Commit Graph

33734 Commits

Author SHA1 Message Date
Tomas Mraz
975f372a6f Revert "drop! Make failing tests run on pull request to test"
This reverts commit 86051eb2bb.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21843)
2023-08-25 13:39:09 +02:00
Tomas Mraz
597ff76e28 Revert "drop! Make OS Zoo on pull request to test"
This reverts commit 467e5c1fb7.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21843)
2023-08-25 13:39:07 +02:00
Tomas Mraz
56562c472a 80-test_cmp_http.t: Skip IPv6 address test if IPv6 is unavailable
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/21825)
2023-08-25 12:05:34 +01:00
Tomas Mraz
467e5c1fb7 drop! Make OS Zoo on pull request to test
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/21825)
2023-08-25 12:05:34 +01:00
Tomas Mraz
7a12e7af0f The canonical localhost IPv6 address is [::1] not [::]
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/21825)
2023-08-25 12:05:34 +01:00
Tomas Mraz
eb1eaa9af4 Always use uint8_t for TLS record type
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21823)
2023-08-25 12:04:00 +01:00
Tomas Mraz
86051eb2bb drop! Make failing tests run on pull request to test
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21823)
2023-08-25 12:04:00 +01:00
Tomas Mraz
d848520afe ch_init(): Add braces to appease older clang compilers
They produce a warning `suggest braces around initialization of subobject`
otherwise.

Add -Wno-missing-braces to silence old clang compilers

And drop unnecessary braces in zeroing initializers.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21823)
2023-08-25 12:03:54 +01:00
Tomas Mraz
5ad3cc1928 quic_tls.c: Fix wrong format string when raising error
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21823)
2023-08-25 12:03:46 +01:00
Tomas Mraz
1cc8c53b0f Avoid issues with endianness when type is used in SSL_trace()
The TLS record type is a single byte value so we can
use uint8_t for it. This allows passing its address
directly to SSL_trace() instead of converting it to
a single byte type first.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21823)
2023-08-25 12:03:46 +01:00
Matt Caswell
675481ee7a Add a link to the multi-stream QUIC client tutorial from the introduction
We've added a new page to the guide so we should add a link to it.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21765)
2023-08-25 11:42:51 +01:00
Matt Caswell
02e36ed352 Update demos/tutorial to distinguish between stream and connection errors
We can use SSL_get_stream_read_state() to distinguish these cases.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21765)
2023-08-25 11:42:51 +01:00
Matt Caswell
a855ee8576 Clarify SSL_accept_stream/SSL_new_stream behaviour with a default stream
Explain what happens if you call those functions and there is no default
stream present yet.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21765)
2023-08-25 11:42:51 +01:00
Matt Caswell
8d74a13160 Add some additional comments to the demos
Add some additional explanation for some code lines in the demos that did
not have a comment.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21765)
2023-08-25 11:42:51 +01:00
Matt Caswell
4a5ba9ae13 Provide introduction/tutorial page for QUIC multi-stream
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21765)
2023-08-25 11:42:51 +01:00
Matt Caswell
f6225f4f69 Update quicserver to be able to handle multiple streams
We extend quicserver so that it can handle multiple requests with an
HTTP request on each one. If a uni-directional stream comes in we create
a uni-directional stream for the response

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21765)
2023-08-25 11:42:51 +01:00
Matt Caswell
584140fa4b Add a QUIC multi-stream client demo
Demonstrate how to use the QUIC multi-stream APIs with a simple blocking
client.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21765)
2023-08-25 11:42:51 +01:00
Matt Caswell
344ae0f39a Add an initial guide page for writing a multi-stream QUIC client
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21765)
2023-08-25 11:42:51 +01:00
Matt Caswell
306101e5d9 Update some links within the guide to not use crypto(7)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21765)
2023-08-25 11:42:51 +01:00
Matt Caswell
b7f3d5d67d Update the desciption of shutdown in the QUIC client blocking tutorial
Give a better description of the shutdown process in QUIC.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21765)
2023-08-25 11:42:51 +01:00
Matt Caswell
8c5284ff19 Test that we send multiple datagrams in one go if appropriate
If we have enough data for more than one datagram then we should send more
than one datagram

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21798)
2023-08-25 08:42:39 +02:00
Matt Caswell
0b31072e08 Don't keep creating CONNECTION_CLOSE frames
If we want to send a CONNECTION_CLOSE frame then one is enough unless we
are scheduled to send another one. Now that we can create more than one
datagram in one go this is now required.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21798)
2023-08-25 08:42:39 +02:00
Matt Caswell
aa433014bb Keep sending datagrams while we have data to send
If we've got more data to send than will fit in a single datagram we should
keep generating those datagrams until we've sent it all.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21798)
2023-08-25 08:42:39 +02:00
Ingo Franzki
e2972982c6 Allow RSA-PSS also in EVP_PKEY_assign() and EVP_PKEY_can_sign()
Treat keys with EVP_PKEY_RSA_PSS the same as EVP_PKEY_RSA in EVP_PKEY_can_sign()
and detect_foreign_key() which is called by EVP_PKEY_assign().

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21819)
2023-08-24 18:07:08 +02:00
Ingo Franzki
cf712830b7 ctrl_params_translate: Allow get_rsa_payload_x() also for RSA-PSS
The get_rsa_payload_x() functions should also allow to get the payload
for RSA-PSS keys.

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21818)
2023-08-24 16:11:38 +02:00
Ingo Franzki
e2c2cca4b2 ctrl_params_translate: Allow RSA controls also for RSA-PSS
Controls 'rsa_keygen_pubexp' and 'rsa_keygen_primes' should also be allowed
for RSA-PSS keys.

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21818)
2023-08-24 16:11:38 +02:00
Jakub Jelen
de4661b237 doc: Avoid usage of non-existing constant
CLA: trivial

Fixes: #21809

Signed-off-by: Jakub Jelen <jjelen@redhat.com>

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21817)
2023-08-24 16:05:38 +02:00
Xu Yizhou
6399d7856c Optimize SM2 on aarch64
Signed-off-by: Xu Yizhou <xuyizhou1@huawei.com>

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20754)
2023-08-24 14:57:35 +02:00
Hugo Landau
ce7a9e23fb QUIC: Rename SSL_set_initial_peer_addr to SSL_set1_initial_peer_addr
Fixes #21701

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21814)
2023-08-24 11:47:57 +01:00
Matt Caswell
f430713c8c Add a -trace option to quicserver to enable tracing of the communication
Trace output of the communication with the client is dumped to stderr if
the -trace options is supplied

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21800)
2023-08-24 10:33:58 +01:00
Matt Caswell
cb93128873 Add the ability to set SSL_trace as the msg_callback in tserver
This is useful for debugging purposes. The standard SSL_trace msgcallback
can be used with tserver.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21800)
2023-08-24 10:33:58 +01:00
olszomal
5ffad4bad9 Fixed default value of the "ess_cert_id_alg" option in man openssl-ts(1)
CLA: trivial

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21805)
2023-08-24 10:45:46 +02:00
Matt Caswell
84a149254f Change the TLS handshake keys early if we're not doing early data
We change the client TLS handshake keys as late as possible so that we
don't disturb the keys if we are writing early data. However for QUIC we
want to do this as early as possible (after ServerHello). Since we will
never do TLS early data with QUIC we just do it as early as possible if
early data is not being used.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21810)
2023-08-24 07:43:13 +01:00
Matthias St. Pierre
27315a978e doc: add the migration guide to the new guide series
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21807)
2023-08-23 18:17:53 +01:00
Tomas Mraz
7542bdbff7 Update CHANGES.md and NEWS.md for the upcoming 3.2 release
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21802)
2023-08-23 17:42:12 +02:00
Tomas Mraz
8ee3ee10e3 quic_impl.c: Add QUIC_RAISE_NON_IO_ERROR() and use it
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21700)
2023-08-23 17:18:48 +02:00
Tomas Mraz
64fd69911e ossl_quic_tx_packetiser_generate(): Always report if packets were sent
Even in case of later failure we need to flush
the previous packets.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21700)
2023-08-23 17:18:48 +02:00
Tomas Mraz
96014840b6 QUIC: Miscellaneous error handling updates
Raise errors when appropriate.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21700)
2023-08-23 17:18:48 +02:00
Tomas Mraz
cb19528b93 QUIC: Add ERR_raise() calls for EVP call failures
This improves tracking where the failure was triggered.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21700)
2023-08-23 17:18:48 +02:00
Tomas Mraz
68b9a32aa3 Remove TODO(QUIC) about raising errors from ossl_quic_tls_tick()
This was already resolved by https://github.com/openssl/openssl/pull/21547

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21700)
2023-08-23 17:18:39 +02:00
Matt Caswell
8ef63b6ff8 Fix a leak in ossl_encode_ctx_setup_for_pkey
Make sure we free the stack of names we allocated in an error path.

Found by the reproducible error patch in #21668

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/21796)
2023-08-23 16:01:30 +01:00
Tomas Mraz
617cab094f qtest: Use fake time on both client and server
And use QTEST_FLAG_FAKE_TIME with test_ssl_trace().

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21713)
2023-08-22 12:31:46 +02:00
Tomas Mraz
608a95f496 qtest: Run both client and server during connect
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21713)
2023-08-22 12:31:46 +02:00
Tomas Mraz
8fd32a0eda QUIC: Update ping deadline when we receive a packet
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21713)
2023-08-22 12:31:46 +02:00
Tomas Mraz
604a607222 quic_trace.c: Fix typo in traces
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21713)
2023-08-22 12:31:46 +02:00
Tomas Mraz
b7278eea44 Update the ssltraceref.txt
Also adds saving the new trace to ssltraceref-new.txt in
test-runs which can be handy when the trace changes and
needs to be updated.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21713)
2023-08-22 12:31:46 +02:00
Tomas Mraz
b6125b54ed QUIC: Do not discard the INITIAL el too early
RFC says that successful decryption of HANDSHAKE el packet
triggers the discard on server side only.

On client we discard INITIAL el when we successfully send
a HANDSHAKE packet.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21713)
2023-08-22 12:31:46 +02:00
Frederik Wedel-Heinen
c2a8226cba Updates documentation of RC4_CHAR and RC4_INT: Should not be used for new configuration targets
Fixes: #21358

CLA: trivial

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21391)
2023-08-20 13:32:50 +02:00
Matt Caswell
0fa6612ed6 Test that a thread blocking in SSL_read_ex() will wake up on FIN
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21780)
2023-08-20 13:28:33 +02:00
Matt Caswell
72622c0b96 Handle the case where the read buffer is empty but we have received FIN
In some cases where a FIN has been received but with no data quic_read_actual
was failing to raise SSL_ERROR_ZERO_RETURN. This meant that we could end up
blocking in SSL_read(_ex) for too long.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21780)
2023-08-20 13:28:33 +02:00