summaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)Author
2023-03-30QUIC Thread Assisted Mode: Add design documentHugo Landau
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30Enhance quic_tserver test to fully test thread assisted modeHugo Landau
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30QUIC CHANNEL: Fix idle timeout handlingHugo Landau
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30QUIC CHANNEL: Allow time source to be overriddenHugo Landau
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30QUIC TXP: Allow caller to determine if an ACK-eliciting packet was sentHugo Landau
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30Add basic test for thread assisted modeHugo Landau
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30Switch to using ossl_crypto_mutex from CRYPTO_RWLOCKHugo Landau
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30Add channel-only tick mode and use it for thread assisted modeHugo Landau
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30Front End for QUIC Thread Assisted ModeHugo Landau
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30QUIC Thread Assist CoreHugo Landau
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30Fix handshake lockingHugo Landau
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30Add mutex to tserverHugo Landau
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30Add locking to QUIC front-endHugo Landau
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30Move channel mutex out of QUIC_CHANNEL for init/teardown flexibilityHugo Landau
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30Annotate functions needing lockingHugo Landau
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30QUIC Channel: Add a mutexHugo Landau
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30QUIC Reactor: Allow a mutex to be released during waitsHugo Landau
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30threading: Add ossl_crypto_condvar_wait_timeoutHugo Landau
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20348)
2023-03-30Add some documentation for the new advanced s_client command modeMatt Caswell
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20566)
2023-03-30Add a new advanced command mode to s_clientMatt Caswell
The s_client command mode just looks at the first letter on a line and if it is one that maps to a "command" then that command is executed and everything else on the line is ignored. This means it is impossible to send anything over s_client that starts with one of the "magic" letters unless you switch off command processing entirely. With the forthcoming quic support that will be added to s_client we expect a significant new number of commands being added (for example to send fin on a stream, or to list or swap between different streams, etc). This will use up more "letters" and reduces the usability of s_client. This PR adds a new "advanced" command processing mode. Commands are enclosed in braces {}, and can appear anywhere in the text typed into s_client. A brace can be escaped by sending a double {{. This gives much more flexibility without reducing the usability of s_client. Commands can also have "arguments" which also extends the scope of what they can be used for. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20566)
2023-03-30remove DSA512 from speed testingMichael Baentsch
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20603)
2023-03-29SM4 check should be for __aarch64__, not __ARM_MAX_ARCH__ >= 8Tom Cosgrove
(And then __arm__ and __arm tests are redundant) Fixes #20604 Change-Id: I4308e75b7fbf3be7b46490c3ea4125e2d91b00b8 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20620)
2023-03-29Ensure there's only one copy of OPENSSL_armcap_P in libcrypto.aTom Cosgrove
Change-Id: Ia94e528a2d55934435de6a2949784c52eb38d82f Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20621)
2023-03-29doc: add HOWTO document about Documenting public Functions and MacrosMichael Richardson
Co-authored-by: Matthias St. Pierre <matthias.st.pierre@ncp-e.com> Co-authored-by: Tomáš Mráz <tm@t8m.info> Co-authored-by: Lin2Jing4 <35728132+Lin2Jing4@users.noreply.github.com> Co-authored-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17926)
2023-03-29Declare FIPS option functions in their own headerPauli
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/20521)
2023-03-29test: test -drbg_allow_truncated_digests optionPauli
Verify that the option produces the correct output in the FIPS configuration file and that the default is as expected. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/20521)
2023-03-29Let fipsinstall know about DRBG digiest limitingPauli
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/20521)
2023-03-29changes: note the banning of truncated hashes with DRBGsPauli
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/20521)
2023-03-29doc: note the restriction on digests used by DRBGs in FIPS mode.Pauli
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/20521)
2023-03-29DRBG: restrict the digests that can be used with HMAC and Hash DRBGs.Pauli
According to FIP 140-3 IG D.R: https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf Outside of FIPS, there remains no restriction other than not allowing XOF digests. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/20521)
2023-03-29fips: rework the option handling codePauli
Add option for restricting digests available to DRBGs. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/20521)
2023-03-28RFC7250 (RPK) supportTodd Short
Add support for the RFC7250 certificate-type extensions. Alows the use of only private keys for connection (i.e. certs not needed). Add APIs Add unit tests Add documentation Add s_client/s_server support Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18185)
2023-03-28Fix documentation of X509_VERIFY_PARAM_add0_policy()Tomas Mraz
The function was incorrectly documented as enabling policy checking. Fixes: CVE-2023-0466 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20561)
2023-03-28Updated CHANGES.md and NEWS.md for CVE-2023-0465Matt Caswell
Also updated the entries for CVE-2023-0464 Related-to: CVE-2023-0465 Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20585)
2023-03-28Add a Certificate Policies TestMatt Caswell
Test that a valid certificate policy is accepted and that an invalid certificate policy is rejected. Specifically we are checking that a leaf certificate with an invalid policy is detected. Related-to: CVE-2023-0465 Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20585)
2023-03-28Ensure that EXFLAG_INVALID_POLICY is checked even in leaf certsMatt Caswell
Even though we check the leaf cert to confirm it is valid, we later ignored the invalid flag and did not notice that the leaf cert was bad. Fixes: CVE-2023-0465 Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20585)
2023-03-28Generate some certificates with the certificatePolicies extensionMatt Caswell
Related-to: CVE-2023-0465 Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20585)
2023-03-27`EVP_PKEY_CTX_dup` segmentation fault fixafshinpir
CLA: trivial The the provider, context duplication method for signature, key exchange, asymmetric cipher, and key encapsulation is optional. But if they are missing, we will get a segmentation fault in `EVP_PKEY_CTX_dup` because they are called without null pointer checking. Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20581)
2023-03-27test: evp_extra: EC, read affine coordinatesJorge Ramirez-Ortiz
Add a test to read the EC X,Y coordinates. Support legacy keys. Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20535)
2023-03-27translation: EC legacy keys, handle OSSL_PKEY_PARAM_EC_PUB_X,Y requestsJorge Ramirez-Ortiz
Required by tpm2-tss to load legacy EC keys using the OpenSSL engine. Fixes: https://github.com/tpm2-software/tpm2-tss/issues/2581 Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20535)
2023-03-27Avoid duplication of OPENSSL_armcap_P on 32bit ARMTomas Mraz
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20558)
2023-03-27Print the duplicate symbols found in testTomas Mraz
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20558)
2023-03-25apps/lib/http_server.c: improve diagnostics, e.g., on port number already in useDr. David von Oheimb
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/19947)
2023-03-2580-test_cmp_http.t: fix server port and confusion client vs. server configDr. David von Oheimb
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/19947)
2023-03-25CMP add: fix -reqin option, which requires adding ↵Dr. David von Oheimb
OSSL_CMP_MSG_update_recipNonce() Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/20204)
2023-03-25apps/cmp.c: make sure that last -reqin argument is actually usedDr. David von Oheimb
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/20204)
2023-03-25CMP app: improve doc and help output on -{req,rsp}{in,out} optionsDr. David von Oheimb
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/20204)
2023-03-25Update the EVP_PKEY_get_id documentationMichael Baentsch
The documentation didn't mention the development where EVP_PKEY_get_id() returns a negative value for provider-only implementations, and the migration guide didn't mention how to cope with that. Fixes #20497 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20501)
2023-03-24tls1_set_groups_list: freeing *pext before overwritingPeter Kaestle
calling SSL_CTX_set1_groups_list() twice on one SSL_CTX* caused a memory leak visible in valgrind: 4 bytes in 1 blocks are definitely lost in loss record 1 of 1 at 0x4841888: malloc (vg_replace_malloc.c:381) by 0x4B1EE96: CRYPTO_memdup (in libcrypto.so.3) by 0x48993A0: tls1_set_groups_list (in libssl.so.3) by 0x487AA7E: ssl3_ctx_ctrl (in libssl.so.3) by 0x1091EA: main (mem_leak.c:10) LEAK SUMMARY: definitely lost: 4 bytes in 1 blocks Freeing *pext to fix it. CLA: trivial Signed-off-by: Peter Kaestle <peter.kaestle@nokia.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20317) (cherry picked from commit fcf3a9f7c6a10acb2d92f03aec5e45df7dd712d5)
2023-03-23OBJ_nid2obj(): Return UNDEF object instead of NULL for NID_undefTomas Mraz
Fixes a regression from 3.0 from the obj creation refactoring. Fixes #20555 Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20556)
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-24 03:19:34 +0000