Neil Horman [Fri, 21 Feb 2025 17:22:17 +0000 (12:22 -0500)]
Convert test_bio_ssl to use fake time
The test_bio_ssl test in quicapitest is failing on windows. Something
about the timing there is causing wide variance in how long it takes to
establish a handshake (between 130-6500 iterations).
Convert it to use fake time to make it run consistently.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26801)
Viktor Dukhovni [Mon, 17 Feb 2025 15:41:51 +0000 (02:41 +1100)]
Add hybrid ML-KEM based groups to default TLS groups
- send two key shares by default
- trim down the list of default groups
The default TLS group list setting is now:
?*X25519MLKEM768 / ?*X25519:?secp256r1 / ?X448:?secp384r1:?secp521r1 / ?ffdhe2048:?ffdhe3072
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26801)
The interoperability tests disable client ip address
validation done by RETRY packet. All tests done in CI
take code path which sends a retry packet.
The first initial packet sent by client uses a different
initial encryption level keys to protect packet integrity.
The keys are derived from DCID chosen by client.
When server accepts connection on behalf of initial packet,
the 'DCID' gets changed which means the initial level encryption keys
are changing too. So when server skips sending a retry packet,
it must forget the qrx which was used to validate initial
packet sent by client.
Forgetting qrx is not straightforward, we must salvage the
unencrypted packets left there after they were validated.
Those unencrypted packets must be injected to newly created channel.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26808)
Perform initial AEAD validation before creating a channel
We let port to create qrx object and use it for
packet validation. If packet validates, we then
create channel and pass pre-created qrx to channel's
constructor.
Co-authored-by: Andrew Dinh <andrewd@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26808)
Burkov Egor [Wed, 19 Feb 2025 13:42:07 +0000 (16:42 +0300)]
fix: add OOM handler for x509 fuzz test
CLA: trivial
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26830)
Bernd Edlinger [Mon, 24 Feb 2025 06:51:16 +0000 (07:51 +0100)]
Revert wrong macos RCU fix
This reverts #23974 which seems to be no longer needed now,
due to other fixes nearby. Most likely the change did just
slightly decrease the performance of the reader threads, and
did therefore create the wrong impression that it fixed the issue.
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26881)
Viktor Dukhovni [Fri, 21 Feb 2025 08:47:36 +0000 (19:47 +1100)]
More seed and private key checks for ML-DSA
- Check seed/key consistency when generating from a seed and the private
key is also given.
- Improve error reporting when the private key does not match an
explicit public key.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/26865)
Neil Horman [Thu, 20 Feb 2025 14:15:26 +0000 (09:15 -0500)]
separate intval into separate variable in OSSL_PARAMS
construction of int params holds a pointer to an int rather than an int
value, so we need to use separate variables when constructing separate
int params.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26851)
Fails because the fuzzer occasionaly provides inputs which drives the
fuzzer to create an octet-string for the context_string param which
violates the 255 byte constraint documented on that parameter.
Fix it by detecting that condition, expecting failure in the call to
EVP_sign_message_init, and bailing out when it occurs.
Fixes openssl/project#1109
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26851)
Bernd Edlinger [Wed, 19 Feb 2025 17:55:42 +0000 (18:55 +0100)]
Re-enable RCU torture test on MACOSX
This test was disabled due to "Stochastic failures in
the RCU test on MACOSX" by #23967, which sounds like an
issue that is probably fixed now.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26834)
Pauli [Fri, 21 Feb 2025 01:22:15 +0000 (12:22 +1100)]
doc: fixup FIPS self test names
Missing names and categories in the documentation
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26859)
Pauli [Fri, 21 Feb 2025 01:21:48 +0000 (12:21 +1100)]
fipsinstall: update tests to use corrent key gen test name
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26859)
Pauli [Fri, 21 Feb 2025 01:21:26 +0000 (12:21 +1100)]
fips: update FIPS self test defines
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26859)
Pauli [Fri, 21 Feb 2025 00:37:43 +0000 (11:37 +1100)]
fips: refactor to unify the ST_KAT_PARAM -> OSSL_PARAM code
This code was duplicated multiple times throughout the self tests.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26859)
Pauli [Fri, 21 Feb 2025 00:36:56 +0000 (11:36 +1100)]
fips: refactor ML-KEM tests so that key generation is separate
Encapsulation and decapsulation remain as their own CAST.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26859)
Pauli [Fri, 21 Feb 2025 00:36:48 +0000 (11:36 +1100)]
fips: add key generation name for ML-KEM CASTs
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26859)
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26832)
Michael Baentsch [Thu, 20 Feb 2025 10:35:09 +0000 (11:35 +0100)]
Update oqsprovider git submodule and start testing with it again
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26848)
Clemens Lang [Thu, 20 Feb 2025 14:04:51 +0000 (15:04 +0100)]
Provide aliases to ML-DSA without dashes
oqsprovider did not use dashes in the algorithm names for ML-DSA. Make
the transition smoother by also accepting the names without dashes as
aliases.
See also #26326 for the same thing for ML-KEM.
Signed-off-by: Clemens Lang <cllang@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26853)
Tomas Mraz [Wed, 19 Feb 2025 14:03:35 +0000 (15:03 +0100)]
cross-compiles.yml: Disable FIPS for cross compiles
When running tests things are too slow due to SLH-DSA POST.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26820)
Tomas Mraz [Wed, 19 Feb 2025 13:57:12 +0000 (14:57 +0100)]
run-checker-daily.yml: Add memory sanitizer run with SLH-DSA enabled
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26820)
Tomas Mraz [Wed, 19 Feb 2025 13:56:19 +0000 (14:56 +0100)]
make-test: No verbose tar output
This just clutters the logs otherwise.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26820)
Tomas Mraz [Wed, 19 Feb 2025 13:49:43 +0000 (14:49 +0100)]
run-checker-daily.yml: Adjust the list of jobs
Some of the disablables are already disabled by default.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26820)
Tomas Mraz [Tue, 18 Feb 2025 17:13:22 +0000 (18:13 +0100)]
Disable SLH-DSA in memory sanitizer
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26820)
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26843)
Pauli [Wed, 19 Feb 2025 23:34:36 +0000 (10:34 +1100)]
fips: change SLH-DSA key generation to use a fast algorithm flavour
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26837)
Pauli [Wed, 19 Feb 2025 23:48:55 +0000 (10:48 +1100)]
slh-dsa: avoid pairwise test when doing key generation CAST
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26838)
Pauli [Wed, 19 Feb 2025 23:48:37 +0000 (10:48 +1100)]
ml-kem: avoid pairwise test when doing key generation CAST
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26838)
Pauli [Wed, 19 Feb 2025 23:48:25 +0000 (10:48 +1100)]
ml-dsa: avoid pairwise test when doing key generation CAST
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26838)
Pauli [Wed, 19 Feb 2025 23:41:56 +0000 (10:41 +1100)]
fips: add function to detect if the self tests are running
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26838)
Shakti Shah [Wed, 19 Feb 2025 16:08:36 +0000 (21:38 +0530)]
Make org.openssl.winstore: work in openssl-ts
Fixes #26739
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26833)
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26831)
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26825)
Pauli [Wed, 19 Feb 2025 03:51:18 +0000 (14:51 +1100)]
slh-dsa: use fast flavours for FIPS Power Up Self Test
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26821)
Pauli [Fri, 14 Feb 2025 01:55:21 +0000 (12:55 +1100)]
slh-dsa: add signature generation tests
This marks the first use of the extended test feature in evp_test.
The reason behind this is the amount of time the full SLH-DSA tests consume.
The non-extended tests chosen so that they exercise all of the algorithms
at least once and all the varying combinations of features for the fast
algorithms.
On my build machine the full test suite takes: 290 seconds.
With the reduction to a dozen tests it takes: 10.5 seconds.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/26750)
Viktor Dukhovni [Tue, 18 Feb 2025 07:42:41 +0000 (18:42 +1100)]
More consistent ML-KEM key checks
- Cross-check seed `z` value on import as well as load.
- In import/load When re-generating from a seed, check hash of any
explicit private key when both provided.
- Avoid leak of expanded key encoding when load fails.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26812)
Viktor Dukhovni [Tue, 18 Feb 2025 09:41:13 +0000 (20:41 +1100)]
Typo fix
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26813)
Viktor Dukhovni [Tue, 18 Feb 2025 14:44:17 +0000 (01:44 +1100)]
ssl3_ctrl(): Fix condition in SSL_CTRL_GET_PEER_SIGNATURE_NAME
Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26819)
Neil Horman [Tue, 18 Feb 2025 14:01:40 +0000 (09:01 -0500)]
Relax checking of supported-groups/keyshare ordering
quic interop testing showed that interop with the mvfst client was
failing, due to detecting mis ordering of supported groups and keyshare
extensions
This is strictly a mvfst problem to fix, but RFC 8446 indicates that we
MAY check the ordering but don't strictly have to.
We've opened an issue with the client to fix this, but in the interests
of client compatibility relax the ordering check so that, instead of
issuing a fatal alert, we just log a trace message indicating the
discrepancy
Fixes openssl/project#1106
Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26818)
Pauli [Tue, 18 Feb 2025 01:45:58 +0000 (12:45 +1100)]
ssl_test: correctly handle ML-DSA being disabled
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26806)
Pauli [Mon, 17 Feb 2025 23:04:58 +0000 (10:04 +1100)]
mldsa: add run-checker workflow for no-ml-dsa option
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26806)
Pauli [Mon, 17 Feb 2025 23:08:11 +0000 (10:08 +1100)]
ml-kem: add ML-KEM to bulk disable cascade
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26807)
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/26793)
Neil Horman [Mon, 17 Feb 2025 15:13:32 +0000 (10:13 -0500)]
Free hashtable prior to freeing atomic worker_lock
lhash_test uses a hashtable that may not be empty at the end of the test
Given that the free function frees the elements in the list and uses the
atomic worker_lock to do so, we need to free the hash table prior to
freeing the working lock to avoid the use of unallocated memory.
Fixes #26798
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26800)
projects / thirdparty / openssl.git / log
