Matt Caswell [Wed, 10 Aug 2022 14:31:00 +0000 (15:31 +0100)]
Fix usage of custom EVP_CIPHER objects
If a custom EVP_CIPHER object has been passed to EVP_CipherInit() then it
should be used in preference to a fetched cipher.
We also fix a possible NULL pointer deref in the same code for digests.
If the custom cipher passed to EVP_CipherInit() happens to use NID_undef
(which should be a discouraged practice), then in the previous
implementation this could result in the NULL cipher being fetched and
hence NULL encryption being unexpectedly used.
CVE-2022-3358
Fixes #18970
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19300)
References: draft-ietf-sidrops-signed-tal
Title: "RPKI Signed Object for Trust Anchor Key"
OID permanently assigned under 'SMI Security for S/MIME CMS Content Type (1.2.840.113549.1.9.16.1)'
https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#security-smime-1
CLA: trivial
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19221)
The IRIX mips64-cpu, n32-abi configurations include SIXTY_FOUR_BIT in bn_ops,
but it is missing from mips64*-linux-*abin32 (which OpenSSL calls
"linux-mips64"). This causes heap corruption when verifying TLS certificates
(which tend to be RSA-signed) with openssl 1.1.1q:
Applying this patch and recompiling produces the expected output instead of a
crash.
Note that Gentoo (and to my knowledge all other distributions which
support mips64n32) use the `linux-generic32` configuration, which uses only
32-bit arithmetic (rather than full 64-bit arithmetic) and lacks assembler
implementations for the SHA hash functions:
For support in nixpkgs we would like to use the full 64-bit integer registers
and perlasm routines, so I'm submitting this upstream as well.
Fixes #19319
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19320)
Graham Woodward [Tue, 27 Sep 2022 12:21:10 +0000 (13:21 +0100)]
Fix missing null check
Don't add 1 if strchr returns NULL
PR update
Fixes #19279
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19282)
ERR: replace remnant ECerr() and EVPerr() calls in crypto/
except those throwing ERR_R_MALLOC_FAILURE
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19302)
Makefile: Add check-format target, operating on all .c sources and crypto+ssl headers
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/15913)
Makefile: Exclude dummy header asn1_mac.h from CRYPTOHEADERS
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/15913)
Makefile: Update but disable 'lint' target, using splint with some quirks
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/15913)
Makefile: Add SRCS list of all .c (and any .cc and .cpp) files
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/15913)
80-test_cmp_http.t: some generalizations and minor improvements of diagnostic output
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18895)
Richard Levitte [Tue, 27 Sep 2022 16:51:57 +0000 (18:51 +0200)]
OpenSSL::config: Fix trivial bugs
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19285)
Richard Levitte [Tue, 27 Sep 2022 16:57:35 +0000 (18:57 +0200)]
OpenSSL::config: Fix VMS guesses
The MACHINE value from POSIX::uname() isn't trustworthy at all.
MACHINE names like this have been seen:
_HP__VMM___(1.67GHz/9.0MB)
Perl's `$Config{archname}` is much more trustworthy, especially since
VMS isn't a multiarch operating system, at least yet.
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19285)
Richard Levitte [Tue, 27 Sep 2022 16:31:15 +0000 (18:31 +0200)]
OpenSSL::config: determine the MSVC target architecture by asking cl
Since cl knows what architecture it builds for, all depending on what
the user set up, it makes sense to ask it, and use that result primarily,
and only use the POSIX::uname() MACHINE value as a fallback.
Also, this does indeed determine if cl is present or not.
We drop the explicit names in .github/workflows/windows.yml as proof
of concept.
Fixes #19281
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19285)
We don't have <complex.h> on djgpp, so this entire test can be skipped.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19286)
djgpp: Set TZ=UTC to convert UTC timestamp to time_t
Since djgpp has neither a timezone variable nor timegm(), this horrible
method must be used. It is the only one I could find that produces
accurate results, and is recommended as a portable alternative to
timegm() by the GNU libc manual. Reference:
This works due to the fact that mktime() populates the tm_gmtoff and
tm_isdst fields in the source timestamp. It is accurate everywhere in
the world, *except* on Lord Howe Island, Australia, where a 30 minute
DST offset is used.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19274)
djgpp: Define WATT32_NO_OLDIES before including socket headers
If this macro is left undefined, Watt-32 will "helpfully" declare some
typedefs such as 'byte' and 'word' in the global namespace. This broke
compilation of apps/s_client.c.
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19274)
This part failed to compile due to a circular dependency between
internal/e_os.h and internal/time.h, when ossl_sleep() falls back to a
busy wait. However, djgpp has a usleep function, so it can use the
regular Unix version of ossl_sleep().
It's not great though. The resolution is only ~55ms, and it may break
when a user program hooks the timer interrupt without periodically
updating BIOS time. A high-resolution alternative is uclock(), but
that is generally less desirable since it reprograms the system timer.
The circular dependency is still there and may still cause trouble for
other platforms.
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19274)
Build failed on djgpp due to missing config vars 'AR' and 'ARFLAGS'.
Additionally, '-lz' was not added to 'lflags' when zlib support was
enabled. Inheriting configuration variables from BASE_unix solves both
these issues.
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19274)
Juergen Christ [Mon, 29 Aug 2022 15:05:41 +0000 (17:05 +0200)]
apps/speed.c: Lock buffer in memory
Lock the buffers used for throughput measurements into memory. This removes
some side effects of paging.
Errors from the memory locking functions are ignored since they are not
critical to the application.
This feature is limited to Linux and Windows.
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19091)
test/trace_api_test.c: fix gcc error on -Werror=strict-prototypes
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19277)
Tomas Mraz [Tue, 27 Sep 2022 15:50:35 +0000 (17:50 +0200)]
dgram_pair_read_inner(): Do not move buf pointer if it is NULL
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19284)
Tomas Mraz [Tue, 27 Sep 2022 15:39:01 +0000 (17:39 +0200)]
A static const variable is implicitly zero initialized
Older clang versions complain about the explicit initializer
because the first member of the struct is a struct.
But it is not necessary to explicitly initialize it anyway.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19284)
Newly computed traffic secrets are now logged upon key update
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19241)
The IKM was not respected by the s390x specific implementations of X25519 and
X448 keygen. This caused test failures and wrong results if the PCC
instruction was actually available and supported X25519 and/or X448.
Fixes: 78c44b05945b ("Add HPKE DHKEM provider support for EC, X25519 and X448.") Signed-off-by: Juergen Christ <jchrist@linux.ibm.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19278)
Hugo Landau [Mon, 22 Aug 2022 14:32:16 +0000 (15:32 +0100)]
QUIC Flow Control
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19040)
Todd Short [Wed, 21 Sep 2022 18:06:23 +0000 (14:06 -0400)]
Add documentation for the OPENSSL_gmtime functions
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19257)
Richard Levitte [Tue, 6 Sep 2022 12:08:15 +0000 (14:08 +0200)]
Modify test/quic_record_test.c to also depacketize
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18838)
Richard Levitte [Mon, 22 Aug 2022 06:45:26 +0000 (08:45 +0200)]
Implement packet type checks in the RX Depacketizer
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18838)
Richard Levitte [Mon, 22 Aug 2022 06:11:10 +0000 (08:11 +0200)]
Extend the RX Depacketizer frame table with what packet types they are valid in
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18838)
Richard Levitte [Thu, 21 Jul 2022 08:54:48 +0000 (10:54 +0200)]
Implement the RX Depacketizer
Implements the design doc/designs/quic-design/rx-depacketizer.md.
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18838)
Richard Levitte [Tue, 6 Sep 2022 11:59:25 +0000 (13:59 +0200)]
Move the QUIC_CONNECTION typedef to internal headers
Also add internal functionality to get a QUIC_CONNECTION pointer from
an SSL pointer, and setters / getters for the GQX and ACKM fields.
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18838)
Matt Caswell [Tue, 13 Sep 2022 17:01:18 +0000 (18:01 +0100)]
Fix a record layer mem leak
Make sure we free the record layer before we free the connection BIOs
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19198)
Matt Caswell [Mon, 12 Sep 2022 14:50:26 +0000 (15:50 +0100)]
Restructure the write code
Move the multiblock code into a separate file and introduce the usage of
record_functions_st for some write functions.
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19198)
Matt Caswell [Mon, 12 Sep 2022 14:02:14 +0000 (15:02 +0100)]
Remove some outstanding TODOs
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19198)
Matt Caswell [Fri, 9 Sep 2022 15:14:37 +0000 (16:14 +0100)]
Ensure that prefix records use a small buffer
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19198)
Matt Caswell [Fri, 9 Sep 2022 14:53:40 +0000 (15:53 +0100)]
Move the pipelining code into the record layer
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19198)
Matt Caswell [Fri, 9 Sep 2022 14:34:52 +0000 (15:34 +0100)]
Resolve some outstanding TODOs
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19198)
Matt Caswell [Fri, 9 Sep 2022 12:26:50 +0000 (13:26 +0100)]
Re-enable the multiblock code and move it into the record layer
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19198)
Matt Caswell [Wed, 31 Aug 2022 20:03:22 +0000 (21:03 +0100)]
Make sure we call get_max_records() in the record layer code
We use the returned data to decide how to split the data we want to write
into records.
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19198)
Matt Caswell [Wed, 31 Aug 2022 16:37:48 +0000 (17:37 +0100)]
Convert the write record layer to supply proper return values
This also means we can convert SSLfatal calls to RLAYERfatal
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19198)
Matt Caswell [Wed, 31 Aug 2022 15:45:55 +0000 (16:45 +0100)]
Remove some miscellaneous references to SSL_CONNECTION
There were a small number of references to the SSL_CONNECTION that can
be removed easily and replaced with record layer equivalents.
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19198)
Matt Caswell [Wed, 31 Aug 2022 15:39:36 +0000 (16:39 +0100)]
Move the record block_padding capability fully into the record layer
Previously we were referencing the block_padding value through the
SSL_CONNECTION. Now it is held within OSSL_RECORD_LAYER.
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19198)
Matt Caswell [Wed, 31 Aug 2022 14:41:16 +0000 (15:41 +0100)]
Move the record padding callback fully into the record layer
We wrap the callback and pass it to the record layer via the dispatch
array, in order to avoid accessing it directly via SSL_CONNECTION.
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19198)
Matt Caswell [Tue, 30 Aug 2022 16:15:25 +0000 (17:15 +0100)]
Remove use of SSL_CONNECTION_TREAT_AS_TLS13() from the record layer
In all cases we should be able to replace this with a simple check
against rl->version.
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19198)
Matt Caswell [Tue, 30 Aug 2022 15:26:33 +0000 (16:26 +0100)]
Move need_empty_fragments inside the record layer
This flag can now be managed entirely by the new record layer code so we
move it into ossl_record_layer_st.
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19198)
Matt Caswell [Tue, 30 Aug 2022 15:04:31 +0000 (16:04 +0100)]
Remove empty_fragment_done
Now that we are no longer recursively adding the prefix record this
doesn't seem necessary any more. We always add it every time we do
tls_write_records.
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19198)
Matt Caswell [Fri, 26 Aug 2022 16:34:40 +0000 (17:34 +0100)]
Move logic for figuring out the record version out of record layer
This calculation is based on lots of information from state machine and
elsewhere that the record layer cannot access. In reality it is sufficient
to simply tell the record layer what version to use.
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19198)
Matt Caswell [Thu, 25 Aug 2022 16:34:48 +0000 (17:34 +0100)]
Move numwpipes in the write record layer
We retain a numwpipes for now in the old record layer structure for use
by DTLS. This will eventually be removed when DTLS moves over to the new
way of doing things.
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19198)
Matt Caswell [Thu, 25 Aug 2022 14:05:13 +0000 (15:05 +0100)]
Move write buffer management into the write record layer
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19198)
Matt Caswell [Mon, 22 Aug 2022 15:09:23 +0000 (16:09 +0100)]
Replace references to s->wbio with rl->bio
We use the record layer reference to the BIO rather than the SSL object
reference. This removes an unneeded SSL object usage.
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19198)
Matt Caswell [Mon, 22 Aug 2022 15:03:41 +0000 (16:03 +0100)]
Use the record layer msg_callback not the SSL object msg_callback
This removes unnecessary usage of the SSL object from the record layer.
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19198)
Matt Caswell [Mon, 22 Aug 2022 14:49:53 +0000 (15:49 +0100)]
Move checking for alerts to dispatch out of the record layer
This isn't a record layer responsibility so should be removed from
write_records.
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19198)
Matt Caswell [Fri, 19 Aug 2022 15:54:09 +0000 (16:54 +0100)]
Create the write record layer method and object and use it
Make sure we set the write record layer method and create the object
where appropriate. Move the newly restructured writing code into the
record layer object.
For now we are cheating and still accessing the underlying SSL_CONNECTION
object. This will be removed in subsequent commits.
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19198)
Matt Caswell [Fri, 12 Aug 2022 08:51:51 +0000 (09:51 +0100)]
Move initial TLS write record layer code into new structure
The new write record layer architecture splits record writing into
a "write_records" call and a "retry_write_records" call - where multiple
records can be sent to "write_records" in one go. We restructure the code
into that format in order that future commits can move these functions into
the new record layer more easily.
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19198)
ASYNC_init_thread() will be called automatically by ASYNC_start_job(),
so ASYNC_cleanup_thread() must be called last, otherwise it will
cause a memory leak.
Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16703)
Tomas Mraz [Tue, 20 Sep 2022 14:48:59 +0000 (16:48 +0200)]
Maximum return value of BIO_ctrl_(w)pending is SIZE_MAX
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19240)
Tomas Mraz [Mon, 19 Sep 2022 08:36:21 +0000 (10:36 +0200)]
Fix error return values from BIO_ctrl_(w)pending()
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19240)
Pauli [Tue, 19 Jul 2022 02:47:58 +0000 (12:47 +1000)]
Add design document for the QUIC connection ID cache.
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18824)
Pauli [Mon, 25 Jul 2022 04:36:44 +0000 (14:36 +1000)]
update overview with a note about many to one connection ID cache
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18824)
slontis [Fri, 26 Aug 2022 01:54:35 +0000 (11:54 +1000)]
Add HPKE DHKEM provider support for EC, X25519 and X448.
The code is derived from @sftcd's work in PR #17172.
This PR puts the DHKEM algorithms into the provider layer as
KEM algorithms for EC and ECX.
This PR only implements the DHKEM component of HPKE as specified in
RFC 9180.
crypto/hpke/hpke_util.c has been added for functions that will
be shared between DHKEM and HPKE.
APIs for EVP_PKEY_auth_encapsulate_init() and EVP_PKEY_auth_decapsulate_init()
have been added to support authenticated encapsulation. auth_init() functions
were chosen rather than an EVP_PKEY_KEM_set_auth() interface to support
future algorithms that could possibly need different init functions.
Internal code has been refactored, so that it can be shared between the DHKEM
and other systems. Since DHKEM operates on low level keys it needs to be
able to do low level ECDH and ECXDH calls without converting the keys
back into EVP_PKEY/EVP_PKEY_CTX form. See ossl_ecx_compute_key(),
ossl_ec_public_from_private()
DHKEM requires APIs to derive a key using a seed (IKM). This did not sit
well inside the DHKEM itself as dispatch functions. This functionality
fits better inside the EC and ECX keymanagers' keygen, since
they are just variations of keygen where the private key is generated
in a different manner. This should mainly be used for testing purposes.
See ossl_ec_generate_key_dhkem().
It supports this by allowing a settable param to be passed to keygen
(See OSSL_PKEY_PARAM_DHKEM_IKM).
The keygen calls code within ec and ecx dhkem implementation to handle this.
See ossl_ecx_dhkem_derive_private() and ossl_ec_dhkem_derive_private().
These 2 functions are also used by the EC/ECX DHKEM implementations to generate
the sender ephemeral keys.
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19068)
OSSL_PROVIDER_set_default_search_path() return value
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19239)
Matt Caswell [Thu, 23 Jun 2022 10:39:38 +0000 (11:39 +0100)]
Correctly handle a retransmitted ClientHello
If we receive a ClientHello and send back a HelloVerifyRequest, we need
to be able to handle the scenario where the HelloVerifyRequest gets lost
and we receive another ClientHello with the message sequence number set to
0.
Fixes #18635
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18654)
Hugo Landau [Tue, 20 Sep 2022 19:40:36 +0000 (20:40 +0100)]
Add deferred datagram limit to QUIC Record Layer RX
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19251)
Pauli [Mon, 19 Sep 2022 00:48:07 +0000 (10:48 +1000)]
Remove unnecessary define
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19237)
Pauli [Mon, 19 Sep 2022 00:47:06 +0000 (10:47 +1000)]
Runtime detect FIPS RNG usage in test
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19237)
Pauli [Mon, 19 Sep 2022 00:31:12 +0000 (10:31 +1000)]
Remove FIPS condition on IV gen test.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19237)
Pauli [Mon, 19 Sep 2022 00:28:25 +0000 (10:28 +1000)]
Remove FIPS condition on SM2 test.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19237)
APPS: Move load_csr_autofmt() from apps/cmp.c to apps.c and use it for apps, too
Also add related references to FR #15725.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18900)
Update documentation, standard input is expected to be in binary format too
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19234)
Matt Caswell [Fri, 12 Aug 2022 12:27:21 +0000 (13:27 +0100)]
Use an enum for the return value from a construction function
Construction return values are no longer boolean but can return 3 different
values, so we use an enum to represent them.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18990)
Matt Caswell [Fri, 12 Aug 2022 12:24:19 +0000 (13:24 +0100)]
If a ticket key callback returns 0 in TLSv1.3 don't send a ticket
If we can't construct the ticket don't send one. This requires a change
to the TLS state machine to be able to handle a construction function
deciding not to send a message after all.
Fixes #18977
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18990)
Matt Caswell [Fri, 12 Aug 2022 11:14:18 +0000 (12:14 +0100)]
Test a 0 return from the ticket key callback
A 0 return from a ticket key callback should indicate that crypto parameters
are not currently available and that the handshake should continue without
generating/using the ticket.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18990)
Tomas Mraz [Wed, 14 Sep 2022 08:41:04 +0000 (10:41 +0200)]
Fix detection of ktls support in cross-compile environment on Linux
Fixes #19212
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19213)
Daniel Fiala [Tue, 6 Sep 2022 05:51:59 +0000 (07:51 +0200)]
Add an EVP demo for AES key wrap
Fixes openssl#14119
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19141)
stack.c: add missing direct error reporting and improve coding style
Doing so, had to fix sloppiness in using the stack API in crypto/conf/conf_def.c,
ssl/ssl_ciph.c, ssl/statem/statem_srvr.c, and mostly in test/helpers/ssltestlib.c.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18918)
x509_vpm.c: add missing direct error reporting and improve coding style
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18918)
Daniel Fiala [Fri, 5 Aug 2022 02:44:51 +0000 (04:44 +0200)]
Add tests for trace_api.
Fixes openssl#17422
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19096)
Pauli [Tue, 13 Sep 2022 22:39:29 +0000 (08:39 +1000)]
Add CI to test old FIPS provider versions
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/19201)
Tomas Mraz [Tue, 13 Sep 2022 20:38:30 +0000 (22:38 +0200)]
With fips provider 3.0.0 skip tests related to explicit curves handling
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19201)
Tomáš Mráz [Tue, 13 Sep 2022 04:37:05 +0000 (14:37 +1000)]
EVP_PKEY_eq: regain compatibility with the 3.0.0 FIPS provider
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19201)
Pauli [Tue, 13 Sep 2022 01:23:03 +0000 (11:23 +1000)]
Fix default padding regression against 3.0.0 FIPS provider
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/19201)