5756 Commits

Author	SHA1	Message	Date
Bob Beck	e70d3b1886	Add util/codespell-check.sh and run it ... Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28639)	2025-09-26 07:58:44 -04:00
Neil Horman	1e70e8080a	Close small race condition on error raising in QUIC ... Github issue #28501 reported an odd condition in which a double free was occuring when a given thread was popping entries of its error stack. It was hypothesized that, because a few places in the quic stack save error state to a shared structure (ch->err_state, port->error_state, qtls->error_state), that multiple threads may attempt to mutate the shared structure during error save/restore in parallel. Investigation showed that all paths which led to such mutations were done under lock, so that shouldn't occur. Except for one case, which this PR addresses. In ossl_quic_conn_stream_conclude, we unlock our protecting mutex, prior to calling QUIC_RAISE_NON_NORMAL_ERROR. If that function is called with an reason code of SHUTDOWN, it attempts to restore the channel error state. Given that the lock was released first, this creates a small race condition in which two threads may manipulate the shared error state in the channel struct in parallel. According to the reporter, applying this patch prevents the reported error from occuring again. Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28642)	2025-09-24 12:19:02 +02:00
Tomas Mraz	2edf021463	tls_common.c: Handle inner content type properly on Big Endian ... When passing the inner content type to msg_callback, the lowest byte of rec->type needs to be passed instead of directly passing the rec->type otherwise the value is incorrect on Big Endian platforms. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28627)	2025-09-23 16:37:35 +02:00
lan1120	e7f8839186	Fix the abnormal branch memory leak in ssl_set_cert_and_key function ... Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28619)	2025-09-23 16:36:23 +02:00
Ryan Hooper	f2a41c74ae	Updated SSL Trace to display the name for all MLKEM-based groups ... Make SSL Trace to display the name of the MLKEM512, MLKEM768, MLKEM1024 and SecP384r1MLKEM1024 groups. Fixes #28476 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28499)	2025-09-18 17:27:29 +02:00
Neil Horman	b74d5a175c	Fix ossl_prov_set_macctx ... This function fails to construct a param list that includes the passed in property query string in the param lists when allocating subordonate algorithms. Make sure we allow callers to pass a param list (so that providers for subordonate algorithms can be selected), and merge those into the param list that this function builds on its own. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/28461)	2025-09-17 10:21:46 +10:00
Neil Horman	9831200edf	support passing prop querys to composite algs ... We have several composite alg usages (i.e. MAC/KDF) which pick the right digest implementation when using an engine, but fail to get the right one when using a provider because we don't pass the propquery in a parameter to their instantiation. Fix them up by constructing the appropriate parameters Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/28461)	2025-09-17 10:21:46 +10:00
Frederik Wedel-Heinen	cb7da43fe8	Fix unnecessary casts between int and size_t ... Also update a check for a negative int length value in mem_write(). Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26438)	2025-09-09 09:51:32 +02:00
Pauli	3d68b70b9e	tls: explicitly clear the secure extensions on free ... Secure memory clears anyway but best to be explicit about it. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/28413)	2025-09-04 16:03:24 +10:00
openssl-machine	e66332418f	Copyright year updates ... Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Release: yes	2025-09-02 13:05:45 +00:00
Nachel72	bc28ca499e	Fix: Check for wrong object. The converted sc should be checked instead of the original s ... Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Todd Short <todd.short@me.com> (Merged from https://github.com/openssl/openssl/pull/28248)	2025-08-22 11:06:25 -04:00
Niels Dossche	220f5be690	Fix reallocation failure condition in qtx_resize_txe() ... Returning the same pointer does not mean that the reallocation failed, it would also prevent updating alloc_len down below. This is similar code and a similar change to 043a41ddee. Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28317)	2025-08-22 09:11:15 -04:00
Alexandr Nedvedicky	1d92f3b8b0	Make SSL_poll() and SSL_shutdown() better friends ... Current QUIC stack may leave connection monitored by SSL_poll() to stale during regular shutdown. The issue is triggered when ACK for client's FIN gets delayed. The sequeance of operations to trigger the stale of QUIC connection at client goes as follows: - application calls SSL_shutdown() on connection, the shutdown can not proceed, because bi-directional stream must be flushed. The client awaits ACK from server acknowledging reception of FIN on client's stream - the stream object gets destroyed, because application received all data from server. - application updates poll set and passes to SSL_poll() - ssl poll ticks the engine. Engine receives delayed ACK and marks stream as flushed. At this point the SSL_shutdown() operation may proceed given the application calls the SSL_shutdown(). However there is no mechanism to make SSL_poll() return so application is unable to proceed with its event loop where SSL_shutdown() may get called. This change introduces ossl_quic_channel_notify_flush_done() function which notifies channel when all streams are flushed (all FINs got ACKed). The first thing SSL_shudown() does it calls ossl_quic_stream_map_begin_shutdown_flush(). The function walks list of all streams attached to channel and notes how many streams is missing ACK for their FIN. In our test case it finds one such stream. Call to SSL_shutdown() returns and application destroys the SSL stream object and updates a poll set. SSL_poll() gets called. The QUIC stack (engine) gets ticked and reads data from socket. It processes delayed ACK now. The ACK-manager updates the stream notifying the server ACKs the FIN sent by client. The stream is flushed now. Thw shutdown_flush_done() for stream gets called on behalf of ACK manager. The shutdown_flush_done() does two things: - it marks stream as flushed - it decrements the num_shutdown_flush counter initialized be earlier call to ossl_quic_stream_map_begin_shutdown_flush() called by SSL_shutdown() The change here calls ossl_quic_channel_notify_flush_done() when num_shutdown_flush reaches zero. The ossl_quic_channel_notify_flush_done() then calls function ossl_quic_channel_notify_flush_done(), which just moves the state of the channel (connection) from active to terminating state. The change of channel state is sufficent for SSL_poll() to signal _EC event on connection. Once application receives _EC event on connection it should check the state of the channel/reason of error. In regular case the error/channel state hints application to call SSL_shutdown() so connection object can proceed with connection shutdown. The SSL_shutdown() call done now moves channel to terminated state. So the next call to SSL_poll() can signal _ECD which tells application it's time to stop polling on SSL connection object and destroy it. Fixes openssl/project#1291 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28116)	2025-08-21 14:43:03 +02:00
Tomas Mraz	eaacf56ba9	Avoid doublefree of OCSP_SINGLERESP ... It is referenced by OCSP_BASICRESP and will be freed when that is freed. Issue and a proposed fix reported by Stanislav Fort (Aisle Research). Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/28300)	2025-08-20 14:59:34 +02:00
Matt Caswell	47b0f172aa	Fail immediately if we have no key shares to send ... If we are configured in such a way that we have no valid key shares to send in the ClientHello we should immediately abort the connection. Fixes #28281 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Hugo Landau <hlandau@devever.net> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/28283)	2025-08-20 09:48:25 +01:00
Neil Horman	389728876b	set SSLfatal if tls1_set_shared_sigalgs has a malloc failure ... Detected another memfail failure https://github.com/openssl/openssl/actions/runs/16926186604/job/47962169870 Tracking it back, it occurs because tls1_set_server_sigalgs attempts to preform an allocation, and in the event of failure, returns 0 without setting SSLfatal, like the other failure paths in this function do when returning 0, which translates to a return of WORK_ERROR higher up the stack The result is that on the next call to check_fatal in read_state_machine, we fail the assert when deubg is enabled (as it is in the coverage tests). Fix it by calling SSLfatal when the call to OPENSSL_calloc fails in this function. Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28250)	2025-08-15 08:39:11 -04:00
Neil Horman	d2a71ed94e	Add CRYPTO_FREE_REF to ossl_quic_free_token_store ... ossl_quic_free_token_store doesn't call CRYPTO_FREE_REF on the hdl->reference object, which could lead to memory leaks on platforms that don't support atomics (where the call to CRYPTO_NEW_REF allocates a mutex as part of its function. It wasn't caught before because all the platforms we do ci on support threads. Fixes #28241 Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28247)	2025-08-14 11:19:52 -04:00
Neil Horman	7d78cd722b	Assert SSLFatal on keylog failure ... We hit an check_failure assert during memfail testing in ssl_read_state_machine, based on a return of WORK_ERROR without an SSLFatal call being made. This occurs because, if we fail in ssl_log_secret (which we do due to memfail testing, we don't actually assert an SSL fatal error. Fix it by adding the SSLFatal call Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28216)	2025-08-12 14:15:50 -04:00
Norbert Pocs	c5ef06f4ab	quic_channel.c: NULL check SSL_CONNECTION ... Addresses coverity issue #1662037 Fixes: https://github.com/openssl/project/issues/1316 Signed-off-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28208)	2025-08-10 17:16:02 -04:00
Eugene Syromiatnikov	351caebeac	ssl: use array memory (re)allocation routines ... Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28059)	2025-08-08 12:22:10 -04:00
Eugene Syromiatnikov	731fc62908	crypto/params_dup.c: add overflow check to ossl_param_buf_alloc ... Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28059)	2025-08-08 12:22:10 -04:00
Eugene Syromiatnikov	c4a91d5c26	ssl: drop multiplication by sizeof(char) in allocation size calculations ... Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28059)	2025-08-08 12:22:10 -04:00
Neil Horman	0c1c243a80	Ensure that the largest_pn values are migrated to our channel qrx ... Recently, our overnight QUIC interop runs began failing in CI when an openssl server was tested against an ngtcp2 client: https://github.com/openssl/openssl/actions/runs/16739736813 The underlying cause bears some explination for historical purposes The problem began happening with a recent update to ngtcp2 in which ngtcp2 updated its wolfssl tls backend to support ML-KEM, which caused ngtcp to emit a client hello message that offered several groups (including X25519MLKEM768) but only provided a keyshare for x25519. This in turn triggered the openssl server to respond with a hello retry request (HRR), requesting an ML-KEM keyshare instead, which ngtcp2 obliged. However all subsequent frames from the client were discarded by the server, due to failing packet body decryption. The problem was tracked down to a mismatch in the initial vectors used by the client and server, leading to an AEAD tag mismatch. Packet protection keys generate their IV's in QUIC by xoring the packet number of the received frame with the base IV as derived via HKDF in the tls layer. The underlying problem was that openssl hit a very odd corner case with how we compute the packet number of the received frame. To save space, QUIC encodes packet numbers using a variable length integer, and only sends the changed bits in the packet number. This requires that the receiver (openssl) store the largest received pn of the connection, which we nominally do. However, in default_port_packet_handler (where QUIC frames are processed prior to having an established channel allocated) we use a temporary qrx to validate the packet protection of those frames. This temporary qrx may be incorporated into the channel in some cases, but is not in the case of a valid frame that generates an HRR at the TLS layer. In this case, the channel allocates its own qrx independently. When this occurs, the largest_pn value of the temporary qrx is lost, and subsequent frames are unable to be received, as the newly allocated qrx belives that the larges_pn for a given pn_space is 0, rather than the value received in the initial frame (which was a complete 32 bit value, rather than just the changed lower 8 bits). As a result the IV construction produced the wrong value, and the decrypt failed on those subsequent frames. Up to this point, that wasn't even a problem, as most quic implementations start their packet numbering at 0, so the next packet could still have its packet number computed properly. The combination of ngtcp using large random values for initial packet numbers, along with the HRR triggering a separate qrx creation on a channel led to the discovery of this discrepancy. The fix seems pretty straightforward. When we detect in port_default_packet_handler, that we have a separate qrx in the new channel, we migrate processed packets from the temporary qrx to the canonical channel qrx. In addition to doing that, we also need to migrate the largest_pn array from the temporary qrx to the channel_qrx so that subsequent frame reception is guaranteed to compute the received frame packet number properly, and as such, compute the proper IV for packet protection decryption. Fixes openssl/project#1296 Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28115)	2025-08-07 13:16:25 -04:00
Norbert Pocs	4b6e6554b2	quic_channel: Handle HRR and the second transport params extension ... When HRR happens a second client hello is sent and it consist of a transport params extension. This must be processed and not cause failure. Fixes: https://github.com/openssl/project/issues/1296 Signed-off-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28115)	2025-08-07 13:16:25 -04:00
Nikolas Gauder	95efe41d2e	ssl/quic/quic_channel.c: Fix endianness of supported versions from received version negotiation packets ... Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28169)	2025-08-06 08:19:48 -04:00
Nikolas Gauder	2b24455a9f	ssl/quic/quic_port.c: Fix endianness of supported versions in sent version negotiation packets ... Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28169)	2025-08-06 08:19:48 -04:00
Alexandr Nedvedicky	d777deffba	- adding a missing file ... Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28023)	2025-07-27 04:48:28 -04:00
sashan	a43b926fd2	- fix RFC reference and indentation ... Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28023)	2025-07-27 04:48:28 -04:00
Sashan	b083613476	Update ssl/quic/quic_ackm.c ... Co-authored-by: Andrew Dinh <andrewd@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28023)	2025-07-27 04:48:28 -04:00
Sashan	4a3c954a0c	Update ssl/quic/quic_ackm.c ... Co-authored-by: Andrew Dinh <andrewd@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28023)	2025-07-27 04:48:28 -04:00
sashan	cdbfacead0	ACK manager must avoid infinite probe time when waiting handshake confirmation ... According to RFC 9002, section 6.2.2.1 the client the client must keep PTO (probe time out) armed if it has not seen HANDSHAKE_DONE quic message from server. Not following RFC spec here may cause the QUIC session to stale during TLS handshake. Fixes openssl/project#1266 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28023)	2025-07-27 04:48:28 -04:00
martin	b1b4b154fd	Add support for TLS 1.3 OCSP multi-stapling for server certs ... Co-authored-by: Michael Krueger Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20945)	2025-07-25 17:24:37 +02:00
Norbert Pocs	af2aaf3271	Deprecate ASN1_METH internal usage ... Some of them are needed and were kept by adding `#include "internal/deprecated"` and some had to be turned off. Signed-off-by: Norbert Pocs <norbertp@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27727)	2025-07-17 11:25:18 -04:00
Alexandr Nedvedicky	e6c20588ef	QUIC receiver may accidentally ACK packet it fails to process ... we set ok to -1 as we enter ossl_quic_handle_frames(). If we set ok to 0 here we effectively assume successful processing of all frames found in packet. We do this just before we return from function: ``` 1479 1480 /* Now that special cases are out of the way, parse frames */ 1481 if (!PACKET_buf_init(&pkt, qpacket->hdr->data, qpacket->hdr->len) 1482 || !depack_process_frames(ch, &pkt, qpacket, 1483 enc_level, 1484 qpacket->time, 1485 &ackm_data)) 1486 goto end; 1487 1488 ok = 1; 1489 end: 1490 /* 1491 * ASSUMPTION: If this function is called at all, |qpacket| is 1492 * a legitimate packet, even if its contents aren't. 1493 * Therefore, we call ossl_ackm_on_rx_packet() unconditionally, as long as 1494 * |ackm_data| has at least been initialized. 1495 */ 1496 if (ok >= 0) 1497 ossl_ackm_on_rx_packet(ch->ackm, &ackm_data); 1498 1499 return ok > 0; ``` if the call to `depack_process_frames()` at line 1492 fails, because barticualr frame in packet is corrupted/invalid we take a branch to `end:` goto target. In this case we must avoid the call to `ossl_ackm_on_rx_packet()`. Packet with malformed/invalid frame must not be accepted. See RFC 9000 section 13.1: Once the packet has been fully processed, a receiver acknowledges receipt by sending one or more ACK frames containing the packet number of the received packet. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28002)	2025-07-10 12:05:44 +02:00
Michael Baentsch	51ce5499f9	Introduce SSL_OP_SERVER_PREFERENCE to replace SSL_OP_CIPHER_SERVER_PREFERENCE misnomer ... Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27981)	2025-07-09 12:10:57 +02:00
Andrew Dinh	74a0ec3c08	Add stream type flags to SSL_accept_stream ... Introduces SSL_ACCEPT_STREAM_UNI and SSL_ACCEPT_STREAM_BIDI flags to SSL_accept_stream, allowing callers to specify whether to accept only unidirectional or bidirectional streams. Returns the first of its type from the queue Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27883)	2025-07-02 20:55:24 -04:00
Tomas Mraz	abdbad370c	libssl: Silence warnings on Win64 builds ... Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27806)	2025-07-02 17:26:26 +02:00
noctuelles	de5a619aa0	fix: msg callback in dtls1_do_write that incorrectly shows message (like a certificate) that spans over multiple fragments. ... Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27811)	2025-06-30 11:23:40 +01:00
Dmitry Belyavskiy	e7e7950998	Enforce permissions 0600 for SSLKEYLOGFILE ... Fixes #27890 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27893)	2025-06-30 10:45:31 +01:00
Sergey Kandaurov	403ba31a02	Preserve connection custom extensions in SSL_set_SSL_CTX() ... The SSL_set_SSL_CTX() function is used to switch SSL contexts for the given SSL object. If contexts differ, this includes updating a cert structure with custom extensions from the new context. This however overwrites connection custom extensions previously set on top of inherited from the old context. The fix is to preserve connection custom extensions using a newly introduced flag SSL_EXT_FLAG_CONN in custom_ext_copy_conn(). Similar to custom_ext_copy(), it is a no-op if there are no custom extensions to copy. The only such consumer is ossl_quic_tls_configure() used to set the "quic_transport_parameters" extension. Before this change, context switch resulted in transport parameters not being sent due to the missing extension. Initially reported at https://github.com/nginx/nginx/issues/711 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27706)	2025-06-20 15:55:29 +01:00
Sergey Kandaurov	f7b10004dc	Add a helper function to copy custom extensions with old style arguments ... Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27706)	2025-06-20 15:55:29 +01:00
Matt Caswell	4b148ebb66	Ensure we pass the user SSL object for the SSL_set_verify callback ... When calling the verify callback we need to ensure we supply the user SSL object, and not any internal SSL object. Fixes #27830 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27838)	2025-06-17 16:12:39 -04:00
Alexis Goodfellow	52dba1c098	Begin incorporating stdbool usage when json encoding ... Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/27812)	2025-06-13 11:26:46 -04:00
sashan	5ee8248d08	ossl_rio_poll_builder_add_fd(): Fixup pfds after reallocation ... Local variable `pfds` used in `ossl_rio_poll_builder_add_fd()` must be consistent with `rpb->pfd_heap`. The function maintains array of SSL objects for SSL_poll(3ossl). It works with no issues until we need to reallocate `rbp->pfd_heap` in `rpb_ensure_alloc()`. After `rpb_ensure_alloc()` returns we must update local variable `pfds` with `rpb->pfd_heap` not doing so makes function to write to dead buffer. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27804)	2025-06-13 12:37:50 +02:00
yexiaochuan	8e787b1028	fix: add parsing check in TLS compress_certificate extension handler ... The tls_parse_compress_certificate function was missing validation for trailing bytes after parsing the algorithm list, violating RFC8446 section 4.2 which requires sending a decode_error alert for unparseable messages. This commit adds a check for remaining bytes in the packet after the while loop and sends SSL_AD_DECODE_ERROR if any trailing bytes are found. Fixes #27717 CLA: trivial Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27733)	2025-06-10 19:39:29 +02:00
Matt Caswell	e5feca0659	Fix DTLS handling when receiving a no_renegotiation alert ... no_renegotiation is a warning alert sent from the server when it is not prepared to accept a renegotiation attempt. In TLS we abort the connection when we receive one of these - which is a reasonable response. However, in DTLS we incorrectly ignore this and keep trying to renegotiate. We bring the DTLS handling of a no_renegotiation alert into line with how TLS handles this. In versions prior to 3.2 handling of a warning alert in DTLS was mishandled resulting in a failure of the connection, which ends up being the right thing to do "by accident" in the case of "no_renegotiation". From 3.2 this mishandling was fixed, but exposed this latent bug. Fixes #27419 Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27591)	2025-06-04 17:21:16 +02:00
Andrew Dinh	9bad2b86e8	Reset qtls->local_transport_params_consumed to 0 on SSL_clear() ... Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27656)	2025-06-03 18:29:21 +02:00
Matt Caswell	098cfd216b	Ensure client read app data secret change occurs after write for QUIC ... We don't want read secrets to be issue before write for QUIC, because we want to avoid the situation where we want to ack something we've read but we don't have the write secret yet. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27732)	2025-06-03 17:06:31 +01:00
Matt Caswell	c7f9c4d7d1	Implement explicit storing of the server_finished_hash ... tls13_change_cipher_state was storing the server_finished_hash as a side effect of its operation. This decision is better made by the state machine which actually knows what state we are in. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27732)	2025-06-03 17:06:31 +01:00
Matt Caswell	86e7579262	Ensure client read handshake secret change occurs after write for QUIC ... We don't want read secrets to be issue before write for QUIC, because we want to avoid the situation where we want to ack something we've read but we don't have the write secret yet. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27732)	2025-06-03 17:06:31 +01:00