:34:16 +11:00
Tomas Mraz
6a94535725 compute_pqueue_growth(): Fix the return type
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20012)
2023-01-27 16:11:38 +01:00
Tomas Mraz
3a857b9532 Implement BIO_s_dgram_mem() reusing the BIO_s_dgram_pair() code
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20012)
2023-01-27 16:11:38 +01:00
Tomas Mraz
6e193d4d03 Revert "Give BIO_s_mem() the ability to support datagrams"
This reverts commit 5a4ba72f00.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20012)
2023-01-27 16:11:18 +01:00
Hugo Landau
ff6e3a26f9 QUIC FIN Support: Documentation fixups
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19897)
2023-01-27 14:19:15 +00:00
Hugo Landau
1d40b151e2 QUIC FIN Support: Various fixes
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19897)
2023-01-27 14:19:15 +00:00
Hugo Landau
c8e7f842b0 QUIC TSERVER: Fix probable nondeterminism in some OS network stacks
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19897)
2023-01-27 14:19:15 +00:00
Hugo Landau
522fb49dbc QUIC: Add documentation for stream and connection shutdown functions
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19897)
2023-01-27 14:19:15 +00:00
Hugo Landau
c0f694039a QUIC Test Server: Exercise end-of-stream condition on read and write
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19897)
2023-01-27 14:19:15 +00:00
Hugo Landau
a9979965bf QUIC Front End I/O API: Add support for signalling and detecting end-of-stream
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19897)
2023-01-27 14:19:15 +00:00
Hugo Landau
cf06f34727 QUIC TXP: Fix handling of FIN stream chunks
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19897)
2023-01-27 14:19:15 +00:00
Hugo Landau
e8043229ea QUIC: Refine SSL_shutdown and begin to implement SSL_shutdown_ex
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19897)
2023-01-27 14:19:14 +00:00
Tomas Mraz
d4c5d8ff48 Add notes about ignoring initialization failures on contexts
Fixes #20130

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/20136)
2023-01-27 11:04:45 +01:00
slontis
6e3b1c8173 Document that the RSA e value is mandatory when importing.
The lab tried doing a RSA decryption primitive using just n (using p, q) and d.

This failed for 2 reasons:
(1) e is required when importing
(2) Internally e is used for blinding.

Note n and e can be calculated using:
n = pq
e = (1/d) mod (p-1)(q-1)

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20133)
2023-01-26 11:04:30 +01:00
Pauli
01a17b24f6 Fix Coverity 1520485: logically dead code
The check is unnecessary as the condition is already checked
before the switch statement.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20121)
2023-01-26 10:25:33 +01:00
Christoph Müllner
45972000b4 Revert "CI: cross-compile: riscv: Add RV64 machine with Zb* and Zk*"
This reverts commit e787c57c53.

The current CI host system is Ubuntu 22.04, which ships with QEMU 6.2.
This QEMU release is too old for the required RISC-V extensions.
We would need at least QEMU 7.1 (Aug 2022) for this patch.

Let's revert the patch.

Signed-off-by: Christoph Müllner <christoph.muellner@vrull.eu>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20139)
2023-01-26 10:20:14 +01:00
Viktor Dukhovni
a4aa977d3a Clarify the change of enc -S behavior in 3.0
Fixes  #19730

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19732)
2023-01-26 10:05:22 +01:00
Dr. David von Oheimb
b02997c571 rename 90-test_traceapi.t to 90-test_trace_api.t for consistency
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18704)
2023-01-26 09:16:52 +01:00
Dr. David von Oheimb
35b76bc818 OSSL_HTTP_REQ_CTX_nbio(): use OSSL_TRACE_STRING() for msg body where it makes sense
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18704)
2023-01-26 09:16:52 +01:00
Dr. David von Oheimb
0243e82147 add OSSL_TRACE_STRING(), OSSL_TRACE_STRING_MAX, and OSSL_trace_string()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18704)
2023-01-26 09:16:51 +01:00
Niels Dossche
114d99b46b Fix incomplete checks for EVP_CIPHER_asn1_to_param
EVP_CIPHER_asn1_to_param() returns a value <= 0 in case of an error, and
a value greater than 0 in case of success. Two callsites only check for
< 0 instead of <= 0. The other callsites perform this check correctly.
Change the two callsites to <= 0. Additionally correctly handle a zero
return value from EVP_CIPHER_get_asn1_iv as success.

Fixes: #20116

CLA: trivial

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/201213)
2023-01-25 14:27:14 +00:00
Matt Caswell
e95d6e1eec Remove the user_ssl field
The user_ssl field in an SSL_CONNECTION is no longer used - so remove it.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19748)
2023-01-24 17:16:29 +00:00
Matt Caswell
4e3a55fd14 Add QUIC-TLS server support
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19748)
2023-01-24 17:16:29 +00:00
Matt Caswell
c28f1a8bb9 Remove the old Dummy Handshake code
Now that we have a real TLS handshake we no longer need the dummy handshake
implementation and it can be removed.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19748)
2023-01-24 17:16:29 +00:00
Matt Caswell
1d57dbac19 Add support for the msg_callback
Having support for the msg_callback will improve debug capabilities.

For record headers we "manufacture" dummy ones so that as far as the
callback is concerned we are doing "normal" TLS.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19748)
2023-01-24 17:16:29 +00:00
Matt Caswell
2723d705b5 Replace use of the Dummy Handshake Layer with the real one
We start using the QUIC TLS implementation rather than the dummy one.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19748)
2023-01-24 17:16:29 +00:00
Matt Caswell
19863d497d Add an initial QUIC-TLS implementation
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19748)
2023-01-24 17:16:29 +00:00
Matt Caswell
f6da3bbfb7 Add the ability to add a custom extension on an SSL object
Previously we could only do this at the SSL_CTX level. We add the ability
to also do this on an SSL - but only for internal code.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19748)
2023-01-24 17:16:29 +00:00
Matt Caswell
3f9175c7a4 Extend the new_record_layer function
Add the ability to pass the main secret and length, as well as the
digest used for the KDF.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19748)
2023-01-24 17:16:29 +00:00
Matt Caswell
bea8d70498 Add support for setting a custom TLS Record Layer
This is just an internal API for now. Something like this will be made
public API at some point - but it is likely to be based on the provider
interface rather that a direct setting of a METHOD like we do for now.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19748)
2023-01-24 17:16:29 +00:00
Matt Caswell
e5103dfc12 Remove an unneeded OSSL_RECORD_METHOD function
The reset() function was never called so it can be removed.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19748)
2023-01-24 17:16:29 +00:00
Matt Caswell
ca20f61fd7 Move recordmethod.h to be an "internal" header
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19748)
2023-01-24 17:16:29 +00:00
Matt Caswell
a7f41885b3 Create the SSL object for QUIC-TLS
The "user" SSL object which represents the QUIC connection should have an
"inner" SSL object to represent the TLS connection.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19748)
2023-01-24 17:16:29 +00:00
Dr. David von Oheimb
342e3652c7 APPS: generated certs bear X.509 V3, unless -x509v1 option of req app is given
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19271)
2023-01-24 15:16:47 +01:00
Dr. David von Oheimb
66fc90f18c apps/req.c: properly report parse errors by duplicated(); simplify the function
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19271)
2023-01-24 15:16:25 +01:00
Dr. David von Oheimb
7e0013d973 X509{,_CRL,_REVOKED}_{set,sign}*(): fix 'modified' field and return values
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19271)
2023-01-24 15:16:25 +01:00
Pauli
d8523bf162 test: note that a default property query must be included for FIPS validity
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20079)
2023-01-24 12:35:37 +00:00
Pauli
d4e105f6d5 changes entry about non-approved FIPS algorithms
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20079)
2023-01-24 12:35:37 +00:00
Pauli
8948b57494 Put X25519 and X448 back as approved algorithms
CMVP's answer when questioned about this being:

    X448 and X25519 uses Curve448 and Curve25519, respectfully, within an
    ECDH scheme.  Therefore, it is possible for a key agreement scheme
    that uses Curve448 and Curve25519 to be used in the approved mode
    and be viewed as an allowed algorithm if requirements of Scenario
    X2 of IG D.8 and IG A.2 are met (or Scenario 3 of D.F and IG C.A for
    FIPS 140-3).  The use of EdDSA in the approved mode is not permitted
    until FIPS 186-5 is published and part of CMVP guidance.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20079)
2023-01-24 12:35:36 +00:00
Pauli
8353b2dfac fips: document that the EdDSA algorithms are not-validated
Ed25519 and Ed448 are included in the FIPS 140-3 provider for
compatibility purposes but are flagged as "fips=no" to prevent their accidental
use.  This therefore requires that applications always specify the "fips=yes"
property query to enforce FIPS correctness.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20079)
2023-01-24 12:35:36 +00:00
Dr. David von Oheimb
bfd5680e6b OSSL_trace_set_channel(): add important statement that it takes BIO ownership
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19959)
2023-01-24 12:31:57 +00:00
Dr. David von Oheimb
0fec2121c0 set_trace_data(): prevent double free on OPENSSL_strdup() failure
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19959)
2023-01-24 12:31:57 +00:00
FdaSilvaYY
91b968bc8e Typos fixing
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20109)
2023-01-24 11:03:20 +00:00