5493 Commits

Author	SHA1	Message	Date
openssl-machine	88dafcee87	Copyright year updates ... Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Release: yes	2025-09-30 12:46:35 +00:00
Tomas Mraz	caf629215f	ossl_quic_conn_stream_conclude(): Fixup the quic_unlock() call name ... Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28651)	2025-09-24 15:10:43 +02:00
Neil Horman	7c28c5d2e6	Close small race condition on error raising in QUIC ... Github issue #28501 reported an odd condition in which a double free was occuring when a given thread was popping entries of its error stack. It was hypothesized that, because a few places in the quic stack save error state to a shared structure (ch->err_state, port->error_state, qtls->error_state), that multiple threads may attempt to mutate the shared structure during error save/restore in parallel. Investigation showed that all paths which led to such mutations were done under lock, so that shouldn't occur. Except for one case, which this PR addresses. In ossl_quic_conn_stream_conclude, we unlock our protecting mutex, prior to calling QUIC_RAISE_NON_NORMAL_ERROR. If that function is called with an reason code of SHUTDOWN, it attempts to restore the channel error state. Given that the lock was released first, this creates a small race condition in which two threads may manipulate the shared error state in the channel struct in parallel. According to the reporter, applying this patch prevents the reported error from occuring again. Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28642) (cherry picked from commit 1e70e8080a)	2025-09-24 12:21:34 +02:00
Tomas Mraz	3b1851a8ea	tls_common.c: Handle inner content type properly on Big Endian ... When passing the inner content type to msg_callback, the lowest byte of rec->type needs to be passed instead of directly passing the rec->type otherwise the value is incorrect on Big Endian platforms. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28627) (cherry picked from commit 2edf021463)	2025-09-23 16:39:24 +02:00
Nachel72	66f7afbb98	Fix: Check for wrong object. The converted sc should be checked instead of the original s ... Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Todd Short <todd.short@me.com> (Merged from https://github.com/openssl/openssl/pull/28248) (cherry picked from commit bc28ca499e) (cherry picked from commit 7e8d78d579)	2025-08-22 11:11:20 -04:00
Niels Dossche	e1c6bc1ba3	Fix reallocation failure condition in qtx_resize_txe() ... Returning the same pointer does not mean that the reallocation failed, it would also prevent updating alloc_len down below. This is similar code and a similar change to 043a41ddee. Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28317) (cherry picked from commit 220f5be690)	2025-08-22 09:25:54 -04:00
Alexandr Nedvedicky	c5f1fd77ed	- adding a missing file ... Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28023) (cherry picked from commit d777deffba)	2025-07-27 05:01:39 -04:00
sashan	c3ae994388	- fix RFC reference and indentation ... Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28023) (cherry picked from commit a43b926fd2)	2025-07-27 05:01:38 -04:00
Sashan	9fbc4ae3e7	Update ssl/quic/quic_ackm.c ... Co-authored-by: Andrew Dinh <andrewd@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28023) (cherry picked from commit b083613476)	2025-07-27 05:01:37 -04:00
Sashan	7a30cd3793	Update ssl/quic/quic_ackm.c ... Co-authored-by: Andrew Dinh <andrewd@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28023) (cherry picked from commit 4a3c954a0c)	2025-07-27 05:01:36 -04:00
sashan	c1a3e13a41	ACK manager must avoid infinite probe time when waiting handshake confirmation ... According to RFC 9002, section 6.2.2.1 the client the client must keep PTO (probe time out) armed if it has not seen HANDSHAKE_DONE quic message from server. Not following RFC spec here may cause the QUIC session to stale during TLS handshake. Fixes openssl/project#1266 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28023) (cherry picked from commit cdbfacead0)	2025-07-27 05:01:35 -04:00
Alexandr Nedvedicky	6763aaaed8	QUIC receiver may accidentally ACK packet it fails to process ... we set ok to -1 as we enter ossl_quic_handle_frames(). If we set ok to 0 here we effectively assume successful processing of all frames found in packet. We do this just before we return from function: ``` 1479 1480 /* Now that special cases are out of the way, parse frames */ 1481 if (!PACKET_buf_init(&pkt, qpacket->hdr->data, qpacket->hdr->len) 1482 || !depack_process_frames(ch, &pkt, qpacket, 1483 enc_level, 1484 qpacket->time, 1485 &ackm_data)) 1486 goto end; 1487 1488 ok = 1; 1489 end: 1490 /* 1491 * ASSUMPTION: If this function is called at all, |qpacket| is 1492 * a legitimate packet, even if its contents aren't. 1493 * Therefore, we call ossl_ackm_on_rx_packet() unconditionally, as long as 1494 * |ackm_data| has at least been initialized. 1495 */ 1496 if (ok >= 0) 1497 ossl_ackm_on_rx_packet(ch->ackm, &ackm_data); 1498 1499 return ok > 0; ``` if the call to `depack_process_frames()` at line 1492 fails, because barticualr frame in packet is corrupted/invalid we take a branch to `end:` goto target. In this case we must avoid the call to `ossl_ackm_on_rx_packet()`. Packet with malformed/invalid frame must not be accepted. See RFC 9000 section 13.1: Once the packet has been fully processed, a receiver acknowledges receipt by sending one or more ACK frames containing the packet number of the received packet. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28002) (cherry picked from commit e6c20588ef)	2025-07-10 12:06:20 +02:00
openssl-machine	b426d08003	Copyright year updates ... Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Release: yes	2025-07-01 11:55:48 +00:00
noctuelles	75417bcf06	fix: msg callback in dtls1_do_write that incorrectly shows message (like a certificate) that spans over multiple fragments. ... Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27811) (cherry picked from commit de5a619aa0)	2025-06-30 11:25:37 +01:00
Matt Caswell	3695409c4c	Ensure we pass the user SSL object for the SSL_set_verify callback ... When calling the verify callback we need to ensure we supply the user SSL object, and not any internal SSL object. Fixes #27830 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27848)	2025-06-19 14:04:50 +01:00
yexiaochuan	7c45da745e	fix: add parsing check in TLS compress_certificate extension handler ... The tls_parse_compress_certificate function was missing validation for trailing bytes after parsing the algorithm list, violating RFC8446 section 4.2 which requires sending a decode_error alert for unparseable messages. This commit adds a check for remaining bytes in the packet after the while loop and sends SSL_AD_DECODE_ERROR if any trailing bytes are found. Fixes #27717 CLA: trivial Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27733) (cherry picked from commit 8e787b1028)	2025-06-10 19:39:58 +02:00
Matt Caswell	4c246610f0	Fix DTLS handling when receiving a no_renegotiation alert ... no_renegotiation is a warning alert sent from the server when it is not prepared to accept a renegotiation attempt. In TLS we abort the connection when we receive one of these - which is a reasonable response. However, in DTLS we incorrectly ignore this and keep trying to renegotiate. We bring the DTLS handling of a no_renegotiation alert into line with how TLS handles this. In versions prior to 3.2 handling of a warning alert in DTLS was mishandled resulting in a failure of the connection, which ends up being the right thing to do "by accident" in the case of "no_renegotiation". From 3.2 this mishandling was fixed, but exposed this latent bug. Fixes #27419 Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27591) (cherry picked from commit e5feca0659)	2025-06-04 17:24:17 +02:00
Norbert Pocs	b8c8b88a8e	s3_lib.c: Use illegal_parameter for failing encapsulation in ml_kem ... Signed-off-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27627) (cherry picked from commit e66097fc66)	2025-05-16 11:11:27 +02:00
Norbert Pocs	e669960727	s3_lib.c: Handle weak x keys as illegal_parameter alert ... Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27597) (cherry picked from commit 5da4ea10be)	2025-05-15 10:49:12 +02:00
Matt Caswell	e26bb2d62d	Stop a TLSv1.3 server emitting an unsolicited PSK extension ... If we attempt to accept a connection on an SSL object, and the application has set an SSL_SESSION on that SSL object then we can mistakenly believe that we are resuming and emit an unsolicited PSK extension back to the client. This can especially happen when using SSL_clear() which leaves any SSL_SESSION associated with the SSL object. See https://github.com/openssl/openssl/discussions/27563#discussioncomment-13049352 and https://github.com/openssl/openssl/discussions/24567 Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27584) (cherry picked from commit aa8bca2e81)	2025-05-13 14:12:54 +02:00
Matt Caswell	af712a5933	Add a test for app data received too early ... Add a test for app data which was received prior to the Finished is read correctly, and that if we continue to read we get the expected result. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from https://github.com/openssl/openssl/pull/27543)	2025-05-08 14:14:14 -04:00
Matt Caswell	d459d00f97	Ensure we properly release DTLS buffered app data records ... If we read an app data record before we have read the Finished we buffer it. Once we've read it we need to make sure we've properly released it otherwise we will attempt to read it again (and this time there will be no data in it). Fixes #27316 Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from https://github.com/openssl/openssl/pull/27543)	2025-05-08 14:14:12 -04:00
Matt Caswell	3a7bb788ce	Drop empty app data records in DTLS ... App data records with 0 bytes of payload will confuse callers of SSL_read(). This will cause a successful read and return 0 bytes as read. Unfortunately a 0 return from SSL_read() is considered a failure response. A subsequent call to SSL_get_error() will then give the wrong result. Zero length app data records are actually allowed by the spec, but have never been handled correctly by OpenSSL. We already disallow creating such empty app data records. Since the SSL_read() API does not have a good way to handle this type of read, we simply ignore them. Partial fix for #27316 Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27541) (cherry picked from commit a23d5e20f1)	2025-05-07 14:36:51 +02:00
Dr. David von Oheimb	0080dd66e0	Fix SSL_{set1,add1}_host() handling of host name/IP address and related documentation ... Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27457) (cherry picked from commit 1eee02d3e7)	2025-05-06 15:11:56 +02:00
sashan	eb341e46c6	ossl_json_f64() seems to be unused, remove it to avoid libm dependency ... Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27434) (cherry picked from commit 0e41862899)	2025-04-29 19:40:06 +02:00
Anton Tieleman	fa2018545d	Test+fix handling "wrong" downgrade signals ... This accounts for cases that can only occur when een non-compliant server sends the wrong downgrade signal. (TLS1.1 signal when negotiating TLS1.2 or TLS1.2 signal when negotiating TLS1.0/TLS1.1). According to the TLS1.3 RFC these cases should be rejected: RFC8446, section 4.1.3: TLS 1.3 clients receiving a ServerHello indicating TLS 1.2 or below MUST check that the last 8 bytes are not equal to either of these values. TLS 1.2 clients SHOULD also check that the last 8 bytes are not equal to the second value if the ServerHello indicates TLS 1.1 or below. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27518) (cherry picked from commit 290fd4a0c8)	2025-04-29 19:32:14 +02:00
Andrey Tsygunka	4d682ffd4b	Fix potential NULL pointer dereference in final_maxfragmentlen() ... In the final_maxfragmentlen() function, s->session is checked for NULL after it was dereferenced earlier. So move this NULL check to the top of the function. CLA: trivial Fixes: fa49560451 (Fix handling of max_fragment_length extension for PSK) Signed-off-by: Andrey Tsygunka <aitsygunka@yandex.ru> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Paul Yang <kaishen.yy@antfin.com> (Merged from https://github.com/openssl/openssl/pull/27272) (cherry picked from commit 28de1f5004)	2025-04-14 15:55:43 +01:00
Graham Leggett	d2f2eafa7f	ssl/ssl_lib.c: Avoid crash when SSL_CONNECTION is NULL ... Detection for sc == NULL is performed after sc is used. Add the check to the correct place. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Yang <kaishen.yy@antfin.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/27241) (cherry picked from commit 7f6cc862c6)	2025-04-14 15:38:06 +01:00
Benjamin Kaduk	8e0ecf20a5	statem: always save sigalgs during PHA ... We use the same extension-parsing function on server and client for convenience, but while the server might worry about tracking what was previously received and not overwriting it, on the client receiving a request for post-handshake authentication, we always want to use the values from the current extension (and should always have a new session object that we are free to mutate). It is somewhat unclear whether the server also needs the check for a resumed connection; it appears to have been added back in 2015 in commit 062178678f as part of a broad pass to handle extensions on resumption, but without specific documentation of each extension's handling. Fixes: #10370 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24651) (cherry picked from commit ddd99d52d3)	2025-04-01 15:11:52 +02:00
jay9827342	67cc9ae75b	Memory leak fix ktls_meth.c ... The OSSL_RECORD_LAYER needs to be properly freed when return code isnt success. Memory leak fix CLA: trivial Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Yang <kaishen.yy@antfin.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27111) (cherry picked from commit e5e4cf41c7)	2025-03-25 20:23:00 +01:00
Bernd Edlinger	6cb2c71015	Try to fix reported qlog issues ... Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27089) (cherry picked from commit 9f85a036e3)	2025-03-24 20:22:13 +01:00
Tomas Mraz	0987a4519c	qlog_event_helpers.c: Fix inverted condition ... We want to skip up to PACKET_remaining() and not "at least" PACKET_remaining() bytes. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27138) (cherry picked from commit 83b11af017)	2025-03-24 15:23:15 +01:00
Matt Caswell	d7c5d9fa8c	Fix a compilation failure in AIX ... AIX (at least for 7.1) defines some macros for "events" and "revents" which interferes with our own use of these names. Fixes #24236 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26933) (cherry picked from commit 5eb55ad8a7)	2025-03-04 09:22:47 -05:00
Matt Caswell	76c8363cb2	Move ssl_err.c into libcrypto ... We move ssl_err.c out of libssl and into libcrypto. This file is entirely self contained and is used to load error strings into the libcrypto error tables. By moving this file into libcrypto, libssl can be unloaded safely without having dangling references to this error information. Fixes #26672 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26931) (cherry picked from commit aaad33c5ac)	2025-03-03 10:41:44 +00:00
Neil Horman	a98b476c08	Change cipher suite alert for 0 length cipher_suites ... From RFC 8446: Note: TLS defines two generic alerts (see Section 6) to use upon failure to parse a message. Peers which receive a message which cannot be parsed according to the syntax (e.g., have a length extending beyond the message boundary or contain an out-of-range length) MUST terminate the connection with a "decode_error" alert. Peers which receive a message which is syntactically correct but semantically invalid (e.g., a DHE share of p - 1, or an invalid enum) MUST terminate the connection with an "illegal_parameter" alert. A zero length cipher suite list I think is considered out of range, and so we should return "decode_error" rather than "illegal_parameter" Fixes #25309 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26781) (cherry picked from commit 2ce46ad8ce)	2025-02-25 15:49:59 -05:00
Alexandr Nedvedicky	a04a5fe8a1	Fix read out of buffer bounds when dealing with BIO_ADDR ... This issue was discoevered while I was testing SSL_new_from_listener() using a newly created unit test. It has turned out the QUIC stack at few places contain pattern as follows: foo(QUIC_WHATEVER *q, BIO_ADDR *a) { q->a = *a; } The problem is that derefencning a that way is risky. If the address `a` comes from BIO_lookup_ex() it may actually be shorter than sizeof(BIO_ADDR). Using BIO_ADDR_copy() is the right thing to do here. Fixes #26241 Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26252) (cherry picked from commit 395a83a617)	2025-02-25 15:56:31 +01:00
Tomas Mraz	348c5d768b	add_uris_recursive(): Avoid OSSL_STORE_INFO leak on error ... Fixes #26480 Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26511) (cherry picked from commit be5965acad)	2025-02-25 15:51:00 +01:00
Matt Caswell	bc0d4577d6	Fix configuring provider certificate algs via config file ... A crash could occur when attempting to configure a certificate via a config file, where the algorithm for the certificate key was added dynamically via a provider. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26663) (cherry picked from commit 9cbaa8763c)	2025-02-11 17:39:26 +00:00
Viktor Dukhovni	d25c7e3977	Avoid calling ssl_load_sigalgs in tls1_set_sigalgs_list ... - The signature algorithms are already loaded in SSL_CTX_new() - Calling ssl_load_sigalgs() again is non-productive, and does not look thread safe. - And of course avoiding the call is cheaper. - Also fix broken loop test in ssl_cert_lookup_by_pkey() Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26671) (cherry picked from commit 3252fe646b)	2025-02-12 03:27:26 +11:00
openssl-machine	5f8049f2c5	Copyright year updates ... Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Release: yes	2025-02-11 14:27:50 +00:00
Viktor Dukhovni	d3d16e36cc	Use ERR marks also when verifying server X.509 certs ... Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (cherry picked from commit 739c4b2e92)	2025-02-11 08:40:30 -05:00
Viktor Dukhovni	738d4f9fde	With SSL_VERIFY_PEER client RPK should abort on X509 error ... While RPK performs X.509 checks correctly, at the SSL layer the SSL_VERIFY_PEER flag was not honoured and connections were allowed to complete even when the server was not verified. The client can of course determine this by calling SSL_get_verify_result(), but some may not know to do this. Added tests to make sure this does not regress. Fixes CVE-2024-12797 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (cherry picked from commit 6ae8e947d8)	2025-02-11 08:40:21 -05:00
Bernd Edlinger	39979919c3	use-of-uninitialized-value in quic_tserver_test ... Fixes #26277 Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26269) (cherry picked from commit 9861be4eef)	2025-01-06 20:48:43 +01:00
cx	8371979716	Reject invalid FFDHE and ECDHE key shares with SSL_AD_ILLEGAL_PARAMETER alert ... This changes the alert according to RFC 8446. Fixes: #25402 Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25547) (cherry picked from commit 0f6caf7409)	2025-01-02 14:15:55 +01:00
Neil Horman	7b07bc4c99	Fix potential use-after-free in REF_PRINT_COUNT ... We use REF_PRINT_COUNT to dump out the value of various reference counters in our code However, we commonly use this macro after an increment or decrement. On increment its fine, but on decrement its not, because the macro dereferences the object holding the counter value, which may be freed by another thread, as we've given up our ref count to it prior to using the macro. The rule is that we can't reference memory for an object once we've released our reference, so lets fix this by altering REF_PRINT_COUNT to accept the value returned by CRYPTO_[UP|DOWN]_REF instead. The eliminates the need to dereference the memory the object points to an allows us to use the call after we release our reference count Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25664) (cherry picked from commit dc10ffc283)	2024-12-10 14:58:51 +01:00
Neil Horman	7c09ce374c	Fix SSL_write_[ex|ex2] on blocking quic streams ... When writing to a blocking quic stream, we sometimes get duplicate transmitted data. This occurs when a call to quic_write_blocking has to wait for space to become available in the ring buffer. When we do a wait, the call sets *written to the value returned in args.total_written as filled out by the calls to block_until_pred->quic_write_again. However, the value there is based on the amount we requested, which is only the remaining data that we didn't append in xso_sstream_write. So if we call quic_write_blocking with a buffer of length X, and initially append Y bytes, and write the remainig X-Y bytes via a block_until_pred call, then *written will return with the value X-Y, even though we wrote the full X bytes to the ring buffer. Fix it by recording the initial amount appended into *written, and then add the args.total_written value if we have to wait on more space Fixes openssl/project#924 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26023) (cherry picked from commit 2de7e1d698)	2024-11-21 16:04:14 +01:00
Matt Caswell	e595f6cd32	Make sure we use the correct SSL object when making a callback ... When processing a callback within libssl that applies to TLS the original SSL object may have been created for TLS directly, or for QUIC. When making the callback we must make sure that we use the correct SSL object. In the case of QUIC we must not use the internal only SSL object. Fixes #25788 Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25931)	2024-11-13 17:34:29 +01:00
Matt Caswell	6612799fb5	Keep hold of a reference to the user SSL in QUIC ... In some cases a QUIC SSL_CONNECTION object needs to get hold of a reference to the original SSL object as created by the user. We should keep a reference to it. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25931)	2024-11-13 17:34:29 +01:00
Neil Horman	7d0280a198	Fix SSL_stream_reset for stream objects which have FIN bit set ... When calling SSL_stream_reset on a QUIC stream object that has received all data that is expected to be sent (i.e. when the sender has sent a STREAM frame with the FIN bit set), we encounter the following segfault: Program received signal SIGSEGV, Segmentation fault. 0x00007ffff7f0bd28 in ossl_quic_sstream_get_final_size (qss=0x0, final_size=0x0) at ssl/quic/quic_sstream.c:273 273 if (!qss->have_final_size) (gdb) bt 0) 0x00007ffff7f0bd28 in ossl_quic_sstream_get_final_size (qss=0x0, final_size=0x0) at ssl/quic/quic_sstream.c:273 1) 0x00007ffff7ef65bf in quic_validate_for_write (xso=0x5555555efcb0, err=0x7fffffffd5e0) at ssl/quic/quic_impl.c:2513 2) 0x00007ffff7ef8ae3 in ossl_quic_stream_reset (ssl=0x5555555efcb0, args=0x0, args_len=0) at ssl/quic/quic_impl.c:3657 3) 0x00007ffff7ebdaa6 in SSL_stream_reset (s=0x5555555efcb0, args=0x0, args_len=0) at ssl/ssl_lib.c:7635 4) 0x0000555555557527 in build_request_set ( req_list=0x55555555ebd0 "neil1.txt neil2.txt neil3.txt neil4.txt neil5.txt neil6.txt neil7.txt neil8.txt neil9.txt neil10.txt neil11.txt neil12.txt neil13.txt neil14.txt neil15.txt neil16.txt neil17.txt neil18.txt neil19.txt "..., ssl=0x5555555b6f80) at demos/guide/quic-hq-interop.c:545 5) 0x00005555555587b2 in main (argc=4, argv=0x7fffffffe568) at demos/guide/quic-hq-interop.c:941 This occurs because: 1) When the stream FIN bit is set, the quic stack frees the underlying stream structures immediately within the QUIC stack and 2) when SSL_stream_reset is called, the call stack indicates we call quic_validate_for_write, which attempts to access the xso->stream->sstream QUIC_SSTREAM object, which was already freed in (1) The fix I think is pretty straightforward. On receipt of a STREAM frame with a FIN bit set, the QUIC stack sets the QUIC_STREAM object state to QUIC_SSTREAM_STATE_DATA_RECVD, which means we can use that state to simply assert that the stream is valid for write, which allows it to be reset properly. Fixes #25410 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25910) (cherry picked from commit bbfffbcaf3)	2024-11-13 11:05:31 -05:00
Holger Dengler	4393fdd4a7	Fix memleaks in cmd_RecordPadding() ... Free the internal copy of parameter `value` on each early exit. Fixes #25906 Signed-off-by: Holger Dengler <dengler@linux.ibm.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25926) (cherry picked from commit 0abbd3e5ac)	2024-11-13 12:00:45 +01:00