QUIC: Add transport parameter and other constants

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/ope

QUIC: Add transport parameter and other constants

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19703)

show more ...

QUIC Wire Format Encoding: Fix handling of zero-length parameters

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github

QUIC Wire Format Encoding: Fix handling of zero-length parameters

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19703)

show more ...

QUIC RSTREAM: Allow pointer to be NULL when calling free

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/open

QUIC RSTREAM: Allow pointer to be NULL when calling free

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19703)

show more ...

QUIC TX: Do not have QTX handle refcount of BIOs

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/open

QUIC TX: Do not have QTX handle refcount of BIOs

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19703)

show more ...

QUIC RXFC: Don't emit a MAX_STREAM_DATA frame if we have a final size

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://gi

QUIC RXFC: Don't emit a MAX_STREAM_DATA frame if we have a final size

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19703)

show more ...

QUIC Wire Encoding: Support Retry Integrity Tag Calculation

This adds support for calculating and verifying retry integrity tags. In
order to support this, an 'unused' field is added to

QUIC Wire Encoding: Support Retry Integrity Tag Calculation

This adds support for calculating and verifying retry integrity tags. In
order to support this, an 'unused' field is added to the QUIC packet
header structure so we can ensure that the serialization of the header
is bit-for-bit identical to what was decoded.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19703)

show more ...

QUIC RX: Do not handle auto-discard of Initial EL inside the QRX

While the QUIC RFCs state that the Initial EL should be auto-discarded
when successfully processing a packet at a higher

QUIC RX: Do not handle auto-discard of Initial EL inside the QRX

While the QUIC RFCs state that the Initial EL should be auto-discarded
when successfully processing a packet at a higher EL, doing this inside
the QRX was not a good idea as this should be handled by the CSM.
We remove this functionality and adapt tests accordingly.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19703)

show more ...

QUIC RX: Fix QRX packet handling refactor w.r.t. list refactor

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.co

QUIC RX: Fix QRX packet handling refactor w.r.t. list refactor

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19703)

show more ...

QUIC RX: Support refcounted packets and eliminate wrapper

Previously, the QRX filled in a OSSL_QRX_PKT structure provided by the
caller. This necessitated the caller managing reference c

QUIC RX: Support refcounted packets and eliminate wrapper

Previously, the QRX filled in a OSSL_QRX_PKT structure provided by the
caller. This necessitated the caller managing reference counting itself
using a OSSL_QRX_PKT_WRAP structure. The need for this structure has
been eliminated by adding refcounting support to the QRX itself. The QRX
now outputs a pointer to an OSSL_QRX_PKT instead of filling in a
structure provided by the caller. The OSSL_QRX_PKT_WRAP structure has
been eliminated.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19703)

show more ...

QUIC: Dummy Handshake Layer for Prototyping

This disables -Wtype-limits /
-Wtautological-constant-out-of-range-compare. Since it generates
warnings for valid and reasonable code, IMO

QUIC: Dummy Handshake Layer for Prototyping

This disables -Wtype-limits /
-Wtautological-constant-out-of-range-compare. Since it generates
warnings for valid and reasonable code, IMO this actually encourages
people to write worse code.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19703)

show more ...

QUIC DEMUX: Allow BIO to be changed

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1970

QUIC DEMUX: Allow BIO to be changed

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19703)

show more ...

QUIC Congestion Control: API to determine deadline at which more credit will be available

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Me

QUIC Congestion Control: API to determine deadline at which more credit will be available

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19703)

show more ...

QUIC ACKM: Add support for psuedo-loss

This is required to support retries during connection establishment.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell

QUIC ACKM: Add support for psuedo-loss

This is required to support retries during connection establishment.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19703)

show more ...

Support all five EdDSA instances from RFC 8032

Fixes #6277

Description:
Make each of the five EdDSA instances defined in RFC 8032 -- Ed25519,
Ed25519ctx, Ed25519ph, Ed448, E

Support all five EdDSA instances from RFC 8032

Fixes #6277

Description:
Make each of the five EdDSA instances defined in RFC 8032 -- Ed25519,
Ed25519ctx, Ed25519ph, Ed448, Ed448ph -- available via the EVP APIs.

The desired EdDSA instance is specified via an OSSL_PARAM.

All instances, except for Ed25519, allow context strings as input.
Context strings are passed via an OSSL_PARAM. For Ed25519ctx, the
context string must be nonempty.

Ed25519, Ed25519ctx, Ed448 are PureEdDSA instances, which means that
the full message (not a digest) must be passed to sign and verify
operations.

Ed25519ph, Ed448ph are HashEdDSA instances, which means that the input
message is hashed before sign and verify.

Testing:
All 21 test vectors from RFC 8032 have been added to evppkey_ecx.txt
(thanks to Shane Lontis for showing how to do that). Those 21 test
vectors are exercised by evp_test.c and cover all five instances.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/19705)

show more ...

fips: make EdDSA unapproved for FIPS

Likewise for the related ECX key exchanges.

NIST is mandating this until FIPS 186-5 is finalised.

Reviewed-by: Hugo Landau <hlandau@ope

fips: make EdDSA unapproved for FIPS

Likewise for the related ECX key exchanges.

NIST is mandating this until FIPS 186-5 is finalised.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20020)

show more ...

Make RSA_generate_multi_prime_key() not segfault if e is NULL.

This is not a big problem for higher level keygen, as these set e
beforehand to a default value. But the logic at the lower

Make RSA_generate_multi_prime_key() not segfault if e is NULL.

This is not a big problem for higher level keygen, as these set e
beforehand to a default value. But the logic at the lower level is
incorrect since it was doing a NULL check in one place but then
segfaulting during a later BN_copy().

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20025)

show more ...

remove unused macro in rc2_local.h and rc5_local.h

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/open

remove unused macro in rc2_local.h and rc5_local.h

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20015)

show more ...

SSKDF with KMAC should return SIZE_MAX when EVP_KDF_CTX_get_kdf_size()
is used.

Fixes #19934

The existing code was looking for the digest size, and then returned
zero.

SSKDF with KMAC should return SIZE_MAX when EVP_KDF_CTX_get_kdf_size()
is used.

Fixes #19934

The existing code was looking for the digest size, and then returned
zero.

The example code in EVP_KDF-SS.pod has been corrected to not use a
digest.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19935)

show more ...

fix manpage of `d2i_X509(3)`

* capitalize `X509_NAME`
* add missing suffixes to `i2d_TYPE`

CLA: trivial

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by:

fix manpage of `d2i_X509(3)`

* capitalize `X509_NAME`
* add missing suffixes to `i2d_TYPE`

CLA: trivial

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20016)

show more ...

Do not check definition of a macro and use it in a single condition

The condition evaluation in #if conditions does not tolerate this
if the macro is not defined.

Fixes #19628

Do not check definition of a macro and use it in a single condition

The condition evaluation in #if conditions does not tolerate this
if the macro is not defined.

Fixes #19628

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20018)

show more ...

OSSL_PARAM_BLD and BIGNUM; ensure at least one byte is allocated

A zero BIGNUM contains zero bytes, while OSSL_PARAMs with an INTEGER (or
UNSIGNED INTEGER) data type are expected to have

OSSL_PARAM_BLD and BIGNUM; ensure at least one byte is allocated

A zero BIGNUM contains zero bytes, while OSSL_PARAMs with an INTEGER (or
UNSIGNED INTEGER) data type are expected to have at least one data byte
allocated, containing a zero. This wasn't handled correctly.

Fixes #20011

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20013)

show more ...

In OSSL_PARAM_set_BN(), make sure that the data_size field is at least 1

This way, we guarantee that a zero is represented with one byte of data
that's set to zero.

Reviewed-by:

In OSSL_PARAM_set_BN(), make sure that the data_size field is at least 1

This way, we guarantee that a zero is represented with one byte of data
that's set to zero.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20013)

show more ...

test/param_build_test.c: test zero BIGNUM

We also add tests where the zero bignum is the only parameter, to test what
that does with the allocated blocks that the OSSL_PARAM_BLD function

test/param_build_test.c: test zero BIGNUM

We also add tests where the zero bignum is the only parameter, to test what
that does with the allocated blocks that the OSSL_PARAM_BLD functionality
handles.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20013)

show more ...

Add empty migration guide for 3.1

Fixes #19953

CLA: trivial

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom

Add empty migration guide for 3.1

Fixes #19953

CLA: trivial

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20008)

show more ...

Doc: Update history section of EC_GROUP API's.

Fixes #8630

The remaining functions are at least as old as 0.9.8 so it is
not worth documenting this.

Reviewed-by: Nicola

Doc: Update history section of EC_GROUP API's.

Fixes #8630

The remaining functions are at least as old as 0.9.8 so it is
not worth documenting this.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19956)

show more ...