Add support for integrity-only cipher suites for TLS v1.3

- add test vectors for tls1_3 integrity-only ciphers
- recmethod_local.h: add new member for MAC
- tls13_meth.c: add MAC onl

Add support for integrity-only cipher suites for TLS v1.3

- add test vectors for tls1_3 integrity-only ciphers
- recmethod_local.h: add new member for MAC
- tls13_meth.c: add MAC only to tls 1.3
- tls13_enc.c: extend function to add MAC only
- ssl_local.h: add ssl_cipher_get_evp_md_mac()
- s3_lib.c: add the new ciphers and add #ifndef OPENSSL_NO_INTEGRITY_ONLY_CIPHERS
- ssl_ciph.c : add ssl_cipher_get_evp_md_mac() and use it
- tls13secretstest.c: add dummy test function
- Configure: add integrity-only-ciphers option
- document the new ciphers

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22903)

show more ...

Adjust tests that were depending on X25519 and X448 in fips

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/o

Adjust tests that were depending on X25519 and X448 in fips

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24099)

show more ...

Copyright year updates

Reviewed-by: Neil Horman <nhorman@openssl.org>
Release: yes
(cherry picked from commit 0ce7d1f355c1240653e320a3f6f8109c1f05f8c0)

Reviewed-by: Hugo Lan

Copyright year updates

Reviewed-by: Neil Horman <nhorman@openssl.org>
Release: yes
(cherry picked from commit 0ce7d1f355c1240653e320a3f6f8109c1f05f8c0)

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24034)

show more ...

Add a test using the bandwidth limit filter

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/open

Add a test using the bandwidth limit filter

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23588)

show more ...

QUIC: Uniform changes for QUIC error code definitions rename

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/op

QUIC: Uniform changes for QUIC error code definitions rename

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23598)

show more ...

QUIC: Test that SSL_ctrl, SSL_set_mode are routed correctly on QSSOs

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tim Huds

QUIC: Test that SSL_ctrl, SSL_set_mode are routed correctly on QSSOs

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23581)

show more ...

Fix SSL_export_keying_material for QUIC

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/

Fix SSL_export_keying_material for QUIC

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23567)

(cherry picked from commit 498d4e4c4f4a1e220cfa64cfcc76174e2f656fd0)

show more ...

tparam_on_enc_ext(): Remove dead code in cleanup

Fixes Coverity 1548382

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-

tparam_on_enc_ext(): Remove dead code in cleanup

Fixes Coverity 1548382

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22606)

show more ...

QUIC: Test missing/malformed/duplicate/etc. transport parameters

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.

QUIC: Test missing/malformed/duplicate/etc. transport parameters

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22523)

show more ...

QUIC TLS: Ensure QUIC_TLS is ticked between each processed RX packet

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://git

QUIC TLS: Ensure QUIC_TLS is ticked between each processed RX packet

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22476)

show more ...

QUIC: Test connection with large client and server cert chains

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github

QUIC: Test connection with large client and server cert chains

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22476)

show more ...

QUIC: Add handling of SSL_get_shutdown()

Return SSL_SENT_SHUTDOWN and SSL_RECEIVED_SHUTDOWN with semantics
similar to TLS connections.

Reviewed-by: Hugo Landau <hlandau@openssl.

QUIC: Add handling of SSL_get_shutdown()

Return SSL_SENT_SHUTDOWN and SSL_RECEIVED_SHUTDOWN with semantics
similar to TLS connections.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22408)

show more ...

Add testing of bitflips in packet headers

A new type of noise is introduced in the noisy dgram bio
filter.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dal

Add testing of bitflips in packet headers

A new type of noise is introduced in the noisy dgram bio
filter.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22267)

show more ...

Back off on generating noise in the event of a PING frame

If either endpoint issues a PING frame while we are introducing noise
into the communication then there is a danger that the con

Back off on generating noise in the event of a PING frame

If either endpoint issues a PING frame while we are introducing noise
into the communication then there is a danger that the connection itself
will fail. We detect the PING and then back off on generating noise for a
short while. It should be sufficient to just ensure that the next datagram
does not get dropped for each endpoint.

Fixes #22199

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22243)

show more ...

quicapitest: Enable test_ssl_trace with enable-zlib

To improve Coverage mapping in Coveralls make it
possible to run test_ssl_trace() with enable-zlib

Reviewed-by: Paul Dale <pa

quicapitest: Enable test_ssl_trace with enable-zlib

To improve Coverage mapping in Coveralls make it
possible to run test_ssl_trace() with enable-zlib

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22222)

show more ...

Test client certificate authentication with QUIC

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl

Test client certificate authentication with QUIC

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22207)

show more ...

Ensure client to server datagrams are noisy too

So far we've only applied noise to the server to client datagrams. Do the
same thing the other way around.

Reviewed-by: Tim Hudso

Ensure client to server datagrams are noisy too

So far we've only applied noise to the server to client datagrams. Do the
same thing the other way around.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22157)

show more ...

Add the ability to do client side tracing in quictestlib.c

We add a new flag QTEST_FLAG_CLIENT_TRACE to get debug tracing output if
required.

Reviewed-by: Tim Hudson <tjh@openss

Add the ability to do client side tracing in quictestlib.c

We add a new flag QTEST_FLAG_CLIENT_TRACE to get debug tracing output if
required.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22157)

show more ...

Extend the noisy dgram test so that packets are also affected by noise

Where multiple packets are in a single datagram we split them so that all
packets can be affected by the noise

Extend the noisy dgram test so that packets are also affected by noise

Where multiple packets are in a single datagram we split them so that all
packets can be affected by the noise

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22157)

show more ...

Use fake time rather than real time in the noisy dgram test

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/opens

Use fake time rather than real time in the noisy dgram test

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22157)

show more ...

Use test_random() to introduce better noise into the noisy dgram BIO

We drop some datagrams, and we delay some datagrams. We can also duplicate
some datagrams.

Reviewed-by: Tim

Use test_random() to introduce better noise into the noisy dgram BIO

We drop some datagrams, and we delay some datagrams. We can also duplicate
some datagrams.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22157)

show more ...

Extend the nosiy datagram test to send more data

We send several messages between client and server, and server and client,
and also create a new stream.

Reviewed-by: Tim Hudson

Extend the nosiy datagram test to send more data

We send several messages between client and server, and server and client,
and also create a new stream.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22157)

show more ...

Create a noisy dgram test

Create a noisy dgram test that can drop/duplicate/reorder UDP packets and
ensure that the QUIC connection is tolerant of this. At this stage we just
create

Create a noisy dgram test

Create a noisy dgram test that can drop/duplicate/reorder UDP packets and
ensure that the QUIC connection is tolerant of this. At this stage we just
create the outline of the test. Adding in the noise will come in future
commits.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22157)

show more ...

Test that a client that does not supply ALPN fails as expected

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.

Test that a client that does not supply ALPN fails as expected

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22066)

show more ...

Add a test for SSL_CIPHER_find() when used with a QUIC SSL object

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <t

Add a test for SSL_CIPHER_find() when used with a QUIC SSL object

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22011)

show more ...