openssl

Commit Graph

Author	SHA1	Message	Date
Matt Caswell	fc8ff75814	Use correctly formatted ALPN data in tserver The QUIC test server was using incorrectly formatted ALPN data. With the previous implementation of SSL_select_next_proto this went unnoticed. With the new stricter implemenation it was failing. Follow on from CVE-2024-5535 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24716)	2024-06-27 10:30:51 +01:00
Richard Levitte	b646179229	Copyright year updates Reviewed-by: Neil Horman <nhorman@openssl.org> Release: yes (cherry picked from commit `0ce7d1f355`) Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24034)	2024-04-09 13:43:26 +02:00
Matt Caswell	fa4b1151c8	Free the tserver TLS object before freeing the channel The TLS object may make callbacks into QUIC during cleanup so we must free it first. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23256)	2024-01-31 10:10:55 +00:00
Hugo Landau	22739cc3ac	QUIC APL, TSERVER: Start using a QUIC_ENGINE object Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22674)	2023-12-21 08:12:06 +00:00
Hugo Landau	073e5bc781	QUIC CHANNEL: Remove legacy calls for functionality moved to QUIC_PORT Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22674)	2023-12-21 08:11:59 +00:00
Hugo Landau	4ed6b48d9d	QUIC PORT, CHANNEL: Move DEMUX and default packet handling out of CHANNEL Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22674)	2023-12-21 08:11:59 +00:00
Hugo Landau	2d80e45901	QUIC PORT: Make QUIC_PORT responsible for creation of all channels Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22674)	2023-12-21 08:11:59 +00:00
Hugo Landau	2954287041	QUIC PORT: Record a SSL_CTX for use when creating handshake layer objects Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22674)	2023-12-21 08:11:59 +00:00
Hugo Landau	34fa182e1d	QUIC CHANNEL, TSERVER: Move to using libctx/propq/mutex/now_cb via QUIC_PORT Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22674)	2023-12-21 08:11:59 +00:00
Hugo Landau	167e5f34c8	QUIC TSERVER: Provide a TSERVER's QUIC_CHANNEL with a currently unused QUIC_PORT Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22674)	2023-12-21 08:11:59 +00:00
Hugo Landau	eadebcc863	QUIC TSERVER: Fix erroneously static variable Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/22828)	2023-11-27 07:57:32 +00:00
Tomas Mraz	8e520d2714	Postpone two TODO(QUIC) items appropriately The one in ch_rx_handle_packet() is a tuning thing -> QUIC FUTURE The one in ossl_quic_tserver_shutdown() is a server thing -> QUIC SERVER Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22408)	2023-10-20 16:29:18 +01:00
Matt Caswell	18fd0ea04d	Ensure we free all the BIOs in a chain for QUIC like we do in TLS An application may pass in a whole BIO chain via SSL_set_bio(). When we free the BIO we should be using BIO_free_all() not BIO_free() like we do with TLS. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22157)	2023-09-22 13:56:43 +01:00
Matt Caswell	1e4fc0b2e5	Add a test for using a PSK with QUIC Check that we can set and use a PSK when establishing a QUIC connection. Fixes openssl/project#83 Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22011)	2023-09-12 15:29:00 +02:00
Matt Caswell	da1c088f59	Copyright year updates Reviewed-by: Richard Levitte <levitte@openssl.org> Release: yes	2023-09-07 09:59:15 +01:00
Hugo Landau	3bc38ba071	QUIC MULTISTREAM TEST: Test WAIT_PEER Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21815)	2023-08-30 08:28:22 +01:00
Matt Caswell	cb93128873	Add the ability to set SSL_trace as the msg_callback in tserver This is useful for debugging purposes. The standard SSL_trace msgcallback can be used with tserver. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21800)	2023-08-24 10:33:58 +01:00
Matt Caswell	644ef0bb69	Add a test for receiving a post-handshake CertificateRequest This should result in a QUIC PROTOCOL_VIOLATION We also add tests for a post-handshake KeyUpdate, and a NewSessionTicket with an invalid max_early_data value. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21686)	2023-08-15 14:41:31 +01:00
Matt Caswell	614c08c239	Add the ability to send NewSessionTicket messages when we want them Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21686)	2023-08-15 14:41:31 +01:00
Hugo Landau	f2609004df	Minor fixes Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21565)	2023-08-10 18:19:51 +01:00
Hugo Landau	f540b6b4f6	QUIC TSERVER: Handle return value correctly (coverity) Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21565)	2023-08-10 18:19:51 +01:00
Hugo Landau	40c8c756c8	QUIC APL/CHANNEL: Wire up connection closure reason Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21565)	2023-08-10 18:19:45 +01:00
Hugo Landau	17340e8785	QUIC TEST: Ensure PING causes ACK generation Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21565)	2023-08-10 18:19:44 +01:00
Hugo Landau	7eb330ff7a	QUIC: Echo PATH_CHALLENGE frames as PATH_RESPONSE frames Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21547)	2023-08-08 14:33:42 +01:00
Matt Caswell	829eec9f86	Add the ability for tserver to use a pre-existing SSL_CTX Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21591)	2023-08-02 20:27:07 +01:00
Hugo Landau	5904a0a71f	QUIC TSERVER: Allow reading from a stream after connection termination Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21484)	2023-07-31 14:03:25 +01:00
Hugo Landau	f36504cc39	Minor fixups Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21135)	2023-07-17 08:18:05 +10:00
Hugo Landau	9ff3a99ea6	QUIC: Fix multistream test on macOS Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21135)	2023-07-17 08:18:05 +10:00
Hugo Landau	5ed3a435d5	QUIC QSM: Get rid of recv_fin_retired in favour of recv_state Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21135)	2023-07-17 08:18:05 +10:00
Hugo Landau	2f018d14f0	QUIC QSM/STREAM: Refactor to use RFC stream states Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21135)	2023-07-17 08:17:57 +10:00
Matt Caswell	37f27b91de	Add a test quicserver utility This QUIC server utility is intended for test purposes only and is expected to be replaced in a future version of OpenSSL by s_server. At that point it will be removed. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21204)	2023-06-28 09:53:22 +10:00
Hugo Landau	629b408c12	QUIC: Fix bugs where threading is disabled Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20856)	2023-05-24 10:34:54 +01:00
Hugo Landau	1df479a9f9	QUIC TSERVER: Allow detection of new incoming streams Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20856)	2023-05-24 10:34:47 +01:00
Tomas Mraz	80b9eca279	Add test for handling NEW_CONNECTION_ID frame Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20892)	2023-05-17 14:04:18 +01:00
Hugo Landau	f0e22d1be8	QUIC TSERVER: Allow STOP_SENDING/RESET_STREAM to be queried Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20765)	2023-05-12 14:47:13 +01:00
Hugo Landau	2289401685	QUIC TSERVER: Handle FINs correctly if ossl_quic_tserver_read is not called first Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20765)	2023-05-12 14:47:13 +01:00
Hugo Landau	723cbe8a73	QUIC CHANNEL: Do not copy terminate cause as it is not modified after termination Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20765)	2023-05-12 14:47:12 +01:00
Hugo Landau	b757beb5f3	QUIC TSERVER: Add support for multiple streams Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20765)	2023-05-12 14:47:11 +01:00
Juergen Christ	ca9ef8ebf5	Fix stack use-after-free in QUIC When running test_quicapi on master on a Fedora 38 with santizier, a stack use-after-free is reported: ``` 75-test_quicapi.t .. ================================================================= ==28379==ERROR: AddressSanitizer: stack-use-after-return on address 0x03ffa22a2961 at pc 0x03ffa507384a bp 0x03fffb576d68 sp 0x03fffb576550 READ of size 8 at 0x03ffa22a2961 thread T0 #0 0x3ffa5073849 in memcpy (/usr/lib64/libasan.so.8+0x73849) (BuildId: ce24d4ce2e06892c2e9105155979b957089a182c) #1 0x118b883 in tls_handle_alpn ssl/statem/statem_srvr.c:2221 #2 0x111569d in tls_parse_all_extensions ssl/statem/extensions.c:813 #3 0x118e2bf in tls_early_post_process_client_hello ssl/statem/statem_srvr.c:1957 #4 0x118e2bf in tls_post_process_client_hello ssl/statem/statem_srvr.c:2290 #5 0x113d797 in read_state_machine ssl/statem/statem.c:712 #6 0x113d797 in state_machine ssl/statem/statem.c:478 #7 0x10729f3 in SSL_do_handshake ssl/ssl_lib.c:4669 #8 0x11cec2d in ossl_quic_tls_tick ssl/quic/quic_tls.c:717 #9 0x11afb03 in ch_tick ssl/quic/quic_channel.c:1296 #10 0x10cd1a9 in ossl_quic_reactor_tick ssl/quic/quic_reactor.c:79 #11 0x10d948b in ossl_quic_tserver_tick ssl/quic/quic_tserver.c:160 #12 0x1021ead in qtest_create_quic_connection test/helpers/quictestlib.c:273 #13 0x102b81d in test_quic_write_read test/quicapitest.c:54 #14 0x12035a9 in run_tests test/testutil/driver.c:370 #15 0x1013203 in main test/testutil/main.c:30 #16 0x3ffa463262b in __libc_start_call_main (/usr/lib64/libc.so.6+0x3262b) (BuildId: 6bd4a775904d85009582d6887da4767128897d0e) #17 0x3ffa463272d in __libc_start_main_impl (/usr/lib64/libc.so.6+0x3272d) (BuildId: 6bd4a775904d85009582d6887da4767128897d0e) #18 0x101efb9 (/root/openssl/test/quicapitest+0x101efb9) (BuildId: 075e387adf6d0032320aaa18061f13e9565ab481) Address 0x03ffa22a2961 is located in stack of thread T0 at offset 33 in frame #0 0x10d868f in alpn_select_cb ssl/quic/quic_tserver.c:49 This frame has 1 object(s): [32, 41) 'alpn' (line 50) <== Memory access at offset 33 is inside this variable HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork (longjmp and C++ exceptions are supported) SUMMARY: AddressSanitizer: stack-use-after-return (/usr/lib64/libasan.so.8+0x73849) (BuildId: ce24d4ce2e06892c2e9105155979b957089a182c) in memcpy Shadow bytes around the buggy address: 0x03ffa22a2680: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 0x03ffa22a2700: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 0x03ffa22a2780: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 0x03ffa22a2800: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 0x03ffa22a2880: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 =>0x03ffa22a2900: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5[f5]f5 f5 f5 0x03ffa22a2980: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 0x03ffa22a2a00: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 0x03ffa22a2a80: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 0x03ffa22a2b00: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 0x03ffa22a2b80: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==28379==ABORTING ../../util/wrap.pl ../../test/quicapitest default ../../test/default.cnf ../../test/certs => 1 not ok 1 - running quicapitest ``` Fix this be making the protocols to select static constants and thereby moving them out of the stack frame of the callback function. Signed-off-by: Juergen Christ <jchrist@linux.ibm.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20904)	2023-05-09 14:14:23 +01:00
Hugo Landau	9cf091a3c5	QUIC Thread Assisted mode: miscellaneous fixes Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20348)	2023-03-30 11:14:16 +01:00
Hugo Landau	c4208a6a98	QUIC Thread Assisted Mode: Fix typos and use of CRYPTO_RWLOCK type Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20348)	2023-03-30 11:14:10 +01:00
Hugo Landau	dbe7b51a8e	Minor fixes to thread assisted mode Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20348)	2023-03-30 11:14:09 +01:00
Hugo Landau	b212d554e7	QUIC CHANNEL: Allow time source to be overridden Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20348)	2023-03-30 11:14:09 +01:00
Hugo Landau	ccd3103771	Add channel-only tick mode and use it for thread assisted mode Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20348)	2023-03-30 11:14:08 +01:00
Hugo Landau	e053505f0c	Add mutex to tserver Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20348)	2023-03-30 11:14:08 +01:00
Matt Caswell	0c593328fe	Add a simple QUIC test for blocking mode We create "real" sockets for blocking mode so that we can block on them. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20514)	2023-03-20 09:35:55 +11:00
Matt Caswell	45bb98bfa2	Add const to some test tserver functions Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20030)	2023-02-22 05:34:06 +00:00
Matt Caswell	c12e111336	Rename various functions OSSL_QUIC_FAULT -> QTEST_FAULT Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20030)	2023-02-22 05:34:06 +00:00
Matt Caswell	ce8f20b6ae	Don't treat the Tserver as connected until the handshake is confirmed Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20030)	2023-02-22 05:34:04 +00:00
Matt Caswell	f10e5885f0	Add a test for a server that doesn't provide transport params Check that we fail if the server has failed to provide transport params. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20030)	2023-02-22 05:34:04 +00:00

1 2

58 Commits