This repository was archived by the owner on Apr 10, 2025. It is now read-only.
Openssl 3.0.16+quic #177
Open
Openssl 3.0.16+quic #177
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Reviewed-by: Neil Horman <nhorman@openssl.org> Release: yes
If the call to X509_ALGOR_set0 fails then the allocated ASN1_STRING variable passed as parameter leaks. Fix by explicitly freeing like how all other codepaths with X509_ALGOR_set0 do. Fixes openssl#22680 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#24868) (cherry picked from commit 5efc57c)
InterlockedExchangeAdd expects arguments of type LONG *, LONG but the int arguments were improperly cast to long *, long Note: - LONG is always 32 bit - long is 32 bit on Win32 VC x86/x64 and MingW-W64 - long is 64 bit on cygwin64 Signed-off-by: Georgi Valkov <gvalkov@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#25360) (cherry picked from commit b0ed90c)
Fixes openssl#8310: Document that the number of authenticated bytes returned by EVP_CipherUpdate() varies with the cipher used. Mention that stream ciphers like ChaCha20 can handle 1 byte at a time, while OCB mode requires processing data one block at a time. Ensure it's clear that passing unpadded data in one call is safe. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#24961) (cherry picked from commit d15077d)
…ccm.c Fixes openssl#25270 CLA: trivial Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#25318) (cherry picked from commit f2b7a00)
CLA:trivial Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#25338) (cherry picked from commit 6fd9bc6)
CLA: trivial (deps): Bump actions/setup-python Bumps [actions/setup-python](https://github.com/actions/setup-python) from 5.1.1 to 5.2.0. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](actions/setup-python@v5.1.1...v5.2.0) --- updated-dependencies: - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#25328) (cherry picked from commit 8af4c02)
Related to openssl#8441 This commit introduces a test suite for the password callback mechanism used when reading or writing encrypted and PEM or DER encoded keys via a BIO in OpenSSL. The test is designed to cover various edge cases, particularly focusing on scenarios where the password callback might return unexpected or malformed data from user code. By simulating different callback behaviors, including negative returns, zero-length passwords, passwords that exactly fill the buffer and wrongly reported lengths. Also testing for the correct behaviour of binary passwords that contain a null byte in the middle. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#25330) (cherry picked from commit fa6ae88)
Fixes openssl#8441: Modify the password callback handling to reserve one byte in the buffer for a null terminator, ensuring compatibility with legacy behavior that puts a terminating null byte at the end. Additionally, validate the length returned by the callback to ensure it does not exceed the given buffer size. If the returned length is too large, the process now stops gracefully with an appropriate error, enhancing robustness by preventing crashes from out-of-bounds access. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#25330) (cherry picked from commit 5387b71)
Refactor the callback test code to replace global variables with local structures, enhancing memory management and reducing reliance on redundant cleanup logic. Using a local struct containing a magic number and result flag to ensure the correct handling of user data and to verify that the callback function is invoked at least once during the test. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#25330) (cherry picked from commit 9808ccc)
- Converted password declaration from `char*` to `const char[]`. - Updated `memcpy` and `return` statements accordingly to use `sizeof` instead of predefined lengths. - Renamed `key_password` into `weak_password` to match test name. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#25330) (cherry picked from commit d52e92f)
Fixes openssl#8018 Documented the potential issue of premature connection closure in non-interactive environments, such as cron jobs, when using `s_client`. Added guidance on using the `-ign_eof` option and input redirection to ensure proper handling of `stdin` and completion of TLS session data exchange. Highlight potential issues with the `-ign_eof` flag and provide solutions for graceful disconnection in SMTP and HTTP/1.1 scenarios to avoid indefinite hangs. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#25311) (cherry picked from commit 26521fd)
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#24980) (cherry picked from commit a5cd06f)
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#24884) (cherry picked from commit e8498dc)
Related to openssl#8331 Addressing found issues by adding specific error messages to improve feedback when tag length checks fail for the `EVP_CTRL_AEAD_SET_TAG` parameter in the AES-OCB algorithm. - Added PROV_R_INVALID_TAG_LENGTH error to indicate when the current tag length exceeds the maximum tag length of the algorithm. - Added `PROV_R_INVALID_TAG_LENGTH` error to indicate when the current tag length in the context does not match a custom tag length provided as a parameter. - Added `ERR_R_PASSED_INVALID_ARGUMENT` error to handle cases where an invalid pointer is passed in encryption mode. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#25425) (cherry picked from commit 645edf5)
When both -o and -MT are used, GCC 4.1 prints the object file twice in the dependency file. e.g.: foo.o foo.o: foo.c If the file name is long, then the second occurrence moves to the next line. e.g.: ssl/statem/libssl-shlib-statem_dtls.o \ ssl/statem/libssl-shlib-statem_dtls.o: ../ssl/statem/statem_dtls.c \ add-depends script scans one line at a time, so when the first line is processed, the object file becomes a dependency itself. Fix by removing -MT altogether. This also fixes makedepend for nonstop platform. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from openssl#25455) (cherry picked from commit 6288aa4)
Fixes openssl#8331: Updated the description for setting the tag length in OCB mode to remove the misleading “when encrypting” and “during encryption” phrasing. This change emphasizes that setting a custom tag length requires a call with NULL, applicable to both encryption and decryption contexts. Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#25424) (cherry picked from commit 1299699)
CLA: trivial Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from openssl#25486) (cherry picked from commit f5a8f65)
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#23762) (cherry picked from commit e7abc21)
… on {OSSL_,}LIST_FOREACH{,_*}
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from openssl#25535)
(cherry picked from commit 91ec19e)
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from openssl#25533)
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from openssl#25533)
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from openssl#25533)
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from openssl#25533)
…r_init() Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from openssl#25533)
…esses Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from openssl#25533)
…and of whitespace in no_proxy Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from openssl#25533)
… no_proxy Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from openssl#25533)
…host' or '::1' This is a trivial 'backport' of commit 1ef3032 fixing openssl#22467 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from openssl#25533)
Use non-usual params of pkcs11 module will trigger a null ptr deref bug. Fix it for openssl#25493 CLA: trivial Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#25496) (cherry picked from commit 8ac42a5)
Can be squashed with `QUIC: Swap around README files`
Fixes quictls#2 and quictls#3 and quictls#22 Updates `Configure` script to disable QUIC with `no-bulk` and `no-ec` Updates build.info doc docs Fixes an issue with extension defintions and `no-quic`
As DTLS has changed, so too must QUIC.
We now let you call this function outside of the handshake, to provide post-handshake QUIC data. We also no longer have the limitation that the application must provide the TLS handshake message header in a single call.
The limit on the amount of queued data is to avoid being an amplification vector, specifically.
The QUIC APIs have no need to interact with TLS ciphers, since QUIC records use different cryptographic protections than TLS ciphers.
Fixes quictls#55 Had to fixup tests because SSL_accept() eventually calls SSL_clear() and it was removing the inital ClientHello sent via SSL_provide_quic_data() from the server SSL.
Undo SSL_clear() changes in test Break apart SSL_clear() into SSL_clear_quic() and SSL_clear_not_quic() In SSL_clear(), call both functions In SSL_accept(), call SSL_clear_not_quic() Don't make the new functions public.
Add link to OMCs plans. OpenSSL 3.0 is released, update tense. Fix some typos. Make relative URLs absolute.
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
20 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Openssl 3.0.16+quic
Please fetch openssl-3.0.16 and rebase against it