Move Record layer methods code into a sub-directory

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl

Move Record layer methods code into a sub-directory

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18132)

show more ...

Move the TLS1.0/1.1/1.2 record crypto code into the new record layer

Only done for the read side so far. Still need to do TLS1.3 and SSL3.0.
Also need to separate out KTLS.

Revi

Move the TLS1.0/1.1/1.2 record crypto code into the new record layer

Only done for the read side so far. Still need to do TLS1.3 and SSL3.0.
Also need to separate out KTLS.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18132)

show more ...

Convert ssl3_get_record to tls_read_record

We move the old ssl3_get_record function to conform with the new record
layer design.

Reviewed-by: Hugo Landau <hlandau@openssl.org>

Convert ssl3_get_record to tls_read_record

We move the old ssl3_get_record function to conform with the new record
layer design.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18132)

show more ...

Add a DTLSv1_listen() test

Add a test to ensure that a connection started via DTLSv1_listen() can
be completed through to handshake success. Previous DTLSv1_listen()
testing only tes

Add a DTLSv1_listen() test

Add a test to ensure that a connection started via DTLSv1_listen() can
be completed through to handshake success. Previous DTLSv1_listen()
testing only tested the function itself and did not confirm that a
connection can actually be achieved using it.

This is important to test some codepaths being affected by the record layer
refactor.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18132)

show more ...

Transfer the functionality from ssl3_read_n to the new record layer

This transfers the low level function ssl3_read_n to the new record layer.
We temporarily make the read_n function a t

Transfer the functionality from ssl3_read_n to the new record layer

This transfers the low level function ssl3_read_n to the new record layer.
We temporarily make the read_n function a top level record layer function.
Eventually, in later commits in this refactor, we will remove it as a top
level function and it will just be called from read_record.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18132)

show more ...

Make settings and options parameters const in recordmethod.h

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.co

Make settings and options parameters const in recordmethod.h

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18132)

show more ...

Add a skeleton TLS record method

It doesn't yet do anything. This is a placeholder which will be filled in
by susbsequent commits.

Reviewed-by: Hugo Landau <hlandau@openssl.org>

Add a skeleton TLS record method

It doesn't yet do anything. This is a placeholder which will be filled in
by susbsequent commits.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18132)

show more ...

Fix compilation issues in the imported recordmethod.h

Also, rename the "new" function pointer to "new_record_layer" to avoid a
C++ reserved name

Reviewed-by: Hugo Landau <hlanda

Fix compilation issues in the imported recordmethod.h

Also, rename the "new" function pointer to "new_record_layer" to avoid a
C++ reserved name

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18132)

show more ...

Add the recordmethod header from the draft design

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/o

Add the recordmethod header from the draft design

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18132)

show more ...

Update session timeout code with OSSL_TIME

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pul

Update session timeout code with OSSL_TIME

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18985)

show more ...

Add some documentation for X509_gmtime_adj()

Other very similar functions were documented, but this one was missing.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by:

Add some documentation for X509_gmtime_adj()

Other very similar functions were documented, but this one was missing.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18974)

show more ...

Add CODE-OF-CONDUCT.md

Fixes #18820

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pu

Add CODE-OF-CONDUCT.md

Fixes #18820

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19002)

show more ...

cms: Create test for for purpose verification in cms application

The tests only cover the correct handling of the codesigning purpose in the certificates
in the context of the cms comman

cms: Create test for for purpose verification in cms application

The tests only cover the correct handling of the codesigning purpose in the certificates
in the context of the cms command line tool.
The interpretation of the certificate purpose is tested in the context of the "verify"
app. The correct handling of the cms objects is tested by other tests in 80-test_cms.t.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18567)

show more ...

X509: add tests for purpose code signing in verify application

Correct configuration according to CA Browser forum:
KU: critical,digitalSignature
XKU: codeSiging

Note: I

X509: add tests for purpose code signing in verify application

Correct configuration according to CA Browser forum:
KU: critical,digitalSignature
XKU: codeSiging

Note: I did not find any other document formally defining the requirements
for code signing certificates.

Some combinations are explicitly forbidden, some flags can be ignored

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18567)

show more ...

X509: Add "code sign" as purpose for verification of certificates

Code signing certificates have other properties as for example described in
CA Browser Forum documents. This leads to "u

X509: Add "code sign" as purpose for verification of certificates

Code signing certificates have other properties as for example described in
CA Browser Forum documents. This leads to "unsupported certificate purpose" errors when
verifying signed objects.
This patch adds the purpose "codesign" to the table in X.509 certificate verification and
the verification parameter "code_sign" to X509_VERIFY_PARAM.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18567)

show more ...

crypto/x509/x509_vpm.c: update format of X509_VERIFY_PARAM default_table

Put "}," on separate lines as suggested in PR #18567

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed

crypto/x509/x509_vpm.c: update format of X509_VERIFY_PARAM default_table

Put "}," on separate lines as suggested in PR #18567

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18567)

show more ...

Clarify documentation in regards to EC key parameters

Also clarify that EVP_PKEY_fromdata ignores parameters that
are unknown or incorrect for given selection.

Reviewed-by: Paul

Clarify documentation in regards to EC key parameters

Also clarify that EVP_PKEY_fromdata ignores parameters that
are unknown or incorrect for given selection.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18902)

show more ...

Add testcases for EVP_PKEY_get1_encoded_public_key

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/ope

Add testcases for EVP_PKEY_get1_encoded_public_key

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18902)

show more ...

ec_kmgmt.c: Do not crash when getting OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY

If the public key is not set on the key, return error instead of crash.

Fixes #18495

Reviewed-by: P

ec_kmgmt.c: Do not crash when getting OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY

If the public key is not set on the key, return error instead of crash.

Fixes #18495

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18902)

show more ...

Fix ossl_x509v3_cache_extensions(): EXFLAG_NO_FINGERPRINT should not be an error

This allows reverting the recent workaround on cmp_ctx_test regarding X509_new()

Reviewed-by: Tomas

Fix ossl_x509v3_cache_extensions(): EXFLAG_NO_FINGERPRINT should not be an error

This allows reverting the recent workaround on cmp_ctx_test regarding X509_new()

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/16043)

show more ...

Rename "RX Frame Handler" to "RX Depacketizer" in the overview

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com

Rename "RX Frame Handler" to "RX Depacketizer" in the overview

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18610)

show more ...

RX depacketizer (QUIC)

The same-ish module as the TX packetizer, handling the opposite direction.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@open

RX depacketizer (QUIC)

The same-ish module as the TX packetizer, handling the opposite direction.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18610)

show more ...

Fix memory leak in BN_rand_range()

The patch enables BN_rand_range() to exit immediately
if BIGNUM *rnd is NULL.

CLA: trivial

Fixes: #18951

Reviewed-by: Matt C

Fix memory leak in BN_rand_range()

The patch enables BN_rand_range() to exit immediately
if BIGNUM *rnd is NULL.

CLA: trivial

Fixes: #18951

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18982)

show more ...

Ensure we build ub sanitizer builds with -DPEDANTIC

Otherwise we may get spurious results from ub sanitizer. For example we
assume we can tolerate some unaligned write without this defin

Ensure we build ub sanitizer builds with -DPEDANTIC

Otherwise we may get spurious results from ub sanitizer. For example we
assume we can tolerate some unaligned write without this define that ub
sanitizer will complain about.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18983)

show more ...

Don't incorrectly skip the multiblock test

sslapitest has a test for multiblock writes. Since multiblock writing is
only available on some platforms the multiblock test checks whether we

Don't incorrectly skip the multiblock test

sslapitest has a test for multiblock writes. Since multiblock writing is
only available on some platforms the multiblock test checks whether we are
on such a platform first, and skips the test if we are not. Unfortunately
a bug in the check meant that we always skipped the test regardless of the
platform.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18983)

show more ...