Copyright year updates

Reviewed-by: Neil Horman <nhorman@openssl.org>
Release: yes
(cherry picked from commit 0ce7d1f355c1240653e320a3f6f8109c1f05f8c0)

Reviewed-by: Hugo Lan

Copyright year updates

Reviewed-by: Neil Horman <nhorman@openssl.org>
Release: yes
(cherry picked from commit 0ce7d1f355c1240653e320a3f6f8109c1f05f8c0)

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24034)

show more ...

libssl: Make some global mutable structures constant

x

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://githu

libssl: Make some global mutable structures constant

x

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23450)

show more ...

Add appropriate NULL checks in EVP_CIPHER api

The EVP_CIPHER api currently assumes that calls made into several APIs
have already initalized the cipher in a given context via a call to

Add appropriate NULL checks in EVP_CIPHER api

The EVP_CIPHER api currently assumes that calls made into several APIs
have already initalized the cipher in a given context via a call to
EVP_CipherInit[_ex[2]]. If that hasnt been done, instead of an error,
the result is typically a SIGSEGV.

Correct that by adding missing NULL checks in the apropriate apis prior
to using ctx->cipher

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22995)

show more ...

Don't attempt to set provider params on an ENGINE based cipher

If an ENGINE has been loaded after the SSL_CTX has been created then
the cipher we have cached might be provider based, but

Don't attempt to set provider params on an ENGINE based cipher

If an ENGINE has been loaded after the SSL_CTX has been created then
the cipher we have cached might be provider based, but the cipher we
actually end up using might not be. Don't try to set provider params on
a cipher that is actually ENGINE based.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/22864)

show more ...

Copyright year updates


Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes

Fix typos found by codespell

Typos in doc/man* will be fixed in a different commit.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(M

Fix typos found by codespell

Typos in doc/man* will be fixed in a different commit.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20910)

show more ...

Rationalize FIPS sources

Avoid including QUIC related stuff in the FIPS sources.
Also avoid including libssl headers in ssl3_cbc.c.

Reviewed-by: Paul Dale <pauli@openssl.org>

Rationalize FIPS sources

Avoid including QUIC related stuff in the FIPS sources.
Also avoid including libssl headers in ssl3_cbc.c.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19658)

show more ...

Rename SSL3_RECORD to TLS_RL_RECORD

The SSL3 prefix no longer seems appropriate. We choose TLS_RL_RECORD instead
of TLS_RECORD because that type already exists elsewhere.

Review

Rename SSL3_RECORD to TLS_RL_RECORD

The SSL3 prefix no longer seems appropriate. We choose TLS_RL_RECORD instead
of TLS_RECORD because that type already exists elsewhere.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19586)

show more ...

Rename SSL3_BUFFER to TLS_BUFFER

The SSL3 prefix no longer seems appropriate.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Mer

Rename SSL3_BUFFER to TLS_BUFFER

The SSL3 prefix no longer seems appropriate.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19586)

show more ...

Pipeline output/input buf arrays must live until the EVP_Cipher is called

The pipeline input/output buf arrays must remain accessible to the
EVP_CIPHER_CTX until EVP_Cipher is subsequent

Pipeline output/input buf arrays must live until the EVP_Cipher is called

The pipeline input/output buf arrays must remain accessible to the
EVP_CIPHER_CTX until EVP_Cipher is subsequently called. This fixes an
asan error discovered by the newly added pipeline test.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19456)

show more ...

Remove dtls_write_records

The dtls_write_records function, after the previous series of commits,
was functionally equivalent to tls_write_records_default - so it can be
removed compl

Remove dtls_write_records

The dtls_write_records function, after the previous series of commits,
was functionally equivalent to tls_write_records_default - so it can be
removed completely.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19424)

show more ...

Move sequence increment to post encryption processing

This change make dtls_write_records virtuall the same as
tls_write_records_default, which will enable us to merge them in a
subs

Move sequence increment to post encryption processing

This change make dtls_write_records virtuall the same as
tls_write_records_default, which will enable us to merge them in a
subsequent commit.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19424)

show more ...

Consolidate sequence counter incrementing code

The sequence counter was incremented in numerous different ways in
numerous different locations. We introduce a single function to do this

Consolidate sequence counter incrementing code

The sequence counter was incremented in numerous different ways in
numerous different locations. We introduce a single function to do this
inside the record layer.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19424)

show more ...

Convert dtls_write_records to use standard record layer functions

We have standard functions for most of the work that dtls_write_records
does - so we convert it to use those functions i

Convert dtls_write_records to use standard record layer functions

We have standard functions for most of the work that dtls_write_records
does - so we convert it to use those functions instead.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19424)

show more ...

Start using WPACKET in the dtls write records code

Previously this was writing to the buffers directly. We use the safer
WPACKET instead

Reviewed-by: Richard Levitte <levitte@op

Start using WPACKET in the dtls write records code

Previously this was writing to the buffers directly. We use the safer
WPACKET instead

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19424)

show more ...

Use common tls_write_records() even for DTLS

In practice this just means have a DTLS specific write_records that the
common tls_write_records() just calls. We also replace the use of

Use common tls_write_records() even for DTLS

In practice this just means have a DTLS specific write_records that the
common tls_write_records() just calls. We also replace the use of
ssl3_write_pending() with tls_retry_write_records().

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19424)

show more ...

Use record layer buffers for DTLS rather than the buffers in s->rlayer

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hug

Use record layer buffers for DTLS rather than the buffers in s->rlayer

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19424)

show more ...

Introduce a step to prepare the BIO before writing

This removes some KTLS specific code from tls_retry_write_records().

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-b

Introduce a step to prepare the BIO before writing

This removes some KTLS specific code from tls_retry_write_records().

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19343)

show more ...

Add a post encryption processing step

For example in this we add the MAC if we are doing encrypt-then-mac.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz

Add a post encryption processing step

For example in this we add the MAC if we are doing encrypt-then-mac.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19343)

show more ...

Add a prepare for encryption step

This applies any mac that might be necessary, ensures that we have
enough space in the WPACKET to perform the encryption and sets up the
SSL3_RECORD

Add a prepare for encryption step

This applies any mac that might be necessary, ensures that we have
enough space in the WPACKET to perform the encryption and sets up the
SSL3_RECORD ready for that encryption.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19343)

show more ...

Move record padding out of tls_common.c

Only tls13_meth.c needs to handle adding record padding. All other
*_meth.c files can ignore it.

Reviewed-by: Hugo Landau <hlandau@openss

Move record padding out of tls_common.c

Only tls13_meth.c needs to handle adding record padding. All other
*_meth.c files can ignore it.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19343)

show more ...

Defer record header preparation to the protocol methods

We introduce a new function to prepare the record header. KTLS has its own
version since this is done by the kernel.

Revi

Defer record header preparation to the protocol methods

We introduce a new function to prepare the record header. KTLS has its own
version since this is done by the kernel.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19343)

show more ...

Abstract out the record type processing

Remove TLSv1.3 specific processing of the record type out of tls_common.c
and into tls13_meth.c

Reviewed-by: Hugo Landau <hlandau@openssl

Abstract out the record type processing

Remove TLSv1.3 specific processing of the record type out of tls_common.c
and into tls13_meth.c

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19343)

show more ...

Defer write buffer and WPACKET allocation/initialisation to protocol code

We move some protocol specific code for write buffer and WPACKET allocation
and initialisation out of tls_common

Defer write buffer and WPACKET allocation/initialisation to protocol code

We move some protocol specific code for write buffer and WPACKET allocation
and initialisation out of tls_common.c and into the protocol specific files.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19343)

show more ...

Enable the ability to query the COMP_METHOD being used in the record layer

We also convert to passing COMP_METHOD rather than SSL_COMP to the record
layer. The former is a public type wh

Enable the ability to query the COMP_METHOD being used in the record layer

We also convert to passing COMP_METHOD rather than SSL_COMP to the record
layer. The former is a public type while the latter is internal only - and
the only thing we need from SSL_COMP is the method.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19217)

show more ...