From b2762763e9015e778eff0d303a38f0b6082c8591 Mon Sep 17 00:00:00 2001 From: openssl-machine Date: Wed, 12 Mar 2025 13:37:30 +0000 Subject: [PATCH 0001/1171] Prepare for 3.6 Reviewed-by: Neil Horman Reviewed-by: Matt Caswell Release: yes --- CHANGES.md | 4 ++++ NEWS.md | 4 ++++ VERSION.dat | 2 +- 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/CHANGES.md b/CHANGES.md index e2484046d845b..8385a97b5a369 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -28,6 +28,10 @@ OpenSSL Releases OpenSSL 3.5 ----------- +### Changes between 3.5 and 3.6 [xx XXX xxxx] + + * none yet + ### Changes between 3.4 and 3.5 [xx XXX xxxx] * Added server side support for QUIC diff --git a/NEWS.md b/NEWS.md index 0bbfec0c0a1c6..0c74a8bc62d27 100644 --- a/NEWS.md +++ b/NEWS.md @@ -23,6 +23,10 @@ OpenSSL Releases OpenSSL 3.5 ----------- +### Major changes between OpenSSL 3.5 and OpenSSL 3.6 [under development] + + * none + ### Major changes between OpenSSL 3.4 and OpenSSL 3.5 [under development] OpenSSL 3.5.0 is a feature release adding significant new functionality to diff --git a/VERSION.dat b/VERSION.dat index 281d284b7fbd5..7c604defb1f34 100644 --- a/VERSION.dat +++ b/VERSION.dat @@ -1,5 +1,5 @@ MAJOR=3 -MINOR=5 +MINOR=6 PATCH=0 PRE_RELEASE_TAG=dev BUILD_METADATA= From 2fb4cfe143daa4644cf10b9f1ed3cdd940c5e1f8 Mon Sep 17 00:00:00 2001 
From: Neil Horman Date: Sun, 9 Mar 2025 15:19:40 -0400 Subject: [PATCH 0002/1171] Exclude retry test with msquic server from interop MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit With the addition of larger ml-kem keys in our tls handshake, we've uncovered a interop failure, as described here: https://github.com/microsoft/msquic/issues/4905 In short, when we send a client hello that spans multiple datagrams, the servers sends an ACK frame in a datagram prior to sending its server hello. msquic however, recomputes a new SCID always when sending its sserver hello, which is fine nominally, but because in this test the server sends a retry frame to update the SCID, followed by an ACK using that SCID (which is an initial packet), msquic violates the RFC in section 7.2 which states: Once a client has received a valid Initial packet from the server, it MUST discard any subsequent packet it receives on that connection with a different Source Connection ID Because msquic sent an initial packet with that ACK frame, we are required to discard subsequent frames on the connection containing a different SCID. Until msquic fixes that in their implementation we are going to fail the retry interop test, so for now, lets exclude the test. Also, while we're at it, re-add chrome into the client list for our server tests, as that seems to have been lost during the merge. Fixes openssl/project#1132 Reviewed-by: Saša Nedvědický Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/27014) --- .github/workflows/run_quic_interop.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/run_quic_interop.yml b/.github/workflows/run_quic_interop.yml index 1f04ec4b863fc..43679c9606029 100644 --- a/.github/workflows/run_quic_interop.yml +++ b/.github/workflows/run_quic_interop.yml 
@@ -12,6 +12,9 @@ jobs: matrix: tests: [http3, transfer, handshake, retry, chacha20, resumption, multiplexing, ipv6] servers: [quic-go, ngtcp2, mvfst, quiche, nginx, msquic, haproxy] + exclude: + - clients: msquic + tests: retry fail-fast: false runs-on: ubuntu-latest steps: @@ -39,7 +42,7 @@ jobs: strategy: matrix: tests: [http3, transfer, handshake, retry, chacha20, resumption, amplificationlimit, ipv6] - clients: [quic-go, ngtcp2, mvfst, quiche, msquic, openssl] + clients: [quic-go, ngtcp2, mvfst, quiche, msquic, openssl, chrome] exclude: - clients: mvfst tests: amplificationlimit From 7097d2e00ea9f0119a5e42f13a51487fb1e67aa3 Mon Sep 17 00:00:00 2001 From: Andrew Dinh Date: Tue, 4 Mar 2025 22:32:56 +0700 Subject: [PATCH 0003/1171] Fix RCU TODOs - Update allocate_new_qp_group to take unsigned int - Move id_ctr in rcu_lock_st for better stack alignment Reviewed-by: Tomas Mraz Reviewed-by: Bernd Edlinger Reviewed-by: Neil Horman (Merged from https://github.com/openssl/openssl/pull/26972) --- crypto/threads_pthread.c | 11 ++++------- crypto/threads_win.c | 11 ++++------- 2 files changed, 8 insertions(+), 14 deletions(-) diff --git a/crypto/threads_pthread.c b/crypto/threads_pthread.c index 6b8fc258dc7d1..c0598c5a616d5 100644 --- a/crypto/threads_pthread.c +++ b/crypto/threads_pthread.c @@ -217,13 +217,12 @@ struct rcu_lock_st { /* The context we are being created against */ OSSL_LIB_CTX *ctx; - /* rcu generation counter for in-order retirement */ - uint32_t id_ctr; - - /* TODO: can be moved before id_ctr for better alignment */ /* Array of quiescent points for synchronization */ struct rcu_qp *qp_group; + /* rcu generation counter for in-order retirement */ + uint32_t id_ctr; + /* Number of elements in qp_group array */ uint32_t group_count; 
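Review bot: The `exclude` entry added to the first job keys on `clients: msquic`, but that job's matrix, visible directly above it, has only `tests` and `servers` dimensions, so the entry matches no combination and the retry run against the msquic server is not actually skipped; the key should be `servers`, i.e. `- servers: msquic` / `tests: retry`. The `clients` spelling appears to come from the second job's matrix, which is the client-side run and does have that key. A one-line comment next to the exclusion, e.g. `# msquic changes SCID after Retry (violates the RFC section 7.2 rule quoted in the commit); see microsoft/msquic#4905`, would tell the next reader why it exists and when it can be dropped.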
@@ -422,10 +421,8 @@ static void retire_qp(CRYPTO_RCU_LOCK *lock, struct rcu_qp *qp) pthread_mutex_unlock(&lock->alloc_lock); } -/* TODO: count should be unsigned, e.g uint32_t */ -/* a negative value could result in unexpected behaviour */ static struct rcu_qp *allocate_new_qp_group(CRYPTO_RCU_LOCK *lock, - int count) + uint32_t count) { struct rcu_qp *new = OPENSSL_zalloc(sizeof(*new) * count); diff --git a/crypto/threads_win.c b/crypto/threads_win.c index 084125b4aad9c..72f54f118c9af 100644 --- a/crypto/threads_win.c +++ b/crypto/threads_win.c @@ -83,13 +83,12 @@ struct rcu_lock_st { /* The context we are being created against */ OSSL_LIB_CTX *ctx; - /* rcu generation counter for in-order retirement */ - uint32_t id_ctr; - - /* TODO: can be moved before id_ctr for better alignment */ /* Array of quiescent points for synchronization */ struct rcu_qp *qp_group; + /* rcu generation counter for in-order retirement */ + uint32_t id_ctr; + /* Number of elements in qp_group array */ uint32_t group_count; @@ -124,10 +123,8 @@ struct rcu_lock_st { CRYPTO_RWLOCK *rw_lock; }; -/* TODO: count should be unsigned, e.g uint32_t */ -/* a negative value could result in unexpected behaviour */ static struct rcu_qp *allocate_new_qp_group(struct rcu_lock_st *lock, - int count) + uint32_t count) { struct rcu_qp *new = OPENSSL_zalloc(sizeof(*new) * count); From c8654f79f4e40e6ca0e05cc111f515ca11248e29 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 4 Mar 2025 18:43:18 +0100 Subject: [PATCH 0004/1171] Keep the provided peer EVP_PKEY in the EVP_PKEY_CTX too Reviewed-by: Tim Hudson Reviewed-by: Dmitry Belyavskiy Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/26976) --- crypto/evp/exchange.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/crypto/evp/exchange.c b/crypto/evp/exchange.c index 225b2be10cdc4..dae3a2c5a85c0 100644 --- a/crypto/evp/exchange.c +++ b/crypto/evp/exchange.c 
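Review bot: Changing `count` to `uint32_t` in `allocate_new_qp_group()` moves the removed TODO's concern to the callers rather than resolving it: a negative `int` at a call site now converts silently to a large unsigned value, and `sizeof(*new) * count` on the next line is still unchecked (on ILP32 builds that product wraps in `size_t`). If the callers are not guaranteed to pass small values, a guard such as `if (count > SIZE_MAX / sizeof(*new)) return NULL;` before the `OPENSSL_zalloc()` would make the function self-contained; if they are, a comment like `/* count is a small caller-bounded group size; the size product cannot overflow */` would keep the TODO from being reopened. The callers and the rest of the body are outside this hunk, and `crypto/threads_win.c` carries a line-for-line copy of this change in the same commit, so whichever is chosen belongs in both.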
@@ -442,7 +442,10 @@ int EVP_PKEY_derive_set_peer_ex(EVP_PKEY_CTX *ctx, EVP_PKEY *peer, */ if (provkey == NULL) goto legacy; - return ctx->op.kex.exchange->set_peer(ctx->op.kex.algctx, provkey); + ret = ctx->op.kex.exchange->set_peer(ctx->op.kex.algctx, provkey); + if (ret <= 0) + return ret; + goto common; legacy: #ifdef FIPS_MODULE @@ -497,6 +500,9 @@ int EVP_PKEY_derive_set_peer_ex(EVP_PKEY_CTX *ctx, EVP_PKEY *peer, ret = ctx->pmeth->ctrl(ctx, EVP_PKEY_CTRL_PEER_KEY, 1, peer); if (ret <= 0) return ret; +#endif + + common: if (!EVP_PKEY_up_ref(peer)) return -1; @@ -504,7 +510,6 @@ int EVP_PKEY_derive_set_peer_ex(EVP_PKEY_CTX *ctx, EVP_PKEY *peer, ctx->peerkey = peer; return 1; -#endif } int EVP_PKEY_derive_set_peer(EVP_PKEY_CTX *ctx, EVP_PKEY *peer) From ff030ad5bd1c6196e640b1338dac23c1ce3a3154 Mon Sep 17 00:00:00 2001 From: "Randall S. Becker" Date: Wed, 12 Feb 2025 14:40:59 +0000 Subject: [PATCH 0005/1171] Wrap use of poll.h to prevent including on NonStop. Fixes: #26724 Signed-off-by: Randall S. Becker Reviewed-by: Neil Horman Reviewed-by: Tim Hudson Reviewed-by: Matt Caswell Reviewed-by: Tom Cosgrove (Merged from https://github.com/openssl/openssl/pull/26726) --- include/internal/sockets.h | 1 - 1 file changed, 1 deletion(-) diff --git a/include/internal/sockets.h b/include/internal/sockets.h index 8e2f4414b52e7..d28208b313407 100644 --- a/include/internal/sockets.h +++ b/include/internal/sockets.h @@ -98,7 +98,6 @@ typedef size_t socklen_t; /* Currently appears to be missing on VMS */ # include # include # else -# include # include # if !defined(NO_SYS_UN_H) && defined(AF_UNIX) && !defined(OPENSSL_NO_UNIX_SOCK) # include From 85cabd94958303859b1551364a609d4ff40b67a5 Mon Sep 17 00:00:00 2001 
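Review bot: On the provider path the new ordering is provider `set_peer()` first, then `goto common` into `EVP_PKEY_up_ref(peer)`; if that up-ref fails the function returns -1 with the provider already holding the new peer while `ctx->peerkey` (assigned a few lines later) still names the old one, so the two views of the peer disagree from then on. Taking the reference before `set_peer()` and releasing it with `EVP_PKEY_free(peer)` when `set_peer()` returns `<= 0`, with the provider path then jumping past the up-ref at `common:`, would close that window. The new-side lines between the second and third hunks are not visible here, so I cannot confirm that the previous `ctx->peerkey` is released before the assignment; without that, repeated calls on the provider path would now leak a reference. `EVP_PKEY_derive_set_peer_ex()` starts before the first hunk.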
From: Danny Tsen Date: Tue, 11 Feb 2025 13:48:01 -0500 Subject: [PATCH 0006/1171] Fix Minerva timing side-channel signal for P-384 curve on PPC 1. bn_ppc.c: Used bn_mul_mont_int() instead of bn_mul_mont_300_fixed_n6() for Montgomery multiplication. 2. ecp_nistp384-ppc64.pl: - Re-wrote p384_felem_mul and p384_felem_square for easier maintenance with minumum perl wrapper. - Implemented p384_felem_reduce, p384_felem_mul_reduce and p384_felem_square_reduce. - Implemented p384_felem_diff64, felem_diff_128_64 and felem_diff128 in assembly. 3. ecp_nistp384.c: - Added wrapper function for p384_felem_mul_reduce and p384_felem_square_reduce. Signed-off-by: Danny Tsen Reviewed-by: Dmitry Belyavskiy Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/26709) --- crypto/bn/bn_ppc.c | 3 + crypto/ec/asm/ecp_nistp384-ppc64.pl | 1704 +++++++++++++++++++++++---- crypto/ec/ecp_nistp384.c | 28 +- 3 files changed, 1494 insertions(+), 241 deletions(-) diff --git a/crypto/bn/bn_ppc.c b/crypto/bn/bn_ppc.c index 1e9421bee213d..29293bad55b34 100644 --- a/crypto/bn/bn_ppc.c +++ b/crypto/bn/bn_ppc.c @@ -41,12 +41,15 @@ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, */ #if defined(_ARCH_PPC64) && !defined(__ILP32__) + /* Minerva side-channel fix danny */ +# if defined(USE_FIXED_N6) if (num == 6) { if (OPENSSL_ppccap_P & PPC_MADD300) return bn_mul_mont_300_fixed_n6(rp, ap, bp, np, n0, num); else return bn_mul_mont_fixed_n6(rp, ap, bp, np, n0, num); } +# endif #endif return bn_mul_mont_int(rp, ap, bp, np, n0, num); diff --git a/crypto/ec/asm/ecp_nistp384-ppc64.pl b/crypto/ec/asm/ecp_nistp384-ppc64.pl index 28f4168e52181..b663bddfc6461 100755 --- a/crypto/ec/asm/ecp_nistp384-ppc64.pl +++ b/crypto/ec/asm/ecp_nistp384-ppc64.pl 
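Review bot: The comment `/* Minerva side-channel fix danny */` placed above the new `# if defined(USE_FIXED_N6)` names a person rather than the reason, and `USE_FIXED_N6` is defined nowhere visible, so a reader cannot tell whether the fixed-n6 Montgomery paths are deliberately compiled out or an option they are expected to enable. Suggest replacing it with `/* The fixed-n6 variants were implicated in the Minerva timing leak on P-384 (see commit message); they are compiled out unless USE_FIXED_N6 is explicitly defined for experimentation. */`. If nothing is ever meant to define the macro, removing `bn_mul_mont_fixed_n6()`/`bn_mul_mont_300_fixed_n6()` and their assembly outright would be cleaner than retaining dead code behind an undocumented switch, but that decision is outside this hunk. `bn_mul_mont()` begins before the hunk.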
@@ -7,13 +7,15 @@ # https://www.openssl.org/source/license.html # # ==================================================================== -# Written by Rohan McLure for the OpenSSL -# project. +# Written by Danny Tsen # for the OpenSSL project. +# +# Copyright 2025- IBM Corp. # ==================================================================== # -# p384 lower-level primitives for PPC64 using vector instructions. +# p384 lower-level primitives for PPC64. # + use strict; use warnings; @@ -21,7 +23,7 @@ my $output = ""; while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {} if (!$output) { - $output = "-"; + $output = "-"; } my ($xlate, $dir); 
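Review bot: The header hunk replaces `Written by Rohan McLure` with `Written by Danny Tsen`, dropping the original author's credit from the file entirely even though the file keeps its license block and the same exported entry points (`p384_felem_mul`, `p384_felem_square`). Unless none of the prior work survives, the usual convention is to add rather than replace attribution, e.g. `# Written by Danny Tsen and Rohan McLure for the OpenSSL project.`; the follow-on hunk that rewrites the bodies runs past the end of this excerpt, so I cannot judge how much of the original remains.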
@@ -35,272 +37,1496 @@ my $code = ""; -my ($sp, $outp, $savelr, $savesp) = ("r1", "r3", "r10", "r12"); - -my $vzero = "v32"; - -sub startproc($) -{ - my ($name) = @_; - - $code.=<<___; - .globl ${name} - .align 5 -${name}: - -___ -} +$code.=<<___; +.machine "any" +.text -sub endproc($) -{ - my ($name) = @_; +.globl p384_felem_mul +.type p384_felem_mul,\@function +.align 4 +p384_felem_mul: + + stdu 1, -176(1) + mflr 0 + std 14, 56(1) + std 15, 64(1) + std 16, 72(1) + std 17, 80(1) + std 18, 88(1) + std 19, 96(1) + std 20, 104(1) + std 21, 112(1) + std 22, 120(1) + + bl _p384_felem_mul_core + + mtlr 0 + ld 14, 56(1) + ld 15, 64(1) + ld 16, 72(1) + ld 17, 80(1) + ld 18, 88(1) + ld 19, 96(1) + ld 20, 104(1) + ld 21, 112(1) + ld 22, 120(1) + addi 1, 1, 176 + blr +.size p384_felem_mul,.-p384_felem_mul + +.globl p384_felem_square +.type p384_felem_square,\@function +.align 4 +p384_felem_square: + + stdu 1, -176(1) + mflr 0 + std 14, 56(1) + std 15, 64(1) + std 16, 72(1) + std 17, 80(1) + + bl _p384_felem_square_core + + mtlr 0 + ld 14, 56(1) + ld 15, 64(1) + ld 16, 72(1) + ld 17, 80(1) + addi 1, 1, 176 + blr +.size p384_felem_square,.-p384_felem_square - $code.=<<___; - blr - .size ${name},.-${name} +# +# Felem mul core function - +# r3, r4 and r5 need to pre-loaded. 
+# +.type _p384_felem_mul_core,\@function +.align 4 +_p384_felem_mul_core: + + ld 6,0(4) + ld 14,0(5) + ld 7,8(4) + ld 15,8(5) + ld 8,16(4) + ld 16,16(5) + ld 9,24(4) + ld 17,24(5) + ld 10,32(4) + ld 18,32(5) + ld 11,40(4) + ld 19,40(5) + ld 12,48(4) + ld 20,48(5) + + # out0 + mulld 21, 14, 6 + mulhdu 22, 14, 6 + std 21, 0(3) + std 22, 8(3) + + vxor 0, 0, 0 + + # out1 + mtvsrdd 32+13, 14, 6 + mtvsrdd 32+14, 7, 15 + vmsumudm 1, 13, 14, 0 + + # out2 + mtvsrdd 32+15, 15, 6 + mtvsrdd 32+16, 7, 16 + mtvsrdd 32+17, 0, 8 + mtvsrdd 32+18, 0, 14 + vmsumudm 19, 15, 16, 0 + vmsumudm 2, 17, 18, 19 + + # out3 + mtvsrdd 32+13, 16, 6 + mtvsrdd 32+14, 7, 17 + mtvsrdd 32+15, 14, 8 + mtvsrdd 32+16, 9, 15 + vmsumudm 19, 13, 14, 0 + vmsumudm 3, 15, 16, 19 + + # out4 + mtvsrdd 32+13, 17, 6 + mtvsrdd 32+14, 7, 18 + mtvsrdd 32+15, 15, 8 + mtvsrdd 32+16, 9, 16 + mtvsrdd 32+17, 0, 10 + mtvsrdd 32+18, 0, 14 + vmsumudm 19, 13, 14, 0 + vmsumudm 4, 15, 16, 19 + vmsumudm 4, 17, 18, 4 + + # out5 + mtvsrdd 32+13, 18, 6 + mtvsrdd 32+14, 7, 19 + mtvsrdd 32+15, 16, 8 + mtvsrdd 32+16, 9, 17 + mtvsrdd 32+17, 14, 10 + mtvsrdd 32+18, 11, 15 + vmsumudm 19, 13, 14, 0 + vmsumudm 5, 15, 16, 19 + vmsumudm 5, 17, 18, 5 + + stxv 32+1, 16(3) + stxv 32+2, 32(3) + stxv 32+3, 48(3) + stxv 32+4, 64(3) + stxv 32+5, 80(3) + + # out6 + mtvsrdd 32+13, 19, 6 + mtvsrdd 32+14, 7, 20 + mtvsrdd 32+15, 17, 8 + mtvsrdd 32+16, 9, 18 + mtvsrdd 32+17, 15, 10 + mtvsrdd 32+18, 11, 16 + vmsumudm 19, 13, 14, 0 + vmsumudm 6, 15, 16, 19 + mtvsrdd 32+13, 0, 12 + mtvsrdd 32+14, 0, 14 + vmsumudm 19, 17, 18, 6 + vmsumudm 6, 13, 14, 19 + + # out7 + mtvsrdd 32+13, 19, 7 + mtvsrdd 32+14, 8, 20 + mtvsrdd 32+15, 17, 9 + mtvsrdd 32+16, 10, 18 + mtvsrdd 32+17, 15, 11 + mtvsrdd 32+18, 12, 16 + vmsumudm 19, 13, 14, 0 + vmsumudm 7, 15, 16, 19 + vmsumudm 7, 17, 18, 7 + + # out8 + mtvsrdd 32+13, 19, 8 + mtvsrdd 32+14, 9, 20 + mtvsrdd 32+15, 17, 10 + mtvsrdd 32+16, 11, 18 + mtvsrdd 32+17, 0, 12 + mtvsrdd 32+18, 0, 16 + vmsumudm 19, 13, 14, 0 + 
vmsumudm 8, 15, 16, 19 + vmsumudm 8, 17, 18, 8 + + # out9 + mtvsrdd 32+13, 19, 9 + mtvsrdd 32+14, 10, 20 + mtvsrdd 32+15, 17, 11 + mtvsrdd 32+16, 12, 18 + vmsumudm 19, 13, 14, 0 + vmsumudm 9, 15, 16, 19 + + # out10 + mtvsrdd 32+13, 19, 10 + mtvsrdd 32+14, 11, 20 + mtvsrdd 32+15, 0, 12 + mtvsrdd 32+16, 0, 18 + vmsumudm 19, 13, 14, 0 + vmsumudm 10, 15, 16, 19 + + # out11 + mtvsrdd 32+17, 19, 11 + mtvsrdd 32+18, 12, 20 + vmsumudm 11, 17, 18, 0 + + stxv 32+6, 96(3) + stxv 32+7, 112(3) + stxv 32+8, 128(3) + stxv 32+9, 144(3) + stxv 32+10, 160(3) + stxv 32+11, 176(3) + + # out12 + mulld 21, 20, 12 + mulhdu 22, 20, 12 # out12 + + std 21, 192(3) + std 22, 200(3) + + blr +.size _p384_felem_mul_core,.-_p384_felem_mul_core -___ -} +# +# Felem square core function - +# r3 and r4 need to pre-loaded. +# +.type _p384_felem_square_core,\@function +.align 4 +_p384_felem_square_core: + + ld 6, 0(4) + ld 7, 8(4) + ld 8, 16(4) + ld 9, 24(4) + ld 10, 32(4) + ld 11, 40(4) + ld 12, 48(4) + + vxor 0, 0, 0 + + # out0 + mulld 14, 6, 6 + mulhdu 15, 6, 6 + std 14, 0(3) + std 15, 8(3) + + # out1 + add 14, 6, 6 + mtvsrdd 32+13, 0, 14 + mtvsrdd 32+14, 0, 7 + vmsumudm 1, 13, 14, 0 + + # out2 + mtvsrdd 32+15, 7, 14 + mtvsrdd 32+16, 7, 8 + vmsumudm 2, 15, 16, 0 + + # out3 + add 15, 7, 7 + mtvsrdd 32+13, 8, 14 + mtvsrdd 32+14, 15, 9 + vmsumudm 3, 13, 14, 0 + + # out4 + mtvsrdd 32+13, 9, 14 + mtvsrdd 32+14, 15, 10 + mtvsrdd 32+15, 0, 8 + vmsumudm 4, 13, 14, 0 + vmsumudm 4, 15, 15, 4 + + # out5 + mtvsrdd 32+13, 10, 14 + mtvsrdd 32+14, 15, 11 + add 16, 8, 8 + mtvsrdd 32+15, 0, 16 + mtvsrdd 32+16, 0, 9 + vmsumudm 5, 13, 14, 0 + vmsumudm 5, 15, 16, 5 + + stxv 32+1, 16(3) + stxv 32+2, 32(3) + stxv 32+3, 48(3) + stxv 32+4, 64(3) + + # out6 + mtvsrdd 32+13, 11, 14 + mtvsrdd 32+14, 15, 12 + mtvsrdd 32+15, 9, 16 + mtvsrdd 32+16, 9, 10 + stxv 32+5, 80(3) + vmsumudm 19, 13, 14, 0 + vmsumudm 6, 15, 16, 19 + + # out7 + add 17, 9, 9 + mtvsrdd 32+13, 11, 15 + mtvsrdd 32+14, 16, 12 + mtvsrdd 32+15, 0, 17 + mtvsrdd 
32+16, 0, 10 + vmsumudm 19, 13, 14, 0 + vmsumudm 7, 15, 16, 19 + + # out8 + mtvsrdd 32+13, 11, 16 + mtvsrdd 32+14, 17, 12 + mtvsrdd 32+15, 0, 10 + vmsumudm 19, 13, 14, 0 + vmsumudm 8, 15, 15, 19 + + # out9 + add 14, 10, 10 + mtvsrdd 32+13, 11, 17 + mtvsrdd 32+14, 14, 12 + vmsumudm 9, 13, 14, 0 + + # out10 + mtvsrdd 32+13, 11, 14 + mtvsrdd 32+14, 11, 12 + vmsumudm 10, 13, 14, 0 + + stxv 32+6, 96(3) + stxv 32+7, 112(3) + + # out11 + #add 14, 11, 11 + #mtvsrdd 32+13, 0, 14 + #mtvsrdd 32+14, 0, 12 + #vmsumudm 11, 13, 14, 0 + + mulld 6, 12, 11 + mulhdu 7, 12, 11 + addc 8, 6, 6 + adde 9, 7, 7 + + stxv 32+8, 128(3) + stxv 32+9, 144(3) + stxv 32+10, 160(3) + #stxv 32+11, 176(3) + + # out12 + mulld 14, 12, 12 + mulhdu 15, 12, 12 + + std 8, 176(3) + std 9, 184(3) + std 14, 192(3) + std 15, 200(3) + + blr +.size _p384_felem_square_core,.-_p384_felem_square_core -sub load_vrs($$) -{ - my ($pointer, $reg_list) = @_; +# +# widefelem (128 bits) * 8 +# +.macro F128_X_8 _off1 _off2 + ld 9,\\_off1(3) + ld 8,\\_off2(3) + srdi 10,9,61 + rldimi 10,8,3,0 + sldi 9,9,3 + std 9,\\_off1(3) + std 10,\\_off2(3) +.endm - for (my $i = 0; $i <= 6; $i++) { - my $offset = $i * 8; - $code.=<<___; - lxsd $reg_list->[$i],$offset($pointer) -___ - } +.globl p384_felem128_mul_by_8 +.type p384_felem128_mul_by_8, \@function +.align 4 +p384_felem128_mul_by_8: - $code.=<<___; + F128_X_8 0, 8 -___ -} + F128_X_8 16, 24 -sub store_vrs($$) -{ - my ($pointer, $reg_list) = @_; + F128_X_8 32, 40 - for (my $i = 0; $i <= 12; $i++) { - my $offset = $i * 16; - $code.=<<___; - stxv $reg_list->[$i],$offset($pointer) -___ - } + F128_X_8 48, 56 - $code.=<<___; + F128_X_8 64, 72 -___ -} + F128_X_8 80, 88 -$code.=<<___; -.machine "any" -.text + F128_X_8 96, 104 -___ + F128_X_8 112, 120 -{ - # mul/square common - my ($t1, $t2, $t3, $t4) = ("v33", "v34", "v42", "v43"); - my ($zero, $one) = ("r8", "r9"); - my $out = "v51"; + F128_X_8 128, 136 - { - # - # p384_felem_mul - # + F128_X_8 144, 152 - my ($in1p, $in2p) = ("r4", 
"r5"); - my @in1 = map("v$_",(44..50)); - my @in2 = map("v$_",(35..41)); + F128_X_8 160, 168 - startproc("p384_felem_mul"); + F128_X_8 176, 184 - $code.=<<___; - vspltisw $vzero,0 + F128_X_8 192, 200 -___ + blr +.size p384_felem128_mul_by_8,.-p384_felem128_mul_by_8 - load_vrs($in1p, \@in1); - load_vrs($in2p, \@in2); - - $code.=<<___; - vmsumudm $out,$in1[0],$in2[0],$vzero - stxv $out,0($outp) - - xxpermdi $t1,$in1[0],$in1[1],0b00 - xxpermdi $t2,$in2[1],$in2[0],0b00 - vmsumudm $out,$t1,$t2,$vzero - stxv $out,16($outp) - - xxpermdi $t2,$in2[2],$in2[1],0b00 - vmsumudm $out,$t1,$t2,$vzero - vmsumudm $out,$in1[2],$in2[0],$out - stxv $out,32($outp) - - xxpermdi $t2,$in2[1],$in2[0],0b00 - xxpermdi $t3,$in1[2],$in1[3],0b00 - xxpermdi $t4,$in2[3],$in2[2],0b00 - vmsumudm $out,$t1,$t4,$vzero - vmsumudm $out,$t3,$t2,$out - stxv $out,48($outp) - - xxpermdi $t2,$in2[4],$in2[3],0b00 - xxpermdi $t4,$in2[2],$in2[1],0b00 - vmsumudm $out,$t1,$t2,$vzero - vmsumudm $out,$t3,$t4,$out - vmsumudm $out,$in1[4],$in2[0],$out - stxv $out,64($outp) - - xxpermdi $t2,$in2[5],$in2[4],0b00 - xxpermdi $t4,$in2[3],$in2[2],0b00 - vmsumudm $out,$t1,$t2,$vzero - vmsumudm $out,$t3,$t4,$out - xxpermdi $t4,$in2[1],$in2[0],0b00 - xxpermdi $t1,$in1[4],$in1[5],0b00 - vmsumudm $out,$t1,$t4,$out - stxv $out,80($outp) - - xxpermdi $t1,$in1[0],$in1[1],0b00 - xxpermdi $t2,$in2[6],$in2[5],0b00 - xxpermdi $t4,$in2[4],$in2[3],0b00 - vmsumudm $out,$t1,$t2,$vzero - vmsumudm $out,$t3,$t4,$out - xxpermdi $t2,$in2[2],$in2[1],0b00 - xxpermdi $t1,$in1[4],$in1[5],0b00 - vmsumudm $out,$t1,$t2,$out - vmsumudm $out,$in1[6],$in2[0],$out - stxv $out,96($outp) - - xxpermdi $t1,$in1[1],$in1[2],0b00 - xxpermdi $t2,$in2[6],$in2[5],0b00 - xxpermdi $t3,$in1[3],$in1[4],0b00 - vmsumudm $out,$t1,$t2,$vzero - vmsumudm $out,$t3,$t4,$out - xxpermdi $t3,$in2[2],$in2[1],0b00 - xxpermdi $t1,$in1[5],$in1[6],0b00 - vmsumudm $out,$t1,$t3,$out - stxv $out,112($outp) - - xxpermdi $t1,$in1[2],$in1[3],0b00 - xxpermdi $t3,$in1[4],$in1[5],0b00 - 
vmsumudm $out,$t1,$t2,$vzero - vmsumudm $out,$t3,$t4,$out - vmsumudm $out,$in1[6],$in2[2],$out - stxv $out,128($outp) - - xxpermdi $t1,$in1[3],$in1[4],0b00 - vmsumudm $out,$t1,$t2,$vzero - xxpermdi $t1,$in1[5],$in1[6],0b00 - vmsumudm $out,$t1,$t4,$out - stxv $out,144($outp) - - vmsumudm $out,$t3,$t2,$vzero - vmsumudm $out,$in1[6],$in2[4],$out - stxv $out,160($outp) - - vmsumudm $out,$t1,$t2,$vzero - stxv $out,176($outp) - - vmsumudm $out,$in1[6],$in2[6],$vzero - stxv $out,192($outp) -___ +# +# widefelem (128 bits) * 2 +# +.macro F128_X_2 _off1 _off2 + ld 9,\\_off1(3) + ld 8,\\_off2(3) + srdi 10,9,63 + rldimi 10,8,1,0 + sldi 9,9,1 + std 9,\\_off1(3) + std 10,\\_off2(3) +.endm + +.globl p384_felem128_mul_by_2 +.type p384_felem128_mul_by_2, \@function +.align 4 +p384_felem128_mul_by_2: + + F128_X_2 0, 8 + + F128_X_2 16, 24 + + F128_X_2 32, 40 + + F128_X_2 48, 56 + + F128_X_2 64, 72 + + F128_X_2 80, 88 + + F128_X_2 96, 104 + + F128_X_2 112, 120 + + F128_X_2 128, 136 + + F128_X_2 144, 152 + + F128_X_2 160, 168 + + F128_X_2 176, 184 + + F128_X_2 192, 200 + + blr +.size p384_felem128_mul_by_2,.-p384_felem128_mul_by_2 + +.globl p384_felem_diff128 +.type p384_felem_diff128, \@function +.align 4 +p384_felem_diff128: + + addis 5, 2, .LConst_two127\@toc\@ha + addi 5, 5, .LConst_two127\@toc\@l + + ld 10, 0(3) + ld 8, 8(3) + li 9, 0 + addc 10, 10, 9 + li 7, -1 + rldicr 7, 7, 0, 0 # two127 + adde 8, 8, 7 + ld 11, 0(4) + ld 12, 8(4) + subfc 11, 11, 10 + subfe 12, 12, 8 + std 11, 0(3) # out0 + std 12, 8(3) + + # two127m71 = (r10, r9) + ld 8, 16(3) + ld 7, 24(3) + ld 10, 24(5) # two127m71 + addc 8, 8, 9 + adde 7, 7, 10 + ld 11, 16(4) + ld 12, 24(4) + subfc 11, 11, 8 + subfe 12, 12, 7 + std 11, 16(3) # out1 + std 12, 24(3) + + ld 8, 32(3) + ld 7, 40(3) + addc 8, 8, 9 + adde 7, 7, 10 + ld 11, 32(4) + ld 12, 40(4) + subfc 11, 11, 8 + subfe 12, 12, 7 + std 11, 32(3) # out2 + std 12, 40(3) + + ld 8, 48(3) + ld 7, 56(3) + addc 8, 8, 9 + adde 7, 7, 10 + ld 11, 48(4) + ld 12, 56(4) + subfc 
11, 11, 8 + subfe 12, 12, 7 + std 11, 48(3) # out3 + std 12, 56(3) + + ld 8, 64(3) + ld 7, 72(3) + addc 8, 8, 9 + adde 7, 7, 10 + ld 11, 64(4) + ld 12, 72(4) + subfc 11, 11, 8 + subfe 12, 12, 7 + std 11, 64(3) # out4 + std 12, 72(3) + + ld 8, 80(3) + ld 7, 88(3) + addc 8, 8, 9 + adde 7, 7, 10 + ld 11, 80(4) + ld 12, 88(4) + subfc 11, 11, 8 + subfe 12, 12, 7 + std 11, 80(3) # out5 + std 12, 88(3) + + ld 8, 96(3) + ld 7, 104(3) + ld 6, 40(5) # two127p111m79m71 + addc 8, 8, 9 + adde 7, 7, 6 + ld 11, 96(4) + ld 12, 104(4) + subfc 11, 11, 8 + subfe 12, 12, 7 + std 11, 96(3) # out6 + std 12, 104(3) + + ld 8, 112(3) + ld 7, 120(3) + ld 6, 56(5) # two127m119m71 + addc 8, 8, 9 + adde 7, 7, 6 + ld 11, 112(4) + ld 12, 120(4) + subfc 11, 11, 8 + subfe 12, 12, 7 + std 11, 112(3) # out7 + std 12, 120(3) + + ld 8, 128(3) + ld 7, 136(3) + ld 6, 72(5) # two127m95m71 + addc 8, 8, 9 + adde 7, 7, 6 + ld 11, 128(4) + ld 12, 136(4) + subfc 11, 11, 8 + subfe 12, 12, 7 + std 11, 128(3) # out8 + std 12, 136(3) + + ld 8, 144(3) + ld 7, 152(3) + addc 8, 8, 9 + adde 7, 7, 10 + ld 11, 144(4) + ld 12, 152(4) + subfc 11, 11, 8 + subfe 12, 12, 7 + std 11, 144(3) # out9 + std 12, 152(3) + + ld 8, 160(3) + ld 7, 168(3) + addc 8, 8, 9 + adde 7, 7, 10 + ld 11, 160(4) + ld 12, 168(4) + subfc 11, 11, 8 + subfe 12, 12, 7 + std 11, 160(3) # out10 + std 12, 168(3) + + ld 8, 176(3) + ld 7, 184(3) + addc 8, 8, 9 + adde 7, 7, 10 + ld 11, 176(4) + ld 12, 184(4) + subfc 11, 11, 8 + subfe 12, 12, 7 + std 11, 176(3) # out11 + std 12, 184(3) + + ld 8, 192(3) + ld 7, 200(3) + addc 8, 8, 9 + adde 7, 7, 10 + ld 11, 192(4) + ld 12, 200(4) + subfc 11, 11, 8 + subfe 12, 12, 7 + std 11, 192(3) # out12 + std 12, 200(3) + + blr +.size p384_felem_diff128,.-p384_felem_diff128 + +.data +.align 4 +.LConst_two127: +#two127 +.long 0x00000000, 0x00000000, 0x00000000, 0x80000000 +#two127m71 +.long 0x00000000, 0x00000000, 0xffffff80, 0x7fffffff +#two127p111m79m71 +.long 0x00000000, 0x00000000, 0xffff7f80, 0x80007fff 
+#two127m119m71 +.long 0x00000000, 0x00000000, 0xffffff80, 0x7f7fffff +#two127m95m71 +.long 0x00000000, 0x00000000, 0x7fffff80, 0x7fffffff - endproc("p384_felem_mul"); - } +.text - { - # - # p384_felem_square - # +.globl p384_felem_diff_128_64 +.type p384_felem_diff_128_64, \@function +.align 4 +p384_felem_diff_128_64: + addis 5, 2, .LConst_128_two64\@toc\@ha + addi 5, 5, .LConst_128_two64\@toc\@l + + ld 9, 0(3) + ld 10, 8(3) + ld 8, 48(5) # two64p48m16 + li 7, 0 + addc 9, 9, 8 + li 6, 1 + adde 10, 10, 6 + ld 11, 0(4) + subfc 8, 11, 9 + subfe 12, 7, 10 + std 8, 0(3) # out0 + std 12, 8(3) + + ld 9, 16(3) + ld 10, 24(3) + ld 8, 0(5) # two64m56m8 + addc 9, 9, 8 + addze 10, 10 + ld 11, 8(4) + subfc 11, 11, 9 + subfe 12, 7, 10 + std 11, 16(3) # out1 + std 12, 24(3) + + ld 9, 32(3) + ld 10, 40(3) + ld 8, 16(5) # two64m32m8 + addc 9, 9, 8 + addze 10, 10 + ld 11, 16(4) + subfc 11, 11, 9 + subfe 12, 7, 10 + std 11, 32(3) # out2 + std 12, 40(3) + + ld 10, 48(3) + ld 8, 56(3) + #ld 9, 32(5) # two64m8 + li 9, -256 # two64m8 + addc 10, 10, 9 + addze 8, 8 + ld 11, 24(4) + subfc 11, 11, 10 + subfe 12, 7, 8 + std 11, 48(3) # out3 + std 12, 56(3) + + ld 10, 64(3) + ld 8, 72(3) + addc 10, 10, 9 + addze 8, 8 + ld 11, 32(4) + subfc 11, 11, 10 + subfe 12, 7, 8 + std 11, 64(3) # out4 + std 12, 72(3) + + ld 10, 80(3) + ld 8, 88(3) + addc 10, 10, 9 + addze 8, 8 + ld 11, 40(4) + subfc 11, 11, 10 + subfe 12, 7, 8 + std 11, 80(3) # out5 + std 12, 88(3) + + ld 10, 96(3) + ld 8, 104(3) + addc 10, 10, 9 + addze 9, 8 + ld 11, 48(4) + subfc 11, 11, 10 + subfe 12, 7, 9 + std 11, 96(3) # out6 + std 12, 104(3) + + blr +.size p384_felem_diff_128_64,.-p384_felem_diff_128_64 + +.data +.align 4 +.LConst_128_two64: +#two64m56m8 +.long 0xffffff00, 0xfeffffff, 0x00000000, 0x00000000 +#two64m32m8 +.long 0xffffff00, 0xfffffffe, 0x00000000, 0x00000000 +#two64m8 +.long 0xffffff00, 0xffffffff, 0x00000000, 0x00000000 +#two64p48m16 +.long 0xffff0000, 0x0000ffff, 0x00000001, 0x00000000 + +.LConst_two60: 
+#two60m52m4 +.long 0xfffffff0, 0x0fefffff, 0x0, 0x0 +#two60p44m12 +.long 0xfffff000, 0x10000fff, 0x0, 0x0 +#two60m28m4 +.long 0xeffffff0, 0x0fffffff, 0x0, 0x0 +#two60m4 +.long 0xfffffff0, 0x0fffffff, 0x0, 0x0 - my ($inp) = ("r4"); - my @in = map("v$_",(44..50)); - my @inx2 = map("v$_",(35..41)); +.text +# +# static void felem_diff64(felem out, const felem in) +# +.globl p384_felem_diff64 +.type p384_felem_diff64, \@function +.align 4 +p384_felem_diff64: + addis 5, 2, .LConst_two60\@toc\@ha + addi 5, 5, .LConst_two60\@toc\@l + + ld 9, 0(3) + ld 8, 16(5) # two60p44m12 + li 7, 0 + add 9, 9, 8 + ld 11, 0(4) + subf 8, 11, 9 + std 8, 0(3) # out0 + + ld 9, 8(3) + ld 8, 0(5) # two60m52m4 + add 9, 9, 8 + ld 11, 8(4) + subf 11, 11, 9 + std 11, 8(3) # out1 + + ld 9, 16(3) + ld 8, 32(5) # two60m28m4 + add 9, 9, 8 + ld 11, 16(4) + subf 11, 11, 9 + std 11, 16(3) # out2 + + ld 10, 24(3) + ld 9, 48(5) # two60m4 + add 10, 10, 9 + ld 12, 24(4) + subf 12, 12, 10 + std 12, 24(3) # out3 + + ld 10, 32(3) + add 10, 10, 9 + ld 11, 32(4) + subf 11, 11, 10 + std 11, 32(3) # out4 + + ld 10, 40(3) + add 10, 10, 9 + ld 12, 40(4) + subf 12, 12, 10 + std 12, 40(3) # out5 + + ld 10, 48(3) + add 10, 10, 9 + ld 11, 48(4) + subf 11, 11, 10 + std 11, 48(3) # out6 + + blr +.size p384_felem_diff64,.-p384_felem_diff64 - startproc("p384_felem_square"); +.text +# +# Shift 128 bits right +# +.macro SHR o_h o_l in_h in_l nbits + srdi \\o_l, \\in_l, \\nbits # shift lower right + rldimi \\o_l, \\in_h, 64-\\nbits, 0 # insert <64-nbits> from hi + srdi \\o_h, \\in_h, \\nbits # shift higher right +.endm - $code.=<<___; - vspltisw $vzero,0 +# +# static void felem_reduce(felem out, const widefelem in) +# +.global p384_felem_reduce +.type p384_felem_reduce,\@function +.align 4 +p384_felem_reduce: + + stdu 1, -208(1) + mflr 0 + std 14, 56(1) + std 15, 64(1) + std 16, 72(1) + std 17, 80(1) + std 18, 88(1) + std 19, 96(1) + std 20, 104(1) + std 21, 112(1) + std 22, 120(1) + std 23, 128(1) + std 24, 136(1) + std 25, 
144(1) + std 26, 152(1) + std 27, 160(1) + std 28, 168(1) + std 29, 176(1) + std 30, 184(1) + std 31, 192(1) + + bl _p384_felem_reduce_core + + mtlr 0 + ld 14, 56(1) + ld 15, 64(1) + ld 16, 72(1) + ld 17, 80(1) + ld 18, 88(1) + ld 19, 96(1) + ld 20, 104(1) + ld 21, 112(1) + ld 22, 120(1) + ld 23, 128(1) + ld 24, 136(1) + ld 25, 144(1) + ld 26, 152(1) + ld 27, 160(1) + ld 28, 168(1) + ld 29, 176(1) + ld 30, 184(1) + ld 31, 192(1) + addi 1, 1, 208 + blr +.size p384_felem_reduce,.-p384_felem_reduce -___ +# +# Felem reduction core function - +# r3 and r4 need to pre-loaded. +# +.type _p384_felem_reduce_core,\@function +.align 4 +_p384_felem_reduce_core: + addis 12, 2, .LConst\@toc\@ha + addi 12, 12, .LConst\@toc\@l + + # load constat p + ld 11, 8(12) # hi - two124m68 + + # acc[6] = in[6] + two124m68; + ld 26, 96(4) # in[6].l + ld 27, 96+8(4) # in[6].h + add 27, 27, 11 + + # acc[5] = in[5] + two124m68; + ld 24, 80(4) # in[5].l + ld 25, 80+8(4) # in[5].h + add 25, 25, 11 + + # acc[4] = in[4] + two124m68; + ld 22, 64(4) # in[4].l + ld 23, 64+8(4) # in[4].h + add 23, 23, 11 + + # acc[3] = in[3] + two124m68; + ld 20, 48(4) # in[3].l + ld 21, 48+8(4) # in[3].h + add 21, 21, 11 + + ld 11, 48+8(12) # hi - two124m92m68 + + # acc[2] = in[2] + two124m92m68; + ld 18, 32(4) # in[2].l + ld 19, 32+8(4) # in[2].h + add 19, 19, 11 + + ld 11, 16+8(12) # high - two124m116m68 + + # acc[1] = in[1] + two124m116m68; + ld 16, 16(4) # in[1].l + ld 17, 16+8(4) # in[1].h + add 17, 17, 11 + + ld 11, 32+8(12) # high - two124p108m76 + + # acc[0] = in[0] + two124p108m76; + ld 14, 0(4) # in[0].l + ld 15, 0+8(4) # in[0].h + add 15, 15, 11 + + # compute mask + li 7, -1 + + # Eliminate in[12] + + # acc[8] += in[12] >> 32; + ld 5, 192(4) # in[12].l + ld 6, 192+8(4) # in[12].h + SHR 9, 10, 6, 5, 32 + ld 30, 128(4) # in[8].l + ld 31, 136(4) # in[8].h + addc 30, 30, 10 + adde 31, 31, 9 + + # acc[7] += (in[12] & 0xffffffff) << 24; + srdi 11, 7, 32 # 0xffffffff + and 11, 11, 5 + sldi 11, 11, 24 # << 24 + ld 
28, 112(4) # in[7].l + ld 29, 120(4) # in[7].h + addc 28, 28, 11 + addze 29, 29 + + # acc[7] += in[12] >> 8; + SHR 9, 10, 6, 5, 8 + addc 28, 28, 10 + adde 29, 29, 9 + + # acc[6] += (in[12] & 0xff) << 48; + andi. 11, 5, 0xff + sldi 11, 11, 48 + addc 26, 26, 11 + addze 27, 27 + + # acc[6] -= in[12] >> 16; + SHR 9, 10, 6, 5, 16 + subfc 26, 10, 26 + subfe 27, 9, 27 + + # acc[5] -= (in[12] & 0xffff) << 40; + srdi 11, 7, 48 # 0xffff + and 11, 11, 5 + sldi 11, 11, 40 # << 40 + li 9, 0 + subfc 24, 11, 24 + subfe 25, 9, 25 + + # acc[6] += in[12] >> 48; + SHR 9, 10, 6, 5, 48 + addc 26, 26, 10 + adde 27, 27, 9 + + # acc[5] += (in[12] & 0xffffffffffff) << 8; + srdi 11, 7, 16 # 0xffffffffffff + and 11, 11, 5 + sldi 11, 11, 8 # << 8 + addc 24, 24, 11 + addze 25, 25 + + # Eliminate in[11] + + # acc[7] += in[11] >> 32; + ld 5, 176(4) # in[11].l + ld 6, 176+8(4) # in[11].h + SHR 9, 10, 6, 5, 32 + addc 28, 28, 10 + adde 29, 29, 9 + + # acc[6] += (in[11] & 0xffffffff) << 24; + srdi 11, 7, 32 # 0xffffffff + and 11, 11, 5 + sldi 11, 11, 24 # << 24 + addc 26, 26, 11 + addze 27, 27 + + # acc[6] += in[11] >> 8; + SHR 9, 10, 6, 5, 8 + addc 26, 26, 10 + adde 27, 27, 9 + + # acc[5] += (in[11] & 0xff) << 48; + andi. 
11, 5, 0xff + sldi 11, 11, 48 + addc 24, 24, 11 + addze 25, 25 + + # acc[5] -= in[11] >> 16; + SHR 9, 10, 6, 5, 16 + subfc 24, 10, 24 + subfe 25, 9, 25 + + # acc[4] -= (in[11] & 0xffff) << 40; + srdi 11, 7, 48 # 0xffff + and 11, 11, 5 + sldi 11, 11, 40 # << 40 + li 9, 0 + subfc 22, 11, 22 + subfe 23, 9, 23 + + # acc[5] += in[11] >> 48; + SHR 9, 10, 6, 5, 48 + addc 24, 24, 10 + adde 25, 25, 9 + + # acc[4] += (in[11] & 0xffffffffffff) << 8; + srdi 11, 7, 16 # 0xffffffffffff + and 11, 11, 5 + sldi 11, 11, 8 # << 8 + addc 22, 22, 11 + addze 23, 23 + + # Eliminate in[10] + + # acc[6] += in[10] >> 32; + ld 5, 160(4) # in[10].l + ld 6, 160+8(4) # in[10].h + SHR 9, 10, 6, 5, 32 + addc 26, 26, 10 + adde 27, 27, 9 + + # acc[5] += (in[10] & 0xffffffff) << 24; + srdi 11, 7, 32 # 0xffffffff + and 11, 11, 5 + sldi 11, 11, 24 # << 24 + addc 24, 24, 11 + addze 25, 25 + + # acc[5] += in[10] >> 8; + SHR 9, 10, 6, 5, 8 + addc 24, 24, 10 + adde 25, 25, 9 + + # acc[4] += (in[10] & 0xff) << 48; + andi. 11, 5, 0xff + sldi 11, 11, 48 + addc 22, 22, 11 + addze 23, 23 + + # acc[4] -= in[10] >> 16; + SHR 9, 10, 6, 5, 16 + subfc 22, 10, 22 + subfe 23, 9, 23 + + # acc[3] -= (in[10] & 0xffff) << 40; + srdi 11, 7, 48 # 0xffff + and 11, 11, 5 + sldi 11, 11, 40 # << 40 + li 9, 0 + subfc 20, 11, 20 + subfe 21, 9, 21 + + # acc[4] += in[10] >> 48; + SHR 9, 10, 6, 5, 48 + addc 22, 22, 10 + adde 23, 23, 9 + + # acc[3] += (in[10] & 0xffffffffffff) << 8; + srdi 11, 7, 16 # 0xffffffffffff + and 11, 11, 5 + sldi 11, 11, 8 # << 8 + addc 20, 20, 11 + addze 21, 21 + + # Eliminate in[9] + + # acc[5] += in[9] >> 32; + ld 5, 144(4) # in[9].l + ld 6, 144+8(4) # in[9].h + SHR 9, 10, 6, 5, 32 + addc 24, 24, 10 + adde 25, 25, 9 + + # acc[4] += (in[9] & 0xffffffff) << 24; + srdi 11, 7, 32 # 0xffffffff + and 11, 11, 5 + sldi 11, 11, 24 # << 24 + addc 22, 22, 11 + addze 23, 23 + + # acc[4] += in[9] >> 8; + SHR 9, 10, 6, 5, 8 + addc 22, 22, 10 + adde 23, 23, 9 + + # acc[3] += (in[9] & 0xff) << 48; + andi. 
11, 5, 0xff + sldi 11, 11, 48 + addc 20, 20, 11 + addze 21, 21 + + # acc[3] -= in[9] >> 16; + SHR 9, 10, 6, 5, 16 + subfc 20, 10, 20 + subfe 21, 9, 21 + + # acc[2] -= (in[9] & 0xffff) << 40; + srdi 11, 7, 48 # 0xffff + and 11, 11, 5 + sldi 11, 11, 40 # << 40 + li 9, 0 + subfc 18, 11, 18 + subfe 19, 9, 19 + + # acc[3] += in[9] >> 48; + SHR 9, 10, 6, 5, 48 + addc 20, 20, 10 + adde 21, 21, 9 + + # acc[2] += (in[9] & 0xffffffffffff) << 8; + srdi 11, 7, 16 # 0xffffffffffff + and 11, 11, 5 + sldi 11, 11, 8 # << 8 + addc 18, 18, 11 + addze 19, 19 + + # Eliminate acc[8] + + # acc[4] += acc[8] >> 32; + mr 5, 30 # acc[8].l + mr 6, 31 # acc[8].h + SHR 9, 10, 6, 5, 32 + addc 22, 22, 10 + adde 23, 23, 9 + + # acc[3] += (acc[8] & 0xffffffff) << 24; + srdi 11, 7, 32 # 0xffffffff + and 11, 11, 5 + sldi 11, 11, 24 # << 24 + addc 20, 20, 11 + addze 21, 21 + + # acc[3] += acc[8] >> 8; + SHR 9, 10, 6, 5, 8 + addc 20, 20, 10 + adde 21, 21, 9 + + # acc[2] += (acc[8] & 0xff) << 48; + andi. 11, 5, 0xff + sldi 11, 11, 48 + addc 18, 18, 11 + addze 19, 19 + + # acc[2] -= acc[8] >> 16; + SHR 9, 10, 6, 5, 16 + subfc 18, 10, 18 + subfe 19, 9, 19 + + # acc[1] -= (acc[8] & 0xffff) << 40; + srdi 11, 7, 48 # 0xffff + and 11, 11, 5 + sldi 11, 11, 40 # << 40 + li 9, 0 + subfc 16, 11, 16 + subfe 17, 9, 17 + + #acc[2] += acc[8] >> 48; + SHR 9, 10, 6, 5, 48 + addc 18, 18, 10 + adde 19, 19, 9 + + # acc[1] += (acc[8] & 0xffffffffffff) << 8; + srdi 11, 7, 16 # 0xffffffffffff + and 11, 11, 5 + sldi 11, 11, 8 # << 8 + addc 16, 16, 11 + addze 17, 17 + + # Eliminate acc[7] + + # acc[3] += acc[7] >> 32; + mr 5, 28 # acc[7].l + mr 6, 29 # acc[7].h + SHR 9, 10, 6, 5, 32 + addc 20, 20, 10 + adde 21, 21, 9 + + # acc[2] += (acc[7] & 0xffffffff) << 24; + srdi 11, 7, 32 # 0xffffffff + and 11, 11, 5 + sldi 11, 11, 24 # << 24 + addc 18, 18, 11 + addze 19, 19 + + # acc[2] += acc[7] >> 8; + SHR 9, 10, 6, 5, 8 + addc 18, 18, 10 + adde 19, 19, 9 + + # acc[1] += (acc[7] & 0xff) << 48; + andi. 
11, 5, 0xff + sldi 11, 11, 48 + addc 16, 16, 11 + addze 17, 17 + + # acc[1] -= acc[7] >> 16; + SHR 9, 10, 6, 5, 16 + subfc 16, 10, 16 + subfe 17, 9, 17 + + # acc[0] -= (acc[7] & 0xffff) << 40; + srdi 11, 7, 48 # 0xffff + and 11, 11, 5 + sldi 11, 11, 40 # << 40 + li 9, 0 + subfc 14, 11, 14 + subfe 15, 9, 15 + + # acc[1] += acc[7] >> 48; + SHR 9, 10, 6, 5, 48 + addc 16, 16, 10 + adde 17, 17, 9 + + # acc[0] += (acc[7] & 0xffffffffffff) << 8; + srdi 11, 7, 16 # 0xffffffffffff + and 11, 11, 5 + sldi 11, 11, 8 # << 8 + addc 14, 14, 11 + addze 15, 15 + + # + # Carry 4 -> 5 -> 6 + # + # acc[5] += acc[4] >> 56; + # acc[4] &= 0x00ffffffffffffff; + SHR 9, 10, 23, 22, 56 + addc 24, 24, 10 + adde 25, 25, 9 + srdi 11, 7, 8 # 0x00ffffffffffffff + and 22, 22, 11 + li 23, 0 + + # acc[6] += acc[5] >> 56; + # acc[5] &= 0x00ffffffffffffff; + SHR 9, 10, 25, 24, 56 + addc 26, 26, 10 + adde 27, 27, 9 + and 24, 24, 11 + li 25, 0 + + # [3]: Eliminate high bits of acc[6] */ + # temp = acc[6] >> 48; + # acc[6] &= 0x0000ffffffffffff; + SHR 31, 30, 27, 26, 48 # temp = acc[6] >> 48 + srdi 11, 7, 16 # 0x0000ffffffffffff + and 26, 26, 11 + li 27, 0 + + # temp < 2^80 + # acc[3] += temp >> 40; + SHR 9, 10, 31, 30, 40 + addc 20, 20, 10 + adde 21, 21, 9 + + # acc[2] += (temp & 0xffffffffff) << 16; + srdi 11, 7, 24 # 0xffffffffff + and 10, 30, 11 + sldi 10, 10, 16 + addc 18, 18, 10 + addze 19, 19 + + # acc[2] += temp >> 16; + SHR 9, 10, 31, 30, 16 + addc 18, 18, 10 + adde 19, 19, 9 + + # acc[1] += (temp & 0xffff) << 40; + srdi 11, 7, 48 # 0xffff + and 10, 30, 11 + sldi 10, 10, 40 + addc 16, 16, 10 + addze 17, 17 + + # acc[1] -= temp >> 24; + SHR 9, 10, 31, 30, 24 + subfc 16, 10, 16 + subfe 17, 9, 17 + + # acc[0] -= (temp & 0xffffff) << 32; + srdi 11, 7, 40 # 0xffffff + and 10, 30, 11 + sldi 10, 10, 32 + li 9, 0 + subfc 14, 10, 14 + subfe 15, 9, 15 + + # acc[0] += temp; + addc 14, 14, 30 + adde 15, 15, 31 + + # Carry 0 -> 1 -> 2 -> 3 -> 4 -> 5 -> 6 + # + # acc[1] += acc[0] >> 56; /* acc[1] < acc_old[1] 
+ 2^72 */ + SHR 9, 10, 15, 14, 56 + addc 16, 16, 10 + adde 17, 17, 9 + + # acc[0] &= 0x00ffffffffffffff; + srdi 11, 7, 8 # 0x00ffffffffffffff + and 14, 14, 11 + li 15, 0 + + # acc[2] += acc[1] >> 56; /* acc[2] < acc_old[2] + 2^72 + 2^16 */ + SHR 9, 10, 17, 16, 56 + addc 18, 18, 10 + adde 19, 19, 9 + + # acc[1] &= 0x00ffffffffffffff; + and 16, 16, 11 + li 17, 0 + + # acc[3] += acc[2] >> 56; /* acc[3] < acc_old[3] + 2^72 + 2^16 */ + SHR 9, 10, 19, 18, 56 + addc 20, 20, 10 + adde 21, 21, 9 + + # acc[2] &= 0x00ffffffffffffff; + and 18, 18, 11 + li 19, 0 + + # acc[4] += acc[3] >> 56; + SHR 9, 10, 21, 20, 56 + addc 22, 22, 10 + adde 23, 23, 9 + + # acc[3] &= 0x00ffffffffffffff; + and 20, 20, 11 + li 21, 0 + + # acc[5] += acc[4] >> 56; + SHR 9, 10, 23, 22, 56 + addc 24, 24, 10 + adde 25, 25, 9 + + # acc[4] &= 0x00ffffffffffffff; + and 22, 22, 11 + + # acc[6] += acc[5] >> 56; + SHR 9, 10, 25, 24, 56 + addc 26, 26, 10 + adde 27, 27, 9 + + # acc[5] &= 0x00ffffffffffffff; + and 24, 24, 11 + + std 14, 0(3) + std 16, 8(3) + std 18, 16(3) + std 20, 24(3) + std 22, 32(3) + std 24, 40(3) + std 26, 48(3) + blr +.size _p384_felem_reduce_core,.-_p384_felem_reduce_core + +.data +.align 4 +.LConst: +# two124m68: +.long 0x0, 0x0, 0xfffffff0, 0xfffffff +# two124m116m68: +.long 0x0, 0x0, 0xfffffff0, 0xfefffff +#two124p108m76: +.long 0x0, 0x0, 0xfffff000, 0x10000fff +#two124m92m68: +.long 0x0, 0x0, 0xeffffff0, 0xfffffff - load_vrs($inp, \@in); +.text - $code.=<<___; - li $zero,0 - li $one,1 - mtvsrdd $t1,$one,$zero -___ +# +# void p384_felem_square_reduce(felem out, const felem in) +# +.global p384_felem_square_reduce +.type p384_felem_square_reduce,\@function +.align 4 +p384_felem_square_reduce: + stdu 1, -512(1) + mflr 0 + std 14, 56(1) + std 15, 64(1) + std 16, 72(1) + std 17, 80(1) + std 18, 88(1) + std 19, 96(1) + std 20, 104(1) + std 21, 112(1) + std 22, 120(1) + std 23, 128(1) + std 24, 136(1) + std 25, 144(1) + std 26, 152(1) + std 27, 160(1) + std 28, 168(1) + std 29, 176(1) + std 
30, 184(1) + std 31, 192(1) + + std 3, 496(1) + addi 3, 1, 208 + bl _p384_felem_square_core + + mr 4, 3 + ld 3, 496(1) + bl _p384_felem_reduce_core + + ld 14, 56(1) + ld 15, 64(1) + ld 16, 72(1) + ld 17, 80(1) + ld 18, 88(1) + ld 19, 96(1) + ld 20, 104(1) + ld 21, 112(1) + ld 22, 120(1) + ld 23, 128(1) + ld 24, 136(1) + ld 25, 144(1) + ld 26, 152(1) + ld 27, 160(1) + ld 28, 168(1) + ld 29, 176(1) + ld 30, 184(1) + ld 31, 192(1) + addi 1, 1, 512 + mtlr 0 + blr +.size p384_felem_square_reduce,.-p384_felem_square_reduce - for (my $i = 0; $i <= 6; $i++) { - $code.=<<___; - vsld $inx2[$i],$in[$i],$t1 -___ - } - - $code.=<<___; - vmsumudm $out,$in[0],$in[0],$vzero - stxv $out,0($outp) - - vmsumudm $out,$in[0],$inx2[1],$vzero - stxv $out,16($outp) - - vmsumudm $out,$in[0],$inx2[2],$vzero - vmsumudm $out,$in[1],$in[1],$out - stxv $out,32($outp) - - xxpermdi $t1,$in[0],$in[1],0b00 - xxpermdi $t2,$inx2[3],$inx2[2],0b00 - vmsumudm $out,$t1,$t2,$vzero - stxv $out,48($outp) - - xxpermdi $t4,$inx2[4],$inx2[3],0b00 - vmsumudm $out,$t1,$t4,$vzero - vmsumudm $out,$in[2],$in[2],$out - stxv $out,64($outp) - - xxpermdi $t2,$inx2[5],$inx2[4],0b00 - vmsumudm $out,$t1,$t2,$vzero - vmsumudm $out,$in[2],$inx2[3],$out - stxv $out,80($outp) - - xxpermdi $t2,$inx2[6],$inx2[5],0b00 - vmsumudm $out,$t1,$t2,$vzero - vmsumudm $out,$in[2],$inx2[4],$out - vmsumudm $out,$in[3],$in[3],$out - stxv $out,96($outp) - - xxpermdi $t3,$in[1],$in[2],0b00 - vmsumudm $out,$t3,$t2,$vzero - vmsumudm $out,$in[3],$inx2[4],$out - stxv $out,112($outp) - - xxpermdi $t1,$in[2],$in[3],0b00 - vmsumudm $out,$t1,$t2,$vzero - vmsumudm $out,$in[4],$in[4],$out - stxv $out,128($outp) - - xxpermdi $t1,$in[3],$in[4],0b00 - vmsumudm $out,$t1,$t2,$vzero - stxv $out,144($outp) - - vmsumudm $out,$in[4],$inx2[6],$vzero - vmsumudm $out,$in[5],$in[5],$out - stxv $out,160($outp) - - vmsumudm $out,$in[5],$inx2[6],$vzero - stxv $out,176($outp) - - vmsumudm $out,$in[6],$in[6],$vzero - stxv $out,192($outp) +# +# void 
p384_felem_mul_reduce(felem out, const felem in1, const felem in2) +# +.global p384_felem_mul_reduce +.type p384_felem_mul_reduce,\@function +.align 5 +p384_felem_mul_reduce: + stdu 1, -512(1) + mflr 0 + std 14, 56(1) + std 15, 64(1) + std 16, 72(1) + std 17, 80(1) + std 18, 88(1) + std 19, 96(1) + std 20, 104(1) + std 21, 112(1) + std 22, 120(1) + std 23, 128(1) + std 24, 136(1) + std 25, 144(1) + std 26, 152(1) + std 27, 160(1) + std 28, 168(1) + std 29, 176(1) + std 30, 184(1) + std 31, 192(1) + + std 3, 496(1) + addi 3, 1, 208 + bl _p384_felem_mul_core + + mr 4, 3 + ld 3, 496(1) + bl _p384_felem_reduce_core + + ld 14, 56(1) + ld 15, 64(1) + ld 16, 72(1) + ld 17, 80(1) + ld 18, 88(1) + ld 19, 96(1) + ld 20, 104(1) + ld 21, 112(1) + ld 22, 120(1) + ld 23, 128(1) + ld 24, 136(1) + ld 25, 144(1) + ld 26, 152(1) + ld 27, 160(1) + ld 28, 168(1) + ld 29, 176(1) + ld 30, 184(1) + ld 31, 192(1) + addi 1, 1, 512 + mtlr 0 + blr +.size p384_felem_mul_reduce,.-p384_felem_mul_reduce ___ - endproc("p384_felem_square"); - } -} - $code =~ s/\`([^\`]*)\`/eval $1/gem; print $code; close STDOUT or die "error closing STDOUT: $!"; diff --git a/crypto/ec/ecp_nistp384.c b/crypto/ec/ecp_nistp384.c index 44ac1cea3d0c0..1bdf0e74273a5 100644 --- a/crypto/ec/ecp_nistp384.c +++ b/crypto/ec/ecp_nistp384.c @@ -252,6 +252,16 @@ static void felem_neg(felem out, const felem in) out[6] = two60m4 - in[6]; } +#if defined(ECP_NISTP384_ASM) +void p384_felem_diff64(felem out, const felem in); +void p384_felem_diff128(widefelem out, const widefelem in); +void p384_felem_diff_128_64(widefelem out, const felem in); + +# define felem_diff64 p384_felem_diff64 +# define felem_diff128 p384_felem_diff128 +# define felem_diff_128_64 p384_felem_diff_128_64 + +#else /*- * felem_diff64 subtracts |in| from |out| * On entry: 
@@ -369,6 +379,7 @@ static void felem_diff128(widefelem out, const widefelem in) for (i = 0; i < 2*NLIMBS-1; i++) out[i] -= in[i]; } +#endif /* ECP_NISTP384_ASM */ static void felem_square_ref(widefelem out, const felem in) { @@ -503,7 +514,7 @@ static void felem_mul_ref(widefelem out, const felem in1, const felem in2) * [3]: Y = 2^48 (acc[6] >> 48) * (Where a | b | c | d = (2^56)^3 a + (2^56)^2 b + (2^56) c + d) */ -static void felem_reduce(felem out, const widefelem in) +static void felem_reduce_ref(felem out, const widefelem in) { /* * In order to prevent underflow, we add a multiple of p before subtracting. @@ -682,8 +693,11 @@ static void (*felem_square_p)(widefelem out, const felem in) = static void (*felem_mul_p)(widefelem out, const felem in1, const felem in2) = felem_mul_wrapper; +static void (*felem_reduce_p)(felem out, const widefelem in) = felem_reduce_ref; + void p384_felem_square(widefelem out, const felem in); void p384_felem_mul(widefelem out, const felem in1, const felem in2); +void p384_felem_reduce(felem out, const widefelem in); # if defined(_ARCH_PPC64) # include "crypto/ppc_arch.h" @@ -695,6 +709,7 @@ static void felem_select(void) if ((OPENSSL_ppccap_P & PPC_MADD300) && (OPENSSL_ppccap_P & PPC_ALTIVEC)) { felem_square_p = p384_felem_square; felem_mul_p = p384_felem_mul; + felem_reduce_p = p384_felem_reduce; return; } @@ -703,6 +718,7 @@ static void felem_select(void) /* Default */ felem_square_p = felem_square_ref; felem_mul_p = felem_mul_ref; + felem_reduce_p = p384_felem_reduce; } static void felem_square_wrapper(widefelem out, const felem in) 
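Review bot: In the default branch of felem_select the added line points felem_reduce_p at the assembly p384_felem_reduce while felem_square_p and felem_mul_p fall back to felem_square_ref/felem_mul_ref, so the reduce path is never subject to the capability check that the square/mul paths get. That looks intentional given that the _p384_felem_reduce_core listing above uses only base 64-bit integer instructions (ld/std/addc/adde/sldi/srdi, no vector ops), but nothing in the file records it, and the next reader may take it for a copy-paste slip. I would annotate the assignment, e.g. `felem_reduce_p = p384_felem_reduce; /* scalar-only asm, needs no MADD300/ALTIVEC */`, so that a future change to the core is forced to revisit this line together with the check above it. felem_select's body begins outside the hunk.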
@@ -719,10 +735,17 @@ static void felem_mul_wrapper(widefelem out, const felem in1, const felem in2) # define felem_square felem_square_p # define felem_mul felem_mul_p +# define felem_reduce felem_reduce_p + +void p384_felem_square_reduce(felem out, const felem in); +void p384_felem_mul_reduce(felem out, const felem in1, const felem in2); + +# define felem_square_reduce p384_felem_square_reduce +# define felem_mul_reduce p384_felem_mul_reduce #else # define felem_square felem_square_ref # define felem_mul felem_mul_ref -#endif +# define felem_reduce felem_reduce_ref static ossl_inline void felem_square_reduce(felem out, const felem in) { @@ -739,6 +762,7 @@ static ossl_inline void felem_mul_reduce(felem out, const felem in1, const felem felem_mul(tmp, in1, in2); felem_reduce(out, tmp); } +#endif /*- * felem_inv calculates |out| = |in|^{-1} From 5db7b99914c9a13798e9d7783a02e68ae7e411d8 Mon Sep 17 00:00:00 2001 From: Neil Horman Date: Fri, 14 Mar 2025 16:08:04 -0400 Subject: [PATCH 0007/1171] Fix interop ci yaml Somehow I mistakenly listed clients in the exlude list, when it should have been servers, resulting in an invalid yml file Reviewed-by: Viktor Dukhovni Reviewed-by: Tim Hudson Reviewed-by: Tom Cosgrove (Merged from https://github.com/openssl/openssl/pull/27066) --- .github/workflows/run_quic_interop.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/run_quic_interop.yml b/.github/workflows/run_quic_interop.yml index 43679c9606029..4f0511f9ee867 100644 --- a/.github/workflows/run_quic_interop.yml +++ b/.github/workflows/run_quic_interop.yml @@ -13,7 +13,7 @@ jobs: tests: [http3, transfer, handshake, retry, chacha20, resumption, multiplexing, ipv6] servers: [quic-go, ngtcp2, mvfst, quiche, nginx, msquic, haproxy] exclude: - - clients: msquic + - servers: msquic tests: retry fail-fast: false runs-on: ubuntu-latest From 4a1a7fe5ce088964010779e1f5a90560903ecc76 Mon Sep 17 00:00:00 2001 
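Review bot: In the ECP_NISTP384_ASM branch felem_square_reduce and felem_mul_reduce are now #defined straight to p384_felem_square_reduce/p384_felem_mul_reduce, which bypasses the felem_square_p/felem_mul_p function pointers that felem_select sets from PPC_MADD300 and PPC_ALTIVEC. If _p384_felem_square_core and _p384_felem_mul_core use the same vmsumudm-based code as the p384_felem_square this patch removes from the perl file, then on a CPU for which felem_select chose the reference square/mul the fused entry points would still execute those instructions. Either keep the two static ossl_inline wrappers from the #else branch (they call felem_square/felem_mul/felem_reduce through the selected pointers) in this branch as well, or add felem_square_reduce_p/felem_mul_reduce_p pointers that felem_select points at the fused assembly only inside the MADD300/ALTIVEC branch. The same question applies to the unconditional p384_felem_diff64/p384_felem_diff128/p384_felem_diff_128_64 mappings in the first hunk of this file.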
From: Bernd Edlinger Date: Mon, 3 Mar 2025 23:46:12 +0100 Subject: [PATCH 0008/1171] Fix a memory order issue with weakly ordered systems this adds a dummy atomic release operation to update_qp, which should make sure that the new value of reader_idx is visible in get_hold_current_qp, directly after incrementing the users count. Fixes: #26875 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale Reviewed-by: Neil Horman (Merged from https://github.com/openssl/openssl/pull/26964) --- crypto/threads_pthread.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/crypto/threads_pthread.c b/crypto/threads_pthread.c index c0598c5a616d5..f69b3d6f45670 100644 --- a/crypto/threads_pthread.c +++ b/crypto/threads_pthread.c @@ -407,6 +407,13 @@ static struct rcu_qp *update_qp(CRYPTO_RCU_LOCK *lock, uint32_t *curr_id) ATOMIC_STORE_N(uint32_t, &lock->reader_idx, lock->current_alloc_idx, __ATOMIC_RELAXED); + /* + * this should make sure that the new value of reader_idx is visible in + * get_hold_current_qp, directly after incrementing the users count + */ + ATOMIC_ADD_FETCH(&lock->qp_group[current_idx].users, (uint64_t)0, + __ATOMIC_RELEASE); + /* wake up any waiters */ pthread_cond_signal(&lock->alloc_signal); pthread_mutex_unlock(&lock->alloc_lock); From a532f2302d9eac7a2ba52b9929b790c20347c9ba Mon Sep 17 00:00:00 2001 
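Review bot: The new comment says the zero-add "should make sure" reader_idx becomes visible, but it does not name the acquire it pairs with, which is what gives the release any effect. Assuming current_idx is the qp that reader_idx pointed at before the store above, the pairing partner is the __ATOMIC_ACQUIRE ATOMIC_ADD_FETCH on the same users counter in get_hold_current_qp; I would state that explicitly, e.g. `/* Release RMW on users: pairs with the acquire ADD_FETCH on this counter in get_hold_current_qp, so a reader that increments it after us also sees the reader_idx store above on its reload. */`. If that is the intent, the comment should also say it is about readers still arriving on the retired qp, since a release on that counter orders nothing for readers that already loaded the new index. update_qp's body begins outside the hunk.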
From: Bernd Edlinger Date: Sun, 9 Mar 2025 11:20:43 +0100 Subject: [PATCH 0009/1171] Do some more cleanup in the RCU code Only a minimum of 2 qp's are necessary: one for the readers, and at least one that writers can wait on for retirement. There is no need for one additional qp that is always unused. Also only one ACQUIRE barrier is necessary in get_hold_current_qp, so the ATOMIC_LOAD of the reader_idx can be changed to RELAXED. And finally clarify some comments. Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/27012) --- crypto/threads_pthread.c | 15 +++++++-------- crypto/threads_win.c | 8 +++----- 2 files changed, 10 insertions(+), 13 deletions(-) diff --git a/crypto/threads_pthread.c b/crypto/threads_pthread.c index f69b3d6f45670..750ef201210b7 100644 --- a/crypto/threads_pthread.c +++ b/crypto/threads_pthread.c @@ -261,6 +261,8 @@ static struct rcu_qp *get_hold_current_qp(struct rcu_lock_st *lock) /* get the current qp index */ for (;;) { + qp_idx = ATOMIC_LOAD_N(uint32_t, &lock->reader_idx, __ATOMIC_RELAXED); + /* * Notes on use of __ATOMIC_ACQUIRE * We need to ensure the following: @@ -271,10 +273,7 @@ static struct rcu_qp *get_hold_current_qp(struct rcu_lock_st *lock) * of the lock is flushed from a local cpu cache so that we see any * updates prior to the load. This is a non-issue on cache coherent * systems like x86, but is relevant on other arches - * Note: This applies to the reload below as well */ - qp_idx = ATOMIC_LOAD_N(uint32_t, &lock->reader_idx, __ATOMIC_ACQUIRE); - ATOMIC_ADD_FETCH(&lock->qp_group[qp_idx].users, (uint64_t)1, __ATOMIC_ACQUIRE); 
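Review bot: After moving the reader_idx load above the comment and relaxing it, the "Notes on use of __ATOMIC_ACQUIRE" block (started in the first hunk, continued in the second) still ends with "we see any updates prior to the load", which now describes an access that is no longer acquire; the only acquire left in this loop is the ATOMIC_ADD_FETCH on users. I would reword the tail of the comment to `* updates prior to the add; this acquire pairs with the release ADD_FETCH on the same users counter in update_qp, which is what makes the new reader_idx visible on the reload below`. The rest of the loop, including the reload that the removed "Note:" line referred to, is outside both hunks, so I could not confirm from this diff that the reload is still covered by that pairing.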
@@ -475,6 +474,8 @@ void ossl_synchronize_rcu(CRYPTO_RCU_LOCK *lock) * prior __ATOMIC_RELEASE write operation in ossl_rcu_read_unlock * is visible prior to our read * however this is likely just necessary to silence a tsan warning + * because the read side should not do any write operation + * outside the atomic itself */ do { count = ATOMIC_LOAD_N(uint64_t, &qp->users, __ATOMIC_ACQUIRE); @@ -531,10 +532,10 @@ CRYPTO_RCU_LOCK *ossl_rcu_lock_new(int num_writers, OSSL_LIB_CTX *ctx) struct rcu_lock_st *new; /* - * We need a minimum of 3 qp's + * We need a minimum of 2 qp's */ - if (num_writers < 3) - num_writers = 3; + if (num_writers < 2) + num_writers = 2; ctx = ossl_lib_ctx_get_concrete(ctx); if (ctx == NULL) @@ -550,8 +551,6 @@ CRYPTO_RCU_LOCK *ossl_rcu_lock_new(int num_writers, OSSL_LIB_CTX *ctx) pthread_mutex_init(&new->alloc_lock, NULL); pthread_cond_init(&new->prior_signal, NULL); pthread_cond_init(&new->alloc_signal, NULL); - /* By default our first writer is already alloced */ - new->writers_alloced = 1; new->qp_group = allocate_new_qp_group(new, num_writers); if (new->qp_group == NULL) { diff --git a/crypto/threads_win.c b/crypto/threads_win.c index 72f54f118c9af..97b6d3eb73989 100644 --- a/crypto/threads_win.c +++ b/crypto/threads_win.c @@ -138,10 +138,10 @@ CRYPTO_RCU_LOCK *ossl_rcu_lock_new(int num_writers, OSSL_LIB_CTX *ctx) struct rcu_lock_st *new; /* - * We need a minimum of 3 qps + * We need a minimum of 2 qps */ - if (num_writers < 3) - num_writers = 3; + if (num_writers < 2) + num_writers = 2; ctx = ossl_lib_ctx_get_concrete(ctx); if (ctx == NULL) @@ -160,8 +160,6 @@ CRYPTO_RCU_LOCK *ossl_rcu_lock_new(int num_writers, OSSL_LIB_CTX *ctx) new->alloc_lock = ossl_crypto_mutex_new(); new->prior_lock = ossl_crypto_mutex_new(); new->qp_group = allocate_new_qp_group(new, num_writers); - /* By default the first qp is already alloced */ - new->writers_alloced = 1; if (new->qp_group == NULL || new->alloc_signal == NULL || new->prior_signal == NULL 
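Review bot: Lowering the floor to 2 and dropping the preset `writers_alloced = 1` (the @@ -531 and @@ -550 hunks here and their threads_win.c mirrors) moves the "one qp for readers, one for a writer to retire" invariant entirely onto update_qp's wait condition, which is not in this diff. If that check was written against the old floor of 3 with one qp pre-allocated, it is worth re-reading it with num_writers == 2 and writers_alloced starting at 0, and tying the two together with a comment at the floor, e.g. `/* one qp for readers plus one a writer can retire; update_qp() waits until that holds */`. ossl_rcu_lock_new's body continues outside the hunks.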
From 2d50cb660cdf1802a9c3e4b5fc5366a85e2158b4 Mon Sep 17 00:00:00 2001 From: Nicola Tuveri Date: Fri, 14 Mar 2025 14:09:10 +0200 Subject: [PATCH 0010/1171] docs(provider-base): Add HISTORY note for OSSL_CAPABILITY_TLS_SIGALG_MIN_DTLS (and MAX) This commit adds a small note about definitions for `OSSL_CAPABILITY_TLS_SIGALG_MIN_DTLS` and `OSSL_CAPABILITY_TLS_SIGALG_MAX_DTLS` being first added in OpenSSL 3.5. PR #26975 added these definitions for OpenSSL 3.5, but the documentation update omitted a history note for the addition. Reviewed-by: Paul Dale Reviewed-by: Viktor Dukhovni (Merged from https://github.com/openssl/openssl/pull/27063) --- doc/man7/provider-base.pod | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/doc/man7/provider-base.pod b/doc/man7/provider-base.pod index ae4dd55c240d6..0302900a73146 100644 --- a/doc/man7/provider-base.pod +++ b/doc/man7/provider-base.pod @@ -977,6 +977,12 @@ L The concept of providers and everything surrounding them was introduced in OpenSSL 3.0. +Definitions for +B +and +B +were added in OpenSSL 3.5. + =head1 COPYRIGHT Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved. From 108079fcbbde3bfd2966312ea6bd1912bc23673b Mon Sep 17 00:00:00 2001 From: sashan Date: Mon, 17 Mar 2025 10:23:19 +0100 Subject: [PATCH 0011/1171] require GNU assembler 2.30 or higher to build aesni-xtx-avx512.pl The peralsm in aesni-xts-avx512 currently checks for GNU assembler 2.26 or higher. According to reporters it looks like we need 2.30. This PR just attempts fix version check so people with older tool chains can build OpenSSL. Fixes #27049 Reviewed-by: Neil Horman Reviewed-by: Kurt Roeckx Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell Reviewed-by: Shane Lontis Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/27078) --- crypto/aes/asm/aesni-xts-avx512.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/crypto/aes/asm/aesni-xts-avx512.pl b/crypto/aes/asm/aesni-xts-avx512.pl index 55cbb14c66f4f..8b676bfa5f526 100644 --- a/crypto/aes/asm/aesni-xts-avx512.pl +++ b/crypto/aes/asm/aesni-xts-avx512.pl @@ -36,7 +36,7 @@ if (`$ENV{CC} -Wa,-v -c -o /dev/null -x assembler /dev/null 2>&1` =~ /GNU assembler version ([2-9]\.[0-9]+)/) { - $avx512vaes = ($1>=2.26); + $avx512vaes = ($1>=2.30); } if (!$avx512vaes && $win64 && ($flavour =~ /nasm/ || $ENV{ASM} =~ /nasm/) && From 978e23a472a6acdee737ab70d0d74e173affa5ef Mon Sep 17 00:00:00 2001 From: ak4153 Date: Sat, 8 Mar 2025 21:37:59 +0200 Subject: [PATCH 0012/1171] Fix missing OSSL_FUNC_DIGEST_GET_PARAMS in provider-digest.pod Fixes #26626 CLA: trivial Reviewed-by: Viktor Dukhovni Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/27009) --- doc/man7/provider-digest.pod | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/doc/man7/provider-digest.pod b/doc/man7/provider-digest.pod index 751321c84b20e..bb0b73bb6c053 100644 --- a/doc/man7/provider-digest.pod +++ b/doc/man7/provider-digest.pod @@ -94,7 +94,8 @@ macros in L, as follows: A digest algorithm implementation may not implement all of these functions. In order to be usable all or none of OSSL_FUNC_digest_newctx, OSSL_FUNC_digest_freectx, -OSSL_FUNC_digest_init, OSSL_FUNC_digest_update and OSSL_FUNC_digest_final should be implemented. +OSSL_FUNC_digest_init, OSSL_FUNC_digest_update, OSSL_FUNC_digest_final +and OSSL_FUNC_digest_get_params should be implemented. All other functions are optional. =head2 Context Management Functions From 482d3f9338b3d4c7537a1d112dce9c8e370c8d9f Mon Sep 17 00:00:00 2001 
From: Martin Oliveira Date: Wed, 12 Mar 2025 11:09:04 -0600 Subject: [PATCH 0013/1171] Fix gettable_params() for ECX The OSSL_PKEY_PARAM_MANDATORY_DIGEST parameter is only handled by the ed25519_get_params() and ed448_get_params(). The x25519 and x448 versions of get_params() always ignore that parameter, so it should not be in the list of gettable params. Fixes: 1a7328c88256 ("PROV: Ensure that ED25519 & ED448 keys have a mandatory digest") cla: trivial Reviewed-by: Viktor Dukhovni Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/27043) --- providers/implementations/keymgmt/ecx_kmgmt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/providers/implementations/keymgmt/ecx_kmgmt.c b/providers/implementations/keymgmt/ecx_kmgmt.c index b8d316ba8e9c8..b229b0bf39ca2 100644 --- a/providers/implementations/keymgmt/ecx_kmgmt.c +++ b/providers/implementations/keymgmt/ecx_kmgmt.c @@ -359,7 +359,6 @@ static const OSSL_PARAM ecx_gettable_params[] = { OSSL_PARAM_int(OSSL_PKEY_PARAM_BITS, NULL), OSSL_PARAM_int(OSSL_PKEY_PARAM_SECURITY_BITS, NULL), OSSL_PARAM_int(OSSL_PKEY_PARAM_MAX_SIZE, NULL), - OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_MANDATORY_DIGEST, NULL, 0), OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, NULL, 0), ECX_KEY_TYPES(), OSSL_FIPS_IND_GETTABLE_CTX_PARAM() @@ -370,6 +369,7 @@ static const OSSL_PARAM ed_gettable_params[] = { OSSL_PARAM_int(OSSL_PKEY_PARAM_BITS, NULL), OSSL_PARAM_int(OSSL_PKEY_PARAM_SECURITY_BITS, NULL), OSSL_PARAM_int(OSSL_PKEY_PARAM_MAX_SIZE, NULL), + OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_MANDATORY_DIGEST, NULL, 0), ECX_KEY_TYPES(), OSSL_PARAM_END }; From 05c05d43bfe69b3dbe1ff0238688fc2beaaeec49 Mon Sep 17 00:00:00 2001 From: Ingo Franzki Date: Mon, 17 Mar 2025 09:57:40 +0100 Subject: [PATCH 0014/1171] Doc fix in EVP_PKEY-ML-DSA/KEM.pod files Fix the references to OSSL_PROVIDER_add_conf_parameter in the 'SEE ALSO' section. 
Signed-off-by: Ingo Franzki Reviewed-by: Paul Dale Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/27077) --- doc/man7/EVP_PKEY-ML-DSA.pod | 2 +- doc/man7/EVP_PKEY-ML-KEM.pod | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/man7/EVP_PKEY-ML-DSA.pod b/doc/man7/EVP_PKEY-ML-DSA.pod index c647c4f5093e4..3948fe6a5a454 100644 --- a/doc/man7/EVP_PKEY-ML-DSA.pod +++ b/doc/man7/EVP_PKEY-ML-DSA.pod @@ -285,7 +285,7 @@ L, L, L, L, -LOSSL_PROVIDER_add_conf_parameter(3)>, +L, L, L diff --git a/doc/man7/EVP_PKEY-ML-KEM.pod b/doc/man7/EVP_PKEY-ML-KEM.pod index b83f5fb905259..ea9a5f0b4119e 100644 --- a/doc/man7/EVP_PKEY-ML-KEM.pod +++ b/doc/man7/EVP_PKEY-ML-KEM.pod @@ -305,7 +305,7 @@ L, L, L, L, -LOSSL_PROVIDER_add_conf_parameter(3)>, +L, L, L From 58d548d84edd332a7ec1b74dd87defc2d8271b45 Mon Sep 17 00:00:00 2001 From: Jon Spillett Date: Tue, 18 Mar 2025 13:37:15 +1000 Subject: [PATCH 0015/1171] Use text compare for PEM and text files - Fix ml_dsa_codecs test - Fix ml_kem_codecs test - Fix pkey test - Fix dsaparam test - Fix dhparam test - Fix pkcs8 test Reviewed-by: Tim Hudson Reviewed-by: Shane Lontis Reviewed-by: Dmitry Belyavskiy Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/27082) --- test/recipes/15-test_dsaparam.t | 4 ++-- test/recipes/15-test_ml_dsa_codecs.t | 18 +++++++++--------- test/recipes/15-test_ml_kem_codecs.t | 18 +++++++++--------- test/recipes/15-test_pkey.t | 14 +++++++------- test/recipes/20-test_dhparam.t | 4 ++-- test/recipes/25-test_pkcs8.t | 2 +- 6 files changed, 30 insertions(+), 30 deletions(-) diff --git a/test/recipes/15-test_dsaparam.t b/test/recipes/15-test_dsaparam.t index 5fd854c474dcd..abe561261d468 100644 --- a/test/recipes/15-test_dsaparam.t +++ b/test/recipes/15-test_dsaparam.t 
@@ -11,7 +11,7 @@ use warnings; use File::Spec; use File::Copy; -use File::Compare qw/compare/; +use File::Compare qw/compare_text/; use OpenSSL::Glob; use OpenSSL::Test qw/:DEFAULT data_file/; use OpenSSL::Test::Utils; @@ -84,4 +84,4 @@ my $inout = "inout.pem"; copy($input, $inout); ok(run(app(['openssl', 'dsaparam', '-in', $inout, '-out', $inout])), "identical infile and outfile"); -ok(!compare($input, $inout), "converted file $inout did not change"); +ok(!compare_text($input, $inout), "converted file $inout did not change"); diff --git a/test/recipes/15-test_ml_dsa_codecs.t b/test/recipes/15-test_ml_dsa_codecs.t index 9f4d5e595fa35..527e39daf0a71 100644 --- a/test/recipes/15-test_ml_dsa_codecs.t +++ b/test/recipes/15-test_ml_dsa_codecs.t @@ -63,7 +63,7 @@ foreach my $alg (@algs) { ok(run(app(['openssl', 'genpkey', '-out', $pem, '-pkeyopt', "hexseed:$seed", '-algorithm', "ml-dsa-$alg", '-provparam', "ml-dsa.output_formats=$f"]))); - ok(!compare($in, $pem), + ok(!compare_text($in, $pem), sprintf("prvkey PEM match: %s, %s", $alg, $f)); ok(run(app(['openssl', 'pkey', '-in', $in, '-noout', @@ -95,7 +95,7 @@ foreach my $alg (@algs) { ok(run(app([qw(openssl genpkey -provparam ml-dsa.retain_seed=no), '-algorithm', "ml-dsa-$alg", '-pkeyopt', "hexseed:$seed", '-out', $seedless]))); - ok(!compare(data_file($formats{'priv-only'}), $seedless), + ok(!compare_text(data_file($formats{'priv-only'}), $seedless), sprintf("seedless via cli key match: %s", $alg)); { local $ENV{'OPENSSL_CONF'} = data_file("ml-dsa.cnf"); 
@@ -104,14 +104,14 @@ foreach my $alg (@algs) { ok(run(app(['openssl', 'genpkey', '-algorithm', "ml-dsa-$alg", '-pkeyopt', "hexseed:$seed", '-out', $seedless]))); - ok(!compare(data_file($formats{'priv-only'}), $seedless), + ok(!compare_text(data_file($formats{'priv-only'}), $seedless), sprintf("seedless via config match: %s", $alg)); my $seedfull = sprintf("seedfull-%s.gen.conf+cli.pem", $alg); ok(run(app(['openssl', 'genpkey', '-provparam', 'ml-dsa.retain_seed=yes', '-algorithm', "ml-dsa-$alg", '-pkeyopt', "hexseed:$seed", '-out', $seedfull]))); - ok(!compare(data_file($formats{'seed-priv'}), $seedfull), + ok(!compare_text(data_file($formats{'seed-priv'}), $seedfull), sprintf("seedfull via cli vs. conf key match: %s", $alg)); } @@ -120,7 +120,7 @@ foreach my $alg (@algs) { $seedless = sprintf("seedless-%s.dec.cli.pem", $alg); ok(run(app(['openssl', 'pkey', '-provparam', 'ml-dsa.retain_seed=no', '-in', data_file($formats{'seed-only'}), '-out', $seedless]))); - ok(!compare(data_file($formats{'priv-only'}), $seedless), + ok(!compare_text(data_file($formats{'priv-only'}), $seedless), sprintf("seedless via provparam key match: %s", $alg)); { local $ENV{'OPENSSL_CONF'} = data_file("ml-dsa.cnf"); @@ -128,13 +128,13 @@ foreach my $alg (@algs) { $seedless = sprintf("seedless-%s.dec.cnf.pem", $alg); ok(run(app(['openssl', 'pkey', '-in', data_file($formats{'seed-only'}), '-out', $seedless]))); - ok(!compare(data_file($formats{'priv-only'}), $seedless), + ok(!compare_text(data_file($formats{'priv-only'}), $seedless), sprintf("seedless via config match: %s", $alg)); my $seedfull = sprintf("seedfull-%s.dec.conf+cli.pem", $alg); ok(run(app(['openssl', 'pkey', '-provparam', 'ml-dsa.retain_seed=yes', '-in', data_file($formats{'seed-only'}), '-out', $seedfull]))); - ok(!compare(data_file($formats{'seed-priv'}), $seedfull), + ok(!compare_text(data_file($formats{'seed-priv'}), $seedfull), sprintf("seedfull via cli vs. conf key match: %s", $alg)); } 
@@ -143,7 +143,7 @@ foreach my $alg (@algs) { my $privpref = sprintf("privpref-%s.dec.cli.pem", $alg); ok(run(app(['openssl', 'pkey', '-provparam', 'ml-dsa.prefer_seed=no', '-in', data_file($formats{'seed-priv'}), '-out', $privpref]))); - ok(!compare(data_file($formats{'priv-only'}), $privpref), + ok(!compare_text(data_file($formats{'priv-only'}), $privpref), sprintf("seed non-preference via provparam key match: %s", $alg)); # (2 * @formats) tests @@ -154,7 +154,7 @@ foreach my $alg (@algs) { my $out = sprintf("prv-%s-%s.txt", $alg, $f); ok(run(app(['openssl', 'pkey', '-in', data_file($kf), '-noout', '-text', '-out', $out]))); - ok(!compare(data_file($txt), $out), + ok(!compare_text(data_file($txt), $out), sprintf("text form private key: %s with %s", $alg, $f)); } diff --git a/test/recipes/15-test_ml_kem_codecs.t b/test/recipes/15-test_ml_kem_codecs.t index 72e1b3333435d..eaa9b2cad1e95 100644 --- a/test/recipes/15-test_ml_kem_codecs.t +++ b/test/recipes/15-test_ml_kem_codecs.t @@ -59,7 +59,7 @@ foreach my $alg (@algs) { ok(run(app(['openssl', 'genpkey', '-out', $pem, '-pkeyopt', "hexseed:$seed", '-algorithm', "ml-kem-$alg", '-provparam', "ml-kem.output_formats=$f"]))); - ok(!compare($in, $pem), + ok(!compare_text($in, $pem), sprintf("prvkey PEM match: %s, %s", $alg, $f)); ok(run(app(['openssl', 'pkey', '-in', $in, '-noout', @@ -97,7 +97,7 @@ foreach my $alg (@algs) { ok(run(app(['openssl', 'genpkey', '-provparam', 'ml-kem.retain_seed=no', '-algorithm', "ml-kem-$alg", '-pkeyopt', "hexseed:$seed", '-out', $seedless]))); - ok(!compare(data_file($formats{'priv-only'}), $seedless), + ok(!compare_text(data_file($formats{'priv-only'}), $seedless), sprintf("seedless via cli key match: %s", $alg)); { local $ENV{'OPENSSL_CONF'} = data_file("ml-kem.cnf"); 
@@ -106,14 +106,14 @@ foreach my $alg (@algs) { ok(run(app(['openssl', 'genpkey', '-algorithm', "ml-kem-$alg", '-pkeyopt', "hexseed:$seed", '-out', $seedless]))); - ok(!compare(data_file($formats{'priv-only'}), $seedless), + ok(!compare_text(data_file($formats{'priv-only'}), $seedless), sprintf("seedless via config match: %s", $alg)); my $seedfull = sprintf("seedfull-%s.gen.conf+cli.pem", $alg); ok(run(app(['openssl', 'genpkey', '-provparam', 'ml-kem.retain_seed=yes', '-algorithm', "ml-kem-$alg", '-pkeyopt', "hexseed:$seed", '-out', $seedfull]))); - ok(!compare(data_file($formats{'seed-priv'}), $seedfull), + ok(!compare_text(data_file($formats{'seed-priv'}), $seedfull), sprintf("seedfull via cli vs. conf key match: %s", $alg)); } @@ -122,7 +122,7 @@ foreach my $alg (@algs) { $seedless = sprintf("seedless-%s.dec.cli.pem", $alg); ok(run(app(['openssl', 'pkey', '-provparam', 'ml-kem.retain_seed=no', '-in', data_file($formats{'seed-only'}), '-out', $seedless]))); - ok(!compare(data_file($formats{'priv-only'}), $seedless), + ok(!compare_text(data_file($formats{'priv-only'}), $seedless), sprintf("seedless via provparam key match: %s", $alg)); { local $ENV{'OPENSSL_CONF'} = data_file("ml-kem.cnf"); @@ -130,13 +130,13 @@ foreach my $alg (@algs) { $seedless = sprintf("seedless-%s.dec.cnf.pem", $alg); ok(run(app(['openssl', 'pkey', '-in', data_file($formats{'seed-only'}), '-out', $seedless]))); - ok(!compare(data_file($formats{'priv-only'}), $seedless), + ok(!compare_text(data_file($formats{'priv-only'}), $seedless), sprintf("seedless via config match: %s", $alg)); my $seedfull = sprintf("seedfull-%s.dec.conf+cli.pem", $alg); ok(run(app(['openssl', 'pkey', '-provparam', 'ml-kem.retain_seed=yes', '-in', data_file($formats{'seed-only'}), '-out', $seedfull]))); - ok(!compare(data_file($formats{'seed-priv'}), $seedfull), + ok(!compare_text(data_file($formats{'seed-priv'}), $seedfull), sprintf("seedfull via cli vs. conf key match: %s", $alg)); } 
@@ -145,7 +145,7 @@ foreach my $alg (@algs) { my $privpref = sprintf("privpref-%s.dec.cli.pem", $alg); ok(run(app(['openssl', 'pkey', '-provparam', 'ml-kem.prefer_seed=no', '-in', data_file($formats{'seed-priv'}), '-out', $privpref]))); - ok(!compare(data_file($formats{'priv-only'}), $privpref), + ok(!compare_text(data_file($formats{'priv-only'}), $privpref), sprintf("seed non-preference via provparam key match: %s", $alg)); # (2 * @formats) tests @@ -156,7 +156,7 @@ foreach my $alg (@algs) { my $out = sprintf("prv-%s-%s.txt", $alg, $f); ok(run(app(['openssl', 'pkey', '-in', data_file($k), '-noout', '-text', '-out', $out]))); - ok(!compare(data_file($txt), $out), + ok(!compare_text(data_file($txt), $out), sprintf("text form private key: %s with %s", $alg, $f)); } diff --git a/test/recipes/15-test_pkey.t b/test/recipes/15-test_pkey.t index 9242f49a5f267..85b870f5a9e7c 100644 --- a/test/recipes/15-test_pkey.t +++ b/test/recipes/15-test_pkey.t @@ -11,7 +11,7 @@ use warnings; use OpenSSL::Test::Utils; use File::Copy; -use File::Compare qw(compare); +use File::Compare qw(compare_text); use OpenSSL::Test qw/:DEFAULT srctop_file/; setup("test_pkey"); @@ -40,7 +40,7 @@ subtest "=== pkey typical en-/decryption (using AES256-CBC) ===" => sub { ok(run(app([@app, '-in', $encrypted_key, '-out', $decrypted_key, '-passin', $pass])), "decrypt key"); - is(compare($in_key, $decrypted_key), 0, + is(compare_text($in_key, $decrypted_key), 0, "Same file contents after encrypting and decrypting in separate files"); }; @@ -61,7 +61,7 @@ subtest "=== pkey handling of identical input and output files (using 3DES) and ok(run(app([@app, '-in', $inout, '-out', $inout, '-passin', $pass])), "decrypt using identical infile and outfile"); - is(compare($in_key, $inout), 0, + is(compare_text($in_key, $inout), 0, "Same file contents after encrypting and decrypting using same file"); }; 
@@ -75,19 +75,19 @@ subtest "=== pkey handling of public keys (Ed25519) ===" => sub { my $pub_out1 = 'pub1.pem'; ok(run(app([@app, '-in', $in_ed_key, '-pubout', '-out', $pub_out1])), "extract public key"); - is(compare($in_pubkey, $pub_out1), 0, + is(compare_text($in_pubkey, $pub_out1), 0, "extracted public key is same as original public key"); my $pub_out2 = 'pub2.pem'; ok(run(app([@app, '-in', $in_pubkey, '-pubin', '-pubout', '-out', $pub_out2])), "read public key from pubfile"); - is(compare($in_pubkey, $pub_out2), 0, + is(compare_text($in_pubkey, $pub_out2), 0, "public key read using pubfile is same as original public key"); my $pub_out3 = 'pub3.pem'; ok(run(app([@app, '-in', $in_ed_key, '-pubin', '-pubout', '-out', $pub_out3])), "extract public key from pkey file with -pubin"); - is(compare($in_pubkey, $pub_out3), 0, + is(compare_text($in_pubkey, $pub_out3), 0, "public key extraced from pkey file with -pubin is same as original"); }; @@ -108,7 +108,7 @@ subtest "=== pkey handling of DER encoding ===" => sub { ok(run(app([@app, '-in', $der_out, '-inform', 'DER', '-out', $pem_out])), "read DER-encoded key"); - is(compare($in_key, $pem_out), 0, + is(compare_text($in_key, $pem_out), 0, "Same file contents after converting to DER and back"); }; diff --git a/test/recipes/20-test_dhparam.t b/test/recipes/20-test_dhparam.t index f81e74c5667c4..cfae79ab57b8e 100644 --- a/test/recipes/20-test_dhparam.t +++ b/test/recipes/20-test_dhparam.t @@ -11,7 +11,7 @@ use strict; use warnings; use File::Copy; -use File::Compare qw/compare/; +use File::Compare qw/compare_text/; use OpenSSL::Test qw(:DEFAULT data_file srctop_file); use OpenSSL::Test::Utils; @@ -221,4 +221,4 @@ my $inout = "inout.pem"; copy($input, $inout); ok(run(app(['openssl', 'dhparam', '-in', $inout, '-out', $inout])), "identical infile and outfile"); -ok(!compare($input, $inout), "converted file $inout did not change"); +ok(!compare_text($input, $inout), "converted file $inout did not change"); 
diff --git a/test/recipes/25-test_pkcs8.t b/test/recipes/25-test_pkcs8.t index a0f8644744827..cb8a77dd3d0ce 100644 --- a/test/recipes/25-test_pkcs8.t +++ b/test/recipes/25-test_pkcs8.t @@ -28,7 +28,7 @@ ok(run(app(['openssl', 'pkcs8', '-topk8', '-in', $inout, ok(run(app(['openssl', 'pkcs8', '-in', $inout, '-out', $inout, '-passin', 'pass:password'])), "identical infile and outfile, from PKCS#8"); -is(compare($pc5_key, $inout), 0, +is(compare_text($pc5_key, $inout), 0, "Same file contents after converting forth and back"); ok(run(app(([ 'openssl', 'pkcs8', '-topk8', From 064bb16454ec4d55a1e40cb673232c54e9f28196 Mon Sep 17 00:00:00 2001 From: Viktor Dukhovni Date: Mon, 17 Mar 2025 15:24:33 +1100 Subject: [PATCH 0016/1171] Tolerate PKCS#8 V2 with optional public keys - Presently any included public key is unused. - We don't check that v1 PKCS#8 structures omit the public key. Reviewed-by: Tim Hudson Reviewed-by: Dmitry Belyavskiy Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/27076) --- crypto/asn1/p8_pkey.c | 26 +++++++-- include/crypto/x509.h | 1 + test/evp_extra_test.c | 130 +++++++++++++++++++++++++++++++++++++++++- 3 files changed, 151 insertions(+), 6 deletions(-) diff --git a/crypto/asn1/p8_pkey.c b/crypto/asn1/p8_pkey.c index dee188519c22c..503b65b7c69a9 100644 --- a/crypto/asn1/p8_pkey.c +++ b/crypto/asn1/p8_pkey.c 
@@ -17,11 +17,25 @@ static int pkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) { - /* Since the structure must still be valid use ASN1_OP_FREE_PRE */ - if (operation == ASN1_OP_FREE_PRE) { - PKCS8_PRIV_KEY_INFO *key = (PKCS8_PRIV_KEY_INFO *)*pval; + PKCS8_PRIV_KEY_INFO *key; + int version; + + switch (operation) { + case ASN1_OP_FREE_PRE: + /* The structure is still valid during ASN1_OP_FREE_PRE */ + key = (PKCS8_PRIV_KEY_INFO *)*pval; if (key->pkey) OPENSSL_cleanse(key->pkey->data, key->pkey->length); + break; + case ASN1_OP_D2I_POST: + /* Insist on a valid version now that the structure is decoded */ + key = (PKCS8_PRIV_KEY_INFO *)*pval; + version = ASN1_INTEGER_get(key->version); + if (version < 0 || version > 1) + return 0; + if (version == 0 && key->kpub != NULL) + return 0; + break; } return 1; } @@ -30,7 +44,8 @@ ASN1_SEQUENCE_cb(PKCS8_PRIV_KEY_INFO, pkey_cb) = { ASN1_SIMPLE(PKCS8_PRIV_KEY_INFO, version, ASN1_INTEGER), ASN1_SIMPLE(PKCS8_PRIV_KEY_INFO, pkeyalg, X509_ALGOR), ASN1_SIMPLE(PKCS8_PRIV_KEY_INFO, pkey, ASN1_OCTET_STRING), - ASN1_IMP_SET_OF_OPT(PKCS8_PRIV_KEY_INFO, attributes, X509_ATTRIBUTE, 0) + ASN1_IMP_SET_OF_OPT(PKCS8_PRIV_KEY_INFO, attributes, X509_ATTRIBUTE, 0), + ASN1_IMP_OPT(PKCS8_PRIV_KEY_INFO, kpub, ASN1_BIT_STRING, 1) } ASN1_SEQUENCE_END_cb(PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO) IMPLEMENT_ASN1_FUNCTIONS(PKCS8_PRIV_KEY_INFO) @@ -40,6 +55,9 @@ int PKCS8_pkey_set0(PKCS8_PRIV_KEY_INFO *priv, ASN1_OBJECT *aobj, int ptype, void *pval, unsigned char *penc, int penclen) { if (version >= 0) { + /* We only support PKCS#8 v1 (0) and v2 (1). */ + if (version > 1) + return 0; if (!ASN1_INTEGER_set(priv->version, version)) return 0; } diff --git a/include/crypto/x509.h b/include/crypto/x509.h index 8439c1be6104c..b66eab72c63bb 100644 --- a/include/crypto/x509.h +++ b/include/crypto/x509.h 
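Review bot: The `switch (operation)` in pkey_cb has no `default:` case, so every other ASN1_OP_* value silently falls through to `return 1`; that is the intended behaviour, but an explicit `default: break;` makes it deliberate and keeps switch-coverage warnings quiet. The ASN1_OP_D2I_POST branch also rejects `version == 0 && key->kpub != NULL`, which contradicts the commit description's second bullet ("We don't check that v1 PKCS#8 structures omit the public key"), so one of the two should be corrected. ASN1_INTEGER_get() returns -1 both for a genuine -1 and for values that do not fit in a long, which the `version < 0` test covers; a comment such as `/* ASN1_INTEGER_get() also yields -1 on overflow, rejected here */` would save the next reader re-deriving that.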
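Review bot: The template registers the new member as `ASN1_IMP_OPT(PKCS8_PRIV_KEY_INFO, kpub, ASN1_BIT_STRING, 1)`, but the field added to struct pkcs8_priv_key_info_st in the include/crypto/x509.h hunk is declared `ASN1_OCTET_STRING *kpub;`. Both are typedefs of ASN1_STRING so this compiles, but the declared type is what the next reader of the struct will trust, and bit strings carry unused-bit information that octet strings do not; declaring it `ASN1_BIT_STRING *kpub;` matches the template and RFC 5958's `publicKey [1] PublicKey OPTIONAL` (PublicKey ::= BIT STRING). A one-line comment on the field, `/* Optional [1] publicKey BIT STRING (PKCS#8 v2 only); decoded but currently unused */`, would also record the commit's stated intent next to the data.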
@@ -292,6 +292,7 @@ struct pkcs8_priv_key_info_st { X509_ALGOR *pkeyalg; ASN1_OCTET_STRING *pkey; STACK_OF(X509_ATTRIBUTE) *attributes; + ASN1_OCTET_STRING *kpub; }; struct X509_sig_st { diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c index 982081f461ac5..426c25ee6c458 100644 --- a/test/evp_extra_test.c +++ b/test/evp_extra_test.c @@ -459,7 +459,7 @@ static const unsigned char kSignature[] = { }; /* - * kExampleRSAKeyPKCS8 is kExampleRSAKeyDER encoded in a PKCS #8 + * kExampleRSAKeyPKCS8 is kExampleRSAKeyDER encoded in a PKCS#8 v1 * PrivateKeyInfo. */ static const unsigned char kExampleRSAKeyPKCS8[] = { 
@@ -518,6 +518,79 @@ static const unsigned char kExampleRSAKeyPKCS8[] = { 0x08, 0xf1, 0x2d, 0x86, 0x9d, 0xa5, 0x20, 0x1b, 0xe5, 0xdf, }; +/* + * kExampleRSAKeyPKCS8 is kExampleRSAKeyDER encoded in a PKCS#8 v2 + * PrivateKeyInfo (with an optional public key). + */ +static const unsigned char kExampleRSAKeyPKCS8_v2[] = { + 0x30, 0x82, 0x03, 0x06, 0x02, 0x01, 0x01, 0x30, 0x0d, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, + 0x02, 0x60, 0x30, 0x82, 0x02, 0x5c, 0x02, 0x01, 0x00, 0x02, 0x81, 0x81, + 0x00, 0xf8, 0xb8, 0x6c, 0x83, 0xb4, 0xbc, 0xd9, 0xa8, 0x57, 0xc0, 0xa5, + 0xb4, 0x59, 0x76, 0x8c, 0x54, 0x1d, 0x79, 0xeb, 0x22, 0x52, 0x04, 0x7e, + 0xd3, 0x37, 0xeb, 0x41, 0xfd, 0x83, 0xf9, 0xf0, 0xa6, 0x85, 0x15, 0x34, + 0x75, 0x71, 0x5a, 0x84, 0xa8, 0x3c, 0xd2, 0xef, 0x5a, 0x4e, 0xd3, 0xde, + 0x97, 0x8a, 0xdd, 0xff, 0xbb, 0xcf, 0x0a, 0xaa, 0x86, 0x92, 0xbe, 0xb8, + 0x50, 0xe4, 0xcd, 0x6f, 0x80, 0x33, 0x30, 0x76, 0x13, 0x8f, 0xca, 0x7b, + 0xdc, 0xec, 0x5a, 0xca, 0x63, 0xc7, 0x03, 0x25, 0xef, 0xa8, 0x8a, 0x83, + 0x58, 0x76, 0x20, 0xfa, 0x16, 0x77, 0xd7, 0x79, 0x92, 0x63, 0x01, 0x48, + 0x1a, 0xd8, 0x7b, 0x67, 0xf1, 0x52, 0x55, 0x49, 0x4e, 0xd6, 0x6e, 0x4a, + 0x5c, 0xd7, 0x7a, 0x37, 0x36, 0x0c, 0xde, 0xdd, 0x8f, 0x44, 0xe8, 0xc2, + 0xa7, 0x2c, 0x2b, 0xb5, 0xaf, 0x64, 0x4b, 0x61, 0x07, 0x02, 0x03, 0x01, + 0x00, 0x01, 0x02, 0x81, 0x80, 0x74, 0x88, 0x64, 0x3f, 0x69, 0x45, 0x3a, + 0x6d, 0xc7, 0x7f, 0xb9, 0xa3, 0xc0, 0x6e, 0xec, 0xdc, 0xd4, 0x5a, 0xb5, + 0x32, 0x85, 0x5f, 0x19, 0xd4, 0xf8, 0xd4, 0x3f, 0x3c, 0xfa, 0xc2, 0xf6, + 0x5f, 0xee, 0xe6, 0xba, 0x87, 0x74, 0x2e, 0xc7, 0x0c, 0xd4, 0x42, 0xb8, + 0x66, 0x85, 0x9c, 0x7b, 0x24, 0x61, 0xaa, 0x16, 0x11, 0xf6, 0xb5, 0xb6, + 0xa4, 0x0a, 0xc9, 0x55, 0x2e, 0x81, 0xa5, 0x47, 0x61, 0xcb, 0x25, 0x8f, + 0xc2, 0x15, 0x7b, 0x0e, 0x7c, 0x36, 0x9f, 0x3a, 0xda, 0x58, 0x86, 0x1c, + 0x5b, 0x83, 0x79, 0xe6, 0x2b, 0xcc, 0xe6, 0xfa, 0x2c, 0x61, 0xf2, 0x78, + 0x80, 0x1b, 0xe2, 0xf3, 0x9d, 0x39, 0x2b, 0x65, 
0x57, 0x91, 0x3d, 0x71, + 0x99, 0x73, 0xa5, 0xc2, 0x79, 0x20, 0x8c, 0x07, 0x4f, 0xe5, 0xb4, 0x60, + 0x1f, 0x99, 0xa2, 0xb1, 0x4f, 0x0c, 0xef, 0xbc, 0x59, 0x53, 0x00, 0x7d, + 0xb1, 0x02, 0x41, 0x00, 0xfc, 0x7e, 0x23, 0x65, 0x70, 0xf8, 0xce, 0xd3, + 0x40, 0x41, 0x80, 0x6a, 0x1d, 0x01, 0xd6, 0x01, 0xff, 0xb6, 0x1b, 0x3d, + 0x3d, 0x59, 0x09, 0x33, 0x79, 0xc0, 0x4f, 0xde, 0x96, 0x27, 0x4b, 0x18, + 0xc6, 0xd9, 0x78, 0xf1, 0xf4, 0x35, 0x46, 0xe9, 0x7c, 0x42, 0x7a, 0x5d, + 0x9f, 0xef, 0x54, 0xb8, 0xf7, 0x9f, 0xc4, 0x33, 0x6c, 0xf3, 0x8c, 0x32, + 0x46, 0x87, 0x67, 0x30, 0x7b, 0xa7, 0xac, 0xe3, 0x02, 0x41, 0x00, 0xfc, + 0x2c, 0xdf, 0x0c, 0x0d, 0x88, 0xf5, 0xb1, 0x92, 0xa8, 0x93, 0x47, 0x63, + 0x55, 0xf5, 0xca, 0x58, 0x43, 0xba, 0x1c, 0xe5, 0x9e, 0xb6, 0x95, 0x05, + 0xcd, 0xb5, 0x82, 0xdf, 0xeb, 0x04, 0x53, 0x9d, 0xbd, 0xc2, 0x38, 0x16, + 0xb3, 0x62, 0xdd, 0xa1, 0x46, 0xdb, 0x6d, 0x97, 0x93, 0x9f, 0x8a, 0xc3, + 0x9b, 0x64, 0x7e, 0x42, 0xe3, 0x32, 0x57, 0x19, 0x1b, 0xd5, 0x6e, 0x85, + 0xfa, 0xb8, 0x8d, 0x02, 0x41, 0x00, 0xbc, 0x3d, 0xde, 0x6d, 0xd6, 0x97, + 0xe8, 0xba, 0x9e, 0x81, 0x37, 0x17, 0xe5, 0xa0, 0x64, 0xc9, 0x00, 0xb7, + 0xe7, 0xfe, 0xf4, 0x29, 0xd9, 0x2e, 0x43, 0x6b, 0x19, 0x20, 0xbd, 0x99, + 0x75, 0xe7, 0x76, 0xf8, 0xd3, 0xae, 0xaf, 0x7e, 0xb8, 0xeb, 0x81, 0xf4, + 0x9d, 0xfe, 0x07, 0x2b, 0x0b, 0x63, 0x0b, 0x5a, 0x55, 0x90, 0x71, 0x7d, + 0xf1, 0xdb, 0xd9, 0xb1, 0x41, 0x41, 0x68, 0x2f, 0x4e, 0x39, 0x02, 0x40, + 0x5a, 0x34, 0x66, 0xd8, 0xf5, 0xe2, 0x7f, 0x18, 0xb5, 0x00, 0x6e, 0x26, + 0x84, 0x27, 0x14, 0x93, 0xfb, 0xfc, 0xc6, 0x0f, 0x5e, 0x27, 0xe6, 0xe1, + 0xe9, 0xc0, 0x8a, 0xe4, 0x34, 0xda, 0xe9, 0xa2, 0x4b, 0x73, 0xbc, 0x8c, + 0xb9, 0xba, 0x13, 0x6c, 0x7a, 0x2b, 0x51, 0x84, 0xa3, 0x4a, 0xe0, 0x30, + 0x10, 0x06, 0x7e, 0xed, 0x17, 0x5a, 0x14, 0x00, 0xc9, 0xef, 0x85, 0xea, + 0x52, 0x2c, 0xbc, 0x65, 0x02, 0x40, 0x51, 0xe3, 0xf2, 0x83, 0x19, 0x9b, + 0xc4, 0x1e, 0x2f, 0x50, 0x3d, 0xdf, 0x5a, 0xa2, 0x18, 0xca, 0x5f, 0x2e, + 0x49, 0xaf, 0x6f, 0xcc, 0xfa, 0x65, 0x77, 0x94, 
0xb5, 0xa1, 0x0a, 0xa9, + 0xd1, 0x8a, 0x39, 0x37, 0xf4, 0x0b, 0xa0, 0xd7, 0x82, 0x27, 0x5e, 0xae, + 0x17, 0x17, 0xa1, 0x1e, 0x54, 0x34, 0xbf, 0x6e, 0xc4, 0x8e, 0x99, 0x5d, + 0x08, 0xf1, 0x2d, 0x86, 0x9d, 0xa5, 0x20, 0x1b, 0xe5, 0xdf, + /* Implicit optional Public key BIT STRING */ + 0x81, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xf8, + 0xb8, 0x6c, 0x83, 0xb4, 0xbc, 0xd9, 0xa8, 0x57, 0xc0, 0xa5, 0xb4, 0x59, + 0x76, 0x8c, 0x54, 0x1d, 0x79, 0xeb, 0x22, 0x52, 0x04, 0x7e, 0xd3, 0x37, + 0xeb, 0x41, 0xfd, 0x83, 0xf9, 0xf0, 0xa6, 0x85, 0x15, 0x34, 0x75, 0x71, + 0x5a, 0x84, 0xa8, 0x3c, 0xd2, 0xef, 0x5a, 0x4e, 0xd3, 0xde, 0x97, 0x8a, + 0xdd, 0xff, 0xbb, 0xcf, 0x0a, 0xaa, 0x86, 0x92, 0xbe, 0xb8, 0x50, 0xe4, + 0xcd, 0x6f, 0x80, 0x33, 0x30, 0x76, 0x13, 0x8f, 0xca, 0x7b, 0xdc, 0xec, + 0x5a, 0xca, 0x63, 0xc7, 0x03, 0x25, 0xef, 0xa8, 0x8a, 0x83, 0x58, 0x76, + 0x20, 0xfa, 0x16, 0x77, 0xd7, 0x79, 0x92, 0x63, 0x01, 0x48, 0x1a, 0xd8, + 0x7b, 0x67, 0xf1, 0x52, 0x55, 0x49, 0x4e, 0xd6, 0x6e, 0x4a, 0x5c, 0xd7, + 0x7a, 0x37, 0x36, 0x0c, 0xde, 0xdd, 0x8f, 0x44, 0xe8, 0xc2, 0xa7, 0x2c, + 0x2b, 0xb5, 0xaf, 0x64, 0x4b, 0x61, 0x07, 0x02, 0x03, 0x01, 0x00, 0x01 +}; + #ifndef OPENSSL_NO_EC /* * kExampleECKeyDER is a sample EC private key encoded as an ECPrivateKey 
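Review bot: The comment above the new array still names it `kExampleRSAKeyPKCS8`, copied from the v1 block; it should read `kExampleRSAKeyPKCS8_v2 is kExampleRSAKeyDER encoded in a PKCS#8 v2 PrivateKeyInfo (with an optional public key)`. The inline marker before the trailing bytes is helpful, but it would be more useful if it named what the bytes are, e.g. `/* [1] IMPLICIT BIT STRING publicKey: tag 0x81, length 0x81 0x8d, 0x00 unused bits */`, since that is exactly the encoding the new ASN1_IMP_OPT template is expected to consume.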
@@ -537,6 +610,28 @@ static const unsigned char kExampleECKeyDER[] = { 0xc1, }; +static const unsigned char kExampleECKeyPKCS8_v2[] = { + 0x30, 0x81, 0xcb, 0x02, 0x01, 0x01, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, + 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, + 0x03, 0x01, 0x07, 0x04, 0x6d, 0x30, 0x6b, 0x02, 0x01, 0x01, 0x04, 0x20, + 0x07, 0x0f, 0x08, 0x72, 0x7a, 0xd4, 0xa0, 0x4a, 0x9c, 0xdd, 0x59, 0xc9, + 0x4d, 0x89, 0x68, 0x77, 0x08, 0xb5, 0x6f, 0xc9, 0x5d, 0x30, 0x77, 0x0e, + 0xe8, 0xd1, 0xc9, 0xce, 0x0a, 0x8b, 0xb4, 0x6a, 0xa1, 0x44, 0x03, 0x42, + 0x00, 0x04, 0xe6, 0x2b, 0x69, 0xe2, 0xbf, 0x65, 0x9f, 0x97, 0xbe, 0x2f, + 0x1e, 0x0d, 0x94, 0x8a, 0x4c, 0xd5, 0x97, 0x6b, 0xb7, 0xa9, 0x1e, 0x0d, + 0x46, 0xfb, 0xdd, 0xa9, 0xa9, 0x1e, 0x9d, 0xdc, 0xba, 0x5a, 0x01, 0xe7, + 0xd6, 0x97, 0xa8, 0x0a, 0x18, 0xf9, 0xc3, 0xc4, 0xa3, 0x1e, 0x56, 0xe2, + 0x7c, 0x83, 0x48, 0xdb, 0x16, 0x1a, 0x1c, 0xf5, 0x1d, 0x7e, 0xf1, 0x94, + 0x2d, 0x4b, 0xcf, 0x72, 0x22, 0xc1, + /* Optional implicit public key BIT STRING */ + 0x81, 0x42, 0x00, 0x04, 0xe6, 0x2b, 0x69, 0xe2, 0xbf, 0x65, 0x9f, 0x97, + 0xbe, 0x2f, 0x1e, 0x0d, 0x94, 0x8a, 0x4c, 0xd5, 0x97, 0x6b, 0xb7, 0xa9, + 0x1e, 0x0d, 0x46, 0xfb, 0xdd, 0xa9, 0xa9, 0x1e, 0x9d, 0xdc, 0xba, 0x5a, + 0x01, 0xe7, 0xd6, 0x97, 0xa8, 0x0a, 0x18, 0xf9, 0xc3, 0xc4, 0xa3, 0x1e, + 0x56, 0xe2, 0x7c, 0x83, 0x48, 0xdb, 0x16, 0x1a, 0x1c, 0xf5, 0x1d, 0x7e, + 0xf1, 0x94, 0x2d, 0x4b, 0xcf, 0x72, 0x22, 0xc1 +}; + /* * kExampleBadECKeyDER is a sample EC private key encoded as an ECPrivateKey * structure. The private key is equal to the order and will fail to import 
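Review bot: kExampleECKeyPKCS8_v2 has no descriptive comment, unlike the RSA counterpart in the same commit, so a reader has to decode the bytes to learn that it is a v2 PrivateKeyInfo whose trailing `0x81, 0x42, ...` is the optional publicKey. Suggest a header comment mirroring the RSA one, `/* An EC (P-256) private key, presumably the same key as kExampleECKeyDER, encoded in a PKCS#8 v2 PrivateKeyInfo with the optional publicKey present. */`; whether the inner key really equals kExampleECKeyDER cannot be confirmed from this hunk, since only that array's last byte is visible.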
@@ -765,6 +860,13 @@ static APK_DATA keydata[] = { #endif }; +static APK_DATA keydata_v2[] = { + {kExampleRSAKeyPKCS8_v2, sizeof(kExampleRSAKeyPKCS8_v2), "RSA", EVP_PKEY_RSA}, +#ifndef OPENSSL_NO_EC + {kExampleECKeyPKCS8_v2, sizeof(kExampleECKeyPKCS8_v2), "EC", EVP_PKEY_EC} +#endif +}; + static APK_DATA keycheckdata[] = { {kExampleRSAKeyDER, sizeof(kExampleRSAKeyDER), "RSA", EVP_PKEY_RSA, 1, 1, 1, 0}, @@ -2126,7 +2228,6 @@ static int test_invalide_ec_char2_pub_range_decode(int id) return ret; } -/* Tests loading a bad key in PKCS8 format */ static int test_EVP_PKCS82PKEY(void) { int ret = 0; @@ -2155,6 +2256,30 @@ static int test_EVP_PKCS82PKEY(void) } #endif + +static int test_EVP_PKCS82PKEY_v2(int i) +{ + int ret = 0; + const unsigned char *p; + const APK_DATA *ak = &keydata_v2[i]; + const unsigned char *input = ak->kder; + size_t input_len = ak->size; + PKCS8_PRIV_KEY_INFO *p8inf = NULL; + + /* Can we parse PKCS#8 v2, ignoring the public key for now? */ + p = input; + p8inf = d2i_PKCS8_PRIV_KEY_INFO(NULL, &p, input_len); + if (!TEST_ptr(p8inf) + || !TEST_true(p == input + input_len)) + goto done; + + ret = 1; + done: + PKCS8_PRIV_KEY_INFO_free(p8inf); + return ret; +} + +/* Tests loading a bad key in PKCS8 format */ static int test_EVP_PKCS82PKEY_wrong_tag(void) { EVP_PKEY *pkey = NULL; @@ -6595,6 +6720,7 @@ int setup_tests(void) ADD_ALL_TESTS(test_d2i_AutoPrivateKey, OSSL_NELEM(keydata)); ADD_TEST(test_privatekey_to_pkcs8); ADD_TEST(test_EVP_PKCS82PKEY_wrong_tag); + ADD_ALL_TESTS(test_EVP_PKCS82PKEY_v2, OSSL_NELEM(keydata_v2)); #ifndef OPENSSL_NO_EC ADD_TEST(test_EVP_PKCS82PKEY); #endif From 1bf328edf93a25e7b7bf8d2b5b75aa5e03793dc1 Mon Sep 17 00:00:00 2001 
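Review bot: test_EVP_PKCS82PKEY_v2 only exercises the accept path of the new decoder; the two rejections added in pkey_cb (version outside 0..1, and version 0 with a publicKey present) have no negative test, and nothing checks that a v2 structure still converts through EVP_PKCS82PKEY(). A small companion case that copies kExampleRSAKeyPKCS8_v2 into a local buffer, changes the version byte at offset 6 from `0x01` to `0x00`, and expects d2i_PKCS8_PRIV_KEY_INFO() to return NULL would pin the v1-must-omit-publicKey rule. The `TEST_true(p == input + input_len)` check is a good trailing-data guard; a comment like `/* The whole buffer, including the trailing [1] publicKey, must be consumed */` would say why it is there.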
From: Dmitry Misharov Date: Tue, 18 Mar 2025 17:11:40 +0100 Subject: [PATCH 0017/1171] correctly mark the release as prerelease release must be marked as prerelease if "alpha" or "beta" is in tag name Reviewed-by: Paul Dale Reviewed-by: Tim Hudson Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/27092) --- .github/workflows/make-release.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/make-release.yml b/.github/workflows/make-release.yml index ab0255d405df2..1e2c7f25f7cb2 100644 --- a/.github/workflows/make-release.yml +++ b/.github/workflows/make-release.yml @@ -38,4 +38,5 @@ jobs: GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} run: | VERSION=$(echo ${{ github.ref_name }} | cut -d "-" -f 2-) - gh release create ${{ github.ref_name }} -t "OpenSSL $VERSION" -d --notes " " -R ${{ github.repository }} ${{ github.ref_name }}/assets/* + PRE_RELEASE=$([[ ${{ github.ref_name }} =~ alpha|beta ]] && echo "-p" || echo "") + gh release create ${{ github.ref_name }} $PRE_RELEASE -t "OpenSSL $VERSION" -d --notes " " -R ${{ github.repository }} ${{ github.ref_name }}/assets/* From c658a60aae5b3ac5a22cc11ad59d687bafcc6fbf Mon Sep 17 00:00:00 2001 From: Bernd Edlinger Date: Tue, 11 Mar 2025 18:58:25 +0100 Subject: [PATCH 0018/1171] Remove workaround for an old ppc64le compiler bug Lowering the optimization level is no longer needed, since the old compiler bug from ubuntu-20.04 has been fixed meanwhile. Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/27033) --- .github/workflows/cross-compiles.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/cross-compiles.yml b/.github/workflows/cross-compiles.yml index 2232e50a88444..fe2d4de308fd5 100644 --- a/.github/workflows/cross-compiles.yml +++ b/.github/workflows/cross-compiles.yml 
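Review bot: `${{ github.ref_name }}` is expanded straight into the shell script on the new `PRE_RELEASE=` line (as it already was on the `gh release create` line), which is the expression-injection pattern GitHub's workflow hardening guidance warns about: a ref name containing shell metacharacters would be executed rather than matched. The conventional fix is to pass it through the environment, adding `REF_NAME: ${{ github.ref_name }}` under the step's existing `env:` block and then using `PRE_RELEASE=$([[ "$REF_NAME" =~ alpha|beta ]] && echo "-p" || echo "")`. This workflow presumably only runs on maintainer-pushed tags, so exposure is limited, but the step runs with `GITHUB_TOKEN` in scope, which makes the cheap fix worth taking.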
@@ -103,10 +103,7 @@ jobs: }, { arch: powerpc64le-linux-gnu, libs: libc6-dev-ppc64el-cross, - # The default compiler for this platform on Ubuntu 20.04 seems - # buggy and causes test failures. Dropping the optimisation level - # resolves it. - target: -O2 linux-ppc64le, + target: linux-ppc64le, fips: no }, { arch: riscv64-linux-gnu, From 2ebae654d5baf1c3781d1228ce0fd9d28e02d08b Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Tue, 18 Mar 2025 11:36:01 +0000 Subject: [PATCH 0019/1171] Add a test for calling SSL_get_app_data() from QUIC TLS callbacks Check that we get the expected app data when using the QUIC TLS callbacks. Reviewed-by: Neil Horman Reviewed-by: Tim Hudson Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/27091) --- test/sslapitest.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 53 insertions(+), 1 deletion(-) diff --git a/test/sslapitest.c b/test/sslapitest.c index 391a76b8de622..90fe59c5bf437 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -12590,6 +12590,22 @@ struct quic_tls_test_data { int err; }; +static int clientquicdata = 0xff, serverquicdata = 0xfe; + +static int check_app_data(SSL *s) +{ + int *data, *comparedata; + + /* Check app data works */ + data = (int *)SSL_get_app_data(s); + comparedata = SSL_is_server(s) ? &serverquicdata : &clientquicdata; + + if (comparedata != data) + return 0; + + return 1; +} + static int crypto_send_cb(SSL *s, const unsigned char *buf, size_t buf_len, size_t *consumed, void *arg) { @@ -12598,6 +12614,11 @@ static int crypto_send_cb(SSL *s, const unsigned char *buf, size_t buf_len, size_t max_len = sizeof(peer->rcd_data[data->wenc_level]) - peer->rcd_data_len[data->wenc_level]; + if (!check_app_data(s)) { + data->err = 1; + return 0; + } + if (buf_len > max_len) buf_len = max_len; 
@@ -12618,6 +12639,11 @@ static int crypto_recv_rcd_cb(SSL *s, const unsigned char **buf, { struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg; + if (!check_app_data(s)) { + data->err = 1; + return 0; + } + *bytes_read = data->rcd_data_len[data->renc_level]; *buf = data->rcd_data[data->renc_level]; return 1; @@ -12627,6 +12653,11 @@ static int crypto_release_rcd_cb(SSL *s, size_t bytes_read, void *arg) { struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg; + if (!check_app_data(s)) { + data->err = 1; + return 0; + } + if (!TEST_size_t_eq(bytes_read, data->rcd_data_len[data->renc_level]) || !TEST_size_t_gt(bytes_read, 0)) { data->err = 1; @@ -12643,6 +12674,9 @@ static int yield_secret_cb(SSL *s, uint32_t prot_level, int direction, { struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg; + if (!check_app_data(s)) + goto err; + if (prot_level < OSSL_RECORD_PROTECTION_LEVEL_EARLY || prot_level > OSSL_RECORD_PROTECTION_LEVEL_APPLICATION) goto err; @@ -12680,6 +12714,11 @@ static int got_transport_params_cb(SSL *s, const unsigned char *params, { struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg; + if (!check_app_data(s)) { + data->err = 1; + return 0; + } + if (!TEST_size_t_le(params_len, sizeof(data->params))) { data->err = 1; return 0; @@ -12695,6 +12734,11 @@ static int alert_cb(SSL *s, unsigned char alert_code, void *arg) { struct quic_tls_test_data *data = (struct quic_tls_test_data *)arg; + if (!check_app_data(s)) { + data->err = 1; + return 0; + } + data->alert = 1; return 1; } @@ -12743,6 +12787,10 @@ static int test_quic_tls(void) NULL))) goto end; + if (!TEST_true(SSL_set_app_data(clientssl, &clientquicdata)) + || !TEST_true(SSL_set_app_data(serverssl, &serverquicdata))) + goto end; + if (!TEST_true(SSL_set_quic_tls_cbs(clientssl, qtdis, &cdata)) || !TEST_true(SSL_set_quic_tls_cbs(serverssl, qtdis, &sdata)) || !TEST_true(SSL_set_quic_tls_transport_params(clientssl, cparams, 
@@ -12861,7 +12909,11 @@ static int test_quic_tls_early_data(void) if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) || !TEST_true(SSL_set_session(clientssl, sess))) - return 0; + goto end; + + if (!TEST_true(SSL_set_app_data(clientssl, &clientquicdata)) + || !TEST_true(SSL_set_app_data(serverssl, &serverquicdata))) + goto end; if (!TEST_true(SSL_set_quic_tls_cbs(clientssl, qtdis, &cdata)) || !TEST_true(SSL_set_quic_tls_cbs(serverssl, qtdis, &sdata)) From f2488a567ba3376c7d2e2cb4567a20111c6df23b Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Tue, 18 Mar 2025 12:04:15 +0000 Subject: [PATCH 0020/1171] Check SSL_get_app_data() from QUIC cb in a failure situation Ensure SSL_get_app_data() works even in a failure situation from SSL_free() Reviewed-by: Neil Horman Reviewed-by: Tim Hudson Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/27091) --- test/sslapitest.c | 33 +++++++++++++++++++++++++++++---- 1 file changed, 29 insertions(+), 4 deletions(-) diff --git a/test/sslapitest.c b/test/sslapitest.c index 90fe59c5bf437..cfa304e1350a5 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -12588,6 +12588,7 @@ struct quic_tls_test_data { size_t params_len; int alert; int err; + int forcefail; }; static int clientquicdata = 0xff, serverquicdata = 0xfe; @@ -12600,7 +12601,7 @@ static int check_app_data(SSL *s) data = (int *)SSL_get_app_data(s); comparedata = SSL_is_server(s) ? &serverquicdata : &clientquicdata; - if (comparedata != data) + if (!TEST_true(comparedata == data)) return 0; return 1; @@ -12658,6 +12659,13 @@ static int crypto_release_rcd_cb(SSL *s, size_t bytes_read, void *arg) return 0; } + /* See if we need to force a failure in this callback */ + if (data->forcefail) { + data->forcefail = 0; + data->err = 1; + return 0; + } + if (!TEST_size_t_eq(bytes_read, data->rcd_data_len[data->renc_level]) || !TEST_size_t_gt(bytes_read, 0)) { data->err = 1; 
@@ -12745,8 +12753,10 @@ static int alert_cb(SSL *s, unsigned char alert_code, void *arg) /* * Test the QUIC TLS API + * Test 0: Normal run + * Test 1: Force a failure */ -static int test_quic_tls(void) +static int test_quic_tls(int idx) { SSL_CTX *sctx = NULL, *cctx = NULL; SSL *serverssl = NULL, *clientssl = NULL; @@ -12777,6 +12787,8 @@ static int test_quic_tls(void) memset(&cdata, 0, sizeof(cdata)); sdata.peer = &cdata; cdata.peer = &sdata; + if (idx == 1) + sdata.forcefail = 1; if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(), TLS1_3_VERSION, 0, @@ -12799,8 +12811,17 @@ static int test_quic_tls(void) sizeof(sparams)))) goto end; - if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) + if (idx == 0) { + if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) + goto end; + } else { + /* We expect this connection to fail */ + if (!TEST_false(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) + goto end; + testresult = 1; + sdata.err = 0; goto end; + } /* Check no problems during the handshake */ if (!TEST_false(sdata.alert) @@ -12838,6 +12859,10 @@ static int test_quic_tls(void) SSL_CTX_free(sctx); SSL_CTX_free(cctx); + /* Check that we didn't suddenly hit an unexpected failure during cleanup */ + if (!TEST_false(sdata.err) || !TEST_false(cdata.err)) + testresult = 0; + return testresult; } @@ -13319,7 +13344,7 @@ int setup_tests(void) #endif ADD_ALL_TESTS(test_alpn, 4); #if !defined(OSSL_NO_USABLE_TLS1_3) - ADD_TEST(test_quic_tls); + ADD_ALL_TESTS(test_quic_tls, 2); ADD_TEST(test_quic_tls_early_data); #endif return 1; From 4ad45969b028dbf2521fa42ea463978402b3584b Mon Sep 17 00:00:00 2001 
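Review bot: In the forced-failure branch of test_quic_tls, `sdata.err = 0` is cleared before the end-of-test check without first confirming that the handshake failed because of the injected callback error rather than for some other reason. Inserting `if (!TEST_true(sdata.err) || !TEST_false(sdata.forcefail)) goto end;` before `testresult = 1;` would verify that crypto_release_rcd_cb actually consumed the forcefail flag (assuming the release callback fires during the handshake, which this hunk does not show). A comment on the reset, `/* The error was expected; clear it so the cleanup check below stays meaningful */`, would explain why a test deliberately zeroes its own error flag.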
From: Matt Caswell Date: Tue, 18 Mar 2025 12:05:08 +0000 Subject: [PATCH 0021/1171] Don't decrement the unreleased counter if we failed to release a record In a failure situation we may incorrectly decrement the amount of data released. Only decrement the counter if we successfully released. Reviewed-by: Neil Horman Reviewed-by: Tim Hudson Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/27091) --- ssl/quic/quic_tls.c | 19 ++++++++----------- 1 file changed, 8 insertions(+), 11 deletions(-) diff --git a/ssl/quic/quic_tls.c b/ssl/quic/quic_tls.c index a48ee923dacba..0ed227ff894ec 100644 --- a/ssl/quic/quic_tls.c +++ b/ssl/quic/quic_tls.c @@ -423,18 +423,15 @@ static int quic_release_record(OSSL_RECORD_LAYER *rl, void *rechandle, return OSSL_RECORD_RETURN_FATAL; } - rl->recunreleased -= length; - - if (rl->recunreleased > 0) - return OSSL_RECORD_RETURN_SUCCESS; - - if (!rl->qtls->args.crypto_release_rcd_cb(rl->recread, - rl->qtls->args.crypto_release_rcd_cb_arg)) { - QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return OSSL_RECORD_RETURN_FATAL; + if (rl->recunreleased == length) { + if (!rl->qtls->args.crypto_release_rcd_cb(rl->recread, + rl->qtls->args.crypto_release_rcd_cb_arg)) { + QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); + return OSSL_RECORD_RETURN_FATAL; + } + rl->recread = 0; } - - rl->recread = 0; + rl->recunreleased -= length; return OSSL_RECORD_RETURN_SUCCESS; } From 2100cf2ee0d377976d28c9e04eefae4e1b5373ea Mon Sep 17 00:00:00 2001 
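Review bot: The reordered accounting in quic_release_record deserves a comment, because the reason the subtraction now follows the callback is not visible in the code: `/* Only account for this release once the callback has accepted it, so a failed release leaves recunreleased intact and can be retried */`. The new `if (rl->recunreleased == length)` also relies on a check earlier in the function (outside this hunk, presumably the one returning OSSL_RECORD_RETURN_FATAL just above) to rule out `length > rl->recunreleased`; if that guard is not there, the unsigned subtraction wraps silently. quic_release_record's body starts above the hunk.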
From: Matt Caswell Date: Tue, 18 Mar 2025 12:10:59 +0000 Subject: [PATCH 0022/1171] Ensure SSL_get_app_data() continues to work even in SSL_free() During SSL_free() we may get a QUIC TLS callback being called to clean up any remaining record data. We should ensure that SSL_get_app_data() continues to work, even in this scenario. Reviewed-by: Neil Horman Reviewed-by: Tim Hudson Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/27091) --- ssl/ssl_lib.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index fd0d6e2bb7473..912c6b121e733 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1428,11 +1428,10 @@ void SSL_free(SSL *s) return; REF_ASSERT_ISNT(i < 0); - CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data); - if (s->method != NULL) s->method->ssl_free(s); + CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data); SSL_CTX_free(s->ctx); CRYPTO_THREAD_lock_free(s->lock); CRYPTO_FREE_REF(&s->references); @@ -1448,15 +1447,17 @@ void ossl_ssl_connection_free(SSL *ssl) if (s == NULL) return; - X509_VERIFY_PARAM_free(s->param); - dane_final(&s->dane); - - /* Ignore return value */ + /* + * Ignore return values. This could result in user callbacks being called + * e.g. for the QUIC TLS record layer. So we do this early before we have + * freed other things. + */ ssl_free_wbio_buffer(s); - - /* Ignore return value */ RECORD_LAYER_clear(&s->rlayer); + X509_VERIFY_PARAM_free(s->param); + dane_final(&s->dane); + BUF_MEM_free(s->init_buf); /* add extra stuff */ From 445c0942cd19d78a96ea5c351c25c2613ab76c56 Mon Sep 17 00:00:00 2001 
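Review bot: The move of CRYPTO_free_ex_data() in SSL_free is order-sensitive but carries no comment, while the matching reorder in ossl_ssl_connection_free does; a later tidy-up could easily put it back. Suggest `/* Free ex_data after ssl_free(): it may run user callbacks (e.g. the QUIC TLS record layer) that still call SSL_get_app_data() */` above the call. SSL_free's body continues outside the hunk, so any other consumer of ex_data during teardown is not visible here.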
From: Matt Caswell Date: Tue, 18 Mar 2025 12:49:48 +0000 Subject: [PATCH 0023/1171] Test that using the QUIC TLS API does not require BIOs to be set When using the QUIC TLS API it does not make sense to require BIOs to be set. Reviewed-by: Neil Horman Reviewed-by: Tim Hudson Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/27091) --- test/sslapitest.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/test/sslapitest.c b/test/sslapitest.c index cfa304e1350a5..caff458985e74 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -12799,6 +12799,10 @@ static int test_quic_tls(int idx) NULL))) goto end; + /* Reset the BIOs we set in create_ssl_objects. We should not need them */ + SSL_set_bio(serverssl, NULL, NULL); + SSL_set_bio(clientssl, NULL, NULL); + if (!TEST_true(SSL_set_app_data(clientssl, &clientquicdata)) || !TEST_true(SSL_set_app_data(serverssl, &serverquicdata))) goto end; @@ -12936,6 +12940,10 @@ static int test_quic_tls_early_data(void) || !TEST_true(SSL_set_session(clientssl, sess))) goto end; + /* Reset the BIOs we set in create_ssl_objects. We should not need them */ + SSL_set_bio(serverssl, NULL, NULL); + SSL_set_bio(clientssl, NULL, NULL); + if (!TEST_true(SSL_set_app_data(clientssl, &clientquicdata)) || !TEST_true(SSL_set_app_data(serverssl, &serverquicdata))) goto end; From 228a26fde43e63a46b0f4c16031d08c6a9dd04c7 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Tue, 18 Mar 2025 12:51:29 +0000 Subject: [PATCH 0024/1171] Always use NULL BIOs when using the QUIC TLS API Reviewed-by: Neil Horman Reviewed-by: Tim Hudson Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/27091) --- ssl/quic/quic_tls.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/ssl/quic/quic_tls.c b/ssl/quic/quic_tls.c index 0ed227ff894ec..dba1ec338fb75 100644 --- a/ssl/quic/quic_tls.c +++ b/ssl/quic/quic_tls.c 
@@ -708,10 +708,21 @@ static int raise_error(QUIC_TLS *qtls, uint64_t error_code, int ossl_quic_tls_configure(QUIC_TLS *qtls) { SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(qtls->args.s); + BIO *nullbio; if (sc == NULL || !SSL_set_min_proto_version(qtls->args.s, TLS1_3_VERSION)) return RAISE_INTERNAL_ERROR(qtls); + nullbio = BIO_new(BIO_s_null()); + if (nullbio == NULL) + return RAISE_INTERNAL_ERROR(qtls); + + /* + * Our custom record layer doesn't use the BIO - but libssl generally + * expects one to be present. + */ + SSL_set_bio(qtls->args.s, nullbio, nullbio); + SSL_clear_options(qtls->args.s, SSL_OP_ENABLE_MIDDLEBOX_COMPAT); ossl_ssl_set_custom_record_layer(sc, &quic_tls_record_method, qtls); @@ -768,7 +779,6 @@ int ossl_quic_tls_tick(QUIC_TLS *qtls) if (!qtls->configured) { SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(qtls->args.s); SSL_CTX *sctx; - BIO *nullbio; if (sc == NULL) return RAISE_INTERNAL_ERROR(qtls); @@ -792,16 +802,6 @@ int ossl_quic_tls_tick(QUIC_TLS *qtls) if (!ossl_quic_tls_configure(qtls)) return RAISE_INTERNAL_ERROR(qtls); - nullbio = BIO_new(BIO_s_null()); - if (nullbio == NULL) - return RAISE_INTERNAL_ERROR(qtls); - - /* - * Our custom record layer doesn't use the BIO - but libssl generally - * expects one to be present. - */ - SSL_set_bio(qtls->args.s, nullbio, nullbio); - if (qtls->args.is_server) SSL_set_accept_state(qtls->args.s); else From 366b2643cb6f63c9e73b95c22b979c77e93625ec Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Tue, 18 Mar 2025 14:36:14 +0000 Subject: [PATCH 0025/1171] Add a test for using CCM ciphersuites with QUIC TLS API Reviewed-by: Neil Horman Reviewed-by: Tim Hudson Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/27091) --- test/sslapitest.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/test/sslapitest.c b/test/sslapitest.c index caff458985e74..413e3181ba436 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c 
@@ -12755,6 +12755,7 @@ static int alert_cb(SSL *s, unsigned char alert_code, void *arg) * Test the QUIC TLS API * Test 0: Normal run * Test 1: Force a failure + * Test 3: Use a CCM based ciphersuite */ static int test_quic_tls(int idx) { @@ -12803,6 +12804,12 @@ static int test_quic_tls(int idx) SSL_set_bio(serverssl, NULL, NULL); SSL_set_bio(clientssl, NULL, NULL); + if (idx == 2) { + if (!TEST_true(SSL_set_ciphersuites(serverssl, "TLS_AES_128_CCM_SHA256")) + || !TEST_true(SSL_set_ciphersuites(clientssl, "TLS_AES_128_CCM_SHA256"))) + goto end; + } + if (!TEST_true(SSL_set_app_data(clientssl, &clientquicdata)) || !TEST_true(SSL_set_app_data(serverssl, &serverquicdata))) goto end; @@ -12815,7 +12822,7 @@ static int test_quic_tls(int idx) sizeof(sparams)))) goto end; - if (idx == 0) { + if (idx != 1) { if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) goto end; } else { @@ -13352,7 +13359,7 @@ int setup_tests(void) #endif ADD_ALL_TESTS(test_alpn, 4); #if !defined(OSSL_NO_USABLE_TLS1_3) - ADD_ALL_TESTS(test_quic_tls, 2); + ADD_ALL_TESTS(test_quic_tls, 3); ADD_TEST(test_quic_tls_early_data); #endif return 1; From 207cd5bb975f1cda542757b9695ac4e5bdb71576 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Tue, 18 Mar 2025 14:36:28 +0000 Subject: [PATCH 0026/1171] Fix the use of CCM ciphersuites with QUIC TLS API Reviewed-by: Neil Horman Reviewed-by: Tim Hudson Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/27091) --- include/internal/ssl.h | 2 ++ include/openssl/ssl3.h | 1 + ssl/quic/quic_impl.c | 4 ++-- ssl/quic/quic_port.c | 2 +- ssl/quic/quic_tls.c | 2 ++ ssl/s3_lib.c | 2 +- ssl/ssl_local.h | 1 + ssl/t1_lib.c | 2 +- 8 files changed, 11 insertions(+), 5 deletions(-) diff --git a/include/internal/ssl.h b/include/internal/ssl.h index 8a0c797496724..622be7ec69a5b 100644 --- a/include/internal/ssl.h +++ b/include/internal/ssl.h 
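Review bot: The comment added to test_quic_tls() says `Test 3: Use a CCM based ciphersuite`, but the branch it describes is `if (idx == 2)` and ADD_ALL_TESTS(test_quic_tls, 3) runs idx 0 through 2, so it should read `Test 2: Use a CCM based ciphersuite`. Stating the motivation in the same line would help the next reader, since the reason CCM matters here — the QUIC ciphersuite restriction that the following commit relaxes for the QUIC TLS API — is not visible from the test itself. test_quic_tls() continues beyond the hunk.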
@@ -20,5 +20,7 @@ int ossl_ssl_get_error(const SSL *s, int i, int check_err); /* Set if this is the QUIC handshake layer */ # define TLS1_FLAGS_QUIC 0x2000 +/* Set if this is our QUIC handshake layer */ +# define TLS1_FLAGS_QUIC_INTERNAL 0x4000 #endif diff --git a/include/openssl/ssl3.h b/include/openssl/ssl3.h index 4f076c6c9dfb9..05373a8d60d2d 100644 --- a/include/openssl/ssl3.h +++ b/include/openssl/ssl3.h @@ -308,6 +308,7 @@ extern "C" { # define TLS1_FLAGS_REQUIRED_EXTMS 0x1000 /* 0x2000 is reserved for TLS1_FLAGS_QUIC (internal) */ +/* 0x4000 is reserved for TLS1_FLAGS_QUIC_INTERNAL (internal) */ # define SSL3_MT_HELLO_REQUEST 0 # define SSL3_MT_CLIENT_HELLO 1 diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c index 5fa422473d4ae..4e9b63b046d2c 100644 --- a/ssl/quic/quic_impl.c +++ b/ssl/quic/quic_impl.c @@ -583,7 +583,7 @@ SSL *ossl_quic_new(SSL_CTX *ctx) } /* override the user_ssl of the inner connection */ - sc->s3.flags |= TLS1_FLAGS_QUIC; + sc->s3.flags |= TLS1_FLAGS_QUIC | TLS1_FLAGS_QUIC_INTERNAL; /* Restrict options derived from the SSL_CTX. */ sc->options &= OSSL_QUIC_PERMITTED_OPTIONS_CONN; @@ -4436,7 +4436,7 @@ SSL *ossl_quic_new_from_listener(SSL *ssl, uint64_t flags) QUIC_RAISE_NON_NORMAL_ERROR(NULL, ERR_R_INTERNAL_ERROR, NULL); goto err; } - sc->s3.flags |= TLS1_FLAGS_QUIC; + sc->s3.flags |= TLS1_FLAGS_QUIC | TLS1_FLAGS_QUIC_INTERNAL; qc->default_ssl_options = OSSL_QUIC_PERMITTED_OPTIONS; qc->last_error = SSL_ERROR_NONE; diff --git a/ssl/quic/quic_port.c b/ssl/quic/quic_port.c index 9ab350fb762d7..9097f56aa1c31 100644 --- a/ssl/quic/quic_port.c +++ b/ssl/quic/quic_port.c @@ -490,7 +490,7 @@ static SSL *port_new_handshake_layer(QUIC_PORT *port, QUIC_CHANNEL *ch) } /* Override the user_ssl of the inner connection. */ - tls_conn->s3.flags |= TLS1_FLAGS_QUIC; + tls_conn->s3.flags |= TLS1_FLAGS_QUIC | TLS1_FLAGS_QUIC_INTERNAL; /* Restrict options derived from the SSL_CTX. */ tls_conn->options &= OSSL_QUIC_PERMITTED_OPTIONS_CONN; 
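Review bot: The new flag's comment, `/* Set if this is our QUIC handshake layer */`, leaves "our" ambiguous next to TLS1_FLAGS_QUIC's `/* Set if this is the QUIC handshake layer */`, and that distinction is exactly what the rest of this change depends on. The quic_impl.c and quic_port.c hunks show both flags being set together for OpenSSL's own QUIC stack, so I would write `/* Set if the handshake layer is driven by OpenSSL's built-in QUIC implementation; TLS1_FLAGS_QUIC alone means a third-party QUIC stack is using the QUIC TLS API */`. The reservation comment added to the public ssl3.h could carry the same phrase so readers of that header know what the bit distinguishes.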
diff --git a/ssl/quic/quic_tls.c b/ssl/quic/quic_tls.c index dba1ec338fb75..d31c93dcf9b55 100644 --- a/ssl/quic/quic_tls.c +++ b/ssl/quic/quic_tls.c @@ -802,6 +802,8 @@ int ossl_quic_tls_tick(QUIC_TLS *qtls) if (!ossl_quic_tls_configure(qtls)) return RAISE_INTERNAL_ERROR(qtls); + sc->s3.flags |= TLS1_FLAGS_QUIC_INTERNAL; + if (qtls->args.is_server) SSL_set_accept_state(qtls->args.s); else diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 08b40420109b3..22095fbf2329e 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3498,7 +3498,7 @@ int ssl3_clear(SSL *s) * NULL/zero-out everything in the s3 struct, but remember if we are doing * QUIC. */ - flags = sc->s3.flags & TLS1_FLAGS_QUIC; + flags = sc->s3.flags & (TLS1_FLAGS_QUIC | TLS1_FLAGS_QUIC_INTERNAL); memset(&sc->s3, 0, sizeof(sc->s3)); sc->s3.flags |= flags; diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index 81b94ad1c2aa1..3a7c809881768 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -315,6 +315,7 @@ # define SSL_WRITE_ETM(s) (s->s3.flags & TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE) # define SSL_IS_QUIC_HANDSHAKE(s) (((s)->s3.flags & TLS1_FLAGS_QUIC) != 0) +# define SSL_IS_QUIC_INT_HANDSHAKE(s) (((s)->s3.flags & TLS1_FLAGS_QUIC_INTERNAL) != 0) /* no end of early data */ # define SSL_NO_EOED(s) SSL_IS_QUIC_HANDSHAKE(s) diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 8f5f9b4c4bdbd..a201a71cf361e 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -2874,7 +2874,7 @@ int ssl_cipher_disabled(const SSL_CONNECTION *s, const SSL_CIPHER *c, if (s->s3.tmp.max_ver == 0) return 1; - if (SSL_IS_QUIC_HANDSHAKE(s)) + if (SSL_IS_QUIC_INT_HANDSHAKE(s)) /* For QUIC, only allow these ciphersuites. */ switch (SSL_CIPHER_get_id(c)) { case TLS1_3_CK_AES_128_GCM_SHA256: From 952d9b83b20359e9ed0fff8f18a84add29949f6f Mon Sep 17 00:00:00 2001 
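Review bot: Switching ssl_cipher_disabled() from SSL_IS_QUIC_HANDSHAKE() to SSL_IS_QUIC_INT_HANDSHAKE() lifts the QUIC ciphersuite allow-list entirely for third-party QUIC stacks using the QUIC TLS API, and the untouched comment `/* For QUIC, only allow these ciphersuites. */` is now misleading. RFC 9001 Section 5.3 permits TLS_AES_128_CCM_SHA256 but forbids TLS_AES_128_CCM_8_SHA256 in QUIC, so unless something outside this hunk still excludes CCM_8, an external QUIC application can now negotiate a suite QUIC must not use; at minimum that responsibility should be documented. I would reword the comment to `/* Our own QUIC implementation only supports these ciphersuites; external QUIC stacks using the QUIC TLS API are responsible for their own suite selection (RFC 9001 Section 5.3) */`. The switch body listing the allowed suites lies outside the hunk.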
From: Ankit Kekre Date: Thu, 13 Mar 2025 21:29:54 +0530 Subject: [PATCH 0027/1171] apps/cms.c, apps/ocsp.c: Added NULL pointer checks Reviewed-by: Paul Dale Reviewed-by: Tim Hudson Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/27059) --- apps/cms.c | 2 +- apps/ocsp.c | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/apps/cms.c b/apps/cms.c index 5227ec2357fc8..919d306ff687f 100644 --- a/apps/cms.c +++ b/apps/cms.c @@ -1011,7 +1011,7 @@ int cms_main(int argc, char **argv) goto end; pctx = CMS_RecipientInfo_get0_pkey_ctx(ri); - if (kparam != NULL) { + if (pctx != NULL && kparam != NULL) { if (!cms_set_pkey_param(pctx, kparam->param)) goto end; } diff --git a/apps/ocsp.c b/apps/ocsp.c index bd01cf127dfbc..bac054e9fcb4f 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c @@ -1049,6 +1049,10 @@ static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req } bs = OCSP_BASICRESP_new(); + if (bs == NULL) { + *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR, bs); + goto end; + } thisupd = X509_gmtime_adj(NULL, 0); if (ndays != -1) nextupd = X509_time_adj_ex(NULL, ndays, nmin * 60, NULL); From 27b88364e41f01cc1be6ff2941dd07919f286c89 Mon Sep 17 00:00:00 2001 From: Viktor Dukhovni Date: Mon, 17 Mar 2025 14:08:52 +1100 Subject: [PATCH 0028/1171] Avoid erroneous legacy code path when provided Reviewed-by: Tim Hudson Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/27075) --- crypto/evp/ctrl_params_translate.c | 4 ++++ crypto/evp/pmeth_lib.c | 6 ++++-- test/evp_extra_test.c | 4 +++- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c index a932d38c06085..ddc2f898433c2 100644 --- a/crypto/evp/ctrl_params_translate.c +++ b/crypto/evp/ctrl_params_translate.c 
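Review bot: The widened guard `if (pctx != NULL && kparam != NULL)` in cms_main() avoids the NULL dereference, but when CMS_RecipientInfo_get0_pkey_ctx() returns NULL it now silently drops a key parameter the user presumably requested with -keyopt, so that recipient is encrypted with settings other than those asked for. I would fail rather than skip: `if (kparam != NULL) { if (pctx == NULL || !cms_set_pkey_param(pctx, kparam->param)) goto end; }`, with a message on bio_err saying key options are not supported for that recipient type. In the ocsp.c hunk, building the INTERNALERROR response with `bs` known to be NULL is fine, but writing `NULL` there instead of `bs` would make the intent obvious to a reader. Both enclosing functions extend beyond their hunks.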
@@ -2895,11 +2895,15 @@ static int evp_pkey_ctx_setget_params_to_ctrl(EVP_PKEY_CTX *pctx, int evp_pkey_ctx_set_params_to_ctrl(EVP_PKEY_CTX *ctx, const OSSL_PARAM *params) { + if (ctx->keymgmt != NULL) + return 0; return evp_pkey_ctx_setget_params_to_ctrl(ctx, SET, (OSSL_PARAM *)params); } int evp_pkey_ctx_get_params_to_ctrl(EVP_PKEY_CTX *ctx, OSSL_PARAM *params) { + if (ctx->keymgmt != NULL) + return 0; return evp_pkey_ctx_setget_params_to_ctrl(ctx, GET, params); } diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c index 846a790152c2e..665cafbc21a73 100644 --- a/crypto/evp/pmeth_lib.c +++ b/crypto/evp/pmeth_lib.c @@ -701,8 +701,9 @@ int EVP_PKEY_CTX_set_params(EVP_PKEY_CTX *ctx, const OSSL_PARAM *params) ctx->op.encap.kem->set_ctx_params(ctx->op.encap.algctx, params); break; -#ifndef FIPS_MODULE case EVP_PKEY_STATE_UNKNOWN: + break; +#ifndef FIPS_MODULE case EVP_PKEY_STATE_LEGACY: return evp_pkey_ctx_set_params_to_ctrl(ctx, params); #endif @@ -745,8 +746,9 @@ int EVP_PKEY_CTX_get_params(EVP_PKEY_CTX *ctx, OSSL_PARAM *params) evp_keymgmt_gen_get_params(ctx->keymgmt, ctx->op.keymgmt.genctx, params); break; -#ifndef FIPS_MODULE case EVP_PKEY_STATE_UNKNOWN: + break; +#ifndef FIPS_MODULE case EVP_PKEY_STATE_LEGACY: return evp_pkey_ctx_get_params_to_ctrl(ctx, params); #endif diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c index 426c25ee6c458..9e96d80a3e01f 100644 --- a/test/evp_extra_test.c +++ b/test/evp_extra_test.c @@ -1047,7 +1047,9 @@ static EVP_PKEY *make_key_fromdata(char *keytype, OSSL_PARAM *params) if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(testctx, keytype, testpropq))) goto err; - if (!TEST_int_gt(EVP_PKEY_fromdata_init(pctx), 0) + /* Check that premature EVP_PKEY_CTX_set_params() fails gracefully */ + if (!TEST_int_eq(EVP_PKEY_CTX_set_params(pctx, params), 0) + || !TEST_int_gt(EVP_PKEY_fromdata_init(pctx), 0) || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &tmp_pkey, EVP_PKEY_KEYPAIR, params), 0)) goto err; 
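Review bot: Both new early returns in evp_pkey_ctx_set_params_to_ctrl() and evp_pkey_ctx_get_params_to_ctrl() return 0 without raising anything, and the new `case EVP_PKEY_STATE_UNKNOWN: break;` in EVP_PKEY_CTX_set_params()/get_params() likewise leaves the switch with nothing on the error queue (the tails of those functions are outside the hunk), so a caller hitting the condition the new test pins — set_params before any *_init — gets a bare failure with an empty error stack. I would add `ERR_raise(ERR_LIB_EVP, ERR_R_UNSUPPORTED);` (or a more specific EVP reason code if one fits) before each `return 0;` in ctrl_params_translate.c, and the same in the UNKNOWN case, so the failure is diagnosable. A one-line comment on the keymgmt check would also help: `/* A provider-backed ctx must never be routed through the legacy ctrl translation */`.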
From c1d27789e99543d366a8e0498cbab2d9543ef2cb Mon Sep 17 00:00:00 2001 From: Daniel Van Geest Date: Tue, 18 Mar 2025 12:56:53 +0000 Subject: [PATCH 0029/1171] Fix use of SHAKE as a digest in CMS draft-ietf-lamps-cms-sphincs-plus-19 specifies SHAKE as the message digest algorithm for SLH-DSA-SHAKE-* in CMS. SHAKE doesn't have a default digest length, so this adds a SHAKE-specific kludge in CMS. Reviewed-by: Paul Dale Reviewed-by: Tim Hudson Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/27087) --- crypto/cms/cms_lib.c | 20 +++++ test/recipes/80-test_cms.t | 64 ++++++++++++++- test/smime-certs/mksmime-certs.sh | 15 +++- test/smime-certs/sm_mldsa44.pem | 99 +++++++++++++++++++++++ test/smime-certs/sm_slhdsa_sha2_128s.pem | 19 +++++ test/smime-certs/sm_slhdsa_shake_128s.pem | 19 +++++ test/smime-certs/sm_slhdsa_shake_256s.pem | 22 +++++ 7 files changed, 256 insertions(+), 2 deletions(-) mode change 100644 => 100755 test/smime-certs/mksmime-certs.sh create mode 100644 test/smime-certs/sm_mldsa44.pem create mode 100644 test/smime-certs/sm_slhdsa_sha2_128s.pem create mode 100644 test/smime-certs/sm_slhdsa_shake_128s.pem create mode 100644 test/smime-certs/sm_slhdsa_shake_256s.pem diff --git a/crypto/cms/cms_lib.c b/crypto/cms/cms_lib.c index e8aeb806b2e9f..2bf043103078d 100644 --- a/crypto/cms/cms_lib.c +++ b/crypto/cms/cms_lib.c @@ -14,6 +14,7 @@ #include #include #include +#include #include "internal/sizes.h" #include "internal/cryptlib.h" #include "crypto/x509.h" @@ -407,6 +408,7 @@ BIO *ossl_cms_DigestAlgorithm_init_bio(X509_ALGOR *digestAlgorithm, const EVP_MD *digest = NULL; EVP_MD *fetched_digest = NULL; char alg[OSSL_MAX_NAME_SIZE]; + size_t xof_len = 0; X509_ALGOR_get0(&digestoid, NULL, NULL, digestAlgorithm); OBJ_obj2txt(alg, sizeof(alg), digestoid, 0); 
@@ -431,6 +433,24 @@ BIO *ossl_cms_DigestAlgorithm_init_bio(X509_ALGOR *digestAlgorithm, ERR_raise(ERR_LIB_CMS, CMS_R_MD_BIO_INIT_ERROR); goto err; } + if (EVP_MD_xof(digest)) { + if (EVP_MD_is_a(digest, SN_shake128)) + xof_len = 32; + else if (EVP_MD_is_a(digest, SN_shake256)) + xof_len = 64; + if (xof_len > 0) { + EVP_MD_CTX *mdctx; + OSSL_PARAM params[2]; + + if (BIO_get_md_ctx(mdbio, &mdctx) <= 0 || mdctx == NULL) + goto err; + params[0] = OSSL_PARAM_construct_size_t(OSSL_DIGEST_PARAM_XOFLEN, + &xof_len); + params[1] = OSSL_PARAM_construct_end(); + if (!EVP_MD_CTX_set_params(mdctx, params)) + goto err; + } + } EVP_MD_free(fetched_digest); return mdbio; err: diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t index 361dd34512393..21d787fbad167 100644 --- a/test/recipes/80-test_cms.t +++ b/test/recipes/80-test_cms.t @@ -52,7 +52,7 @@ my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib) $no_rc2 = 1 if disabled("legacy"); -plan tests => 28; +plan tests => 30; ok(run(test(["pkcs7_test"])), "test pkcs7"); 
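Review bot: The fixed lengths `xof_len = 32` for SHAKE128 and `64` for SHAKE256 are the right choice from a security standpoint — the output length must not be taken from the digestAlgorithm of a CMS being verified, which an attacker controls — but the hunk presents them as bare magic numbers. I would comment their source: `/* RFC 8702: id-shake128 is used with 256-bit output and id-shake256 with 512-bit output; draft-ietf-lamps-cms-sphincs-plus uses the same lengths for SLH-DSA-SHAKE */`. A XOF that is neither SHAKE128 nor SHAKE256 currently leaves xof_len at 0 and the MD BIO unconfigured; rejecting it explicitly with `goto err` and an appropriate CMS reason code would be clearer than letting it fail, or produce an unexpected length, later. The err: label and the cleanup it performs lie outside the hunk.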
@@ -1398,3 +1398,65 @@ subtest "EdDSA tests for CMS \n" => sub { "accept CMS verify with Ed25519"); } }; + +subtest "ML-DSA tests for CMS \n" => sub { + plan tests => 2; + + SKIP: { + skip "ML-DSA is not supported in this build", 2 + if disabled("ml-dsa"); + + my $sig1 = "sig1.cms"; + + # draft-ietf-lamps-cms-ml-dsa: use SHA512 with ML-DSA + ok(run(app(["openssl", "cms", @prov, "-sign", "-md", "sha512", "-in", $smcont, + "-certfile", $smroot, "-signer", catfile($smdir, "sm_mldsa44.pem"), + "-out", $sig1])), + "accept CMS signature with ML-DSA-44"); + + ok(run(app(["openssl", "cms", @prov, "-verify", "-in", $sig1, + "-CAfile", $smroot, "-content", $smcont])), + "accept CMS verify with ML-DSA-44"); + } +}; + +subtest "SLH-DSA tests for CMS \n" => sub { + plan tests => 6; + + SKIP: { + skip "SLH-DSA is not supported in this build", 6 + if disabled("slh-dsa"); + + my $sig1 = "sig1.cms"; + + # draft-ietf-lamps-cms-sphincs-plus: use SHA512 with SLH-DSA-SHA2 + ok(run(app(["openssl", "cms", @prov, "-sign", "-md", "sha512", "-in", $smcont, + "-certfile", $smroot, "-signer", catfile($smdir, "sm_slhdsa_sha2_128s.pem"), + "-out", $sig1])), + "accept CMS signature with SLH-DSA-SHA2-128s"); + + ok(run(app(["openssl", "cms", @prov, "-verify", "-in", $sig1, + "-CAfile", $smroot, "-content", $smcont])), + "accept CMS verify with SLH-DSA-SHA2-128s"); + + # draft-ietf-lamps-cms-sphincs-plus: use SHAKE128 with SLH-DSA-SHAKE-128* + ok(run(app(["openssl", "cms", @prov, "-sign", "-md", "shake128", "-in", $smcont, + "-certfile", $smroot, "-signer", catfile($smdir, "sm_slhdsa_shake_128s.pem"), + "-out", $sig1])), + "accept CMS signature with SLH-DSA-SHAKE-128s"); + + ok(run(app(["openssl", "cms", @prov, "-verify", "-in", $sig1, + "-CAfile", $smroot, "-content", $smcont])), + "accept CMS verify with SLH-DSA-SHAKE-128s"); + + # draft-ietf-lamps-cms-sphincs-plus: use SHAKE256 with SLH-DSA-SHAKE-256* + ok(run(app(["openssl", "cms", @prov, "-sign", "-md", "shake256", "-in", $smcont, + 
"-certfile", $smroot, "-signer", catfile($smdir, "sm_slhdsa_shake_256s.pem"), + "-out", $sig1])), + "accept CMS signature with SLH-DSA-SHAKE-256s"); + + ok(run(app(["openssl", "cms", @prov, "-verify", "-in", $sig1, + "-CAfile", $smroot, "-content", $smcont])), + "accept CMS verify with SLH-DSA-SHAKE-256s"); + } +}; diff --git a/test/smime-certs/mksmime-certs.sh b/test/smime-certs/mksmime-certs.sh old mode 100644 new mode 100755 index 0edf1d789e3f4..d989683faae09 --- a/test/smime-certs/mksmime-certs.sh +++ b/test/smime-certs/mksmime-certs.sh @@ -1,5 +1,5 @@ #!/bin/sh -# Copyright 2013-2023 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2013-2025 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -67,3 +67,16 @@ gen smdh.pem "/CN=Test SMIME EE DH" dh_cert >>smdh.pem # EE RSA code signing end entity certificate with respective extensions cp ../certs/ee-key.pem csrsa1.pem gen csrsa1.pem "/CN=Test CodeSign EE RSA" codesign_cert >>csrsa1.pem + +# Create PQ certificates with respective extensions +$OPENSSL genpkey -algorithm ML-DSA-44 -out sm_mldsa44.pem +gen sm_mldsa44.pem "/CN=Test SMIME EE ML-DSA-44" signer_cert >>sm_mldsa44.pem +$OPENSSL genpkey -algorithm SLH-DSA-SHA2-128s -out sm_slhdsa_sha2_128s.pem +gen sm_slhdsa_sha2_128s.pem "/CN=Test SMIME EE SLH-DSA-SHA2-128s" \ + signer_cert >>sm_slhdsa_sha2_128s.pem +$OPENSSL genpkey -algorithm SLH-DSA-SHAKE-128s -out sm_slhdsa_shake_128s.pem +gen sm_slhdsa_shake_128s.pem "/CN=Test SMIME EE SLH-DSA-SHAKE-128s" \ + signer_cert >>sm_slhdsa_shake_128s.pem +$OPENSSL genpkey -algorithm SLH-DSA-SHAKE-256s -out sm_slhdsa_shake_256s.pem +gen sm_slhdsa_shake_256s.pem "/CN=Test SMIME EE SLH-DSA-SHAKE-256s" \ + signer_cert >>sm_slhdsa_shake_256s.pem 
diff --git a/test/smime-certs/sm_mldsa44.pem b/test/smime-certs/sm_mldsa44.pem new file mode 100644 index 0000000000000..e4b6ebe1a1e91 --- /dev/null +++ b/test/smime-certs/sm_mldsa44.pem 
@@ -0,0 +1,99 @@ +-----BEGIN PRIVATE KEY----- +MIIKPgIBADALBglghkgBZQMEAxEEggoqMIIKJgQgmsSm9eI30++j5lPGc4VSUHl8 +RHdUYZ2HyINZ2noG/FsEggoAdnnaWN8r8QxVgVFSizuW+sZ0zqlCUOM5HFD0RYnm +ueIk3OZUr/c53pCu4pz8eiyfhhlwToeroamymUVGZF984cjWlyIbK7sm0WwPstIw +4cTMACIvOBspVFrxHib0IoyIb8RdM0a8EVdE7+5gUuwm3fwZ/TjTpi1PW+k2L6zP +z5AhF0gTJIUjwmUEBQVCABECh2WKtonKQm0ZRS1byIHhMCFQCIlYEgoQo00SAxIA +AokMBGLUNGYAAmAKiYXMNCIYhGmQMpEIsGQJAUxUMIyMQJIKKSHYwDHUpogUICIY +NiDkqC0Uo1EbMyjjCC3gRIgZFSBgyAkasWEZBnIDOZAjwzBDGCxhGGnbQElLQoHE +BCUkRUAJISwUhlESRXKLxgHMRhBKFEwBsGDKEgqQEg3JCI1ICCUjyU0UtpCSBAmb +hmDbBoGRpm2BlAkQx0jDMoGAQiVKRkQIKSHJkAWKIiYCqUSSsCiTOCJQQI1BJi1C +MJIZQIBLsCyUpgiYECAkRJDbCCwYQCQDR2nbhGgZCC6MAiRjpGWBNgnCQmzbEAjb +mICYOIjUIpDIliwZOW6Eom0LuYkkSBLksm1iEiRiIlECtiWAAnCiMCkSMZESkQ2B +AALjxJFgRGRbFAlMNGwLpknLMDFLImjiFmQIgGCDAo2kJErhRFALuSiiAg5QKAFT +OE6iFgwQSFBCCFKLSALRwGRkAIrjAggjgIWKhkgkhmXkxIULgpHZBFAAFUwbCW0A +RAHIlCkJljGaQoBKIpLRoDEbFIVbMAWKloEIE3GjGGYiBCxMMEESMCUDRWlAomgS +NXIkNjBaqECbsihAEinAlokZyQDJBoAQpFEMAS2DAFIZtgiQtBAIoGkaRHGUmCDR +kkkRhRHEwiTYtkkgOGFIgmGcgo0TskkQRCQTEUxiMGlQSG1SIoqiCG6kpCXcpAgK +xEgBxRBgRihZRHGgAkQBqEEkgi0CNymQKGBQiCmJMIwQkZEZRA4IMC4YRXAKGU1c +pgFYFCXLRoBBSAESM0IBQWnAxgGbwoghRUUSESpBogRjFI4Ig1FaEI7jwAHbxAjj +IGLAhmzSBGIIQ0pTpE2gMo5bqAxMtCQLxhGCMAjcsIkRRkFTRhEkpwiDGGBDlgAU +BS0iNTIRhSkiQ0kIuIxRwGiAQmwRtHAZt1FQkAxLlE2RIkEZtiEJImpcAmwCQijE +sgFeAKKEuHpy3oMPABBvFJQoBB5V1/+oelrPmUyEuaDw3/Yrlh1OM28QYLO0tbBD ++Xp9mDfAOF9jT/RT9x5QZUOaVfCctxPAkzfXwX9SZ9ClyOZwOGzB64bfxXw6EEvB +37tO8wBlEtddXkpsQ/cx9C1nuMxGmlscSiA6L0pRkNme7JneAjDKY5IDVPrMUkoY +wjNtI0CQ5FrE9E0PnbL7Sj+671QIZM77HA1FUOxbmqcKOtSeZY9QrEezt8plwX+8 +uY8QTr0mUcvVODvO5498J/qBTnlQrjLBx2SxyeYIYEClfdO8nWax4VgQT7ZMK/vR +if0ijT+Q0qx+UYyEdALMp8US8d64njeggh3L6m8TX6+y1I9ezAi14Q8ofH4lSoWL +o0YDlsi41LWxyHJDr88Nyd7ordFFp4x+yChxHJYoxxJOezP89uLev526aP40oUsL +i3wXbFd+7g0p8rXl4PYBAcifxj/WBVUk9oa1MLdkKO54PTFZWFLWqnVVMgFS25w7 +Ldf+41pQUVP8RzfpyDvoHIsNNhrgZ8fZtssVtj0OBAsSQ1u5TJZjJDwXSh6LLUsW 
+QpFeWS5Jw/gaZG9K3IuMjSDGvqTYL+CewC7AYH+B7S6Gc7bgtbu71osE/U2hHSfo +nDGFdAk9se5RCfTiv7L6XquAqNvraZPOhlgX0dYmX8GpTgNNs+ryu/q8BdxnkiQO +uUBjOxC4rKKNip2pOdVVpThIlGW03nE1oPiwW06HMmkfinto8dDN14a2hp1Zg+4B +vNunwUU/sJ3OeHIxiOkCvEbORb+TUwwJGyHMmT7b+eEgYMoX0awAUP+QGBtNtHFi +0cDftErapblEwsZEjBNurYF/XGijFUp03q/L/KN2obHTjg/rwLiQa98J74CSLJAh +qUwWoqqhh6NGYb68ysT35xfZcf+OzhK0U26GGDIoqCqyOVU90YD2qQrGG4DGGH+i +Dxjn2x5MjArscY62chnMcsgIesdlZfoHNOeGA0j7hD1u+OkBksOH5h6IJ+vl69Xv +8Gg6Hw3R03TsifCaOg3TfoZ6vsczgKLeHxqJVcKWAsQmaBqFNsFYeZGjTGOGe85I +yR46NvKXITVgeiyKDF743XctQniZrg8zKTygkERZELsB9lZd3l+qmdjY9Sk+1G7r +mwpVfONDIpZmJUvLhrz8la4wwcaTKov5ib1KESQLbti4vTtM00LV4fgNGdlpoGsd +9KTEOUi66j1ES82N16fClA53ULSlathgi66YgGu/1MHDc39zG5W1fUMcDPW3ufgv +0u35/FvF4POrcAcx37n8bzLmqk2/+j4d39DUuViti9QFctK2jsbtQqthjRhRcaat +l86Pn2f+fZHWhr7tQGx8bMcQnqVmVfMm6osQoaKNqdrrIQ9ACDVQlpSVIpR5bCeG +CzcQu09NFS+GsESmZyMm5B2/WDPno6U5cGF6vP9v1oyrJt+/O+5Bwo3U6i+RRnkJ +73AhkocMF4cIPBVtslMPwDK1dP3tlbp+e0dvq/vKdELIuoFY4Tyw1OAawXuwF85J +MJUctKM44X8LMeADxPJvJN5XLYKCRCunoA3+MSUIHQT5oy2czouIwWKIv+F7FI/D +8SBa9klkCT6mZrAKL1YCRg2WxjLzlgB5Tw4TEEi3FUlD6s5sCPT4OxkzaVqaWvpU +9D2Vd4HfY6p0yjJiuLUjR4cjrRCJBP3A1XTYWvRgSu7uUqjK6z5HgkwWBJlZisJ7 +U1W6YCmWHhwC0Y9mjGahXPJx4FhA5btLX9EYCB9whTyBXicM6MrSa2aM5jCo9JIf +ExDoCqBpDmZ+5kjFyDeTtYyUtwWCU+9tIKvtmFGYnzdERTf8w/vWszU6QugYn1FW +WB4fGc/xKOz58xIm/I2B7NnQxmA5HvAEHDvF9n2mrHMRUYkoSsMjUhSAg1scMAFP +vmvaQQ+AWOylhYQaQgx41y2oTw+9Iievm0hg2lB9qDORem/nwx1a8+4gP1wfjqSW +xwiUz0Cy/0TtTfZrZGqxQtn02OIKInBpabGH0RSTtBPruNk/XotdSVm5uSN9mBQE +2xiPnjF48auRYIUH8giNNN7MjZ4z5T40+mJHctegwllavzWKlEjTI5sC8g/pSkJV +CD8i49DLVGf5sbfEAJB2xDW2f+6l65SpJYV7dY0dhK7R2KT2NrqABk/7w/6wb7VY +bPVseTnHfXpVTRGdUSFLb5hyaNTiWFlMTX0OmfqQ6R9iOA== +-----END PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIIHYzCCBkugAwIBAgIUTrKnsAj5Isy6498h/MK7WAAxIQEwDQYJKoZIhvcNAQEL +BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV +BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTI1MDMxODA4MzIxOFoYDzIxMjUw 
+MzE4MDgzMjE4WjAiMSAwHgYDVQQDDBdUZXN0IFNNSU1FIEVFIE1MLURTQS00NDCC +BTIwCwYJYIZIAWUDBAMRA4IFIQB2edpY3yvxDFWBUVKLO5b6xnTOqUJQ4zkcUPRF +iea54lR2/8XNOhJQ4oWszhrbSHpB1+DZ76n1tez5wc6N5X6s3BEOsp+IPj8W8D7F +ppWAqoCvbHHflfEVh8mvy4MtPUVGf6XoIl9QgV/afzTZGec+G7GytiEHNBhld2Yq +POfKPP/IK9mPbnFcPUpPscbHX84TFq8IM6VLgoFnakbQuID/G71nPTFo9f4k3EcT +kVGIQnWK4lgQW+1WDh8yamFnvg+Du111jA1/c5So3EH++DJDspq03/ALgbMOROuN +zSYPt6w6EVnqyx8sTWL52lQGx23Q0T8H0WtITz0KbGjgrOsfkrR1qL7DXP8aC83i +LKMZMitt1OpsKngyBRdQ3fuBOU/bYkmyaWnMR2MuC40XNnKzd41IpO2mjAOyVhe+ +WlhDgABOzsxOjC/WI0oHYTOewTSsjqQhNYU513poeyC5g00QrJYt5HqCwvlPRCb8 +wCsc4ahj+NIdVCOR9KrPh0aXVqQn/Yz7njL76tzQezX7gaoSr3vhr6eQ8In/75bD +UFRVSJW/6A0sVnQXc4dKyHQQMl9vVTWvoeM8njgMrwHsUT0fjKdJQQGetKGKl1YL +L9kTnHMem8Zo1gwhs51iecIzj9hwN54ZoawidJy0CNt81Pzin0OaqH8MuI8/RaYy +3LYMgswpsAXpwYHRY9R4BzrvVXLlNusuba4fHK6x5shr2pDFKe6CJOl5OgsIp9nY +7+YkIuqOXEMtPrLFNkpgReN0Wj8i5+kNm6V4rviF5Bo67d3dNeIK68O+ZJQditdr +wixBwhshLTZNp6UzYUJ7ZrfIZoj4wOyDEzWLO9Je1J3bcJzRUVt2hH/DN/Buslrj +2md4X/MYJjAGQyzBYVVxf9HIH409JPOlb/J4uhL7oeTymdD14wtf2khZRq28kheO +I3169hxfQo2sq05Me93J/nAglPXstMIPLKIW//544tkluzjn0CoCaHH6nS749TmM +4QcEQ3ttPy7PmhjAJii+tJ08OoMdVwZ2UWH8R5FwEN4sF0Yb4CeM18AjWS45QNBR +GDDOoCCN9BnnblyKd697L99KvhrQTy0v9XNXH6BFzuuAyPQ5khlgnlsSJyMhnTMo +Zeh8WCu+zC7+z4vEAYJlMRVmKMIPH/GqPkNDhxTMc+FSsKSjEOfkZQh1JZ38oOdO +RM4FJ4htsMHpn2g8OQuGSgUQo5dyqLpB8k/6sY//pGua3Y/PGjeBdYpydTUzAprU +YMuFxVe+ymDSpQrB9OALRe9UwPbiUtaVJHlRchX7H1YB+RX6zywHH2sTD5NQfcwm +3/To0Fe1Xw3dVczekXqN246GetDMwy4RYp1RsPIBRICaAwGEuDs1gX9aM5tLLaw1 +3RpF76+JruAICXZ2v8Q7wHZkM+MPZ6E4/l4zjXk5PJM/R3SfuOdQiEICbmmp8GL8 +c3Scu8Pi4TSvq0ajrpnKo//aNPaVJI3DQWDQf6+h29QyHqrbpjZ2nkrMmT34aVUl +R0XI95qdjAB4U7neWx3AZVQd+MhP76aXvB/DvefVfnGOn2hQQd77VC9EB7FwTk5l +m+DGBzzI1C5nKTfeTIeTdG69VB5BmU/AitRzu90X3ef2IrMuL+kIzWsPFixaqRX5 +7WFHx76mwanDgxgHgbNh5/AuVHT4nJ2bBe+U2fR2Q+ggVWwjs+gGUZLLby8FLOl/ +WRrb2shpJIs8yl6ReeaMj9j3NlpHQ8ETfslf3g0f1kPLJBrWo10wWzAJBgNVHRME +AjAAMA4GA1UdDwEB/wQEAwIHgDAdBgNVHQ4EFgQUlJUkGXaMnS/r8k6VzIDQ3EcK 
+TBQwHwYDVR0jBBgwFoAUFcETIWviVV+nah1XINbP86lzZFkwDQYJKoZIhvcNAQEL +BQADggEBAEgW7XK6cZJcSdRTIuRTbZ9ssJZj6WwLYJmygldKQg6hnYWpPYLNCxqb +AOO2xicCa9hv3HkgvyYK1tqbwFtuef/KSk+wOlDfgqtFVryVyK0js3x5r3mpCbmk +5ihpTIuSVTgMCFlx4AXgLZGacei7hvCCP05bnhUvQmdu96bKnwlxvjLHgn3X5Cfw ++7b0q60oZTkOn4PStVnuOVTgLzs6Ta/KHh5M9OVVyEsRz2m3lmG2idXX/pTWXkE3 +VNSJCepP45RBFuxPSeEHW4EM/JPDqhBY5H19NHxcM42uXDykpR1ChSIhKruzjijA +wme8H314QJnFKfUcGNNrNN/dElirhmU= +-----END CERTIFICATE----- diff --git a/test/smime-certs/sm_slhdsa_sha2_128s.pem b/test/smime-certs/sm_slhdsa_sha2_128s.pem new file mode 100644 index 0000000000000..45ba8545f8e6d --- /dev/null +++ b/test/smime-certs/sm_slhdsa_sha2_128s.pem @@ -0,0 +1,19 @@ +-----BEGIN PRIVATE KEY----- +MFICAQAwCwYJYIZIAWUDBAMUBECT5RmZe6OO8vsKNkthvx+UPRB8d7wbvTJB1UgM +zLwGZWYszdtLdA++kdkjuW5vJNeZVVKuVhhsqT7/bm5Rdz2I +-----END PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIICZzCCAU+gAwIBAgIUDjFC0337VoVD3qOifcn8/v6cYSowDQYJKoZIhvcNAQEL +BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV +BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTI1MDMxODA4MzIxOFoYDzIxMjUw +MzE4MDgzMjE4WjAqMSgwJgYDVQQDDB9UZXN0IFNNSU1FIEVFIFNMSC1EU0EtU0hB +Mi0xMjhzMDAwCwYJYIZIAWUDBAMUAyEAZizN20t0D76R2SO5bm8k15lVUq5WGGyp +Pv9ublF3PYijXTBbMAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQDAgeAMB0GA1UdDgQW +BBThF4u5GJ2SIU/Uq8ZC97+3tZMX6DAfBgNVHSMEGDAWgBQVwRMha+JVX6dqHVcg +1s/zqXNkWTANBgkqhkiG9w0BAQsFAAOCAQEAajeFlF3LMr6Z3i0YF+guYeY7+o6O +Q7VVBKyaFWfb+m8IMo0iM7fvYeP1B+VXRO0bPrvCE8jsgv+kkZn5PUTkZApaLbkj +eu0Pj1ik4/A7/en3aGGjzHRGrcjScE18SPrB8KtoDWuq7nb0PQX1LPDEJLAkJt8F +qD4uGGHXkFHse2IE+wlCXC8xOoaMmVmdbCz+lz1TNIpmFYAgv9gsMOlEDN/lcFL4 +DGebKespZapcDBVROVWZceOSY/3o8CdnFjrsm9F/q6SUoq08Lf595+THace+N1nB +rYn6Enlx7OLoONpjsas50h28tTKKnuFHFd+emD7ga3GEwjDwMnOQ2bOFrQ== +-----END CERTIFICATE----- diff --git a/test/smime-certs/sm_slhdsa_shake_128s.pem b/test/smime-certs/sm_slhdsa_shake_128s.pem new file mode 100644 index 0000000000000..84af464d5f11e --- /dev/null +++ b/test/smime-certs/sm_slhdsa_shake_128s.pem 
@@ -0,0 +1,19 @@ +-----BEGIN PRIVATE KEY----- +MFICAQAwCwYJYIZIAWUDBAMaBEBtEDfB3z2GkApieWwYEcUwym4LqAn+f3ekIXpy +3Ih301cGLuxKkbFlC18GqkEFy2hrtjlDrRImYToCJ1S4HlzY +-----END PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIICaDCCAVCgAwIBAgIUP4qMOjsrV/JbvCEgSaqBovSvz1cwDQYJKoZIhvcNAQEL +BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV +BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTI1MDMxODA4MzIxOFoYDzIxMjUw +MzE4MDgzMjE4WjArMSkwJwYDVQQDDCBUZXN0IFNNSU1FIEVFIFNMSC1EU0EtU0hB +S0UtMTI4czAwMAsGCWCGSAFlAwQDGgMhAFcGLuxKkbFlC18GqkEFy2hrtjlDrRIm +YToCJ1S4HlzYo10wWzAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIHgDAdBgNVHQ4E +FgQUO+o1zTM0Z+/LQz6qk3AWGA1jlTQwHwYDVR0jBBgwFoAUFcETIWviVV+nah1X +INbP86lzZFkwDQYJKoZIhvcNAQELBQADggEBAEumBy00rMY5HqpqoTRjVj3TNhXH +i42pLoOXkAlNDpyHAkn5nM4iPeefHOha521RYiIIPv8XZIiAixHtZJjXtZnMgD6G +XsdCtci82Lgry/6pzg3hPb/LuaC7ochG4RSNv6QdIFgB+YcD6qaQnvtWuK3zsMQQ +1Fr2qGRljbgDdreaViIJxEXYakXnHvLHYn9UOT8punXsM6jksugvt8wysUucHMA5 +KhB1o1yYgXFbE3IcAmsX8cQpIDHwSPDdnYmxBptTKld3SOKt0O0TjLzjgix/3IQm +8l1MHH0UEuLdhXCOiSbQiXqYfWJig+2AmM5VLeWAysX6BixVKxG25jSsAZE= +-----END CERTIFICATE----- diff --git a/test/smime-certs/sm_slhdsa_shake_256s.pem b/test/smime-certs/sm_slhdsa_shake_256s.pem new file mode 100644 index 0000000000000..5d177be9c4155 --- /dev/null +++ b/test/smime-certs/sm_slhdsa_shake_256s.pem 
@@ -0,0 +1,22 @@ +-----BEGIN PRIVATE KEY----- +MIGTAgEAMAsGCWCGSAFlAwQDHgSBgG4ItImtx5rfHYI99Xo2Wl4PSpqyeMaZrjtW +QYKovvW2pKvcIc4Re7OnKKHMjIvow/1TaRQUHRUQQFQC/DygeacNpVdWjGZ1/jnc +D0XfWgfvX0KwATwmXO9NM7Rq7B5OZ1uyykT3e8mPhn5afbRkNvfhKgID07Ukiz1c +/6XQf7nU +-----END PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIICiDCCAXCgAwIBAgIUStYfQbEa4PtzChfKNmTE65EId3YwDQYJKoZIhvcNAQEL +BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV +BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTI1MDMxODEyNDExMFoYDzIxMjUw +MzE4MTI0MTEwWjArMSkwJwYDVQQDDCBUZXN0IFNNSU1FIEVFIFNMSC1EU0EtU0hB +S0UtMjU2czBQMAsGCWCGSAFlAwQDHgNBAA2lV1aMZnX+OdwPRd9aB+9fQrABPCZc +700ztGrsHk5nW7LKRPd7yY+Gflp9tGQ29+EqAgPTtSSLPVz/pdB/udSjXTBbMAkG +A1UdEwQCMAAwDgYDVR0PAQH/BAQDAgeAMB0GA1UdDgQWBBTSJYn48biBTinA1pDo +k2odLpFi0zAfBgNVHSMEGDAWgBQVwRMha+JVX6dqHVcg1s/zqXNkWTANBgkqhkiG +9w0BAQsFAAOCAQEARP3DGNCSUHkAsQCgWgIF50k3qe8t2cjFnpMBdpoSTFo0VSIo +58cCN0yusCzHvrtVSXXf/B9t4kLunmXKH5+4nAbnc7Yi2PxiN30qPfr1XYqfKcUd +k04xB7pJF1YjNqVOlrPSA4O5Mi7aXgmkv7pyHFbY8056u1Ea3xcm2Ib5cpCBQd90 +47ARf8XH/94zhBebFALffrWRn1NgsOgwSq3GAZSvEkWpZHyr4XWpCvHXZ0ImfghU +BqM077E+r/uLk3kT+L1FoUwLXtQkNrtWJtrSBdp5AexOZqqjqjRR+oG9tAG1KUnl ++4+ts3nVjUeEsRdGMv+gl3/926nsxozJtUO5OA== +-----END CERTIFICATE----- From 95051052b319d346a8aa3d34d6105d683bb77294 Mon Sep 17 00:00:00 2001 
From: Matt Caswell Date: Wed, 19 Mar 2025 15:18:06 +0000 Subject: [PATCH 0030/1171] Move the Handshake read secret change earlier in the process for QUIC 0-RTT On the server side we were changing the handshake rx secret a little late. This meant the application was forced to call SSL_do_handshake() again even if there was nothing to read in order to get the secret. We move it a little earlier int the process to avoid this. Fixes the issue described in: https://github.com/ngtcp2/ngtcp2/pull/1582#issuecomment-2735950083 Reviewed-by: Tim Hudson Reviewed-by: Neil Horman Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/27101) --- include/internal/statem.h | 2 ++ ssl/ssl_lib.c | 6 ------ ssl/statem/statem.c | 16 +++++++--------- ssl/statem/statem_clnt.c | 3 ++- ssl/statem/statem_srvr.c | 15 +++++++++++++++ test/sslapitest.c | 6 +++--- 6 files changed, 29 insertions(+), 19 deletions(-) diff --git a/include/internal/statem.h b/include/internal/statem.h index 62dc4eec0ba7c..261d7967cc9a6 100644 --- a/include/internal/statem.h +++ b/include/internal/statem.h @@ -26,6 +26,8 @@ typedef enum { WORK_FINISHED_STOP, /* We're done working move onto the next thing */ WORK_FINISHED_CONTINUE, + /* We're done writing, start reading (or vice versa) */ + WORK_FINISHED_SWAP, /* We're working on phase A */ WORK_MORE_A, /* We're working on phase B */ diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 912c6b121e733..4c7b62e14232d 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -4968,12 +4968,6 @@ int SSL_do_handshake(SSL *s) } } - if (ret == 1 && SSL_IS_QUIC_HANDSHAKE(sc) && !SSL_is_init_finished(s)) { - sc->rwstate = SSL_READING; - BIO_clear_retry_flags(SSL_get_rbio(s)); - BIO_set_retry_read(SSL_get_rbio(s)); - ret = 0; - } return ret; } diff --git a/ssl/statem/statem.c b/ssl/statem/statem.c index e76fde810b6b4..05b491c3956af 100644 --- a/ssl/statem/statem.c +++ b/ssl/statem/statem.c 
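Review bot: The comment on the new `WORK_FINISHED_SWAP` value, `/* We're done writing, start reading (or vice versa) */`, promises symmetric semantics, but the statem.c hunks that follow give it a distinct meaning only in write_state_machine() (return SUB_STATE_FINISHED); in read_state_machine() it is folded into the WORK_FINISHED_STOP case and shares that path, including the DTLS timer stop and whatever follows outside the hunk. I would make the comment match what is implemented: `/* We're done writing; hand control back to the caller and switch to reading. Only meaningful from the write state machine: read_state_machine() treats it like WORK_FINISHED_STOP. */`. The removal of the forced SSL_READING/WANT_READ return for QUIC in SSL_do_handshake() appears to rely on this new value driving the early return instead, which is worth a sentence in the enum comment too.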
@@ -244,15 +244,6 @@ int ossl_statem_skip_early_data(SSL_CONNECTION *s) */ int ossl_statem_check_finish_init(SSL_CONNECTION *s, int sending) { - int i = SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_READ; - - if (s->server && SSL_NO_EOED(s) && s->ext.early_data == SSL_EARLY_DATA_ACCEPTED - && s->early_data_state != SSL_EARLY_DATA_FINISHED_READING - && s->statem.hand_state == TLS_ST_EARLY_DATA) { - s->early_data_state = SSL_EARLY_DATA_FINISHED_READING; - if (!SSL_CONNECTION_GET_SSL(s)->method->ssl3_enc->change_cipher_state(s, i)) - return 0; - } if (sending == -1) { if (s->statem.hand_state == TLS_ST_PENDING_EARLY_DATA_END || s->statem.hand_state == TLS_ST_EARLY_DATA) { @@ -737,6 +728,7 @@ static SUB_STATE_RETURN read_state_machine(SSL_CONNECTION *s) st->read_state = READ_STATE_HEADER; break; + case WORK_FINISHED_SWAP: case WORK_FINISHED_STOP: if (SSL_CONNECTION_IS_DTLS(s)) { dtls1_stop_timer(s); @@ -882,6 +874,9 @@ static SUB_STATE_RETURN write_state_machine(SSL_CONNECTION *s) st->write_state = WRITE_STATE_SEND; break; + case WORK_FINISHED_SWAP: + return SUB_STATE_FINISHED; + case WORK_FINISHED_STOP: return SUB_STATE_END_HANDSHAKE; } @@ -955,6 +950,9 @@ static SUB_STATE_RETURN write_state_machine(SSL_CONNECTION *s) st->write_state = WRITE_STATE_TRANSITION; break; + case WORK_FINISHED_SWAP: + return SUB_STATE_FINISHED; + case WORK_FINISHED_STOP: return SUB_STATE_END_HANDSHAKE; } diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 9989d6bb93421..3990a2b0c2194 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -573,7 +573,8 @@ WRITE_TRAN ossl_statem_client_write_transition(SSL_CONNECTION *s) return WRITE_TRAN_CONTINUE; case TLS_ST_CW_CLNT_HELLO: - if (s->early_data_state == SSL_EARLY_DATA_CONNECTING) { + if (s->early_data_state == SSL_EARLY_DATA_CONNECTING + && !SSL_IS_QUIC_HANDSHAKE(s)) { /* * We are assuming this is a TLSv1.3 connection, although we haven't * actually selected a version yet. 
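Review bot: The client-side change in ossl_statem_client_write_transition() — skipping the post-ClientHello early-data transition when `SSL_IS_QUIC_HANDSHAKE(s)` — carries no explanation, and the comment immediately below still only talks about assuming TLSv1.3. A one-line why-comment would save the next reader a trip to the commit log, e.g. `/* QUIC has no EndOfEarlyData and 0-RTT data is handled by the QUIC layer, so presumably the client never needs to pause here to write early data */`, with the hedge removed once confirmed. In statem.c, the new `case WORK_FINISHED_SWAP:` merged into the WORK_FINISHED_STOP branch of read_state_machine() likewise deserves a short note that the read side does not distinguish the two. Both functions extend beyond their hunks.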
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index cd062a00d5be8..b93a97999de26 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -839,6 +839,21 @@ WORK_STATE ossl_statem_server_pre_work(SSL_CONNECTION *s, WORK_STATE wst) if (s->early_data_state != SSL_EARLY_DATA_ACCEPTING && (s->s3.flags & TLS1_FLAGS_STATELESS) == 0) return WORK_FINISHED_CONTINUE; + + /* + * In QUIC with 0-RTT we just carry on when otherwise we would stop + * to allow the server to read early data + */ + if (SSL_NO_EOED(s) && s->ext.early_data == SSL_EARLY_DATA_ACCEPTED + && s->early_data_state != SSL_EARLY_DATA_FINISHED_READING) { + s->early_data_state = SSL_EARLY_DATA_FINISHED_READING; + if (!ssl->method->ssl3_enc->change_cipher_state(s, SSL3_CC_HANDSHAKE + | SSL3_CHANGE_CIPHER_SERVER_READ)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); + return WORK_ERROR; + } + return WORK_FINISHED_SWAP; + } /* Fall through */ case TLS_ST_OK: diff --git a/test/sslapitest.c b/test/sslapitest.c index 413e3181ba436..a20d1f720342c 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c 
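Review bot: The new block in ossl_statem_server_pre_work() is the core of this change, but its comment ("we just carry on when otherwise we would stop") does not say what is actually being done or why a new return value is needed. I would replace it with `/* QUIC has no EndOfEarlyData (SSL_NO_EOED) and 0-RTT data is delivered by the QUIC layer, so instead of stopping here for the server to read early data we move the read keys to the handshake level now and return WORK_FINISHED_SWAP so the caller can fetch the new secret without a further SSL_do_handshake() call. */`. The `ssl` used in the change_cipher_state() call is declared outside the hunk, as is the enclosing switch, so the reader also has to trust that this sits in the TLS_ST_EARLY_DATA case; naming the case in the comment would help. This replaces logic removed from ossl_statem_check_finish_init(), which is worth a cross-reference since that function kept no trace of it.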
@@ -12969,15 +12969,15 @@ static int test_quic_tls_early_data(void) SSL_set_msg_callback(serverssl, assert_no_end_of_early_data); SSL_set_msg_callback(clientssl, assert_no_end_of_early_data); - if (!TEST_int_eq(SSL_connect(clientssl), 0) - || !TEST_int_eq(SSL_accept(serverssl), 0) + if (!TEST_int_eq(SSL_connect(clientssl), -1) + || !TEST_int_eq(SSL_accept(serverssl), -1) || !TEST_int_eq(SSL_get_early_data_status(serverssl), SSL_EARLY_DATA_ACCEPTED) || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_READ) || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_READ)) goto end; /* Check the encryption levels are what we expect them to be */ - if (!TEST_true(sdata.renc_level == OSSL_RECORD_PROTECTION_LEVEL_EARLY) + if (!TEST_true(sdata.renc_level == OSSL_RECORD_PROTECTION_LEVEL_HANDSHAKE) || !TEST_true(sdata.wenc_level == OSSL_RECORD_PROTECTION_LEVEL_APPLICATION) || !TEST_true(cdata.renc_level == OSSL_RECORD_PROTECTION_LEVEL_NONE) || !TEST_true(cdata.wenc_level == OSSL_RECORD_PROTECTION_LEVEL_EARLY)) From 3c1f50ad6f3d9dbbce095e83a59e6cd64cabe65e Mon Sep 17 00:00:00 2001 From: slontis Date: Fri, 21 Mar 2025 15:46:52 +1100 Subject: [PATCH 0031/1171] ML_DSA - Fix bug in OSSL_PKEY_PARAM_SECURITY_BITS getter. Reported by @romen It was off by a factor of 8. Reviewed-by: Tim Hudson Reviewed-by: Viktor Dukhovni Reviewed-by: Paul Dale Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/27110) --- providers/implementations/keymgmt/ml_dsa_kmgmt.c | 2 +- test/ml_dsa_test.c | 12 +++++++++++- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/providers/implementations/keymgmt/ml_dsa_kmgmt.c b/providers/implementations/keymgmt/ml_dsa_kmgmt.c index ba39ae9479dda..9105847e6dc79 100644 --- a/providers/implementations/keymgmt/ml_dsa_kmgmt.c +++ b/providers/implementations/keymgmt/ml_dsa_kmgmt.c 
@@ -316,7 +316,7 @@ static int ml_dsa_get_params(void *keydata, OSSL_PARAM params[])
 && !OSSL_PARAM_set_int(p, 8 * ossl_ml_dsa_key_get_pub_len(key)))
 return 0;
 if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_SECURITY_BITS)) != NULL
- && !OSSL_PARAM_set_int(p, 8 * ossl_ml_dsa_key_get_collision_strength_bits(key)))
+ && !OSSL_PARAM_set_int(p, ossl_ml_dsa_key_get_collision_strength_bits(key)))
 return 0;
 if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_MAX_SIZE)) != NULL
 && !OSSL_PARAM_set_int(p, ossl_ml_dsa_key_get_sig_len(key)))
diff --git a/test/ml_dsa_test.c b/test/ml_dsa_test.c
index 9e23887d907cd..895bc7394a496 100644
--- a/test/ml_dsa_test.c
+++ b/test/ml_dsa_test.c
@@ -89,6 +89,7 @@ static int ml_dsa_keygen_test(int tst_id)
 EVP_PKEY *pkey = NULL;
 uint8_t priv[5 * 1024], pub[3 * 1024], seed[ML_DSA_SEED_BYTES];
 size_t priv_len, pub_len, seed_len;
+ int bits = 0, sec_bits = 0, sig_len = 0;
 if (!TEST_ptr(pkey = do_gen_key(tst->name, tst->seed, tst->seed_len))
 || !TEST_true(EVP_PKEY_get_octet_string_param(pkey, OSSL_PKEY_PARAM_ML_DSA_SEED,
@@ -99,7 +100,16 @@ static int ml_dsa_keygen_test(int tst_id)
 pub, sizeof(pub), &pub_len))
 || !TEST_mem_eq(pub, pub_len, tst->pub, tst->pub_len)
 || !TEST_mem_eq(priv, priv_len, tst->priv, tst->priv_len)
- || !TEST_mem_eq(seed, seed_len, tst->seed, tst->seed_len))
+ || !TEST_mem_eq(seed, seed_len, tst->seed, tst->seed_len)
+ /* The following checks assume that algorithm is ML-DSA-65 */
+ || !TEST_true(EVP_PKEY_get_int_param(pkey, OSSL_PKEY_PARAM_BITS, &bits))
+ || !TEST_int_eq(bits, 1952 * 8)
+ || !TEST_true(EVP_PKEY_get_int_param(pkey, OSSL_PKEY_PARAM_SECURITY_BITS,
+ &sec_bits))
+ || !TEST_int_eq(sec_bits, 192)
+ || !TEST_true(EVP_PKEY_get_int_param(pkey, OSSL_PKEY_PARAM_MAX_SIZE,
+ &sig_len))
+ || !TEST_int_ge(sig_len, 3309))
 goto err;
 ret = 1;
 err:
From 83b11af01738196b0ebde28a2f91df351c1c72fc Mon Sep 17 00:00:00 2001
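Review bot: The corrected SECURITY_BITS line now sits directly under the OSSL_PKEY_PARAM_BITS getter, which legitimately scales a byte length by 8, so the visual asymmetry invites the same off-by-8 factor being "restored" later. Suggest a comment on the new line: `/* already in bits, unlike the byte lengths returned above and below */`. ml_dsa_get_params() begins before and ends after the hunk.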
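Review bot: The new assertions in the second test hunk hard-code ML-DSA-65 values (1952 * 8 bits, 192 security bits, a 3309-byte signature) inside ml_dsa_keygen_test(int tst_id), which is driven by a table of vectors, so adding a vector for another parameter set would fail these checks rather than the code under test. Prefer deriving the expectations from the vector, e.g. `|| !TEST_int_eq(bits, (int)(8 * tst->pub_len))`, or guarding the block on tst->name; at minimum the comment should state that the table currently holds only ML-DSA-65 vectors, which I infer rather than see since the table is not in the hunk. The function's beginning and end are outside the hunk.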
From: Tomas Mraz
Date: Mon, 24 Mar 2025 10:53:02 +0100
Subject: [PATCH 0032/1171] qlog_event_helpers.c: Fix inverted condition
We want to skip up to PACKET_remaining() and not "at least" PACKET_remaining() bytes.
Reviewed-by: Paul Dale
Reviewed-by: Neil Horman
Reviewed-by: Tim Hudson
Reviewed-by: Richard Levitte
(Merged from https://github.com/openssl/openssl/pull/27138)
---
 ssl/quic/qlog_event_helpers.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ssl/quic/qlog_event_helpers.c b/ssl/quic/qlog_event_helpers.c
index 55cc28d9f9b70..190b6968fc001 100644
--- a/ssl/quic/qlog_event_helpers.c
+++ b/ssl/quic/qlog_event_helpers.c
@@ -542,7 +542,7 @@ static int log_frames(QLOG *qlog_instance,
 if (need_skip > 0) {
 size_t adv = need_skip;
- if (adv < PACKET_remaining(&pkt))
+ if (adv > PACKET_remaining(&pkt))
 adv = PACKET_remaining(&pkt);
 if (!PACKET_forward(&pkt, adv))
From 21b170df9fd2c6080da119144eac969a940dee38 Mon Sep 17 00:00:00 2001
From: Frederik Wedel-Heinen
Date: Sat, 15 Mar 2025 21:02:54 +0100
Subject: [PATCH 0033/1171] Adds the concept of thunks to OPENSSL_sk interface
This allows applications to call functions of correct signature when free'ing OPENSSL_sk items which UBSan complains about. Related to #22896.
Reviewed-by: Neil Horman
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/27071)
---
 CHANGES.md | 14 +++++++++++---
 crypto/stack/stack.c | 21 ++++++++++++++++++---
 doc/man3/DEFINE_STACK_OF.pod | 13 +++++++++----
 include/openssl/safestack.h.in | 27 +++++++++++++++++++++++++--
 include/openssl/stack.h | 4 +++-
 util/libcrypto.num | 1 +
 util/perl/OpenSSL/stackhash.pm | 2 +-
 7 files changed, 68 insertions(+), 14 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index 8385a97b5a369..28e96ee6707e0 100644
--- a/CHANGES.md
+++ b/CHANGES.md
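Review bot: The fixed clamp now reads as `adv = min(need_skip, PACKET_remaining(&pkt))`, but nothing in the code says why need_skip may exceed what is left in the packet, which is exactly how the comparison got inverted. A comment such as `/* need_skip may exceed the bytes left in this packet (a later change uses SIZE_MAX to mean "skip the rest"); never advance past the end */` makes the direction self-evident. log_frames() begins and ends outside the hunk.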
@@ -12,6 +12,7 @@ appropriate release branch.
 OpenSSL Releases
 ----------------
+ - [OpenSSL 3.6](#openssl-36)
 - [OpenSSL 3.5](#openssl-35)
 - [OpenSSL 3.4](#openssl-34)
 - [OpenSSL 3.3](#openssl-33)
@@ -25,16 +26,23 @@ OpenSSL Releases
 - [OpenSSL 1.0.0](#openssl-100)
 - [OpenSSL 0.9.x](#openssl-09x)
-OpenSSL 3.5
+OpenSSL 3.6
 -----------
 ### Changes between 3.5 and 3.6 [xx XXX xxxx]
- * none yet
+ * Support setting a free function thunk to OPENSSL_sk stack types. Using a thunk
+ allows the type specific free function to be called with the correct type
+ information from generic functions like OPENSSL_sk_pop_free().
+
+ *Frederik Wedel-Heinen*
+
+OpenSSL 3.5
+-----------
 ### Changes between 3.4 and 3.5 [xx XXX xxxx]
-* Added server side support for QUIC
+ * Added server side support for QUIC
 *Hugo Landau, Matt Caswell, Tomáš Mráz, Neil Horman, Sasha Nedvedicky, Andrew Dinh*
diff --git a/crypto/stack/stack.c b/crypto/stack/stack.c
index e813989624707..bdf90546886fd 100644
--- a/crypto/stack/stack.c
+++ b/crypto/stack/stack.c
@@ -30,6 +30,7 @@ struct stack_st {
 int sorted;
 int num_alloc;
 OPENSSL_sk_compfunc comp;
+ OPENSSL_sk_freefunc_thunk free_thunk;
 };
 OPENSSL_sk_compfunc OPENSSL_sk_set_cmp_func(OPENSSL_STACK *sk,
@@ -255,6 +256,14 @@ int OPENSSL_sk_reserve(OPENSSL_STACK *st, int n)
 return sk_reserve(st, n, 1);
 }
+OPENSSL_STACK *OPENSSL_sk_set_thunks(OPENSSL_STACK *st, OPENSSL_sk_freefunc_thunk f_thunk)
+{
+ if (st != NULL)
+ st->free_thunk = f_thunk;
+
+ return st;
+}
+
 int OPENSSL_sk_insert(OPENSSL_STACK *st, const void *data, int loc)
 {
 if (st == NULL) {
@@ -434,9 +443,15 @@ void OPENSSL_sk_pop_free(OPENSSL_STACK *st, OPENSSL_sk_freefunc func)
 if (st == NULL)
 return;
- for (i = 0; i < st->num; i++)
- if (st->data[i] != NULL)
- func((char *)st->data[i]);
+
+ for (i = 0; i < st->num; i++) {
+ if (st->data[i] != NULL) {
+ if (st->free_thunk != NULL)
+ st->free_thunk(func, (void *)st->data[i]);
+ else
+ func((void *)st->data[i]);
+ }
+ }
 OPENSSL_sk_free(st);
 }
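Review bot: OPENSSL_sk_set_thunks() is exported (stack.h and libcrypto.num later in this commit) yet has no header comment, while the pod text added in the same commit says it is internal-only; the function itself should say so. Suggest above it: `/* Internal: installs the typed free-function trampoline used by OPENSSL_sk_pop_free(); the safestack wrappers set it, applications should not */`. Whether free_thunk starts out NULL on every creation path depends on the allocation in OPENSSL_sk_new_reserve(), which is not in this diff; if that struct is not zero-filled, pop_free would call through an uninitialised pointer, so it is worth confirming.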
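Review bot: In the OPENSSL_sk_pop_free() hunk the thunk makes the free call well-typed — which also matters for control-flow-integrity schemes that check indirect-call signatures, not only for UBSan — but only when `func` is the type the installed thunk expects; a caller that installs a type-A thunk and then passes a type-B freefunc to the generic OPENSSL_sk_pop_free() gets the same mismatch as before, now hidden inside the thunk. Suggest documenting that contract at the top of the loop, e.g. `/* free_thunk casts func back to the element type it was installed for; the typed sk_<T>_pop_free wrappers guarantee the pairing */`. OPENSSL_sk_pop_free() starts outside the hunk.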
diff --git a/doc/man3/DEFINE_STACK_OF.pod b/doc/man3/DEFINE_STACK_OF.pod index ff2074820f682..0d8a8298ae557 100644 --- a/doc/man3/DEFINE_STACK_OF.pod +++ b/doc/man3/DEFINE_STACK_OF.pod @@ -16,8 +16,8 @@ OPENSSL_sk_dup, OPENSSL_sk_find, OPENSSL_sk_find_ex, OPENSSL_sk_find_all, OPENSSL_sk_free, OPENSSL_sk_insert, OPENSSL_sk_is_sorted, OPENSSL_sk_new, OPENSSL_sk_new_null, OPENSSL_sk_new_reserve, OPENSSL_sk_num, OPENSSL_sk_pop, OPENSSL_sk_pop_free, OPENSSL_sk_push, OPENSSL_sk_reserve, OPENSSL_sk_set, -OPENSSL_sk_set_cmp_func, OPENSSL_sk_shift, OPENSSL_sk_sort, -OPENSSL_sk_unshift, OPENSSL_sk_value, OPENSSL_sk_zero +OPENSSL_sk_set_thunks, OPENSSL_sk_set_cmp_func, OPENSSL_sk_shift, +OPENSSL_sk_sort, OPENSSL_sk_unshift, OPENSSL_sk_value, OPENSSL_sk_zero - stack container =head1 SYNOPSIS @@ -241,8 +241,11 @@ OPENSSL_sk_free(), OPENSSL_sk_insert(), OPENSSL_sk_is_sorted(), OPENSSL_sk_new(), OPENSSL_sk_new_null(), OPENSSL_sk_new_reserve(), OPENSSL_sk_num(), OPENSSL_sk_pop(), OPENSSL_sk_pop_free(), OPENSSL_sk_push(), OPENSSL_sk_reserve(), OPENSSL_sk_set(), OPENSSL_sk_set_cmp_func(), -OPENSSL_sk_shift(), OPENSSL_sk_sort(), OPENSSL_sk_unshift(), -OPENSSL_sk_value(), OPENSSL_sk_zero(). +OPENSSL_sk_set_thunks(), OPENSSL_sk_shift(), OPENSSL_sk_sort(), +OPENSSL_sk_unshift(), OPENSSL_sk_value(), OPENSSL_sk_zero(). + +OPENSSL_sk_set_thunks(), while public by necessity, is actually an internal +function and should not be used. =head1 RETURN VALUES @@ -299,6 +302,8 @@ B_sort>() should be called before these find operations. Before OpenSSL 3.3.0 B_push>() returned -1 if I was NULL. It was changed to return 0 in this condition as for other errors. +OPENSSL_sk_set_thunks() was added in OpenSSL 3.6.0. + =head1 COPYRIGHT Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved. diff --git a/include/openssl/safestack.h.in b/include/openssl/safestack.h.in index 6b36607928ff8..e50220abebe97 100644 --- a/include/openssl/safestack.h.in +++ b/include/openssl/safestack.h.in 
@@ -39,6 +39,11 @@ extern "C" {
 typedef int (*sk_##t1##_compfunc)(const t3 * const *a, const t3 *const *b); \
 typedef void (*sk_##t1##_freefunc)(t3 *a); \
 typedef t3 * (*sk_##t1##_copyfunc)(const t3 *a); \
+ static ossl_inline void sk_##t1##_freefunc_thunk(OPENSSL_sk_freefunc freefunc_arg, void *ptr) \
+ { \
+ sk_##t1##_freefunc freefunc = (sk_##t1##_freefunc) freefunc_arg; \
+ freefunc((t3 *)ptr); \
+ } \
 static ossl_unused ossl_inline t2 *ossl_check_##t1##_type(t2 *ptr) \
 { \
 return ptr; \
@@ -69,6 +74,11 @@ extern "C" {
 typedef int (*sk_##t1##_compfunc)(const t3 * const *a, const t3 *const *b); \
 typedef void (*sk_##t1##_freefunc)(t3 *a); \
 typedef t3 * (*sk_##t1##_copyfunc)(const t3 *a); \
+ static ossl_inline void sk_##t1##_freefunc_thunk(OPENSSL_sk_freefunc freefunc_arg, void *ptr) \
+ { \
+ sk_##t1##_freefunc freefunc = (sk_##t1##_freefunc) freefunc_arg;\
+ freefunc((t3 *)ptr);\
+ } \
 static ossl_unused ossl_inline int sk_##t1##_num(const STACK_OF(t1) *sk) \
 { \
 return OPENSSL_sk_num((const OPENSSL_STACK *)sk); \
@@ -79,7 +89,11 @@ extern "C" {
 } \
 static ossl_unused ossl_inline STACK_OF(t1) *sk_##t1##_new(sk_##t1##_compfunc compare) \
 { \
- return (STACK_OF(t1) *)OPENSSL_sk_new((OPENSSL_sk_compfunc)compare); \
+ OPENSSL_STACK *ret = OPENSSL_sk_new((OPENSSL_sk_compfunc)compare); \
+ OPENSSL_sk_freefunc_thunk f_thunk; \
+ \
+ f_thunk = (OPENSSL_sk_freefunc_thunk)sk_##t1##_freefunc_thunk; \
+ return (STACK_OF(t1) *)OPENSSL_sk_set_thunks(ret, f_thunk); \
 } \
 static ossl_unused ossl_inline STACK_OF(t1) *sk_##t1##_new_null(void) \
 { \
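Review bot: Both new sk_##t1##_freefunc_thunk definitions (first and second hunk) are `static ossl_inline` without the `ossl_unused` that every sibling helper in these macros carries; on compilers where ossl_inline expands to nothing, a translation unit that instantiates the macro but never calls the thunk gets an unused-function warning, fatal under -Werror. Suggest `static ossl_unused ossl_inline void sk_##t1##_freefunc_thunk(...)` in both places. Separately, the first macro only defines the thunk, and the only visible change to the `#define`-style wrappers generated by util/perl/OpenSSL/stackhash.pm (last hunk of this commit) is whitespace, so unless the generated sk_*_new or sk_*_pop_free defines install it somewhere not in this diff, stacks of those types still call freefunc through the mismatched pointer type — worth confirming.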
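Review bot: In sk_##t1##_new (third hunk), and again in sk_##t1##_new_reserve and sk_##t1##_pop_free in the next hunks, the cast `(OPENSSL_sk_freefunc_thunk)sk_##t1##_freefunc_thunk` is an identity cast — the thunk is declared with exactly that parameter list — and the f_thunk temporary exists only to hold it. The body can be `return (STACK_OF(t1) *)OPENSSL_sk_set_thunks(ret, sk_##t1##_freefunc_thunk);` and still handles a NULL ret, since OPENSSL_sk_set_thunks() returns its argument unchanged when st is NULL.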
@@ -87,7 +101,11 @@ extern "C" {
 } \
 static ossl_unused ossl_inline STACK_OF(t1) *sk_##t1##_new_reserve(sk_##t1##_compfunc compare, int n) \
 { \
- return (STACK_OF(t1) *)OPENSSL_sk_new_reserve((OPENSSL_sk_compfunc)compare, n); \
+ OPENSSL_STACK *ret = OPENSSL_sk_new_reserve((OPENSSL_sk_compfunc)compare, n); \
+ OPENSSL_sk_freefunc_thunk f_thunk; \
+ \
+ f_thunk = (OPENSSL_sk_freefunc_thunk)sk_##t1##_freefunc_thunk; \
+ return (STACK_OF(t1) *)OPENSSL_sk_set_thunks(ret, f_thunk); \
 } \
 static ossl_unused ossl_inline int sk_##t1##_reserve(STACK_OF(t1) *sk, int n) \
 { \
@@ -128,6 +146,11 @@ extern "C" {
 } \
 static ossl_unused ossl_inline void sk_##t1##_pop_free(STACK_OF(t1) *sk, sk_##t1##_freefunc freefunc) \
 { \
+ OPENSSL_sk_freefunc_thunk f_thunk; \
+ \
+ f_thunk = (OPENSSL_sk_freefunc_thunk)sk_##t1##_freefunc_thunk; \
+ sk = (STACK_OF(t1) *)OPENSSL_sk_set_thunks((OPENSSL_STACK *)sk, f_thunk); \
+ \
 OPENSSL_sk_pop_free((OPENSSL_STACK *)sk, (OPENSSL_sk_freefunc)freefunc); \
 } \
 static ossl_unused ossl_inline int sk_##t1##_insert(STACK_OF(t1) *sk, t2 *ptr, int idx) \
diff --git a/include/openssl/stack.h b/include/openssl/stack.h
index f0c5c54765af5..b31b0254a5d13 100644
--- a/include/openssl/stack.h
+++ b/include/openssl/stack.h
@@ -24,6 +24,7 @@ typedef struct stack_st OPENSSL_STACK; /* Use STACK_OF(...) instead */
 typedef int (*OPENSSL_sk_compfunc)(const void *, const void *);
 typedef void (*OPENSSL_sk_freefunc)(void *);
+typedef void (*OPENSSL_sk_freefunc_thunk)(OPENSSL_sk_freefunc, void *);
 typedef void *(*OPENSSL_sk_copyfunc)(const void *);
 int OPENSSL_sk_num(const OPENSSL_STACK *);
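Review bot: sk_##t1##_pop_free (second hunk) re-installs the thunk on every call, which is what lets stacks that were not created through sk_##t1##_new (e.g. via OPENSSL_sk_dup() or the generic API) free their elements through a correctly-typed call, but nothing says so; add `/* (re)install the thunk: sk may have been created or copied without one */`. The assignment `sk = (STACK_OF(t1) *)OPENSSL_sk_set_thunks(...)` is redundant because OPENSSL_sk_set_thunks() returns its argument; calling it for its side effect and leaving `sk` alone reads more honestly.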
@@ -34,9 +35,10 @@ void *OPENSSL_sk_set(OPENSSL_STACK *st, int i, const void *data);
 OPENSSL_STACK *OPENSSL_sk_new(OPENSSL_sk_compfunc cmp);
 OPENSSL_STACK *OPENSSL_sk_new_null(void);
 OPENSSL_STACK *OPENSSL_sk_new_reserve(OPENSSL_sk_compfunc c, int n);
+OPENSSL_STACK *OPENSSL_sk_set_thunks(OPENSSL_STACK *st, OPENSSL_sk_freefunc_thunk f_thunk);
 int OPENSSL_sk_reserve(OPENSSL_STACK *st, int n);
 void OPENSSL_sk_free(OPENSSL_STACK *);
-void OPENSSL_sk_pop_free(OPENSSL_STACK *st, void (*func) (void *));
+void OPENSSL_sk_pop_free(OPENSSL_STACK *st, OPENSSL_sk_freefunc func);
 OPENSSL_STACK *OPENSSL_sk_deep_copy(const OPENSSL_STACK *,
 OPENSSL_sk_copyfunc c,
 OPENSSL_sk_freefunc f);
diff --git a/util/libcrypto.num b/util/libcrypto.num
index d86007f719fcb..322c7b42d61d4 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -5924,3 +5924,4 @@ OSSL_AA_DIST_POINT_free ? 3_5_0 EXIST::FUNCTION:
 OSSL_AA_DIST_POINT_new ? 3_5_0 EXIST::FUNCTION:
 OSSL_AA_DIST_POINT_it ? 3_5_0 EXIST::FUNCTION:
 PEM_ASN1_write_bio_ctx ? 3_5_0 EXIST::FUNCTION:
+OPENSSL_sk_set_thunks ? 3_6_0 EXIST::FUNCTION:
diff --git a/util/perl/OpenSSL/stackhash.pm b/util/perl/OpenSSL/stackhash.pm
index 7c2459b8a4061..b777f15556be5 100644
--- a/util/perl/OpenSSL/stackhash.pm
+++ b/util/perl/OpenSSL/stackhash.pm
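Review bot: The new public prototype for OPENSSL_sk_set_thunks() carries no comment, while the pod added in this commit declares it internal and not for application use; the header is what most users actually read. Suggest `/* Internal use only; see DEFINE_STACK_OF(3) */` above the prototype. The OPENSSL_sk_pop_free() signature change is type-identical (OPENSSL_sk_freefunc is `void (*)(void *)` per the previous hunk), so it is a readability change with no ABI effect.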
@@ -40,7 +40,7 @@ SKM_DEFINE_STACK_OF_INTERNAL(${nametype}, ${realtype}, ${plaintype}) #define sk_${nametype}_unshift(sk, ptr) OPENSSL_sk_unshift(ossl_check_${nametype}_sk_type(sk), ossl_check_${nametype}_type(ptr)) #define sk_${nametype}_pop(sk) ((${realtype} *)OPENSSL_sk_pop(ossl_check_${nametype}_sk_type(sk))) #define sk_${nametype}_shift(sk) ((${realtype} *)OPENSSL_sk_shift(ossl_check_${nametype}_sk_type(sk))) -#define sk_${nametype}_pop_free(sk, freefunc) OPENSSL_sk_pop_free(ossl_check_${nametype}_sk_type(sk),ossl_check_${nametype}_freefunc_type(freefunc)) +#define sk_${nametype}_pop_free(sk, freefunc) OPENSSL_sk_pop_free(ossl_check_${nametype}_sk_type(sk), ossl_check_${nametype}_freefunc_type(freefunc)) #define sk_${nametype}_insert(sk, ptr, idx) OPENSSL_sk_insert(ossl_check_${nametype}_sk_type(sk), ossl_check_${nametype}_type(ptr), (idx)) #define sk_${nametype}_set(sk, idx, ptr) ((${realtype} *)OPENSSL_sk_set(ossl_check_${nametype}_sk_type(sk), (idx), ossl_check_${nametype}_type(ptr))) #define sk_${nametype}_find(sk, ptr) OPENSSL_sk_find(ossl_check_${nametype}_sk_type(sk), ossl_check_${nametype}_type(ptr)) From 9f85a036e331d2837db604fc505062f7790a8b2b Mon Sep 17 00:00:00 2001 From: Bernd Edlinger Date: Thu, 20 Mar 2025 17:14:51 +0100 Subject: [PATCH 0034/1171] Try to fix reported qlog issues Reviewed-by: Neil Horman Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/27089) --- ssl/quic/qlog_event_helpers.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ssl/quic/qlog_event_helpers.c b/ssl/quic/qlog_event_helpers.c index 190b6968fc001..148cf2f57b583 100644 --- a/ssl/quic/qlog_event_helpers.c +++ b/ssl/quic/qlog_event_helpers.c 
@@ -213,8 +213,10 @@ static int log_frame_actual(QLOG *qlog_instance, PACKET *pkt,
 size_t i;
 PACKET orig_pkt = *pkt;
- if (!ossl_quic_wire_peek_frame_header(pkt, &frame_type, NULL))
+ if (!ossl_quic_wire_peek_frame_header(pkt, &frame_type, NULL)) {
+ *need_skip = SIZE_MAX;
 return 0;
+ }
 /*
 * If something goes wrong decoding a frame we cannot log it as that frame
From f346932a15b5ce0cf7e42628e0b02a1871de93e1 Mon Sep 17 00:00:00 2001
From: Bernd Edlinger
Date: Thu, 20 Mar 2025 19:45:17 +0100
Subject: [PATCH 0035/1171] Do not wrap the python3 in ../../util/wrap.pl
That is bad, because this script does seem to have issues, because it is itself linked against libcrypto, which causes crashes in enable-asan builds:
ASan runtime does not come first in initial library list; you should either link runtime to your application or manually preload it with LD_PRELOAD.
../../util/wrap.pl python3 ../../test/recipes/70-test_quic_multistream_data/verify-qlog.py => 1
not ok 1 - running qlog verification script
not ok 2 - check qlog output
Reviewed-by: Neil Horman
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/27089)
---
 test/recipes/70-test_quic_multistream.t | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/recipes/70-test_quic_multistream.t b/test/recipes/70-test_quic_multistream.t
index 7ab66f7e311c9..356382c680868 100644
--- a/test/recipes/70-test_quic_multistream.t
+++ b/test/recipes/70-test_quic_multistream.t
@@ -40,7 +40,7 @@ SKIP: {
 subtest "check qlog output" => sub {
 plan tests => 1;
- ok(run(cmd(["python3", data_file("verify-qlog.py")])),
+ ok(run(cmd([data_file("verify-qlog.py")], exe_shell => "python3")),
 "running qlog verification script");
 };
 }
From 289dcbe008018b3cf81053cba2b36825a1f49b74 Mon Sep 17 00:00:00 2001
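Review bot: `*need_skip = SIZE_MAX` is a sentinel whose meaning ("skip whatever is left") is realised only by the clamp in log_frames() that the previous commit fixed; nothing here says that, and a reader of this function alone sees a skip length that can never be advanced. Either express the intent directly, `*need_skip = PACKET_remaining(pkt);` (valid if pkt is the same packet the caller clamps against, which the `orig_pkt = *pkt` copy suggests), or keep the sentinel and document it: `/* unparseable frame header: ask the caller to skip the rest of the packet */`. log_frame_actual() continues outside the hunk.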
From: Bernd Edlinger Date: Fri, 21 Mar 2025 17:34:24 +0100 Subject: [PATCH 0036/1171] Upload artifacts despite possible test failures Reviewed-by: Neil Horman Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/27089) --- .github/workflows/ci.yml | 19 +++++++++++++++++++ .github/workflows/cross-compiles.yml | 1 + 2 files changed, 20 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6e81d8e086b65..dcc258a7c1a52 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -99,6 +99,7 @@ jobs: run: | util/wrap.pl -fips apps/openssl list -providers | grep 'name: CI FIPS Provider for OpenSSL$' - name: save artifacts + if: success() || failure() uses: actions/upload-artifact@v4 with: name: "ci@basic-gcc" @@ -121,6 +122,7 @@ jobs: - name: make test run: .github/workflows/make-test - name: save artifacts + if: success() || failure() uses: actions/upload-artifact@v4 with: name: "ci@basic-clang" @@ -143,6 +145,7 @@ jobs: - name: make test run: .github/workflows/make-test - name: save artifacts + if: success() || failure() uses: actions/upload-artifact@v4 with: name: "ci@linux-arm64" @@ -184,6 +187,7 @@ jobs: ./util/opensslwrap.sh version -c .github/workflows/make-test - name: save artifacts + if: success() || failure() uses: actions/upload-artifact@v4 with: name: "ci@BSD-x86_64" @@ -206,6 +210,7 @@ jobs: - name: make test run: .github/workflows/make-test - name: save artifacts + if: success() || failure() uses: actions/upload-artifact@v4 with: name: "ci@minimal" @@ -228,6 +233,7 @@ jobs: - name: make test run: .github/workflows/make-test - name: save artifacts + if: success() || failure() uses: actions/upload-artifact@v4 with: name: "ci@no-deprecated" @@ -250,6 +256,7 @@ jobs: - name: make test run: .github/workflows/make-test - name: save artifacts + if: success() || failure() uses: actions/upload-artifact@v4 with: name: "ci@no-shared-ubuntu" 
@@ -276,6 +283,7 @@ jobs: - name: make test run: .github/workflows/make-test - name: save artifacts + if: success() || failure() uses: actions/upload-artifact@v4 with: name: "ci@no-shared-${{ matrix.os }}" @@ -302,6 +310,7 @@ jobs: - name: make test run: .github/workflows/make-test OPENSSL_TEST_RAND_ORDER=0 TESTS="-test_fuzz* -test_ssl_* -test_sslapi -test_evp -test_cmp_http -test_verify -test_cms -test_store -test_enc -[01][0-9]" - name: save artifacts + if: success() || failure() uses: actions/upload-artifact@v4 with: name: "ci@non-caching" @@ -328,6 +337,7 @@ jobs: - name: make test run: .github/workflows/make-test OPENSSL_TEST_RAND_ORDER=0 - name: save artifacts + if: success() || failure() uses: actions/upload-artifact@v4 with: name: "ci@address_ub_sanitizer" @@ -354,6 +364,7 @@ jobs: - name: make test run: .github/workflows/make-test OPENSSL_TEST_RAND_ORDER=0 TESTS="test_fuzz*" - name: save artifacts + if: success() || failure() uses: actions/upload-artifact@v4 with: name: "ci@fuzz_tests" @@ -382,6 +393,7 @@ jobs: - name: make test run: .github/workflows/make-test OPENSSL_TEST_RAND_ORDER=0 - name: save artifacts + if: success() || failure() uses: actions/upload-artifact@v4 with: name: "ci@memory_sanitizer" @@ -408,6 +420,7 @@ jobs: - name: make test run: .github/workflows/make-test V=1 TESTS="test_lhash test_threads test_internal_provider test_provfetch test_provider test_pbe test_evp_kdf test_pkcs12 test_store test_evp test_quic*" - name: save artifacts + if: success() || failure() uses: actions/upload-artifact@v4 with: name: "ci@threads_sanitizer" @@ -432,6 +445,7 @@ jobs: - name: make test run: .github/workflows/make-test - name: save artifacts + if: success() || failure() uses: actions/upload-artifact@v4 with: name: "ci@enable_non-default_options" @@ -462,6 +476,7 @@ jobs: - name: make test run: .github/workflows/make-test - name: save artifacts + if: success() || failure() uses: actions/upload-artifact@v4 with: name: "ci@full_featured" 
@@ -484,6 +499,7 @@ jobs: - name: make test run: .github/workflows/make-test - name: save artifacts + if: success() || failure() uses: actions/upload-artifact@v4 with: name: "ci@no-legacy" @@ -506,6 +522,7 @@ jobs: - name: make test run: .github/workflows/make-test - name: save artifacts + if: success() || failure() uses: actions/upload-artifact@v4 with: name: "ci@legacy" @@ -548,6 +565,7 @@ jobs: run: ../source/.github/workflows/make-test working-directory: ./build - name: save artifacts + if: success() || failure() uses: actions/upload-artifact@v4 with: name: "ci@out-of-readonly-source-and-install-ubuntu" @@ -592,6 +610,7 @@ jobs: run: ../source/.github/workflows/make-test working-directory: ./build - name: save artifacts + if: success() || failure() uses: actions/upload-artifact@v4 with: name: "ci@out-of-readonly-source-and-install-${{ matrix.os }}" diff --git a/.github/workflows/cross-compiles.yml b/.github/workflows/cross-compiles.yml index fe2d4de308fd5..bb5eaa5bea794 100644 --- a/.github/workflows/cross-compiles.yml +++ b/.github/workflows/cross-compiles.yml @@ -225,6 +225,7 @@ jobs: TESTS="test_evp*" \ QEMU_LD_PREFIX=/usr/${{ matrix.platform.arch }} - name: save artifacts + if: success() || failure() uses: actions/upload-artifact@v4 with: name: "cross-compiles@${{ matrix.platform.arch }}" From ad684e1a6a925c7fbadad7d309f0204f49e67105 Mon Sep 17 00:00:00 2001 From: Bernd Edlinger Date: Sun, 23 Mar 2025 15:20:34 +0100 Subject: [PATCH 0037/1171] Try to fix endless loops in quic_multistream_test The problem seem to be caused by syntax errors due to injected OSSL_QUIC_FRAME_TYPE_PATH_CHALLENGE packets which are too short by 8 bytes. Reviewed-by: Neil Horman Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/27089) --- test/quic_multistream_test.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/test/quic_multistream_test.c b/test/quic_multistream_test.c index b73c8bef7edd4..b9a09460903b4 100644 
--- a/test/quic_multistream_test.c
+++ b/test/quic_multistream_test.c
@@ -2827,7 +2827,7 @@ static int script_21_inject_plain(struct helper *h, QUIC_PKT_HDR *hdr,
 {
 int ok = 0;
 WPACKET wpkt;
- unsigned char frame_buf[8];
+ unsigned char frame_buf[9];
 size_t written;
 if (h->inject_word0 == 0 || hdr->type != h->inject_word0)
@@ -2840,6 +2840,19 @@ static int script_21_inject_plain(struct helper *h, QUIC_PKT_HDR *hdr,
 if (!TEST_true(WPACKET_quic_write_vlint(&wpkt, h->inject_word1)))
 goto err;
+ switch (h->inject_word1) {
+ case OSSL_QUIC_FRAME_TYPE_PATH_CHALLENGE:
+ if (!TEST_true(WPACKET_put_bytes_u64(&wpkt, (uint64_t)0)))
+ goto err;
+ break;
+ case OSSL_QUIC_FRAME_TYPE_STREAM_DATA_BLOCKED:
+ if (!TEST_true(WPACKET_quic_write_vlint(&wpkt, (uint64_t)0)))
+ goto err;
+ if (!TEST_true(WPACKET_quic_write_vlint(&wpkt, (uint64_t)0)))
+ goto err;
+ break;
+ }
+
 if (!TEST_true(WPACKET_get_total_written(&wpkt, &written)))
 goto err;
From e5bd7f91106481690c8be2d6de9c8a86c81b5f91 Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Tue, 25 Mar 2025 10:17:36 +0100
Subject: [PATCH 0038/1171] 80-test_cms.t: Fix Provider compatibility CI failures
Old FIPS providers do not support PQC algorithms.
Reviewed-by: Richard Levitte
Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/27147)
---
 test/recipes/80-test_cms.t | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
index 21d787fbad167..fa5376b1f1913 100644
--- a/test/recipes/80-test_cms.t
+++ b/test/recipes/80-test_cms.t
@@ -42,6 +42,7 @@ my @defaultprov = ("-provider-path", $provpath,
 my @config = ( );
 my $provname = 'default';
 my $dsaallow = '1';
+my $no_pqc = 0;
 my $datadir = srctop_dir("test", "recipes", "80-test_cms_data");
 my $smdir = srctop_dir("test", "smime-certs");
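Review bot: `frame_buf[9]` in the first hunk is a magic number: it is the frame-type varint (one byte for the types used here, presumably) plus the 8-byte PATH_CHALLENGE payload written in the second hunk, and nothing ties the two together, so the next injected frame type that needs more room fails at runtime instead of at review. Suggest `unsigned char frame_buf[1 + 8]; /* frame type varint + PATH_CHALLENGE data */` or a named constant. script_21_inject_plain() continues beyond the hunk.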
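Review bot: The new switch in the second hunk has no `default:`; the frame types that need no payload fall out of it silently, which is intended here but reads as an omission. Add `default: break; /* other injected frame types carry no mandatory payload */` so the intent is explicit and the compiler's switch-default warnings stay quiet. The commit message explains that the missing 8 bytes caused endless loops in the receiver, which is worth one line above the switch, since the code alone does not say why a syntactically complete frame matters.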
@@ -62,9 +63,11 @@ unless ($no_fips) { $provname = 'fips'; run(test(["fips_version_test", "-config", $provconf, "<3.4.0"]), - capture => 1, statusvar => \$dsaallow); + capture => 1, statusvar => \$dsaallow); $no_dsa = 1 if $dsaallow == '0'; $old_fips = 1 if $dsaallow != '0'; + run(test(["fips_version_test", "-config", $provconf, "<3.5.0"]), + capture => 1, statusvar => \$no_pqc); } $ENV{OPENSSL_TEST_LIBCTX} = "1"; @@ -1404,7 +1407,7 @@ subtest "ML-DSA tests for CMS \n" => sub { SKIP: { skip "ML-DSA is not supported in this build", 2 - if disabled("ml-dsa"); + if disabled("ml-dsa") || $no_pqc; my $sig1 = "sig1.cms"; @@ -1425,7 +1428,7 @@ subtest "SLH-DSA tests for CMS \n" => sub { SKIP: { skip "SLH-DSA is not supported in this build", 6 - if disabled("slh-dsa"); + if disabled("slh-dsa") || $no_pqc; my $sig1 = "sig1.cms"; From 21f4bd986b7739f24f67270d533412065c7af0fc Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 25 Mar 2025 15:19:05 +0100 Subject: [PATCH 0039/1171] Update NEWS.md and CHANGES.md for the 3.5 release MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Neil Horman Reviewed-by: Saša Nedvědický (Merged from https://github.com/openssl/openssl/pull/27152) (cherry picked from commit d6ace599edfba7f1487725993531578bfeb9663a) --- CHANGES.md | 90 ++++++++++++++++++++++++++++++++++++++++++------------ NEWS.md | 29 ++++++++++-------- 2 files changed, 87 insertions(+), 32 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 28e96ee6707e0..13c4326de3043 100644 --- a/CHANGES.md +++ b/CHANGES.md 
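Review bot: `statusvar => \$no_pqc` relies on the convention already used for $dsaallow — the variable ends up set when the provider version satisfies the `<3.5.0` check — but that is only inferable from the surrounding $old_fips logic. A comment next to the new run(), e.g. `# set when the loaded FIPS provider predates 3.5.0 and so lacks ML-DSA/SLH-DSA`, would make the two new skip conditions self-explanatory. The `unless ($no_fips)` block begins before the hunk.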
@@ -46,6 +46,21 @@ OpenSSL 3.5 *Hugo Landau, Matt Caswell, Tomáš Mráz, Neil Horman, Sasha Nedvedicky, Andrew Dinh* + * Tolerate PKCS#8 version 2 with optional public keys. The public key data + is currently ignored. + + *Viktor Dukhovni* + + * Signature schemes without an explicit signing digest in CMS are now supported. + Examples of such schemes are ED25519 or ML-DSA. + + *Michael Schroeder* + + * The TLS Signature algorithms defaults now include all three ML-DSA variants as + first algorithms. + + *Viktor Dukhovni* + * Added a `no-tls-deprecated-ec` configuration option. The `no-tls-deprecated-ec` option disables support for TLS elliptic curve @@ -105,18 +120,11 @@ OpenSSL 3.5 *Simo Sorce* - * Initial support for opaque symmetric keys objects. These replace the ad-hoc byte - arrays that are pervasive throughout the library. + * Initial support for opaque symmetric keys objects (EVP_SKEY). These + replace the ad-hoc byte arrays that are pervasive throughout the library. *Dmitry Belyavskiy and Simo Sorce* - * For TLSv1.3: Add capability for a client to send multiple key shares. Extend the scope of - `SSL_OP_CIPHER_SERVER_PREFERENCE` to cover server-side key exchange group selection. - Extend the server-side key exchange group selection algorithm and related group list syntax - to support multiple group priorities, e.g. to prioritize (hybrid-)KEMs. - - *David Kelsey*, *Martin Schmatz* - * The default TLS group list setting is now set to: `?*X25519MLKEM768 / ?*X25519:?secp256r1 / ?X448:?secp384r1:?secp521r1 / ?ffdhe2048:?ffdhe3072` 
@@ -124,8 +132,20 @@ OpenSSL 3.5 default by the TLS client. GOST groups and FFDHE groups larger than 3072 bits are no longer enabled by default. + The group names in the group list setting are now also case insensitive. + *Viktor Dukhovni* + * For TLSv1.3: Add capability for a client to send multiple key shares. + Extend the scope of `SSL_OP_CIPHER_SERVER_PREFERENCE` to cover + server-side key exchange group selection. + + Extend the server-side key exchange group selection algorithm and related + group list syntax to support multiple group priorities, e.g. to prioritize + (hybrid-)KEMs. + + *David Kelsey*, *Martin Schmatz* + * A new random generation API has been introduced which modifies all of the L family of calls so they are routed through a specific named provider instead of being resolved via the normal DRBG 
@@ -248,22 +268,52 @@ OpenSSL 3.5 *Pablo De Lara Guarch, Dan Pittman* - * Fix EVP_DecodeUpdate(): do not write padding zeros to the decoded output. + * Fixed EVP_DecodeUpdate() to not write padding zeros to the decoded output. - According to the documentation, - for every 4 valid base64 bytes processed (ignoring whitespace, carriage returns and line feeds), - EVP_DecodeUpdate() produces 3 bytes of binary output data - (except at the end of data terminated with one or two padding characters). - However, the function behaved like an EVP_DecodeBlock(): - produces exactly 3 output bytes for every 4 input bytes. - Such behaviour could cause writes to a non-allocated output buffer - if a user allocates its size based on the documentation and knowing the padding size. + According to the documentation, for every 4 valid base64 bytes processed + (ignoring whitespace, carriage returns and line feeds), EVP_DecodeUpdate() + produces 3 bytes of binary output data (except at the end of data + terminated with one or two padding characters). However, the function + behaved like an EVP_DecodeBlock(). It produced exactly 3 output bytes for + every 4 input bytes. Such behaviour could cause writes to a non-allocated + output buffer if a user allocates its size based on the documentation and + knowing the padding size. - The fix makes EVP_DecodeUpdate() produce - exactly as many output bytes as in the initial non-encoded message. + The fix makes EVP_DecodeUpdate() produce exactly as many output bytes as + in the initial non-encoded message. *Valerii Krygin* + * Added support for aAissuingDistributionPoint, allowedAttributeAssignments, + timeSpecification, attributeDescriptor, roleSpecCertIdentifier, + authorityAttributeIdentifier and attributeMappings X.509v3 extensions. + + *Jonathan M. Wilbur* + + * Added a new CLI option `-provparam` and API functions for setting of + provider configuration parameters. 
+ + *Viktor Dukhovni* + + * Added a new trace category for PROVIDER calls and added new tracing calls + in provider and algorithm fetching API functions. + + *Neil Horman* + + * Fixed benchmarking for AEAD ciphers in the `openssl speed` utility. + + *Mohammed Alhabib* + + * Added a build configuration option `enable-sslkeylog` for enabling support + for SSLKEYLOGFILE environment variable to log TLS connection secrets. + + *Neil Horman* + + * Added EVP_get_default_properties() function to retrieve the current default + property query string. + + *Dmitry Belyavskiy* + OpenSSL 3.4 ----------- diff --git a/NEWS.md b/NEWS.md index 0c74a8bc62d27..e3d9935edeacf 100644 --- a/NEWS.md +++ b/NEWS.md 
@@ -38,32 +38,37 @@ changes: * Default encryption cipher for the `req`, `cms`, and `smime` applications changed from `des-ede3-cbc` to `aes-256-cbc`. - * The TLS supported groups list has been changed in favor of PQC support. + * The default TLS supported groups list has been changed to include and + prefer hybrid PQC KEM groups. Some practically unused groups were removed + from the default list. * The default TLS keyshares have been changed to offer X25519MLKEM768 and and X25519. + * All `BIO_meth_get_*()` functions were deprecated. + This release adds the following new features: * Support for server side QUIC (RFC 9000) - * Support for 3rd party QUIC stacks + * Support for 3rd party QUIC stacks including 0-RTT support + + * Support for PQC algorithms (ML-KEM, ML-DSA and SLH-DSA) - * Support for PQC algorithms (ML-KEM, ML-DSA, SLH-DSA) + * A new configuration option `no-tls-deprecated-ec` to disable support for + TLS groups deprecated in RFC8422 - * Allow the FIPS provider to optionally use the `JITTER` seed source. - Because this seed source is not part of the OpenSSL FIPS validations, - it should only be enabled after the [jitterentropy-library] has been - assessed for entropy quality. Moreover, the FIPS provider including - this entropy source will need to obtain an [ESV] from the [CMVP] before - FIPS compliance can be claimed. Enable this using the configuration - option `enable-fips-jitter`. + * A new configuration option `enable-fips-jitter` to make the FIPS provider + to use the `JITTER` seed source * Support for central key generation in CMP - * Support added for opaque symmetric key objects (EVP_SKEY). + * Support added for opaque symmetric key objects (EVP_SKEY) + + * Support for multiple TLS keyshares and improved TLS key establishment group + configurability - * Support for multiple TLS keyshares. + * API support for pipelining in provided cipher algorithms OpenSSL 3.4 ----------- From 8e08f9c5a013d9a9fb9e2db3c90a70eda50f78b5 Mon Sep 17 00:00:00 2001 
From: Andrey Tsygunka
Date: Wed, 19 Mar 2025 14:53:02 +0300
Subject: [PATCH 0040/1171] Fix NULL pointer dereference in `asn1_ex_i2c()`, crypto/asn1/tasn_enc.c
Adds handling of V_ASN1_UNDEF to avoid NULL dereference in case ASN1 structure contains an element of type ASN1_TYPE without initializing its value (i.e. default constructed)
CLA: trivial
Signed-off-by: Andrey Tsygunka
Reviewed-by: Bernd Edlinger
Reviewed-by: Paul Dale
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/27100)
---
 crypto/asn1/tasn_enc.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/crypto/asn1/tasn_enc.c b/crypto/asn1/tasn_enc.c
index dab5f9f278f3a..e0ee7604345ef 100644
--- a/crypto/asn1/tasn_enc.c
+++ b/crypto/asn1/tasn_enc.c
@@ -565,6 +565,9 @@ static int asn1_ex_i2c(const ASN1_VALUE **pval, unsigned char *cout, int *putype
 return -1;
 break;
+ case V_ASN1_UNDEF:
+ return -2;
+
 case V_ASN1_NULL:
 cont = NULL;
 len = 0;
From 6708df48d6e31a598df2fa24bbc907a762d9a371 Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Thu, 20 Mar 2025 20:47:54 +0100
Subject: [PATCH 0041/1171] Allow ECDSA signing with digests without a NID in default provider
Also fix ineffective check in DSA signing.
Fixes #27084
Reviewed-by: Paul Dale
Reviewed-by: Dmitry Belyavskiy
Reviewed-by: Nicola Tuveri
(Merged from https://github.com/openssl/openssl/pull/27107)
---
 providers/implementations/signature/dsa_sig.c | 23 +++++++++-------
 .../implementations/signature/ecdsa_sig.c | 26 ++++++++++++-------
 2 files changed, 30 insertions(+), 19 deletions(-)
diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c
index 4b585bb704c29..da09dffc21da2 100644
--- a/providers/implementations/signature/dsa_sig.c
+++ b/providers/implementations/signature/dsa_sig.c
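Review bot: `return -2` for V_ASN1_UNDEF needs a comment, because asn1_ex_i2c()'s return values already carry distinct meanings for its caller — as far as I recall, -1 is "omit this element" and -2 is the special code for NDEF encoding in asn1_i2d_ex_primitive(), neither of which is visible here, so please confirm. If -2 really is the NDEF code, an ANY whose value was never set would be emitted as an empty indefinite-length object rather than omitted or rejected, which is a different bug from the NULL dereference this fixes; if "omit" is the intended semantic, `return -1;` matches the surrounding cases. Either way add a line such as `/* no value was ever assigned to this ASN1_TYPE: <chosen behaviour> */`. asn1_ex_i2c() begins and ends outside the hunk.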
@@ -164,16 +164,19 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx, md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); md_nid = ossl_digest_get_approved_nid(md); - if (md == NULL || md_nid < 0) { - if (md == NULL) - ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, - "%s could not be fetched", mdname); - if (md_nid == NID_undef) - ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, - "digest=%s", mdname); - if (mdname_len >= sizeof(ctx->mdname)) - ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, - "%s exceeds name buffer length", mdname); + if (md == NULL) { + ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, + "%s could not be fetched", mdname); + goto err; + } + if (md_nid == NID_undef) { + ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, + "digest=%s", mdname); + goto err; + } + if (mdname_len >= sizeof(ctx->mdname)) { + ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, + "%s exceeds name buffer length", mdname); goto err; } /* XOF digests don't work */ diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c index 6fef96c86a6b6..f6af1c96b0a07 100644 --- a/providers/implementations/signature/ecdsa_sig.c +++ b/providers/implementations/signature/ecdsa_sig.c @@ -197,11 +197,13 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, goto err; } md_nid = ossl_digest_get_approved_nid(md); +#ifdef FIPS_MODULE if (md_nid == NID_undef) { ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, "digest=%s", mdname); goto err; } +#endif /* XOF digests don't work */ if (EVP_MD_xof(md)) { ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED); 
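Review bot: The `if (md_nid == NID_undef)` rejection stays unconditional in `dsa_setup_md()` while the `ecdsa_sig.c` hunk in this same commit wraps the identical check in `#ifdef FIPS_MODULE`, so a digest without a NID is now accepted for ECDSA but still refused for DSA in the default provider. If that asymmetry is deliberate, a one-line comment before the check, e.g. `/* DSA signing still requires a digest with a NID (no AID can be built otherwise) */`, would stop the next reader from "fixing" it; if not, the same FIPS-only treatment applies here. A smaller point of order: the `mdname_len >= sizeof(ctx->mdname)` test depends only on the argument and could run before `EVP_MD_fetch()`, avoiding a fetch that is immediately discarded. The enclosing function continues outside the hunk.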
@@ -237,16 +239,22 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, EVP_MD_free(ctx->md); ctx->aid_len = 0; - if (WPACKET_init_der(&pkt, ctx->aid_buf, sizeof(ctx->aid_buf)) - && ossl_DER_w_algorithmIdentifier_ECDSA_with_MD(&pkt, -1, ctx->ec, - md_nid) - && WPACKET_finish(&pkt)) { - WPACKET_get_total_written(&pkt, &ctx->aid_len); - aid = WPACKET_get_curr(&pkt); +#ifndef FIPS_MODULE + if (md_nid != NID_undef) { +#else + { +#endif + if (WPACKET_init_der(&pkt, ctx->aid_buf, sizeof(ctx->aid_buf)) + && ossl_DER_w_algorithmIdentifier_ECDSA_with_MD(&pkt, -1, ctx->ec, + md_nid) + && WPACKET_finish(&pkt)) { + WPACKET_get_total_written(&pkt, &ctx->aid_len); + aid = WPACKET_get_curr(&pkt); + } + WPACKET_cleanup(&pkt); + if (aid != NULL && ctx->aid_len != 0) + memmove(ctx->aid_buf, aid, ctx->aid_len); } - WPACKET_cleanup(&pkt); - if (aid != NULL && ctx->aid_len != 0) - memmove(ctx->aid_buf, aid, ctx->aid_len); ctx->mdctx = NULL; ctx->md = md; From 69fa61b08253a991e5553f35bd9fdaf8dc9aec43 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 20 Mar 2025 21:25:07 +0100 Subject: [PATCH 0042/1171] Test EVP_DigestSignInit() with ECDSA and KECCAK-256 hash Reviewed-by: Paul Dale Reviewed-by: Dmitry Belyavskiy Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/27107) --- test/evp_extra_test.c | 43 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c index 9e96d80a3e01f..175f37bd0c579 100644 --- a/test/evp_extra_test.c +++ b/test/evp_extra_test.c 
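Review bot: The `#ifndef FIPS_MODULE` / `#else` pair that opens a brace in both branches is hard to read and appears unnecessary: in a FIPS build the earlier hunk of this function already does `goto err` when `md_nid == NID_undef`, so `if (md_nid != NID_undef) {` is always true there and can be used unconditionally in both builds. That also makes the consequence explicit, which deserves a comment at the condition since it is a behaviour change for callers, e.g. `/* No AlgorithmIdentifier can be built for a digest without a NID; ctx->aid_len stays 0 and consumers that need the AID (e.g. certificate signing) will fail later */`. `ecdsa_setup_md()` starts outside the hunk.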
@@ -2017,6 +2017,46 @@ static int test_EVP_DigestVerifyInit(void) return ret; } +#ifndef OPENSSL_NO_EC +static int test_ecdsa_digestsign_keccak(void) +{ + int ret = 0; + EVP_PKEY *pkey = NULL; + EVP_MD_CTX *ctx = NULL; + EVP_MD *md = NULL; + + if (nullprov != NULL) + return TEST_skip("Test does not support a non-default library context"); + + pkey = load_example_ec_key(); + if (!TEST_ptr(pkey)) + goto err; + + /* This would not work with FIPS provider so just use NULL libctx */ + md = EVP_MD_fetch(NULL, "KECCAK-256", NULL); + if (!TEST_ptr(md)) + goto err; + + ctx = EVP_MD_CTX_new(); + if (!TEST_ptr(ctx)) + goto err; + + /* + * Just check EVP_DigestSignInit_ex() works. + */ + if (!TEST_true(EVP_DigestSignInit(ctx, NULL, md, NULL, pkey))) + goto err; + + ret = 1; + err: + EVP_MD_CTX_free(ctx); + EVP_PKEY_free(pkey); + EVP_MD_free(md); + + return ret; +} +#endif + #ifndef OPENSSL_NO_SIPHASH /* test SIPHASH MAC via EVP_PKEY with non-default parameters and reinit */ static int test_siphash_digestsign(void) @@ -6709,6 +6749,9 @@ int setup_tests(void) ADD_TEST(test_EVP_set_default_properties); ADD_ALL_TESTS(test_EVP_DigestSignInit, 30); ADD_TEST(test_EVP_DigestVerifyInit); +#ifndef OPENSSL_NO_EC + ADD_TEST(test_ecdsa_digestsign_keccak); +#endif #ifndef OPENSSL_NO_SIPHASH ADD_TEST(test_siphash_digestsign); #endif From 681528cbc41278a7bdc662cdb1ab286e07170a90 Mon Sep 17 00:00:00 2001 From: Viktor Dukhovni Date: Sun, 23 Mar 2025 18:50:39 +1100 Subject: [PATCH 0043/1171] Report IANA sigalg name in s_client Reviewed-by: Dmitry Belyavskiy Reviewed-by: Paul Dale Reviewed-by: Paul Yang Reviewed-by: Nicola Tuveri Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/27128) --- apps/lib/s_cb.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/apps/lib/s_cb.c b/apps/lib/s_cb.c index 5aa57ea5fd431..9641e369e6219 100644 --- a/apps/lib/s_cb.c +++ b/apps/lib/s_cb.c 
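Review bot: The comment `Just check EVP_DigestSignInit_ex() works.` does not match the call below it, which is `EVP_DigestSignInit()`; the comment should name the function actually exercised. The test also stops at init, so the signing path that the `ecdsa_sig.c` change enables for a NID-less digest (the one where `ctx->aid_len` stays 0) is never run; following the init with an `EVP_DigestSign()` round trip on a short message, and asserting verification succeeds, would pin the behaviour the commit claims. Since `nullprov` and `load_example_ec_key()` come from elsewhere in the file, the skip condition is only as good as that fixture, which is worth a word in the comment.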
@@ -328,6 +328,7 @@ static int do_print_sigalgs(BIO *out, SSL *s, int shared) int ssl_print_sigalgs(BIO *out, SSL *s) { + const char *name; int nid; if (!SSL_is_server(s)) @@ -336,7 +337,9 @@ int ssl_print_sigalgs(BIO *out, SSL *s) do_print_sigalgs(out, s, 1); if (SSL_get_peer_signature_nid(s, &nid) && nid != NID_undef) BIO_printf(out, "Peer signing digest: %s\n", OBJ_nid2sn(nid)); - if (SSL_get_peer_signature_type_nid(s, &nid)) + if (SSL_get0_peer_signature_name(s, &name)) + BIO_printf(out, "Peer signature type: %s\n", name); + else if (SSL_get_peer_signature_type_nid(s, &nid)) BIO_printf(out, "Peer signature type: %s\n", get_sigtype(nid)); return 1; } From b6dceb36e8f46c7f74db5882322eda062227ab6e Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 28 Feb 2025 17:39:50 +0000 Subject: [PATCH 0044/1171] Enable AES-GCM unroll8/unroll12 for Neoverse N3/V3 Reviewed-by: Paul Dale Reviewed-by: Tom Cosgrove (Merged from https://github.com/openssl/openssl/pull/27112) --- crypto/arm_arch.h | 2 ++ crypto/armcap.c | 3 +++ 2 files changed, 5 insertions(+) diff --git a/crypto/arm_arch.h b/crypto/arm_arch.h index acd8aee4d5195..00586f212fa33 100644 --- a/crypto/arm_arch.h +++ b/crypto/arm_arch.h @@ -112,6 +112,8 @@ extern unsigned int OPENSSL_armv8_rsa_neonized; # define ARM_CPU_PART_N2 0xD49 # define HISI_CPU_PART_KP920 0xD01 # define ARM_CPU_PART_V2 0xD4F +# define ARM_CPU_PART_N3 0xD8E +# define ARM_CPU_PART_V3 0xD84 # define APPLE_CPU_PART_M1_ICESTORM 0x022 # define APPLE_CPU_PART_M1_FIRESTORM 0x023 diff --git a/crypto/armcap.c b/crypto/armcap.c index 7c5a127523acb..d42305b3d5e98 100644 --- a/crypto/armcap.c +++ b/crypto/armcap.c 
@@ -422,11 +422,14 @@ void OPENSSL_cpuid_setup(void) MIDR_IS_CPU_MODEL(OPENSSL_arm_midr, ARM_CPU_IMP_ARM, ARM_CPU_PART_N2) || MIDR_IS_CPU_MODEL(OPENSSL_arm_midr, ARM_CPU_IMP_MICROSOFT, MICROSOFT_CPU_PART_COBALT_100) || MIDR_IS_CPU_MODEL(OPENSSL_arm_midr, ARM_CPU_IMP_ARM, ARM_CPU_PART_V2) || + MIDR_IS_CPU_MODEL(OPENSSL_arm_midr, ARM_CPU_IMP_ARM, ARM_CPU_PART_N3) || + MIDR_IS_CPU_MODEL(OPENSSL_arm_midr, ARM_CPU_IMP_ARM, ARM_CPU_PART_V3) || MIDR_IMPLEMENTER(OPENSSL_arm_midr) == ARM_CPU_IMP_AMPERE) && (OPENSSL_armcap_P & ARMV8_SHA3)) OPENSSL_armcap_P |= ARMV8_UNROLL8_EOR3; if ((MIDR_IS_CPU_MODEL(OPENSSL_arm_midr, ARM_CPU_IMP_ARM, ARM_CPU_PART_V1) || MIDR_IS_CPU_MODEL(OPENSSL_arm_midr, ARM_CPU_IMP_ARM, ARM_CPU_PART_V2) || + MIDR_IS_CPU_MODEL(OPENSSL_arm_midr, ARM_CPU_IMP_ARM, ARM_CPU_PART_V3) || MIDR_IMPLEMENTER(OPENSSL_arm_midr) == ARM_CPU_IMP_AMPERE) && (OPENSSL_armcap_P & ARMV8_SHA3)) OPENSSL_armcap_P |= ARMV8_UNROLL12_EOR3; From e5e4cf41c7af9b533265efb05e81ce1c56d58601 Mon Sep 17 00:00:00 2001 From: jay9827342 <2a0ncegrosykzhbde9gy3ybw0qcet@brukerfeil.eu> Date: Fri, 21 Mar 2025 09:39:49 +0000 Subject: [PATCH 0045/1171] Memory leak fix ktls_meth.c The OSSL_RECORD_LAYER needs to be properly freed when return code isnt success. Memory leak fix CLA: trivial Reviewed-by: Matt Caswell Reviewed-by: Paul Yang Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/27111) --- ssl/record/methods/ktls_meth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ssl/record/methods/ktls_meth.c b/ssl/record/methods/ktls_meth.c index 33c7140e151f0..096beee3c725c 100644 --- a/ssl/record/methods/ktls_meth.c +++ b/ssl/record/methods/ktls_meth.c @@ -431,7 +431,7 @@ ktls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers, taglen, mactype, md, comp); if (ret != OSSL_RECORD_RETURN_SUCCESS) { - OPENSSL_free(*retrl); + tls_free(*retrl); *retrl = NULL; } else { /* From da8de0e8dd3e09655cd17ef700359c63acdc9cd4 Mon Sep 17 00:00:00 2001 
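Review bot: `ARM_CPU_PART_N3` is added to the `ARMV8_UNROLL8_EOR3` condition but not to the `ARMV8_UNROLL12_EOR3` one, while `ARM_CPU_PART_V3` is added to both; nothing in the hunk says whether leaving N3 out of the 12-way unroll is a measured choice or an omission. If it is deliberate, a comment on the second condition, e.g. `/* N3 intentionally excluded: unroll12 was not a win there */`, would prevent it being "fixed" later. The part numbers themselves live in `arm_arch.h` and cannot be checked from this page; the commit message should cite where they come from. `OPENSSL_cpuid_setup()` starts outside the hunk.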
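Review bot: Switching the error path from `OPENSSL_free(*retrl)` to `tls_free(*retrl)` is the right fix for the leak, but it now runs the full record-layer destructor on an object that the preceding call left partially initialised (the `ret != OSSL_RECORD_RETURN_SUCCESS` case). That is only safe if `tls_free()` tolerates every member still being NULL or zero; that function is outside the hunk, so please confirm it, and consider a comment here such as `/* tls_free() must cope with a partially set up layer */` so the invariant is not lost if either side changes. `ktls_new_record_layer()` starts and ends outside the hunk.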
From: Jon Ericson Date: Fri, 14 Mar 2025 09:44:55 -0700 Subject: [PATCH 0046/1171] Change documentation to point to new wiki location Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/27081) --- CHANGES.md | 4 ++-- NEWS.md | 2 +- README.md | 9 ++++----- demos/sslecho/A-SSL-Docs.txt | 4 ++-- doc/man7/ossl-guide-introduction.pod | 2 +- doc/man7/ossl-guide-migration.pod | 4 ++-- 6 files changed, 12 insertions(+), 13 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 13c4326de3043..e2357a030095a 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -4531,7 +4531,7 @@ OpenSSL 1.1.1 * Support for TLSv1.3 added. Note that users upgrading from an earlier version of OpenSSL should review their configuration settings to ensure that they are still appropriate for TLSv1.3. For further information see: - + *Matt Caswell* @@ -5819,7 +5819,7 @@ OpenSSL 1.1.0 * The GOST engine was out of date and therefore it has been removed. An up to date GOST engine is now being maintained in an external repository. - See: . Libssl still retains + See: . Libssl still retains support for GOST ciphersuites (these are only activated if a GOST engine is present). diff --git a/NEWS.md b/NEWS.md index e3d9935edeacf..309d01d9c530d 100644 --- a/NEWS.md +++ b/NEWS.md @@ -705,7 +705,7 @@ OpenSSL 1.1.1 * Rewrite of the packet construction code for "safer" packet handling * Rewrite of the extension handling code For further important information, see the [TLS1.3 page]( - https://wiki.openssl.org/index.php/TLS1.3) in the OpenSSL Wiki. + https://github.com/openssl/openssl/wiki/TLS1.3) in the OpenSSL Wiki. * Complete rewrite of the OpenSSL random number generator to introduce the following capabilities diff --git a/README.md b/README.md index 17f449fda3b84..e95b9e141ef43 100644 --- a/README.md +++ b/README.md 
@@ -164,8 +164,7 @@ There are numerous source code demos for using various OpenSSL capabilities in t Wiki ---- -There is a Wiki at [wiki.openssl.org] which is currently not very active. -It contains a lot of useful information, not all of which is up-to-date. +There is a [GitHub Wiki] which is currently not very active. License ======= @@ -214,8 +213,8 @@ All rights reserved. "OpenSSL GitHub Mirror" -[wiki.openssl.org]: - +[GitHub Wiki]: + "OpenSSL Wiki" [ossl-guide-migration(7ossl)]: @@ -232,7 +231,7 @@ All rights reserved. [Binaries]: - + "List of third party OpenSSL binaries" [OpenSSL Guide]: diff --git a/demos/sslecho/A-SSL-Docs.txt b/demos/sslecho/A-SSL-Docs.txt index 865960e4bde51..8178d608de14d 100644 --- a/demos/sslecho/A-SSL-Docs.txt +++ b/demos/sslecho/A-SSL-Docs.txt @@ -4,9 +4,9 @@ OpenSSL API Documentation: https://www.openssl.org/docs Github: https://github.com/openssl/openssl -OpenSSL Wiki: https://wiki.openssl.org/index.php/Main_Page +OpenSSL Wiki: https://github.com/openssl/openssl/wiki -Original Simple Server: https://wiki.openssl.org/index.php/Simple_TLS_Server +Original Simple Server: https://github.com/openssl/openssl/wiki/Simple_TLS_Server --------------------------------------------------------------- diff --git a/doc/man7/ossl-guide-introduction.pod b/doc/man7/ossl-guide-introduction.pod index 26d26fd1a3b9a..2211473d29b42 100644 --- a/doc/man7/ossl-guide-introduction.pod +++ b/doc/man7/ossl-guide-introduction.pod @@ -32,7 +32,7 @@ attempting to build OpenSSL from the source code. Some third parties also supply OpenSSL binaries (e.g. for Windows and some other platforms). The OpenSSL project maintains a list of these third parties at -L. +L. If you build and install OpenSSL from the source code then you should download the appropriate files for the version that you want to use from the link given diff --git a/doc/man7/ossl-guide-migration.pod b/doc/man7/ossl-guide-migration.pod index 13fa94674c4f7..aa60c129baa41 100644 
--- a/doc/man7/ossl-guide-migration.pod +++ b/doc/man7/ossl-guide-migration.pod @@ -617,13 +617,13 @@ The code needs to be amended to look like this: Support for TLSv1.3 has been added. This has a number of implications for SSL/TLS applications. See the -L for further details. +L for further details. =back More details about the breaking changes between OpenSSL versions 1.0.2 and 1.1.0 can be found on the -L. +L. =head3 Upgrading from the OpenSSL 2.0 FIPS Object Module From ee651fff142c00d5904f2764d12245543eca9f7c Mon Sep 17 00:00:00 2001 From: Bernd Edlinger Date: Mon, 24 Mar 2025 23:03:16 +0100 Subject: [PATCH 0047/1171] Fix a visual glitch in test_cms.t the newline in the newly added subtest names somehow creates another small visual glitch in the test output, that looks like: 80-test_cms.t .. 30/? 80-test_cms.t .. ok Reviewed-by: Tomas Mraz Reviewed-by: Paul Yang (Merged from https://github.com/openssl/openssl/pull/27145) --- test/recipes/80-test_cms.t | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t index fa5376b1f1913..5c967c581835a 100644 --- a/test/recipes/80-test_cms.t +++ b/test/recipes/80-test_cms.t @@ -1381,7 +1381,7 @@ subtest "encrypt to three recipients with RSA-OAEP, key only decrypt" => sub { is(compare($pt, $ptpt), 0, "compare original message with decrypted ciphertext"); }; -subtest "EdDSA tests for CMS \n" => sub { +subtest "EdDSA tests for CMS" => sub { plan tests => 2; SKIP: { @@ -1402,7 +1402,7 @@ subtest "EdDSA tests for CMS \n" => sub { } }; -subtest "ML-DSA tests for CMS \n" => sub { +subtest "ML-DSA tests for CMS" => sub { plan tests => 2; SKIP: { @@ -1423,7 +1423,7 @@ subtest "ML-DSA tests for CMS \n" => sub { } }; -subtest "SLH-DSA tests for CMS \n" => sub { +subtest "SLH-DSA tests for CMS" => sub { plan tests => 6; SKIP: { From a006b0a0894b9aa399eee91bd28ca06b281eef7e Mon Sep 17 00:00:00 2001 
From: Richard Levitte Date: Mon, 24 Mar 2025 06:25:01 +0100 Subject: [PATCH 0048/1171] In doc/man7/provider-{en,de}coder.pod, clarify where properties are defined Fixes #27126 Reviewed-by: Paul Yang Reviewed-by: Paul Dale Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/27132) --- doc/man7/provider-decoder.pod | 4 +++- doc/man7/provider-encoder.pod | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/doc/man7/provider-decoder.pod b/doc/man7/provider-decoder.pod index e968e661f7cf7..cd6ab54603257 100644 --- a/doc/man7/provider-decoder.pod +++ b/doc/man7/provider-decoder.pod @@ -110,7 +110,9 @@ it decodes. For example, an implementation that decodes an RSA key should be named "RSA". Likewise, an implementation that decodes DER data from PEM input should be named "DER". -Properties can be used to further specify details about an implementation: +Properties, as defined in the L array element of each +decoder implementation, can be used to further specify details about an +implementation: =over 4 diff --git a/doc/man7/provider-encoder.pod b/doc/man7/provider-encoder.pod index f3e9ce5b16327..1b64701d06975 100644 --- a/doc/man7/provider-encoder.pod +++ b/doc/man7/provider-encoder.pod @@ -127,7 +127,9 @@ The name of an implementation should match the type of object it handles. For example, an implementation that encodes an RSA key should be named "RSA". Likewise, an implementation that further encodes DER should be named "DER". -Properties can be used to further specify details about an implementation: +Properties, as defined in the L array element of each +decoder implementation, can be used to further specify details about an +implementation: =over 4 From 725f55e235057c463feadabbb4d23450126117fd Mon Sep 17 00:00:00 2001 
From: Tomas Mraz Date: Tue, 25 Mar 2025 10:16:30 +0100 Subject: [PATCH 0049/1171] Update provider compatibility CI to run on 3.5 branch Also drop 3.1 development branch as it is out of public support now. Reviewed-by: Matt Caswell Reviewed-by: Paul Yang Reviewed-by: Tim Hudson Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/27149) --- .github/workflows/prov-compat-label.yml | 14 +++++++------- .github/workflows/provider-compatibility.yml | 8 ++++---- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/.github/workflows/prov-compat-label.yml b/.github/workflows/prov-compat-label.yml index d3e011f1f3225..a5aa09c17659d 100644 --- a/.github/workflows/prov-compat-label.yml +++ b/.github/workflows/prov-compat-label.yml @@ -113,10 +113,6 @@ jobs: name: openssl-3.0, dir: branch-3.0, tgz: branch-3.0.tar.gz, - }, { - name: openssl-3.1, - dir: branch-3.1, - tgz: branch-3.1.tar.gz, }, { name: openssl-3.2, dir: branch-3.2, @@ -129,6 +125,10 @@ jobs: name: openssl-3.4, dir: branch-3.4, tgz: branch-3.4.tar.gz, + }, { + name: openssl-3.5, + dir: branch-3.5, + tgz: branch-3.5.tar.gz, }, { name: master, dir: branch-master, @@ -197,20 +197,20 @@ jobs: # Note that releases are not used as a test environment for # later providers. Problems in these situations ought to be # caught by cross branch testing before the release. - tree_a: [ branch-3.4, branch-3.3, branch-3.2, branch-3.1, branch-3.0, + tree_a: [ branch-3.5, branch-3.4, branch-3.3, branch-3.2, branch-3.0, openssl-3.0.0, openssl-3.0.8, openssl-3.0.9, openssl-3.1.2 ] tree_b: [ PR ] include: - tree_a: PR tree_b: branch-master + - tree_a: PR + tree_b: branch-3.5 - tree_a: PR tree_b: branch-3.4 - tree_a: PR tree_b: branch-3.3 - tree_a: PR tree_b: branch-3.2 - - tree_a: PR - tree_b: branch-3.1 - tree_a: PR tree_b: branch-3.0 steps: diff --git a/.github/workflows/provider-compatibility.yml b/.github/workflows/provider-compatibility.yml index 7ed080083f2b9..3edcab488080a 100644 
--- a/.github/workflows/provider-compatibility.yml +++ b/.github/workflows/provider-compatibility.yml @@ -115,10 +115,6 @@ jobs: name: openssl-3.0, dir: branch-3.0, tgz: branch-3.0.tar.gz, - }, { - name: openssl-3.1, - dir: branch-3.1, - tgz: branch-3.1.tar.gz, }, { name: openssl-3.2, dir: branch-3.2, @@ -131,6 +127,10 @@ jobs: name: openssl-3.4, dir: branch-3.4, tgz: branch-3.4.tar.gz, + }, { + name: openssl-3.5, + dir: branch-3.5, + tgz: branch-3.5.tar.gz, }, { name: master, dir: branch-master, From dc246cec87793843d5a725abf2c89a6e134e7939 Mon Sep 17 00:00:00 2001 From: Viktor Dukhovni Date: Mon, 24 Mar 2025 00:29:38 +1100 Subject: [PATCH 0050/1171] In s_client report 'long' certificate sigalg name This matches the sigalg output format of X509_signature_print(3). Reviewed-by: Dmitry Belyavskiy Reviewed-by: Paul Yang Reviewed-by: Tim Hudson Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/27130) --- apps/s_client.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/apps/s_client.c b/apps/s_client.c index d05976ff5bd72..d69abee95ec65 100644 --- a/apps/s_client.c +++ b/apps/s_client.c 
@@ -3386,27 +3386,29 @@ static void print_stuff(BIO *bio, SSL *s, int full) BIO_printf(bio, "---\nCertificate chain\n"); for (i = 0; i < sk_X509_num(sk); i++) { + X509 *chain_cert = sk_X509_value(sk, i); + BIO_printf(bio, "%2d s:", i); - X509_NAME_print_ex(bio, X509_get_subject_name(sk_X509_value(sk, i)), 0, get_nameopt()); + X509_NAME_print_ex(bio, X509_get_subject_name(chain_cert), 0, get_nameopt()); BIO_puts(bio, "\n"); BIO_printf(bio, " i:"); - X509_NAME_print_ex(bio, X509_get_issuer_name(sk_X509_value(sk, i)), 0, get_nameopt()); + X509_NAME_print_ex(bio, X509_get_issuer_name(chain_cert), 0, get_nameopt()); BIO_puts(bio, "\n"); public_key = X509_get_pubkey(sk_X509_value(sk, i)); if (public_key != NULL) { BIO_printf(bio, " a:PKEY: %s, %d (bit); sigalg: %s\n", - OBJ_nid2sn(EVP_PKEY_get_base_id(public_key)), + OBJ_nid2ln(EVP_PKEY_get_base_id(public_key)), EVP_PKEY_get_bits(public_key), - OBJ_nid2sn(X509_get_signature_nid(sk_X509_value(sk, i)))); + OBJ_nid2ln(X509_get_signature_nid(chain_cert))); EVP_PKEY_free(public_key); } BIO_printf(bio, " v:NotBefore: "); - ASN1_TIME_print(bio, X509_get0_notBefore(sk_X509_value(sk, i))); + ASN1_TIME_print(bio, X509_get0_notBefore(chain_cert)); BIO_printf(bio, "; NotAfter: "); - ASN1_TIME_print(bio, X509_get0_notAfter(sk_X509_value(sk, i))); + ASN1_TIME_print(bio, X509_get0_notAfter(chain_cert)); BIO_puts(bio, "\n"); if (c_showcerts) - PEM_write_bio_X509(bio, sk_X509_value(sk, i)); + PEM_write_bio_X509(bio, chain_cert); } } From 3edb1f09c62c058edf4039587ef35f6b074e0870 Mon Sep 17 00:00:00 2001 From: Andrey Tsygunka Date: Thu, 20 Mar 2025 17:45:23 +0300 Subject: [PATCH 0051/1171] Fix return value of the i2d_ASN1_bio_stream() call If the flags argument does not contain the SMIME_STREAM bit, the i2d_ASN1_bio_stream() function always returns 1, ignoring the result of the ASN1_item_i2d_bio() call. Fix the return value to the result of the ASN1_item_i2d_bio() call for this case. CLA: trivial 
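Review bot: One lookup is left inconsistent with the new `chain_cert` local: `public_key = X509_get_pubkey(sk_X509_value(sk, i));` still re-fetches the certificate while every other use in the loop was switched, so the line should read `public_key = X509_get_pubkey(chain_cert);`. The move from `OBJ_nid2sn()` to `OBJ_nid2ln()` changes the text of the `a:PKEY:` line, which scripts parsing s_client output may notice; a sentence in CHANGES.md naming the new format would be worth adding. `print_stuff()` starts outside the hunk.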
Signed-off-by: Andrey Tsygunka Reviewed-by: Nicola Tuveri Reviewed-by: Paul Yang Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/27106) --- crypto/asn1/asn_mime.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/asn1/asn_mime.c b/crypto/asn1/asn_mime.c index b3778226f9aa6..105e35fb76858 100644 --- a/crypto/asn1/asn_mime.c +++ b/crypto/asn1/asn_mime.c @@ -96,7 +96,7 @@ int i2d_ASN1_bio_stream(BIO *out, ASN1_VALUE *val, BIO *in, int flags, * internally */ else - ASN1_item_i2d_bio(it, out, val); + rv = ASN1_item_i2d_bio(it, out, val); return rv; } From 2c8103e468fa6463ef503a3dd8e6e20d1b1afec9 Mon Sep 17 00:00:00 2001 From: Chase Killorin Date: Wed, 5 Mar 2025 14:44:58 -0500 Subject: [PATCH 0052/1171] Removed duplicates in some man pages Fixes openssl/openssl#11748 find-doc-nits: Check for duplicate options Reviewed-by: Nicola Tuveri Reviewed-by: Paul Yang Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/27088) --- doc/man1/CA.pl.pod | 2 + doc/man1/openssl-ciphers.pod.in | 1 - doc/man1/openssl-cms.pod.in | 2 + doc/man1/openssl-pkcs12.pod.in | 4 +- doc/man1/openssl-rehash.pod.in | 1 + doc/man1/openssl-s_client.pod.in | 83 --------------------------- doc/man1/openssl-s_server.pod.in | 98 +------------------------------- doc/man1/openssl-smime.pod.in | 2 +- doc/man1/openssl-ts.pod.in | 2 + doc/man1/openssl.pod | 2 + util/find-doc-nits | 26 +++++++-- 11 files changed, 36 insertions(+), 187 deletions(-) diff --git a/doc/man1/CA.pl.pod b/doc/man1/CA.pl.pod index e05775cdca668..672bf7b4df5a4 100644 --- a/doc/man1/CA.pl.pod +++ b/doc/man1/CA.pl.pod @@ -6,6 +6,8 @@ CA.pl - friendlier interface for OpenSSL certificate programs =head1 SYNOPSIS +=for openssl duplicate options + B B<-?> | B<-h> | diff --git a/doc/man1/openssl-ciphers.pod.in b/doc/man1/openssl-ciphers.pod.in index 5239beca1d692..98523e40d413e 100644 --- a/doc/man1/openssl-ciphers.pod.in +++ b/doc/man1/openssl-ciphers.pod.in 
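Review bot: Assigning `rv = ASN1_item_i2d_bio(it, out, val);` is correct, but it changes the observable contract of `i2d_ASN1_bio_stream()`: the non-streaming path previously always reported success, and callers that relied on that (or ignored the return) now see the real result, so this deserves a CHANGES.md entry and a check that the function's manual page already documents 0 as a possible return. The initial value of `rv` and the streaming branch are outside the hunk, so whether both paths now report failure the same way cannot be confirmed from here; a short comment above the `else`, e.g. `/* Non-streaming case: propagate the i2d result */`, would make the intent explicit.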
@@ -17,7 +17,6 @@ B B [B<-tls1_1>] [B<-tls1_2>] [B<-tls1_3>] -[B<-s>] [B<-psk>] [B<-srp>] [B<-stdname>] diff --git a/doc/man1/openssl-cms.pod.in b/doc/man1/openssl-cms.pod.in index c0d45cb9d5161..36f1b3e4a82c0 100644 --- a/doc/man1/openssl-cms.pod.in +++ b/doc/man1/openssl-cms.pod.in @@ -7,6 +7,8 @@ openssl-cms - CMS command =head1 SYNOPSIS +=for openssl duplicate options + B B [B<-help>] diff --git a/doc/man1/openssl-pkcs12.pod.in b/doc/man1/openssl-pkcs12.pod.in index a8d765392fd02..f23d132a8fcdd 100644 --- a/doc/man1/openssl-pkcs12.pod.in +++ b/doc/man1/openssl-pkcs12.pod.in @@ -7,6 +7,8 @@ openssl-pkcs12 - PKCS#12 file command =head1 SYNOPSIS +=for openssl duplicate options + B B [B<-help>] [B<-passin> I] @@ -174,7 +176,7 @@ see the L section. =item B<-out> I The filename to write certificates and private keys to, standard output by -default. They are all written in PEM format. +default. They are all written in PEM format. =item B<-info> diff --git a/doc/man1/openssl-rehash.pod.in b/doc/man1/openssl-rehash.pod.in index 380ad6dd2a46f..9fa8ed8689611 100644 --- a/doc/man1/openssl-rehash.pod.in +++ b/doc/man1/openssl-rehash.pod.in @@ -10,6 +10,7 @@ openssl-rehash, c_rehash - Create symbolic links to files named by the hash values =head1 SYNOPSIS +=for openssl duplicate options B B diff --git a/doc/man1/openssl-s_client.pod.in b/doc/man1/openssl-s_client.pod.in index 371439e97b93c..d089bc60d80de 100644 --- a/doc/man1/openssl-s_client.pod.in +++ b/doc/man1/openssl-s_client.pod.in @@ -59,7 +59,6 @@ B B [B<-msg>] [B<-timeout>] [B<-mtu> I] -[B<-no_etm>] [B<-no_ems>] [B<-keymatexport> I