mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2025-01-30 14:01:55 +08:00
Code Issues Packages Projects Releases Wiki Activity
33,663 Commits 34 Branches 385 Tags 448 MiB
644ef0bb69
Commit Graph

5046 Commits

Author SHA1 Message Date
Matt Caswell
644ef0bb69 Add a test for receiving a post-handshake CertificateRequest 
This should result in a QUIC PROTOCOL_VIOLATION

We also add tests for a post-handshake KeyUpdate, and a NewSessionTicket
with an invalid max_early_data value.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21686)
 2023-08-15 14:41:31 +01:00
Matt Caswell
614c08c239 Add the ability to send NewSessionTicket messages when we want them 
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21686)
 2023-08-15 14:41:31 +01:00
Matt Caswell
50a0af2e41 TLS KeyUpdate messages are not allowed in QUIC 
We already disallowed the sending of TLS KeyUpdate messages. We also treat
the receipt of a TLS KeyUpdate message as an unexpected message.

RFC 9001 section 6:
Endpoints MUST treat the receipt of a TLS KeyUpdate message as a connection
error of type 0x010a, equivalent to a fatal TLS alert of unexpected_message;
see Section 4.8.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21686)
 2023-08-15 14:41:31 +01:00
Matt Caswell
04c7fb53e0 NewSessionTickets with an early_data extension must have a valid max value 
The max_early_data value must be 0xffffffff if the extension is present in
a NewSessionTicket message in QUIC. Otherwise it is a PROTOCOL_VIOLATION.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21686)
 2023-08-15 14:41:31 +01:00
Matt Caswell
0f2add9e8d Don't forget we are doing QUIC if we clear the QUIC TLS data 
We should retain the TLS1_FLAGS_QUIC setting in in s3.flags even after a
"clear" operation.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21686)
 2023-08-15 14:41:31 +01:00
Matt Caswell
b644a9323f Unexpected QUIC post-handshake CertificateRequests are a PROTOCOL_VIOLATION 
An OpenSSL QUIC client does not send the post_handshake_auth extension.
Therefore if a server sends a post-handsahke CertificateRequest then this
would be treated as a TLS protocol violation with an "unexpected message"
alert code. However RFC 9001 specifically requires us to treat this as
QUIC PROTOCOL_VIOLATION. So we have to translate the "unexpected message"
alert code in this one instance.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21686)
 2023-08-15 14:41:31 +01:00
Tomas Mraz
f7b2942c04 ssl_local.h: Define SSL_OP_CISCO_ANYCONNECT if undefined in public headers 
Fixes #21626

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/21677)
 2023-08-14 15:55:33 +02:00
Tomas Mraz
9d005bafac ossl_qrl_enc_level_set_provide_secret(): Clear el->md on error 
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/21677)
 2023-08-14 15:55:33 +02:00
Hugo Landau
f2609004df Minor fixes 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21565)
 2023-08-10 18:19:51 +01:00
Hugo Landau
89b0948e53 QUIC CHANNEL: Tune RXFC default parameters 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21565)
 2023-08-10 18:19:51 +01:00
Hugo Landau
8761efb2cc QUIC UINT_SET: Fix null dereference (coverity) 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21565)
 2023-08-10 18:19:51 +01:00
Hugo Landau
f540b6b4f6 QUIC TSERVER: Handle return value correctly (coverity) 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21565)
 2023-08-10 18:19:51 +01:00
Hugo Landau
4669a3d79b QUIC APL: Add missing unlock call (coverity) 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21565)
 2023-08-10 18:19:51 +01:00
Hugo Landau
23406e304f QUIC: Check block_until_pred return value in shutdown (coverity) 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21565)
 2023-08-10 18:19:51 +01:00
Hugo Landau
a2d4915ab2 QUIC QTX: Handle negative IV values correctly (coverity) 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21565)
 2023-08-10 18:19:51 +01:00
Hugo Landau
4d6ca88599 QUIC QTLS: Fix NULL dereference (coverity) 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21565)
 2023-08-10 18:19:51 +01:00
Hugo Landau
b538ae4fbf QUIC QRX: Handle negative IV length values correctly (coverity) 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21565)
 2023-08-10 18:19:50 +01:00
Hugo Landau
77a66117ab EVENT QUEUE: Fix memory leak (coverity) 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21565)
 2023-08-10 18:19:50 +01:00
Hugo Landau
565d2987cd QUIC FIFD: Coverity 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21565)
 2023-08-10 18:19:50 +01:00
Hugo Landau
dc5e5c51e2 QUIC UINT_SET: Fix regression after list refactor 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21565)
 2023-08-10 18:19:50 +01:00
Hugo Landau
1623bf374d QUIC TEST: STREAM, MAX_DATA and MAX_STREAM_DATA testing 
Fixes https://github.com/openssl/project/issues/76

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21565)
 2023-08-10 18:19:50 +01:00
Hugo Landau
6a2b70e21b QUIC TXP: Fix bug where TXPIM PKT could be used after free 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21565)
 2023-08-10 18:19:50 +01:00
Hugo Landau
40c8c756c8 QUIC APL/CHANNEL: Wire up connection closure reason 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21565)
 2023-08-10 18:19:45 +01:00
Hugo Landau
ed75eb32f3 QUIC TEST: Test NEW_CONN_ID frames 
Fixes https://github.com/openssl/project/issues/86

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21565)
 2023-08-10 18:19:45 +01:00
Hugo Landau
17340e8785 QUIC TEST: Ensure PING causes ACK generation 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21565)
 2023-08-10 18:19:44 +01:00
Tomas Mraz
44cb36d04a Resolve some of the TODO(QUIC) items 
For some of the items we add FUTURE/SERVER/TESTING/MULTIPATH
designation to indicate these do not need to be resolved
in QUIC MVP release.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21539)
 2023-08-08 15:58:59 +02:00
Tomas Mraz
a2ca189e27 bio_ssl.c: Support most ctrls with QUIC based BIO_SSL 
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21539)
 2023-08-08 15:57:56 +02:00
Hugo Landau
7a2bb2101b QUIC TLS: Rethink error handling 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21547)
 2023-08-08 14:33:42 +01:00
Hugo Landau
828c9c6690 QUIC: Fix nit 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21547)
 2023-08-08 14:33:42 +01:00
Hugo Landau
398922463f QUIC: Move string conversion functions into a source file 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21547)
 2023-08-08 14:33:42 +01:00
Hugo Landau
741170bef3 QUIC CHANNEL: Improve error reporting 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21547)
 2023-08-08 14:33:42 +01:00
Hugo Landau
67e72ed575 QUIC WIRE: RFC 9000 s. 19.6 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21547)
 2023-08-08 14:33:42 +01:00
Hugo Landau
098914d0b7 QUIC CHANNEL: Apply flow control to CRYPTO streams 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21547)
 2023-08-08 14:33:42 +01:00
Hugo Landau
1051b4a0b9 QUIC FC: Rename stream count mode to reflect actual function 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21547)
 2023-08-08 14:33:42 +01:00
Hugo Landau
7c793cd343 QUIC CHANNEL: Fix typo 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21547)
 2023-08-08 14:33:42 +01:00
Hugo Landau
2a6f1f2f6e QUIC QRX: Don't process 1-RTT packets until handshake is complete 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21547)
 2023-08-08 14:33:42 +01:00
Hugo Landau
0c1cc36bbb QUIC QRX: Enforce PN monotonicity with key updates 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21547)
 2023-08-08 14:33:42 +01:00
Hugo Landau
3eb0f9a702 QUIC CHANNEL, TXP: Discard INITIAL EL correctly 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21547)
 2023-08-08 14:33:42 +01:00
Hugo Landau
80bcc4f1ae QUIC TLS: Report TLS errors properly as QUIC protocol errors 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21547)
 2023-08-08 14:33:42 +01:00
Hugo Landau
3ad5711e48 QUIC CHANNEL: Send correct alert code if no TPARAMs received 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21547)
 2023-08-08 14:33:42 +01:00
Hugo Landau
c5cb85b665 QUIC TXP: Allow PATH_RESPONSE to force padding 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21547)
 2023-08-08 14:33:42 +01:00
Hugo Landau
371c29582a QUIC CFQ: Unreliable transmission for PATH_RESPONSE 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21547)
 2023-08-08 14:33:42 +01:00
Hugo Landau
7eb330ff7a QUIC: Echo PATH_CHALLENGE frames as PATH_RESPONSE frames 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21547)
 2023-08-08 14:33:42 +01:00
Pauli
bed2087487 quic compliance: 10.2.3 dropping instead of closing 
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21429)
 2023-08-04 11:55:45 +10:00
Pauli
6861f5a703 Fix type/legacy name 
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21429)
 2023-08-04 11:55:45 +10:00
Pauli
d15d5ea6a6 quic conformance: add comment about section 10.2.3 conformance 
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21429)
 2023-08-04 11:55:45 +10:00
Pauli
d11b901b0b trivial code nit 
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21429)
 2023-08-04 11:55:45 +10:00
Pauli
50e76846bf quic conformance: 10.2.1 rate limiting 
Implement the two requirements about limiting closing transmission size to
no more than thrice the received size.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21429)
 2023-08-04 11:55:45 +10:00
Pauli
afe4a7978d quic conformance: section 10.2.2 requirements 
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21429)
 2023-08-04 11:55:34 +10:00
Pauli
6b3b5f9d28 quic conformance: section 10.2.1 requirements 
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21429)
 2023-08-04 11:55:34 +10:00