From dac42bdce1ed19e646c2adf04b27fc92a9d0e374 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Fri, 25 Aug 2023 12:04:04 +0100 Subject: [PATCH 001/324] Fix a bad merge in quic-multi-stream.c demo The function SSL_set_initial_peer_addr() got renamed to SSL_set1_initial_peer_addr(). The demo missed out on the rename when it got rebased on top of it. Reviewed-by: Hugo Landau Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21842) --- demos/guide/quic-multi-stream.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/demos/guide/quic-multi-stream.c b/demos/guide/quic-multi-stream.c index 86dc6e3502c1c..5b7c8581eb7b9 100644 --- a/demos/guide/quic-multi-stream.c +++ b/demos/guide/quic-multi-stream.c @@ -215,7 +215,7 @@ int main(void) } /* Set the IP address of the remote peer */ - if (!SSL_set_initial_peer_addr(ssl, peer_addr)) { + if (!SSL_set1_initial_peer_addr(ssl, peer_addr)) { printf("Failed to set the initial peer address\n"); goto end; } From 84a0b1b169197e3afdadcdafc9fea65361ff672f Mon Sep 17 00:00:00 2001 From: Min Zhou Date: Fri, 25 Aug 2023 18:02:47 +0800 Subject: [PATCH 002/324] Resolve assembler complains when including loongarch_arch.h The assembler will complain when we include loongarch_arch.h in an assembly file as following: crypto/loongarch_arch.h: Assembler messages: crypto/loongarch_arch.h:12: Fatal error: no match insn: extern unsigned int OPENSSL_loongarch_hwcap_P So, the sentence of `extern unsigned int OPENSSL_loongarch_hwcap_P` should be guarded with "#ifndef __ASSEMBLER__". Fixes #21838. Signed-off-by: Min Zhou Reviewed-by: Hugo Landau Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21839) --- crypto/loongarch_arch.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/crypto/loongarch_arch.h b/crypto/loongarch_arch.h index 454be913329cb..9d895fe344d94 100644 --- a/crypto/loongarch_arch.h +++ b/crypto/loongarch_arch.h 
@@ -9,7 +9,10 @@ #ifndef OSSL_CRYPTO_LOONGARCH_ARCH_H # define OSSL_CRYPTO_LOONGARCH_ARCH_H +# ifndef __ASSEMBLER__ extern unsigned int OPENSSL_loongarch_hwcap_P; +# endif + # define LOONGARCH_HWCAP_LSX (1 << 4) # define LOONGARCH_HWCAP_LASX (1 << 5) From 0f9caad5b95e901b87fe45cf85c9582071ca0b23 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 25 Aug 2023 14:24:07 +0200 Subject: [PATCH 003/324] Raise the timeout in quic_client_test.c Recently the Coveralls CI run started failing because it times out in this test. Outside of Coveralls it runs fine so assuming that this is caused by slow execution under Coveralls. Reviewed-by: Matt Caswell Reviewed-by: Hugo Landau (Merged from https://github.com/openssl/openssl/pull/21844) --- test/quic_client_test.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/quic_client_test.c b/test/quic_client_test.c index e3fe678edd528..5defd65939310 100644 --- a/test/quic_client_test.c +++ b/test/quic_client_test.c @@ -92,7 +92,7 @@ static int test_quic_client(void) for (;;) { if (ossl_time_compare(ossl_time_subtract(ossl_time_now(), start_time), - ossl_ms2time(3000)) >= 0) { + ossl_ms2time(10000)) >= 0) { TEST_error("timeout while attempting QUIC client test"); goto err; } From 1cfdbdd0d454b9b3882e364addfab920af3a29d5 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 29 Aug 2023 12:38:55 +0200 Subject: [PATCH 004/324] Update Cloudflare Quiche to fix a build issue Reviewed-by: Hugo Landau Reviewed-by: Dmitry Belyavskiy Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21885) --- cloudflare-quiche | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cloudflare-quiche b/cloudflare-quiche index 24a959abf1159..7ab6a55cfe471 160000 --- a/cloudflare-quiche +++ b/cloudflare-quiche @@ -1 +1 @@ -Subproject commit 24a959abf115923910ce18985aa199d85fb602d7 +Subproject commit 7ab6a55cfe471267d61e4d28ba43d41defcd87e0 
From 777a8a7f5d5b80919da906cdaf8825f502bcad4e Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Thu, 17 Aug 2023 08:55:52 +0100 Subject: [PATCH 005/324] QUIC: Minimally handle version negotiation packets Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21764) --- ssl/quic/quic_channel.c | 56 +++++++++++++++++++++++++++++++++++ ssl/quic/quic_channel_local.h | 7 +++++ ssl/quic/quic_wire_pkt.c | 7 +++++ 3 files changed, 70 insertions(+) diff --git a/ssl/quic/quic_channel.c b/ssl/quic/quic_channel.c index 98e1a0110fc8e..516b895d8df20 100644 --- a/ssl/quic/quic_channel.c +++ b/ssl/quic/quic_channel.c @@ -99,6 +99,8 @@ static int ch_server_on_new_conn(QUIC_CHANNEL *ch, const BIO_ADDR *peer, const QUIC_CONN_ID *peer_dcid); static void ch_on_txp_ack_tx(const OSSL_QUIC_FRAME_ACK *ack, uint32_t pn_space, void *arg); +static void ch_rx_handle_version_neg(QUIC_CHANNEL *ch, OSSL_QRX_PKT *pkt); +static void ch_raise_version_neg_failure(QUIC_CHANNEL *ch); DEFINE_LHASH_OF_EX(QUIC_SRT_ELEM); @@ -2092,6 +2094,7 @@ static int bio_addr_eq(const BIO_ADDR *a, const BIO_ADDR *b) static void ch_rx_handle_packet(QUIC_CHANNEL *ch) { uint32_t enc_level; + int old_have_processed_any_pkt = ch->have_processed_any_pkt; assert(ch->qrx_pkt != NULL); @@ -2164,6 +2167,8 @@ static void ch_rx_handle_packet(QUIC_CHANNEL *ch) */ return; + ch->have_processed_any_pkt = 1; + /* * RFC 9000 s. 17.2: "An endpoint MUST treat receipt of a packet that has a * non-zero value for [the reserved bits] after removing both packet and 
@@ -2281,12 +2286,63 @@ static void ch_rx_handle_packet(QUIC_CHANNEL *ch) ossl_quic_handle_frames(ch, ch->qrx_pkt); /* best effort */ break; + case QUIC_PKT_TYPE_VERSION_NEG: + /* + * "A client MUST discard any Version Negotiation packet if it has + * received and successfully processed any other packet." + */ + if (!old_have_processed_any_pkt) + ch_rx_handle_version_neg(ch, ch->qrx_pkt); + + break; + default: assert(0); break; } } +static void ch_rx_handle_version_neg(QUIC_CHANNEL *ch, OSSL_QRX_PKT *pkt) +{ + /* + * We do not support version negotiation at this time. As per RFC 9000 s. + * 6.2., we MUST abandon the connection attempt if we receive a Version + * Negotiation packet, unless we have already successfully processed another + * incoming packet, or the packet lists the QUIC version we want to use. + */ + PACKET vpkt; + unsigned long v; + + if (!PACKET_buf_init(&vpkt, pkt->hdr->data, pkt->hdr->len)) + return; + + while (PACKET_remaining(&vpkt) > 0) { + if (!PACKET_get_net_4(&vpkt, &v)) + break; + + if ((uint32_t)v == QUIC_VERSION_1) + return; + } + + /* No match, this is a failure case. */ + ch_raise_version_neg_failure(ch); +} + +static void ch_raise_version_neg_failure(QUIC_CHANNEL *ch) +{ + QUIC_TERMINATE_CAUSE tcause = {0}; + + tcause.error_code = QUIC_ERR_CONNECTION_REFUSED; + tcause.reason = "version negotiation failure"; + tcause.reason_len = strlen(tcause.reason); + + /* + * Skip TERMINATING state; this is not considered a protocol error and we do + * not send CONNECTION_CLOSE. + */ + ch_start_terminating(ch, &tcause, 1); +} + /* * This is called by the demux when we get a packet not destined for any known * DCID. diff --git a/ssl/quic/quic_channel_local.h b/ssl/quic/quic_channel_local.h index ff861f18c7c85..8cef1372552f8 100644 --- a/ssl/quic/quic_channel_local.h +++ b/ssl/quic/quic_channel_local.h 
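Review bot: The new `case QUIC_PKT_TYPE_VERSION_NEG:` in ch_rx_handle_packet is gated only on `old_have_processed_any_pkt`, so nothing visible in this hunk restricts Version Negotiation handling to client channels. These packets carry no integrity protection and ch_raise_version_neg_failure terminates the channel immediately, so unless server channels are filtered earlier in the function (outside the hunk), one unauthenticated datagram arriving before the first processed packet would end a server-side channel. Consider `if (!ch->is_server && !old_have_processed_any_pkt)`. The quoted requirement would also benefit from naming its source the way the comment in ch_rx_handle_version_neg does, e.g. `* RFC 9000 s. 6.2: "A client MUST discard any Version Negotiation packet ..."`. ch_rx_handle_packet begins and ends outside this hunk.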
@@ -304,6 +304,13 @@ struct quic_channel_st { */ unsigned int have_received_enc_pkt : 1; + /* + * Have we successfully processed any packet, including a Version + * Negotiation packet? If so, further Version Negotiation packets should be + * ignored. + */ + unsigned int have_processed_any_pkt : 1; + /* * Have we sent literally any packet yet? If not, there is no point polling * RX. diff --git a/ssl/quic/quic_wire_pkt.c b/ssl/quic/quic_wire_pkt.c index bd218b2361106..069f0c8fa5e69 100644 --- a/ssl/quic/quic_wire_pkt.c +++ b/ssl/quic/quic_wire_pkt.c @@ -306,6 +306,13 @@ int ossl_quic_wire_decode_pkt_hdr(PACKET *pkt, hdr->data = PACKET_data(pkt); hdr->len = PACKET_remaining(pkt); + /* + * Version negotiation packets must contain an array of u32s, so it + * is invalid for their payload length to not be divisible by 4. + */ + if ((hdr->len % 4) != 0) + return 0; + /* Version negotiation packets are always fully decoded. */ hdr->partial = 0; From c5b882a80b9f5811e45e29f4492bf335e870eb35 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Thu, 17 Aug 2023 10:00:02 +0100 Subject: [PATCH 006/324] QUIC APL: Handle modes correctly Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21764) --- ssl/quic/quic_impl.c | 20 ++++++++++++++++++-- ssl/ssl_lib.c | 40 +++++++++++++++++++++++++++++----------- ssl/ssl_local.h | 2 ++ 3 files changed, 49 insertions(+), 13 deletions(-) diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c index 71bd5e865b525..2314cbb819c0f 100644 --- a/ssl/quic/quic_impl.c +++ b/ssl/quic/quic_impl.c 
@@ -1306,9 +1306,25 @@ long ossl_quic_ctrl(SSL *s, int cmd, long larg, void *parg) case DTLS_CTRL_HANDLE_TIMEOUT: /* DTLSv1_handle_timeout */ /* For legacy compatibility with DTLS calls. */ return ossl_quic_handle_events(s) == 1 ? 1 : -1; + + /* Mask ctrls we shouldn't support for QUIC. */ + case SSL_CTRL_GET_READ_AHEAD: + case SSL_CTRL_SET_READ_AHEAD: + case SSL_CTRL_SET_MAX_SEND_FRAGMENT: + case SSL_CTRL_SET_SPLIT_SEND_FRAGMENT: + case SSL_CTRL_SET_MAX_PIPELINES: + return 0; + default: - /* Probably a TLS related ctrl. Defer to our internal SSL object */ - return SSL_ctrl(ctx.qc->tls, cmd, larg, parg); + /* + * Probably a TLS related ctrl. Send back to the frontend SSL_ctrl + * implementation. Either SSL_ctrl will handle it itself by direct + * access into handshake layer state, or failing that, it will be passed + * to the handshake layer via the SSL_METHOD vtable. If the ctrl is not + * supported by anything, the handshake layer's ctrl method will finally + * return 0. + */ + return ossl_ctrl_internal(&ctx.qc->ssl, cmd, larg, parg, /*no_quic=*/1); } } diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index bda6a9c7beef2..06efb4380acf5 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c 
@@ -2899,22 +2899,37 @@ int SSL_new_session_ticket(SSL *s) } long SSL_ctrl(SSL *s, int cmd, long larg, void *parg) +{ + return ossl_ctrl_internal(s, cmd, larg, parg, /*no_quic=*/0); +} + +long ossl_ctrl_internal(SSL *s, int cmd, long larg, void *parg, int no_quic) { long l; SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s); - /* TODO(QUIC FUTURE): Special handling for some ctrls will be needed */ - if (sc == NULL) - return 0; + /* + * Routing of ctrl calls for QUIC is a little counterintuitive: + * + * - Firstly (no_quic=0), we pass the ctrl directly to our QUIC + * implementation in case it wants to handle the ctrl specially. + * + * - If our QUIC implementation does not care about the ctrl, it + * will reenter this function with no_quic=1 and we will try to handle + * it directly using the QCSO SSL object stub (not the handshake layer + * SSL object). This is important for e.g. the version configuration + * ctrls below, which must use s->defltmeth (and not sc->defltmeth). + * + * - If we don't handle a ctrl here specially, then processing is + * redirected to the handshake layer SSL object. + */ + if (!no_quic && IS_QUIC(s)) + return s->method->ssl_ctrl(s, cmd, larg, parg); switch (cmd) { case SSL_CTRL_GET_READ_AHEAD: - if (IS_QUIC(s)) - return 0; return RECORD_LAYER_get_read_ahead(&sc->rlayer); case SSL_CTRL_SET_READ_AHEAD: - if (IS_QUIC(s)) - return 0; l = RECORD_LAYER_get_read_ahead(&sc->rlayer); RECORD_LAYER_set_read_ahead(&sc->rlayer, larg); return l; @@ -2945,7 +2960,7 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg) sc->max_cert_list = (size_t)larg; return l; case SSL_CTRL_SET_MAX_SEND_FRAGMENT: - if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH || IS_QUIC(s)) + if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH) return 0; #ifndef OPENSSL_NO_KTLS if (sc->wbio != NULL && BIO_get_ktls_send(sc->wbio)) 
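Review bot: ossl_ctrl_internal no longer returns early when `SSL_CONNECTION_FROM_SSL(s)` yields NULL: the removed `if (sc == NULL) return 0;` has no replacement, yet the first cases of the switch dereference `sc->rlayer` unconditionally. A non-QUIC `s` for which that lookup fails now skips the new QUIC redirect and reaches the dereference, where SSL_ctrl previously returned 0. Restore the guard directly after the redirect, `if (sc == NULL) return 0;`, so that the QUIC dispatch still runs first but every `sc->` access below it is covered. The function body continues outside this hunk.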
@@ -2957,12 +2972,12 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg) sc->rlayer.wrlmethod->set_max_frag_len(sc->rlayer.wrl, larg); return 1; case SSL_CTRL_SET_SPLIT_SEND_FRAGMENT: - if ((size_t)larg > sc->max_send_fragment || larg == 0 || IS_QUIC(s)) + if ((size_t)larg > sc->max_send_fragment || larg == 0) return 0; sc->split_send_fragment = larg; return 1; case SSL_CTRL_SET_MAX_PIPELINES: - if (larg < 1 || larg > SSL_MAX_PIPELINES || IS_QUIC(s)) + if (larg < 1 || larg > SSL_MAX_PIPELINES) return 0; sc->max_pipelines = larg; if (sc->rlayer.rrlmethod->set_max_pipelines != NULL) @@ -3007,7 +3022,10 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_GET_MAX_PROTO_VERSION: return sc->max_proto_version; default: - return s->method->ssl_ctrl(s, cmd, larg, parg); + if (IS_QUIC(s)) + return SSL_ctrl((SSL *)sc, cmd, larg, parg); + else + return s->method->ssl_ctrl(s, cmd, larg, parg); } } diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index 4da83ab6928ea..96d2f307616e2 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -2999,6 +2999,8 @@ void ossl_ssl_set_custom_record_layer(SSL_CONNECTION *s, const OSSL_RECORD_METHOD *meth, void *rlarg); +long ossl_ctrl_internal(SSL *s, int cmd, long larg, void *parg, int no_quic); + /* * Options which no longer have any effect, but which can be implemented * as no-ops for QUIC. From 413a427c2a7743474f57d5799f42de5357ceace2 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Thu, 17 Aug 2023 18:31:15 +0100 Subject: [PATCH 007/324] QUIC QRX: Initialise all RXE fields properly for non-encrypted packets Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21764) --- ssl/quic/quic_record_rx.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/ssl/quic/quic_record_rx.c b/ssl/quic/quic_record_rx.c index bb94d3085e06c..e4705a1cce85a 100644 --- a/ssl/quic/quic_record_rx.c +++ b/ssl/quic/quic_record_rx.c 
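Review bot: In the new `default:` branch, `SSL_ctrl((SSL *)sc, cmd, larg, parg)` turns an SSL_CONNECTION pointer into an SSL pointer by cast, which is valid only while the embedded SSL object stays the first member of the structure. Taking the member's address states the intent and survives a layout change, e.g. `return SSL_ctrl(SSL_CONNECTION_GET_SSL(sc), cmd, larg, parg);`, in line with the `&ctx.qc->ssl` form this commit uses in quic_impl.c. A one-line comment that the call re-enters SSL_ctrl on the handshake-layer object (presumably not itself QUIC, so the recursion stops after one level) would help the next reader. The enclosing function starts outside this hunk.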
@@ -873,6 +873,13 @@ static int qrx_process_pkt(OSSL_QRX *qrx, QUIC_URXE *urxe, rxe->hdr.data = rxe_data(rxe); rxe->pn = QUIC_PN_INVALID; + rxe->data_len = rxe->hdr.len; + rxe->datagram_len = datagram_len; + rxe->key_epoch = 0; + rxe->peer = urxe->peer; + rxe->local = urxe->local; + rxe->time = urxe->time; + /* Move RXE to pending. */ ossl_list_rxe_remove(&qrx->rx_free, rxe); ossl_list_rxe_insert_tail(&qrx->rx_pending, rxe); From a1d2a9d12d269ba551b1d2d3bc825aedad8984c9 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Thu, 17 Aug 2023 18:32:16 +0100 Subject: [PATCH 008/324] QUIC MULTISTREAM TEST: Fix connect-or-fail Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21764) --- test/quic_multistream_test.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/test/quic_multistream_test.c b/test/quic_multistream_test.c index ba973ed11ea86..42221880d1702 100644 --- a/test/quic_multistream_test.c +++ b/test/quic_multistream_test.c @@ -987,12 +987,13 @@ static int run_script_worker(struct helper *h, const struct script_op *script, connect_started = 1; ret = SSL_connect(h->c_conn); - if (!TEST_true((ret == 1 || op->arg1 > 0) - || (!h->blocking && is_want(h->c_conn, ret)))) - goto out; + if (ret != 1) { + if (!h->blocking && is_want(h->c_conn, ret)) + SPIN_AGAIN(); - if (!h->blocking && ret < 0) - SPIN_AGAIN(); + if (op->arg1 == 0 && !TEST_int_eq(ret, 1)) + goto out; + } } break; From de85ec03f5c6044fae8f2d1812d59aab0687b12a Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Thu, 24 Aug 2023 07:48:08 +0100 Subject: [PATCH 009/324] QUIC RXDP: Handle PING correctly Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21764) --- ssl/quic/quic_rx_depack.c | 31 ++++++++++++++----------------- 1 file changed, 14 insertions(+), 17 deletions(-) diff --git a/ssl/quic/quic_rx_depack.c b/ssl/quic/quic_rx_depack.c index 3ef4798111409..55712edabe10f 100644 
--- a/ssl/quic/quic_rx_depack.c +++ b/ssl/quic/quic_rx_depack.c @@ -42,6 +42,7 @@ static int depack_do_frame_padding(PACKET *pkt) } static int depack_do_frame_ping(PACKET *pkt, QUIC_CHANNEL *ch, + uint32_t enc_level, OSSL_ACKM_RX_PKT *ackm_data) { /* We ignore this frame, apart from eliciting an ACK */ @@ -53,6 +54,7 @@ static int depack_do_frame_ping(PACKET *pkt, QUIC_CHANNEL *ch, return 0; } + ossl_quic_tx_packetiser_schedule_ack_eliciting(ch->txp, enc_level); return 1; } @@ -1034,10 +1036,11 @@ static int depack_do_frame_handshake_done(PACKET *pkt, /* Main frame processor */ static int depack_process_frames(QUIC_CHANNEL *ch, PACKET *pkt, - OSSL_QRX_PKT *parent_pkt, int packet_space, + OSSL_QRX_PKT *parent_pkt, uint32_t enc_level, OSSL_TIME received, OSSL_ACKM_RX_PKT *ackm_data) { uint32_t pkt_type = parent_pkt->hdr->type; + uint32_t packet_space = ossl_quic_enc_level_to_pn_space(enc_level); if (PACKET_remaining(pkt) == 0) { /* @@ -1098,7 +1101,7 @@ static int depack_process_frames(QUIC_CHANNEL *ch, PACKET *pkt, switch (frame_type) { case OSSL_QUIC_FRAME_TYPE_PING: /* Allowed in all packet types */ - if (!depack_do_frame_ping(pkt, ch, ackm_data)) + if (!depack_do_frame_ping(pkt, ch, enc_level, ackm_data)) return 0; break; case OSSL_QUIC_FRAME_TYPE_PADDING: @@ -1400,6 +1403,8 @@ int ossl_quic_handle_frames(QUIC_CHANNEL *ch, OSSL_QRX_PKT *qpacket) { PACKET pkt; OSSL_ACKM_RX_PKT ackm_data; + uint32_t enc_level; + /* * ok has three states: * -1 error with ackm_data uninitialized 
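Review bot: depack_do_frame_ping now passes `enc_level` to ossl_quic_tx_packetiser_schedule_ack_eliciting, whose prototype is not visible on this page. The same commit treats encryption levels and packet number spaces as different numberings (`packet_space = ossl_quic_enc_level_to_pn_space(enc_level)` in depack_process_frames). If the packetiser indexes this request by PN space, the 0-RTT and 1-RTT levels would select the wrong slot, so please confirm the parameter's meaning. If it is a PN space, the call should read `ossl_quic_tx_packetiser_schedule_ack_eliciting(ch->txp, ossl_quic_enc_level_to_pn_space(enc_level));`.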
@@ -1419,30 +1424,22 @@ int ossl_quic_handle_frames(QUIC_CHANNEL *ch, OSSL_QRX_PKT *qpacket) */ ackm_data.pkt_num = qpacket->pn; ackm_data.time = qpacket->time; - switch (qpacket->hdr->type) { - case QUIC_PKT_TYPE_INITIAL: - ackm_data.pkt_space = QUIC_PN_SPACE_INITIAL; - break; - case QUIC_PKT_TYPE_HANDSHAKE: - ackm_data.pkt_space = QUIC_PN_SPACE_HANDSHAKE; - break; - case QUIC_PKT_TYPE_0RTT: - case QUIC_PKT_TYPE_1RTT: - ackm_data.pkt_space = QUIC_PN_SPACE_APP; - break; - default: + enc_level = ossl_quic_pkt_type_to_enc_level(qpacket->hdr->type); + if (enc_level >= QUIC_ENC_LEVEL_NUM) /* * Retry and Version Negotiation packets should not be passed to this * function. */ goto end; - } - ok = 0; /* Still assume the worst */ + + ok = 0; /* Still assume the worst */ + ackm_data.pkt_space = ossl_quic_enc_level_to_pn_space(enc_level); /* Now that special cases are out of the way, parse frames */ if (!PACKET_buf_init(&pkt, qpacket->hdr->data, qpacket->hdr->len) || !depack_process_frames(ch, &pkt, qpacket, - ackm_data.pkt_space, qpacket->time, + enc_level, + qpacket->time, &ackm_data)) goto end; From 69169cd9faf68e6d8fb83895233c184543151168 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Thu, 17 Aug 2023 09:44:37 +0100 Subject: [PATCH 010/324] QUIC: Version negotiation testing Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21764) --- test/quic_multistream_test.c | 128 ++++++++++++++++++++++++++++++++++- test/quic_record_test.c | 5 ++ 2 files changed, 132 insertions(+), 1 deletion(-) diff --git a/test/quic_multistream_test.c b/test/quic_multistream_test.c index 42221880d1702..ba97bfd7d43c8 100644 --- a/test/quic_multistream_test.c +++ b/test/quic_multistream_test.c 
@@ -80,6 +80,8 @@ struct helper { unsigned char *buf, size_t buf_len); int (*qtf_handshake_cb)(struct helper *h, unsigned char *buf, size_t buf_len); + int (*qtf_datagram_cb)(struct helper *h, + BIO_MSG *m, size_t stride); uint64_t inject_word0, inject_word1; uint64_t scratch0, scratch1, fail_count; }; @@ -101,6 +103,8 @@ struct script_op { unsigned char *buf, size_t buf_len); int (*qtf_handshake_cb)(struct helper *h, unsigned char *buf, size_t buf_len); + int (*qtf_datagram_cb)(struct helper *h, + BIO_MSG *m, size_t stride); }; #define OPK_END 0 @@ -152,6 +156,7 @@ struct script_op { #define OPK_S_SET_INJECT_HANDSHAKE 46 #define OPK_S_NEW_TICKET 47 #define OPK_C_SKIP_IF_UNBOUND 48 +#define OPK_S_SET_INJECT_DATAGRAM 49 #define EXPECT_CONN_CLOSE_APP (1U << 0) #define EXPECT_CONN_CLOSE_REMOTE (1U << 1) @@ -286,6 +291,8 @@ struct script_op { {OPK_S_NEW_TICKET}, #define OP_C_SKIP_IF_UNBOUND(stream_name, n) \ {OPK_C_SKIP_IF_UNBOUND, NULL, (n), NULL, #stream_name}, +#define OP_S_SET_INJECT_DATAGRAM(f) \ + {OPK_S_SET_INJECT_DATAGRAM, NULL, 0, NULL, NULL, 0, NULL, NULL, (f)}, static OSSL_TIME get_time(void *arg) { @@ -779,6 +786,15 @@ static int helper_handshake_listener(QTEST_FAULT *fault, return h->qtf_handshake_cb(h, buf, buf_len); } +static int helper_datagram_listener(QTEST_FAULT *fault, + BIO_MSG *msg, size_t stride, + void *arg) +{ + struct helper *h = arg; + + return h->qtf_datagram_cb(h, msg, stride); +} + static int is_want(SSL *s, int ret) { int ec = SSL_get_error(s, ret); @@ -1599,6 +1615,17 @@ static int run_script_worker(struct helper *h, const struct script_op *script, break; + case OPK_S_SET_INJECT_DATAGRAM: + h->qtf_datagram_cb = op->qtf_datagram_cb; + + if (!TEST_true(qtest_fault_set_datagram_listener(h->qtf, + h->qtf_datagram_cb != NULL ? + helper_datagram_listener : NULL, + h))) + goto out; + + break; + case OPK_SET_INJECT_WORD: h->inject_word0 = op->arg1; h->inject_word1 = op->arg2; 
@@ -4411,6 +4438,103 @@ static const struct script_op script_73[] = { OP_END }; +/* 74. Version negotiation: QUIC_VERSION_1 ignored */ +static int generate_version_neg(WPACKET *wpkt, uint32_t version) +{ + QUIC_PKT_HDR hdr = {0}; + + hdr.type = QUIC_PKT_TYPE_VERSION_NEG; + hdr.fixed = 1; + hdr.dst_conn_id.id_len = 0; + hdr.src_conn_id.id_len = 8; + memset(hdr.src_conn_id.id, 0x55, 8); + + if (!TEST_true(ossl_quic_wire_encode_pkt_hdr(wpkt, 0, &hdr, NULL))) + return 0; + + if (!TEST_true(WPACKET_put_bytes_u32(wpkt, version))) + return 0; + + return 1; +} + +static int server_gen_version_neg(struct helper *h, BIO_MSG *msg, size_t stride) +{ + int rc = 0, have_wpkt = 0; + size_t l; + WPACKET wpkt; + BUF_MEM *buf = NULL; + uint32_t version; + + switch (h->inject_word0) { + case 0: + return 1; + case 1: + version = QUIC_VERSION_1; + break; + default: + version = 0x5432abcd; + break; + } + + if (!TEST_ptr(buf = BUF_MEM_new())) + goto err; + + if (!TEST_true(WPACKET_init(&wpkt, buf))) + goto err; + + have_wpkt = 1; + + generate_version_neg(&wpkt, version); + + if (!TEST_true(WPACKET_get_total_written(&wpkt, &l))) + goto err; + + if (!TEST_true(qtest_fault_resize_datagram(h->qtf, l))) + return 0; + + memcpy(msg->data, buf->data, l); + h->inject_word0 = 0; + + rc = 1; +err: + if (have_wpkt) + WPACKET_finish(&wpkt); + + BUF_MEM_free(buf); + return rc; +} + +static const struct script_op script_74[] = { + OP_S_SET_INJECT_DATAGRAM (server_gen_version_neg) + OP_SET_INJECT_WORD (1, 0) + + OP_C_SET_ALPN ("ossltest") + OP_C_CONNECT_WAIT () + + OP_C_SET_DEFAULT_STREAM_MODE(SSL_DEFAULT_STREAM_MODE_NONE) + + OP_C_NEW_STREAM_BIDI (a, C_BIDI_ID(0)) + OP_C_WRITE (a, "apple", 5) + OP_S_BIND_STREAM_ID (a, C_BIDI_ID(0)) + OP_S_READ_EXPECT (a, "apple", 5) + + OP_END +}; + +/* 75. 
Version negotiation: Unknown version causes connection abort */ +static const struct script_op script_75[] = { + OP_S_SET_INJECT_DATAGRAM (server_gen_version_neg) + OP_SET_INJECT_WORD (2, 0) + + OP_C_SET_ALPN ("ossltest") + OP_C_CONNECT_WAIT_OR_FAIL() + + OP_C_EXPECT_CONN_CLOSE_INFO(QUIC_ERR_CONNECTION_REFUSED,0,0) + + OP_END +}; + static const struct script_op *const scripts[] = { script_1, script_2, @@ -4484,7 +4608,9 @@ static const struct script_op *const scripts[] = { script_70, script_71, script_72, - script_73 + script_73, + script_74, + script_75 }; static int test_script(int idx) diff --git a/test/quic_record_test.c b/test/quic_record_test.c index 2521b0ce2c442..a2144744a3fe2 100644 --- a/test/quic_record_test.c +++ b/test/quic_record_test.c @@ -2753,6 +2753,11 @@ static int test_wire_pkt_hdr_actual(int tidx, int repeat, int cipher, hpr_key[8] = (unsigned char)tidx; hpr_key[9] = (unsigned char)repeat; + if (is_trunc && trunc_len > t->min_success_len + && t->hdr.type == QUIC_PKT_TYPE_VERSION_NEG + && ((trunc_len - t->min_success_len) % 4) != 0) + expect_fail = 1; + switch (cipher) { case 0: hpr_cipher_id = QUIC_HDR_PROT_CIPHER_AES_128; From 20a54aa21fc34ded577daf0bc91808b68a3b3c95 Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Tue, 22 Aug 2023 09:30:39 +0200 Subject: [PATCH 011/324] Removed unused member read_iv of ossl_record_layer_st Fixes #21732 Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21804) --- ssl/record/methods/recmethod_local.h | 2 -- 1 file changed, 2 deletions(-) diff --git a/ssl/record/methods/recmethod_local.h b/ssl/record/methods/recmethod_local.h index 86517f00626ab..bd893b5e4c089 100644 --- a/ssl/record/methods/recmethod_local.h +++ b/ssl/record/methods/recmethod_local.h 
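Review bot: server_gen_version_neg leaves through `return 0;` when qtest_fault_resize_datagram fails, bypassing the `err:` label, so `buf` is never freed and the WPACKET is never finished on that path. It should be `goto err;` like the other failure branches. The result of `generate_version_neg(&wpkt, version);` is also discarded, so an encoding failure still copies whatever was written into `msg->data`; make it `if (!TEST_true(generate_version_neg(&wpkt, version))) goto err;`. A short comment above the `switch (h->inject_word0)` explaining the three values (0 = pass through, 1 = offer QUIC_VERSION_1, anything else = unknown version) would document the contract that script_74 and script_75 rely on.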
@@ -335,8 +335,6 @@ struct ossl_record_layer_st /* TLSv1.3 fields */ /* static IV */ unsigned char iv[EVP_MAX_IV_LENGTH]; - /* static read IV */ - unsigned char read_iv[EVP_MAX_IV_LENGTH]; int allow_plain_alerts; /* TLS "any" fields */ From 2de153dc5a2565bd922b9a15955f2abca02b215e Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Tue, 22 Aug 2023 09:19:32 +0200 Subject: [PATCH 012/324] Removed unused struct ssl3_comp_st Fixes #21731 Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21803) --- ssl/ssl_local.h | 10 ---------- util/indent.pro | 1 - 2 files changed, 11 deletions(-) diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index 96d2f307616e2..e2157ab68765b 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -2163,16 +2163,6 @@ typedef struct ssl3_enc_method { */ # define SSL_ENC_FLAG_TLS1_2_CIPHERS 0x10 -# ifndef OPENSSL_NO_COMP -/* Used for holding the relevant compression methods loaded into SSL_CTX */ -typedef struct ssl3_comp_st { - int comp_id; /* The identifier byte for this compression - * type */ - char *name; /* Text name used for the compression type */ - COMP_METHOD *method; /* The method :-) */ -} SSL3_COMP; -# endif - typedef enum downgrade_en { DOWNGRADE_NONE, DOWNGRADE_TO_1_2, diff --git a/util/indent.pro b/util/indent.pro index f580b7ea5b4fe..1af494d2b56bf 100644 --- a/util/indent.pro +++ b/util/indent.pro @@ -382,7 +382,6 @@ -T SRTP_PROTECTION_PROFILE -T SSL -T TLS_BUFFER --T SSL3_COMP -T SSL3_ENC_METHOD -T TLS_RL_RECORD -T SSL3_STATE From a2608e4bc430d6216bbf36f50a29278e8759103a Mon Sep 17 00:00:00 2001 From: Kai Pastor Date: Sat, 5 Aug 2023 08:34:35 +0200 Subject: [PATCH 013/324] Set VC win64 perlasm scheme during Configure Reviewed-by: Hugo Landau Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21661) --- Configurations/10-main.conf | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) 
diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf index b1e8ce118522a..46094f59c2908 100644 --- a/Configurations/10-main.conf +++ b/Configurations/10-main.conf @@ -9,19 +9,22 @@ sub vc_win64a_info { $vc_win64a_info = { AS => "nasm", ASFLAGS => "-g", asflags => "-Ox -f win64 -DNEAR", - asoutflag => "-o " }; + asoutflag => "-o ", + perlasm_scheme => "nasm" }; } elsif ($disabled{asm}) { # assembler is still used to compile uplink shim $vc_win64a_info = { AS => "ml64", ASFLAGS => "/nologo /Zi", asflags => "/c /Cp /Cx", - asoutflag => "/Fo" }; + asoutflag => "/Fo", + perlasm_scheme => "masm" }; } else { $die->("NASM not found - make sure it's installed and available on %PATH%\n"); $vc_win64a_info = { AS => "{unknown}", ASFLAGS => "", asflags => "", - asoutflag => "" }; + asoutflag => "", + perlasm_scheme => "auto" }; } } return $vc_win64a_info; @@ -1565,7 +1568,7 @@ my %targets = ( sys_id => "WIN64A", uplink_arch => 'x86_64', asm_arch => 'x86_64', - perlasm_scheme => "auto", + perlasm_scheme => sub { vc_win64a_info()->{perlasm_scheme} }, multilib => "-x64", }, "VC-WIN32" => { From 96fe5e5f964d44dfff8667fb3c0111a25be58c87 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Tue, 22 Aug 2023 16:59:57 +0100 Subject: [PATCH 014/324] QUIC APL: Implement backpressure on stream creation Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21815) --- crypto/err/openssl.txt | 2 +- include/openssl/sslerr.h | 2 +- ssl/quic/quic_impl.c | 6 +++--- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index 3eeaa6d5d5799..b725032254e1c 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt 
@@ -1563,7 +1563,7 @@ SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH:303:ssl session id has bad length SSL_R_SSL_SESSION_ID_TOO_LONG:408:ssl session id too long SSL_R_SSL_SESSION_VERSION_MISMATCH:210:ssl session version mismatch SSL_R_STILL_IN_INIT:121:still in init -SSL_R_STREAM_COUNT_LIMITED:411:stream count limited +SSL_R_STREAM_COUNT_LIMITED:395:stream count limited SSL_R_STREAM_FINISHED:365:stream finished SSL_R_STREAM_RECV_ONLY:366:stream recv only SSL_R_STREAM_RESET:375:stream reset diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h index e1eb9a5692c25..0a4079b5c8093 100644 --- a/include/openssl/sslerr.h +++ b/include/openssl/sslerr.h @@ -290,7 +290,7 @@ # define SSL_R_SSL_SESSION_ID_TOO_LONG 408 # define SSL_R_SSL_SESSION_VERSION_MISMATCH 210 # define SSL_R_STILL_IN_INIT 121 -# define SSL_R_STREAM_COUNT_LIMITED 411 +# define SSL_R_STREAM_COUNT_LIMITED 395 # define SSL_R_STREAM_FINISHED 365 # define SSL_R_STREAM_RECV_ONLY 366 # define SSL_R_STREAM_RESET 375 diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c index 2314cbb819c0f..da4d179ccb453 100644 --- a/ssl/quic/quic_impl.c +++ b/ssl/quic/quic_impl.c @@ -1780,7 +1780,7 @@ static SSL *quic_conn_stream_new(QCTX *ctx, uint64_t flags, int need_lock) * opened. */ if (no_blocking || !qc_blocking_mode(qc)) { - QUIC_RAISE_NON_IO_ERROR(ctx, SSL_R_STREAM_COUNT_LIMITED, NULL); + QUIC_RAISE_NON_NORMAL_ERROR(ctx, SSL_R_STREAM_COUNT_LIMITED, NULL); goto err; } 
@@ -1790,10 +1790,10 @@ static SSL *quic_conn_stream_new(QCTX *ctx, uint64_t flags, int need_lock) /* Blocking mode - wait until we can get a stream. */ ret = block_until_pred(ctx->qc, quic_new_stream_wait, &args, 0); if (!quic_mutation_allowed(qc, /*req_active=*/1)) { - QUIC_RAISE_NON_IO_ERROR(ctx, SSL_R_PROTOCOL_IS_SHUTDOWN, NULL); + QUIC_RAISE_NON_NORMAL_ERROR(ctx, SSL_R_PROTOCOL_IS_SHUTDOWN, NULL); goto err; /* Shutdown before completion */ } else if (ret <= 0) { - QUIC_RAISE_NON_IO_ERROR(ctx, ERR_R_INTERNAL_ERROR, NULL); + QUIC_RAISE_NON_NORMAL_ERROR(ctx, ERR_R_INTERNAL_ERROR, NULL); goto err; /* Non-protocol error */ } } From 25a0c4b907b0dbef4f0e70bf35cd84c85aaee3ad Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Wed, 23 Aug 2023 08:25:28 +0100 Subject: [PATCH 015/324] QUIC APL: Support waiting for peer-initiated shutdown Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21815) --- doc/man3/SSL_shutdown.pod | 19 +++++++++++++++++ include/openssl/ssl.h.in | 2 ++ ssl/quic/quic_impl.c | 44 ++++++++++++++++++++++++++++++++++++--- 3 files changed, 62 insertions(+), 3 deletions(-) diff --git a/doc/man3/SSL_shutdown.pod b/doc/man3/SSL_shutdown.pod index b1a5c94fd9bcd..913b5559771ab 100644 --- a/doc/man3/SSL_shutdown.pod +++ b/doc/man3/SSL_shutdown.pod 
@@ -347,6 +347,25 @@ If an application calls SSL_shutdown_ex() with B, an application can subsequently change its mind about performing a rapid shutdown by making a subsequent call to SSL_shutdown_ex() without the flag set. +=head2 Peer-Initiated Shutdown + +In some cases, an application may wish to wait for a shutdown initiated by the +peer rather than triggered locally. To do this, call SSL_shutdown_ex() with +I specified in I. In blocking mode, this +waits until the peer initiates a shutdown or the connection otherwise becomes +terminated for another reason. In nonblocking mode it exits immediately with +either success or failure depending on whether a shutdown has occurred. + +If a locally initiated shutdown has already been triggered or the connection has +started terminating for another reason, this flag has no effect. + +=head2 Nonblocking Mode + +SSL_shutdown() and SSL_shutdown_ex() block if the connection is configured in +blocking mode. This may be overridden by specifying +B in I when calling SSL_shutdown_ex(), which +causes the call to operate as though in nonblocking mode. + =head1 RETURN VALUES For both SSL_shutdown() and SSL_shutdown_ex() the following return values can occur: diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in index 9448974403be1..37d192f7558e1 100644 --- a/include/openssl/ssl.h.in +++ b/include/openssl/ssl.h.in @@ -2312,6 +2312,8 @@ typedef struct ssl_shutdown_ex_args_st { #define SSL_SHUTDOWN_FLAG_RAPID (1U << 0) #define SSL_SHUTDOWN_FLAG_NO_STREAM_FLUSH (1U << 1) +#define SSL_SHUTDOWN_FLAG_NO_BLOCK (1U << 2) +#define SSL_SHUTDOWN_FLAG_WAIT_PEER (1U << 3) __owur int SSL_shutdown_ex(SSL *ssl, uint64_t flags, const SSL_SHUTDOWN_EX_ARGS *args, diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c index da4d179ccb453..d4eabccd37474 100644 --- a/ssl/quic/quic_impl.c +++ b/ssl/quic/quic_impl.c 
@@ -1175,6 +1175,12 @@ static int quic_shutdown_flush_wait(void *arg) || qc_shutdown_flush_finished(qc); } +static int quic_shutdown_peer_wait(void *arg) +{ + QUIC_CONNECTION *qc = arg; + return ossl_quic_channel_is_term_any(qc->ch); +} + QUIC_TAKES_LOCK int ossl_quic_conn_shutdown(SSL *s, uint64_t flags, const SSL_SHUTDOWN_EX_ARGS *args, @@ -1183,6 +1189,8 @@ int ossl_quic_conn_shutdown(SSL *s, uint64_t flags, int ret; QCTX ctx; int stream_flush = ((flags & SSL_SHUTDOWN_FLAG_NO_STREAM_FLUSH) == 0); + int no_block = ((flags & SSL_SHUTDOWN_FLAG_NO_BLOCK) != 0); + int wait_peer = ((flags & SSL_SHUTDOWN_FLAG_WAIT_PEER) != 0); if (!expect_quic(s, &ctx)) return -1; @@ -1200,11 +1208,11 @@ int ossl_quic_conn_shutdown(SSL *s, uint64_t flags, } /* Phase 1: Stream Flushing */ - if (stream_flush) { + if (!wait_peer && stream_flush) { qc_shutdown_flush_init(ctx.qc); if (!qc_shutdown_flush_finished(ctx.qc)) { - if (qc_blocking_mode(ctx.qc)) { + if (!no_block && qc_blocking_mode(ctx.qc)) { ret = block_until_pred(ctx.qc, quic_shutdown_flush_wait, ctx.qc, 0); if (ret < 1) { ret = 0; 
@@ -1222,6 +1230,35 @@ int ossl_quic_conn_shutdown(SSL *s, uint64_t flags, } /* Phase 2: Connection Closure */ + if (wait_peer && !ossl_quic_channel_is_term_any(ctx.qc->ch)) { + if (!no_block && qc_blocking_mode(ctx.qc)) { + ret = block_until_pred(ctx.qc, quic_shutdown_peer_wait, ctx.qc, 0); + if (ret < 1) { + ret = 0; + goto err; + } + } else { + ossl_quic_reactor_tick(ossl_quic_channel_get_reactor(ctx.qc->ch), 0); + } + + if (!ossl_quic_channel_is_term_any(ctx.qc->ch)) { + ret = 0; /* peer hasn't closed yet - still not done */ + goto err; + } + + /* + * We are at least terminating - go through the normal process of + * waiting until we are in the TERMINATED state. + */ + } + + /* Block mutation ops regardless of if we did stream flush. */ + ctx.qc->shutting_down = 1; + + /* + * This call is a no-op if we are already terminating, so it doesn't + * affect the wait_peer case. + */ ossl_quic_channel_local_close(ctx.qc->ch, args != NULL ? args->quic_error_code : 0, args != NULL ? args->quic_reason : NULL); @@ -1234,7 +1271,8 @@ int ossl_quic_conn_shutdown(SSL *s, uint64_t flags, } /* Phase 3: Terminating Wait Time */ - if (qc_blocking_mode(ctx.qc) && (flags & SSL_SHUTDOWN_FLAG_RAPID) == 0) { + if (!no_block && qc_blocking_mode(ctx.qc) + && (flags & SSL_SHUTDOWN_FLAG_RAPID) == 0) { ret = block_until_pred(ctx.qc, quic_shutdown_wait, ctx.qc, 0); if (ret < 1) { ret = 0; From 3bc38ba0712283bbbd57994af0259791dc42e704 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Wed, 23 Aug 2023 08:39:38 +0100 Subject: [PATCH 016/324] QUIC MULTISTREAM TEST: Test WAIT_PEER Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21815) --- include/internal/quic_tserver.h | 2 +- ssl/quic/quic_tserver.c | 4 +-- test/quic_multistream_test.c | 55 ++++++++++++++++++++++++++++----- util/quicserver.c | 3 ++ 4 files changed, 54 insertions(+), 10 deletions(-) 
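Review bot: The blocking WAIT_PEER wait added to phase 2 of ossl_quic_conn_shutdown() has no local deadline visible in this hunk: `block_until_pred(ctx.qc, quic_shutdown_peer_wait, ctx.qc, 0)` returns only once the channel is terminating, which is an event the peer controls. That matches the documentation added in the same commit, but the code should say so where the wait happens. I would add a comment above the `if (wait_peer && ...)` block such as `/* No local deadline: a blocking caller waits until the peer closes or the connection terminates for another reason; pass SSL_SHUTDOWN_FLAG_NO_BLOCK to bound the wait. */`. Whether an idle timeout always ends the wait depends on channel code outside this hunk, and the function body starts and ends outside it as well.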
diff --git a/include/internal/quic_tserver.h b/include/internal/quic_tserver.h index 45aea0abace93..b1415d5edf78e 100644 --- a/include/internal/quic_tserver.h +++ b/include/internal/quic_tserver.h @@ -182,7 +182,7 @@ OSSL_TIME ossl_quic_tserver_get_deadline(QUIC_TSERVER *srv); * Shutdown the QUIC connection. Returns 1 if the connection is terminated and * 0 otherwise. */ -int ossl_quic_tserver_shutdown(QUIC_TSERVER *srv); +int ossl_quic_tserver_shutdown(QUIC_TSERVER *srv, uint64_t app_error_code); /* Force generation of an ACK-eliciting packet. */ int ossl_quic_tserver_ping(QUIC_TSERVER *srv); diff --git a/ssl/quic/quic_tserver.c b/ssl/quic/quic_tserver.c index 366673f5cb423..a3359c21c022f 100644 --- a/ssl/quic/quic_tserver.c +++ b/ssl/quic/quic_tserver.c @@ -502,9 +502,9 @@ OSSL_TIME ossl_quic_tserver_get_deadline(QUIC_TSERVER *srv) ossl_quic_channel_get_reactor(srv->ch)); } -int ossl_quic_tserver_shutdown(QUIC_TSERVER *srv) +int ossl_quic_tserver_shutdown(QUIC_TSERVER *srv, uint64_t app_error_code) { - ossl_quic_channel_local_close(srv->ch, 0, NULL); + ossl_quic_channel_local_close(srv->ch, app_error_code, NULL); /* TODO(QUIC): !SSL_SHUTDOWN_FLAG_NO_STREAM_FLUSH */ diff --git a/test/quic_multistream_test.c b/test/quic_multistream_test.c index ba97bfd7d43c8..81e05dbf2eec2 100644 --- a/test/quic_multistream_test.c +++ b/test/quic_multistream_test.c @@ -157,6 +157,7 @@ struct script_op { #define OPK_S_NEW_TICKET 47 #define OPK_C_SKIP_IF_UNBOUND 48 #define OPK_S_SET_INJECT_DATAGRAM 49 +#define OPK_S_SHUTDOWN 50 #define EXPECT_CONN_CLOSE_APP (1U << 0) #define EXPECT_CONN_CLOSE_REMOTE (1U << 1) 
@@ -229,8 +230,8 @@ struct script_op { {OPK_C_SET_DEFAULT_STREAM_MODE, NULL, (mode), NULL, NULL}, #define OP_C_SET_INCOMING_STREAM_POLICY(policy) \ {OPK_C_SET_INCOMING_STREAM_POLICY, NULL, (policy), NULL, NULL}, -#define OP_C_SHUTDOWN_WAIT(reason) \ - {OPK_C_SHUTDOWN_WAIT, (reason), 0, NULL, NULL}, +#define OP_C_SHUTDOWN_WAIT(reason, flags) \ + {OPK_C_SHUTDOWN_WAIT, (reason), (flags), NULL, NULL}, #define OP_C_EXPECT_CONN_CLOSE_INFO(ec, app, remote) \ {OPK_C_EXPECT_CONN_CLOSE_INFO, NULL, \ ((app) ? EXPECT_CONN_CLOSE_APP : 0) | \ @@ -293,6 +294,8 @@ struct script_op { {OPK_C_SKIP_IF_UNBOUND, NULL, (n), NULL, #stream_name}, #define OP_S_SET_INJECT_DATAGRAM(f) \ {OPK_S_SET_INJECT_DATAGRAM, NULL, 0, NULL, NULL, 0, NULL, NULL, (f)}, +#define OP_S_SHUTDOWN(error_code) \ + {OPK_S_SHUTDOWN, NULL, (error_code)}, static OSSL_TIME get_time(void *arg) { @@ -1354,7 +1357,7 @@ static int run_script_worker(struct helper *h, const struct script_op *script, args.quic_reason = (const char *)op->arg0; - ret = SSL_shutdown_ex(c_tgt, 0, &args, sizeof(args)); + ret = SSL_shutdown_ex(c_tgt, op->arg1, &args, sizeof(args)); if (!TEST_int_ge(ret, 0)) goto out; @@ -1363,6 +1366,12 @@ static int run_script_worker(struct helper *h, const struct script_op *script, } break; + case OPK_S_SHUTDOWN: + { + ossl_quic_tserver_shutdown(h->s, op->arg1); + } + break; + case OPK_C_EXPECT_CONN_CLOSE_INFO: { SSL_CONN_CLOSE_INFO cc_info = {0}; @@ -1970,7 +1979,7 @@ static const struct script_op script_10[] = { OP_S_BIND_STREAM_ID (a, C_BIDI_ID(0)) OP_S_READ_EXPECT (a, "apple", 5) - OP_C_SHUTDOWN_WAIT (NULL) + OP_C_SHUTDOWN_WAIT (NULL, 0) OP_C_EXPECT_CONN_CLOSE_INFO(0, 1, 0) OP_S_EXPECT_CONN_CLOSE_INFO(0, 1, 1) @@ -3062,7 +3071,7 @@ static const struct script_op script_40[] = { OP_END_REPEAT () OP_C_CONCLUDE (a) - OP_C_SHUTDOWN_WAIT (NULL) /* disengages tick inhibition */ + OP_C_SHUTDOWN_WAIT (NULL, 0) /* disengages tick inhibition */ OP_S_BIND_STREAM_ID (a, C_BIDI_ID(0)) OP_S_READ_EXPECT (a, "apple", 5) 
@@ -3967,7 +3976,7 @@ static const struct script_op script_60[] = { OP_S_READ_EXPECT (a, "apple", 5) OP_CHECK (init_reason, 0) - OP_C_SHUTDOWN_WAIT (long_reason) + OP_C_SHUTDOWN_WAIT (long_reason, 0) OP_CHECK (check_shutdown_reason, 0) OP_END @@ -4535,6 +4544,37 @@ static const struct script_op script_75[] = { OP_END }; +/* 74. Test peer-initiated shutdown wait */ +static int script_76_check(struct helper *h, const struct script_op *op) +{ + if (!TEST_false(SSL_shutdown_ex(h->c_conn, SSL_SHUTDOWN_FLAG_WAIT_PEER, + NULL, 0))) + return 0; + + return 1; +} + +static const struct script_op script_76[] = { + OP_C_SET_ALPN ("ossltest") + OP_C_CONNECT_WAIT () + OP_C_SET_DEFAULT_STREAM_MODE(SSL_DEFAULT_STREAM_MODE_NONE) + + OP_C_NEW_STREAM_BIDI (a, C_BIDI_ID(0)) + OP_C_WRITE (a, "apple", 5) + + OP_S_BIND_STREAM_ID (a, C_BIDI_ID(0)) + OP_S_READ_EXPECT (a, "apple", 5) + + /* Check a WAIT_PEER call doesn't succeed yet. */ + OP_CHECK (script_76_check, 0) + OP_S_SHUTDOWN (42) + + OP_C_SHUTDOWN_WAIT (NULL, SSL_SHUTDOWN_FLAG_WAIT_PEER) + OP_C_EXPECT_CONN_CLOSE_INFO(42, 1, 1) + + OP_END +}; + static const struct script_op *const scripts[] = { script_1, script_2, @@ -4610,7 +4650,8 @@ static const struct script_op *const scripts[] = { script_72, script_73, script_74, - script_75 + script_75, + script_76 }; static int test_script(int idx) diff --git a/util/quicserver.c b/util/quicserver.c index c25128eaf6c3d..44d301313eb7c 100644 --- a/util/quicserver.c +++ b/util/quicserver.c @@ -242,6 +242,9 @@ int main(int argc, char *argv[]) } } while(streamid == UINT64_MAX); + while (!ossl_quic_tserver_shutdown(qtserv, 0)) + wait_for_activity(qtserv); + /* Read the request */ do { if (first) From 7ff1696e5b4d090839b0baa92c5333d482240fe0 Mon Sep 17 00:00:00 2001 
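Review bot: script_76_check() calls `SSL_shutdown_ex(h->c_conn, SSL_SHUTDOWN_FLAG_WAIT_PEER, NULL, 0)` before the server has shut down and expects 0, which returns promptly only if the client connection is in nonblocking mode. The harness mode is not visible in this hunk, so the check should not depend on it; passing `SSL_SHUTDOWN_FLAG_WAIT_PEER | SSL_SHUTDOWN_FLAG_NO_BLOCK` makes it independent of the connection's blocking mode. The comment above the function also reads `/* 74. Test peer-initiated shutdown wait */` although the script is script_76, so it should be renumbered to 76.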
From: Hugo Landau Date: Wed, 23 Aug 2023 18:36:38 +0100 Subject: [PATCH 017/324] Tweak documentation for WAIT_PEER Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21815) --- doc/man3/SSL_shutdown.pod | 3 +++ 1 file changed, 3 insertions(+) diff --git a/doc/man3/SSL_shutdown.pod b/doc/man3/SSL_shutdown.pod index 913b5559771ab..68de45e9a1397 100644 --- a/doc/man3/SSL_shutdown.pod +++ b/doc/man3/SSL_shutdown.pod @@ -359,6 +359,9 @@ either success or failure depending on whether a shutdown has occurred. If a locally initiated shutdown has already been triggered or the connection has started terminating for another reason, this flag has no effect. +B implies B, as +stream data cannot be flushed after a peer closes the connection. + =head2 Nonblocking Mode SSL_shutdown() and SSL_shutdown_ex() block if the connection is configured in From ade3baa6629b152185383605fb14d7b09483b409 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Thu, 24 Aug 2023 08:11:13 +0100 Subject: [PATCH 018/324] make update Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21815) --- crypto/err/openssl.txt | 2 +- include/openssl/sslerr.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index b725032254e1c..3eeaa6d5d5799 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -1563,7 +1563,7 @@ SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH:303:ssl session id has bad length SSL_R_SSL_SESSION_ID_TOO_LONG:408:ssl session id too long SSL_R_SSL_SESSION_VERSION_MISMATCH:210:ssl session version mismatch SSL_R_STILL_IN_INIT:121:still in init -SSL_R_STREAM_COUNT_LIMITED:395:stream count limited +SSL_R_STREAM_COUNT_LIMITED:411:stream count limited SSL_R_STREAM_FINISHED:365:stream finished SSL_R_STREAM_RECV_ONLY:366:stream recv only SSL_R_STREAM_RESET:375:stream reset 
diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h index 0a4079b5c8093..e1eb9a5692c25 100644 --- a/include/openssl/sslerr.h +++ b/include/openssl/sslerr.h @@ -290,7 +290,7 @@ # define SSL_R_SSL_SESSION_ID_TOO_LONG 408 # define SSL_R_SSL_SESSION_VERSION_MISMATCH 210 # define SSL_R_STILL_IN_INIT 121 -# define SSL_R_STREAM_COUNT_LIMITED 395 +# define SSL_R_STREAM_COUNT_LIMITED 411 # define SSL_R_STREAM_FINISHED 365 # define SSL_R_STREAM_RECV_ONLY 366 # define SSL_R_STREAM_RESET 375 From 84adf0764bf21e6be9f0a7b3c7a6b0448541bf0f Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Thu, 24 Aug 2023 14:34:04 +0100 Subject: [PATCH 019/324] Tweak documentation for WAIT_PEER Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21815) --- doc/man3/SSL_shutdown.pod | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/doc/man3/SSL_shutdown.pod b/doc/man3/SSL_shutdown.pod index 68de45e9a1397..5d59f677f1de8 100644 --- a/doc/man3/SSL_shutdown.pod +++ b/doc/man3/SSL_shutdown.pod @@ -360,7 +360,9 @@ If a locally initiated shutdown has already been triggered or the connection has started terminating for another reason, this flag has no effect. B implies B, as -stream data cannot be flushed after a peer closes the connection. +stream data cannot be flushed after a peer closes the connection. Stream data +may still be sent to the peer in any time spent waiting before the peer closes +the connection, though there is no guarantee of this. =head2 Nonblocking Mode From bd3b026faab3b5ee5aa6b52ba6eb4080bc144b28 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Fri, 25 Aug 2023 15:48:57 +0100 Subject: [PATCH 020/324] Minor fix during rebase Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21815) --- util/quicserver.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/util/quicserver.c b/util/quicserver.c index 44d301313eb7c..c25128eaf6c3d 100644 
--- a/util/quicserver.c +++ b/util/quicserver.c @@ -242,9 +242,6 @@ int main(int argc, char *argv[]) } } while(streamid == UINT64_MAX); - while (!ossl_quic_tserver_shutdown(qtserv, 0)) - wait_for_activity(qtserv); - /* Read the request */ do { if (first) From b56b034e9afc980c846a61dbf581da3c46e67952 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 28 Aug 2023 11:31:15 +0200 Subject: [PATCH 021/324] Correct the fixed size handling for dgram_pair and dgram_mem Reviewed-by: Hugo Landau Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21866) --- crypto/bio/bss_dgram_pair.c | 11 +++++++---- test/bio_dgram_test.c | 14 ++++++++++---- 2 files changed, 17 insertions(+), 8 deletions(-) diff --git a/crypto/bio/bss_dgram_pair.c b/crypto/bio/bss_dgram_pair.c index 3685d51f55d99..393af7dab444a 100644 --- a/crypto/bio/bss_dgram_pair.c +++ b/crypto/bio/bss_dgram_pair.c @@ -265,7 +265,7 @@ struct bio_dgram_pair_st { unsigned int no_trunc : 1; /* Reads fail if they would truncate */ unsigned int local_addr_enable : 1; /* Can use BIO_MSG->local? */ unsigned int role : 1; /* Determines lock order */ - unsigned int fixed_size : 1; /* Affects BIO_s_dgram_mem only */ + unsigned int grows_on_write : 1; /* Set for BIO_s_dgram_mem only */ }; #define MIN_BUF_LEN (1024) @@ -306,6 +306,8 @@ static int dgram_mem_init(BIO *bio) return 0; } + b->grows_on_write = 1; + bio->init = 1; return 1; } @@ -469,7 +471,7 @@ static int dgram_pair_ctrl_set_write_buf_size(BIO *bio, size_t len) } b->req_buf_len = len; - b->fixed_size = 1; + b->grows_on_write = 0; return 1; } @@ -1145,7 +1147,8 @@ static ossl_inline size_t compute_rbuf_growth(size_t target, size_t current) } /* Must hold local write lock */ -static size_t dgram_pair_write_inner(struct bio_dgram_pair_st *b, const uint8_t *buf, size_t sz) +static size_t dgram_pair_write_inner(struct bio_dgram_pair_st *b, + const uint8_t *buf, size_t sz) { size_t total_written = 0; 
@@ -1166,7 +1169,7 @@ static size_t dgram_pair_write_inner(struct bio_dgram_pair_st *b, const uint8_t if (dst_len == 0) { size_t new_len; - if (!b->fixed_size) /* resizeable only unless size not set explicitly */ + if (!b->grows_on_write) /* resize only if size not set explicitly */ break; /* increase the size */ new_len = compute_rbuf_growth(b->req_buf_len + sz, b->req_buf_len); diff --git a/test/bio_dgram_test.c b/test/bio_dgram_test.c index 0e2fb53103b3c..5aafe389f7056 100644 --- a/test/bio_dgram_test.c +++ b/test/bio_dgram_test.c @@ -519,6 +519,8 @@ static int test_bio_dgram_pair(int idx) } else { if (!TEST_ptr(bio1 = bio2 = BIO_new(BIO_s_dgram_mem()))) goto err; + if (idx == 1 && !TEST_true(BIO_set_write_buf_size(bio1, 20 * 1024))) + goto err; } mtu1 = BIO_dgram_get_mtu(bio1); @@ -535,7 +537,7 @@ static int test_bio_dgram_pair(int idx) if (!TEST_int_le(mtu1, sizeof(scratch) - 4)) goto err; - for (i = 0; idx == 0 || i < 9; ++i) { + for (i = 0; total < 1 * 1024 * 1024; ++i) { if (!TEST_int_eq(random_data(key, scratch, sizeof(scratch), i), 1)) goto err; @@ -548,10 +550,14 @@ static int test_bio_dgram_pair(int idx) goto err; total += blen; - if (!TEST_size_t_lt(total, 1 * 1024 * 1024)) - goto err; } + if (idx <= 1 && !TEST_size_t_lt(total, 1 * 1024 * 1024)) + goto err; + + if (idx == 2 && !TEST_size_t_ge(total, 1 * 1024 * 1024)) + goto err; + /* * Should be able to fit at least 9 datagrams in default write buffer size * in worst case @@ -766,7 +772,7 @@ int setup_tests(void) #if !defined(OPENSSL_NO_DGRAM) && !defined(OPENSSL_NO_SOCK) ADD_ALL_TESTS(test_bio_dgram, OSSL_NELEM(bio_dgram_cases)); # if !defined(OPENSSL_NO_CHACHA) - ADD_ALL_TESTS(test_bio_dgram_pair, 2); + ADD_ALL_TESTS(test_bio_dgram_pair, 3); # endif #endif From 4d5cfb229be8a52cdf961d9b7c5f6c1c0fa3b4f7 Mon Sep 17 00:00:00 2001 
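Review bot: With `grows_on_write` now set in dgram_mem_init(), the resize path in dgram_pair_write_inner() runs on every full-buffer write for a default BIO_s_dgram_mem, and nothing visible in this hunk caps `new_len`. The new idx == 2 test case in fact relies on the buffer growing past 1 MiB. If compute_rbuf_growth() has no upper limit (its body is outside the hunk), a writer that outpaces the reader makes the buffer grow until allocation fails. I would state that contract on the field, e.g. `unsigned int grows_on_write : 1; /* BIO_s_dgram_mem only: buffer grows without limit until BIO_set_write_buf_size() is called */`, so users who feed it peer-driven traffic know to set a size.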
From: "Matthias St. Pierre" Date: Mon, 28 Aug 2023 13:22:24 +0200 Subject: [PATCH 022/324] Fix misspelled deprecation macro name in comment Commit 77c30753cd replaced the convenience macros `DEPRECATEDIN_{major}_{minor}` by `OSSL_DEPRECATEDIN_{major}_{minor}` but misspelled them in the comment. Reviewed-by: Tomas Mraz Reviewed-by: Hugo Landau Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/21868) --- include/openssl/macros.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/openssl/macros.h b/include/openssl/macros.h index 4579fc8eb3df1..55b825a1f1fbc 100644 --- a/include/openssl/macros.h +++ b/include/openssl/macros.h @@ -158,7 +158,7 @@ /* * Define macros for deprecation and simulated removal purposes. * - * The macros OSSL_DEPRECATED_{major}_{minor} are always defined for + * The macros OSSL_DEPRECATEDIN_{major}_{minor} are always defined for * all OpenSSL versions we care for. They can be used as attributes * in function declarations where appropriate. * From a954f761feb9ace245ea425d3b746ec6602580f3 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Thu, 24 Aug 2023 13:02:09 +0100 Subject: [PATCH 023/324] QUIC APL: Determine if an error is an I/O error dynamically Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21829) --- ssl/quic/quic_impl.c | 150 ++++++++++++++++++++++--------------------- 1 file changed, 78 insertions(+), 72 deletions(-) diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c index d4eabccd37474..b2ab9d4c673c8 100644 --- a/ssl/quic/quic_impl.c +++ b/ssl/quic/quic_impl.c 
@@ -92,12 +92,19 @@ static OSSL_TIME get_time_cb(void *arg) * a QCSO with a default stream was passed); * - whether a QSSO was passed (xso == NULL must not be used to determine this * because it may be non-NULL when a QCSO is passed if that QCSO has a - * default stream). + * default stream); + * - whether we are in "I/O context", meaning that non-normal errors can + * be reported via SSL_get_error() as well as via ERR. Functions such as + * SSL_read(), SSL_write() and SSL_do_handshake() are "I/O context" + * functions which are allowed to change the value returned by + * SSL_get_error. However, other functions (including functions which call + * SSL_do_handshake() implicitly) are not allowed to change the return value + * of SSL_get_error. */ struct qctx_st { QUIC_CONNECTION *qc; QUIC_XSO *xso; - int is_stream; + int is_stream, in_io; }; /* @@ -128,7 +135,7 @@ static int quic_raise_normal_error(QCTX *ctx, * * ctx should be NULL if the connection lock is not held. */ -static int quic_raise_non_normal_error(QCTX *ctx, int set_last_error, +static int quic_raise_non_normal_error(QCTX *ctx, const char *file, int line, const char *func, @@ -139,9 +146,9 @@ static int quic_raise_non_normal_error(QCTX *ctx, int set_last_error, va_list args; if (ctx != NULL) { - if (set_last_error && ctx->is_stream && ctx->xso != NULL) + if (ctx->in_io && ctx->is_stream && ctx->xso != NULL) ctx->xso->last_error = SSL_ERROR_SSL; - else if (set_last_error && !ctx->is_stream && ctx->qc != NULL) + else if (ctx->in_io && !ctx->is_stream && ctx->qc != NULL) ctx->qc->last_error = SSL_ERROR_SSL; if (reason == SSL_R_PROTOCOL_IS_SHUTDOWN && ctx->qc != NULL) 
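Review bot: The new `in_io` paragraph in the comment on struct qctx_st names the I/O-context functions only by example (`SSL_read(), SSL_write() and SSL_do_handshake()`), while the hunks shown set `in_io` to 1 in exactly three places: ossl_quic_do_handshake(), quic_read() and ossl_quic_write(). ossl_quic_conn_shutdown() still goes through plain expect_quic() and therefore runs with `in_io == 0`. The comment should list the full set and state explicitly whether SSL_shutdown_ex() is meant to be outside it. Without that, a later caller has no rule for choosing the value.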
@@ -162,14 +169,7 @@ static int quic_raise_non_normal_error(QCTX *ctx, int set_last_error, quic_raise_normal_error((ctx), (err)) #define QUIC_RAISE_NON_NORMAL_ERROR(ctx, reason, msg) \ - quic_raise_non_normal_error((ctx), 1, \ - OPENSSL_FILE, OPENSSL_LINE, \ - OPENSSL_FUNC, \ - (reason), \ - (msg)) - -#define QUIC_RAISE_NON_IO_ERROR(ctx, reason, msg) \ - quic_raise_non_normal_error((ctx), 0, \ + quic_raise_non_normal_error((ctx), \ OPENSSL_FILE, OPENSSL_LINE, \ OPENSSL_FUNC, \ (reason), \ @@ -193,7 +193,7 @@ static int expect_quic(const SSL *s, QCTX *ctx) ctx->is_stream = 0; if (s == NULL) - return QUIC_RAISE_NON_IO_ERROR(NULL, ERR_R_PASSED_NULL_PARAMETER, NULL); + return QUIC_RAISE_NON_NORMAL_ERROR(NULL, ERR_R_PASSED_NULL_PARAMETER, NULL); switch (s->type) { case SSL_TYPE_QUIC_CONNECTION: @@ -201,6 +201,7 @@ static int expect_quic(const SSL *s, QCTX *ctx) ctx->qc = qc; ctx->xso = qc->default_xso; ctx->is_stream = 0; + ctx->in_io = 0; return 1; case SSL_TYPE_QUIC_XSO: @@ -208,10 +209,11 @@ static int expect_quic(const SSL *s, QCTX *ctx) ctx->qc = xso->conn; ctx->xso = xso; ctx->is_stream = 1; + ctx->in_io = 0; return 1; default: - return QUIC_RAISE_NON_IO_ERROR(NULL, ERR_R_INTERNAL_ERROR, NULL); + return QUIC_RAISE_NON_NORMAL_ERROR(NULL, ERR_R_INTERNAL_ERROR, NULL); } } @@ -227,11 +229,12 @@ static int expect_quic(const SSL *s, QCTX *ctx) */ QUIC_ACQUIRES_LOCK static int ossl_unused expect_quic_with_stream_lock(const SSL *s, int remote_init, - QCTX *ctx) + int in_io, QCTX *ctx) { if (!expect_quic(s, ctx)) return 0; + ctx->in_io = in_io; quic_lock(ctx->qc); if (ctx->xso == NULL && remote_init >= 0) { @@ -257,7 +260,7 @@ static int ossl_unused expect_quic_with_stream_lock(const SSL *s, int remote_ini } if (ctx->xso == NULL) { - QUIC_RAISE_NON_IO_ERROR(ctx, SSL_R_NO_STREAM, NULL); + QUIC_RAISE_NON_NORMAL_ERROR(ctx, SSL_R_NO_STREAM, NULL); goto err; } 
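Review bot: expect_quic() assigns `ctx->in_io = 0;` separately in the SSL_TYPE_QUIC_CONNECTION and SSL_TYPE_QUIC_XSO cases, so on the `s == NULL` and `default:` returns the field is left unset in the caller's stack QCTX. The visible callers return immediately on failure, so nothing reads it today, but the function already clears `ctx->is_stream` before the NULL check. Putting `ctx->in_io = 0;` next to that line and dropping the two per-case assignments gives every exit path a defined value. The function starts before the first hunk that touches it.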
@@ -272,13 +275,14 @@ static int ossl_unused expect_quic_with_stream_lock(const SSL *s, int remote_ini * Like expect_quic(), but fails if called on a QUIC_XSO. ctx->xso may still * be non-NULL if the QCSO has a default stream. */ -static int ossl_unused expect_quic_conn_only(const SSL *s, QCTX *ctx) +static int ossl_unused expect_quic_conn_only(const SSL *s, int in_io, QCTX *ctx) { if (!expect_quic(s, ctx)) return 0; + ctx->in_io = in_io; if (ctx->is_stream) - return QUIC_RAISE_NON_IO_ERROR(ctx, SSL_R_CONN_USE_ONLY, NULL); + return QUIC_RAISE_NON_NORMAL_ERROR(ctx, SSL_R_CONN_USE_ONLY, NULL); return 1; } @@ -352,7 +356,7 @@ SSL *ossl_quic_new(SSL_CTX *ctx) qc = OPENSSL_zalloc(sizeof(*qc)); if (qc == NULL) { - QUIC_RAISE_NON_IO_ERROR(NULL, ERR_R_CRYPTO_LIB, NULL); + QUIC_RAISE_NON_NORMAL_ERROR(NULL, ERR_R_CRYPTO_LIB, NULL); goto err; } @@ -360,13 +364,13 @@ SSL *ossl_quic_new(SSL_CTX *ctx) ssl_base = &qc->ssl; if (!ossl_ssl_init(ssl_base, ctx, ctx->method, SSL_TYPE_QUIC_CONNECTION)) { ssl_base = NULL; - QUIC_RAISE_NON_IO_ERROR(NULL, ERR_R_INTERNAL_ERROR, NULL); + QUIC_RAISE_NON_NORMAL_ERROR(NULL, ERR_R_INTERNAL_ERROR, NULL); goto err; } qc->tls = ossl_ssl_connection_new_int(ctx, TLS_method()); if (qc->tls == NULL || (sc = SSL_CONNECTION_FROM_SSL(qc->tls)) == NULL) { - QUIC_RAISE_NON_IO_ERROR(NULL, ERR_R_INTERNAL_ERROR, NULL); + QUIC_RAISE_NON_NORMAL_ERROR(NULL, ERR_R_INTERNAL_ERROR, NULL); goto err; } @@ -379,7 +383,7 @@ SSL *ossl_quic_new(SSL_CTX *ctx) #if defined(OPENSSL_THREADS) if ((qc->mutex = ossl_crypto_mutex_new()) == NULL) { - QUIC_RAISE_NON_IO_ERROR(NULL, ERR_R_CRYPTO_LIB, NULL); + QUIC_RAISE_NON_NORMAL_ERROR(NULL, ERR_R_CRYPTO_LIB, NULL); goto err; } #endif 
@@ -937,7 +941,7 @@ int ossl_quic_conn_set_blocking_mode(SSL *s, int blocking) /* Cannot enable blocking mode if we do not have pollable FDs. */ if (blocking != 0 && (!ctx.qc->can_poll_net_rbio || !ctx.qc->can_poll_net_wbio)) - return QUIC_RAISE_NON_IO_ERROR(&ctx, ERR_R_UNSUPPORTED, NULL); + return QUIC_RAISE_NON_NORMAL_ERROR(&ctx, ERR_R_UNSUPPORTED, NULL); if (!ctx.is_stream) { /* @@ -967,7 +971,7 @@ int ossl_quic_conn_set_initial_peer_addr(SSL *s, return 0; if (ctx.qc->started) - return QUIC_RAISE_NON_IO_ERROR(&ctx, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED, + return QUIC_RAISE_NON_NORMAL_ERROR(&ctx, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED, NULL); if (peer_addr == NULL) { @@ -1067,7 +1071,7 @@ int ossl_quic_get_rpoll_descriptor(SSL *s, BIO_POLL_DESCRIPTOR *desc) return 0; if (desc == NULL || ctx.qc->net_rbio == NULL) - return QUIC_RAISE_NON_IO_ERROR(&ctx, ERR_R_PASSED_INVALID_ARGUMENT, + return QUIC_RAISE_NON_NORMAL_ERROR(&ctx, ERR_R_PASSED_INVALID_ARGUMENT, NULL); return BIO_get_rpoll_descriptor(ctx.qc->net_rbio, desc); @@ -1082,7 +1086,7 @@ int ossl_quic_get_wpoll_descriptor(SSL *s, BIO_POLL_DESCRIPTOR *desc) return 0; if (desc == NULL || ctx.qc->net_wbio == NULL) - return QUIC_RAISE_NON_IO_ERROR(&ctx, ERR_R_PASSED_INVALID_ARGUMENT, + return QUIC_RAISE_NON_NORMAL_ERROR(&ctx, ERR_R_PASSED_INVALID_ARGUMENT, NULL); return BIO_get_wpoll_descriptor(ctx.qc->net_wbio, desc); @@ -1196,7 +1200,7 @@ int ossl_quic_conn_shutdown(SSL *s, uint64_t flags, return -1; if (ctx.is_stream) { - QUIC_RAISE_NON_IO_ERROR(&ctx, SSL_R_CONN_USE_ONLY, NULL); + QUIC_RAISE_NON_NORMAL_ERROR(&ctx, SSL_R_CONN_USE_ONLY, NULL); return -1; } @@ -1441,7 +1445,7 @@ static int create_channel(QUIC_CONNECTION *qc) qc->ch = ossl_quic_channel_new(&args); if (qc->ch == NULL) { - QUIC_RAISE_NON_IO_ERROR(NULL, ERR_R_INTERNAL_ERROR, NULL); + QUIC_RAISE_NON_NORMAL_ERROR(NULL, ERR_R_INTERNAL_ERROR, NULL); return 0; } 
@@ -1492,18 +1496,18 @@ static int quic_do_handshake(QCTX *ctx) if (BIO_ADDR_family(&qc->init_peer_addr) == AF_UNSPEC) { /* Peer address must have been set. */ - QUIC_RAISE_NON_IO_ERROR(ctx, SSL_R_REMOTE_PEER_ADDRESS_NOT_SET, NULL); + QUIC_RAISE_NON_NORMAL_ERROR(ctx, SSL_R_REMOTE_PEER_ADDRESS_NOT_SET, NULL); return -1; /* Non-protocol error */ } if (qc->as_server != qc->as_server_state) { - QUIC_RAISE_NON_IO_ERROR(ctx, ERR_R_PASSED_INVALID_ARGUMENT, NULL); + QUIC_RAISE_NON_NORMAL_ERROR(ctx, ERR_R_PASSED_INVALID_ARGUMENT, NULL); return -1; /* Non-protocol error */ } if (qc->net_rbio == NULL || qc->net_wbio == NULL) { /* Need read and write BIOs. */ - QUIC_RAISE_NON_IO_ERROR(ctx, SSL_R_BIO_NOT_SET, NULL); + QUIC_RAISE_NON_NORMAL_ERROR(ctx, SSL_R_BIO_NOT_SET, NULL); return -1; /* Non-protocol error */ } @@ -1512,7 +1516,7 @@ static int quic_do_handshake(QCTX *ctx) * non-blocking mode, which is fine. */ if (!ensure_channel_started(qc)) { - QUIC_RAISE_NON_IO_ERROR(ctx, ERR_R_INTERNAL_ERROR, NULL); + QUIC_RAISE_NON_NORMAL_ERROR(ctx, ERR_R_INTERNAL_ERROR, NULL); return -1; /* Non-protocol error */ } @@ -1531,7 +1535,7 @@ static int quic_do_handshake(QCTX *ctx) QUIC_RAISE_NON_NORMAL_ERROR(ctx, SSL_R_PROTOCOL_IS_SHUTDOWN, NULL); return 0; /* Shutdown before completion */ } else if (ret <= 0) { - QUIC_RAISE_NON_IO_ERROR(ctx, ERR_R_INTERNAL_ERROR, NULL); + QUIC_RAISE_NON_NORMAL_ERROR(ctx, ERR_R_INTERNAL_ERROR, NULL); return -1; /* Non-protocol error */ } @@ -1560,6 +1564,7 @@ int ossl_quic_do_handshake(SSL *s) if (!expect_quic(s, &ctx)) return 0; + ctx.in_io = 1; quic_lock(ctx.qc); ret = quic_do_handshake(&ctx); 
@@ -1726,7 +1731,7 @@ static int qc_wait_for_default_xso_for_read(QCTX *ctx) */ qc_set_default_xso(qc, create_xso_from_stream(qc, qs), /*touch=*/0); if (qc->default_xso == NULL) - return QUIC_RAISE_NON_IO_ERROR(ctx, ERR_R_INTERNAL_ERROR, NULL); + return QUIC_RAISE_NON_NORMAL_ERROR(ctx, ERR_R_INTERNAL_ERROR, NULL); qc_touch_default_xso(qc); /* inhibits default XSO */ return 1; @@ -1738,18 +1743,18 @@ static QUIC_XSO *create_xso_from_stream(QUIC_CONNECTION *qc, QUIC_STREAM *qs) QUIC_XSO *xso = NULL; if ((xso = OPENSSL_zalloc(sizeof(*xso))) == NULL) { - QUIC_RAISE_NON_IO_ERROR(NULL, ERR_R_CRYPTO_LIB, NULL); + QUIC_RAISE_NON_NORMAL_ERROR(NULL, ERR_R_CRYPTO_LIB, NULL); goto err; } if (!ossl_ssl_init(&xso->ssl, qc->ssl.ctx, qc->ssl.method, SSL_TYPE_QUIC_XSO)) { - QUIC_RAISE_NON_IO_ERROR(NULL, ERR_R_INTERNAL_ERROR, NULL); + QUIC_RAISE_NON_NORMAL_ERROR(NULL, ERR_R_INTERNAL_ERROR, NULL); goto err; } /* XSO refs QC */ if (!SSL_up_ref(&qc->ssl)) { - QUIC_RAISE_NON_IO_ERROR(NULL, ERR_R_SSL_LIB, NULL); + QUIC_RAISE_NON_NORMAL_ERROR(NULL, ERR_R_SSL_LIB, NULL); goto err; } @@ -1805,7 +1810,7 @@ static SSL *quic_conn_stream_new(QCTX *ctx, uint64_t flags, int need_lock) quic_lock(qc); if (!quic_mutation_allowed(qc, /*req_active=*/0)) { - QUIC_RAISE_NON_IO_ERROR(ctx, SSL_R_PROTOCOL_IS_SHUTDOWN, NULL); + QUIC_RAISE_NON_NORMAL_ERROR(ctx, SSL_R_PROTOCOL_IS_SHUTDOWN, NULL); goto err; } @@ -1838,7 +1843,7 @@ static SSL *quic_conn_stream_new(QCTX *ctx, uint64_t flags, int need_lock) qs = ossl_quic_channel_new_stream_local(qc->ch, is_uni); if (qs == NULL) { - QUIC_RAISE_NON_IO_ERROR(ctx, ERR_R_INTERNAL_ERROR, NULL); + QUIC_RAISE_NON_NORMAL_ERROR(ctx, ERR_R_INTERNAL_ERROR, NULL); goto err; } @@ -1867,7 +1872,7 @@ SSL *ossl_quic_conn_stream_new(SSL *s, uint64_t flags) { QCTX ctx; - if (!expect_quic_conn_only(s, &ctx)) + if (!expect_quic_conn_only(s, /*io=*/0, &ctx)) return NULL; return quic_conn_stream_new(&ctx, flags, /*need_lock=*/1); 
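Review bot: The call sites changed from ossl_quic_conn_stream_new() onwards annotate the new argument as `/*io=*/0` or `/*io=*/1`, but the parameter is declared as `in_io` in both expect_quic_conn_only() and expect_quic_with_stream_lock(). The other inline argument comments in these hunks, `/*remote_init=*/0` and `/*need_lock=*/1`, match their parameter names. I would write `/*in_io=*/0` here and in the later hunks through ossl_quic_conn_get_channel(), so the annotation can be checked against the prototype.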
@@ -2219,7 +2224,7 @@ int ossl_quic_write(SSL *s, const void *buf, size_t len, size_t *written) *written = 0; - if (!expect_quic_with_stream_lock(s, /*remote_init=*/0, &ctx)) + if (!expect_quic_with_stream_lock(s, /*remote_init=*/0, /*io=*/1, &ctx)) return 0; partial_write = ((ctx.xso->ssl_mode & SSL_MODE_ENABLE_PARTIAL_WRITE) != 0); @@ -2409,6 +2414,7 @@ static int quic_read(SSL *s, void *buf, size_t len, size_t *bytes_read, int peek if (!expect_quic(s, &ctx)) return 0; + ctx.in_io = 1; quic_lock(ctx.qc); if (!quic_mutation_allowed(ctx.qc, /*req_active=*/0)) { @@ -2525,13 +2531,13 @@ static size_t ossl_quic_pending_int(const SSL *s, int check_channel) quic_lock(ctx.qc); if (ctx.xso == NULL) { - QUIC_RAISE_NON_IO_ERROR(&ctx, SSL_R_NO_STREAM, NULL); + QUIC_RAISE_NON_NORMAL_ERROR(&ctx, SSL_R_NO_STREAM, NULL); goto out; } if (ctx.xso->stream == NULL || !ossl_quic_stream_has_recv_buffer(ctx.xso->stream)) { - QUIC_RAISE_NON_IO_ERROR(&ctx, ERR_R_INTERNAL_ERROR, NULL); + QUIC_RAISE_NON_NORMAL_ERROR(&ctx, ERR_R_INTERNAL_ERROR, NULL); goto out; } @@ -2568,7 +2574,7 @@ int ossl_quic_conn_stream_conclude(SSL *s) QUIC_STREAM *qs; int err; - if (!expect_quic_with_stream_lock(s, /*remote_init=*/0, &ctx)) + if (!expect_quic_with_stream_lock(s, /*remote_init=*/0, /*io=*/0, &ctx)) return 0; qs = ctx.xso->stream; @@ -2679,7 +2685,7 @@ uint64_t ossl_quic_get_stream_id(SSL *s) QCTX ctx; uint64_t id; - if (!expect_quic_with_stream_lock(s, /*remote_init=*/-1, &ctx)) + if (!expect_quic_with_stream_lock(s, /*remote_init=*/-1, /*io=*/0, &ctx)) return UINT64_MAX; id = ctx.xso->stream->id; 
@@ -2697,14 +2703,14 @@ int ossl_quic_set_default_stream_mode(SSL *s, uint32_t mode) { QCTX ctx; - if (!expect_quic_conn_only(s, &ctx)) + if (!expect_quic_conn_only(s, /*io=*/0, &ctx)) return 0; quic_lock(ctx.qc); if (ctx.qc->default_xso_created) { quic_unlock(ctx.qc); - return QUIC_RAISE_NON_IO_ERROR(&ctx, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED, + return QUIC_RAISE_NON_NORMAL_ERROR(&ctx, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED, "too late to change default stream mode"); } @@ -2716,7 +2722,7 @@ int ossl_quic_set_default_stream_mode(SSL *s, uint32_t mode) break; default: quic_unlock(ctx.qc); - return QUIC_RAISE_NON_IO_ERROR(&ctx, ERR_R_PASSED_INVALID_ARGUMENT, + return QUIC_RAISE_NON_NORMAL_ERROR(&ctx, ERR_R_PASSED_INVALID_ARGUMENT, "bad default stream type"); } @@ -2734,7 +2740,7 @@ SSL *ossl_quic_detach_stream(SSL *s) QCTX ctx; QUIC_XSO *xso = NULL; - if (!expect_quic_conn_only(s, &ctx)) + if (!expect_quic_conn_only(s, /*io=*/0, &ctx)) return NULL; quic_lock(ctx.qc); @@ -2759,11 +2765,11 @@ int ossl_quic_attach_stream(SSL *conn, SSL *stream) QUIC_XSO *xso; int nref; - if (!expect_quic_conn_only(conn, &ctx)) + if (!expect_quic_conn_only(conn, /*io=*/0, &ctx)) return 0; if (stream == NULL || stream->type != SSL_TYPE_QUIC_XSO) - return QUIC_RAISE_NON_IO_ERROR(&ctx, ERR_R_PASSED_NULL_PARAMETER, + return QUIC_RAISE_NON_NORMAL_ERROR(&ctx, ERR_R_PASSED_NULL_PARAMETER, "stream to attach must be a valid QUIC stream"); xso = (QUIC_XSO *)stream; @@ -2772,7 +2778,7 @@ int ossl_quic_attach_stream(SSL *conn, SSL *stream) if (ctx.qc->default_xso != NULL) { quic_unlock(ctx.qc); - return QUIC_RAISE_NON_IO_ERROR(&ctx, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED, + return QUIC_RAISE_NON_NORMAL_ERROR(&ctx, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED, "connection already has a default stream"); } 
@@ -2782,13 +2788,13 @@ int ossl_quic_attach_stream(SSL *conn, SSL *stream) */ if (!CRYPTO_GET_REF(&xso->ssl.references, &nref)) { quic_unlock(ctx.qc); - return QUIC_RAISE_NON_IO_ERROR(&ctx, ERR_R_INTERNAL_ERROR, + return QUIC_RAISE_NON_NORMAL_ERROR(&ctx, ERR_R_INTERNAL_ERROR, "ref"); } if (nref != 1) { quic_unlock(ctx.qc); - return QUIC_RAISE_NON_IO_ERROR(&ctx, ERR_R_PASSED_INVALID_ARGUMENT, + return QUIC_RAISE_NON_NORMAL_ERROR(&ctx, ERR_R_PASSED_INVALID_ARGUMENT, "stream being attached must have " "only 1 reference"); } @@ -2839,7 +2845,7 @@ int ossl_quic_set_incoming_stream_policy(SSL *s, int policy, int ret = 1; QCTX ctx; - if (!expect_quic_conn_only(s, &ctx)) + if (!expect_quic_conn_only(s, /*io=*/0, &ctx)) return 0; quic_lock(ctx.qc); @@ -2853,7 +2859,7 @@ int ossl_quic_set_incoming_stream_policy(SSL *s, int policy, break; default: - QUIC_RAISE_NON_IO_ERROR(&ctx, ERR_R_PASSED_INVALID_ARGUMENT, NULL); + QUIC_RAISE_NON_NORMAL_ERROR(&ctx, ERR_R_PASSED_INVALID_ARGUMENT, NULL); ret = 0; break; } @@ -2903,14 +2909,14 @@ SSL *ossl_quic_accept_stream(SSL *s, uint64_t flags) QUIC_XSO *xso; OSSL_RTT_INFO rtt_info; - if (!expect_quic_conn_only(s, &ctx)) + if (!expect_quic_conn_only(s, /*io=*/0, &ctx)) return NULL; quic_lock(ctx.qc); if (qc_get_effective_incoming_stream_policy(ctx.qc) == SSL_INCOMING_STREAM_POLICY_REJECT) { - QUIC_RAISE_NON_IO_ERROR(&ctx, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED, NULL); + QUIC_RAISE_NON_NORMAL_ERROR(&ctx, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED, NULL); goto out; } @@ -2966,7 +2972,7 @@ size_t ossl_quic_get_accept_stream_queue_len(SSL *s) QCTX ctx; size_t v; - if (!expect_quic_conn_only(s, &ctx)) + if (!expect_quic_conn_only(s, /*io=*/0, &ctx)) return 0; quic_lock(ctx.qc); 
@@ -2991,7 +2997,7 @@ int ossl_quic_stream_reset(SSL *ssl, uint64_t error_code; int ok, err; - if (!expect_quic_with_stream_lock(ssl, /*remote_init=*/0, &ctx)) + if (!expect_quic_with_stream_lock(ssl, /*remote_init=*/0, /*io=*/0, &ctx)) return 0; qsm = ossl_quic_channel_get_qsm(ctx.qc->ch); @@ -3079,7 +3085,7 @@ static int quic_get_stream_state(SSL *ssl, int is_write) QCTX ctx; int state; - if (!expect_quic_with_stream_lock(ssl, /*remote_init=*/-1, &ctx)) + if (!expect_quic_with_stream_lock(ssl, /*remote_init=*/-1, /*io=*/0, &ctx)) return SSL_STREAM_STATE_NONE; quic_classify_stream(ctx.qc, ctx.xso->stream, is_write, &state, NULL); @@ -3111,7 +3117,7 @@ static int quic_get_stream_error_code(SSL *ssl, int is_write, QCTX ctx; int state; - if (!expect_quic_with_stream_lock(ssl, /*remote_init=*/-1, &ctx)) + if (!expect_quic_with_stream_lock(ssl, /*remote_init=*/-1, /*io=*/0, &ctx)) return -1; quic_classify_stream(ctx.qc, ctx.xso->stream, /*is_write=*/0, @@ -3152,12 +3158,12 @@ int ossl_quic_set_write_buffer_size(SSL *ssl, size_t size) int ret = 0; QCTX ctx; - if (!expect_quic_with_stream_lock(ssl, /*remote_init=*/-1, &ctx)) + if (!expect_quic_with_stream_lock(ssl, /*remote_init=*/-1, /*io=*/0, &ctx)) return 0; if (!ossl_quic_stream_has_send(ctx.xso->stream)) { /* Called on a unidirectional receive-only stream - error. */ - QUIC_RAISE_NON_IO_ERROR(&ctx, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED, NULL); + QUIC_RAISE_NON_NORMAL_ERROR(&ctx, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED, NULL); goto out; } @@ -3171,7 +3177,7 @@ int ossl_quic_set_write_buffer_size(SSL *ssl, size_t size) } if (!ossl_quic_sstream_set_buffer_size(ctx.xso->stream->sstream, size)) { - QUIC_RAISE_NON_IO_ERROR(&ctx, ERR_R_INTERNAL_ERROR, NULL); + QUIC_RAISE_NON_NORMAL_ERROR(&ctx, ERR_R_INTERNAL_ERROR, NULL); goto out; } 
@@ -3193,7 +3199,7 @@ int ossl_quic_get_conn_close_info(SSL *ssl, QCTX ctx; const QUIC_TERMINATE_CAUSE *tc; - if (!expect_quic_conn_only(ssl, &ctx)) + if (!expect_quic_conn_only(ssl, /*io=*/0, &ctx)) return -1; tc = ossl_quic_channel_get_terminate_cause(ctx.qc->ch); @@ -3216,7 +3222,7 @@ int ossl_quic_key_update(SSL *ssl, int update_type) { QCTX ctx; - if (!expect_quic_conn_only(ssl, &ctx)) + if (!expect_quic_conn_only(ssl, /*io=*/0, &ctx)) return 0; switch (update_type) { @@ -3229,7 +3235,7 @@ int ossl_quic_key_update(SSL *ssl, int update_type) break; default: - QUIC_RAISE_NON_IO_ERROR(&ctx, ERR_R_PASSED_INVALID_ARGUMENT, NULL); + QUIC_RAISE_NON_NORMAL_ERROR(&ctx, ERR_R_PASSED_INVALID_ARGUMENT, NULL); return 0; } @@ -3237,7 +3243,7 @@ int ossl_quic_key_update(SSL *ssl, int update_type) /* Attempt to perform a TXKU. */ if (!ossl_quic_channel_trigger_txku(ctx.qc->ch)) { - QUIC_RAISE_NON_IO_ERROR(&ctx, SSL_R_TOO_MANY_KEY_UPDATES, NULL); + QUIC_RAISE_NON_NORMAL_ERROR(&ctx, SSL_R_TOO_MANY_KEY_UPDATES, NULL); quic_unlock(ctx.qc); return 0; } @@ -3276,7 +3282,7 @@ long ossl_quic_callback_ctrl(SSL *s, int cmd, void (*fp) (void)) { QCTX ctx; - if (!expect_quic_conn_only(s, &ctx)) + if (!expect_quic_conn_only(s, /*io=*/0, &ctx)) return 0; switch (cmd) { @@ -3327,7 +3333,7 @@ QUIC_CHANNEL *ossl_quic_conn_get_channel(SSL *s) { QCTX ctx; - if (!expect_quic_conn_only(s, &ctx)) + if (!expect_quic_conn_only(s, /*io=*/0, &ctx)) return NULL; return ctx.qc->ch; From 84364b9dc693a30fa55c22e684b45978a5bcc77b Mon Sep 17 00:00:00 2001 From: "Matthias St. Pierre" Date: Mon, 28 Aug 2023 15:18:29 +0200 Subject: [PATCH 024/324] man: update missingcrypto.txt file Remove some entries which have been documented meanwhile. Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell Reviewed-by: Hugo Landau (Merged from https://github.com/openssl/openssl/pull/21873) --- util/missingcrypto.txt | 11 ----------- 1 file changed, 11 deletions(-) 
diff --git a/util/missingcrypto.txt b/util/missingcrypto.txt index 98052f0cb1c65..3f1d205bcadb7 100644 --- a/util/missingcrypto.txt +++ b/util/missingcrypto.txt @@ -241,7 +241,6 @@ BN_MONT_CTX_set_locked(3) BN_X931_derive_prime_ex(3) BN_X931_generate_Xpq(3) BN_X931_generate_prime_ex(3) -BN_abs_is_word(3) BN_asc2bn(3) BN_bntest_rand(3) BN_consttime_swap(3) @@ -453,7 +452,6 @@ DES_encrypt3(3) DES_options(3) DH_KDF_X9_42(3) DH_check_pub_key(3) -DH_compute_key_padded(3) DH_up_ref(3) DHparams_dup(3) DHparams_it(3) @@ -574,9 +572,7 @@ ERR_load_strings_const(3) ERR_set_error_data(3) ERR_unload_strings(3) EVP_CIPHER_CTX_buf_noconst(3) -EVP_CIPHER_CTX_copy(3) EVP_CIPHER_CTX_rand_key(3) -EVP_CIPHER_CTX_set_num(3) EVP_CIPHER_do_all(3) EVP_CIPHER_do_all_sorted(3) EVP_CIPHER_get_asn1_iv(3) @@ -649,7 +645,6 @@ NCONF_dump_bio(3) NCONF_dump_fp(3) NCONF_free_data(3) NCONF_get_number_e(3) -NCONF_get_section(3) NCONF_get_string(3) NCONF_load_bio(3) NCONF_load_fp(3) @@ -794,7 +789,6 @@ PKCS12_BAGS_it(3) PKCS12_MAC_DATA_it(3) PKCS12_PBE_add(3) PKCS12_SAFEBAGS_it(3) -PKCS12_SAFEBAG_get1_crl(3) PKCS12_SAFEBAG_it(3) PKCS12_get0_mac(3) PKCS12_get_attr(3) @@ -803,7 +797,6 @@ PKCS12_item_pack_safebag(3) PKCS12_mac_present(3) PKCS12_pack_authsafes(3) PKCS12_pack_p7data(3) -PKCS12_pack_p7encdata(3) PKCS12_unpack_authsafes(3) PKCS12_unpack_p7data(3) PKCS12_unpack_p7encdata(3) @@ -992,10 +985,8 @@ TS_RESP_CTX_add_failure_info(3) TS_RESP_CTX_add_flags(3) TS_RESP_CTX_add_md(3) TS_RESP_CTX_add_policy(3) -TS_RESP_CTX_free(3) TS_RESP_CTX_get_request(3) TS_RESP_CTX_get_tst_info(3) -TS_RESP_CTX_new(3) TS_RESP_CTX_set_accuracy(3) TS_RESP_CTX_set_certs(3) TS_RESP_CTX_set_clock_precision_digits(3) @@ -1259,7 +1250,6 @@ X509_get_default_private_dir(3) X509_get_pubkey_parameters(3) X509_get_signature_type(3) X509_issuer_and_serial_hash(3) -X509_issuer_name_hash(3) X509_issuer_name_hash_old(3) X509_it(3) X509_keyid_get0(3) 
@@ -1283,7 +1273,6 @@ X509_print_fp(3) X509_reject_clear(3) X509_signature_dump(3) X509_signature_print(3) -X509_subject_name_hash(3) X509_subject_name_hash_old(3) X509_supported_extension(3) X509_to_X509_REQ(3) From d57d0b818935c20a7b468c0e717773ea8a3373e6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= Date: Thu, 13 Jul 2023 17:07:00 +0200 Subject: [PATCH 025/324] Add option for in-place cipher testing in evp_test The command line option enables setting in-place data processing for cipher testing in `evp_test`. The `both` option argument runs both - in-place and non-in-place testing. Reviewed-by: Tim Hudson Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/21546) --- test/evp_test.c | 144 +++++++++++++++++++++++++++++------------------- 1 file changed, 87 insertions(+), 57 deletions(-) diff --git a/test/evp_test.c b/test/evp_test.c index 19efa9590169d..0a33ed3ba860e 100644 --- a/test/evp_test.c +++ b/test/evp_test.c @@ -72,6 +72,7 @@ typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_CONFIG_FILE, + OPT_IN_PLACE, OPT_TEST_ENUM } OPTION_CHOICE; @@ -111,6 +112,18 @@ static int memory_err_compare(EVP_TEST *t, const char *err, return r; } +/* Option specific for evp test */ +static int process_mode_in_place; + +static int evp_test_process_mode(char *mode) +{ + if (strcmp(mode, "in_place") == 0) + return 1; + else if (strcmp(mode, "both") == 0) + return 0; + return -1; +} + /* * Structure used to hold a list of blocks of memory to test * calls to "update" like functions. @@ -713,8 +726,8 @@ static int cipher_test_parse(EVP_TEST *t, const char *keyword, return 0; } -static int cipher_test_enc(EVP_TEST *t, int enc, - size_t out_misalign, size_t inp_misalign, int frag) +static int cipher_test_enc(EVP_TEST *t, int enc, size_t out_misalign, + size_t inp_misalign, int frag, int in_place) { CIPHER_DATA *expected = t->data; unsigned char *in, *expected_out, *tmp = NULL; 
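Review bot: `process_mode_in_place` and `evp_test_process_mode()` (test/evp_test.c, hunk at old line 111) are documented only as "Option specific for evp test". Nothing states that 1 means in-place only and 0, the zero-initialised default, means both modes; a reader has to recover that from the `break` in cipher_test_run(). A comment on the variable such as `/* 1: test in-place processing only; 0 (default): test in-place and non-in-place */` would cover it. The parser only reads its argument, so the parameter can be declared `const char *mode`.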
@@ -740,7 +753,7 @@ static int cipher_test_enc(EVP_TEST *t, int enc, expected_out = expected->plaintext; out_len = expected->plaintext_len; } - if (inp_misalign == (size_t)-1) { + if (in_place == 1) { /* Exercise in-place encryption */ tmp = OPENSSL_malloc(out_misalign + in_len + 2 * EVP_MAX_BLOCK_LENGTH); if (!tmp) @@ -1053,10 +1066,27 @@ static int cipher_test_enc(EVP_TEST *t, int enc, return ok; } +/* + * XTS, SIV, CCM, stitched ciphers and Wrap modes have special + * requirements about input lengths so we don't fragment for those + */ +static int cipher_test_valid_fragmentation(CIPHER_DATA *cdat) +{ + return (cdat->aead == EVP_CIPH_CCM_MODE + || cdat->aead == EVP_CIPH_CBC_MODE + || (cdat->aead == -1 + && EVP_CIPHER_get_mode(cdat->cipher) == EVP_CIPH_STREAM_CIPHER) + || ((EVP_CIPHER_get_flags(cdat->cipher) & EVP_CIPH_FLAG_CTS) != 0) + || EVP_CIPHER_get_mode(cdat->cipher) == EVP_CIPH_SIV_MODE + || EVP_CIPHER_get_mode(cdat->cipher) == EVP_CIPH_GCM_SIV_MODE + || EVP_CIPHER_get_mode(cdat->cipher) == EVP_CIPH_XTS_MODE + || EVP_CIPHER_get_mode(cdat->cipher) == EVP_CIPH_WRAP_MODE) ? 0 : 1; +} + static int cipher_test_run(EVP_TEST *t) { CIPHER_DATA *cdat = t->data; - int rv, frag = 0; + int rv, frag, fragmax, in_place; size_t out_misalign, inp_misalign; if (!cdat->key) { 
@@ -1074,63 +1104,57 @@ static int cipher_test_run(EVP_TEST *t) t->err = "NO_TAG"; return 0; } - for (out_misalign = 0; out_misalign <= 1;) { + + fragmax = (cipher_test_valid_fragmentation(cdat) == 0) ? 0 : 1; + for (in_place = 1; in_place >= 0; in_place--) { static char aux_err[64]; + t->aux_err = aux_err; - for (inp_misalign = (size_t)-1; inp_misalign != 2; inp_misalign++) { - if (inp_misalign == (size_t)-1) { - /* kludge: inp_misalign == -1 means "exercise in-place" */ - BIO_snprintf(aux_err, sizeof(aux_err), - "%s in-place, %sfragmented", - out_misalign ? "misaligned" : "aligned", - frag ? "" : "not "); - } else { - BIO_snprintf(aux_err, sizeof(aux_err), - "%s output and %s input, %sfragmented", - out_misalign ? "misaligned" : "aligned", - inp_misalign ? "misaligned" : "aligned", - frag ? "" : "not "); - } - if (cdat->enc) { - rv = cipher_test_enc(t, 1, out_misalign, inp_misalign, frag); - /* Not fatal errors: return */ - if (rv != 1) { - if (rv < 0) - return 0; - return 1; - } - } - if (cdat->enc != 1) { - rv = cipher_test_enc(t, 0, out_misalign, inp_misalign, frag); - /* Not fatal errors: return */ - if (rv != 1) { - if (rv < 0) - return 0; - return 1; + /* Test only in-place data processing */ + if (process_mode_in_place == 1 && in_place == 0) + break; + + for (frag = 0; frag <= fragmax; frag++) { + for (out_misalign = 0; out_misalign <= 1; out_misalign++) { + for (inp_misalign = 0; inp_misalign <= 1; inp_misalign++) { + /* Skip input misalign tests for in-place processing */ + if (inp_misalign == 1 && in_place == 1) + break; + if (in_place == 1) { + BIO_snprintf(aux_err, sizeof(aux_err), + "%s in-place, %sfragmented", + out_misalign ? "misaligned" : "aligned", + frag ? "" : "not "); + } else { + BIO_snprintf(aux_err, sizeof(aux_err), + "%s output and %s input, %sfragmented", + out_misalign ? "misaligned" : "aligned", + inp_misalign ? "misaligned" : "aligned", + frag ? 
"" : "not "); + } + if (cdat->enc) { + rv = cipher_test_enc(t, 1, out_misalign, inp_misalign, + frag, in_place); + /* Not fatal errors: return */ + if (rv != 1) { + if (rv < 0) + return 0; + return 1; + } + } + if (cdat->enc != 1) { + rv = cipher_test_enc(t, 0, out_misalign, inp_misalign, + frag, in_place); + /* Not fatal errors: return */ + if (rv != 1) { + if (rv < 0) + return 0; + return 1; + } + } } } } - - if (out_misalign == 1 && frag == 0) { - /* - * XTS, SIV, CCM, stitched ciphers and Wrap modes have special - * requirements about input lengths so we don't fragment for those - */ - if (cdat->aead == EVP_CIPH_CCM_MODE - || cdat->aead == EVP_CIPH_CBC_MODE - || (cdat->aead == -1 - && EVP_CIPHER_get_mode(cdat->cipher) == EVP_CIPH_STREAM_CIPHER) - || ((EVP_CIPHER_get_flags(cdat->cipher) & EVP_CIPH_FLAG_CTS) != 0) - || EVP_CIPHER_get_mode(cdat->cipher) == EVP_CIPH_SIV_MODE - || EVP_CIPHER_get_mode(cdat->cipher) == EVP_CIPH_GCM_SIV_MODE - || EVP_CIPHER_get_mode(cdat->cipher) == EVP_CIPH_XTS_MODE - || EVP_CIPHER_get_mode(cdat->cipher) == EVP_CIPH_WRAP_MODE) - break; - out_misalign = 0; - frag++; - } else { - out_misalign++; - } } t->aux_err = NULL; @@ -4070,6 +4094,8 @@ const OPTIONS *test_get_options(void) OPT_TEST_OPTIONS_WITH_EXTRA_USAGE("[file...]\n"), { "config", OPT_CONFIG_FILE, '<', "The configuration file to use for the libctx" }, + { "process", OPT_IN_PLACE, 's', + "Mode for data processing by cipher tests [in_place/both], both by default"}, { OPT_HELP_STR, 1, '-', "file\tFile to run tests on.\n" }, { NULL } }; @@ -4088,8 +4114,12 @@ int setup_tests(void) case OPT_CONFIG_FILE: config_file = opt_arg(); break; + case OPT_IN_PLACE: + if ((process_mode_in_place = evp_test_process_mode(opt_arg())) == -1) + return 0; + break; case OPT_TEST_CASES: - break; + break; default: case OPT_ERR: return 0; From 9d2f7e1f611f03e65f25adf08b76e08821b315da Mon Sep 17 00:00:00 2001 
From: Dmitry Belyavskiy Date: Wed, 2 Aug 2023 17:54:01 +0200 Subject: [PATCH 026/324] OSSL_PROVIDER_load_ex Reviewed-by: Matt Caswell Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/21604) --- crypto/provider.c | 21 ++++++++++++++++----- crypto/provider_child.c | 2 +- crypto/provider_conf.c | 2 +- crypto/provider_core.c | 27 ++++++++++++++++++++++++--- doc/man3/OSSL_PROVIDER.pod | 16 ++++++++++++++++ include/internal/provider.h | 2 +- include/openssl/provider.h | 5 +++++ util/libcrypto.num | 2 ++ 8 files changed, 66 insertions(+), 11 deletions(-) diff --git a/crypto/provider.c b/crypto/provider.c index 65f919aec281d..9cc51d3ae7aad 100644 --- a/crypto/provider.c +++ b/crypto/provider.c @@ -15,15 +15,15 @@ #include "internal/provider.h" #include "provider_local.h" -OSSL_PROVIDER *OSSL_PROVIDER_try_load(OSSL_LIB_CTX *libctx, const char *name, - int retain_fallbacks) +OSSL_PROVIDER *OSSL_PROVIDER_try_load_ex(OSSL_LIB_CTX *libctx, const char *name, + OSSL_PARAM *params, int retain_fallbacks) { OSSL_PROVIDER *prov = NULL, *actual; int isnew = 0; /* Find it or create it */ if ((prov = ossl_provider_find(libctx, name, 0)) == NULL) { - if ((prov = ossl_provider_new(libctx, name, NULL, 0)) == NULL) + if ((prov = ossl_provider_new(libctx, name, NULL, params, 0)) == NULL) return NULL; isnew = 1; } 
@@ -49,14 +49,25 @@ OSSL_PROVIDER *OSSL_PROVIDER_try_load(OSSL_LIB_CTX *libctx, const char *name, return actual; } -OSSL_PROVIDER *OSSL_PROVIDER_load(OSSL_LIB_CTX *libctx, const char *name) +OSSL_PROVIDER *OSSL_PROVIDER_try_load(OSSL_LIB_CTX *libctx, const char *name, + int retain_fallbacks) +{ + return OSSL_PROVIDER_try_load_ex(libctx, name, NULL, retain_fallbacks); +} + +OSSL_PROVIDER *OSSL_PROVIDER_load_ex(OSSL_LIB_CTX *libctx, const char *name, OSSL_PARAM *params) { /* Any attempt to load a provider disables auto-loading of defaults */ if (ossl_provider_disable_fallback_loading(libctx)) - return OSSL_PROVIDER_try_load(libctx, name, 0); + return OSSL_PROVIDER_try_load_ex(libctx, name, params, 0); return NULL; } +OSSL_PROVIDER *OSSL_PROVIDER_load(OSSL_LIB_CTX *libctx, const char *name) +{ + return OSSL_PROVIDER_load_ex(libctx, name, NULL); +} + int OSSL_PROVIDER_unload(OSSL_PROVIDER *prov) { if (!ossl_provider_deactivate(prov, 1)) diff --git a/crypto/provider_child.c b/crypto/provider_child.c index 176a3a5cb25d9..ed8ee3b3a1421 100644 --- a/crypto/provider_child.c +++ b/crypto/provider_child.c @@ -132,7 +132,7 @@ static int provider_create_child_cb(const OSSL_CORE_HANDLE *prov, void *cbdata) * init children */ if ((cprov = ossl_provider_new(ctx, provname, ossl_child_provider_init, - 1)) == NULL) + NULL, 1)) == NULL) goto err; if (!ossl_provider_activate(cprov, 0, 0)) { diff --git a/crypto/provider_conf.c b/crypto/provider_conf.c index 9751caac8e55d..11294b2996f9d 100644 --- a/crypto/provider_conf.c +++ b/crypto/provider_conf.c @@ -158,7 +158,7 @@ static int provider_conf_activate(OSSL_LIB_CTX *libctx, const char *name, } prov = ossl_provider_find(libctx, name, 1); if (prov == NULL) - prov = ossl_provider_new(libctx, name, NULL, 1); + prov = ossl_provider_new(libctx, name, NULL, NULL, 1); if (prov == NULL) { CRYPTO_THREAD_unlock(pcgbl->lock); if (soft) diff --git a/crypto/provider_core.c b/crypto/provider_core.c index 4cb3e21f69bb9..2e2c597f37dde 100644 
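Review bot: OSSL_PROVIDER_load_ex() and OSSL_PROVIDER_try_load_ex() take `OSSL_PARAM *params`, although the code visible in this series only reads the array (ossl_provider_new() copies the UTF8 string entries into the provider info). Declaring the parameter as `const OSSL_PARAM *params` in these two functions and in ossl_provider_new() would let callers pass constant parameter tables and would state the no-modify contract in the new public API before it ships. The prototypes in include/openssl/provider.h and doc/man3/OSSL_PROVIDER.pod would need the same qualifier.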
--- a/crypto/provider_core.c +++ b/crypto/provider_core.c @@ -518,7 +518,7 @@ static int provider_free_intern(OSSL_PROVIDER *prov, int deactivate) */ OSSL_PROVIDER *ossl_provider_new(OSSL_LIB_CTX *libctx, const char *name, OSSL_provider_init_fn *init_function, - int noconfig) + OSSL_PARAM *params, int noconfig) { struct provider_store_st *store = NULL; OSSL_PROVIDER_INFO template; @@ -540,7 +540,7 @@ OSSL_PROVIDER *ossl_provider_new(OSSL_LIB_CTX *libctx, const char *name, } } if (p->name == NULL) { - /* Check if this is a user added builtin provider */ + /* Check if this is a user added provider */ if (!CRYPTO_THREAD_read_lock(store->lock)) return NULL; for (i = 0, p = store->provinfo; i < store->numprovinfo; p++, i++) { @@ -555,8 +555,29 @@ OSSL_PROVIDER *ossl_provider_new(OSSL_LIB_CTX *libctx, const char *name, template.init = init_function; } + if (params != NULL) { + int i; + + template.parameters = sk_INFOPAIR_new_null(); + if (template.parameters == NULL) + return NULL; + + for (i = 0; params[i].key != NULL; i++) { + if (params[i].data_type != OSSL_PARAM_UTF8_STRING) + continue; + if (ossl_provider_info_add_parameter(&template, params[i].key, + (char *)params[i].data) <= 0) + return NULL; + } + } + /* provider_new() generates an error, so no need here */ - if ((prov = provider_new(name, template.init, template.parameters)) == NULL) + prov = provider_new(name, template.init, template.parameters); + + if (params != NULL) /* We copied the parameters, let's free them */ + sk_INFOPAIR_pop_free(template.parameters, infopair_free); + + if (prov == NULL) return NULL; prov->libctx = libctx; diff --git a/doc/man3/OSSL_PROVIDER.pod b/doc/man3/OSSL_PROVIDER.pod index 1790c0e67865c..12151021c5827 100644 --- a/doc/man3/OSSL_PROVIDER.pod +++ b/doc/man3/OSSL_PROVIDER.pod 
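Review bot: In the `params != NULL` block added to ossl_provider_new(), the `return NULL` taken when `ossl_provider_info_add_parameter()` fails leaves the stack from `sk_INFOPAIR_new_null()`, and any pairs already added, allocated. Release it first, using the same call the success path makes later: `sk_INFOPAIR_pop_free(template.parameters, infopair_free); return NULL;`. The loop also passes `(char *)params[i].data` without consulting `data_size`, so it presumably relies on the caller's string being NUL-terminated; that requirement should be stated in a comment or in the OSSL_PROVIDER_load_ex documentation. The function starts and continues outside the hunk.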
@@ -5,6 +5,7 @@ OSSL_PROVIDER_set_default_search_path, OSSL_PROVIDER_get0_default_search_path, OSSL_PROVIDER, OSSL_PROVIDER_load, OSSL_PROVIDER_try_load, OSSL_PROVIDER_unload, +OSSL_PROVIDER_load_ex, OSSL_PROVIDER_try_load_ex, OSSL_PROVIDER_available, OSSL_PROVIDER_do_all, OSSL_PROVIDER_gettable_params, OSSL_PROVIDER_get_params, OSSL_PROVIDER_query_operation, OSSL_PROVIDER_unquery_operation, @@ -24,8 +25,13 @@ OSSL_PROVIDER_self_test const char *OSSL_PROVIDER_get0_default_search_path(OSSL_LIB_CTX *libctx); OSSL_PROVIDER *OSSL_PROVIDER_load(OSSL_LIB_CTX *libctx, const char *name); + OSSL_PROVIDER *OSSL_PROVIDER_load_ex(OSSL_LIB_CTX *, const char *name, + OSSL_PARAM *params); OSSL_PROVIDER *OSSL_PROVIDER_try_load(OSSL_LIB_CTX *libctx, const char *name, int retain_fallbacks); + OSSL_PROVIDER *OSSL_PROVIDER_try_load_ex(OSSL_LIB_CTX *, const char *name, + OSSL_PARAM *params, + int retain_fallbacks); int OSSL_PROVIDER_unload(OSSL_PROVIDER *prov); int OSSL_PROVIDER_available(OSSL_LIB_CTX *libctx, const char *name); int OSSL_PROVIDER_do_all(OSSL_LIB_CTX *ctx, @@ -101,6 +107,13 @@ loaded and initialized or if I is nonzero. If the provider loads successfully and I is zero, the fallback providers are disabled. +OSSL_PROVIDER_load_ex() and OSSL_PROVIDER_try_load_ex() are the variants +of the previous functions accepting an C array of the parameters +that are passed as the configuration of the loaded provider. The parameters +of any type but C are silently ignored. If the +parameters are provided, they replace B the ones specified in the +configuration file. + OSSL_PROVIDER_unload() unloads the given provider. For a provider added with OSSL_PROVIDER_add_builtin(), this simply runs its teardown function. @@ -221,6 +234,9 @@ L, L, L The type and functions described here were added in OpenSSL 3.0. +The I and I functions were +added in OpenSSL 3.2. + =head1 COPYRIGHT Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. 
diff --git a/include/internal/provider.h b/include/internal/provider.h index 33750eba9cbfa..88a16062c77e4 100644 --- a/include/internal/provider.h +++ b/include/internal/provider.h @@ -32,7 +32,7 @@ OSSL_PROVIDER *ossl_provider_find(OSSL_LIB_CTX *libctx, const char *name, int noconfig); OSSL_PROVIDER *ossl_provider_new(OSSL_LIB_CTX *libctx, const char *name, OSSL_provider_init_fn *init_function, - int noconfig); + OSSL_PARAM *params, int noconfig); int ossl_provider_up_ref(OSSL_PROVIDER *prov); void ossl_provider_free(OSSL_PROVIDER *prov); diff --git a/include/openssl/provider.h b/include/openssl/provider.h index 088e74038e476..80e6db7bb2f85 100644 --- a/include/openssl/provider.h +++ b/include/openssl/provider.h @@ -23,8 +23,13 @@ const char *OSSL_PROVIDER_get0_default_search_path(OSSL_LIB_CTX *libctx); /* Load and unload a provider */ OSSL_PROVIDER *OSSL_PROVIDER_load(OSSL_LIB_CTX *, const char *name); +OSSL_PROVIDER *OSSL_PROVIDER_load_ex(OSSL_LIB_CTX *, const char *name, + OSSL_PARAM *params); OSSL_PROVIDER *OSSL_PROVIDER_try_load(OSSL_LIB_CTX *, const char *name, int retain_fallbacks); +OSSL_PROVIDER *OSSL_PROVIDER_try_load_ex(OSSL_LIB_CTX *, const char *name, + OSSL_PARAM *params, + int retain_fallbacks); int OSSL_PROVIDER_unload(OSSL_PROVIDER *prov); int OSSL_PROVIDER_available(OSSL_LIB_CTX *, const char *name); int OSSL_PROVIDER_do_all(OSSL_LIB_CTX *ctx, diff --git a/util/libcrypto.num b/util/libcrypto.num index 88ae4880efb55..2656df5d908b9 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -5529,6 +5529,8 @@ OSSL_ERR_STATE_save ? 3_2_0 EXIST::FUNCTION: OSSL_ERR_STATE_restore ? 3_2_0 EXIST::FUNCTION: OSSL_ERR_STATE_free ? 3_2_0 EXIST::FUNCTION: ERR_count_to_mark ? 3_2_0 EXIST::FUNCTION: +OSSL_PROVIDER_load_ex ? 3_2_0 EXIST::FUNCTION: +OSSL_PROVIDER_try_load_ex ? 3_2_0 EXIST::FUNCTION: OSSL_ERR_STATE_save_to_mark ? 3_2_0 EXIST::FUNCTION: X509_STORE_CTX_set_get_crl ? 3_2_0 EXIST::FUNCTION: X509_STORE_CTX_set_current_reasons ? 3_2_0 EXIST::FUNCTION: 
From 4f3e3d9d3cb9632a8263cfe27ff11f342bf93351 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Thu, 3 Aug 2023 13:20:33 +0200 Subject: [PATCH 027/324] OSSL_PROVIDER_load_ex tests Reviewed-by: Matt Caswell Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/21604) --- test/provider_internal_test.c | 4 +-- test/provider_test.c | 67 ++++++++++++++++++++++++++++++++++- 2 files changed, 68 insertions(+), 3 deletions(-) diff --git a/test/provider_internal_test.c b/test/provider_internal_test.c index bccce7159e1fd..6c333f85dbb23 100644 --- a/test/provider_internal_test.c +++ b/test/provider_internal_test.c @@ -64,7 +64,7 @@ static int test_builtin_provider(void) ret = TEST_ptr(prov = - ossl_provider_new(NULL, name, PROVIDER_INIT_FUNCTION_NAME, 0)) + ossl_provider_new(NULL, name, PROVIDER_INIT_FUNCTION_NAME, NULL, 0)) && test_provider(prov, expected_greeting1(name)); EVP_set_default_properties(NULL, ""); @@ -79,7 +79,7 @@ static int test_loaded_provider(void) OSSL_PROVIDER *prov = NULL; return - TEST_ptr(prov = ossl_provider_new(NULL, name, NULL, 0)) + TEST_ptr(prov = ossl_provider_new(NULL, name, NULL, NULL, 0)) && test_provider(prov, expected_greeting1(name)); } diff --git a/test/provider_test.c b/test/provider_test.c index b2e0a5da716f9..d1fe71f46d957 100644 --- a/test/provider_test.c +++ b/test/provider_test.c @@ -9,6 +9,7 @@ #include #include +#include #include "testutil.h" extern OSSL_provider_init_fn PROVIDER_INIT_FUNCTION_NAME; 
@@ -157,6 +158,60 @@ static int test_provider(OSSL_LIB_CTX **libctx, const char *name, return ok; } +#ifndef NO_PROVIDER_MODULE +static int test_provider_ex(OSSL_LIB_CTX **libctx, const char *name) +{ + OSSL_PROVIDER *prov = NULL; + const char *greeting = NULL; + int ok = 0; + long err; + const char custom_buf[] = "Custom greeting"; + OSSL_PARAM_BLD *bld = OSSL_PARAM_BLD_new(); + OSSL_PARAM *params = NULL; + + OSSL_PARAM_BLD_push_utf8_string(bld, "greeting", custom_buf, strlen(custom_buf)); + params = OSSL_PARAM_BLD_to_param(bld); + + OSSL_PARAM_BLD_free(bld); + + if (!TEST_ptr(prov = OSSL_PROVIDER_load_ex(*libctx, name, params))) + goto err; + + if (!TEST_true(OSSL_PROVIDER_get_params(prov, greeting_request)) + || !TEST_ptr(greeting = greeting_request[0].data) + || !TEST_size_t_gt(greeting_request[0].data_size, 0) + || !TEST_str_eq(greeting, custom_buf)) + goto err; + + /* Make sure we got the error we were expecting */ + err = ERR_peek_last_error(); + if (!TEST_int_gt(err, 0) + || !TEST_int_eq(ERR_GET_REASON(err), 1)) + goto err; + + if (!TEST_true(OSSL_PROVIDER_unload(prov))) + goto err; + prov = NULL; + + /* + * We must free the libctx to force the provider to really be unloaded from + * memory + */ + OSSL_LIB_CTX_free(*libctx); + *libctx = NULL; + + /* We print out all the data to make sure it can still be accessed */ + ERR_print_errors_fp(stderr); + ok = 1; + err: + OSSL_PARAM_free(params); + OSSL_PROVIDER_unload(prov); + OSSL_LIB_CTX_free(*libctx); + *libctx = NULL; + return ok; +} +#endif + static int test_builtin_provider(void) { OSSL_LIB_CTX *libctx = OSSL_LIB_CTX_new(); 
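Review bot: test_provider_ex() never checks the results of `OSSL_PARAM_BLD_new()`, `OSSL_PARAM_BLD_push_utf8_string()` or `OSSL_PARAM_BLD_to_param()`. If any of them fails, the test either uses a NULL builder or calls `OSSL_PROVIDER_load_ex()` with `params == NULL`, which loads the provider with its default configuration and fails only later, at the greeting comparison, with a misleading message. Checking each step with the TEST_ macros makes the failure point explicit and keeps the builder freed on every path.

```c
    /* ... unchanged: declarations, bld = OSSL_PARAM_BLD_new() ... */
    if (!TEST_ptr(bld)
        || !TEST_true(OSSL_PARAM_BLD_push_utf8_string(bld, "greeting", custom_buf,
                                                      strlen(custom_buf)))
        || !TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))) {
        OSSL_PARAM_BLD_free(bld);
        goto err;
    }
    OSSL_PARAM_BLD_free(bld);
    /* ... unchanged: OSSL_PROVIDER_load_ex() call and the checks that follow ... */
```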
@@ -211,12 +266,22 @@ static int test_loaded_provider(void) { OSSL_LIB_CTX *libctx = OSSL_LIB_CTX_new(); const char *name = "p_test"; + int res = 0; if (!TEST_ptr(libctx)) return 0; /* test_provider will free libctx as part of the test */ - return test_provider(&libctx, name, NULL); + res = test_provider(&libctx, name, NULL); + + libctx = OSSL_LIB_CTX_new(); + if (!TEST_ptr(libctx)) + return 0; + + /* test_provider_ex will free libctx as part of the test */ + res = res && test_provider_ex(&libctx, name); + + return res; } #endif From 9f5102bffc8bb3a9b02a0a5e3c1de4326622fe04 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Tue, 15 Aug 2023 14:46:26 +0200 Subject: [PATCH 028/324] Design document of the run-time parameters activation Reviewed-by: Matt Caswell Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/21604) --- doc/designs/prov_loadex.md | 78 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 doc/designs/prov_loadex.md diff --git a/doc/designs/prov_loadex.md b/doc/designs/prov_loadex.md new file mode 100644 index 0000000000000..818f5cce2d78f --- /dev/null +++ b/doc/designs/prov_loadex.md 
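Review bot: In test_loaded_provider() the second `OSSL_LIB_CTX_new()` result leaks when the first test has failed, because `res = res && test_provider_ex(&libctx, name);` short-circuits and test_provider_ex() is the only code that frees that context. Either return before allocating it, `if (!res) return 0;` placed ahead of the second `OSSL_LIB_CTX_new()`, or evaluate the call unconditionally with `res = test_provider_ex(&libctx, name) && res;`.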
@@ -0,0 +1,78 @@ +Providers run-time configuration +================================ + +Currently any provider run-time activation requires presence of the +initialization parameters in the OpenSSL configuration file. Otherwise the +provider will be activated with some "default" settings, that may or may not +work for a particular application. For real-world systems it may require +providing a specially designed OpenSSL config and passing it somehow (e.g. via +environment) that has its obvious drawbacks. + +We need a possibility to initialize providers on per-application level +according to per-application parameters. It's necessary for example for PKCS#11 +provider (where different applications may use different devices with different +drivers) and will be useful for some other providers. In case of Red Hat it is +also usable for FIPS provider. + +OpenSSL 3.2 introduces the API + +```C +OSSL_PROVIDER *OSSL_PROVIDER_load_ex(OSSL_LIB_CTX *libctx, const char *name, + OSSL_PARAM params[]); +``` + +intended to configure the provider in load time. + +It accepts only parameters of type `OSSL_PARAM_UTF8_STRING` because any +provider can be initialized from the config file where the values are +represented as strings and provider init function has to deal with it. + +Explicitly configured parameters can contradict the parameters named in the +configuration file. Here are the current design decisions and some possible +future steps. + +Real-world cases +---------------- + +Many applications use PKCS#11 API with a specific drivers. OpenSSL PKCS#11 +provider also provides a set of +tweaks usable in particular situations. So there are at least several scenarios +I have in mind: + +1. Configure a provider in the config file, activate on demand +2. 
Load/activate a provider run-time with parameters + +Current design +-------------- + +When the provider is loaded in the current library context and activated, the +currently loaded provider will be returned as the result of +`OSSL_PROVIDER_load_ex` call. + +When the provider is loaded in the current library context and NOT activated, +the parameters provided int the `OSSL_PROVIDER_load_ex` call will have the +preference. + +Separate instances of the provider can be loaded in the separate library +contexts. + +Several instances of the same provider in the same context using different +section names, module names (e.g. via symlinks) and provider names. But unless +the provider does not support some configuration options, the algorithms in +this case will have the same `provider` property and the result of fetching is +not determined. We strongly discourage against this trick. + +The run-time change of the loaded provider configuration is not supported. If +it is necessary, the calls to `OSSL_PROVIDER_unload` with the following call to +the `OSSL_PROVIDER_load` or `OSSL_PROVIDER_load_ex` should be used. + +Possible future steps +--------------------- + +1. We should provide some API function accessing the configuration parameters + of a particular provider. Having it, the application will be able to combine + some default values with the app-specific ones in more or less intellectual + way. + +2. We probably should remove the `INFOPAIR` structure and use the `OSSL_PARAM` + one instead. From 8a7f30ef67d59f808610275e8bc1723510cf062b Mon Sep 17 00:00:00 2001 
From: Tomas Mraz Date: Mon, 28 Aug 2023 18:49:02 +0200 Subject: [PATCH 029/324] ecp_sm2p256-armv8.pl: Copy the argument handling from ecp_nistz256-armv8.pl Popping the $output argument is more robust and it also needs to be placed in double quotes to handle spaces in paths. Fixes #21874 Fixes #21876 Reviewed-by: Richard Levitte Reviewed-by: Tom Cosgrove (Merged from https://github.com/openssl/openssl/pull/21877) --- crypto/ec/asm/ecp_sm2p256-armv8.pl | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/crypto/ec/asm/ecp_sm2p256-armv8.pl b/crypto/ec/asm/ecp_sm2p256-armv8.pl index da4c16c309cd3..50950865e4340 100644 --- a/crypto/ec/asm/ecp_sm2p256-armv8.pl +++ b/crypto/ec/asm/ecp_sm2p256-armv8.pl @@ -6,15 +6,18 @@ # in the file LICENSE in the source distribution or at # https://www.openssl.org/source/license.html -$flavour = shift; -while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {} +# $output is the last argument if it looks like a file (it has an extension) +# $flavour is the first argument if it doesn't look like a file +$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef; +$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef; $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or die "can't locate arm-xlate.pl"; -open OUT,"| \"$^X\" $xlate $flavour $output"; +open OUT,"| \"$^X\" $xlate $flavour \"$output\"" + or die "can't call $xlate: $!"; *STDOUT=*OUT; my ($s0,$s1,$s2,$s3,$s4,$s5,$s6,$s7)=map("x$_",(7..14)); From 305dc68add0e6b8e52cb5208d5803ac94f90bfb6 Mon Sep 17 00:00:00 2001 
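Review bot: In the new `open OUT` line only `$output` gained quotes; `$xlate` is still interpolated bare into the shell command. It is built from `$dir`, which is taken from `$0`, so a source tree path containing spaces (the case this commit addresses for the output file) still splits into several arguments. Quote it the same way: `open OUT,"| \"$^X\" \"$xlate\" $flavour \"$output\""`. Separately, `$output` is now `undef` when the last argument has no extension, so the command passes an empty quoted argument; whether arm-xlate.pl treats that as "write to stdout" is not visible here and should be confirmed.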
From: Tomas Mraz Date: Fri, 25 Aug 2023 15:24:16 +0200 Subject: [PATCH 030/324] Add CHANGES.md entry for ess_cert_id_alg default change The default was changed in 10536b7f5b07aab3dc9631e94a56258155a1d942 Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/21845) --- CHANGES.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGES.md b/CHANGES.md index 11a0ee793d819..78e74c41fa1f8 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -25,6 +25,13 @@ OpenSSL 3.2 ### Changes between 3.1 and 3.2 [xx XXX xxxx] + * Changed the default value of the `ess_cert_id_alg` configuration + option which is used to calculate the TSA's public key certificate + identifier. The default algorithm is updated to be sha256 instead + of sha1. + + *Małgorzata Olszówka* + * Added optimization for SM2 algorithm on aarch64. It uses a huge precomputed table for point multiplication of the base point, which increases the size of libcrypto from 4.4 MB to 4.9 MB. A new configure option `no-sm2-precomp` has From ecb6cdf02a302af18fe4bc20097a9ea3177f897c Mon Sep 17 00:00:00 2001 From: Ingo Franzki Date: Wed, 30 Aug 2023 08:41:43 +0200 Subject: [PATCH 031/324] OPENSSL_init_crypto load config into initial global default library context OPENSSL_init_crypto() with OPENSSL_INIT_LOAD_CONFIG must load the configuration into the initial global default library context, not the currently set default library context. OPENSSL_init_crypto() with OPENSSL_INIT_LOAD_CONFIG may be called within other OpenSSL API functions, e.g. from within EVP_PKEY_CTX_new_xxx() when initializing a pkey context, to perform implicit initialization, if it has not been initialized yet. This implicit initialization may happen at a time when an application has already create its own library context and made it the default library context. So loading the config into the current default library context would load it into the applications library context. 
Signed-off-by: Ingo Franzki Reviewed-by: Dmitry Belyavskiy Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21897) --- crypto/conf/conf_sap.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/crypto/conf/conf_sap.c b/crypto/conf/conf_sap.c index be87aaf7e82b8..2e1848866418e 100644 --- a/crypto/conf/conf_sap.c +++ b/crypto/conf/conf_sap.c @@ -65,7 +65,8 @@ int ossl_config_int(const OPENSSL_INIT_SETTINGS *settings) #endif #ifndef OPENSSL_SYS_UEFI - ret = CONF_modules_load_file(filename, appname, flags); + ret = CONF_modules_load_file_ex(OSSL_LIB_CTX_get0_global_default(), + filename, appname, flags); #else ret = 1; #endif From 60421893a286bb9eb7fb7c2454b84af9778ffca4 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Wed, 30 Aug 2023 10:32:53 +0100 Subject: [PATCH 032/324] QUIC: Harden ring buffer against internal misuse Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21895) --- include/internal/ring_buf.h | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/include/internal/ring_buf.h b/include/internal/ring_buf.h index 1d70439278b50..85a8d309bae6a 100644 --- a/include/internal/ring_buf.h +++ b/include/internal/ring_buf.h @@ -12,6 +12,7 @@ # pragma once # include /* For 'ossl_inline' */ +# include "internal/safe_math.h" /* * ================================================================== @@ -39,6 +40,10 @@ struct ring_buf { uint64_t ctail_offset; }; +OSSL_SAFE_MATH_UNSIGNED(u64, uint64_t) + +#define MAX_OFFSET (((uint64_t)1) << 62) /* QUIC-imposed limit */ + static ossl_inline int ring_buf_init(struct ring_buf *r) { r->start = NULL; 
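Review bot: The call in ossl_config_int() now passes `OSSL_LIB_CTX_get0_global_default()` with no comment, and the reason is recorded only in the commit message: implicit initialisation can run after an application has installed its own default library context. A later cleanup could easily switch it back to the plain `CONF_modules_load_file()` and reintroduce loading the configuration into the application's context. A short comment above the call would prevent that, for example `/* Always load into the global default libctx: implicit init may run after the app set its own default */`. The function body extends outside the hunk.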
@@ -74,11 +79,15 @@ static ossl_inline int ring_buf_write_at(struct ring_buf *r, { size_t avail, idx, l; unsigned char *start = r->start; - int i; + int i, err = 0; avail = ring_buf_avail(r); if (logical_offset < r->ctail_offset - || logical_offset + buf_len > r->head_offset + avail) + || safe_add_u64(logical_offset, buf_len, &err) + > safe_add_u64(r->head_offset, avail, &err) + || safe_add_u64(r->head_offset, buf_len, &err) + > MAX_OFFSET + || err) return 0; for (i = 0; buf_len > 0 && i < 2; ++i) { @@ -113,6 +122,9 @@ static ossl_inline size_t ring_buf_push(struct ring_buf *r, if (buf_len > avail) buf_len = avail; + if (buf_len > MAX_OFFSET - r->head_offset) + buf_len = (size_t)(MAX_OFFSET - r->head_offset); + if (buf_len == 0) break; @@ -190,7 +202,7 @@ static ossl_inline void ring_buf_cpop_range(struct ring_buf *r, { assert(end >= start); - if (start > r->ctail_offset) + if (start > r->ctail_offset || end >= MAX_OFFSET) return; if (cleanse && r->alloc > 0 && end > r->ctail_offset) { From 670e73d9084465384b11ef24802ca4a313e1d2f4 Mon Sep 17 00:00:00 2001 From: Rohan McLure Date: Tue, 15 Aug 2023 15:20:20 +1000 Subject: [PATCH 033/324] ecc: Remove extraneous parentheses in secp384r1 Substitutions in the felem_reduce() method feature unecessary parentheses, remove them. Signed-off-by: Rohan McLure Reviewed-by: Tomas Mraz Reviewed-by: Shane Lontis Reviewed-by: Hugo Landau (Merged from https://github.com/openssl/openssl/pull/21749) --- crypto/ec/ecp_nistp384.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/crypto/ec/ecp_nistp384.c b/crypto/ec/ecp_nistp384.c index 14f9530d07c66..ff68f9cc7ad02 100644 --- a/crypto/ec/ecp_nistp384.c +++ b/crypto/ec/ecp_nistp384.c 
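Review bot: In `ring_buf_write_at()` the new limit test bounds `r->head_offset + buf_len`, but the range test just above it treats `logical_offset + buf_len` as the end of the write. If `logical_offset` can be ahead of `head_offset` (the copy loop is outside this hunk, so this is not confirmed), a write ending past `MAX_OFFSET` would still pass the new check. Bounding the real end offset closes that gap: `|| safe_add_u64(logical_offset, buf_len, &err) > MAX_OFFSET`. If the existing form is intentional, a one-line comment saying why `head_offset` is the right base would help the next reader.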
@@ -540,7 +540,7 @@ static void felem_reduce(felem out, const widefelem in) acc[7] += in[12] >> 8; acc[6] += (in[12] & 0xff) << 48; acc[6] -= in[12] >> 16; - acc[5] -= ((in[12] & 0xffff) << 40); + acc[5] -= (in[12] & 0xffff) << 40; acc[6] += in[12] >> 48; acc[5] += (in[12] & 0xffffffffffff) << 8; @@ -549,7 +549,7 @@ static void felem_reduce(felem out, const widefelem in) acc[6] += in[11] >> 8; acc[5] += (in[11] & 0xff) << 48; acc[5] -= in[11] >> 16; - acc[4] -= ((in[11] & 0xffff) << 40); + acc[4] -= (in[11] & 0xffff) << 40; acc[5] += in[11] >> 48; acc[4] += (in[11] & 0xffffffffffff) << 8; @@ -558,7 +558,7 @@ static void felem_reduce(felem out, const widefelem in) acc[5] += in[10] >> 8; acc[4] += (in[10] & 0xff) << 48; acc[4] -= in[10] >> 16; - acc[3] -= ((in[10] & 0xffff) << 40); + acc[3] -= (in[10] & 0xffff) << 40; acc[4] += in[10] >> 48; acc[3] += (in[10] & 0xffffffffffff) << 8; @@ -567,7 +567,7 @@ static void felem_reduce(felem out, const widefelem in) acc[4] += in[9] >> 8; acc[3] += (in[9] & 0xff) << 48; acc[3] -= in[9] >> 16; - acc[2] -= ((in[9] & 0xffff) << 40); + acc[2] -= (in[9] & 0xffff) << 40; acc[3] += in[9] >> 48; acc[2] += (in[9] & 0xffffffffffff) << 8; @@ -582,7 +582,7 @@ static void felem_reduce(felem out, const widefelem in) acc[3] += acc[8] >> 8; acc[2] += (acc[8] & 0xff) << 48; acc[2] -= acc[8] >> 16; - acc[1] -= ((acc[8] & 0xffff) << 40); + acc[1] -= (acc[8] & 0xffff) << 40; acc[2] += acc[8] >> 48; acc[1] += (acc[8] & 0xffffffffffff) << 8; @@ -591,7 +591,7 @@ static void felem_reduce(felem out, const widefelem in) acc[2] += acc[7] >> 8; acc[1] += (acc[7] & 0xff) << 48; acc[1] -= acc[7] >> 16; - acc[0] -= ((acc[7] & 0xffff) << 40); + acc[0] -= (acc[7] & 0xffff) << 40; acc[1] += acc[7] >> 48; acc[0] += (acc[7] & 0xffffffffffff) << 8; From 50f8b936b00dc18ce1f622a7a6aa46daf03da48b Mon Sep 17 00:00:00 2001 
From: Rohan McLure Date: Wed, 16 Aug 2023 16:52:47 +1000 Subject: [PATCH 034/324] powerpc: ecc: Fix stack allocation secp384r1 asm Assembly acceleration secp384r1 opts to not use any callee-save VSRs, as VSX enabled systems make extensive use of renaming, and so writebacks in felem_{mul,square}() can be reordered for best cache effects. Remove stack allocations. This in turn fixes unmatched push/pops in felem_{mul,square}(). Signed-off-by: Rohan McLure Reviewed-by: Tomas Mraz Reviewed-by: Shane Lontis Reviewed-by: Hugo Landau (Merged from https://github.com/openssl/openssl/pull/21749) --- crypto/ec/asm/ecp_nistp384-ppc64.pl | 49 ----------------------------- 1 file changed, 49 deletions(-) diff --git a/crypto/ec/asm/ecp_nistp384-ppc64.pl b/crypto/ec/asm/ecp_nistp384-ppc64.pl index 3f86b391af699..28f4168e52181 100755 --- a/crypto/ec/asm/ecp_nistp384-ppc64.pl +++ b/crypto/ec/asm/ecp_nistp384-ppc64.pl @@ -62,51 +62,6 @@ ($) ___ } - -sub push_vrs($$) -{ - my ($min, $max) = @_; - - my $count = $max - $min + 1; - - $code.=<<___; - mr $savesp,$sp - stdu $sp,-16*`$count+1`($sp) - -___ - for (my $i = $min; $i <= $max; $i++) { - my $mult = $max - $i + 1; - $code.=<<___; - stxv $i,-16*$mult($savesp) -___ - - } - - $code.=<<___; - -___ -} - -sub pop_vrs($$) -{ - my ($min, $max) = @_; - - $code.=<<___; - ld $savesp,0($sp) -___ - for (my $i = $min; $i <= $max; $i++) { - my $mult = $max - $i + 1; - $code.=<<___; - lxv $i,-16*$mult($savesp) -___ - } - - $code.=<<___; - mr $sp,$savesp - -___ -} - sub load_vrs($$) { my ($pointer, $reg_list) = @_; @@ -162,8 +117,6 @@ ($$) startproc("p384_felem_mul"); - push_vrs(52, 63); - $code.=<<___; vspltisw $vzero,0 @@ -268,8 +221,6 @@ ($$) startproc("p384_felem_square"); - push_vrs(52, 63); - $code.=<<___; vspltisw $vzero,0 From 3961991593f788b3efb2a27563d358c7c58f854c Mon Sep 17 00:00:00 2001 
From: Matt Caswell Date: Wed, 30 Aug 2023 15:48:02 +0100 Subject: [PATCH 035/324] Remove a redundant point mul from ossl_ec_key_public_check() This code was added in error and is entirely redundant. It is also an expensive operation (e.g. see #21833). Fixes #21834 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale Reviewed-by: Shane Lontis Reviewed-by: Hugo Landau (Merged from https://github.com/openssl/openssl/pull/21902) --- crypto/ec/ec_key.c | 5 ----- 1 file changed, 5 deletions(-) diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c index e428b45d4a1d4..2bf3e601f17f2 100644 --- a/crypto/ec/ec_key.c +++ b/crypto/ec/ec_key.c @@ -581,11 +581,6 @@ int ossl_ec_key_public_check(const EC_KEY *eckey, BN_CTX *ctx) ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); goto err; } - /* Perform a second check on the public key */ - if (!EC_POINT_mul(eckey->group, point, NULL, eckey->pub_key, order, ctx)) { - ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); - goto err; - } if (!EC_POINT_is_at_infinity(eckey->group, point)) { ERR_raise(ERR_LIB_EC, EC_R_WRONG_ORDER); goto err; From b544c72f3755c0ea51408d3118821a1ac126c070 Mon Sep 17 00:00:00 2001 From: slontis Date: Tue, 29 Aug 2023 18:02:14 +1000 Subject: [PATCH 036/324] Add ED25519 Signature demo. Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell Reviewed-by: Tom Cosgrove Reviewed-by: Hugo Landau (Merged from https://github.com/openssl/openssl/pull/21883) --- demos/README.txt | 8 +- demos/signature/EVP_ED_Signature_demo.c | 208 ++++++++++++++++++++++++ demos/signature/Makefile | 11 +- 3 files changed, 221 insertions(+), 6 deletions(-) create mode 100644 demos/signature/EVP_ED_Signature_demo.c diff --git a/demos/README.txt b/demos/README.txt index cc72721fbe2c1..32c15cd394d61 100644 --- a/demos/README.txt +++ b/demos/README.txt 
@@ -51,9 +51,11 @@ pkread.c Print out a description of a PKCS12 file. pkwrite.c Add a password to an existing PKCS12 file. signature: -EVP_Signature_demo.c Compute and verify a signature from multiple buffers -rsa_pss_direct.c Compute and verify an RSA-PSS signature from a hash -rsa_pss_hash.c Compute and verify an RSA-PSS signature over a buffer +EVP_EC_Signature_demo.c Compute and verify an EC signature. +EVP_DSA_Signature_demo.c Compute and verify a DSA signature. +EVP_ED_Signature_demo.c Compute and verify an ED25519 signature. +rsa_pss_direct.c Compute and verify an RSA-PSS signature from a hash +rsa_pss_hash.c Compute and verify an RSA-PSS signature over a buffer sslecho: main.c Simple SSL echo client/server. diff --git a/demos/signature/EVP_ED_Signature_demo.c b/demos/signature/EVP_ED_Signature_demo.c new file mode 100644 index 0000000000000..e5cb6f4de15fc --- /dev/null +++ b/demos/signature/EVP_ED_Signature_demo.c 
@@ -0,0 +1,208 @@ +/*- + * Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * This demonstration will calculate and verify an ED25519 signature of + * a message using EVP_DigestSign() and EVP_DigestVerify(). + */ + +#include +#include +#include +#include +#include + +/* A test message to be signed (TBS) */ +static const unsigned char hamlet[] = + "To be, or not to be, that is the question,\n" + "Whether tis nobler in the minde to suffer\n" + "The slings and arrowes of outragious fortune,\n" + "Or to take Armes again in a sea of troubles,\n"; + +static int demo_sign(EVP_PKEY *priv, + const unsigned char *tbs, size_t tbs_len, + OSSL_LIB_CTX *libctx, + unsigned char **sig_out_value, + size_t *sig_out_len) +{ + int ret = 0; + size_t sig_len; + unsigned char *sig_value = NULL; + EVP_MD_CTX *sign_context = NULL; + + /* Create a signature context */ + sign_context = EVP_MD_CTX_new(); + if (sign_context == NULL) { + fprintf(stderr, "EVP_MD_CTX_new failed.\n"); + goto cleanup; + } + + /* + * Initialize the sign context using an ED25519 private key + * Notice that the digest name must NOT be used. + * In this demo we don't specify any additional parameters via + * OSSL_PARAM, which means it will use default values. + * For more information, refer to doc/man7/EVP_SIGNATURE-ED25519.pod + * "ED25519 and ED448 Signature Parameters" + */ + if (!EVP_DigestSignInit_ex(sign_context, NULL, NULL, libctx, NULL, priv, NULL)) { + fprintf(stderr, "EVP_DigestSignInit_ex failed.\n"); + goto cleanup; + } + + /* Calculate the required size for the signature by passing a NULL buffer. 
*/ + if (!EVP_DigestSign(sign_context, NULL, &sig_len, tbs, tbs_len)) { + fprintf(stderr, "EVP_DigestSign using NULL buffer failed.\n"); + goto cleanup; + } + sig_value = OPENSSL_malloc(sig_len); + if (sig_value == NULL) { + fprintf(stderr, "OPENSSL_malloc failed.\n"); + goto cleanup; + } + fprintf(stdout, "Generating signature:\n"); + if (!EVP_DigestSign(sign_context, sig_value, &sig_len, tbs, tbs_len)) { + fprintf(stderr, "EVP_DigestSign failed.\n"); + goto cleanup; + } + *sig_out_len = sig_len; + *sig_out_value = sig_value; + BIO_dump_indent_fp(stdout, sig_value, sig_len, 2); + fprintf(stdout, "\n"); + ret = 1; + +cleanup: + if (!ret) + OPENSSL_free(sig_value); + EVP_MD_CTX_free(sign_context); + return ret; +} + +static int demo_verify(EVP_PKEY *pub, + const unsigned char *tbs, size_t tbs_len, + const unsigned char *sig_value, size_t sig_len, + OSSL_LIB_CTX *libctx) +{ + int ret = 0; + EVP_MD_CTX *verify_context = NULL; + + /* + * Make a verify signature context to hold temporary state + * during signature verification + */ + verify_context = EVP_MD_CTX_new(); + if (verify_context == NULL) { + fprintf(stderr, "EVP_MD_CTX_new failed.\n"); + goto cleanup; + } + /* Initialize the verify context with a ED25519 public key */ + if (!EVP_DigestVerifyInit_ex(verify_context, NULL, NULL, + libctx, NULL, pub, NULL)) { + fprintf(stderr, "EVP_DigestVerifyInit_ex failed.\n"); + goto cleanup; + } + /* + * ED25519 only supports the one shot interface using EVP_DigestVerify() + * The streaming EVP_DigestVerifyUpdate() API is not supported. 
+ */ + if (!EVP_DigestVerify(verify_context, sig_value, sig_len, + tbs, tbs_len)) { + fprintf(stderr, "EVP_DigestVerify() failed.\n"); + goto cleanup; + } + fprintf(stdout, "Signature verified.\n"); + ret = 1; + +cleanup: + EVP_MD_CTX_free(verify_context); + return ret; +} + +static int create_key(OSSL_LIB_CTX *libctx, + EVP_PKEY **privout, EVP_PKEY **pubout) +{ + int ret = 0; + EVP_PKEY *priv = NULL, *pub = NULL; + unsigned char pubdata[32]; + size_t pubdata_len = 0; + + /* + * In this demo we just create a keypair, and extract the + * public key. We could also use EVP_PKEY_new_raw_private_key_ex() + * to create a key from raw data. + */ + priv = EVP_PKEY_Q_keygen(libctx, NULL, "ED25519"); + if (priv == NULL) { + fprintf(stderr, "EVP_PKEY_Q_keygen() failed\n"); + goto end; + } + + if (!EVP_PKEY_get_octet_string_param(priv, + OSSL_PKEY_PARAM_PUB_KEY, + pubdata, + sizeof(pubdata), + &pubdata_len)) { + fprintf(stderr, "EVP_PKEY_get_octet_string_param() failed\n"); + goto end; + } + pub = EVP_PKEY_new_raw_public_key_ex(libctx, "ED25519", NULL, pubdata, pubdata_len); + if (pub == NULL) { + fprintf(stderr, "EVP_PKEY_new_raw_public_key_ex() failed\n"); + goto end; + } + ret = 1; +end: + if (ret) { + *pubout = pub; + *privout = priv; + } else { + EVP_PKEY_free(priv); + } + return ret; +} + +int main(void) +{ + OSSL_LIB_CTX *libctx = NULL; + size_t sig_len = 0; + unsigned char *sig_value = NULL; + int ret = EXIT_FAILURE; + EVP_PKEY *priv = NULL, *pub = NULL; + + libctx = OSSL_LIB_CTX_new(); + if (libctx == NULL) { + fprintf(stderr, "OSSL_LIB_CTX_new() returned NULL\n"); + goto cleanup; + } + if (!create_key(libctx, &priv, &pub)) { + fprintf(stderr, "Failed to create key.\n"); + goto cleanup; + } + + if (!demo_sign(priv, hamlet, sizeof(hamlet), libctx, + &sig_value, &sig_len)) { + fprintf(stderr, "demo_sign failed.\n"); + goto cleanup; + } + if (!demo_verify(pub, hamlet, sizeof(hamlet), + sig_value, sig_len, libctx)) { + fprintf(stderr, "demo_verify failed.\n"); + goto 
cleanup; + } + ret = EXIT_SUCCESS; + +cleanup: + if (ret != EXIT_SUCCESS) + ERR_print_errors_fp(stderr); + EVP_PKEY_free(pub); + EVP_PKEY_free(priv); + OSSL_LIB_CTX_free(libctx); + OPENSSL_free(sig_value); + return ret; +} diff --git a/demos/signature/Makefile b/demos/signature/Makefile index 394eef6d425d6..2a7c196007072 100644 --- a/demos/signature/Makefile +++ b/demos/signature/Makefile @@ -1,23 +1,28 @@ # # To run the demos when linked with a shared library (default): # -# LD_LIBRARY_PATH=../.. ./EVP_Signature_demo +# LD_LIBRARY_PATH=../.. ./EVP_EC_Signature_demo +# LD_LIBRARY_PATH=../.. ./EVP_DSA_Signature_demo +# LD_LIBRARY_PATH=../.. ./EVP_ED_Signature_demo +# LD_LIBRARY_PATH=../.. ./rsa_pss_direct +# LD_LIBRARY_PATH=../.. ./rsa_pss_hash CFLAGS = -I../../include -g -Wall LDFLAGS = -L../.. LDLIBS = -lcrypto -all: EVP_EC_Signature_demo EVP_DSA_Signature_demo rsa_pss_direct rsa_pss_hash +all: EVP_EC_Signature_demo EVP_DSA_Signature_demo EVP_ED_Signature_demo rsa_pss_direct rsa_pss_hash %.o: %.c $(CC) $(CFLAGS) -c $< EVP_EC_Signature_demo: EVP_EC_Signature_demo.o EVP_DSA_Signature_demo: EVP_DSA_Signature_demo.o +EVP_ED_Signature_demo: EVP_ED_Signature_demo.o rsa_pss_direct: rsa_pss_direct.o rsa_pss_hash: rsa_pss_hash.o test: ; clean: - $(RM) *.o EVP_EC_Signature_demo EVP_DSA_Signature_demo rsa_pss_direct rsa_pss_hash + $(RM) *.o EVP_EC_Signature_demo EVP_DSA_Signature_demo EVP_ED_Signature_demo rsa_pss_direct rsa_pss_hash From 399c2da08ab9c6a382f8e9950742a022e847fec0 Mon Sep 17 00:00:00 2001 
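Review bot: `demo_verify()` tests `if (!EVP_DigestVerify(...))`, which only catches a return of 0. EVP_DigestVerify() is documented to return 1 on success and any other value, including negative ones, on failure, so a negative error return would fall through to "Signature verified.". The check should be `if (EVP_DigestVerify(verify_context, sig_value, sig_len, tbs, tbs_len) != 1) {`. Because demo code gets copied, `main()` should also carry a comment that `sizeof(hamlet)` includes the terminating NUL in the signed message.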
From: Kurt Roeckx Date: Sun, 18 Dec 2022 20:54:15 +0100 Subject: [PATCH 037/324] Update X509 fuzzer to verify a chain It add supports for verifying that it's been signed by a CA, and checks the CRL and OCSP status Can find CVE-2022-4203 and CVE-2023-0286 Reviewed-by: Bernd Edlinger Reviewed-by: Tomas Mraz Reviewed-by: Dmitry Belyavskiy Reviewed-by: Hugo Landau (Merged from https://github.com/openssl/openssl/pull/20243) --- fuzz/build.info | 12 ++- fuzz/x509.c | 123 ++++++++++++++++++++++++++++--- test/recipes/99-test_fuzz_x509.t | 3 + 3 files changed, 125 insertions(+), 13 deletions(-) diff --git a/fuzz/build.info b/fuzz/build.info index e20034cfee1c8..7efc52ef8516b 100644 --- a/fuzz/build.info +++ b/fuzz/build.info @@ -9,7 +9,7 @@ -} IF[{- !$disabled{"fuzz-afl"} || !$disabled{"fuzz-libfuzzer"} -}] - PROGRAMS{noinst}=asn1 asn1parse bignum bndiv client conf crl server smime x509 + PROGRAMS{noinst}=asn1 asn1parse bignum bndiv client conf crl server smime PROGRAMS{noinst}=punycode pem decoder PROGRAMS{noinst}=v3name @@ -25,6 +25,10 @@ IF[{- !$disabled{"fuzz-afl"} || !$disabled{"fuzz-libfuzzer"} -}] PROGRAMS{noinst}=ct ENDIF + IF[{- !$disabled{"ocsp"} -}] + PROGRAMS{noinst}=x509 + ENDIF + SOURCE[asn1]=asn1.c driver.c fuzz_rand.c INCLUDE[asn1]=../include {- $ex_inc -} DEPEND[asn1]=../libcrypto ../libssl {- $ex_lib -} @@ -95,7 +99,7 @@ IF[{- !$disabled{"fuzz-afl"} || !$disabled{"fuzz-libfuzzer"} -}] ENDIF IF[{- !$disabled{tests} -}] - PROGRAMS{noinst}=asn1-test asn1parse-test bignum-test bndiv-test client-test conf-test crl-test server-test smime-test x509-test + PROGRAMS{noinst}=asn1-test asn1parse-test bignum-test bndiv-test client-test conf-test crl-test server-test smime-test PROGRAMS{noinst}=punycode-test pem-test decoder-test PROGRAMS{noinst}=v3name-test 
@@ -111,6 +115,10 @@ IF[{- !$disabled{tests} -}] PROGRAMS{noinst}=ct-test ENDIF + IF[{- !$disabled{"ocsp"} -}] + PROGRAMS{noinst}=x509-test + ENDIF + SOURCE[asn1-test]=asn1.c test-corpus.c fuzz_rand.c INCLUDE[asn1-test]=../include DEPEND[asn1-test]=../libcrypto ../libssl diff --git a/fuzz/x509.c b/fuzz/x509.c index 78061d176af79..6293f1a5c547a 100644 --- a/fuzz/x509.c +++ b/fuzz/x509.c @@ -9,6 +9,7 @@ */ #include +#include #include #include #include 
@@ -17,31 +18,131 @@ int FuzzerInitialize(int *argc, char ***argv) { FuzzerSetRand(); - OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); + OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS + | OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS, NULL); ERR_clear_error(); CRYPTO_free_ex_index(0, -1); return 1; } +static int cb(int ok, X509_STORE_CTX *ctx) +{ + return 1; +} + int FuzzerTestOneInput(const uint8_t *buf, size_t len) { const unsigned char *p = buf; + size_t orig_len = len; unsigned char *der = NULL; + BIO *bio = NULL; + X509 *x509_1 = NULL, *x509_2 = NULL; + X509_STORE *store = NULL; + X509_VERIFY_PARAM *param = NULL; + X509_STORE_CTX *ctx = NULL; + X509_CRL *crl = NULL; + STACK_OF(X509_CRL) *crls = NULL; + STACK_OF(X509) *certs = NULL; + OCSP_RESPONSE *resp = NULL; + OCSP_BASICRESP *bs = NULL; + OCSP_CERTID *id = NULL; + + x509_1 = d2i_X509(NULL, &p, len); + if (x509_1 == NULL) + goto err; + + bio = BIO_new(BIO_s_null()); + if (bio == NULL) + goto err; + + /* This will load and print the public key as well as extensions */ + X509_print(bio, x509_1); + BIO_free(bio); + + X509_issuer_and_serial_hash(x509_1); + + i2d_X509(x509_1, &der); + OPENSSL_free(der); + + len = orig_len - (p - buf); + x509_2 = d2i_X509(NULL, &p, len); + if (x509_2 == NULL) + goto err; + + len = orig_len - (p - buf); + crl = d2i_X509_CRL(NULL, &p, len); + if (crl == NULL) + goto err; + + len = orig_len - (p - buf); + resp = d2i_OCSP_RESPONSE(NULL, &p, len); + + store = X509_STORE_new(); + X509_STORE_add_cert(store, x509_2); - X509 *x509 = d2i_X509(NULL, &p, len); - if (x509 != NULL) { - BIO *bio = BIO_new(BIO_s_null()); - /* This will load and print the public key as well as extensions */ - X509_print(bio, x509); - BIO_free(bio); + param = X509_VERIFY_PARAM_new(); + X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_NO_CHECK_TIME); + X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_X509_STRICT); + X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_PARTIAL_CHAIN); + 
X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK); - X509_issuer_and_serial_hash(x509); + X509_STORE_set1_param(store, param); - i2d_X509(x509, &der); - OPENSSL_free(der); + X509_STORE_set_verify_cb(store, cb); - X509_free(x509); + ctx = X509_STORE_CTX_new(); + if (ctx == NULL) + goto err; + + X509_STORE_CTX_init(ctx, store, x509_1, NULL); + + if (crl != NULL) { + crls = sk_X509_CRL_new_null(); + if (crls == NULL) + goto err; + + sk_X509_CRL_push(crls, crl); + X509_STORE_CTX_set0_crls(ctx, crls); } + + X509_verify_cert(ctx); + + if (resp != NULL) + bs = OCSP_response_get1_basic(resp); + + if (bs != NULL) { + int status, reason; + ASN1_GENERALIZEDTIME *revtime, *thisupd, *nextupd; + + certs = sk_X509_new_null(); + if (certs == NULL) + goto err; + + sk_X509_push(certs, x509_1); + sk_X509_push(certs, x509_2); + + OCSP_basic_verify(bs, certs, store, OCSP_PARTIAL_CHAIN); + + id = OCSP_cert_to_id(NULL, x509_1, x509_2); + if (id == NULL) + goto err; + OCSP_resp_find_status(bs, id, &status, &reason, &revtime, &thisupd, + &nextupd); + } + +err: + X509_STORE_CTX_free(ctx); + X509_VERIFY_PARAM_free(param); + X509_STORE_free(store); + X509_free(x509_1); + X509_free(x509_2); + X509_CRL_free(crl); + OCSP_CERTID_free(id); + OCSP_BASICRESP_free(bs); + OCSP_RESPONSE_free(resp); + sk_X509_CRL_free(crls); + sk_X509_free(certs); + ERR_clear_error(); return 0; } diff --git a/test/recipes/99-test_fuzz_x509.t b/test/recipes/99-test_fuzz_x509.t index 9a1e3a19cadce..7ca3ee8ae7ca0 100644 --- a/test/recipes/99-test_fuzz_x509.t +++ b/test/recipes/99-test_fuzz_x509.t @@ -15,6 +15,9 @@ use OpenSSL::Test::Utils; my $fuzzer = "x509"; setup("test_fuzz_${fuzzer}"); +plan skip_all => "This test requires ocsp support" + if disabled("ocsp"); + plan tests => 2; # one more due to below require_ok(...) require_ok(srctop_file('test','recipes','fuzz.pl')); From da57c0eaf22c390f9b38c42ca1bd7daca4effd2f Mon Sep 17 00:00:00 2001 
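Review bot: In `FuzzerTestOneInput()` the results of `X509_STORE_new()` and `X509_VERIFY_PARAM_new()` are used without a NULL check, and the return of `X509_STORE_CTX_init()` is ignored before `X509_verify_cert(ctx)`. The same function does check `bio`, `ctx`, `crls` and `certs`. Adding `if (store == NULL) goto err;`, `if (param == NULL) goto err;` and `if (!X509_STORE_CTX_init(ctx, store, x509_1, NULL)) goto err;` keeps allocation failures from being reported as fuzzer findings. The always-accept callback `cb` should get a comment such as `/* Fuzzing only: ignore every verification error so the full path is exercised; never use in real verification */`. The later `if (crl != NULL)` is redundant after the earlier `goto err` on a NULL `crl`.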
From: Abhirup Manna Date: Wed, 30 Aug 2023 22:23:20 +0530 Subject: [PATCH 038/324] Removed unnecessary brace in ktls_configure_crypto CLA: trivial Fixes #21498 Reviewed-by: Tim Hudson Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21908) --- ssl/record/methods/ktls_meth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ssl/record/methods/ktls_meth.c b/ssl/record/methods/ktls_meth.c index 2d3c33bf7a8cc..ff8d7218597cb 100644 --- a/ssl/record/methods/ktls_meth.c +++ b/ssl/record/methods/ktls_meth.c @@ -95,7 +95,7 @@ int ktls_configure_crypto(OSSL_LIB_CTX *libctx, int version, const EVP_CIPHER *c return 0; if (EVP_MD_is_a(md, "SHA1")) crypto_info->auth_algorithm = CRYPTO_SHA1_HMAC; - else if (EVP_MD_is_a(md, "SHA2-256")) { + else if (EVP_MD_is_a(md, "SHA2-256")) crypto_info->auth_algorithm = CRYPTO_SHA2_256_HMAC; else if (EVP_MD_is_a(md, "SHA2-384")) crypto_info->auth_algorithm = CRYPTO_SHA2_384_HMAC; From 881e3299dcadd65cc4a2843ba47abc6548ced8f4 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Wed, 9 Aug 2023 17:46:32 +0100 Subject: [PATCH 039/324] QUIC TLS: Better error message when ALPN not used Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21715) --- ssl/quic/quic_tls.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/ssl/quic/quic_tls.c b/ssl/quic/quic_tls.c index 8b9f812253d13..b0da216e37784 100644 --- a/ssl/quic/quic_tls.c +++ b/ssl/quic/quic_tls.c @@ -672,8 +672,8 @@ static int raise_error(QUIC_TLS *qtls, uint64_t error_code, ERR_new(); ERR_set_debug(src_file, src_line, src_func); ERR_set_error(ERR_LIB_SSL, SSL_R_QUIC_HANDSHAKE_LAYER_ERROR, - "handshake layer error, error code %llu (\"%s\")", - (unsigned long long)error_code, error_msg); + "handshake layer error, error code %llu (0x%llx) (\"%s\")", + error_code, error_code, error_msg); OSSL_ERR_STATE_save_to_mark(qtls->error_state); /* 
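Review bot: The rewritten `ERR_set_error()` call in `raise_error()` passes `error_code`, a `uint64_t` per the signature in the hunk header, straight to `%llu` and `%llx`. The removed line had an `(unsigned long long)` cast, and without it the argument type does not match the conversion on platforms where `uint64_t` is `unsigned long`. Keep the cast on both arguments: `(unsigned long long)error_code, (unsigned long long)error_code, error_msg);`.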
@@ -743,7 +743,8 @@ int ossl_quic_tls_tick(QUIC_TLS *qtls) return RAISE_INTERNAL_ERROR(qtls); } else { if (sc->ext.alpn == NULL || sc->ext.alpn_len == 0) - return RAISE_INTERNAL_ERROR(qtls); + return RAISE_ERROR(qtls, QUIC_ERR_CRYPTO_NO_APP_PROTO, + "ALPN must be configured when using QUIC"); } if (!SSL_set_min_proto_version(qtls->args.s, TLS1_3_VERSION)) return RAISE_INTERNAL_ERROR(qtls); From ed28cb8140f1de81eca0f90b169af2b783abfe16 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Wed, 9 Aug 2023 17:46:32 +0100 Subject: [PATCH 040/324] BIO_s_connect: Make internal functions static Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21715) --- crypto/bio/bss_conn.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/crypto/bio/bss_conn.c b/crypto/bio/bss_conn.c index f494b14000fa1..bc52607978ad1 100644 --- a/crypto/bio/bss_conn.c +++ b/crypto/bio/bss_conn.c @@ -52,8 +52,8 @@ static long conn_callback_ctrl(BIO *h, int cmd, BIO_info_cb *); static int conn_state(BIO *b, BIO_CONNECT *c); static void conn_close_socket(BIO *data); -BIO_CONNECT *BIO_CONNECT_new(void); -void BIO_CONNECT_free(BIO_CONNECT *a); +static BIO_CONNECT *BIO_CONNECT_new(void); +static void BIO_CONNECT_free(BIO_CONNECT *a); #define BIO_CONN_S_BEFORE 1 #define BIO_CONN_S_GET_ADDR 2 @@ -252,7 +252,7 @@ static int conn_state(BIO *b, BIO_CONNECT *c) return ret; } -BIO_CONNECT *BIO_CONNECT_new(void) +static BIO_CONNECT *BIO_CONNECT_new(void) { BIO_CONNECT *ret; @@ -263,7 +263,7 @@ BIO_CONNECT *BIO_CONNECT_new(void) return ret; } -void BIO_CONNECT_free(BIO_CONNECT *a) +static void BIO_CONNECT_free(BIO_CONNECT *a) { if (a == NULL) return; From 7841dbabec50eb701022154d9639a01c2a875eaa Mon Sep 17 00:00:00 2001 
From: Hugo Landau Date: Wed, 9 Aug 2023 17:46:32 +0100 Subject: [PATCH 041/324] BIO_s_connect: Add support for datagram mode Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21715) --- crypto/bio/bss_conn.c | 171 ++++++++++++++++++++++++++++++++++++++- include/openssl/bio.h.in | 7 ++ 2 files changed, 177 insertions(+), 1 deletion(-) diff --git a/crypto/bio/bss_conn.c b/crypto/bio/bss_conn.c index bc52607978ad1..865a4d4cd429e 100644 --- a/crypto/bio/bss_conn.c +++ b/crypto/bio/bss_conn.c @@ -19,6 +19,7 @@ typedef struct bio_connect_st { int state; int connect_family; + int connect_sock_type; char *param_hostname; char *param_service; int connect_mode; @@ -39,6 +40,11 @@ typedef struct bio_connect_st { * ssl info_callback */ BIO_info_cb *info_callback; + /* + * Used when connect_sock_type is SOCK_DGRAM. Owned by us; we forward + * read/write(mmsg) calls to this if present. + */ + BIO *dgram_bio; } BIO_CONNECT; static int conn_write(BIO *h, const char *buf, int num); @@ -49,6 +55,10 @@ static long conn_ctrl(BIO *h, int cmd, long arg1, void *arg2); static int conn_new(BIO *h); static int conn_free(BIO *data); static long conn_callback_ctrl(BIO *h, int cmd, BIO_info_cb *); +static int conn_sendmmsg(BIO *h, BIO_MSG *m, size_t s, size_t n, + uint64_t f, size_t *mp); +static int conn_recvmmsg(BIO *h, BIO_MSG *m, size_t s, size_t n, + uint64_t f, size_t *mp); static int conn_state(BIO *b, BIO_CONNECT *c); static void conn_close_socket(BIO *data); 
@@ -76,8 +86,28 @@ static const BIO_METHOD methods_connectp = { conn_new, conn_free, conn_callback_ctrl, + conn_sendmmsg, + conn_recvmmsg, }; +static int conn_create_dgram_bio(BIO *b, BIO_CONNECT *c) +{ + if (c->connect_sock_type != SOCK_DGRAM) + return 1; + +#ifndef OPENSSL_NO_DGRAM + c->dgram_bio = BIO_new_dgram(b->num, 0); + if (c->dgram_bio == NULL) + goto err; + + return 1; + +err: +#endif + c->state = BIO_CONN_S_CONNECT_ERROR; + return 0; +} + static int conn_state(BIO *b, BIO_CONNECT *c) { int ret = -1, i; @@ -128,7 +158,8 @@ static int conn_state(BIO *b, BIO_CONNECT *c) } if (BIO_lookup(c->param_hostname, c->param_service, BIO_LOOKUP_CLIENT, - family, SOCK_STREAM, &c->addr_first) == 0) + family, c->connect_sock_type, + &c->addr_first) == 0) goto exit_loop; } if (c->addr_first == NULL) { @@ -186,6 +217,8 @@ static int conn_state(BIO *b, BIO_CONNECT *c) goto exit_loop; } else { ERR_clear_last_mark(); + if (!conn_create_dgram_bio(b, c)) + break; c->state = BIO_CONN_S_OK; } break; @@ -212,6 +245,8 @@ static int conn_state(BIO *b, BIO_CONNECT *c) ret = 0; goto exit_loop; } else { + if (!conn_create_dgram_bio(b, c)) + break; c->state = BIO_CONN_S_OK; # ifndef OPENSSL_NO_KTLS /* @@ -260,6 +295,7 @@ static BIO_CONNECT *BIO_CONNECT_new(void) return NULL; ret->state = BIO_CONN_S_BEFORE; ret->connect_family = BIO_FAMILY_IPANY; + ret->connect_sock_type = SOCK_STREAM; return ret; } @@ -311,6 +347,9 @@ static int conn_free(BIO *a) return 0; data = (BIO_CONNECT *)a->ptr; + if (data->dgram_bio != NULL) + BIO_free(data->dgram_bio); + if (a->shutdown) { conn_close_socket(a); BIO_CONNECT_free(data); @@ -333,6 +372,9 @@ static int conn_read(BIO *b, char *out, int outl) return ret; } + if (data->dgram_bio != NULL) + return BIO_read(data->dgram_bio, out, outl); + if (out != NULL) { clear_socket_error(); # ifndef OPENSSL_NO_KTLS 
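Review bot: In `conn_free()` the new code frees `data->dgram_bio` unconditionally, but `data` itself is freed only inside `if (a->shutdown)`, so on the non-shutdown path the structure keeps a stale `dgram_bio` pointer. Whether `data` is reachable afterwards is not visible in this hunk, but clearing the field is cheap. `BIO_free()` accepts NULL, so the guard can go: `BIO_free(data->dgram_bio);` followed by `data->dgram_bio = NULL;`.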
@@ -364,6 +406,9 @@ static int conn_write(BIO *b, const char *in, int inl) return ret; } + if (data->dgram_bio != NULL) + return BIO_write(data->dgram_bio, in, inl); + clear_socket_error(); # ifndef OPENSSL_NO_KTLS if (BIO_should_ktls_ctrl_msg_flag(b)) { @@ -399,6 +444,7 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr) const char **pptr = NULL; long ret = 1; BIO_CONNECT *data; + const BIO_ADDR *dg_addr; # ifndef OPENSSL_NO_KTLS ktls_crypto_info_t *crypto_info; # endif @@ -503,6 +549,62 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr) } } break; + case BIO_C_SET_SOCK_TYPE: + if ((num != SOCK_STREAM && num != SOCK_DGRAM) + || data->state >= BIO_CONN_S_GET_ADDR) { + ret = 0; + break; + } + + data->connect_sock_type = (int)num; + ret = 1; + break; + case BIO_C_GET_SOCK_TYPE: + ret = data->connect_sock_type; + break; + case BIO_C_GET_DGRAM_BIO: + if (data->dgram_bio != NULL) { + *(BIO **)ptr = data->dgram_bio; + ret = 1; + } else { + ret = 0; + } + break; + case BIO_CTRL_DGRAM_GET_PEER: + if (data->state != BIO_CONN_S_OK) + conn_state(b, data); /* best effort */ + + if (data->state >= BIO_CONN_S_CREATE_SOCKET + && data->addr_iter != NULL + && (dg_addr = BIO_ADDRINFO_address(data->addr_iter)) != NULL) { + + ret = BIO_ADDR_sockaddr_size(dg_addr); + if (num == 0 || num > ret) + num = ret; + + memcpy(ptr, dg_addr, num); + ret = num; + } else { + ret = 0; + } + + break; + case BIO_CTRL_GET_RPOLL_DESCRIPTOR: + case BIO_CTRL_GET_WPOLL_DESCRIPTOR: + { + BIO_POLL_DESCRIPTOR *pd = ptr; + + if (data->state != BIO_CONN_S_OK) + conn_state(b, data); /* best effort */ + + if (data->state >= BIO_CONN_S_CREATE_SOCKET) { + pd->type = BIO_POLL_DESCRIPTOR_TYPE_SOCK_FD; + pd->value.fd = b->num; + } else { + ret = 0; + } + } + break; case BIO_C_SET_NBIO: if (num != 0) data->connect_mode |= BIO_SOCK_NONBLOCK; 
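Review bot: The `BIO_CTRL_DGRAM_GET_PEER` case in `conn_ctrl()` clamps `num` with `if (num == 0 || num > ret)`, but `num` is a caller-supplied `long`. A negative value passes that test and reaches `memcpy(ptr, dg_addr, num)` as a very large size. The clamp should be `if (num <= 0 || num > ret)`, and `ptr` should be rejected when NULL before the copy. The same applies to the `*(BIO **)ptr` store under `BIO_C_GET_DGRAM_BIO` and to `pd` in the poll-descriptor case. The function body begins and ends outside this hunk.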
@@ -667,6 +769,11 @@ int conn_gets(BIO *bio, char *buf, int size) return ret; } + if (data->dgram_bio != NULL) { + ERR_raise(ERR_LIB_BIO, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return -1; + } + clear_socket_error(); while (size-- > 1) { # ifndef OPENSSL_NO_KTLS @@ -690,6 +797,68 @@ int conn_gets(BIO *bio, char *buf, int size) return ret > 0 || (bio->flags & BIO_FLAGS_IN_EOF) != 0 ? ptr - buf : ret; } +static int conn_sendmmsg(BIO *bio, BIO_MSG *msg, size_t stride, size_t num_msgs, + uint64_t flags, size_t *msgs_processed) +{ + int ret; + BIO_CONNECT *data; + + if (bio == NULL) { + *msgs_processed = 0; + ERR_raise(ERR_LIB_BIO, ERR_R_PASSED_NULL_PARAMETER); + return 0; + } + + data = (BIO_CONNECT *)bio->ptr; + if (data->state != BIO_CONN_S_OK) { + ret = conn_state(bio, data); + if (ret <= 0) { + *msgs_processed = 0; + return 0; + } + } + + if (data->dgram_bio == NULL) { + *msgs_processed = 0; + ERR_raise(ERR_LIB_BIO, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return 0; + } + + return BIO_sendmmsg(data->dgram_bio, msg, stride, num_msgs, + flags, msgs_processed); +} + +static int conn_recvmmsg(BIO *bio, BIO_MSG *msg, size_t stride, size_t num_msgs, + uint64_t flags, size_t *msgs_processed) +{ + int ret; + BIO_CONNECT *data; + + if (bio == NULL) { + *msgs_processed = 0; + ERR_raise(ERR_LIB_BIO, ERR_R_PASSED_NULL_PARAMETER); + return 0; + } + + data = (BIO_CONNECT *)bio->ptr; + if (data->state != BIO_CONN_S_OK) { + ret = conn_state(bio, data); + if (ret <= 0) { + *msgs_processed = 0; + return 0; + } + } + + if (data->dgram_bio == NULL) { + *msgs_processed = 0; + ERR_raise(ERR_LIB_BIO, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return 0; + } + + return BIO_recvmmsg(data->dgram_bio, msg, stride, num_msgs, + flags, msgs_processed); +} + BIO *BIO_new_connect(const char *str) { BIO *ret; diff --git a/include/openssl/bio.h.in b/include/openssl/bio.h.in index 91d3f8e41ccbe..9d196c7ae500c 100644 --- a/include/openssl/bio.h.in +++ b/include/openssl/bio.h.in 
@@ -461,6 +461,10 @@ typedef struct bio_poll_descriptor_st { # define BIO_C_SET_TFO 156 /* like BIO_C_SET_NBIO */ +# define BIO_C_SET_SOCK_TYPE 157 +# define BIO_C_GET_SOCK_TYPE 158 +# define BIO_C_GET_DGRAM_BIO 159 + # define BIO_set_app_data(s,arg) BIO_set_ex_data(s,0,arg) # define BIO_get_app_data(s) BIO_get_ex_data(s,0) @@ -488,6 +492,9 @@ typedef struct bio_poll_descriptor_st { # define BIO_get_conn_ip_family(b) BIO_ctrl(b,BIO_C_GET_CONNECT,3,NULL) # define BIO_get_conn_mode(b) BIO_ctrl(b,BIO_C_GET_CONNECT,4,NULL) # define BIO_set_conn_mode(b,n) BIO_ctrl(b,BIO_C_SET_CONNECT_MODE,(n),NULL) +# define BIO_set_sock_type(b,t) BIO_ctrl(b,BIO_C_SET_SOCK_TYPE,(t),NULL) +# define BIO_get_sock_type(b) BIO_ctrl(b,BIO_C_GET_SOCK_TYPE,0,NULL) +# define BIO_get_dgram_bio(b, p) BIO_ctrl(b,BIO_C_GET_DGRAM_BIO,0,(void *)(BIO **)(p)) /* BIO_s_accept() */ # define BIO_set_accept_name(b,name) BIO_ctrl(b,BIO_C_SET_ACCEPT,0, \ From 549d0a700be311d9a65560cb9eed3f725546b5ed Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Wed, 9 Aug 2023 17:46:32 +0100 Subject: [PATCH 042/324] QUIC CHANNEL: Only handle the first protocol error raised Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21715) --- ssl/quic/quic_channel.c | 9 +++++++++ ssl/quic/quic_channel_local.h | 8 ++++++++ 2 files changed, 17 insertions(+) diff --git a/ssl/quic/quic_channel.c b/ssl/quic/quic_channel.c index 516b895d8df20..844ddc137c552 100644 --- a/ssl/quic/quic_channel.c +++ b/ssl/quic/quic_channel.c @@ -2930,6 +2930,10 @@ static void ch_start_terminating(QUIC_CHANNEL *ch, const QUIC_TERMINATE_CAUSE *tcause, int force_immediate) { + /* No point sending anything if we haven't sent anything yet. */ + if (!ch->have_sent_any_pkt) + force_immediate = 1; + switch (ch->state) { default: case QUIC_CHANNEL_STATE_IDLE: 
@@ -3250,6 +3254,10 @@ void ossl_quic_channel_raise_protocol_error_loc(QUIC_CHANNEL *ch, const char *ft_str = NULL; const char *ft_str_pfx = " (", *ft_str_sfx = ")"; + if (ch->protocol_error) + /* Only the first call to this function matters. */ + return; + if (err_str == NULL) { err_str = ""; err_str_pfx = ""; @@ -3297,6 +3305,7 @@ void ossl_quic_channel_raise_protocol_error_loc(QUIC_CHANNEL *ch, tcause.reason = reason; tcause.reason_len = strlen(reason); + ch->protocol_error = 1; ch_start_terminating(ch, &tcause, 0); } diff --git a/ssl/quic/quic_channel_local.h b/ssl/quic/quic_channel_local.h index 8cef1372552f8..a60a539f9bbf3 100644 --- a/ssl/quic/quic_channel_local.h +++ b/ssl/quic/quic_channel_local.h @@ -445,6 +445,14 @@ struct quic_channel_st { /* Permanent net error encountered */ unsigned int net_error : 1; + /* + * Protocol error encountered. Note that you should refer to the state field + * rather than this. This is only used so we can ignore protocol errors + * after the first protocol error, but still record the first protocol error + * if it happens during the TERMINATING state. + */ + unsigned int protocol_error : 1; + /* Inhibit tick for testing purposes? */ unsigned int inhibit_tick : 1; From 2e1760118b5ba316cdf0b144a21fb4c21f796c71 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Wed, 9 Aug 2023 17:46:32 +0100 Subject: [PATCH 043/324] QUIC APL: Better error reporting Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21715) --- ssl/quic/quic_impl.c | 39 ++++++++++++++++++++++----------------- 1 file changed, 22 insertions(+), 17 deletions(-) diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c index b2ab9d4c673c8..79011f3387f6f 100644 --- a/ssl/quic/quic_impl.c +++ b/ssl/quic/quic_impl.c 
@@ -1453,32 +1453,39 @@ static int create_channel(QUIC_CONNECTION *qc) } /* - * Creates a channel and configures it with the information we have accumulated - * via calls made to us from the application prior to starting a handshake - * attempt. + * Configures a channel with the information we have accumulated via calls made + * to us from the application prior to starting a handshake attempt. */ QUIC_NEEDS_LOCK -static int ensure_channel_started(QUIC_CONNECTION *qc) +static int ensure_channel_started(QCTX *ctx) { + QUIC_CONNECTION *qc = ctx->qc; + if (!qc->started) { - if (!configure_channel(qc) - || !ossl_quic_channel_start(qc->ch)) - goto err; + if (!configure_channel(qc)) { + QUIC_RAISE_NON_NORMAL_ERROR(ctx, ERR_R_INTERNAL_ERROR, + "failed to configure channel"); + return 0; + } + + if (!ossl_quic_channel_start(qc->ch)) { + QUIC_RAISE_NON_NORMAL_ERROR(ctx, ERR_R_INTERNAL_ERROR, + "failed to start channel"); + return 0; + } #if !defined(OPENSSL_NO_QUIC_THREAD_ASSIST) if (qc->is_thread_assisted) - if (!ossl_quic_thread_assist_init_start(&qc->thread_assist, qc->ch)) - goto err; + if (!ossl_quic_thread_assist_init_start(&qc->thread_assist, qc->ch)) { + QUIC_RAISE_NON_NORMAL_ERROR(ctx, ERR_R_INTERNAL_ERROR, + "failed to start assist thread"); + return 0; + } #endif } qc->started = 1; return 1; - -err: - ossl_quic_channel_free(qc->ch); - qc->ch = NULL; - return 0; } QUIC_NEEDS_LOCK @@ -1515,10 +1522,8 @@ static int quic_do_handshake(QCTX *ctx) * Start connection process. Note we may come here multiple times in * non-blocking mode, which is fine. */ - if (!ensure_channel_started(qc)) { - QUIC_RAISE_NON_NORMAL_ERROR(ctx, ERR_R_INTERNAL_ERROR, NULL); + if (!ensure_channel_started(qc)) /* raises on failure */ return -1; /* Non-protocol error */ - } if (ossl_quic_channel_is_handshake_complete(qc->ch)) /* The handshake is now done. */ From 573f16c99719c9439a66a82fa256662d7cd32d47 Mon Sep 17 00:00:00 2001 
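Review bot: `ensure_channel_started()` now takes `QCTX *ctx`, but the updated call in `quic_do_handshake()` still reads `ensure_channel_started(qc)`, and `qc` is used there as a `QUIC_CONNECTION *` (`qc->ch`), so the argument no longer matches the new signature; the call should be `if (!ensure_channel_started(ctx)) /* raises on failure */`. The rewrite also drops the old `err:` path that freed `qc->ch`, and it returns before `qc->started = 1` when thread-assist start fails after `ossl_quic_channel_start()` succeeded, so a retry appears to configure and start the same channel again. A short comment stating who owns cleanup after these failures would help. `quic_do_handshake` continues outside its hunk.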
From: Hugo Landau Date: Wed, 9 Aug 2023 17:46:32 +0100 Subject: [PATCH 044/324] BIO_ssl: Make helper functions configure BIOs for QUIC correctly Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21715) --- ssl/bio_ssl.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/ssl/bio_ssl.c b/ssl/bio_ssl.c index ea72b394a175a..b342c846daa03 100644 --- a/ssl/bio_ssl.c +++ b/ssl/bio_ssl.c @@ -438,6 +438,12 @@ BIO *BIO_new_buffer_ssl_connect(SSL_CTX *ctx) #ifndef OPENSSL_NO_SOCK BIO *ret = NULL, *buf = NULL, *ssl = NULL; +# ifndef OPENSSL_NO_QUIC + if (ctx != NULL && IS_QUIC_CTX(ctx)) + /* Never use buffering for QUIC. */ + return BIO_new_ssl_connect(ctx); +# endif + if ((buf = BIO_new(BIO_f_buffer())) == NULL) return NULL; if ((ssl = BIO_new_ssl_connect(ctx)) == NULL) @@ -459,6 +465,13 @@ BIO *BIO_new_ssl_connect(SSL_CTX *ctx) if ((con = BIO_new(BIO_s_connect())) == NULL) return NULL; + +# ifndef OPENSSL_NO_QUIC + if (ctx != NULL && IS_QUIC_CTX(ctx)) + if (!BIO_set_sock_type(con, SOCK_DGRAM)) + goto err; +#endif + if ((ssl = BIO_new_ssl(ctx, 1)) == NULL) goto err; if ((ret = BIO_push(ssl, con)) == NULL) From 0818c17007bbda000e9c6329a1104d09cc614517 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Wed, 9 Aug 2023 17:46:32 +0100 Subject: [PATCH 045/324] QUIC APL: Autoconfigure BIOs as non-blocking Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21715) --- ssl/quic/quic_impl.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c index 79011f3387f6f..a15eb67f7b3b2 100644 --- a/ssl/quic/quic_impl.c +++ b/ssl/quic/quic_impl.c @@ -851,6 +851,8 @@ void ossl_quic_conn_set0_net_rbio(SSL *s, BIO *net_rbio) } else { ctx.qc->can_poll_net_rbio = 1; } + + BIO_set_nbio(net_rbio, 1); /* best effort autoconfig */ } } 
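Review bot: The QUIC guard added to `BIO_new_ssl_connect` opens with `# ifndef OPENSSL_NO_QUIC` but closes with an unindented `#endif`, while the matching guard added to `BIO_new_buffer_ssl_connect` in the previous hunk closes with `# endif`; the directive nesting should be consistent. The nested unbraced `if`s there would be harder to break in a later edit if written as one condition, `if (ctx != NULL && IS_QUIC_CTX(ctx) && !BIO_set_sock_type(con, SOCK_DGRAM))` followed by `goto err;`. Both functions start and end outside their hunks.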
@@ -895,6 +897,8 @@ void ossl_quic_conn_set0_net_wbio(SSL *s, BIO *net_wbio) ossl_quic_channel_set_peer_addr(ctx.qc->ch, &ctx.qc->init_peer_addr); } + + BIO_set_nbio(net_wbio, 1); /* best effort autoconfig */ } } From 0b8b75e242e95db034e8026f462a799c0dafaefc Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Wed, 9 Aug 2023 17:46:32 +0100 Subject: [PATCH 046/324] QUIC REACTOR: Move can-poll flags into reactor Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21715) --- include/internal/quic_reactor.h | 17 ++++++++++++--- ssl/quic/quic_reactor.c | 38 +++++++++++++++++++++++++++++---- 2 files changed, 48 insertions(+), 7 deletions(-) diff --git a/include/internal/quic_reactor.h b/include/internal/quic_reactor.h index 6a8ebbe29dbf8..2ca32f17ac439 100644 --- a/include/internal/quic_reactor.h +++ b/include/internal/quic_reactor.h @@ -94,6 +94,13 @@ typedef struct quic_reactor_st { */ unsigned int net_read_desired : 1; unsigned int net_write_desired : 1; + + /* + * Are the read and write poll descriptors we are currently configured with + * things we can actually poll? + */ + unsigned int can_poll_r : 1; + unsigned int can_poll_w : 1; } QUIC_REACTOR; void ossl_quic_reactor_init(QUIC_REACTOR *rtor, 
@@ -108,12 +115,16 @@ void ossl_quic_reactor_set_poll_r(QUIC_REACTOR *rtor, void ossl_quic_reactor_set_poll_w(QUIC_REACTOR *rtor, const BIO_POLL_DESCRIPTOR *w); -const BIO_POLL_DESCRIPTOR *ossl_quic_reactor_get_poll_r(QUIC_REACTOR *rtor); +const BIO_POLL_DESCRIPTOR *ossl_quic_reactor_get_poll_r(const QUIC_REACTOR *rtor); +const BIO_POLL_DESCRIPTOR *ossl_quic_reactor_get_poll_w(const QUIC_REACTOR *rtor); -const BIO_POLL_DESCRIPTOR *ossl_quic_reactor_get_poll_w(QUIC_REACTOR *rtor); +int ossl_quic_reactor_can_poll_r(const QUIC_REACTOR *rtor); +int ossl_quic_reactor_can_poll_w(const QUIC_REACTOR *rtor); -int ossl_quic_reactor_net_read_desired(QUIC_REACTOR *rtor); +int ossl_quic_reactor_can_support_poll_descriptor(const QUIC_REACTOR *rtor, + const BIO_POLL_DESCRIPTOR *d); +int ossl_quic_reactor_net_read_desired(QUIC_REACTOR *rtor); int ossl_quic_reactor_net_write_desired(QUIC_REACTOR *rtor); OSSL_TIME ossl_quic_reactor_get_tick_deadline(QUIC_REACTOR *rtor); diff --git a/ssl/quic/quic_reactor.c b/ssl/quic/quic_reactor.c index f89337b38e6f7..9aea218d27d01 100644 --- a/ssl/quic/quic_reactor.c +++ b/ssl/quic/quic_reactor.c @@ -24,6 +24,8 @@ void ossl_quic_reactor_init(QUIC_REACTOR *rtor, rtor->poll_w.type = BIO_POLL_DESCRIPTOR_TYPE_NONE; rtor->net_read_desired = 0; rtor->net_write_desired = 0; + rtor->can_poll_r = 0; + rtor->can_poll_w = 0; rtor->tick_deadline = initial_tick_deadline; rtor->tick_cb = tick_cb; 
@@ -32,24 +34,52 @@ void ossl_quic_reactor_init(QUIC_REACTOR *rtor, void ossl_quic_reactor_set_poll_r(QUIC_REACTOR *rtor, const BIO_POLL_DESCRIPTOR *r) { - rtor->poll_r = *r; + if (r == NULL) + rtor->poll_r.type = BIO_POLL_DESCRIPTOR_TYPE_NONE; + else + rtor->poll_r = *r; + + rtor->can_poll_r + = ossl_quic_reactor_can_support_poll_descriptor(rtor, &rtor->poll_r); } void ossl_quic_reactor_set_poll_w(QUIC_REACTOR *rtor, const BIO_POLL_DESCRIPTOR *w) { - rtor->poll_w = *w; + if (w == NULL) + rtor->poll_w.type = BIO_POLL_DESCRIPTOR_TYPE_NONE; + else + rtor->poll_w = *w; + + rtor->can_poll_w + = ossl_quic_reactor_can_support_poll_descriptor(rtor, &rtor->poll_w); } -const BIO_POLL_DESCRIPTOR *ossl_quic_reactor_get_poll_r(QUIC_REACTOR *rtor) +const BIO_POLL_DESCRIPTOR *ossl_quic_reactor_get_poll_r(const QUIC_REACTOR *rtor) { return &rtor->poll_r; } -const BIO_POLL_DESCRIPTOR *ossl_quic_reactor_get_poll_w(QUIC_REACTOR *rtor) +const BIO_POLL_DESCRIPTOR *ossl_quic_reactor_get_poll_w(const QUIC_REACTOR *rtor) { return &rtor->poll_w; } +int ossl_quic_reactor_can_support_poll_descriptor(const QUIC_REACTOR *rtor, + const BIO_POLL_DESCRIPTOR *d) +{ + return d->type == BIO_POLL_DESCRIPTOR_TYPE_SOCK_FD; +} + +int ossl_quic_reactor_can_poll_r(const QUIC_REACTOR *rtor) +{ + return rtor->can_poll_r; +} + +int ossl_quic_reactor_can_poll_w(const QUIC_REACTOR *rtor) +{ + return rtor->can_poll_w; +} + int ossl_quic_reactor_net_read_desired(QUIC_REACTOR *rtor) { return rtor->net_read_desired; From be96180aa65fbf620eaf3ca8965a814b04e99130 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Wed, 9 Aug 2023 17:46:32 +0100 Subject: [PATCH 047/324] QUIC CHANNEL: Cleanup poll descriptor management Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21715) --- include/internal/quic_channel.h | 6 ++++ ssl/quic/quic_channel.c | 60 +++++++++++++++++++++------------ 2 files changed, 44 insertions(+), 22 deletions(-) 
diff --git a/include/internal/quic_channel.h b/include/internal/quic_channel.h index 44009d1c209ed..1624870865c74 100644 --- a/include/internal/quic_channel.h +++ b/include/internal/quic_channel.h @@ -303,6 +303,12 @@ BIO *ossl_quic_channel_get_net_wbio(QUIC_CHANNEL *ch); int ossl_quic_channel_set_net_rbio(QUIC_CHANNEL *ch, BIO *net_rbio); int ossl_quic_channel_set_net_wbio(QUIC_CHANNEL *ch, BIO *net_wbio); +/* + * Re-poll the network BIOs already set to determine if their support + * for polling has changed. + */ +int ossl_quic_channel_update_poll_descriptors(QUIC_CHANNEL *ch); + /* * Returns an existing stream by stream ID. Returns NULL if the stream does not * exist. diff --git a/ssl/quic/quic_channel.c b/ssl/quic/quic_channel.c index 844ddc137c552..275d5f576beb3 100644 --- a/ssl/quic/quic_channel.c +++ b/ssl/quic/quic_channel.c @@ -2616,6 +2616,40 @@ BIO *ossl_quic_channel_get_net_wbio(QUIC_CHANNEL *ch) return ch->net_wbio; } +static int ch_update_poll_desc(QUIC_CHANNEL *ch, BIO *net_bio, int for_write) +{ + BIO_POLL_DESCRIPTOR d = {0}; + + if (net_bio == NULL + || (!for_write && !BIO_get_rpoll_descriptor(net_bio, &d)) + || (for_write && !BIO_get_wpoll_descriptor(net_bio, &d))) + /* Non-pollable BIO */ + d.type = BIO_POLL_DESCRIPTOR_TYPE_NONE; + + if (!validate_poll_descriptor(&d)) + return 0; + + if (for_write) + ossl_quic_reactor_set_poll_w(&ch->rtor, &d); + else + ossl_quic_reactor_set_poll_r(&ch->rtor, &d); + + return 1; +} + +int ossl_quic_channel_update_poll_descriptors(QUIC_CHANNEL *ch) +{ + int ok = 1; + + if (!ch_update_poll_desc(ch, ch->net_rbio, /*for_write=*/0)) + ok = 0; + + if (!ch_update_poll_desc(ch, ch->net_wbio, /*for_write=*/1)) + ok = 0; + + return ok; +} + /* * QUIC_CHANNEL does not ref any BIO it is provided with, nor is any ref * transferred to it. The caller (i.e., QUIC_CONNECTION) is responsible for 
@@ -2624,21 +2658,12 @@ BIO *ossl_quic_channel_get_net_wbio(QUIC_CHANNEL *ch) */ int ossl_quic_channel_set_net_rbio(QUIC_CHANNEL *ch, BIO *net_rbio) { - BIO_POLL_DESCRIPTOR d = {0}; - if (ch->net_rbio == net_rbio) return 1; - if (net_rbio != NULL) { - if (!BIO_get_rpoll_descriptor(net_rbio, &d)) - /* Non-pollable BIO */ - d.type = BIO_POLL_DESCRIPTOR_TYPE_NONE; - - if (!validate_poll_descriptor(&d)) - return 0; - } + if (!ch_update_poll_desc(ch, net_rbio, /*for_write=*/0)) + return 0; - ossl_quic_reactor_set_poll_r(&ch->rtor, &d); ossl_quic_demux_set_bio(ch->demux, net_rbio); ch->net_rbio = net_rbio; return 1; @@ -2646,21 +2671,12 @@ int ossl_quic_channel_set_net_rbio(QUIC_CHANNEL *ch, BIO *net_rbio) int ossl_quic_channel_set_net_wbio(QUIC_CHANNEL *ch, BIO *net_wbio) { - BIO_POLL_DESCRIPTOR d = {0}; - if (ch->net_wbio == net_wbio) return 1; - if (net_wbio != NULL) { - if (!BIO_get_wpoll_descriptor(net_wbio, &d)) - /* Non-pollable BIO */ - d.type = BIO_POLL_DESCRIPTOR_TYPE_NONE; - - if (!validate_poll_descriptor(&d)) - return 0; - } + if (!ch_update_poll_desc(ch, net_wbio, /*for_write=*/1)) + return 0; - ossl_quic_reactor_set_poll_w(&ch->rtor, &d); ossl_qtx_set_bio(ch->qtx, net_wbio); ch->net_wbio = net_wbio; return 1; From 51e671e204ede3a56c3e1c38d834240020800dfa Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Wed, 9 Aug 2023 17:46:32 +0100 Subject: [PATCH 048/324] QUIC APL: Refactor blocking configuration to allow late blocking support detection Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21715) --- ssl/quic/quic_impl.c | 186 +++++++++++++++++++++++++----------------- ssl/quic/quic_local.h | 22 +++-- 2 files changed, 125 insertions(+), 83 deletions(-) diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c index a15eb67f7b3b2..d56c64f97f9bf 100644 --- a/ssl/quic/quic_impl.c +++ b/ssl/quic/quic_impl.c 
@@ -35,6 +35,8 @@ static void qc_set_default_xso_keep_ref(QUIC_CONNECTION *qc, QUIC_XSO *xso, static SSL *quic_conn_stream_new(QCTX *ctx, uint64_t flags, int need_lock); static int quic_validate_for_write(QUIC_XSO *xso, int *err); static int quic_mutation_allowed(QUIC_CONNECTION *qc, int req_active); +static int qc_blocking_mode(const QUIC_CONNECTION *qc); +static int xso_blocking_mode(const QUIC_XSO *xso); /* * QUIC Front-End I/O API: Common Utilities @@ -399,8 +401,8 @@ SSL *ossl_quic_new(SSL_CTX *ctx) qc->default_stream_mode = SSL_DEFAULT_STREAM_MODE_AUTO_BIDI; qc->default_ssl_mode = qc->ssl.ctx->mode; qc->default_ssl_options = qc->ssl.ctx->options & OSSL_QUIC_PERMITTED_OPTIONS; - qc->default_blocking = 1; - qc->blocking = 1; + qc->desires_blocking = 1; + qc->blocking = 0; qc->incoming_stream_policy = SSL_INCOMING_STREAM_POLICY_AUTO; qc->last_error = SSL_ERROR_NONE; @@ -820,6 +822,24 @@ static int csm_analyse_init_peer_addr(BIO *net_wbio, BIO_ADDR *peer) return 1; } +static int qc_can_support_blocking_cached(QUIC_CONNECTION *qc) +{ + QUIC_REACTOR *rtor = ossl_quic_channel_get_reactor(qc->ch); + + return ossl_quic_reactor_can_poll_r(rtor) + && ossl_quic_reactor_can_poll_w(rtor); +} + +static void qc_update_can_support_blocking(QUIC_CONNECTION *qc) +{ + ossl_quic_channel_update_poll_descriptors(qc->ch); /* best effort */ +} + +static void qc_update_blocking_mode(QUIC_CONNECTION *qc) +{ + qc->blocking = qc->desires_blocking && qc_can_support_blocking_cached(qc); +} + void ossl_quic_conn_set0_net_rbio(SSL *s, BIO *net_rbio) { QCTX ctx; 
@@ -836,24 +856,15 @@ void ossl_quic_conn_set0_net_rbio(SSL *s, BIO *net_rbio) BIO_free(ctx.qc->net_rbio); ctx.qc->net_rbio = net_rbio; + if (net_rbio != NULL) + BIO_set_nbio(net_rbio, 1); /* best effort autoconfig */ + /* - * If what we have is not pollable (e.g. a BIO_dgram_pair) disable blocking - * mode as we do not support it for non-pollable BIOs. + * Determine if the current pair of read/write BIOs now set allows blocking + * mode to be supported. */ - if (net_rbio != NULL) { - BIO_POLL_DESCRIPTOR d = {0}; - - if (!BIO_get_rpoll_descriptor(net_rbio, &d) - || d.type != BIO_POLL_DESCRIPTOR_TYPE_SOCK_FD) { - ctx.qc->blocking = 0; - ctx.qc->default_blocking = 0; - ctx.qc->can_poll_net_rbio = 0; - } else { - ctx.qc->can_poll_net_rbio = 1; - } - - BIO_set_nbio(net_rbio, 1); /* best effort autoconfig */ - } + qc_update_can_support_blocking(ctx.qc); + qc_update_blocking_mode(ctx.qc); } void ossl_quic_conn_set0_net_wbio(SSL *s, BIO *net_wbio) 
@@ -872,34 +883,15 @@ void ossl_quic_conn_set0_net_wbio(SSL *s, BIO *net_wbio) BIO_free(ctx.qc->net_wbio); ctx.qc->net_wbio = net_wbio; - if (net_wbio != NULL) { - BIO_POLL_DESCRIPTOR d = {0}; - - if (!BIO_get_wpoll_descriptor(net_wbio, &d) - || d.type != BIO_POLL_DESCRIPTOR_TYPE_SOCK_FD) { - ctx.qc->blocking = 0; - ctx.qc->default_blocking = 0; - ctx.qc->can_poll_net_wbio = 0; - } else { - ctx.qc->can_poll_net_wbio = 1; - } - - /* - * If we do not have a peer address yet, and we have not started trying - * to connect yet, try to autodetect one. - */ - if (BIO_ADDR_family(&ctx.qc->init_peer_addr) == AF_UNSPEC - && !ctx.qc->started) { - if (!csm_analyse_init_peer_addr(net_wbio, &ctx.qc->init_peer_addr)) - /* best effort */ - BIO_ADDR_clear(&ctx.qc->init_peer_addr); - - ossl_quic_channel_set_peer_addr(ctx.qc->ch, - &ctx.qc->init_peer_addr); - } - + if (net_wbio != NULL) BIO_set_nbio(net_wbio, 1); /* best effort autoconfig */ - } + + /* + * Determine if the current pair of read/write BIOs now set allows blocking + * mode to be supported. + */ + qc_update_can_support_blocking(ctx.qc); + qc_update_blocking_mode(ctx.qc); } BIO *ossl_quic_conn_get_net_rbio(const SSL *s) 
@@ -930,40 +922,59 @@ int ossl_quic_conn_get_blocking_mode(const SSL *s) return 0; if (ctx.is_stream) - return ctx.xso->blocking; + return xso_blocking_mode(ctx.xso); - return ctx.qc->blocking; + return qc_blocking_mode(ctx.qc); } +QUIC_TAKES_LOCK int ossl_quic_conn_set_blocking_mode(SSL *s, int blocking) { + int ret = 0; QCTX ctx; if (!expect_quic(s, &ctx)) return 0; - /* Cannot enable blocking mode if we do not have pollable FDs. */ - if (blocking != 0 && - (!ctx.qc->can_poll_net_rbio || !ctx.qc->can_poll_net_wbio)) - return QUIC_RAISE_NON_NORMAL_ERROR(&ctx, ERR_R_UNSUPPORTED, NULL); + quic_lock(ctx.qc); - if (!ctx.is_stream) { + /* Sanity check - can we support the request given the current network BIO? */ + if (blocking) { /* - * If called on a QCSO, update default and connection-level blocking - * modes. + * If called directly on a QCSO, update our information on network BIO + * capabilities. */ - ctx.qc->blocking = (blocking != 0); - ctx.qc->default_blocking = ctx.qc->blocking; + if (!ctx.is_stream) + qc_update_can_support_blocking(ctx.qc); + + /* Cannot enable blocking mode if we do not have pollable FDs. */ + if (!qc_can_support_blocking_cached(ctx.qc)) { + ret = QUIC_RAISE_NON_NORMAL_ERROR(&ctx, ERR_R_UNSUPPORTED, NULL); + goto out; + } } - if (ctx.xso != NULL) + if (!ctx.is_stream) + /* + * If called directly on a QCSO, update default and connection-level + * blocking modes. + */ + ctx.qc->desires_blocking = (blocking != 0); + + if (ctx.xso != NULL) { /* - * If called on a QSSO or QCSO with a default XSO, update blocking + * If called on a QSSO or a QCSO with a default XSO, update the blocking * mode. */ - ctx.xso->blocking = (blocking != 0); + ctx.xso->desires_blocking = (blocking != 0); + ctx.xso->desires_blocking_set = 1; + } - return 1; + ret = 1; +out: + qc_update_blocking_mode(ctx.qc); + quic_unlock(ctx.qc); + return ret; } int ossl_quic_conn_set_initial_peer_addr(SSL *s, 
@@ -1005,9 +1016,11 @@ static int qc_blocking_mode(const QUIC_CONNECTION *qc) static int xso_blocking_mode(const QUIC_XSO *xso) { - return xso->blocking - && xso->conn->can_poll_net_rbio - && xso->conn->can_poll_net_wbio; + if (xso->desires_blocking_set) + return xso->desires_blocking && qc_can_support_blocking_cached(xso->conn); + else + /* Only ever set if we can support blocking. */ + return xso->conn->blocking; } /* SSL_handle_events; performs QUIC I/O and timeout processing. */ @@ -1533,6 +1546,34 @@ static int quic_do_handshake(QCTX *ctx) /* The handshake is now done. */ return 1; + if (!qc_blocking_mode(qc)) { + /* Try to advance the reactor. */ + ossl_quic_reactor_tick(ossl_quic_channel_get_reactor(qc->ch), 0); + + if (ossl_quic_channel_is_handshake_complete(qc->ch)) + /* The handshake is now done. */ + return 1; + + if (ossl_quic_channel_is_term_any(qc->ch)) { + QUIC_RAISE_NON_NORMAL_ERROR(ctx, SSL_R_PROTOCOL_IS_SHUTDOWN, NULL); + return 0; + } else if (qc->desires_blocking) { + /* + * As a special case when doing a handshake when blocking mode is + * desired yet not available, see if the network BIOs have become + * poll descriptor-enabled. This supports BIOs such as BIO_s_connect + * which do late creation of socket FDs and therefore cannot expose + * a poll descriptor until after a network BIO is set on the QCSO. + */ + assert(!qc->blocking); + qc_update_can_support_blocking(qc); + qc_update_blocking_mode(qc); + } + } + + /* + * We are either in blocking mode or just entered it due to the code above. + */ if (qc_blocking_mode(qc)) { /* In blocking mode, wait for the handshake to complete. */ struct quic_handshake_wait_args args; 
@@ -1550,18 +1591,14 @@ static int quic_do_handshake(QCTX *ctx) assert(ossl_quic_channel_is_handshake_complete(qc->ch)); return 1; - } else { - /* Try to advance the reactor. */ - ossl_quic_reactor_tick(ossl_quic_channel_get_reactor(qc->ch), 0); - - if (ossl_quic_channel_is_handshake_complete(qc->ch)) - /* The handshake is now done. */ - return 1; - - /* Otherwise, indicate that the handshake isn't done yet. */ - QUIC_RAISE_NORMAL_ERROR(ctx, SSL_ERROR_WANT_READ); - return -1; /* Non-protocol error */ } + + /* + * Otherwise, indicate that the handshake isn't done yet. + * We can only get here in non-blocking mode. + */ + QUIC_RAISE_NORMAL_ERROR(ctx, SSL_ERROR_WANT_READ); + return -1; /* Non-protocol error */ } QUIC_TAKES_LOCK @@ -1768,7 +1805,6 @@ static QUIC_XSO *create_xso_from_stream(QUIC_CONNECTION *qc, QUIC_STREAM *qs) } xso->conn = qc; - xso->blocking = qc->default_blocking; xso->ssl_mode = qc->default_ssl_mode; xso->ssl_options = qc->default_ssl_options & OSSL_QUIC_PERMITTED_OPTIONS_STREAM; diff --git a/ssl/quic/quic_local.h b/ssl/quic/quic_local.h index d00a63d556b8f..d194563c2375c 100644 --- a/ssl/quic/quic_local.h +++ b/ssl/quic/quic_local.h @@ -41,8 +41,18 @@ struct quic_xso_st { /* The stream object. Always non-NULL for as long as the XSO exists. */ QUIC_STREAM *stream; - /* Is this stream in blocking mode? */ - unsigned int blocking : 1; + /* + * Has this stream been logically configured into blocking mode? Only + * meaningful if desires_blocking_set is 1. Ignored if blocking is not + * currently possible given QUIC_CONNECTION configuration. + */ + unsigned int desires_blocking : 1; + + /* + * Has SSL_set_blocking_mode been called on this stream? If not set, we + * inherit from the QUIC_CONNECTION blocking state. + */ + unsigned int desires_blocking_set : 1; /* * This state tracks SSL_write all-or-nothing (AON) write semantics 
@@ -154,10 +164,6 @@ struct quic_conn_st { /* Have we started? */ unsigned int started : 1; - /* Can the read and write network BIOs support blocking? */ - unsigned int can_poll_net_rbio : 1; - unsigned int can_poll_net_wbio : 1; - /* * This is 1 if we were instantiated using a QUIC server method * (for future use). @@ -176,8 +182,8 @@ struct quic_conn_st { /* Do connection-level operations (e.g. handshakes) run in blocking mode? */ unsigned int blocking : 1; - /* Do newly created streams start in blocking mode? Inherited by new XSOs. */ - unsigned int default_blocking : 1; + /* Does the application want blocking mode? */ + unsigned int desires_blocking : 1; /* Have we created a default XSO yet? */ unsigned int default_xso_created : 1; From 617b459ddfabe5c2fbfc28808126999d936218fe Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Wed, 9 Aug 2023 17:46:32 +0100 Subject: [PATCH 049/324] QUIC CHANNEL: Introduce concept of (non-)addressed mode Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21715) --- include/internal/quic_txp.h | 5 ++++- ssl/quic/quic_channel.c | 15 ++++++++++++++- ssl/quic/quic_channel_local.h | 3 +++ ssl/quic/quic_txp.c | 4 ++-- 4 files changed, 23 insertions(+), 4 deletions(-) diff --git a/include/internal/quic_txp.h b/include/internal/quic_txp.h index 09d552ef04362..b2dbb85f92498 100644 --- a/include/internal/quic_txp.h +++ b/include/internal/quic_txp.h @@ -128,7 +128,10 @@ int ossl_quic_tx_packetiser_set_cur_dcid(OSSL_QUIC_TX_PACKETISER *txp, int ossl_quic_tx_packetiser_set_cur_scid(OSSL_QUIC_TX_PACKETISER *txp, const QUIC_CONN_ID *scid); -/* Change the destination L4 address the TXP uses to send datagrams. */ +/* + * Change the destination L4 address the TXP uses to send datagrams. Specify + * NULL (or AF_UNSPEC) to disable use of addressed mode. + */ int ossl_quic_tx_packetiser_set_peer(OSSL_QUIC_TX_PACKETISER *txp, const BIO_ADDR *peer); 
diff --git a/ssl/quic/quic_channel.c b/ssl/quic/quic_channel.c index 275d5f576beb3..efbe1c16604a8 100644 --- a/ssl/quic/quic_channel.c +++ b/ssl/quic/quic_channel.c @@ -584,13 +584,26 @@ int ossl_quic_channel_set_mutator(QUIC_CHANNEL *ch, int ossl_quic_channel_get_peer_addr(QUIC_CHANNEL *ch, BIO_ADDR *peer_addr) { + if (!ch->addressed_mode) + return 0; + *peer_addr = ch->cur_peer_addr; return 1; } int ossl_quic_channel_set_peer_addr(QUIC_CHANNEL *ch, const BIO_ADDR *peer_addr) { - ch->cur_peer_addr = *peer_addr; + if (ch->state != QUIC_CHANNEL_STATE_IDLE) + return 0; + + if (peer_addr == NULL || BIO_ADDR_family(peer_addr) == AF_UNSPEC) { + BIO_ADDR_clear(&ch->cur_peer_addr); + ch->addressed_mode = 0; + return 1; + } + + ch->cur_peer_addr = *peer_addr; + ch->addressed_mode = 1; return 1; } diff --git a/ssl/quic/quic_channel_local.h b/ssl/quic/quic_channel_local.h index a60a539f9bbf3..8b2edc647a040 100644 --- a/ssl/quic/quic_channel_local.h +++ b/ssl/quic/quic_channel_local.h @@ -456,6 +456,9 @@ struct quic_channel_st { /* Inhibit tick for testing purposes? */ unsigned int inhibit_tick : 1; + /* Are we using addressed mode? */ + unsigned int addressed_mode : 1; + /* Saved error stack in case permanent error was encountered */ ERR_STATE *err_state; }; diff --git a/ssl/quic/quic_txp.c b/ssl/quic/quic_txp.c index 51802ba7b6159..97cba812e767c 100644 --- a/ssl/quic/quic_txp.c +++ b/ssl/quic/quic_txp.c @@ -555,8 +555,8 @@ int ossl_quic_tx_packetiser_set_peer(OSSL_QUIC_TX_PACKETISER *txp, const BIO_ADDR *peer) { if (peer == NULL) { - ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER); - return 0; + BIO_ADDR_clear(&txp->args.peer); + return 1; } txp->args.peer = *peer; From 533254eeb31efa46a9011665712e47b56a2fe720 Mon Sep 17 00:00:00 2001 
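Review bot: `ossl_quic_channel_get_peer_addr()` now returns 0 in non-addressed mode without writing `*peer_addr`, so any caller that ignores the return value goes on to use whatever was in its buffer, typically an uninitialised stack `BIO_ADDR`. Adding `BIO_ADDR_clear(peer_addr);` before that `return 0;` would give such callers a well-defined AF_UNSPEC address. `ossl_quic_channel_set_peer_addr()` likewise gains a failure return once the channel has left `QUIC_CHANNEL_STATE_IDLE`; its callers are not in this hunk, so it is worth confirming they check the result rather than assuming the address was applied.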
From: Hugo Landau Date: Wed, 9 Aug 2023 17:46:32 +0100 Subject: [PATCH 050/324] BIO_s_connect: Support configuration of non-blocking mode in datagram mode Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21715) --- crypto/bio/bss_conn.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/crypto/bio/bss_conn.c b/crypto/bio/bss_conn.c index 865a4d4cd429e..0f9cba06da388 100644 --- a/crypto/bio/bss_conn.c +++ b/crypto/bio/bss_conn.c @@ -610,6 +610,10 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr) data->connect_mode |= BIO_SOCK_NONBLOCK; else data->connect_mode &= ~BIO_SOCK_NONBLOCK; + + if (data->dgram_bio != NULL) + ret = BIO_set_nbio(data->dgram_bio, num); + break; #if defined(TCP_FASTOPEN) && !defined(OPENSSL_NO_TFO) case BIO_C_SET_TFO: From f3295bd80c44f0e202026ec856c73d8c9bb04670 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Wed, 9 Aug 2023 17:46:32 +0100 Subject: [PATCH 051/324] BIO_s_datagram: Support configuring non-blocking mode Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21715) --- crypto/bio/bss_dgram.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/crypto/bio/bss_dgram.c b/crypto/bio/bss_dgram.c index b42e87b107ac8..49cf56ad1924a 100644 --- a/crypto/bio/bss_dgram.c +++ b/crypto/bio/bss_dgram.c @@ -722,6 +722,10 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr) case BIO_CTRL_DGRAM_SET_PEER: BIO_ADDR_make(&data->peer, BIO_ADDR_sockaddr((BIO_ADDR *)ptr)); break; + case BIO_C_SET_NBIO: + if (!BIO_socket_nbio(b->num, num != 0)) + ret = 0; + break; case BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT: data->next_timeout = ossl_time_from_timeval(*(struct timeval *)ptr); break; From 000ef7818b24a61611825670299ab82b283e0501 Mon Sep 17 00:00:00 2001 
From: Hugo Landau Date: Wed, 9 Aug 2023 17:46:33 +0100 Subject: [PATCH 052/324] BIO: Add BIO_dgram_detect_peer_addr API Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21715) --- crypto/bio/bss_conn.c | 1 + crypto/bio/bss_dgram.c | 22 ++++++++++++++++++++++ include/openssl/bio.h.in | 3 +++ 3 files changed, 26 insertions(+) diff --git a/crypto/bio/bss_conn.c b/crypto/bio/bss_conn.c index 0f9cba06da388..8d29f94bd120f 100644 --- a/crypto/bio/bss_conn.c +++ b/crypto/bio/bss_conn.c @@ -571,6 +571,7 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr) } break; case BIO_CTRL_DGRAM_GET_PEER: + case BIO_CTRL_DGRAM_DETECT_PEER_ADDR: if (data->state != BIO_CONN_S_OK) conn_state(b, data); /* best effort */ diff --git a/crypto/bio/bss_dgram.c b/crypto/bio/bss_dgram.c index 49cf56ad1924a..eb6897a3fdb74 100644 --- a/crypto/bio/bss_dgram.c +++ b/crypto/bio/bss_dgram.c @@ -722,6 +722,28 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr) case BIO_CTRL_DGRAM_SET_PEER: BIO_ADDR_make(&data->peer, BIO_ADDR_sockaddr((BIO_ADDR *)ptr)); break; + case BIO_CTRL_DGRAM_DETECT_PEER_ADDR: + { + BIO_ADDR xaddr, *p = &data->peer; + socklen_t xaddr_len = sizeof(xaddr.sa); + + if (BIO_ADDR_family(p) == AF_UNSPEC) { + if (getpeername(b->num, (void *)&xaddr.sa, &xaddr_len) == 0 + && BIO_ADDR_family(&xaddr) != AF_UNSPEC) { + p = &xaddr; + } else { + ret = 0; + break; + } + } + + ret = BIO_ADDR_sockaddr_size(p); + if (num == 0 || num > ret) + num = ret; + + memcpy(ptr, p, (ret = num)); + } + break; case BIO_C_SET_NBIO: if (!BIO_socket_nbio(b->num, num != 0)) ret = 0; diff --git a/include/openssl/bio.h.in b/include/openssl/bio.h.in index 9d196c7ae500c..e797769909e97 100644 --- a/include/openssl/bio.h.in +++ b/include/openssl/bio.h.in 
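Review bot: In the new `BIO_CTRL_DGRAM_DETECT_PEER_ADDR` case of `dgram_ctrl`, `getpeername()` is given `xaddr_len = sizeof(xaddr.sa)`; if `sa` is the generic `struct sockaddr` member of the address union (its definition is not part of this diff), an IPv6 peer address is truncated while the family field still reports AF_INET6. `BIO_ADDR_sockaddr_size(p)` then sizes the copy for the full IPv6 structure, so `memcpy(ptr, p, (ret = num))` would hand uninitialised bytes of the stack variable `xaddr` to the caller. Passing the whole object, `socklen_t xaddr_len = sizeof(xaddr);`, and calling `BIO_ADDR_clear(&xaddr);` before `getpeername()` avoids both. `dgram_ctrl` starts and ends outside the hunk.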
@@ -190,6 +190,7 @@ extern "C" { # define BIO_CTRL_GET_RPOLL_DESCRIPTOR 90 # define BIO_CTRL_GET_WPOLL_DESCRIPTOR 91 +# define BIO_CTRL_DGRAM_DETECT_PEER_ADDR 92 # define BIO_DGRAM_CAP_NONE 0U # define BIO_DGRAM_CAP_HANDLES_SRC_ADDR (1U << 0) @@ -639,6 +640,8 @@ int BIO_ctrl_reset_read_request(BIO *b); (int)BIO_ctrl(b, BIO_CTRL_DGRAM_GET_PEER, 0, (char *)(peer)) # define BIO_dgram_set_peer(b,peer) \ (int)BIO_ctrl(b, BIO_CTRL_DGRAM_SET_PEER, 0, (char *)(peer)) +# define BIO_dgram_detect_peer_addr(b,peer) \ + (int)BIO_ctrl(b, BIO_CTRL_DGRAM_DETECT_PEER_ADDR, 0, (char *)(peer)) # define BIO_dgram_get_mtu_overhead(b) \ (unsigned int)BIO_ctrl((b), BIO_CTRL_DGRAM_GET_MTU_OVERHEAD, 0, NULL) # define BIO_dgram_get_local_addr_cap(b) \ From 1bd35edc6603523953db24321df10d41c7a37923 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Wed, 9 Aug 2023 17:46:33 +0100 Subject: [PATCH 053/324] BIO_s_datagram: Wire capability negotiation for BIO_s_datagram Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21715) --- crypto/bio/bss_dgram.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/crypto/bio/bss_dgram.c b/crypto/bio/bss_dgram.c index eb6897a3fdb74..cc947943e5e25 100644 --- a/crypto/bio/bss_dgram.c +++ b/crypto/bio/bss_dgram.c @@ -971,6 +971,13 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr) *(int *)ptr = data->local_addr_enabled; break; + case BIO_CTRL_DGRAM_GET_EFFECTIVE_CAPS: + ret = (long)(BIO_DGRAM_CAP_HANDLES_DST_ADDR + | BIO_DGRAM_CAP_HANDLES_SRC_ADDR + | BIO_DGRAM_CAP_PROVIDES_DST_ADDR + | BIO_DGRAM_CAP_PROVIDES_SRC_ADDR); + break; + case BIO_CTRL_GET_RPOLL_DESCRIPTOR: case BIO_CTRL_GET_WPOLL_DESCRIPTOR: { From c20b78d59960c523c4de02e7bd62fcd4c0a5a4f7 Mon Sep 17 00:00:00 2001 
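Review bot: `BIO_CTRL_DGRAM_GET_EFFECTIVE_CAPS` reports all four capability bits unconditionally, while the context line just above it, `*(int *)ptr = data->local_addr_enabled;`, shows that local-address handling is a per-BIO setting. If the effective caps are meant to reflect the current configuration (an inference from the name; the definition is outside this hunk), a caller probing them is told the BIO provides destination addresses even when that feature is switched off. Consider `ret = (long)(BIO_DGRAM_CAP_HANDLES_DST_ADDR | BIO_DGRAM_CAP_PROVIDES_SRC_ADDR);` followed by `if (data->local_addr_enabled) ret |= (long)(BIO_DGRAM_CAP_HANDLES_SRC_ADDR | BIO_DGRAM_CAP_PROVIDES_DST_ADDR);`.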
From: Hugo Landau Date: Wed, 9 Aug 2023 17:46:33 +0100 Subject: [PATCH 054/324] BIO_s_dgram_pair: Correct implementation of BIO_CTRL_DGRAM_GET_LOCAL_ADDR_ENABLE Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21715) --- crypto/bio/bss_dgram_pair.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/bio/bss_dgram_pair.c b/crypto/bio/bss_dgram_pair.c index 393af7dab444a..a93b14154cac9 100644 --- a/crypto/bio/bss_dgram_pair.c +++ b/crypto/bio/bss_dgram_pair.c @@ -695,7 +695,7 @@ static long dgram_mem_ctrl(BIO *bio, int cmd, long num, void *ptr) /* BIO_dgram_get_local_addr_enable */ case BIO_CTRL_DGRAM_GET_LOCAL_ADDR_ENABLE: /* Non-threadsafe */ - ret = (long)dgram_pair_ctrl_get_local_addr_enable(bio); + *(int *)ptr = (long)dgram_pair_ctrl_get_local_addr_enable(bio); break; /* BIO_dgram_set_local_addr_enable */ From 62665fc2430cb3d3c9e59a133e67ab9941222017 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Wed, 9 Aug 2023 17:46:33 +0100 Subject: [PATCH 055/324] QUIC APL: Introduce addressed v. non-addressed mode handling Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21715) --- ssl/quic/quic_impl.c | 84 +++++++++++++++++++++++++++++++++++++++---- ssl/quic/quic_local.h | 6 ++++ 2 files changed, 83 insertions(+), 7 deletions(-) diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c index d56c64f97f9bf..49133f0ca7e38 100644 --- a/ssl/quic/quic_impl.c +++ b/ssl/quic/quic_impl.c @@ -816,7 +816,7 @@ uint64_t ossl_quic_get_options(const SSL *ssl) */ static int csm_analyse_init_peer_addr(BIO *net_wbio, BIO_ADDR *peer) { - if (BIO_dgram_get_peer(net_wbio, peer) <= 0) + if (BIO_dgram_detect_peer_addr(net_wbio, peer) <= 0) return 0; return 1; 
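Review bot: In the corrected `BIO_CTRL_DGRAM_GET_LOCAL_ADDR_ENABLE` case the `(long)` cast is a leftover from the old `ret =` form; the value is now stored through an `int *`, so the cast serves no purpose and only obscures the type being written. `*(int *)ptr = dgram_pair_ctrl_get_local_addr_enable(bio);` says what is meant. `ptr` is written without a NULL check, which may be fine if this control is only reached through the `BIO_dgram_get_local_addr_enable` macro named in the comment above, but that macro is not visible in this hunk.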
@@ -1518,12 +1518,6 @@ static int quic_do_handshake(QCTX *ctx) if (!quic_mutation_allowed(qc, /*req_active=*/0)) return QUIC_RAISE_NON_NORMAL_ERROR(ctx, SSL_R_PROTOCOL_IS_SHUTDOWN, NULL); - if (BIO_ADDR_family(&qc->init_peer_addr) == AF_UNSPEC) { - /* Peer address must have been set. */ - QUIC_RAISE_NON_NORMAL_ERROR(ctx, SSL_R_REMOTE_PEER_ADDRESS_NOT_SET, NULL); - return -1; /* Non-protocol error */ - } - if (qc->as_server != qc->as_server_state) { QUIC_RAISE_NON_NORMAL_ERROR(ctx, ERR_R_PASSED_INVALID_ARGUMENT, NULL); return -1; /* Non-protocol error */ 
@@ -1535,6 +1529,82 @@ static int quic_do_handshake(QCTX *ctx) return -1; /* Non-protocol error */ } + /* + * We need to determine our addressing mode. There are basically two + * ways we can use L4 addresses: + * + * - Addressed mode, in which our BIO_sendmmsg calls have destination + * addresses attached to them which we expect the underlying network BIO + * to handle; + * + * - Unaddressed mode, in which the BIO provided to us on the + * network side neither provides us with L4 addresses nor is capable of + * honouring ones we provide. We don't know where the QUIC traffic we + * send ends up exactly and trust the application to know what it is + * doing. + * + * Addressed mode is preferred because it enables support for connection + * migration, multipath, etc. in the future. Addressed mode is automatically + * enabled if we are using e.g. BIO_s_datagram, with or without + * BIO_s_connect. + * + * If we are passed a BIO_s_dgram_pair (or some custom BIO) we may have to + * use unaddressed mode unless that BIO supports capability flags indicating + * it can provide and honour L4 addresses. + * + * Our strategy for determining address mode is simple: we probe the + * underlying network BIOs for their capabilities. If the network BIOs + * support what we need, we use addressed mode. Otherwise, we use + * unaddressed mode. + * + * If addressed mode is chosen, we require an initial peer address to be + * set. If this is not set, we fail. If unaddressed mode is used, we do not + * require this, as such an address is superfluous, though it can be set if + * desired. 
+ */ + if (!qc->started && !qc->addressing_probe_done) { + long rcaps = BIO_dgram_get_effective_caps(qc->net_rbio); + long wcaps = BIO_dgram_get_effective_caps(qc->net_wbio); + int can_use_addressed = + (wcaps & BIO_DGRAM_CAP_HANDLES_DST_ADDR) != 0 + && (rcaps & BIO_DGRAM_CAP_PROVIDES_SRC_ADDR) != 0; + + qc->addressed_mode = can_use_addressed; + qc->addressing_probe_done = 1; + } + + if (!qc->started && qc->addressed_mode + && BIO_ADDR_family(&qc->init_peer_addr) == AF_UNSPEC) { + /* + * We are trying to connect and are using addressed mode, which means we + * need an initial peer address; if we do not have a peer address yet, + * we should try to autodetect one. + * + * We do this as late as possible because some BIOs (e.g. BIO_s_connect) + * may not be able to provide us with a peer address until they have + * finished their own processing. They may not be able to perform this + * processing until an application has figured configuring that BIO + * (e.g. with setter calls), which might happen after SSL_set_bio is + * called. + */ + if (!csm_analyse_init_peer_addr(qc->net_wbio, &qc->init_peer_addr)) + /* best effort */ + BIO_ADDR_clear(&qc->init_peer_addr); + else + ossl_quic_channel_set_peer_addr(qc->ch, &qc->init_peer_addr); + } + + if (!qc->started + && qc->addressed_mode + && BIO_ADDR_family(&qc->init_peer_addr) == AF_UNSPEC) { + /* + * If we still don't have a peer address in addressed mode, we can't do + * anything. + */ + QUIC_RAISE_NON_NORMAL_ERROR(ctx, SSL_R_REMOTE_PEER_ADDRESS_NOT_SET, NULL); + return -1; /* Non-protocol error */ + } + /* * Start connection process. Note we may come here multiple times in * non-blocking mode, which is fine. diff --git a/ssl/quic/quic_local.h b/ssl/quic/quic_local.h index d194563c2375c..aaaab128aa271 100644 --- a/ssl/quic/quic_local.h +++ b/ssl/quic/quic_local.h 
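Review bot: In the autodetect block added to `quic_do_handshake`, the result of `ossl_quic_channel_set_peer_addr(qc->ch, &qc->init_peer_addr)` is discarded, so if the channel rejects the detected address the following `AF_UNSPEC` check still passes and the handshake proceeds with `init_peer_addr` and the channel out of step. Assuming the function returns 0 on failure (its prototype is outside this hunk), fold it into the condition: `if (!csm_analyse_init_peer_addr(qc->net_wbio, &qc->init_peer_addr) || !ossl_quic_channel_set_peer_addr(qc->ch, &qc->init_peer_addr))` ahead of the `BIO_ADDR_clear()` call. The comment above it reads "has figured configuring that BIO", which looks like a typo for "has finished configuring". `quic_do_handshake` begins and ends outside the hunk.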
@@ -195,6 +195,12 @@ struct quic_conn_st { */ unsigned int shutting_down : 1; + /* Have we probed the BIOs for addressing support? */ + unsigned int addressing_probe_done : 1; + + /* Are we using addressed mode (BIO_sendmmsg with non-NULL peer)? */ + unsigned int addressed_mode : 1; + /* Default stream type. Defaults to SSL_DEFAULT_STREAM_MODE_AUTO_BIDI. */ uint32_t default_stream_mode; From b1cb0675e5c76c6dd78863e6857b5456718da7b5 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Wed, 9 Aug 2023 17:46:33 +0100 Subject: [PATCH 056/324] QUIC DDD: Fix bug in ddd-06-mem-uv Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21715) --- doc/designs/ddd/ddd-06-mem-uv.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/doc/designs/ddd/ddd-06-mem-uv.c b/doc/designs/ddd/ddd-06-mem-uv.c index f912f68bdf776..7af5a111054c8 100644 --- a/doc/designs/ddd/ddd-06-mem-uv.c +++ b/doc/designs/ddd/ddd-06-mem-uv.c @@ -237,11 +237,12 @@ static void on_rx_push(APP_CONN *conn) srd = SSL_read(conn->ssl, buf, buf_len); flush_write_buf(conn); - if (srd < 0) { - free(buf); + if (srd <= 0) { rc = SSL_get_error(conn->ssl, srd); - if (rc == SSL_ERROR_WANT_READ) + if (rc == SSL_ERROR_WANT_READ) { + free(buf); return; + } } conn->app_read_cb(conn, buf, srd, conn->app_read_arg); From 30302c66bd47220f6fa65f32bc510d3e679ec3d9 Mon Sep 17 00:00:00 2001 
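Review bot: After this change every `SSL_read` failure other than `SSL_ERROR_WANT_READ` falls through to `conn->app_read_cb(conn, buf, srd, ...)` with `srd <= 0`, and the `rc` obtained from `SSL_get_error()` is dropped, so the callback cannot tell a clean close from a fatal error or from `SSL_ERROR_WANT_WRITE`. Who frees `buf` on that path is not stated either; the hunk frees it only on the early return. If the contract is that the callback takes the buffer, a comment before the call such as `/* srd <= 0 signals EOF or error; ownership of buf passes to app_read_cb */` would make that explicit, though the contract cannot be confirmed from the lines shown. `on_rx_push` continues outside the hunk.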
From: Hugo Landau Date: Wed, 9 Aug 2023 17:46:33 +0100 Subject: [PATCH 057/324] QUIC DDD: Allow target host:port to be set from command line Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21715) --- doc/designs/ddd/ddd-01-conn-blocking.c | 13 +++++++++++-- doc/designs/ddd/ddd-02-conn-nonblocking.c | 15 ++++++++++++--- doc/designs/ddd/ddd-03-fd-blocking.c | 16 ++++++++++++---- doc/designs/ddd/ddd-04-fd-nonblocking.c | 16 ++++++++++++---- doc/designs/ddd/ddd-05-mem-nonblocking.c | 17 +++++++++++++---- doc/designs/ddd/ddd-06-mem-uv.c | 17 +++++++++++++---- 6 files changed, 73 insertions(+), 21 deletions(-) diff --git a/doc/designs/ddd/ddd-01-conn-blocking.c b/doc/designs/ddd/ddd-01-conn-blocking.c index 8ed79e514745b..4dae5f48de72e 100644 --- a/doc/designs/ddd/ddd-01-conn-blocking.c +++ b/doc/designs/ddd/ddd-01-conn-blocking.c @@ -121,19 +121,28 @@ void teardown_ctx(SSL_CTX *ctx) */ int main(int argc, char **argv) { - const char msg[] = "GET / HTTP/1.0\r\nHost: www.openssl.org\r\n\r\n"; + static char msg[384], host_port[300]; SSL_CTX *ctx = NULL; BIO *b = NULL; char buf[2048]; int l, res = 1; + if (argc < 3) { + fprintf(stderr, "usage: %s host port\n", argv[0]); + goto fail; + } + + snprintf(host_port, sizeof(host_port), "%s:%s\n", argv[1], argv[2]); + snprintf(msg, sizeof(msg), + "GET / HTTP/1.0\r\nHost: %s\r\n\r\n", argv[1]); + ctx = create_ssl_ctx(); if (ctx == NULL) { fprintf(stderr, "could not create context\n"); goto fail; } - b = new_conn(ctx, "www.openssl.org:443"); + b = new_conn(ctx, host_port); if (b == NULL) { fprintf(stderr, "could not create conn\n"); goto fail; diff --git a/doc/designs/ddd/ddd-02-conn-nonblocking.c b/doc/designs/ddd/ddd-02-conn-nonblocking.c index fa508afc7cd1b..30e7e33f1a1e1 100644 --- a/doc/designs/ddd/ddd-02-conn-nonblocking.c +++ b/doc/designs/ddd/ddd-02-conn-nonblocking.c 
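Review bot: The `host_port` format string in `main` ends in a newline, `"%s:%s\n"`, so the string handed to `new_conn()` is `host:port` plus a trailing line feed; the matching line in ddd-02-conn-nonblocking.c uses `"%s:%s"`, which is presumably what was intended: `snprintf(host_port, sizeof(host_port), "%s:%s", argv[1], argv[2]);`. Neither `snprintf` result is checked, so an over-long argument is silently truncated, and the demo would connect to a name other than the one given (and verify the certificate against it, if `new_conn()` derives the expected host from this string). Storing the result in an `int n` and adding `if (n < 0 || (size_t)n >= sizeof(host_port)) goto fail;` covers that. `main` continues outside the hunk.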
@@ -222,13 +222,22 @@ void teardown_ctx(SSL_CTX *ctx) */ int main(int argc, char **argv) { - const char tx_msg[] = "GET / HTTP/1.0\r\nHost: www.openssl.org\r\n\r\n"; + static char tx_msg[384], host_port[300]; const char *tx_p = tx_msg; char rx_buf[2048]; int res = 1, l, tx_len = sizeof(tx_msg)-1; int timeout = 2000 /* ms */; APP_CONN *conn = NULL; - SSL_CTX *ctx; + SSL_CTX *ctx = NULL; + + if (argc < 3) { + fprintf(stderr, "usage: %s host port\n", argv[0]); + goto fail; + } + + snprintf(host_port, sizeof(host_port), "%s:%s", argv[1], argv[2]); + snprintf(tx_msg, sizeof(tx_msg), + "GET / HTTP/1.0\r\nHost: %s\r\n\r\n", argv[1]); ctx = create_ssl_ctx(); if (ctx == NULL) { @@ -236,7 +245,7 @@ int main(int argc, char **argv) goto fail; } - conn = new_conn(ctx, "www.openssl.org:443"); + conn = new_conn(ctx, host_port); if (conn == NULL) { fprintf(stderr, "cannot establish connection\n"); goto fail; diff --git a/doc/designs/ddd/ddd-03-fd-blocking.c b/doc/designs/ddd/ddd-03-fd-blocking.c index f4aaf35a1e915..6d9f8e87eb110 100644 --- a/doc/designs/ddd/ddd-03-fd-blocking.c +++ b/doc/designs/ddd/ddd-03-fd-blocking.c @@ -121,12 +121,20 @@ void teardown_ctx(SSL_CTX *ctx) int main(int argc, char **argv) { int rc, fd = -1, l, res = 1; - const char msg[] = "GET / HTTP/1.0\r\nHost: www.openssl.org\r\n\r\n"; + static char msg[300]; struct addrinfo hints = {0}, *result = NULL; SSL *ssl = NULL; - SSL_CTX *ctx; + SSL_CTX *ctx = NULL; char buf[2048]; + if (argc < 3) { + fprintf(stderr, "usage: %s host port\n", argv[0]); + goto fail; + } + + snprintf(msg, sizeof(msg), + "GET / HTTP/1.0\r\nHost: %s\r\n\r\n", argv[1]); + ctx = create_ssl_ctx(); if (ctx == NULL) { fprintf(stderr, "cannot create context\n"); 
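Review bot: `tx_len` is still initialised as `sizeof(tx_msg)-1`, but `tx_msg` is now a 384-byte static buffer instead of an array sized by its string literal, so the code that consumes `tx_len` (outside this hunk) is told to send 383 bytes: the request followed by NUL padding. Take the length from the formatter instead: declare `tx_len` without an initialiser, use `tx_len = snprintf(tx_msg, sizeof(tx_msg), "GET / HTTP/1.0\r\nHost: %s\r\n\r\n", argv[1]);`, then `if (tx_len < 0 || (size_t)tx_len >= sizeof(tx_msg)) goto fail;`. The same pattern appears in the ddd-04-fd-nonblocking.c and ddd-05-mem-nonblocking.c hunks and in the new ddd-02-conn-nonblocking-threads.c. The ddd-01, ddd-03 and ddd-06 hunks make the same buffer change with their send calls outside the hunks, so any `sizeof`-based length there needs the same look.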
@@ -136,7 +144,7 @@ int main(int argc, char **argv) hints.ai_family = AF_INET; hints.ai_socktype = SOCK_STREAM; hints.ai_flags = AI_PASSIVE; - rc = getaddrinfo("www.openssl.org", "443", &hints, &result); + rc = getaddrinfo(argv[1], argv[2], &hints, &result); if (rc < 0) { fprintf(stderr, "cannot resolve\n"); goto fail; @@ -156,7 +164,7 @@ int main(int argc, char **argv) goto fail; } - ssl = new_conn(ctx, fd, "www.openssl.org"); + ssl = new_conn(ctx, fd, argv[1]); if (ssl == NULL) { fprintf(stderr, "cannot create connection\n"); goto fail; diff --git a/doc/designs/ddd/ddd-04-fd-nonblocking.c b/doc/designs/ddd/ddd-04-fd-nonblocking.c index 2e9606b921b78..f8a5162a2e7a5 100644 --- a/doc/designs/ddd/ddd-04-fd-nonblocking.c +++ b/doc/designs/ddd/ddd-04-fd-nonblocking.c @@ -223,14 +223,22 @@ void teardown_ctx(SSL_CTX *ctx) int main(int argc, char **argv) { int rc, fd = -1, res = 1; - const char tx_msg[] = "GET / HTTP/1.0\r\nHost: www.openssl.org\r\n\r\n"; + static char tx_msg[300]; const char *tx_p = tx_msg; char rx_buf[2048]; int l, tx_len = sizeof(tx_msg)-1; int timeout = 2000 /* ms */; APP_CONN *conn = NULL; struct addrinfo hints = {0}, *result = NULL; - SSL_CTX *ctx; + SSL_CTX *ctx = NULL; + + if (argc < 3) { + fprintf(stderr, "usage: %s host port\n", argv[0]); + goto fail; + } + + snprintf(tx_msg, sizeof(tx_msg), + "GET / HTTP/1.0\r\nHost: %s\r\n\r\n", argv[1]); ctx = create_ssl_ctx(); if (ctx == NULL) { @@ -241,7 +249,7 @@ int main(int argc, char **argv) hints.ai_family = AF_INET; hints.ai_socktype = SOCK_STREAM; hints.ai_flags = AI_PASSIVE; - rc = getaddrinfo("www.openssl.org", "443", &hints, &result); + rc = getaddrinfo(argv[1], argv[2], &hints, &result); if (rc < 0) { fprintf(stderr, "cannot resolve\n"); goto fail; @@ -267,7 +275,7 @@ int main(int argc, char **argv) goto fail; } - conn = new_conn(ctx, fd, "www.openssl.org"); + conn = new_conn(ctx, fd, argv[1]); if (conn == NULL) { fprintf(stderr, "cannot establish connection\n"); goto fail; 
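Review bot: `getaddrinfo(argv[1], argv[2], ...)` now resolves user-supplied names, so resolution failure becomes a normal path, yet the retained check is `if (rc < 0)`. `getaddrinfo` reports failure with a non-zero code whose sign differs between platforms, and where the `EAI_*` values are positive an unresolvable host passes the check with `result` still NULL. `if (rc != 0)` is the portable test. The ddd-04, ddd-05 and ddd-06 hunks carry the same check, and the ddd-06 hunk dereferences `result->ai_addr` directly afterwards. `AI_PASSIVE` in the hints is intended for sockets that will be bound for listening, so it could be dropped from these client demos.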
diff --git a/doc/designs/ddd/ddd-05-mem-nonblocking.c b/doc/designs/ddd/ddd-05-mem-nonblocking.c index 206ca7a6f7949..532cf877a3244 100644 --- a/doc/designs/ddd/ddd-05-mem-nonblocking.c +++ b/doc/designs/ddd/ddd-05-mem-nonblocking.c @@ -315,14 +315,23 @@ static int pump(APP_CONN *conn, int fd, int events, int timeout) int main(int argc, char **argv) { int rc, fd = -1, res = 1; - const char tx_msg[] = "GET / HTTP/1.0\r\nHost: www.openssl.org\r\n\r\n"; + static char tx_msg[300]; const char *tx_p = tx_msg; char rx_buf[2048]; int l, tx_len = sizeof(tx_msg)-1; int timeout = 2000 /* ms */; APP_CONN *conn = NULL; struct addrinfo hints = {0}, *result = NULL; - SSL_CTX *ctx; + SSL_CTX *ctx = NULL; + + if (argc < 3) { + fprintf(stderr, "usage: %s host port\n", argv[0]); + goto fail; + } + + snprintf(tx_msg, sizeof(tx_msg), + "GET / HTTP/1.0\r\nHost: %s\r\n\r\n", + argv[1]); ctx = create_ssl_ctx(); if (ctx == NULL) { @@ -333,7 +342,7 @@ int main(int argc, char **argv) hints.ai_family = AF_INET; hints.ai_socktype = SOCK_STREAM; hints.ai_flags = AI_PASSIVE; - rc = getaddrinfo("www.openssl.org", "443", &hints, &result); + rc = getaddrinfo(argv[1], argv[2], &hints, &result); if (rc < 0) { fprintf(stderr, "cannot resolve\n"); goto fail; @@ -359,7 +368,7 @@ int main(int argc, char **argv) goto fail; } - conn = new_conn(ctx, "www.openssl.org"); + conn = new_conn(ctx, argv[1]); if (conn == NULL) { fprintf(stderr, "cannot establish connection\n"); goto fail; diff --git a/doc/designs/ddd/ddd-06-mem-uv.c b/doc/designs/ddd/ddd-06-mem-uv.c index 7af5a111054c8..59184399ea213 100644 --- a/doc/designs/ddd/ddd-06-mem-uv.c +++ b/doc/designs/ddd/ddd-06-mem-uv.c 
@@ -547,10 +547,11 @@ static void post_write_get(APP_CONN *conn, int status, void *arg) app_read_start(conn, post_read, NULL); } +char tx_msg[300]; + static void post_connect(APP_CONN *conn, int status, void *arg) { int wr; - const char tx_msg[] = "GET / HTTP/1.0\r\nHost: www.openssl.org\r\n\r\n"; if (status < 0) { fprintf(stderr, "failed to connect: %d\n", status); @@ -568,10 +569,18 @@ static void post_connect(APP_CONN *conn, int status, void *arg) int main(int argc, char **argv) { int rc = 1; - SSL_CTX *ctx; + SSL_CTX *ctx = NULL; APP_CONN *conn = NULL; struct addrinfo hints = {0}, *result = NULL; + if (argc < 3) { + fprintf(stderr, "usage: %s host port\n", argv[0]); + goto fail; + } + + snprintf(tx_msg, sizeof(tx_msg), + "GET / HTTP/1.0\r\nHost: %s\r\n\r\n", argv[1]); + ctx = create_ssl_ctx(); if (!ctx) goto fail; @@ -579,13 +588,13 @@ int main(int argc, char **argv) hints.ai_family = AF_INET; hints.ai_socktype = SOCK_STREAM; hints.ai_flags = AI_PASSIVE; - rc = getaddrinfo("www.openssl.org", "443", &hints, &result); + rc = getaddrinfo(argv[1], argv[2], &hints, &result); if (rc < 0) { fprintf(stderr, "cannot resolve\n"); goto fail; } - conn = new_conn(ctx, "www.openssl.org", result->ai_addr, result->ai_addrlen, post_connect, NULL); + conn = new_conn(ctx, argv[1], result->ai_addr, result->ai_addrlen, post_connect, NULL); if (!conn) goto fail; From e1d0c930c1a7913a2d67c3b8426cd6376d26bd46 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Wed, 9 Aug 2023 17:46:33 +0100 Subject: [PATCH 058/324] QUIC DDD: Add unchanged copy of ddd-02-conn-nonblocking to serve as base for thread-assisted variant Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21715) --- .../ddd/ddd-02-conn-nonblocking-threads.c | 298 ++++++++++++++++++ 1 file changed, 298 insertions(+) create mode 100644 doc/designs/ddd/ddd-02-conn-nonblocking-threads.c 
diff --git a/doc/designs/ddd/ddd-02-conn-nonblocking-threads.c b/doc/designs/ddd/ddd-02-conn-nonblocking-threads.c new file mode 100644 index 0000000000000..30e7e33f1a1e1 --- /dev/null +++ b/doc/designs/ddd/ddd-02-conn-nonblocking-threads.c 
@@ -0,0 +1,298 @@ +#include +#include + +/* + * Demo 2: Client — Managed Connection — Asynchronous Nonblocking + * ============================================================== + * + * This is an example of (part of) an application which uses libssl in an + * asynchronous, nonblocking fashion. The functions show all interactions with + * libssl the application makes, and would hypothetically be linked into a + * larger application. + * + * In this example, libssl still makes syscalls directly using an fd, which is + * configured in nonblocking mode. As such, the application can still be + * abstracted from the details of what that fd is (is it a TCP socket? is it a + * UDP socket?); this code passes the application an fd and the application + * simply calls back into this code when poll()/etc. indicates it is ready. + */ +typedef struct app_conn_st { + SSL *ssl; + BIO *ssl_bio; + int rx_need_tx, tx_need_rx; +} APP_CONN; + +/* + * The application is initializing and wants an SSL_CTX which it will use for + * some number of outgoing connections, which it creates in subsequent calls to + * new_conn. The application may also call this function multiple times to + * create multiple SSL_CTX. + */ +SSL_CTX *create_ssl_ctx(void) +{ + SSL_CTX *ctx; + + ctx = SSL_CTX_new(TLS_client_method()); + if (ctx == NULL) + return NULL; + + /* Enable trust chain verification. */ + SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); + + /* Load default root CA store. */ + if (SSL_CTX_set_default_verify_paths(ctx) == 0) { + SSL_CTX_free(ctx); + return NULL; + } + + return ctx; +} + +/* + * The application wants to create a new outgoing connection using a given + * SSL_CTX. + * + * hostname is a string like "openssl.org:443" or "[::1]:443". 
+ */ +APP_CONN *new_conn(SSL_CTX *ctx, const char *hostname) +{ + APP_CONN *conn; + BIO *out, *buf; + SSL *ssl = NULL; + const char *bare_hostname; + + conn = calloc(1, sizeof(APP_CONN)); + if (conn == NULL) + return NULL; + + out = BIO_new_ssl_connect(ctx); + if (out == NULL) { + free(conn); + return NULL; + } + + if (BIO_get_ssl(out, &ssl) == 0) { + BIO_free_all(out); + free(conn); + return NULL; + } + + buf = BIO_new(BIO_f_buffer()); + if (buf == NULL) { + BIO_free_all(out); + free(conn); + return NULL; + } + + BIO_push(out, buf); + + if (BIO_set_conn_hostname(out, hostname) == 0) { + BIO_free_all(out); + free(conn); + return NULL; + } + + /* Returns the parsed hostname extracted from the hostname:port string. */ + bare_hostname = BIO_get_conn_hostname(out); + if (bare_hostname == NULL) { + BIO_free_all(out); + free(conn); + return NULL; + } + + /* Tell the SSL object the hostname to check certificates against. */ + if (SSL_set1_host(ssl, bare_hostname) <= 0) { + BIO_free_all(out); + free(conn); + return NULL; + } + + /* Make the BIO nonblocking. */ + BIO_set_nbio(out, 1); + + conn->ssl_bio = out; + return conn; +} + +/* + * Non-blocking transmission. + * + * Returns -1 on error. Returns -2 if the function would block (corresponds to + * EWOULDBLOCK). + */ +int tx(APP_CONN *conn, const void *buf, int buf_len) +{ + int l; + + conn->tx_need_rx = 0; + + l = BIO_write(conn->ssl_bio, buf, buf_len); + if (l <= 0) { + if (BIO_should_retry(conn->ssl_bio)) { + conn->tx_need_rx = BIO_should_read(conn->ssl_bio); + return -2; + } else { + return -1; + } + } + + return l; +} + +/* + * Non-blocking reception. + * + * Returns -1 on error. Returns -2 if the function would block (corresponds to + * EWOULDBLOCK). 
+ */ +int rx(APP_CONN *conn, void *buf, int buf_len) +{ + int l; + + conn->rx_need_tx = 0; + + l = BIO_read(conn->ssl_bio, buf, buf_len); + if (l <= 0) { + if (BIO_should_retry(conn->ssl_bio)) { + conn->rx_need_tx = BIO_should_write(conn->ssl_bio); + return -2; + } else { + return -1; + } + } + + return l; +} + +/* + * The application wants to know a fd it can poll on to determine when the + * SSL state machine needs to be pumped. + */ +int get_conn_fd(APP_CONN *conn) +{ + return BIO_get_fd(conn->ssl_bio, NULL); +} + +/* + * These functions returns zero or more of: + * + * POLLIN: The SSL state machine is interested in socket readability events. + * + * POLLOUT: The SSL state machine is interested in socket writeability events. + * + * POLLERR: The SSL state machine is interested in socket error events. + * + * get_conn_pending_tx returns events which may cause SSL_write to make + * progress and get_conn_pending_rx returns events which may cause SSL_read + * to make progress. + */ +int get_conn_pending_tx(APP_CONN *conn) +{ + return (conn->tx_need_rx ? POLLIN : 0) | POLLOUT | POLLERR; +} + +int get_conn_pending_rx(APP_CONN *conn) +{ + return (conn->rx_need_tx ? POLLOUT : 0) | POLLIN | POLLERR; +} + +/* + * The application wants to close the connection and free bookkeeping + * structures. + */ +void teardown(APP_CONN *conn) +{ + BIO_free_all(conn->ssl_bio); + free(conn); +} + +/* + * The application is shutting down and wants to free a previously + * created SSL_CTX. + */ +void teardown_ctx(SSL_CTX *ctx) +{ + SSL_CTX_free(ctx); +} + +/* + * ============================================================================ + * Example driver for the above code. This is just to demonstrate that the code + * works and is not intended to be representative of a real application. 
+ */ +int main(int argc, char **argv) +{ + static char tx_msg[384], host_port[300]; + const char *tx_p = tx_msg; + char rx_buf[2048]; + int res = 1, l, tx_len = sizeof(tx_msg)-1; + int timeout = 2000 /* ms */; + APP_CONN *conn = NULL; + SSL_CTX *ctx = NULL; + + if (argc < 3) { + fprintf(stderr, "usage: %s host port\n", argv[0]); + goto fail; + } + + snprintf(host_port, sizeof(host_port), "%s:%s", argv[1], argv[2]); + snprintf(tx_msg, sizeof(tx_msg), + "GET / HTTP/1.0\r\nHost: %s\r\n\r\n", argv[1]); + + ctx = create_ssl_ctx(); + if (ctx == NULL) { + fprintf(stderr, "cannot create SSL context\n"); + goto fail; + } + + conn = new_conn(ctx, host_port); + if (conn == NULL) { + fprintf(stderr, "cannot establish connection\n"); + goto fail; + } + + /* TX */ + while (tx_len != 0) { + l = tx(conn, tx_p, tx_len); + if (l > 0) { + tx_p += l; + tx_len -= l; + } else if (l == -1) { + fprintf(stderr, "tx error\n"); + } else if (l == -2) { + struct pollfd pfd = {0}; + pfd.fd = get_conn_fd(conn); + pfd.events = get_conn_pending_tx(conn); + if (poll(&pfd, 1, timeout) == 0) { + fprintf(stderr, "tx timeout\n"); + goto fail; + } + } + } + + /* RX */ + for (;;) { + l = rx(conn, rx_buf, sizeof(rx_buf)); + if (l > 0) { + fwrite(rx_buf, 1, l, stdout); + } else if (l == -1) { + break; + } else if (l == -2) { + struct pollfd pfd = {0}; + pfd.fd = get_conn_fd(conn); + pfd.events = get_conn_pending_rx(conn); + if (poll(&pfd, 1, timeout) == 0) { + fprintf(stderr, "rx timeout\n"); + goto fail; + } + } + } + + res = 0; +fail: + if (conn != NULL) + teardown(conn); + if (ctx != NULL) + teardown_ctx(ctx); + return res; +} From be4c3446a475a8449aa00e550de9de887ec44a70 Mon Sep 17 00:00:00 2001 
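Review bot: In the TX loop of `main`, the `l == -1` branch only prints `tx error` and loops again, so a persistent write failure spins forever instead of ending the program; the RX loop breaks on the same condition. Add `goto fail;` after that `fprintf`. Both loops also treat only `poll(...) == 0` as a problem, so a `-1` return (for example from an invalid descriptor returned by `get_conn_fd()`) retries immediately; testing `<= 0` would stop on both cases. In `new_conn()` the result of `BIO_set_nbio(out, 1)` is ignored and `conn->ssl` is never assigned.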
From: Hugo Landau Date: Wed, 9 Aug 2023 17:46:33 +0100 Subject: [PATCH 059/324] QUIC DDD: Update makefile Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21715) --- doc/designs/ddd/Makefile | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/doc/designs/ddd/Makefile b/doc/designs/ddd/Makefile index 0671f4ed731e6..505830ea5ddfa 100644 --- a/doc/designs/ddd/Makefile +++ b/doc/designs/ddd/Makefile @@ -3,10 +3,12 @@ # # LD_LIBRARY_PATH=../.. make test -TESTS=ddd-01-conn-blocking ddd-02-conn-nonblocking ddd-03-fd-blocking ddd-04-fd-nonblocking ddd-05-mem-nonblocking ddd-06-mem-uv +TESTS_BASE=ddd-01-conn-blocking ddd-02-conn-nonblocking ddd-02-conn-nonblocking-threads \ + ddd-03-fd-blocking ddd-04-fd-nonblocking ddd-05-mem-nonblocking ddd-06-mem-uv +TESTS=$(foreach x,$(TESTS_BASE),$(x)-tls $(x)-quic) -CFLAGS = -I../include -O3 -g -Wall -LDFLAGS = -L.. +CFLAGS = -I../../../include -O3 -g -Wall +LDFLAGS = -L../../.. LDLIBS = -lcrypto -lssl all: $(TESTS) @@ -14,11 +16,14 @@ all: $(TESTS) clean: rm -f $(TESTS) *.o -test: all - for x in $(TESTS); do echo "$$x"; LD_LIBRARY_PATH="$$(pwd)/.." ./$$x | grep -q '' || { echo >&2 'Error'; exit 1; }; done - -ddd-06-mem-uv: ddd-06-mem-uv.c +ddd-06-mem-uv-tls: ddd-06-mem-uv.c $(CC) $(CFLAGS) $(LDFLAGS) -o "$@" "$<" $(LDLIBS) -luv -ddd-%: ddd-%.c +ddd-06-mem-uv-quic: ddd-06-mem-uv.c + $(CC) $(CFLAGS) $(LDFLAGS) -DUSE_QUIC -o "$@" "$<" $(LDLIBS) -luv + +ddd-%-quic: ddd-%.c + $(CC) $(CFLAGS) $(LDFLAGS) -DUSE_QUIC -o "$@" "$<" $(LDLIBS) + +ddd-%-tls: ddd-%.c $(CC) $(CFLAGS) $(LDFLAGS) -o "$@" "$<" $(LDLIBS) From 37f12107ee98670bae4b967110370a2bdb171c16 Mon Sep 17 00:00:00 2001 
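Review bot: The `test` target is removed without a replacement, but the header comment kept as context still tells the reader to run `LD_LIBRARY_PATH=../.. make test`, and that path no longer matches the new `LDFLAGS = -L../../..`. Either update the comment to the new invocation or restore a `test` rule that iterates over `$(TESTS)` and passes the host and port arguments the demos now require. No `.PHONY` line is visible in the hunk; if the file has none, `.PHONY: all clean` keeps a stray file of that name from shadowing the targets.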
From: Hugo Landau Date: Wed, 9 Aug 2023 17:46:33 +0100 Subject: [PATCH 060/324] QUIC DDD: ddd-01-conn-blocking: Planned changes Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21715) --- doc/designs/ddd/ddd-01-conn-blocking.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/designs/ddd/ddd-01-conn-blocking.c b/doc/designs/ddd/ddd-01-conn-blocking.c index 4dae5f48de72e..11c3585a18565 100644 --- a/doc/designs/ddd/ddd-01-conn-blocking.c +++ b/doc/designs/ddd/ddd-01-conn-blocking.c @@ -20,7 +20,11 @@ SSL_CTX *create_ssl_ctx(void) { SSL_CTX *ctx; +#ifdef USE_QUIC + ctx = SSL_CTX_new(QUIC_client_method()); +#else ctx = SSL_CTX_new(TLS_client_method()); +#endif if (ctx == NULL) return NULL; From b96e5cc60b6c9b4985eab829fd7b1161481da428 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Wed, 9 Aug 2023 17:46:33 +0100 Subject: [PATCH 061/324] QUIC DDD: ddd-01-conn-blocking: Unplanned changes - QUIC_client_method() renamed due to namespacing - QUIC mandates use of ALPN Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21715) --- doc/designs/ddd/ddd-01-conn-blocking.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/doc/designs/ddd/ddd-01-conn-blocking.c b/doc/designs/ddd/ddd-01-conn-blocking.c index 11c3585a18565..ab5cbf673d028 100644 --- a/doc/designs/ddd/ddd-01-conn-blocking.c +++ b/doc/designs/ddd/ddd-01-conn-blocking.c @@ -21,7 +21,7 @@ SSL_CTX *create_ssl_ctx(void) SSL_CTX *ctx; #ifdef USE_QUIC - ctx = SSL_CTX_new(QUIC_client_method()); + ctx = SSL_CTX_new(OSSL_QUIC_client_method()); #else ctx = SSL_CTX_new(TLS_client_method()); #endif @@ -51,6 +51,9 @@ BIO *new_conn(SSL_CTX *ctx, const char *hostname) BIO *out; SSL *ssl = NULL; const char *bare_hostname; +#ifdef USE_QUIC + static const unsigned char alpn[] = {5, 'd', 'u', 'm', 'm', 'y'}; +#endif out = BIO_new_ssl_connect(ctx); if (out == NULL) 
@@ -79,6 +82,15 @@ BIO *new_conn(SSL_CTX *ctx, const char *hostname) return NULL; } +#ifdef USE_QUIC + /* Configure ALPN, which is required for QUIC. */ + if (SSL_set_alpn_protos(ssl, alpn, sizeof(alpn))) { + /* Note: SSL_set_alpn_protos returns 1 for failure. */ + BIO_free_all(out); + return NULL; + } +#endif + return out; } From e6ad003d73b3021790f486ded07fe038a6d30335 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Wed, 9 Aug 2023 17:46:33 +0100 Subject: [PATCH 062/324] QUIC DDD: ddd-02-conn-nonblocking: Planned changes Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21715) --- doc/designs/ddd/ddd-02-conn-nonblocking.c | 123 ++++++++++++++++++++-- 1 file changed, 117 insertions(+), 6 deletions(-) diff --git a/doc/designs/ddd/ddd-02-conn-nonblocking.c b/doc/designs/ddd/ddd-02-conn-nonblocking.c index 30e7e33f1a1e1..3295635be6161 100644 --- a/doc/designs/ddd/ddd-02-conn-nonblocking.c +++ b/doc/designs/ddd/ddd-02-conn-nonblocking.c @@ -32,7 +32,11 @@ SSL_CTX *create_ssl_ctx(void) { SSL_CTX *ctx; +#ifdef USE_QUIC + ctx = SSL_CTX_new(QUIC_client_method()); +#else ctx = SSL_CTX_new(TLS_client_method()); +#endif if (ctx == NULL) return NULL; @@ -77,7 +81,11 @@ APP_CONN *new_conn(SSL_CTX *ctx, const char *hostname) return NULL; } +#ifdef USE_QUIC + buf = BIO_new(BIO_f_dgram_buffer()); +#else buf = BIO_new(BIO_f_buffer()); +#endif if (buf == NULL) { BIO_free_all(out); free(conn); @@ -170,7 +178,11 @@ int rx(APP_CONN *conn, void *buf, int buf_len) */ int get_conn_fd(APP_CONN *conn) { +#ifdef USE_QUIC + return BIO_get_poll_fd(conn->ssl_bio, NULL); +#else return BIO_get_fd(conn->ssl_bio, NULL); +#endif } /* @@ -188,7 +200,11 @@ int get_conn_fd(APP_CONN *conn) */ int get_conn_pending_tx(APP_CONN *conn) { +#ifdef USE_QUIC + return POLLIN | POLLOUT | POLLERR; +#else return (conn->tx_need_rx ? POLLIN : 0) | POLLOUT | POLLERR; +#endif } int get_conn_pending_rx(APP_CONN *conn) 
@@ -196,6 +212,28 @@ int get_conn_pending_rx(APP_CONN *conn) return (conn->rx_need_tx ? POLLOUT : 0) | POLLIN | POLLERR; } +#ifdef USE_QUIC +/* + * Returns the number of milliseconds after which some call to libssl must be + * made. Any call (BIO_read/BIO_write/BIO_pump) will do. Returns -1 if + * there is no need for such a call. This may change after the next call + * to libssl. + */ +int get_conn_pump_timeout(APP_CONN *conn) +{ + return BIO_get_timeout(conn->ssl_bio); +} + +/* + * Called to advance internals of libssl state machines without having to + * perform an application-level read/write. + */ +void pump(APP_CONN *conn) +{ + BIO_pump(conn->ssl_bio); +} +#endif + /* * The application wants to close the connection and free bookkeeping * structures. @@ -220,16 +258,37 @@ void teardown_ctx(SSL_CTX *ctx) * Example driver for the above code. This is just to demonstrate that the code * works and is not intended to be representative of a real application. */ +#include + +static inline void ms_to_timeval(struct timeval *t, int ms) +{ + t->tv_sec = ms < 0 ? -1 : ms/1000; + t->tv_usec = ms < 0 ? 0 : (ms%1000)*1000; +} + +static inline int timeval_to_ms(const struct timeval *t) +{ + return t->tv_sec*1000 + t->tv_usec/1000; +} + int main(int argc, char **argv) { static char tx_msg[384], host_port[300]; const char *tx_p = tx_msg; char rx_buf[2048]; int res = 1, l, tx_len = sizeof(tx_msg)-1; +#ifdef USE_QUIC + struct timeval timeout; +#else int timeout = 2000 /* ms */; +#endif APP_CONN *conn = NULL; SSL_CTX *ctx = NULL; +#ifdef USE_QUIC + ms_to_timeval(&timeout, 2000); +#endif + if (argc < 3) { fprintf(stderr, "usage: %s host port\n", argv[0]); goto fail; 
@@ -260,12 +319,38 @@ int main(int argc, char **argv) } else if (l == -1) { fprintf(stderr, "tx error\n"); } else if (l == -2) { +#ifdef USE_QUIC + struct timeval start, now, deadline, t; +#endif struct pollfd pfd = {0}; + +#ifdef USE_QUIC + ms_to_timeval(&t, get_conn_pump_timeout(conn)); + if (t.tv_sec < 0 || timercmp(&t, &timeout, >)) + t = timeout; + + gettimeofday(&start, NULL); + timeradd(&start, &timeout, &deadline); +#endif + pfd.fd = get_conn_fd(conn); pfd.events = get_conn_pending_tx(conn); - if (poll(&pfd, 1, timeout) == 0) { - fprintf(stderr, "tx timeout\n"); - goto fail; +#ifdef USE_QUIC + if (poll(&pfd, 1, timeval_to_ms(&t)) == 0) +#else + if (poll(&pfd, 1, timeout) == 0) +#endif + { +#ifdef USE_QUIC + pump(conn); + + gettimeofday(&now, NULL); + if (timercmp(&now, &deadline, >=)) +#endif + { + fprintf(stderr, "tx timeout\n"); + goto fail; + } } } } @@ -278,12 +363,38 @@ int main(int argc, char **argv) } else if (l == -1) { break; } else if (l == -2) { +#ifdef USE_QUIC + struct timeval start, now, deadline, t; +#endif struct pollfd pfd = {0}; + +#ifdef USE_QUIC + ms_to_timeval(&t, get_conn_pump_timeout(conn)); + if (t.tv_sec < 0 || timercmp(&t, &timeout, >)) + t = timeout; + + gettimeofday(&start, NULL); + timeradd(&start, &timeout, &deadline); +#endif + pfd.fd = get_conn_fd(conn); pfd.events = get_conn_pending_rx(conn); - if (poll(&pfd, 1, timeout) == 0) { - fprintf(stderr, "rx timeout\n"); - goto fail; +#ifdef USE_QUIC + if (poll(&pfd, 1, timeval_to_ms(&t)) == 0) +#else + if (poll(&pfd, 1, timeout) == 0) +#endif + { +#ifdef USE_QUIC + pump(conn); + + gettimeofday(&now, NULL); + if (timercmp(&now, &deadline, >=)) +#endif + { + fprintf(stderr, "rx timeout\n"); + goto fail; + } } } } From f3792076597a8e9003f61333e5e9a84818f12529 Mon Sep 17 00:00:00 2001 
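Review bot: The overall deadline is recomputed on every pass through the `l == -2` branch, because `start` and `deadline` are block-local and set immediately before `poll()`. If this branch sits inside the retry loop (the loop header is outside the hunk), the `tx timeout` path only fires when a single poll waits the whole `timeout`; whenever `get_conn_pump_timeout()` returns something shorter, `now` is always earlier than the fresh `deadline` and the wait can run well past the intended 2000 ms. Computing `deadline` once before the loop and polling for the smaller of `t` and `deadline - now` keeps the bound. The rx hunk that follows and both loops in ddd-04-fd-nonblocking.c have the same shape. `gettimeofday()` is wall-clock time, so a monotonic clock would also be the safer source for a deadline.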
From: Hugo Landau Date: Wed, 9 Aug 2023 17:46:33 +0100 Subject: [PATCH 063/324] QUIC DDD: ddd-02-conn-nonblocking: Unplanned changes Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21715) --- doc/designs/ddd/ddd-02-conn-nonblocking.c | 58 +++++++++++++++++++---- 1 file changed, 49 insertions(+), 9 deletions(-) diff --git a/doc/designs/ddd/ddd-02-conn-nonblocking.c b/doc/designs/ddd/ddd-02-conn-nonblocking.c index 3295635be6161..9b45781fdf7a9 100644 --- a/doc/designs/ddd/ddd-02-conn-nonblocking.c +++ b/doc/designs/ddd/ddd-02-conn-nonblocking.c @@ -33,7 +33,7 @@ SSL_CTX *create_ssl_ctx(void) SSL_CTX *ctx; #ifdef USE_QUIC - ctx = SSL_CTX_new(QUIC_client_method()); + ctx = SSL_CTX_new(OSSL_QUIC_client_method()); #else ctx = SSL_CTX_new(TLS_client_method()); #endif @@ -64,6 +64,9 @@ APP_CONN *new_conn(SSL_CTX *ctx, const char *hostname) BIO *out, *buf; SSL *ssl = NULL; const char *bare_hostname; +#ifdef USE_QUIC + static const unsigned char alpn[] = {5, 'd', 'u', 'm', 'm', 'y'}; +#endif conn = calloc(1, sizeof(APP_CONN)); if (conn == NULL) @@ -81,11 +84,20 @@ APP_CONN *new_conn(SSL_CTX *ctx, const char *hostname) return NULL; } -#ifdef USE_QUIC - buf = BIO_new(BIO_f_dgram_buffer()); -#else + /* + * NOTE: QUIC cannot operate with a buffering BIO between the QUIC SSL + * object in the network. In this case, the call to BIO_push() is not + * supported by the QUIC SSL object and will be ignored, thus this code + * works without removing this line. However, the buffering BIO is not + * actually used as a result and should be removed when adapting code to use + * QUIC. + * + * Setting a buffer as the underlying BIO on the QUIC SSL object using + * SSL_set_bio() will not work, though BIO_s_dgram_pair is available for + * buffering the input and output to the QUIC SSL object on the network side + * if desired. + */ buf = BIO_new(BIO_f_buffer()); -#endif if (buf == NULL) { BIO_free_all(out); free(conn); 
@@ -115,6 +127,15 @@ APP_CONN *new_conn(SSL_CTX *ctx, const char *hostname) return NULL; } +#ifdef USE_QUIC + /* Configure ALPN, which is required for QUIC. */ + if (SSL_set_alpn_protos(ssl, alpn, sizeof(alpn))) { + /* Note: SSL_set_alpn_protos returns 1 for failure. */ + BIO_free_all(out); + return NULL; + } +#endif + /* Make the BIO nonblocking. */ BIO_set_nbio(out, 1); @@ -179,7 +200,12 @@ int rx(APP_CONN *conn, void *buf, int buf_len) int get_conn_fd(APP_CONN *conn) { #ifdef USE_QUIC - return BIO_get_poll_fd(conn->ssl_bio, NULL); + BIO_POLL_DESCRIPTOR d; + + if (!BIO_get_rpoll_descriptor(conn->ssl_bio, &d)) + return -1; + + return d.value.fd; #else return BIO_get_fd(conn->ssl_bio, NULL); #endif @@ -201,7 +227,9 @@ int get_conn_fd(APP_CONN *conn) int get_conn_pending_tx(APP_CONN *conn) { #ifdef USE_QUIC - return POLLIN | POLLOUT | POLLERR; + return (SSL_net_read_desired(conn->ssl) ? POLLIN : 0) + | (SSL_net_write_desired(conn->ssl) ? POLLOUT : 0) + | POLLERR; #else return (conn->tx_need_rx ? POLLIN : 0) | POLLOUT | POLLERR; #endif @@ -209,7 +237,11 @@ int get_conn_pending_tx(APP_CONN *conn) int get_conn_pending_rx(APP_CONN *conn) { +#ifdef USE_QUIC + return get_conn_pending_tx(conn); +#else return (conn->rx_need_tx ? POLLOUT : 0) | POLLIN | POLLERR; +#endif } #ifdef USE_QUIC @@ -219,9 +251,17 @@ int get_conn_pending_rx(APP_CONN *conn) * there is no need for such a call. This may change after the next call * to libssl. */ +static inline int timeval_to_ms(const struct timeval *t); + int get_conn_pump_timeout(APP_CONN *conn) { - return BIO_get_timeout(conn->ssl_bio); + struct timeval tv; + int is_infinite; + + if (!SSL_get_event_timeout(conn->ssl, &tv, &is_infinite)) + return -1; + + return is_infinite ? -1 : timeval_to_ms(&tv); } /* @@ -230,7 +270,7 @@ int get_conn_pump_timeout(APP_CONN *conn) */ void pump(APP_CONN *conn) { - BIO_pump(conn->ssl_bio); + SSL_handle_events(conn->ssl); } #endif From 43f4b8a80ead05900a3a23196c3c4bbb3ed045b1 Mon Sep 17 00:00:00 2001 
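Review bot: The new ALPN failure path returns without `free(conn)`, while the `buf == NULL` path earlier in new_conn() does `BIO_free_all(out); free(conn); return NULL;`, so the `calloc`'d APP_CONN leaks when `SSL_set_alpn_protos()` fails. Adding `free(conn);` after `BIO_free_all(out);` closes the gap. The identical block added to ddd-02-conn-nonblocking-threads.c has the same omission. new_conn() starts and ends outside the hunk.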
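Review bot: get_conn_fd() reads `d.value.fd` without checking which kind of descriptor came back; `BIO_POLL_DESCRIPTOR` is a tagged union, so that member is only meaningful when `d.type == BIO_POLL_DESCRIPTOR_TYPE_SOCK_FD`. I would make the guard `if (!BIO_get_rpoll_descriptor(conn->ssl_bio, &d) || d.type != BIO_POLL_DESCRIPTOR_TYPE_SOCK_FD) return -1;`. The callers shown assign the result straight to `pfd.fd`, and poll() ignores negative descriptors, so a -1 turns into a silent wait rather than an error; main() should check for it. The same code is added to ddd-02-conn-nonblocking-threads.c.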
From: Hugo Landau Date: Wed, 9 Aug 2023 17:46:33 +0100 Subject: [PATCH 064/324] QUIC DDD: ddd-03-fd-blocking: Planned changes Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21715) --- doc/designs/ddd/ddd-03-fd-blocking.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/doc/designs/ddd/ddd-03-fd-blocking.c b/doc/designs/ddd/ddd-03-fd-blocking.c index 6d9f8e87eb110..0a890d6abe29e 100644 --- a/doc/designs/ddd/ddd-03-fd-blocking.c +++ b/doc/designs/ddd/ddd-03-fd-blocking.c @@ -21,7 +21,11 @@ SSL_CTX *create_ssl_ctx(void) { SSL_CTX *ctx; +#ifdef USE_QUIC + ctx = SSL_CTX_new(QUIC_client_method()); +#else ctx = SSL_CTX_new(TLS_client_method()); +#endif if (ctx == NULL) return NULL; @@ -152,7 +156,11 @@ int main(int argc, char **argv) signal(SIGPIPE, SIG_IGN); +#ifdef USE_QUIC + fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); +#else fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); +#endif if (fd < 0) { fprintf(stderr, "cannot create socket\n"); goto fail; From 24e583619c6f4bb1e7659b6b4f06cea920710688 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Wed, 9 Aug 2023 17:46:33 +0100 Subject: [PATCH 065/324] QUIC DDD: ddd-03-fd-blocking: Unplanned changes Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21715) --- doc/designs/ddd/ddd-03-fd-blocking.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/doc/designs/ddd/ddd-03-fd-blocking.c b/doc/designs/ddd/ddd-03-fd-blocking.c index 0a890d6abe29e..1388839cecb5d 100644 --- a/doc/designs/ddd/ddd-03-fd-blocking.c +++ b/doc/designs/ddd/ddd-03-fd-blocking.c @@ -22,7 +22,7 @@ SSL_CTX *create_ssl_ctx(void) SSL_CTX *ctx; #ifdef USE_QUIC - ctx = SSL_CTX_new(QUIC_client_method()); + ctx = SSL_CTX_new(OSSL_QUIC_client_method()); #else ctx = SSL_CTX_new(TLS_client_method()); #endif 
@@ -50,6 +50,9 @@ SSL_CTX *create_ssl_ctx(void) SSL *new_conn(SSL_CTX *ctx, int fd, const char *bare_hostname) { SSL *ssl; +#ifdef USE_QUIC + static const unsigned char alpn[] = {5, 'd', 'u', 'm', 'm', 'y'}; +#endif ssl = SSL_new(ctx); if (ssl == NULL) @@ -72,6 +75,15 @@ SSL *new_conn(SSL_CTX *ctx, int fd, const char *bare_hostname) return NULL; } +#ifdef USE_QUIC + /* Configure ALPN, which is required for QUIC. */ + if (SSL_set_alpn_protos(ssl, alpn, sizeof(alpn))) { + /* Note: SSL_set_alpn_protos returns 1 for failure. */ + SSL_free(ssl); + return NULL; + } +#endif + return ssl; } From b3e71dbf6863343cfabdbe2ba0443fcb69343874 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Wed, 9 Aug 2023 17:46:33 +0100 Subject: [PATCH 066/324] QUIC DDD: ddd-04-fd-nonblocking: Planned changes Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21715) --- doc/designs/ddd/ddd-04-fd-nonblocking.c | 123 ++++++++++++++++++++++-- 1 file changed, 117 insertions(+), 6 deletions(-) diff --git a/doc/designs/ddd/ddd-04-fd-nonblocking.c b/doc/designs/ddd/ddd-04-fd-nonblocking.c index f8a5162a2e7a5..ef15ecb29a0ce 100644 --- a/doc/designs/ddd/ddd-04-fd-nonblocking.c +++ b/doc/designs/ddd/ddd-04-fd-nonblocking.c @@ -27,7 +27,11 @@ SSL_CTX *create_ssl_ctx(void) { SSL_CTX *ctx; +#ifdef USE_QUIC + ctx = SSL_CTX_new(QUIC_client_method()); +#else ctx = SSL_CTX_new(TLS_client_method()); +#endif if (ctx == NULL) return NULL; @@ -180,7 +184,11 @@ int get_conn_fd(APP_CONN *conn) */ int get_conn_pending_tx(APP_CONN *conn) { +#ifdef USE_QUIC + return POLLIN | POLLOUT | POLLERR; +#else return (conn->tx_need_rx ? POLLIN : 0) | POLLOUT | POLLERR; +#endif } int get_conn_pending_rx(APP_CONN *conn) 
@@ -188,6 +196,28 @@ int get_conn_pending_rx(APP_CONN *conn) return (conn->rx_need_tx ? POLLOUT : 0) | POLLIN | POLLERR; } +#ifdef USE_QUIC +/* + * Returns the number of milliseconds after which some call to libssl must be + * made. Any call (SSL_read/SSL_write/SSL_pump) will do. Returns -1 if there is + * no need for such a call. This may change after the next call + * to libssl. + */ +int get_conn_pump_timeout(APP_CONN *conn) +{ + return SSL_get_timeout(conn->ssl); +} + +/* + * Called to advance internals of libssl state machines without having to + * perform an application-level read/write. + */ +void pump(APP_CONN *conn) +{ + SSL_pump(conn->ssl); +} +#endif + /* * The application wants to close the connection and free bookkeeping * structures. @@ -216,10 +246,28 @@ void teardown_ctx(SSL_CTX *ctx) #include #include #include +#ifdef USE_QUIC +# include +#endif #include #include #include +#ifdef USE_QUIC + +static inline void ms_to_timeval(struct timeval *t, int ms) +{ + t->tv_sec = ms < 0 ? -1 : ms/1000; + t->tv_usec = ms < 0 ? 0 : (ms%1000)*1000; +} + +static inline int timeval_to_ms(const struct timeval *t) +{ + return t->tv_sec*1000 + t->tv_usec/1000; +} + +#endif + int main(int argc, char **argv) { int rc, fd = -1, res = 1; @@ -227,11 +275,19 @@ int main(int argc, char **argv) const char *tx_p = tx_msg; char rx_buf[2048]; int l, tx_len = sizeof(tx_msg)-1; +#ifdef USE_QUIC + struct timeval timeout; +#else int timeout = 2000 /* ms */; +#endif APP_CONN *conn = NULL; struct addrinfo hints = {0}, *result = NULL; SSL_CTX *ctx = NULL; +#ifdef USE_QUIC + ms_to_timeval(&timeout, 2000); +#endif + if (argc < 3) { fprintf(stderr, "usage: %s host port\n", argv[0]); goto fail; @@ -257,7 +313,11 @@ int main(int argc, char **argv) signal(SIGPIPE, SIG_IGN); +#ifdef USE_QUIC + fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); +#else fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); +#endif if (fd < 0) { fprintf(stderr, "cannot create socket\n"); goto fail; 
@@ -291,12 +351,38 @@ int main(int argc, char **argv) fprintf(stderr, "tx error\n"); goto fail; } else if (l == -2) { +#ifdef USE_QUIC + struct timeval start, now, deadline, t; +#endif struct pollfd pfd = {0}; + +#ifdef USE_QUIC + ms_to_timeval(&t, get_conn_pump_timeout(conn)); + if (t.tv_sec < 0 || timercmp(&t, &timeout, >)) + t = timeout; + + gettimeofday(&start, NULL); + timeradd(&start, &timeout, &deadline); +#endif + pfd.fd = get_conn_fd(conn); pfd.events = get_conn_pending_tx(conn); - if (poll(&pfd, 1, timeout) == 0) { - fprintf(stderr, "tx timeout\n"); - goto fail; +#ifdef USE_QUIC + if (poll(&pfd, 1, timeval_to_ms(&t)) == 0) +#else + if (poll(&pfd, 1, timeout) == 0) +#endif + { +#ifdef USE_QUIC + pump(conn); + + gettimeofday(&now, NULL); + if (timercmp(&now, &deadline, >=)) +#endif + { + fprintf(stderr, "tx timeout\n"); + goto fail; + } } } } @@ -309,12 +395,37 @@ int main(int argc, char **argv) } else if (l == -1) { break; } else if (l == -2) { +#ifdef USE_QUIC + struct timeval start, now, deadline, t; +#endif struct pollfd pfd = {0}; + +#ifdef USE_QUIC + ms_to_timeval(&t, get_conn_pump_timeout(conn)); + if (t.tv_sec < 0 || timercmp(&t, &timeout, >)) + t = timeout; + + gettimeofday(&start, NULL); + timeradd(&start, &timeout, &deadline); +#endif + pfd.fd = get_conn_fd(conn); pfd.events = get_conn_pending_rx(conn); - if (poll(&pfd, 1, timeout) == 0) { - fprintf(stderr, "rx timeout\n"); - goto fail; +#ifdef USE_QUIC + if (poll(&pfd, 1, timeval_to_ms(&t)) == 0) +#else + if (poll(&pfd, 1, timeout) == 0) +#endif + { +#ifdef USE_QUIC + pump(conn); + gettimeofday(&now, NULL); + if (timercmp(&now, &deadline, >=)) +#endif + { + fprintf(stderr, "rx timeout\n"); + goto fail; + } } } } From 92db6d628016baa146bfce8b645c13f64ad4bf68 Mon Sep 17 00:00:00 2001 
From: Hugo Landau Date: Wed, 9 Aug 2023 17:46:33 +0100 Subject: [PATCH 067/324] QUIC DDD: ddd-04-fd-nonblocking: Unplanned changes Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21715) --- doc/designs/ddd/ddd-04-fd-nonblocking.c | 33 +++++++++++++++++++++---- 1 file changed, 28 insertions(+), 5 deletions(-) diff --git a/doc/designs/ddd/ddd-04-fd-nonblocking.c b/doc/designs/ddd/ddd-04-fd-nonblocking.c index ef15ecb29a0ce..009ba571fee8d 100644 --- a/doc/designs/ddd/ddd-04-fd-nonblocking.c +++ b/doc/designs/ddd/ddd-04-fd-nonblocking.c @@ -28,7 +28,7 @@ SSL_CTX *create_ssl_ctx(void) SSL_CTX *ctx; #ifdef USE_QUIC - ctx = SSL_CTX_new(QUIC_client_method()); + ctx = SSL_CTX_new(OSSL_QUIC_client_method()); #else ctx = SSL_CTX_new(TLS_client_method()); #endif @@ -57,6 +57,9 @@ APP_CONN *new_conn(SSL_CTX *ctx, int fd, const char *bare_hostname) { APP_CONN *conn; SSL *ssl; +#ifdef USE_QUIC + static const unsigned char alpn[] = {5, 'd', 'u', 'm', 'm', 'y'}; +#endif conn = calloc(1, sizeof(APP_CONN)); if (conn == NULL) @@ -88,6 +91,16 @@ APP_CONN *new_conn(SSL_CTX *ctx, int fd, const char *bare_hostname) return NULL; } +#ifdef USE_QUIC + /* Configure ALPN, which is required for QUIC. */ + if (SSL_set_alpn_protos(ssl, alpn, sizeof(alpn))) { + /* Note: SSL_set_alpn_protos returns 1 for failure. */ + SSL_free(ssl); + free(conn); + return NULL; + } +#endif + conn->fd = fd; return conn; } @@ -185,7 +198,9 @@ int get_conn_fd(APP_CONN *conn) int get_conn_pending_tx(APP_CONN *conn) { #ifdef USE_QUIC - return POLLIN | POLLOUT | POLLERR; + return (SSL_net_read_desired(conn->ssl) ? POLLIN : 0) + | (SSL_net_write_desired(conn->ssl) ? POLLOUT : 0) + | POLLERR; #else return (conn->tx_need_rx ? POLLIN : 0) | POLLOUT | POLLERR; #endif 
@@ -193,7 +208,7 @@ int get_conn_pending_tx(APP_CONN *conn) int get_conn_pending_rx(APP_CONN *conn) { - return (conn->rx_need_tx ? POLLOUT : 0) | POLLIN | POLLERR; + return get_conn_pending_tx(conn); } #ifdef USE_QUIC @@ -203,9 +218,17 @@ int get_conn_pending_rx(APP_CONN *conn) * no need for such a call. This may change after the next call * to libssl. */ +static inline int timeval_to_ms(const struct timeval *t); + int get_conn_pump_timeout(APP_CONN *conn) { - return SSL_get_timeout(conn->ssl); + struct timeval tv; + int is_infinite; + + if (!SSL_get_event_timeout(conn->ssl, &tv, &is_infinite)) + return -1; + + return is_infinite ? -1 : timeval_to_ms(&tv); } /* @@ -214,7 +237,7 @@ int get_conn_pump_timeout(APP_CONN *conn) */ void pump(APP_CONN *conn) { - SSL_pump(conn->ssl); + SSL_handle_events(conn->ssl); } #endif From 70dc50c2659f70c47f20e45939b0b43fe9436610 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Wed, 9 Aug 2023 17:46:33 +0100 Subject: [PATCH 068/324] QUIC DDD: ddd-05-mem-nonblocking: Planned changes Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21715) --- doc/designs/ddd/ddd-05-mem-nonblocking.c | 27 ++++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/doc/designs/ddd/ddd-05-mem-nonblocking.c b/doc/designs/ddd/ddd-05-mem-nonblocking.c index 532cf877a3244..527f735bfcfa7 100644 --- a/doc/designs/ddd/ddd-05-mem-nonblocking.c +++ b/doc/designs/ddd/ddd-05-mem-nonblocking.c @@ -31,7 +31,11 @@ SSL_CTX *create_ssl_ctx(void) { SSL_CTX *ctx; +#ifdef USE_QUIC + ctx = SSL_CTX_new(QUIC_client_method()); +#else ctx = SSL_CTX_new(TLS_client_method()); +#endif if (ctx == NULL) return NULL; 
@@ -71,7 +75,11 @@ APP_CONN *new_conn(SSL_CTX *ctx, const char *bare_hostname) SSL_set_connect_state(ssl); /* cannot fail */ +#ifdef USE_QUIC + if (BIO_new_dgram_pair(&internal_bio, 0, &net_bio, 0) <= 0) { +#else if (BIO_new_bio_pair(&internal_bio, 0, &net_bio, 0) <= 0) { +#endif SSL_free(ssl); free(conn); return NULL; @@ -168,7 +176,11 @@ int rx(APP_CONN *conn, void *buf, int buf_len) /* * Called to get data which has been enqueued for transmission to the network - * by OpenSSL. + * by OpenSSL. For QUIC, this always outputs a single frame. + * + * IMPORTANT (QUIC): If buf_len is inadequate to hold the frame, it is truncated + * (similar to read(2)). A buffer size of at least 1472 must be used by default + * to guarantee this does not occur. */ int read_net_tx(APP_CONN *conn, void *buf, int buf_len) { @@ -177,6 +189,9 @@ int read_net_tx(APP_CONN *conn, void *buf, int buf_len) /* * Called to feed data which has been received from the network to OpenSSL. + * + * QUIC: buf must contain the entirety of a single frame. It will be consumed + * entirely (return value == buf_len) or not at all. */ int write_net_rx(APP_CONN *conn, const void *buf, int buf_len) { @@ -215,7 +230,11 @@ size_t net_tx_avail(APP_CONN *conn) */ int get_conn_pending_tx(APP_CONN *conn) { +#ifdef USE_QUIC + return POLLIN | POLLOUT | POLLERR; +#else return (conn->tx_need_rx ? POLLIN : 0) | POLLOUT | POLLERR; +#endif } int get_conn_pending_rx(APP_CONN *conn) @@ -259,7 +278,7 @@ void teardown_ctx(SSL_CTX *ctx) static int pump(APP_CONN *conn, int fd, int events, int timeout) { int l, l2; - char buf[2048]; + char buf[2048]; /* QUIC: would need to be changed if < 1472 */ size_t wspace; struct pollfd pfd = {0}; @@ -350,7 +369,11 @@ int main(int argc, char **argv) signal(SIGPIPE, SIG_IGN); +#ifdef USE_QUIC + fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); +#else fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); +#endif if (fd < 0) { fprintf(stderr, "cannot create socket\n"); goto fail; 
From 47eceab67aef371c00504354939f7b5aff211c60 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Wed, 9 Aug 2023 17:46:34 +0100 Subject: [PATCH 069/324] QUIC DDD: ddd-05-mem-nonblocking: Unplanned changes Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21715) --- doc/designs/ddd/ddd-05-mem-nonblocking.c | 25 +++++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/doc/designs/ddd/ddd-05-mem-nonblocking.c b/doc/designs/ddd/ddd-05-mem-nonblocking.c index 527f735bfcfa7..821e3fecba7a2 100644 --- a/doc/designs/ddd/ddd-05-mem-nonblocking.c +++ b/doc/designs/ddd/ddd-05-mem-nonblocking.c @@ -32,7 +32,7 @@ SSL_CTX *create_ssl_ctx(void) SSL_CTX *ctx; #ifdef USE_QUIC - ctx = SSL_CTX_new(QUIC_client_method()); + ctx = SSL_CTX_new(OSSL_QUIC_client_method()); #else ctx = SSL_CTX_new(TLS_client_method()); #endif @@ -62,6 +62,9 @@ APP_CONN *new_conn(SSL_CTX *ctx, const char *bare_hostname) BIO *ssl_bio, *internal_bio, *net_bio; APP_CONN *conn; SSL *ssl; +#ifdef USE_QUIC + static const unsigned char alpn[] = {5, 'd', 'u', 'm', 'm', 'y'}; +#endif conn = calloc(1, sizeof(APP_CONN)); if (conn == NULL) @@ -76,7 +79,7 @@ APP_CONN *new_conn(SSL_CTX *ctx, const char *bare_hostname) SSL_set_connect_state(ssl); /* cannot fail */ #ifdef USE_QUIC - if (BIO_new_dgram_pair(&internal_bio, 0, &net_bio, 0) <= 0) { + if (BIO_new_bio_dgram_pair(&internal_bio, 0, &net_bio, 0) <= 0) { #else if (BIO_new_bio_pair(&internal_bio, 0, &net_bio, 0) <= 0) { #endif @@ -112,6 +115,16 @@ APP_CONN *new_conn(SSL_CTX *ctx, const char *bare_hostname) return NULL; } +#ifdef USE_QUIC + /* Configure ALPN, which is required for QUIC. */ + if (SSL_set_alpn_protos(ssl, alpn, sizeof(alpn))) { + /* Note: SSL_set_alpn_protos returns 1 for failure. */ + SSL_free(ssl); + BIO_free(ssl_bio); + return NULL; + } +#endif + conn->ssl_bio = ssl_bio; conn->net_bio = net_bio; return conn; 
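Review bot: The ALPN failure path in new_conn() frees `ssl` and `ssl_bio` separately and never frees `conn`, whereas the `BIO_new_bio_dgram_pair()` failure path above it does `SSL_free(ssl); free(conn); return NULL;`. If `ssl_bio` already owns `ssl` at this point (the `BIO_set_ssl()` call and its close flag are outside the hunk, so this needs confirming), `SSL_free(ssl)` followed by `BIO_free(ssl_bio)` releases the SSL object twice; in that case the path should drop the `SSL_free(ssl)` and become `BIO_free(ssl_bio); free(conn); return NULL;`. As far as the hunk shows, `net_bio` is also still allocated here and is not released.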
@@ -231,7 +244,9 @@ size_t net_tx_avail(APP_CONN *conn) int get_conn_pending_tx(APP_CONN *conn) { #ifdef USE_QUIC - return POLLIN | POLLOUT | POLLERR; + return (SSL_net_read_desired(conn->ssl) ? POLLIN : 0) + | (SSL_net_write_desired(conn->ssl) ? POLLOUT : 0) + | POLLERR; #else return (conn->tx_need_rx ? POLLIN : 0) | POLLOUT | POLLERR; #endif @@ -239,7 +254,11 @@ int get_conn_pending_tx(APP_CONN *conn) int get_conn_pending_rx(APP_CONN *conn) { +#ifdef USE_QUIC + return get_conn_pending_tx(conn); +#else return (conn->rx_need_tx ? POLLOUT : 0) | POLLIN | POLLERR; +#endif } /* From 5e73999803a90126386c78eb68164192ca0d76ce Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Wed, 9 Aug 2023 17:46:34 +0100 Subject: [PATCH 070/324] QUIC DDD: ddd-06-mem-uv: Planned changes Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21715) --- doc/designs/ddd/ddd-06-mem-uv.c | 98 +++++++++++++++++++++++++++++++++ 1 file changed, 98 insertions(+) diff --git a/doc/designs/ddd/ddd-06-mem-uv.c b/doc/designs/ddd/ddd-06-mem-uv.c index 59184399ea213..d228b7ad97218 100644 --- a/doc/designs/ddd/ddd-06-mem-uv.c +++ b/doc/designs/ddd/ddd-06-mem-uv.c @@ -11,7 +11,11 @@ typedef void (app_connect_cb)(APP_CONN *conn, int status, void *arg); typedef void (app_write_cb)(APP_CONN *conn, int status, void *arg); typedef void (app_read_cb)(APP_CONN *conn, void *buf, size_t buf_len, void *arg); +#ifdef USE_QUIC +static void set_timer(APP_CONN *conn); +#else static void tcp_connect_done(uv_connect_t *tcp_connect, int status); +#endif static void net_connect_fail_close_done(uv_handle_t *handle); static int handshake_ssl(APP_CONN *conn); static void flush_write_buf(APP_CONN *conn); 
@@ -54,8 +58,13 @@ struct app_conn_st { SSL *ssl; BIO *net_bio; uv_stream_t *stream; +#ifdef USE_QUIC + uv_udp_t udp; + uv_timer_t timer; +#else uv_tcp_t tcp; uv_connect_t tcp_connect; +#endif app_connect_cb *app_connect_cb; /* called once handshake is done */ void *app_connect_arg; app_read_cb *app_read_cb; /* application's on-RX callback */ @@ -77,7 +86,11 @@ SSL_CTX *create_ssl_ctx(void) { SSL_CTX *ctx; +#ifdef USE_QUIC + ctx = SSL_CTX_new(QUIC_client_method()); +#else ctx = SSL_CTX_new(TLS_client_method()); +#endif if (ctx == NULL) return NULL; @@ -112,21 +125,47 @@ APP_CONN *new_conn(SSL_CTX *ctx, const char *hostname, if (!conn) return NULL; +#ifdef USE_QUIC + uv_udp_init(uv_default_loop(), &conn->udp); + conn->udp.data = conn; + + uv_timer_init(uv_default_loop(), &conn->timer); + conn->timer.data = conn; +#else uv_tcp_init(uv_default_loop(), &conn->tcp); conn->tcp.data = conn; conn->stream = (uv_stream_t *)&conn->tcp; +#endif + conn->app_connect_cb = cb; conn->app_connect_arg = arg; +#ifdef USE_QUIC + rc = uv_udp_connect(&conn->udp, sa); +#else conn->tcp_connect.data = conn; rc = uv_tcp_connect(&conn->tcp_connect, &conn->tcp, sa, tcp_connect_done); +#endif if (rc < 0) { +#ifdef USE_QUIC + uv_close((uv_handle_t *)&conn->udp, net_connect_fail_close_done); +#else uv_close((uv_handle_t *)&conn->tcp, net_connect_fail_close_done); +#endif return NULL; } conn->ctx = ctx; conn->hostname = hostname; + +#ifdef USE_QUIC + rc = setup_ssl(conn, hostname); + if (rc < 0) { + uv_close((uv_handle_t *)&conn->udp, net_connect_fail_close_done); + return NULL; + } +#endif + return conn; } 
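Review bot: Both QUIC failure paths in new_conn() close only `conn->udp`, but `uv_timer_init()` has already registered `conn->timer` with the loop, and `net_connect_fail_close_done()` ends in `free(conn)`. The loop is then left holding a timer handle that lives inside freed memory. For the `uv_udp_connect()` failure it is enough to move the `uv_timer_init()` call and the `conn->timer.data = conn;` assignment below that check. For the `setup_ssl()` failure the timer has to be closed with `uv_close()` as well, and `conn` freed only after both close callbacks have run, the way teardown_continued() counts to 2.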
@@ -167,13 +206,22 @@ void teardown(APP_CONN *conn) BIO_free_all(conn->net_bio); SSL_free(conn->ssl); +#ifndef USE_QUIC uv_cancel((uv_req_t *)&conn->tcp_connect); +#endif conn->teardown_done = &teardown_done; uv_close((uv_handle_t *)conn->stream, teardown_continued); +#ifdef USE_QUIC + uv_close((uv_handle_t *)&conn->timer, teardown_continued); +#endif /* Just wait synchronously until teardown completes. */ +#ifdef USE_QUIC + while (teardown_done < 2) +#else while (!teardown_done) +#endif uv_run(uv_default_loop(), UV_RUN_DEFAULT); } @@ -218,6 +266,11 @@ static void dequeue_upper_write_op(APP_CONN *conn) static void net_read_alloc(uv_handle_t *handle, size_t suggested_size, uv_buf_t *buf) { +#ifdef USE_QUIC + if (suggested_size < 1472) + suggested_size = 1472; +#endif + buf->base = malloc(suggested_size); buf->len = suggested_size; } @@ -313,7 +366,11 @@ static void net_read_done(uv_stream_t *stream, ssize_t nr, const uv_buf_t *buf) static void set_rx(APP_CONN *conn) { +#ifdef USE_QUIC + if (!conn->closed) +#else if (!conn->closed && (conn->app_read_cb || (!conn->done_handshake && conn->init_handshake) || conn->pending_upper_write_head != NULL)) +#endif uv_read_start(conn->stream, net_read_alloc, net_read_done); else uv_read_stop(conn->stream); @@ -372,6 +429,9 @@ static void flush_write_buf(APP_CONN *conn) static void handshake_done_ssl(APP_CONN *conn) { +#ifdef USE_QUIC + set_timer(conn); +#endif conn->app_connect_cb(conn, 0, conn->app_connect_arg); } @@ -411,10 +471,17 @@ static int setup_ssl(APP_CONN *conn, const char *hostname) SSL_set_connect_state(ssl); +#ifdef USE_QUIC + if (BIO_new_dgram_pair(&internal_bio, 0, &net_bio, 0) <= 0) { + SSL_free(ssl); + return -1; + } +#else if (BIO_new_bio_pair(&internal_bio, 0, &net_bio, 0) <= 0) { SSL_free(ssl); return -1; } +#endif SSL_set_bio(ssl, internal_bio, internal_bio); 
@@ -433,6 +500,7 @@ static int setup_ssl(APP_CONN *conn, const char *hostname) return handshake_ssl(conn); } +#ifndef USE_QUIC static void tcp_connect_done(uv_connect_t *tcp_connect, int status) { int rc; @@ -450,6 +518,7 @@ static void tcp_connect_done(uv_connect_t *tcp_connect, int status) return; } } +#endif static void net_connect_fail_close_done(uv_handle_t *handle) { @@ -458,6 +527,28 @@ static void net_connect_fail_close_done(uv_handle_t *handle) free(conn); } +#ifdef USE_QUIC + +static void timer_done(uv_timer_t *timer) +{ + APP_CONN *conn = (APP_CONN *)timer->data; + + SSL_pump(conn->ssl); + handle_pending_writes(conn); + flush_write_buf(conn); + set_rx(conn); + set_timer(conn); /* repeat timer */ +} + +static void set_timer(APP_CONN *conn) +{ + int ms = SSL_get_timeout(conn->ssl); + if (ms > 0) + uv_timer_start(&conn->timer, timer_done, ms, 0); +} + +#endif + static int try_write(APP_CONN *conn, UPPER_WRITE_OP *op) { int rc, rcx; @@ -511,13 +602,20 @@ static void teardown_continued(uv_handle_t *handle) UPPER_WRITE_OP *op, *next_op; char *teardown_done = conn->teardown_done; +#ifdef USE_QUIC + if (++*teardown_done < 2) + return; +#endif + for (op=conn->pending_upper_write_head; op; op=next_op) { next_op = op->next; free(op); } free(conn); +#ifndef USE_QUIC *teardown_done = 1; +#endif } /* From 74d588ca1581924e51e9bc72d26d372cdcd269f2 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Wed, 9 Aug 2023 17:46:34 +0100 Subject: [PATCH 071/324] QUIC DDD: ddd-06-mem-uv: Unplanned changes Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21715) --- doc/designs/ddd/ddd-06-mem-uv.c | 64 +++++++++++++++++++++++++++++---- 1 file changed, 57 insertions(+), 7 deletions(-) diff --git a/doc/designs/ddd/ddd-06-mem-uv.c b/doc/designs/ddd/ddd-06-mem-uv.c index d228b7ad97218..20699501c8de1 100644 --- a/doc/designs/ddd/ddd-06-mem-uv.c +++ b/doc/designs/ddd/ddd-06-mem-uv.c 
@@ -2,6 +2,9 @@ #include #include #include +#ifdef USE_QUIC +# include +#endif typedef struct app_conn_st APP_CONN; typedef struct upper_write_op_st UPPER_WRITE_OP; @@ -26,6 +29,13 @@ static int write_deferred(APP_CONN *conn, const void *buf, size_t buf_len, app_w static void teardown_continued(uv_handle_t *handle); static int setup_ssl(APP_CONN *conn, const char *hostname); +#ifdef USE_QUIC +static inline int timeval_to_ms(const struct timeval *t) +{ + return t->tv_sec*1000 + t->tv_usec/1000; +} +#endif + /* * Structure to track an application-level write request. Only created * if SSL_write does not accept the data immediately, typically because @@ -44,7 +54,11 @@ struct upper_write_op_st { * Structure to track a network-level write request. */ struct lower_write_op_st { +#ifdef USE_QUIC + uv_udp_send_t w; +#else uv_write_t w; +#endif uv_buf_t b; uint8_t *buf; APP_CONN *conn; @@ -57,11 +71,11 @@ struct app_conn_st { SSL_CTX *ctx; SSL *ssl; BIO *net_bio; - uv_stream_t *stream; #ifdef USE_QUIC uv_udp_t udp; uv_timer_t timer; #else + uv_stream_t *stream; uv_tcp_t tcp; uv_connect_t tcp_connect; #endif @@ -87,7 +101,7 @@ SSL_CTX *create_ssl_ctx(void) SSL_CTX *ctx; #ifdef USE_QUIC - ctx = SSL_CTX_new(QUIC_client_method()); + ctx = SSL_CTX_new(OSSL_QUIC_client_method()); #else ctx = SSL_CTX_new(TLS_client_method()); #endif @@ -211,9 +225,11 @@ void teardown(APP_CONN *conn) #endif conn->teardown_done = &teardown_done; - uv_close((uv_handle_t *)conn->stream, teardown_continued); #ifdef USE_QUIC + uv_close((uv_handle_t *)&conn->udp, teardown_continued); uv_close((uv_handle_t *)&conn->timer, teardown_continued); +#else + uv_close((uv_handle_t *)conn->stream, teardown_continued); #endif /* Just wait synchronously until teardown completes. */ 
@@ -331,7 +347,12 @@ static void handle_pending_writes(APP_CONN *conn) set_rx(conn); } +#ifdef USE_QUIC +static void net_read_done(uv_udp_t *stream, ssize_t nr, const uv_buf_t *buf, + const struct sockaddr *addr, unsigned int flags) +#else static void net_read_done(uv_stream_t *stream, ssize_t nr, const uv_buf_t *buf) +#endif { int rc; APP_CONN *conn = (APP_CONN *)stream->data; @@ -368,15 +389,22 @@ static void set_rx(APP_CONN *conn) { #ifdef USE_QUIC if (!conn->closed) + uv_udp_recv_start(&conn->udp, net_read_alloc, net_read_done); + else + uv_udp_recv_stop(&conn->udp); #else if (!conn->closed && (conn->app_read_cb || (!conn->done_handshake && conn->init_handshake) || conn->pending_upper_write_head != NULL)) -#endif uv_read_start(conn->stream, net_read_alloc, net_read_done); else uv_read_stop(conn->stream); +#endif } +#ifdef USE_QUIC +static void net_write_done(uv_udp_send_t *req, int status) +#else static void net_write_done(uv_write_t *req, int status) +#endif { LOWER_WRITE_OP *op = (LOWER_WRITE_OP *)req->data; APP_CONN *conn = op->conn; @@ -418,7 +446,11 @@ static void flush_write_buf(APP_CONN *conn) op->b.base = (char *)buf; op->b.len = rd; +#ifdef USE_QUIC + rc = uv_udp_send(&op->w, &conn->udp, &op->b, 1, NULL, net_write_done); +#else rc = uv_write(&op->w, conn->stream, &op->b, 1, net_write_done); +#endif if (rc < 0) { free(buf); free(op); @@ -464,6 +496,9 @@ static int setup_ssl(APP_CONN *conn, const char *hostname) { BIO *internal_bio = NULL, *net_bio = NULL; SSL *ssl = NULL; +#ifdef USE_QUIC + static const unsigned char alpn[] = {5, 'd', 'u', 'm', 'm', 'y'}; +#endif ssl = SSL_new(conn->ctx); if (!ssl) @@ -472,7 +507,7 @@ static int setup_ssl(APP_CONN *conn, const char *hostname) SSL_set_connect_state(ssl); #ifdef USE_QUIC - if (BIO_new_dgram_pair(&internal_bio, 0, &net_bio, 0) <= 0) { + if (BIO_new_bio_dgram_pair(&internal_bio, 0, &net_bio, 0) <= 0) { SSL_free(ssl); return -1; } 
@@ -495,6 +530,15 @@ static int setup_ssl(APP_CONN *conn, const char *hostname) return -1; } +#ifdef USE_QUIC + /* Configure ALPN, which is required for QUIC. */ + if (SSL_set_alpn_protos(ssl, alpn, sizeof(alpn))) { + /* Note: SSL_set_alpn_protos returns 1 for failure. */ + SSL_free(ssl); + return -1; + } +#endif + conn->net_bio = net_bio; conn->ssl = ssl; return handshake_ssl(conn); @@ -533,7 +577,7 @@ static void timer_done(uv_timer_t *timer) { APP_CONN *conn = (APP_CONN *)timer->data; - SSL_pump(conn->ssl); + SSL_handle_events(conn->ssl); handle_pending_writes(conn); flush_write_buf(conn); set_rx(conn); @@ -542,7 +586,13 @@ static void timer_done(uv_timer_t *timer) static void set_timer(APP_CONN *conn) { - int ms = SSL_get_timeout(conn->ssl); + struct timeval tv; + int ms, is_infinite; + + if (!SSL_get_event_timeout(conn->ssl, &tv, &is_infinite)) + return; + + ms = is_infinite ? -1 : timeval_to_ms(&tv); if (ms > 0) uv_timer_start(&conn->timer, timer_done, ms, 0); } From 1ed2d7929a3f3fe86242116b0bc1366d36c3782d Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Wed, 9 Aug 2023 17:46:34 +0100 Subject: [PATCH 072/324] QUIC DDD: ddd-02-conn-nonblocking-threads: Planned changes Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21715) --- doc/designs/ddd/ddd-02-conn-nonblocking-threads.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/doc/designs/ddd/ddd-02-conn-nonblocking-threads.c b/doc/designs/ddd/ddd-02-conn-nonblocking-threads.c index 30e7e33f1a1e1..2f154138ed458 100644 --- a/doc/designs/ddd/ddd-02-conn-nonblocking-threads.c +++ b/doc/designs/ddd/ddd-02-conn-nonblocking-threads.c @@ -32,7 +32,11 @@ SSL_CTX *create_ssl_ctx(void) { SSL_CTX *ctx; +#ifdef USE_QUIC + ctx = SSL_CTX_new(QUIC_client_thread_method()); +#else ctx = SSL_CTX_new(TLS_client_method()); +#endif if (ctx == NULL) return NULL; 
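Review bot: set_timer() arms the timer only when `ms > 0`, so a timeout of zero leaves no timer running, and zero is also what `timeval_to_ms()` yields for anything under a millisecond. As far as these hunks show, set_timer() is called only from handshake_done_ssl() and timer_done(), so once that happens `SSL_handle_events()` is not driven by the timer again. A due-now timeout is the case where it should run promptly, so I would use `if (ms >= 0)` (libuv accepts a 0 timeout) and round the conversion up. The bare `return` when `SSL_get_event_timeout()` fails also stops the timer chain silently and deserves at least a comment.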
@@ -170,7 +174,11 @@ int rx(APP_CONN *conn, void *buf, int buf_len) */ int get_conn_fd(APP_CONN *conn) { +#ifdef USE_QUIC + return BIO_get_poll_fd(conn->ssl_bio, NULL); +#else return BIO_get_fd(conn->ssl_bio, NULL); +#endif } /* @@ -188,7 +196,11 @@ int get_conn_fd(APP_CONN *conn) */ int get_conn_pending_tx(APP_CONN *conn) { +#ifdef USE_QUIC + return POLLIN | POLLOUT | POLLERR; +#else return (conn->tx_need_rx ? POLLIN : 0) | POLLOUT | POLLERR; +#endif } int get_conn_pending_rx(APP_CONN *conn) From c276217e4bc9db08f0741882af837355f50c18ab Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Wed, 9 Aug 2023 17:46:34 +0100 Subject: [PATCH 073/324] QUIC DDD: ddd-02-conn-nonblocking-threads: Unplanned changes Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21715) --- .../ddd/ddd-02-conn-nonblocking-threads.c | 29 +++++++++++++++++-- 1 file changed, 26 insertions(+), 3 deletions(-) diff --git a/doc/designs/ddd/ddd-02-conn-nonblocking-threads.c b/doc/designs/ddd/ddd-02-conn-nonblocking-threads.c index 2f154138ed458..892c36f1ce5ec 100644 --- a/doc/designs/ddd/ddd-02-conn-nonblocking-threads.c +++ b/doc/designs/ddd/ddd-02-conn-nonblocking-threads.c @@ -33,7 +33,7 @@ SSL_CTX *create_ssl_ctx(void) SSL_CTX *ctx; #ifdef USE_QUIC - ctx = SSL_CTX_new(QUIC_client_thread_method()); + ctx = SSL_CTX_new(OSSL_QUIC_client_thread_method()); #else ctx = SSL_CTX_new(TLS_client_method()); #endif @@ -64,6 +64,9 @@ APP_CONN *new_conn(SSL_CTX *ctx, const char *hostname) BIO *out, *buf; SSL *ssl = NULL; const char *bare_hostname; +#ifdef USE_QUIC + static const unsigned char alpn[] = {5, 'd', 'u', 'm', 'm', 'y'}; +#endif conn = calloc(1, sizeof(APP_CONN)); if (conn == NULL) 
@@ -111,6 +114,15 @@ APP_CONN *new_conn(SSL_CTX *ctx, const char *hostname) return NULL; } +#ifdef USE_QUIC + /* Configure ALPN, which is required for QUIC. */ + if (SSL_set_alpn_protos(ssl, alpn, sizeof(alpn))) { + /* Note: SSL_set_alpn_protos returns 1 for failure. */ + BIO_free_all(out); + return NULL; + } +#endif + /* Make the BIO nonblocking. */ BIO_set_nbio(out, 1); @@ -175,7 +187,12 @@ int rx(APP_CONN *conn, void *buf, int buf_len) int get_conn_fd(APP_CONN *conn) { #ifdef USE_QUIC - return BIO_get_poll_fd(conn->ssl_bio, NULL); + BIO_POLL_DESCRIPTOR d; + + if (!BIO_get_rpoll_descriptor(conn->ssl_bio, &d)) + return -1; + + return d.value.fd; #else return BIO_get_fd(conn->ssl_bio, NULL); #endif @@ -197,7 +214,9 @@ int get_conn_fd(APP_CONN *conn) int get_conn_pending_tx(APP_CONN *conn) { #ifdef USE_QUIC - return POLLIN | POLLOUT | POLLERR; + return (SSL_net_read_desired(conn->ssl) ? POLLIN : 0) + | (SSL_net_write_desired(conn->ssl) ? POLLOUT : 0) + | POLLERR; #else return (conn->tx_need_rx ? POLLIN : 0) | POLLOUT | POLLERR; #endif @@ -205,7 +224,11 @@ int get_conn_pending_tx(APP_CONN *conn) int get_conn_pending_rx(APP_CONN *conn) { +#ifdef USE_QUIC + return get_conn_pending_tx(conn); +#else return (conn->rx_need_tx ? POLLOUT : 0) | POLLIN | POLLERR; +#endif } /* From 277880e754c5a19cc456165560344204373a6b40 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Wed, 9 Aug 2023 17:46:34 +0100 Subject: [PATCH 074/324] QUIC DDD: Final report Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21715) --- doc/designs/ddd/README.md | 3 + doc/designs/ddd/REPORT.md | 340 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 343 insertions(+) create mode 100644 doc/designs/ddd/REPORT.md diff --git a/doc/designs/ddd/README.md b/doc/designs/ddd/README.md index 99d3832bfc30d..3f430de24a0e7 100644 --- a/doc/designs/ddd/README.md +++ b/doc/designs/ddd/README.md 
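Review bot: The ALPN failure path added to new_conn returns NULL after `BIO_free_all(out);` without releasing `conn`, which the function allocated with `calloc` earlier (visible in the preceding hunk), so each failure leaks one APP_CONN. Adding `free(conn);` before `return NULL;` fixes it. The error return visible just above this block may need the same line; only its tail is shown. new_conn starts and ends outside the hunk.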
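Review bot: get_conn_fd returns `d.value.fd` without checking which kind of descriptor BIO_get_rpoll_descriptor filled in; BIO_POLL_DESCRIPTOR is a tagged union and `value.fd` is only meaningful for the socket-fd type. I would extend the guard to `if (!BIO_get_rpoll_descriptor(conn->ssl_bio, &d) || d.type != BIO_POLL_DESCRIPTOR_TYPE_SOCK_FD) return -1;` so a BIO that reports no descriptor or a custom one never hands an arbitrary integer to poll(2). Only the read-side descriptor is queried here; a comment saying the demo assumes the read and write descriptors are the same socket would help.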
@@ -50,6 +50,9 @@ certificates or other TLS functionality, the use of QUIC is unlikely to have implications for these APIs and demos demonstrating such functionality are therefore out of scope. +[A report is available](REPORT.md) on the results of the DDD process following +the completion of the development of the QUIC MVP. + Background ---------- diff --git a/doc/designs/ddd/REPORT.md b/doc/designs/ddd/REPORT.md new file mode 100644 index 0000000000000..ce742507cee8c --- /dev/null +++ b/doc/designs/ddd/REPORT.md 
@@ -0,0 +1,340 @@ +Report on the Conclusions of the QUIC DDD Process +================================================= + +The [QUIC Demo-Driven Design process](README.md) was undertaken to meet the OMC +requirement to develop a QUIC API that required only minimal changes to existing +applications to be able to adapt their code to use QUIC. The demo-driven design +process developed a set of representative demos modelling a variety of common +OpenSSL usage patterns based on analysis of a broad spectrum of open source +software projects using OpenSSL. + +As part of this process, a set of proposed diffs were produced. These proposed +diffs were the expected changes which would be needed to the baseline demos to +support QUIC based on theoretical analysis of the minimum requirements to be +able to support QUIC. This analysis concluded that the changes needed to +applications could be kept very small in many circumstances, with only minimal +diff sizes to the baseline demos. + +Following the development of QUIC MVP, these demos have been revisited and the +correspondence of our actual final API and usage patterns with the planned diffs +have been reviewed. + +This document discusses the planned changes and the actual changes for each demo +and draws conclusions on the level of disparity. + +Since tracking a set of diffs separately is unwieldy, both the planned and +unplanned changes have been folded into the original baseline demo files guarded +with `#ifdef USE_QUIC`. Viewing these files therefore is informative to +application writers as it provides a clear view of what is different when using +QUIC. (The originally planned changes, and the final changes, are added in +separate, clearly-labelled commits; to view the originally planned changes only, +view the commit history for a given demo file.) + +ddd-01-conn-blocking +-------------------- + +This demo exists to demonstrate the simplest possible usage of OpenSSL, whether +with TLS or QUIC. 
+ +### Originally planned changes + +The originally planned change to enable applications for QUIC amounted to just a +single line: + +```diff ++ ctx = SSL_CTX_new(QUIC_client_method()); +- ctx = SSL_CTX_new(TLS_client_method()); +``` + +### Actual changes + +The following additional changes needed to be made: + +- `QUIC_client_method` was renamed to `OSSL_QUIC_client_method` for namespacing + reasons. + +- A call to `SSL_set_alpn_protos` to configure ALPN was added. This is necessary + because QUIC mandates the use of ALPN, and this was not noted during the + DDD process. + +ddd-02-conn-nonblocking +----------------------- + +This demo exists to demonstrate simple non-blocking usage. As with +ddd-01-conn-blocking, the name resolution process is managed by `BIO_s_connect`. + +It also arbitrarily adds a `BIO_f_buffer` pushed onto the BIO stack +as this is a common application usage pattern. + +### Originally planned changes + +The originally planned changes to enable applications for QUIC amounted to: + +- Change of method (as for ddd-01-conn-blocking); + +- Use of a `BIO_f_dgram_buffer` BIO method instead of a `BIO_f_buffer`; + +- Use of a `BIO_get_poll_fd` function to get the FD to poll rather than + `BIO_get_fd`; + +- A change to how the `POLLIN`/`POLLOUT`/`POLLERR` flags to pass to poll(2) + need to be determined. + +- Additional functions in application code to determine event handling + timeouts related to QUIC (`get_conn_pump_timeout`) and to pump + the QUIC event loop (`pump`). + +- Timeout computation code which involves merging and comparing different + timeouts and calling `pump` as needed, based on deadlines reported + by libssl. + +Note that some of these changes are unnecessary when using the thread assisted +mode (see the variant ddd-02-conn-nonblocking-threads below). 
+ +### Actual changes + +The following additional changes needed to be made: + +- Change of method name (as for ddd-01-conn-blocking); + +- Use of ALPN (as for ddd-01-conn-blocking); + +- The strategy for how to expose pollable OS resource handles + to applications to determine I/O readiness has changed substantially since the + original DDD process. As such, applications now use `BIO_get_rpoll_descriptor` + and `BIO_get_wpoll_descriptor` to determine I/O readiness, rather than the + originally hypothesised `SSL_get_poll_fd`. + +- The strategy for how to determine when to poll for `POLLIN`, when to + poll for `POLLOUT`, etc. has changed since the original DDD process. + This information is now exposed via `SSL_net_read_desired` and + `SSL_net_write_desired`. + +- The API to expose the event handling deadline for the QUIC engine + has evolved since the original DDD process. The new API + `SSL_get_event_timeout` is used, rather than the originally hypothesised + `BIO_get_timeout`/`SSL_get_timeout`. + +- The API to perform QUIC event processing has been renamed to be + more descriptive. It is now called `SSL_handle_events` rather than + the originally hypothesised `BIO_pump`/`SSL_pump`. + +The following changes were foreseen to be necessary, but turned out to actually +not be necessary: + +- The need to change code which pushes a `BIO_f_buffer()` after a SSL BIO + was foreseen as use of buffering on the network side is unworkable with + QUIC. This turned out not to be necessary since we can just reject the + BIO_push() call. The buffer should still be freed eventually when the + SSL BIO is freed. The buffer is not used and is unnecessary, so it is + still desirable for applications to remove this code. + +ddd-02-conn-nonblocking-threads +------------------------------- + +This is a variant of the ddd-02-conn-nonblocking demo. The base is the same, but +the changes made are different. 
The use of thread-assisted mode, in which an +internal assist thread is used to perform QUIC event handling, enables an +application to make fewer changes than are needed in the ddd-02-conn-nonblocking +demo. + +### Originally planned changes + +The originally planned changes to enable applications for QUIC amounted to: + +- Change of method, this time using method `QUIC_client_thread_method` rather + than `QUIC_client_method`; + +- Use of a `BIO_get_poll_fd` function to get the FD to poll rather than + `BIO_get_fd`; + +- A change to how the `POLLIN`/`POLLOUT`/`POLLERR` flags to pass to poll(2) + need to be determined. + + Note that this is a subtantially smaller list of changes than for + ddd-02-conn-nonblocking. + +### Actual changes + +The following additional changes needed to be made: + +- Change of method name (`QUIC_client_thread_method` was renamed to + `OSSL_QUIC_client_thread_method` for namespacing reasons); + +- Use of ALPN (as for ddd-01-conn-blocking); + +- Use of `BIO_get_rpoll_descriptor` rather than `BIO_get_poll_fd` (as for + ddd-02-conn-nonblocking). + +- Use of `SSL_net_read_desired` and `SSL_net_write_desired` (as for + ddd-02-conn-nonblocking). + +ddd-03-fd-blocking +------------------ + +This demo is similar to ddd-01-conn-blocking but uses a file descriptor passed +directly by the application rather than BIO_s_connect. + +### Originally planned changes + +- Change of method (as for ddd-01-conn-blocking); + +- The arguments to the `socket(2)` call are changed from `(AF_INET, SOCK_STREAM, + IPPROTO_TCP)` to `(AF_INET, SOCK_DGRAM, IPPROTO_UDP)`. + +### Actual changes + +The following additional changes needed to be made: + +- Change of method name (as for ddd-01-conn-blocking); + +- Use of ALPN (as for ddd-01-conn-blocking). + +ddd-04-fd-nonblocking +--------------------- + +This demo is similar to ddd-01-conn-nonblocking but uses a file descriptor +passed directly by the application rather than BIO_s_connect. 
+ +### Originally planned changes + +- Change of method (as for ddd-01-conn-blocking); + +- The arguments to the `socket(2)` call are changed from `(AF_INET, SOCK_STREAM, + IPPROTO_TCP)` to `(AF_INET, SOCK_DGRAM, IPPROTO_UDP)`; + +- A change to how the `POLLIN`/`POLLOUT`/`POLLERR` flags to pass to poll(2) + need to be determined. + +- Additional functions in application code to determine event handling + timeouts related to QUIC (`get_conn_pump_timeout`) and to pump + the QUIC event loop (`pump`). + +- Timeout computation code which involves merging and comparing different + timeouts and calling `pump` as needed, based on deadlines reported + by libssl. + +### Actual changes + +The following additional changes needed to be made: + +- Change of method name (as for ddd-01-conn-blocking); + +- Use of ALPN (as for ddd-01-conn-blocking); + +- `SSL_get_timeout` replaced with `SSL_get_event_timeout` (as for + ddd-02-conn-nonblocking); + +- `SSL_pump` renamed to `SSL_handle_events` (as for ddd-02-conn-nonblocking); + +- The strategy for how to determine when to poll for `POLLIN`, when to + poll for `POLLOUT`, etc. has changed since the original DDD process. + This information is now exposed via `SSL_net_read_desired` and + `SSL_net_write_desired` (as for ddd-02-conn-nonblocking). + +ddd-05-mem-nonblocking +---------------------- + +This demo is more elaborate. It uses memory buffers created and managed by an +application as an intermediary between libssl and the network, which is a common +usage pattern for applications. Managing this pattern for QUIC is more elaborate +since datagram semantics on the network channel need to be maintained. + +### Originally planned changes + +- Change of method (as for ddd-01-conn-blocking); + +- Call to `BIO_new_bio_pair` is changed to `BIO_new_dgram_pair`, which + provides a bidirectional memory buffer BIO with datagram semantics. + +- A change to how the `POLLIN`/`POLLOUT`/`POLLERR` flags to pass to poll(2) + need to be determined. 
+ +- Potential changes to buffer sizes used by applications to buffer + datagrams, if those buffers are smaller than 1472 bytes. + +- The arguments to the `socket(2)` call are changed from `(AF_INET, SOCK_STREAM, + IPPROTO_TCP)` to `(AF_INET, SOCK_DGRAM, IPPROTO_UDP)`; + +### Actual changes + +The following additional changes needed to be made: + +- Change of method name (as for ddd-01-conn-blocking); + +- Use of ALPN (as for ddd-01-conn-blocking); + +- The API to construct a `BIO_s_dgram_pair` ended up being named + `BIO_new_bio_dgram_pair` rather than `BIO_new_dgram_pair`; + +- Use of `SSL_net_read_desired` and `SSL_net_write_desired` (as for + ddd-02-conn-nonblocking). + +ddd-06-mem-uv +------------- + +This demo is the most elaborate of the set. It uses a real-world asynchronous +I/O reactor, namely libuv (the engine used by Node.js). In doing so it seeks to +demonstrate and prove the viability of our API design with a real-world +asynchronous I/O system. It operates wholly in non-blocking mode and uses memory +buffers on either side of the QUIC stack to feed data to and from the +application and the network. + +### Originally planned changes + +- Change of method (as for ddd-01-conn-blocking); + +- Various changes to use of libuv needed to switch to using UDP; + +- Additional use of libuv to configure a timer event; + +- Call to `BIO_new_bio_pair` is changed to `BIO_new_dgram_pair` + (as for ddd-05-mem-nonblocking); + +- Some reordering of code required by the design of libuv. 
+ +### Actual changes + +The following additional changes needed to be made: + +- Change of method name (as for ddd-01-conn-blocking); + +- Use of ALPN (as for ddd-01-conn-blocking); + +- `BIO_new_dgram_pair` renamed to `BIO_new_bio_dgram_pair` (as for + ddd-05-mem-nonblocking); + +- `SSL_get_timeout` replaced with `SSL_get_event_timeout` (as for + ddd-02-conn-nonblocking); + +- `SSL_pump` renamed to `SSL_handle_events` (as for ddd-02-conn-nonblocking); + +- Fixes to use of libuv based on a corrected understanding + of its operation, and changes that necessarily ensue. + +Conclusions +----------- + +The DDD process has successfully delivered on the objective of delivering a QUIC +API which can be used with only minimal API changes. The additional changes on +top of those originally planned which were required to successfully execute the +demos using QUIC were highly limited in scope and mostly constituted only minor +changes. The sum total of the changes required for each demo (both planned and +additional), as denoted in each DDD demo file under `#ifdef USE_QUIC` guards, +are both minimal and limited in scope. + +“Minimal” and “limited” are distinct criteria. If inexorable technical +requirements dictate, an enormous set of changes to an application could be +considered “minimal”. The changes required to representative applications, as +demonstrated by the DDD demos, are not merely minimal but also limited. + +For example, while the extent of these necessary changes varies by the +sophistication of each demo and the kind of application usage pattern it +represents, some demos in particular demonstrate exceptionally small changesets; +for example, ddd-01-conn-blocking and ddd-02-conn-nonblocking-threads, with +ddd-01-conn-blocking literally being enabled by a single line change assuming +ALPN is already configured. 
+ +This report concludes the DDD process for the single-stream QUIC client API +design process, which sought to validate our API design and API ease of use for +existing applications seeking to adopt QUIC. From 3760747ff452fcb3e29190e670073253c5b47d49 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Thu, 10 Aug 2023 19:29:27 +0100 Subject: [PATCH 075/324] Minor fixes Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21715) --- include/openssl/bio.h.in | 6 +++--- ssl/quic/quic_impl.c | 12 +++++------- ssl/quic/quic_local.h | 3 ++- 3 files changed, 10 insertions(+), 11 deletions(-) diff --git a/include/openssl/bio.h.in b/include/openssl/bio.h.in index e797769909e97..e6af3470a5a48 100644 --- a/include/openssl/bio.h.in +++ b/include/openssl/bio.h.in @@ -188,9 +188,9 @@ extern "C" { * # define BIO_CTRL_SET_KTLS_TX_ZEROCOPY_SENDFILE 90 */ -# define BIO_CTRL_GET_RPOLL_DESCRIPTOR 90 -# define BIO_CTRL_GET_WPOLL_DESCRIPTOR 91 -# define BIO_CTRL_DGRAM_DETECT_PEER_ADDR 92 +# define BIO_CTRL_GET_RPOLL_DESCRIPTOR 91 +# define BIO_CTRL_GET_WPOLL_DESCRIPTOR 92 +# define BIO_CTRL_DGRAM_DETECT_PEER_ADDR 93 # define BIO_DGRAM_CAP_NONE 0U # define BIO_DGRAM_CAP_HANDLES_SRC_ADDR (1U << 0) diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c index 49133f0ca7e38..839168040b914 100644 --- a/ssl/quic/quic_impl.c +++ b/ssl/quic/quic_impl.c 
@@ -1565,15 +1565,13 @@ static int quic_do_handshake(QCTX *ctx) if (!qc->started && !qc->addressing_probe_done) { long rcaps = BIO_dgram_get_effective_caps(qc->net_rbio); long wcaps = BIO_dgram_get_effective_caps(qc->net_wbio); - int can_use_addressed = - (wcaps & BIO_DGRAM_CAP_HANDLES_DST_ADDR) != 0 - && (rcaps & BIO_DGRAM_CAP_PROVIDES_SRC_ADDR) != 0; - qc->addressed_mode = can_use_addressed; - qc->addressing_probe_done = 1; + qc->addressed_mode_r = ((rcaps & BIO_DGRAM_CAP_PROVIDES_SRC_ADDR) != 0); + qc->addressed_mode_w = ((wcaps & BIO_DGRAM_CAP_HANDLES_DST_ADDR) != 0); + qc->addressing_probe_done = 1; } - if (!qc->started && qc->addressed_mode + if (!qc->started && qc->addressed_mode_w && BIO_ADDR_family(&qc->init_peer_addr) == AF_UNSPEC) { /* * We are trying to connect and are using addressed mode, which means we @@ -1595,7 +1593,7 @@ static int quic_do_handshake(QCTX *ctx) } if (!qc->started - && qc->addressed_mode + && qc->addressed_mode_w && BIO_ADDR_family(&qc->init_peer_addr) == AF_UNSPEC) { /* * If we still don't have a peer address in addressed mode, we can't do diff --git a/ssl/quic/quic_local.h b/ssl/quic/quic_local.h index aaaab128aa271..f492dc656b902 100644 --- a/ssl/quic/quic_local.h +++ b/ssl/quic/quic_local.h @@ -199,7 +199,8 @@ struct quic_conn_st { unsigned int addressing_probe_done : 1; /* Are we using addressed mode (BIO_sendmmsg with non-NULL peer)? */ - unsigned int addressed_mode : 1; + unsigned int addressed_mode_w : 1; + unsigned int addressed_mode_r : 1; /* Default stream type. Defaults to SSL_DEFAULT_STREAM_MODE_AUTO_BIDI. */ uint32_t default_stream_mode; From 4426c47d662768b0f087c9099b76cabef4c1f540 Mon Sep 17 00:00:00 2001 
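Review bot: In struct quic_conn_st the existing comment, "Are we using addressed mode (BIO_sendmmsg with non-NULL peer)?", now sits above two fields but only describes the send side, leaving `addressed_mode_r` undocumented. I would split it, for example `/* Write side: pass a non-NULL peer to BIO_sendmmsg? */` above `addressed_mode_w` and `/* Read side: does net_rbio provide the source address? */` above `addressed_mode_r`. In the quic_impl.c hunks of this commit only `addressed_mode_w` is consulted; if `addressed_mode_r` is read elsewhere, the comment is the place to say where.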
From: Hugo Landau Date: Thu, 10 Aug 2023 19:49:17 +0100 Subject: [PATCH 076/324] Add manpages Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21715) --- doc/man3/BIO_s_connect.pod | 24 +++++++++++++++++++++++- doc/man3/BIO_s_datagram.pod | 19 +++++++++++++++++-- util/other.syms | 4 ++++ 3 files changed, 44 insertions(+), 3 deletions(-) diff --git a/doc/man3/BIO_s_connect.pod b/doc/man3/BIO_s_connect.pod index 4d07994c23653..0c1106c5234e9 100644 --- a/doc/man3/BIO_s_connect.pod +++ b/doc/man3/BIO_s_connect.pod @@ -7,7 +7,8 @@ BIO_set_conn_hostname, BIO_set_conn_port, BIO_set_conn_address, BIO_set_conn_ip_family, BIO_get_conn_hostname, BIO_get_conn_port, BIO_get_conn_address, BIO_get_conn_ip_family, -BIO_set_nbio, BIO_do_connect - connect BIO +BIO_set_nbio, BIO_set_sock_type, BIO_get_sock_type, BIO_get_dgram_bio, +BIO_do_connect - connect BIO =head1 SYNOPSIS @@ -28,6 +29,10 @@ BIO_set_nbio, BIO_do_connect - connect BIO long BIO_set_nbio(BIO *b, long n); + int BIO_set_sock_type(BIO *b, int sock_type); + int BIO_get_sock_type(BIO *b); + int BIO_get_dgram_bio(BIO *B, BIO **dgram_bio); + long BIO_do_connect(BIO *b); =head1 DESCRIPTION 
@@ -101,6 +106,17 @@ The call BIO_should_retry() should be used for non blocking connect BIOs to determine if the call should be retried. If a connection has already been established this call has no effect. +BIO_set_sock_type() can be used to set a socket type value as would be passed in +a call to socket(2). The only currently supported values are B (the +default) and B. If B is configured, the connection +created is a UDP datagram socket handled via L. +I/O calls such as L and L are forwarded transparently +to an internal L instance. The created L +instance can be retrieved using BIO_get_dgram_bio() if desired, which writes +a pointer to the L instance to I<*dgram_bio>. + +BIO_get_sock_type() retrieves the value set using BIO_set_sock_type(). + =head1 NOTES If blocking I/O is set then a non positive return value from any @@ -161,6 +177,12 @@ BIO_set_nbio() returns 1 or <=0 if an error occurs. BIO_do_connect() returns 1 if the connection was successfully established and <=0 if the connection failed. +BIO_set_sock_type() returns 1 on success or 0 on failure. + +BIO_get_sock_type() returns a socket type or 0 if the call is not supported. + +BIO_get_dgram_bio() returns 1 on success or 0 on failure. + =head1 EXAMPLES This is example connects to a webserver on the local host and attempts diff --git a/doc/man3/BIO_s_datagram.pod b/doc/man3/BIO_s_datagram.pod index 3ff24cc55127c..3045536200fe7 100644 --- a/doc/man3/BIO_s_datagram.pod +++ b/doc/man3/BIO_s_datagram.pod @@ -9,6 +9,7 @@ BIO_dgram_recv_timedout, BIO_dgram_send_timedout, BIO_dgram_get_peer, BIO_dgram_set_peer, +BIO_dgram_detect_peer_addr, BIO_dgram_get_mtu_overhead - Network BIO with datagram semantics =head1 SYNOPSIS 
@@ -25,6 +26,7 @@ BIO_dgram_get_mtu_overhead - Network BIO with datagram semantics int BIO_dgram_get_peer(BIO *bio, BIO_ADDR *peer); int BIO_dgram_set_peer(BIO *bio, const BIO_ADDR *peer); int BIO_dgram_get_mtu_overhead(BIO *bio); + int BIO_dgram_detect_peer_addr(BIO *bio, BIO_ADDR *peer); =head1 DESCRIPTION @@ -144,6 +146,15 @@ hazardous when used with unconnected network sockets; see above. This does not affect the operation of L. L does not affect the value set by BIO_dgram_set_peer(). +=item BIO_dgram_detect_peer_addr (BIO_CTRL_DGRAM_DETECT_PEER_ADDR) + +This is similar to BIO_dgram_get_peer() except that if the peer address has not +been set on the BIO object, an OS call such as getpeername(2) will be attempted +to try and autodetect the peer address to which the underlying socket is +connected. Other BIOs may also implement this control if they are capable of +sensing a peer address, without necessarily also implementing +BIO_dgram_set_peer() and BIO_dgram_get_peer(). + =item BIO_dgram_recv_timeout (BIO_CTRL_DGRAM_GET_RECV_TIMER_EXP) Returns 1 if the last I/O operation performed on the BIO (for example, via a @@ -231,8 +242,12 @@ BIO_s_datagram() returns a BIO method. BIO_new_dgram() returns a BIO on success and NULL on failure. -BIO_ctrl_dgram_connect(), BIO_ctrl_set_connected(), -BIO_dgram_get_peer(), BIO_dgram_set_peer() return 1 on success and 0 on failure. +BIO_ctrl_dgram_connect(), BIO_ctrl_set_connected() and BIO_dgram_set_peer() +return 1 on success and 0 on failure. + +BIO_dgram_get_peer() and BIO_dgram_detect_peer_addr() return 0 on failure and +the number of bytes for the outputted address representation (a positive value) +on success. BIO_dgram_recv_timedout() and BIO_dgram_send_timedout() return 0 or 1 depending on the circumstance; see discussion above. diff --git a/util/other.syms b/util/other.syms index ea48770ea0445..cd1f73468dbd0 100644 --- a/util/other.syms +++ b/util/other.syms 
@@ -168,6 +168,10 @@ BIO_dgram_get_peer define BIO_dgram_set_peer define BIO_dgram_recv_timedout define BIO_dgram_send_timedout define +BIO_dgram_detect_peer_addr define +BIO_get_dgram_bio define +BIO_get_sock_type define +BIO_set_sock_type define BIO_do_accept define BIO_do_connect define BIO_do_handshake define From abeb41b42fa3cdca99d3f3fef48ea6ee04023d68 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Fri, 18 Aug 2023 12:06:10 +0100 Subject: [PATCH 077/324] Minor updates Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21715) --- crypto/bio/bss_conn.c | 19 +++++++++++++------ doc/man3/BIO_s_connect.pod | 12 +++++++----- include/openssl/bio.h.in | 2 +- ssl/quic/quic_impl.c | 2 +- util/other.syms | 2 +- 5 files changed, 23 insertions(+), 14 deletions(-) diff --git a/crypto/bio/bss_conn.c b/crypto/bio/bss_conn.c index 8d29f94bd120f..f09160b3c0c98 100644 --- a/crypto/bio/bss_conn.c +++ b/crypto/bio/bss_conn.c @@ -347,8 +347,7 @@ static int conn_free(BIO *a) return 0; data = (BIO_CONNECT *)a->ptr; - if (data->dgram_bio != NULL) - BIO_free(data->dgram_bio); + BIO_free(data->dgram_bio); if (a->shutdown) { conn_close_socket(a); @@ -372,8 +371,12 @@ static int conn_read(BIO *b, char *out, int outl) return ret; } - if (data->dgram_bio != NULL) - return BIO_read(data->dgram_bio, out, outl); + if (data->dgram_bio != NULL) { + BIO_clear_retry_flags(b); + ret = BIO_read(data->dgram_bio, out, outl); + BIO_set_flags(b, BIO_get_retry_flags(data->dgram_bio)); + return ret; + } if (out != NULL) { clear_socket_error(); @@ -406,8 +409,12 @@ static int conn_write(BIO *b, const char *in, int inl) return ret; } - if (data->dgram_bio != NULL) - return BIO_write(data->dgram_bio, in, inl); + if (data->dgram_bio != NULL) { + BIO_clear_retry_flags(b); + ret = BIO_write(data->dgram_bio, in, inl); + BIO_set_flags(b, BIO_get_retry_flags(data->dgram_bio)); + return ret; + } clear_socket_error(); # ifndef OPENSSL_NO_KTLS 
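Review bot: The retry-flag handling added to conn_read has no comment saying why the flags are copied, and the same four lines are repeated in conn_write in the next hunk. A line such as `/* Mirror the inner datagram BIO's retry state onto b so BIO_should_retry(b) reflects it. */` above `BIO_clear_retry_flags(b);` would explain it. A small static helper that copies the retry flags from `data->dgram_bio` would remove the duplication. Both functions start and end outside their hunks.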
diff --git a/doc/man3/BIO_s_connect.pod b/doc/man3/BIO_s_connect.pod index 0c1106c5234e9..35d67787ffe05 100644 --- a/doc/man3/BIO_s_connect.pod +++ b/doc/man3/BIO_s_connect.pod @@ -7,7 +7,7 @@ BIO_set_conn_hostname, BIO_set_conn_port, BIO_set_conn_address, BIO_set_conn_ip_family, BIO_get_conn_hostname, BIO_get_conn_port, BIO_get_conn_address, BIO_get_conn_ip_family, -BIO_set_nbio, BIO_set_sock_type, BIO_get_sock_type, BIO_get_dgram_bio, +BIO_set_nbio, BIO_set_sock_type, BIO_get_sock_type, BIO_get0_dgram_bio, BIO_do_connect - connect BIO =head1 SYNOPSIS @@ -31,7 +31,7 @@ BIO_do_connect - connect BIO int BIO_set_sock_type(BIO *b, int sock_type); int BIO_get_sock_type(BIO *b); - int BIO_get_dgram_bio(BIO *B, BIO **dgram_bio); + int BIO_get0_dgram_bio(BIO *B, BIO **dgram_bio); long BIO_do_connect(BIO *b); @@ -112,8 +112,10 @@ default) and B. If B is configured, the connection created is a UDP datagram socket handled via L. I/O calls such as L and L are forwarded transparently to an internal L instance. The created L -instance can be retrieved using BIO_get_dgram_bio() if desired, which writes -a pointer to the L instance to I<*dgram_bio>. +instance can be retrieved using BIO_get0_dgram_bio() if desired, which writes +a pointer to the L instance to I<*dgram_bio>. The lifetime +of the internal L is managed by BIO_s_connect() and does not +need to be freed by the caller. BIO_get_sock_type() retrieves the value set using BIO_set_sock_type(). @@ -181,7 +183,7 @@ BIO_set_sock_type() returns 1 on success or 0 on failure. BIO_get_sock_type() returns a socket type or 0 if the call is not supported. -BIO_get_dgram_bio() returns 1 on success or 0 on failure. +BIO_get0_dgram_bio() returns 1 on success or 0 on failure. =head1 EXAMPLES diff --git a/include/openssl/bio.h.in b/include/openssl/bio.h.in index e6af3470a5a48..aa05d7d9cf41b 100644 --- a/include/openssl/bio.h.in +++ b/include/openssl/bio.h.in 
@@ -495,7 +495,7 @@ typedef struct bio_poll_descriptor_st { # define BIO_set_conn_mode(b,n) BIO_ctrl(b,BIO_C_SET_CONNECT_MODE,(n),NULL) # define BIO_set_sock_type(b,t) BIO_ctrl(b,BIO_C_SET_SOCK_TYPE,(t),NULL) # define BIO_get_sock_type(b) BIO_ctrl(b,BIO_C_GET_SOCK_TYPE,0,NULL) -# define BIO_get_dgram_bio(b, p) BIO_ctrl(b,BIO_C_GET_DGRAM_BIO,0,(void *)(BIO **)(p)) +# define BIO_get0_dgram_bio(b, p) BIO_ctrl(b,BIO_C_GET_DGRAM_BIO,0,(void *)(BIO **)(p)) /* BIO_s_accept() */ # define BIO_set_accept_name(b,name) BIO_ctrl(b,BIO_C_SET_ACCEPT,0, \ diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c index 839168040b914..11c8afce8acb1 100644 --- a/ssl/quic/quic_impl.c +++ b/ssl/quic/quic_impl.c @@ -1581,7 +1581,7 @@ static int quic_do_handshake(QCTX *ctx) * We do this as late as possible because some BIOs (e.g. BIO_s_connect) * may not be able to provide us with a peer address until they have * finished their own processing. They may not be able to perform this - * processing until an application has figured configuring that BIO + * processing until an application has finished configuring that BIO * (e.g. with setter calls), which might happen after SSL_set_bio is * called. */ diff --git a/util/other.syms b/util/other.syms index cd1f73468dbd0..4bac4afeaadb0 100644 --- a/util/other.syms +++ b/util/other.syms @@ -169,7 +169,7 @@ BIO_dgram_set_peer define BIO_dgram_recv_timedout define BIO_dgram_send_timedout define BIO_dgram_detect_peer_addr define -BIO_get_dgram_bio define +BIO_get0_dgram_bio define BIO_get_sock_type define BIO_set_sock_type define BIO_do_accept define From 8d7f034622c0235d06f4d6526f71dcab2f71b0c6 Mon Sep 17 00:00:00 2001 
From: Hugo Landau Date: Wed, 30 Aug 2023 17:00:16 +0100 Subject: [PATCH 078/324] Minor fixes Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21715) --- crypto/bio/bss_dgram_pair.c | 2 +- doc/designs/ddd/REPORT.md | 2 +- doc/designs/ddd/ddd-05-mem-nonblocking.c | 6 +++--- ssl/quic/quic_impl.c | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/crypto/bio/bss_dgram_pair.c b/crypto/bio/bss_dgram_pair.c index a93b14154cac9..3d7987833692b 100644 --- a/crypto/bio/bss_dgram_pair.c +++ b/crypto/bio/bss_dgram_pair.c @@ -695,7 +695,7 @@ static long dgram_mem_ctrl(BIO *bio, int cmd, long num, void *ptr) /* BIO_dgram_get_local_addr_enable */ case BIO_CTRL_DGRAM_GET_LOCAL_ADDR_ENABLE: /* Non-threadsafe */ - *(int *)ptr = (long)dgram_pair_ctrl_get_local_addr_enable(bio); + *(int *)ptr = (int)dgram_pair_ctrl_get_local_addr_enable(bio); break; /* BIO_dgram_set_local_addr_enable */ diff --git a/doc/designs/ddd/REPORT.md b/doc/designs/ddd/REPORT.md index ce742507cee8c..195e834899cff 100644 --- a/doc/designs/ddd/REPORT.md +++ b/doc/designs/ddd/REPORT.md @@ -151,7 +151,7 @@ The originally planned changes to enable applications for QUIC amounted to: - A change to how the `POLLIN`/`POLLOUT`/`POLLERR` flags to pass to poll(2) need to be determined. - Note that this is a subtantially smaller list of changes than for + Note that this is a substantially smaller list of changes than for ddd-02-conn-nonblocking. ### Actual changes diff --git a/doc/designs/ddd/ddd-05-mem-nonblocking.c b/doc/designs/ddd/ddd-05-mem-nonblocking.c index 821e3fecba7a2..abf6c3c4969ed 100644 --- a/doc/designs/ddd/ddd-05-mem-nonblocking.c +++ b/doc/designs/ddd/ddd-05-mem-nonblocking.c 
@@ -189,9 +189,9 @@ int rx(APP_CONN *conn, void *buf, int buf_len) /* * Called to get data which has been enqueued for transmission to the network - * by OpenSSL. For QUIC, this always outputs a single frame. + * by OpenSSL. For QUIC, this always outputs a single datagram. * - * IMPORTANT (QUIC): If buf_len is inadequate to hold the frame, it is truncated + * IMPORTANT (QUIC): If buf_len is inadequate to hold the datagram, it is truncated * (similar to read(2)). A buffer size of at least 1472 must be used by default * to guarantee this does not occur. */ @@ -203,7 +203,7 @@ int read_net_tx(APP_CONN *conn, void *buf, int buf_len) /* * Called to feed data which has been received from the network to OpenSSL. * - * QUIC: buf must contain the entirety of a single frame. It will be consumed + * QUIC: buf must contain the entirety of a single datagram. It will be consumed * entirely (return value == buf_len) or not at all. */ int write_net_rx(APP_CONN *conn, const void *buf, int buf_len) diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c index 11c8afce8acb1..bf1c412a09168 100644 --- a/ssl/quic/quic_impl.c +++ b/ssl/quic/quic_impl.c @@ -1607,7 +1607,7 @@ static int quic_do_handshake(QCTX *ctx) * Start connection process. Note we may come here multiple times in * non-blocking mode, which is fine. */ - if (!ensure_channel_started(qc)) /* raises on failure */ + if (!ensure_channel_started(ctx)) /* raises on failure */ return -1; /* Non-protocol error */ if (ossl_quic_channel_is_handshake_complete(qc->ch)) From d2e9e12b23fe331b71abe8c201f2610266090dde Mon Sep 17 00:00:00 2001 
From: Hugo Landau Date: Wed, 30 Aug 2023 13:09:13 +0100 Subject: [PATCH 079/324] QUIC APL: Allow stream origin to be queried Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21905) --- doc/man3/SSL_get_stream_id.pod | 17 ++++++++++++++--- include/internal/quic_ssl.h | 1 + include/openssl/ssl.h.in | 1 + ssl/quic/quic_impl.c | 19 +++++++++++++++++++ ssl/ssl_lib.c | 12 ++++++++++++ util/libssl.num | 1 + 6 files changed, 48 insertions(+), 3 deletions(-) diff --git a/doc/man3/SSL_get_stream_id.pod b/doc/man3/SSL_get_stream_id.pod index 86ec2d96218f4..42ee08c814d94 100644 --- a/doc/man3/SSL_get_stream_id.pod +++ b/doc/man3/SSL_get_stream_id.pod @@ -3,8 +3,8 @@ =head1 NAME SSL_get_stream_id, SSL_get_stream_type, SSL_STREAM_TYPE_NONE, -SSL_STREAM_TYPE_READ, SSL_STREAM_TYPE_WRITE, SSL_STREAM_TYPE_BIDI - get QUIC -stream ID and stream type information +SSL_STREAM_TYPE_READ, SSL_STREAM_TYPE_WRITE, SSL_STREAM_TYPE_BIDI, +SSL_is_stream_local - get QUIC stream ID and stream type information =head1 SYNOPSIS @@ -18,6 +18,8 @@ stream ID and stream type information #define SSL_STREAM_TYPE_WRITE int SSL_get_stream_type(SSL *ssl); + int SSL_is_stream_local(SSL *ssl); + =head1 DESCRIPTION The SSL_get_stream_id() function returns the QUIC stream ID for a QUIC stream @@ -55,12 +57,16 @@ from. =back +The SSL_is_stream_local() function determines whether a stream was locally +created. + =head1 NOTES While QUICv1 assigns specific meaning to the low two bits of a QUIC stream ID, QUIC stream IDs in future versions of QUIC are not required to have the same semantics. Do not determine stream properties using these bits. Instead, use -SSL_get_stream_type() to determine the stream type. +SSL_get_stream_type() to determine the stream type and SSL_get_stream_origin() +to determine the stream initiator. The SSL_get_stream_type() identifies the type of a QUIC stream based on its identity, and does not indicate whether an operation can currently be 
@@ -79,6 +85,11 @@ always below 2**62. SSL_get_stream_type() returns one of the B values. +SSL_is_stream_local() returns 1 if called on a QUIC stream SSL object which +represents a stream which was locally initiated. It returns 0 if called on a +QUIC stream SSL object which represents a stream which was remotely initiated by +a peer, and -1 if called on any other kind of SSL object. + =head1 SEE ALSO L, L diff --git a/include/internal/quic_ssl.h b/include/internal/quic_ssl.h index 6bddc8a67880c..f815ba5435951 100644 --- a/include/internal/quic_ssl.h +++ b/include/internal/quic_ssl.h @@ -73,6 +73,7 @@ __owur SSL *ossl_quic_conn_stream_new(SSL *s, uint64_t flags); __owur SSL *ossl_quic_get0_connection(SSL *s); __owur int ossl_quic_get_stream_type(SSL *s); __owur uint64_t ossl_quic_get_stream_id(SSL *s); +__owur int ossl_quic_is_stream_local(SSL *s); __owur int ossl_quic_set_default_stream_mode(SSL *s, uint32_t mode); __owur SSL *ossl_quic_detach_stream(SSL *s); __owur int ossl_quic_attach_stream(SSL *conn, SSL *stream); diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in index 37d192f7558e1..f0a00583ecff1 100644 --- a/include/openssl/ssl.h.in +++ b/include/openssl/ssl.h.in @@ -2278,6 +2278,7 @@ __owur int SSL_is_connection(SSL *s); __owur int SSL_get_stream_type(SSL *s); __owur uint64_t SSL_get_stream_id(SSL *s); +__owur int SSL_is_stream_local(SSL *s); #define SSL_DEFAULT_STREAM_MODE_NONE 0 #define SSL_DEFAULT_STREAM_MODE_AUTO_BIDI 1 diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c index bf1c412a09168..acb51fc858bf6 100644 --- a/ssl/quic/quic_impl.c +++ b/ssl/quic/quic_impl.c 
@@ -2807,6 +2807,25 @@ uint64_t ossl_quic_get_stream_id(SSL *s) return id; } +/* + * SSL_is_stream_local + * ------------------- + */ +QUIC_TAKES_LOCK +int ossl_quic_is_stream_local(SSL *s) +{ + QCTX ctx; + int is_local; + + if (!expect_quic_with_stream_lock(s, /*remote_init=*/-1, &ctx)) + return -1; + + is_local = ossl_quic_stream_is_local_init(ctx.xso->stream); + quic_unlock(ctx.qc); + + return is_local; +} + /* * SSL_set_default_stream_mode * --------------------------- diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 06efb4380acf5..b83f11fa5b4a0 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -7474,6 +7474,18 @@ uint64_t SSL_get_stream_id(SSL *s) #endif } +int SSL_is_stream_local(SSL *s) +{ +#ifndef OPENSSL_NO_QUIC + if (!IS_QUIC(s)) + return -1; + + return ossl_quic_is_stream_local(s); +#else + return -1; +#endif +} + int SSL_set_default_stream_mode(SSL *s, uint32_t mode) { #ifndef OPENSSL_NO_QUIC diff --git a/util/libssl.num b/util/libssl.num index 1cb0558ac6b4c..225064943ba31 100644 --- a/util/libssl.num +++ b/util/libssl.num @@ -576,3 +576,4 @@ SSL_set_incoming_stream_policy ? 3_2_0 EXIST::FUNCTION: SSL_handle_events ? 3_2_0 EXIST::FUNCTION: SSL_get_event_timeout ? 3_2_0 EXIST::FUNCTION: SSL_get0_group_name ? 3_2_0 EXIST::FUNCTION: +SSL_is_stream_local ? 3_2_0 EXIST::FUNCTION: From cc50b44e555d71a10cdc45588d1b57523fb95ee4 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Wed, 30 Aug 2023 13:19:40 +0100 Subject: [PATCH 080/324] Document OSSL_get_thread_support_flags() Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21905) --- doc/man3/CRYPTO_THREAD_run_once.pod | 20 +++++++++++++++++++- util/other.syms | 2 ++ 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/doc/man3/CRYPTO_THREAD_run_once.pod b/doc/man3/CRYPTO_THREAD_run_once.pod index 1badd193978f5..b6ca5f1fafad2 100644 --- a/doc/man3/CRYPTO_THREAD_run_once.pod +++ b/doc/man3/CRYPTO_THREAD_run_once.pod 
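Review bot: `ossl_quic_is_stream_local()` and its wrapper `SSL_is_stream_local()` in the ssl_lib.c hunk return three values (1, 0, and -1 on the failure paths), but the only comment on the new function is the `SSL_is_stream_local` banner. A caller that writes `if (SSL_is_stream_local(s))` treats the -1 error result as "locally initiated", which matters if the application trusts its own streams more than peer-initiated ones. I would state the contract at the definition, e.g. `/* Returns 1 if locally initiated, 0 if peer-initiated, -1 if s is not a QUIC stream object; compare against 1. */`. The same comment belongs at the `__owur int SSL_is_stream_local(SSL *s);` declaration in ssl.h.in.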
@@ -8,7 +8,8 @@ CRYPTO_THREAD_unlock, CRYPTO_THREAD_lock_free, CRYPTO_atomic_add, CRYPTO_atomic_or, CRYPTO_atomic_load, CRYPTO_atomic_load_int, OSSL_set_max_threads, OSSL_get_max_threads, -OSSL_get_thread_support_flags - OpenSSL thread support +OSSL_get_thread_support_flags, OSSL_THREAD_SUPPORT_FLAG_THREAD_POOL, +OSSL_THREAD_SUPPORT_FLAG_DEFAULT_SPAWN - OpenSSL thread support =head1 SYNOPSIS @@ -33,6 +34,9 @@ OSSL_get_thread_support_flags - OpenSSL thread support uint64_t OSSL_get_max_threads(OSSL_LIB_CTX *ctx); uint32_t OSSL_get_thread_support_flags(void); + #define OSSL_THREAD_SUPPORT_FLAG_THREAD_POOL + #define OSSL_THREAD_SUPPORT_FLAG_DEFAULT_SPAWN + =head1 DESCRIPTION OpenSSL can be safely used in multi-threaded applications provided that @@ -121,6 +125,17 @@ spawned unless (and until) there is demand. Thread polling is disabled by default. To enable threading you must call OSSL_set_max_threads() explicitly. Under no circumstances is this done for you. +=item * + +OSSL_get_thread_support_flags() determines what thread pool functionality +OpenSSL is compiled with and is able to support in the current run time +environment. B indicates that the base +thread pool functionality is available, and +B indicates that the default thread pool +model is available. The default thread pool model is currently the only model +available, therefore both of these flags must be set for thread pool +functionality to be used. + =back =head1 RETURN VALUES @@ -140,6 +155,9 @@ OSSL_get_max_threads() returns the maximum number of threads currently allowed to be used by the thread pool. If thread pooling is disabled or not available, returns 0. +OSSL_get_thread_support_flags() returns zero or more B +values. + The other functions return 1 on success, or 0 on error. =head1 NOTES diff --git a/util/other.syms b/util/other.syms index 4bac4afeaadb0..b65e4d97167b0 100644 --- a/util/other.syms +++ b/util/other.syms 
@@ -697,6 +697,8 @@ OSSL_TRACE_CANCEL define OSSL_TRACE1 define OSSL_TRACE2 define OSSL_TRACE9 define +OSSL_THREAD_SUPPORT_FLAG_THREAD_POOL define +OSSL_THREAD_SUPPORT_FLAG_DEFAULT_SPAWN define TS_VERIFY_CTS_set_certs define deprecated 3.0.0 EVP_PKEY_get1_tls_encodedpoint define deprecated 3.0.0 EVP_PKEY_set1_tls_encodedpoint define deprecated 3.0.0 From 7d9e447ab812df34bba581c5918721cc704fdacb Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Wed, 30 Aug 2023 13:41:39 +0100 Subject: [PATCH 081/324] QUIC API: Revise SSL_get_conn_close_info to use a flags field Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21905) --- doc/designs/quic-design/quic-api.md | 15 ++++++----- doc/man3/SSL_get_conn_close_info.pod | 37 +++++++++++++++++----------- include/openssl/ssl.h.in | 5 +++- ssl/quic/quic_impl.c | 7 ++++-- test/quic_multistream_test.c | 8 ++++-- util/other.syms | 2 ++ 6 files changed, 48 insertions(+), 26 deletions(-) diff --git a/doc/designs/quic-design/quic-api.md b/doc/designs/quic-design/quic-api.md index ab1c81e2f1c13..3684c958807ad 100644 --- a/doc/designs/quic-design/quic-api.md +++ b/doc/designs/quic-design/quic-api.md @@ -830,12 +830,14 @@ unidirectional stream), returns -1. | New | Never | No | C | ```c +#define SSL_CONN_CLOSE_FLAG_LOCAL +#define SSL_CONN_CLOSE_FLAG_TRANSPORT + typedef struct ssl_conn_close_info_st { uint64_t error_code; char *reason; size_t reason_len; - int is_local; - int is_transport; + uint32_t flags; } SSL_CONN_CLOSE_INFO; int SSL_get_conn_close_info(SSL *ssl, 
@@ -854,11 +856,12 @@ always be zero terminated, but since it is received from a potentially untrusted peer, may also contain zero bytes. `info->reason_len` is the true length of the reason string in bytes. -`info->is_local` is 1 if the connection closure was locally initiated. +`info->flags` has `SSL_CONN_CLOSE_FLAG_LOCAL` set if the connection closure was +locally initiated. -`info->is_transport` is 1 if the connection closure was initiated by QUIC, and 0 -if it was initiated by the application. The namespace of `info->error_code` is -determined by this parameter. +`info->flags` has `SSL_CONN_CLOSE_FLAG_TRANSPORT` if the connection closure was +initiated by QUIC, and 0 if it was initiated by the application. The namespace +of `info->error_code` is determined by this parameter. ### New APIs for Multi-Stream Operation diff --git a/doc/man3/SSL_get_conn_close_info.pod b/doc/man3/SSL_get_conn_close_info.pod index 4d5da74b756d1..b82e434f2b088 100644 --- a/doc/man3/SSL_get_conn_close_info.pod +++ b/doc/man3/SSL_get_conn_close_info.pod @@ -2,18 +2,22 @@ =head1 NAME -SSL_get_conn_close_info - get information about why a QUIC connection was closed +SSL_get_conn_close_info, SSL_CONN_CLOSE_FLAG_LOCAL, +SSL_CONN_CLOSE_FLAG_TRANSPORT - get information about why a QUIC connection was +closed =head1 SYNOPSIS #include + #define SSL_CONN_CLOSE_FLAG_LOCAL + #define SSL_CONN_CLOSE_FLAG_TRANSPORT + typedef struct ssl_conn_close_info_st { uint64_t error_code; char *reason; size_t reason_len; - int is_local; - int is_transport; + uint32_t flags; } SSL_CONN_CLOSE_INFO; int SSL_get_conn_close_info(SSL *ssl, SSL_CONN_CLOSE_INFO *info, @@ -34,8 +38,9 @@ The following fields are set: =item I This is a 62-bit QUIC error code. It is either a 62-bit application error code -(if I is 0) or a 62-bit standard QUIC transport error code (if -I is 1). +(if B not set in I) or a 62-bit standard +QUIC transport error code (if B is set in +I). =item I 
@@ -49,20 +54,22 @@ of I is recommended. While it is intended as per the QUIC protocol that this be a UTF-8 string, there is no guarantee that this is the case for strings received from the peer. -=item I - -If 1, connection closure was locally triggered. This could be due to an -application request (e.g. if I is 0), or (if I is 1) -due to logic internal to the QUIC implementation (for example, if the peer -engages in a protocol violation, or an idle timeout occurs). +=item B -If 0, connection closure was remotely triggered. +If I has B set, connection closure was locally +triggered. This could be due to an application request (e.g. if +B is unset), or (if +I is set) due to logic internal to the QUIC +implementation (for example, if the peer engages in a protocol violation, or an +idle timeout occurs). -=item I +If unset, connection closure was remotely triggered. -If 1, connection closure was triggered for QUIC protocol reasons. +=item B -If 0, connection closure was triggered by the local or remote application. +If I has B set, connection closure was +triggered for QUIC protocol reasons. Otherwise, connection closure was triggered +by the local or remote application. =back diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in index f0a00583ecff1..5df101ff87210 100644 --- a/include/openssl/ssl.h.in +++ b/include/openssl/ssl.h.in @@ -2343,11 +2343,14 @@ __owur int SSL_get_stream_write_state(SSL *ssl); __owur int SSL_get_stream_read_error_code(SSL *ssl, uint64_t *app_error_code); __owur int SSL_get_stream_write_error_code(SSL *ssl, uint64_t *app_error_code); +#define SSL_CONN_CLOSE_FLAG_LOCAL (1U << 0) +#define SSL_CONN_CLOSE_FLAG_TRANSPORT (1U << 1) + typedef struct ssl_conn_close_info_st { uint64_t error_code; const char *reason; size_t reason_len; - int is_local, is_transport; + uint32_t flags; } SSL_CONN_CLOSE_INFO; __owur int SSL_get_conn_close_info(SSL *ssl, 
diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c index acb51fc858bf6..c3900580f79f4 100644 --- a/ssl/quic/quic_impl.c +++ b/ssl/quic/quic_impl.c @@ -3341,8 +3341,11 @@ int ossl_quic_get_conn_close_info(SSL *ssl, info->error_code = tc->error_code; info->reason = tc->reason; info->reason_len = tc->reason_len; - info->is_local = !tc->remote; - info->is_transport = !tc->app; + info->flags = 0; + if (!tc->remote) + info->flags |= SSL_CONN_CLOSE_FLAG_LOCAL; + if (!tc->app) + info->flags |= SSL_CONN_CLOSE_FLAG_TRANSPORT; return 1; } diff --git a/test/quic_multistream_test.c b/test/quic_multistream_test.c index 81e05dbf2eec2..3b2b5ed6cad14 100644 --- a/test/quic_multistream_test.c +++ b/test/quic_multistream_test.c @@ -1385,8 +1385,12 @@ static int run_script_worker(struct helper *h, const struct script_op *script, if (!SSL_get_conn_close_info(c_tgt, &cc_info, sizeof(cc_info))) SPIN_AGAIN(); - if (!TEST_int_eq(expect_app, !cc_info.is_transport) - || !TEST_int_eq(expect_remote, !cc_info.is_local) + if (!TEST_int_eq(expect_app, + (cc_info.flags + & SSL_CONN_CLOSE_FLAG_TRANSPORT) == 0) + || !TEST_int_eq(expect_remote, + (cc_info.flags + & SSL_CONN_CLOSE_FLAG_LOCAL) == 0) || !TEST_uint64_t_eq(error_code, cc_info.error_code)) goto out; } diff --git a/util/other.syms b/util/other.syms index b65e4d97167b0..fa7a59d6a8835 100644 --- a/util/other.syms +++ b/util/other.syms @@ -647,6 +647,8 @@ SSL_want_read define SSL_want_retry_verify define SSL_want_write define SSL_want_x509_lookup define +SSL_CONN_CLOSE_FLAG_LOCAL define +SSL_CONN_CLOSE_FLAG_TRANSPORT define SSLv23_client_method define SSLv23_method define SSLv23_server_method define From d492e34351ae49e899a7c66f1882703a4fedced2 Mon Sep 17 00:00:00 2001 
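Review bot: The stores into `info` in `ossl_quic_get_conn_close_info()` show no check of the caller-supplied size, which the test hunk passes as `sizeof(cc_info)`. The function starts outside this hunk, so such a check may already exist above these lines. This commit changes the layout of `SSL_CONN_CLOSE_INFO` (two `int` fields become one `uint32_t flags`), and a caller built against a different layout could otherwise have fields written beyond the object it allocated. If the check is not already there, reject a short buffer before the first write with something like `if (info_len < sizeof(*info))`, followed by the function's error return.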
From: Hugo Landau Date: Wed, 30 Aug 2023 13:43:35 +0100 Subject: [PATCH 082/324] QUIC: Make TLS1_FLAGS_QUIC private Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21905) --- include/internal/ssl.h | 3 +++ include/openssl/ssl3.h | 3 --- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/include/internal/ssl.h b/include/internal/ssl.h index 46146a9e7ebf8..8a0c797496724 100644 --- a/include/internal/ssl.h +++ b/include/internal/ssl.h @@ -18,4 +18,7 @@ typedef void (*ossl_msg_cb)(int write_p, int version, int content_type, int ossl_ssl_get_error(const SSL *s, int i, int check_err); +/* Set if this is the QUIC handshake layer */ +# define TLS1_FLAGS_QUIC 0x2000 + #endif diff --git a/include/openssl/ssl3.h b/include/openssl/ssl3.h index 2747a9d65bea3..3007a31d52a57 100644 --- a/include/openssl/ssl3.h +++ b/include/openssl/ssl3.h @@ -307,9 +307,6 @@ extern "C" { /* Set if extended master secret extension required on renegotiation */ # define TLS1_FLAGS_REQUIRED_EXTMS 0x1000 -/* Set if this is the QUIC handshake layer */ -# define TLS1_FLAGS_QUIC 0x2000 - # define SSL3_MT_HELLO_REQUEST 0 # define SSL3_MT_CLIENT_HELLO 1 # define SSL3_MT_SERVER_HELLO 2 From 2619d10ace8ee8e56425771bac48aa12769421f2 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Wed, 30 Aug 2023 13:45:40 +0100 Subject: [PATCH 083/324] BIO: Allow third parties to use integers instead of pointers for poll descriptors Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21905) --- doc/man3/BIO_get_rpoll_descriptor.pod | 12 ++++++------ include/openssl/bio.h.in | 7 ++++--- 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/doc/man3/BIO_get_rpoll_descriptor.pod b/doc/man3/BIO_get_rpoll_descriptor.pod index 9de9f1fb01470..ce33e23f26e48 100644 --- a/doc/man3/BIO_get_rpoll_descriptor.pod +++ b/doc/man3/BIO_get_rpoll_descriptor.pod 
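Review bot: Removing `TLS1_FLAGS_QUIC` from ssl3.h leaves nothing there to show that 0x2000 is still in use. The next public flag added after `TLS1_FLAGS_REQUIRED_EXTMS 0x1000` could be given the same bit and silently collide with the internal definition now in include/internal/ssl.h. I would keep a placeholder at the old location, `/* 0x2000 is reserved for internal use (QUIC handshake layer) */`. Beside the new internal define I would add a comment that its value must stay clear of the public `TLS1_FLAGS_*` values in ssl3.h.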
@@ -10,10 +10,11 @@ can be used to determine when a BIO object can next be read or written #include typedef struct bio_poll_descriptor_st { - int type; + uint32_t type; union { - int fd; - void *custom; + int fd; + void *custom; + uintptr_t custom_ui; } value; } BIO_POLL_DESCRIPTOR; @@ -71,9 +72,8 @@ complete a BIO_write() operation. =item BIO_POLL_DESCRIPTOR_CUSTOM_START Type values beginning with this value (inclusive) are reserved for application -allocation for custom poll descriptor types. The field I in the -B is an opaque pointer which can be used by the application -arbitrarily. +allocation for custom poll descriptor types. Any of the definitions in the union +field I can be used by the application arbitrarily as opaque values. =back diff --git a/include/openssl/bio.h.in b/include/openssl/bio.h.in index aa05d7d9cf41b..735361b17b1d0 100644 --- a/include/openssl/bio.h.in +++ b/include/openssl/bio.h.in @@ -387,10 +387,11 @@ typedef struct bio_mmsg_cb_args_st { #define BIO_POLL_DESCRIPTOR_CUSTOM_START 8192 typedef struct bio_poll_descriptor_st { - int type; + uint32_t type; union { - int fd; - void *custom; + int fd; + void *custom; + uintptr_t custom_ui; } value; } BIO_POLL_DESCRIPTOR; From cf269150630aa2854589b250f9aa61186a6b74ce Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Wed, 30 Aug 2023 14:00:14 +0100 Subject: [PATCH 084/324] BIO: Emphasise API contract for BIO_sendmmsg/BIO_recvmmsg Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21905) --- doc/man3/BIO_sendmmsg.pod | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/man3/BIO_sendmmsg.pod b/doc/man3/BIO_sendmmsg.pod index 9742eda50b50f..04075dd591940 100644 --- a/doc/man3/BIO_sendmmsg.pod +++ b/doc/man3/BIO_sendmmsg.pod 
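Review bot: The union in `BIO_POLL_DESCRIPTOR` now has two application-defined members, `custom` and `custom_ui`, sharing storage, and nothing at the definition in bio.h.in says which one is valid for a given `type`. A consumer that reads `custom` as a pointer when the producer stored an integer in `custom_ui` would treat an arbitrary value as an address. A comment on the union would make the rule explicit, for example `/* for types >= BIO_POLL_DESCRIPTOR_CUSTOM_START the application defines which of custom/custom_ui is valid */`. The change of `type` from `int` to `uint32_t` also alters a public struct field, so existing comparisons against signed values are worth checking, though none is visible in this hunk.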
@@ -197,6 +197,10 @@ transient error, many of which are system specific. =back +Third parties implementing custom BIOs supporting the BIO_sendmmsg() or +BIO_recvmmsg() methods should note that it is a required part of the API +contract that an error is always raised when either of these functions return 0. + BIO_dgram_set_local_addr_enable() returns 1 if local address support was successfully enabled or disabled and 0 otherwise. From 0c125b611d55b2d3a79a977614431745f149afbe Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Wed, 30 Aug 2023 16:18:39 +0100 Subject: [PATCH 085/324] QUIC: Update API table Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21905) --- doc/designs/quic-design/quic-api-ssl-funcs.md | 72 ++++++++++--------- 1 file changed, 38 insertions(+), 34 deletions(-) diff --git a/doc/designs/quic-design/quic-api-ssl-funcs.md b/doc/designs/quic-design/quic-api-ssl-funcs.md index 52e199cee6fff..6b226b089705e 100644 --- a/doc/designs/quic-design/quic-api-ssl-funcs.md +++ b/doc/designs/quic-design/quic-api-ssl-funcs.md @@ -156,7 +156,7 @@ Notes: | **⇒ Method Manipulation** | | | `SSL_CTX_get_ssl_method` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | | `SSL_get_ssl_method` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | -| `SSL_set_ssl_method` | Object | 🟥TBD | 🟩A | 🟧QSI | 🟢Done | +| `SSL_set_ssl_method` | Object | 🟩U | 🟥FC | 🟧QSI | 🟢Done | | **⇒ SRTP** | | | `SSL_get_selected_srtp_profile` | HL | 🟩U | 🟧NO | 🟨C\* | 🟢Done | | `SSL_get_srtp_profiles` | HL | 🟩U | 🟧NO | 🟨C\* | 🟢Done | 
@@ -186,9 +186,9 @@ Notes: | `SSL_get_signature_nid` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | | `SSL_get_signature_type_nid` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | | **⇒ ALPN** | †2 | -| `SSL_SESSION_set1_alpn_selected` | HL | 🟩U | 🟩A | 🟨C\* †2 | 🟡TODO | -| `SSL_SESSION_get0_alpn_selected` | HL | 🟩U | 🟩A | 🟨C\* †2 | 🟡TODO | -| `SSL_CTX_set_alpn_select_cb` | HL | 🟩U | 🟩A | 🟨C\* †2 | 🟡TODO | +| `SSL_SESSION_set1_alpn_selected` | HL | 🟩U | 🟩A | 🟨C\* †2 | 🟢Done | +| `SSL_SESSION_get0_alpn_selected` | HL | 🟩U | 🟩A | 🟨C\* †2 | 🟢Done | +| `SSL_CTX_set_alpn_select_cb` | HL | 🟩U | 🟩A | 🟨C\* †2 | 🟢Done | | `SSL_set_alpn_protos` | HL | 🟩U | 🟩A | 🟨C\* †2 | 🟢Done | | `SSL_get0_alpn_selected` | HL | 🟩U | 🟩A | 🟨C\* †2 | 🟢Done | | `SSL_CTX_set_alpn_protos` | HL | 🟩U | 🟩A | 🟨C\* †2 | 🟢Done | @@ -594,7 +594,7 @@ Notes: | `SSL_write_ex` | ADP | 🟩U | 🟩A | 🟧QSI | 🟢Done | | `SSL_sendfile` | ADP | 🟩U | 🟥FC | 🟩NC\* | 🟢Done | | `SSL_pending` | ADP | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_has_pending` | ADP | TBD | 🟩A | 🟧QSI | 🟢Done | +| `SSL_has_pending` | ADP | 🟧C | 🟩A | 🟧QSI | 🟢Done | | `SSL_accept` | CSSM | 🟩U | 🟩A | 🟧QSI | 🟢Done | | `SSL_connect` | CSSM | 🟩U | 🟩A | 🟧QSI | 🟢Done | | `SSL_do_handshake` | CSSM | 🟩U | 🟩A | 🟧QSI | 🟢Done | @@ -603,7 +603,7 @@ Notes: | `SSL_set_bio` | NDP | 🟧C | 🟩A | 🟧QSI | 🟢Done | | `SSL_get_wbio` | NDP | 🟧C | 🟩A | 🟧QSI | 🟢Done | | `SSL_get_rbio` | NDP | 🟧C | 🟩A | 🟧QSI | 🟢Done | -| `SSL_get_error` | NDP | 🟩U | 🟩A | 🟧QSI | Done — needs review | +| `SSL_get_error` | NDP | 🟩U | 🟩A | 🟧QSI | 🟢Done | | `SSL_get_rfd` | NDP | 🟩U | 🟩A | 🟩NC | 🟢Done | | `SSL_get_wfd` | NDP | 🟩U | 🟩A | 🟩NC | 🟢Done | | `SSL_get_fd` | NDP | 🟩U | 🟩A | 🟩NC | 🟢Done | 
@@ -612,42 +612,46 @@ Notes: | `SSL_set_fd` | NDP | 🟩U | 🟩A | 🟧QSI | 🟢Done | | `SSL_key_update` | RL | 🟩U | 🟩A | 🟧QSI | 🟢Done | | `SSL_get_key_update_type` | RL | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_clear` (connection) | CSSM | TBD | 🟩A | 🟥FC | 🟢Done | -| `SSL_clear` (stream) | CSSM | TBD | 🟩A | 🟧QSI | 🟠Design TBD | -| `SSL_shutdown` | CSSM | 🟧C | 🟩A | 🟧QSI | 🟡TODO | +| `SSL_clear` (connection) | CSSM | 🟩U | 🟥FC | 🟧QSI | 🟢Done | +| `SSL_clear` (stream) | CSSM | 🟩U | 🟥FC | 🟧QSI | 🟢Done | +| `SSL_shutdown` | CSSM | 🟧C | 🟩A | 🟧QSI | 🟢Done | | `SSL_want` | ADP | 🟧C | 🟩A | 🟧QSI | 🟢Done | -| `BIO_new_ssl_connect` | Global | 🟩U | 🟩A | 🟧QSI | 🟡TODO | -| `BIO_new_buffer_ssl_connect` | Global | 🟩U | 🟦U | 🟧QSI | 🟡TODO | -| `SSL_get_shutdown` | CSSM | 🟩U | 🟩A | 🟧QSI | 🟠Design TBD | -| `SSL_set_shutdown` | CSSM | 🟩U | 🟩A | 🟧QSI | 🟠Design TBD | +| `BIO_new_ssl_connect` | Global | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `BIO_new_buffer_ssl_connect` | Global | 🟩U | 🟦U | 🟧QSI | 🟢Done | +| `SSL_get_shutdown` | CSSM | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_set_shutdown` | CSSM | 🟩U | 🟩A | 🟧QSI | 🟢Done | | **⇒ New APIs** | | -| `SSL_tick` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_get_tick_timeout` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_is_tls` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_is_quic` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_handle_events` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_get_event_timeout` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | | `SSL_get_blocking_mode` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | | `SSL_set_blocking_mode` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | | `SSL_get_rpoll_descriptor` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | | `SSL_get_wpoll_descriptor` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_want_net_read` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_want_net_write` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_net_read_desired` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_net_write_desired` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | | `SSL_set1_initial_peer_addr` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_shutdown_ex` | 
CSSM | 🟦N | 🟩A | 🟥QSA | 🟡TODO | -| `SSL_stream_conclude` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟡TODO | -| `SSL_stream_reset` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟡TODO | -| `SSL_get_stream_read_state` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟡TODO | -| `SSL_get_stream_write_state` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟡TODO | -| `SSL_get_stream_read_error_code` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟡TODO | -| `SSL_get_stream_write_error_code` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟡TODO | -| `SSL_get_conn_close_info` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟡TODO | +| `SSL_shutdown_ex` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_stream_conclude` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_stream_reset` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_get_stream_read_state` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_get_stream_write_state` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_get_stream_read_error_code` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_get_stream_write_error_code` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_get_conn_close_info` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_inject_net_dgram` | NDP | 🟦N | 🟩A | 🟥QSA | 🟢Done | | **⇒ New APIs for Multi-Stream** | | -| `SSL_get0_connection` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟡TODO | -| `SSL_is_connection` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟡TODO | -| `SSL_get_stream_id` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟡TODO | -| `SSL_get_stream_type` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟡TODO | -| `SSL_new_stream` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟡TODO | -| `SSL_accept_stream` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟡TODO | -| `SSL_get_accept_stream_queue_len` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟡TODO | -| `SSL_set_default_stream_mode` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟡TODO | -| `SSL_set_incoming_stream_policy` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟡TODO | +| `SSL_get0_connection` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_is_connection` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_get_stream_id` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_get_stream_type` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_is_stream_local` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_new_stream` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| 
`SSL_accept_stream` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_get_accept_stream_queue_len` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_set_default_stream_mode` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_set_incoming_stream_policy` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | | **⇒ Currently Not Supported** | | | `SSL_copy_session_id` | Special | 🟩U | 🟥FC | 🟨C* | 🟢Done | | `BIO_ssl_copy_session_id` | Special | 🟩U | 🟥FC | 🟨C* | 🟢Done | From b139f7a26d0158e42b0f4b9e7364111a8fd17fa2 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Wed, 30 Aug 2023 16:18:50 +0100 Subject: [PATCH 086/324] QUIC APL: Report that we do not support SSL_clear correctly Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21905) --- ssl/quic/quic_impl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c index c3900580f79f4..7dfe25c916f07 100644 --- a/ssl/quic/quic_impl.c +++ b/ssl/quic/quic_impl.c @@ -567,8 +567,8 @@ int ossl_quic_clear(SSL *s) if (!expect_quic(s, &ctx)) return 0; - /* TODO(QUIC FUTURE): Currently a no-op. */ - return 1; + ERR_raise(ERR_LIB_SSL, ERR_R_UNSUPPORTED); + return 0; } int ossl_quic_conn_set_override_now_cb(SSL *s, From 728741f5880d538444754ae18557342d552b56ae Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Wed, 30 Aug 2023 16:19:05 +0100 Subject: [PATCH 087/324] QUIC: Note that SSL_set_shutdown is not supported Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21905) --- doc/man3/SSL_set_shutdown.pod | 2 ++ 1 file changed, 2 insertions(+) diff --git a/doc/man3/SSL_set_shutdown.pod b/doc/man3/SSL_set_shutdown.pod index 54d541e4e4fe7..730d819c8ad02 100644 --- a/doc/man3/SSL_set_shutdown.pod +++ b/doc/man3/SSL_set_shutdown.pod 
@@ -57,6 +57,8 @@ If a close_notify was received, SSL_RECEIVED_SHUTDOWN will be set, for setting SSL_SENT_SHUTDOWN the application must however still call L or SSL_set_shutdown() itself. +These functions are not supported for QUIC SSL objects. + =head1 RETURN VALUES SSL_set_shutdown() does not return diagnostic information. From ca5b030306b8b4c98afca5dca216bc59c24e6aca Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Wed, 30 Aug 2023 16:22:27 +0100 Subject: [PATCH 088/324] QUIC: Update API overview document Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21905) --- doc/designs/quic-design/quic-api.md | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/doc/designs/quic-design/quic-api.md b/doc/designs/quic-design/quic-api.md index 3684c958807ad..fceacdda6df83 100644 --- a/doc/designs/quic-design/quic-api.md +++ b/doc/designs/quic-design/quic-api.md @@ -51,6 +51,7 @@ designs and the relevant design decisions. - [`SSL_is_connection`](#-ssl-is-connection-) - [`SSL_get_stream_type`](#-ssl-get-stream-type-) - [`SSL_get_stream_id`](#-ssl-get-stream-id-) + - [`SSL_is_stream_local`](#-ssl-is-stream-local-) - [`SSL_new_stream`](#-ssl-new-stream-) - [`SSL_accept_stream`](#-ssl-accept-stream-) - [`SSL_get_accept_stream_queue_len`](#-ssl-get-accept-stream-queue-len-) @@ -88,9 +89,9 @@ for details on SSL object APIs. | Semantics | API | Status | |-----------|---------------------------------|--------| -| TBD | `BIO_s_connect` | TODO | -| TBD | `BIO_set_conn_hostname` | TODO | -| TBD | `BIO_new_bio_pair` | TODO | +| Changed | `BIO_s_connect` | Done | +| Unchanged | `BIO_set_conn_hostname` | Done | +| N/A | `BIO_new_bio_pair` | N/A (see `BIO_new_bio_dgram_pair`) | | New | `BIO_s_dgram_pair` | Done | | Unchanged | `BIO_dgram_get_mtu` | Done | | Unchanged | `BIO_dgram_set_mtu` | Done | 
@@ -982,6 +983,21 @@ __owur int SSL_get_stream_type(SSL *ssl); __owur uint64_t SSL_get_stream_id(SSL *ssl); ``` +#### `SSL_is_stream_local` + +| Semantics | `SSL_get_error` | Can Tick? | CSHL | +| --------- | ------------- | --------- | ------------- | +| New | Never | No | S | + +```c +/* + * QUIC: Returns 1 if the stream was locally initiated, or 0 otherwise. + * + * TLS, DTLS: Returns -1. + */ +__owur int SSL_is_stream_local(SSL *ssl); +``` + #### `SSL_new_stream` | Semantics | `SSL_get_error` | Can Tick? | CSHL | @@ -1530,7 +1546,8 @@ calls. **Q. How should `STOP_SENDING` be supported?** -TODO: Determine how `STOP_SENDING` should be supported. +We trigger `STOP_SENDING` automatically if an application frees the associated +QUIC stream SSL object. **Q. Can data be received on a locally initiated bidirectional stream before any data is sent on that stream?** From e24f784b0c3be754b2114902ca3d8ec8e67711dc Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Wed, 30 Aug 2023 16:36:11 +0100 Subject: [PATCH 089/324] QUIC: Note differences in SSL_want Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21905) --- doc/man3/SSL_want.pod | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/man3/SSL_want.pod b/doc/man3/SSL_want.pod index 1d274fd342a23..8a17bdf228af7 100644 --- a/doc/man3/SSL_want.pod +++ b/doc/man3/SSL_want.pod @@ -99,6 +99,10 @@ SSL_want_x509_lookup(), SSL_want_retry_verify(), SSL_want_async(), SSL_want_async_job(), and SSL_want_client_hello_cb() return 1 when the corresponding condition is true or 0 otherwise. +=head1 QUIC-SPECIFIC CONSIDERATIONS + +For QUIC, these functions relate only to the TLS handshake layer. + =head1 SEE ALSO L, L From 7b1ca59995a0d0ad933b5d475face79b8ec99828 Mon Sep 17 00:00:00 2001 
From: Hugo Landau Date: Wed, 30 Aug 2023 16:48:45 +0100 Subject: [PATCH 090/324] Fix after rebase Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21905) --- ssl/quic/quic_impl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c index 7dfe25c916f07..ec18a9f6c8d92 100644 --- a/ssl/quic/quic_impl.c +++ b/ssl/quic/quic_impl.c @@ -2817,7 +2817,7 @@ int ossl_quic_is_stream_local(SSL *s) QCTX ctx; int is_local; - if (!expect_quic_with_stream_lock(s, /*remote_init=*/-1, &ctx)) + if (!expect_quic_with_stream_lock(s, /*remote_init=*/-1, /*io=*/0, &ctx)) return -1; is_local = ossl_quic_stream_is_local_init(ctx.xso->stream); From 016a80dcf441189ac6d84533f1951506116a3b98 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Wed, 30 Aug 2023 17:42:04 +0100 Subject: [PATCH 091/324] Minor fixes Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21905) --- doc/man3/SSL_get_stream_id.pod | 2 +- ssl/quic/quic_impl.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/man3/SSL_get_stream_id.pod b/doc/man3/SSL_get_stream_id.pod index 42ee08c814d94..26521cb452ecd 100644 --- a/doc/man3/SSL_get_stream_id.pod +++ b/doc/man3/SSL_get_stream_id.pod @@ -65,7 +65,7 @@ created. While QUICv1 assigns specific meaning to the low two bits of a QUIC stream ID, QUIC stream IDs in future versions of QUIC are not required to have the same semantics. Do not determine stream properties using these bits. Instead, use -SSL_get_stream_type() to determine the stream type and SSL_get_stream_origin() +SSL_get_stream_type() to determine the stream type and SSL_get_stream_is_local() to determine the stream initiator. The SSL_get_stream_type() identifies the type of a QUIC stream based on its diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c index ec18a9f6c8d92..a9945fec43b1b 100644 --- a/ssl/quic/quic_impl.c 
+++ b/ssl/quic/quic_impl.c @@ -3343,7 +3343,7 @@ int ossl_quic_get_conn_close_info(SSL *ssl, info->reason_len = tc->reason_len; info->flags = 0; if (!tc->remote) - info->flags |= SSL_CONN_CLOSE_FLAG_LOCAL; + info->flags |= SSL_CONN_CLOSE_FLAG_LOCAL; if (!tc->app) info->flags |= SSL_CONN_CLOSE_FLAG_TRANSPORT; return 1; From d5c3f4b2dba0202c589d1d733e88e392794dce41 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Thu, 31 Aug 2023 12:47:25 +0100 Subject: [PATCH 092/324] Comment on internal flag Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21905) --- include/openssl/ssl3.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/openssl/ssl3.h b/include/openssl/ssl3.h index 3007a31d52a57..3f72835a3e5b0 100644 --- a/include/openssl/ssl3.h +++ b/include/openssl/ssl3.h @@ -307,6 +307,8 @@ extern "C" { /* Set if extended master secret extension required on renegotiation */ # define TLS1_FLAGS_REQUIRED_EXTMS 0x1000 +/* 0x2000 is reserved for TLS1_FLAGS_QUIC (internal) */ + # define SSL3_MT_HELLO_REQUEST 0 # define SSL3_MT_CLIENT_HELLO 1 # define SSL3_MT_SERVER_HELLO 2 From a31601cc3ffca7de688aabcd34d83ff2c4496e17 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Thu, 31 Aug 2023 13:20:05 +0100 Subject: [PATCH 093/324] QUIC WIRE: When peeking at number of ACK ranges, ensure enough data is available Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21917) --- ssl/quic/quic_wire.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/ssl/quic/quic_wire.c b/ssl/quic/quic_wire.c index 0a2130a2d177c..a38efa758a6a7 100644 --- a/ssl/quic/quic_wire.c +++ b/ssl/quic/quic_wire.c 
@@ -488,7 +488,7 @@ int ossl_quic_wire_peek_frame_ack_num_ranges(const PACKET *orig_pkt, uint64_t *total_ranges) { PACKET pkt = *orig_pkt; - uint64_t ack_range_count; + uint64_t ack_range_count, i; if (!expect_frame_header_mask(&pkt, OSSL_QUIC_FRAME_TYPE_ACK_WITHOUT_ECN, 1, NULL) @@ -497,6 +497,18 @@ int ossl_quic_wire_peek_frame_ack_num_ranges(const PACKET *orig_pkt, || !PACKET_get_quic_vlint(&pkt, &ack_range_count)) return 0; + /* + * Ensure the specified number of ack ranges listed in the ACK frame header + * actually are available in the frame data. This naturally bounds the + * number of ACK ranges which can be requested by the MDPL, and therefore by + * the MTU. This ensures we do not allocate memory for an excessive number + * of ACK ranges. + */ + for (i = 0; i < ack_range_count; ++i) + if (!PACKET_skip_quic_vlint(&pkt) + || !PACKET_skip_quic_vlint(&pkt)) + return 0; + /* (cannot overflow because QUIC vlints can only encode up to 2**62-1) */ *total_ranges = ack_range_count + 1; return 1; From 8c792b0ccd41657d9972efbcc997a0c39d49121f Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Thu, 31 Aug 2023 13:28:34 +0100 Subject: [PATCH 094/324] QUIC RXDP: Reuse allocations between ACK frame processing Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21917) --- ssl/quic/quic_channel.c | 1 + ssl/quic/quic_channel_local.h | 4 ++++ ssl/quic/quic_rx_depack.c | 20 +++++++++++++------- 3 files changed, 18 insertions(+), 7 deletions(-) diff --git a/ssl/quic/quic_channel.c b/ssl/quic/quic_channel.c index efbe1c16604a8..78aaabef52525 100644 --- a/ssl/quic/quic_channel.c +++ b/ssl/quic/quic_channel.c 
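Review bot: No test accompanies the new bounds check in `ossl_quic_wire_peek_frame_ack_num_ranges()`; the diffstat lists only `ssl/quic/quic_wire.c`. This loop is what stops a peer-supplied range count from sizing an allocation, so a unit test that feeds an ACK header whose count exceeds the ranges actually present, and expects a 0 return, would pin the behaviour against later refactoring. The two-line `if` under the `for` would also be safer with braces around the loop body. The function starts before the first hunk and its closing brace is outside the second.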
@@ -524,6 +524,7 @@ static void ch_cleanup(QUIC_CHANNEL *ch) OPENSSL_free(ch->local_transport_params); OPENSSL_free((char *)ch->terminate_cause.reason); OSSL_ERR_STATE_free(ch->err_state); + OPENSSL_free(ch->ack_range_scratch); /* Free the stateless reset tokens */ for (srte = ossl_list_stateless_reset_tokens_head(&ch->srt_list_seq); diff --git a/ssl/quic/quic_channel_local.h b/ssl/quic/quic_channel_local.h index 8b2edc647a040..77dc5dd7bc4d9 100644 --- a/ssl/quic/quic_channel_local.h +++ b/ssl/quic/quic_channel_local.h @@ -461,6 +461,10 @@ struct quic_channel_st { /* Saved error stack in case permanent error was encountered */ ERR_STATE *err_state; + + /* Scratch area for use by RXDP to store decoded ACK ranges. */ + OSSL_QUIC_ACK_RANGE *ack_range_scratch; + size_t num_ack_range_scratch; }; # endif diff --git a/ssl/quic/quic_rx_depack.c b/ssl/quic/quic_rx_depack.c index 55712edabe10f..f7f8bf6ea3dda 100644 --- a/ssl/quic/quic_rx_depack.c +++ b/ssl/quic/quic_rx_depack.c 
@@ -64,18 +64,26 @@ static int depack_do_frame_ack(PACKET *pkt, QUIC_CHANNEL *ch, OSSL_QRX_PKT *qpacket) { OSSL_QUIC_FRAME_ACK ack; - OSSL_QUIC_ACK_RANGE *ack_ranges = NULL; + OSSL_QUIC_ACK_RANGE *p; uint64_t total_ranges = 0; uint32_t ack_delay_exp = ch->rx_ack_delay_exp; if (!ossl_quic_wire_peek_frame_ack_num_ranges(pkt, &total_ranges) /* In case sizeof(uint64_t) > sizeof(size_t) */ - || total_ranges > SIZE_MAX / sizeof(ack_ranges[0]) - || (ack_ranges = OPENSSL_zalloc(sizeof(ack_ranges[0]) - * (size_t)total_ranges)) == NULL) + || total_ranges > SIZE_MAX / sizeof(OSSL_QUIC_ACK_RANGE)) goto malformed; - ack.ack_ranges = ack_ranges; + if (ch->num_ack_range_scratch < (size_t)total_ranges) { + if ((p = OPENSSL_realloc(ch->ack_range_scratch, + sizeof(OSSL_QUIC_ACK_RANGE) + * (size_t)total_ranges)) == NULL) + goto malformed; + + ch->ack_range_scratch = p; + ch->num_ack_range_scratch = (size_t)total_ranges; + } + + ack.ack_ranges = ch->ack_range_scratch; ack.num_ack_ranges = (size_t)total_ranges; if (!ossl_quic_wire_decode_frame_ack(pkt, ack_delay_exp, &ack, NULL)) @@ -120,7 +128,6 @@ static int depack_do_frame_ack(PACKET *pkt, QUIC_CHANNEL *ch, goto malformed; ++ch->diag_num_rx_ack; - OPENSSL_free(ack_ranges); return 1; malformed: @@ -128,7 +135,6 @@ static int depack_do_frame_ack(PACKET *pkt, QUIC_CHANNEL *ch, QUIC_ERR_FRAME_ENCODING_ERROR, frame_type, "decode error"); - OPENSSL_free(ack_ranges); return 0; } From 56df4cf24fad554e173d950a79a516e730096055 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Thu, 31 Aug 2023 11:52:38 +0100 Subject: [PATCH 095/324] QUIC APL: Adjust expect_quic_conn_only Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21915) --- ssl/quic/quic_impl.c | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c index a9945fec43b1b..5dd73fd19b8bd 100644 --- a/ssl/quic/quic_impl.c +++ b/ssl/quic/quic_impl.c 
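Review bot: The scratch buffer in `depack_do_frame_ack()` is no longer zeroed (`OPENSSL_zalloc` became `OPENSSL_realloc`, and a large enough buffer is reused as is), so `ack.ack_ranges` can hold ranges from an earlier frame or uninitialised memory. That is only safe if `ossl_quic_wire_decode_frame_ack()` writes every entry up to the `num_ack_ranges` it reports, which is not visible in this hunk. A comment at the assignment would record the dependency, e.g. `/* scratch is not cleared; the decoder must fill every range it counts */`. Separately, a failed `OPENSSL_realloc` still jumps to `malformed`, so an out-of-memory condition is reported as a frame encoding error from the peer; the old `OPENSSL_zalloc` path did the same, but a distinct exit would keep the diagnostics accurate. The function body continues outside these hunks.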
@@ -277,12 +277,11 @@ static int ossl_unused expect_quic_with_stream_lock(const SSL *s, int remote_ini * Like expect_quic(), but fails if called on a QUIC_XSO. ctx->xso may still * be non-NULL if the QCSO has a default stream. */ -static int ossl_unused expect_quic_conn_only(const SSL *s, int in_io, QCTX *ctx) +static int ossl_unused expect_quic_conn_only(const SSL *s, QCTX *ctx) { if (!expect_quic(s, ctx)) return 0; - ctx->in_io = in_io; if (ctx->is_stream) return QUIC_RAISE_NON_NORMAL_ERROR(ctx, SSL_R_CONN_USE_ONLY, NULL); @@ -1985,7 +1984,7 @@ SSL *ossl_quic_conn_stream_new(SSL *s, uint64_t flags) { QCTX ctx; - if (!expect_quic_conn_only(s, /*io=*/0, &ctx)) + if (!expect_quic_conn_only(s, &ctx)) return NULL; return quic_conn_stream_new(&ctx, flags, /*need_lock=*/1); @@ -2835,7 +2834,7 @@ int ossl_quic_set_default_stream_mode(SSL *s, uint32_t mode) { QCTX ctx; - if (!expect_quic_conn_only(s, /*io=*/0, &ctx)) + if (!expect_quic_conn_only(s, &ctx)) return 0; quic_lock(ctx.qc); @@ -2872,7 +2871,7 @@ SSL *ossl_quic_detach_stream(SSL *s) QCTX ctx; QUIC_XSO *xso = NULL; - if (!expect_quic_conn_only(s, /*io=*/0, &ctx)) + if (!expect_quic_conn_only(s, &ctx)) return NULL; quic_lock(ctx.qc); @@ -2897,7 +2896,7 @@ int ossl_quic_attach_stream(SSL *conn, SSL *stream) QUIC_XSO *xso; int nref; - if (!expect_quic_conn_only(conn, /*io=*/0, &ctx)) + if (!expect_quic_conn_only(conn, &ctx)) return 0; if (stream == NULL || stream->type != SSL_TYPE_QUIC_XSO) @@ -2977,7 +2976,7 @@ int ossl_quic_set_incoming_stream_policy(SSL *s, int policy, int ret = 1; QCTX ctx; - if (!expect_quic_conn_only(s, /*io=*/0, &ctx)) + if (!expect_quic_conn_only(s, &ctx)) return 0; quic_lock(ctx.qc); @@ -3041,7 +3040,7 @@ SSL *ossl_quic_accept_stream(SSL *s, uint64_t flags) QUIC_XSO *xso; OSSL_RTT_INFO rtt_info; - if (!expect_quic_conn_only(s, /*io=*/0, &ctx)) + if (!expect_quic_conn_only(s, &ctx)) return NULL; quic_lock(ctx.qc); 
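Review bot: With `ctx->in_io = in_io;` removed, `expect_quic_conn_only()` no longer writes `ctx->in_io` at all, yet every caller in these hunks passes a stack `QCTX ctx;` declared without an initialiser. This is correct only if `expect_quic()` always sets `in_io` to 0, which cannot be confirmed from the hunk. Either an explicit `ctx->in_io = 0;` after the `expect_quic()` call or a comment such as `/* in_io remains 0 as set by expect_quic() */` would make the dependency visible to the next reader.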
@@ -3104,7 +3103,7 @@ size_t ossl_quic_get_accept_stream_queue_len(SSL *s) QCTX ctx; size_t v; - if (!expect_quic_conn_only(s, /*io=*/0, &ctx)) + if (!expect_quic_conn_only(s, &ctx)) return 0; quic_lock(ctx.qc); @@ -3331,7 +3330,7 @@ int ossl_quic_get_conn_close_info(SSL *ssl, QCTX ctx; const QUIC_TERMINATE_CAUSE *tc; - if (!expect_quic_conn_only(ssl, /*io=*/0, &ctx)) + if (!expect_quic_conn_only(ssl, &ctx)) return -1; tc = ossl_quic_channel_get_terminate_cause(ctx.qc->ch); @@ -3357,7 +3356,7 @@ int ossl_quic_key_update(SSL *ssl, int update_type) { QCTX ctx; - if (!expect_quic_conn_only(ssl, /*io=*/0, &ctx)) + if (!expect_quic_conn_only(ssl, &ctx)) return 0; switch (update_type) { @@ -3417,7 +3416,7 @@ long ossl_quic_callback_ctrl(SSL *s, int cmd, void (*fp) (void)) { QCTX ctx; - if (!expect_quic_conn_only(s, /*io=*/0, &ctx)) + if (!expect_quic_conn_only(s, &ctx)) return 0; switch (cmd) { @@ -3468,7 +3467,7 @@ QUIC_CHANNEL *ossl_quic_conn_get_channel(SSL *s) { QCTX ctx; - if (!expect_quic_conn_only(s, /*io=*/0, &ctx)) + if (!expect_quic_conn_only(s, &ctx)) return NULL; return ctx.qc->ch; From 72ca0b88fc8cd97a20528d2f92e145e181194a98 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Thu, 31 Aug 2023 11:53:07 +0100 Subject: [PATCH 096/324] QUIC APL: Revise I/O error setting so that the last error is set on success Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21915) --- ssl/quic/quic_impl.c | 50 +++++++++++++++++++++++++++++++------------- 1 file changed, 36 insertions(+), 14 deletions(-) diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c index 5dd73fd19b8bd..2f60594efa7ac 100644 --- a/ssl/quic/quic_impl.c +++ b/ssl/quic/quic_impl.c 
@@ -26,6 +26,7 @@ static int qc_try_create_default_xso_for_write(QCTX *ctx); static int qc_wait_for_default_xso_for_read(QCTX *ctx); static void quic_lock(QUIC_CONNECTION *qc); static void quic_unlock(QUIC_CONNECTION *qc); +static void quic_lock_for_io(QCTX *ctx); static int quic_do_handshake(QCTX *ctx); static void qc_update_reject_policy(QUIC_CONNECTION *qc); static void qc_touch_default_xso(QUIC_CONNECTION *qc); @@ -109,6 +110,18 @@ struct qctx_st { int is_stream, in_io; }; +QUIC_NEEDS_LOCK +static void quic_set_last_error(QCTX *ctx, int last_error) +{ + if (!ctx->in_io) + return; + + if (ctx->is_stream && ctx->xso != NULL) + ctx->xso->last_error = last_error; + else if (!ctx->is_stream && ctx->qc != NULL) + ctx->qc->last_error = last_error; +} + /* * Raise a 'normal' error, meaning one that can be reported via SSL_get_error() * rather than via ERR. Note that normal errors must always be raised while @@ -118,10 +131,8 @@ QUIC_NEEDS_LOCK static int quic_raise_normal_error(QCTX *ctx, int err) { - if (ctx->is_stream) - ctx->xso->last_error = err; - else - ctx->qc->last_error = err; + assert(ctx->in_io); + quic_set_last_error(ctx, err); return 0; } @@ -148,10 +159,7 @@ static int quic_raise_non_normal_error(QCTX *ctx, va_list args; if (ctx != NULL) { - if (ctx->in_io && ctx->is_stream && ctx->xso != NULL) - ctx->xso->last_error = SSL_ERROR_SSL; - else if (ctx->in_io && !ctx->is_stream && ctx->qc != NULL) - ctx->qc->last_error = SSL_ERROR_SSL; + quic_set_last_error(ctx, SSL_ERROR_SSL); if (reason == SSL_R_PROTOCOL_IS_SHUTDOWN && ctx->qc != NULL) ossl_quic_channel_restore_err_state(ctx->qc->ch); @@ -236,8 +244,10 @@ static int ossl_unused expect_quic_with_stream_lock(const SSL *s, int remote_ini if (!expect_quic(s, ctx)) return 0; - ctx->in_io = in_io; - quic_lock(ctx->qc); + if (in_io) + quic_lock_for_io(ctx); + else + quic_lock(ctx->qc); if (ctx->xso == NULL && remote_init >= 0) { if (!quic_mutation_allowed(ctx->qc, /*req_active=*/0)) { 
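Review bot: `assert(ctx->in_io)` in `quic_raise_normal_error()` compiles away when `NDEBUG` is defined, and `quic_set_last_error()` returns early when `in_io` is 0. A normal error raised outside an I/O call would then be dropped silently, where the old code always stored it. If that case is meant to be impossible, a comment on `quic_set_last_error()` should say that the last error is recorded only inside I/O calls entered through `quic_lock_for_io()`. The non-I/O branch of `expect_quic_with_stream_lock()` also stops assigning `ctx->in_io`, so it relies on `expect_quic()` having set it to 0, which is not visible here.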
@@ -301,6 +311,20 @@ static void quic_lock(QUIC_CONNECTION *qc) #endif } +static void quic_lock_for_io(QCTX *ctx) +{ + quic_lock(ctx->qc); + ctx->in_io = 1; + + /* + * We are entering an I/O function so we must update the values returned by + * SSL_get_error and SSL_want. Set no error. This will be overridden later + * if a call to QUIC_RAISE_NORMAL_ERROR or QUIC_RAISE_NON_NORMAL_ERROR + * occurs during the API call. + */ + quic_set_last_error(ctx, SSL_ERROR_NONE); +} + /* Precondition: Channel mutex is held (unchecked) */ QUIC_NEEDS_LOCK static void quic_unlock(QUIC_CONNECTION *qc) @@ -1677,8 +1701,7 @@ int ossl_quic_do_handshake(SSL *s) if (!expect_quic(s, &ctx)) return 0; - ctx.in_io = 1; - quic_lock(ctx.qc); + quic_lock_for_io(&ctx); ret = quic_do_handshake(&ctx); quic_unlock(ctx.qc); @@ -2526,8 +2549,7 @@ static int quic_read(SSL *s, void *buf, size_t len, size_t *bytes_read, int peek if (!expect_quic(s, &ctx)) return 0; - ctx.in_io = 1; - quic_lock(ctx.qc); + quic_lock_for_io(&ctx); if (!quic_mutation_allowed(ctx.qc, /*req_active=*/0)) { ret = QUIC_RAISE_NON_NORMAL_ERROR(&ctx, SSL_R_PROTOCOL_IS_SHUTDOWN, NULL); From 5debf070103131cff97a2fc78c93cae391099842 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Thu, 31 Aug 2023 11:53:32 +0100 Subject: [PATCH 097/324] QUIC APL: Implement SSL_want Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21915) --- include/internal/quic_ssl.h | 1 + ssl/quic/quic_impl.c | 42 +++++++++++++++++++++++++++++++++++++ ssl/ssl_lib.c | 5 +++++ 3 files changed, 48 insertions(+) diff --git a/include/internal/quic_ssl.h b/include/internal/quic_ssl.h index f815ba5435951..77ff85a022cd4 100644 --- a/include/internal/quic_ssl.h +++ b/include/internal/quic_ssl.h 
@@ -57,6 +57,7 @@ __owur int ossl_quic_get_wpoll_descriptor(SSL *s, BIO_POLL_DESCRIPTOR *d); __owur int ossl_quic_get_net_read_desired(SSL *s); __owur int ossl_quic_get_net_write_desired(SSL *s); __owur int ossl_quic_get_error(const SSL *s, int i); +__owur int ossl_quic_want(const SSL *s); __owur int ossl_quic_conn_get_blocking_mode(const SSL *s); __owur int ossl_quic_conn_set_blocking_mode(SSL *s, int blocking); __owur int ossl_quic_conn_shutdown(SSL *s, uint64_t flags, diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c index 2f60594efa7ac..71c15361027d1 100644 --- a/ssl/quic/quic_impl.c +++ b/ssl/quic/quic_impl.c @@ -2025,6 +2025,7 @@ SSL *ossl_quic_conn_stream_new(SSL *s, uint64_t flags) * above, all QUIC I/O is implemented using non-blocking mode internally. * * SSL_get_error => partially implemented by ossl_quic_get_error + * SSL_want => ossl_quic_want * (BIO/)SSL_read => ossl_quic_read * (BIO/)SSL_write => ossl_quic_write * SSL_pending => ossl_quic_pending @@ -2052,6 +2053,47 @@ int ossl_quic_get_error(const SSL *s, int i) return last_error; } +/* Converts a code returned by SSL_get_error to a code returned by SSL_want. */ +static int error_to_want(int error) +{ + switch (error) { + case SSL_ERROR_WANT_CONNECT: /* never used - UDP is connectionless */ + case SSL_ERROR_WANT_ACCEPT: /* never used - UDP is connectionless */ + case SSL_ERROR_ZERO_RETURN: + default: + return SSL_NOTHING; + + case SSL_ERROR_WANT_READ: + return SSL_READING; + + case SSL_ERROR_WANT_WRITE: + return SSL_WRITING; + + case SSL_ERROR_WANT_CLIENT_HELLO_CB: + return SSL_CLIENT_HELLO_CB; + + case SSL_ERROR_WANT_X509_LOOKUP: + return SSL_X509_LOOKUP; + } +} + +/* SSL_want */ +int ossl_quic_want(const SSL *s) +{ + QCTX ctx; + int w; + + if (!expect_quic(s, &ctx)) + return SSL_NOTHING; + + quic_lock(ctx.qc); + + w = error_to_want(ctx.is_stream ? ctx.xso->last_error : ctx.qc->last_error); + + quic_unlock(ctx.qc); + return w; +} + /* * SSL_write * --------- 
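Review bot: `ossl_quic_want()` dereferences `ctx.xso->last_error` whenever `ctx.is_stream` is set, without checking `ctx.xso`. `quic_set_last_error()` in the same file guards the same access with `ctx->xso != NULL`. One of the two is inconsistent: either the guard there is unnecessary, or it should be mirrored here, for example `if (ctx.is_stream && ctx.xso == NULL) return SSL_NOTHING;` before the lock is taken. A comment on `error_to_want()` noting that `SSL_ERROR_NONE`, `SSL_ERROR_SSL` and `SSL_ERROR_SYSCALL` intentionally fall into `default:` would also help, since `default` is listed first in the switch.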
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index b83f11fa5b4a0..5bfd8cc4cef0f 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -5501,6 +5501,11 @@ int SSL_want(const SSL *s) { const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s); +#ifndef OPENSSL_NO_QUIC + if (IS_QUIC(s)) + return ossl_quic_want(s); +#endif + if (sc == NULL) return SSL_NOTHING; From 9ff816106c2b2ccbffe5c4e3619a840547088674 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Thu, 31 Aug 2023 11:53:47 +0100 Subject: [PATCH 098/324] QUIC MULTISTREAM TEST: Test SSL_want for consistency with SSL_get_error Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21915) --- test/quic_multistream_test.c | 68 +++++++++++++++++++++++++++++++----- 1 file changed, 59 insertions(+), 9 deletions(-) diff --git a/test/quic_multistream_test.c b/test/quic_multistream_test.c index 3b2b5ed6cad14..895a6d74a70bc 100644 --- a/test/quic_multistream_test.c +++ b/test/quic_multistream_test.c @@ -805,6 +805,29 @@ static int is_want(SSL *s, int ret) return ec == SSL_ERROR_WANT_READ || ec == SSL_ERROR_WANT_WRITE; } +static int check_consistent_want(SSL *s, int ret) +{ + int ec = SSL_get_error(s, ret); + int w = SSL_want(s); + + int ok = TEST_true( + (ec == SSL_ERROR_NONE && w == SSL_NOTHING) + || (ec == SSL_ERROR_ZERO_RETURN && w == SSL_NOTHING) + || (ec == SSL_ERROR_SSL && w == SSL_NOTHING) + || (ec == SSL_ERROR_SYSCALL && w == SSL_NOTHING) + || (ec == SSL_ERROR_WANT_READ && w == SSL_READING) + || (ec == SSL_ERROR_WANT_WRITE && w == SSL_WRITING) + || (ec == SSL_ERROR_WANT_CLIENT_HELLO_CB && w == SSL_CLIENT_HELLO_CB) + || (ec == SSL_ERROR_WANT_X509_LOOKUP && w == SSL_X509_LOOKUP) + || (ec == SSL_ERROR_WANT_RETRY_VERIFY && w == SSL_RETRY_VERIFY) + ); + + if (!ok) + TEST_error("got error=%d, want=%d", ec, w); + + return ok; +} + static int run_script_worker(struct helper *h, const struct script_op *script, const char *script_name, int thread_idx) 
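Review bot: Routing `SSL_want()` to `ossl_quic_want()` for QUIC objects appears to contradict the sentence added to `doc/man3/SSL_want.pod` a few commits earlier in this series, "For QUIC, these functions relate only to the TLS handshake layer". After this change the result is derived from the last error stored on the QUIC connection or stream object, and the accompanying test expects `SSL_READING` after a `SSL_read_ex()` that wants more data. The diffstat of this commit does not touch the pod file, so the man page should be updated to describe the new per-object behaviour unless that happens elsewhere in the series.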
@@ -1006,6 +1029,8 @@ static int run_script_worker(struct helper *h, const struct script_op *script, connect_started = 1; ret = SSL_connect(h->c_conn); + if (!check_consistent_want(c_tgt, ret)) + goto out; if (ret != 1) { if (!h->blocking && is_want(h->c_conn, ret)) SPIN_AGAIN(); @@ -1019,12 +1044,14 @@ static int run_script_worker(struct helper *h, const struct script_op *script, case OPK_C_WRITE: { size_t bytes_written = 0; + int r; if (!TEST_ptr(c_tgt)) goto out; - if (!TEST_true(SSL_write_ex(c_tgt, op->arg0, op->arg1, - &bytes_written)) + r = SSL_write_ex(c_tgt, op->arg0, op->arg1, &bytes_written); + if (!TEST_true(r) + || !check_consistent_want(c_tgt, r) || !TEST_size_t_eq(bytes_written, op->arg1)) goto out; } @@ -1078,13 +1105,18 @@ static int run_script_worker(struct helper *h, const struct script_op *script, case OPK_C_READ_EXPECT: { size_t bytes_read = 0; + int r; if (op->arg1 > 0 && tmp_buf == NULL && !TEST_ptr(tmp_buf = OPENSSL_malloc(op->arg1))) goto out; - if (!SSL_read_ex(c_tgt, tmp_buf + offset, op->arg1 - offset, - &bytes_read)) + r = SSL_read_ex(c_tgt, tmp_buf + offset, op->arg1 - offset, + &bytes_read); + if (!check_consistent_want(c_tgt, r)) + goto out; + + if (!r) SPIN_AGAIN(); if (bytes_read + offset != op->arg1) { @@ -1136,9 +1168,11 @@ static int run_script_worker(struct helper *h, const struct script_op *script, { char buf[1]; size_t bytes_read = 0; + int r; - if (!TEST_false(SSL_read_ex(c_tgt, buf, sizeof(buf), - &bytes_read)) + r = SSL_read_ex(c_tgt, buf, sizeof(buf), &bytes_read); + if (!check_consistent_want(c_tgt, r) + || !TEST_false(r) || !TEST_size_t_eq(bytes_read, 0)) goto out; @@ -1148,6 +1182,9 @@ static int run_script_worker(struct helper *h, const struct script_op *script, if (!TEST_int_eq(SSL_get_error(c_tgt, 0), SSL_ERROR_ZERO_RETURN)) goto out; + + if (!TEST_int_eq(SSL_want(c_tgt), SSL_NOTHING)) + goto out; } break; 
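Review bot: In the connect step the consistency check is made on `c_tgt`, although `ret` comes from `SSL_connect(h->c_conn)` and the next line calls `is_want(h->c_conn, ret)`. If `c_tgt` can be NULL or a stream object at that point, `SSL_get_error()` and `SSL_want()` are queried on a different object from the one that produced `ret`. Using `if (!check_consistent_want(h->c_conn, ret))` keeps all three calls on the same object. The read and write cases in the following hunks use `c_tgt` for both the call and the check, so they are not affected; `run_script_worker()` extends well beyond these hunks.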
@@ -1447,11 +1484,14 @@ static int run_script_worker(struct helper *h, const struct script_op *script, case OPK_C_WRITE_FAIL: { size_t bytes_written = 0; + int r; if (!TEST_ptr(c_tgt)) goto out; - if (!TEST_false(SSL_write_ex(c_tgt, "apple", 5, &bytes_written))) + r = SSL_write_ex(c_tgt, "apple", 5, &bytes_written); + if (!TEST_false(r) + || !check_consistent_want(c_tgt, r)) goto out; } break; @@ -1474,11 +1514,15 @@ static int run_script_worker(struct helper *h, const struct script_op *script, { size_t bytes_read = 0; char buf[1]; + int r; if (!TEST_ptr(c_tgt)) goto out; - if (!TEST_false(SSL_read_ex(c_tgt, buf, sizeof(buf), &bytes_read))) + r = SSL_read_ex(c_tgt, buf, sizeof(buf), &bytes_read); + if (!TEST_false(r)) + goto out; + if (!check_consistent_want(c_tgt, r)) goto out; } break; @@ -1487,11 +1531,15 @@ static int run_script_worker(struct helper *h, const struct script_op *script, { size_t bytes_read = 0; char buf[1]; + int r; if (!TEST_ptr(c_tgt)) goto out; - if (!TEST_false(SSL_read_ex(c_tgt, buf, sizeof(buf), &bytes_read))) + r = SSL_read_ex(c_tgt, buf, sizeof(buf), &bytes_read); + if (!TEST_false(r)) + goto out; + if (!check_consistent_want(c_tgt, r)) goto out; if (is_want(c_tgt, 0)) @@ -1583,6 +1631,8 @@ static int run_script_worker(struct helper *h, const struct script_op *script, { if (!TEST_size_t_eq((size_t)SSL_get_error(c_tgt, 0), op->arg1)) goto out; + if (!TEST_int_eq(SSL_want(c_tgt), SSL_NOTHING)) + goto out; } break; From 7b8e27bc2e02238986d89ef0ece067ec1b48e165 Mon Sep 17 00:00:00 2001 
From: Bernd Edlinger Date: Tue, 22 Aug 2023 16:07:30 +0200 Subject: [PATCH 099/324] Avoid clobbering non-volatile XMM registers This affects some Poly1305 assembler functions which are only used for certain CPU types. Remove those functions for Windows targets, as a simple interim solution. Fixes #21522 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/21808) --- crypto/poly1305/asm/poly1305-x86_64.pl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/poly1305/asm/poly1305-x86_64.pl b/crypto/poly1305/asm/poly1305-x86_64.pl index fa9bfb7a7b814..24bab9d0bcf95 100755 --- a/crypto/poly1305/asm/poly1305-x86_64.pl +++ b/crypto/poly1305/asm/poly1305-x86_64.pl @@ -195,7 +195,7 @@ sub poly1305_iteration { bt \$`5+32`,%r9 # AVX2? cmovc %rax,%r10 ___ -$code.=<<___ if ($avx>3); +$code.=<<___ if ($avx>3 && !$win64); mov \$`(1<<31|1<<21|1<<16)`,%rax shr \$32,%r9 and %rax,%r9 @@ -2724,7 +2724,7 @@ sub poly1305_iteration { .cfi_endproc .size poly1305_blocks_avx512,.-poly1305_blocks_avx512 ___ -if ($avx>3) { +if ($avx>3 && !$win64) { ######################################################################## # VPMADD52 version using 2^44 radix. # From 3a0012cb52bef4df54bd46946d7ff783c24b4305 Mon Sep 17 00:00:00 2001 
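Review bot: The reason for `!$win64` is recorded only in the commit message, and the same `$avx>3 && !$win64` test must now stay identical in two places far apart: the capability selection near line 195 and the routine emission near line 2724. If one is edited without the other, the init code could select a routine that is never emitted. A comment at both sites, such as `# VPMADD52 path disabled on Win64: it clobbers non-volatile XMM registers`, or a single flag computed once and tested in both places, would guard against that and mark this as the interim workaround it is described as.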
From: Matt Caswell Date: Thu, 31 Aug 2023 15:31:42 +0100 Subject: [PATCH 100/324] Handle non IO based retry errors in QUIC SSL_get_error() may respond with some retry errors that are not IO related. In particular SSL_ERROR_WANT_RETRY_VERIFY and SSL_ERROR_WANT_X509_LOOKUP. These can occur during a TLS handshake. If they occur when a QUIC Connection is performing a TLS handshake then we need to propagate these up to the QCSO. We also handle SSL_ERROR_WANT_CLIENT_HELLO_CB. This one will only ever occur on the server side which we don't currently support. However adding the handling for it now is identical to all the other handling so including it is no cost, and will be needed when we do add server support. We are not concerned with SSL_ERROR_WANT_ASYNC or SSL_ERROR_WANT_ASYNC_JOB since we do not support async operation with QUIC. Fixes openssl/project#199 Reviewed-by: Tomas Mraz Reviewed-by: Hugo Landau (Merged from https://github.com/openssl/openssl/pull/21922) --- ssl/quic/quic_impl.c | 28 ++++++++++++++++++++++++++++ ssl/quic/quic_tls.c | 3 +++ 2 files changed, 31 insertions(+) diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c index 71c15361027d1..c43f8a7fc866c 100644 --- a/ssl/quic/quic_impl.c +++ b/ssl/quic/quic_impl.c @@ -1445,6 +1445,18 @@ struct quic_handshake_wait_args { QUIC_CONNECTION *qc; }; +static int tls_wants_non_io_retry(QUIC_CONNECTION *qc) +{ + int want = SSL_want(qc->tls); + + if (want == SSL_X509_LOOKUP + || want == SSL_CLIENT_HELLO_CB + || want == SSL_RETRY_VERIFY) + return 1; + + return 0; +} + static int quic_handshake_wait(void *arg) { struct quic_handshake_wait_args *args = arg; @@ -1455,6 +1467,9 @@ static int quic_handshake_wait(void *arg) if (ossl_quic_channel_is_handshake_complete(args->qc->ch)) return 1; + if (tls_wants_non_io_retry(args->qc)) + return 1; + return 0; } 
@@ -1680,10 +1695,20 @@ static int quic_do_handshake(QCTX *ctx) return -1; /* Non-protocol error */ } + if (tls_wants_non_io_retry(qc)) { + QUIC_RAISE_NORMAL_ERROR(ctx, SSL_get_error(qc->tls, 0)); + return -1; + } + assert(ossl_quic_channel_is_handshake_complete(qc->ch)); return 1; } + if (tls_wants_non_io_retry(qc)) { + QUIC_RAISE_NORMAL_ERROR(ctx, SSL_get_error(qc->tls, 0)); + return -1; + } + /* * Otherwise, indicate that the handshake isn't done yet. * We can only get here in non-blocking mode. @@ -2069,6 +2094,9 @@ static int error_to_want(int error) case SSL_ERROR_WANT_WRITE: return SSL_WRITING; + case SSL_ERROR_WANT_RETRY_VERIFY: + return SSL_RETRY_VERIFY; + case SSL_ERROR_WANT_CLIENT_HELLO_CB: return SSL_CLIENT_HELLO_CB; diff --git a/ssl/quic/quic_tls.c b/ssl/quic/quic_tls.c index b0da216e37784..ff4c8dac0bc28 100644 --- a/ssl/quic/quic_tls.c +++ b/ssl/quic/quic_tls.c @@ -798,6 +798,9 @@ int ossl_quic_tls_tick(QUIC_TLS *qtls) switch (err) { case SSL_ERROR_WANT_READ: case SSL_ERROR_WANT_WRITE: + case SSL_ERROR_WANT_CLIENT_HELLO_CB: + case SSL_ERROR_WANT_X509_LOOKUP: + case SSL_ERROR_WANT_RETRY_VERIFY: ERR_pop_to_mark(); return 1; From 48724e8a205c732705c3f54a3bd43d7049e77774 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 31 Aug 2023 16:18:28 +0100 Subject: [PATCH 101/324] Add a test for QUIC non IO retry errors Test that errors such as SSL_ERROR_WANT_RETRY_VERIFY are properly handled by QUIC connections. Reviewed-by: Tomas Mraz Reviewed-by: Hugo Landau (Merged from https://github.com/openssl/openssl/pull/21922) --- .../quic-design/quic-fault-injector.md | 7 +++ test/helpers/quictestlib.c | 39 ++++++++++-- test/helpers/quictestlib.h | 7 +++ test/quicapitest.c | 59 +++++++++++++++++++ 4 files changed, 106 insertions(+), 6 deletions(-) diff --git a/doc/designs/quic-design/quic-fault-injector.md b/doc/designs/quic-design/quic-fault-injector.md index a60763518f02a..30db905ee84a6 100644 --- a/doc/designs/quic-design/quic-fault-injector.md 
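Review bot: The block `if (tls_wants_non_io_retry(qc)) { QUIC_RAISE_NORMAL_ERROR(ctx, SSL_get_error(qc->tls, 0)); return -1; }` is added twice in `quic_do_handshake()`, once in the blocking branch and once before the non-blocking fallthrough. Both copies recover the retry code by calling `SSL_get_error()` with a made-up return value of 0. A small static helper that performs the check and the raise would keep the two paths in step and give one place to document why 0 is passed. The set of retry conditions is also spelled out three times in this commit, in `tls_wants_non_io_retry()`, in `error_to_want()` and in the switch in `ossl_quic_tls_tick()`, so a cross-referencing comment would help when another code is added.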
+++ b/doc/designs/quic-design/quic-fault-injector.md @@ -228,6 +228,13 @@ void ossl_quic_fault_free(OSSL_QUIC_FAULT *fault); */ int qtest_create_quic_connection(QUIC_TSERVER *qtserv, SSL *clientssl); +/* + * Same as qtest_create_quic_connection but will stop (successfully) if the + * clientssl indicates SSL_ERROR_WANT_XXX as specified by |wanterr| + */ +int qtest_create_quic_connection_ex(QUIC_TSERVER *qtserv, SSL *clientssl, + int wanterr); + /* * Confirm that the server has received the given transport error code. */ diff --git a/test/helpers/quictestlib.c b/test/helpers/quictestlib.c index 2dbbb435bbabb..2fcb4bdb6f83e 100644 --- a/test/helpers/quictestlib.c +++ b/test/helpers/quictestlib.c @@ -239,6 +239,7 @@ int qtest_supports_blocking(void) #if defined(OPENSSL_THREADS) && !defined(CRYPTO_TDEBUG) static int globserverret = 0; +static TSAN_QUALIFIER int abortserverthread = 0; static QUIC_TSERVER *globtserv; static const thread_t thread_zero; @@ -253,7 +254,8 @@ static void run_server_thread(void) } #endif -int qtest_create_quic_connection(QUIC_TSERVER *qtserv, SSL *clientssl) +int qtest_create_quic_connection_ex(QUIC_TSERVER *qtserv, SSL *clientssl, + int wanterr) { int retc = -1, rets = 0, abortctr = 0, ret = 0; int clienterr = 0, servererr = 0; @@ -263,6 +265,9 @@ int qtest_create_quic_connection(QUIC_TSERVER *qtserv, SSL *clientssl) * t uninitialised */ thread_t t = thread_zero; + + if (clientssl != NULL) + abortserverthread = 0; #endif if (!TEST_ptr(qtserv)) { 
@@ -295,10 +300,21 @@ int qtest_create_quic_connection(QUIC_TSERVER *qtserv, SSL *clientssl) if (retc <= 0) { err = SSL_get_error(clientssl, retc); - if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE) { - TEST_info("SSL_connect() failed %d, %d", retc, err); - TEST_openssl_errors(); - clienterr = 1; + if (err == wanterr) { + retc = 1; +#if defined(OPENSSL_THREADS) && !defined(CRYPTO_TDEBUG) + if (qtserv == NULL && rets > 0) + tsan_store(&abortserverthread, 1); + else +#endif + rets = 1; + } else { + if (err != SSL_ERROR_WANT_READ + && err != SSL_ERROR_WANT_WRITE) { + TEST_info("SSL_connect() failed %d, %d", retc, err); + TEST_openssl_errors(); + clienterr = 1; + } } } } @@ -312,6 +328,7 @@ int qtest_create_quic_connection(QUIC_TSERVER *qtserv, SSL *clientssl) */ if (!clienterr && retc <= 0) SSL_handle_events(clientssl); + if (!servererr && rets <= 0) { qtest_add_time(1); ossl_quic_tserver_tick(qtserv); @@ -327,7 +344,12 @@ int qtest_create_quic_connection(QUIC_TSERVER *qtserv, SSL *clientssl) TEST_info("No progress made"); goto err; } - } while ((retc <= 0 && !clienterr) || (rets <= 0 && !servererr)); + } while ((retc <= 0 && !clienterr) + || (rets <= 0 && !servererr +#if defined(OPENSSL_THREADS) && !defined(CRYPTO_TDEBUG) + && !tsan_load(&abortserverthread) +#endif + )); if (qtserv == NULL && rets > 0) { #if defined(OPENSSL_THREADS) && !defined(CRYPTO_TDEBUG) @@ -345,6 +367,11 @@ int qtest_create_quic_connection(QUIC_TSERVER *qtserv, SSL *clientssl) return ret; } +int qtest_create_quic_connection(QUIC_TSERVER *qtserv, SSL *clientssl) +{ + return qtest_create_quic_connection_ex(qtserv, clientssl, SSL_ERROR_NONE); +} + #if defined(OPENSSL_THREADS) && !defined(CRYPTO_TDEBUG) static TSAN_QUALIFIER int shutdowndone; diff --git a/test/helpers/quictestlib.h b/test/helpers/quictestlib.h index cfda1b29b5fb9..fb1c5d88b534d 100644 --- a/test/helpers/quictestlib.h +++ b/test/helpers/quictestlib.h 
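Review bot: The `err == wanterr` branch has an unbraced `if … else` whose `else` sits inside the `#if defined(OPENSSL_THREADS)` region while its body `rets = 1;` sits after the `#endif`. The statement therefore parses differently in the two build configurations, and adding a second statement to either arm would change behaviour silently. Bracing both arms, as in the excerpt below, keeps the logic identical and makes the structure explicit. The plain store `abortserverthread = 0;` in the earlier hunk could also use `tsan_store()` to match the `tsan_load()`/`tsan_store()` used elsewhere for this variable. The function body begins before this hunk.

```c
            if (err == wanterr) {
                retc = 1;
#if defined(OPENSSL_THREADS) && !defined(CRYPTO_TDEBUG)
                if (qtserv == NULL && rets > 0) {
                    tsan_store(&abortserverthread, 1);
                } else
#endif
                {
                    rets = 1;
                }
            } else {
                /* … unchanged: WANT_READ / WANT_WRITE handling and clienterr … */
            }
```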
@@ -62,6 +62,13 @@ int qtest_supports_blocking(void); */ int qtest_create_quic_connection(QUIC_TSERVER *qtserv, SSL *clientssl); +/* + * Same as qtest_create_quic_connection but will stop (successfully) if the + * clientssl indicates SSL_ERROR_WANT_XXX as specified by |wanterr| + */ +int qtest_create_quic_connection_ex(QUIC_TSERVER *qtserv, SSL *clientssl, + int wanterr); + /* * Shutdown the client SSL object gracefully */ diff --git a/test/quicapitest.c b/test/quicapitest.c index 83a048bc74480..5eff924527ee6 100644 --- a/test/quicapitest.c +++ b/test/quicapitest.c 
@@ -1003,6 +1003,64 @@ static int test_multiple_dgrams(void) return testresult; } +static int non_io_retry_cert_verify_cb(X509_STORE_CTX *ctx, void *arg) +{ + int idx = SSL_get_ex_data_X509_STORE_CTX_idx(); + SSL *ssl; + int *ctr = (int *)arg; + + /* this should not happen but check anyway */ + if (idx < 0 + || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL) + return 0; + + /* If this is the first time we've been called then retry */ + if (((*ctr)++) == 0) + return SSL_set_retry_verify(ssl); + + /* Otherwise do nothing - verification succeeds. Continue as normal */ + return 1; +} + +/* Test that we can handle a non-io related retry error + * Test 0: Non-blocking + * Test 1: Blocking + */ +static int test_non_io_retry(int idx) +{ + SSL_CTX *cctx; + SSL *clientquic = NULL; + QUIC_TSERVER *qtserv = NULL; + int testresult = 0; + int flags = 0, ctr = 0; + + if (idx >= 1 && !qtest_supports_blocking()) + return TEST_skip("Blocking tests not supported in this build"); + + cctx = SSL_CTX_new_ex(libctx, NULL, OSSL_QUIC_client_method()); + if (!TEST_ptr(cctx)) + goto err; + + SSL_CTX_set_cert_verify_callback(cctx, non_io_retry_cert_verify_cb, &ctr); + + flags = (idx >= 1) ? QTEST_FLAG_BLOCK : 0; + if (!TEST_true(qtest_create_quic_objects(libctx, cctx, NULL, cert, privkey, + flags, &qtserv, &clientquic, NULL)) + || !TEST_true(qtest_create_quic_connection_ex(qtserv, clientquic, + SSL_ERROR_WANT_RETRY_VERIFY)) + || !TEST_int_eq(SSL_want(clientquic), SSL_RETRY_VERIFY) + || !TEST_true(qtest_create_quic_connection(qtserv, clientquic))) + goto err; + + testresult = 1; + err: + SSL_free(clientquic); + ossl_quic_tserver_free(qtserv); + SSL_CTX_free(cctx); + + return testresult; +} + OPT_TEST_DECLARE_USAGE("provider config certsdir datadir\n") int setup_tests(void) @@ -1072,6 +1130,7 @@ int setup_tests(void) ADD_TEST(test_bio_ssl); ADD_TEST(test_back_pressure); ADD_TEST(test_multiple_dgrams); + ADD_ALL_TESTS(test_non_io_retry, 2); return 1; err: cleanup_tests(); 
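Review bot: test_non_io_retry never inspects `ctr` after the second connection attempt, so the test would still pass if the handshake completed without the verify callback being invoked again after the retry. Adding `|| !TEST_int_gt(ctr, 1)` after the final qtest_create_quic_connection() call in the condition chain would pin that the callback ran more than once. non_io_retry_cert_verify_cb also returns 1 on every later call without looking at the chain; a header comment such as `/* Test-only callback: performs no certificate chain validation */` would stop it being copied as a pattern for real verification code.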
From 59d87f6e7eb41018a2a17fef2198d3fcf04e63f4 Mon Sep 17 00:00:00 2001 From: Sumitra Sharma Date: Fri, 1 Sep 2023 15:52:47 +0530 Subject: [PATCH 102/324] Fix typo in openssl-pkeyutl(1) Changed "than" to "then" for improved clarity and correctness. CLA: trivial Fixes #21543 Signed-off-by: Sumitra Sharma Reviewed-by: Hugo Landau Reviewed-by: Tom Cosgrove (Merged from https://github.com/openssl/openssl/pull/21925) --- doc/man1/openssl-pkeyutl.pod.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/man1/openssl-pkeyutl.pod.in b/doc/man1/openssl-pkeyutl.pod.in index 4b8e3fc574a79..880cd3548afcb 100644 --- a/doc/man1/openssl-pkeyutl.pod.in +++ b/doc/man1/openssl-pkeyutl.pod.in @@ -301,7 +301,7 @@ These have the same meaning as the B algorithm with some additional restrictions. The padding mode can only be set to B which is the default value. -If the key has parameter restrictions than the digest, MGF1 +If the key has parameter restrictions then the digest, MGF1 digest and salt length are set to the values specified in the parameters. The digest and MG cannot be changed and the salt length cannot be set to a value less than the minimum restriction. From 5318c012885a5382eadbf95aa9c1d35664bca819 Mon Sep 17 00:00:00 2001 From: Sumitra Sharma Date: Fri, 1 Sep 2023 12:40:49 +0530 Subject: [PATCH 103/324] Replace ssl3_get_message() with tls_get_message_header() and/or tls_get_message_body() Update commit messages that previously used ssl3_get_message() to now use tls_get_message_header() and tls_get_message_body() due to the split in OpenSSL 1.1.0. CLA: trivial Fixes #21582 Signed-off-by: Sumitra Sharma Reviewed-by: Matt Caswell Reviewed-by: Tom Cosgrove Reviewed-by: Hugo Landau (Merged from https://github.com/openssl/openssl/pull/21886) --- ssl/record/rec_layer_d1.c | 2 +- ssl/record/rec_layer_s3.c | 3 ++- ssl/ssl_local.h | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) 
diff --git a/ssl/record/rec_layer_d1.c b/ssl/record/rec_layer_d1.c index 75ed6775cbce4..5dc8d12e76a98 100644 --- a/ssl/record/rec_layer_d1.c +++ b/ssl/record/rec_layer_d1.c @@ -170,7 +170,7 @@ static void dtls_unbuffer_record(SSL_CONNECTION *s) * Return up to 'len' payload bytes received in 'type' records. * 'type' is one of the following: * - * - SSL3_RT_HANDSHAKE (when ssl3_get_message calls us) + * - SSL3_RT_HANDSHAKE * - SSL3_RT_APPLICATION_DATA (when ssl3_read calls us) * - 0 (during a shutdown, no data has to be returned) * diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c index bf92a8e6ab6d1..29c5de88d418b 100644 --- a/ssl/record/rec_layer_s3.c +++ b/ssl/record/rec_layer_s3.c @@ -533,7 +533,8 @@ int ssl_release_record(SSL_CONNECTION *s, TLS_RECORD *rr, size_t length) * Return up to 'len' payload bytes received in 'type' records. * 'type' is one of the following: * - * - SSL3_RT_HANDSHAKE (when ssl3_get_message calls us) + * - SSL3_RT_HANDSHAKE (when tls_get_message_header and tls_get_message_body + * call us) * - SSL3_RT_APPLICATION_DATA (when ssl3_read calls us) * - 0 (during a shutdown, no data has to be returned) * diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index e2157ab68765b..29715781ee90e 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -1258,7 +1258,7 @@ struct ssl_connection_st { SSL_EARLY_DATA_STATE early_data_state; BUF_MEM *init_buf; /* buffer used during init */ void *init_msg; /* pointer to handshake message body, set by - * ssl3_get_message() */ + * tls_get_message_header() */ size_t init_num; /* amount read/written */ size_t init_off; /* amount read/written */ From 12d08fe3a50f28fe80ff591e05d7f8253148afb4 Mon Sep 17 00:00:00 2001 
From: Tom Cosgrove Date: Fri, 1 Sep 2023 08:41:11 +0100 Subject: [PATCH 104/324] Move ALIGN32 and ALIGN64 into common.h, and fix for clang-cl.exe clang-cl.exe defines __clang__ and _MSC_VER but not __GNUC__, so a clang- specific guard is needed to get the correct ALIGNxx versions. Fixes #21914 Change-Id: Icdc047b182ad1ba61c7b1b06a1e951eda1a0c33d Reviewed-by: Hugo Landau Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/21921) --- crypto/bn/rsaz_exp.c | 11 ++--------- crypto/ec/ecp_nistz256.c | 8 -------- crypto/ec/ecp_sm2p256.c | 12 +----------- include/internal/common.h | 35 +++++++++++++++++++++++------------ 4 files changed, 26 insertions(+), 40 deletions(-) diff --git a/crypto/bn/rsaz_exp.c b/crypto/bn/rsaz_exp.c index e44eae43be8df..844140720ccb1 100644 --- a/crypto/bn/rsaz_exp.c +++ b/crypto/bn/rsaz_exp.c @@ -13,6 +13,7 @@ */ #include +#include "internal/common.h" #include "rsaz_exp.h" #ifndef RSAZ_ENABLED @@ -31,16 +32,8 @@ void rsaz_1024_scatter5_avx2(void *tbl, const void *val, int i); void rsaz_1024_gather5_avx2(void *val, const void *tbl, int i); void rsaz_1024_red2norm_avx2(void *norm, const void *red); -#if defined(__GNUC__) -# define ALIGN64 __attribute__((aligned(64))) -#elif defined(_MSC_VER) -# define ALIGN64 __declspec(align(64)) -#elif defined(__SUNPRO_C) -# define ALIGN64 +#if defined(__SUNPRO_C) # pragma align 64(one,two80) -#else -/* not fatal, might hurt performance a little */ -# define ALIGN64 #endif ALIGN64 static const BN_ULONG one[40] = { diff --git a/crypto/ec/ecp_nistz256.c b/crypto/ec/ecp_nistz256.c index 44d9054a17198..8addb1e40c08b 100644 --- a/crypto/ec/ecp_nistz256.c +++ b/crypto/ec/ecp_nistz256.c 
@@ -37,14 +37,6 @@ # define TOBN(hi,lo) ((BN_ULONG)hi<<32|lo) #endif -#if defined(__GNUC__) -# define ALIGN32 __attribute((aligned(32))) -#elif defined(_MSC_VER) -# define ALIGN32 __declspec(align(32)) -#else -# define ALIGN32 -#endif - #define ALIGNPTR(p,N) ((unsigned char *)p+N-(size_t)p%N) #define P256_LIMBS (256/BN_BITS2) diff --git a/crypto/ec/ecp_sm2p256.c b/crypto/ec/ecp_sm2p256.c index 49fab47187a5b..6ec42455299b3 100644 --- a/crypto/ec/ecp_sm2p256.c +++ b/crypto/ec/ecp_sm2p256.c @@ -18,19 +18,9 @@ #include #include "crypto/bn.h" #include "ec_local.h" +#include "internal/common.h" #include "internal/constant_time.h" -#if defined(__GNUC__) -# define ALIGN32 __attribute((aligned(32))) -# define ALIGN64 __attribute((aligned(64))) -#elif defined(_MSC_VER) -# define ALIGN32 __declspec(align(32)) -# define ALIGN64 __declspec(align(64)) -#else -# define ALIGN32 -# define ALIGN64 -#endif - #define P256_LIMBS (256 / BN_BITS2) #if !defined(OPENSSL_NO_SM2_PRECOMP) diff --git a/include/internal/common.h b/include/internal/common.h index 204e7c3eecd37..ce4a4e3086021 100644 --- a/include/internal/common.h +++ b/include/internal/common.h 
@@ -18,17 +18,28 @@ # include "internal/e_os.h" /* ossl_inline in many files */ # include "internal/nelem.h" -#if defined(__GNUC__) || defined(__clang__) - #define likely(x) __builtin_expect(!!(x), 1) - #define unlikely(x) __builtin_expect(!!(x), 0) -#else - #define likely(x) x - #define unlikely(x) x -#endif +# if defined(__GNUC__) || defined(__clang__) +# define likely(x) __builtin_expect(!!(x), 1) +# define unlikely(x) __builtin_expect(!!(x), 0) +# else +# define likely(x) x +# define unlikely(x) x +# endif -#ifdef NDEBUG -# define ossl_assert(x) ((x) != 0) -#else +# if defined(__GNUC__) || defined(__clang__) +# define ALIGN32 __attribute((aligned(32))) +# define ALIGN64 __attribute((aligned(64))) +# elif defined(_MSC_VER) +# define ALIGN32 __declspec(align(32)) +# define ALIGN64 __declspec(align(64)) +# else +# define ALIGN32 +# define ALIGN64 +# endif + +# ifdef NDEBUG +# define ossl_assert(x) ((x) != 0) +# else __owur static ossl_inline int ossl_assert_int(int expr, const char *exprstr, const char *file, int line) { @@ -38,10 +49,10 @@ __owur static ossl_inline int ossl_assert_int(int expr, const char *exprstr, return expr; } -# define ossl_assert(x) ossl_assert_int((x) != 0, "Assertion failed: "#x, \ +# define ossl_assert(x) ossl_assert_int((x) != 0, "Assertion failed: "#x, \ __FILE__, __LINE__) -#endif +# endif /* Check if |pre|, which must be a string literal, is a prefix of |str| */ #define HAS_PREFIX(str, pre) (strncmp(str, pre "", sizeof(pre) - 1) == 0) From 61cfc22b60e33bc77b1e1944759af48c8e58f0d2 Mon Sep 17 00:00:00 2001 
From: Neil Horman Date: Mon, 28 Aug 2023 12:07:16 -0400 Subject: [PATCH 105/324] Implement dupctx for chacha20 cipher Implement the dupctx method for the chacha20 cipher, so that EVP_PKEY_CTX_copy works Its pretty straightforward, its basically just a memdup. Checking the pointers that might need fixing up: in PROV_CHACHA20_CTX all members are statically declared, so memduping should be fine in PROV_CHACHA20_CTX->base (PROV_CIPHER_CTX): Non statically declared members: *tlsmac needs to get memduped to avoid double free conditions, but only if base.alloced is set *hw pointer is always assigned to the chacha20_hw global variable, so can be left alone *libctx can be left alone as provctx is always NULL in chacha20_newctx *ks appears unused by chacha20, so can be ignored Fixes #20978 Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz Reviewed-by: Shane Lontis Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/21878) --- .../implementations/ciphers/cipher_chacha20.c | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/providers/implementations/ciphers/cipher_chacha20.c b/providers/implementations/ciphers/cipher_chacha20.c index 41aa056c2dc03..49e36ba1a9777 100644 --- a/providers/implementations/ciphers/cipher_chacha20.c +++ b/providers/implementations/ciphers/cipher_chacha20.c @@ -21,6 +21,7 @@ static OSSL_FUNC_cipher_newctx_fn chacha20_newctx; static OSSL_FUNC_cipher_freectx_fn chacha20_freectx; +static OSSL_FUNC_cipher_dupctx_fn chacha20_dupctx; static OSSL_FUNC_cipher_get_params_fn chacha20_get_params; static OSSL_FUNC_cipher_get_ctx_params_fn chacha20_get_ctx_params; static OSSL_FUNC_cipher_set_ctx_params_fn chacha20_set_ctx_params; 
@@ -64,6 +65,25 @@ static void chacha20_freectx(void *vctx) } } +static void *chacha20_dupctx(void *vctx) +{ + PROV_CHACHA20_CTX *ctx = (PROV_CHACHA20_CTX *)vctx; + PROV_CHACHA20_CTX *dupctx = NULL; + + if (ctx != NULL) { + dupctx = OPENSSL_memdup(ctx, sizeof(*dupctx)); + if (dupctx != NULL && dupctx->base.tlsmac != NULL && dupctx->base.alloced) { + dupctx->base.tlsmac = OPENSSL_memdup(dupctx->base.tlsmac, + dupctx->base.tlsmacsize); + if (dupctx->base.tlsmac == NULL) { + OPENSSL_free(dupctx); + dupctx = NULL; + } + } + } + return dupctx; +} + static int chacha20_get_params(OSSL_PARAM params[]) { return ossl_cipher_generic_get_params(params, 0, CHACHA20_FLAGS, @@ -187,6 +207,7 @@ int ossl_chacha20_dinit(void *vctx, const unsigned char *key, size_t keylen, const OSSL_DISPATCH ossl_chacha20_functions[] = { { OSSL_FUNC_CIPHER_NEWCTX, (void (*)(void))chacha20_newctx }, { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))chacha20_freectx }, + { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void))chacha20_dupctx }, { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))ossl_chacha20_einit }, { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))ossl_chacha20_dinit }, { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))chacha20_update }, From 3859a027259b5b571eaf5e8cf4c0704611950c2c Mon Sep 17 00:00:00 2001 
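Review bot: When the second OPENSSL_memdup() fails in chacha20_dupctx, `OPENSSL_free(dupctx)` releases a byte-for-byte copy of the cipher context, which presumably holds key state, without wiping it first. `OPENSSL_clear_free(dupctx, sizeof(*dupctx));` avoids leaving that copy in freed heap memory; the body of chacha20_freectx is not visible in this hunk, so the error path should at least match whatever cleansing it does. A short comment above the tlsmac copy, for example `/* tlsmac is only owned by the ctx when alloced is set, so deep-copy it */`, would record the ownership reasoning that currently lives only in the commit message.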
From: slontis Date: Mon, 28 Aug 2023 12:47:51 +1000 Subject: [PATCH 106/324] Change PBES2 KDF default salt length to 16 bytes. The PKCS5 (RFC 8018) standard uses a 64 bit salt length for PBE, and recommends a minimum of 64 bits for PBES2. For FIPS compliance PBKDF2 requires a salt length of 128 bits. This affects OpenSSL command line applications such as "genrsa" and "pkcs8" and API's such as PEM_write_bio_PrivateKey() that are reliant on the default salt length. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/21858) --- CHANGES.md | 10 +++++++ crypto/asn1/p5_pbe.c | 3 +- crypto/asn1/p5_pbev2.c | 3 +- crypto/asn1/p5_scrypt.c | 2 +- doc/man3/PKCS5_PBE_keyivgen.pod | 12 +++++++- include/crypto/evp.h | 9 ++++++ test/recipes/15-test_genrsa.t | 9 +++++- test/recipes/25-test_pkcs8.t | 53 ++++++++++++++++++++++++++++++++- 8 files changed, 95 insertions(+), 6 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 78e74c41fa1f8..8f1e757f8ca5e 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -25,6 +25,16 @@ OpenSSL 3.2 ### Changes between 3.1 and 3.2 [xx XXX xxxx] + * Changed the default salt length used by PBES2 KDF's (PBKDF2 and scrypt) + from 8 bytes to 16 bytes. + The PKCS5 (RFC 8018) standard uses a 64 bit salt length for PBE, and + recommends a minimum of 64 bits for PBES2. For FIPS compliance PBKDF2 + requires a salt length of 128 bits. This affects OpenSSL command line + applications such as "genrsa" and "pkcs8" and API's such as + PEM_write_bio_PrivateKey() that are reliant on the default value. + + *Shane Lontis* + * Changed the default value of the `ess_cert_id_alg` configuration option which is used to calculate the TSA's public key certificate identifier. The default algorithm is updated to be sha256 instead diff --git a/crypto/asn1/p5_pbe.c b/crypto/asn1/p5_pbe.c index 13b3f19bae89b..c595973fe5166 100644 --- a/crypto/asn1/p5_pbe.c +++ b/crypto/asn1/p5_pbe.c 
@@ -12,6 +12,7 @@ #include #include #include +#include "crypto/evp.h" /* PKCS#5 password based encryption structure */ @@ -45,7 +46,7 @@ int PKCS5_pbe_set0_algor_ex(X509_ALGOR *algor, int alg, int iter, goto err; } if (!saltlen) - saltlen = PKCS5_SALT_LEN; + saltlen = PKCS5_DEFAULT_PBE1_SALT_LEN; if (saltlen < 0) goto err; diff --git a/crypto/asn1/p5_pbev2.c b/crypto/asn1/p5_pbev2.c index e710cf3c35813..c188a08a6eb23 100644 --- a/crypto/asn1/p5_pbev2.c +++ b/crypto/asn1/p5_pbev2.c @@ -10,6 +10,7 @@ #include #include "internal/cryptlib.h" #include "crypto/asn1.h" +#include "crypto/evp.h" #include #include #include @@ -196,7 +197,7 @@ X509_ALGOR *PKCS5_pbkdf2_set_ex(int iter, unsigned char *salt, int saltlen, goto err; } if (saltlen == 0) - saltlen = PKCS5_SALT_LEN; + saltlen = PKCS5_DEFAULT_PBE2_SALT_LEN; if ((osalt->data = OPENSSL_malloc(saltlen)) == NULL) goto err; diff --git a/crypto/asn1/p5_scrypt.c b/crypto/asn1/p5_scrypt.c index 94b77fd3ab297..d6ec2445fa1b6 100644 --- a/crypto/asn1/p5_scrypt.c +++ b/crypto/asn1/p5_scrypt.c @@ -166,7 +166,7 @@ static X509_ALGOR *pkcs5_scrypt_set(const unsigned char *salt, size_t saltlen, } if (!saltlen) - saltlen = PKCS5_SALT_LEN; + saltlen = PKCS5_DEFAULT_PBE2_SALT_LEN; /* This will either copy salt or grow the buffer */ if (ASN1_STRING_set(sparam->salt, salt, saltlen) == 0) { diff --git a/doc/man3/PKCS5_PBE_keyivgen.pod b/doc/man3/PKCS5_PBE_keyivgen.pod index 72de3153b97de..f697628db13bb 100644 --- a/doc/man3/PKCS5_PBE_keyivgen.pod +++ b/doc/man3/PKCS5_PBE_keyivgen.pod 
@@ -127,6 +127,12 @@ associated parameters for the PBKDF2 algorithm. PKCS5_pbe_set0_algor() and PKCS5_pbe_set0_algor_ex() set the PBE algorithm OID and parameters into the supplied B. +If I is NULL, then I specifies the size in bytes of the random salt to +generate. If I is 0 then a default size is used. +For PBE related functions such as PKCS5_pbe_set_ex() the default salt length is 8 bytes. +For PBE2 related functions that use PBKDF2 such as PKCS5_pbkdf2_set(), +PKCS5_pbe2_set_scrypt() and PKCS5_pbe2_set() the default salt length is 16 bytes. + =head1 NOTES The *_keyivgen() functions are typically used in PKCS#12 to encrypt objects. @@ -165,9 +171,13 @@ PKCS5_pbkdf2_set_ex() were added in OpenSSL 3.0. From OpenSSL 3.0 the PBKDF1 algorithm used in PKCS5_PBE_keyivgen() and PKCS5_PBE_keyivgen_ex() has been moved to the legacy provider as an EVP_KDF. +In OpenSSL 3.2 the default salt length changed from 8 bytes to 16 bytes for PBE2 +related functions such as PKCS5_pbe2_set(). +This is required for PBKDF2 FIPS compliance. + =head1 COPYRIGHT -Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/include/crypto/evp.h b/include/crypto/evp.h index 566b7889dbcfc..9605c9daa53ff 100644 --- a/include/crypto/evp.h +++ b/include/crypto/evp.h 
@@ -16,6 +16,15 @@ # include "internal/refcount.h" # include "crypto/ecx.h" +/* + * Default PKCS5 PBE KDF salt lengths + * In RFC 8018, PBE1 uses 8 bytes (64 bits) for its salt length. + * It also specifies to use at least 8 bytes for PBES2. + * The NIST requirement for PBKDF2 is 128 bits so we use this as the + * default for PBE2 (scrypt and HKDF2) + */ +# define PKCS5_DEFAULT_PBE1_SALT_LEN PKCS5_SALT_LEN +# define PKCS5_DEFAULT_PBE2_SALT_LEN 16 /* * Don't free up md_ctx->pctx in EVP_MD_CTX_reset, use the reserved flag * values in evp.h diff --git a/test/recipes/15-test_genrsa.t b/test/recipes/15-test_genrsa.t index fe99f3369490c..5632efe5fc5c2 100644 --- a/test/recipes/15-test_genrsa.t +++ b/test/recipes/15-test_genrsa.t @@ -25,7 +25,7 @@ my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); plan tests => ($no_fips ? 0 : 5) # Extra FIPS related tests - + 15; + + 16; # We want to know that an absurdly small number of bits isn't support is(run(app([ 'openssl', 'genpkey', '-out', 'genrsatest.pem', @@ -106,6 +106,13 @@ ok(run(app([ 'openssl', 'rsa', '-check', '-in', 'genrsatest.pem', '-noout' ])), ok(run(app([ 'openssl', 'rsa', '-in', 'genrsatest.pem', '-out', 'genrsatest-enc.pem', '-aes256', '-passout', 'pass:x' ])), "rsa encrypt"); +# Check the default salt length for PBKDF2 is 16 bytes +# We expect the output to be of the form "0:d=0 hl=2 l= 16 prim: OCTET STRING [HEX DUMP]:FAC7F37508E6B7A805BF4B13861B3687" +# i.e. 2 byte header + 16 byte salt. +ok(run(app(([ 'openssl', 'asn1parse', + '-in', 'genrsatest-enc.pem', + '-offset', '34', '-length', '18']))), + "Check the default size of the PBKDF2 PARAM 'salt length' is 16"); ok(run(app([ 'openssl', 'rsa', '-in', 'genrsatest-enc.pem', '-passin', 'pass:x' ])), "rsa decrypt"); diff --git a/test/recipes/25-test_pkcs8.t b/test/recipes/25-test_pkcs8.t index 299a56b85222a..7a06be19e4e59 100644 --- a/test/recipes/25-test_pkcs8.t +++ b/test/recipes/25-test_pkcs8.t 
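Review bot: The comment added above `PKCS5_DEFAULT_PBE2_SALT_LEN` in include/crypto/evp.h names "scrypt and HKDF2" as the PBE2 KDFs, while CHANGES.md and the man page in the same commit speak of PBKDF2 and scrypt, so "HKDF2" looks like a typo. Suggested last line of the comment: `* default for PBE2 (scrypt and PBKDF2)`. These macros decide the default salt size for password-based private key encryption, so the comment should name the KDFs they actually apply to.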
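Review bot: The asn1parse check added to test/recipes/15-test_genrsa.t only tests that the command exits successfully; nothing compares its output with the expected `l=  16` OCTET STRING, so it is not evident that a regression of the default salt length back to 8 bytes would make the test fail. Capturing the output, for example with `run(app([...]), capture => 1)`, and matching it against a pattern such as `/l=\s*16 prim:\s*OCTET STRING/` would pin the length itself. The salt-length checks added to test/recipes/25-test_pkcs8.t follow the same exit-status-only pattern, and one of their comments shows `l= 8` next to "16 byte salt".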
@@ -15,7 +15,58 @@ use OpenSSL::Test qw/:DEFAULT srctop_file ok_nofips is_nofips/; setup("test_pkcs8"); -plan tests => 3; +plan tests => 9; + +ok(run(app(([ 'openssl', 'pkcs8', '-topk8', + '-in', srctop_file('test', 'certs', 'pc5-key.pem'), + '-out', 'pbkdf2_default_saltlen.pem', + '-passout', 'pass:password']))), + "Convert a private key to PKCS5 v2.0 format using PBKDF2 with the default saltlen"); + +# We expect the output to be of the form "0:d=0 hl=2 l= 16 prim: OCTET STRING [HEX DUMP]:FAC7F37508E6B7A805BF4B13861B3687" +# i.e. 2 byte header + 16 byte salt. +ok(run(app(([ 'openssl', 'asn1parse', + '-in', 'pbkdf2_default_saltlen.pem', + '-offset', '34', '-length', '18']))), + "Check the default size of the PBKDF2 PARAM 'salt length' is 16"); + +SKIP: { + skip "scrypt is not supported by this OpenSSL build", 2 + if disabled("scrypt"); + + ok(run(app(([ 'openssl', 'pkcs8', '-topk8', + '-in', srctop_file('test', 'certs', 'pc5-key.pem'), + '-scrypt', + '-out', 'scrypt_default_saltlen.pem', + '-passout', 'pass:password']))), + "Convert a private key to PKCS5 v2.0 format using scrypt with the default saltlen"); + +# We expect the output to be of the form "0:d=0 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:FAC7F37508E6B7A805BF4B13861B3687" +# i.e. 2 byte header + 16 byte salt. 
+ ok(run(app(([ 'openssl', 'asn1parse', + '-in', 'scrypt_default_saltlen.pem', + '-offset', '34', '-length', '18']))), + "Check the default size of the SCRYPT PARAM 'salt length' = 16"); +} + +SKIP: { + skip "legacy provider is not supported by this OpenSSL build", 2 + if disabled('legacy') || disabled("des"); + + ok(run(app(([ 'openssl', 'pkcs8', '-topk8', + '-in', srctop_file('test', 'certs', 'pc5-key.pem'), + '-v1', "PBE-MD5-DES", + '-provider', 'legacy', + '-provider', 'default', + '-out', 'pbe1.pem', + '-passout', 'pass:password']))), + "Convert a private key to PKCS5 v1.5 format using pbeWithMD5AndDES-CBC with the default saltlen"); + + ok(run(app(([ 'openssl', 'asn1parse', + '-in', 'pbe1.pem', + '-offset', '19', '-length', '10']))), + "Check the default size of the PBE PARAM 'salt length' = 8"); +}; SKIP: { skip "SM2, SM3 or SM4 is not supported by this OpenSSL build", 3 From 9f679bdc71aac83e89cc5aacb42855f3657ace39 Mon Sep 17 00:00:00 2001 From: slontis Date: Thu, 31 Aug 2023 17:49:55 +1000 Subject: [PATCH 107/324] Added a 'saltlen' option to the openssl pkcs8 command line app. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/21858) --- apps/pkcs8.c | 20 ++++++++++---- doc/man1/openssl-pkcs8.pod.in | 7 +++++ test/recipes/25-test_pkcs8.t | 52 +++++++++++++++++++++++++++++++++-- 3 files changed, 71 insertions(+), 8 deletions(-) diff --git a/apps/pkcs8.c b/apps/pkcs8.c index e3932245f39db..7b5e79966bacc 100644 --- a/apps/pkcs8.c +++ b/apps/pkcs8.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -17,6 +17,9 @@ #include #include +#define STR(a) XSTR(a) +#define XSTR(a) #a + typedef enum OPTION_choice { OPT_COMMON, OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_IN, OPT_OUT, @@ -26,6 +29,7 @@ typedef enum OPTION_choice { #endif OPT_V2, OPT_V1, OPT_V2PRF, OPT_ITER, OPT_PASSIN, OPT_PASSOUT, OPT_TRADITIONAL, + OPT_SALTLEN, OPT_R_ENUM, OPT_PROV_ENUM } OPTION_CHOICE; @@ -53,7 +57,8 @@ const OPTIONS pkcs8_options[] = { {"traditional", OPT_TRADITIONAL, '-', "use traditional format private key"}, {"iter", OPT_ITER, 'p', "Specify the iteration count"}, {"noiter", OPT_NOITER, '-', "Use 1 as iteration count"}, - + {"saltlen", OPT_SALTLEN, 'p', "Specify the salt length (in bytes)"}, + {OPT_MORE_STR, 0, 0, "Default: 8 (For PBE1) or 16 (for PBE2)"}, #ifndef OPENSSL_NO_SCRYPT OPT_SECTION("Scrypt"), {"scrypt", OPT_SCRYPT, '-', "Use scrypt algorithm"}, @@ -88,6 +93,7 @@ int pkcs8_main(int argc, char **argv) #ifndef OPENSSL_NO_SCRYPT long scrypt_N = 0, scrypt_r = 0, scrypt_p = 0; #endif + int saltlen = 0; /* A value of zero chooses the default */ prog = opt_init(argc, argv, pkcs8_options); while ((o = opt_next()) != OPT_EOF) { @@ -189,6 +195,10 @@ int pkcs8_main(int argc, char **argv) goto opthelp; break; #endif + case OPT_SALTLEN: + if (!opt_int(opt_arg(), &saltlen)) + goto opthelp; + break; } } @@ -245,14 +255,14 @@ int pkcs8_main(int argc, char **argv) if (cipher) { #ifndef OPENSSL_NO_SCRYPT if (scrypt_N && scrypt_r && scrypt_p) - pbe = PKCS5_pbe2_set_scrypt(cipher, NULL, 0, NULL, + pbe = PKCS5_pbe2_set_scrypt(cipher, NULL, saltlen, NULL, scrypt_N, scrypt_r, scrypt_p); else #endif - pbe = PKCS5_pbe2_set_iv(cipher, iter, NULL, 0, NULL, + pbe = PKCS5_pbe2_set_iv(cipher, iter, NULL, saltlen, NULL, pbe_nid); } else { - pbe = PKCS5_pbe_set(pbe_nid, iter, NULL, 0); + pbe = PKCS5_pbe_set(pbe_nid, iter, NULL, saltlen); } if (pbe == NULL) { BIO_printf(bio_err, "Error setting PBE algorithm\n"); 
diff --git a/doc/man1/openssl-pkcs8.pod.in b/doc/man1/openssl-pkcs8.pod.in index 2af61203e9a75..bf87c590c79b7 100644 --- a/doc/man1/openssl-pkcs8.pod.in +++ b/doc/man1/openssl-pkcs8.pod.in @@ -27,6 +27,7 @@ B B [B<-scrypt_N> I] [B<-scrypt_r> I] [B<-scrypt_p> I

] +[B<-saltlen> I] {- $OpenSSL::safe::opt_r_synopsis -} {- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -} @@ -148,6 +149,12 @@ B<-scrypt_p> and B<-v2> options. Sets the scrypt I, I or I

parameters. +=item B<-saltlen> + +Sets the length (in bytes) of the salt to use for the PBE algorithm. +If this value is not specified, the default for PBES2 is 16 (128 bits) +and 8 (64 bits) for PBES1. + {- $OpenSSL::safe::opt_r_item -} {- $OpenSSL::safe::opt_engine_item -} diff --git a/test/recipes/25-test_pkcs8.t b/test/recipes/25-test_pkcs8.t index 7a06be19e4e59..2f7ea1e1ae0c2 100644 --- a/test/recipes/25-test_pkcs8.t +++ b/test/recipes/25-test_pkcs8.t @@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file ok_nofips is_nofips/; setup("test_pkcs8"); -plan tests => 9; +plan tests => 15; ok(run(app(([ 'openssl', 'pkcs8', '-topk8', '-in', srctop_file('test', 'certs', 'pc5-key.pem'), @@ -31,7 +31,7 @@ ok(run(app(([ 'openssl', 'asn1parse', "Check the default size of the PBKDF2 PARAM 'salt length' is 16"); SKIP: { - skip "scrypt is not supported by this OpenSSL build", 2 + skip "scrypt is not supported by this OpenSSL build", 4 if disabled("scrypt"); ok(run(app(([ 'openssl', 'pkcs8', '-topk8', 
@@ -47,10 +47,25 @@ SKIP: { '-in', 'scrypt_default_saltlen.pem', '-offset', '34', '-length', '18']))), "Check the default size of the SCRYPT PARAM 'salt length' = 16"); + + ok(run(app(([ 'openssl', 'pkcs8', '-topk8', + '-in', srctop_file('test', 'certs', 'pc5-key.pem'), + '-scrypt', + '-saltlen', '8', + '-out', 'scrypt_64bit_saltlen.pem', + '-passout', 'pass:password']))), + "Convert a private key to PKCS5 v2.0 format using scrypt with a salt length of 8 bytes"); + +# We expect the output to be of the form "0:d=0 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:3C1147976A2B61CA" +# i.e. 2 byte header + 8 byte salt. + ok(run(app(([ 'openssl', 'asn1parse', + '-in', 'scrypt_64bit_saltlen.pem', + '-offset', '34', '-length', '10']))), + "Check the size of the SCRYPT PARAM 'salt length' is 8"); } SKIP: { - skip "legacy provider is not supported by this OpenSSL build", 2 + skip "legacy provider is not supported by this OpenSSL build", 4 if disabled('legacy') || disabled("des"); ok(run(app(([ 'openssl', 'pkcs8', '-topk8', 
@@ -66,8 +81,39 @@ SKIP: { '-in', 'pbe1.pem', '-offset', '19', '-length', '10']))), "Check the default size of the PBE PARAM 'salt length' = 8"); + + ok(run(app(([ 'openssl', 'pkcs8', '-topk8', + '-in', srctop_file('test', 'certs', 'pc5-key.pem'), + '-v1', "PBE-MD5-DES", + '-saltlen', '16', + '-provider', 'legacy', + '-provider', 'default', + '-out', 'pbe1_128bitsalt.pem', + '-passout', 'pass:password']))), + "Convert a private key to PKCS5 v1.5 format using pbeWithMD5AndDES-CBC with the 16 byte saltlen"); + + ok(run(app(([ 'openssl', 'asn1parse', + '-in', 'pbe1_128bitsalt.pem', + '-offset', '19', '-length', '18']))), + "Check the size of the PBE PARAM 'salt length' = 16"); }; + +ok(run(app(([ 'openssl', 'pkcs8', '-topk8', + '-in', srctop_file('test', 'certs', 'pc5-key.pem'), + '-saltlen', '8', + '-out', 'pbkdf2_64bit_saltlen.pem', + '-passout', 'pass:password']))), + "Convert a private key to PKCS5 v2.0 format using pbkdf2 with a salt length of 8 bytes"); + +# We expect the output to be of the form "0:d=0 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:3C1147976A2B61CA" +# i.e. 2 byte header + 8 byte salt. +ok(run(app(([ 'openssl', 'asn1parse', + '-in', 'pbkdf2_64bit_saltlen.pem', + '-offset', '34', '-length', '10']))), + "Check the size of the PBKDF2 PARAM 'salt length' is 8"); + + SKIP: { skip "SM2, SM3 or SM4 is not supported by this OpenSSL build", 3 if disabled("sm2") || disabled("sm3") || disabled("sm4"); From e3994583a1e4bde9a589c379520d216bc0a0c515 Mon Sep 17 00:00:00 2001 
From: slontis Date: Thu, 31 Aug 2023 17:51:46 +1000 Subject: [PATCH 108/324] Added 'saltlen' option to the OpenSSL enc command line app. This allows PBKDF2 to change the saltlen to something other than the new default value of 16. Previously this app hardwired the salt length to a maximum of 8 bytes. Non PBKDF2 mode uses EVP_BytesToKey() internally, which is documented to only allow 8 bytes. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/21858) --- CHANGES.md | 3 +++ apps/enc.c | 28 ++++++++++++++++++++-------- doc/man1/openssl-enc.pod.in | 17 +++++++++++++++-- test/recipes/20-test_enc.t | 20 +++++++++++++++++++- test/recipes/25-test_pkcs8.t | 2 +- 5 files changed, 58 insertions(+), 12 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 8f1e757f8ca5e..974e549486017 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -32,6 +32,9 @@ OpenSSL 3.2 requires a salt length of 128 bits. This affects OpenSSL command line applications such as "genrsa" and "pkcs8" and API's such as PEM_write_bio_PrivateKey() that are reliant on the default value. + The additional commandline option 'saltlen' has been added to the + OpenSSL command line applications for "pkcs8" and "enc" to allow the + salt length to be set to a non default value. *Shane Lontis* diff --git a/apps/enc.c b/apps/enc.c index 58994e1d3e75b..a3b17da08d652 100644 --- a/apps/enc.c +++ b/apps/enc.c @@ -49,7 +49,7 @@ typedef enum OPTION_choice { OPT_NOPAD, OPT_SALT, OPT_NOSALT, OPT_DEBUG, OPT_UPPER_P, OPT_UPPER_A, OPT_A, OPT_Z, OPT_BUFSIZE, OPT_K, OPT_KFILE, OPT_UPPER_K, OPT_NONE, OPT_UPPER_S, OPT_IV, OPT_MD, OPT_ITER, OPT_PBKDF2, OPT_CIPHER, - OPT_R_ENUM, OPT_PROV_ENUM + OPT_SALTLEN, OPT_R_ENUM, OPT_PROV_ENUM } OPTION_CHOICE; const OPTIONS enc_options[] = { 
@@ -100,6 +100,8 @@ const OPTIONS enc_options[] = { {OPT_MORE_STR, 0, 0, "Use -iter to change the iteration count from " STR(PBKDF2_ITER_DEFAULT)}, {"none", OPT_NONE, '-', "Don't encrypt"}, + {"saltlen", OPT_SALTLEN, 'p', "Specify the PBKDF2 salt length (in bytes)"}, + {OPT_MORE_STR, 0, 0, "Default: 16"}, #ifndef OPENSSL_NO_ZLIB {"z", OPT_Z, '-', "Compress or decompress encrypted data using zlib"}, #endif @@ -132,7 +134,8 @@ int enc_main(int argc, char **argv) int base64 = 0, informat = FORMAT_BINARY, outformat = FORMAT_BINARY; int ret = 1, inl, nopad = 0; unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH]; - unsigned char *buff = NULL, salt[PKCS5_SALT_LEN]; + unsigned char *buff = NULL, salt[EVP_MAX_IV_LENGTH]; + int saltlen = 0; int pbkdf2 = 0; int iter = 0; long n; @@ -293,6 +296,12 @@ int enc_main(int argc, char **argv) iter = opt_int_arg(); pbkdf2 = 1; break; + case OPT_SALTLEN: + if (!opt_int(opt_arg(), &saltlen)) + goto opthelp; + if (saltlen > (int)sizeof(salt)) + saltlen = (int)sizeof(salt); + break; case OPT_PBKDF2: pbkdf2 = 1; if (iter == 0) /* do not overwrite a chosen value */ @@ -317,6 +326,8 @@ int enc_main(int argc, char **argv) goto opthelp; if (!app_RAND_load()) goto end; + if (saltlen == 0 || pbkdf2 == 0) + saltlen = PKCS5_SALT_LEN; /* Get the cipher name, either from progname (if set) or flag. */ if (!opt_cipher(ciphername, &cipher)) @@ -496,13 +507,13 @@ int enc_main(int argc, char **argv) if (nosalt) { sptr = NULL; } else { - if (hsalt != NULL && !set_hex(hsalt, salt, sizeof(salt))) { + if (hsalt != NULL && !set_hex(hsalt, salt, saltlen)) { BIO_printf(bio_err, "invalid hex salt value\n"); goto end; } if (enc) { /* encryption */ if (hsalt == NULL) { - if (RAND_bytes(salt, sizeof(salt)) <= 0) { + if (RAND_bytes(salt, saltlen) <= 0) { BIO_printf(bio_err, "RAND_bytes failed\n"); goto end; } 
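Review bot: The help text added in the `@@ -100,6 +100,8 @@` hunk says `Default: 16`, but the `@@ -317,6 +326,8 @@` hunk sets `saltlen = PKCS5_SALT_LEN` when no value is given, and the man page change in this commit states that the default is 8 bytes. The usage line should match the code, e.g. `{OPT_MORE_STR, 0, 0, "Default: 8"},`, or the fallback should change if 16 was intended. As written, a user reading the help output would believe that `enc -pbkdf2` uses a 128 bit salt by default.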
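Review bot: In the `OPT_SALTLEN` case a value larger than the buffer is silently clamped to `sizeof(salt)`, so a user who asks for a longer salt gets a shorter one with no diagnostic. Rejecting the value is clearer: `if (saltlen > (int)sizeof(salt)) { BIO_printf(bio_err, "salt length too large\n"); goto opthelp; }`. The buffer itself is sized with `EVP_MAX_IV_LENGTH` in the `@@ -132,7 +134,8 @@` hunk; a dedicated constant for the maximum salt length would keep the limit from changing if the IV constant ever does. enc_main starts and ends outside these hunks.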
@@ -515,7 +526,7 @@ int enc_main(int argc, char **argv) sizeof(magic) - 1) != sizeof(magic) - 1 || BIO_write(wbio, (char *)salt, - sizeof(salt)) != sizeof(salt))) { + saltlen) != saltlen)) { BIO_printf(bio_err, "error writing output file\n"); goto end; } @@ -528,7 +539,7 @@ int enc_main(int argc, char **argv) } if (memcmp(mbuf, magic, sizeof(mbuf)) == 0) { /* file IS salted */ if (BIO_read(rbio, salt, - sizeof(salt)) != sizeof(salt)) { + saltlen) != saltlen) { BIO_printf(bio_err, "error reading input file\n"); goto end; } @@ -550,7 +561,8 @@ int enc_main(int argc, char **argv) int iklen = EVP_CIPHER_get_key_length(cipher); int ivlen = EVP_CIPHER_get_iv_length(cipher); /* not needed if HASH_UPDATE() is fixed : */ - int islen = (sptr != NULL ? sizeof(salt) : 0); + int islen = (sptr != NULL ? saltlen : 0); + if (!PKCS5_PBKDF2_HMAC(str, str_len, sptr, islen, iter, dgst, iklen+ivlen, tmpkeyiv)) { BIO_printf(bio_err, "PKCS5_PBKDF2_HMAC failed\n"); @@ -646,7 +658,7 @@ int enc_main(int argc, char **argv) if (printkey) { if (!nosalt) { printf("salt="); - for (i = 0; i < (int)sizeof(salt); i++) + for (i = 0; i < (int)saltlen; i++) printf("%02X", salt[i]); printf("\n"); } diff --git a/doc/man1/openssl-enc.pod.in b/doc/man1/openssl-enc.pod.in index 84d67361f82e4..14066a31859f9 100644 --- a/doc/man1/openssl-enc.pod.in +++ b/doc/man1/openssl-enc.pod.in @@ -31,6 +31,7 @@ B B|I [B<-md> I] [B<-iter> I] [B<-pbkdf2>] +[B<-saltlen> I] [B<-p>] [B<-P>] [B<-bufsize> I] 
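Review bot: The decrypt path in the `@@ -528` hunk now reads `saltlen` bytes after the magic, but nothing in the salted header records how long the salt was, so a mismatched `-saltlen` shifts the ciphertext boundary and is expected to surface only as a later decryption failure. That coupling deserves a comment at the read, for example `/* The header stores no salt length: saltlen must equal the value used when encrypting */`. The same applies to the `BIO_write` in the `@@ -515` hunk. The message "error reading input file" is all the user sees when the input is shorter than the requested salt, so naming the expected length there would help troubleshooting. `enc_main` continues outside these hunks.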
@@ -132,6 +133,15 @@ This option enables the use of PBKDF2 algorithm to derive the key. Use PBKDF2 algorithm with a default iteration count of 10000 unless otherwise specified by the B<-iter> command line option. +=item B<-saltlen> + +Set the salt length to use when using the B<-pbkdf2> option. +For compatibility reasons, the default is 8 bytes. +The maximum value is currently 16 bytes. +If the B<-pbkdf2> option is not used, then this option is ignored +and a fixed salt length of 8 is used. The salt length used when +encrypting must also be used when decrypting. + =item B<-nosalt> Don't use a salt in the key derivation routines. This option B be @@ -147,7 +157,8 @@ encrypting, this is the default. The actual salt to use: this must be represented as a string of hex digits. If this option is used while encrypting, the same exact value will be needed -again during decryption. +again during decryption. This salt may be truncated or zero padded to +match the salt length (See B<-saltlen>). =item B<-K> I @@ -465,9 +476,11 @@ The B<-list> option was added in OpenSSL 1.1.1e. The B<-ciphers> and B<-engine> options were deprecated in OpenSSL 3.0. +The B<-saltlen> option was added in OpenSSL 3.2. + =head1 COPYRIGHT -Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/20-test_enc.t b/test/recipes/20-test_enc.t index c5391d53f252b..d16d73e64a9e9 100644 --- a/test/recipes/20-test_enc.t +++ b/test/recipes/20-test_enc.t @@ -41,7 +41,7 @@ my @ciphers = |rc2|rc4|seed)/x} @ciphers if disabled("legacy"); -plan tests => 2 + (scalar @ciphers)*2; +plan tests => 5 + (scalar @ciphers)*2; SKIP: { skip "Problems getting ciphers...", 1 + scalar(@ciphers) 
@@ -72,4 +72,22 @@ plan tests => 2 + (scalar @ciphers)*2; && compare_text($test,$clearfile) == 0, $t); } } + ok(run(app([$cmd, "enc", "-in", $test, "-aes256", "-pbkdf2", "-out", + "salted_default.cipher", "-pass", "pass:password"])) + && run(app([$cmd, "enc", "-d", "-in", "salted_default.cipher", "-aes256", "-pbkdf2", + "-saltlen", "8", "-out", "salted_default.clear", "-pass", "pass:password"])) + && compare_text($test,"salted_default.clear") == 0, + "Check that the default salt length of 8 bytes is used for PKDF2"); + + ok(!run(app([$cmd, "enc", "-d", "-in", "salted_default.cipher", "-aes256", "-pbkdf2", + "-saltlen", "16", "-out", "salted_fail.clear", "-pass", "pass:password"])), + "Check the decrypt fails if the saltlen is incorrect"); + + ok(run(app([$cmd, "enc", "-in", $test, "-aes256", "-pbkdf2", "-saltlen", "16", + "-out", "salted.cipher", "-pass", "pass:password"])) + && run(app([$cmd, "enc", "-d", "-in", "salted.cipher", "-aes256", "-pbkdf2", + "-saltlen", "16", "-out", "salted.clear", "-pass", "pass:password"])) + && compare_text($test,"salted.clear") == 0, + "Check that we can still use a salt length of 16 bytes for PKDF2"); + } diff --git a/test/recipes/25-test_pkcs8.t b/test/recipes/25-test_pkcs8.t index 2f7ea1e1ae0c2..2db574bb69575 100644 --- a/test/recipes/25-test_pkcs8.t +++ b/test/recipes/25-test_pkcs8.t @@ -81,7 +81,7 @@ SKIP: { '-in', 'pbe1.pem', '-offset', '19', '-length', '10']))), "Check the default size of the PBE PARAM 'salt length' = 8"); - + ok(run(app(([ 'openssl', 'pkcs8', '-topk8', '-in', srctop_file('test', 'certs', 'pc5-key.pem'), '-v1', "PBE-MD5-DES", From d94bee8e9be2eb9e7e659a29c42586fe2f90f5a6 Mon Sep 17 00:00:00 2001 
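Review bot: The three added checks cover 8 bytes, 16 bytes and a mismatch, but nothing exercises a `-saltlen` above the 16-byte maximum or `-saltlen` combined with an explicit hex salt. Those are the two paths where `apps/enc.c` silently adjusts its input, by clamping the length and by truncating or zero padding the salt. A round trip with `"-saltlen", "32"` on both sides, plus a decrypt of that file with `"-saltlen", "16"`, would pin the clamping behaviour. The test names also spell the algorithm `PKDF2` where `PBKDF2` is meant.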
From: Richard Levitte Date: Mon, 4 Sep 2023 16:22:10 +0200 Subject: [PATCH 109/324] VMS: More header inclusion compensation for VMS C compiler Reviewed-by: Dmitry Belyavskiy Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21951) --- Configurations/descrip.mms.tmpl | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl index b6e6eb4d6054a..7453a72b3febc 100644 --- a/Configurations/descrip.mms.tmpl +++ b/Configurations/descrip.mms.tmpl @@ -211,7 +211,10 @@ # format, relative to the directory where the .c file is located. The logic # is that any inclusion, merged with one of these relative directories, will # find the requested inclusion file. - foreach (grep /\[\.crypto\.async\.arch\].*\.o$/, keys %{$unified_info{sources}}) { + # In the regexps, it's advisable to always start the file name with .*?, as + # the C source to OBJ file translation adds stuff at the beginning of the, + # name, such as [.ssl]bio_ssl.c -> [.ssl]libssl-shlib-bio_ssl.OBJ + foreach (grep /\[\.crypto\.async\.arch\].*?\.o$/, keys %{$unified_info{sources}}) { my $obj = platform->obj($_); push @{$unified_info{includes_extra}->{$obj}}, qw(../); } 
@@ -229,15 +232,14 @@ # like "record/record.h". Adding "./" as an inclusion directory helps # making this sort of header from these directories. push @{$unified_info{includes_extra}->{$obj}}, qw(./); - } - foreach (grep /\[\.ssl\].*?ssl_lib\.o$/, keys %{$unified_info{sources}}) { - my $obj = platform->obj($_); - # Some files in [.ssl] include "quic/quic_local.h", which in turn - # includes "../ssl_local.h". Adding "./quic" as an inclusion directory - # helps making this sort of header from these directories. + + # Additionally, an increasing amount of files in [.ssl] include + # "quic/quic_local.h", which in turn includes "../ssl_local.h". Adding + # "./quic" as an inclusion directory helps making this sort of header + # from these directories. push @{$unified_info{includes_extra}->{$obj}}, qw(./quic); } - foreach (grep /\[\.ssl\.(?:record|statem)\].*?\.o$/, keys %{$unified_info{sources}}) { + foreach (grep /\[\.ssl\.(?:quic|record|statem)\].*?\.o$/, keys %{$unified_info{sources}}) { my $obj = platform->obj($_); # Most of the files in [.ssl.record] and [.ssl.statem] include # "../ssl_local.h", which includes things like "record/record.h". @@ -251,8 +253,10 @@ # Most of the files in [.ssl.record.methods] include "../../ssl_local.h" # which includes things like "record/record.h". Adding "../../" as an # inclusion directory helps making this sort of header from these - # directories. - push @{$unified_info{includes_extra}->{$obj}}, qw(../../); + # directories. But this gets worse; through a series of inclusions, + # all of them based on the relative directory of the object file, there's + # a need to deal with an inclusion of "../ssl_local.h" as well. + push @{$unified_info{includes_extra}->{$obj}}, qw(../../), qw(../); } foreach (grep /\[\.test\].*?\.o$/, keys %{$unified_info{sources}}) { my $obj = platform->obj($_); 
@@ -264,6 +268,10 @@ # directly, but that would end up with more whack-a-mole of this sort, so # nah, we do it broadly. push @{$unified_info{includes_extra}->{$obj}}, qw(../ssl/record/methods); + # Similarly, some include "../ssl/ssl_local.h", and somewhere down the + # line, "quic/quic_local.h" gets included, which includes "../ssl_local.h" + # The problem is fixed by adding ../ssl/quic too. + push @{$unified_info{includes_extra}->{$obj}}, qw(../ssl/quic); } foreach (grep /\[\.test\.helpers\].*?\.o$/, keys %{$unified_info{sources}}) { my $obj = platform->obj($_); From 3ae4686bf6cfb9889efeecbc8e80b279afbe1e28 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Mon, 4 Sep 2023 16:23:05 +0200 Subject: [PATCH 110/324] VMS: Add a fallback definition of socklen_t It is not present in current VMS C headers... Reviewed-by: Dmitry Belyavskiy Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21951) --- include/internal/sockets.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/include/internal/sockets.h b/include/internal/sockets.h index 100e34629768b..050be74672f0f 100644 --- a/include/internal/sockets.h +++ b/include/internal/sockets.h @@ -89,6 +89,9 @@ struct servent *PASCAL getservbyname(const char *, const char *); # endif # include +# if defined(OPENSSL_SYS_VMS) +typedef size_t socklen_t; /* Currently appears to be missing on VMS */ +# endif # if defined(OPENSSL_SYS_VMS_NODECC) # include # include From cfbdc5dd14bf9fc969c9eb76216ab59a4ae64ba4 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Mon, 4 Sep 2023 16:24:05 +0200 Subject: [PATCH 111/324] Include #include "internal/numbers.h" in ssl/quic/quic_cfq.c It's needed for platforms that don't define UINT64_MAX and similar macros Reviewed-by: Dmitry Belyavskiy Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21951) --- ssl/quic/quic_cfq.c | 1 + 1 file changed, 1 insertion(+) 
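Review bot: The fallback `typedef size_t socklen_t;` in `include/internal/sockets.h` is keyed only on `OPENSSL_SYS_VMS`, so it would collide with the system definition as soon as a VMS C header release starts providing `socklen_t`, which the comment itself anticipates ("Currently appears to be missing"). If the toolchain exposes a version or feature macro for this, the typedef should be conditioned on it; otherwise the comment should name the header versions that were checked. Whether `size_t` has the same width as the length argument the VMS socket calls expect is not visible in this hunk. It is worth confirming, since a mismatch would make calls that take a `socklen_t *` write through a pointer of the wrong size.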
diff --git a/ssl/quic/quic_cfq.c b/ssl/quic/quic_cfq.c index 25ac36e348274..f9d66281cdf13 100644 --- a/ssl/quic/quic_cfq.c +++ b/ssl/quic/quic_cfq.c @@ -8,6 +8,7 @@ */ #include "internal/quic_cfq.h" +#include "internal/numbers.h" typedef struct quic_cfq_item_ex_st QUIC_CFQ_ITEM_EX; From 09a4b4b72204f973804d60096c513f5ed6b39e4f Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Mon, 4 Sep 2023 17:54:22 +0200 Subject: [PATCH 112/324] internal/numbers.h: Add fallback implementation for UINT32_C and UINT64_C Other similar macros can be implemented later. Right now, this are the most likely to be actually useful Reviewed-by: Dmitry Belyavskiy Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21951) --- include/internal/numbers.h | 25 +++++++++++++++++++++++++ test/quic_multistream_test.c | 1 + 2 files changed, 26 insertions(+) diff --git a/include/internal/numbers.h b/include/internal/numbers.h index 4f4d3306d5da8..41fd693bd1d3b 100644 --- a/include/internal/numbers.h +++ b/include/internal/numbers.h @@ -61,6 +61,31 @@ # define UINT64_MAX __MAXUINT__(uint64_t) # endif +/* + * 64-bit processor with LP64 ABI + */ +# ifdef SIXTY_FOUR_BIT_LONG +# ifndef UINT32_C +# define UINT32_C(c) (c) +# endif +# ifndef UINT64_C +# define UINT64_C(c) (c##UL) +# endif +# endif + +/* + * 64-bit processor other than LP64 ABI + */ +# ifdef SIXTY_FOUR_BIT +# ifndef UINT32_C +# define UINT32_C(c) (c##UL) +# endif +# ifndef UINT64_C +# define UINT64_C(c) (c##ULL) +# endif +# endif + + # ifndef INT128_MAX # if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__ == 16 typedef __int128_t int128_t; diff --git a/test/quic_multistream_test.c b/test/quic_multistream_test.c index 895a6d74a70bc..04f2771ed89ea 100644 --- a/test/quic_multistream_test.c +++ b/test/quic_multistream_test.c @@ -18,6 +18,7 @@ #if defined(OPENSSL_THREADS) # include "internal/thread_arch.h" #endif +#include "internal/numbers.h" /* UINT64_C */ static const char *certfile, *keyfile; 
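Review bot: Under `SIXTY_FOUR_BIT_LONG` the fallback `# define UINT32_C(c) (c)` in `include/internal/numbers.h` leaves the constant with its original signed type. An expression such as `UINT32_C(1) << 31` is then evaluated as a signed `int` shift rather than an unsigned one, unlike the `<stdint.h>` macro. The fallback should append an unsigned suffix, `# define UINT32_C(c) (c##U)`. The fallbacks are also defined only when `SIXTY_FOUR_BIT_LONG` or `SIXTY_FOUR_BIT` is set, so a build with neither (presumably a 32-bit configuration) still has no `UINT32_C`/`UINT64_C`. An `#else` branch, or a comment stating that this is intentional, would close that gap.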
From b12c07cfba9651ae80b7020ffe8e634f47581389 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 4 Sep 2023 21:50:18 +0200 Subject: [PATCH 113/324] quicserver.c: Fix build with no-ssl-trace Reviewed-by: Tim Hudson Reviewed-by: Dmitry Belyavskiy Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/21958) --- util/quicserver.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/util/quicserver.c b/util/quicserver.c index c25128eaf6c3d..5a51b240ffdf7 100644 --- a/util/quicserver.c +++ b/util/quicserver.c @@ -217,7 +217,12 @@ int main(int argc, char *argv[]) bio = NULL; if (trace) +#ifndef OPENSSL_NO_SSL_TRACE ossl_quic_tserver_set_msg_callback(qtserv, SSL_trace, bio_err); +#else + BIO_printf(bio_err, + "Warning: -trace specified but no SSL tracing support present\n"); +#endif /* Wait for handshake to complete */ ossl_quic_tserver_tick(qtserv); From 75ac8f04b78e9e1283b0402a791728ba2728e159 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 4 Sep 2023 21:39:30 +0200 Subject: [PATCH 114/324] 04-test_encoder_decoder.t: Use algorithm that is non-fips also on 3.0.0 The test encrypted RSA key with DES3 which is still allowed in the 3.0 fips provider. Instead use the traditional key format that uses MD5 to create the password based key. MD5 is disallowed in the 3.0 fips provider. Reviewed-by: Paul Dale Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/21957) --- test/recipes/04-test_encoder_decoder.t | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/test/recipes/04-test_encoder_decoder.t b/test/recipes/04-test_encoder_decoder.t index 817c95ee64a4e..56c7d6e714a2e 100644 --- a/test/recipes/04-test_encoder_decoder.t +++ b/test/recipes/04-test_encoder_decoder.t 
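Review bot: In `util/quicserver.c` the `if (trace)` statement now has an unbraced body that is selected by the preprocessor, so each branch of the `#ifndef OPENSSL_NO_SSL_TRACE` must remain exactly one statement for the control flow to stay correct. A second statement added to either branch later would run unconditionally. Braces remove that trap: `if (trace) {` before the `#ifndef` and `}` after the `#endif`. `main` starts and ends outside this hunk.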
@@ -50,10 +50,10 @@ unless ($no_fips) { my $no_des = disabled("des"); SKIP: { - skip "DES disabled", 2 if disabled("des"); - ok(run(app([ 'openssl', 'genrsa', '-des3', '-out', 'epki.pem', - '-passout', 'pass:pass' ])), - "rsa encrypt using a non fips algorithm"); + skip "MD5 disabled", 2 if disabled("md5"); + ok(run(app([ 'openssl', 'genrsa', '-aes128', '-out', 'epki.pem', + '-traditional', '-passout', 'pass:pass' ])), + "rsa encrypted using a non fips algorithm MD5 in pbe"); my $conf2 = srctop_file("test", "default-and-fips.cnf"); ok(run(test(['decoder_propq_test', '-config', $conf2, From 852438adc0c9cb29b9cbdb5adab727230f40effb Mon Sep 17 00:00:00 2001 From: Kai Pastor Date: Sun, 3 Sep 2023 10:59:22 +0200 Subject: [PATCH 115/324] Use armv8 .quad instead of .dword Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/21939) --- crypto/sm4/asm/vpsm4-armv8.pl | 6 +++--- crypto/sm4/asm/vpsm4_ex-armv8.pl | 18 +++++++++--------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/crypto/sm4/asm/vpsm4-armv8.pl b/crypto/sm4/asm/vpsm4-armv8.pl index a09e44cada7cb..11da0d3976f9c 100755 --- a/crypto/sm4/asm/vpsm4-armv8.pl +++ b/crypto/sm4/asm/vpsm4-armv8.pl @@ -569,11 +569,11 @@ () .long 0xA0A7AEB5, 0xBCC3CAD1, 0xD8DFE6ED, 0xF4FB0209 .long 0x10171E25, 0x2C333A41, 0x484F565D, 0x646B7279 .Lfk: - .dword 0x56aa3350a3b1bac6,0xb27022dc677d9197 + .quad 0x56aa3350a3b1bac6,0xb27022dc677d9197 .Lshuffles: - .dword 0x0B0A090807060504,0x030201000F0E0D0C + .quad 0x0B0A090807060504,0x030201000F0E0D0C .Lxts_magic: - .dword 0x0101010101010187,0x0101010101010101 + .quad 0x0101010101010187,0x0101010101010101 .size _vpsm4_consts,.-_vpsm4_consts ___ diff --git a/crypto/sm4/asm/vpsm4_ex-armv8.pl b/crypto/sm4/asm/vpsm4_ex-armv8.pl index 992ac98af72c2..60aebc2faf7f9 100644 --- a/crypto/sm4/asm/vpsm4_ex-armv8.pl +++ b/crypto/sm4/asm/vpsm4_ex-armv8.pl 
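Review bot: The skip condition in `04-test_encoder_decoder.t` changed to `disabled("md5")` while the command line shows `-aes128`, and the test does not say why MD5 is involved. Per the commit message, the `-traditional` format derives the password-based key with MD5. A comment above the `ok(...)` would stop a later reader from "correcting" the skip: `# -traditional key derivation uses MD5, which the FIPS provider does not allow`. The context line `my $no_des = disabled("des");` is not referenced by the lines shown; whether it is still used elsewhere is outside the hunk.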
@@ -553,18 +553,18 @@ () .long 0xA0A7AEB5, 0xBCC3CAD1, 0xD8DFE6ED, 0xF4FB0209 .long 0x10171E25, 0x2C333A41, 0x484F565D, 0x646B7279 .Lfk: - .dword 0x56aa3350a3b1bac6,0xb27022dc677d9197 + .quad 0x56aa3350a3b1bac6,0xb27022dc677d9197 .Lshuffles: - .dword 0x0B0A090807060504,0x030201000F0E0D0C + .quad 0x0B0A090807060504,0x030201000F0E0D0C .Lxts_magic: - .dword 0x0101010101010187,0x0101010101010101 + .quad 0x0101010101010187,0x0101010101010101 .Lsbox_magic: - .dword 0x0b0e0104070a0d00,0x0306090c0f020508 - .dword 0x62185a2042387a00,0x22581a6002783a40 - .dword 0x15df62a89e54e923,0xc10bb67c4a803df7 - .dword 0xb9aa6b78c1d21300,0x1407c6d56c7fbead - .dword 0x6404462679195b3b,0xe383c1a1fe9edcbc - .dword 0x0f0f0f0f0f0f0f0f,0x0f0f0f0f0f0f0f0f + .quad 0x0b0e0104070a0d00,0x0306090c0f020508 + .quad 0x62185a2042387a00,0x22581a6002783a40 + .quad 0x15df62a89e54e923,0xc10bb67c4a803df7 + .quad 0xb9aa6b78c1d21300,0x1407c6d56c7fbead + .quad 0x6404462679195b3b,0xe383c1a1fe9edcbc + .quad 0x0f0f0f0f0f0f0f0f,0x0f0f0f0f0f0f0f0f .size _${prefix}_consts,.-_${prefix}_consts ___ From e0f4976ac634e8c74231e45f865457edab834324 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Mon, 4 Sep 2023 22:09:27 +0200 Subject: [PATCH 116/324] VMS: More header inclusion compensation for VMS C compiler Reviewed-by: Dmitry Belyavskiy Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz Reviewed-by: Tom Cosgrove (Merged from https://github.com/openssl/openssl/pull/21959) --- Configurations/descrip.mms.tmpl | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl index 7453a72b3febc..828e1e91fbb26 100644 --- a/Configurations/descrip.mms.tmpl +++ b/Configurations/descrip.mms.tmpl 
@@ -275,7 +275,8 @@ } foreach (grep /\[\.test\.helpers\].*?\.o$/, keys %{$unified_info{sources}}) { my $obj = platform->obj($_); - push @{$unified_info{includes_extra}->{$obj}}, qw(../../ssl); + push @{$unified_info{includes_extra}->{$obj}}, + qw(../../ssl ../../ssl/quic); } # This makes sure things get built in the order they need From d4231af60a8d04196b3b873c2fa8638daff36173 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 5 Sep 2023 07:56:28 +0000 Subject: [PATCH 117/324] Bump actions/checkout from 2 to 4 Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 4. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v2...v4) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] CLA: trivial Reviewed-by: Hugo Landau Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21953) --- .github/workflows/ci.yml | 54 ++++++++++---------- .github/workflows/compiler-zoo.yml | 2 +- .github/workflows/coveralls.yml | 2 +- .github/workflows/cross-compiles.yml | 2 +- .github/workflows/fips-checksums.yml | 4 +- .github/workflows/fuzz-checker.yml | 2 +- .github/workflows/os-zoo.yml | 6 +-- .github/workflows/provider-compatibility.yml | 2 +- .github/workflows/run-checker-ci.yml | 2 +- .github/workflows/run-checker-daily-sctp.yml | 2 +- .github/workflows/run-checker-daily.yml | 2 +- .github/workflows/run-checker-merge.yml | 2 +- .github/workflows/static-analysis.yml | 2 +- .github/workflows/windows.yml | 8 +-- .github/workflows/windows_comp.yml | 4 +- 15 files changed, 48 insertions(+), 48 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e467f79dd7089..7ce1ef292ea8a 100644 
--- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -29,7 +29,7 @@ jobs: run: | sudo apt-get update sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install unifdef - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: fetch-depth: 0 - name: config @@ -44,7 +44,7 @@ jobs: check_docs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: config run: ./config --banner=Configured --strict-warnings enable-fips && perl configdata.pm --dump - name: make build_generated @@ -64,7 +64,7 @@ jobs: check-ansi: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: config run: CPPFLAGS=-ansi ./config --banner=Configured no-asm no-makedepend enable-buildtest-c++ enable-fips --strict-warnings -D_DEFAULT_SOURCE && perl configdata.pm --dump - name: make @@ -73,7 +73,7 @@ jobs: basic_gcc: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: localegen @@ -89,7 +89,7 @@ jobs: basic_clang: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: config @@ -102,7 +102,7 @@ jobs: minimal: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: config @@ -115,7 +115,7 @@ jobs: no-deprecated: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: config 
@@ -131,7 +131,7 @@ jobs: os: [ ubuntu-latest, macos-latest ] runs-on: ${{matrix.os}} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: config @@ -144,7 +144,7 @@ jobs: non-caching: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: config @@ -157,7 +157,7 @@ jobs: address_ub_sanitizer: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: config @@ -170,7 +170,7 @@ jobs: memory_sanitizer: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: config @@ -184,7 +184,7 @@ jobs: threads_sanitizer: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: config @@ -197,7 +197,7 @@ jobs: enable_non-default_options: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: modprobe tls @@ -212,7 +212,7 @@ jobs: fips_and_ktls: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: modprobe tls 
@@ -232,7 +232,7 @@ jobs: sudo apt-get update sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install brotli libbrotli1 libbrotli-dev - name: checkout openssl - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: config @@ -250,7 +250,7 @@ jobs: sudo apt-get update sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install zstd libzstd1 libzstd-dev - name: checkout openssl - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: config @@ -269,7 +269,7 @@ jobs: sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install brotli libbrotli1 libbrotli-dev sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install zstd libzstd1 libzstd-dev - name: checkout openssl - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: config @@ -287,7 +287,7 @@ jobs: sudo apt-get update sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install brotli libbrotli1 libbrotli-dev - name: checkout openssl - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: config @@ -305,7 +305,7 @@ jobs: sudo apt-get update sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install zstd libzstd1 libzstd-dev - name: checkout openssl - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: config 
@@ -318,7 +318,7 @@ jobs: no-legacy: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: config @@ -331,7 +331,7 @@ jobs: legacy: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: config @@ -347,7 +347,7 @@ jobs: os: [ ubuntu-latest, macos-latest ] runs-on: ${{matrix.os}} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: config @@ -360,7 +360,7 @@ jobs: buildtest: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: config @@ -376,7 +376,7 @@ jobs: os: [ubuntu-latest, macos-latest ] runs-on: ${{matrix.os}} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: extra preparations @@ -399,7 +399,7 @@ jobs: external-tests: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: submodules: recursive - name: package installs @@ -434,7 +434,7 @@ jobs: PYTHON: - 3.9 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: submodules: recursive - name: Configure OpenSSL @@ -457,7 +457,7 @@ jobs: external-test-cf-quiche: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: submodules: recursive - name: Configure OpenSSL diff --git a/.github/workflows/compiler-zoo.yml b/.github/workflows/compiler-zoo.yml index f055cf04e4541..bd518217a56be 100644 --- a/.github/workflows/compiler-zoo.yml +++ b/.github/workflows/compiler-zoo.yml 
@@ -114,7 +114,7 @@ jobs: sudo apt-get update sudo apt-get -y install ${{ matrix.zoo.cc }} - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora diff --git a/.github/workflows/coveralls.yml b/.github/workflows/coveralls.yml index abd097cc3c7c7..e0ae7b6534866 100644 --- a/.github/workflows/coveralls.yml +++ b/.github/workflows/coveralls.yml @@ -39,7 +39,7 @@ jobs: ] runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: submodules: recursive ref: ${{ matrix.branches.branch }} diff --git a/.github/workflows/cross-compiles.yml b/.github/workflows/cross-compiles.yml index 08f5930c1888d..8f2d7efad5c80 100644 --- a/.github/workflows/cross-compiles.yml +++ b/.github/workflows/cross-compiles.yml @@ -160,7 +160,7 @@ jobs: sudo apt-get -yq --force-yes install \ gcc-${{ matrix.platform.arch }} \ ${{ matrix.platform.libs }} - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora diff --git a/.github/workflows/fips-checksums.yml b/.github/workflows/fips-checksums.yml index 4efad31455e98..d91715b858c6f 100644 --- a/.github/workflows/fips-checksums.yml +++ b/.github/workflows/fips-checksums.yml @@ -26,7 +26,7 @@ jobs: mkdir ./build mkdir ./source mkdir ./artifact - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: repository: ${{ github.event.pull_request.base.repo.full_name }} ref: ${{ github.event.pull_request.base.ref }} @@ -43,7 +43,7 @@ jobs: - name: make fips-checksums pristine run: make fips-checksums working-directory: ./build-pristine - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: path: source - name: config diff --git a/.github/workflows/fuzz-checker.yml b/.github/workflows/fuzz-checker.yml index bd17791707e57..8b341191b61ac 100644 --- a/.github/workflows/fuzz-checker.yml 
+++ b/.github/workflows/fuzz-checker.yml @@ -48,7 +48,7 @@ jobs: run: | sudo apt-get update sudo apt-get -yq --force-yes install ${{ matrix.fuzzy.install }} - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: config run: | diff --git a/.github/workflows/os-zoo.yml b/.github/workflows/os-zoo.yml index 09a2499556547..ff2962ff8de23 100644 --- a/.github/workflows/os-zoo.yml +++ b/.github/workflows/os-zoo.yml @@ -31,7 +31,7 @@ jobs: run: | apk --no-cache add build-base perl linux-headers git ${{ matrix.cc }} - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: config run: | @@ -65,7 +65,7 @@ jobs: ] runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: config @@ -88,7 +88,7 @@ jobs: ] runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - uses: ilammy/msvc-dev-cmd@v1 diff --git a/.github/workflows/provider-compatibility.yml b/.github/workflows/provider-compatibility.yml index c16199f9bd4bc..68d8922383ed1 100644 --- a/.github/workflows/provider-compatibility.yml +++ b/.github/workflows/provider-compatibility.yml @@ -122,7 +122,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 with: path: ${{ matrix.branch.dir }} repository: openssl/openssl diff --git a/.github/workflows/run-checker-ci.yml b/.github/workflows/run-checker-ci.yml index 88cd79662b6fe..2515382bfd306 100644 --- a/.github/workflows/run-checker-ci.yml +++ b/.github/workflows/run-checker-ci.yml @@ -41,7 +41,7 @@ jobs: ] runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: config 
diff --git a/.github/workflows/run-checker-daily-sctp.yml b/.github/workflows/run-checker-daily-sctp.yml index a04e79339f485..7bc4fbc82d995 100644 --- a/.github/workflows/run-checker-daily-sctp.yml +++ b/.github/workflows/run-checker-daily-sctp.yml @@ -16,7 +16,7 @@ jobs: run-checker: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: Install Dependencies for sctp option diff --git a/.github/workflows/run-checker-daily.yml b/.github/workflows/run-checker-daily.yml index e2bf91cddc6ea..c197cb0975dc3 100644 --- a/.github/workflows/run-checker-daily.yml +++ b/.github/workflows/run-checker-daily.yml @@ -135,7 +135,7 @@ jobs: ] runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: config diff --git a/.github/workflows/run-checker-merge.yml b/.github/workflows/run-checker-merge.yml index f79a59e0a6aa4..8eb4b49a95c93 100644 --- a/.github/workflows/run-checker-merge.yml +++ b/.github/workflows/run-checker-merge.yml @@ -37,7 +37,7 @@ jobs: ] runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: config diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml index 737fec3bcb7c0..c2c7c06c81585 100644 --- a/.github/workflows/static-analysis.yml +++ b/.github/workflows/static-analysis.yml @@ -19,7 +19,7 @@ jobs: coverity: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: tool download run: | wget https://scan.coverity.com/download/linux64 \ diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index b2b969dddf046..679a2c10fe502 100644 
--- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml @@ -27,7 +27,7 @@ jobs: config: --strict-warnings no-fips runs-on: ${{matrix.os}} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - uses: ilammy/msvc-dev-cmd@v1 @@ -65,7 +65,7 @@ jobs: - windows-2022 runs-on: ${{matrix.os}} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - uses: ilammy/msvc-dev-cmd@v1 @@ -91,7 +91,7 @@ jobs: - windows-2022 runs-on: ${{matrix.os}} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - uses: ilammy/msvc-dev-cmd@v1 @@ -131,7 +131,7 @@ jobs: MAKE_PARAMS: -j 4 steps: # Checkout before cygwin can mess with PATH... - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: cygwin/cygwin-install-action@master with: packages: perl git make gcc-core diff --git a/.github/workflows/windows_comp.yml b/.github/workflows/windows_comp.yml index bf797e57b6167..834d46b097679 100644 --- a/.github/workflows/windows_comp.yml +++ b/.github/workflows/windows_comp.yml @@ -22,7 +22,7 @@ jobs: zstd: runs-on: windows-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - uses: ilammy/msvc-dev-cmd@v1 @@ -49,7 +49,7 @@ jobs: brotli: runs-on: windows-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - uses: ilammy/msvc-dev-cmd@v1 From 17a0e930d2607e1d571c82912d5e1fa3393b2053 Mon Sep 17 00:00:00 2001 
From: Hugo Landau
Date: Thu, 31 Aug 2023 18:54:16 +0100
Subject: [PATCH 118/324] MUTEX: Assert on locking failure
Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/21919)
---
 crypto/thread/arch/thread_posix.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/crypto/thread/arch/thread_posix.c b/crypto/thread/arch/thread_posix.c
index 0ab27b12302dd..f88323820f486 100644
--- a/crypto/thread/arch/thread_posix.c
+++ b/crypto/thread/arch/thread_posix.c
@@ -120,18 +120,22 @@ int ossl_crypto_mutex_try_lock(CRYPTO_MUTEX *mutex)
 void ossl_crypto_mutex_lock(CRYPTO_MUTEX *mutex)
 {
+ int rc;
 pthread_mutex_t *mutex_p;
 mutex_p = (pthread_mutex_t *)mutex;
- pthread_mutex_lock(mutex_p);
+ rc = pthread_mutex_lock(mutex_p);
+ OPENSSL_assert(rc == 0);
 }
 void ossl_crypto_mutex_unlock(CRYPTO_MUTEX *mutex)
 {
+ int rc;
 pthread_mutex_t *mutex_p;
 mutex_p = (pthread_mutex_t *)mutex;
- pthread_mutex_unlock(mutex_p);
+ rc = pthread_mutex_unlock(mutex_p);
+ OPENSSL_assert(rc == 0);
 }
 void ossl_crypto_mutex_free(CRYPTO_MUTEX **mutex)
From 81d037b8adb0232c8a4d4654f79c883dafb102bc Mon Sep 17 00:00:00 2001
From: "Dr. David von Oheimb"
Date: Thu, 3 Aug 2023 16:52:49 +0200
Subject: [PATCH 119/324] apps.c: fix error messages (newline and needless text) in load_key_certs_crls()
Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
Reviewed-by: Hugo Landau
(Merged from https://github.com/openssl/openssl/pull/21659)
---
 apps/lib/apps.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index 1acc991bb821e..824ef16c2c11a 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -987,7 +987,7 @@ int load_key_certs_crls(const char *uri, int format, int maybe_stdin,
 if (!maybe_stdin) {
 if (!quiet)
- BIO_printf(bio_err, "No filename or uri specified for loading");
+ BIO_printf(bio_err, "No filename or uri specified for loading\n");
 goto end;
 }
 uri = "";
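Review bot: The two `OPENSSL_assert(rc == 0)` lines make ossl_crypto_mutex_lock() and ossl_crypto_mutex_unlock() abort the process on any pthread error, and neither function documents that. Both return void, so a caller has no other way to learn that the lock was not taken; a short comment would record that the abort is deliberate, for example `/* no way to report failure; running on without the lock would be a data race */`. The assertion text will only show `rc == 0`, so the error value that separates a misuse (for instance unlocking a mutex the thread does not hold) from an invalid mutex is lost; consider reporting `rc` before aborting. ossl_crypto_mutex_try_lock() lies outside this hunk, so whether it treats unexpected errors the same way cannot be checked from here.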
@@ -1003,11 +1003,8 @@ int load_key_certs_crls(const char *uri, int format, int maybe_stdin, ctx = OSSL_STORE_open_ex(uri, libctx, propq, get_ui_method(), &uidata, params, NULL, NULL); } - if (ctx == NULL) { - if (!quiet) - BIO_printf(bio_err, "Could not open file or uri for loading"); + if (ctx == NULL) goto end; - } if (expect > 0 && !OSSL_STORE_expect(ctx, expect)) goto end; From 49e097344ba51a8b25016794d482813b9c1e137f Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Fri, 4 Aug 2023 08:23:58 +0200 Subject: [PATCH 120/324] apps.c: improve warning texts of parse_name() when skipping RDN input Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale Reviewed-by: Hugo Landau (Merged from https://github.com/openssl/openssl/pull/21659) --- apps/lib/apps.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/apps/lib/apps.c b/apps/lib/apps.c index 824ef16c2c11a..e29a01a4d129b 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -1977,16 +1977,17 @@ X509_NAME *parse_name(const char *cp, int chtype, int canmulti, nid = OBJ_txt2nid(typestr); if (nid == NID_undef) { BIO_printf(bio_err, - "%s: Skipping unknown %s name attribute \"%s\"\n", + "%s warning: Skipping unknown %s name attribute \"%s\"\n", opt_getprog(), desc, typestr); if (ismulti) BIO_printf(bio_err, - "Hint: a '+' in a value string needs be escaped using '\\' else a new member of a multi-valued RDN is expected\n"); + "%s hint: a '+' in a value string needs be escaped using '\\' else a new member of a multi-valued RDN is expected\n", + opt_getprog()); continue; } if (*valstr == '\0') { BIO_printf(bio_err, - "%s: No value provided for %s name attribute \"%s\", skipped\n", + "%s warning: No value provided for %s name attribute \"%s\", skipped\n", opt_getprog(), desc, typestr); continue; } From 374945a9aa545d4d6f015de0b48cbed6a90258e0 Mon Sep 17 00:00:00 2001 
From: "Dr. David von Oheimb" Date: Fri, 4 Aug 2023 19:02:28 +0200 Subject: [PATCH 121/324] apps/cmp.c: fix bug not allowing to reset -csr and -serial option values Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale Reviewed-by: Hugo Landau (Merged from https://github.com/openssl/openssl/pull/21659) --- apps/cmp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apps/cmp.c b/apps/cmp.c index dbc609a2e0037..b86b8ae5c14bd 100644 --- a/apps/cmp.c +++ b/apps/cmp.c @@ -2648,7 +2648,7 @@ static int get_opts(int argc, char **argv) } break; case OPT_CSR: - opt_csr = opt_arg(); + opt_csr = opt_str(); break; case OPT_OUT_TRUSTED: opt_out_trusted = opt_str(); @@ -2681,7 +2681,7 @@ static int get_opts(int argc, char **argv) opt_issuer = opt_str(); break; case OPT_SERIAL: - opt_serial = opt_arg(); + opt_serial = opt_str(); break; case OPT_CERTFORM: opt_certform_s = opt_str(); From 2ce79d97e338c8eaacf67ce2e1a1b0fb1c639f11 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 4 Sep 2023 08:59:53 +0200 Subject: [PATCH 122/324] OSSL_PARAM_BLD_push_BN_pad(): Allow NULL BIGNUM This was supported previously and regressed with commit 17898ec6011cc583c5af69ca8f25f5d165ff3e6a Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21945) --- crypto/param_build.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/crypto/param_build.c b/crypto/param_build.c index 7604f9bd6ce9a..def71f5718d07 100644 --- a/crypto/param_build.c +++ b/crypto/param_build.c 
@@ -233,8 +233,8 @@ static int push_BN(OSSL_PARAM_BLD *bld, const char *key, int OSSL_PARAM_BLD_push_BN(OSSL_PARAM_BLD *bld, const char *key, const BIGNUM *bn) { - if (BN_is_negative(bn)) - return push_BN(bld, key, bn, bn == NULL ? 0 : BN_num_bytes(bn) + 1, + if (bn != NULL && BN_is_negative(bn)) + return push_BN(bld, key, bn, BN_num_bytes(bn) + 1, OSSL_PARAM_INTEGER); return push_BN(bld, key, bn, bn == NULL ? 0 : BN_num_bytes(bn), OSSL_PARAM_UNSIGNED_INTEGER); @@ -243,8 +243,8 @@ int OSSL_PARAM_BLD_push_BN(OSSL_PARAM_BLD *bld, const char *key, int OSSL_PARAM_BLD_push_BN_pad(OSSL_PARAM_BLD *bld, const char *key, const BIGNUM *bn, size_t sz) { - if (BN_is_negative(bn)) - return push_BN(bld, key, bn, bn == NULL ? 0 : BN_num_bytes(bn), + if (bn != NULL && BN_is_negative(bn)) + return push_BN(bld, key, bn, BN_num_bytes(bn), OSSL_PARAM_INTEGER); return push_BN(bld, key, bn, sz, OSSL_PARAM_UNSIGNED_INTEGER); } From a535e5b73fc374dbbef54d2629728e9602ecf6be Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 4 Sep 2023 09:09:40 +0200 Subject: [PATCH 123/324] Test that NULL BIGNUM is supported in OSSL_PARAM_BLD_push_BN() Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21945) --- test/param_build_test.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/test/param_build_test.c b/test/param_build_test.c index d67df3c311e03..68517e66be832 100644 --- a/test/param_build_test.c +++ b/test/param_build_test.c @@ -16,7 +16,7 @@ static const OSSL_PARAM params_empty[] = { OSSL_PARAM_END }; -static int template_public_single_zero_test(void) +static int template_public_single_zero_test(int idx) { OSSL_PARAM_BLD *bld = NULL; OSSL_PARAM *params = NULL, *params_blt = NULL, *p; 
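Review bot: In OSSL_PARAM_BLD_push_BN_pad() (the `@@ -243,8 +243,8 @@` hunk of crypto/param_build.c) the negative branch still passes `BN_num_bytes(bn)` as the size, so the caller's `sz` is ignored for negative values and the encoded length follows the magnitude of the number instead of the requested padding. It also omits the `+ 1` that OSSL_PARAM_BLD_push_BN() adds for the same case in the hunk above; push_BN() itself is outside the hunk, so whether that byte is needed for the sign cannot be confirmed here. If a fixed width is the contract of the `_pad` variant, the branch should read `return push_BN(bld, key, bn, sz, OSSL_PARAM_INTEGER);`, or a comment should state why negative values are exempt from padding.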
@@ -25,7 +25,8 @@ static int template_public_single_zero_test(void) if (!TEST_ptr(bld = OSSL_PARAM_BLD_new()) || !TEST_ptr(zbn = BN_new()) - || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, "zeronumber", zbn)) + || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, "zeronumber", + idx == 0 ? zbn : NULL)) || !TEST_ptr(params_blt = OSSL_PARAM_BLD_to_param(bld))) goto err; @@ -550,7 +551,7 @@ static int builder_merge_test(void) int setup_tests(void) { - ADD_TEST(template_public_single_zero_test); + ADD_ALL_TESTS(template_public_single_zero_test, 2); ADD_ALL_TESTS(template_public_test, 5); /* Only run the secure memory testing if we have secure memory available */ if (CRYPTO_secure_malloc_init(1<<16, 16)) { From e2cf38d5751d6b48c8625b622c3765d0a39958d7 Mon Sep 17 00:00:00 2001 From: Bernd Edlinger Date: Mon, 4 Sep 2023 09:40:28 +0200 Subject: [PATCH 124/324] Fix internal memory leaks from OPENSSL_MALLOC_FAILURES There is a rarely used feature that can be enabled with `./config enable-crypto-mdebug` when additionally the environment variable OPENSSL_MALLOC_FAILURES is used. It turns out to be possible that CRYPTO_zalloc may create a leak when the memory is allocated and then the shouldfail happens, then the memory is lost. Likewise when OPENSSL_realloc is used with size=0, then the memory is to be free'd but here the shouldfail check is too early, and the failure may prevent the memory to be freed thus creating a bogus memory leak. Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz Reviewed-by: Hugo Landau (Merged from https://github.com/openssl/openssl/pull/21944) --- crypto/mem.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/crypto/mem.c b/crypto/mem.c index 74bf3b892cb60..b9fca98a83c5c 100644 --- a/crypto/mem.c +++ b/crypto/mem.c @@ -214,7 +214,6 @@ void *CRYPTO_zalloc(size_t num, const char *file, int line) void *ret; ret = CRYPTO_malloc(num, file, line); - FAILTEST(); if (ret != NULL) memset(ret, 0, num); 
@@ -227,7 +226,6 @@ void *CRYPTO_realloc(void *str, size_t num, const char *file, int line) if (realloc_impl != CRYPTO_realloc) return realloc_impl(str, num, file, line); - FAILTEST(); if (str == NULL) return CRYPTO_malloc(num, file, line); @@ -236,6 +234,7 @@ void *CRYPTO_realloc(void *str, size_t num, const char *file, int line) return NULL; } + FAILTEST(); return realloc(str, num); } From 72a0688552176b658943972b282f2716dff614a0 Mon Sep 17 00:00:00 2001 From: Kurt Roeckx Date: Fri, 1 Sep 2023 14:03:07 +0200 Subject: [PATCH 125/324] Update fuzz corpora to latest commit Reviewed-by: Tom Cosgrove Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21927) --- fuzz/corpora | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fuzz/corpora b/fuzz/corpora index 084348da0956e..7bdc71fa62c88 160000 --- a/fuzz/corpora +++ b/fuzz/corpora @@ -1 +1 @@ -Subproject commit 084348da0956ea0451a3aaf9a6f9f024db0cc00d +Subproject commit 7bdc71fa62c88173b8f818dd1646ac59b0eadebe From e664ef78b92532bf94c7976b181d88c4abf83074 Mon Sep 17 00:00:00 2001 
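Review bot: The new position of `FAILTEST()` in CRYPTO_realloc(), directly before `return realloc(str, num);`, is what fixes the leak, but nothing in the code says so, and a later cleanup could move it back to the top of the function. A comment such as `/* inject failures only on the real realloc path; the NULL and zero-size paths above must always run */` would pin the ordering. The same applies to the removal in CRYPTO_zalloc() in the preceding hunk, which relies on CRYPTO_malloc() doing its own failure injection; that function is not visible here, so this is inferred from the commit description. The branch that frees on `num == 0` sits between the two hunks and is not shown.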
From: "Dr. David von Oheimb" Date: Tue, 29 Aug 2023 11:09:05 +0200 Subject: [PATCH 126/324] CMP: generalize ossl_cmp_calc_protection() to handle Edwards curves correctly Fixes #21564 Reviewed-by: Dmitry Belyavskiy Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21884) --- crypto/cmp/cmp_protect.c | 36 ++--- crypto/crmf/crmf_lib.c | 5 +- doc/internal/man3/ossl_cmp_msg_protect.pod | 3 + test/cmp_protect_test.c | 130 ++++++++++-------- test/recipes/65-test_cmp_protect.t | 6 +- .../GENM_protected_Ed.der | Bin 0 -> 232 bytes .../65-test_cmp_protect_data/IR_protected.der | Bin 968 -> 970 bytes .../65-test_cmp_protect_data/prot_Ed.pem | 3 + .../65-test_cmp_protect_data/prot_RSA.pem | 27 ++++ 9 files changed, 128 insertions(+), 82 deletions(-) create mode 100644 test/recipes/65-test_cmp_protect_data/GENM_protected_Ed.der create mode 100644 test/recipes/65-test_cmp_protect_data/prot_Ed.pem create mode 100644 test/recipes/65-test_cmp_protect_data/prot_RSA.pem diff --git a/crypto/cmp/cmp_protect.c b/crypto/cmp/cmp_protect.c index 3d633bef79385..c48a47660ecf0 100644 --- a/crypto/cmp/cmp_protect.c +++ b/crypto/cmp/cmp_protect.c @@ -22,9 +22,11 @@ /* * This function is also used by the internal verify_PBMAC() in cmp_vfy.c. * - * Calculate protection for given PKImessage according to - * the algorithm and parameters in the message header's protectionAlg + * Calculate protection for |msg| according to |msg->header->protectionAlg| * using the credentials, library context, and property criteria in the ctx. + * Unless |msg->header->protectionAlg| is PasswordBasedMAC, + * its value is completed according to |ctx->pkey| and |ctx->digest|, + * where the latter irrelevant in the case of Edwards curves. * * returns ASN1_BIT_STRING representing the protection on success, else NULL */ 
@@ -104,23 +106,22 @@ ASN1_BIT_STRING *ossl_cmp_calc_protection(const OSSL_CMP_CTX *ctx, OPENSSL_free(prot_part_der); return prot; } else { - int md_nid; - const EVP_MD *md = NULL; + const EVP_MD *md = ctx->digest; + char name[80] = ""; if (ctx->pkey == NULL) { ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_KEY_INPUT_FOR_CREATING_PROTECTION); return NULL; } - if (!OBJ_find_sigid_algs(OBJ_obj2nid(algorOID), &md_nid, NULL) - || (md = EVP_get_digestbynid(md_nid)) == NULL) { - ERR_raise(ERR_LIB_CMP, CMP_R_UNKNOWN_ALGORITHM_ID); - return NULL; - } + if (EVP_PKEY_get_default_digest_name(ctx->pkey, name, sizeof(name)) > 0 + && strcmp(name, "UNDEF") == 0) /* at least for Ed25519, Ed448 */ + md = NULL; if ((prot = ASN1_BIT_STRING_new()) == NULL) return NULL; - if (ASN1_item_sign_ex(ASN1_ITEM_rptr(OSSL_CMP_PROTECTEDPART), NULL, + if (ASN1_item_sign_ex(ASN1_ITEM_rptr(OSSL_CMP_PROTECTEDPART), + msg->header->protectionAlg, /* sets X509_ALGOR */ NULL, prot, &prot_part, NULL, ctx->pkey, md, ctx->libctx, ctx->propq)) return prot; @@ -216,18 +217,6 @@ static X509_ALGOR *pbmac_algor(const OSSL_CMP_CTX *ctx) return alg; } -static X509_ALGOR *sig_algor(const OSSL_CMP_CTX *ctx) -{ - int nid = 0; - - if (!OBJ_find_sigid_by_algs(&nid, EVP_MD_get_type(ctx->digest), - EVP_PKEY_get_id(ctx->pkey))) { - ERR_raise(ERR_LIB_CMP, CMP_R_UNSUPPORTED_KEY_TYPE); - return 0; - } - return ossl_X509_ALGOR_from_nid(nid, V_ASN1_UNDEF, NULL); -} - static int set_senderKID(const OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg, const ASN1_OCTET_STRING *id) { @@ -275,7 +264,7 @@ int ossl_cmp_msg_protect(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg) goto err; } - if ((msg->header->protectionAlg = sig_algor(ctx)) == NULL) + if ((msg->header->protectionAlg = X509_ALGOR_new()) == NULL) goto err; /* set senderKID to keyIdentifier of the cert according to 5.1.1 */ if (!set_senderKID(ctx, msg, X509_get0_subject_key_id(ctx->cert))) 
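Review bot: In the signature branch of ossl_cmp_calc_protection() the result of `EVP_PKEY_get_default_digest_name()` is used only to detect the literal name "UNDEF", and its return value is otherwise discarded. That call returns 2 when the digest is mandatory for the key, so a key that mandates a digest other than `ctx->digest` is still handed `ctx->digest`; whether ASN1_item_sign_ex() then rejects it is not visible from this hunk. A comment should explain the sentinel and the buffer size, for example `/* "UNDEF": the key type signs the message directly, so no digest is passed */`, and the `80` in `char name[80]` would read better as a named constant. The function starts above the hunk, so the PBMAC branch was not reviewed.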
@@ -291,6 +280,7 @@ int ossl_cmp_msg_protect(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg) goto err; } if (!ctx->unprotectedSend + /* protect according to msg->header->protectionAlg partly set above */ && ((msg->protection = ossl_cmp_calc_protection(ctx, msg)) == NULL)) goto err; diff --git a/crypto/crmf/crmf_lib.c b/crypto/crmf/crmf_lib.c index 12939b9920c83..6e9f3b7ca26f5 100644 --- a/crypto/crmf/crmf_lib.c +++ b/crypto/crmf/crmf_lib.c @@ -386,8 +386,9 @@ static int create_popo_signature(OSSL_CRMF_POPOSIGNINGKEY *ps, digest = NULL; return ASN1_item_sign_ex(ASN1_ITEM_rptr(OSSL_CRMF_CERTREQUEST), - ps->algorithmIdentifier, NULL, ps->signature, cr, - NULL, pkey, digest, libctx, propq); + ps->algorithmIdentifier, /* sets this X509_ALGOR */ + NULL, ps->signature, /* sets the ASN1_BIT_STRING */ + cr, NULL, pkey, digest, libctx, propq); } int OSSL_CRMF_MSG_create_popo(int meth, OSSL_CRMF_MSG *crm, diff --git a/doc/internal/man3/ossl_cmp_msg_protect.pod b/doc/internal/man3/ossl_cmp_msg_protect.pod index 04da21fd9f9b6..2956b48ad89c2 100644 --- a/doc/internal/man3/ossl_cmp_msg_protect.pod +++ b/doc/internal/man3/ossl_cmp_msg_protect.pod @@ -21,6 +21,9 @@ ossl_cmp_msg_add_extraCerts ossl_cmp_calc_protection() calculates the protection for the given I according to the algorithm and parameters in the message header's protectionAlg using the credentials, library context, and property criteria in the I. +Unless Iheader->protectionAlg> is B, +its value is completed according to Ipkey> and Idigest>, +where the latter irrelevant in the case of Edwards curves. ossl_cmp_msg_protect() (re-)protects the given message I using an algorithm depending on the available context information given in the I. diff --git a/test/cmp_protect_test.c b/test/cmp_protect_test.c index b8a50d3157b25..8c6c9f29c27ec 100644 --- a/test/cmp_protect_test.c +++ b/test/cmp_protect_test.c 
@@ -12,6 +12,7 @@ #include "helpers/cmp_testlib.h" static const char *ir_protected_f; +static const char *genm_prot_Ed_f; static const char *ir_unprotected_f; static const char *ip_PBM_f; @@ -62,10 +63,13 @@ static CMP_PROTECT_TEST_FIXTURE *set_up(const char *const test_case_name) return fixture; } -static EVP_PKEY *loadedprivkey = NULL; -static EVP_PKEY *loadedpubkey = NULL; -static EVP_PKEY *loadedkey = NULL; -static X509 *cert = NULL; +static EVP_PKEY *prot_RSA_key = NULL; +#ifndef OPENSSL_NO_ECX +static EVP_PKEY *prot_Ed_key = NULL; +static OSSL_CMP_MSG *genm_protected_Ed; +#endif +static EVP_PKEY *server_key = NULL; +static X509 *server_cert = NULL; static unsigned char rand_data[OSSL_CMP_TRANSACTIONID_LENGTH]; static OSSL_CMP_MSG *ir_unprotected, *ir_protected; static X509 *endentity1 = NULL, *endentity2 = NULL, 
@@ -94,33 +98,20 @@ static int execute_calc_protection_pbmac_test(CMP_PROTECT_TEST_FIXTURE *fixture) } /* - * This function works similarly to parts of CMP_verify_signature in cmp_vfy.c, - * but without the need for an OSSL_CMP_CTX or a X509 certificate + * This function works similarly to parts of verify_signature in cmp_vfy.c, + * but without the need for an OSSL_CMP_CTX or an X509 certificate. */ static int verify_signature(OSSL_CMP_MSG *msg, ASN1_BIT_STRING *protection, EVP_PKEY *pkey, EVP_MD *digest) { OSSL_CMP_PROTECTEDPART prot_part; - unsigned char *prot_part_der = NULL; - int len; - EVP_MD_CTX *ctx = NULL; - int res; prot_part.header = OSSL_CMP_MSG_get0_header(msg); prot_part.body = msg->body; - len = i2d_OSSL_CMP_PROTECTEDPART(&prot_part, &prot_part_der); - res = - TEST_int_ge(len, 0) - && TEST_ptr(ctx = EVP_MD_CTX_new()) - && TEST_true(EVP_DigestVerifyInit(ctx, NULL, digest, NULL, pkey)) - && TEST_int_eq(EVP_DigestVerify(ctx, protection->data, - protection->length, - prot_part_der, len), 1); - /* cleanup */ - EVP_MD_CTX_free(ctx); - OPENSSL_free(prot_part_der); - return res; + return ASN1_item_verify_ex(ASN1_ITEM_rptr(OSSL_CMP_PROTECTEDPART), + msg->header->protectionAlg, protection, + &prot_part, NULL, pkey, libctx, NULL) > 0; } /* Calls OSSL_CMP_calc_protection and compares and verifies signature */ @@ -130,11 +121,9 @@ static int execute_calc_protection_signature_test(CMP_PROTECT_TEST_FIXTURE * ASN1_BIT_STRING *protection = ossl_cmp_calc_protection(fixture->cmp_ctx, fixture->msg); int ret = (TEST_ptr(protection) - && TEST_true(ASN1_STRING_cmp(protection, - fixture->msg->protection) == 0) - && TEST_true(verify_signature(fixture->msg, protection, - fixture->pubkey, - fixture->cmp_ctx->digest))); + && TEST_true(verify_signature(fixture->msg, protection, + fixture->pubkey, + fixture->cmp_ctx->digest))); ASN1_BIT_STRING_free(protection); return ret; 
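Review bot: The `digest` parameter of verify_signature() is no longer read now that the body is a single ASN1_item_verify_ex() call, yet execute_calc_protection_signature_test() still passes `fixture->cmp_ctx->digest`. Either drop the parameter, `static int verify_signature(OSSL_CMP_MSG *msg, ASN1_BIT_STRING *protection, EVP_PKEY *pkey)`, or state in the comment that the algorithm is taken from `msg->header->protectionAlg`. With the `ASN1_STRING_cmp(protection, fixture->msg->protection)` check removed, the test signs and verifies with the same key and no longer compares the result with the protection stored in the loaded message. A separate verification of the stored `fixture->msg->protection` would keep the test tied to the reference file.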
@@ -157,9 +146,9 @@ static int test_cmp_calc_protection_no_key_no_secret(void) static int test_cmp_calc_protection_pkey(void) { SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up); - fixture->pubkey = loadedpubkey; - if (!TEST_true(OSSL_CMP_CTX_set1_pkey(fixture->cmp_ctx, loadedprivkey)) - || !TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f, libctx))) { + fixture->pubkey = prot_RSA_key; + if (!TEST_true(OSSL_CMP_CTX_set1_pkey(fixture->cmp_ctx, prot_RSA_key)) + || !TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f, libctx))) { tear_down(fixture); fixture = NULL; } @@ -167,6 +156,21 @@ static int test_cmp_calc_protection_pkey(void) return result; } +#ifndef OPENSSL_NO_ECX +static int test_cmp_calc_protection_pkey_Ed(void) +{ + SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up); + fixture->pubkey = prot_Ed_key; + if (!TEST_true(OSSL_CMP_CTX_set1_pkey(fixture->cmp_ctx, prot_Ed_key)) + || !TEST_ptr(fixture->msg = load_pkimsg(genm_prot_Ed_f, libctx))) { + tear_down(fixture); + fixture = NULL; + } + EXECUTE_TEST(execute_calc_protection_signature_test, tear_down); + return result; +} +#endif + static int test_cmp_calc_protection_pbmac(void) { unsigned char sec_insta[] = { 'i', 'n', 's', 't', 'a' }; @@ -236,8 +240,9 @@ static int test_MSG_protect_with_certificate_and_key(void) if (!TEST_ptr(fixture->msg = OSSL_CMP_MSG_dup(ir_unprotected)) || !TEST_true(SET_OPT_UNPROTECTED_SEND(fixture->cmp_ctx, 0)) - || !TEST_true(OSSL_CMP_CTX_set1_pkey(fixture->cmp_ctx, loadedkey)) - || !TEST_true(OSSL_CMP_CTX_set1_cert(fixture->cmp_ctx, cert))) { + || !TEST_true(OSSL_CMP_CTX_set1_pkey(fixture->cmp_ctx, server_key)) + || !TEST_true(OSSL_CMP_CTX_set1_cert(fixture->cmp_ctx, + server_cert))) { tear_down(fixture); fixture = NULL; } 
@@ -255,11 +260,11 @@ static int test_MSG_protect_certificate_based_without_cert(void) if (!TEST_ptr(fixture->msg = OSSL_CMP_MSG_dup(ir_unprotected)) || !TEST_true(SET_OPT_UNPROTECTED_SEND(ctx, 0)) - || !TEST_true(OSSL_CMP_CTX_set0_newPkey(ctx, 1, loadedkey))) { + || !TEST_true(OSSL_CMP_CTX_set0_newPkey(ctx, 1, server_key))) { tear_down(fixture); fixture = NULL; } - EVP_PKEY_up_ref(loadedkey); + EVP_PKEY_up_ref(server_key); EXECUTE_TEST(execute_MSG_protect_test, tear_down); return result; } @@ -517,10 +522,13 @@ static int test_X509_STORE_only_self_issued(void) void cleanup_tests(void) { - EVP_PKEY_free(loadedprivkey); - EVP_PKEY_free(loadedpubkey); - EVP_PKEY_free(loadedkey); - X509_free(cert); + EVP_PKEY_free(prot_RSA_key); +#ifndef OPENSSL_NO_ECX + EVP_PKEY_free(prot_Ed_key); + OSSL_CMP_MSG_free(genm_protected_Ed); +#endif + EVP_PKEY_free(server_key); + X509_free(server_cert); X509_free(endentity1); X509_free(endentity2); X509_free(root); @@ -532,14 +540,16 @@ void cleanup_tests(void) OSSL_LIB_CTX_free(libctx); } -#define USAGE "server.pem IR_protected.der IR_unprotected.der IP_PBM.der " \ +#define USAGE "prot_RSA.pem IR_protected.der prot_Ed.pem " \ + "GENM_protected_Ed.der IR_unprotected.der IP_PBM.der " \ "server.crt server.pem EndEntity1.crt EndEntity2.crt Root_CA.crt " \ "Intermediate_CA.crt module_name [module_conf_file]\n" OPT_TEST_DECLARE_USAGE(USAGE) int setup_tests(void) { - char *server_f; + char *prot_RSA_f; + char *prot_Ed_f; char *server_key_f; char *server_cert_f; char *endentity1_f; 
@@ -553,32 +563,39 @@ int setup_tests(void) } RAND_bytes(rand_data, OSSL_CMP_TRANSACTIONID_LENGTH); - if (!TEST_ptr(server_f = test_get_argument(0)) + if (!TEST_ptr(prot_RSA_f = test_get_argument(0)) || !TEST_ptr(ir_protected_f = test_get_argument(1)) - || !TEST_ptr(ir_unprotected_f = test_get_argument(2)) - || !TEST_ptr(ip_PBM_f = test_get_argument(3)) - || !TEST_ptr(server_cert_f = test_get_argument(4)) - || !TEST_ptr(server_key_f = test_get_argument(5)) - || !TEST_ptr(endentity1_f = test_get_argument(6)) - || !TEST_ptr(endentity2_f = test_get_argument(7)) - || !TEST_ptr(root_f = test_get_argument(8)) - || !TEST_ptr(intermediate_f = test_get_argument(9))) { + || !TEST_ptr(prot_Ed_f = test_get_argument(2)) + || !TEST_ptr(genm_prot_Ed_f = test_get_argument(3)) + || !TEST_ptr(ir_unprotected_f = test_get_argument(4)) + || !TEST_ptr(ip_PBM_f = test_get_argument(5)) + || !TEST_ptr(server_cert_f = test_get_argument(6)) + || !TEST_ptr(server_key_f = test_get_argument(7)) + || !TEST_ptr(endentity1_f = test_get_argument(8)) + || !TEST_ptr(endentity2_f = test_get_argument(9)) + || !TEST_ptr(root_f = test_get_argument(10)) + || !TEST_ptr(intermediate_f = test_get_argument(11))) { TEST_error("usage: cmp_protect_test %s", USAGE); return 0; } - if (!test_arg_libctx(&libctx, &default_null_provider, &provider, 10, USAGE)) + if (!test_arg_libctx(&libctx, &default_null_provider, &provider, 12, USAGE)) return 0; - if (!TEST_ptr(loadedkey = load_pkey_pem(server_key_f, libctx)) - || !TEST_ptr(cert = load_cert_pem(server_cert_f, libctx))) + if (!TEST_ptr(server_key = load_pkey_pem(server_key_f, libctx)) + || !TEST_ptr(server_cert = load_cert_pem(server_cert_f, libctx))) return 0; - if (!TEST_ptr(loadedprivkey = load_pkey_pem(server_f, libctx))) + if (!TEST_ptr(prot_RSA_key = load_pkey_pem(prot_RSA_f, libctx))) return 0; - if (TEST_true(EVP_PKEY_up_ref(loadedprivkey))) - loadedpubkey = loadedprivkey; +#ifndef OPENSSL_NO_ECX + if (!TEST_ptr(prot_Ed_key = load_pkey_pem(prot_Ed_f, 
libctx))) + return 0; +#endif if (!TEST_ptr(ir_protected = load_pkimsg(ir_protected_f, libctx)) +#ifndef OPENSSL_NO_ECX + || !TEST_ptr(genm_protected_Ed = load_pkimsg(genm_prot_Ed_f, libctx)) +#endif || !TEST_ptr(ir_unprotected = load_pkimsg(ir_unprotected_f, libctx))) return 0; if (!TEST_ptr(endentity1 = load_cert_pem(endentity1_f, libctx)) @@ -592,6 +609,9 @@ int setup_tests(void) /* Message protection tests */ ADD_TEST(test_cmp_calc_protection_no_key_no_secret); ADD_TEST(test_cmp_calc_protection_pkey); +#ifndef OPENSSL_NO_ECX + ADD_TEST(test_cmp_calc_protection_pkey_Ed); +#endif ADD_TEST(test_cmp_calc_protection_pbmac); ADD_TEST(test_MSG_protect_with_msg_sig_alg_protection_plus_rsa_key); diff --git a/test/recipes/65-test_cmp_protect.t b/test/recipes/65-test_cmp_protect.t index 631603df7cf8e..d4e863f85a38b 100644 --- a/test/recipes/65-test_cmp_protect.t +++ b/test/recipes/65-test_cmp_protect.t @@ -30,8 +30,10 @@ plan skip_all => "This test is not supported in a shared library build on Window plan tests => 2 + ($no_fips ? 0 : 1); #fips test my @basic_cmd = ("cmp_protect_test", - data_file("server.pem"), - data_file("IR_protected.der"), + data_file("prot_RSA.pem"), + data_file("IR_protected.der"), # signed using prot_RSA.pem + data_file("prot_Ed.pem"), # test/certs/root-ed25519.privkey.pem + data_file("GENM_protected_Ed.der"), # signed using prot_Ed.pem data_file("IR_unprotected.der"), data_file("IP_PBM.der"), data_file("server.crt"), diff --git a/test/recipes/65-test_cmp_protect_data/GENM_protected_Ed.der b/test/recipes/65-test_cmp_protect_data/GENM_protected_Ed.der new file mode 100644 index 0000000000000000000000000000000000000000..3efa755b7ede35964ccd53ccc2bb3b43f7039eb7 GIT binary patch literal 232 zcmXqLd}`1*lZlaOiL`;Fp}2u48*?ZNGY_AqYlxddNNRD3f=g;{K3>TMf)e~j21dpP z7DkppY+z&=wUFI_m5o_DwP2ALi^!s$gFo^j6D~indLA=PXZngO9-1~wgjfWQX{a?@ z>8eclk! zXfc&bV6yY_oJSA14Y^-cuqE5XWG85NqMK?35`j@ Ip)+gv0VE_*v;Y7A literal 0 HcmV?d00001 
diff --git a/test/recipes/65-test_cmp_protect_data/IR_protected.der b/test/recipes/65-test_cmp_protect_data/IR_protected.der index ce0a7a46dcf2c12e038df94b72be63af77a2e3e4..2912c6b8106ad5b57587b76fd3e10c26d0669481 100644 GIT binary patch delta 37 tcmX@Xeu|yLpo#gIK@%hEM2@op{06*ioLX%jZQpqr8M#>*Ha>pJ1OUny3cLUS delta 35 rcmX@beuACDpo#g2K@%hMM2@q3yawECoLX%jZQpqr8M!w;eaZv?xV{Rn diff --git a/test/recipes/65-test_cmp_protect_data/prot_Ed.pem b/test/recipes/65-test_cmp_protect_data/prot_Ed.pem new file mode 100644 index 0000000000000..e447080ae2859 --- /dev/null +++ b/test/recipes/65-test_cmp_protect_data/prot_Ed.pem @@ -0,0 +1,3 @@ +-----BEGIN PRIVATE KEY----- +MC4CAQAwBQYDK2VwBCIEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC +-----END PRIVATE KEY----- diff --git a/test/recipes/65-test_cmp_protect_data/prot_RSA.pem b/test/recipes/65-test_cmp_protect_data/prot_RSA.pem new file mode 100644 index 0000000000000..2324266798455 --- /dev/null +++ b/test/recipes/65-test_cmp_protect_data/prot_RSA.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA4ckRrH0UWmIJFj99kBqvCipGjJRAaPkdvWjdDQLglTpI3eZA +JHnq0ypW/PZccrWjo7mxuvAStEYWF+5Jx6ZFmAsC1K0NNebSAZQoLWYZqiOzkfVV +pLicMnItNFElfCohBzPCYmF5UlC5yp9PSUEfNwPJqDIRMtw+IlVUV3AJw9TJ3uuW +q/vWW9r96/gBKKddmj/q2gGT8RC6LxEaolTbhfPbHaA1DFpv1WQFb3oAV3Wq14SO +Zf9bH1olBVsmBMsUshFEw5MXVrNCv2moM4HtITMyjvZe7eIwHzSzf6dvQjERG6Gv +Z/i5KOhaqgJCnRKdHHzijz9cLec5p9NSOuC1OwIDAQABAoIBAGiYVO+rIfqc38jG +sMxJED2NSBFnvE7k2LoeEgktBA0daxQgziYXtIkOXC3jkwAw1RXLuGH5RTDuJt3/ +LX6nsCW3NCCB6lTGERNaJyKg4dLHpzA+juY3/2P/MKHD1bGncpV7jNk2fpV7gBY1 +pu0wld1Oi+S3DPCaxs3w6Zl39Y4Z7oSNf6DRO5lGN3Asc8TSVjIOWpAl8LIg+P2B +ZvFeHRANVXaV9YmF2uEi7iMgH4vGrK2svsmM9VThVO4ArGcTRTvGYn7aw3/H4Pt+ +lYuhERdpkKBT0tCgIpO5IJXMl4/5RSDTtcBwiJcReN5IHUAItBIPSHcMflNSKG/I +aQf4u0ECgYEA8+PAyzn096Y2UrKzE75yuadCveLjsUWx2NN5ZMohQru99F4k7Pab +/Te4qOe5zlxHAPK3LRwvbwUWo5mLfs45wFrSgZoRlYcCuL+JaX0y2oXMMF9E+UkY +tljMt/HpLo1SfSjN2Sae4LVhC7rWJ43LtyRepptzBPGqd26eLPGAMr8CgYEA7P8u +RGkMOrMzEKAb0A9smrzq2xW88T1VejqEt6R8mUcNt8PFHMgjuzVU4zDysrlb7G/0 +VSkQWnJxBh1yNGc1Av7YgwicIgApr4ty0hZhLcnKX2VrNw+L/sSe/cnwVAc6RtPK +RR6xQubuLlrCGcbYXmyn5Jv+nlY0S3uCyDFHqIUCgYAwtpLxhJf7RwWeqva9wNJl +ZpUcHE9iPwtwxXx/tyfBjoI4Zv11HyS1BQYrJm2kXCYKeHBB4FlREXEeKDMGluZO +F1XocP+GIDtY71jg6xLXNtY76yt5pzH6ae4p53WtyKhrO1UyRFaDh3bkwuK3b8j6 +wZbuLCpjGGn2BPAvBeWXPQKBgEewKN6op/pZmmi9Bay5/bAQ1TnQKYcPdnuyl9K0 +/ruespeTsFw0bhqC11qhw8gsKZIri0z3TusNEwM2hQU08uQlEnkQcaoXQoTHOcQy +4NJo575Tf0r4ePBnqXA7VWcViJtEFTszPYtvLzz2VyBU9b4aP+73AN4EVW0/vx+v +SG3BAoGBAMzESFA2TXwUFmozK5zowIszc995Xqpi7mXKk77WESOpoS1dQ1wF1dSg +XOwxzFoYovLxcc1K9lqOrod8BV+qGuEfc/PIJ2aiXjvEDeZYX2eWaANNmj4OSLoJ +MNYj9tZxbq56slD7snf7AgUBnwKz0Pj6H6UsbE3gdJqZWCDyw/bB +-----END RSA PRIVATE KEY----- From c1673a60e40f6dcd110d1a4ff3e11a3297ada2da Mon Sep 17 00:00:00 2001 From: Philip Prindeville Date: Sat, 2 Sep 2023 13:18:04 -0600 Subject: [PATCH 127/324] Per other commands, make progress dots in req only w/ -verbose 
Signed-off-by: Philip Prindeville Reviewed-by: Tomas Mraz Reviewed-by: Dmitry Belyavskiy Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/21937) --- apps/req.c | 13 ++++++++++--- doc/man1/openssl-req.pod.in | 7 +++++++ 2 files changed, 17 insertions(+), 3 deletions(-) diff --git a/apps/req.c b/apps/req.c index 711bdff8bfe15..7ef51d4f0b755 100644 --- a/apps/req.c +++ b/apps/req.c @@ -90,7 +90,7 @@ typedef enum OPTION_choice { OPT_MULTIVALUE_RDN, OPT_DAYS, OPT_SET_SERIAL, OPT_COPY_EXTENSIONS, OPT_EXTENSIONS, OPT_REQEXTS, OPT_ADDEXT, OPT_PRECERT, OPT_MD, - OPT_SECTION, + OPT_SECTION, OPT_QUIET, OPT_R_ENUM, OPT_PROV_ENUM } OPTION_CHOICE; @@ -158,6 +158,7 @@ const OPTIONS req_options[] = { {"batch", OPT_BATCH, '-', "Do not ask anything during request generation"}, {"verbose", OPT_VERBOSE, '-', "Verbose output"}, + {"quiet", OPT_QUIET, '-', "Terse output"}, {"noenc", OPT_NOENC, '-', "Don't encrypt private keys"}, {"nodes", OPT_NODES, '-', "Don't encrypt private keys; deprecated"}, {"noout", OPT_NOOUT, '-', "Do not output REQ"}, @@ -259,7 +260,7 @@ int req_main(int argc, char **argv) const char *keyalg = NULL; OPTION_CHOICE o; int days = UNSET_DAYS; - int ret = 1, gen_x509 = 0, i = 0, newreq = 0, verbose = 0; + int ret = 1, gen_x509 = 0, i = 0, newreq = 0, verbose = 0, progress = 1; int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, keyform = FORMAT_UNDEF; int modulus = 0, multirdn = 1, verify = 0, noout = 0, text = 0; int noenc = 0, newhdr = 0, subject = 0, pubkey = 0, precert = 0, x509v1 = 0; @@ -389,6 +390,11 @@ int req_main(int argc, char **argv) break; case OPT_VERBOSE: verbose = 1; + progress = 1; + break; + case OPT_QUIET: + verbose = 0; + progress = 0; break; case OPT_UTF8: chtype = MBSTRING_UTF8; 
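Review bot: `progress` is initialised to 1 in req_main(), so the `progress = 1;` added under `case OPT_VERBOSE:` has no effect unless `-quiet` came earlier on the command line, and the dots are still printed by default, which does not match the commit title ("only w/ -verbose"). The two options are also order-dependent: `-verbose -quiet` clears `verbose`, while `-quiet -verbose` restores both flags, and neither the option help text nor the code says that the last one wins. If the documented behaviour (only `-quiet` suppresses the dots) is the intended one, drop the redundant assignment and add a comment on the `OPT_QUIET` case such as `/* last of -verbose/-quiet wins */`. req_main() continues beyond this hunk.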
@@ -652,8 +658,9 @@ int req_main(int argc, char **argv) } } - EVP_PKEY_CTX_set_cb(genctx, progress_cb); EVP_PKEY_CTX_set_app_data(genctx, bio_err); + if (progress) + EVP_PKEY_CTX_set_cb(genctx, progress_cb); pkey = app_keygen(genctx, keyalgstr, newkey_len, verbose); diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in index 099582fa72612..ad43dc2357792 100644 --- a/doc/man1/openssl-req.pod.in +++ b/doc/man1/openssl-req.pod.in @@ -53,6 +53,7 @@ B B [B<-vfyopt> I:I] [B<-batch>] [B<-verbose>] +[B<-quiet>] {- $OpenSSL::safe::opt_name_synopsis -} {- $OpenSSL::safe::opt_r_synopsis -} {- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -} @@ -402,6 +403,12 @@ Non-interactive mode. Print extra details about the operations being performed. +=item B<-quiet> + +Print fewer details about the operations being performed, which may be +handy during batch scripts or pipelines (specifically "progress dots" +during key generation are suppressed). + =item B<-keygen_engine> I Specifies an engine (by its unique I string) which would be used From 09d73d7ba13b868db96476d265c8d99616ca7809 Mon Sep 17 00:00:00 2001 From: Pauli Date: Tue, 5 Sep 2023 11:49:38 +1000 Subject: [PATCH 128/324] fips compatibility: update 3.1.1 to 3.1.2 The plan at the moment is to validate 3.1.2 all going well. Reviewed-by: Hugo Landau Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21962) --- .github/workflows/provider-compatibility.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/provider-compatibility.yml b/.github/workflows/provider-compatibility.yml index 68d8922383ed1..b675e426c173d 100644 --- a/.github/workflows/provider-compatibility.yml +++ b/.github/workflows/provider-compatibility.yml 
@@ -45,9 +45,9 @@ jobs: url: "https://www.openssl.org/source/openssl-3.0.9.tar.gz", }, { - dir: openssl-3.1.1, - tgz: openssl-3.1.1.tar.gz, - url: "https://www.openssl.org/source/openssl-3.1.1.tar.gz", + dir: openssl-3.1.2, + tgz: openssl-3.1.2.tar.gz, + url: "https://www.openssl.org/source/openssl-3.1.2.tar.gz", }, ] From 5881dd2c080c10ab9f9ca38a2db64deaa79f853a Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Thu, 24 Aug 2023 10:16:52 +0100 Subject: [PATCH 129/324] QUIC MULTISTREAM TEST: Run all scripts in both blocking and non-blocking modes Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21827) --- test/quic_multistream_test.c | 399 ++++++++++++++++++++++++++--------- 1 file changed, 301 insertions(+), 98 deletions(-) diff --git a/test/quic_multistream_test.c b/test/quic_multistream_test.c index 04f2771ed89ea..1f97862146e38 100644 --- a/test/quic_multistream_test.c +++ b/test/quic_multistream_test.c @@ -33,6 +33,7 @@ struct child_thread_args { CRYPTO_MUTEX *m; int testresult; int done; + int s_checked_out; }; #endif @@ -48,7 +49,11 @@ struct helper { int s_fd; BIO *s_net_bio, *s_net_bio_own, *s_qtf_wbio, *s_qtf_wbio_own; BIO_ADDR *s_net_bio_addr; - QUIC_TSERVER *s; + /* + * When doing a blocking mode test run, s_priv always points to the TSERVER + * and s is NULL when the main thread should not be touching s_priv. + */ + QUIC_TSERVER *s, *s_priv; LHASH_OF(STREAM_INFO) *s_streams; int c_fd; 
@@ -85,19 +90,29 @@ struct helper { BIO_MSG *m, size_t stride); uint64_t inject_word0, inject_word1; uint64_t scratch0, scratch1, fail_count; +#if defined(OPENSSL_THREADS) + struct { + CRYPTO_THREAD *t; + CRYPTO_MUTEX *m; + CRYPTO_CONDVAR *c; + int ready, stop; + } server_thread; + int s_checked_out; +#endif }; struct helper_local { struct helper *h; LHASH_OF(STREAM_INFO) *c_streams; int thread_idx; + const struct script_op *check_op; }; struct script_op { uint32_t op; const void *arg0; size_t arg1; - int (*check_func)(struct helper *h, const struct script_op *op); + int (*check_func)(struct helper *h, struct helper_local *hl); const char *stream_name; uint64_t arg2; int (*qtf_packet_plain_cb)(struct helper *h, QUIC_PKT_HDR *hdr, @@ -312,23 +327,28 @@ static OSSL_TIME get_time(void *arg) return t; } -static int skip_time_ms(struct helper *h, const struct script_op *op) +static int skip_time_ms(struct helper *h, struct helper_local *hl) { if (!TEST_true(CRYPTO_THREAD_write_lock(h->time_lock))) return 0; - h->time_slip = ossl_time_add(h->time_slip, ossl_ms2time(op->arg2)); + h->time_slip = ossl_time_add(h->time_slip, ossl_ms2time(hl->check_op->arg2)); CRYPTO_THREAD_unlock(h->time_lock); return 1; } -static int check_rejected(struct helper *h, const struct script_op *op) +static QUIC_TSERVER *s_lock(struct helper *h, struct helper_local *hl); +static void s_unlock(struct helper *h, struct helper_local *hl); + +#define ACQUIRE_S() s_lock(h, hl) + +static int check_rejected(struct helper *h, struct helper_local *hl) { - uint64_t stream_id = op->arg2; + uint64_t stream_id = hl->check_op->arg2; - if (!ossl_quic_tserver_stream_has_peer_stop_sending(h->s, stream_id, NULL) - || !ossl_quic_tserver_stream_has_peer_reset_stream(h->s, stream_id, NULL)) { + if (!ossl_quic_tserver_stream_has_peer_stop_sending(ACQUIRE_S(), stream_id, NULL) + || !ossl_quic_tserver_stream_has_peer_reset_stream(ACQUIRE_S(), stream_id, NULL)) { h->check_spin_again = 1; return 0; } 
@@ -336,11 +356,11 @@ static int check_rejected(struct helper *h, const struct script_op *op) return 1; } -static int check_stream_reset(struct helper *h, const struct script_op *op) +static int check_stream_reset(struct helper *h, struct helper_local *hl) { - uint64_t stream_id = op->arg2, aec = 0; + uint64_t stream_id = hl->check_op->arg2, aec = 0; - if (!ossl_quic_tserver_stream_has_peer_reset_stream(h->s, stream_id, &aec)) { + if (!ossl_quic_tserver_stream_has_peer_reset_stream(ACQUIRE_S(), stream_id, &aec)) { h->check_spin_again = 1; return 0; } @@ -348,11 +368,11 @@ static int check_stream_reset(struct helper *h, const struct script_op *op) return TEST_uint64_t_eq(aec, 42); } -static int check_stream_stopped(struct helper *h, const struct script_op *op) +static int check_stream_stopped(struct helper *h, struct helper_local *hl) { - uint64_t stream_id = op->arg2; + uint64_t stream_id = hl->check_op->arg2; - if (!ossl_quic_tserver_stream_has_peer_stop_sending(h->s, stream_id, NULL)) { + if (!ossl_quic_tserver_stream_has_peer_stop_sending(ACQUIRE_S(), stream_id, NULL)) { h->check_spin_again = 1; return 0; } @@ -360,15 +380,15 @@ static int check_stream_stopped(struct helper *h, const struct script_op *op) return 1; } -static int override_key_update(struct helper *h, const struct script_op *op) +static int override_key_update(struct helper *h, struct helper_local *hl) { QUIC_CHANNEL *ch = ossl_quic_conn_get_channel(h->c_conn); - ossl_quic_channel_set_txku_threshold_override(ch, op->arg2); + ossl_quic_channel_set_txku_threshold_override(ch, hl->check_op->arg2); return 1; } -static int trigger_key_update(struct helper *h, const struct script_op *op) +static int trigger_key_update(struct helper *h, struct helper_local *hl) { if (!TEST_true(SSL_key_update(h->c_conn, SSL_KEY_UPDATE_REQUESTED))) return 0; 
@@ -376,7 +396,7 @@ static int trigger_key_update(struct helper *h, const struct script_op *op) return 1; } -static int check_key_update_ge(struct helper *h, const struct script_op *op) +static int check_key_update_ge(struct helper *h, struct helper_local *hl) { QUIC_CHANNEL *ch = ossl_quic_conn_get_channel(h->c_conn); int64_t txke = (int64_t)ossl_quic_channel_get_tx_key_epoch(ch); @@ -391,19 +411,19 @@ static int check_key_update_ge(struct helper *h, const struct script_op *op) return 0; /* Caller specifies a minimum number of RXKEs which must have happened. */ - if (!TEST_uint64_t_ge((uint64_t)rxke, op->arg2)) + if (!TEST_uint64_t_ge((uint64_t)rxke, hl->check_op->arg2)) return 0; return 1; } -static int check_key_update_lt(struct helper *h, const struct script_op *op) +static int check_key_update_lt(struct helper *h, struct helper_local *hl) { QUIC_CHANNEL *ch = ossl_quic_conn_get_channel(h->c_conn); uint64_t txke = ossl_quic_channel_get_tx_key_epoch(ch); /* Caller specifies a maximum number of TXKEs which must have happened. */ - if (!TEST_uint64_t_lt(txke, op->arg2)) + if (!TEST_uint64_t_lt(txke, hl->check_op->arg2)) return 0; return 1; 
@@ -461,12 +481,105 @@ static int join_threads(struct child_thread_args *threads, size_t num_threads) return ok; } + +static int join_server_thread(struct helper *h) +{ + CRYPTO_THREAD_RETVAL rv; + + if (h->server_thread.t == NULL) + return 1; + + ossl_crypto_mutex_lock(h->server_thread.m); + h->server_thread.stop = 1; + ossl_crypto_mutex_unlock(h->server_thread.m); + ossl_crypto_condvar_signal(h->server_thread.c); + + ossl_crypto_thread_native_join(h->server_thread.t, &rv); + ossl_crypto_thread_native_clean(h->server_thread.t); + h->server_thread.t = NULL; + return 1; +} + +/* Ensure the server-state lock is currently held. Idempotent. */ +static int *s_checked_out_p(struct helper *h, int thread_idx) +{ + return (thread_idx < 0) ? &h->s_checked_out + : &h->threads[thread_idx].s_checked_out; +} + +static QUIC_TSERVER *s_lock(struct helper *h, struct helper_local *hl) +{ + int *p_checked_out = s_checked_out_p(h, hl->thread_idx); + + if (h->server_thread.m == NULL || *p_checked_out) + return h->s; + + ossl_crypto_mutex_lock(h->server_thread.m); + h->s = h->s_priv; + *p_checked_out = 1; + return h->s; +} + +/* Ensure the server-state lock is currently not held. Idempotent. 
*/ +static void s_unlock(struct helper *h, struct helper_local *hl) +{ + int *p_checked_out = s_checked_out_p(h, hl->thread_idx); + + if (h->server_thread.m == NULL || !*p_checked_out) + return; + + *p_checked_out = 0; + h->s = NULL; + ossl_crypto_mutex_unlock(h->server_thread.m); +} + +static unsigned int server_helper_thread(void *arg) +{ + struct helper *h = arg; + + ossl_crypto_mutex_lock(h->server_thread.m); + + for (;;) { + int ready, stop; + + ready = h->server_thread.ready; + stop = h->server_thread.stop; + + if (stop) + break; + + if (!ready) { + ossl_crypto_condvar_wait(h->server_thread.c, h->server_thread.m); + continue; + } + + ossl_quic_tserver_tick(h->s_priv); + ossl_crypto_mutex_unlock(h->server_thread.m); + OSSL_sleep(1); + ossl_crypto_mutex_lock(h->server_thread.m); + } + + ossl_crypto_mutex_unlock(h->server_thread.m); + return 1; +} + +#else + +static QUIC_TSERVER *s_lock(struct helper *h, struct helper_local *hl) +{ + return h->s; +} + +static void s_unlock(struct helper *h, struct helper_local *hl) +{} + #endif static void helper_cleanup(struct helper *h) { #if defined(OPENSSL_THREADS) join_threads(h->threads, h->num_threads); + join_server_thread(h); OPENSSL_free(h->threads); h->threads = NULL; h->num_threads = 0; @@ -487,8 +600,8 @@ static void helper_cleanup(struct helper *h) } helper_cleanup_streams(&h->s_streams); - ossl_quic_tserver_free(h->s); - h->s = NULL; + ossl_quic_tserver_free(h->s_priv); + h->s_priv = h->s = NULL; BIO_free(h->s_net_bio_own); h->s_net_bio_own = NULL; 
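Review bot: `join_server_thread()` discards the result of `ossl_crypto_thread_native_join()` and always returns 1. `helper_cleanup()` then frees `h->s_priv` and `server_thread.m`, both of which `server_helper_thread()` would still be using if the join did not complete. Assuming the join returns non-zero on success, wrapping it as `TEST_true(ossl_crypto_thread_native_join(h->server_thread.t, &rv));` would at least put that case in the test log. Separately, the comment `/* Ensure the server-state lock is currently held. Idempotent. */` sits above `s_checked_out_p()` although it describes `s_lock()`. Move it down one function and give the accessor its own line, e.g. `/* Per-caller "holds server lock" flag; main thread when thread_idx < 0. */`.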
@@ -520,9 +633,15 @@ static void helper_cleanup(struct helper *h) CRYPTO_THREAD_lock_free(h->time_lock); h->time_lock = NULL; + +#if defined(OPENSSL_THREADS) + ossl_crypto_mutex_free(&h->server_thread.m); + ossl_crypto_condvar_free(&h->server_thread.c); +#endif } -static int helper_init(struct helper *h, int free_order, int need_injector) +static int helper_init(struct helper *h, int free_order, int blocking, + int need_injector) { short port = 8186; struct in_addr ina = {0}; @@ -532,6 +651,7 @@ static int helper_init(struct helper *h, int free_order, int need_injector) h->c_fd = -1; h->s_fd = -1; h->free_order = free_order; + h->blocking = blocking; h->need_injector = need_injector; h->time_slip = ossl_time_zero(); @@ -593,11 +713,14 @@ static int helper_init(struct helper *h, int free_order, int need_injector) s_args.now_cb_arg = h; s_args.ctx = NULL; - if (!TEST_ptr(h->s = ossl_quic_tserver_new(&s_args, certfile, keyfile))) + if (!TEST_ptr(h->s_priv = ossl_quic_tserver_new(&s_args, certfile, keyfile))) goto err; + if (!blocking) + h->s = h->s_priv; + if (need_injector) { - h->qtf = qtest_create_injector(h->s); + h->qtf = qtest_create_injector(h->s_priv); if (!TEST_ptr(h->qtf)) goto err; @@ -641,8 +764,26 @@ static int helper_init(struct helper *h, int free_order, int need_injector) SSL_set0_wbio(h->c_conn, h->c_net_bio); - if (!TEST_true(SSL_set_blocking_mode(h->c_conn, 0))) + if (!TEST_true(SSL_set_blocking_mode(h->c_conn, h->blocking))) + goto err; + + if (h->blocking) { +#if defined(OPENSSL_THREADS) + if (!TEST_ptr(h->server_thread.m = ossl_crypto_mutex_new())) + goto err; + + if (!TEST_ptr(h->server_thread.c = ossl_crypto_condvar_new())) + goto err; + + h->server_thread.t + = ossl_crypto_thread_native_start(server_helper_thread, h, 1); + if (!TEST_ptr(h->server_thread.t)) + goto err; +#else + TEST_error("cannot support blocking mode without threads"); goto err; +#endif + } h->start_time = ossl_time_now(); h->init = 1; 
@@ -844,21 +985,31 @@ static int run_script_worker(struct helper *h, const struct script_op *script, int end_wait_warning = 0; #endif OSSL_TIME op_start_time = ossl_time_zero(), op_deadline = ossl_time_zero(); - struct helper_local hl; + struct helper_local hl_, *hl = &hl_; #define REPEAT_SLOTS 8 size_t repeat_stack_idx[REPEAT_SLOTS], repeat_stack_done[REPEAT_SLOTS]; size_t repeat_stack_limit[REPEAT_SLOTS]; size_t repeat_stack_len = 0; - if (!TEST_true(helper_local_init(&hl, h, thread_idx))) + if (!TEST_true(helper_local_init(hl, h, thread_idx))) goto out; -#define SPIN_AGAIN() { OSSL_sleep(1); no_advance = 1; continue; } +#define S_SPIN_AGAIN() { OSSL_sleep(1); no_advance = 1; continue; } +#define C_SPIN_AGAIN() \ + { \ + if (h->blocking) { \ + TEST_error("spin again in blocking mode"); \ + goto out; \ + } \ + S_SPIN_AGAIN(); \ + } for (;;) { SSL *c_tgt = h->c_conn; uint64_t s_stream_id = UINT64_MAX; + s_unlock(h, hl); + if (no_advance) { no_advance = 0; } else { @@ -879,15 +1030,28 @@ static int run_script_worker(struct helper *h, const struct script_op *script, op = &script[op_idx]; if (op->stream_name != NULL) { - c_tgt = helper_local_get_c_stream(&hl, op->stream_name); + c_tgt = helper_local_get_c_stream(hl, op->stream_name); if (thread_idx < 0) s_stream_id = helper_get_s_stream(h, op->stream_name); else s_stream_id = UINT64_MAX; } - if (thread_idx < 0) - ossl_quic_tserver_tick(h->s); + if (thread_idx < 0) { + if (!h->blocking) { + ossl_quic_tserver_tick(h->s); + } +#if defined(OPENSSL_THREADS) + else if (h->blocking && !h->server_thread.ready) { + ossl_crypto_mutex_lock(h->server_thread.m); + h->server_thread.ready = 1; + ossl_crypto_mutex_unlock(h->server_thread.m); + ossl_crypto_condvar_signal(h->server_thread.c); + } + if (h->blocking) + assert(h->s == NULL); +#endif + } if (thread_idx >= 0 || connect_started) SSL_handle_events(h->c_conn); 
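Review bot: The added `assert(h->s == NULL)` in the `thread_idx < 0` branch reads `h->s` without holding `server_thread.m`, whereas `s_lock()`/`s_unlock()` write that field under the mutex. If a child-thread script ever acquires the server (the per-thread `s_checked_out` flags suggest this is meant to be possible), this is an unsynchronised read and the assertion can fire spuriously. It is also compiled out under NDEBUG, unlike the TEST_* checks used throughout this function. Since `s_unlock(h, hl)` has just run at the top of the loop, I would drop the assert or test the caller's own flag instead: `if (h->blocking && !TEST_false(*s_checked_out_p(h, hl->thread_idx))) goto out;`. The `h->blocking &&` in the `else if` is redundant after `if (!h->blocking)`; run_script_worker continues outside this hunk.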
@@ -943,7 +1107,7 @@ static int run_script_worker(struct helper *h, const struct script_op *script, end_wait_warning = 1; } - SPIN_AGAIN(); + S_SPIN_AGAIN(); } } } @@ -990,10 +1154,15 @@ static int run_script_worker(struct helper *h, const struct script_op *script, case OPK_CHECK: { - int ok = op->check_func(h, op); + int ok; + + hl->check_op = op; + ok = op->check_func(h, hl); + hl->check_op = NULL; + if (h->check_spin_again) { h->check_spin_again = 0; - SPIN_AGAIN(); + S_SPIN_AGAIN(); } if (!TEST_true(ok)) @@ -1034,7 +1203,7 @@ static int run_script_worker(struct helper *h, const struct script_op *script, goto out; if (ret != 1) { if (!h->blocking && is_want(h->c_conn, ret)) - SPIN_AGAIN(); + C_SPIN_AGAIN(); if (op->arg1 == 0 && !TEST_int_eq(ret, 1)) goto out; @@ -1065,7 +1234,7 @@ static int run_script_worker(struct helper *h, const struct script_op *script, if (!TEST_uint64_t_ne(s_stream_id, UINT64_MAX)) goto out; - if (!TEST_true(ossl_quic_tserver_write(h->s, s_stream_id, + if (!TEST_true(ossl_quic_tserver_write(ACQUIRE_S(), s_stream_id, op->arg0, op->arg1, &bytes_written)) || !TEST_size_t_eq(bytes_written, op->arg1)) @@ -1085,7 +1254,7 @@ static int run_script_worker(struct helper *h, const struct script_op *script, if (!TEST_uint64_t_ne(s_stream_id, UINT64_MAX)) goto out; - ossl_quic_tserver_conclude(h->s, s_stream_id); + ossl_quic_tserver_conclude(ACQUIRE_S(), s_stream_id); } break; @@ -1099,7 +1268,7 @@ static int run_script_worker(struct helper *h, const struct script_op *script, if (!SSL_peek_ex(c_tgt, buf, sizeof(buf), &bytes_read) || bytes_read == 0) - SPIN_AGAIN(); + C_SPIN_AGAIN(); } break; @@ -1118,11 +1287,11 @@ static int run_script_worker(struct helper *h, const struct script_op *script, goto out; if (!r) - SPIN_AGAIN(); + C_SPIN_AGAIN(); if (bytes_read + offset != op->arg1) { offset += bytes_read; - SPIN_AGAIN(); + C_SPIN_AGAIN(); } if (op->arg1 > 0 
@@ -1145,7 +1314,7 @@ static int run_script_worker(struct helper *h, const struct script_op *script, && !TEST_ptr(tmp_buf = OPENSSL_malloc(op->arg1))) goto out; - if (!TEST_true(ossl_quic_tserver_read(h->s, s_stream_id, + if (!TEST_true(ossl_quic_tserver_read(ACQUIRE_S(), s_stream_id, tmp_buf + offset, op->arg1 - offset, &bytes_read))) @@ -1153,7 +1322,7 @@ static int run_script_worker(struct helper *h, const struct script_op *script, if (bytes_read + offset != op->arg1) { offset += bytes_read; - SPIN_AGAIN(); + S_SPIN_AGAIN(); } if (op->arg1 > 0 @@ -1178,7 +1347,7 @@ static int run_script_worker(struct helper *h, const struct script_op *script, goto out; if (is_want(c_tgt, 0)) - SPIN_AGAIN(); + C_SPIN_AGAIN(); if (!TEST_int_eq(SSL_get_error(c_tgt, 0), SSL_ERROR_ZERO_RETURN)) @@ -1194,8 +1363,8 @@ static int run_script_worker(struct helper *h, const struct script_op *script, if (!TEST_uint64_t_ne(s_stream_id, UINT64_MAX)) goto out; - if (!ossl_quic_tserver_has_read_ended(h->s, s_stream_id)) - SPIN_AGAIN(); + if (!ossl_quic_tserver_has_read_ended(ACQUIRE_S(), s_stream_id)) + S_SPIN_AGAIN(); } break; @@ -1212,7 +1381,7 @@ static int run_script_worker(struct helper *h, const struct script_op *script, if (!TEST_ptr(c_stream = ossl_quic_detach_stream(h->c_conn))) goto out; - if (!TEST_true(helper_local_set_c_stream(&hl, op->stream_name, c_stream))) + if (!TEST_true(helper_local_set_c_stream(hl, op->stream_name, c_stream))) goto out; } break; @@ -1228,7 +1397,7 @@ static int run_script_worker(struct helper *h, const struct script_op *script, if (!TEST_true(ossl_quic_attach_stream(h->c_conn, c_tgt))) goto out; - if (!TEST_true(helper_local_set_c_stream(&hl, op->stream_name, NULL))) + if (!TEST_true(helper_local_set_c_stream(hl, op->stream_name, NULL))) goto out; } break; 
@@ -1265,7 +1434,7 @@ static int run_script_worker(struct helper *h, const struct script_op *script, op->arg2)) goto out; - if (!TEST_true(helper_local_set_c_stream(&hl, op->stream_name, c_stream))) + if (!TEST_true(helper_local_set_c_stream(hl, op->stream_name, c_stream))) goto out; } break; @@ -1280,7 +1449,7 @@ static int run_script_worker(struct helper *h, const struct script_op *script, if (!TEST_ptr(op->stream_name)) goto out; - if (!TEST_true(ossl_quic_tserver_stream_new(h->s, + if (!TEST_true(ossl_quic_tserver_stream_new(ACQUIRE_S(), op->arg1 > 0, &stream_id))) goto out; @@ -1306,9 +1475,9 @@ static int run_script_worker(struct helper *h, const struct script_op *script, goto out; if ((c_stream = SSL_accept_stream(h->c_conn, 0)) == NULL) - SPIN_AGAIN(); + C_SPIN_AGAIN(); - if (!TEST_true(helper_local_set_c_stream(&hl, op->stream_name, + if (!TEST_true(helper_local_set_c_stream(hl, op->stream_name, c_stream))) goto out; } @@ -1324,9 +1493,9 @@ static int run_script_worker(struct helper *h, const struct script_op *script, if (!TEST_ptr(op->stream_name)) goto out; - new_stream_id = ossl_quic_tserver_pop_incoming_stream(h->s); + new_stream_id = ossl_quic_tserver_pop_incoming_stream(ACQUIRE_S()); if (new_stream_id == UINT64_MAX) - SPIN_AGAIN(); + S_SPIN_AGAIN(); if (!TEST_true(helper_set_s_stream(h, op->stream_name, new_stream_id))) goto out; @@ -1337,7 +1506,8 @@ static int run_script_worker(struct helper *h, const struct script_op *script, { SSL *c_stream; - if (!TEST_ptr_null(c_stream = SSL_accept_stream(h->c_conn, 0))) { + if (!TEST_ptr_null(c_stream = SSL_accept_stream(h->c_conn, + SSL_ACCEPT_STREAM_NO_BLOCK))) { SSL_free(c_stream); goto out; } @@ -1353,7 +1523,7 @@ static int run_script_worker(struct helper *h, const struct script_op *script, if (!TEST_ptr(op->stream_name)) goto out; - if (!TEST_true(helper_local_set_c_stream(&hl, op->stream_name, NULL))) + if (!TEST_true(helper_local_set_c_stream(hl, op->stream_name, NULL))) goto out; SSL_free(c_tgt); 
@@ -1400,13 +1570,13 @@ static int run_script_worker(struct helper *h, const struct script_op *script, goto out; if (ret == 0) - SPIN_AGAIN(); + C_SPIN_AGAIN(); } break; case OPK_S_SHUTDOWN: { - ossl_quic_tserver_shutdown(h->s, op->arg1); + ossl_quic_tserver_shutdown(ACQUIRE_S(), op->arg1); } break; @@ -1420,8 +1590,14 @@ static int run_script_worker(struct helper *h, const struct script_op *script, if (!TEST_ptr(c_tgt)) goto out; + if (h->blocking + && !TEST_true(SSL_shutdown_ex(c_tgt, + SSL_SHUTDOWN_FLAG_WAIT_PEER, + NULL, 0))) + goto out; + if (!SSL_get_conn_close_info(c_tgt, &cc_info, sizeof(cc_info))) - SPIN_AGAIN(); + C_SPIN_AGAIN(); if (!TEST_int_eq(expect_app, (cc_info.flags @@ -1441,12 +1617,12 @@ static int run_script_worker(struct helper *h, const struct script_op *script, int expect_remote = (op->arg1 & EXPECT_CONN_CLOSE_REMOTE) != 0; uint64_t error_code = op->arg2; - if (!ossl_quic_tserver_is_term_any(h->s)) { - ossl_quic_tserver_ping(h->s); - SPIN_AGAIN(); + if (!ossl_quic_tserver_is_term_any(ACQUIRE_S())) { + ossl_quic_tserver_ping(ACQUIRE_S()); + S_SPIN_AGAIN(); } - if (!TEST_ptr(tc = ossl_quic_tserver_get_terminate_cause(h->s))) + if (!TEST_ptr(tc = ossl_quic_tserver_get_terminate_cause(ACQUIRE_S()))) goto out; if (!TEST_uint64_t_eq(error_code, tc->error_code) @@ -1504,7 +1680,7 @@ static int run_script_worker(struct helper *h, const struct script_op *script, if (!TEST_uint64_t_ne(s_stream_id, UINT64_MAX)) goto out; - if (!TEST_false(ossl_quic_tserver_write(h->s, s_stream_id, + if (!TEST_false(ossl_quic_tserver_write(ACQUIRE_S(), s_stream_id, (const unsigned char *)"apple", 5, &bytes_written))) goto out; @@ -1544,7 +1720,7 @@ static int run_script_worker(struct helper *h, const struct script_op *script, goto out; if (is_want(c_tgt, 0)) - SPIN_AGAIN(); + C_SPIN_AGAIN(); } break; 
@@ -1556,7 +1732,7 @@ static int run_script_worker(struct helper *h, const struct script_op *script, if (!TEST_uint64_t_ne(s_stream_id, UINT64_MAX)) goto out; - if (!TEST_false(ossl_quic_tserver_read(h->s, s_stream_id, + if (!TEST_false(ossl_quic_tserver_read(ACQUIRE_S(), s_stream_id, buf, sizeof(buf), &bytes_read))) goto out; @@ -1691,6 +1867,11 @@ static int run_script_worker(struct helper *h, const struct script_op *script, break; case OPK_SET_INJECT_WORD: + /* + * Must hold server tick lock - callbacks can be called from other + * thread when running test in blocking mode (tsan). + */ + ACQUIRE_S(); h->inject_word0 = op->arg1; h->inject_word1 = op->arg2; break; @@ -1713,7 +1894,7 @@ static int run_script_worker(struct helper *h, const struct script_op *script, break; case OPK_S_NEW_TICKET: - if (!TEST_true(ossl_quic_tserver_new_ticket(h->s))) + if (!TEST_true(ossl_quic_tserver_new_ticket(ACQUIRE_S()))) goto out; break; @@ -1724,6 +1905,7 @@ static int run_script_worker(struct helper *h, const struct script_op *script, } out: + s_unlock(h, hl); /* idempotent */ if (!testresult) { size_t i; @@ -1738,18 +1920,19 @@ static int run_script_worker(struct helper *h, const struct script_op *script, } OPENSSL_free(tmp_buf); - helper_local_cleanup(&hl); + helper_local_cleanup(hl); return testresult; } static int run_script(const struct script_op *script, const char *script_name, - int free_order) + int free_order, + int blocking) { int testresult = 0; struct helper h; - if (!TEST_true(helper_init(&h, free_order, 1))) + if (!TEST_true(helper_init(&h, free_order, blocking, 1))) goto out; if (!TEST_true(run_script_worker(&h, script, script_name, -1))) 
@@ -3011,7 +3194,7 @@ static int script_39_inject_plain(struct helper *h, QUIC_PKT_HDR *hdr, size_t i, written; uint64_t seq_no = 0, retire_prior_to = 0; QUIC_CONN_ID new_cid = {0}; - QUIC_CHANNEL *ch = ossl_quic_tserver_get_channel(h->s); + QUIC_CHANNEL *ch = ossl_quic_tserver_get_channel(h->s_priv); switch (h->inject_word1) { case 0: @@ -3220,13 +3403,13 @@ static void script_41_trace(int write_p, int version, int content_type, ++h->scratch0; } -static int script_41_setup(struct helper *h, const struct script_op *op) +static int script_41_setup(struct helper *h, struct helper_local *hl) { - ossl_quic_tserver_set_msg_callback(h->s, script_41_trace, h); + ossl_quic_tserver_set_msg_callback(ACQUIRE_S(), script_41_trace, h); return 1; } -static int script_41_check(struct helper *h, const struct script_op *op) +static int script_41_check(struct helper *h, struct helper_local *hl) { /* At least one valid challenge/response echo? */ if (!TEST_uint64_t_gt(h->scratch0, 0)) @@ -3393,21 +3576,21 @@ static const struct script_op script_44[] = { }; /* 45. PING must generate ACK */ -static int force_ping(struct helper *h, const struct script_op *op) +static int force_ping(struct helper *h, struct helper_local *hl) { - QUIC_CHANNEL *ch = ossl_quic_tserver_get_channel(h->s); + QUIC_CHANNEL *ch = ossl_quic_tserver_get_channel(ACQUIRE_S()); h->scratch0 = ossl_quic_channel_get_diag_num_rx_ack(ch); - if (!TEST_true(ossl_quic_tserver_ping(h->s))) + if (!TEST_true(ossl_quic_tserver_ping(ACQUIRE_S()))) return 0; return 1; } -static int wait_incoming_acks_increased(struct helper *h, const struct script_op *op) +static int wait_incoming_acks_increased(struct helper *h, struct helper_local *hl) { - QUIC_CHANNEL *ch = ossl_quic_tserver_get_channel(h->s); + QUIC_CHANNEL *ch = ossl_quic_tserver_get_channel(ACQUIRE_S()); uint16_t count; count = ossl_quic_channel_get_diag_num_rx_ack(ch); 
@@ -3997,7 +4180,7 @@ static const struct script_op script_59[] = { /* 60. Connection close reason truncation */ static char long_reason[2048]; -static int init_reason(struct helper *h, const struct script_op *op) +static int init_reason(struct helper *h, struct helper_local *hl) { memset(long_reason, '~', sizeof(long_reason)); memcpy(long_reason, "This is a long reason string.", 29); @@ -4005,9 +4188,9 @@ static int init_reason(struct helper *h, const struct script_op *op) return 1; } -static int check_shutdown_reason(struct helper *h, const struct script_op *op) +static int check_shutdown_reason(struct helper *h, struct helper_local *hl) { - const QUIC_TERMINATE_CAUSE *tc = ossl_quic_tserver_get_terminate_cause(h->s); + const QUIC_TERMINATE_CAUSE *tc = ossl_quic_tserver_get_terminate_cause(ACQUIRE_S()); if (tc == NULL) { h->check_spin_again = 1; @@ -4397,11 +4580,11 @@ static const struct script_op script_69[] = { OP_END }; -static int set_max_early_data(struct helper *h, const struct script_op *op) +static int set_max_early_data(struct helper *h, struct helper_local *hl) { - if (!TEST_true(ossl_quic_tserver_set_max_early_data(h->s, - (uint32_t)op->arg2))) + if (!TEST_true(ossl_quic_tserver_set_max_early_data(ACQUIRE_S(), + (uint32_t)hl->check_op->arg2))) return 0; return 1; @@ -4447,7 +4630,7 @@ static const struct script_op script_71[] = { }; /* 72. Test that APL stops handing out streams after limit reached (bidi) */ -static int script_72_check(struct helper *h, const struct script_op *op) +static int script_72_check(struct helper *h, struct helper_local *hl) { if (!TEST_uint64_t_ge(h->fail_count, 50)) return 0; @@ -4466,7 +4649,7 @@ static const struct script_op script_72[] = { */ OP_BEGIN_REPEAT (200) - OP_C_NEW_STREAM_BIDI_EX (a, ANY_ID, ALLOW_FAIL) + OP_C_NEW_STREAM_BIDI_EX (a, ANY_ID, ALLOW_FAIL | SSL_STREAM_FLAG_NO_BLOCK) OP_C_SKIP_IF_UNBOUND (a, 2) OP_C_WRITE (a, "apple", 5) OP_C_FREE_STREAM (a) 
@@ -4490,7 +4673,7 @@ static const struct script_op script_73[] = { */ OP_BEGIN_REPEAT (200) - OP_C_NEW_STREAM_UNI_EX (a, ANY_ID, ALLOW_FAIL) + OP_C_NEW_STREAM_UNI_EX (a, ANY_ID, ALLOW_FAIL | SSL_STREAM_FLAG_NO_BLOCK) OP_C_SKIP_IF_UNBOUND (a, 2) OP_C_WRITE (a, "apple", 5) OP_C_FREE_STREAM (a) @@ -4599,10 +4782,12 @@ static const struct script_op script_75[] = { OP_END }; -/* 74. Test peer-initiated shutdown wait */ -static int script_76_check(struct helper *h, const struct script_op *op) +/* 76. Test peer-initiated shutdown wait */ +static int script_76_check(struct helper *h, struct helper_local *hl) { - if (!TEST_false(SSL_shutdown_ex(h->c_conn, SSL_SHUTDOWN_FLAG_WAIT_PEER, + if (!TEST_false(SSL_shutdown_ex(h->c_conn, + SSL_SHUTDOWN_FLAG_WAIT_PEER + | SSL_SHUTDOWN_FLAG_NO_BLOCK, NULL, 0))) return 0; @@ -4711,14 +4896,32 @@ static const struct script_op *const scripts[] = { static int test_script(int idx) { - int script_idx = idx >> 1; - int free_order = idx & 1; + int script_idx, free_order, blocking; char script_name[64]; + free_order = idx % 2; + idx /= 2; + + blocking = idx % 2; + idx /= 2; + + script_idx = idx; + + if (blocking && free_order) + return 1; /* don't need to test free_order twice */ + +#if !defined(OPENSSL_THREADS) + if (blocking) { + TEST_skip("cannot test in blocking mode without threads"); + return 1; + } +#endif + snprintf(script_name, sizeof(script_name), "script %d", script_idx + 1); - TEST_info("Running script %d (order=%d)", script_idx + 1, free_order); - return run_script(scripts[script_idx], script_name, free_order); + TEST_info("Running script %d (order=%d, blocking=%d)", script_idx + 1, + free_order, blocking); + return run_script(scripts[script_idx], script_name, free_order, blocking); } /* Dynamically generated tests. */ 
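Review bot: In `test_script()`, the `blocking && free_order` combinations return 1 without running anything, so a quarter of the indices registered by `OSSL_NELEM(scripts) * 2 * 2` are reported as passes with no trace in the log. Calling `TEST_skip("free_order is only exercised in non-blocking mode");` before that `return 1;`, as the no-threads branch just below does, would make this visible. A one-line comment on the index layout, `/* idx = script_idx * 4 + blocking * 2 + free_order */`, would also help map a failing test number back to a script and mode.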
@@ -4802,7 +5005,7 @@ static ossl_unused int test_dyn_frame_types(int idx) snprintf(script_name, sizeof(script_name), "dyn script %d", idx); - return run_script(dyn_frame_types_script, script_name, 0); + return run_script(dyn_frame_types_script, script_name, 0, 0); } OPT_TEST_DECLARE_USAGE("certfile privkeyfile\n") @@ -4819,6 +5022,6 @@ int setup_tests(void) return 0; ADD_ALL_TESTS(test_dyn_frame_types, OSSL_NELEM(forbidden_frame_types)); - ADD_ALL_TESTS(test_script, OSSL_NELEM(scripts) * 2); + ADD_ALL_TESTS(test_script, OSSL_NELEM(scripts) * 2 * 2); return 1; } From 99d6b9f9e2fbf272160a07bed5f4ab7ce2b3e20e Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Thu, 24 Aug 2023 15:19:20 +0100 Subject: [PATCH 130/324] QUIC MULTISTREAM TEST: Synchronize script 20 correctly Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21827) --- test/quic_multistream_test.c | 70 ++++++++++++++++++++++++++++++++++-- 1 file changed, 67 insertions(+), 3 deletions(-) diff --git a/test/quic_multistream_test.c b/test/quic_multistream_test.c index 1f97862146e38..bc32708d72410 100644 --- a/test/quic_multistream_test.c +++ b/test/quic_multistream_test.c @@ -65,6 +65,8 @@ struct helper { #if defined(OPENSSL_THREADS) struct child_thread_args *threads; size_t num_threads; + CRYPTO_MUTEX *misc_m; + CRYPTO_CONDVAR *misc_cv; #endif OSSL_TIME start_time; @@ -635,6 +637,8 @@ static void helper_cleanup(struct helper *h) h->time_lock = NULL; #if defined(OPENSSL_THREADS) + ossl_crypto_mutex_free(&h->misc_m); + ossl_crypto_condvar_free(&h->misc_cv); ossl_crypto_mutex_free(&h->server_thread.m); ossl_crypto_condvar_free(&h->server_thread.c); #endif 
@@ -767,6 +771,13 @@ static int helper_init(struct helper *h, int free_order, int blocking, if (!TEST_true(SSL_set_blocking_mode(h->c_conn, h->blocking))) goto err; +#if defined(OPENSSL_THREADS) + if (!TEST_ptr(h->misc_m = ossl_crypto_mutex_new())) + goto err; + if (!TEST_ptr(h->misc_cv = ossl_crypto_condvar_new())) + goto err; +#endif + if (h->blocking) { #if defined(OPENSSL_THREADS) if (!TEST_ptr(h->server_thread.m = ossl_crypto_mutex_new())) @@ -1060,6 +1071,7 @@ static int run_script_worker(struct helper *h, const struct script_op *script, /* Only allow certain opcodes on child threads. */ switch (op->op) { case OPK_END: + case OPK_CHECK: case OPK_C_ACCEPT_STREAM_WAIT: case OPK_C_NEW_STREAM: case OPK_C_READ_EXPECT: @@ -1160,7 +1172,7 @@ static int run_script_worker(struct helper *h, const struct script_op *script, ok = op->check_func(h, hl); hl->check_op = NULL; - if (h->check_spin_again) { + if (thread_idx < 0 && h->check_spin_again) { h->check_spin_again = 0; S_SPIN_AGAIN(); } 
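Review bot: With `OPK_CHECK` now allowed on child threads, `h->check_spin_again` becomes a field that any worker's check function can set, but the changed condition (`thread_idx < 0 && h->check_spin_again`) means only the main thread ever consumes and clears it. A child check that set it would not spin itself, and the stale flag would make the main thread retry its next OPK_CHECK regardless of that check's result. The flag is also written without any lock. The script_20 helpers added in this commit do not touch it, so nothing breaks today. I would either move the flag into `struct helper_local` or note the constraint next to the opcode whitelist: `/* check functions run on child threads must not set check_spin_again */`. run_script_worker extends beyond these hunks.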
@@ -2564,11 +2576,62 @@ static const struct script_op script_19[] = { }; /* 20. Multiple threads accept stream with socket forcibly closed (error test) */ +static int script_20_trigger(struct helper *h, volatile uint64_t *counter) +{ +#if defined(OPENSSL_THREADS) + ossl_crypto_mutex_lock(h->misc_m); + ++*counter; + ossl_crypto_mutex_unlock(h->misc_m); + ossl_crypto_condvar_broadcast(h->misc_cv); +#endif + return 1; +} + +static int script_20_wait(struct helper *h, volatile uint64_t *counter, uint64_t threshold) +{ +#if defined(OPENSSL_THREADS) + int stop = 0; + + ossl_crypto_mutex_lock(h->misc_m); + while (!stop) { + stop = (*counter >= threshold); + if (stop) + break; + + ossl_crypto_condvar_wait(h->misc_cv, h->misc_m); + } + + ossl_crypto_mutex_unlock(h->misc_m); +#endif + return 1; +} + +static int script_20_trigger1(struct helper *h, struct helper_local *hl) +{ + return script_20_trigger(h, &h->scratch0); +} + +static int script_20_wait1(struct helper *h, struct helper_local *hl) +{ + return script_20_wait(h, &h->scratch0, hl->check_op->arg2); +} + +static int script_20_trigger2(struct helper *h, struct helper_local *hl) +{ + return script_20_trigger(h, &h->scratch1); +} + +static int script_20_wait2(struct helper *h, struct helper_local *hl) +{ + return script_20_wait(h, &h->scratch1, hl->check_op->arg2); +} + static const struct script_op script_20_child[] = { OP_C_ACCEPT_STREAM_WAIT (a) OP_C_READ_EXPECT (a, "foo", 3) - OP_SLEEP (500) + OP_CHECK (script_20_trigger1, 0) + OP_CHECK (script_20_wait2, 1) OP_C_READ_FAIL_WAIT (a) OP_C_EXPECT_SSL_ERR (a, SSL_ERROR_SYSCALL) @@ -2594,9 +2657,10 @@ static const struct script_op script_20[] = { OP_END_REPEAT () - OP_SLEEP (100) + OP_CHECK (script_20_wait1, 5) OP_C_CLOSE_SOCKET () + OP_CHECK (script_20_trigger2, 0) OP_END }; From 425a780462d387a81c83fd2b87d0efd91d6b154b Mon Sep 17 00:00:00 2001 
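Review bot: `script_20_wait` blocks in `ossl_crypto_condvar_wait` with no deadline, so if any child fails before it reaches `OP_CHECK (script_20_trigger1, 0)`, the main script's `OP_CHECK (script_20_wait1, 5)` never returns and the test hangs instead of failing. The `OP_SLEEP` calls it replaces were at least bounded. A bounded wait that returns 0 on expiry keeps the synchronisation and turns a stuck peer into an ordinary test failure; the same applies to `script_20_wait2` in the child script. The `stop` flag duplicates the loop condition and can go. The timeout value below is illustrative only.

```c
static int script_20_wait(struct helper *h, volatile uint64_t *counter, uint64_t threshold)
{
#if defined(OPENSSL_THREADS)
    /* Illustrative bound; choose a value that suits the slowest CI runner. */
    OSSL_TIME deadline = ossl_time_add(ossl_time_now(), ossl_ms2time(10000));
    int ok = 1;

    ossl_crypto_mutex_lock(h->misc_m);
    while (*counter < threshold) {
        if (ossl_time_compare(ossl_time_now(), deadline) >= 0) {
            TEST_error("timeout waiting for script 20 synchronisation");
            ok = 0;
            break;
        }
        ossl_crypto_condvar_wait_timeout(h->misc_cv, h->misc_m, deadline);
    }
    ossl_crypto_mutex_unlock(h->misc_m);
    return ok;
#else
    return 1;
#endif
}
```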
From: Hugo Landau Date: Tue, 29 Aug 2023 14:33:44 +0100 Subject: [PATCH 131/324] win32: Support condition variable broadcasting on XP Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21827) --- crypto/thread/arch/thread_win.c | 348 +++++++++++++++++++++++++++++--- 1 file changed, 325 insertions(+), 23 deletions(-) diff --git a/crypto/thread/arch/thread_win.c b/crypto/thread/arch/thread_win.c index ce7ff4931134e..b877211143375 100644 --- a/crypto/thread/arch/thread_win.c +++ b/crypto/thread/arch/thread_win.c 
@@ -173,58 +173,360 @@ static int determine_timeout(OSSL_TIME deadline, DWORD *w_timeout_p) } # if defined(OPENSSL_THREADS_WINNT_LEGACY) +# include + +/* + * Win32, before Vista, did not have an OS-provided condition variable + * construct. This leads to the need to construct our own condition variable + * construct in order to support Windows XP. + * + * It is difficult to construct a condition variable construct using the + * OS-provided primitives in a way that is both correct (avoiding race + * conditions where broadcasts get lost) and fair. + * + * CORRECTNESS: + * A blocked thread is a thread which is calling wait(), between the + * precise instants at which the external mutex passed to wait() is + * unlocked and the instant at which it is relocked. + * + * a) + * - If broadcast() is called, ALL blocked threads MUST be unblocked. + * - If signal() is called, at least one blocked thread MUST be unblocked. + * + * (i.e.: a signal or broadcast must never get 'lost') + * + * b) + * - If broadcast() or signal() is called, this must not cause a thread + * which is not blocked to return immediately from a subsequent + * call to wait(). + * + * FAIRNESS: + * If broadcast() is called at time T1, all blocked threads must be unblocked + * before any thread which subsequently calls wait() at time T2 > T1 is + * unblocked. + * + * An example of an implementation which lacks fairness is as follows: + * + * t1 enters wait() + * t2 enters wait() + * + * tZ calls broadcast() + * + * t1 exits wait() + * t1 enters wait() + * + * tZ calls broadcast() + * + * t1 exits wait() + * + * IMPLEMENTATION: + * + * The most suitable primitives available to us in Windows XP are semaphores, + * auto-reset events and manual-reset events. A solution based on semaphores + * is chosen. + * + * PROBLEM. 
Designing a solution based on semaphores is non-trivial because, + * while it is easy to track the number of waiters in an interlocked data + * structure and then add that number to the semaphore, this does not + * guarantee fairness or correctness. Consider the following situation: + * + * - t1 enters wait(), adding 1 to the wait counter & blocks on the semaphore + * - t2 enters wait(), adding 1 to the wait counter & blocks on the semaphore + * - tZ calls broadcast(), finds the wait counter is 2, adds 2 to the semaphore + * + * - t1 exits wait() + * - t1 immediately reenters wait() and blocks on the semaphore + * - The semaphore is still positive due to also having been signalled + * for t2, therefore it is decremented + * - t1 exits wait() immediately; t2 is never woken + * + * GENERATION COUNTERS. One naive solution to this is to use a generation + * counter. Each broadcast() invocation increments a generation counter. If + * the generation counter has not changed during a semaphore wait operation + * inside wait(), this indicates that no broadcast() call has been made in + * the meantime; therefore, the successful semaphore decrement must have + * 'stolen' a wakeup from another thread which was waiting to wakeup from the + * prior broadcast() call but which had not yet had a chance to do so. The + * semaphore can then be reincremented and the wait() operation repeated. + * + * However, this suffers from the obvious problem that without OS guarantees + * as to how semaphore readiness events are distributed amongst threads, + * there is no particular guarantee that the semaphore readiness event will + * not be immediately redistributed back to the same thread t1. + * + * SOLUTION. A solution is chosen as follows. In its initial state, a + * condition variable can accept waiters, who wait for the semaphore + * normally. However, once broadcast() is called, the condition + * variable becomes 'closed'. 
Any existing blocked threads are unblocked, + * but any new calls to wait() will instead enter a blocking pre-wait stage. + * Pre-wait threads are not considered to be waiting (and the external + * mutex remains held). A call to wait() in pre-wait cannot progress + * to waiting until all threads due to be unblocked by the prior broadcast() + * call have returned and had a chance to execute. + * + * This pre-wait does not affect a thread if it does not call wait() + * again until after all threads have had a chance to execute. + * + * RESOURCE USAGE. Aside from an allocation for the condition variable + * structure, this solution uses two Win32 semaphores. + * + * FUTURE OPTIMISATIONS: + * + * An optimised multi-generation implementation is possible at the cost of + * higher Win32 resource usage. Multiple 'buckets' could be defined, with + * usage rotating between buckets internally as buckets become closed. + * This would avoid the need for the prewait in more cases, depending + * on intensity of usage. + * + */ +typedef struct legacy_condvar_st { + CRYPTO_MUTEX *int_m; /* internal mutex */ + HANDLE sema; /* main wait semaphore */ + HANDLE prewait_sema; /* prewait semaphore */ + /* + * All of the following fields are protected by int_m. + * + * num_wake only ever increases by virtue of a corresponding decrease in + * num_wait. num_wait can decrease for other reasons (for example due to a + * wait operation timing out). + */ + size_t num_wait; /* Num. threads currently blocked */ + size_t num_wake; /* Num. threads due to wake up */ + size_t num_prewait; /* Num. threads in prewait */ + size_t gen; /* Prewait generation */ + int closed; /* Is closed? 
*/ +} LEGACY_CONDVAR; CRYPTO_CONDVAR *ossl_crypto_condvar_new(void) { - HANDLE h; + LEGACY_CONDVAR *cv; + + if ((cv = OPENSSL_malloc(sizeof(LEGACY_CONDVAR))) == NULL) + return NULL; - if ((h = CreateEventA(NULL, FALSE, FALSE, NULL)) == NULL) + if ((cv->int_m = ossl_crypto_mutex_new()) == NULL) { + OPENSSL_free(cv); return NULL; + } - return (CRYPTO_CONDVAR *)h; + if ((cv->sema = CreateSemaphoreA(NULL, 0, LONG_MAX, NULL)) == NULL) { + ossl_crypto_mutex_free(&cv->int_m); + OPENSSL_free(cv); + return NULL; + } + + if ((cv->prewait_sema = CreateSemaphoreA(NULL, 0, LONG_MAX, NULL)) == NULL) { + CloseHandle(cv->sema); + ossl_crypto_mutex_free(&cv->int_m); + OPENSSL_free(cv); + return NULL; + } + + cv->num_wait = 0; + cv->num_wake = 0; + cv->num_prewait = 0; + cv->closed = 0; + + return (CRYPTO_CONDVAR *)cv; } -void ossl_crypto_condvar_wait(CRYPTO_CONDVAR *cv, CRYPTO_MUTEX *mutex) +void ossl_crypto_condvar_free(CRYPTO_CONDVAR **cv_p) { - ossl_crypto_mutex_unlock(mutex); - WaitForSingleObject((HANDLE)cv, INFINITE); - ossl_crypto_mutex_lock(mutex); + if (*cv_p != NULL) { + LEGACY_CONDVAR *cv = *(LEGACY_CONDVAR **)cv_p; + + CloseHandle(cv->sema); + CloseHandle(cv->prewait_sema); + ossl_crypto_mutex_free(&cv->int_m); + OPENSSL_free(cv); + } + + *cv_p = NULL; } -void ossl_crypto_condvar_wait_timeout(CRYPTO_CONDVAR *cv, CRYPTO_MUTEX *mutex, - OSSL_TIME deadline) +static uint32_t obj_wait(HANDLE h, OSSL_TIME deadline) { DWORD timeout; if (!determine_timeout(deadline, &timeout)) timeout = 1; - ossl_crypto_mutex_unlock(mutex); - WaitForSingleObject((HANDLE)cv, timeout); - ossl_crypto_mutex_lock(mutex); + return WaitForSingleObject(h, timeout); } -void ossl_crypto_condvar_broadcast(CRYPTO_CONDVAR *cv) +void ossl_crypto_condvar_wait_timeout(CRYPTO_CONDVAR *cv_, CRYPTO_MUTEX *ext_m, + OSSL_TIME deadline) +{ + LEGACY_CONDVAR *cv = (LEGACY_CONDVAR *)cv_; + int closed, set_prewait = 0, have_orig_gen = 0; + uint32_t rc; + size_t orig_gen; + + /* Admission control - prewait until we can 
enter our actual wait phase. */ + do { + ossl_crypto_mutex_lock(cv->int_m); + + closed = cv->closed; + + /* + * Once prewait is over the prewait semaphore is signalled and + * num_prewait is set to 0. Use a generation counter to track if we need + * to remove a value we added to num_prewait when exiting (e.g. due to + * timeout or failure of WaitForSingleObject). + */ + if (!have_orig_gen) { + orig_gen = cv->gen; + have_orig_gen = 1; + } else if (cv->gen != orig_gen) { + set_prewait = 0; + orig_gen = cv->gen; + } + + if (!closed) { + /* We can now be admitted. */ + ++cv->num_wait; + if (set_prewait) { + --cv->num_prewait; + set_prewait = 0; + } + } else if (!set_prewait) { + ++cv->num_prewait; + set_prewait = 1; + } + + ossl_crypto_mutex_unlock(cv->int_m); + + if (closed) + if (obj_wait(cv->prewait_sema, deadline) != WAIT_OBJECT_0) { + /* + * If we got WAIT_OBJECT_0 we are safe - num_prewait has been + * set to 0 and the semaphore has been consumed. On the other + * hand if we timed out, there may be a residual posting that + * was made just after we timed out. However in the worst case + * this will just cause an internal spurious wakeup here in the + * future, so we do not care too much about this. We treat + * failure and timeout cases as the same, and simply exit in + * this case. + */ + ossl_crypto_mutex_lock(cv->int_m); + if (set_prewait && cv->gen == orig_gen) + --cv->num_prewait; + ossl_crypto_mutex_unlock(cv->int_m); + return; + } + } while (closed); + + /* + * Unlock external mutex. Do not do this until we have been admitted, as we + * must guarantee we wake if broadcast is called at any time after ext_m is + * unlocked. + */ + ossl_crypto_mutex_unlock(ext_m); + + for (;;) { + /* Wait. */ + rc = obj_wait(cv->sema, deadline); + + /* Reacquire internal mutex and probe state. */ + ossl_crypto_mutex_lock(cv->int_m); + + if (cv->num_wake > 0) { + /* + * A wake token is available, so we can wake up. Consume the token + * and get out of here. 
We don't care what WaitForSingleObject + * returned here (e.g. if it timed out coincidentally). In the + * latter case a signal might be left in the semaphore which causes + * a future WaitForSingleObject call to return immediately, but in + * this case we will just loop again. + */ + --cv->num_wake; + if (cv->num_wake == 0 && cv->closed) { + /* + * We consumed the last wake token, so we can now open the + * condition variable for new admissions. + */ + cv->closed = 0; + if (cv->num_prewait > 0) { + ReleaseSemaphore(cv->prewait_sema, (LONG)cv->num_prewait, NULL); + cv->num_prewait = 0; + ++cv->gen; + } + } + } else if (rc == WAIT_OBJECT_0) { + /* + * We got a wakeup from the semaphore but we did not have any wake + * tokens. This ideally does not happen, but might if during a + * previous wait() call the semaphore is posted just after + * WaitForSingleObject returns due to a timeout (such that the + * num_wake > 0 case is taken above). Just spin again. (It is worth + * noting that repeated WaitForSingleObject calls is the only method + * documented for decrementing a Win32 semaphore, so this is + * basically the best possible strategy.) + */ + ossl_crypto_mutex_unlock(cv->int_m); + continue; + } else { + /* + * Assume we timed out. The WaitForSingleObject call may also have + * failed for some other reason, which we treat as a timeout. 
+ */ + assert(cv->num_wait > 0); + --cv->num_wait; + } + + break; + } + + ossl_crypto_mutex_unlock(cv->int_m); + ossl_crypto_mutex_lock(ext_m); +} + +void ossl_crypto_condvar_wait(CRYPTO_CONDVAR *cv, CRYPTO_MUTEX *ext_m) { - /* Not supported */ + ossl_crypto_condvar_wait_timeout(cv, ext_m, ossl_time_infinite()); } -void ossl_crypto_condvar_signal(CRYPTO_CONDVAR *cv) +void ossl_crypto_condvar_broadcast(CRYPTO_CONDVAR *cv_) { - HANDLE *cv_p = (HANDLE *)cv; + LEGACY_CONDVAR *cv = (LEGACY_CONDVAR *)cv_; + size_t num_wake; + + ossl_crypto_mutex_lock(cv->int_m); + + num_wake = cv->num_wait; + if (num_wake == 0) { + ossl_crypto_mutex_unlock(cv->int_m); + return; + } - SetEvent(cv_p); + cv->num_wake += num_wake; + cv->num_wait -= num_wake; + cv->closed = 1; + + ossl_crypto_mutex_unlock(cv->int_m); + ReleaseSemaphore(cv->sema, num_wake, NULL); } -void ossl_crypto_condvar_free(CRYPTO_CONDVAR **cv) +void ossl_crypto_condvar_signal(CRYPTO_CONDVAR *cv_) { - HANDLE **cv_p; + LEGACY_CONDVAR *cv = (LEGACY_CONDVAR *)cv_; - cv_p = (HANDLE **)cv; - if (*cv_p != NULL) - CloseHandle(*cv_p); + ossl_crypto_mutex_lock(cv->int_m); - *cv_p = NULL; + if (cv->num_wait == 0) { + ossl_crypto_mutex_unlock(cv->int_m); + return; + } + + /* + * We do not close the condition variable when merely signalling, as there + * are no guaranteed fairness semantics here, unlike for a broadcast. + */ + --cv->num_wait; + ++cv->num_wake; + + ossl_crypto_mutex_unlock(cv->int_m); + ReleaseSemaphore(cv->sema, 1, NULL); } # else From 769c9b1a99b4bb7878a7b4d031d928376de1b8c3 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Wed, 30 Aug 2023 08:01:47 +0100 Subject: [PATCH 132/324] QUIC MULTISTREAM TEST: Adjust spin behaviour Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21827) --- test/quic_multistream_test.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) 
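Review bot: `ossl_crypto_condvar_new` allocates the `LEGACY_CONDVAR` with `OPENSSL_malloc` and then zeroes `num_wait`, `num_wake`, `num_prewait` and `closed`, but never sets `gen`, which `ossl_crypto_condvar_wait_timeout` reads into `orig_gen` and later increments. The counter is only compared for equality, so this probably behaves correctly in practice, but it is a read of indeterminate memory that memory sanitizers will flag. Add `cv->gen = 0;` next to the other initialisers, or allocate with `OPENSSL_zalloc`. Separately, `ossl_crypto_condvar_broadcast` passes the `size_t` `num_wake` to `ReleaseSemaphore` without the `(LONG)` cast used for `prewait_sema`, and no `ReleaseSemaphore` return value is checked. A failed release after `closed = 1` would appear to leave waiters blocked and the variable closed.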
diff --git a/test/quic_multistream_test.c b/test/quic_multistream_test.c index bc32708d72410..1138e3e1e6025 100644 --- a/test/quic_multistream_test.c +++ b/test/quic_multistream_test.c @@ -1005,14 +1005,24 @@ static int run_script_worker(struct helper *h, const struct script_op *script, if (!TEST_true(helper_local_init(hl, h, thread_idx))) goto out; -#define S_SPIN_AGAIN() { OSSL_sleep(1); no_advance = 1; continue; } +#define COMMON_SPIN_AGAIN() \ + { \ + no_advance = 1; \ + continue; \ + } +#define S_SPIN_AGAIN() \ + { \ + s_lock(h, hl); \ + ossl_quic_tserver_tick(h->s); \ + COMMON_SPIN_AGAIN(); \ + } #define C_SPIN_AGAIN() \ { \ if (h->blocking) { \ TEST_error("spin again in blocking mode"); \ goto out; \ } \ - S_SPIN_AGAIN(); \ + COMMON_SPIN_AGAIN(); \ } for (;;) { From 025535ecd11bdebd8eb28ed4f0f6b509b1b54577 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Mon, 4 Sep 2023 17:53:13 +0100 Subject: [PATCH 133/324] QUIC MULTISTREAM TEST: Add comment Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21827) --- test/quic_multistream_test.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/test/quic_multistream_test.c b/test/quic_multistream_test.c index 1138e3e1e6025..e8a145726cd98 100644 --- a/test/quic_multistream_test.c +++ b/test/quic_multistream_test.c @@ -557,6 +557,10 @@ static unsigned int server_helper_thread(void *arg) ossl_quic_tserver_tick(h->s_priv); ossl_crypto_mutex_unlock(h->server_thread.m); + /* + * Give the main thread an opportunity to get the mutex, which is + * sometimes necessary in some script operations. + */ OSSL_sleep(1); ossl_crypto_mutex_lock(h->server_thread.m); } From da1c088f599af3755aaeed1c447a39621ef12e1f Mon Sep 17 00:00:00 2001 
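Review bot: The rewritten spin macros in run_script_worker drop the `OSSL_sleep(1)` that the old `S_SPIN_AGAIN` performed, and nothing in the hunk says what now paces the retries or where the lock taken by `s_lock(h, hl)` is released before `continue`. `C_SPIN_AGAIN` now retries through `COMMON_SPIN_AGAIN` with no pause, and `S_SPIN_AGAIN` retries straight after `ossl_quic_tserver_tick(h->s)`. A comment above the macros would cover both, for example `/* Spin macros: no sleep here, pacing comes from <mechanism>; s_lock is released at <place> */`, with the placeholders filled in by the author. The same comment should say that the macros are bare blocks on purpose, since a `do { } while (0)` wrapper would make `continue` target the wrapper instead of the enclosing `for (;;)`. The body of run_script_worker continues outside the hunk.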
From: Matt Caswell Date: Thu, 7 Sep 2023 09:59:15 +0100 Subject: [PATCH 134/324] Copyright year updates Reviewed-by: Richard Levitte Release: yes --- .github/workflows/ci.yml | 2 +- .github/workflows/compiler-zoo.yml | 2 +- .github/workflows/coveralls.yml | 2 +- .github/workflows/cross-compiles.yml | 2 +- .github/workflows/fips-checksums.yml | 2 +- .github/workflows/fuzz-checker.yml | 2 +- .github/workflows/os-zoo.yml | 2 +- .github/workflows/run-checker-ci.yml | 2 +- .github/workflows/run-checker-daily-sctp.yml | 2 +- .github/workflows/run-checker-daily.yml | 2 +- .github/workflows/run-checker-merge.yml | 2 +- .github/workflows/static-analysis.yml | 2 +- .github/workflows/windows.yml | 2 +- .github/workflows/windows_comp.yml | 2 +- Configurations/shared-info.pl | 2 +- Configure | 2 +- apps/asn1parse.c | 2 +- apps/ca.c | 2 +- apps/cmp.c | 2 +- apps/cms.c | 2 +- apps/dgst.c | 2 +- apps/dsa.c | 2 +- apps/dsaparam.c | 2 +- apps/ec.c | 2 +- apps/enc.c | 2 +- apps/fipsinstall.c | 2 +- apps/genpkey.c | 2 +- apps/include/apps.h | 2 +- apps/include/cmp_mock_srv.h | 2 +- apps/include/opt.h | 2 +- apps/include/s_apps.h | 2 +- apps/lib/app_rand.c | 2 +- apps/lib/apps.c | 2 +- apps/lib/cmp_mock_srv.c | 2 +- apps/lib/http_server.c | 2 +- apps/lib/log.c | 2 +- apps/lib/opt.c | 2 +- apps/lib/s_socket.c | 2 +- apps/lib/tlssrp_depr.c | 2 +- apps/list.c | 2 +- apps/ocsp.c | 2 +- apps/openssl.c | 2 +- apps/pkcs12.c | 2 +- apps/pkey.c | 2 +- apps/pkeyutl.c | 2 +- apps/rehash.c | 2 +- apps/req.c | 2 +- apps/rsa.c | 2 +- apps/rsautl.c | 2 +- apps/smime.c | 2 +- apps/speed.c | 2 +- apps/spkac.c | 2 +- apps/ts.c | 2 +- apps/x509.c | 2 +- crypto/LPdir_unix.c | 2 +- crypto/aes/asm/aes-riscv32-zkn.pl | 2 +- crypto/aes/asm/aes-riscv64-zkn.pl | 2 +- crypto/aes/asm/aesv8-armx.pl | 2 +- crypto/aes/asm/bsaes-armv7.pl | 2 +- crypto/aes/asm/bsaes-armv8.pl | 4 ++-- crypto/aes/asm/vpaes-loongarch64.pl | 2 +- crypto/arm_arch.h | 2 +- crypto/armv4cpuid.pl | 2 +- crypto/asn1/a_bitstr.c | 2 +- 
crypto/asn1/a_strnid.c | 2 +- crypto/asn1/a_time.c | 2 +- crypto/asn1/a_verify.c | 2 +- crypto/asn1/asn1_gen.c | 2 +- crypto/asn1/asn1_parse.c | 2 +- crypto/asn1/asn_mime.c | 2 +- crypto/asn1/asn_pack.c | 2 +- crypto/asn1/bio_ndef.c | 2 +- crypto/asn1/d2i_pr.c | 2 +- crypto/asn1/i2d_evp.c | 2 +- crypto/asn1/p5_pbe.c | 2 +- crypto/asn1/p5_pbev2.c | 2 +- crypto/asn1/p5_scrypt.c | 2 +- crypto/asn1/standard_methods.h | 2 +- crypto/asn1/tasn_utl.c | 2 +- crypto/bio/bf_buff.c | 2 +- crypto/bio/bf_lbuf.c | 2 +- crypto/bio/bio_lib.c | 2 +- crypto/bio/bio_local.h | 2 +- crypto/bio/bio_meth.c | 2 +- crypto/bio/bio_print.c | 2 +- crypto/bio/bss_acpt.c | 2 +- crypto/bio/bss_conn.c | 2 +- crypto/bio/bss_dgram.c | 2 +- crypto/bio/bss_dgram_pair.c | 2 +- crypto/bio/bss_log.c | 2 +- crypto/bio/bss_mem.c | 2 +- crypto/bio/ossl_core_bio.c | 2 +- crypto/bn/asm/armv4-gf2m.pl | 2 +- crypto/bn/asm/armv4-mont.pl | 2 +- crypto/bn/asm/rsaz-2k-avx512.pl | 2 +- crypto/bn/asm/rsaz-3k-avx512.pl | 2 +- crypto/bn/asm/rsaz-4k-avx512.pl | 2 +- crypto/bn/bn_asm.c | 2 +- crypto/bn/bn_blind.c | 2 +- crypto/bn/bn_exp.c | 2 +- crypto/bn/bn_lib.c | 2 +- crypto/bn/bn_local.h | 2 +- crypto/bn/bn_mont.c | 2 +- crypto/bn/bn_nist.c | 2 +- crypto/bn/bn_rand.c | 2 +- crypto/bn/bn_recp.c | 2 +- crypto/bn/bn_rsa_fips186_4.c | 2 +- crypto/bn/bn_s390x.c | 2 +- crypto/bn/rsaz_exp.c | 2 +- crypto/bn/rsaz_exp_x2.c | 2 +- crypto/cast/cast_local.h | 2 +- crypto/chacha/asm/chacha-armv4.pl | 2 +- crypto/chacha/asm/chacha-armv8-sve.pl | 2 +- crypto/chacha/chacha_ppc.c | 2 +- crypto/cmac/cmac.c | 2 +- crypto/cmp/cmp_asn.c | 2 +- crypto/cmp/cmp_client.c | 2 +- crypto/cmp/cmp_ctx.c | 2 +- crypto/cmp/cmp_genm.c | 2 +- crypto/cmp/cmp_http.c | 2 +- crypto/cmp/cmp_local.h | 2 +- crypto/cmp/cmp_msg.c | 2 +- crypto/cmp/cmp_protect.c | 2 +- crypto/cmp/cmp_server.c | 2 +- crypto/cmp/cmp_status.c | 2 +- crypto/cmp/cmp_vfy.c | 2 +- crypto/cms/cms_dh.c | 2 +- crypto/cms/cms_ec.c | 2 +- crypto/cms/cms_env.c | 2 +- crypto/cms/cms_lib.c | 
2 +- crypto/cms/cms_local.h | 2 +- crypto/cms/cms_rsa.c | 2 +- crypto/cms/cms_sd.c | 2 +- crypto/cms/cms_smime.c | 2 +- crypto/comp/c_brotli.c | 2 +- crypto/comp/c_zlib.c | 2 +- crypto/comp/c_zstd.c | 2 +- crypto/conf/conf_def.c | 2 +- crypto/conf/conf_mod.c | 2 +- crypto/conf/conf_sap.c | 2 +- crypto/context.c | 2 +- crypto/core_namemap.c | 2 +- crypto/crmf/crmf_lib.c | 2 +- crypto/cryptlib.c | 2 +- crypto/ctype.c | 2 +- crypto/des/des_local.h | 2 +- crypto/deterministic_nonce.c | 2 +- crypto/dh/dh_backend.c | 2 +- crypto/dh/dh_check.c | 2 +- crypto/dh/dh_key.c | 2 +- crypto/dh/dh_lib.c | 2 +- crypto/dsa/dsa_backend.c | 2 +- crypto/dsa/dsa_key.c | 2 +- crypto/dsa/dsa_lib.c | 2 +- crypto/dsa/dsa_ossl.c | 2 +- crypto/dsa/dsa_sign.c | 2 +- crypto/dso/dso_lib.c | 2 +- crypto/dso/dso_local.h | 2 +- crypto/ec/asm/ecp_nistp521-ppc64.pl | 2 +- crypto/ec/curve25519.c | 2 +- crypto/ec/curve448/arch_32/f_impl32.c | 2 +- crypto/ec/curve448/arch_64/f_impl64.c | 2 +- crypto/ec/curve448/curve448.c | 2 +- crypto/ec/curve448/curve448_local.h | 2 +- crypto/ec/curve448/eddsa.c | 2 +- crypto/ec/curve448/f_generic.c | 2 +- crypto/ec/curve448/field.h | 2 +- crypto/ec/ec_key.c | 2 +- crypto/ec/ec_kmeth.c | 2 +- crypto/ec/ec_lib.c | 2 +- crypto/ec/ec_local.h | 2 +- crypto/ec/ec_mult.c | 2 +- crypto/ec/ecdsa_ossl.c | 2 +- crypto/ec/ecp_nistp224.c | 2 +- crypto/ec/ecp_nistp256.c | 2 +- crypto/ec/ecp_nistp521.c | 2 +- crypto/ec/ecp_nistz256.c | 2 +- crypto/ec/ecx_backend.c | 2 +- crypto/ec/ecx_key.c | 2 +- crypto/ec/ecx_meth.c | 2 +- crypto/encode_decode/decoder_lib.c | 2 +- crypto/encode_decode/decoder_meth.c | 2 +- crypto/encode_decode/decoder_pkey.c | 2 +- crypto/encode_decode/encoder_local.h | 2 +- crypto/encode_decode/encoder_meth.c | 2 +- crypto/encode_decode/encoder_pkey.c | 2 +- crypto/engine/eng_ctrl.c | 2 +- crypto/engine/eng_init.c | 2 +- crypto/engine/eng_lib.c | 2 +- crypto/engine/eng_list.c | 2 +- crypto/engine/eng_local.h | 2 +- crypto/engine/eng_rdrand.c | 2 +- 
crypto/engine/eng_table.c | 2 +- crypto/engine/tb_asnmth.c | 2 +- crypto/err/err.c | 2 +- crypto/err/err_all.c | 2 +- crypto/err/err_local.h | 2 +- crypto/err/err_mark.c | 2 +- crypto/evp/asymcipher.c | 2 +- crypto/evp/bio_b64.c | 2 +- crypto/evp/bio_enc.c | 2 +- crypto/evp/bio_ok.c | 2 +- crypto/evp/cmeth_lib.c | 2 +- crypto/evp/ctrl_params_translate.c | 2 +- crypto/evp/digest.c | 2 +- crypto/evp/ec_ctrl.c | 2 +- crypto/evp/evp_enc.c | 2 +- crypto/evp/evp_fetch.c | 2 +- crypto/evp/evp_lib.c | 2 +- crypto/evp/evp_local.h | 2 +- crypto/evp/evp_pbe.c | 2 +- crypto/evp/evp_pkey.c | 2 +- crypto/evp/evp_rand.c | 2 +- crypto/evp/exchange.c | 2 +- crypto/evp/kdf_meth.c | 2 +- crypto/evp/kem.c | 2 +- crypto/evp/keymgmt_lib.c | 2 +- crypto/evp/keymgmt_meth.c | 2 +- crypto/evp/m_sigver.c | 2 +- crypto/evp/mac_meth.c | 2 +- crypto/evp/p5_crpt2.c | 2 +- crypto/evp/p_lib.c | 2 +- crypto/evp/p_sign.c | 2 +- crypto/evp/p_verify.c | 2 +- crypto/evp/pmeth_lib.c | 2 +- crypto/evp/signature.c | 2 +- crypto/ex_data.c | 2 +- crypto/ffc/ffc_backend.c | 2 +- crypto/ffc/ffc_key_validate.c | 2 +- crypto/ffc/ffc_params.c | 2 +- crypto/ffc/ffc_params_generate.c | 2 +- crypto/hpke/hpke.c | 2 +- crypto/hpke/hpke_util.c | 2 +- crypto/http/http_client.c | 2 +- crypto/http/http_lib.c | 2 +- crypto/info.c | 2 +- crypto/init.c | 2 +- crypto/loongarch_arch.h | 2 +- crypto/loongarchcap.c | 2 +- crypto/md5/asm/md5-aarch64.pl | 2 +- crypto/mem.c | 2 +- crypto/mem_sec.c | 2 +- crypto/modes/asm/aes-gcm-armv8-unroll8_64.pl | 2 +- crypto/modes/asm/aes-gcm-armv8_64.pl | 2 +- crypto/modes/asm/aes-gcm-avx512.pl | 2 +- crypto/modes/asm/ghash-riscv64.pl | 2 +- crypto/modes/gcm128.c | 2 +- crypto/objects/obj_dat.c | 2 +- crypto/ocsp/ocsp_ext.c | 2 +- crypto/ocsp/ocsp_prn.c | 2 +- crypto/packet.c | 2 +- crypto/param_build.c | 2 +- crypto/params.c | 2 +- crypto/pem/pem_lib.c | 2 +- crypto/pem/pem_pkey.c | 2 +- crypto/perlasm/arm-xlate.pl | 2 +- crypto/pkcs12/p12_add.c | 2 +- crypto/pkcs12/p12_asn.c | 2 +- 
crypto/pkcs12/p12_init.c | 2 +- crypto/pkcs12/p12_kiss.c | 2 +- crypto/pkcs12/p12_local.h | 2 +- crypto/pkcs12/p12_mutl.c | 2 +- crypto/pkcs12/p12_npas.c | 2 +- crypto/pkcs12/p12_sbag.c | 2 +- crypto/pkcs12/p12_utl.c | 2 +- crypto/pkcs12/pk12err.c | 2 +- crypto/pkcs7/pk7_doit.c | 2 +- crypto/pkcs7/pk7_lib.c | 2 +- crypto/pkcs7/pk7_smime.c | 2 +- crypto/poly1305/asm/poly1305-armv4.pl | 2 +- crypto/poly1305/asm/poly1305-x86_64.pl | 2 +- crypto/poly1305/poly1305_ieee754.c | 2 +- crypto/property/property.c | 2 +- crypto/provider.c | 2 +- crypto/provider_child.c | 2 +- crypto/provider_conf.c | 2 +- crypto/provider_core.c | 2 +- crypto/punycode.c | 2 +- crypto/rand/rand_lib.c | 2 +- crypto/rc2/rc2_local.h | 2 +- crypto/rc4/asm/rc4-x86_64.pl | 2 +- crypto/rc5/rc5_local.h | 2 +- crypto/rsa/rsa_ameth.c | 2 +- crypto/rsa/rsa_chk.c | 2 +- crypto/rsa/rsa_gen.c | 2 +- crypto/rsa/rsa_lib.c | 2 +- crypto/rsa/rsa_ossl.c | 2 +- crypto/rsa/rsa_pk1.c | 2 +- crypto/rsa/rsa_pmeth.c | 2 +- crypto/rsa/rsa_pss.c | 2 +- crypto/rsa/rsa_sp800_56b_gen.c | 2 +- crypto/rsa/rsa_x931g.c | 2 +- crypto/s390x_arch.h | 2 +- crypto/s390xcap.c | 2 +- crypto/sha/asm/keccak1600-avx2.pl | 2 +- crypto/sha/asm/keccak1600-avx512.pl | 2 +- crypto/sha/asm/keccak1600-avx512vl.pl | 2 +- crypto/sha/asm/sha1-armv4-large.pl | 2 +- crypto/sha/asm/sha256-armv4.pl | 2 +- crypto/sha/asm/sha512-armv4.pl | 2 +- crypto/sha/sha256.c | 2 +- crypto/sleep.c | 2 +- crypto/sm2/sm2_sign.c | 2 +- crypto/sm3/asm/sm3-armv8.pl | 2 +- crypto/sm4/asm/vpsm4-armv8.pl | 2 +- crypto/sm4/asm/vpsm4_ex-armv8.pl | 2 +- crypto/stack/stack.c | 2 +- crypto/store/store_local.h | 2 +- crypto/store/store_meth.c | 2 +- crypto/store/store_result.c | 2 +- crypto/thread/arch.c | 2 +- crypto/thread/arch/thread_none.c | 2 +- crypto/thread/arch/thread_posix.c | 2 +- crypto/thread/arch/thread_win.c | 2 +- crypto/thread/internal.c | 2 +- crypto/threads_none.c | 2 +- crypto/threads_pthread.c | 2 +- crypto/threads_win.c | 2 +- crypto/time.c | 2 +- 
crypto/trace.c | 2 +- crypto/ts/ts_conf.c | 2 +- crypto/txt_db/txt_db.c | 2 +- crypto/ui/ui_lib.c | 2 +- crypto/ui/ui_util.c | 2 +- crypto/uid.c | 2 +- crypto/whrlpool/wp_dgst.c | 2 +- crypto/x509/by_dir.c | 2 +- crypto/x509/by_store.c | 2 +- crypto/x509/pcy_cache.c | 2 +- crypto/x509/pcy_local.h | 2 +- crypto/x509/pcy_node.c | 2 +- crypto/x509/pcy_tree.c | 2 +- crypto/x509/v3_addr.c | 2 +- crypto/x509/v3_admis.c | 2 +- crypto/x509/v3_genn.c | 2 +- crypto/x509/v3_ist.c | 2 +- crypto/x509/v3_lib.c | 2 +- crypto/x509/v3_ncons.c | 2 +- crypto/x509/v3_purp.c | 2 +- crypto/x509/x509_att.c | 2 +- crypto/x509/x509_cmp.c | 2 +- crypto/x509/x509_def.c | 2 +- crypto/x509/x509_err.c | 2 +- crypto/x509/x509_lu.c | 2 +- crypto/x509/x509_set.c | 2 +- crypto/x509/x509_trust.c | 2 +- crypto/x509/x509_vpm.c | 2 +- crypto/x509/x509cset.c | 2 +- crypto/x509/x_all.c | 2 +- crypto/x509/x_pubkey.c | 2 +- demos/bio/client-arg.c | 2 +- demos/bio/client-conf.c | 2 +- demos/cipher/aesccm.c | 2 +- demos/cipher/aesgcm.c | 2 +- demos/cipher/aeskeywrap.c | 2 +- demos/cipher/ariacbc.c | 2 +- demos/cms/cms_comp.c | 2 +- demos/cms/cms_ddec.c | 2 +- demos/cms/cms_dec.c | 2 +- demos/cms/cms_denc.c | 2 +- demos/cms/cms_enc.c | 2 +- demos/cms/cms_sign.c | 2 +- demos/cms/cms_sign2.c | 2 +- demos/cms/cms_uncomp.c | 2 +- demos/cms/cms_ver.c | 2 +- demos/digest/BIO_f_md.c | 2 +- demos/digest/EVP_MD_demo.c | 2 +- demos/digest/EVP_MD_stdin.c | 2 +- demos/digest/EVP_MD_xof.c | 2 +- demos/encode/ec_encode.c | 2 +- demos/encode/rsa_encode.c | 2 +- demos/kdf/hkdf.c | 2 +- demos/kdf/pbkdf2.c | 2 +- demos/kdf/scrypt.c | 2 +- demos/keyexch/x25519.c | 2 +- demos/mac/cmac-aes256.c | 2 +- demos/mac/gmac.c | 2 +- demos/mac/hmac-sha512.c | 2 +- demos/mac/poly1305.c | 2 +- demos/mac/siphash.c | 2 +- demos/pkcs12/pkwrite.c | 2 +- demos/pkey/EVP_PKEY_DSA_keygen.c | 2 +- demos/pkey/EVP_PKEY_DSA_paramfromdata.c | 2 +- demos/pkey/EVP_PKEY_DSA_paramgen.c | 2 +- demos/pkey/EVP_PKEY_DSA_paramvalidate.c | 2 +- 
demos/pkey/EVP_PKEY_EC_keygen.c | 2 +- demos/pkey/EVP_PKEY_RSA_keygen.c | 2 +- demos/signature/EVP_DSA_Signature_demo.c | 2 +- demos/signature/EVP_EC_Signature_demo.c | 2 +- demos/signature/rsa_pss_direct.c | 2 +- demos/signature/rsa_pss_hash.c | 2 +- demos/smime/smdec.c | 2 +- demos/smime/smenc.c | 2 +- demos/smime/smsign.c | 2 +- demos/smime/smsign2.c | 2 +- demos/smime/smver.c | 2 +- demos/sslecho/main.c | 2 +- doc/internal/man3/OSSL_EVENT.pod | 2 +- doc/internal/man3/evp_generic_fetch.pod | 2 +- doc/internal/man3/evp_keymgmt_util_export_to_provider.pod | 2 +- doc/internal/man3/ossl_cmp_certreq_new.pod | 2 +- doc/internal/man3/ossl_cmp_mock_srv_new.pod | 2 +- doc/internal/man3/ossl_cmp_msg_protect.pod | 2 +- doc/internal/man3/ossl_cmp_pkisi_get_status.pod | 2 +- doc/internal/man3/ossl_punycode_decode.pod | 2 +- doc/internal/man7/build.info.pod | 2 +- doc/man1/openssl-asn1parse.pod.in | 2 +- doc/man1/openssl-ca.pod.in | 2 +- doc/man1/openssl-cmp.pod.in | 2 +- doc/man1/openssl-dhparam.pod.in | 2 +- doc/man1/openssl-dsa.pod.in | 2 +- doc/man1/openssl-dsaparam.pod.in | 2 +- doc/man1/openssl-ec.pod.in | 2 +- doc/man1/openssl-fipsinstall.pod.in | 2 +- doc/man1/openssl-gendsa.pod.in | 2 +- doc/man1/openssl-genpkey.pod.in | 2 +- doc/man1/openssl-genrsa.pod.in | 2 +- doc/man1/openssl-kdf.pod.in | 2 +- doc/man1/openssl-mac.pod.in | 2 +- doc/man1/openssl-ocsp.pod.in | 2 +- doc/man1/openssl-pkcs8.pod.in | 2 +- doc/man1/openssl-pkey.pod.in | 2 +- doc/man1/openssl-pkeyutl.pod.in | 2 +- doc/man1/openssl-req.pod.in | 2 +- doc/man1/openssl-rsa.pod.in | 2 +- doc/man1/openssl-rsautl.pod.in | 2 +- doc/man1/openssl-smime.pod.in | 2 +- doc/man1/openssl-speed.pod.in | 2 +- doc/man1/openssl-storeutl.pod.in | 2 +- doc/man1/openssl-verification-options.pod | 2 +- doc/man1/openssl-x509.pod.in | 2 +- doc/man1/openssl.pod | 2 +- doc/man3/ASN1_STRING_new.pod | 2 +- doc/man3/ASN1_item_d2i_bio.pod | 2 +- doc/man3/ASYNC_WAIT_CTX_new.pod | 2 +- doc/man3/BIO_f_ssl.pod | 2 +- 
doc/man3/BIO_get_rpoll_descriptor.pod | 2 +- doc/man3/BIO_read.pod | 2 +- doc/man3/BIO_s_connect.pod | 2 +- doc/man3/BIO_s_datagram.pod | 2 +- doc/man3/BIO_s_mem.pod | 2 +- doc/man3/BIO_sendmmsg.pod | 2 +- doc/man3/CMS_add0_cert.pod | 2 +- doc/man3/CMS_sign.pod | 2 +- doc/man3/CMS_verify.pod | 2 +- doc/man3/CRYPTO_THREAD_run_once.pod | 2 +- doc/man3/DEFINE_STACK_OF.pod | 2 +- doc/man3/DTLSv1_listen.pod | 2 +- doc/man3/EC_GROUP_copy.pod | 2 +- doc/man3/EC_GROUP_new.pod | 2 +- doc/man3/EC_KEY_new.pod | 2 +- doc/man3/EC_POINT_add.pod | 2 +- doc/man3/EC_POINT_new.pod | 2 +- doc/man3/ERR_GET_LIB.pod | 2 +- doc/man3/ERR_set_mark.pod | 2 +- doc/man3/EVP_DigestInit.pod | 2 +- doc/man3/EVP_DigestSignInit.pod | 2 +- doc/man3/EVP_DigestVerifyInit.pod | 2 +- doc/man3/EVP_EncryptInit.pod | 2 +- doc/man3/EVP_KDF.pod | 2 +- doc/man3/EVP_PKEY_CTX_get0_pkey.pod | 2 +- doc/man3/EVP_PKEY_decapsulate.pod | 2 +- doc/man3/EVP_PKEY_encapsulate.pod | 2 +- doc/man3/EVP_PKEY_get_default_digest_nid.pod | 2 +- doc/man3/EVP_PKEY_set1_RSA.pod | 2 +- doc/man3/EVP_RAND.pod | 2 +- doc/man3/EVP_SignInit.pod | 2 +- doc/man3/EVP_VerifyInit.pod | 2 +- doc/man3/EVP_aes_128_gcm.pod | 2 +- doc/man3/EVP_aria_128_gcm.pod | 2 +- doc/man3/EVP_bf_cbc.pod | 2 +- doc/man3/EVP_blake2b512.pod | 2 +- doc/man3/EVP_camellia_128_ecb.pod | 2 +- doc/man3/EVP_cast5_cbc.pod | 2 +- doc/man3/EVP_chacha20.pod | 2 +- doc/man3/EVP_des_cbc.pod | 2 +- doc/man3/EVP_desx_cbc.pod | 2 +- doc/man3/EVP_idea_cbc.pod | 2 +- doc/man3/EVP_md2.pod | 2 +- doc/man3/EVP_md4.pod | 2 +- doc/man3/EVP_md5.pod | 2 +- doc/man3/EVP_mdc2.pod | 2 +- doc/man3/EVP_rc2_cbc.pod | 2 +- doc/man3/EVP_rc4.pod | 2 +- doc/man3/EVP_rc5_32_12_16_cbc.pod | 2 +- doc/man3/EVP_ripemd160.pod | 2 +- doc/man3/EVP_seed_cbc.pod | 2 +- doc/man3/EVP_sha1.pod | 2 +- doc/man3/EVP_sha224.pod | 2 +- doc/man3/EVP_sha3_224.pod | 2 +- doc/man3/EVP_sm3.pod | 2 +- doc/man3/EVP_sm4_cbc.pod | 2 +- doc/man3/EVP_whirlpool.pod | 2 +- doc/man3/MD5.pod | 2 +- doc/man3/OPENSSL_s390xcap.pod 
| 2 +- doc/man3/OSSL_CMP_CTX_new.pod | 2 +- doc/man3/OSSL_CMP_ITAV_new_caCerts.pod | 2 +- doc/man3/OSSL_CMP_MSG_get0_header.pod | 2 +- doc/man3/OSSL_CMP_exec_certreq.pod | 2 +- doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod | 2 +- doc/man3/OSSL_CRMF_MSG_set0_validity.pod | 2 +- doc/man3/OSSL_DECODER_from_bio.pod | 2 +- doc/man3/OSSL_DISPATCH.pod | 2 +- doc/man3/OSSL_HPKE_CTX_new.pod | 2 +- doc/man3/OSSL_HTTP_REQ_CTX.pod | 2 +- doc/man3/OSSL_HTTP_transfer.pod | 2 +- doc/man3/OSSL_PARAM.pod | 2 +- doc/man3/OSSL_PARAM_int.pod | 2 +- doc/man3/OSSL_PROVIDER.pod | 2 +- doc/man3/OSSL_QUIC_client_method.pod | 2 +- doc/man3/OSSL_SELF_TEST_new.pod | 2 +- doc/man3/OSSL_sleep.pod | 2 +- doc/man3/OSSL_trace_enabled.pod | 2 +- doc/man3/OSSL_trace_set_channel.pod | 2 +- doc/man3/PEM_read_CMS.pod | 2 +- doc/man3/PKCS12_SAFEBAG_get1_cert.pod | 2 +- doc/man3/PKCS7_sign.pod | 2 +- doc/man3/SSL_CONF_cmd.pod | 2 +- doc/man3/SSL_CTX_dane_enable.pod | 2 +- doc/man3/SSL_CTX_new.pod | 2 +- doc/man3/SSL_CTX_set_alpn_select_cb.pod | 2 +- doc/man3/SSL_CTX_set_min_proto_version.pod | 2 +- doc/man3/SSL_CTX_set_mode.pod | 2 +- doc/man3/SSL_CTX_set_msg_callback.pod | 2 +- doc/man3/SSL_CTX_set_options.pod | 2 +- doc/man3/SSL_CTX_set_quiet_shutdown.pod | 2 +- doc/man3/SSL_CTX_set_read_ahead.pod | 2 +- doc/man3/SSL_CTX_set_record_padding_callback.pod | 2 +- doc/man3/SSL_CTX_set_split_send_fragment.pod | 2 +- doc/man3/SSL_CTX_set_ssl_version.pod | 2 +- doc/man3/SSL_CTX_set_tlsext_use_srtp.pod | 2 +- doc/man3/SSL_CTX_set_verify.pod | 2 +- doc/man3/SSL_SESSION_free.pod | 2 +- doc/man3/SSL_alloc_buffers.pod | 2 +- doc/man3/SSL_clear.pod | 2 +- doc/man3/SSL_free.pod | 2 +- doc/man3/SSL_get_error.pod | 2 +- doc/man3/SSL_get_event_timeout.pod | 2 +- doc/man3/SSL_get_rpoll_descriptor.pod | 2 +- doc/man3/SSL_get_verify_result.pod | 2 +- doc/man3/SSL_get_version.pod | 2 +- doc/man3/SSL_key_update.pod | 2 +- doc/man3/SSL_new.pod | 2 +- doc/man3/SSL_read.pod | 2 +- doc/man3/SSL_read_early_data.pod | 2 +- 
doc/man3/SSL_rstate_string.pod | 2 +- doc/man3/SSL_set1_initial_peer_addr.pod | 2 +- doc/man3/SSL_set_bio.pod | 2 +- doc/man3/SSL_set_blocking_mode.pod | 2 +- doc/man3/SSL_set_fd.pod | 2 +- doc/man3/SSL_set_shutdown.pod | 2 +- doc/man3/SSL_shutdown.pod | 2 +- doc/man3/SSL_stream_conclude.pod | 2 +- doc/man3/SSL_want.pod | 2 +- doc/man3/SSL_write.pod | 2 +- doc/man3/X509_STORE_CTX_set_verify_cb.pod | 2 +- doc/man3/X509_VERIFY_PARAM_set_flags.pod | 2 +- doc/man3/X509_get0_notBefore.pod | 2 +- doc/man3/X509_get_version.pod | 2 +- doc/man3/X509_sign.pod | 2 +- doc/man3/d2i_RSAPrivateKey.pod | 2 +- doc/man3/d2i_X509.pod | 2 +- doc/man5/config.pod | 2 +- doc/man5/x509v3_config.pod | 2 +- doc/man7/EVP_CIPHER-AES.pod | 2 +- doc/man7/EVP_KDF-ARGON2.pod | 2 +- doc/man7/EVP_KDF-HMAC-DRBG.pod | 2 +- doc/man7/EVP_KDF-SS.pod | 2 +- doc/man7/EVP_MD-SHA2.pod | 2 +- doc/man7/EVP_PKEY-EC.pod | 2 +- doc/man7/EVP_PKEY-RSA.pod | 2 +- doc/man7/EVP_RAND-HASH-DRBG.pod | 2 +- doc/man7/EVP_RAND-HMAC-DRBG.pod | 2 +- doc/man7/EVP_SIGNATURE-DSA.pod | 2 +- doc/man7/EVP_SIGNATURE-ECDSA.pod | 2 +- doc/man7/EVP_SIGNATURE-ED25519.pod | 2 +- doc/man7/OSSL_PROVIDER-FIPS.pod | 2 +- doc/man7/OSSL_PROVIDER-default.pod | 2 +- doc/man7/fips_module.pod | 2 +- doc/man7/openssl-quic.pod | 2 +- doc/man7/ossl-guide-migration.pod | 2 +- doc/man7/property.pod | 2 +- doc/man7/provider-asym_cipher.pod | 2 +- doc/man7/provider-base.pod | 2 +- doc/man7/provider-cipher.pod | 2 +- doc/man7/provider-decoder.pod | 2 +- doc/man7/provider-digest.pod | 2 +- doc/man7/provider-kem.pod | 2 +- doc/man7/provider-keymgmt.pod | 2 +- doc/man7/provider-signature.pod | 2 +- engines/asm/e_padlock-x86.pl | 2 +- engines/asm/e_padlock-x86_64.pl | 2 +- engines/e_capi.txt | 2 +- engines/e_capi_err.c | 2 +- engines/e_dasync.c | 2 +- engines/e_devcrypto.c | 2 +- engines/e_loader_attic.c | 2 +- engines/e_padlock.c | 2 +- fuzz/fuzz_rand.c | 2 +- fuzz/pem.c | 2 +- fuzz/x509.c | 2 +- include/crypto/aes_platform.h | 2 +- include/crypto/bn.h | 2 
+- include/crypto/decoder.h | 2 +- include/crypto/ecx.h | 2 +- include/crypto/evp.h | 2 +- include/crypto/punycode.h | 2 +- include/crypto/riscv_arch.h | 2 +- include/crypto/rsa.h | 2 +- include/crypto/sha.h | 2 +- include/crypto/sm4_platform.h | 2 +- include/crypto/types.h | 2 +- include/internal/bio_tfo.h | 2 +- include/internal/common.h | 2 +- include/internal/cryptlib.h | 2 +- include/internal/e_os.h | 2 +- include/internal/endian.h | 2 +- include/internal/event_queue.h | 2 +- include/internal/ffc.h | 2 +- include/internal/numbers.h | 2 +- include/internal/packet.h | 2 +- include/internal/packet_quic.h | 2 +- include/internal/provider.h | 2 +- include/internal/quic_ackm.h | 2 +- include/internal/quic_cc.h | 2 +- include/internal/quic_cfq.h | 2 +- include/internal/quic_channel.h | 2 +- include/internal/quic_demux.h | 2 +- include/internal/quic_error.h | 2 +- include/internal/quic_fc.h | 2 +- include/internal/quic_fifd.h | 2 +- include/internal/quic_reactor.h | 2 +- include/internal/quic_record_rx.h | 2 +- include/internal/quic_record_tx.h | 2 +- include/internal/quic_record_util.h | 2 +- include/internal/quic_rx_depack.h | 2 +- include/internal/quic_sf_list.h | 2 +- include/internal/quic_ssl.h | 2 +- include/internal/quic_statm.h | 2 +- include/internal/quic_stream.h | 2 +- include/internal/quic_stream_map.h | 2 +- include/internal/quic_tls.h | 2 +- include/internal/quic_tserver.h | 2 +- include/internal/quic_txp.h | 2 +- include/internal/quic_txpim.h | 2 +- include/internal/quic_types.h | 2 +- include/internal/quic_vlint.h | 2 +- include/internal/quic_wire.h | 2 +- include/internal/quic_wire_pkt.h | 2 +- include/internal/recordmethod.h | 2 +- include/internal/refcount.h | 2 +- include/internal/ring_buf.h | 2 +- include/internal/sockets.h | 2 +- include/internal/ssl3_cbc.h | 2 +- include/internal/statem.h | 2 +- include/internal/thread_arch.h | 2 +- include/internal/time.h | 2 +- include/openssl/asn1.h.in | 2 +- include/openssl/bio.h.in | 2 +- 
include/openssl/cmp.h.in | 2 +- include/openssl/core.h | 2 +- include/openssl/core_dispatch.h | 2 +- include/openssl/core_names.h.in | 2 +- include/openssl/crmf.h.in | 2 +- include/openssl/crypto.h.in | 2 +- include/openssl/dh.h | 2 +- include/openssl/e_os2.h | 2 +- include/openssl/ec.h | 2 +- include/openssl/err.h.in | 2 +- include/openssl/evp.h | 2 +- include/openssl/fips_names.h | 2 +- include/openssl/hpke.h | 2 +- include/openssl/http.h | 2 +- include/openssl/macros.h | 2 +- include/openssl/pkcs12.h.in | 2 +- include/openssl/prov_ssl.h | 2 +- include/openssl/provider.h | 2 +- include/openssl/quic.h | 2 +- include/openssl/sha.h | 2 +- include/openssl/ssl3.h | 2 +- include/openssl/thread.h | 2 +- include/openssl/trace.h | 2 +- include/openssl/x509.h.in | 2 +- include/openssl/x509v3.h.in | 2 +- ms/applink.c | 2 +- providers/baseprov.c | 2 +- providers/common/include/prov/securitycheck.h | 2 +- providers/common/securitycheck.c | 2 +- providers/common/securitycheck_default.c | 2 +- providers/common/securitycheck_fips.c | 2 +- providers/decoders.inc | 2 +- providers/defltprov.c | 2 +- providers/encoders.inc | 2 +- providers/fips/fipsprov.c | 2 +- providers/fips/self_test.c | 2 +- providers/fips/self_test_data.inc | 2 +- providers/implementations/asymciphers/rsa_enc.c | 2 +- providers/implementations/asymciphers/sm2_enc.c | 2 +- providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c | 2 +- providers/implementations/ciphers/cipher_aes_ccm_hw.c | 2 +- providers/implementations/ciphers/cipher_aes_ccm_hw_rv32i.inc | 2 +- providers/implementations/ciphers/cipher_aes_ccm_hw_rv64i.inc | 2 +- providers/implementations/ciphers/cipher_aes_gcm_hw.c | 2 +- providers/implementations/ciphers/cipher_aes_gcm_hw_rv32i.inc | 2 +- providers/implementations/ciphers/cipher_aes_gcm_hw_rv64i.inc | 2 +- providers/implementations/ciphers/cipher_aes_gcm_siv.c | 2 +- .../implementations/ciphers/cipher_aes_gcm_siv_polyval.c | 2 +- providers/implementations/ciphers/cipher_aes_hw.c | 2 +- 
providers/implementations/ciphers/cipher_aes_hw_rv32i.inc | 2 +- providers/implementations/ciphers/cipher_aes_hw_rv64i.inc | 2 +- providers/implementations/ciphers/cipher_aes_ocb.c | 2 +- providers/implementations/ciphers/cipher_aes_ocb_hw.c | 2 +- providers/implementations/ciphers/cipher_aes_siv.c | 2 +- providers/implementations/ciphers/cipher_aes_wrp.c | 2 +- providers/implementations/ciphers/cipher_aes_xts.c | 2 +- providers/implementations/ciphers/cipher_aes_xts_hw.c | 2 +- providers/implementations/ciphers/cipher_chacha20.c | 2 +- providers/implementations/ciphers/cipher_chacha20_poly1305.c | 2 +- providers/implementations/ciphers/cipher_chacha20_poly1305.h | 2 +- .../implementations/ciphers/cipher_chacha20_poly1305_hw.c | 2 +- providers/implementations/ciphers/cipher_cts.h | 2 +- providers/implementations/ciphers/cipher_des.c | 2 +- providers/implementations/ciphers/cipher_null.c | 2 +- providers/implementations/ciphers/cipher_rc2.c | 2 +- providers/implementations/ciphers/cipher_rc4.c | 2 +- providers/implementations/ciphers/cipher_rc4_hmac_md5.c | 2 +- providers/implementations/ciphers/cipher_rc4_hmac_md5.h | 2 +- providers/implementations/ciphers/cipher_rc5.c | 2 +- providers/implementations/ciphers/cipher_sm4_ccm_hw.c | 2 +- providers/implementations/ciphers/cipher_sm4_gcm_hw.c | 2 +- providers/implementations/ciphers/cipher_sm4_hw.c | 2 +- providers/implementations/ciphers/cipher_sm4_xts.c | 2 +- providers/implementations/ciphers/cipher_sm4_xts.h | 2 +- providers/implementations/ciphers/cipher_sm4_xts_hw.c | 2 +- providers/implementations/ciphers/cipher_tdes.h | 2 +- providers/implementations/ciphers/cipher_tdes_common.c | 2 +- providers/implementations/ciphers/cipher_tdes_wrap.c | 2 +- providers/implementations/ciphers/ciphercommon_block.c | 2 +- providers/implementations/ciphers/ciphercommon_gcm.c | 2 +- providers/implementations/digests/blake2_prov.c | 2 +- providers/implementations/digests/blake2b_prov.c | 2 +- 
providers/implementations/digests/sha2_prov.c | 2 +- providers/implementations/digests/sha3_prov.c | 2 +- providers/implementations/encode_decode/decode_der2key.c | 2 +- providers/implementations/encode_decode/decode_epki2pki.c | 2 +- providers/implementations/encode_decode/decode_msblob2key.c | 2 +- providers/implementations/encode_decode/decode_pem2der.c | 2 +- providers/implementations/encode_decode/decode_pvk2key.c | 2 +- .../implementations/encode_decode/decode_spki2typespki.c | 2 +- providers/implementations/encode_decode/encode_key2any.c | 2 +- providers/implementations/encode_decode/encode_key2blob.c | 2 +- providers/implementations/encode_decode/encode_key2ms.c | 2 +- providers/implementations/encode_decode/encode_key2text.c | 2 +- providers/implementations/exchange/dh_exch.c | 2 +- providers/implementations/exchange/ecdh_exch.c | 2 +- providers/implementations/exchange/ecx_exch.c | 2 +- providers/implementations/exchange/kdf_exch.c | 2 +- providers/implementations/include/prov/blake2.h | 2 +- providers/implementations/include/prov/ciphercommon.h | 2 +- providers/implementations/include/prov/ciphercommon_aead.h | 2 +- providers/implementations/include/prov/implementations.h | 2 +- providers/implementations/include/prov/kdfexchange.h | 2 +- providers/implementations/include/prov/macsignature.h | 2 +- providers/implementations/include/prov/names.h | 2 +- providers/implementations/kdfs/argon2.c | 2 +- providers/implementations/kdfs/hkdf.c | 2 +- providers/implementations/kdfs/hmacdrbg_kdf.c | 2 +- providers/implementations/kdfs/kbkdf.c | 2 +- providers/implementations/kdfs/krb5kdf.c | 2 +- providers/implementations/kdfs/pbkdf1.c | 2 +- providers/implementations/kdfs/pbkdf2.c | 2 +- providers/implementations/kdfs/pkcs12kdf.c | 2 +- providers/implementations/kdfs/pvkkdf.c | 2 +- providers/implementations/kdfs/scrypt.c | 2 +- providers/implementations/kdfs/sshkdf.c | 2 +- providers/implementations/kdfs/sskdf.c | 2 +- providers/implementations/kdfs/tls1_prf.c | 2 
+- providers/implementations/kdfs/x942kdf.c | 2 +- providers/implementations/kem/ec_kem.c | 2 +- providers/implementations/kem/ecx_kem.c | 2 +- providers/implementations/kem/rsa_kem.c | 2 +- providers/implementations/keymgmt/dh_kmgmt.c | 2 +- providers/implementations/keymgmt/dsa_kmgmt.c | 2 +- providers/implementations/keymgmt/ec_kmgmt.c | 2 +- providers/implementations/keymgmt/ecx_kmgmt.c | 2 +- providers/implementations/keymgmt/kdf_legacy_kmgmt.c | 2 +- providers/implementations/keymgmt/mac_legacy_kmgmt.c | 2 +- providers/implementations/keymgmt/rsa_kmgmt.c | 2 +- providers/implementations/macs/blake2_mac_impl.c | 2 +- providers/implementations/macs/cmac_prov.c | 2 +- providers/implementations/macs/gmac_prov.c | 2 +- providers/implementations/macs/hmac_prov.c | 2 +- providers/implementations/macs/kmac_prov.c | 2 +- providers/implementations/macs/poly1305_prov.c | 2 +- providers/implementations/macs/siphash_prov.c | 2 +- providers/implementations/rands/drbg.c | 2 +- providers/implementations/rands/drbg_ctr.c | 2 +- providers/implementations/rands/drbg_hash.c | 2 +- providers/implementations/rands/drbg_hmac.c | 2 +- providers/implementations/rands/drbg_local.h | 2 +- providers/implementations/rands/seed_src.c | 2 +- providers/implementations/rands/seeding/rand_unix.c | 2 +- providers/implementations/rands/test_rng.c | 2 +- providers/implementations/signature/dsa_sig.c | 2 +- providers/implementations/signature/ecdsa_sig.c | 2 +- providers/implementations/signature/eddsa_sig.c | 2 +- providers/implementations/signature/mac_legacy_sig.c | 2 +- providers/implementations/signature/rsa_sig.c | 2 +- providers/implementations/signature/sm2_sig.c | 2 +- providers/implementations/storemgmt/file_store.c | 2 +- providers/implementations/storemgmt/file_store_any2obj.c | 2 +- providers/implementations/storemgmt/winstore_store.c | 2 +- providers/legacyprov.c | 2 +- providers/nullprov.c | 2 +- ssl/bio_ssl.c | 2 +- ssl/d1_lib.c | 2 +- ssl/d1_msg.c | 2 +- ssl/d1_srtp.c | 2 +- 
ssl/event_queue.c | 2 +- ssl/priority_queue.c | 2 +- ssl/quic/quic_ackm.c | 2 +- ssl/quic/quic_cfq.c | 2 +- ssl/quic/quic_channel.c | 2 +- ssl/quic/quic_demux.c | 2 +- ssl/quic/quic_fc.c | 2 +- ssl/quic/quic_fifd.c | 2 +- ssl/quic/quic_impl.c | 2 +- ssl/quic/quic_local.h | 2 +- ssl/quic/quic_method.c | 2 +- ssl/quic/quic_reactor.c | 2 +- ssl/quic/quic_record_rx.c | 2 +- ssl/quic/quic_record_tx.c | 2 +- ssl/quic/quic_record_util.c | 2 +- ssl/quic/quic_rstream.c | 2 +- ssl/quic/quic_rx_depack.c | 2 +- ssl/quic/quic_sf_list.c | 2 +- ssl/quic/quic_sstream.c | 2 +- ssl/quic/quic_statm.c | 2 +- ssl/quic/quic_stream_map.c | 2 +- ssl/quic/quic_tls.c | 2 +- ssl/quic/quic_tserver.c | 2 +- ssl/quic/quic_txp.c | 2 +- ssl/quic/quic_txpim.c | 2 +- ssl/quic/quic_wire.c | 2 +- ssl/quic/quic_wire_pkt.c | 2 +- ssl/quic/uint_set.c | 2 +- ssl/record/methods/dtls_meth.c | 2 +- ssl/record/methods/ktls_meth.c | 2 +- ssl/record/methods/recmethod_local.h | 2 +- ssl/record/methods/ssl3_cbc.c | 2 +- ssl/record/methods/ssl3_meth.c | 2 +- ssl/record/methods/tls13_meth.c | 2 +- ssl/record/methods/tls1_meth.c | 2 +- ssl/record/methods/tls_common.c | 2 +- ssl/record/methods/tls_multib.c | 2 +- ssl/record/methods/tls_pad.c | 2 +- ssl/record/rec_layer_d1.c | 2 +- ssl/record/rec_layer_s3.c | 2 +- ssl/record/record.h | 2 +- ssl/s3_enc.c | 2 +- ssl/s3_lib.c | 2 +- ssl/ssl_cert_comp.c | 2 +- ssl/ssl_cert_table.h | 2 +- ssl/ssl_ciph.c | 2 +- ssl/ssl_conf.c | 2 +- ssl/ssl_rsa.c | 2 +- ssl/statem/statem_dtls.c | 2 +- ssl/t1_enc.c | 2 +- ssl/tls13_enc.c | 2 +- test/asn1_internal_test.c | 2 +- test/bio_core_test.c | 2 +- test/bio_dgram_test.c | 2 +- test/bntest.c | 2 +- test/build_wincrypt_test.c | 2 +- test/cc_dummy.c | 2 +- test/certs/mkcert.sh | 2 +- test/cmp_asn_test.c | 2 +- test/cmp_client_test.c | 2 +- test/cmp_ctx_test.c | 2 +- test/cmp_hdr_test.c | 2 +- test/cmp_msg_test.c | 2 +- test/cmp_protect_test.c | 2 +- test/cmp_vfy_test.c | 2 +- test/cmsapitest.c | 2 +- test/curve448_internal_test.c | 2 +- 
test/destest.c | 2 +- test/dhkem_test.inc | 2 +- test/dhtest.c | 2 +- test/dsatest.c | 2 +- test/dtlstest.c | 2 +- test/ecdsatest.c | 2 +- test/ectest.c | 2 +- test/endecode_test.c | 2 +- test/errtest.c | 2 +- test/evp_extra_test.c | 2 +- test/evp_extra_test2.c | 2 +- test/evp_kdf_test.c | 2 +- test/evp_pkey_dhkem_test.c | 2 +- test/evp_pkey_provided_test.c | 2 +- test/evp_test.c | 2 +- test/exptest.c | 2 +- test/ext_internal_test.c | 2 +- test/fake_rsaprov.c | 2 +- test/ffc_internal_test.c | 2 +- test/filterprov.c | 2 +- test/helpers/quictestlib.c | 2 +- test/helpers/quictestlib.h | 2 +- test/helpers/ssl_test_ctx.c | 2 +- test/helpers/ssl_test_ctx.h | 2 +- test/helpers/ssltestlib.c | 2 +- test/helpers/ssltestlib.h | 2 +- test/hpke_test.c | 2 +- test/membio_test.c | 2 +- test/p_test.c | 2 +- test/packettest.c | 2 +- test/param_build_test.c | 2 +- test/pbetest.c | 2 +- test/pemtest.c | 2 +- test/pkcs12_api_test.c | 2 +- test/property_test.c | 2 +- test/provfetchtest.c | 2 +- test/provider_internal_test.c | 2 +- test/provider_test.c | 2 +- test/punycode_test.c | 2 +- test/quic_ackm_test.c | 2 +- test/quic_cc_test.c | 2 +- test/quic_cfq_test.c | 2 +- test/quic_fc_test.c | 2 +- test/quic_fifd_test.c | 2 +- test/quic_record_test.c | 2 +- test/quic_record_test_util.h | 2 +- test/quic_stream_test.c | 2 +- test/quic_tserver_test.c | 2 +- test/quic_txp_test.c | 2 +- test/quic_wire_test.c | 2 +- test/quicapitest.c | 2 +- test/quicfaultstest.c | 2 +- test/recipes/00-prep_fipsmodule_cnf.t | 2 +- test/recipes/01-test_symbol_presence.t | 2 +- test/recipes/03-test_fipsinstall.t | 2 +- test/recipes/03-test_internal_curve448.t | 2 +- test/recipes/04-test_encoder_decoder.t | 2 +- test/recipes/06-test_algorithmid.t | 2 +- test/recipes/15-test_ec.t | 2 +- test/recipes/15-test_gendsa.t | 2 +- test/recipes/15-test_genpkey.t | 2 +- test/recipes/15-test_genrsa.t | 2 +- test/recipes/15-test_mp_rsa.t | 2 +- test/recipes/15-test_rsa.t | 2 +- test/recipes/15-test_rsapss.t | 2 +- 
test/recipes/20-test_app.t | 2 +- test/recipes/20-test_cli_fips.t | 2 +- test/recipes/20-test_dgst.t | 2 +- test/recipes/20-test_enc.t | 2 +- test/recipes/20-test_pkeyutl.t | 2 +- test/recipes/25-test_pkcs7.t | 2 +- test/recipes/25-test_pkcs8.t | 2 +- test/recipes/25-test_req.t | 2 +- test/recipes/25-test_verify.t | 2 +- test/recipes/25-test_x509.t | 2 +- test/recipes/30-test_defltfips.t | 2 +- test/recipes/30-test_evp.t | 2 +- test/recipes/30-test_evp_data/evpciph_aes_common.txt | 2 +- test/recipes/30-test_evp_data/evpciph_aes_siv.txt | 2 +- test/recipes/30-test_evp_data/evpciph_chacha.txt | 2 +- test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt | 2 +- test/recipes/30-test_evp_data/evpkdf_ss.txt | 2 +- test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt | 2 +- test/recipes/30-test_evp_data/evpkdf_x963.txt | 2 +- test/recipes/30-test_evp_data/evpmac_common.txt | 2 +- test/recipes/30-test_evp_data/evpmd_blake.txt | 2 +- test/recipes/30-test_evp_data/evpmd_sha.txt | 2 +- test/recipes/30-test_evp_data/evppkey_dsa.txt | 2 +- test/recipes/30-test_evp_data/evppkey_ecx.txt | 2 +- test/recipes/30-test_evp_data/evppkey_mismatch.txt | 2 +- test/recipes/30-test_evp_data/evppkey_mismatch_ecx.txt | 2 +- test/recipes/30-test_evp_data/evppkey_rsa.txt | 2 +- test/recipes/30-test_evp_data/evppkey_rsa_common.txt | 2 +- test/recipes/30-test_evp_data/evprand.txt | 2 +- test/recipes/65-test_cmp_protect.t | 2 +- test/recipes/70-test_key_share.t | 2 +- test/recipes/70-test_quic_multistream.t | 2 +- test/recipes/70-test_quic_tserver.t | 2 +- test/recipes/70-test_tls13cookie.t | 2 +- test/recipes/70-test_tls13hrr.t | 2 +- test/recipes/70-test_tls13kexmodes.t | 2 +- test/recipes/70-test_tls13messages.t | 2 +- test/recipes/70-test_tls13psk.t | 2 +- test/recipes/75-test_quic_cc.t | 2 +- test/recipes/75-test_quicapi.t | 2 +- test/recipes/79-test_http.t | 2 +- test/recipes/80-test_ca.t | 2 +- test/recipes/80-test_cmp_http.t | 2 +- test/recipes/80-test_cms.t | 2 +- 
test/recipes/80-test_ssl_new.t | 2 +- test/recipes/90-test_quicfaults.t | 2 +- test/recipes/90-test_store.t | 2 +- test/recipes/90-test_trace_api.t | 2 +- test/recipes/91-test_pkey_check.t | 2 +- test/recipes/99-test_fuzz_decoder.t | 2 +- test/recipes/99-test_fuzz_pem.t | 2 +- test/recipes/99-test_fuzz_punycode.t | 2 +- test/recipes/99-test_fuzz_v3name.t | 2 +- test/recipes/99-test_fuzz_x509.t | 2 +- test/recipes/tconversion.pl | 2 +- test/recordlentest.c | 2 +- test/rsa_mp_test.c | 2 +- test/rsa_sp800_56b_test.c | 2 +- test/rsa_test.c | 2 +- test/rsa_x931_test.c | 2 +- test/sanitytest.c | 2 +- test/smime-certs/mksmime-certs.sh | 2 +- test/ssl-tests/28-seclevel.cnf.in | 2 +- test/ssl-tests/30-extended-master-secret.cnf.in | 2 +- test/ssl_ctx_test.c | 2 +- test/ssl_old_test.c | 2 +- test/ssl_test.c | 2 +- test/sslapitest.c | 2 +- test/sslbuffertest.c | 2 +- test/testutil.h | 2 +- test/testutil/basic_output.c | 2 +- test/testutil/fake_random.c | 2 +- test/testutil/main.c | 2 +- test/testutil/provider.c | 2 +- test/threadstest.c | 2 +- test/tls-provider.c | 2 +- test/tls13ccstest.c | 2 +- test/tls13encryptiontest.c | 2 +- test/tls13secretstest.c | 2 +- test/trace_api_test.c | 2 +- test/upcallstest.c | 2 +- test/user_property_test.c | 2 +- test/v3nametest.c | 2 +- test/wpackettest.c | 2 +- test/x509_check_cert_pkey_test.c | 2 +- util/check-format.pl | 2 +- util/find-doc-nits | 2 +- util/mk-fipsmodule-cnf.pl | 2 +- util/mkerr.pl | 2 +- util/perl/OpenSSL/Ordinals.pm | 2 +- util/perl/OpenSSL/Util.pm | 2 +- util/perl/OpenSSL/config.pm | 2 +- util/perl/TLSProxy/Message.pm | 2 +- 1043 files changed, 1044 insertions(+), 1044 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7ce1ef292ea8a..596a82a560a72 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,4 +1,4 @@
-# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/.github/workflows/compiler-zoo.yml b/.github/workflows/compiler-zoo.yml
index bd518217a56be..658d33f082a45 100644
--- a/.github/workflows/compiler-zoo.yml
+++ b/.github/workflows/compiler-zoo.yml
@@ -1,4 +1,4 @@
-# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/.github/workflows/coveralls.yml b/.github/workflows/coveralls.yml
index e0ae7b6534866..e0282459bfcbb 100644
--- a/.github/workflows/coveralls.yml
+++ b/.github/workflows/coveralls.yml
@@ -1,4 +1,4 @@
-# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/.github/workflows/cross-compiles.yml b/.github/workflows/cross-compiles.yml
index 8f2d7efad5c80..e2cd6cbb003a9 100644
--- a/.github/workflows/cross-compiles.yml
+++ b/.github/workflows/cross-compiles.yml
@@ -1,4 +1,4 @@
-# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/.github/workflows/fips-checksums.yml b/.github/workflows/fips-checksums.yml
index d91715b858c6f..1b56755bfbb17 100644
--- a/.github/workflows/fips-checksums.yml
+++ b/.github/workflows/fips-checksums.yml
@@ -1,4 +1,4 @@
-# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/.github/workflows/fuzz-checker.yml b/.github/workflows/fuzz-checker.yml
index 8b341191b61ac..3e84fdbac6fc6 100644
--- a/.github/workflows/fuzz-checker.yml
+++ b/.github/workflows/fuzz-checker.yml
@@ -1,4 +1,4 @@
-# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/.github/workflows/os-zoo.yml b/.github/workflows/os-zoo.yml
index ff2962ff8de23..ee327f4c1bfe2 100644
--- a/.github/workflows/os-zoo.yml
+++ b/.github/workflows/os-zoo.yml
@@ -1,4 +1,4 @@
-# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/.github/workflows/run-checker-ci.yml b/.github/workflows/run-checker-ci.yml
index 2515382bfd306..b4a20bcedd936 100644
--- a/.github/workflows/run-checker-ci.yml
+++ b/.github/workflows/run-checker-ci.yml
@@ -1,4 +1,4 @@
-# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/.github/workflows/run-checker-daily-sctp.yml b/.github/workflows/run-checker-daily-sctp.yml
index 7bc4fbc82d995..d258847e7e5f6 100644
--- a/.github/workflows/run-checker-daily-sctp.yml
+++ b/.github/workflows/run-checker-daily-sctp.yml
@@ -1,4 +1,4 @@
-# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/.github/workflows/run-checker-daily.yml b/.github/workflows/run-checker-daily.yml
index c197cb0975dc3..fe8a3a8e66c79 100644
--- a/.github/workflows/run-checker-daily.yml
+++ b/.github/workflows/run-checker-daily.yml
@@ -1,4 +1,4 @@
-# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/.github/workflows/run-checker-merge.yml b/.github/workflows/run-checker-merge.yml
index 8eb4b49a95c93..31148bf0b82d5 100644
--- a/.github/workflows/run-checker-merge.yml
+++ b/.github/workflows/run-checker-merge.yml
@@ -1,4 +1,4 @@
-# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
index c2c7c06c81585..11d1b03abda52 100644
--- a/.github/workflows/static-analysis.yml
+++ b/.github/workflows/static-analysis.yml
@@ -1,4 +1,4 @@
-# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
index 679a2c10fe502..9c32d2689bd2e 100644
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -1,4 +1,4 @@
-# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/.github/workflows/windows_comp.yml b/.github/workflows/windows_comp.yml
index 834d46b097679..8f19b812a7350 100644
--- a/.github/workflows/windows_comp.yml
+++ b/.github/workflows/windows_comp.yml
@@ -1,4 +1,4 @@
-# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/Configurations/shared-info.pl b/Configurations/shared-info.pl
index 0bded76d89bdf..caf6f901261f7 100644
--- a/Configurations/shared-info.pl
+++ b/Configurations/shared-info.pl
@@ -1,6 +1,6 @@
 #! /usr/bin/env perl
 # -*- mode: perl; -*-
-# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/Configure b/Configure
index cb11a55b7a1fb..d7f5ef8ce3316 100755
--- a/Configure
+++ b/Configure
@@ -1,6 +1,6 @@
 #! /usr/bin/env perl
 # -*- mode: perl; -*-
-# Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/apps/asn1parse.c b/apps/asn1parse.c
index 6c436d2f766f4..097b0cc1eddfb 100644
--- a/apps/asn1parse.c
+++ b/apps/asn1parse.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/apps/ca.c b/apps/ca.c
index e51352aacbc94..e12a8c2370cd4 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/apps/cmp.c b/apps/cmp.c
index b86b8ae5c14bd..eb14f1f404800 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright Nokia 2007-2019
  * Copyright Siemens AG 2015-2019
  *
diff --git a/apps/cms.c b/apps/cms.c
index b22848299ea66..9c4e4ee5e0553 100644
--- a/apps/cms.c
+++ b/apps/cms.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2008-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/apps/dgst.c b/apps/dgst.c
index 9d00c06472142..c983da80f9884 100644
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/apps/dsa.c b/apps/dsa.c
index d6030c44f647c..9ba8c252dafe6 100644
--- a/apps/dsa.c
+++ b/apps/dsa.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/apps/dsaparam.c b/apps/dsaparam.c
index ca98fe58c4546..4eb157042e562 100644
--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/apps/ec.c b/apps/ec.c
index 30d651a89eb62..677876ccc90e3 100644
--- a/apps/ec.c
+++ b/apps/ec.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/apps/enc.c b/apps/enc.c
index a3b17da08d652..26e009e43791c 100644
--- a/apps/enc.c
+++ b/apps/enc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/apps/fipsinstall.c b/apps/fipsinstall.c
index 0f6cf5f3ac05f..6d86bb44e2b06 100644
--- a/apps/fipsinstall.c
+++ b/apps/fipsinstall.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/apps/genpkey.c b/apps/genpkey.c
index 52d1b44edbb95..5a59dae6811d6 100644
--- a/apps/genpkey.c
+++ b/apps/genpkey.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/apps/include/apps.h b/apps/include/apps.h
index 62b4d19ae3e7f..a1b2cbbdc3d6e 100644
--- a/apps/include/apps.h
+++ b/apps/include/apps.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/apps/include/cmp_mock_srv.h b/apps/include/cmp_mock_srv.h
index 6308ab93dac31..fcc1ef7bb4f0b 100644
--- a/apps/include/cmp_mock_srv.h
+++ b/apps/include/cmp_mock_srv.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright Siemens AG 2018-2020
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/apps/include/opt.h b/apps/include/opt.h
index 26d40eb436777..82b383c2691ca 100644
--- a/apps/include/opt.h
+++ b/apps/include/opt.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/apps/include/s_apps.h b/apps/include/s_apps.h
index bc8f4bf27bd79..33c3b6278c823 100644
--- a/apps/include/s_apps.h
+++ b/apps/include/s_apps.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/apps/lib/app_rand.c b/apps/lib/app_rand.c
index 9691e71d7c722..9ca6056563823 100644
--- a/apps/lib/app_rand.c
+++ b/apps/lib/app_rand.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index e29a01a4d129b..79617c0db7aba 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/apps/lib/cmp_mock_srv.c b/apps/lib/cmp_mock_srv.c
index f0ef2317db8a4..a0450446c1ca6 100644
--- a/apps/lib/cmp_mock_srv.c
+++ b/apps/lib/cmp_mock_srv.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright Siemens AG 2018-2020
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/apps/lib/http_server.c b/apps/lib/http_server.c
index 93f06626fba8c..f406bb062876b 100644
--- a/apps/lib/http_server.c
+++ b/apps/lib/http_server.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/apps/lib/log.c b/apps/lib/log.c
index b2e356261f166..a5e2f5507afdf 100644
--- a/apps/lib/log.c
+++ b/apps/lib/log.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/apps/lib/opt.c b/apps/lib/opt.c
index 509a4aae34626..2d61ac9a7865e 100644
--- a/apps/lib/opt.c
+++ b/apps/lib/opt.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/apps/lib/s_socket.c b/apps/lib/s_socket.c
index 5ae689a4db9de..014c1c0bc0ece 100644
--- a/apps/lib/s_socket.c
+++ b/apps/lib/s_socket.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/apps/lib/tlssrp_depr.c b/apps/lib/tlssrp_depr.c
index 9a0d2ddb7db7e..f03b013428f7e 100644
--- a/apps/lib/tlssrp_depr.c
+++ b/apps/lib/tlssrp_depr.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright 2005 Nokia. All rights reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/apps/list.c b/apps/list.c
index 56b0917d11b26..7cbef78719644 100644
--- a/apps/list.c
+++ b/apps/list.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/apps/ocsp.c b/apps/ocsp.c
index 83142c07d8033..17313520cf858 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/apps/openssl.c b/apps/openssl.c
index 87f004d320721..0122117ce262e 100644
--- a/apps/openssl.c
+++ b/apps/openssl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index 857a2a10c09a0..8e8c771819a34 100644
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/apps/pkey.c b/apps/pkey.c
index f280846fa952f..3e4c09b362552 100644
--- a/apps/pkey.c
+++ b/apps/pkey.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c
index efd98684cb46b..b5390c64c2a81 100644
--- a/apps/pkeyutl.c
+++ b/apps/pkeyutl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/apps/rehash.c b/apps/rehash.c
index 5b979288b0e94..dbd1389acdf4f 100644
--- a/apps/rehash.c
+++ b/apps/rehash.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2013-2014 Timo Teräs
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/apps/req.c b/apps/req.c
index 7ef51d4f0b755..e65bdad9b6fe9 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/apps/rsa.c b/apps/rsa.c
index 09ab81d5aeb13..9a4d16cbb01c8 100644
--- a/apps/rsa.c
+++ b/apps/rsa.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/apps/rsautl.c b/apps/rsautl.c
index ad5df2e36ae20..3ee8224f48d87 100644
--- a/apps/rsautl.c
+++ b/apps/rsautl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/apps/smime.c b/apps/smime.c
index 59e96dcaec4b3..88b0475d2d4fd 100644
--- a/apps/smime.c
+++ b/apps/smime.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/apps/speed.c b/apps/speed.c
index 114854f4d066a..367e2e08c7b85 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/apps/spkac.c b/apps/spkac.c
index f8fa24e99a54f..5a129a7fa775a 100644
--- a/apps/spkac.c
+++ b/apps/spkac.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/apps/ts.c b/apps/ts.c
index a4218c9bf2fef..65e941d263bd6 100644
--- a/apps/ts.c
+++ b/apps/ts.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/apps/x509.c b/apps/x509.c
index bd19cbd551cae..578af2364fc12 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/LPdir_unix.c b/crypto/LPdir_unix.c
index aa266c5979298..b6dda7bce2eca 100644
--- a/crypto/LPdir_unix.c
+++ b/crypto/LPdir_unix.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2004-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/aes/asm/aes-riscv32-zkn.pl b/crypto/aes/asm/aes-riscv32-zkn.pl
index 67ec63230e5dc..6fac45184620f 100644
--- a/crypto/aes/asm/aes-riscv32-zkn.pl
+++ b/crypto/aes/asm/aes-riscv32-zkn.pl
@@ -2,7 +2,7 @@
 # This file is dual-licensed, meaning that you can use it under your
 # choice of either of the following two licenses:
 #
-# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You can obtain
 # a copy in the file LICENSE in the source distribution or at
diff --git a/crypto/aes/asm/aes-riscv64-zkn.pl b/crypto/aes/asm/aes-riscv64-zkn.pl
index a0689ae645eb1..0e8a1540c4382 100644
--- a/crypto/aes/asm/aes-riscv64-zkn.pl
+++ b/crypto/aes/asm/aes-riscv64-zkn.pl
@@ -2,7 +2,7 @@
 # This file is dual-licensed, meaning that you can use it under your
 # choice of either of the following two licenses:
 #
-# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You can obtain
 # a copy in the file LICENSE in the source distribution or at
diff --git a/crypto/aes/asm/aesv8-armx.pl b/crypto/aes/asm/aesv8-armx.pl
index a2adbe2951edc..dd2c7038e4712 100755
--- a/crypto/aes/asm/aesv8-armx.pl
+++ b/crypto/aes/asm/aesv8-armx.pl
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2014-2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2014-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/aes/asm/bsaes-armv7.pl b/crypto/aes/asm/bsaes-armv7.pl
index ff0b62287b83c..6cbd00e2c6721 100644
--- a/crypto/aes/asm/bsaes-armv7.pl
+++ b/crypto/aes/asm/bsaes-armv7.pl
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2012-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2012-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/aes/asm/bsaes-armv8.pl b/crypto/aes/asm/bsaes-armv8.pl
index 16a6850d7adba..b3c97e439fb0f 100644
--- a/crypto/aes/asm/bsaes-armv8.pl
+++ b/crypto/aes/asm/bsaes-armv8.pl
@@ -1,5 +1,5 @@ #!/usr/bin/env perl -# Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -32,7 +32,7 @@ sub data } __END__ -// Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +// Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. // // Licensed under the OpenSSL license (the "License"). You may not use // this file except in compliance with the License. You can obtain a copy diff --git a/crypto/aes/asm/vpaes-loongarch64.pl b/crypto/aes/asm/vpaes-loongarch64.pl index 2f6abba1b7436..c85ec40db2de5 100644 --- a/crypto/aes/asm/vpaes-loongarch64.pl +++ b/crypto/aes/asm/vpaes-loongarch64.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/crypto/arm_arch.h b/crypto/arm_arch.h index ffa619bf49c29..43aa6b97c5eed 100644 --- a/crypto/arm_arch.h +++ b/crypto/arm_arch.h @@ -1,5 +1,5 @@ /* - * Copyright 2011-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2011-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/armv4cpuid.pl b/crypto/armv4cpuid.pl index 78dc90c5202fc..04b342551c260 100644 --- a/crypto/armv4cpuid.pl +++ b/crypto/armv4cpuid.pl 
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/asn1/a_bitstr.c b/crypto/asn1/a_bitstr.c
index bd5fcaaa34fb4..d394070632241 100644
--- a/crypto/asn1/a_bitstr.c
+++ b/crypto/asn1/a_bitstr.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/asn1/a_strnid.c b/crypto/asn1/a_strnid.c
index 59bbd1a039ece..99ac2aed11a83 100644
--- a/crypto/asn1/a_strnid.c
+++ b/crypto/asn1/a_strnid.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/asn1/a_time.c b/crypto/asn1/a_time.c
index 3bce55c01ad3f..f1702f262ef8a 100644
--- a/crypto/asn1/a_time.c
+++ b/crypto/asn1/a_time.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c
index 8aae75ac134c7..94d29e7c2736c 100644
--- a/crypto/asn1/a_verify.c
+++ b/crypto/asn1/a_verify.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/asn1/asn1_gen.c b/crypto/asn1/asn1_gen.c
index 1ed9d2afcffbf..2b27624d8ae85 100644
--- a/crypto/asn1/asn1_gen.c
+++ b/crypto/asn1/asn1_gen.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/asn1/asn1_parse.c b/crypto/asn1/asn1_parse.c
index b565a16647514..6a4618d253d54 100644
--- a/crypto/asn1/asn1_parse.c
+++ b/crypto/asn1/asn1_parse.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/asn1/asn_mime.c b/crypto/asn1/asn_mime.c
index b228b29ed7d14..3a7386f163975 100644
--- a/crypto/asn1/asn_mime.c
+++ b/crypto/asn1/asn_mime.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/asn1/asn_pack.c b/crypto/asn1/asn_pack.c
index d22925510dd3b..54f4ae3a67b2e 100644
--- a/crypto/asn1/asn_pack.c
+++ b/crypto/asn1/asn_pack.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/asn1/bio_ndef.c b/crypto/asn1/bio_ndef.c
index 96625afa28735..279609e603549 100644
--- a/crypto/asn1/bio_ndef.c
+++ b/crypto/asn1/bio_ndef.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/asn1/d2i_pr.c b/crypto/asn1/d2i_pr.c
index c49f22b3e0908..44e685c4965e6 100644
--- a/crypto/asn1/d2i_pr.c
+++ b/crypto/asn1/d2i_pr.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/asn1/i2d_evp.c b/crypto/asn1/i2d_evp.c
index e75a8b0152394..106ea152733c5 100644
--- a/crypto/asn1/i2d_evp.c
+++ b/crypto/asn1/i2d_evp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/asn1/p5_pbe.c b/crypto/asn1/p5_pbe.c
index c595973fe5166..a90c200d42a5e 100644
--- a/crypto/asn1/p5_pbe.c
+++ b/crypto/asn1/p5_pbe.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/asn1/p5_pbev2.c b/crypto/asn1/p5_pbev2.c
index c188a08a6eb23..8575d05bf6d5a 100644
--- a/crypto/asn1/p5_pbev2.c
+++ b/crypto/asn1/p5_pbev2.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/asn1/p5_scrypt.c b/crypto/asn1/p5_scrypt.c
index d6ec2445fa1b6..4f3dcecd41ab8 100644
--- a/crypto/asn1/p5_scrypt.c
+++ b/crypto/asn1/p5_scrypt.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/asn1/standard_methods.h b/crypto/asn1/standard_methods.h
index 0e2cdbd50e92f..6b73d9a771ff3 100644
--- a/crypto/asn1/standard_methods.h
+++ b/crypto/asn1/standard_methods.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/asn1/tasn_utl.c b/crypto/asn1/tasn_utl.c
index 7bd57dc03038d..67a9ccde62db4 100644
--- a/crypto/asn1/tasn_utl.c
+++ b/crypto/asn1/tasn_utl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/bio/bf_buff.c b/crypto/bio/bf_buff.c
index bad465c07290f..737910cc7514b 100644
--- a/crypto/bio/bf_buff.c
+++ b/crypto/bio/bf_buff.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/bio/bf_lbuf.c b/crypto/bio/bf_lbuf.c
index 170e375e7f8d9..eed3dc4633e05 100644
--- a/crypto/bio/bf_lbuf.c
+++ b/crypto/bio/bf_lbuf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/bio/bio_lib.c b/crypto/bio/bio_lib.c
index c0dfc6cc44c1a..dc7f1b7b9eb89 100644
--- a/crypto/bio/bio_lib.c
+++ b/crypto/bio/bio_lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/bio/bio_local.h b/crypto/bio/bio_local.h
index e3dd38612d3ed..05954f85bb2f4 100644
--- a/crypto/bio/bio_local.h
+++ b/crypto/bio/bio_local.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2005-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/bio/bio_meth.c b/crypto/bio/bio_meth.c
index ca03b5c423a04..30b1db5aa8d46 100644
--- a/crypto/bio/bio_meth.c
+++ b/crypto/bio/bio_meth.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/bio/bio_print.c b/crypto/bio/bio_print.c
index 1d8fa1c44df4f..e5397c8b7a071 100644
--- a/crypto/bio/bio_print.c
+++ b/crypto/bio/bio_print.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/bio/bss_acpt.c b/crypto/bio/bss_acpt.c
index 9514727cdf671..4ccdca18ec5c2 100644
--- a/crypto/bio/bss_acpt.c
+++ b/crypto/bio/bss_acpt.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/bio/bss_conn.c b/crypto/bio/bss_conn.c
index f09160b3c0c98..fb3c4d2ba3019 100644
--- a/crypto/bio/bss_conn.c
+++ b/crypto/bio/bss_conn.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/bio/bss_dgram.c b/crypto/bio/bss_dgram.c
index cc947943e5e25..b0c08b362a70a 100644
--- a/crypto/bio/bss_dgram.c
+++ b/crypto/bio/bss_dgram.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2005-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/bio/bss_dgram_pair.c b/crypto/bio/bss_dgram_pair.c
index 3d7987833692b..534a2216aa42a 100644
--- a/crypto/bio/bss_dgram_pair.c
+++ b/crypto/bio/bss_dgram_pair.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/bio/bss_log.c b/crypto/bio/bss_log.c
index a90aebe0b4866..c22e603b04fc5 100644
--- a/crypto/bio/bss_log.c
+++ b/crypto/bio/bss_log.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/bio/bss_mem.c b/crypto/bio/bss_mem.c
index 9153c1f1cd816..6deacba42db71 100644
--- a/crypto/bio/bss_mem.c
+++ b/crypto/bio/bss_mem.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/bio/ossl_core_bio.c b/crypto/bio/ossl_core_bio.c
index 3e6a90abeb980..8d21115b652de 100644
--- a/crypto/bio/ossl_core_bio.c
+++ b/crypto/bio/ossl_core_bio.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/bn/asm/armv4-gf2m.pl b/crypto/bn/asm/armv4-gf2m.pl
index b0b87ef611c13..17af0e07741a4 100644
--- a/crypto/bn/asm/armv4-gf2m.pl
+++ b/crypto/bn/asm/armv4-gf2m.pl
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2011-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/bn/asm/armv4-mont.pl b/crypto/bn/asm/armv4-mont.pl
index ab69c2186bc96..d85da92406799 100644
--- a/crypto/bn/asm/armv4-mont.pl
+++ b/crypto/bn/asm/armv4-mont.pl
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/bn/asm/rsaz-2k-avx512.pl b/crypto/bn/asm/rsaz-2k-avx512.pl
index 1f7e21ec38d0d..7ee02778df555 100644
--- a/crypto/bn/asm/rsaz-2k-avx512.pl
+++ b/crypto/bn/asm/rsaz-2k-avx512.pl
@@ -1,4 +1,4 @@
-# Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 # Copyright (c) 2020, Intel Corporation. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/crypto/bn/asm/rsaz-3k-avx512.pl b/crypto/bn/asm/rsaz-3k-avx512.pl
index c2ec9073aea11..8ed5496479b22 100644
--- a/crypto/bn/asm/rsaz-3k-avx512.pl
+++ b/crypto/bn/asm/rsaz-3k-avx512.pl
@@ -1,4 +1,4 @@
-# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 # Copyright (c) 2021, Intel Corporation. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/crypto/bn/asm/rsaz-4k-avx512.pl b/crypto/bn/asm/rsaz-4k-avx512.pl
index aa1143b43beeb..8c59b77f7787c 100644
--- a/crypto/bn/asm/rsaz-4k-avx512.pl
+++ b/crypto/bn/asm/rsaz-4k-avx512.pl
@@ -1,4 +1,4 @@
-# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 # Copyright (c) 2021, Intel Corporation. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/crypto/bn/bn_asm.c b/crypto/bn/bn_asm.c
index 5d9c58bd867a1..c39907a7dfd36 100644
--- a/crypto/bn/bn_asm.c
+++ b/crypto/bn/bn_asm.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/bn/bn_blind.c b/crypto/bn/bn_blind.c
index a293634485430..6c6de1a30f545 100644
--- a/crypto/bn/bn_blind.c
+++ b/crypto/bn/bn_blind.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1998-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c
index 0d68bd0f3fecc..cb6d19229fe6f 100644
--- a/crypto/bn/bn_exp.c
+++ b/crypto/bn/bn_exp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c
index 1b8d47a28166d..9070647b35ea2 100644
--- a/crypto/bn/bn_lib.c
+++ b/crypto/bn/bn_lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/bn/bn_local.h b/crypto/bn/bn_local.h
index 0f2de0dd3bec5..b5be37ba973e3 100644
--- a/crypto/bn/bn_local.h
+++ b/crypto/bn/bn_local.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/bn/bn_mont.c b/crypto/bn/bn_mont.c
index 35565426af950..8b4c7900ad47f 100644
--- a/crypto/bn/bn_mont.c
+++ b/crypto/bn/bn_mont.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/bn/bn_nist.c b/crypto/bn/bn_nist.c
index 71efc596c27f1..c1dbed05984fc 100644
--- a/crypto/bn/bn_nist.c
+++ b/crypto/bn/bn_nist.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c
index 3b213d46c5c62..a94dfcecdf207 100644
--- a/crypto/bn/bn_rand.c
+++ b/crypto/bn/bn_rand.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/bn/bn_recp.c b/crypto/bn/bn_recp.c
index aa548d62eaef5..83fd175c437f5 100644
--- a/crypto/bn/bn_recp.c
+++ b/crypto/bn/bn_recp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/bn/bn_rsa_fips186_4.c b/crypto/bn/bn_rsa_fips186_4.c
index 1af30190059be..c967ca962978a 100644
--- a/crypto/bn/bn_rsa_fips186_4.c
+++ b/crypto/bn/bn_rsa_fips186_4.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2018-2019, Oracle and/or its affiliates. All rights reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/crypto/bn/bn_s390x.c b/crypto/bn/bn_s390x.c
index da69b02d902db..5449143f4f040 100644
--- a/crypto/bn/bn_s390x.c
+++ b/crypto/bn/bn_s390x.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2023-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/bn/rsaz_exp.c b/crypto/bn/rsaz_exp.c
index 844140720ccb1..80b583f35ae85 100644
--- a/crypto/bn/rsaz_exp.c
+++ b/crypto/bn/rsaz_exp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2013-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2013-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2012, Intel Corporation. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/crypto/bn/rsaz_exp_x2.c b/crypto/bn/rsaz_exp_x2.c
index 6ef49ae129686..70705486a154f 100644
--- a/crypto/bn/rsaz_exp_x2.c
+++ b/crypto/bn/rsaz_exp_x2.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2020-2021, Intel Corporation. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/crypto/cast/cast_local.h b/crypto/cast/cast_local.h
index 4105f9fb62a33..e99fe0882ae73 100644
--- a/crypto/cast/cast_local.h
+++ b/crypto/cast/cast_local.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/chacha/asm/chacha-armv4.pl b/crypto/chacha/asm/chacha-armv4.pl
index 3fdecf2d2832c..ac32d5bda76f1 100755
--- a/crypto/chacha/asm/chacha-armv4.pl
+++ b/crypto/chacha/asm/chacha-armv4.pl
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/chacha/asm/chacha-armv8-sve.pl b/crypto/chacha/asm/chacha-armv8-sve.pl
index 6afc629368581..0e19bffc4de27 100755
--- a/crypto/chacha/asm/chacha-armv8-sve.pl
+++ b/crypto/chacha/asm/chacha-armv8-sve.pl
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/chacha/chacha_ppc.c b/crypto/chacha/chacha_ppc.c
index 29eb9833d00e4..91ed85eaf02b1 100644
--- a/crypto/chacha/chacha_ppc.c
+++ b/crypto/chacha/chacha_ppc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2009-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2009-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/cmac/cmac.c b/crypto/cmac/cmac.c
index f8823f4aa9c58..50c8511ba7dd5 100644
--- a/crypto/cmac/cmac.c
+++ b/crypto/cmac/cmac.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2010-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2010-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/cmp/cmp_asn.c b/crypto/cmp/cmp_asn.c
index 4cf203f8e4ef3..0133dc5f80b61 100644
--- a/crypto/cmp/cmp_asn.c
+++ b/crypto/cmp/cmp_asn.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright Nokia 2007-2019
 * Copyright Siemens AG 2015-2019
 *
diff --git a/crypto/cmp/cmp_client.c b/crypto/cmp/cmp_client.c
index 0c39b13f91d5d..b5b0557b0d046 100644
--- a/crypto/cmp/cmp_client.c
+++ b/crypto/cmp/cmp_client.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright Nokia 2007-2019
 * Copyright Siemens AG 2015-2019
 *
diff --git a/crypto/cmp/cmp_ctx.c b/crypto/cmp/cmp_ctx.c
index ce8e94662e757..b95c540133ca7 100644
--- a/crypto/cmp/cmp_ctx.c
+++ b/crypto/cmp/cmp_ctx.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright Nokia 2007-2019
 * Copyright Siemens AG 2015-2019
 *
diff --git a/crypto/cmp/cmp_genm.c b/crypto/cmp/cmp_genm.c
index 97a7293db3d99..dad6ef1189713 100644
--- a/crypto/cmp/cmp_genm.c
+++ b/crypto/cmp/cmp_genm.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright Siemens AG 2022
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/crypto/cmp/cmp_http.c b/crypto/cmp/cmp_http.c
index 6e77c9c708a1c..ef77d251efc93 100644
--- a/crypto/cmp/cmp_http.c
+++ b/crypto/cmp/cmp_http.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright Nokia 2007-2019
 * Copyright Siemens AG 2015-2019
 *
diff --git a/crypto/cmp/cmp_local.h b/crypto/cmp/cmp_local.h
index d1035c2da965a..3fb479ca39c39 100644
--- a/crypto/cmp/cmp_local.h
+++ b/crypto/cmp/cmp_local.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright Nokia 2007-2019
 * Copyright Siemens AG 2015-2019
 *
diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c
index 242ba866d5e75..e00afc809e2b8 100644
--- a/crypto/cmp/cmp_msg.c
+++ b/crypto/cmp/cmp_msg.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright Nokia 2007-2019
 * Copyright Siemens AG 2015-2019
 *
diff --git a/crypto/cmp/cmp_protect.c b/crypto/cmp/cmp_protect.c
index c48a47660ecf0..f59fee44ec26c 100644
--- a/crypto/cmp/cmp_protect.c
+++ b/crypto/cmp/cmp_protect.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright Nokia 2007-2019
 * Copyright Siemens AG 2015-2019
 *
diff --git a/crypto/cmp/cmp_server.c b/crypto/cmp/cmp_server.c
index ce85dbe2f4e54..06ef8fbb613ef 100644
--- a/crypto/cmp/cmp_server.c
+++ b/crypto/cmp/cmp_server.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright Nokia 2007-2019
 * Copyright Siemens AG 2015-2019
 *
diff --git a/crypto/cmp/cmp_status.c b/crypto/cmp/cmp_status.c
index ecb97854d975b..b9086d84f8462 100644
--- a/crypto/cmp/cmp_status.c
+++ b/crypto/cmp/cmp_status.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright Nokia 2007-2019
 * Copyright Siemens AG 2015-2019
 *
diff --git a/crypto/cmp/cmp_vfy.c b/crypto/cmp/cmp_vfy.c
index d6521d8700794..2d7b2388ced41 100644
--- a/crypto/cmp/cmp_vfy.c
+++ b/crypto/cmp/cmp_vfy.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright Nokia 2007-2020
 * Copyright Siemens AG 2015-2020
 *
diff --git a/crypto/cms/cms_dh.c b/crypto/cms/cms_dh.c
index c1b763e98ec03..c6e8c076da72d 100644
--- a/crypto/cms/cms_dh.c
+++ b/crypto/cms/cms_dh.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/cms/cms_ec.c b/crypto/cms/cms_ec.c
index 2e4f19552f507..a4427d7ee21b0 100644
--- a/crypto/cms/cms_ec.c
+++ b/crypto/cms/cms_ec.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c
index 6fc27565cddf7..b877e106199ae 100644
--- a/crypto/cms/cms_env.c
+++ b/crypto/cms/cms_env.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2008-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/cms/cms_lib.c b/crypto/cms/cms_lib.c
index fb1c8203e8f83..afc210c9d0c8a 100644
--- a/crypto/cms/cms_lib.c
+++ b/crypto/cms/cms_lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2008-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/cms/cms_local.h b/crypto/cms/cms_local.h
index 92d8723428a95..7069021267def 100644
--- a/crypto/cms/cms_local.h
+++ b/crypto/cms/cms_local.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2008-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/cms/cms_rsa.c b/crypto/cms/cms_rsa.c
index 4e0712f94c9b1..7f327dec93f33 100644
--- a/crypto/cms/cms_rsa.c
+++ b/crypto/cms/cms_rsa.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c
index 0d3e22c9e8ed1..40142ea2d3599 100644
--- a/crypto/cms/cms_sd.c
+++ b/crypto/cms/cms_sd.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2008-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c
index cf12c5b78580e..65f9674037761 100644
--- a/crypto/cms/cms_smime.c
+++ b/crypto/cms/cms_smime.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2008-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/comp/c_brotli.c b/crypto/comp/c_brotli.c
index df63a43b417d9..07e1e76471c5d 100644
--- a/crypto/comp/c_brotli.c
+++ b/crypto/comp/c_brotli.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1998-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/comp/c_zlib.c b/crypto/comp/c_zlib.c
index 52f2e26a73f7e..0fbab8f014fe5 100644
--- a/crypto/comp/c_zlib.c
+++ b/crypto/comp/c_zlib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1998-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/comp/c_zstd.c b/crypto/comp/c_zstd.c
index 7f6c5cc72c214..b4667649f3ce0 100644
--- a/crypto/comp/c_zstd.c
+++ b/crypto/comp/c_zstd.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1998-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/conf/conf_def.c b/crypto/conf/conf_def.c
index 2a2b3d211467d..0a6de477e32d9 100644
--- a/crypto/conf/conf_def.c
+++ b/crypto/conf/conf_def.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/conf/conf_mod.c b/crypto/conf/conf_mod.c
index 38a8d4412f11f..d6a5f3ff3556b 100644
--- a/crypto/conf/conf_mod.c
+++ b/crypto/conf/conf_mod.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/conf/conf_sap.c b/crypto/conf/conf_sap.c
index 2e1848866418e..3019bcf31af81 100644
--- a/crypto/conf/conf_sap.c
+++ b/crypto/conf/conf_sap.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/context.c b/crypto/context.c
index ba67b0c618e9c..33d52a964b136 100644
--- a/crypto/context.c
+++ b/crypto/context.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/core_namemap.c b/crypto/core_namemap.c
index 25e0eb90ebb71..1dcf390fc2e77 100644
--- a/crypto/core_namemap.c
+++ b/crypto/core_namemap.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/crmf/crmf_lib.c b/crypto/crmf/crmf_lib.c
index 6e9f3b7ca26f5..cb077e41d2c4c 100644
--- a/crypto/crmf/crmf_lib.c
+++ b/crypto/crmf/crmf_lib.c
@@ -1,5 +1,5 @@
 /*-
- * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright Nokia 2007-2018
 * Copyright Siemens AG 2015-2019
 *
diff --git a/crypto/cryptlib.c b/crypto/cryptlib.c
index 1b1830f31aa7a..6c1947943879d 100644
--- a/crypto/cryptlib.c
+++ b/crypto/cryptlib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1998-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1998-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/crypto/ctype.c b/crypto/ctype.c
index d46aeac6ec042..48b3025ba539d 100644
--- a/crypto/ctype.c
+++ b/crypto/ctype.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/des/des_local.h b/crypto/des/des_local.h
index 5abf62d6f7a8f..d43f2c87374d6 100644
--- a/crypto/des/des_local.h
+++ b/crypto/des/des_local.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/deterministic_nonce.c b/crypto/deterministic_nonce.c
index afa8543336e97..60af7f6ab6655 100644
--- a/crypto/deterministic_nonce.c
+++ b/crypto/deterministic_nonce.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/dh/dh_backend.c b/crypto/dh/dh_backend.c
index abc66a5b30911..1aaa88dacae11 100644
--- a/crypto/dh/dh_backend.c
+++ b/crypto/dh/dh_backend.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
index 58c1d1798b620..f4173e21371e0 100644
--- a/crypto/dh/dh_check.c
+++ b/crypto/dh/dh_check.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
index 328780b9a9f1f..bc26cee303e97 100644
--- a/crypto/dh/dh_key.c
+++ b/crypto/dh/dh_key.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/dh/dh_lib.c b/crypto/dh/dh_lib.c
index d67511f15c4e4..e2eb53961cb65 100644
--- a/crypto/dh/dh_lib.c
+++ b/crypto/dh/dh_lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/dsa/dsa_backend.c b/crypto/dsa/dsa_backend.c
index ceaf6e6877f36..8bd4b8ad7e0e2 100644
--- a/crypto/dsa/dsa_backend.c
+++ b/crypto/dsa/dsa_backend.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/dsa/dsa_key.c b/crypto/dsa/dsa_key.c
index 7fc762880bed2..1c2bab1714b3b 100644
--- a/crypto/dsa/dsa_key.c
+++ b/crypto/dsa/dsa_key.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/dsa/dsa_lib.c b/crypto/dsa/dsa_lib.c
index c2ae3bf1584a2..b18fda3378270 100644
--- a/crypto/dsa/dsa_lib.c
+++ b/crypto/dsa/dsa_lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
index 38e8fa145233b..29e2a8057250b 100644
--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/dsa/dsa_sign.c b/crypto/dsa/dsa_sign.c
index 487a7e251686f..b806e7e65511a 100644
--- a/crypto/dsa/dsa_sign.c
+++ b/crypto/dsa/dsa_sign.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/dso/dso_lib.c b/crypto/dso/dso_lib.c
index 7680c40547a01..8f3387e9b8020 100644
--- a/crypto/dso/dso_lib.c
+++ b/crypto/dso/dso_lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/dso/dso_local.h b/crypto/dso/dso_local.h
index 3100ba0844615..d7af0b064e504 100644
--- a/crypto/dso/dso_local.h
+++ b/crypto/dso/dso_local.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/ec/asm/ecp_nistp521-ppc64.pl b/crypto/ec/asm/ecp_nistp521-ppc64.pl
index f8393e465d15b..cf3bc79085f83 100755
--- a/crypto/ec/asm/ecp_nistp521-ppc64.pl
+++ b/crypto/ec/asm/ecp_nistp521-ppc64.pl
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/ec/curve25519.c b/crypto/ec/curve25519.c
index 4f033d74d0e5e..cae2ac101dbaf 100644
--- a/crypto/ec/curve25519.c
+++ b/crypto/ec/curve25519.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/ec/curve448/arch_32/f_impl32.c b/crypto/ec/curve448/arch_32/f_impl32.c
index 8a7a1fdbdeae5..140c73c64fc19 100644
--- a/crypto/ec/curve448/arch_32/f_impl32.c
+++ b/crypto/ec/curve448/arch_32/f_impl32.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright 2014 Cryptography Research, Inc.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/crypto/ec/curve448/arch_64/f_impl64.c b/crypto/ec/curve448/arch_64/f_impl64.c
index 419f8a8e65d04..c944005da5d77 100644
--- a/crypto/ec/curve448/arch_64/f_impl64.c
+++ b/crypto/ec/curve448/arch_64/f_impl64.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright 2014 Cryptography Research, Inc.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/crypto/ec/curve448/curve448.c b/crypto/ec/curve448/curve448.c
index 914a15d77e2f3..f9cc0b9732713 100644
--- a/crypto/ec/curve448/curve448.c
+++ b/crypto/ec/curve448/curve448.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright 2015-2016 Cryptography Research, Inc.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/crypto/ec/curve448/curve448_local.h b/crypto/ec/curve448/curve448_local.h
index f118d851ee282..5c569ea8b9d2b 100644
--- a/crypto/ec/curve448/curve448_local.h
+++ b/crypto/ec/curve448/curve448_local.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/ec/curve448/eddsa.c b/crypto/ec/curve448/eddsa.c
index cbef27d9bb0b2..ff7f11dd343ac 100644
--- a/crypto/ec/curve448/eddsa.c
+++ b/crypto/ec/curve448/eddsa.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright 2015-2016 Cryptography Research, Inc.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/crypto/ec/curve448/f_generic.c b/crypto/ec/curve448/f_generic.c
index 997862ec20055..9a4675a8b3db4 100644
--- a/crypto/ec/curve448/f_generic.c
+++ b/crypto/ec/curve448/f_generic.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright 2015-2016 Cryptography Research, Inc.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/crypto/ec/curve448/field.h b/crypto/ec/curve448/field.h
index 73a6c7374312d..80b1355b77aa4 100644
--- a/crypto/ec/curve448/field.h
+++ b/crypto/ec/curve448/field.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright 2014 Cryptography Research, Inc.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c
index 2bf3e601f17f2..9bc4e032c5571 100644
--- a/crypto/ec/ec_key.c
+++ b/crypto/ec/ec_key.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/crypto/ec/ec_kmeth.c b/crypto/ec/ec_kmeth.c
index 3471a82d7c8de..054a3333a78f1 100644
--- a/crypto/ec/ec_kmeth.c
+++ b/crypto/ec/ec_kmeth.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
index e0d6cf73426a7..c92b4dcb0ac45 100644
--- a/crypto/ec/ec_lib.c
+++ b/crypto/ec/ec_lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/crypto/ec/ec_local.h b/crypto/ec/ec_local.h
index 803786fdd2096..2814d8739438f 100644
--- a/crypto/ec/ec_local.h
+++ b/crypto/ec/ec_local.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c
index 2317fc0ab5620..9eb007cdf9082 100644
--- a/crypto/ec/ec_mult.c
+++ b/crypto/ec/ec_mult.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/crypto/ec/ecdsa_ossl.c b/crypto/ec/ecdsa_ossl.c
index 0d0506937ab37..0da33799e43c7 100644
--- a/crypto/ec/ecdsa_ossl.c
+++ b/crypto/ec/ecdsa_ossl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/ec/ecp_nistp224.c b/crypto/ec/ecp_nistp224.c
index 6c55724689510..debfdb3dc942e 100644
--- a/crypto/ec/ecp_nistp224.c
+++ b/crypto/ec/ecp_nistp224.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2010-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2010-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/ec/ecp_nistp256.c b/crypto/ec/ecp_nistp256.c
index b20107a5fa2fb..d28306a6bd15b 100644
--- a/crypto/ec/ecp_nistp256.c
+++ b/crypto/ec/ecp_nistp256.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2011-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2011-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/ec/ecp_nistp521.c b/crypto/ec/ecp_nistp521.c
index 32a9268ecf171..db5a9dd5def36 100644
--- a/crypto/ec/ecp_nistp521.c
+++ b/crypto/ec/ecp_nistp521.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2011-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2011-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/ec/ecp_nistz256.c b/crypto/ec/ecp_nistz256.c
index 8addb1e40c08b..5760639a2ee24 100644
--- a/crypto/ec/ecp_nistz256.c
+++ b/crypto/ec/ecp_nistz256.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2014-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2014-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2014, Intel Corporation. All Rights Reserved.
 * Copyright (c) 2015, CloudFlare, Inc.
 *
diff --git a/crypto/ec/ecx_backend.c b/crypto/ec/ecx_backend.c
index 0107a612a8b9f..943a6bb3702a2 100644
--- a/crypto/ec/ecx_backend.c
+++ b/crypto/ec/ecx_backend.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/ec/ecx_key.c b/crypto/ec/ecx_key.c
index 36276ce98e473..ba725eb573c28 100644
--- a/crypto/ec/ecx_key.c
+++ b/crypto/ec/ecx_key.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/ec/ecx_meth.c b/crypto/ec/ecx_meth.c
index 81e0beb485a80..6c445f9121b6f 100644
--- a/crypto/ec/ecx_meth.c
+++ b/crypto/ec/ecx_meth.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/encode_decode/decoder_lib.c b/crypto/encode_decode/decoder_lib.c
index 3718a696ae344..2e74816ee1d04 100644
--- a/crypto/encode_decode/decoder_lib.c
+++ b/crypto/encode_decode/decoder_lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/encode_decode/decoder_meth.c b/crypto/encode_decode/decoder_meth.c
index fca8be1bb1f68..2e70e8aa37949 100644
--- a/crypto/encode_decode/decoder_meth.c
+++ b/crypto/encode_decode/decoder_meth.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/encode_decode/decoder_pkey.c b/crypto/encode_decode/decoder_pkey.c
index c38c7e3dffa4b..24f61fbf1593a 100644
--- a/crypto/encode_decode/decoder_pkey.c
+++ b/crypto/encode_decode/decoder_pkey.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/encode_decode/encoder_local.h b/crypto/encode_decode/encoder_local.h
index 62da028becb79..91e601aeafffd 100644
--- a/crypto/encode_decode/encoder_local.h
+++ b/crypto/encode_decode/encoder_local.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/encode_decode/encoder_meth.c b/crypto/encode_decode/encoder_meth.c
index dbc8d9f997450..adf34bbb9f1b4 100644
--- a/crypto/encode_decode/encoder_meth.c
+++ b/crypto/encode_decode/encoder_meth.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/encode_decode/encoder_pkey.c b/crypto/encode_decode/encoder_pkey.c
index d482260102b38..29060c5f9de87 100644
--- a/crypto/encode_decode/encoder_pkey.c
+++ b/crypto/encode_decode/encoder_pkey.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/engine/eng_ctrl.c b/crypto/engine/eng_ctrl.c
index 2e085d6d8e949..f1da9b23bb58a 100644
--- a/crypto/engine/eng_ctrl.c
+++ b/crypto/engine/eng_ctrl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/engine/eng_init.c b/crypto/engine/eng_init.c
index ca1cd45e976fb..0ac91ff5ed798 100644
--- a/crypto/engine/eng_init.c
+++ b/crypto/engine/eng_init.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/engine/eng_lib.c b/crypto/engine/eng_lib.c
index 3bb89111ff8cb..8345f684c813f 100644
--- a/crypto/engine/eng_lib.c
+++ b/crypto/engine/eng_lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/engine/eng_list.c b/crypto/engine/eng_list.c
index 5a6238daf4c02..119e1c60459a8 100644
--- a/crypto/engine/eng_list.c
+++ b/crypto/engine/eng_list.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/crypto/engine/eng_local.h b/crypto/engine/eng_local.h
index 71d65cda6db1a..6f5d380d02a43 100644
--- a/crypto/engine/eng_local.h
+++ b/crypto/engine/eng_local.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/crypto/engine/eng_rdrand.c b/crypto/engine/eng_rdrand.c
index 6245d68206be6..b3ece7bd91237 100644
--- a/crypto/engine/eng_rdrand.c
+++ b/crypto/engine/eng_rdrand.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2011-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/engine/eng_table.c b/crypto/engine/eng_table.c
index d6a7452c76d0d..17225d0ad44cb 100644
--- a/crypto/engine/eng_table.c
+++ b/crypto/engine/eng_table.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/engine/tb_asnmth.c b/crypto/engine/tb_asnmth.c
index a436a1856d9e8..c74fc4700b4fb 100644
--- a/crypto/engine/tb_asnmth.c
+++ b/crypto/engine/tb_asnmth.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/err/err.c b/crypto/err/err.c
index 972856ad2356e..3fc296929c5f6 100644
--- a/crypto/err/err.c
+++ b/crypto/err/err.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/err/err_all.c b/crypto/err/err_all.c
index bbb7eda6d5bce..86b609a555f02 100644
--- a/crypto/err/err_all.c
+++ b/crypto/err/err_all.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/err/err_local.h b/crypto/err/err_local.h
index 202ac35ad484f..c5c5bf45ba5ce 100644
--- a/crypto/err/err_local.h
+++ b/crypto/err/err_local.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/err/err_mark.c b/crypto/err/err_mark.c
index 1395e944dd23d..82dc4764c498b 100644
--- a/crypto/err/err_mark.c
+++ b/crypto/err/err_mark.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2003-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2003-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/evp/asymcipher.c b/crypto/evp/asymcipher.c
index c431d78a403f3..d22ab2a01a16d 100644
--- a/crypto/evp/asymcipher.c
+++ b/crypto/evp/asymcipher.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/evp/bio_b64.c b/crypto/evp/bio_b64.c
index 4822d37ea4bec..8700315a6bfca 100644
--- a/crypto/evp/bio_b64.c
+++ b/crypto/evp/bio_b64.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/evp/bio_enc.c b/crypto/evp/bio_enc.c
index 4a2e5a8303fe9..ece3f6d57f070 100644
--- a/crypto/evp/bio_enc.c
+++ b/crypto/evp/bio_enc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/evp/bio_ok.c b/crypto/evp/bio_ok.c
index a72acfb39be96..2aa1ed75582e3 100644
--- a/crypto/evp/bio_ok.c
+++ b/crypto/evp/bio_ok.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/evp/cmeth_lib.c b/crypto/evp/cmeth_lib.c
index ab0d2465853ad..41a1bade2c445 100644
--- a/crypto/evp/cmeth_lib.c
+++ b/crypto/evp/cmeth_lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c
index 87773feb33031..54e589054c603 100644
--- a/crypto/evp/ctrl_params_translate.c
+++ b/crypto/evp/ctrl_params_translate.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
index 9a0d1b5b08b80..01f54792f6f37 100644
--- a/crypto/evp/digest.c
+++ b/crypto/evp/digest.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/evp/ec_ctrl.c b/crypto/evp/ec_ctrl.c
index ae4955287cc41..c1cf221a0db53 100644
--- a/crypto/evp/ec_ctrl.c
+++ b/crypto/evp/ec_ctrl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
index 8dddcc0bb51ef..84ce108b2540e 100644
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/evp/evp_fetch.c b/crypto/evp/evp_fetch.c
index 11281312993b2..c643ae8f9a028 100644
--- a/crypto/evp/evp_fetch.c
+++ b/crypto/evp/evp_fetch.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c
index bc263b643021c..f29d592e0fbcd 100644
--- a/crypto/evp/evp_lib.c
+++ b/crypto/evp/evp_lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/evp/evp_local.h b/crypto/evp/evp_local.h
index e3a1d7d53c913..9e4059d703797 100644
--- a/crypto/evp/evp_local.h
+++ b/crypto/evp/evp_local.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/evp/evp_pbe.c b/crypto/evp/evp_pbe.c
index 9901d66a777fc..9153ecfaab1ea 100644
--- a/crypto/evp/evp_pbe.c
+++ b/crypto/evp/evp_pbe.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/evp/evp_pkey.c b/crypto/evp/evp_pkey.c
index 97237e01abe58..a4505a9d036c5 100644
--- a/crypto/evp/evp_pkey.c
+++ b/crypto/evp/evp_pkey.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/evp/evp_rand.c b/crypto/evp/evp_rand.c
index 03458a090f362..ecfc876cda861 100644
--- a/crypto/evp/evp_rand.c
+++ b/crypto/evp/evp_rand.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/evp/exchange.c b/crypto/evp/exchange.c
index 195c32cfc9b98..d9eed1cea5be2 100644
--- a/crypto/evp/exchange.c
+++ b/crypto/evp/exchange.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/evp/kdf_meth.c b/crypto/evp/kdf_meth.c
index c043598d07fdc..5ee36b2b4213e 100644
--- a/crypto/evp/kdf_meth.c
+++ b/crypto/evp/kdf_meth.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/evp/kem.c b/crypto/evp/kem.c
index 5491cabd4eeef..f96012ccf01ed 100644
--- a/crypto/evp/kem.c
+++ b/crypto/evp/kem.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/evp/keymgmt_lib.c b/crypto/evp/keymgmt_lib.c
index 47c802bfb4af8..6408076b1f3be 100644
--- a/crypto/evp/keymgmt_lib.c
+++ b/crypto/evp/keymgmt_lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/evp/keymgmt_meth.c b/crypto/evp/keymgmt_meth.c
index 882c068a71b9b..1d7031f33c824 100644
--- a/crypto/evp/keymgmt_meth.c
+++ b/crypto/evp/keymgmt_meth.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
index e7888d2acd6e9..3a979f4bd4592 100644
--- a/crypto/evp/m_sigver.c
+++ b/crypto/evp/m_sigver.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/evp/mac_meth.c b/crypto/evp/mac_meth.c
index a146c4afba1d2..a3e7a0220850d 100644
--- a/crypto/evp/mac_meth.c
+++ b/crypto/evp/mac_meth.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/evp/p5_crpt2.c b/crypto/evp/p5_crpt2.c
index d9a81f23b831f..3561739023342 100644
--- a/crypto/evp/p5_crpt2.c
+++ b/crypto/evp/p5_crpt2.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c
index 0fce412c372d5..bd9e5a91003f8 100644
--- a/crypto/evp/p_lib.c
+++ b/crypto/evp/p_lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/evp/p_sign.c b/crypto/evp/p_sign.c
index ae0de57202a10..e5555281a6b09 100644
--- a/crypto/evp/p_sign.c
+++ b/crypto/evp/p_sign.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/evp/p_verify.c b/crypto/evp/p_verify.c
index 8478e643dd858..02db143d13241 100644
--- a/crypto/evp/p_verify.c
+++ b/crypto/evp/p_verify.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
index e5ca009b5c344..6bd9994072632 100644
--- a/crypto/evp/pmeth_lib.c
+++ b/crypto/evp/pmeth_lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/evp/signature.c b/crypto/evp/signature.c
index 0596a2b337c5e..379b344f0da68 100644
--- a/crypto/evp/signature.c
+++ b/crypto/evp/signature.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/ex_data.c b/crypto/ex_data.c
index 48321febe4c9e..c9ec9d33370d2 100644
--- a/crypto/ex_data.c
+++ b/crypto/ex_data.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/ffc/ffc_backend.c b/crypto/ffc/ffc_backend.c
index 954efb27bbc45..c12a88148fc81 100644
--- a/crypto/ffc/ffc_backend.c
+++ b/crypto/ffc/ffc_backend.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/ffc/ffc_key_validate.c b/crypto/ffc/ffc_key_validate.c
index 442303e4b334f..342789621d6df 100644
--- a/crypto/ffc/ffc_key_validate.c
+++ b/crypto/ffc/ffc_key_validate.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/ffc/ffc_params.c b/crypto/ffc/ffc_params.c
index 54068cbd9efbb..680f85ffaf804 100644
--- a/crypto/ffc/ffc_params.c
+++ b/crypto/ffc/ffc_params.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/ffc/ffc_params_generate.c b/crypto/ffc/ffc_params_generate.c
index a369370145413..8294fbec36b20 100644
--- a/crypto/ffc/ffc_params_generate.c
+++ b/crypto/ffc/ffc_params_generate.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/hpke/hpke.c b/crypto/hpke/hpke.c
index 8178ff249a19d..e2cbd17915626 100644
--- a/crypto/hpke/hpke.c
+++ b/crypto/hpke/hpke.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/hpke/hpke_util.c b/crypto/hpke/hpke_util.c
index 2f863cd6089de..0d1cc602f717f 100644
--- a/crypto/hpke/hpke_util.c
+++ b/crypto/hpke/hpke_util.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/http/http_client.c b/crypto/http/http_client.c
index fba81021ccb89..615d48a72444f 100644
--- a/crypto/http/http_client.c
+++ b/crypto/http/http_client.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright Siemens AG 2018-2020
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/crypto/http/http_lib.c b/crypto/http/http_lib.c
index 23327a3b9b558..3164d01d9e48f 100644
--- a/crypto/http/http_lib.c
+++ b/crypto/http/http_lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/info.c b/crypto/info.c
index b4c9afd36b5a4..9ef9ee4704705 100644
--- a/crypto/info.c
+++ b/crypto/info.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/init.c b/crypto/init.c
index eaff1f324cbc0..33c739c30e6c7 100644
--- a/crypto/init.c
+++ b/crypto/init.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/loongarch_arch.h b/crypto/loongarch_arch.h
index 9d895fe344d94..c7fd42df1e0a8 100644
--- a/crypto/loongarch_arch.h
+++ b/crypto/loongarch_arch.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/loongarchcap.c b/crypto/loongarchcap.c
index 89839099386be..2123fd9c08317 100644
--- a/crypto/loongarchcap.c
+++ b/crypto/loongarchcap.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/md5/asm/md5-aarch64.pl b/crypto/md5/asm/md5-aarch64.pl
index 41f81051bb604..3200a0fa9bff0 100755
--- a/crypto/md5/asm/md5-aarch64.pl
+++ b/crypto/md5/asm/md5-aarch64.pl
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/mem.c b/crypto/mem.c
index b9fca98a83c5c..62fee878429ac 100644
--- a/crypto/mem.c
+++ b/crypto/mem.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/mem_sec.c b/crypto/mem_sec.c
index 409aee5e0c2e9..557c697c9aaf6 100644
--- a/crypto/mem_sec.c
+++ b/crypto/mem_sec.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright 2004-2014, Akamai Technologies. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/crypto/modes/asm/aes-gcm-armv8-unroll8_64.pl b/crypto/modes/asm/aes-gcm-armv8-unroll8_64.pl
index f123be7db1232..d516359eb81b8 100644
--- a/crypto/modes/asm/aes-gcm-armv8-unroll8_64.pl
+++ b/crypto/modes/asm/aes-gcm-armv8-unroll8_64.pl
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/modes/asm/aes-gcm-armv8_64.pl b/crypto/modes/asm/aes-gcm-armv8_64.pl
index 0904440a44426..e7b1a17895d41 100755
--- a/crypto/modes/asm/aes-gcm-armv8_64.pl
+++ b/crypto/modes/asm/aes-gcm-armv8_64.pl
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/modes/asm/aes-gcm-avx512.pl b/crypto/modes/asm/aes-gcm-avx512.pl
index 3433f52f50059..afd2af941a853 100644
--- a/crypto/modes/asm/aes-gcm-avx512.pl
+++ b/crypto/modes/asm/aes-gcm-avx512.pl
@@ -1,4 +1,4 @@
-# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 # Copyright (c) 2021, Intel Corporation. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/crypto/modes/asm/ghash-riscv64.pl b/crypto/modes/asm/ghash-riscv64.pl
index 2ed4740b49646..ee97ff0dd3f38 100644
--- a/crypto/modes/asm/ghash-riscv64.pl
+++ b/crypto/modes/asm/ghash-riscv64.pl
@@ -2,7 +2,7 @@
 # This file is dual-licensed, meaning that you can use it under your
 # choice of either of the following two licenses:
 #
-# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You can obtain
 # a copy in the file LICENSE in the source distribution or at
diff --git a/crypto/modes/gcm128.c b/crypto/modes/gcm128.c
index 9639ef4666926..677eb21a0bd35 100644
--- a/crypto/modes/gcm128.c
+++ b/crypto/modes/gcm128.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2010-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2010-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c
index b55a3a5be8df6..2c1a288167e4e 100644
--- a/crypto/objects/obj_dat.c
+++ b/crypto/objects/obj_dat.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/ocsp/ocsp_ext.c b/crypto/ocsp/ocsp_ext.c
index 753b30ce47a79..9707ccb94f4c5 100644
--- a/crypto/ocsp/ocsp_ext.c
+++ b/crypto/ocsp/ocsp_ext.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/ocsp/ocsp_prn.c b/crypto/ocsp/ocsp_prn.c
index f79aca5bdad0a..6fe65b6c0de38 100644
--- a/crypto/ocsp/ocsp_prn.c
+++ b/crypto/ocsp/ocsp_prn.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/packet.c b/crypto/packet.c
index ac5c2e33f8238..6a43b35655fb4 100644
--- a/crypto/packet.c
+++ b/crypto/packet.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/param_build.c b/crypto/param_build.c
index def71f5718d07..2392e5909cf43 100644
--- a/crypto/param_build.c
+++ b/crypto/param_build.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/crypto/params.c b/crypto/params.c
index 258d1a5f0dd1e..f2582b0927a16 100644
--- a/crypto/params.c
+++ b/crypto/params.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
index f7a1bd830217e..f9256c8565d66 100644
--- a/crypto/pem/pem_lib.c
+++ b/crypto/pem/pem_lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/pem/pem_pkey.c b/crypto/pem/pem_pkey.c
index 284b144fd640f..4deee46ce5506 100644
--- a/crypto/pem/pem_pkey.c
+++ b/crypto/pem/pem_pkey.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/perlasm/arm-xlate.pl b/crypto/perlasm/arm-xlate.pl
index b9b56463b2a9c..3b0dcad4139f9 100755
--- a/crypto/perlasm/arm-xlate.pl
+++ b/crypto/perlasm/arm-xlate.pl
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/pkcs12/p12_add.c b/crypto/pkcs12/p12_add.c
index aaef5874f1584..64b17d74e8740 100644
--- a/crypto/pkcs12/p12_add.c
+++ b/crypto/pkcs12/p12_add.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/pkcs12/p12_asn.c b/crypto/pkcs12/p12_asn.c
index caae639f8835f..e4247b27fc3a2 100644
--- a/crypto/pkcs12/p12_asn.c
+++ b/crypto/pkcs12/p12_asn.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/pkcs12/p12_init.c b/crypto/pkcs12/p12_init.c
index 1d6c74b8c438b..537a1e3168cea 100644
--- a/crypto/pkcs12/p12_init.c
+++ b/crypto/pkcs12/p12_init.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/pkcs12/p12_kiss.c b/crypto/pkcs12/p12_kiss.c
index f172e8b96d392..0901dc94085f5 100644
--- a/crypto/pkcs12/p12_kiss.c
+++ b/crypto/pkcs12/p12_kiss.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/pkcs12/p12_local.h b/crypto/pkcs12/p12_local.h
index 97697922bd72d..7f02874a97623 100644
--- a/crypto/pkcs12/p12_local.h
+++ b/crypto/pkcs12/p12_local.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c
index d20b9db9ffbe5..4096aa1f8a729 100644
--- a/crypto/pkcs12/p12_mutl.c
+++ b/crypto/pkcs12/p12_mutl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/pkcs12/p12_npas.c b/crypto/pkcs12/p12_npas.c
index 90139100c6dbf..9ea82d09d803e 100644
--- a/crypto/pkcs12/p12_npas.c
+++ b/crypto/pkcs12/p12_npas.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/pkcs12/p12_sbag.c b/crypto/pkcs12/p12_sbag.c
index 73e55461eb18a..04ef0b74edef4 100644
--- a/crypto/pkcs12/p12_sbag.c
+++ b/crypto/pkcs12/p12_sbag.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/pkcs12/p12_utl.c b/crypto/pkcs12/p12_utl.c
index 59e0cda814c8b..a96623f19fbad 100644
--- a/crypto/pkcs12/p12_utl.c
+++ b/crypto/pkcs12/p12_utl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/pkcs12/pk12err.c b/crypto/pkcs12/pk12err.c
index 798b38a6c0fbc..e9bcaf4b6e5a4 100644
--- a/crypto/pkcs12/pk12err.c
+++ b/crypto/pkcs12/pk12err.c
@@ -1,6 +1,6 @@
 /*
 * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
index d3f65adb66d6a..43ea2a9b60f9b 100644
--- a/crypto/pkcs7/pk7_doit.c
+++ b/crypto/pkcs7/pk7_doit.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/pkcs7/pk7_lib.c b/crypto/pkcs7/pk7_lib.c
index aa600d1794634..7be2928542964 100644
--- a/crypto/pkcs7/pk7_lib.c
+++ b/crypto/pkcs7/pk7_lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c
index 5b7b8e26badbe..1f951d77fb41a 100644
--- a/crypto/pkcs7/pk7_smime.c
+++ b/crypto/pkcs7/pk7_smime.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/poly1305/asm/poly1305-armv4.pl b/crypto/poly1305/asm/poly1305-armv4.pl
index 7cc681838d1ab..b98beefa184ee 100755
--- a/crypto/poly1305/asm/poly1305-armv4.pl
+++ b/crypto/poly1305/asm/poly1305-armv4.pl
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/poly1305/asm/poly1305-x86_64.pl b/crypto/poly1305/asm/poly1305-x86_64.pl
index 24bab9d0bcf95..4cddca1c514c0 100755
--- a/crypto/poly1305/asm/poly1305-x86_64.pl
+++ b/crypto/poly1305/asm/poly1305-x86_64.pl
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/poly1305/poly1305_ieee754.c b/crypto/poly1305/poly1305_ieee754.c
index ac555d2a2206d..fa0ab1ed1d2fb 100644
--- a/crypto/poly1305/poly1305_ieee754.c
+++ b/crypto/poly1305/poly1305_ieee754.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/property/property.c b/crypto/property/property.c
index 0ea984a7fbe56..c551c825b19b3 100644
--- a/crypto/property/property.c
+++ b/crypto/property/property.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/crypto/provider.c b/crypto/provider.c
index 9cc51d3ae7aad..b55561abf8318 100644
--- a/crypto/provider.c
+++ b/crypto/provider.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/provider_child.c b/crypto/provider_child.c
index ed8ee3b3a1421..52e9cb405f28a 100644
--- a/crypto/provider_child.c
+++ b/crypto/provider_child.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/provider_conf.c b/crypto/provider_conf.c
index 11294b2996f9d..288ade6b4de25 100644
--- a/crypto/provider_conf.c
+++ b/crypto/provider_conf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/provider_core.c b/crypto/provider_core.c
index 2e2c597f37dde..7f5e48f26c68a 100644
--- a/crypto/provider_core.c
+++ b/crypto/provider_core.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/punycode.c b/crypto/punycode.c
index 332817763dc6e..68fc586e68157 100644
--- a/crypto/punycode.c
+++ b/crypto/punycode.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
index d3e156700a2c6..8dd1d071e8941 100644
--- a/crypto/rand/rand_lib.c
+++ b/crypto/rand/rand_lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/rc2/rc2_local.h b/crypto/rc2/rc2_local.h
index 2b8dccdc5d1db..f9ca888a638c5 100644
--- a/crypto/rc2/rc2_local.h
+++ b/crypto/rc2/rc2_local.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/rc4/asm/rc4-x86_64.pl b/crypto/rc4/asm/rc4-x86_64.pl
index 65752d19bf521..83a1d13635fdc 100755
--- a/crypto/rc4/asm/rc4-x86_64.pl
+++ b/crypto/rc4/asm/rc4-x86_64.pl
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2005-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2005-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/rc5/rc5_local.h b/crypto/rc5/rc5_local.h
index 74d072a3797df..4ba8745ca5bb9 100644
--- a/crypto/rc5/rc5_local.h
+++ b/crypto/rc5/rc5_local.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
index a0cb63f3b86ee..a84adb608eff5 100644
--- a/crypto/rsa/rsa_ameth.c
+++ b/crypto/rsa/rsa_ameth.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/rsa/rsa_chk.c b/crypto/rsa/rsa_chk.c
index 73ac607da9489..0df254676adfa 100644
--- a/crypto/rsa/rsa_chk.c
+++ b/crypto/rsa/rsa_chk.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c
index 4acaa515f7742..0cdbb3fde2501 100644
--- a/crypto/rsa/rsa_gen.c
+++ b/crypto/rsa/rsa_gen.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c
index 1601e92ddb006..f1be43351292b 100644
--- a/crypto/rsa/rsa_lib.c
+++ b/crypto/rsa/rsa_lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c
index 6e1350c51bfdb..14dfd457f9d2a 100644
--- a/crypto/rsa/rsa_ossl.c
+++ b/crypto/rsa/rsa_ossl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c
index c91457db60809..7655ef9a97dc0 100644
--- a/crypto/rsa/rsa_pk1.c
+++ b/crypto/rsa/rsa_pk1.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c
index 3279ea02edcb8..fc3391ead20b5 100644
--- a/crypto/rsa/rsa_pmeth.c
+++ b/crypto/rsa/rsa_pmeth.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c
index 75fdef1f8c210..089730bbaef35 100644
--- a/crypto/rsa/rsa_pss.c
+++ b/crypto/rsa/rsa_pss.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2005-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/rsa/rsa_sp800_56b_gen.c b/crypto/rsa/rsa_sp800_56b_gen.c
index 819feaa3ac6a2..04fbe5e86ef44 100644
--- a/crypto/rsa/rsa_sp800_56b_gen.c
+++ b/crypto/rsa/rsa_sp800_56b_gen.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2018-2019, Oracle and/or its affiliates. All rights reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/crypto/rsa/rsa_x931g.c b/crypto/rsa/rsa_x931g.c
index 86b4e72f5c3b2..290e95b468544 100644
--- a/crypto/rsa/rsa_x931g.c
+++ b/crypto/rsa/rsa_x931g.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/s390x_arch.h b/crypto/s390x_arch.h
index 3f7dac2e7424c..fdc682af06bc9 100644
--- a/crypto/s390x_arch.h
+++ b/crypto/s390x_arch.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/s390xcap.c b/crypto/s390xcap.c
index 6bb9abb809811..7721b5c801a93 100644
--- a/crypto/s390xcap.c
+++ b/crypto/s390xcap.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2010-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2010-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/sha/asm/keccak1600-avx2.pl b/crypto/sha/asm/keccak1600-avx2.pl
index 4fa3f787fa80b..864066533445a 100755
--- a/crypto/sha/asm/keccak1600-avx2.pl
+++ b/crypto/sha/asm/keccak1600-avx2.pl
@@ -1,5 +1,5 @@
 #!/usr/bin/env perl
-# Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/sha/asm/keccak1600-avx512.pl b/crypto/sha/asm/keccak1600-avx512.pl
index 8bcf3a0804157..efc32545c3562 100755
--- a/crypto/sha/asm/keccak1600-avx512.pl
+++ b/crypto/sha/asm/keccak1600-avx512.pl
@@ -1,5 +1,5 @@
 #!/usr/bin/env perl
-# Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/sha/asm/keccak1600-avx512vl.pl b/crypto/sha/asm/keccak1600-avx512vl.pl
index da93faa53941a..f941556b42a8b 100755
--- a/crypto/sha/asm/keccak1600-avx512vl.pl
+++ b/crypto/sha/asm/keccak1600-avx512vl.pl
@@ -1,5 +1,5 @@
 #!/usr/bin/env perl
-# Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/sha/asm/sha1-armv4-large.pl b/crypto/sha/asm/sha1-armv4-large.pl
index ec7195a070872..2832c5b5302e2 100644
--- a/crypto/sha/asm/sha1-armv4-large.pl
+++ b/crypto/sha/asm/sha1-armv4-large.pl
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/sha/asm/sha256-armv4.pl b/crypto/sha/asm/sha256-armv4.pl
index 0ac72bda63c7d..8bac84b1a855f 100644
--- a/crypto/sha/asm/sha256-armv4.pl
+++ b/crypto/sha/asm/sha256-armv4.pl
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/sha/asm/sha512-armv4.pl b/crypto/sha/asm/sha512-armv4.pl
index 5579cda6e9b7f..c8b81106719f0 100644
--- a/crypto/sha/asm/sha512-armv4.pl
+++ b/crypto/sha/asm/sha512-armv4.pl
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/sha/sha256.c b/crypto/sha/sha256.c
index 2e844f8587f50..4017137c27013 100644
--- a/crypto/sha/sha256.c
+++ b/crypto/sha/sha256.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/sleep.c b/crypto/sleep.c
index d57a9e3caa954..d9c5b35b215f7 100644
--- a/crypto/sleep.c
+++ b/crypto/sleep.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/sm2/sm2_sign.c b/crypto/sm2/sm2_sign.c
index 67d020ffaacd7..ca76128a248b7 100644
--- a/crypto/sm2/sm2_sign.c
+++ b/crypto/sm2/sm2_sign.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright 2017 Ribose Inc. All Rights Reserved.
 * Ported from Ribose contributions from Botan.
 *
diff --git a/crypto/sm3/asm/sm3-armv8.pl b/crypto/sm3/asm/sm3-armv8.pl
index 56b4efd3bc608..bdbb1af1d6f8f 100644
--- a/crypto/sm3/asm/sm3-armv8.pl
+++ b/crypto/sm3/asm/sm3-armv8.pl
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/sm4/asm/vpsm4-armv8.pl b/crypto/sm4/asm/vpsm4-armv8.pl
index 11da0d3976f9c..ee96046b957db 100755
--- a/crypto/sm4/asm/vpsm4-armv8.pl
+++ b/crypto/sm4/asm/vpsm4-armv8.pl
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/sm4/asm/vpsm4_ex-armv8.pl b/crypto/sm4/asm/vpsm4_ex-armv8.pl
index 60aebc2faf7f9..27dd25aa539ed 100644
--- a/crypto/sm4/asm/vpsm4_ex-armv8.pl
+++ b/crypto/sm4/asm/vpsm4_ex-armv8.pl
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/stack/stack.c b/crypto/stack/stack.c
index 1e7f300723009..72e3087e89b32 100644
--- a/crypto/stack/stack.c
+++ b/crypto/stack/stack.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/store/store_local.h b/crypto/store/store_local.h
index 6526a7260a02a..223758ab2b718 100644
--- a/crypto/store/store_local.h
+++ b/crypto/store/store_local.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/store/store_meth.c b/crypto/store/store_meth.c
index e9f5a0eb8ab04..7fc79e2989087 100644
--- a/crypto/store/store_meth.c
+++ b/crypto/store/store_meth.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/store/store_result.c b/crypto/store/store_result.c
index 6fe2b71bc1743..27323ad2b0fa9 100644
--- a/crypto/store/store_result.c
+++ b/crypto/store/store_result.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/thread/arch.c b/crypto/thread/arch.c
index f6a83540b37aa..7c139a6a60cf8 100644
--- a/crypto/thread/arch.c
+++ b/crypto/thread/arch.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/thread/arch/thread_none.c b/crypto/thread/arch/thread_none.c
index 675944bc5296f..10a804f1b78ee 100644
--- a/crypto/thread/arch/thread_none.c
+++ b/crypto/thread/arch/thread_none.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/thread/arch/thread_posix.c b/crypto/thread/arch/thread_posix.c
index f88323820f486..7650ddc85abee 100644
--- a/crypto/thread/arch/thread_posix.c
+++ b/crypto/thread/arch/thread_posix.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/thread/arch/thread_win.c b/crypto/thread/arch/thread_win.c
index b877211143375..fc0c2147701e7 100644
--- a/crypto/thread/arch/thread_win.c
+++ b/crypto/thread/arch/thread_win.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/thread/internal.c b/crypto/thread/internal.c
index 688848738bd19..61486c8d4d586 100644
--- a/crypto/thread/internal.c
+++ b/crypto/thread/internal.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/threads_none.c b/crypto/threads_none.c
index a2f4b1fde0e1c..580e5345d20db 100644
--- a/crypto/threads_none.c
+++ b/crypto/threads_none.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/threads_pthread.c b/crypto/threads_pthread.c
index 0581d09486596..59ddcdbff8328 100644
--- a/crypto/threads_pthread.c
+++ b/crypto/threads_pthread.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/threads_win.c b/crypto/threads_win.c
index 8018e87b2565e..4cdc62339dea6 100644
--- a/crypto/threads_win.c
+++ b/crypto/threads_win.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/time.c b/crypto/time.c
index 4e7d3eebac7f8..b0593a238bd1a 100644
--- a/crypto/time.c
+++ b/crypto/time.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/trace.c b/crypto/trace.c
index 8e5836de3227a..76f1fc98aa1b0 100644
--- a/crypto/trace.c
+++ b/crypto/trace.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/ts/ts_conf.c b/crypto/ts/ts_conf.c
index 3fde53cf9fb7c..158e1c424258d 100644
--- a/crypto/ts/ts_conf.c
+++ b/crypto/ts/ts_conf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/txt_db/txt_db.c b/crypto/txt_db/txt_db.c
index 437b1b9c10903..25fe9bf64bf7b 100644
--- a/crypto/txt_db/txt_db.c
+++ b/crypto/txt_db/txt_db.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/ui/ui_lib.c b/crypto/ui/ui_lib.c
index 859557a0a4e4e..a8756af1cdeab 100644
--- a/crypto/ui/ui_lib.c
+++ b/crypto/ui/ui_lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/ui/ui_util.c b/crypto/ui/ui_util.c
index e26c1b5d25d50..59b00b225adfa 100644
--- a/crypto/ui/ui_util.c
+++ b/crypto/ui/ui_util.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/uid.c b/crypto/uid.c
index e26c27c6749b2..45b63a431e082 100644
--- a/crypto/uid.c
+++ b/crypto/uid.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/whrlpool/wp_dgst.c b/crypto/whrlpool/wp_dgst.c
index 2a4e392e08731..3f970deb9c7be 100644
--- a/crypto/whrlpool/wp_dgst.c
+++ b/crypto/whrlpool/wp_dgst.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2005-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/x509/by_dir.c b/crypto/x509/by_dir.c
index bb683a7795f86..1d401d0420884 100644
--- a/crypto/x509/by_dir.c
+++ b/crypto/x509/by_dir.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/x509/by_store.c b/crypto/x509/by_store.c
index 6a80ab7ed0b74..ee92f4b16fd81 100644
--- a/crypto/x509/by_store.c
+++ b/crypto/x509/by_store.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/x509/pcy_cache.c b/crypto/x509/pcy_cache.c
index b5bb49d43708d..2d1d4cd367c03 100644
--- a/crypto/x509/pcy_cache.c
+++ b/crypto/x509/pcy_cache.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/x509/pcy_local.h b/crypto/x509/pcy_local.h
index cba107ca03580..523f3e35feeba 100644
--- a/crypto/x509/pcy_local.h
+++ b/crypto/x509/pcy_local.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/x509/pcy_node.c b/crypto/x509/pcy_node.c
index 32e3d226bb1d7..c6e7af5ab1985 100644
--- a/crypto/x509/pcy_node.c
+++ b/crypto/x509/pcy_node.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/x509/pcy_tree.c b/crypto/x509/pcy_tree.c
index dc525b0051cad..d7307b12dabb4 100644
--- a/crypto/x509/pcy_tree.c
+++ b/crypto/x509/pcy_tree.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/x509/v3_addr.c b/crypto/x509/v3_addr.c
index 221acd09b05c3..f4c8de2d160b9 100644
--- a/crypto/x509/v3_addr.c
+++ b/crypto/x509/v3_addr.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/x509/v3_admis.c b/crypto/x509/v3_admis.c
index 7aa8a4a420050..3316e93bf2294 100644
--- a/crypto/x509/v3_admis.c
+++ b/crypto/x509/v3_admis.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/x509/v3_genn.c b/crypto/x509/v3_genn.c
index 1741c2d2f6293..1f67bf2f63ab8 100644
--- a/crypto/x509/v3_genn.c
+++ b/crypto/x509/v3_genn.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/x509/v3_ist.c b/crypto/x509/v3_ist.c
index c30725dc48683..978a0f3ed8670 100644
--- a/crypto/x509/v3_ist.c
+++ b/crypto/x509/v3_ist.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/x509/v3_lib.c b/crypto/x509/v3_lib.c
index 3f933ee8b9291..077b22c863ec6 100644
--- a/crypto/x509/v3_lib.c
+++ b/crypto/x509/v3_lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/x509/v3_ncons.c b/crypto/x509/v3_ncons.c
index ba8141b8c1b4c..a6817b9e177f3 100644
--- a/crypto/x509/v3_ncons.c
+++ b/crypto/x509/v3_ncons.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2003-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2003-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/x509/v3_purp.c b/crypto/x509/v3_purp.c
index 800cbbcd51a18..e917c455dec7c 100644
--- a/crypto/x509/v3_purp.c
+++ b/crypto/x509/v3_purp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/x509/x509_att.c b/crypto/x509/x509_att.c
index 325a0dc1dd538..3878bb3ef598f 100644
--- a/crypto/x509/x509_att.c
+++ b/crypto/x509/x509_att.c
@@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c index 046a10bbbbf2b..7094280d485e8 100644 --- a/crypto/x509/x509_cmp.c +++ b/crypto/x509/x509_cmp.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/x509/x509_def.c b/crypto/x509/x509_def.c index b8bdcb4841950..2851fbcd9f93b 100644 --- a/crypto/x509/x509_def.c +++ b/crypto/x509/x509_def.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/x509/x509_err.c b/crypto/x509/x509_err.c index 3e10443582d75..226e45a737b85 100644 --- a/crypto/x509/x509_err.c +++ b/crypto/x509/x509_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c index c639b54a543c8..0ca7cb960d4fd 100644 --- a/crypto/x509/x509_lu.c +++ b/crypto/x509/x509_lu.c 
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/x509/x509_set.c b/crypto/x509/x509_set.c
index d4a68918290fe..0881be7292b06 100644
--- a/crypto/x509/x509_set.c
+++ b/crypto/x509/x509_set.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/x509/x509_trust.c b/crypto/x509/x509_trust.c
index d85b775f5ef37..3143de0d74d07 100644
--- a/crypto/x509/x509_trust.c
+++ b/crypto/x509/x509_trust.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c
index e635bea6b69ae..023a38a1c9fc8 100644
--- a/crypto/x509/x509_vpm.c
+++ b/crypto/x509/x509_vpm.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/x509/x509cset.c b/crypto/x509/x509cset.c
index 3eec7d6412d99..205fe3d6e5a4d 100644
--- a/crypto/x509/x509cset.c
+++ b/crypto/x509/x509cset.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c
index 09a1034a530ba..3e4c852b70a10 100644
--- a/crypto/x509/x_all.c
+++ b/crypto/x509/x_all.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/x509/x_pubkey.c b/crypto/x509/x_pubkey.c
index ed10e0fbc2b42..004c7bdfebacc 100644
--- a/crypto/x509/x_pubkey.c
+++ b/crypto/x509/x_pubkey.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/demos/bio/client-arg.c b/demos/bio/client-arg.c
index c96e6eb08c09f..c4abdf5cd351e 100644
--- a/demos/bio/client-arg.c
+++ b/demos/bio/client-arg.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2013-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2013-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/demos/bio/client-conf.c b/demos/bio/client-conf.c
index b8bb6819b9cf5..766f1b5299a5f 100644
--- a/demos/bio/client-conf.c
+++ b/demos/bio/client-conf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2013-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2013-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/demos/cipher/aesccm.c b/demos/cipher/aesccm.c
index b70209be86cab..3c4b9e7445339 100644
--- a/demos/cipher/aesccm.c
+++ b/demos/cipher/aesccm.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2013-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2013-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/demos/cipher/aesgcm.c b/demos/cipher/aesgcm.c
index 0e4cf7122d7d1..64fa8184f1372 100644
--- a/demos/cipher/aesgcm.c
+++ b/demos/cipher/aesgcm.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2012-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/demos/cipher/aeskeywrap.c b/demos/cipher/aeskeywrap.c
index 3909fd473ca04..3207b85663d19 100644
--- a/demos/cipher/aeskeywrap.c
+++ b/demos/cipher/aeskeywrap.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/demos/cipher/ariacbc.c b/demos/cipher/ariacbc.c
index 8542e4673eac0..f9898e12c7985 100644
--- a/demos/cipher/ariacbc.c
+++ b/demos/cipher/ariacbc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2012-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/demos/cms/cms_comp.c b/demos/cms/cms_comp.c
index 3ccbfddddaedc..30c5fc7fcf536 100644
--- a/demos/cms/cms_comp.c
+++ b/demos/cms/cms_comp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/demos/cms/cms_ddec.c b/demos/cms/cms_ddec.c
index 285eba91df002..f65a77e129dc2 100644
--- a/demos/cms/cms_ddec.c
+++ b/demos/cms/cms_ddec.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/demos/cms/cms_dec.c b/demos/cms/cms_dec.c
index 436f0088d2055..ebc34a5f94cbb 100644
--- a/demos/cms/cms_dec.c
+++ b/demos/cms/cms_dec.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/demos/cms/cms_denc.c b/demos/cms/cms_denc.c
index 4fbd72aae548f..53b680f67484d 100644
--- a/demos/cms/cms_denc.c
+++ b/demos/cms/cms_denc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/demos/cms/cms_enc.c b/demos/cms/cms_enc.c
index 3af321521cb3d..a0af2c47742a5 100644
--- a/demos/cms/cms_enc.c
+++ b/demos/cms/cms_enc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/demos/cms/cms_sign.c b/demos/cms/cms_sign.c
index 8abc561941a48..35fc889f8001f 100644
--- a/demos/cms/cms_sign.c
+++ b/demos/cms/cms_sign.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/demos/cms/cms_sign2.c b/demos/cms/cms_sign2.c
index 72c7862593fc3..b10043f92137f 100644
--- a/demos/cms/cms_sign2.c
+++ b/demos/cms/cms_sign2.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/demos/cms/cms_uncomp.c b/demos/cms/cms_uncomp.c
index 02106197b40a7..13f1e756da1ea 100644
--- a/demos/cms/cms_uncomp.c
+++ b/demos/cms/cms_uncomp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/demos/cms/cms_ver.c b/demos/cms/cms_ver.c
index 0b6c469bf4332..f7d3a9bc85431 100644
--- a/demos/cms/cms_ver.c
+++ b/demos/cms/cms_ver.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/demos/digest/BIO_f_md.c b/demos/digest/BIO_f_md.c
index 1317e82237a55..14697c3a8a9a6 100644
--- a/demos/digest/BIO_f_md.c
+++ b/demos/digest/BIO_f_md.c
@@ -1,5 +1,5 @@
 /*-
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/demos/digest/EVP_MD_demo.c b/demos/digest/EVP_MD_demo.c
index 51a87559d22e6..e525eaa7b090a 100644
--- a/demos/digest/EVP_MD_demo.c
+++ b/demos/digest/EVP_MD_demo.c
@@ -1,5 +1,5 @@
 /*-
- * Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/demos/digest/EVP_MD_stdin.c b/demos/digest/EVP_MD_stdin.c
index 6990b721c5f98..534c723d57554 100644
--- a/demos/digest/EVP_MD_stdin.c
+++ b/demos/digest/EVP_MD_stdin.c
@@ -1,5 +1,5 @@
 /*-
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/demos/digest/EVP_MD_xof.c b/demos/digest/EVP_MD_xof.c
index c2bd1a9fc50d8..a70e4dc412a4d 100644
--- a/demos/digest/EVP_MD_xof.c
+++ b/demos/digest/EVP_MD_xof.c
@@ -1,5 +1,5 @@
 /*-
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/demos/encode/ec_encode.c b/demos/encode/ec_encode.c
index a5fe2213dfb31..4f15ce41e542b 100644
--- a/demos/encode/ec_encode.c
+++ b/demos/encode/ec_encode.c
@@ -1,5 +1,5 @@
 /*-
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/demos/encode/rsa_encode.c b/demos/encode/rsa_encode.c
index fd06b970db0ce..8905ebe91f55f 100644
--- a/demos/encode/rsa_encode.c
+++ b/demos/encode/rsa_encode.c
@@ -1,5 +1,5 @@
 /*-
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/demos/kdf/hkdf.c b/demos/kdf/hkdf.c
index 52f505cfa3bd2..8d7c436575fd6 100644
--- a/demos/kdf/hkdf.c
+++ b/demos/kdf/hkdf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/demos/kdf/pbkdf2.c b/demos/kdf/pbkdf2.c
index fc87e6bbe090e..ae9a9d726c125 100644
--- a/demos/kdf/pbkdf2.c
+++ b/demos/kdf/pbkdf2.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/demos/kdf/scrypt.c b/demos/kdf/scrypt.c
index e4565ae7242bd..5c07ebffbdddb 100644
--- a/demos/kdf/scrypt.c
+++ b/demos/kdf/scrypt.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/demos/keyexch/x25519.c b/demos/keyexch/x25519.c
index b4f1a43189534..f0fb160a2fa43 100644
--- a/demos/keyexch/x25519.c
+++ b/demos/keyexch/x25519.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/demos/mac/cmac-aes256.c b/demos/mac/cmac-aes256.c
index 0431508b98335..64069cf3a8296 100644
--- a/demos/mac/cmac-aes256.c
+++ b/demos/mac/cmac-aes256.c
@@ -1,5 +1,5 @@
 /*-
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/demos/mac/gmac.c b/demos/mac/gmac.c
index 86bd4720856d0..d4e350a2da65a 100644
--- a/demos/mac/gmac.c
+++ b/demos/mac/gmac.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/demos/mac/hmac-sha512.c b/demos/mac/hmac-sha512.c
index 4bdac63e55337..47b5246a19abc 100644
--- a/demos/mac/hmac-sha512.c
+++ b/demos/mac/hmac-sha512.c
@@ -1,5 +1,5 @@
 /*-
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/demos/mac/poly1305.c b/demos/mac/poly1305.c
index bd2a6da0a2590..15c9c0097d97f 100644
--- a/demos/mac/poly1305.c
+++ b/demos/mac/poly1305.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/demos/mac/siphash.c b/demos/mac/siphash.c
index 5487e35c8e855..2fdbfb07be5db 100644
--- a/demos/mac/siphash.c
+++ b/demos/mac/siphash.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/demos/pkcs12/pkwrite.c b/demos/pkcs12/pkwrite.c
index 214ab5cbac20c..7bb73f35a41ea 100644
--- a/demos/pkcs12/pkwrite.c
+++ b/demos/pkcs12/pkwrite.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/demos/pkey/EVP_PKEY_DSA_keygen.c b/demos/pkey/EVP_PKEY_DSA_keygen.c
index c0c13bf2f5b89..579f5f790ac76 100644
--- a/demos/pkey/EVP_PKEY_DSA_keygen.c
+++ b/demos/pkey/EVP_PKEY_DSA_keygen.c
@@ -1,5 +1,5 @@
 /*-
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/demos/pkey/EVP_PKEY_DSA_paramfromdata.c b/demos/pkey/EVP_PKEY_DSA_paramfromdata.c
index f1c6c560c27bb..ec7d69d54389d 100644
--- a/demos/pkey/EVP_PKEY_DSA_paramfromdata.c
+++ b/demos/pkey/EVP_PKEY_DSA_paramfromdata.c
@@ -1,5 +1,5 @@
 /*-
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/demos/pkey/EVP_PKEY_DSA_paramgen.c b/demos/pkey/EVP_PKEY_DSA_paramgen.c
index e2754f10ce3ac..ad879f0d7f8cc 100644
--- a/demos/pkey/EVP_PKEY_DSA_paramgen.c
+++ b/demos/pkey/EVP_PKEY_DSA_paramgen.c
@@ -1,5 +1,5 @@
 /*-
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/demos/pkey/EVP_PKEY_DSA_paramvalidate.c b/demos/pkey/EVP_PKEY_DSA_paramvalidate.c
index 7a0c1ba71bd60..4754789f9c9df 100644
--- a/demos/pkey/EVP_PKEY_DSA_paramvalidate.c
+++ b/demos/pkey/EVP_PKEY_DSA_paramvalidate.c
@@ -1,5 +1,5 @@
 /*-
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/demos/pkey/EVP_PKEY_EC_keygen.c b/demos/pkey/EVP_PKEY_EC_keygen.c
index 785799daa48ff..76c6217975e03 100644
--- a/demos/pkey/EVP_PKEY_EC_keygen.c
+++ b/demos/pkey/EVP_PKEY_EC_keygen.c
@@ -1,5 +1,5 @@
 /*-
- * Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/demos/pkey/EVP_PKEY_RSA_keygen.c b/demos/pkey/EVP_PKEY_RSA_keygen.c
index ebb971b6b038f..353c08152c048 100644
--- a/demos/pkey/EVP_PKEY_RSA_keygen.c
+++ b/demos/pkey/EVP_PKEY_RSA_keygen.c
@@ -1,5 +1,5 @@
 /*-
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/demos/signature/EVP_DSA_Signature_demo.c b/demos/signature/EVP_DSA_Signature_demo.c
index 8c23db647be4d..de1efd2b490c7 100644
--- a/demos/signature/EVP_DSA_Signature_demo.c
+++ b/demos/signature/EVP_DSA_Signature_demo.c
@@ -1,5 +1,5 @@
 /*-
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/demos/signature/EVP_EC_Signature_demo.c b/demos/signature/EVP_EC_Signature_demo.c
index 8779fced47c05..9e4f8e45daddb 100644
--- a/demos/signature/EVP_EC_Signature_demo.c
+++ b/demos/signature/EVP_EC_Signature_demo.c
@@ -1,5 +1,5 @@
 /*-
- * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/demos/signature/rsa_pss_direct.c b/demos/signature/rsa_pss_direct.c
index 6e996cdadd2e4..41d8c2211df36 100644
--- a/demos/signature/rsa_pss_direct.c
+++ b/demos/signature/rsa_pss_direct.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/demos/signature/rsa_pss_hash.c b/demos/signature/rsa_pss_hash.c
index 71f50cab802c9..a84df8ab626d8 100644
--- a/demos/signature/rsa_pss_hash.c
+++ b/demos/signature/rsa_pss_hash.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/demos/smime/smdec.c b/demos/smime/smdec.c
index bd8ac88d93c12..7cf66f1dcd813 100644
--- a/demos/smime/smdec.c
+++ b/demos/smime/smdec.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2007-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/demos/smime/smenc.c b/demos/smime/smenc.c
index 87c43b6e73d95..3e3f34d1cf354 100644
--- a/demos/smime/smenc.c
+++ b/demos/smime/smenc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2007-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/demos/smime/smsign.c b/demos/smime/smsign.c
index 6e627ec944f2e..4ce671d05ceeb 100644
--- a/demos/smime/smsign.c
+++ b/demos/smime/smsign.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2007-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/demos/smime/smsign2.c b/demos/smime/smsign2.c
index 88a61b7f22f2a..4e62c6b82cc8c 100644
--- a/demos/smime/smsign2.c
+++ b/demos/smime/smsign2.c
@@ -1,5 +1,5 @@ /* - * Copyright 2007-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/demos/smime/smver.c b/demos/smime/smver.c index 9f77b7f552c9d..2e55c72584e26 100644 --- a/demos/smime/smver.c +++ b/demos/smime/smver.c @@ -1,5 +1,5 @@ /* - * Copyright 2007-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/demos/sslecho/main.c b/demos/sslecho/main.c index 3f508b6756201..bdc824f2c785e 100644 --- a/demos/sslecho/main.c +++ b/demos/sslecho/main.c @@ -1,5 +1,5 @@ /* - * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/doc/internal/man3/OSSL_EVENT.pod b/doc/internal/man3/OSSL_EVENT.pod index 089890de9d7c7..fb3e937ea85a0 100644 --- a/doc/internal/man3/OSSL_EVENT.pod +++ b/doc/internal/man3/OSSL_EVENT.pod @@ -191,7 +191,7 @@ This functionality was added to OpenSSL 3.2. =head1 COPYRIGHT -Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file diff --git a/doc/internal/man3/evp_generic_fetch.pod b/doc/internal/man3/evp_generic_fetch.pod index b4f625285a98d..8057a7170eca8 100644 --- a/doc/internal/man3/evp_generic_fetch.pod 
+++ b/doc/internal/man3/evp_generic_fetch.pod @@ -270,7 +270,7 @@ The functions described here were all added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod b/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod index 0a32da25a9899..1008d2113149e 100644 --- a/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod +++ b/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod @@ -95,7 +95,7 @@ L, L =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/internal/man3/ossl_cmp_certreq_new.pod b/doc/internal/man3/ossl_cmp_certreq_new.pod index 159a00c1ecafe..37a234066d368 100644 --- a/doc/internal/man3/ossl_cmp_certreq_new.pod +++ b/doc/internal/man3/ossl_cmp_certreq_new.pod @@ -168,7 +168,7 @@ The OpenSSL CMP support was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/internal/man3/ossl_cmp_mock_srv_new.pod b/doc/internal/man3/ossl_cmp_mock_srv_new.pod index 1789fad2754c8..6f4f4fe86ba0c 100644 --- a/doc/internal/man3/ossl_cmp_mock_srv_new.pod +++ b/doc/internal/man3/ossl_cmp_mock_srv_new.pod 
@@ -102,7 +102,7 @@ The OpenSSL CMP support was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/internal/man3/ossl_cmp_msg_protect.pod b/doc/internal/man3/ossl_cmp_msg_protect.pod index 2956b48ad89c2..7e14274f584ab 100644 --- a/doc/internal/man3/ossl_cmp_msg_protect.pod +++ b/doc/internal/man3/ossl_cmp_msg_protect.pod @@ -59,7 +59,7 @@ The OpenSSL CMP support was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/internal/man3/ossl_cmp_pkisi_get_status.pod b/doc/internal/man3/ossl_cmp_pkisi_get_status.pod index 135be39ed674d..e44bfd3f01904 100644 --- a/doc/internal/man3/ossl_cmp_pkisi_get_status.pod +++ b/doc/internal/man3/ossl_cmp_pkisi_get_status.pod @@ -89,7 +89,7 @@ The OpenSSL CMP support was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/internal/man3/ossl_punycode_decode.pod b/doc/internal/man3/ossl_punycode_decode.pod index 7a20864bcd8c0..64fe670ac6ae2 100644 --- a/doc/internal/man3/ossl_punycode_decode.pod +++ b/doc/internal/man3/ossl_punycode_decode.pod 
@@ -40,7 +40,7 @@ The functions described here were all added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/internal/man7/build.info.pod b/doc/internal/man7/build.info.pod index 0f1f8be006034..6f67aca7a55ad 100644 --- a/doc/internal/man7/build.info.pod +++ b/doc/internal/man7/build.info.pod @@ -667,7 +667,7 @@ L =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file diff --git a/doc/man1/openssl-asn1parse.pod.in b/doc/man1/openssl-asn1parse.pod.in index 892fc47e7de7d..6fd5ed692d95e 100644 --- a/doc/man1/openssl-asn1parse.pod.in +++ b/doc/man1/openssl-asn1parse.pod.in @@ -210,7 +210,7 @@ L =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/openssl-ca.pod.in b/doc/man1/openssl-ca.pod.in index 3474e12c794e9..fe09f85c2c1ca 100644 --- a/doc/man1/openssl-ca.pod.in +++ b/doc/man1/openssl-ca.pod.in @@ -852,7 +852,7 @@ L =head1 COPYRIGHT -Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy 
diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in index 6aca2ae71e534..fec815e756bc0 100644 --- a/doc/man1/openssl-cmp.pod.in +++ b/doc/man1/openssl-cmp.pod.in @@ -1394,7 +1394,7 @@ The B<-engine option> was deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/openssl-dhparam.pod.in b/doc/man1/openssl-dhparam.pod.in index 7edcdf21ffdc6..f896109164129 100644 --- a/doc/man1/openssl-dhparam.pod.in +++ b/doc/man1/openssl-dhparam.pod.in @@ -137,7 +137,7 @@ The B<-C> option was removed in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/openssl-dsa.pod.in b/doc/man1/openssl-dsa.pod.in index cdcbbc206c59b..116cafd71e725 100644 --- a/doc/man1/openssl-dsa.pod.in +++ b/doc/man1/openssl-dsa.pod.in @@ -186,7 +186,7 @@ The B<-engine> option was deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/openssl-dsaparam.pod.in b/doc/man1/openssl-dsaparam.pod.in index 87fc97ff5f28e..62d443145757a 100644 --- a/doc/man1/openssl-dsaparam.pod.in +++ b/doc/man1/openssl-dsaparam.pod.in 
@@ -123,7 +123,7 @@ The B<-C> option was removed in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/openssl-ec.pod.in b/doc/man1/openssl-ec.pod.in index 083a3f6e4274a..51200076a89b5 100644 --- a/doc/man1/openssl-ec.pod.in +++ b/doc/man1/openssl-ec.pod.in @@ -199,7 +199,7 @@ with keys loaded from an engine in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2003-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2003-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/openssl-fipsinstall.pod.in b/doc/man1/openssl-fipsinstall.pod.in index eab19385f098d..b1768b7f91dbb 100644 --- a/doc/man1/openssl-fipsinstall.pod.in +++ b/doc/man1/openssl-fipsinstall.pod.in @@ -280,7 +280,7 @@ L =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/openssl-gendsa.pod.in b/doc/man1/openssl-gendsa.pod.in index 41b5a6fbef8de..cfbb305eb3e30 100644 --- a/doc/man1/openssl-gendsa.pod.in +++ b/doc/man1/openssl-gendsa.pod.in 
@@ -103,7 +103,7 @@ The B<-engine> option was deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/openssl-genpkey.pod.in b/doc/man1/openssl-genpkey.pod.in index a1e0c51f4d6ec..e760d613fe071 100644 --- a/doc/man1/openssl-genpkey.pod.in +++ b/doc/man1/openssl-genpkey.pod.in @@ -502,7 +502,7 @@ The B<-engine> option was deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/openssl-genrsa.pod.in b/doc/man1/openssl-genrsa.pod.in index 95250bbe3ca91..c75d52ceae78f 100644 --- a/doc/man1/openssl-genrsa.pod.in +++ b/doc/man1/openssl-genrsa.pod.in @@ -123,7 +123,7 @@ L =head1 COPYRIGHT -Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/openssl-kdf.pod.in b/doc/man1/openssl-kdf.pod.in index 9c89e22c4e289..6eed74d70d4c8 100644 --- a/doc/man1/openssl-kdf.pod.in +++ b/doc/man1/openssl-kdf.pod.in @@ -220,7 +220,7 @@ Added in OpenSSL 3.0 =head1 COPYRIGHT -Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy 
diff --git a/doc/man1/openssl-mac.pod.in b/doc/man1/openssl-mac.pod.in index aa00ebcc8312a..a820085efa41b 100644 --- a/doc/man1/openssl-mac.pod.in +++ b/doc/man1/openssl-mac.pod.in @@ -164,7 +164,7 @@ L =head1 COPYRIGHT -Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/openssl-ocsp.pod.in b/doc/man1/openssl-ocsp.pod.in index d45abab1e054f..29fbd3d04fbdf 100644 --- a/doc/man1/openssl-ocsp.pod.in +++ b/doc/man1/openssl-ocsp.pod.in @@ -520,7 +520,7 @@ The -no_alt_chains option was added in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/openssl-pkcs8.pod.in b/doc/man1/openssl-pkcs8.pod.in index bf87c590c79b7..08c3272a70afc 100644 --- a/doc/man1/openssl-pkcs8.pod.in +++ b/doc/man1/openssl-pkcs8.pod.in @@ -285,7 +285,7 @@ The B<-engine> option was deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/openssl-pkey.pod.in b/doc/man1/openssl-pkey.pod.in index 042862b960205..884680a4f06e5 100644 --- a/doc/man1/openssl-pkey.pod.in +++ b/doc/man1/openssl-pkey.pod.in 
@@ -229,7 +229,7 @@ The B<-engine> option was deprecated in OpenSSL 3.0.
 =head1 COPYRIGHT
-Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man1/openssl-pkeyutl.pod.in b/doc/man1/openssl-pkeyutl.pod.in
index 880cd3548afcb..1dae76cc1288b 100644
--- a/doc/man1/openssl-pkeyutl.pod.in
+++ b/doc/man1/openssl-pkeyutl.pod.in
@@ -437,7 +437,7 @@ The B<-engine> option was deprecated in OpenSSL 3.0.
 =head1 COPYRIGHT
-Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in
index ad43dc2357792..b0b6fd25ebe70 100644
--- a/doc/man1/openssl-req.pod.in
+++ b/doc/man1/openssl-req.pod.in
@@ -794,7 +794,7 @@ and key identifier extensions are included by default.
 =head1 COPYRIGHT
-Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man1/openssl-rsa.pod.in b/doc/man1/openssl-rsa.pod.in
index 5d7af53d0b610..faa4872e19e6a 100644
--- a/doc/man1/openssl-rsa.pod.in
+++ b/doc/man1/openssl-rsa.pod.in
@@ -207,7 +207,7 @@ The B<-engine> option was deprecated in OpenSSL 3.0.
 =head1 COPYRIGHT
-Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man1/openssl-rsautl.pod.in b/doc/man1/openssl-rsautl.pod.in
index 4f890c689c0e4..41d0d309dd2e6 100644
--- a/doc/man1/openssl-rsautl.pod.in
+++ b/doc/man1/openssl-rsautl.pod.in
@@ -239,7 +239,7 @@ The B<-engine> option was deprecated in OpenSSL 3.0.
 =head1 COPYRIGHT
-Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man1/openssl-smime.pod.in b/doc/man1/openssl-smime.pod.in
index 1460221e13178..655bf18822b98 100644
--- a/doc/man1/openssl-smime.pod.in
+++ b/doc/man1/openssl-smime.pod.in
@@ -484,7 +484,7 @@ The B<-engine> option was deprecated in OpenSSL 3.0.
 =head1 COPYRIGHT
-Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man1/openssl-speed.pod.in b/doc/man1/openssl-speed.pod.in
index 38e95720a31df..9e16b2d8d1286 100644
--- a/doc/man1/openssl-speed.pod.in
+++ b/doc/man1/openssl-speed.pod.in
@@ -160,7 +160,7 @@ DSA512 was removed in OpenSSL 3.2.
 =head1 COPYRIGHT
-Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man1/openssl-storeutl.pod.in b/doc/man1/openssl-storeutl.pod.in
index 554e1a687b8b1..f5c461e303d96 100644
--- a/doc/man1/openssl-storeutl.pod.in
+++ b/doc/man1/openssl-storeutl.pod.in
@@ -136,7 +136,7 @@ The B<-engine> option was deprecated in OpenSSL 3.0.
 =head1 COPYRIGHT
-Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man1/openssl-verification-options.pod b/doc/man1/openssl-verification-options.pod
index 2a3fe8849a816..05bb560d8674a 100644
--- a/doc/man1/openssl-verification-options.pod
+++ b/doc/man1/openssl-verification-options.pod
@@ -686,7 +686,7 @@ The checks enabled by B<-x509_strict> have been extended in OpenSSL 3.0.
 =head1 COPYRIGHT
-Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man1/openssl-x509.pod.in b/doc/man1/openssl-x509.pod.in
index 9d1b0bd6bd403..2d7a1b859ac4a 100644
--- a/doc/man1/openssl-x509.pod.in
+++ b/doc/man1/openssl-x509.pod.in
@@ -796,7 +796,7 @@ and key identifier extensions are included by default.
 =head1 COPYRIGHT
-Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod
index 3d185bdc272cc..f4274d53b75b6 100644
--- a/doc/man1/openssl.pod
+++ b/doc/man1/openssl.pod
@@ -875,7 +875,7 @@ that program with no arguments is now equivalent to C.
 =head1 COPYRIGHT
-Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/ASN1_STRING_new.pod b/doc/man3/ASN1_STRING_new.pod
index 9fec854166d1e..642b6f47777b6 100644
--- a/doc/man3/ASN1_STRING_new.pod
+++ b/doc/man3/ASN1_STRING_new.pod
@@ -42,7 +42,7 @@ L
 =head1 COPYRIGHT
-Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/ASN1_item_d2i_bio.pod b/doc/man3/ASN1_item_d2i_bio.pod
index 0f391440cee8d..f8e4678367ef8 100644
--- a/doc/man3/ASN1_item_d2i_bio.pod
+++ b/doc/man3/ASN1_item_d2i_bio.pod
@@ -105,7 +105,7 @@ The function ASN1_item_unpack_ex() was added in OpenSSL 3.2.
 =head1 COPYRIGHT
-Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/ASYNC_WAIT_CTX_new.pod b/doc/man3/ASYNC_WAIT_CTX_new.pod
index a98635c2a1ed1..7621a8b3a166b 100644
--- a/doc/man3/ASYNC_WAIT_CTX_new.pod
+++ b/doc/man3/ASYNC_WAIT_CTX_new.pod
@@ -216,7 +216,7 @@ were added in OpenSSL 3.0.
 =head1 COPYRIGHT
-Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/BIO_f_ssl.pod b/doc/man3/BIO_f_ssl.pod
index 629aeb5e64517..a6eff2bb4926a 100644
--- a/doc/man3/BIO_f_ssl.pod
+++ b/doc/man3/BIO_f_ssl.pod
@@ -302,7 +302,7 @@ be modified to handle this fix or they may free up an already freed BIO.
 =head1 COPYRIGHT
-Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/BIO_get_rpoll_descriptor.pod b/doc/man3/BIO_get_rpoll_descriptor.pod
index ce33e23f26e48..e5712fb90fa51 100644
--- a/doc/man3/BIO_get_rpoll_descriptor.pod
+++ b/doc/man3/BIO_get_rpoll_descriptor.pod
@@ -102,7 +102,7 @@ added in OpenSSL 3.2.
 =head1 COPYRIGHT
-Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/BIO_read.pod b/doc/man3/BIO_read.pod
index 5acc5b8906bb7..f337aab353bb6 100644
--- a/doc/man3/BIO_read.pod
+++ b/doc/man3/BIO_read.pod
@@ -119,7 +119,7 @@ I parameter of the function can be NULL since OpenSSL 3.0.
 =head1 COPYRIGHT
-Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/BIO_s_connect.pod b/doc/man3/BIO_s_connect.pod
index 35d67787ffe05..bcefbd59f826b 100644
--- a/doc/man3/BIO_s_connect.pod
+++ b/doc/man3/BIO_s_connect.pod
@@ -227,7 +227,7 @@ Connect BIOs support BIO_gets() since OpenSSL 3.2.
 =head1 COPYRIGHT
-Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/BIO_s_datagram.pod b/doc/man3/BIO_s_datagram.pod
index 3045536200fe7..87d6fb34e7a29 100644
--- a/doc/man3/BIO_s_datagram.pod
+++ b/doc/man3/BIO_s_datagram.pod
@@ -260,7 +260,7 @@ L, L, L, L
 =head1 COPYRIGHT
-Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/BIO_s_mem.pod b/doc/man3/BIO_s_mem.pod
index 8d79b818f4ee2..b9bfedcdc65f6 100644
--- a/doc/man3/BIO_s_mem.pod
+++ b/doc/man3/BIO_s_mem.pod
@@ -199,7 +199,7 @@ and BUF_MEM structure:
 =head1 COPYRIGHT
-Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/BIO_sendmmsg.pod b/doc/man3/BIO_sendmmsg.pod
index 04075dd591940..5c13e566650fa 100644
--- a/doc/man3/BIO_sendmmsg.pod
+++ b/doc/man3/BIO_sendmmsg.pod
@@ -219,7 +219,7 @@ These functions were added in OpenSSL 3.2.
 =head1 COPYRIGHT
-Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/CMS_add0_cert.pod b/doc/man3/CMS_add0_cert.pod
index fa19532e2efa7..c876238fe4e53 100644
--- a/doc/man3/CMS_add0_cert.pod
+++ b/doc/man3/CMS_add0_cert.pod
@@ -74,7 +74,7 @@ not to throw an error if a certificate to be added is already present.
 =head1 COPYRIGHT
-Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/CMS_sign.pod b/doc/man3/CMS_sign.pod
index 325b6aac861f0..933f89a84bc44 100644
--- a/doc/man3/CMS_sign.pod
+++ b/doc/man3/CMS_sign.pod
@@ -135,7 +135,7 @@ certificates in their I argument and no longer throw an error for them.
 =head1 COPYRIGHT
-Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/CMS_verify.pod b/doc/man3/CMS_verify.pod
index b3434af9ffaba..bd46a1262cffc 100644
--- a/doc/man3/CMS_verify.pod
+++ b/doc/man3/CMS_verify.pod
@@ -160,7 +160,7 @@ CMS_SignedData_verify() was added in OpenSSL 3.2.
 =head1 COPYRIGHT
-Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/CRYPTO_THREAD_run_once.pod b/doc/man3/CRYPTO_THREAD_run_once.pod
index b6ca5f1fafad2..470b741c109a1 100644
--- a/doc/man3/CRYPTO_THREAD_run_once.pod
+++ b/doc/man3/CRYPTO_THREAD_run_once.pod
@@ -233,7 +233,7 @@ L, L.
 =head1 COPYRIGHT
-Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/DEFINE_STACK_OF.pod b/doc/man3/DEFINE_STACK_OF.pod
index 044228129baa7..06a0256bacf10 100644
--- a/doc/man3/DEFINE_STACK_OF.pod
+++ b/doc/man3/DEFINE_STACK_OF.pod
@@ -299,7 +299,7 @@ B_sort>() should be called before these find operations.
 =head1 COPYRIGHT
-Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/DTLSv1_listen.pod b/doc/man3/DTLSv1_listen.pod
index 73b72a66939c4..eda8aaf22a27e 100644
--- a/doc/man3/DTLSv1_listen.pod
+++ b/doc/man3/DTLSv1_listen.pod
@@ -146,7 +146,7 @@ The type of "peer" also changed in OpenSSL 1.1.0.
 =head1 COPYRIGHT
-Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EC_GROUP_copy.pod b/doc/man3/EC_GROUP_copy.pod
index 25c91d731bdfd..e525fad0bf6b3 100644
--- a/doc/man3/EC_GROUP_copy.pod
+++ b/doc/man3/EC_GROUP_copy.pod
@@ -252,7 +252,7 @@ EC_GROUP_get0_order(), EC_GROUP_order_bits() and EC_GROUP_get0_cofactor() were a
 =head1 COPYRIGHT
-Copyright 2013-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2013-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EC_GROUP_new.pod b/doc/man3/EC_GROUP_new.pod
index d7f8d001c263a..26c0088435f43 100644
--- a/doc/man3/EC_GROUP_new.pod
+++ b/doc/man3/EC_GROUP_new.pod
@@ -236,7 +236,7 @@ instead.
 =head1 COPYRIGHT
-Copyright 2013-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2013-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EC_KEY_new.pod b/doc/man3/EC_KEY_new.pod
index 3c152d0aadbab..d93586b1d01e8 100644
--- a/doc/man3/EC_KEY_new.pod
+++ b/doc/man3/EC_KEY_new.pod
@@ -235,7 +235,7 @@ For replacement see L.
 =head1 COPYRIGHT
-Copyright 2013-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2013-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EC_POINT_add.pod b/doc/man3/EC_POINT_add.pod
index 57f1dd87d083e..591308be3fc21 100644
--- a/doc/man3/EC_POINT_add.pod
+++ b/doc/man3/EC_POINT_add.pod
@@ -90,7 +90,7 @@ were deprecated in OpenSSL 3.0.
 =head1 COPYRIGHT
-Copyright 2013-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2013-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EC_POINT_new.pod b/doc/man3/EC_POINT_new.pod
index fc8643cd60845..3bbf8bb089ac0 100644
--- a/doc/man3/EC_POINT_new.pod
+++ b/doc/man3/EC_POINT_new.pod
@@ -269,7 +269,7 @@ added in OpenSSL 1.1.1.
 =head1 COPYRIGHT
-Copyright 2013-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2013-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/ERR_GET_LIB.pod b/doc/man3/ERR_GET_LIB.pod
index a35165b059f4f..1d7fa587f9df1 100644
--- a/doc/man3/ERR_GET_LIB.pod
+++ b/doc/man3/ERR_GET_LIB.pod
@@ -62,7 +62,7 @@ ERR_GET_FUNC() was removed in OpenSSL 3.0.
 =head1 COPYRIGHT
-Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/ERR_set_mark.pod b/doc/man3/ERR_set_mark.pod
index add9b232c09df..b2c0f7de0a18f 100644
--- a/doc/man3/ERR_set_mark.pod
+++ b/doc/man3/ERR_set_mark.pod
@@ -40,7 +40,7 @@ most recent mark, if any, or the total number of error stack entries.
 =head1 COPYRIGHT
-Copyright 2003-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2003-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_DigestInit.pod b/doc/man3/EVP_DigestInit.pod
index 167ebbbad53f3..9b5fda08ee9f4 100644
--- a/doc/man3/EVP_DigestInit.pod
+++ b/doc/man3/EVP_DigestInit.pod
@@ -797,7 +797,7 @@ EVP_MD_CTX_dup() was added in OpenSSL 3.2.
 =head1 COPYRIGHT
-Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_DigestSignInit.pod b/doc/man3/EVP_DigestSignInit.pod
index f38eefcbbf786..07e99db231a2f 100644
--- a/doc/man3/EVP_DigestSignInit.pod
+++ b/doc/man3/EVP_DigestSignInit.pod
@@ -208,7 +208,7 @@ EVP_DigestSignUpdate() was converted from a macro to a function in OpenSSL 3.0.
 =head1 COPYRIGHT
-Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_DigestVerifyInit.pod b/doc/man3/EVP_DigestVerifyInit.pod
index 0dc8151a90a13..c927b7e4e82a8 100644
--- a/doc/man3/EVP_DigestVerifyInit.pod
+++ b/doc/man3/EVP_DigestVerifyInit.pod
@@ -193,7 +193,7 @@ EVP_DigestVerifyUpdate() was converted from a macro to a function in OpenSSL
 =head1 COPYRIGHT
-Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod
index 3d1a6b5615ca9..a04e6d102f1ad 100644
--- a/doc/man3/EVP_EncryptInit.pod
+++ b/doc/man3/EVP_EncryptInit.pod
@@ -1785,7 +1785,7 @@ EVP_CIPHER_CTX_dup() was added in OpenSSL 3.2.
 =head1 COPYRIGHT
-Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_KDF.pod b/doc/man3/EVP_KDF.pod
index 374318cbcfdda..31d61b2a3df0a 100644
--- a/doc/man3/EVP_KDF.pod
+++ b/doc/man3/EVP_KDF.pod
@@ -304,7 +304,7 @@ This functionality was added in OpenSSL 3.0.
 =head1 COPYRIGHT
-Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_PKEY_CTX_get0_pkey.pod b/doc/man3/EVP_PKEY_CTX_get0_pkey.pod
index 26eef87cc1cd1..8db726127ec63 100644
--- a/doc/man3/EVP_PKEY_CTX_get0_pkey.pod
+++ b/doc/man3/EVP_PKEY_CTX_get0_pkey.pod
@@ -46,7 +46,7 @@ L, L
 =head1 COPYRIGHT
-Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License.
diff --git a/doc/man3/EVP_PKEY_decapsulate.pod b/doc/man3/EVP_PKEY_decapsulate.pod
index 12339dfb743b2..b59aab8bbf9fe 100644
--- a/doc/man3/EVP_PKEY_decapsulate.pod
+++ b/doc/man3/EVP_PKEY_decapsulate.pod
@@ -101,7 +101,7 @@ The function EVP_PKEY_auth_decapsulate_init() was added in OpenSSL 3.2.
 =head1 COPYRIGHT
-Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_PKEY_encapsulate.pod b/doc/man3/EVP_PKEY_encapsulate.pod
index df1f948c8dd3c..6874f31cf5b2c 100644
--- a/doc/man3/EVP_PKEY_encapsulate.pod
+++ b/doc/man3/EVP_PKEY_encapsulate.pod
@@ -109,7 +109,7 @@ The function EVP_PKEY_auth_encapsulate_init() was added in OpenSSL 3.2.
 =head1 COPYRIGHT
-Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_PKEY_get_default_digest_nid.pod b/doc/man3/EVP_PKEY_get_default_digest_nid.pod
index 243268e4e613f..e22a3e7b4717c 100644
--- a/doc/man3/EVP_PKEY_get_default_digest_nid.pod
+++ b/doc/man3/EVP_PKEY_get_default_digest_nid.pod
@@ -57,7 +57,7 @@ This function was added in OpenSSL 1.0.0.
 =head1 COPYRIGHT
-Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_PKEY_set1_RSA.pod b/doc/man3/EVP_PKEY_set1_RSA.pod
index f2bdede46f67f..6489b1189403b 100644
--- a/doc/man3/EVP_PKEY_set1_RSA.pod
+++ b/doc/man3/EVP_PKEY_set1_RSA.pod
@@ -228,7 +228,7 @@ It was removed in OpenSSL 3.0.
 =head1 COPYRIGHT
-Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_RAND.pod b/doc/man3/EVP_RAND.pod
index 5a50f510a69c5..0c79c57b81ef8 100644
--- a/doc/man3/EVP_RAND.pod
+++ b/doc/man3/EVP_RAND.pod
@@ -411,7 +411,7 @@ The remaining functions were added in OpenSSL 3.0.
 =head1 COPYRIGHT
-Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_SignInit.pod b/doc/man3/EVP_SignInit.pod
index c274ad9917fbd..553ce0e34778a 100644
--- a/doc/man3/EVP_SignInit.pod
+++ b/doc/man3/EVP_SignInit.pod
@@ -109,7 +109,7 @@ The function EVP_SignFinal_ex() was added in OpenSSL 3.0.
 =head1 COPYRIGHT
-Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_VerifyInit.pod b/doc/man3/EVP_VerifyInit.pod
index f05b9135bfc1f..04598046712d0 100644
--- a/doc/man3/EVP_VerifyInit.pod
+++ b/doc/man3/EVP_VerifyInit.pod
@@ -104,7 +104,7 @@ The function EVP_VerifyFinal_ex() was added in OpenSSL 3.0.
 =head1 COPYRIGHT
-Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_aes_128_gcm.pod b/doc/man3/EVP_aes_128_gcm.pod
index a8c1d06b0083c..09cae99129504 100644
--- a/doc/man3/EVP_aes_128_gcm.pod
+++ b/doc/man3/EVP_aes_128_gcm.pod
@@ -190,7 +190,7 @@ L
 =head1 COPYRIGHT
-Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_aria_128_gcm.pod b/doc/man3/EVP_aria_128_gcm.pod
index a05c3346c1481..92913652630d5 100644
--- a/doc/man3/EVP_aria_128_gcm.pod
+++ b/doc/man3/EVP_aria_128_gcm.pod
@@ -113,7 +113,7 @@ L
 =head1 COPYRIGHT
-Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_bf_cbc.pod b/doc/man3/EVP_bf_cbc.pod
index 89fd5c21a4b54..4df98f4bdf47e 100644
--- a/doc/man3/EVP_bf_cbc.pod
+++ b/doc/man3/EVP_bf_cbc.pod
@@ -58,7 +58,7 @@ L
 =head1 COPYRIGHT
-Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_blake2b512.pod b/doc/man3/EVP_blake2b512.pod
index cc437325d88c6..98e1899f6a935 100644
--- a/doc/man3/EVP_blake2b512.pod
+++ b/doc/man3/EVP_blake2b512.pod
@@ -59,7 +59,7 @@ L
 =head1 COPYRIGHT
-Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_camellia_128_ecb.pod b/doc/man3/EVP_camellia_128_ecb.pod
index c70af300e317f..a6b597156a77a 100644
--- a/doc/man3/EVP_camellia_128_ecb.pod
+++ b/doc/man3/EVP_camellia_128_ecb.pod
@@ -96,7 +96,7 @@ L
 =head1 COPYRIGHT
-Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_cast5_cbc.pod b/doc/man3/EVP_cast5_cbc.pod
index c8c1c9dabdbb9..85ff2ad014888 100644
--- a/doc/man3/EVP_cast5_cbc.pod
+++ b/doc/man3/EVP_cast5_cbc.pod
@@ -58,7 +58,7 @@ L
 =head1 COPYRIGHT
-Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_chacha20.pod b/doc/man3/EVP_chacha20.pod
index 47b6f9c16fe7a..683faa326e145 100644
--- a/doc/man3/EVP_chacha20.pod
+++ b/doc/man3/EVP_chacha20.pod
@@ -64,7 +64,7 @@ L
 =head1 COPYRIGHT
-Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_des_cbc.pod b/doc/man3/EVP_des_cbc.pod
index 651622df56a40..501216cd6d77b 100644
--- a/doc/man3/EVP_des_cbc.pod
+++ b/doc/man3/EVP_des_cbc.pod
@@ -106,7 +106,7 @@ L
 =head1 COPYRIGHT
-Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_desx_cbc.pod b/doc/man3/EVP_desx_cbc.pod
index e1b48534255de..fae827192ee99 100644
--- a/doc/man3/EVP_desx_cbc.pod
+++ b/doc/man3/EVP_desx_cbc.pod
@@ -48,7 +48,7 @@ L
 =head1 COPYRIGHT
-Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_idea_cbc.pod b/doc/man3/EVP_idea_cbc.pod
index d7e0102c182b2..5a9adaedc4462 100644
--- a/doc/man3/EVP_idea_cbc.pod
+++ b/doc/man3/EVP_idea_cbc.pod
@@ -56,7 +56,7 @@ L
 =head1 COPYRIGHT
-Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_md2.pod b/doc/man3/EVP_md2.pod
index bb01005b87b56..0b473887e01b9 100644
--- a/doc/man3/EVP_md2.pod
+++ b/doc/man3/EVP_md2.pod
@@ -49,7 +49,7 @@ L
 =head1 COPYRIGHT
-Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_md4.pod b/doc/man3/EVP_md4.pod
index 682937fa87887..baaff9e4eaa2a 100644
--- a/doc/man3/EVP_md4.pod
+++ b/doc/man3/EVP_md4.pod
@@ -50,7 +50,7 @@ L
 =head1 COPYRIGHT
-Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_md5.pod b/doc/man3/EVP_md5.pod
index aec1d8d820b90..752fdd1f6c37b 100644
--- a/doc/man3/EVP_md5.pod
+++ b/doc/man3/EVP_md5.pod
@@ -60,7 +60,7 @@ L
 =head1 COPYRIGHT
-Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_mdc2.pod b/doc/man3/EVP_mdc2.pod
index bc148079f3769..e9de6f3c560a6 100644
--- a/doc/man3/EVP_mdc2.pod
+++ b/doc/man3/EVP_mdc2.pod
@@ -51,7 +51,7 @@ L
 =head1 COPYRIGHT
-Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_rc2_cbc.pod b/doc/man3/EVP_rc2_cbc.pod
index 26966e34bb70b..bf4a13ba45c19 100644
--- a/doc/man3/EVP_rc2_cbc.pod
+++ b/doc/man3/EVP_rc2_cbc.pod
@@ -72,7 +72,7 @@ L
 =head1 COPYRIGHT
-Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_rc4.pod b/doc/man3/EVP_rc4.pod
index 9f8e72c00bc42..f22e88a652147 100644
--- a/doc/man3/EVP_rc4.pod
+++ b/doc/man3/EVP_rc4.pod
@@ -64,7 +64,7 @@ L =head1 COPYRIGHT -Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_rc5_32_12_16_cbc.pod b/doc/man3/EVP_rc5_32_12_16_cbc.pod index cbb8d71b8eb57..c177b1845196f 100644 --- a/doc/man3/EVP_rc5_32_12_16_cbc.pod +++ b/doc/man3/EVP_rc5_32_12_16_cbc.pod @@ -78,7 +78,7 @@ L =head1 COPYRIGHT -Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_ripemd160.pod b/doc/man3/EVP_ripemd160.pod index 46eebf846d43d..6ad2d3e018696 100644 --- a/doc/man3/EVP_ripemd160.pod +++ b/doc/man3/EVP_ripemd160.pod @@ -50,7 +50,7 @@ L =head1 COPYRIGHT -Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_seed_cbc.pod b/doc/man3/EVP_seed_cbc.pod index 07d03367ed08e..010607e574059 100644 --- a/doc/man3/EVP_seed_cbc.pod +++ b/doc/man3/EVP_seed_cbc.pod @@ -58,7 +58,7 @@ L =head1 COPYRIGHT -Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_sha1.pod b/doc/man3/EVP_sha1.pod index 574b9d8ba8c39..264ddd1addb71 100644 --- a/doc/man3/EVP_sha1.pod +++ b/doc/man3/EVP_sha1.pod 
@@ -49,7 +49,7 @@ L =head1 COPYRIGHT -Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_sha224.pod b/doc/man3/EVP_sha224.pod index 1062e0c059bb3..7a50cf9b6c3f1 100644 --- a/doc/man3/EVP_sha224.pod +++ b/doc/man3/EVP_sha224.pod @@ -69,7 +69,7 @@ L =head1 COPYRIGHT -Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_sha3_224.pod b/doc/man3/EVP_sha3_224.pod index c59b4663ae6a2..5bb9ae1b89e55 100644 --- a/doc/man3/EVP_sha3_224.pod +++ b/doc/man3/EVP_sha3_224.pod @@ -74,7 +74,7 @@ L =head1 COPYRIGHT -Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_sm3.pod b/doc/man3/EVP_sm3.pod index 56cc25c6f319d..4e8112dc0afee 100644 --- a/doc/man3/EVP_sm3.pod +++ b/doc/man3/EVP_sm3.pod @@ -48,7 +48,7 @@ L =head1 COPYRIGHT -Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Copyright 2017 Ribose Inc. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use diff --git a/doc/man3/EVP_sm4_cbc.pod b/doc/man3/EVP_sm4_cbc.pod index d1400ed347dad..b67ade549968c 100644 --- a/doc/man3/EVP_sm4_cbc.pod +++ b/doc/man3/EVP_sm4_cbc.pod 
@@ -62,7 +62,7 @@ L =head1 COPYRIGHT -Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Copyright 2017 Ribose Inc. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use diff --git a/doc/man3/EVP_whirlpool.pod b/doc/man3/EVP_whirlpool.pod index 3b008ac990b7c..a9826e290a427 100644 --- a/doc/man3/EVP_whirlpool.pod +++ b/doc/man3/EVP_whirlpool.pod @@ -51,7 +51,7 @@ L =head1 COPYRIGHT -Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/MD5.pod b/doc/man3/MD5.pod index 535fb925a312c..2e01fe8193dd9 100644 --- a/doc/man3/MD5.pod +++ b/doc/man3/MD5.pod @@ -105,7 +105,7 @@ All of these functions were deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OPENSSL_s390xcap.pod b/doc/man3/OPENSSL_s390xcap.pod index a8ade1b612e09..d7185530eceab 100644 --- a/doc/man3/OPENSSL_s390xcap.pod +++ b/doc/man3/OPENSSL_s390xcap.pod @@ -194,7 +194,7 @@ Disables the KM-XTS-AES and the KIMD-SHAKE function codes: =head1 COPYRIGHT -Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod index b07d18229df70..32fbc0915813d 100644 
--- a/doc/man3/OSSL_CMP_CTX_new.pod +++ b/doc/man3/OSSL_CMP_CTX_new.pod @@ -844,7 +844,7 @@ OSSL_CMP_CTX_set1_serialNumber() was added in OpenSSL 3.2. =head1 COPYRIGHT -Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_CMP_ITAV_new_caCerts.pod b/doc/man3/OSSL_CMP_ITAV_new_caCerts.pod index 882103f4c3b54..66f0ac90309d2 100644 --- a/doc/man3/OSSL_CMP_ITAV_new_caCerts.pod +++ b/doc/man3/OSSL_CMP_ITAV_new_caCerts.pod @@ -88,7 +88,7 @@ were added in OpenSSL 3.2. =head1 COPYRIGHT -Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_CMP_MSG_get0_header.pod b/doc/man3/OSSL_CMP_MSG_get0_header.pod index 653f568d0c825..b3175683c782f 100644 --- a/doc/man3/OSSL_CMP_MSG_get0_header.pod +++ b/doc/man3/OSSL_CMP_MSG_get0_header.pod @@ -148,7 +148,7 @@ OSSL_CMP_MSG_update_recipNonce() was added in OpenSSL 3.0.9. =head1 COPYRIGHT -Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_CMP_exec_certreq.pod b/doc/man3/OSSL_CMP_exec_certreq.pod index e752b8e270697..38aa4abc834b6 100644 --- a/doc/man3/OSSL_CMP_exec_certreq.pod +++ b/doc/man3/OSSL_CMP_exec_certreq.pod 
@@ -218,7 +218,7 @@ were added in OpenSSL 3.2. =head1 COPYRIGHT -Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod b/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod index 48eda2c2ba8c0..d0769ac61b490 100644 --- a/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod +++ b/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod @@ -95,7 +95,7 @@ OSSL_CRMF_CERTTEMPLATE_get0_publicKey() was added in OpenSSL 3.2. =head1 COPYRIGHT -Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_CRMF_MSG_set0_validity.pod b/doc/man3/OSSL_CRMF_MSG_set0_validity.pod index 4add69c40da62..93185a5528d84 100644 --- a/doc/man3/OSSL_CRMF_MSG_set0_validity.pod +++ b/doc/man3/OSSL_CRMF_MSG_set0_validity.pod @@ -110,7 +110,7 @@ The OpenSSL CRMF support was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_DECODER_from_bio.pod b/doc/man3/OSSL_DECODER_from_bio.pod index e9df3c046dce2..0cefeb2bf5456 100644 --- a/doc/man3/OSSL_DECODER_from_bio.pod +++ b/doc/man3/OSSL_DECODER_from_bio.pod 
@@ -110,7 +110,7 @@ The functions described here were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_DISPATCH.pod b/doc/man3/OSSL_DISPATCH.pod index 52b7f3994505f..232b6dca826c3 100644 --- a/doc/man3/OSSL_DISPATCH.pod +++ b/doc/man3/OSSL_DISPATCH.pod @@ -72,7 +72,7 @@ B was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_HPKE_CTX_new.pod b/doc/man3/OSSL_HPKE_CTX_new.pod index c169ee8f5ea64..df951d7120e1d 100644 --- a/doc/man3/OSSL_HPKE_CTX_new.pod +++ b/doc/man3/OSSL_HPKE_CTX_new.pod @@ -561,7 +561,7 @@ This functionality described here was added in OpenSSL 3.2. =head1 COPYRIGHT -Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_HTTP_REQ_CTX.pod b/doc/man3/OSSL_HTTP_REQ_CTX.pod index 932ed4b496dee..f74fcb35cea08 100644 --- a/doc/man3/OSSL_HTTP_REQ_CTX.pod +++ b/doc/man3/OSSL_HTTP_REQ_CTX.pod 
@@ -276,7 +276,7 @@ The functions described here were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_HTTP_transfer.pod b/doc/man3/OSSL_HTTP_transfer.pod index bc9ed071367ae..e0375377e66c8 100644 --- a/doc/man3/OSSL_HTTP_transfer.pod +++ b/doc/man3/OSSL_HTTP_transfer.pod @@ -290,7 +290,7 @@ All the functions described here were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_PARAM.pod b/doc/man3/OSSL_PARAM.pod index 18da5bf99a04a..1e5bf06cf767a 100644 --- a/doc/man3/OSSL_PARAM.pod +++ b/doc/man3/OSSL_PARAM.pod @@ -364,7 +364,7 @@ B was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_PARAM_int.pod b/doc/man3/OSSL_PARAM_int.pod index 091a9e9e36707..29cefe673cc34 100644 --- a/doc/man3/OSSL_PARAM_int.pod +++ b/doc/man3/OSSL_PARAM_int.pod 
@@ -402,7 +402,7 @@ These APIs were introduced in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_PROVIDER.pod b/doc/man3/OSSL_PROVIDER.pod index 12151021c5827..2a1531e983b85 100644 --- a/doc/man3/OSSL_PROVIDER.pod +++ b/doc/man3/OSSL_PROVIDER.pod @@ -239,7 +239,7 @@ added in OpenSSL 3.2. =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_QUIC_client_method.pod b/doc/man3/OSSL_QUIC_client_method.pod index eaae2b049d294..9d7fbaa20c4fb 100644 --- a/doc/man3/OSSL_QUIC_client_method.pod +++ b/doc/man3/OSSL_QUIC_client_method.pod @@ -40,7 +40,7 @@ OpenSSL 3.2. =head1 COPYRIGHT -Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_SELF_TEST_new.pod b/doc/man3/OSSL_SELF_TEST_new.pod index 77eaa9acdbeba..4c4b10fca96ad 100644 --- a/doc/man3/OSSL_SELF_TEST_new.pod +++ b/doc/man3/OSSL_SELF_TEST_new.pod @@ -165,7 +165,7 @@ The functions described here were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy 
diff --git a/doc/man3/OSSL_sleep.pod b/doc/man3/OSSL_sleep.pod index 896adb7f15295..78761d2d196a0 100644 --- a/doc/man3/OSSL_sleep.pod +++ b/doc/man3/OSSL_sleep.pod @@ -32,7 +32,7 @@ OSSL_sleep() was added in OpenSSL 3.2. =head1 COPYRIGHT -Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_trace_enabled.pod b/doc/man3/OSSL_trace_enabled.pod index 1cc45b11c77da..da78eba234bcb 100644 --- a/doc/man3/OSSL_trace_enabled.pod +++ b/doc/man3/OSSL_trace_enabled.pod @@ -315,7 +315,7 @@ were added in OpenSSL 3.2. =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_trace_set_channel.pod b/doc/man3/OSSL_trace_set_channel.pod index 5b1981c1c3071..0db38e8db0d29 100644 --- a/doc/man3/OSSL_trace_set_channel.pod +++ b/doc/man3/OSSL_trace_set_channel.pod @@ -336,7 +336,7 @@ in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/PEM_read_CMS.pod b/doc/man3/PEM_read_CMS.pod index 311f40e343d16..dbccf26cd893e 100644 --- a/doc/man3/PEM_read_CMS.pod +++ b/doc/man3/PEM_read_CMS.pod 
@@ -142,7 +142,7 @@ were deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 1998-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/PKCS12_SAFEBAG_get1_cert.pod b/doc/man3/PKCS12_SAFEBAG_get1_cert.pod index 25338c4ac70bf..28bed08e3d405 100644 --- a/doc/man3/PKCS12_SAFEBAG_get1_cert.pod +++ b/doc/man3/PKCS12_SAFEBAG_get1_cert.pod @@ -79,7 +79,7 @@ added in OpenSSL 3.2. =head1 COPYRIGHT -Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/PKCS7_sign.pod b/doc/man3/PKCS7_sign.pod index 3ad8cbf3391fe..1d997045fe142 100644 --- a/doc/man3/PKCS7_sign.pod +++ b/doc/man3/PKCS7_sign.pod @@ -122,7 +122,7 @@ The B flag was added in OpenSSL 1.0.0. =head1 COPYRIGHT -Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod index b7555b54bf329..7ffd731410a0e 100644 --- a/doc/man3/SSL_CONF_cmd.pod +++ b/doc/man3/SSL_CONF_cmd.pod @@ -780,7 +780,7 @@ added in OpenSSL 3.2. =head1 COPYRIGHT -Copyright 2012-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2012-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy 
diff --git a/doc/man3/SSL_CTX_dane_enable.pod b/doc/man3/SSL_CTX_dane_enable.pod index 1a466020a7113..d558e63895fda 100644 --- a/doc/man3/SSL_CTX_dane_enable.pod +++ b/doc/man3/SSL_CTX_dane_enable.pod @@ -376,7 +376,7 @@ These functions were added in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_CTX_new.pod b/doc/man3/SSL_CTX_new.pod index fb46cbca75ee9..f467f93659b57 100644 --- a/doc/man3/SSL_CTX_new.pod +++ b/doc/man3/SSL_CTX_new.pod @@ -249,7 +249,7 @@ SSL_CTX_new_ex() was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_CTX_set_alpn_select_cb.pod b/doc/man3/SSL_CTX_set_alpn_select_cb.pod index 5f5872ee672e9..05fee2fbecbce 100644 --- a/doc/man3/SSL_CTX_set_alpn_select_cb.pod +++ b/doc/man3/SSL_CTX_set_alpn_select_cb.pod @@ -192,7 +192,7 @@ L =head1 COPYRIGHT -Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_CTX_set_min_proto_version.pod b/doc/man3/SSL_CTX_set_min_proto_version.pod index 3d269018d0542..9a2da37ab7294 100644 --- a/doc/man3/SSL_CTX_set_min_proto_version.pod +++ b/doc/man3/SSL_CTX_set_min_proto_version.pod 
@@ -67,7 +67,7 @@ were added in OpenSSL 1.1.1. =head1 COPYRIGHT -Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_CTX_set_mode.pod b/doc/man3/SSL_CTX_set_mode.pod index c0484f190fe20..325e086c54843 100644 --- a/doc/man3/SSL_CTX_set_mode.pod +++ b/doc/man3/SSL_CTX_set_mode.pod @@ -140,7 +140,7 @@ SSL_MODE_ASYNC was added in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_CTX_set_msg_callback.pod b/doc/man3/SSL_CTX_set_msg_callback.pod index bb29761e8d20f..7484773afe653 100644 --- a/doc/man3/SSL_CTX_set_msg_callback.pod +++ b/doc/man3/SSL_CTX_set_msg_callback.pod @@ -174,7 +174,7 @@ B were added in OpenSSL 3.2. =head1 COPYRIGHT -Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_CTX_set_options.pod b/doc/man3/SSL_CTX_set_options.pod index dd30873f36655..56695e4abd507 100644 --- a/doc/man3/SSL_CTX_set_options.pod +++ b/doc/man3/SSL_CTX_set_options.pod 
@@ -531,7 +531,7 @@ whether these macros are defined or not. =head1 COPYRIGHT -Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_CTX_set_quiet_shutdown.pod b/doc/man3/SSL_CTX_set_quiet_shutdown.pod index 867c331a3d87b..b7c2a32069174 100644 --- a/doc/man3/SSL_CTX_set_quiet_shutdown.pod +++ b/doc/man3/SSL_CTX_set_quiet_shutdown.pod @@ -65,7 +65,7 @@ L, L =head1 COPYRIGHT -Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_CTX_set_read_ahead.pod b/doc/man3/SSL_CTX_set_read_ahead.pod index a4c482ee35d2d..9e6409dbbc9ca 100644 --- a/doc/man3/SSL_CTX_set_read_ahead.pod +++ b/doc/man3/SSL_CTX_set_read_ahead.pod @@ -67,7 +67,7 @@ L, L =head1 COPYRIGHT -Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_CTX_set_record_padding_callback.pod b/doc/man3/SSL_CTX_set_record_padding_callback.pod index a3ba8a5118346..e91f903b0154a 100644 --- a/doc/man3/SSL_CTX_set_record_padding_callback.pod +++ b/doc/man3/SSL_CTX_set_record_padding_callback.pod 
@@ -98,7 +98,7 @@ changed to int in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_CTX_set_split_send_fragment.pod b/doc/man3/SSL_CTX_set_split_send_fragment.pod index e01a696f0d58d..8f92ec1ec76f0 100644 --- a/doc/man3/SSL_CTX_set_split_send_fragment.pod +++ b/doc/man3/SSL_CTX_set_split_send_fragment.pod @@ -187,7 +187,7 @@ and SSL_SESSION_get_max_fragment_length() functions were added in OpenSSL 1.1.1. =head1 COPYRIGHT -Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_CTX_set_ssl_version.pod b/doc/man3/SSL_CTX_set_ssl_version.pod index 357807187abb1..2de853314325e 100644 --- a/doc/man3/SSL_CTX_set_ssl_version.pod +++ b/doc/man3/SSL_CTX_set_ssl_version.pod @@ -83,7 +83,7 @@ SSL_CTX_set_ssl_version() was deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_CTX_set_tlsext_use_srtp.pod b/doc/man3/SSL_CTX_set_tlsext_use_srtp.pod index 5cb6b2cc8277b..5d1e063f01225 100644 --- a/doc/man3/SSL_CTX_set_tlsext_use_srtp.pod +++ b/doc/man3/SSL_CTX_set_tlsext_use_srtp.pod 
@@ -138,7 +138,7 @@ L =head1 COPYRIGHT -Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_CTX_set_verify.pod b/doc/man3/SSL_CTX_set_verify.pod index c49bb39ff0296..ac6a42c191266 100644 --- a/doc/man3/SSL_CTX_set_verify.pod +++ b/doc/man3/SSL_CTX_set_verify.pod @@ -366,7 +366,7 @@ and SSL_set_post_handshake_auth() functions were added in OpenSSL 1.1.1. =head1 COPYRIGHT -Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_SESSION_free.pod b/doc/man3/SSL_SESSION_free.pod index 33475d76b6a69..4af750a358ba2 100644 --- a/doc/man3/SSL_SESSION_free.pod +++ b/doc/man3/SSL_SESSION_free.pod @@ -79,7 +79,7 @@ The SSL_SESSION_dup() function was added in OpenSSL 1.1.1. =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_alloc_buffers.pod b/doc/man3/SSL_alloc_buffers.pod index d2d5b1e59b4bf..8810001df846d 100644 --- a/doc/man3/SSL_alloc_buffers.pod +++ b/doc/man3/SSL_alloc_buffers.pod @@ -61,7 +61,7 @@ L =head1 COPYRIGHT -Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy 
diff --git a/doc/man3/SSL_clear.pod b/doc/man3/SSL_clear.pod index 6b6b11b482603..3496213c52d76 100644 --- a/doc/man3/SSL_clear.pod +++ b/doc/man3/SSL_clear.pod @@ -77,7 +77,7 @@ L =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_free.pod b/doc/man3/SSL_free.pod index 61ce50e9cc9c5..7fabaa2159f4e 100644 --- a/doc/man3/SSL_free.pod +++ b/doc/man3/SSL_free.pod @@ -76,7 +76,7 @@ L =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_get_error.pod b/doc/man3/SSL_get_error.pod index a91acd9836721..27dd584687f30 100644 --- a/doc/man3/SSL_get_error.pod +++ b/doc/man3/SSL_get_error.pod @@ -190,7 +190,7 @@ The SSL_ERROR_WANT_CLIENT_HELLO_CB error code was added in OpenSSL 1.1.1. =head1 COPYRIGHT -Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_get_event_timeout.pod b/doc/man3/SSL_get_event_timeout.pod index 8649cb4f03e75..361f87cbfc1f8 100644 --- a/doc/man3/SSL_get_event_timeout.pod +++ b/doc/man3/SSL_get_event_timeout.pod 
@@ -78,7 +78,7 @@ The SSL_get_event_timeout() function was added in OpenSSL 3.2. =head1 COPYRIGHT -Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_get_rpoll_descriptor.pod b/doc/man3/SSL_get_rpoll_descriptor.pod index 0d17bce69866e..5e1879580e82f 100644 --- a/doc/man3/SSL_get_rpoll_descriptor.pod +++ b/doc/man3/SSL_get_rpoll_descriptor.pod @@ -83,7 +83,7 @@ and SSL_net_write_desired() functions were added in OpenSSL 3.2. =head1 COPYRIGHT -Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_get_verify_result.pod b/doc/man3/SSL_get_verify_result.pod index ab13e912b11ac..08c46c0576ba2 100644 --- a/doc/man3/SSL_get_verify_result.pod +++ b/doc/man3/SSL_get_verify_result.pod @@ -63,7 +63,7 @@ L =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_get_version.pod b/doc/man3/SSL_get_version.pod index 04b8eea61d4e4..b8a0f5e3b15de 100644 --- a/doc/man3/SSL_get_version.pod +++ b/doc/man3/SSL_get_version.pod 
@@ -142,7 +142,7 @@ SSL_is_quic() functions were added in OpenSSL 3.2. =head1 COPYRIGHT -Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_key_update.pod b/doc/man3/SSL_key_update.pod index f0e535c3135b7..6238e67649e03 100644 --- a/doc/man3/SSL_key_update.pod +++ b/doc/man3/SSL_key_update.pod @@ -118,7 +118,7 @@ OpenSSL 1.1.1. =head1 COPYRIGHT -Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_new.pod b/doc/man3/SSL_new.pod index 309430d9b718e..d01996fba1432 100644 --- a/doc/man3/SSL_new.pod +++ b/doc/man3/SSL_new.pod @@ -127,7 +127,7 @@ L =head1 COPYRIGHT -Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_read.pod b/doc/man3/SSL_read.pod index 0c1f1dbf4c49f..206f06afe0918 100644 --- a/doc/man3/SSL_read.pod +++ b/doc/man3/SSL_read.pod @@ -150,7 +150,7 @@ The SSL_read_ex() and SSL_peek_ex() functions were added in OpenSSL 1.1.1. =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy 
diff --git a/doc/man3/SSL_read_early_data.pod b/doc/man3/SSL_read_early_data.pod index 65015124b2e3a..ec71c6eba9fbc 100644 --- a/doc/man3/SSL_read_early_data.pod +++ b/doc/man3/SSL_read_early_data.pod @@ -370,7 +370,7 @@ All of the functions described above were added in OpenSSL 1.1.1. =head1 COPYRIGHT -Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_rstate_string.pod b/doc/man3/SSL_rstate_string.pod index ad1ec0ae28714..d1fa22243d614 100644 --- a/doc/man3/SSL_rstate_string.pod +++ b/doc/man3/SSL_rstate_string.pod @@ -57,7 +57,7 @@ L =head1 COPYRIGHT -Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_set1_initial_peer_addr.pod b/doc/man3/SSL_set1_initial_peer_addr.pod index d1cdeb0234e6f..0aec15f770782 100644 --- a/doc/man3/SSL_set1_initial_peer_addr.pod +++ b/doc/man3/SSL_set1_initial_peer_addr.pod @@ -51,7 +51,7 @@ The SSL_set1_initial_peer_addr() function was added in OpenSSL 3.2. =head1 COPYRIGHT -Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_set_bio.pod b/doc/man3/SSL_set_bio.pod index 121a955a3ee47..5cb2a9a427aa0 100644 --- a/doc/man3/SSL_set_bio.pod +++ b/doc/man3/SSL_set_bio.pod 
@@ -108,7 +108,7 @@ SSL_set0_rbio() and SSL_set0_wbio() were added in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_set_blocking_mode.pod b/doc/man3/SSL_set_blocking_mode.pod index 602045c0efa8d..7f5b4baa74b15 100644 --- a/doc/man3/SSL_set_blocking_mode.pod +++ b/doc/man3/SSL_set_blocking_mode.pod @@ -64,7 +64,7 @@ OpenSSL 3.2. =head1 COPYRIGHT -Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_set_fd.pod b/doc/man3/SSL_set_fd.pod index 396777d72174d..a431183a328bd 100644 --- a/doc/man3/SSL_set_fd.pod +++ b/doc/man3/SSL_set_fd.pod @@ -68,7 +68,7 @@ L, L , L =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_set_shutdown.pod b/doc/man3/SSL_set_shutdown.pod index 730d819c8ad02..c3b613a247d1e 100644 --- a/doc/man3/SSL_set_shutdown.pod +++ b/doc/man3/SSL_set_shutdown.pod @@ -73,7 +73,7 @@ L, L =head1 COPYRIGHT -Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy 
diff --git a/doc/man3/SSL_shutdown.pod b/doc/man3/SSL_shutdown.pod index 5d59f677f1de8..a9894b717af73 100644 --- a/doc/man3/SSL_shutdown.pod +++ b/doc/man3/SSL_shutdown.pod @@ -429,7 +429,7 @@ The SSL_shutdown_ex() function was added in OpenSSL 3.2. =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_stream_conclude.pod b/doc/man3/SSL_stream_conclude.pod index 9473ad0b9eea3..2f6df1986061c 100644 --- a/doc/man3/SSL_stream_conclude.pod +++ b/doc/man3/SSL_stream_conclude.pod @@ -50,7 +50,7 @@ The SSL_stream_conclude() function was added in OpenSSL 3.2. =head1 COPYRIGHT -Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_want.pod b/doc/man3/SSL_want.pod index 8a17bdf228af7..b397fc0521cb2 100644 --- a/doc/man3/SSL_want.pod +++ b/doc/man3/SSL_want.pod @@ -114,7 +114,7 @@ were added in OpenSSL 1.1.1. =head1 COPYRIGHT -Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_write.pod b/doc/man3/SSL_write.pod index b8a7dcbbc71bf..46427d7059e9f 100644 --- a/doc/man3/SSL_write.pod +++ b/doc/man3/SSL_write.pod 
@@ -154,7 +154,7 @@ The SSL_sendfile() function was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/X509_STORE_CTX_set_verify_cb.pod b/doc/man3/X509_STORE_CTX_set_verify_cb.pod index 969856d8f31af..845ff8e91b865 100644 --- a/doc/man3/X509_STORE_CTX_set_verify_cb.pod +++ b/doc/man3/X509_STORE_CTX_set_verify_cb.pod @@ -232,7 +232,7 @@ X509_STORE_CTX_print_verify_cb() was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2009-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod index 89d2266cfa2f2..fcbbfc4c30673 100644 --- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod +++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod @@ -407,7 +407,7 @@ The documentation was changed to align with the implementation. =head1 COPYRIGHT -Copyright 2009-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2009-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/X509_get0_notBefore.pod b/doc/man3/X509_get0_notBefore.pod index 27fd34284c846..1ca0a1b128aa8 100644 --- a/doc/man3/X509_get0_notBefore.pod +++ b/doc/man3/X509_get0_notBefore.pod 
@@ -95,7 +95,7 @@ X509_get_notBefore() and X509_get_notAfter() were deprecated in OpenSSL =head1 COPYRIGHT -Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/X509_get_version.pod b/doc/man3/X509_get_version.pod index 5d377c91d323e..c5db26c5790ce 100644 --- a/doc/man3/X509_get_version.pod +++ b/doc/man3/X509_get_version.pod @@ -75,7 +75,7 @@ functions in OpenSSL 1.1.0, in previous versions they were macros. =head1 COPYRIGHT -Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/X509_sign.pod b/doc/man3/X509_sign.pod index af21148f67946..7ca8a1a55ecf8 100644 --- a/doc/man3/X509_sign.pod +++ b/doc/man3/X509_sign.pod @@ -70,7 +70,7 @@ and X509_CRL_sign_ctx() functions were added in OpenSSL 1.0.1. =head1 COPYRIGHT -Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/d2i_RSAPrivateKey.pod b/doc/man3/d2i_RSAPrivateKey.pod index 5156f0edb27ad..b3ea95c692a0d 100644 --- a/doc/man3/d2i_RSAPrivateKey.pod +++ b/doc/man3/d2i_RSAPrivateKey.pod 
@@ -309,7 +309,7 @@ L =head1 COPYRIGHT -Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/d2i_X509.pod b/doc/man3/d2i_X509.pod index ed9ed062d2219..c79a964e6d7f9 100644 --- a/doc/man3/d2i_X509.pod +++ b/doc/man3/d2i_X509.pod @@ -595,7 +595,7 @@ efficiency reasons. =head1 COPYRIGHT -Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 1998-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man5/config.pod b/doc/man5/config.pod index 364c57c292899..8d312c661fa09 100644 --- a/doc/man5/config.pod +++ b/doc/man5/config.pod @@ -575,7 +575,7 @@ L. =head1 COPYRIGHT -Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man5/x509v3_config.pod b/doc/man5/x509v3_config.pod index cf42e9053a58a..2440f23dddc28 100644 --- a/doc/man5/x509v3_config.pod +++ b/doc/man5/x509v3_config.pod @@ -605,7 +605,7 @@ L =head1 COPYRIGHT -Copyright 2004-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/EVP_CIPHER-AES.pod b/doc/man7/EVP_CIPHER-AES.pod index 04d269295b600..fa1eaa843be20 100644 --- a/doc/man7/EVP_CIPHER-AES.pod +++ b/doc/man7/EVP_CIPHER-AES.pod 
@@ -73,7 +73,7 @@ The GCM-SIV mode ciphers were added in OpenSSL version 3.2. =head1 COPYRIGHT -Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/EVP_KDF-ARGON2.pod b/doc/man7/EVP_KDF-ARGON2.pod index c44250e10e27c..e2dfb6edbf783 100644 --- a/doc/man7/EVP_KDF-ARGON2.pod +++ b/doc/man7/EVP_KDF-ARGON2.pod @@ -182,7 +182,7 @@ This functionality was added to OpenSSL 3.2. =head1 COPYRIGHT -Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/EVP_KDF-HMAC-DRBG.pod b/doc/man7/EVP_KDF-HMAC-DRBG.pod index 63a2070e019c8..e4c1ed9d3cb91 100644 --- a/doc/man7/EVP_KDF-HMAC-DRBG.pod +++ b/doc/man7/EVP_KDF-HMAC-DRBG.pod @@ -61,7 +61,7 @@ The EVP_KDF-HMAC-DRBG functionality was added in OpenSSL 3.2. =head1 COPYRIGHT -Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/EVP_KDF-SS.pod b/doc/man7/EVP_KDF-SS.pod index fbc4a6acec1a5..7f158e421698e 100644 --- a/doc/man7/EVP_KDF-SS.pod +++ b/doc/man7/EVP_KDF-SS.pod 
@@ -177,7 +177,7 @@ This functionality was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. Copyright +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. Licensed under the Apache License 2.0 (the "License"). You may not use diff --git a/doc/man7/EVP_MD-SHA2.pod b/doc/man7/EVP_MD-SHA2.pod index ffee7d1231a1e..6266bf659e758 100644 --- a/doc/man7/EVP_MD-SHA2.pod +++ b/doc/man7/EVP_MD-SHA2.pod @@ -71,7 +71,7 @@ L, L, L =head1 COPYRIGHT -Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/EVP_PKEY-EC.pod b/doc/man7/EVP_PKEY-EC.pod index a7254c573621f..318f2cc8b2d50 100644 --- a/doc/man7/EVP_PKEY-EC.pod +++ b/doc/man7/EVP_PKEY-EC.pod @@ -280,7 +280,7 @@ L =head1 COPYRIGHT -Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/EVP_PKEY-RSA.pod b/doc/man7/EVP_PKEY-RSA.pod index 1a3f14cc230ca..161e9d4d71d16 100644 --- a/doc/man7/EVP_PKEY-RSA.pod +++ b/doc/man7/EVP_PKEY-RSA.pod @@ -264,7 +264,7 @@ L, L, L, L =head1 COPYRIGHT -Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/EVP_RAND-HASH-DRBG.pod b/doc/man7/EVP_RAND-HASH-DRBG.pod index 97a3ecc684fa4..33330187941d6 100644 
--- a/doc/man7/EVP_RAND-HASH-DRBG.pod +++ b/doc/man7/EVP_RAND-HASH-DRBG.pod @@ -116,7 +116,7 @@ L, =head1 COPYRIGHT -Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/EVP_SIGNATURE-ECDSA.pod b/doc/man7/EVP_SIGNATURE-ECDSA.pod index ea167f2784ba9..a19d467c0d758 100644 --- a/doc/man7/EVP_SIGNATURE-ECDSA.pod +++ b/doc/man7/EVP_SIGNATURE-ECDSA.pod @@ -51,7 +51,7 @@ L, =head1 COPYRIGHT -Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/EVP_SIGNATURE-ED25519.pod b/doc/man7/EVP_SIGNATURE-ED25519.pod index dbb7de3279d2b..aba56f3182493 100644 --- a/doc/man7/EVP_SIGNATURE-ED25519.pod +++ b/doc/man7/EVP_SIGNATURE-ED25519.pod @@ -156,7 +156,7 @@ L, =head1 COPYRIGHT -Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/OSSL_PROVIDER-FIPS.pod b/doc/man7/OSSL_PROVIDER-FIPS.pod index 844c14df9e257..449d5624e004a 100644 --- a/doc/man7/OSSL_PROVIDER-FIPS.pod +++ b/doc/man7/OSSL_PROVIDER-FIPS.pod 
@@ -469,7 +469,7 @@ This functionality was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/OSSL_PROVIDER-default.pod b/doc/man7/OSSL_PROVIDER-default.pod index 96409ae5ba590..603fd06331bbf 100644 --- a/doc/man7/OSSL_PROVIDER-default.pod +++ b/doc/man7/OSSL_PROVIDER-default.pod @@ -280,7 +280,7 @@ All other functionality was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/fips_module.pod b/doc/man7/fips_module.pod index 9756a89f06ca8..249588598b037 100644 --- a/doc/man7/fips_module.pod +++ b/doc/man7/fips_module.pod @@ -510,7 +510,7 @@ in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/openssl-quic.pod b/doc/man7/openssl-quic.pod index e4f73952f5e87..69db29fdd831a 100644 --- a/doc/man7/openssl-quic.pod +++ b/doc/man7/openssl-quic.pod @@ -836,7 +836,7 @@ L, L =head1 COPYRIGHT -Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy 
diff --git a/doc/man7/ossl-guide-migration.pod b/doc/man7/ossl-guide-migration.pod index 1042744d66eaa..064ad21789511 100644 --- a/doc/man7/ossl-guide-migration.pod +++ b/doc/man7/ossl-guide-migration.pod @@ -2474,7 +2474,7 @@ The migration guide was created for OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/property.pod b/doc/man7/property.pod index bc57a67648140..eb0f6b176ccb9 100644 --- a/doc/man7/property.pod +++ b/doc/man7/property.pod @@ -167,7 +167,7 @@ Properties were added in OpenSSL 3.0 =head1 COPYRIGHT -Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/provider-asym_cipher.pod b/doc/man7/provider-asym_cipher.pod index 137bc21d9278b..e3f11d8543997 100644 --- a/doc/man7/provider-asym_cipher.pod +++ b/doc/man7/provider-asym_cipher.pod @@ -267,7 +267,7 @@ The provider ASYM_CIPHER interface was introduced in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/provider-base.pod b/doc/man7/provider-base.pod index c015b54967123..33d7fe7f55140 100644 --- a/doc/man7/provider-base.pod +++ b/doc/man7/provider-base.pod 
@@ -935,7 +935,7 @@ introduced in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/provider-cipher.pod b/doc/man7/provider-cipher.pod index cb79c18b9f72a..14ff581c72c49 100644 --- a/doc/man7/provider-cipher.pod +++ b/doc/man7/provider-cipher.pod @@ -237,7 +237,7 @@ The provider CIPHER interface was introduced in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/provider-decoder.pod b/doc/man7/provider-decoder.pod index bde8c7038b0a7..e968e661f7cf7 100644 --- a/doc/man7/provider-decoder.pod +++ b/doc/man7/provider-decoder.pod @@ -302,7 +302,7 @@ The DECODER interface was introduced in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/provider-digest.pod b/doc/man7/provider-digest.pod index 62307c8a5fdea..2c99b8b3fb243 100644 --- a/doc/man7/provider-digest.pod +++ b/doc/man7/provider-digest.pod 
@@ -277,7 +277,7 @@ The provider DIGEST interface was introduced in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/provider-kem.pod b/doc/man7/provider-kem.pod index fbbf5a5feee9c..970105a269a57 100644 --- a/doc/man7/provider-kem.pod +++ b/doc/man7/provider-kem.pod @@ -223,7 +223,7 @@ were added in OpenSSL 3.2. =head1 COPYRIGHT -Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/provider-keymgmt.pod b/doc/man7/provider-keymgmt.pod index 0f692f6f62c17..d5c628a93d18e 100644 --- a/doc/man7/provider-keymgmt.pod +++ b/doc/man7/provider-keymgmt.pod @@ -462,7 +462,7 @@ were added with OpenSSL 3.2. =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/provider-signature.pod b/doc/man7/provider-signature.pod index fc0b2ed7ee169..3e900677d319f 100644 --- a/doc/man7/provider-signature.pod +++ b/doc/man7/provider-signature.pod 
@@ -438,7 +438,7 @@ The provider SIGNATURE interface was introduced in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/engines/asm/e_padlock-x86.pl b/engines/asm/e_padlock-x86.pl index bb2b14468982c..3e9a22fca4bf0 100644 --- a/engines/asm/e_padlock-x86.pl +++ b/engines/asm/e_padlock-x86.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2011-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/engines/asm/e_padlock-x86_64.pl b/engines/asm/e_padlock-x86_64.pl index 2622e272db287..b147868851d52 100644 --- a/engines/asm/e_padlock-x86_64.pl +++ b/engines/asm/e_padlock-x86_64.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2011-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/engines/e_capi.txt b/engines/e_capi.txt index dab3471be46ce..58f4a15962311 100644 --- a/engines/e_capi.txt +++ b/engines/e_capi.txt @@ -1,4 +1,4 @@ -# Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/engines/e_capi_err.c b/engines/e_capi_err.c index bf4648523490c..2588c15304468 100644 
--- a/engines/e_capi_err.c
+++ b/engines/e_capi_err.c
@@ -1,6 +1,6 @@
 /*
 * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/engines/e_dasync.c b/engines/e_dasync.c
index 9781085587a0d..92be34d427ae4 100644
--- a/engines/e_dasync.c
+++ b/engines/e_dasync.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c
index 92c8f0e3568fd..3a4082d22bb53 100644
--- a/engines/e_devcrypto.c
+++ b/engines/e_devcrypto.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/engines/e_loader_attic.c b/engines/e_loader_attic.c
index f87bd921d0177..84dff6e2c305a 100644
--- a/engines/e_loader_attic.c
+++ b/engines/e_loader_attic.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/engines/e_padlock.c b/engines/e_padlock.c
index 989e53df31bbb..7e0cfc21fc9b8 100644
--- a/engines/e_padlock.c
+++ b/engines/e_padlock.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/fuzz/fuzz_rand.c b/fuzz/fuzz_rand.c
index af9df7b22d31a..d3351147ec8cd 100644
--- a/fuzz/fuzz_rand.c
+++ b/fuzz/fuzz_rand.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License");
 * you may not use this file except in compliance with the License.
diff --git a/fuzz/pem.c b/fuzz/pem.c
index 4b2cf701e711a..cc2969f6bedb8 100644
--- a/fuzz/pem.c
+++ b/fuzz/pem.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License");
 * you may not use this file except in compliance with the License.
diff --git a/fuzz/x509.c b/fuzz/x509.c
index 6293f1a5c547a..e2d2639164c01 100644
--- a/fuzz/x509.c
+++ b/fuzz/x509.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License");
 * you may not use this file except in compliance with the License.
diff --git a/include/crypto/aes_platform.h b/include/crypto/aes_platform.h
index 17cd9e3238345..5d90ddaf1fe2c 100644
--- a/include/crypto/aes_platform.h
+++ b/include/crypto/aes_platform.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/crypto/bn.h b/include/crypto/bn.h
index 58271179fa866..33f979ce91767 100644
--- a/include/crypto/bn.h
+++ b/include/crypto/bn.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2014-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2014-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/crypto/decoder.h b/include/crypto/decoder.h
index b7b91209df1f6..a0d5de65211eb 100644
--- a/include/crypto/decoder.h
+++ b/include/crypto/decoder.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/crypto/ecx.h b/include/crypto/ecx.h
index 5f100ef16c14c..f35b875fb64f4 100644
--- a/include/crypto/ecx.h
+++ b/include/crypto/ecx.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/crypto/evp.h b/include/crypto/evp.h
index 9605c9daa53ff..473b95514a0ad 100644
--- a/include/crypto/evp.h
+++ b/include/crypto/evp.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/crypto/punycode.h b/include/crypto/punycode.h
index 554819a2809e0..2e1c85c1f74fa 100644
--- a/include/crypto/punycode.h
+++ b/include/crypto/punycode.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/crypto/riscv_arch.h b/include/crypto/riscv_arch.h
index 0e0f946ddcc4f..95185841115e8 100644
--- a/include/crypto/riscv_arch.h
+++ b/include/crypto/riscv_arch.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/crypto/rsa.h b/include/crypto/rsa.h
index c9f9f84cea80b..8eddc168f6d68 100644
--- a/include/crypto/rsa.h
+++ b/include/crypto/rsa.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/crypto/sha.h b/include/crypto/sha.h
index 3f32e96086fc2..99bcf0ff88355 100644
--- a/include/crypto/sha.h
+++ b/include/crypto/sha.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/include/crypto/sm4_platform.h b/include/crypto/sm4_platform.h
index a37dc5f6d37ba..8a26885097b38 100644
--- a/include/crypto/sm4_platform.h
+++ b/include/crypto/sm4_platform.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/crypto/types.h b/include/crypto/types.h
index 0a75f03a3f933..ad17f052e45f5 100644
--- a/include/crypto/types.h
+++ b/include/crypto/types.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/internal/bio_tfo.h b/include/internal/bio_tfo.h
index fc907e6c2ceca..6351443933b77 100644
--- a/include/internal/bio_tfo.h
+++ b/include/internal/bio_tfo.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/internal/common.h b/include/internal/common.h
index ce4a4e3086021..15666f11108c8 100644
--- a/include/internal/common.h
+++ b/include/internal/common.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h
index fd2eb5d56c739..843a720b8f149 100644
--- a/include/internal/cryptlib.h
+++ b/include/internal/cryptlib.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/internal/e_os.h b/include/internal/e_os.h
index df5d0b058406d..6d15bc55ee6e0 100644
--- a/include/internal/e_os.h
+++ b/include/internal/e_os.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/internal/endian.h b/include/internal/endian.h
index eb43eade17a27..7d5a73b1bb1fa 100644
--- a/include/internal/endian.h
+++ b/include/internal/endian.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/internal/event_queue.h b/include/internal/event_queue.h
index 7027378307e09..bda1ee6ad46d9 100644
--- a/include/internal/event_queue.h
+++ b/include/internal/event_queue.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/internal/ffc.h b/include/internal/ffc.h
index 3a6d9f67bb423..01b8a4f9d30a6 100644
--- a/include/internal/ffc.h
+++ b/include/internal/ffc.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/internal/numbers.h b/include/internal/numbers.h
index 41fd693bd1d3b..47fb167709f52 100644
--- a/include/internal/numbers.h
+++ b/include/internal/numbers.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/internal/packet.h b/include/internal/packet.h
index e35281d700e05..7abc6b8b1bc97 100644
--- a/include/internal/packet.h
+++ b/include/internal/packet.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/internal/packet_quic.h b/include/internal/packet_quic.h
index e75b81e422281..5173b4675d8df 100644
--- a/include/internal/packet_quic.h
+++ b/include/internal/packet_quic.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/internal/provider.h b/include/internal/provider.h
index 88a16062c77e4..ab41d643df061 100644
--- a/include/internal/provider.h
+++ b/include/internal/provider.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/internal/quic_ackm.h b/include/internal/quic_ackm.h
index 96673303bd2bb..f92f0ebaf28d4 100644
--- a/include/internal/quic_ackm.h
+++ b/include/internal/quic_ackm.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/internal/quic_cc.h b/include/internal/quic_cc.h
index d3b74e8cbdde9..60c710b0bdaae 100644
--- a/include/internal/quic_cc.h
+++ b/include/internal/quic_cc.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/internal/quic_cfq.h b/include/internal/quic_cfq.h
index 2256f2f0a3e63..22c436dc0746a 100644
--- a/include/internal/quic_cfq.h
+++ b/include/internal/quic_cfq.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/internal/quic_channel.h b/include/internal/quic_channel.h
index 1624870865c74..0841001c23da9 100644
--- a/include/internal/quic_channel.h
+++ b/include/internal/quic_channel.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/internal/quic_demux.h b/include/internal/quic_demux.h
index 81077425fe02d..444249e728881 100644
--- a/include/internal/quic_demux.h
+++ b/include/internal/quic_demux.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/internal/quic_error.h b/include/internal/quic_error.h
index 4c68350f4954d..ae195a5f88e01 100644
--- a/include/internal/quic_error.h
+++ b/include/internal/quic_error.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/internal/quic_fc.h b/include/internal/quic_fc.h
index 06a7cc1db0d8d..7a8273d54288f 100644
--- a/include/internal/quic_fc.h
+++ b/include/internal/quic_fc.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/internal/quic_fifd.h b/include/internal/quic_fifd.h
index b395865f2ebd6..a260ec4471d14 100644
--- a/include/internal/quic_fifd.h
+++ b/include/internal/quic_fifd.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/internal/quic_reactor.h b/include/internal/quic_reactor.h
index 2ca32f17ac439..57bb551e27a22 100644
--- a/include/internal/quic_reactor.h
+++ b/include/internal/quic_reactor.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/internal/quic_record_rx.h b/include/internal/quic_record_rx.h
index ed5cdefb2f987..e26fd35600d66 100644
--- a/include/internal/quic_record_rx.h
+++ b/include/internal/quic_record_rx.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/internal/quic_record_tx.h b/include/internal/quic_record_tx.h
index 20fc5e268b4e1..f3b798fea06ce 100644
--- a/include/internal/quic_record_tx.h
+++ b/include/internal/quic_record_tx.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/internal/quic_record_util.h b/include/internal/quic_record_util.h
index 4ef5016b18fcf..97e630d924e0c 100644
--- a/include/internal/quic_record_util.h
+++ b/include/internal/quic_record_util.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/internal/quic_rx_depack.h b/include/internal/quic_rx_depack.h
index f69e0703117a9..c90964a7c16c1 100644
--- a/include/internal/quic_rx_depack.h
+++ b/include/internal/quic_rx_depack.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/internal/quic_sf_list.h b/include/internal/quic_sf_list.h
index 2583ae28112dc..8ed1dcb137e38 100644
--- a/include/internal/quic_sf_list.h
+++ b/include/internal/quic_sf_list.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/internal/quic_ssl.h b/include/internal/quic_ssl.h
index 77ff85a022cd4..260cef87b9763 100644
--- a/include/internal/quic_ssl.h
+++ b/include/internal/quic_ssl.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/internal/quic_statm.h b/include/internal/quic_statm.h
index 4ea60ff761029..5b33551b06cab 100644
--- a/include/internal/quic_statm.h
+++ b/include/internal/quic_statm.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/internal/quic_stream.h b/include/internal/quic_stream.h
index ad76488e8bab5..0da8febd5a8c8 100644
--- a/include/internal/quic_stream.h
+++ b/include/internal/quic_stream.h
@@ -1,5 +1,5 @@
 /*
-* Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+* Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/internal/quic_stream_map.h b/include/internal/quic_stream_map.h
index cc071dba4c773..ae7490619bb16 100644
--- a/include/internal/quic_stream_map.h
+++ b/include/internal/quic_stream_map.h
@@ -1,5 +1,5 @@
 /*
-* Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+* Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/internal/quic_tls.h b/include/internal/quic_tls.h
index 30a521a7a8b3c..0e4a9d339b74f 100644
--- a/include/internal/quic_tls.h
+++ b/include/internal/quic_tls.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/internal/quic_tserver.h b/include/internal/quic_tserver.h
index b1415d5edf78e..9213f60666aa6 100644
--- a/include/internal/quic_tserver.h
+++ b/include/internal/quic_tserver.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/internal/quic_txp.h b/include/internal/quic_txp.h
index b2dbb85f92498..64efedc27f385 100644
--- a/include/internal/quic_txp.h
+++ b/include/internal/quic_txp.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/internal/quic_txpim.h b/include/internal/quic_txpim.h
index 0f1f11c63095c..ed6e3875c47b2 100644
--- a/include/internal/quic_txpim.h
+++ b/include/internal/quic_txpim.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/internal/quic_types.h b/include/internal/quic_types.h
index f3509da2fbf9f..d42164ba56115 100644
--- a/include/internal/quic_types.h
+++ b/include/internal/quic_types.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/internal/quic_vlint.h b/include/internal/quic_vlint.h
index 77e7b592817d0..d4b70b229c323 100644
--- a/include/internal/quic_vlint.h
+++ b/include/internal/quic_vlint.h
@@ -1,5 +1,5 @@
 /*
-* Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+* Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/internal/quic_wire.h b/include/internal/quic_wire.h
index 35fc298ea19b9..cd01feb036285 100644
--- a/include/internal/quic_wire.h
+++ b/include/internal/quic_wire.h
@@ -1,5 +1,5 @@
 /*
-* Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+* Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/internal/quic_wire_pkt.h b/include/internal/quic_wire_pkt.h
index b505bc0cf37a8..18a483fc2cc68 100644
--- a/include/internal/quic_wire_pkt.h
+++ b/include/internal/quic_wire_pkt.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/internal/recordmethod.h b/include/internal/recordmethod.h
index 23eee7956648e..e0bc0f3231a9d 100644
--- a/include/internal/recordmethod.h
+++ b/include/internal/recordmethod.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/internal/refcount.h b/include/internal/refcount.h
index b82fba89ae4d6..4c9ab266d3d3f 100644
--- a/include/internal/refcount.h
+++ b/include/internal/refcount.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/internal/ring_buf.h b/include/internal/ring_buf.h
index 85a8d309bae6a..436f1ca146284 100644
--- a/include/internal/ring_buf.h
+++ b/include/internal/ring_buf.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/internal/sockets.h b/include/internal/sockets.h
index 050be74672f0f..27a26184f09d6 100644
--- a/include/internal/sockets.h
+++ b/include/internal/sockets.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/internal/ssl3_cbc.h b/include/internal/ssl3_cbc.h
index 3843696ffee70..4fb5da1906e2f 100644
--- a/include/internal/ssl3_cbc.h
+++ b/include/internal/ssl3_cbc.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/internal/statem.h b/include/internal/statem.h
index db0b214a3259b..136e6523660a5 100644
--- a/include/internal/statem.h
+++ b/include/internal/statem.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/internal/thread_arch.h b/include/internal/thread_arch.h
index 24280d9706527..1bfc0ebb3d377 100644
--- a/include/internal/thread_arch.h
+++ b/include/internal/thread_arch.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/internal/time.h b/include/internal/time.h
index 968ebbe6bdcf8..9bc5e545129cb 100644
--- a/include/internal/time.h
+++ b/include/internal/time.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/openssl/asn1.h.in b/include/openssl/asn1.h.in
index beeac1b37f6f9..798b22115ccc4 100644
--- a/include/openssl/asn1.h.in
+++ b/include/openssl/asn1.h.in
@@ -1,7 +1,7 @@
 /*
 * {- join("\n * ", @autowarntext) -}
 *
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/openssl/bio.h.in b/include/openssl/bio.h.in
index 735361b17b1d0..8aad1414460d9 100644
--- a/include/openssl/bio.h.in
+++ b/include/openssl/bio.h.in
@@ -1,7 +1,7 @@
 /*
 * {- join("\n * ", @autowarntext) -}
 *
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/openssl/cmp.h.in b/include/openssl/cmp.h.in
index d7f2354b3a974..e6af016c7fe4d 100644
--- a/include/openssl/cmp.h.in
+++ b/include/openssl/cmp.h.in
@@ -1,7 +1,7 @@
 /*
 * {- join("\n * ", @autowarntext) -}
 *
- * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright Nokia 2007-2019
 * Copyright Siemens AG 2015-2019
 *
diff --git a/include/openssl/core.h b/include/openssl/core.h
index b35392656cb84..18c199182e34a 100644
--- a/include/openssl/core.h
+++ b/include/openssl/core.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/openssl/core_dispatch.h b/include/openssl/core_dispatch.h
index 92767e413fda2..7c48bd7f863d4 100644
--- a/include/openssl/core_dispatch.h
+++ b/include/openssl/core_dispatch.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/openssl/core_names.h.in b/include/openssl/core_names.h.in
index da1767d1e95eb..c14520fe2868c 100644
--- a/include/openssl/core_names.h.in
+++ b/include/openssl/core_names.h.in
@@ -1,7 +1,7 @@
 /*
 * {- join("\n * ", @autowarntext) -}
 *
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/openssl/crmf.h.in b/include/openssl/crmf.h.in
index f5fe1ace4ed4e..43411fa42f66f 100644
--- a/include/openssl/crmf.h.in
+++ b/include/openssl/crmf.h.in
@@ -1,7 +1,7 @@
 /*-
 * {- join("\n * ", @autowarntext) -}
 *
- * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright Nokia 2007-2019
 * Copyright Siemens AG 2015-2019
 *
diff --git a/include/openssl/crypto.h.in b/include/openssl/crypto.h.in
index fb672811337fd..b2d691b90f0ec 100644
--- a/include/openssl/crypto.h.in
+++ b/include/openssl/crypto.h.in
@@ -1,7 +1,7 @@
 /*
 * {- join("\n * ", @autowarntext) -}
 *
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/include/openssl/dh.h b/include/openssl/dh.h
index da6e7b06c879a..8bc17448a0817 100644
--- a/include/openssl/dh.h
+++ b/include/openssl/dh.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/openssl/e_os2.h b/include/openssl/e_os2.h
index 42edbb923bdf5..e01f62751da55 100644
--- a/include/openssl/e_os2.h
+++ b/include/openssl/e_os2.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/openssl/ec.h b/include/openssl/ec.h
index 85ec5e3bb12bd..2fe819c462f1b 100644
--- a/include/openssl/ec.h
+++ b/include/openssl/ec.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/include/openssl/err.h.in b/include/openssl/err.h.in
index a28afa885fe23..1ef09de02e02e 100644
--- a/include/openssl/err.h.in
+++ b/include/openssl/err.h.in
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index e10c0617a4860..f343eccbffa19 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/openssl/fips_names.h b/include/openssl/fips_names.h
index 67aa1c7e42e78..5c77f6d691223 100644
--- a/include/openssl/fips_names.h
+++ b/include/openssl/fips_names.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/openssl/hpke.h b/include/openssl/hpke.h
index e39a485023d06..1bb9ada3c4a08 100644
--- a/include/openssl/hpke.h
+++ b/include/openssl/hpke.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/openssl/http.h b/include/openssl/http.h
index aa4dac1c1d58e..a3cbf15f5a0f6 100644
--- a/include/openssl/http.h
+++ b/include/openssl/http.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright Siemens AG 2018-2020
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/include/openssl/macros.h b/include/openssl/macros.h
index 55b825a1f1fbc..66fa4eec2e730 100644
--- a/include/openssl/macros.h
+++ b/include/openssl/macros.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/openssl/pkcs12.h.in b/include/openssl/pkcs12.h.in
index ad235391e06c6..35759d4deadc3 100644
--- a/include/openssl/pkcs12.h.in
+++ b/include/openssl/pkcs12.h.in
@@ -1,7 +1,7 @@
 /*
 * {- join("\n * ", @autowarntext) -}
 *
- * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/openssl/prov_ssl.h b/include/openssl/prov_ssl.h
index b120ca4be47b1..76d01e1eb89c4 100644
--- a/include/openssl/prov_ssl.h
+++ b/include/openssl/prov_ssl.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/openssl/provider.h b/include/openssl/provider.h
index 80e6db7bb2f85..24ec0827bd6bb 100644
--- a/include/openssl/provider.h
+++ b/include/openssl/provider.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/openssl/quic.h b/include/openssl/quic.h
index a8798a9a44951..74a6345d5df73 100644
--- a/include/openssl/quic.h
+++ b/include/openssl/quic.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/openssl/sha.h b/include/openssl/sha.h
index 67f89da8f0697..163a7d588af93 100644
--- a/include/openssl/sha.h
+++ b/include/openssl/sha.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/openssl/ssl3.h b/include/openssl/ssl3.h
index 3f72835a3e5b0..4f076c6c9dfb9 100644
--- a/include/openssl/ssl3.h
+++ b/include/openssl/ssl3.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/include/openssl/thread.h b/include/openssl/thread.h
index d34aa5ba949e9..3926ce54d78b5 100644
--- a/include/openssl/thread.h
+++ b/include/openssl/thread.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/include/openssl/trace.h b/include/openssl/trace.h
index dbd2ffdf5ec82..9a5b56ea5fc4b 100644
--- a/include/openssl/trace.h
+++ b/include/openssl/trace.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/openssl/x509.h.in b/include/openssl/x509.h.in
index d74f944bdc5c2..72103913053b0 100644
--- a/include/openssl/x509.h.in
+++ b/include/openssl/x509.h.in
@@ -1,7 +1,7 @@
 /*
 * {- join("\n * ", @autowarntext) -}
 *
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/include/openssl/x509v3.h.in b/include/openssl/x509v3.h.in
index 2d7164e3a24cd..569680378dfd0 100644
--- a/include/openssl/x509v3.h.in
+++ b/include/openssl/x509v3.h.in
@@ -1,7 +1,7 @@
 /*
 * {- join("\n * ", @autowarntext) -}
 *
- * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ms/applink.c b/ms/applink.c
index af9462a2b9c7d..601d016633a11 100644
--- a/ms/applink.c
+++ b/ms/applink.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/baseprov.c b/providers/baseprov.c
index 9705314261d2a..2e5dbe410fece 100644
--- a/providers/baseprov.c
+++ b/providers/baseprov.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/common/include/prov/securitycheck.h b/providers/common/include/prov/securitycheck.h
index 62e60cc0103f0..611c6d531b136 100644
--- a/providers/common/include/prov/securitycheck.h
+++ b/providers/common/include/prov/securitycheck.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c
index 2dc43334de4d7..0d3acdbe56e2f 100644
--- a/providers/common/securitycheck.c
+++ b/providers/common/securitycheck.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c
index 63c875ecd0b71..246323493eafe 100644
--- a/providers/common/securitycheck_default.c
+++ b/providers/common/securitycheck_default.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/common/securitycheck_fips.c b/providers/common/securitycheck_fips.c
index a6711b42c1b95..d1262d8795387 100644
--- a/providers/common/securitycheck_fips.c
+++ b/providers/common/securitycheck_fips.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/decoders.inc b/providers/decoders.inc
index f0bbad807cfa9..0191aa771ea6c 100644
--- a/providers/decoders.inc
+++ b/providers/decoders.inc
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/defltprov.c b/providers/defltprov.c
index fa4165b365792..f02e04835ddf0 100644
--- a/providers/defltprov.c
+++ b/providers/defltprov.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/encoders.inc b/providers/encoders.inc
index e36b99957f198..cd0d1137bb697 100644
--- a/providers/encoders.inc
+++ b/providers/encoders.inc
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index fb64633b7e26e..0a95d2364d43e 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
index 0a0046389aa6f..0be314692e887 100644
--- a/providers/fips/self_test.c
+++ b/providers/fips/self_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
index 8bbe3121490f2..2057378d3d8c4 100644
--- a/providers/fips/self_test_data.inc
+++ b/providers/fips/self_test_data.inc
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
index be7952510074e..497d69edd47c5 100644
--- a/providers/implementations/asymciphers/rsa_enc.c
+++ b/providers/implementations/asymciphers/rsa_enc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/asymciphers/sm2_enc.c b/providers/implementations/asymciphers/sm2_enc.c
index 707f1aa9e6705..a9d652be307ee 100644
--- a/providers/implementations/asymciphers/sm2_enc.c
+++ b/providers/implementations/asymciphers/sm2_enc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c b/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c
index 4ca4459218b17..f0ebfb6836732 100644
--- a/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c
+++ b/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/ciphers/cipher_aes_ccm_hw.c b/providers/implementations/ciphers/cipher_aes_ccm_hw.c
index a7e9fb4a21396..575a8ba88d8e3 100644
--- a/providers/implementations/ciphers/cipher_aes_ccm_hw.c
+++ b/providers/implementations/ciphers/cipher_aes_ccm_hw.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/ciphers/cipher_aes_ccm_hw_rv32i.inc b/providers/implementations/ciphers/cipher_aes_ccm_hw_rv32i.inc
index a09a1e8dd8c8c..7cfe0fc4ce8b6 100644
--- a/providers/implementations/ciphers/cipher_aes_ccm_hw_rv32i.inc
+++ b/providers/implementations/ciphers/cipher_aes_ccm_hw_rv32i.inc
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/ciphers/cipher_aes_ccm_hw_rv64i.inc b/providers/implementations/ciphers/cipher_aes_ccm_hw_rv64i.inc
index f37c36118caa3..203664e62e41e 100644
--- a/providers/implementations/ciphers/cipher_aes_ccm_hw_rv64i.inc
+++ b/providers/implementations/ciphers/cipher_aes_ccm_hw_rv64i.inc
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/ciphers/cipher_aes_gcm_hw.c b/providers/implementations/ciphers/cipher_aes_gcm_hw.c
index 38d8115f24e1f..4830cdc1b2d66 100644
--- a/providers/implementations/ciphers/cipher_aes_gcm_hw.c
+++ b/providers/implementations/ciphers/cipher_aes_gcm_hw.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/ciphers/cipher_aes_gcm_hw_rv32i.inc b/providers/implementations/ciphers/cipher_aes_gcm_hw_rv32i.inc
index 32abd05210dae..bf3f98df16314 100644
--- a/providers/implementations/ciphers/cipher_aes_gcm_hw_rv32i.inc
+++ b/providers/implementations/ciphers/cipher_aes_gcm_hw_rv32i.inc
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/ciphers/cipher_aes_gcm_hw_rv64i.inc b/providers/implementations/ciphers/cipher_aes_gcm_hw_rv64i.inc
index a89ab1781185a..7387adfdeddf3 100644
--- a/providers/implementations/ciphers/cipher_aes_gcm_hw_rv64i.inc
+++ b/providers/implementations/ciphers/cipher_aes_gcm_hw_rv64i.inc
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/ciphers/cipher_aes_gcm_siv.c b/providers/implementations/ciphers/cipher_aes_gcm_siv.c
index dd2fdb64a48ed..3f3606cc79b03 100644
--- a/providers/implementations/ciphers/cipher_aes_gcm_siv.c
+++ b/providers/implementations/ciphers/cipher_aes_gcm_siv.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/ciphers/cipher_aes_gcm_siv_polyval.c b/providers/implementations/ciphers/cipher_aes_gcm_siv_polyval.c
index 1b82e0f194a89..fead51dd36f70 100644
--- a/providers/implementations/ciphers/cipher_aes_gcm_siv_polyval.c
+++ b/providers/implementations/ciphers/cipher_aes_gcm_siv_polyval.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/ciphers/cipher_aes_hw.c b/providers/implementations/ciphers/cipher_aes_hw.c
index 1a59f24d352d4..0a1243a5fc031 100644
--- a/providers/implementations/ciphers/cipher_aes_hw.c
+++ b/providers/implementations/ciphers/cipher_aes_hw.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/ciphers/cipher_aes_hw_rv32i.inc b/providers/implementations/ciphers/cipher_aes_hw_rv32i.inc
index a23c08ac9e172..f6c652c32d9b3 100644
--- a/providers/implementations/ciphers/cipher_aes_hw_rv32i.inc
+++ b/providers/implementations/ciphers/cipher_aes_hw_rv32i.inc
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/ciphers/cipher_aes_hw_rv64i.inc b/providers/implementations/ciphers/cipher_aes_hw_rv64i.inc
index 3cf3c8e3a41be..7ebf52f97149e 100644
--- a/providers/implementations/ciphers/cipher_aes_hw_rv64i.inc
+++ b/providers/implementations/ciphers/cipher_aes_hw_rv64i.inc
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/ciphers/cipher_aes_ocb.c b/providers/implementations/ciphers/cipher_aes_ocb.c
index 3044faa306ae0..3f3cc6efbb3c7 100644
--- a/providers/implementations/ciphers/cipher_aes_ocb.c
+++ b/providers/implementations/ciphers/cipher_aes_ocb.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/ciphers/cipher_aes_ocb_hw.c b/providers/implementations/ciphers/cipher_aes_ocb_hw.c
index 62d762d49b8f1..2672b92ec4712 100644
--- a/providers/implementations/ciphers/cipher_aes_ocb_hw.c
+++ b/providers/implementations/ciphers/cipher_aes_ocb_hw.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/ciphers/cipher_aes_siv.c b/providers/implementations/ciphers/cipher_aes_siv.c
index 01d02b14874cf..e780cfa44c734 100644
--- a/providers/implementations/ciphers/cipher_aes_siv.c
+++ b/providers/implementations/ciphers/cipher_aes_siv.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/ciphers/cipher_aes_wrp.c b/providers/implementations/ciphers/cipher_aes_wrp.c
index b3737e34d9b76..ecebf213e2631 100644
--- a/providers/implementations/ciphers/cipher_aes_wrp.c
+++ b/providers/implementations/ciphers/cipher_aes_wrp.c
@@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/ciphers/cipher_aes_xts.c b/providers/implementations/ciphers/cipher_aes_xts.c index f5a97bf0bb9dd..cce2537ea778f 100644 --- a/providers/implementations/ciphers/cipher_aes_xts.c +++ b/providers/implementations/ciphers/cipher_aes_xts.c @@ -1,6 +1,6 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/ciphers/cipher_aes_xts_hw.c b/providers/implementations/ciphers/cipher_aes_xts_hw.c index 223b49b0b98f1..564d6d67645e0 100644 --- a/providers/implementations/ciphers/cipher_aes_xts_hw.c +++ b/providers/implementations/ciphers/cipher_aes_xts_hw.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/ciphers/cipher_chacha20.c b/providers/implementations/ciphers/cipher_chacha20.c index 49e36ba1a9777..5e2ad91445e7e 100644 --- a/providers/implementations/ciphers/cipher_chacha20.c +++ b/providers/implementations/ciphers/cipher_chacha20.c 
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/ciphers/cipher_chacha20_poly1305.c b/providers/implementations/ciphers/cipher_chacha20_poly1305.c
index 50fdd15bdc172..662b4e03e5424 100644
--- a/providers/implementations/ciphers/cipher_chacha20_poly1305.c
+++ b/providers/implementations/ciphers/cipher_chacha20_poly1305.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/ciphers/cipher_chacha20_poly1305.h b/providers/implementations/ciphers/cipher_chacha20_poly1305.h
index 9a5ce34e7bc3a..f2ea26a77f3a4 100644
--- a/providers/implementations/ciphers/cipher_chacha20_poly1305.h
+++ b/providers/implementations/ciphers/cipher_chacha20_poly1305.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/ciphers/cipher_chacha20_poly1305_hw.c b/providers/implementations/ciphers/cipher_chacha20_poly1305_hw.c
index 421380e86ebb7..8173663e5e7ee 100644
--- a/providers/implementations/ciphers/cipher_chacha20_poly1305_hw.c
+++ b/providers/implementations/ciphers/cipher_chacha20_poly1305_hw.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/ciphers/cipher_cts.h b/providers/implementations/ciphers/cipher_cts.h
index d52c99f1ac40c..a26e5a9e0719e 100644
--- a/providers/implementations/ciphers/cipher_cts.h
+++ b/providers/implementations/ciphers/cipher_cts.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/ciphers/cipher_des.c b/providers/implementations/ciphers/cipher_des.c
index 1cbf677b27e86..ca2a924a91738 100644
--- a/providers/implementations/ciphers/cipher_des.c
+++ b/providers/implementations/ciphers/cipher_des.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/ciphers/cipher_null.c b/providers/implementations/ciphers/cipher_null.c
index 0bd2bcbb1488f..c911049e2d0b7 100644
--- a/providers/implementations/ciphers/cipher_null.c
+++ b/providers/implementations/ciphers/cipher_null.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/ciphers/cipher_rc2.c b/providers/implementations/ciphers/cipher_rc2.c
index 34e6375a7d093..5c2301e86610b 100644
--- a/providers/implementations/ciphers/cipher_rc2.c
+++ b/providers/implementations/ciphers/cipher_rc2.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/ciphers/cipher_rc4.c b/providers/implementations/ciphers/cipher_rc4.c
index 4672c3fe53ca0..9107500a14dad 100644
--- a/providers/implementations/ciphers/cipher_rc4.c
+++ b/providers/implementations/ciphers/cipher_rc4.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/ciphers/cipher_rc4_hmac_md5.c b/providers/implementations/ciphers/cipher_rc4_hmac_md5.c
index 053bcda6536f6..99d5dd716926f 100644
--- a/providers/implementations/ciphers/cipher_rc4_hmac_md5.c
+++ b/providers/implementations/ciphers/cipher_rc4_hmac_md5.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/ciphers/cipher_rc4_hmac_md5.h b/providers/implementations/ciphers/cipher_rc4_hmac_md5.h
index c79e5ad6dfb0f..4a1d154a7ceb1 100644
--- a/providers/implementations/ciphers/cipher_rc4_hmac_md5.h
+++ b/providers/implementations/ciphers/cipher_rc4_hmac_md5.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/ciphers/cipher_rc5.c b/providers/implementations/ciphers/cipher_rc5.c
index 3d6aa0e24bdaf..5b68b25938f08 100644
--- a/providers/implementations/ciphers/cipher_rc5.c
+++ b/providers/implementations/ciphers/cipher_rc5.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/ciphers/cipher_sm4_ccm_hw.c b/providers/implementations/ciphers/cipher_sm4_ccm_hw.c
index 468c1f3b8b927..537024b09c02b 100644
--- a/providers/implementations/ciphers/cipher_sm4_ccm_hw.c
+++ b/providers/implementations/ciphers/cipher_sm4_ccm_hw.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/ciphers/cipher_sm4_gcm_hw.c b/providers/implementations/ciphers/cipher_sm4_gcm_hw.c
index 508280998237a..432e3589ed86d 100644
--- a/providers/implementations/ciphers/cipher_sm4_gcm_hw.c
+++ b/providers/implementations/ciphers/cipher_sm4_gcm_hw.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/ciphers/cipher_sm4_hw.c b/providers/implementations/ciphers/cipher_sm4_hw.c
index d8bc5a1e856ea..7419744a46c51 100644
--- a/providers/implementations/ciphers/cipher_sm4_hw.c
+++ b/providers/implementations/ciphers/cipher_sm4_hw.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/ciphers/cipher_sm4_xts.c b/providers/implementations/ciphers/cipher_sm4_xts.c
index 24b0771f2b602..e8c28e266044c 100644
--- a/providers/implementations/ciphers/cipher_sm4_xts.c
+++ b/providers/implementations/ciphers/cipher_sm4_xts.c
@@ -1,6 +1,6 @@ /* - * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/ciphers/cipher_sm4_xts.h b/providers/implementations/ciphers/cipher_sm4_xts.h
index cfca596979cc8..43d9a212e55fd 100644
--- a/providers/implementations/ciphers/cipher_sm4_xts.h
+++ b/providers/implementations/ciphers/cipher_sm4_xts.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/ciphers/cipher_sm4_xts_hw.c b/providers/implementations/ciphers/cipher_sm4_xts_hw.c
index 67a9923d94084..44af243a69241 100644
--- a/providers/implementations/ciphers/cipher_sm4_xts_hw.c
+++ b/providers/implementations/ciphers/cipher_sm4_xts_hw.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/ciphers/cipher_tdes.h b/providers/implementations/ciphers/cipher_tdes.h
index 88987d76fb605..3c98ed241d39b 100644
--- a/providers/implementations/ciphers/cipher_tdes.h
+++ b/providers/implementations/ciphers/cipher_tdes.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/ciphers/cipher_tdes_common.c b/providers/implementations/ciphers/cipher_tdes_common.c
index c688b990a0db2..ceaa0f9821a76 100644
--- a/providers/implementations/ciphers/cipher_tdes_common.c
+++ b/providers/implementations/ciphers/cipher_tdes_common.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/ciphers/cipher_tdes_wrap.c b/providers/implementations/ciphers/cipher_tdes_wrap.c
index dbaf4890ac845..391383b550d7d 100644
--- a/providers/implementations/ciphers/cipher_tdes_wrap.c
+++ b/providers/implementations/ciphers/cipher_tdes_wrap.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/ciphers/ciphercommon_block.c b/providers/implementations/ciphers/ciphercommon_block.c
index ccc3dfb2d7099..cfc78e07709fb 100644
--- a/providers/implementations/ciphers/ciphercommon_block.c
+++ b/providers/implementations/ciphers/ciphercommon_block.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/ciphers/ciphercommon_gcm.c b/providers/implementations/ciphers/ciphercommon_gcm.c
index dac123f0c66e1..cd7852a547aa9 100644
--- a/providers/implementations/ciphers/ciphercommon_gcm.c
+++ b/providers/implementations/ciphers/ciphercommon_gcm.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/digests/blake2_prov.c b/providers/implementations/digests/blake2_prov.c
index aa6ddace39e90..2288286bbe44e 100644
--- a/providers/implementations/digests/blake2_prov.c
+++ b/providers/implementations/digests/blake2_prov.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/digests/blake2b_prov.c b/providers/implementations/digests/blake2b_prov.c
index 109a6ce1c8082..8125dab41f415 100644
--- a/providers/implementations/digests/blake2b_prov.c
+++ b/providers/implementations/digests/blake2b_prov.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/digests/sha2_prov.c b/providers/implementations/digests/sha2_prov.c
index 039c616095667..60f1912cc4fa8 100644
--- a/providers/implementations/digests/sha2_prov.c
+++ b/providers/implementations/digests/sha2_prov.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/digests/sha3_prov.c b/providers/implementations/digests/sha3_prov.c
index 7bb0bff851946..0c643f8238284 100644
--- a/providers/implementations/digests/sha3_prov.c
+++ b/providers/implementations/digests/sha3_prov.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/encode_decode/decode_der2key.c b/providers/implementations/encode_decode/decode_der2key.c
index 45b39ed35848b..b0d4e0ecf6a35 100644
--- a/providers/implementations/encode_decode/decode_der2key.c
+++ b/providers/implementations/encode_decode/decode_der2key.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/encode_decode/decode_epki2pki.c b/providers/implementations/encode_decode/decode_epki2pki.c
index 5dd13f5a928ec..37d9bd1858ffd 100644
--- a/providers/implementations/encode_decode/decode_epki2pki.c
+++ b/providers/implementations/encode_decode/decode_epki2pki.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/encode_decode/decode_msblob2key.c b/providers/implementations/encode_decode/decode_msblob2key.c
index 7c4f993b899eb..df327210f1140 100644
--- a/providers/implementations/encode_decode/decode_msblob2key.c
+++ b/providers/implementations/encode_decode/decode_msblob2key.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/encode_decode/decode_pem2der.c b/providers/implementations/encode_decode/decode_pem2der.c
index 4423c1e5a584c..ea6eb7f9610f1 100644
--- a/providers/implementations/encode_decode/decode_pem2der.c
+++ b/providers/implementations/encode_decode/decode_pem2der.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/encode_decode/decode_pvk2key.c b/providers/implementations/encode_decode/decode_pvk2key.c
index 5355cf11d6f70..ea4585d93c5c7 100644
--- a/providers/implementations/encode_decode/decode_pvk2key.c
+++ b/providers/implementations/encode_decode/decode_pvk2key.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/encode_decode/decode_spki2typespki.c b/providers/implementations/encode_decode/decode_spki2typespki.c
index 11f5426661b0d..7074be93d6b3c 100644
--- a/providers/implementations/encode_decode/decode_spki2typespki.c
+++ b/providers/implementations/encode_decode/decode_spki2typespki.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/encode_decode/encode_key2any.c b/providers/implementations/encode_decode/encode_key2any.c
index df0b0fd608f85..c1b0dea7803e4 100644
--- a/providers/implementations/encode_decode/encode_key2any.c
+++ b/providers/implementations/encode_decode/encode_key2any.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/encode_decode/encode_key2blob.c b/providers/implementations/encode_decode/encode_key2blob.c
index ae1612aaf1d71..29e72faa63def 100644
--- a/providers/implementations/encode_decode/encode_key2blob.c
+++ b/providers/implementations/encode_decode/encode_key2blob.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/encode_decode/encode_key2ms.c b/providers/implementations/encode_decode/encode_key2ms.c
index d11affbfa9765..1f21a5129615a 100644
--- a/providers/implementations/encode_decode/encode_key2ms.c
+++ b/providers/implementations/encode_decode/encode_key2ms.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/encode_decode/encode_key2text.c b/providers/implementations/encode_decode/encode_key2text.c
index 4c8ca992d3687..f335870a4cf5d 100644
--- a/providers/implementations/encode_decode/encode_key2text.c
+++ b/providers/implementations/encode_decode/encode_key2text.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/exchange/dh_exch.c b/providers/implementations/exchange/dh_exch.c
index 7d77e6aae8b18..20b8fa0078c90 100644
--- a/providers/implementations/exchange/dh_exch.c
+++ b/providers/implementations/exchange/dh_exch.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/exchange/ecdh_exch.c b/providers/implementations/exchange/ecdh_exch.c
index 164417abc8b2f..5b8412aba16df 100644
--- a/providers/implementations/exchange/ecdh_exch.c
+++ b/providers/implementations/exchange/ecdh_exch.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/exchange/ecx_exch.c b/providers/implementations/exchange/ecx_exch.c
index 335ec6f7630aa..ccf39462eddc3 100644
--- a/providers/implementations/exchange/ecx_exch.c
+++ b/providers/implementations/exchange/ecx_exch.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/exchange/kdf_exch.c b/providers/implementations/exchange/kdf_exch.c
index b1be99f2e2281..4aaf67339828c 100644
--- a/providers/implementations/exchange/kdf_exch.c
+++ b/providers/implementations/exchange/kdf_exch.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/include/prov/blake2.h b/providers/implementations/include/prov/blake2.h
index 379dfedc0bcc9..4ec780c21f50b 100644
--- a/providers/implementations/include/prov/blake2.h
+++ b/providers/implementations/include/prov/blake2.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/include/prov/ciphercommon.h b/providers/implementations/include/prov/ciphercommon.h
index 62903b16bb343..2a7a059086fb9 100644
--- a/providers/implementations/include/prov/ciphercommon.h
+++ b/providers/implementations/include/prov/ciphercommon.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/include/prov/ciphercommon_aead.h b/providers/implementations/include/prov/ciphercommon_aead.h
index face9c9e3642e..0dd63cbe5343d 100644
--- a/providers/implementations/include/prov/ciphercommon_aead.h
+++ b/providers/implementations/include/prov/ciphercommon_aead.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/include/prov/implementations.h b/providers/implementations/include/prov/implementations.h
index 1c7bb4ab8d867..80b544c4297ae 100644
--- a/providers/implementations/include/prov/implementations.h
+++ b/providers/implementations/include/prov/implementations.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/include/prov/kdfexchange.h b/providers/implementations/include/prov/kdfexchange.h
index 8d95a99438d37..cf08f785ee0cf 100644
--- a/providers/implementations/include/prov/kdfexchange.h
+++ b/providers/implementations/include/prov/kdfexchange.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/include/prov/macsignature.h b/providers/implementations/include/prov/macsignature.h
index 45a50c36f2580..e13ff362ce00e 100644
--- a/providers/implementations/include/prov/macsignature.h
+++ b/providers/implementations/include/prov/macsignature.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/include/prov/names.h b/providers/implementations/include/prov/names.h
index af7e45a3f6e3a..f0ad4353460d2 100644
--- a/providers/implementations/include/prov/names.h
+++ b/providers/implementations/include/prov/names.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/kdfs/argon2.c b/providers/implementations/kdfs/argon2.c
index ffeb810fbc016..323b0f3ab6b87 100644
--- a/providers/implementations/kdfs/argon2.c
+++ b/providers/implementations/kdfs/argon2.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c
index 7f42f426479f3..a83e2982278bf 100644
--- a/providers/implementations/kdfs/hkdf.c
+++ b/providers/implementations/kdfs/hkdf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/kdfs/hmacdrbg_kdf.c b/providers/implementations/kdfs/hmacdrbg_kdf.c
index 1ffb368d01ea8..30f1dfbd2439f 100644
--- a/providers/implementations/kdfs/hmacdrbg_kdf.c
+++ b/providers/implementations/kdfs/hmacdrbg_kdf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c
index 2460236b31936..e6855d5732404 100644
--- a/providers/implementations/kdfs/kbkdf.c
+++ b/providers/implementations/kdfs/kbkdf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright 2019 Red Hat, Inc.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/providers/implementations/kdfs/krb5kdf.c b/providers/implementations/kdfs/krb5kdf.c
index 5143462f4fddd..b6cf0e3a2bcf3 100644
--- a/providers/implementations/kdfs/krb5kdf.c
+++ b/providers/implementations/kdfs/krb5kdf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/kdfs/pbkdf1.c b/providers/implementations/kdfs/pbkdf1.c
index 713d51d597dbc..6f95df071b359 100644
--- a/providers/implementations/kdfs/pbkdf1.c
+++ b/providers/implementations/kdfs/pbkdf1.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c
index fb2cd87fb7045..f2d190c308f6a 100644
--- a/providers/implementations/kdfs/pbkdf2.c
+++ b/providers/implementations/kdfs/pbkdf2.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/kdfs/pkcs12kdf.c b/providers/implementations/kdfs/pkcs12kdf.c
index 38303a7464b29..0679c05f931be 100644
--- a/providers/implementations/kdfs/pkcs12kdf.c
+++ b/providers/implementations/kdfs/pkcs12kdf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/kdfs/pvkkdf.c b/providers/implementations/kdfs/pvkkdf.c
index 7e7cf36b0018b..85a250ff7c13c 100644
--- a/providers/implementations/kdfs/pvkkdf.c
+++ b/providers/implementations/kdfs/pvkkdf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/kdfs/scrypt.c b/providers/implementations/kdfs/scrypt.c
index 94d06f29eea85..ee2d4a7d321c9 100644
--- a/providers/implementations/kdfs/scrypt.c
+++ b/providers/implementations/kdfs/scrypt.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/kdfs/sshkdf.c b/providers/implementations/kdfs/sshkdf.c
index 50d2943204c8e..90986bc7622eb 100644
--- a/providers/implementations/kdfs/sshkdf.c
+++ b/providers/implementations/kdfs/sshkdf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/kdfs/sskdf.c b/providers/implementations/kdfs/sskdf.c
index ca5042b22de7f..db750a4f23366 100644
--- a/providers/implementations/kdfs/sskdf.c
+++ b/providers/implementations/kdfs/sskdf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c
index 32662360e9c44..ff305579c3249 100644
--- a/providers/implementations/kdfs/tls1_prf.c
+++ b/providers/implementations/kdfs/tls1_prf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/kdfs/x942kdf.c b/providers/implementations/kdfs/x942kdf.c
index 4539c44872f7e..19b54493efca0 100644
--- a/providers/implementations/kdfs/x942kdf.c
+++ b/providers/implementations/kdfs/x942kdf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/providers/implementations/kem/ec_kem.c b/providers/implementations/kem/ec_kem.c
index 6a7abbc75c8f1..b82f903662388 100644
--- a/providers/implementations/kem/ec_kem.c
+++ b/providers/implementations/kem/ec_kem.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/kem/ecx_kem.c b/providers/implementations/kem/ecx_kem.c
index 87ec09c50ffae..4a762f21534ff 100644
--- a/providers/implementations/kem/ecx_kem.c
+++ b/providers/implementations/kem/ecx_kem.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c
index f0a3462f8e069..ff22ddffcf6c6 100644
--- a/providers/implementations/kem/rsa_kem.c
+++ b/providers/implementations/kem/rsa_kem.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
index eaca876bb9d13..a16817d2036ba 100644
--- a/providers/implementations/keymgmt/dh_kmgmt.c
+++ b/providers/implementations/keymgmt/dh_kmgmt.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/keymgmt/dsa_kmgmt.c b/providers/implementations/keymgmt/dsa_kmgmt.c
index c2400e4602ddd..a89d20822bf12 100644
--- a/providers/implementations/keymgmt/dsa_kmgmt.c
+++ b/providers/implementations/keymgmt/dsa_kmgmt.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c
index d9c585cd3b4ed..93909353942fd 100644
--- a/providers/implementations/keymgmt/ec_kmgmt.c
+++ b/providers/implementations/keymgmt/ec_kmgmt.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/keymgmt/ecx_kmgmt.c b/providers/implementations/keymgmt/ecx_kmgmt.c
index 0a354ea721d02..8a9fe1b21b813 100644
--- a/providers/implementations/keymgmt/ecx_kmgmt.c
+++ b/providers/implementations/keymgmt/ecx_kmgmt.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/keymgmt/kdf_legacy_kmgmt.c b/providers/implementations/keymgmt/kdf_legacy_kmgmt.c
index a2303f2e193fa..deb49600066d9 100644
--- a/providers/implementations/keymgmt/kdf_legacy_kmgmt.c
+++ b/providers/implementations/keymgmt/kdf_legacy_kmgmt.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/keymgmt/mac_legacy_kmgmt.c b/providers/implementations/keymgmt/mac_legacy_kmgmt.c
index 9b37027a966e7..f952ebb2277ab 100644
--- a/providers/implementations/keymgmt/mac_legacy_kmgmt.c
+++ b/providers/implementations/keymgmt/mac_legacy_kmgmt.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c
index 41b5390bf57ee..c24cb8da88ea6 100644
--- a/providers/implementations/keymgmt/rsa_kmgmt.c
+++ b/providers/implementations/keymgmt/rsa_kmgmt.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/macs/blake2_mac_impl.c b/providers/implementations/macs/blake2_mac_impl.c
index e52544fc5baf4..ec22e607a0467 100644
--- a/providers/implementations/macs/blake2_mac_impl.c
+++ b/providers/implementations/macs/blake2_mac_impl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/macs/cmac_prov.c b/providers/implementations/macs/cmac_prov.c
index 5a2421ccfc746..1b3893598d888 100644
--- a/providers/implementations/macs/cmac_prov.c
+++ b/providers/implementations/macs/cmac_prov.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/macs/gmac_prov.c b/providers/implementations/macs/gmac_prov.c
index 5455ffc490d6d..122df5f609070 100644
--- a/providers/implementations/macs/gmac_prov.c
+++ b/providers/implementations/macs/gmac_prov.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/macs/hmac_prov.c b/providers/implementations/macs/hmac_prov.c
index 32940e6a0b485..a1f3c2db84d65 100644
--- a/providers/implementations/macs/hmac_prov.c
+++ b/providers/implementations/macs/hmac_prov.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/macs/kmac_prov.c b/providers/implementations/macs/kmac_prov.c
index b38dba2d7d99b..4d920c249a74e 100644
--- a/providers/implementations/macs/kmac_prov.c
+++ b/providers/implementations/macs/kmac_prov.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/macs/poly1305_prov.c b/providers/implementations/macs/poly1305_prov.c
index 2d10d10521c60..19974f9289b16 100644
--- a/providers/implementations/macs/poly1305_prov.c
+++ b/providers/implementations/macs/poly1305_prov.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/macs/siphash_prov.c b/providers/implementations/macs/siphash_prov.c
index ded324acb6348..a54def3b85727 100644
--- a/providers/implementations/macs/siphash_prov.c
+++ b/providers/implementations/macs/siphash_prov.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/rands/drbg.c b/providers/implementations/rands/drbg.c
index 7a4854f0d7cc4..348d5f50808ed 100644
--- a/providers/implementations/rands/drbg.c
+++ b/providers/implementations/rands/drbg.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2011-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2011-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/rands/drbg_ctr.c b/providers/implementations/rands/drbg_ctr.c
index c303d03eb0ad2..2dc51d03c1653 100644
--- a/providers/implementations/rands/drbg_ctr.c
+++ b/providers/implementations/rands/drbg_ctr.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2011-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2011-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/rands/drbg_hash.c b/providers/implementations/rands/drbg_hash.c
index b2395b61c8d87..246aab58c96c0 100644
--- a/providers/implementations/rands/drbg_hash.c
+++ b/providers/implementations/rands/drbg_hash.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2011-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2011-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/rands/drbg_hmac.c b/providers/implementations/rands/drbg_hmac.c
index 3df0c2ac2b007..ca190a740e4ca 100644
--- a/providers/implementations/rands/drbg_hmac.c
+++ b/providers/implementations/rands/drbg_hmac.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2011-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2011-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/rands/drbg_local.h b/providers/implementations/rands/drbg_local.h
index 4c815ae2e67b7..dd46593a5f096 100644
--- a/providers/implementations/rands/drbg_local.h
+++ b/providers/implementations/rands/drbg_local.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/rands/seed_src.c b/providers/implementations/rands/seed_src.c
index ee7dfc35b285f..e57c9c4d4160f 100644
--- a/providers/implementations/rands/seed_src.c
+++ b/providers/implementations/rands/seed_src.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/rands/seeding/rand_unix.c b/providers/implementations/rands/seeding/rand_unix.c
index a6d246ad235e8..ab77814a7466b 100644
--- a/providers/implementations/rands/seeding/rand_unix.c
+++ b/providers/implementations/rands/seeding/rand_unix.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/rands/test_rng.c b/providers/implementations/rands/test_rng.c
index 46d18f28c567b..bbea11cd6baf0 100644
--- a/providers/implementations/rands/test_rng.c
+++ b/providers/implementations/rands/test_rng.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c
index c840032ef41f5..b89a0f6836b2b 100644
--- a/providers/implementations/signature/dsa_sig.c
+++ b/providers/implementations/signature/dsa_sig.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
index ec01b741732da..fe65ed8dc6454 100644
--- a/providers/implementations/signature/ecdsa_sig.c
+++ b/providers/implementations/signature/ecdsa_sig.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/signature/eddsa_sig.c b/providers/implementations/signature/eddsa_sig.c
index acc6f5e4e70bc..8594af39e140d 100644
--- a/providers/implementations/signature/eddsa_sig.c
+++ b/providers/implementations/signature/eddsa_sig.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/signature/mac_legacy_sig.c b/providers/implementations/signature/mac_legacy_sig.c
index d3172f86b3787..b25a74506ab02 100644
--- a/providers/implementations/signature/mac_legacy_sig.c
+++ b/providers/implementations/signature/mac_legacy_sig.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
index e4c08617d2827..b8648b54bf606 100644
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/signature/sm2_sig.c b/providers/implementations/signature/sm2_sig.c
index aef9aa0d3104d..a61fd0864f141 100644
--- a/providers/implementations/signature/sm2_sig.c
+++ b/providers/implementations/signature/sm2_sig.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/storemgmt/file_store.c b/providers/implementations/storemgmt/file_store.c
index e7added1a9f51..171c74d581aeb 100644
--- a/providers/implementations/storemgmt/file_store.c
+++ b/providers/implementations/storemgmt/file_store.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/storemgmt/file_store_any2obj.c b/providers/implementations/storemgmt/file_store_any2obj.c
index bcf175fff2ef8..b8fa591085600 100644
--- a/providers/implementations/storemgmt/file_store_any2obj.c
+++ b/providers/implementations/storemgmt/file_store_any2obj.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/implementations/storemgmt/winstore_store.c b/providers/implementations/storemgmt/winstore_store.c
index 5e873a183fe50..e230101d73c43 100644
--- a/providers/implementations/storemgmt/winstore_store.c
+++ b/providers/implementations/storemgmt/winstore_store.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/legacyprov.c b/providers/legacyprov.c
index 690c3a8bda737..16e3639e76f18 100644
--- a/providers/legacyprov.c
+++ b/providers/legacyprov.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/nullprov.c b/providers/nullprov.c
index c79ffccff4739..bace75af15763 100644
--- a/providers/nullprov.c
+++ b/providers/nullprov.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/bio_ssl.c b/ssl/bio_ssl.c
index b342c846daa03..68dd48a5ef3be 100644
--- a/ssl/bio_ssl.c
+++ b/ssl/bio_ssl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
index f1ad5e39552a4..a217480b08058 100644
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2005-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/d1_msg.c b/ssl/d1_msg.c
index 23cfa150fc990..b1e1fad16d9e4 100644
--- a/ssl/d1_msg.c
+++ b/ssl/d1_msg.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2005-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/d1_srtp.c b/ssl/d1_srtp.c
index 6228fe1871e71..5ca135d970370 100644
--- a/ssl/d1_srtp.c
+++ b/ssl/d1_srtp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2011-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/event_queue.c b/ssl/event_queue.c
index f2169ec3abd00..49890a36b505f 100644
--- a/ssl/event_queue.c
+++ b/ssl/event_queue.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/priority_queue.c b/ssl/priority_queue.c
index c34f21830b8d1..ab2442aeae72a 100644
--- a/ssl/priority_queue.c
+++ b/ssl/priority_queue.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/quic/quic_ackm.c b/ssl/quic/quic_ackm.c
index aa035da91268e..728a186d3b057 100644
--- a/ssl/quic/quic_ackm.c
+++ b/ssl/quic/quic_ackm.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/quic/quic_cfq.c b/ssl/quic/quic_cfq.c
index f9d66281cdf13..9b9999a823dc7 100644
--- a/ssl/quic/quic_cfq.c
+++ b/ssl/quic/quic_cfq.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/quic/quic_channel.c b/ssl/quic/quic_channel.c
index 78aaabef52525..ce938b70f06a6 100644
--- a/ssl/quic/quic_channel.c
+++ b/ssl/quic/quic_channel.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/quic/quic_demux.c b/ssl/quic/quic_demux.c
index bc2cde726b9a5..88135fe5b9e44 100644
--- a/ssl/quic/quic_demux.c
+++ b/ssl/quic/quic_demux.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/quic/quic_fc.c b/ssl/quic/quic_fc.c
index 6cb5834c259f5..1a9c5890f80a9 100644
--- a/ssl/quic/quic_fc.c
+++ b/ssl/quic/quic_fc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/quic/quic_fifd.c b/ssl/quic/quic_fifd.c
index 5a69e0e8ff8c0..a3dd1db978a96 100644
--- a/ssl/quic/quic_fifd.c
+++ b/ssl/quic/quic_fifd.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c
index c43f8a7fc866c..ca4ef0ebbbbda 100644
--- a/ssl/quic/quic_impl.c
+++ b/ssl/quic/quic_impl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/quic/quic_local.h b/ssl/quic/quic_local.h
index f492dc656b902..517904d90f775 100644
--- a/ssl/quic/quic_local.h
+++ b/ssl/quic/quic_local.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/quic/quic_method.c b/ssl/quic/quic_method.c
index 118f5a07c57cd..2882a40f3f482 100644
--- a/ssl/quic/quic_method.c
+++ b/ssl/quic/quic_method.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/quic/quic_reactor.c b/ssl/quic/quic_reactor.c
index 9aea218d27d01..3975b87717ad8 100644
--- a/ssl/quic/quic_reactor.c
+++ b/ssl/quic/quic_reactor.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/quic/quic_record_rx.c b/ssl/quic/quic_record_rx.c
index e4705a1cce85a..31c1f8fffdf5b 100644
--- a/ssl/quic/quic_record_rx.c
+++ b/ssl/quic/quic_record_rx.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/quic/quic_record_tx.c b/ssl/quic/quic_record_tx.c
index 044c19da38ea6..d450470366db3 100644
--- a/ssl/quic/quic_record_tx.c
+++ b/ssl/quic/quic_record_tx.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/quic/quic_record_util.c b/ssl/quic/quic_record_util.c
index 008500f724325..e95a84c39b5df 100644
--- a/ssl/quic/quic_record_util.c
+++ b/ssl/quic/quic_record_util.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/quic/quic_rstream.c b/ssl/quic/quic_rstream.c
index c51bc2014c09f..dd3dbf756b447 100644
--- a/ssl/quic/quic_rstream.c
+++ b/ssl/quic/quic_rstream.c
@@ -1,5 +1,5 @@
 /*
-* Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+* Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/quic/quic_rx_depack.c b/ssl/quic/quic_rx_depack.c
index f7f8bf6ea3dda..f2a564862b9ac 100644
--- a/ssl/quic/quic_rx_depack.c
+++ b/ssl/quic/quic_rx_depack.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/quic/quic_sf_list.c b/ssl/quic/quic_sf_list.c
index 7f3fc9b842531..0541a2ab6371f 100644
--- a/ssl/quic/quic_sf_list.c
+++ b/ssl/quic/quic_sf_list.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/quic/quic_sstream.c b/ssl/quic/quic_sstream.c
index b6cf311cfc6c1..a5ae234a8e817 100644
--- a/ssl/quic/quic_sstream.c
+++ b/ssl/quic/quic_sstream.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/quic/quic_statm.c b/ssl/quic/quic_statm.c
index 4e24fc11db5de..f1e0f65914117 100644
--- a/ssl/quic/quic_statm.c
+++ b/ssl/quic/quic_statm.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/quic/quic_stream_map.c b/ssl/quic/quic_stream_map.c
index 4b595f50e7c82..0f41b03da58d6 100644
--- a/ssl/quic/quic_stream_map.c
+++ b/ssl/quic/quic_stream_map.c
@@ -1,5 +1,5 @@
 /*
-* Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+* Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/quic/quic_tls.c b/ssl/quic/quic_tls.c
index ff4c8dac0bc28..a1bcedbfb0716 100644
--- a/ssl/quic/quic_tls.c
+++ b/ssl/quic/quic_tls.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/quic/quic_tserver.c b/ssl/quic/quic_tserver.c
index a3359c21c022f..788d4780d8e38 100644
--- a/ssl/quic/quic_tserver.c
+++ b/ssl/quic/quic_tserver.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/quic/quic_txp.c b/ssl/quic/quic_txp.c
index 97cba812e767c..8a825b5bfe9d6 100644
--- a/ssl/quic/quic_txp.c
+++ b/ssl/quic/quic_txp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/quic/quic_txpim.c b/ssl/quic/quic_txpim.c
index 716a0141ab564..04b25ee47a046 100644
--- a/ssl/quic/quic_txpim.c
+++ b/ssl/quic/quic_txpim.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/quic/quic_wire.c b/ssl/quic/quic_wire.c
index a38efa758a6a7..6f8da05124b6f 100644
--- a/ssl/quic/quic_wire.c
+++ b/ssl/quic/quic_wire.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/quic/quic_wire_pkt.c b/ssl/quic/quic_wire_pkt.c
index 069f0c8fa5e69..136c40e7ad853 100644
--- a/ssl/quic/quic_wire_pkt.c
+++ b/ssl/quic/quic_wire_pkt.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/quic/uint_set.c b/ssl/quic/uint_set.c
index 3649e7eec2434..faca906003b02 100644
--- a/ssl/quic/uint_set.c
+++ b/ssl/quic/uint_set.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/record/methods/dtls_meth.c b/ssl/record/methods/dtls_meth.c
index c5477b9b75e36..fd89038eb0c46 100644
--- a/ssl/record/methods/dtls_meth.c
+++ b/ssl/record/methods/dtls_meth.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/record/methods/ktls_meth.c b/ssl/record/methods/ktls_meth.c
index ff8d7218597cb..af91455c2914c 100644
--- a/ssl/record/methods/ktls_meth.c
+++ b/ssl/record/methods/ktls_meth.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/record/methods/recmethod_local.h b/ssl/record/methods/recmethod_local.h
index bd893b5e4c089..300b146a7b07f 100644
--- a/ssl/record/methods/recmethod_local.h
+++ b/ssl/record/methods/recmethod_local.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/record/methods/ssl3_cbc.c b/ssl/record/methods/ssl3_cbc.c
index b42f5a39ff1cf..a8282989ed39e 100644
--- a/ssl/record/methods/ssl3_cbc.c
+++ b/ssl/record/methods/ssl3_cbc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2012-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/record/methods/ssl3_meth.c b/ssl/record/methods/ssl3_meth.c
index a38fccae7bba7..76a108e44328f 100644
--- a/ssl/record/methods/ssl3_meth.c
+++ b/ssl/record/methods/ssl3_meth.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/record/methods/tls13_meth.c b/ssl/record/methods/tls13_meth.c
index 8704c7260354f..ec22f1ee49e40 100644
--- a/ssl/record/methods/tls13_meth.c
+++ b/ssl/record/methods/tls13_meth.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/record/methods/tls1_meth.c b/ssl/record/methods/tls1_meth.c
index 6112c349a1798..46a83ad8f42aa 100644
--- a/ssl/record/methods/tls1_meth.c
+++ b/ssl/record/methods/tls1_meth.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c
index 6ea090df244ba..423777c18dd40 100644
--- a/ssl/record/methods/tls_common.c
+++ b/ssl/record/methods/tls_common.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/record/methods/tls_multib.c b/ssl/record/methods/tls_multib.c
index 8aa89f86b2843..3c2c30ef162a6 100644
--- a/ssl/record/methods/tls_multib.c
+++ b/ssl/record/methods/tls_multib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/record/methods/tls_pad.c b/ssl/record/methods/tls_pad.c
index d326a7608a895..23198f3a4935b 100644
--- a/ssl/record/methods/tls_pad.c
+++ b/ssl/record/methods/tls_pad.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/record/rec_layer_d1.c b/ssl/record/rec_layer_d1.c
index 5dc8d12e76a98..87b588b84bed9 100644
--- a/ssl/record/rec_layer_d1.c
+++ b/ssl/record/rec_layer_d1.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2005-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index 29c5de88d418b..260d163a50d93 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/record/record.h b/ssl/record/record.h
index e4d1e34036299..6fb579fe19f14 100644
--- a/ssl/record/record.h
+++ b/ssl/record/record.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index d13a28697e60f..54c47dd3f9bc8 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright 2005 Nokia. All rights reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index ae97e39420357..29af55bc61e8f 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
 * Copyright 2005 Nokia. All rights reserved.
 *
diff --git a/ssl/ssl_cert_comp.c b/ssl/ssl_cert_comp.c
index ebc92b00390d0..639610a5f77e2 100644
--- a/ssl/ssl_cert_comp.c
+++ b/ssl/ssl_cert_comp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/ssl_cert_table.h b/ssl/ssl_cert_table.h
index e70d9d624e167..28918b976751c 100644
--- a/ssl/ssl_cert_table.h
+++ b/ssl/ssl_cert_table.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 18b9c6d10e1c8..66bff8b2391b6 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
 * Copyright 2005 Nokia. All rights reserved.
 *
diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c
index 45c74119076a7..442e852c1b13f 100644
--- a/ssl/ssl_conf.c
+++ b/ssl/ssl_conf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2012-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index 1df087abd1a27..c245c24080f36 100644
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/statem/statem_dtls.c b/ssl/statem/statem_dtls.c
index 31dc9f3511ea2..a88b0dfeac61a 100644
--- a/ssl/statem/statem_dtls.c
+++ b/ssl/statem/statem_dtls.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2005-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 712a784a0d739..673a53ad36a4b 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright 2005 Nokia. All rights reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
index 30fcfe8861f39..772a6fc173839 100644
--- a/ssl/tls13_enc.c
+++ b/ssl/tls13_enc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/asn1_internal_test.c b/test/asn1_internal_test.c
index f91e21cb54506..3c2222d988dfb 100644
--- a/test/asn1_internal_test.c
+++ b/test/asn1_internal_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/bio_core_test.c b/test/bio_core_test.c
index e3d6625382366..be2ae49932e77 100644
--- a/test/bio_core_test.c
+++ b/test/bio_core_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/bio_dgram_test.c b/test/bio_dgram_test.c
index 5aafe389f7056..f6c3e30c14925 100644
--- a/test/bio_dgram_test.c
+++ b/test/bio_dgram_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/bntest.c b/test/bntest.c
index 35471ac3bb408..9c0633d7f16c5 100644
--- a/test/bntest.c
+++ b/test/bntest.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/build_wincrypt_test.c b/test/build_wincrypt_test.c
index 0c0a54652767b..550e600b48854 100644
--- a/test/build_wincrypt_test.c
+++ b/test/build_wincrypt_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/cc_dummy.c b/test/cc_dummy.c
index 0331a7cdcf580..4b2bc041998ed 100644
--- a/test/cc_dummy.c
+++ b/test/cc_dummy.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/certs/mkcert.sh b/test/certs/mkcert.sh
index 5bba5893580fd..1cb4a9000c692 100755
--- a/test/certs/mkcert.sh
+++ b/test/certs/mkcert.sh
@@ -1,6 +1,6 @@
 #! /bin/bash
 #
-# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 # Copyright (c) 2016 Viktor Dukhovni .
 # All rights reserved.
 #
diff --git a/test/cmp_asn_test.c b/test/cmp_asn_test.c
index 6dab3944b9a23..786bd3296e0f7 100644
--- a/test/cmp_asn_test.c
+++ b/test/cmp_asn_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright Nokia 2007-2019
 * Copyright Siemens AG 2015-2019
 *
diff --git a/test/cmp_client_test.c b/test/cmp_client_test.c
index 5782a91868e6b..44c369bc907f6 100644
--- a/test/cmp_client_test.c
+++ b/test/cmp_client_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright Nokia 2007-2019
 * Copyright Siemens AG 2015-2019
 *
diff --git a/test/cmp_ctx_test.c b/test/cmp_ctx_test.c
index 485e0e47f1e29..137f67331b068 100644
--- a/test/cmp_ctx_test.c
+++ b/test/cmp_ctx_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright Nokia 2007-2019
 * Copyright Siemens AG 2015-2019
 *
diff --git a/test/cmp_hdr_test.c b/test/cmp_hdr_test.c
index c4cab22f5f7e5..69f75a24e2a4a 100644
--- a/test/cmp_hdr_test.c
+++ b/test/cmp_hdr_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright Nokia 2007-2019
 * Copyright Siemens AG 2015-2019
 *
diff --git a/test/cmp_msg_test.c b/test/cmp_msg_test.c
index 4438b53cb3c13..e98b5624285b5 100644
--- a/test/cmp_msg_test.c
+++ b/test/cmp_msg_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright Nokia 2007-2019
 * Copyright Siemens AG 2015-2019
 *
diff --git a/test/cmp_protect_test.c b/test/cmp_protect_test.c
index 8c6c9f29c27ec..0d2311fc29c73 100644
--- a/test/cmp_protect_test.c
+++ b/test/cmp_protect_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright Nokia 2007-2019
 * Copyright Siemens AG 2015-2019
 *
diff --git a/test/cmp_vfy_test.c b/test/cmp_vfy_test.c
index 26f2015e8e8f8..4ce309992fce4 100644
--- a/test/cmp_vfy_test.c
+++ b/test/cmp_vfy_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright Nokia 2007-2019
 * Copyright Siemens AG 2015-2019
 *
diff --git a/test/cmsapitest.c b/test/cmsapitest.c
index ecb5e1054db6d..5839eb74310aa 100644
--- a/test/cmsapitest.c
+++ b/test/cmsapitest.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/curve448_internal_test.c b/test/curve448_internal_test.c
index 226c870607081..c0b3ae3c80c3b 100644
--- a/test/curve448_internal_test.c
+++ b/test/curve448_internal_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/destest.c b/test/destest.c
index 41977ff6e020e..d5f00fa691ff7 100644
--- a/test/destest.c
+++ b/test/destest.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/dhkem_test.inc b/test/dhkem_test.inc
index b9562c887948d..8b4d36bbd01b0 100644
--- a/test/dhkem_test.inc
+++ b/test/dhkem_test.inc
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/dhtest.c b/test/dhtest.c
index 14b00f0d3dd92..bef706909c734 100644
--- a/test/dhtest.c
+++ b/test/dhtest.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/dsatest.c b/test/dsatest.c
index 49966088e5e07..5fa83020f87a2 100644
--- a/test/dsatest.c
+++ b/test/dsatest.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/dtlstest.c b/test/dtlstest.c
index 79cd37f45e8c3..011d8775c1578 100644
--- a/test/dtlstest.c
+++ b/test/dtlstest.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/ecdsatest.c b/test/ecdsatest.c
index 0954239684dae..33a52eb1b5624 100644
--- a/test/ecdsatest.c
+++ b/test/ecdsatest.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/test/ectest.c b/test/ectest.c
index f93fd768114f0..87d81741b8e7e 100644
--- a/test/ectest.c
+++ b/test/ectest.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/test/endecode_test.c b/test/endecode_test.c
index b334d427ebe12..e28fd41b7558b 100644
--- a/test/endecode_test.c
+++ b/test/endecode_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/errtest.c b/test/errtest.c
index 93e6ebbd4777c..dbf07f8a72cd8 100644
--- a/test/errtest.c
+++ b/test/errtest.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
index 0b61d5c9e8e0b..bec16144f994a 100644
--- a/test/evp_extra_test.c
+++ b/test/evp_extra_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/evp_extra_test2.c b/test/evp_extra_test2.c
index db33ead3ee813..a06bd697941e8 100644
--- a/test/evp_extra_test2.c
+++ b/test/evp_extra_test2.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/evp_kdf_test.c b/test/evp_kdf_test.c
index fb30fca1ef929..85bae39988b30 100644
--- a/test/evp_kdf_test.c
+++ b/test/evp_kdf_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2018-2020, Oracle and/or its affiliates. All rights reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/test/evp_pkey_dhkem_test.c b/test/evp_pkey_dhkem_test.c
index a99b6b913b435..97d40a27723c8 100644
--- a/test/evp_pkey_dhkem_test.c
+++ b/test/evp_pkey_dhkem_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/evp_pkey_provided_test.c b/test/evp_pkey_provided_test.c
index 47363e0bfdb13..02e7aa727c6ab 100644
--- a/test/evp_pkey_provided_test.c
+++ b/test/evp_pkey_provided_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/evp_test.c b/test/evp_test.c
index 0a33ed3ba860e..5a6cdd876d69c 100644
--- a/test/evp_test.c
+++ b/test/evp_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/exptest.c b/test/exptest.c
index ac2e6d3756def..143dfa99581ab 100644
--- a/test/exptest.c
+++ b/test/exptest.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/ext_internal_test.c b/test/ext_internal_test.c
index b86f82ebf98bc..20cf708de27a3 100644
--- a/test/ext_internal_test.c
+++ b/test/ext_internal_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/fake_rsaprov.c b/test/fake_rsaprov.c
index 501da0b53be39..a4f81be0232ea 100644
--- a/test/fake_rsaprov.c
+++ b/test/fake_rsaprov.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License");
 * you may not use this file except in compliance with the License.
diff --git a/test/ffc_internal_test.c b/test/ffc_internal_test.c
index 58064f6dc261e..0332e777c0aec 100644
--- a/test/ffc_internal_test.c
+++ b/test/ffc_internal_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2019-2020, Oracle and/or its affiliates. All rights reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/test/filterprov.c b/test/filterprov.c
index c7cda32261095..ea6583be1b52e 100644
--- a/test/filterprov.c
+++ b/test/filterprov.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/helpers/quictestlib.c b/test/helpers/quictestlib.c
index 2fcb4bdb6f83e..f0955559dcac2 100644
--- a/test/helpers/quictestlib.c
+++ b/test/helpers/quictestlib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/helpers/quictestlib.h b/test/helpers/quictestlib.h
index fb1c5d88b534d..45f6ebec7918e 100644
--- a/test/helpers/quictestlib.h
+++ b/test/helpers/quictestlib.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/helpers/ssl_test_ctx.c b/test/helpers/ssl_test_ctx.c
index c7777f8f07516..ec2c7885ba7c7 100644
--- a/test/helpers/ssl_test_ctx.c
+++ b/test/helpers/ssl_test_ctx.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/helpers/ssl_test_ctx.h b/test/helpers/ssl_test_ctx.h
index 982d15a5c30a4..017d2d1121514 100644
--- a/test/helpers/ssl_test_ctx.h
+++ b/test/helpers/ssl_test_ctx.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/helpers/ssltestlib.c b/test/helpers/ssltestlib.c
index 01a51ac41d327..94a170b9a52f4 100644
--- a/test/helpers/ssltestlib.c
+++ b/test/helpers/ssltestlib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/helpers/ssltestlib.h b/test/helpers/ssltestlib.h
index defcb35115958..c8dcb8a82d28d 100644
--- a/test/helpers/ssltestlib.h
+++ b/test/helpers/ssltestlib.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/hpke_test.c b/test/hpke_test.c
index 891560d2dcaa7..4ca67682a3fef 100644
--- a/test/hpke_test.c
+++ b/test/hpke_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/membio_test.c b/test/membio_test.c
index 254f71b9c5205..f566184af7e06 100644
--- a/test/membio_test.c
+++ b/test/membio_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/p_test.c b/test/p_test.c
index fc9f179310189..b27a38c13e30e 100644
--- a/test/p_test.c
+++ b/test/p_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/packettest.c b/test/packettest.c
index ac37c10baede2..40b68d310a724 100644
--- a/test/packettest.c
+++ b/test/packettest.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/param_build_test.c b/test/param_build_test.c
index 68517e66be832..f693b4b11bf61 100644
--- a/test/param_build_test.c
+++ b/test/param_build_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/test/pbetest.c b/test/pbetest.c
index 7bf0680785d80..cfffc2b932332 100644
--- a/test/pbetest.c
+++ b/test/pbetest.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/pemtest.c b/test/pemtest.c
index 171d238533c83..bf97098365443 100644
--- a/test/pemtest.c
+++ b/test/pemtest.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/pkcs12_api_test.c b/test/pkcs12_api_test.c
index da023f364d08b..5afef5a16ad3a 100644
--- a/test/pkcs12_api_test.c
+++ b/test/pkcs12_api_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/property_test.c b/test/property_test.c
index cd89958a01b70..45b1db3e855b6 100644
--- a/test/property_test.c
+++ b/test/property_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/test/provfetchtest.c b/test/provfetchtest.c
index 12f744a688091..d8c9307ddd177 100644
--- a/test/provfetchtest.c
+++ b/test/provfetchtest.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/provider_internal_test.c b/test/provider_internal_test.c
index 6c333f85dbb23..9998e6bf973fa 100644
--- a/test/provider_internal_test.c
+++ b/test/provider_internal_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/provider_test.c b/test/provider_test.c
index d1fe71f46d957..3268a287a2f6d 100644
--- a/test/provider_test.c
+++ b/test/provider_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/punycode_test.c b/test/punycode_test.c
index 8a4ea0dc41717..00a21bb78e5b5 100644
--- a/test/punycode_test.c
+++ b/test/punycode_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/quic_ackm_test.c b/test/quic_ackm_test.c
index b5019ccb829bc..0f26e9d38a0e8 100644
--- a/test/quic_ackm_test.c
+++ b/test/quic_ackm_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/quic_cc_test.c b/test/quic_cc_test.c
index 17290ba7dac89..e1f750e412c4d 100644
--- a/test/quic_cc_test.c
+++ b/test/quic_cc_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/quic_cfq_test.c b/test/quic_cfq_test.c
index 44705b3507735..f6af23d908433 100644
--- a/test/quic_cfq_test.c
+++ b/test/quic_cfq_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/quic_fc_test.c b/test/quic_fc_test.c
index 56ea103a422fc..e624d81b7344c 100644
--- a/test/quic_fc_test.c
+++ b/test/quic_fc_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/quic_fifd_test.c b/test/quic_fifd_test.c
index de3188a929541..4e0f252fa4837 100644
--- a/test/quic_fifd_test.c
+++ b/test/quic_fifd_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/quic_record_test.c b/test/quic_record_test.c
index a2144744a3fe2..5966b93730128 100644
--- a/test/quic_record_test.c
+++ b/test/quic_record_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/quic_record_test_util.h b/test/quic_record_test_util.h
index 8c6f68bc1d2c4..fba4bf21d671a 100644
--- a/test/quic_record_test_util.h
+++ b/test/quic_record_test_util.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/quic_stream_test.c b/test/quic_stream_test.c
index 627e630a3e3ca..c80a4bf0494c4 100644
--- a/test/quic_stream_test.c
+++ b/test/quic_stream_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/quic_tserver_test.c b/test/quic_tserver_test.c
index 452d523d0ee28..3d1249863b2ae 100644
--- a/test/quic_tserver_test.c
+++ b/test/quic_tserver_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/quic_txp_test.c b/test/quic_txp_test.c
index 7c3e84b41a5e5..4682483acc3d1 100644
--- a/test/quic_txp_test.c
+++ b/test/quic_txp_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/quic_wire_test.c b/test/quic_wire_test.c
index 5691be7dd59b2..69f4cf2977d76 100644
--- a/test/quic_wire_test.c
+++ b/test/quic_wire_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/quicapitest.c b/test/quicapitest.c
index 5eff924527ee6..87c134eb88bf3 100644
--- a/test/quicapitest.c
+++ b/test/quicapitest.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/quicfaultstest.c b/test/quicfaultstest.c
index 76887527424f2..3b80385584b65 100644
--- a/test/quicfaultstest.c
+++ b/test/quicfaultstest.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/00-prep_fipsmodule_cnf.t b/test/recipes/00-prep_fipsmodule_cnf.t
index bf1b0c8081ae3..4e3a6d85e8393 100644
--- a/test/recipes/00-prep_fipsmodule_cnf.t
+++ b/test/recipes/00-prep_fipsmodule_cnf.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t
index 4e0a9a384268b..9efa9f8d2d6eb 100644
--- a/test/recipes/01-test_symbol_presence.t
+++ b/test/recipes/01-test_symbol_presence.t
@@ -1,6 +1,6 @@
 #! /usr/bin/env perl
 # -*- mode: Perl -*-
-# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/03-test_fipsinstall.t b/test/recipes/03-test_fipsinstall.t
index 1e933c94874f5..b8b136d110bb7 100644
--- a/test/recipes/03-test_fipsinstall.t
+++ b/test/recipes/03-test_fipsinstall.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/03-test_internal_curve448.t b/test/recipes/03-test_internal_curve448.t
index a67a419a2c230..0497d4d2c5375 100644
--- a/test/recipes/03-test_internal_curve448.t
+++ b/test/recipes/03-test_internal_curve448.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/04-test_encoder_decoder.t b/test/recipes/04-test_encoder_decoder.t
index 56c7d6e714a2e..8e7ed629bea53 100644
--- a/test/recipes/04-test_encoder_decoder.t
+++ b/test/recipes/04-test_encoder_decoder.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/06-test_algorithmid.t b/test/recipes/06-test_algorithmid.t
index 0a8fe44ed6522..d73794aa62bfb 100644
--- a/test/recipes/06-test_algorithmid.t
+++ b/test/recipes/06-test_algorithmid.t
@@ -1,6 +1,6 @@ #! /usr/bin/env perl -# Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/15-test_ec.t b/test/recipes/15-test_ec.t
index a7a7caadd3eda..c953fad9f1ec4 100644
--- a/test/recipes/15-test_ec.t
+++ b/test/recipes/15-test_ec.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/15-test_gendsa.t b/test/recipes/15-test_gendsa.t
index b4bb9b29ca9e9..4bc460784b461 100644
--- a/test/recipes/15-test_gendsa.t
+++ b/test/recipes/15-test_gendsa.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/15-test_genpkey.t b/test/recipes/15-test_genpkey.t
index 866d6e977ea47..b918f73f9fe06 100644
--- a/test/recipes/15-test_genpkey.t
+++ b/test/recipes/15-test_genpkey.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/15-test_genrsa.t b/test/recipes/15-test_genrsa.t
index 5632efe5fc5c2..83196031d776a 100644
--- a/test/recipes/15-test_genrsa.t
+++ b/test/recipes/15-test_genrsa.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/15-test_mp_rsa.t b/test/recipes/15-test_mp_rsa.t
index ffaf36cd52ffd..956626de00eaf 100644
--- a/test/recipes/15-test_mp_rsa.t
+++ b/test/recipes/15-test_mp_rsa.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 # Copyright 2017 BaishanCloud. All rights reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/test/recipes/15-test_rsa.t b/test/recipes/15-test_rsa.t
index c3c0bc34d6de8..e0ac15772a5bd 100644
--- a/test/recipes/15-test_rsa.t
+++ b/test/recipes/15-test_rsa.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/15-test_rsapss.t b/test/recipes/15-test_rsapss.t
index cea1c605d1e33..56e3b3c60c04e 100644
--- a/test/recipes/15-test_rsapss.t
+++ b/test/recipes/15-test_rsapss.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/20-test_app.t b/test/recipes/20-test_app.t
index 2560b20fc45a5..29ce3e6e486f5 100644
--- a/test/recipes/20-test_app.t
+++ b/test/recipes/20-test_app.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/20-test_cli_fips.t b/test/recipes/20-test_cli_fips.t
index 3e2d745f44f37..d4b4d4ca51c68 100644
--- a/test/recipes/20-test_cli_fips.t
+++ b/test/recipes/20-test_cli_fips.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/20-test_dgst.t b/test/recipes/20-test_dgst.t
index cf5e20d2234e8..d1b2ccf5c7bd4 100644
--- a/test/recipes/20-test_dgst.t
+++ b/test/recipes/20-test_dgst.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/20-test_enc.t b/test/recipes/20-test_enc.t
index d16d73e64a9e9..2b430b74fcb66 100644
--- a/test/recipes/20-test_enc.t
+++ b/test/recipes/20-test_enc.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/20-test_pkeyutl.t b/test/recipes/20-test_pkeyutl.t
index adfe9e366eea5..76e4f0a869459 100644
--- a/test/recipes/20-test_pkeyutl.t
+++ b/test/recipes/20-test_pkeyutl.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/25-test_pkcs7.t b/test/recipes/25-test_pkcs7.t
index cdbcf3869c84d..23f1c8a7645dd 100644
--- a/test/recipes/25-test_pkcs7.t
+++ b/test/recipes/25-test_pkcs7.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/25-test_pkcs8.t b/test/recipes/25-test_pkcs8.t
index 2db574bb69575..93cb7629bf9c2 100644
--- a/test/recipes/25-test_pkcs8.t
+++ b/test/recipes/25-test_pkcs8.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t
index c65c21d317b25..07a5975655a52 100644
--- a/test/recipes/25-test_req.t
+++ b/test/recipes/25-test_req.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
index 7d3d758ac710c..c69dcb2239319 100644
--- a/test/recipes/25-test_verify.t
+++ b/test/recipes/25-test_verify.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/25-test_x509.t b/test/recipes/25-test_x509.t
index df49ce2750ca9..408ac40c7c3e5 100644
--- a/test/recipes/25-test_x509.t
+++ b/test/recipes/25-test_x509.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/30-test_defltfips.t b/test/recipes/30-test_defltfips.t
index 103f28da764a0..c8f145405b2b4 100644
--- a/test/recipes/30-test_defltfips.t
+++ b/test/recipes/30-test_defltfips.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t
index 3ab3ea6d4ad24..eddca5c58ea39 100644
--- a/test/recipes/30-test_evp.t
+++ b/test/recipes/30-test_evp.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/30-test_evp_data/evpciph_aes_common.txt b/test/recipes/30-test_evp_data/evpciph_aes_common.txt
index 3355bc90f014a..484147b26a961 100644
--- a/test/recipes/30-test_evp_data/evpciph_aes_common.txt
+++ b/test/recipes/30-test_evp_data/evpciph_aes_common.txt
@@ -1,5 +1,5 @@
 #
-# Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/30-test_evp_data/evpciph_aes_siv.txt b/test/recipes/30-test_evp_data/evpciph_aes_siv.txt
index e434f13f4154b..ab7f2b6f6aa28 100644
--- a/test/recipes/30-test_evp_data/evpciph_aes_siv.txt
+++ b/test/recipes/30-test_evp_data/evpciph_aes_siv.txt
@@ -1,5 +1,5 @@
 #
-# Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/30-test_evp_data/evpciph_chacha.txt b/test/recipes/30-test_evp_data/evpciph_chacha.txt
index f283b240f3a09..52a39c03f8f2f 100644
--- a/test/recipes/30-test_evp_data/evpciph_chacha.txt
+++ b/test/recipes/30-test_evp_data/evpciph_chacha.txt
@@ -1,5 +1,5 @@
 #
-# Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt b/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt
index 04cef6f7e81b5..d05a1b1ac50f6 100644
--- a/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt
+++ b/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt
@@ -1,5 +1,5 @@
 #
-# Copyright 2021-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/30-test_evp_data/evpkdf_ss.txt b/test/recipes/30-test_evp_data/evpkdf_ss.txt
index c2b405a6481eb..80dcbcb071478 100644
--- a/test/recipes/30-test_evp_data/evpkdf_ss.txt
+++ b/test/recipes/30-test_evp_data/evpkdf_ss.txt
@@ -1,5 +1,5 @@
 #
-# Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
index fe62453dbb999..44040ff66b481 100644
--- a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
+++ b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
@@ -1,5 +1,5 @@
 #
-# Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/30-test_evp_data/evpkdf_x963.txt b/test/recipes/30-test_evp_data/evpkdf_x963.txt
index 7d078debfb102..ad175acc11466 100644
--- a/test/recipes/30-test_evp_data/evpkdf_x963.txt
+++ b/test/recipes/30-test_evp_data/evpkdf_x963.txt
@@ -1,5 +1,5 @@
 #
-# Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/30-test_evp_data/evpmac_common.txt b/test/recipes/30-test_evp_data/evpmac_common.txt
index 7bcce7d9204b2..e47023aae6cc3 100644
--- a/test/recipes/30-test_evp_data/evpmac_common.txt
+++ b/test/recipes/30-test_evp_data/evpmac_common.txt
@@ -1,5 +1,5 @@
 #
-# Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/30-test_evp_data/evpmd_blake.txt b/test/recipes/30-test_evp_data/evpmd_blake.txt
index 0aaee9e07a5d8..02b3df9e9c6d1 100644
--- a/test/recipes/30-test_evp_data/evpmd_blake.txt
+++ b/test/recipes/30-test_evp_data/evpmd_blake.txt
@@ -1,5 +1,5 @@
 #
-# Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/30-test_evp_data/evpmd_sha.txt b/test/recipes/30-test_evp_data/evpmd_sha.txt
index 149137b7122d1..b3b95ed76b561 100644
--- a/test/recipes/30-test_evp_data/evpmd_sha.txt
+++ b/test/recipes/30-test_evp_data/evpmd_sha.txt
@@ -1,5 +1,5 @@
 #
-# Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/30-test_evp_data/evppkey_dsa.txt b/test/recipes/30-test_evp_data/evppkey_dsa.txt
index 8c19153ca17eb..debd62bca84cb 100644
--- a/test/recipes/30-test_evp_data/evppkey_dsa.txt
+++ b/test/recipes/30-test_evp_data/evppkey_dsa.txt
@@ -1,5 +1,5 @@
 #
-# Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/30-test_evp_data/evppkey_ecx.txt b/test/recipes/30-test_evp_data/evppkey_ecx.txt
index 56930372305fa..2d6c6854239be 100644
--- a/test/recipes/30-test_evp_data/evppkey_ecx.txt
+++ b/test/recipes/30-test_evp_data/evppkey_ecx.txt
@@ -1,5 +1,5 @@
 #
-# Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/30-test_evp_data/evppkey_mismatch.txt b/test/recipes/30-test_evp_data/evppkey_mismatch.txt
index 10d8db3427fe1..0859814860e34 100644
--- a/test/recipes/30-test_evp_data/evppkey_mismatch.txt
+++ b/test/recipes/30-test_evp_data/evppkey_mismatch.txt
@@ -1,5 +1,5 @@
 #
-# Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/30-test_evp_data/evppkey_mismatch_ecx.txt b/test/recipes/30-test_evp_data/evppkey_mismatch_ecx.txt
index ebbd4d4b39d1e..bf8b21ca0645d 100644
--- a/test/recipes/30-test_evp_data/evppkey_mismatch_ecx.txt
+++ b/test/recipes/30-test_evp_data/evppkey_mismatch_ecx.txt
@@ -1,5 +1,5 @@
 #
-# Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/30-test_evp_data/evppkey_rsa.txt b/test/recipes/30-test_evp_data/evppkey_rsa.txt
index d127ef7b5d380..78d14d31be10f 100644
--- a/test/recipes/30-test_evp_data/evppkey_rsa.txt
+++ b/test/recipes/30-test_evp_data/evppkey_rsa.txt
@@ -1,5 +1,5 @@
 #
-# Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
index 351b257323963..76ddc1ec60a1d 100644
--- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
+++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
@@ -1,5 +1,5 @@
 #
-# Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/30-test_evp_data/evprand.txt b/test/recipes/30-test_evp_data/evprand.txt
index 090a9fa9fb5df..0e2ee82c587a0 100644
--- a/test/recipes/30-test_evp_data/evprand.txt
+++ b/test/recipes/30-test_evp_data/evprand.txt
@@ -1,5 +1,5 @@
 #
-# Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/65-test_cmp_protect.t b/test/recipes/65-test_cmp_protect.t
index d4e863f85a38b..92c91d8b88aca 100644
--- a/test/recipes/65-test_cmp_protect.t
+++ b/test/recipes/65-test_cmp_protect.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
 # Copyright Nokia 2007-2019
 # Copyright Siemens AG 2015-2019
 #
diff --git a/test/recipes/70-test_key_share.t b/test/recipes/70-test_key_share.t
index 2c2527ca5c45d..ef21146e0c796 100644
--- a/test/recipes/70-test_key_share.t
+++ b/test/recipes/70-test_key_share.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/70-test_quic_multistream.t b/test/recipes/70-test_quic_multistream.t
index e7bdf03d74c9e..b4e6e4147330f 100644
--- a/test/recipes/70-test_quic_multistream.t
+++ b/test/recipes/70-test_quic_multistream.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/70-test_quic_tserver.t b/test/recipes/70-test_quic_tserver.t
index 4ff2d208b6576..ea432e529a3ba 100644
--- a/test/recipes/70-test_quic_tserver.t
+++ b/test/recipes/70-test_quic_tserver.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/70-test_tls13cookie.t b/test/recipes/70-test_tls13cookie.t
index ead0f37cf891a..4be31c52e7f9c 100644
--- a/test/recipes/70-test_tls13cookie.t
+++ b/test/recipes/70-test_tls13cookie.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/70-test_tls13hrr.t b/test/recipes/70-test_tls13hrr.t
index ece9f033ded03..3feabef060ce7 100644
--- a/test/recipes/70-test_tls13hrr.t
+++ b/test/recipes/70-test_tls13hrr.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/70-test_tls13kexmodes.t b/test/recipes/70-test_tls13kexmodes.t
index ea61a01f82c79..c4711e442b6c1 100644
--- a/test/recipes/70-test_tls13kexmodes.t
+++ b/test/recipes/70-test_tls13kexmodes.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/70-test_tls13messages.t b/test/recipes/70-test_tls13messages.t
index 4fa56d59ba12c..f579cd3c9fbab 100644
--- a/test/recipes/70-test_tls13messages.t
+++ b/test/recipes/70-test_tls13messages.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/70-test_tls13psk.t b/test/recipes/70-test_tls13psk.t
index d352bc18bf8e9..5607dd604ca85 100644
--- a/test/recipes/70-test_tls13psk.t
+++ b/test/recipes/70-test_tls13psk.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/75-test_quic_cc.t b/test/recipes/75-test_quic_cc.t
index 97f4151779ba1..5a310f325947d 100644
--- a/test/recipes/75-test_quic_cc.t
+++ b/test/recipes/75-test_quic_cc.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/75-test_quicapi.t b/test/recipes/75-test_quicapi.t
index 5f248a18f62a5..bd411f221c8d6 100644
--- a/test/recipes/75-test_quicapi.t
+++ b/test/recipes/75-test_quicapi.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/79-test_http.t b/test/recipes/79-test_http.t
index ecf6eb23a213d..236120071790c 100644
--- a/test/recipes/79-test_http.t
+++ b/test/recipes/79-test_http.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/80-test_ca.t b/test/recipes/80-test_ca.t
index 6a7a74b7e7dc6..916f952a0c3e1 100644
--- a/test/recipes/80-test_ca.t
+++ b/test/recipes/80-test_ca.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/80-test_cmp_http.t b/test/recipes/80-test_cmp_http.t
index 1b0ec8a659a69..6cfdcaedfd146 100644
--- a/test/recipes/80-test_cmp_http.t
+++ b/test/recipes/80-test_cmp_http.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
 # Copyright Nokia 2007-2019
 # Copyright Siemens AG 2015-2019
 #
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
index 25b0238f8550c..a0e6e874c3eb1 100644
--- a/test/recipes/80-test_cms.t
+++ b/test/recipes/80-test_cms.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
index 1a3a3c1567772..195b85ea8cdd5 100644
--- a/test/recipes/80-test_ssl_new.t
+++ b/test/recipes/80-test_ssl_new.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/90-test_quicfaults.t b/test/recipes/90-test_quicfaults.t
index addac8fc0ab79..7fa039a370604 100644
--- a/test/recipes/90-test_quicfaults.t
+++ b/test/recipes/90-test_quicfaults.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/90-test_store.t b/test/recipes/90-test_store.t
index c0bf1d1bb0aef..7c5624e5a225a 100644
--- a/test/recipes/90-test_store.t
+++ b/test/recipes/90-test_store.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/90-test_trace_api.t b/test/recipes/90-test_trace_api.t
index 8d7ee4adb9af8..bc4f34858be79 100644
--- a/test/recipes/90-test_trace_api.t
+++ b/test/recipes/90-test_trace_api.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/91-test_pkey_check.t b/test/recipes/91-test_pkey_check.t
index c290b0ba72968..dc7cc64533af2 100644
--- a/test/recipes/91-test_pkey_check.t
+++ b/test/recipes/91-test_pkey_check.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/99-test_fuzz_decoder.t b/test/recipes/99-test_fuzz_decoder.t
index 17758e03d0fc7..99a9b6db119b8 100644
--- a/test/recipes/99-test_fuzz_decoder.t
+++ b/test/recipes/99-test_fuzz_decoder.t
@@ -1,5 +1,5 @@
 #!/usr/bin/env perl
-# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/99-test_fuzz_pem.t b/test/recipes/99-test_fuzz_pem.t
index a0ca846afd02f..28b5c24ac860d 100644
--- a/test/recipes/99-test_fuzz_pem.t
+++ b/test/recipes/99-test_fuzz_pem.t
@@ -1,5 +1,5 @@
 #!/usr/bin/env perl
-# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/99-test_fuzz_punycode.t b/test/recipes/99-test_fuzz_punycode.t
index daba65768335b..b12ae3154a803 100644
--- a/test/recipes/99-test_fuzz_punycode.t
+++ b/test/recipes/99-test_fuzz_punycode.t
@@ -1,5 +1,5 @@
 #!/usr/bin/env perl
-# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/99-test_fuzz_v3name.t b/test/recipes/99-test_fuzz_v3name.t
index 2c586501be1e5..e6d88c7946f47 100644
--- a/test/recipes/99-test_fuzz_v3name.t
+++ b/test/recipes/99-test_fuzz_v3name.t
@@ -1,5 +1,5 @@
 #!/usr/bin/env perl
-# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/99-test_fuzz_x509.t b/test/recipes/99-test_fuzz_x509.t
index 7ca3ee8ae7ca0..b0b86365d1019 100644
--- a/test/recipes/99-test_fuzz_x509.t
+++ b/test/recipes/99-test_fuzz_x509.t
@@ -1,5 +1,5 @@
 #!/usr/bin/env perl
-# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/tconversion.pl b/test/recipes/tconversion.pl
index 222ef1ac13d9a..6f10758f29acc 100644
--- a/test/recipes/tconversion.pl
+++ b/test/recipes/tconversion.pl
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recordlentest.c b/test/recordlentest.c
index d46b75f686d25..c7fb27408f46d 100644
--- a/test/recordlentest.c
+++ b/test/recordlentest.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/rsa_mp_test.c b/test/rsa_mp_test.c
index 81b42a2fdf70d..cc9e282b14090 100644
--- a/test/rsa_mp_test.c
+++ b/test/rsa_mp_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright 2017 BaishanCloud. All rights reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/test/rsa_sp800_56b_test.c b/test/rsa_sp800_56b_test.c
index 10443683b9c2e..7660019f4739f 100644
--- a/test/rsa_sp800_56b_test.c
+++ b/test/rsa_sp800_56b_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/rsa_test.c b/test/rsa_test.c
index 82c3097085e78..fe2087465f63a 100644
--- a/test/rsa_test.c
+++ b/test/rsa_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/rsa_x931_test.c b/test/rsa_x931_test.c
index 5f3396a3a03fc..4310f7beab450 100644
--- a/test/rsa_x931_test.c
+++ b/test/rsa_x931_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/sanitytest.c b/test/sanitytest.c
index 9628fdb4bf814..dd19bfbc71da0 100644
--- a/test/sanitytest.c
+++ b/test/sanitytest.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/smime-certs/mksmime-certs.sh b/test/smime-certs/mksmime-certs.sh
index 160fcbfb4fb9c..ab7e22a136e28 100644
--- a/test/smime-certs/mksmime-certs.sh
+++ b/test/smime-certs/mksmime-certs.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
-# Copyright 2013-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2013-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/ssl-tests/28-seclevel.cnf.in b/test/ssl-tests/28-seclevel.cnf.in
index 3fc301eb140f8..9204f215e530e 100644
--- a/test/ssl-tests/28-seclevel.cnf.in
+++ b/test/ssl-tests/28-seclevel.cnf.in
@@ -1,5 +1,5 @@
 # -*- mode: perl; -*-
-# Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/ssl-tests/30-extended-master-secret.cnf.in b/test/ssl-tests/30-extended-master-secret.cnf.in
index 40f4df3308462..9401026e20afa 100644
--- a/test/ssl-tests/30-extended-master-secret.cnf.in
+++ b/test/ssl-tests/30-extended-master-secret.cnf.in
@@ -1,5 +1,5 @@
 # -*- mode: perl; -*-
-# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/ssl_ctx_test.c b/test/ssl_ctx_test.c
index ea7aadc2f69fe..16da838dea106 100644
--- a/test/ssl_ctx_test.c
+++ b/test/ssl_ctx_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/ssl_old_test.c b/test/ssl_old_test.c
index 8218ab1a90877..21834b1a36313 100644
--- a/test/ssl_old_test.c
+++ b/test/ssl_old_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
 * Copyright 2005 Nokia. All rights reserved.
 *
diff --git a/test/ssl_test.c b/test/ssl_test.c
index 56b765ad8e7ff..ea608518f92ed 100644
--- a/test/ssl_test.c
+++ b/test/ssl_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/sslapitest.c b/test/sslapitest.c
index b50929eddbe79..75fbd3bd3b575 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/sslbuffertest.c b/test/sslbuffertest.c
index beace8ffd6495..94229d54d62aa 100644
--- a/test/sslbuffertest.c
+++ b/test/sslbuffertest.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License");
 * you may not use this file except in compliance with the License.
diff --git a/test/testutil.h b/test/testutil.h
index 033c6f587d800..a247f55ed6b83 100644
--- a/test/testutil.h
+++ b/test/testutil.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2014-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2014-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/testutil/basic_output.c b/test/testutil/basic_output.c
index ebd646ce14457..5297b350e7c35 100644
--- a/test/testutil/basic_output.c
+++ b/test/testutil/basic_output.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/testutil/fake_random.c b/test/testutil/fake_random.c
index ebf3a9d74b079..b211f48625c2d 100644
--- a/test/testutil/fake_random.c
+++ b/test/testutil/fake_random.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License");
 * you may not use this file except in compliance with the License.
diff --git a/test/testutil/main.c b/test/testutil/main.c
index 2945bb52b8e58..32e32d8328723 100644
--- a/test/testutil/main.c
+++ b/test/testutil/main.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/testutil/provider.c b/test/testutil/provider.c
index 30c757c5c1d3f..79ae13b42a1f0 100644
--- a/test/testutil/provider.c
+++ b/test/testutil/provider.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/threadstest.c b/test/threadstest.c
index a4bab43cc7bfe..317b637a07e3d 100644
--- a/test/threadstest.c
+++ b/test/threadstest.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/tls-provider.c b/test/tls-provider.c
index 39dde831f4856..a914620cd22b8 100644
--- a/test/tls-provider.c
+++ b/test/tls-provider.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/tls13ccstest.c b/test/tls13ccstest.c
index fe44d90fbc4dc..1dde451c950a3 100644
--- a/test/tls13ccstest.c
+++ b/test/tls13ccstest.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/tls13encryptiontest.c b/test/tls13encryptiontest.c
index cecbb4296be57..f1e6490f9f900 100644
--- a/test/tls13encryptiontest.c
+++ b/test/tls13encryptiontest.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/tls13secretstest.c b/test/tls13secretstest.c
index f51dd9e9db88b..352c1898adfb1 100644
--- a/test/tls13secretstest.c
+++ b/test/tls13secretstest.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/trace_api_test.c b/test/trace_api_test.c
index 15b5805e64cae..e12750f06a70b 100644
--- a/test/trace_api_test.c
+++ b/test/trace_api_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/upcallstest.c b/test/upcallstest.c
index 096d0b188d527..d2c89b5202eec 100644
--- a/test/upcallstest.c
+++ b/test/upcallstest.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/user_property_test.c b/test/user_property_test.c
index a7e7abb05104f..73ae149ad08d1 100644
--- a/test/user_property_test.c
+++ b/test/user_property_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/v3nametest.c b/test/v3nametest.c
index 0341995dde823..3609eba04552a 100644
--- a/test/v3nametest.c
+++ b/test/v3nametest.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2012-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/wpackettest.c b/test/wpackettest.c
index dd88a7e15b31d..aaa374af188be 100644
--- a/test/wpackettest.c
+++ b/test/wpackettest.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/test/x509_check_cert_pkey_test.c b/test/x509_check_cert_pkey_test.c
index 83f4cb563c861..52c4ea40e081b 100644
--- a/test/x509_check_cert_pkey_test.c
+++ b/test/x509_check_cert_pkey_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/util/check-format.pl b/util/check-format.pl
index afae3d4a76c37..e1a91bcc58150 100755
--- a/util/check-format.pl
+++ b/util/check-format.pl
@@ -1,6 +1,6 @@
 #! /usr/bin/env perl
 #
-# Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 # Copyright Siemens AG 2019-2022
 #
 # Licensed under the Apache License 2.0 (the "License").
diff --git a/util/find-doc-nits b/util/find-doc-nits
index 877838f00e697..7d1cdb59b1dbd 100755
--- a/util/find-doc-nits
+++ b/util/find-doc-nits
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/util/mk-fipsmodule-cnf.pl b/util/mk-fipsmodule-cnf.pl
index a1867140640c2..3eb397adad5e4 100644
--- a/util/mk-fipsmodule-cnf.pl
+++ b/util/mk-fipsmodule-cnf.pl
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/util/mkerr.pl b/util/mkerr.pl
index cf9dc3771e323..6f22bbd5827e9 100755
--- a/util/mkerr.pl
+++ b/util/mkerr.pl
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/util/perl/OpenSSL/Ordinals.pm b/util/perl/OpenSSL/Ordinals.pm
index 4f770ad1ad9f6..da5a31bd21abe 100644
--- a/util/perl/OpenSSL/Ordinals.pm
+++ b/util/perl/OpenSSL/Ordinals.pm
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/util/perl/OpenSSL/Util.pm b/util/perl/OpenSSL/Util.pm
index e75b1a43b8eeb..970fc009b3bc3 100644
--- a/util/perl/OpenSSL/Util.pm
+++ b/util/perl/OpenSSL/Util.pm
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/util/perl/OpenSSL/config.pm b/util/perl/OpenSSL/config.pm
index 6b2cd9b9fb438..791b19847ad85 100755
--- a/util/perl/OpenSSL/config.pm
+++ b/util/perl/OpenSSL/config.pm
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 1998-2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 1998-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/util/perl/TLSProxy/Message.pm b/util/perl/TLSProxy/Message.pm
index 21e04a5cbc35b..ce221875697f1 100644
--- a/util/perl/TLSProxy/Message.pm
+++ b/util/perl/TLSProxy/Message.pm
@@ -1,4 +1,4 @@
-# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
From e97c6c3cdf8b4f69e58e8cd610236ae474b9a97f Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Thu, 7 Sep 2023 10:00:21 +0100
Subject: [PATCH 135/324] make update

Reviewed-by: Richard Levitte
Release: yes
---
 providers/fips-sources.checksums | 211 ++++++++++++++++---------------
 providers/fips.checksum | 2 +-
 providers/fips.module.sources | 9 +-
 3 files changed, 118 insertions(+), 104 deletions(-)

diff --git a/providers/fips-sources.checksums b/providers/fips-sources.checksums
index c337becad6d3b..db0dda5af6d5c 100644
--- a/providers/fips-sources.checksums
+++ b/providers/fips-sources.checksums
@@ -26,16 +26,16 @@ f3a8f3c960c0f47aaa8fc2633d18b14e7c7feeccc536b0115a08bc58333122b6 crypto/aes/asm e397a5781893e97dd90a5a52049633be12a43f379ec5751bca2a6350c39444c8 crypto/aes/asm/aest4-sparcv9.pl 030dd54699b6ab0d71db5a436489ef3265d358337259798ef9d0ee690c182386 crypto/aes/asm/aesv8-armx.pl 5e8005fdb6641df465bdda20c3476f7176e6bcd63d5073044a0c02a327c7f172 crypto/aes/asm/bsaes-armv7.pl -cebab3945a6c4921ebc12b922362c3f65299876a8401eb99770aa981d1311fed crypto/aes/asm/bsaes-armv8.pl +9b9c9d7541edb49dcb9fe331f91fca1b6a1e14cc204c07b8cc2b530da8719279 crypto/aes/asm/bsaes-armv8.pl 0726a2c4c15c27a12b2f7d5e16863df4a1b1daa7b7d9b728f621b2b224d290e6 crypto/aes/asm/bsaes-x86_64.pl 762cadf988080f45d1a2f1232058688ac3f5afe76767649d15513a7a5eedcf38 crypto/aes/asm/vpaes-armv8.pl -4b723628a4ea14a763c3b21afa2439534ccf9d21480f2d0e3a0f5ee270169c23 crypto/aes/asm/vpaes-loongarch64.pl +14146589f53dc898fa86aeffd0e0ba36737b04da26ab0b14c1da09a28836c8f8 crypto/aes/asm/vpaes-loongarch64.pl c3541865cd02d81101cdbab4877ed82772e6980d2c677b9008b38fa1b26d36d4 crypto/aes/asm/vpaes-ppc.pl 3ec24185750a995377516bc2fb2eae8b1c52094c6fff093bff591837fc12d6c3 crypto/aes/asm/vpaes-x86.pl 060bb6620f50af9afecdf97df051b45b9a50be9daf343dfec1cbb29693ce00a4 crypto/aes/asm/vpaes-x86_64.pl 2bc67270155e2d6c7da87d9070e005ee79cea18311004907edfd6a078003532a crypto/alphacpuid.pl 269e52f8867c13ca75d2f88ec1f89b692cb8c6c3ee89abe2fd3c1821925191d8 crypto/arm64cpuid.pl -7144d95f74d8f84b5c32fe5b343c1d6d958a96ffcf9d0374a343cd82e599d753 crypto/armcap.c +5d8595338d4ae8bbaba81dab36c00b325abccf5c4a51b7d1b6c622ac893792de crypto/armcap.c b0f528db5658d7c98657eb322bf78e326202f43da88f7c56ada053a494be9977 crypto/armv4cpuid.pl 16739d54200fb81ca7835b5814f965022a2ab41589c7787e2697e3ea72d4fafa crypto/asn1_dsa.c 819c9fd2b0cae9aab81c3cbd1815c2e22949d75f132f649b5883812d0bbaa39a crypto/bn/asm/alpha-mont.pl 
@@ -84,13 +84,13 @@ da7f7780d27eed164797e5334cd45b35d9c113e86afaca051463aef9a8fd787c crypto/bn/asm/ f53d3804456b787be45ace2b33b7a323e5e4fb6cfbe3aa3b6696e3ce0a640baa crypto/bn/bn_ctx.c d94295953ab91469fe2b9da2a542b8ea11ac38551ecde8f8202b7f645c2dea16 crypto/bn/bn_dh.c 74b63a4515894592b7241fb30b91b21510beaa3d397809e3d74bc9a73e879d18 crypto/bn/bn_div.c -98f5d5ac4bb7cc9ba4326ff48eca6830763c72efe13c97f523714aed082be860 crypto/bn/bn_exp.c +569dd0efeac8ced359c96732c694cab8ed8f75e2e6a0e34997c0a4b60e31d0d3 crypto/bn/bn_exp.c ec2b6e3af6df473a23e7f1a8522f2554cb0eb5d34e3282458c4a66d242278434 crypto/bn/bn_exp2.c 7af02a3a30897311fee695fc42af67091ea4cd03abe6d911cf3381d5dbc05f58 crypto/bn/bn_gcd.c e37be15f771ab0b1da741266b0081190436edc9b7eb5298be4a0aca0d4c47ada crypto/bn/bn_gf2m.c 73ee247467879d4ec984c9900dfe7761233c5b889b8762be37c7e8fdd6d1d210 crypto/bn/bn_intern.c 602ed46fbfe12c899dfb7d9d99ff0dbfff96b454fce3cd02817f3e2488dd9192 crypto/bn/bn_kron.c -633eb61f39d047ea3373c96667ef3ca72771ea2a6735ee2870fd63159d43ffb9 crypto/bn/bn_lib.c +18840c8a7996b619a871efdc834d28556e210b8bddddef606a901f094c45fe81 crypto/bn/bn_lib.c d5beb9fbac2ff5dc3ccbdfa4d1aabca7225c778cff4e3b05b6d6c63e182637f5 crypto/bn/bn_local.h b76134e0b4cff3e706cfd018b038439de6f69b75015d8c276a2831c0a9c1623e crypto/bn/bn_mod.c 7ddcb7b9b2b008d6f31783c7697d77dd3188d9f643ca948cf49a805d770c3a14 crypto/bn/bn_mont.c 
@@ -100,23 +100,23 @@ b76134e0b4cff3e706cfd018b038439de6f69b75015d8c276a2831c0a9c1623e crypto/bn/bn_m 5377e9596c3b9a3153ce75004599dce1f0fef23612d4e086cc936a87d4d5fa99 crypto/bn/bn_prime.c c56ad3073108a0de21c5820a48beae2bccdbf5aa8075ec21738878222eb9adc3 crypto/bn/bn_prime.h 3dd5ce6ddea13d04a9470625af35328319d1a5f3a963183095edf3add314b7e0 crypto/bn/bn_rand.c -6a6bb2ca178e1d5415c9b0e7933930009127e6ec5ffb6d8992cbc0a68880865b crypto/bn/bn_recp.c +b5cc902624b3af2149c9ea91f9d18bea56302144e87dfe49105ec6789b73764b crypto/bn/bn_recp.c 669a157968afe07588507a2e9e35c1c4df9c2b0a95cd9c21404b0bfa21be0d37 crypto/bn/bn_rsa_fips186_4.c 704b0b4723e5c9e9bae5f3e35f9ae8ae8dca3383929e954de9e5169845abfdb2 crypto/bn/bn_shift.c 622e90766b29e0d25f46474429aebda8eba2246835b9e85dc26da7cdbd49334f crypto/bn/bn_sqr.c 42c8ce944c889abcfcf089d0ad2744b7587696d8d7785efa91b3f7ec53dc062a crypto/bn/bn_sqrt.c 24e62baa56e02f2db6454e10168b7c7fa7638db9221b9acda1803d43f38f36e0 crypto/bn/bn_word.c -be27115efd36f0077a3ec26b1ff1f586b0b8969ba05d8ffa34b2ff4badf227bf crypto/bn/rsaz_exp.c +ec684bfc01a74492150e930fe6d6cc5586be48b9674bbd7a492efa517d04c340 crypto/bn/rsaz_exp.c c4d64da1cdc732ea918fccd6a7bb2746b03365dd26f7ba1e74e08c307ca4c58e crypto/bn/rsaz_exp.h 55266c387202fd4f90bebfe7bb93c550b23b78dc3a90edcc668e5dbf480f916c crypto/bn/rsaz_exp_x2.c 834db8ff36006e5cb53e09ca6c44290124bd23692f4341ea6563b66fcade4cea crypto/bsearch.c 82117f6a7cfc31fc86ecd9629bd3bf614126b8e8b2c23717a03ff5c1db7c3c5c crypto/buffer/buffer.c 5f43844b5d8665de9ab895f93599150a327d73ec2674bbf7d7c512d30163022d crypto/c64xpluscpuid.pl -019439681d6611d4cb56e62bf27ea110a3fa57f6ee3b11dfc7014cb0b2511c88 crypto/cmac/cmac.c -d211d34a4378198e772765972425571b1b3b497169166c6a602980efb6dfa553 crypto/context.c +40bd11fbe3de4c0fcf16639a3dcfe0f26e3bf447c79f59ec59d7dfc77350a956 crypto/cmac/cmac.c +a6e8cf30340ffaec8aec41dfbef7341afe21e7b13e48899403c529368c0ec6fa crypto/context.c 67c2367871b9350a7f7af5be903d6bcca9ebdbff0e9a9bd9f61b56bef5b76696 crypto/core_algorithm.c 
f0fd9eb38bf7f196bbb4d26ce8fdf86d0a4f9db219157e66b2c0ffefb4f42005 crypto/core_fetch.c -b2fda5598c9709aa294bf05f94558672ab152ae144c7cb2255e025ae7712b0e0 crypto/core_namemap.c +2f03908edadddc55a61e4cfb4d76751a342f61aad564971df37a6b90c7b2a26f crypto/core_namemap.c fe83e1d30a9ef0aa86c1342b4228380dea7e90f9f3cc8d28f5423dfbc1ded011 crypto/cpuid.c a6732e22ccb49cf51fc9dbf23f6059774b70ecc3d7e848c5df112a2d3c179027 crypto/cryptlib.c 66dbfc58916709d5a6913777346083247942a8d9458ee9b2bf443f0ea4988d64 crypto/ctype.c 
@@ -134,17 +134,18 @@ c117ac4fd24369c7813ac9dc9685640700a82bb32b0f7e038e85afd6c8db75c7 crypto/dh/dh_g 6b17861887b2535159b9e6ca4f927767dad3e71b6e8be50055bc784f78e92d64 crypto/dh/dh_group_params.c a539a8930035fee3b723d74a1d13e931ff69a2b523c83d4a2d0d9db6c78ba902 crypto/dh/dh_kdf.c dbb82807f63ef2d9b3cc7b18165091b7c1b90f01b53e03090e4327edcac82001 crypto/dh/dh_key.c -3d9d0cd47a81e69303ebf1a93b4fa9f198fd23cb8edb4730bc8faa11cd751fa6 crypto/dh/dh_lib.c +518edbe8171bd80102869826640abdab5430c47c4cb3f2ad4dfb7c4118833721 crypto/dh/dh_lib.c 8300775d88db0a1aa26a77eb49d6c4f7252e7fee69e1440de4c40edadc9da044 crypto/dh/dh_local.h bbcf4fc3067ac462a27d7277973180b7dc140df9262a686c7fbe4318ca01f7b8 crypto/dsa/dsa_backend.c b9c5992089203123c3fae46e39bb4d05e19854087bca7a30ad1f82a3505deec7 crypto/dsa/dsa_check.c ae727bf6319eb57e682de35d75ea357921987953b3688365c710e7fba51c7c58 crypto/dsa/dsa_gen.c 9978d27e9fc8ff152830ebb781f71338e56a5e116f29c1c2d59a5a112d86362a crypto/dsa/dsa_key.c -0934d01d96dcec39b59ee3d1ec0235ee3829048db73fed3da0882d1da57d5725 crypto/dsa/dsa_lib.c +e67efe8c8e93681ba18e9f9cacf2ca71c36455ffe983df366b585dd453668038 crypto/dsa/dsa_lib.c f261f9d4f83ecc51ab58de89083e9af4ba4a4c922ccd06b0d628f4b60fc104ec crypto/dsa/dsa_local.h f44f24a3f41c58067d49a80f15f314583522d86bcd741b4dd88b78582df3f748 crypto/dsa/dsa_ossl.c 9776be9ac89d4ea1ed33c2055166a12bff474bc6669660b24da61a63a137cc1b crypto/dsa/dsa_sign.c 53fa10cc87ac63e35df661882852dc46ae68e6fee83b842f1aeefe00b8900ee1 crypto/dsa/dsa_vrf.c +62fbc4465a5b37dc794bee277dd216d77917e715c2bb5d37a7e1735e80ad0f8d crypto/ec/asm/ecp_nistp384-ppc64.pl d9722ad8c6b6e209865a921f3cda831d09bf54a55cacd1edd9802edb6559190a crypto/ec/asm/ecp_nistp521-ppc64.pl 78ad06b88fcc8689a3a846b82f9ee01546e5734acd1bccf2494e523b71dc74d1 crypto/ec/asm/ecp_nistz256-armv4.pl 598da295053253578d5461892098b74ec9dcd02c1eb99d537e14e0c5e958c7b9 crypto/ec/asm/ecp_nistz256-armv8.pl 
@@ -152,21 +153,22 @@ d9722ad8c6b6e209865a921f3cda831d09bf54a55cacd1edd9802edb6559190a crypto/ec/asm/ cfe7e75a2fddc87a7251684469a8808b9da82b2f5725eafad5806920f89932bd crypto/ec/asm/ecp_nistz256-sparcv9.pl 922725c4761cfa567af6ed9ecab04f2c7729ae2595f2fc0fa46dc67879dc87b0 crypto/ec/asm/ecp_nistz256-x86.pl ac327475c7ec828d11aa05628b4e3b81ec3b1400f30fe7bec01daf3cf71f2dc9 crypto/ec/asm/ecp_nistz256-x86_64.pl +fc1eff2296d843eec4487321daec0cfb733bbb3ba91d34e75cbefabdad5705c7 crypto/ec/asm/ecp_sm2p256-armv8.pl cc727533130f5f1a29229929b3d4e8454585d647be25d6344f3c6a0240998368 crypto/ec/asm/x25519-ppc64.pl ee897e230964511baa0d1bf95fb938312407a40a88ebe01476879c2763e5f732 crypto/ec/asm/x25519-x86_64.pl 5fe1cfb5bb13a1aa838453101f5a9783cd6cdd0c5f904d5372a74750ac43c302 crypto/ec/curve25519.c -ebd47dd501b147a53ea3c0a0cca18789ac14e2ee4b94e2eed54248992763d454 crypto/ec/curve448/arch_32/f_impl32.c +5daf9f524cd63dd95a2136535b27f2b3d90966562ea5766f4b2d1cd4fccf2502 crypto/ec/curve448/arch_32/f_impl32.c 063dac1e4a9573c47532123e9e03e3532a7473cc3e146521ba9ec6f486ddf3b1 crypto/ec/curve448/arch_64/arch_intrinsics.h 43423b7ee85a5c740c1d81499ee06f4a17732c7731a598e7429d5e402ee77cf4 crypto/ec/curve448/arch_64/f_impl.h -6b01b404354822a5d9cee5ab26f015c362b8ea64be373236e6526bfa67380b51 crypto/ec/curve448/arch_64/f_impl64.c -b35976955a49414313e3823144a898bc58873b755f4e3a772d520cdd63099581 crypto/ec/curve448/curve448.c +c3146bb6777776d39b89647e3dd3e8afc3d19338c75ff294d6986289cef59c40 crypto/ec/curve448/arch_64/f_impl64.c +a3803940dcb1e53358edac1bc05fe8777b8007668d5aa11af5812b97d4f94c63 crypto/ec/curve448/curve448.c a6c70707c520234ccd111562f012e1abf83c43b20b3b36c339ef1ea0369a9e5f crypto/ec/curve448/curve448_local.h 178fb9863c33174b633c2e7607160b1bedb506d66cc06d53382d87431441f306 crypto/ec/curve448/curve448_tables.c f30e13bba5a136ab9ba5225c98b9b94c2cd73fb3aef60f9dcde3cd471cfa1ca4 crypto/ec/curve448/curve448utils.h 4a45e7828831fbe9f282f933cda54b12cd393ec9bffe5c0ace8e4d1c4d5d6358 crypto/ec/curve448/ed448.h 
498fda3e0f2d261ab9729ae4de05ff1b496af4582aa019f507570f852d5a2726 crypto/ec/curve448/eddsa.c -560f59ae21672e90d20dd1560cf32e914ffa67b2b5c5353a829267402105c810 crypto/ec/curve448/f_generic.c -0f0515def4bd6625a6bd230cd52256056c622f3ba6c94674067176b023aa041b crypto/ec/curve448/field.h +9f712e7397b10f1dc88a6d18ff38dcda13d09c02775f3682f2b8698715b1095a crypto/ec/curve448/f_generic.c +070daafb9a532ebb8bc0af8b1341254f0cd3e8932a8c8a2dca7baeef6678768b crypto/ec/curve448/field.h 2ad8331e893b5db33198e27603891587686c0dfdab29706dc52a7097c5d6f219 crypto/ec/curve448/point_448.h 1ff6e467d72530c71d21c310180d04a24f0a9cb41168fba94b43309ecdda3888 crypto/ec/curve448/scalar.c 3052a044afae2e91b677542fc8b34b3ec9d033e0c6562b0d43098cfb34ab3c9d crypto/ec/curve448/word.h 
@@ -175,13 +177,13 @@ ae1637d89287c9d22a34bdc0d67f6e01262a2f8dcef9b61369dba8c334f5a80d crypto/ec/ec2_ a1f22814f501780591da20de5e724895438094824fce440fd026850c46ad8149 crypto/ec/ec_asn1.c 29783240b377e98006d21b13e984545aa296b26070fd74e77f7d75c01d2616f3 crypto/ec/ec_backend.c 7f19cebad4a94db291464b0d93006a87d15ccec93b94f725052a1037107a96be crypto/ec/ec_check.c -fe690c2e9563813c523eedd4ebe80dc055591699c72058eb04ffbb898c571ad2 crypto/ec/ec_curve.c +c85f4885f2892dcf074451b137efe0828e486ff5ceadae1fac9b2543fa2114a1 crypto/ec/ec_curve.c 8cfd0dcfb5acbf6105691a2d5e2826dba1ff3906707bc9dd6ff9bffcc306468f crypto/ec/ec_cvt.c -9d6f41b7d7b2aaa0fcb06be833a5d0994f45d377e599107cd2f084275ba5e815 crypto/ec/ec_key.c -8528e8a2329ad6dcc0a90f8d8ba2a89065c6fd5dd01ad0b4af37a4e2136b5d94 crypto/ec/ec_kmeth.c -f4585fe3cf728b73f8c96e6e12317863e6a97694d6b456ce0e57956601eaad33 crypto/ec/ec_lib.c -a8a4690e42b4af60aad822aa8b16196df337906af53ea4db926707f7b596ff27 crypto/ec/ec_local.h -0565e3b0d3ae0aa5e27397d67fdcdc026840273fd20b51f8ba94111c40db3a7c crypto/ec/ec_mult.c +f4b1f679ca6da3e54121109d4f40b0c46a2366ef48bbf17d8e769f8baaa35f5f crypto/ec/ec_key.c +93f35d2e21d49bb6780d200fda8486edd4a7123956337ba535720bb547a47c4a crypto/ec/ec_kmeth.c +1829428993aa5c51c6322d7d800cb13ccd566bf1f9e38d271f618f1a2315c3c5 crypto/ec/ec_lib.c +eb2f08624819f5d5d865b954a1123a833bc18e9024980f5701125f230e6406b1 crypto/ec/ec_local.h +7417037d376a99498b3044982d72fbe07bcd2cc5b78f73c3665e87c9202af418 crypto/ec/ec_mult.c 5ad8b7c52f91416c5e93b96e1d19f6c0ba1bb8f99d1e382ac43025e8d060a278 crypto/ec/ec_oct.c c7fba2f2c33f67dafa23caef8c3abd12f5336274a9a07d412b83be0366969ee6 crypto/ec/ecdh_kdf.c b86a943ae62145438a7214539ceb3e0de5a30e17a6e59742c6e30991db730ab6 crypto/ec/ecdh_ossl.c 
@@ -190,37 +192,37 @@ b6baa42b16e8df69a12e0ab101033100cddc808ec2682ba1574373e6ec86ae93 crypto/ec/ecds f686cea8c8a3259d95c1e6142813d9da47b6d624c62f26c7e4a16d5607cddb35 crypto/ec/ecdsa_vrf.c 141cfc1459214555b623517a054a9e8d5e4065a11301237b7247be2c6f397a0a crypto/ec/ecp_mont.c 13b30f34aeeb0c98747239bfe91b5f0f14e91b2c1f11db62ebb5950c7219daa0 crypto/ec/ecp_nist.c -c31fa62261bfb2bebe336067b6e3a662b5b0bb3d30f8ad7d47b72b99429a45be crypto/ec/ecp_nistz256.c +b19d2ffc6a21405c125e7831a9c1385acad8eea283f52c6b57ac6c8728233ccf crypto/ec/ecp_nistz256.c 51cb98e7e9c241e33261589f0d74103238baaa850e333c61ff1da360e127518a crypto/ec/ecp_oct.c 9cf3bacc8a990f6dffe369c28f2f47b192c8d17178185acec601e3fee5b05fac crypto/ec/ecp_smpl.c -8de7a1fbe71eef60696ce8feb77515d18ed5b890f3276dd2b13ee0286966fa3f crypto/ec/ecx_backend.c +aeb2c57685fd610dd1a9d176b70b42cd8d91a252a1e54d3b90b07406d9570883 crypto/ec/ecx_backend.c 5ee19c357c318b2948ff5d9118a626a6207af2b2eade7d8536051d4a522668d3 crypto/ec/ecx_backend.h -30e7f80d6b1947ab2eafdd60209763dda059f77dff395ac5d7e430924fb571d6 crypto/ec/ecx_key.c -ce0c8dc6215a0180bc3163c232944baaeda19d6f2e19482fe89e657d5469e3f6 crypto/evp/asymcipher.c +72caa2b7d2a54165fb35fea5ec7f5f230a3e9746fa71d56cb345e809bfdaf0a0 crypto/ec/ecx_key.c +64d0ed4018f874f6f88f60eea7b8cc093ebd2495172132603f759445d0bf0edc crypto/evp/asymcipher.c 0e75a058dcbbb62cfe39fec6c4a85385dc1a8fce794e4278ce6cebb29763b82b crypto/evp/dh_support.c -4cd4a0eb50c5d8997711dbd05cd447db48ae985274307badaadff4b6bbea6ea1 crypto/evp/digest.c +d418a565008404e44f1b4324902cf57384dee9b1e01e897eaa072f7dcafce0cb crypto/evp/digest.c 838277f228cd3025cf95a9cd435e5606ad1fb5d207bbb057aa29892e6a657c55 crypto/evp/ec_support.c -8bd1c1241fa9f47295df137ddefbeabd0438ea958044bf0de91996edbd1c497d crypto/evp/evp_enc.c -619bd698996d7fd369ce9b859b783238a36c5eaa6ce4007f2f78cefa0d607b74 crypto/evp/evp_fetch.c -ce982249442688249f7c53d0824ae6affb1cf89281f35fbd68c1e0c4c57217d3 crypto/evp/evp_lib.c 
-785035bcf2f91d6cde921c344c2c5d535c1ec11b5061c6d2352d1a0ade44368f crypto/evp/evp_local.h -4012e1fb755b64dbc3655fda83beeecdf8e9fb09fb15ad2ed0d31aa8bd7b285c crypto/evp/evp_rand.c +3e724128a7589dd7cd354993493d6b38f95c64a5fb018c63058e0a7591623a63 crypto/evp/evp_enc.c +2531ea569aeb8805180a963373ed7eac52acc5eb45d12bda03316bb8a1a8ed47 crypto/evp/evp_fetch.c +f70344599d39e667978e939c553abd3a3dd6660541378d44e1c438f31f5d71a6 crypto/evp/evp_lib.c +33c1282761af93b4a17565dd30f8f031729ef09fc3d643b2a812f8c4ef0df570 crypto/evp/evp_local.h +cf82d0376e9550c0e5bfdddc8c1d6ebd0e9055c4ed3c70458cdf5a96ffee653c crypto/evp/evp_rand.c 2a128617ec0178e9eeacbe41d75a5530755f41ea524cd124607543cf73456a0c crypto/evp/evp_utils.c -25453a1f3eb3c2771cfabc301319fd7aadfc6567a1c309a79f20e924ca49b0d7 crypto/evp/exchange.c +a9e940b29f3064e771eeafe9d4d0e6d1f7258cd61a57258faabdbe8121764986 crypto/evp/exchange.c 294284ad040fe4b74845f91b1903c961c757e1ef3fcc2ffa35f43f37f1655e64 crypto/evp/kdf_lib.c -20289ff0abde47be4d99cbe97605e2174077a8f0dcbce28650664f1102334299 crypto/evp/kdf_meth.c -7a9c03d559bf9e1f88348b52bb07084eb5db29b7907a2ab57a472827b41a2659 crypto/evp/kem.c -eae211e3333b1048d84532c625aab7e2014519c09b0a52495fedc4d05b2b057f crypto/evp/keymgmt_lib.c -9ffc3c7f01afc1d311485aa726c7b83de4b669c6b384f577b999d5eb85ec5342 crypto/evp/keymgmt_meth.c +9328c7ea06e0719aaff2d59c959d1b7907b9e6a337f784680e2e289e8c3e4328 crypto/evp/kdf_meth.c +c67d90f42c4d2294ecd103bdb02296a13248ead4aebadc3aead0cb964e171d81 crypto/evp/kem.c +c4c8a30541a51d50872f03994829419a72d52c8207f9047fdc6fd28dfd43c057 crypto/evp/keymgmt_lib.c +43a8d931d2abceea1c009b62f93bd720fa33e261491d395ec6857462db4bef77 crypto/evp/keymgmt_meth.c 41f2e8d9fca78dfce6116e659fdefbdeb590cee567d5f9681eb2c028c0b5c424 crypto/evp/m_sigver.c 2a1207fc3108d1aef4fc10f5d450dc344214f3cfff7a6e9688468c12846d4b64 crypto/evp/mac_lib.c -1fff35c066fa6fc5acb81492efaf8153b265f64ab01675a5e4e8cf5319ffb4f6 crypto/evp/mac_meth.c 
-1bdbe938aa6d8b5fa74cbc24dfec9b2222554ae9b6bc70f7b89ce22f046b7028 crypto/evp/p_lib.c +036307223518ec03a93c9e519cbad9903341bf105642b6b694a791d31a1f232c crypto/evp/mac_meth.c +91acfeae1ee4ac6ee1760a820d8ca6688087e77756e09e151e3bc17c76b12064 crypto/evp/p_lib.c 3b4228b92eebd04616ecc3ee58684095313dd5ffd1b43cf698a7d6c202cb4622 crypto/evp/pmeth_check.c 759573aea2a4cc7b6f763b440e6868bfcfcb7ca94d812fa61ab24a194be2cb36 crypto/evp/pmeth_gn.c 7d9dfc974d15a2b7e2c1c6c54a594f0a14ccdfe5e2e1afe84a3a52130ac8097b crypto/evp/pmeth_lib.c -dfac9cb90864156a3e6aa59b1f105f0420d7f3d36a2dac54ba5e29978af38865 crypto/evp/signature.c -ab5734306605c9b83c1041084d7e3af619b15ade78da92b4151e09d80a79f88e crypto/ex_data.c +76d005962440945c127571ca3b3ece7c55944828b41d48c0bd1b819bd40408ab crypto/evp/signature.c +49059c31a933b2cc173ea0e3b5778e3cde9cf209fff624827c0915dc9f0324d7 crypto/ex_data.c d986ec74995b05ff65a68df320ab45894ba35d7be4906f8d78ca5fca294a4e6c crypto/ffc/ffc_backend.c a12af33e605315cdddd6d759e70cd9632f0f33682b9aa7103ed1ecd354fc7e55 crypto/ffc/ffc_dh.c 854378f57707e31ad02cca6eec94369f91f327288d3665713e249c12f7b13211 crypto/ffc/ffc_key_generate.c 
@@ -235,9 +237,9 @@ c9c635805b26d85e8c0c7720592fb04b674cde4339fcd94712a4403e8677cb41 crypto/ffc/ffc 6259c0e543faadc1c06a16095df38e9e4ce74a25b74e2951e601f9d4ea9bfb77 crypto/lhash/lhash.c 5d49ce00fc06df1b64cbc139ef45c71e0faf08a33f966bc608c82d574521a49e crypto/lhash/lhash_local.h a4f8f200ca749db91da97735c107836dfb2b623424b15c020ec6e48d874f4564 crypto/loongarch64cpuid.pl -fcb2f1770dbf603134efec340ffd577524b7b9874d7c84372c0644d20ac75ada crypto/loongarchcap.c +460a7af09cde89a820b091522ada1310cfcec99c60aee505f94c48c35e9a29e8 crypto/loongarchcap.c f866aafae928db1b439ac950dc90744a2397dfe222672fe68b3798396190c8b0 crypto/mem_clr.c -9abccd2f35b3b2419efb58b1d77950f8020754b452999a84476c32b65743b5ce crypto/modes/asm/aes-gcm-armv8-unroll8_64.pl +36e24eae5d38cc9666ae40e4e8a2dc12328e1159fea68447cb19dab174d25adf crypto/modes/asm/aes-gcm-armv8-unroll8_64.pl 580b90b1a2b4324afbe680c3ff59d58d0eff0b59511e5cf56fb119d2634c9a3b crypto/modes/asm/aes-gcm-armv8_64.pl 4fc1e83482ecc5c6cd01f1e1ccb7b84aa39993f1445e529062b7d4041a7eb190 crypto/modes/asm/aes-gcm-avx512.pl 400a202abf66c6a3430965c38f7164ac297c856e8585862f59e3ff188bb35a6b crypto/modes/asm/aes-gcm-ppc.pl 
@@ -265,20 +267,21 @@ e55a816c356b2d526bc6e40c8b81afa02576e4d44c7d7b6bbe444fb8b01aad41 crypto/modes/w fb874ea18e9754dde11ef1c2993818074ff7cd8a74a981598745f7e11317bb91 crypto/modes/xts128gb.c e49f44c0c91789015fd45f9260eafe3139e6b73ca2af612df4aa21b71c637ca1 crypto/o_str.c b0decda3aae1d3e07cf3cbe9153cdde9deafe65fae346cd208951b4d7dec512e crypto/packet.c -83e09119c8dccfa6b562af2b04744fac46306a26a53826cf9007382a1de8eee4 crypto/param_build.c +fb60966da0d636a59921c7eeadebedb79caa9667eb1622330ab7e1f31a8d24eb crypto/param_build.c fa2062acdb901c9b15904b5c8f805247bba8b0eaa935c35fdfbe8d53ff463a7a crypto/param_build_set.c -e8ca4fc583eed166620ae3d8493407842525f1824cd747aadc0b4810cb27b257 crypto/params.c +a267f41a7dead2b1f7ea35ad7d2d04db50cb75d0fb20fbc2fa72ba7ea4dc34a0 crypto/params.c bb7b79b5a070050f5e7dfc66b5635f0891bc278e3e24eec3583b769b33bef657 crypto/params_dup.c b2bd2b5cf3de2fe130223470da22fe4c1b08e75f0c10fcb7d0c089c9f9851f78 crypto/params_from_text.c +e7bdda0dcbf7aa6d4b9d55efd7c59e78bc68aca644d64a7c316a044bccf20505 crypto/params_idx.c c27b8c1659274be74e2d6e9fd76980df499d1331c0c2d51f41b3ad547ba88d59 crypto/ppccap.c 46fa4994a6234a98a2845d9337475913f6bc229f1928abc82224de7edf2784b8 crypto/ppccpuid.pl 467c416422ecf61e3b713c5eb259fdbcb4aa73ae8dee61804d0b85cfd3fff4f7 crypto/property/defn_cache.c -1fb5cf16e5e1bd0bef77585660ed70b9f472ecec127f5ae1aca23c1d3a6e57c5 crypto/property/property.c +289f8d0569123201d700934663fabf7215079731a4ea2f5db7944a6cb80d9868 crypto/property/property.c 66da4f28d408133fb544b14aeb9ad4913e7c5c67e2826e53f0dc5bf4d8fada26 crypto/property/property_local.h 988e14f794b50729aa9e809e1160d7c52cc77bc891df037ac19cefa946df20cc crypto/property/property_parse.c a7cefda6a117550e2c76e0f307565ce1e11640b11ba10c80e469a837fd1212a3 crypto/property/property_query.c 20e69b9d594dfc443075eddbb0e6bcc0ed36ca51993cd50cc5a4f86eb31127f8 crypto/property/property_string.c -adb76fa39fbf34ac261af97b8d03322995b07cd2ef11a0e6979870cf84dd11ba crypto/provider_core.c 
+bf5e9f8e49672afc09f4130ba300844d4412f9e3467985f693da70e34f1a4f3a crypto/provider_core.c d0af10d4091b2032aac1b7db80f8c2e14fa7176592716b25b9437ab6b53c0a89 crypto/provider_local.h 5ba2e1c74ddcd0453d02e32612299d1eef18eff8493a7606c15d0dc3738ad1d9 crypto/provider_predefined.c ba5c07983cb1d18e6d3e97f8ea16f99175c5461efe99d160051c6bd2886c0217 crypto/rand/rand_lib.c 
@@ -291,27 +294,27 @@ f0c8792a99132e0b9c027cfa7370f45594a115934cdc9e8f23bdd64abecaf7fd crypto/rsa/rsa 38a102cd1da1f6ca5a46e6a22f018237964336274385f5c70cbedcaa6997647e crypto/rsa/rsa_chk.c e762c599b17d5c89f4b1c9eb7d0ca1f04a95d815c86a3e72c30b231ce57fb199 crypto/rsa/rsa_crpt.c e995da1c2e5007bd7f5907f369fe45ed15f4e657143a85078c755bd5e6863d0b crypto/rsa/rsa_gen.c -98854736de2bc5cb1d092f116969f7121b6d56a0d7b00a51310c930caddeec32 crypto/rsa/rsa_lib.c +b8e4d0aca3bcf9290163a5ef19a8de92552ab70ce4fe28cf2a4ee04211289f6f crypto/rsa/rsa_lib.c a65e85be5269d8cb88e86b3413c978fa8994419a671092cbf104ff1a08fda23b crypto/rsa/rsa_local.h cf0b75cd54b61b9b9a290ef18d0ddce9fb26a029a54eb3f720d9b25188440f00 crypto/rsa/rsa_mp_names.c 5c60f6e05db82e13178d805deb1947b8eee4a905e6e77523d3b288da70a46bb5 crypto/rsa/rsa_none.c d0538475c5ebd2b2c585dc33fdcfb9a7a2f59f623b7ab0f8a09344a439082dfc crypto/rsa/rsa_oaep.c -2e00c4f957b3e8bf08ffc79f9da349750f10b7c16d8cc4d5f804a99e45e15f95 crypto/rsa/rsa_ossl.c -b99b1133abf85c69d631498aed886d360ad5883c727f3108f807a0b6f370e204 crypto/rsa/rsa_pk1.c +6adc9202558e531f4d78c75920882e916be27395dca386044a91adae5b331c64 crypto/rsa/rsa_ossl.c +54446a41065d85d22ed521285196bf285427a071d32d00d070b2248723c2a914 crypto/rsa/rsa_pk1.c cdf66a4964152e16b7da5b6631f31bd2d90bf730b5a46c2622d5279abdecabe1 crypto/rsa/rsa_pss.c bf6d300b7e7e9e512a47c5bd1f8713806ae3033a140d83dfae4a16ad58d11170 crypto/rsa/rsa_schemes.c 58db0509f34d970a2f206d468f718c17513970315d5d5ec92822fe6f4b6523fa crypto/rsa/rsa_sign.c 740c022caff3b2487c5838b581cdddcc7de2ceabb504aad72dc0dd70a67bf7cf crypto/rsa/rsa_sp800_56b_check.c 8eee673d98a640e30a245556ea046080d4272d20832f0c29157ec9a23cc43d3a crypto/rsa/rsa_sp800_56b_gen.c 1c1c2aeeb18bf1d69e8f134315b7e50d8f43d30eb1aa5bf42983eec9136a2fdc crypto/rsa/rsa_x931.c -8f9bf9d8d51032960441bc0143bd800051f9eb5d8475da0a5ba18049e751dcad crypto/s390xcap.c +4bf7f5cbbf7bf0e6c904b8c4988d077842cdd6aed0ad184cbfa4d4b3bfee79af crypto/s390xcap.c 
22205848cfb55116ebf999dced8331b575886a609ce29e6886e6267b2310c337 crypto/s390xcpuid.pl 465f850c3d6f2e9410f2e1ee9604b1b5b80f99bae1f6c581161c2f7ebc2c6e41 crypto/self_test_core.c 05c533fde7fdba0c76103e97d881b7224c8427451b453e2f6413552996063e31 crypto/sha/asm/keccak1600-armv4.pl e32c7d698a6f156544aa42443e359af67076097471d9a171177afc668e9ebc74 crypto/sha/asm/keccak1600-armv8.pl -ef575a7fb4956cc3be4ef10a6aeaa10702eadfc92c86167880690320ce942b26 crypto/sha/asm/keccak1600-avx2.pl -f1dcf75789dfb0c5d7cd35988cb8046f60097bbaf1fbdab32a9269fa5492214c crypto/sha/asm/keccak1600-avx512.pl -63e547b100562d1142512d5b54e16efc276ecb6c743c27873dbcdd7cb917c828 crypto/sha/asm/keccak1600-avx512vl.pl +12b7acce2fba0bc0e1ca07842ec84be6a022f141c86e077abb42c864af1d8d9c crypto/sha/asm/keccak1600-avx2.pl +faf0cccb685d5abc807e08db194f847c67b940da2fc3c235c210dc31d73a5334 crypto/sha/asm/keccak1600-avx512.pl +be1e7dd9998e3f31cfa6e1b17bc198aeec584a8b76820e38f71d51b05f8a9f2a crypto/sha/asm/keccak1600-avx512vl.pl 33bdcc6f7668460c3bdf779633e43bfad62b937042a73acb007b462fc5b0a034 crypto/sha/asm/keccak1600-c64x.pl 09fc831dd39bd90a701e9b16d9e9987cc215252a22e1e0355f5da6c495fca35a crypto/sha/asm/keccak1600-mmx.pl bd0157f1a5741e0d23f3d84a8dad5a939f8d3c6182573ba2446187dd0d195233 crypto/sha/asm/keccak1600-ppc64.pl 
@@ -351,7 +354,7 @@ f64d16c1e5c3fa4a7969de494a8372127502171a517c14be7a1e3a43a7308699 crypto/sha/asm 8725cabb8d695c576619f19283b034074a3fa0f1c0be952a9dbe9793be15b907 crypto/sha/asm/sha512p8-ppc.pl b69b8a21115f4167641ef94f30846e367f479a2153a5de2991f0a34c564ce4b1 crypto/sha/keccak1600.c 306cacd3f86e5cacaca74c58ef862516515e5c0cafaff48636d537fd84f1c2fb crypto/sha/sha1dgst.c -58f6bacfa26273c9cf1b7b11dd2456253f44f20958905f7cb9d0f8eaf40f9591 crypto/sha/sha256.c +af4756bfeeabca490834f51e45e3fd726b5bbb35bb682b73d857a8c2e080c64f crypto/sha/sha256.c 3d972a11be18bfbfcd45790028635d63548bfe0a2e45d2fc56b6051b759d22f0 crypto/sha/sha3.c dc89d6740cfb58729e3276e03d290ae8319c6b081bfeaf21a0aa15ffb9839e17 crypto/sha/sha512.c 6c6f0e6069ac98e407a5810b84deace2d1396d252c584703bcd154d1a015c3ea crypto/sha/sha_local.h 
@@ -362,17 +365,17 @@ cd677fd62171621d5e6b142df164aa847149ef4a01f6e3cea4516dcb137824e7 crypto/stack/s c0c4fd0f112465c6766072e25268c2f9019430e2c08c3c0a4271603d24d79f04 crypto/thread/api.c e298c753be277ad9a2ac0132d9897cb4c85607dbb2d11cfefd0c98e0f6a723d9 crypto/thread/arch.c 5c02ff77d290ca0deb19672c1ed6fc0f47a0d630f61398a204a2684a7d418f0a crypto/thread/arch/thread_none.c -021d73b0a8789e138b1f5858b15409f3aff0bdae342ddc949b2d7631562abab4 crypto/thread/arch/thread_posix.c -541f31c5666eb389eba59581cf1d5e3705ceba3f24845914b7dc3615db1f7379 crypto/thread/arch/thread_win.c +1506ddf108b99cd192b70dbb00154fbb5e632527fa0ef56796bda4c68f833464 crypto/thread/arch/thread_posix.c +a00e16963e1e2a0126c6a8e62da8a14f98de9736027654c925925dadd0ca3cc1 crypto/thread/arch/thread_win.c 27ec0090f4243c96e4fbe1babfd4320c2a16615ffa368275433217d50a1ef76c crypto/thread/internal.c 67ba8d87fbbb7c9a9e438018e7ecfd1cedd4d00224be05755580d044f5f1317a crypto/threads_lib.c -6822fc32ea6765728f8e077454b4c12b9f2270eb6d85a31227db7a633f76f33a crypto/threads_none.c -37b270126b6a2eed21f11149f9ea5f22a4aec2736761c059944fd8d787826c45 crypto/threads_pthread.c -5ba10c7b18169b6db216bb043c3930f75da3feda0bff72e211edc91ddd1b42da crypto/threads_win.c +5128f6ff98a37b6f9266c6b776020a62e536d8e9e05212c600f42150f32d3d23 crypto/threads_none.c +e29e0fc64feaa71c68da6e5f2fa8a00853f9b2d6a8b516eb474bde51e23065f6 crypto/threads_pthread.c +88b1a6c282ea8e6d3eff5c0808894b49e4b4883847ed45ed448e99249dacf499 crypto/threads_win.c 8b45f948303045d8f753858b1b892e3da13bebe1bdac500db91fbb54a0ac07da crypto/time.c fd6c27cf7c6b5449b17f2b725f4203c4c10207f1973db09fd41571efe5de08fd crypto/x86_64cpuid.pl bbec287bb9bf35379885f8f8998b7fd9e8fc22efee9e1b299109af0f33a7ee16 crypto/x86cpuid.pl -bfbd591ebc5c9cd46cd03f1f76cc4e77ebacb522e3f017422d3cc85a3a3aecee include/crypto/aes_platform.h +f24620e63469b36f9e015841fdabde2af35982268e61183fafcbd6fbdeeeca1d include/crypto/aes_platform.h 99e3f29e2f7f78a4f43f634c5c56a74e3b64b05ad077249eba64976bc47d6d37 
include/crypto/asn1.h 8c6f308c1ca774e6127e325c3b80511dbcdc99631f032694d8db53a5c02364ee include/crypto/asn1_dsa.h d95af0a278bc2edef9c3e1129fc6e7b1577b1ea95249b05ef39c4a4847e9ddac include/crypto/bn.h @@ -381,12 +384,13 @@ d95af0a278bc2edef9c3e1129fc6e7b1577b1ea95249b05ef39c4a4847e9ddac include/crypto 9a7c2ed3703a83e14d25440dc63ef933b21a7225dfc28314a2a23e31706153e9 include/crypto/context.h e69b2b20fb415e24b970941c84a62b752b5d0175bc68126e467f7cc970495504 include/crypto/cryptlib.h 6c72cfa9e59d276c1debcfd36a0aff277539b43d2272267147fad4165d72747c include/crypto/ctype.h +09a27585de4638577b482ec9102a0e70d843dee6297a2d45e27d888f6de5e27f include/crypto/decoder.h 89693e0a7528a9574e1d2f80644b29e3b895d3684111dd07c18cc5bed28b45b7 include/crypto/des_platform.h daf508bb7ed5783f1c8c622f0c230e179244dd3f584e1223a19ab95930fbcb4f include/crypto/dh.h 679f6e52d9becdf51fde1649478083d18fa4f5a6ece21eeb1decf70f739f49d5 include/crypto/dsa.h c7aafee54cc3ace0c563f15aa5af2cdce13e2cfc4f9a9a133952825fb7c8faf5 include/crypto/ec.h -35bf6ad4d804544d8ae56b63a5bf8958dfa76b9a62e02b64cc6b3791e964b78d include/crypto/ecx.h -e11a5d3e68e01fc1e94ed054bc3924b613fc916f2fe30a6347847057ea7cef19 include/crypto/evp.h +2d8cba492193c170d1f759508556188a568cabe5960020b9a889b69838adbfa4 include/crypto/ecx.h +4c3aab5edf9ffc34908a8f74c1263f02573e2ca0ed805e1208ec389e4089867c include/crypto/evp.h bbe5e52d84e65449a13e42cd2d6adce59b8ed6e73d6950917aa77dc1f3f5dff6 include/crypto/lhash.h 906bc2316e4f4651e5db7a8273ec3bb4bcbfb55f0f484bebdae4f6d0ce033bdf include/crypto/md32_common.h 6e7762e7fb63f56d25b24f70209f4dc834c59a87f74467531ec81646f565dbe3 include/crypto/modes.h 
@@ -394,14 +398,14 @@ bbe5e52d84e65449a13e42cd2d6adce59b8ed6e73d6950917aa77dc1f3f5dff6 include/crypto 90930fc8788d6e04e57829346e0405293ac7a678c3cef23d0692c742e9586d09 include/crypto/rand_pool.h 2f502340909e531a9a7c71451400eb68a53bf62015c17b0169b1efffb0703882 include/crypto/rsa.h 32f0149ab1d82fddbdfbbc44e3078b4a4cc6936d35187e0f8d02cc0bc19f2401 include/crypto/security_bits.h -0f743762f646656b5480648c05632575fe8acc7506460c63e0fcdf42cf20c08a include/crypto/sha.h +80338f3865b7c74aab343879432a6399507b834e2f55dd0e9ee7a5eeba11242a include/crypto/sha.h 7676b02824b2d68df6bddeb251e9b8a8fa2e35a95dad9a7ebeca53f9ab8d2dad include/crypto/sparse_array.h 7ad02c7de77304c3b298deeb038ab2550cf8b2bce03021994477c6c43dbcf86e include/crypto/types.h 27d13538d9303b1c2f0b2ce9b6d376097ce7661354fbefbde24b7ef07206ea45 include/internal/bio.h -704a7b439036f517df08fe2cab9b92ca5bf60457ae1902b965bdc0f74358a8aa include/internal/common.h +92c4187dc051dbab777271e6976eb10bc90197abfd9b0d6f20bc17503f54564d include/internal/common.h 92aacb3e49288f91b44f97e41933e88fe455706e1dd21a365683c2ab545db131 include/internal/constant_time.h c5bb97f654984130c8b44c09a52395bce0b22985d5dbc9c4d9377d86283f11f8 include/internal/core.h -e5711c7480f6d1818d9eba2ba379961446f9cc24def2368dfe8171e077854d3d include/internal/cryptlib.h +3e4700edd79786624a6a4ea00b609290f70ad89325e220eae8a5c7fe7b0a7d99 include/internal/cryptlib.h 9571cfd3d5666749084b354a6d65adee443deeb5713a58c098c7b03bc69dbc63 include/internal/deprecated.h dc5afb955d810feb5af9f8d25cd8a92118abef320fee95c07b04f301c4e0d96c include/internal/der.h 8059e715f981fbe02b5731610ed24bb6ae617a55e90b03f4260cbb6ccd71e8de include/internal/deterministic_nonce.h 
@@ -412,14 +416,15 @@ f144daebef828a5bd4416466257a50f06b894e0ce0adf1601aa381f34f25a9e7 include/intern 19b0b6356921484359c2e5e7839ffc476fe48a31fbae31595545a58c920ae224 include/internal/ffc.h 55c4102496ed5ab16de11afe38c328a1396c3b6e2c7e44add4a38855103c19da include/internal/namemap.h b02701592960eb4608bb83b297eed90184004828c7fc03ea81568062f347623d include/internal/nelem.h -ae41a2fb41bf592bbb47e4855cf4efd9ef85fc11f910a7e195ceef78fb4321dc include/internal/numbers.h +3363405b2d6afab68f7e13921385ccb648fe7f77522bd0aa5fdf2d7af0b87660 include/internal/numbers.h 66f7c420e531383e8a93c1daccbdc4ab64d11e0ed167af1b7f7be54bd61329aa include/internal/packet.h f42d4a6108a18ade3eb99682c072adf83889b6ba3fc80ee3e20929ed8d0f7137 include/internal/param_build_set.h +5c6c98b1a642b999c909c7cfb91e7925422fbd0b9eca56210ea745bc20668783 include/internal/param_names.h.in 46d7980258a8d11353af3e3dab87c368eec054e46ac8a0facec68b23ba94d91b include/internal/params.h d4ac19b28ea61f03383364cfad1e941cac44fc36787d80882c5b76ecc9d34e29 include/internal/property.h 727326afb3d33fdffdf26471e313f27892708318c0934089369e4b28267e2635 include/internal/propertyerr.h -9a73c9ac02eb93a8399381862397bc27fbf8abb7523b07e9f1da9f2e66a913ae include/internal/provider.h -80d7d12b8b3d9945bde3991cb0d1413d120a58a04b17ac673549789e3f37b18a include/internal/refcount.h +811eff73f789e535530cf23ea6037d4da6cde53398e0e7063e60c68b8923a9b5 include/internal/provider.h +9b7d51e4bcf7375dff3ef2d815443c36f19b4a48bcf89a5805a55dfac30505f8 include/internal/refcount.h 5f48b2caa1986f85fc31d1f96621684736c27964291b3718dd35f3a15534fa99 include/internal/safe_math.h 11ee9893f7774c83fcfdee6e0ca593af3d28b779107883553facdbfdae3a68f5 include/internal/sha3.h 494ab5c802716bf38032986674fb094dde927a21752fe395d82e6044d81801d1 include/internal/sizes.h 
@@ -435,7 +440,7 @@ ef96b731db0e0998c11a297d601f5b37c02525774d532fb4f92160e9069c7dfc include/intern 47fd81a330f042baf3675f4154c6276ab7a8cf76efaf01288abe41f119ec5588 include/openssl/asn1.h.in d4733dcd490b3a2554eaf859d1ea964fe76f7d24f78e42be1094bdad6dee7429 include/openssl/asn1err.h 1550474ee05423896ec4abfb6346f1bc44c7be22329efac9ea25de10e81d549c include/openssl/asn1t.h.in -7942aecc6a5459c7ab0afc09ddfb60dcc89734026b760a20fedee5999d0ea919 include/openssl/bio.h.in +96c3b90a890f5dce1c9186c8d5bc26769bb8e1f0254d304fc9f1ae018344b497 include/openssl/bio.h.in fe5ab4bc904b7c77e5411c4b7dda6d29595eb60a87f00e30ab32f48391f98b44 include/openssl/bioerr.h 9caa80699882befcce556446a45e5ffde5aa938aa2aae0e8ecd46c9c6a3fe419 include/openssl/bn.h 9ad8b04764797f5138f01f549ba18b44cf698ffc7fe795fef42c1822d84a6ff4 include/openssl/bnerr.h 
@@ -448,12 +453,14 @@ f20c3c845129a129f5e0b1dae970d86a5c96ab49f2e3f6f364734521e9e1abe3 include/openss 6b3810dac6c9d6f5ee36a10ad6d895a5e4553afdfb9641ce9b7dc5db7eef30b7 include/openssl/conftypes.h 28c6f0ede39c821dcf4abeeb4e41972038ebb3e3c9d0a43ffdf28edb559470e1 include/openssl/core.h 99d507e9aa0b4ad94b191b1aba2cb5d426b8fe130910e6f9c86a8ca62f42f8cc include/openssl/core_dispatch.h -f61a4730da115ebb967d9515412226030b94902d05e96b685f2579adda629fe1 include/openssl/core_names.h -bdd4f653c09f762e89fd498f4e597789d1e491967910591f8504684dc79ed593 include/openssl/crypto.h.in +8b4027cf19ce2a7cbad506cde61552123818b6eae62d5fbdae34e9f68660e6f8 include/openssl/core_names.h.in +371413ef13841f1245a225c8ec1cec463629c42bfc33254f979d2a8672112f9a include/openssl/crypto.h.in 2f9570c2514b4d1b2a86fbdf30ced879e5c52e62f1d3691cb3da37ce4f6a98dd include/openssl/cryptoerr.h bbc82260cbcadd406091f39b9e3b5ea63146d9a4822623ead16fa12c43ab9fc6 include/openssl/cryptoerr_legacy.h +83af275af84cf88c4e420030a9ea07c38d1887009c8f471874ed1458a4b1cda7 include/openssl/decoder.h +503b45367b035ddf6e54587125c2100ceec324d646e6f3df92c12513185e977c include/openssl/decodererr.h fa3e6b6c2e6222424b9cd7005e3c5499a2334c831cd5d6a29256ce945be8cb1d include/openssl/des.h -0558a131214f508cd0619658a33af1d62579d94d50df5348994a1de12371b98e include/openssl/dh.h +0837b1ec7074b37d2e1d5ac46d6003c3fc4f1ff10f2e44c64b5709b0bacec4e8 include/openssl/dh.h 8db02ada121100704950b2199c8129daf7562b9ad2812121e20fcf50d7ba7c3d include/openssl/dherr.h 3cfb7211419c5dcc98b9a20713e2245befa0182a10615edb89a5ce0a0725a787 include/openssl/dsa.h 276d1f6e111ba933bc708e6a0670047cbe0d0b67aabe31807abbbc231de4d8cf include/openssl/dsaerr.h 
@@ -463,7 +470,7 @@ bc9ec2be442a4f49980ba2c63c8f0da701de1f6e23d7db35d781658f833dd7b9 include/openss 7aa8c5bee779af59d4733f6a50f7f6be39f1eb43409e5b3357440f9a7d0ca115 include/openssl/ecerr.h 61c76ee3f12ed0e42503a56421ca00f1cb9a0f4caa5f9c4421c374bcd45917d7 include/openssl/encoder.h 69dd983f45b8ccd551f084796519446552963a18c52b70470d978b597c81b2dc include/openssl/encodererr.h -c6ee8f17d7252bdd0807a124dc6d50a95c32c04e17688b7c2e061998570b7028 include/openssl/err.h.in +d4d376d2251df847f8c8aaf164834787332802ff3ce0c9263be3de952cf00ea4 include/openssl/err.h.in 644cb0cb1d8a6f94395088d5f628a5771513f58708893839647894f4875f5278 include/openssl/evp.h 5bd1b5dcd14067a1fe490d49df911002793c0b4f0bd4492cd8f71cfed7bf9f2a include/openssl/evperr.h 3085bc5a77ea3776619bf9c748632a3a23f1d8dcad5239ba0f48939f375fb0e8 include/openssl/fips_names.h @@ -471,9 +478,9 @@ b1d41beba560a41383f899a361b786e04f889106fb5960ec831b0af7996c9783 include/openss 47a088c98ad536ea99f2c6a9333e372507cb61b9bdffb930c586ed52f8f261eb include/openssl/hmac.h faab8accc9520269dd874126ae164a43526d5784e6280521c7ab3772c02b0a0c include/openssl/kdf.h a09630e7aaf5862aa9f1dc8aaa8e9b9326606ccf3f4adf250d156d79c886da8b include/openssl/lhash.h.in -7326b7d7849ff7aed85a2da3ef382d930a72b8ee6b027aba9bc59bfe88c039c6 include/openssl/macros.h +1368eab024d7d2bf9297ed08dce20ed1a57bbc6ab423b026c46d855ba870a6cb include/openssl/macros.h 9184207c562fd1fa7bd3a4f1fadcb984130561279818f0cdfcf3e9c55be8a7d1 include/openssl/modes.h -186f94274cb36d40bda9a8815aa87e85a19a7844d8391e2c3aca5200dee01112 include/openssl/obj_mac.h +290ff74354553fc9746e4725bc5cfd9de59dad691fda3f3f5880cb0d767b08df include/openssl/obj_mac.h 157797b450215f973eb10be96a04e58048ab9c131ad29427e80d0e37e230ed98 include/openssl/objects.h d25537af264684dff033dd8ae62b0348f868fcfec4aa51fa8f07bcfa4bd807ad include/openssl/objectserr.h fe6acd42c3e90db31aaafc2236a7d30ebfa53c4c07ea4d8265064c7fcb951970 include/openssl/opensslconf.h 
@@ -482,17 +489,17 @@ fe6acd42c3e90db31aaafc2236a7d30ebfa53c4c07ea4d8265064c7fcb951970 include/openss 30085f4d1b4934bb25ffe7aa9a30859966318a1b4d4dcea937c426e90e6e1984 include/openssl/params.h ed785c451189aa5f7299f9f32a841e7f25b67c4ee937c8de8491a39240f5bd9d include/openssl/prov_ssl.h 08980b1dbc01e2926fc59707d867030fc7a3d37dc625c0e1edf2d31bdf71b2fb include/openssl/proverr.h -7d9830aba8090cbf9daec67ac6127e22486b3b2fdccdc465f1cd231cae38006e include/openssl/provider.h +03bda8974476f0f038a7cfa0cb30f0b8210d55c74c6e7e853fd1564dca3e2b14 include/openssl/provider.h e512ab2e492d968a9bf8b2b048f79ac5dfe11bddf3c00f2eec6e9c6ecc57d330 include/openssl/rand.h 108966f56c82fedff53df76a4aa7861c82be4db1fd1ddafb59dc086ea155831c include/openssl/randerr.h 2f4f0106e9b2db6636491dbe3ef81b80dbf01aefe6f73d19663423b7fcd54466 include/openssl/rsa.h 2f339ba2f22b8faa406692289a6e51fdbbb04b03f85cf3ca849835e58211ad23 include/openssl/rsaerr.h 6586f2187991731835353de0ffad0b6b57609b495e53d0f32644491ece629eb2 include/openssl/safestack.h.in 676015d7541e7929c8ecbea648665f869d7edf50f9e7292a401b18c63a7ffe05 include/openssl/self_test.h -2964274ab32b1ba8578a06b06663db2eda4317ae806369271d889176bb5a7d04 include/openssl/sha.h +a435cb5d87a37c05921afb2d68f581018ec9f62fd9b3194ab651139b24f616d2 include/openssl/sha.h c169a015d7be52b7b99dd41c418a48d97e52ad21687c39c512a83a7c3f3ddb70 include/openssl/stack.h 22d7584ad609e30e818b54dca1dfae8dea38913fffedd25cd540c550372fb9a6 include/openssl/symhacks.h -f25d4ab79482051e723115aa7bdb6d6aa3ed23c0192d4a0f2ba2b7e58d05b440 include/openssl/thread.h +8acd8147402a816c835b4240e18972072bab41d3fb6ee364fc17e543d6a854f6 include/openssl/thread.h a99dcb756a27eb019c9e3f5c49bd55ca39def82684aea891bac011e9e99f9b8d include/openssl/trace.h a22bb862d4e1e7bb41b4199f81fc6737dc0a277534b17f9e22b102ea297532c1 include/openssl/types.h c0a9551efccf43f3dd748d4fd8ec897ddaabbc629c00ec1ad76ce983e1195a13 providers/common/bio_prov.c 
@@ -528,15 +535,15 @@ c2b4301a9f835c0b3776ad3afba7121d00cd7ae6387fe11c96269a37da08027c providers/comm 3f5656c405ec57a261df7af940c1512990555361f69488a28d65e16f6b865a1d providers/common/provider_err.c 2f334bf2292bc394778eacaec57e7419e62d0918c166098cc65a09e8c3f5171e providers/common/provider_seeding.c 6e833d259d04cdedc007e6cda52fd706527edcf4b4432dbd88cbf45c3f7a4442 providers/common/provider_util.c -ba345b0d71f74c9e3d752579e16d11cc70b4b00faa329cc674bc43dd2620e044 providers/common/securitycheck.c +5b94312727ca33e4f5c038f4caaae8417bf584cfde22df83d91f3c55c30c81ee providers/common/securitycheck.c bc4370324c4c8791ea6de8641d255073c6745ee984e18912d535e155d9815244 providers/common/securitycheck_fips.c abd5997bc33b681a4ab275978b92aebca0806a4a3f0c2f41dacf11b3b6f4e101 providers/fips/fips_entry.c -7578ad47066b4c8f9aaec36cd2c41db2217e0cf605b2aa9dc295f22b2bfb97e2 providers/fips/fipsprov.c -2ceef6e94dfef12be887cfaeda47dff780c44acbb45564b779c3e1823cb22eb8 providers/fips/self_test.c +5d4c2e93c2aef3f74aea56e6680bc1735081f680102f09d7d0b22d1df53767fb providers/fips/fipsprov.c +bf247e11ce05e274ab668e80e6e86ed3747b2848570e20b993e68b54559334a3 providers/fips/self_test.c f822a03138e8b83ccaa910b89d72f31691da6778bf6638181f993ec7ae1167e3 providers/fips/self_test.h 551631b909f8d173eafcccac782a44c8aed92bb8463bfccdb936b7f3aee2a48b providers/fips/self_test_data.inc ed6dc106e223a422b133f774f94079fcd404899d7fad624179dd152354dbb500 providers/fips/self_test_kats.c -1346a7f28880d7c74b9daf560e629ff8a21111b81371e9de8c9ea5b885105012 providers/implementations/asymciphers/rsa_enc.c +4428a56f5d195547348c743df0c14ac9c97cd7b60ce09b76cffe5e7c9296daec providers/implementations/asymciphers/rsa_enc.c c2f1b12c64fc369dfc3b9bc9e76a76de7280e6429adaee55d332eb1971ad1879 providers/implementations/ciphers/cipher_aes.c f9d4b30e7110c90064b990c07430bb79061f4436b06ccaa981b25c306cfbfaa2 providers/implementations/ciphers/cipher_aes.h 480c1f44157dff5fc65369f5c29a5369528061576c00a6454f3e54b37f9f8af1 
providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c @@ -550,7 +557,7 @@ f9d4b30e7110c90064b990c07430bb79061f4436b06ccaa981b25c306cfbfaa2 providers/impl a8eaca99a71521ff8ac4ffcf08315e59220f7e0b7f505ecddad04fadd021ec14 providers/implementations/ciphers/cipher_aes_cts.inc 710ee60704dd9dffa2a11e2e96596af1f7f84f915cedcedeec7292e0d978317a providers/implementations/ciphers/cipher_aes_gcm.c 79f5a732820d2512a7f4fc2a99ece7e6e2523a51e62561eb67a4b70d5538b0c4 providers/implementations/ciphers/cipher_aes_gcm.h -590557c6baad5e4e01d3730898b1fc48d62609be686f6726aee0b31db65b558f providers/implementations/ciphers/cipher_aes_gcm_hw.c +986450da9f87b3cea00880c5bb5b0908b201ba27f68942b9f8bfff393610b3bb providers/implementations/ciphers/cipher_aes_gcm_hw.c be18c20e0197f25fe7b9e0268657a2271a69d216b89cb100f082fa5fcaad1e07 providers/implementations/ciphers/cipher_aes_gcm_hw_aesni.inc 26b55801b80128e60fa4cd4fb2b7a81a8741fc78142b0b670b09483ada592f0d providers/implementations/ciphers/cipher_aes_gcm_hw_vaes_avx512.inc 4dea01dde337e6416db6217ae4a64a0681187c38325a27bc449160f8de7580bb providers/implementations/ciphers/cipher_aes_hw.c 
@@ -573,13 +580,13 @@ db10699b91e2634ac5de4f42661a15e1f718823c092301d862088bae267bc212 providers/impl ab9a2edb23aa61cf31da6addd8674a6028f93399eceeeee35a56ee770338fd6c providers/implementations/ciphers/ciphercommon_block.c 4b4106f85e36eb2c07acc5a3ca5ccd77b736b3ac46cc4af786cf57405ecd54b2 providers/implementations/ciphers/ciphercommon_ccm.c 8b6828f188c2590c7d9c6cac13fa0eb6d38a522b0f2859e7c8a766580fa9b66e providers/implementations/ciphers/ciphercommon_ccm_hw.c -3b83f58d6ff1ae77de1ae8bee8a44ea2e5e4491c802b156fa77783ddebd44598 providers/implementations/ciphers/ciphercommon_gcm.c +90a727b88ae6cdef8b93a9e5a326f3647087d137dc21b99921a8c5a463fc4d21 providers/implementations/ciphers/ciphercommon_gcm.c bb67eaa7a98494ca938726f9218213870fc97dd87b56bda950626cc794baf20b providers/implementations/ciphers/ciphercommon_gcm_hw.c 23fd89e3239e596c325a8c5d23eb1fe157a8d23aa4d90ed2c574bf06dfabd693 providers/implementations/ciphers/ciphercommon_hw.c c4b1cb143de15acc396ce2e03fdd165defd25ebc831de9cdfacf408ea883c666 providers/implementations/ciphers/ciphercommon_local.h 39b47b6ef9d71852964c26e07ef0e9b23f04c7493b1b16ba7c3dba7074b6b70d providers/implementations/digests/digestcommon.c 5f41dd1bf77bd08d287a875f9d6e5a423bf286524694ae7ee133cdd03ee763c0 providers/implementations/digests/sha2_prov.c -b733ad7e1b5cff37753436a133a6fbd53402285455bc3b2bd6834b4bce001fdd providers/implementations/digests/sha3_prov.c +9aa1ab14059f0b3db8091c7bb900e5f1487c0d0e925a71d79d7575f4a7a60444 providers/implementations/digests/sha3_prov.c 4b774bf9267ebe05bf90076bc18e19a21e03ee2716bdb8fc4e6458774e9a820c providers/implementations/exchange/dh_exch.c b2d80c38dd62b46f2dd71e81a5684f54f43200d3ddbb86178081760ecc93525c providers/implementations/exchange/ecdh_exch.c 4994df237719649b086a032bd64c1cf38ceb4e67dd8ec98da20edf5bc3eadb0b providers/implementations/exchange/ecx_exch.c 
@@ -591,12 +598,12 @@ a07b9c86346100feef15c9abb57e48a6099bc9fa782724a2283f17910ef192fb providers/impl b9a61ce951c1904d8315b1bb26c0ab0aaadb47e71d4ead5df0a891608c728c4b providers/implementations/include/prov/digestcommon.h 1baf1c06b20a0eb8ec271452544922d67c1cc168dbe9853b259191de4bd99918 providers/implementations/include/prov/ecx.h 062b49fc5cfa405fbcb184b1b48c9141db22531493bf828ba8543d24b0b72692 providers/implementations/include/prov/hmac_drbg.h -41969ce8fef1535648dbc8ce441dc904c420d5f53cc749cae9ef86be4ed680f4 providers/implementations/include/prov/implementations.h -5f09fc71874b00419d71646714f21ebbdcceda277463b6f77d3d3ea6946914e8 providers/implementations/include/prov/kdfexchange.h -c95ce5498e724b9b3d58e3c2f4723e7e3e4beb07f9bea9422e43182cbadb43af providers/implementations/include/prov/macsignature.h -24ad9d90469cdab5fc0445e9bd9d2a5d147d335354790ec8a4185d033fd1878c providers/implementations/include/prov/names.h +a6879c2e107597c49efa07fae48f0554ffbea9814c31d186bf0ce9f83e1ec9d2 providers/implementations/include/prov/implementations.h +05eedab6b16c80025f72281fa619d9480c437b800cb821b761fe4c05bc9d3af0 providers/implementations/include/prov/kdfexchange.h +4014246d44fa3f34aad5372c75d3f7eea528f1cf1798e30d5627e7620a356631 providers/implementations/include/prov/macsignature.h +27e57358e8ad201e382b50d5760f010badd9d6253deb34e6fb93a2af35450d9a providers/implementations/include/prov/names.h b9f8781167f274ccd8b643b3bb6c4e1108fb27b2aae588518261af9415228dae providers/implementations/include/prov/seeding.h -5f7326910bc9ce663c9bd8509f555c0a68c1b2577b6122ef20da3d1d6884122e providers/implementations/kdfs/hkdf.c +976a18396364387b36b83d1cb723b530dce37ffc57fa066567fe730853f84444 providers/implementations/kdfs/hkdf.c 0d0c153bbb7234a98cd95fb802bed6bfc00a6002dd61a7fe77a44433a3cd9181 providers/implementations/kdfs/kbkdf.c 03b3dffd32a2b8f94e7d39b97f3d7b36f00cd0177ee5e7329a39aeca20ed4baf providers/implementations/kdfs/pbkdf2.c c0778565abff112c0c5257329a7750ec4605e62f26cc36851fa1fbee6e03c70c 
providers/implementations/kdfs/pbkdf2.h 
@@ -606,24 +613,24 @@ da5fa36d4fbb2816221560f5cd1c1710b59b8f948c1b9d2a37ee8e30a07b04f2 providers/impl 7aab45293d8cb6d6a778f6d8fb243a679d98a73a26ac7c681ff280a8d5e06664 providers/implementations/kdfs/tls1_prf.c 1664cb4137073e9c0e202b82ca251e8620dbc83aa3d3d6b85de440183288ea61 providers/implementations/kdfs/x942kdf.c bb7ad10481d496f3227897c00b2a9d516ce8e0a6627f4addeabd9c72d9cf825f providers/implementations/kem/rsa_kem.c -de1c027137ec0d647b29f33b87a183c80033a8a39fbead0c42712b40033c6d05 providers/implementations/keymgmt/dh_kmgmt.c -e2df47ce7eacbfd3884c9a0505eaa4c76e5351197983b7bf1cc9f544d514f93f providers/implementations/keymgmt/dsa_kmgmt.c +ae4bb64d67e22df2ea43345af50b3c205781aff9f677a7436e35c00c5c3b99ff providers/implementations/keymgmt/dh_kmgmt.c +2d229f89413d3a3c945f5862145258cadf24bfdde37b637a1bf51d683308873d providers/implementations/keymgmt/dsa_kmgmt.c 3964a23ac071b0d6e54ea12c382e98abe1becfd9890194d94804715002b2b5b8 providers/implementations/keymgmt/ec_kmgmt.c 258ae17bb2dd87ed1511a8eb3fe99eed9b77f5c2f757215ff6b3d0e8791fc251 providers/implementations/keymgmt/ec_kmgmt_imexport.inc -e1562e8c964920f24ac51dacebbc108aff5bf2a55017be209048ed5b16bb0a66 providers/implementations/keymgmt/ecx_kmgmt.c -61dd255d3bd029fe923bda46371a85d58ec9d4ca078727c47ebca86e26a2b13e providers/implementations/keymgmt/kdf_legacy_kmgmt.c -c6a9144e1bfbd53b3a44dc9aaa8d4c96dcb1db417439de10d3bcfe8057f98f70 providers/implementations/keymgmt/mac_legacy_kmgmt.c +02bcd47c626b65ef7eba3be418bd6c77b1949f1feb3fe99869fad33ebb6ca475 providers/implementations/keymgmt/ecx_kmgmt.c +daf35a7ab961ef70aefca981d80407935904c5da39dca6692432d6e6bc98759d providers/implementations/keymgmt/kdf_legacy_kmgmt.c +91832fb65cc8ee591989fcf0f039ad04ba463008b5be9549a2b0ae6882b257ab providers/implementations/keymgmt/mac_legacy_kmgmt.c 9034a66a4bae1a15e127a5eca94bcec2ecaa971b205e945fcf7fba6b6bb8e47d providers/implementations/keymgmt/rsa_kmgmt.c 7a94dfdf6c0ea272b49a52191f1aaaa74b88cc9d08efa7789c1984be22a2052f 
providers/implementations/macs/cmac_prov.c f29f282463f5bc432129850619edc427fe1d6cc8aa107b5703b11858b48790da providers/implementations/macs/gmac_prov.c 47065d5f3460bedc344376754debec56d0e83b8cab94018db77f899c403115bd providers/implementations/macs/hmac_prov.c 145f3d5d5ebd5fb3bbe32705d7d71ff03e35b776f1c77d2f43781263ccc6a808 providers/implementations/macs/kmac_prov.c 3034074f99b02db045f2ccecc8782322e876dad07a3c169bdb24168b6b1f8cbd providers/implementations/rands/crngt.c -fd5dcaaf50ce7bf583bb6b5412007d1f15b42408304c94763027deba7d600556 providers/implementations/rands/drbg.c -b366405d17c53b904951342d00c8c302109b88558933de33374f4c9d53b49581 providers/implementations/rands/drbg_ctr.c -4a659ef3301020e68f89d43a6519e01905dd0dd62c2e8770e4b63507ee156f6a providers/implementations/rands/drbg_hash.c -e60130d3131684913a370f674165a5b1d511fff93ca8753eeac4fc0e68fbf4da providers/implementations/rands/drbg_hmac.c -e1c1c2554adb92d29b035015c1114512e6b8a6781ed31861d812a8a5bb9b34ec providers/implementations/rands/drbg_local.h +51688b34a8ba14234cf91c318ce9f97b8a54dbb501d6f56aa53d472f877d3660 providers/implementations/rands/drbg.c +b436b9f1c5525884e9adcc941726e0cf4bb135517f4dc403f24fec128c9cae8c providers/implementations/rands/drbg_ctr.c +118c2f62f765c0324695cb286670ae024cbeaacd989666da8e3daa8d0ec44c65 providers/implementations/rands/drbg_hash.c +3096525926ee80fec225c16e89fc9d58867de5f63b1e7a0736ed56ca09f19f2b providers/implementations/rands/drbg_hmac.c +e65a6972711303a71636ee7e31cab6dfd1734a97e25b4dce119060c1487bbe33 providers/implementations/rands/drbg_local.h 26d86b55837f515684865cb0e327aea435a9b7f27bf296287d44209f9a5df6ff providers/implementations/rands/test_rng.c a9aa31d091df5b8f6710dd36761dfe7d32b6da1881f8581bed85ad4e171b0969 providers/implementations/signature/dsa_sig.c 6c8b5f325c997014bd71331c9eb6c185838cd81c10c3ad74dd65289ae923d629 providers/implementations/signature/ecdsa_sig.c diff --git a/providers/fips.checksum b/providers/fips.checksum index aab7df72271e6..5697105a43261 100644 
--- a/providers/fips.checksum +++ b/providers/fips.checksum @@ -1 +1 @@ -d36d84f3f9dfbb0127f6b2462583ecabcc1956c60d2f8c19425c6854f5934e3b providers/fips-sources.checksums +91f820645394cd8895d6fef399ee8e0df13817aa5430eda3ce8fbfb14ccfd3fc providers/fips-sources.checksums diff --git a/providers/fips.module.sources b/providers/fips.module.sources index 9613a4aa87a53..3ab2c245d8ec9 100644 --- a/providers/fips.module.sources +++ b/providers/fips.module.sources @@ -145,6 +145,7 @@ crypto/dsa/dsa_local.h crypto/dsa/dsa_ossl.c crypto/dsa/dsa_sign.c crypto/dsa/dsa_vrf.c +crypto/ec/asm/ecp_nistp384-ppc64.pl crypto/ec/asm/ecp_nistp521-ppc64.pl crypto/ec/asm/ecp_nistz256-armv4.pl crypto/ec/asm/ecp_nistz256-armv8.pl @@ -152,6 +153,7 @@ crypto/ec/asm/ecp_nistz256-ppc64.pl crypto/ec/asm/ecp_nistz256-sparcv9.pl crypto/ec/asm/ecp_nistz256-x86.pl crypto/ec/asm/ecp_nistz256-x86_64.pl +crypto/ec/asm/ecp_sm2p256-armv8.pl crypto/ec/asm/x25519-ppc64.pl crypto/ec/asm/x25519-x86_64.pl crypto/ec/curve25519.c @@ -270,6 +272,7 @@ crypto/param_build_set.c crypto/params.c crypto/params_dup.c crypto/params_from_text.c +crypto/params_idx.c crypto/ppccap.c crypto/ppccpuid.pl crypto/property/defn_cache.c @@ -381,6 +384,7 @@ include/crypto/bn_dh.h include/crypto/context.h include/crypto/cryptlib.h include/crypto/ctype.h +include/crypto/decoder.h include/crypto/des_platform.h include/crypto/dh.h include/crypto/dsa.h @@ -415,6 +419,7 @@ include/internal/nelem.h include/internal/numbers.h include/internal/packet.h include/internal/param_build_set.h +include/internal/param_names.h.in include/internal/params.h include/internal/property.h include/internal/propertyerr.h 
@@ -448,10 +453,12 @@ include/openssl/configuration.h.in include/openssl/conftypes.h include/openssl/core.h include/openssl/core_dispatch.h -include/openssl/core_names.h +include/openssl/core_names.h.in include/openssl/crypto.h.in include/openssl/cryptoerr.h include/openssl/cryptoerr_legacy.h +include/openssl/decoder.h +include/openssl/decodererr.h include/openssl/des.h include/openssl/dh.h include/openssl/dherr.h From 6262ff748fe7e3487c86d6feeebd92f61c9ae76a Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 7 Sep 2023 10:00:22 +0100 Subject: [PATCH 136/324] Prepare for release of 3.2 alpha 1 Reviewed-by: Richard Levitte Release: yes --- CHANGES.md | 2 +- NEWS.md | 2 +- VERSION.dat | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 974e549486017..c5c804fbf3672 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -23,7 +23,7 @@ OpenSSL Releases OpenSSL 3.2 ----------- -### Changes between 3.1 and 3.2 [xx XXX xxxx] +### Changes between 3.1 and 3.2 alpha 1 [7 Sep 2023] * Changed the default salt length used by PBES2 KDF's (PBKDF2 and scrypt) from 8 bytes to 16 bytes. diff --git a/NEWS.md b/NEWS.md index 8a1ca6b97305c..2471a69868aa7 100644 --- a/NEWS.md +++ b/NEWS.md @@ -20,7 +20,7 @@ OpenSSL Releases OpenSSL 3.2 ----------- -### Major changes between OpenSSL 3.1 and OpenSSL 3.2 [under development] +### Major changes between OpenSSL 3.1 and OpenSSL 3.2 alpha 1 [in pre-release] * Added client side support for QUIC. * Added multiple tutorials on the OpenSSL library and in particular diff --git a/VERSION.dat b/VERSION.dat index 848915b9a2861..56dc55ab5d538 100644 --- a/VERSION.dat +++ b/VERSION.dat @@ -1,7 +1,7 @@ MAJOR=3 MINOR=2 PATCH=0 -PRE_RELEASE_TAG=dev +PRE_RELEASE_TAG=alpha1 BUILD_METADATA= -RELEASE_DATE="" +RELEASE_DATE="7 Sep 2023" SHLIB_VERSION=3 From 75708029ad693fb541be65f9ac1841c47a27648d Mon Sep 17 00:00:00 2001 
From: Matt Caswell Date: Thu, 7 Sep 2023 10:00:46 +0100 Subject: [PATCH 137/324] Prepare for 3.2 alpha 2 Reviewed-by: Richard Levitte Release: yes --- CHANGES.md | 2 +- NEWS.md | 2 +- VERSION.dat | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index c5c804fbf3672..974e549486017 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -23,7 +23,7 @@ OpenSSL Releases OpenSSL 3.2 ----------- -### Changes between 3.1 and 3.2 alpha 1 [7 Sep 2023] +### Changes between 3.1 and 3.2 [xx XXX xxxx] * Changed the default salt length used by PBES2 KDF's (PBKDF2 and scrypt) from 8 bytes to 16 bytes. diff --git a/NEWS.md b/NEWS.md index 2471a69868aa7..8a1ca6b97305c 100644 --- a/NEWS.md +++ b/NEWS.md @@ -20,7 +20,7 @@ OpenSSL Releases OpenSSL 3.2 ----------- -### Major changes between OpenSSL 3.1 and OpenSSL 3.2 alpha 1 [in pre-release] +### Major changes between OpenSSL 3.1 and OpenSSL 3.2 [under development] * Added client side support for QUIC. * Added multiple tutorials on the OpenSSL library and in particular diff --git a/VERSION.dat b/VERSION.dat index 56dc55ab5d538..584de32867eb5 100644 --- a/VERSION.dat +++ b/VERSION.dat @@ -1,7 +1,7 @@ MAJOR=3 MINOR=2 PATCH=0 -PRE_RELEASE_TAG=alpha1 +PRE_RELEASE_TAG=alpha2-dev BUILD_METADATA= -RELEASE_DATE="7 Sep 2023" +RELEASE_DATE="" SHLIB_VERSION=3 From e6b6b18af3e85a6b5f0d8ea1070f7070557d6357 Mon Sep 17 00:00:00 2001 From: Min Zhou Date: Wed, 6 Sep 2023 11:52:26 +0800 Subject: [PATCH 138/324] test/chacha: replace CPUID_OBJ with OPENSSL_CPUID_OBJ Fixes #21977 Signed-off-by: Min Zhou Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21978) --- test/chacha_internal_test.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/chacha_internal_test.c b/test/chacha_internal_test.c index 878bd752e054b..d52479b6584d8 100644 --- a/test/chacha_internal_test.c +++ b/test/chacha_internal_test.c 
@@ -181,7 +181,7 @@ static int test_cha_cha_internal(int n) int setup_tests(void) { -#ifdef CPUID_OBJ +#ifdef OPENSSL_CPUID_OBJ OPENSSL_cpuid_setup(); #endif From b9a189ce87fde1de4bf691031624538262f005c5 Mon Sep 17 00:00:00 2001 From: wangcheng Date: Wed, 6 Sep 2023 21:29:38 +0800 Subject: [PATCH 139/324] Modify the dkeyform type to support engine The valtype value of dkeyform defined in the s_server_options structure is F, which leads to the judgment that the engine is not supported when processing parameters in the opt_next function. This the valtype value of dkeyform should be changed to "f". CLA: trivial Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/21982) --- apps/s_server.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/s_server.c b/apps/s_server.c index 7f5ab35b766ad..1dc04d0060d4b 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -799,7 +799,7 @@ const OPTIONS s_server_options[] = { "second server certificate chain file in PEM format"}, {"dkey", OPT_DKEY, '<', "Second private key file to use (usually for DSA)"}, - {"dkeyform", OPT_DKEYFORM, 'F', + {"dkeyform", OPT_DKEYFORM, 'f', "Second key file format (ENGINE, other values ignored)"}, {"dpass", OPT_DPASS, 's', "Second private key and cert file pass phrase source"}, From b0da24bd2dc64e3a01df24e01aba37fe4c269230 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Thu, 7 Sep 2023 05:57:36 +0200 Subject: [PATCH 140/324] BIO_set_accept_name(): To accept from any interface, use * Using "*:{port}" is preferred to "[::]:{port}", because it won't break on IPv4-only machines. This fixes test failures in 79-test_http.t and 80-test_ssl_new.t on machines without IPv6. Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21989) --- apps/lib/http_server.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/apps/lib/http_server.c b/apps/lib/http_server.c index f406bb062876b..bca2e7110d457 100644 --- a/apps/lib/http_server.c +++ b/apps/lib/http_server.c @@ -200,7 +200,7 @@ BIO *http_server_init(const char *prog, const char *port, int verb) int port_num; char name[40]; - snprintf(name, sizeof(name), "[::]:%s", port); /* port may be "0" */ + snprintf(name, sizeof(name), "*:%s", port); /* port may be "0" */ if (verb >= 0 && !log_set_verbosity(prog, verb)) return NULL; bufbio = BIO_new(BIO_f_buffer()); From 769e47ecddd1ca4292ffa792f45998629447d743 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Thu, 7 Sep 2023 07:34:33 +0200 Subject: [PATCH 141/324] Fix 80-test_cmp_http.t to be more flexible regarding IP versions Because apps/lib/http_server.c had a hard coded "[::]" for the accept host, 80-test_cmp_http.t assumed that it would always get a CMP server on an IPv6 address, and tested for that. With the fix in apps/lib/http_server.c, that test was of course doomed to fail. Since CMP should be about IP version testing, 80-test_cmp_http.t is adapted to allow the Mock server to accept connections on either IP version, and the test for IPv6 is removed. Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21989) --- test/recipes/80-test_cmp_http.t | 9 ++++++--- test/recipes/80-test_cmp_http_data/test_connection.csv | 1 - 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/test/recipes/80-test_cmp_http.t b/test/recipes/80-test_cmp_http.t index 6cfdcaedfd146..bd4df0dd0dc2c 100644 --- a/test/recipes/80-test_cmp_http.t +++ b/test/recipes/80-test_cmp_http.t 
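Review bot: The result of `snprintf()` on the changed line is still ignored, so a `port` string that does not fit in `name[40]` is silently truncated before the buffer is used (presumably as the accept name, going by the commit title). Because `port` is supplied by the caller, the call should be checked: with an `int n` declared next to `port_num`, `n = snprintf(name, sizeof(name), "*:%s", port);` followed by `if (n < 0 || (size_t)n >= sizeof(name)) return NULL;`. The trailing comment could also state that `*` accepts on any interface, as the commit message says, since that is what a reader auditing the listener's exposure will look for. http_server_init continues outside the hunk.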
@@ -299,16 +299,19 @@ sub start_server { } print "$server_name server PID=$pid\n"; - if ($server_port == 0) { - # Find out the actual server port and possibly different PID + if ($server_host eq '*' || $server_port == 0) { + # Find out the actual server host and port and possibly different PID $pid = 0; while (<$server_fh>) { print "$server_name server output: $_"; next if m/using section/; s/\R$//; # Better chomp - ($server_port, $pid) = ($1, $2) if /^ACCEPT\s.*:(\d+) PID=(\d+)$/; + ($server_host, $server_port, $pid) = ($1, $2, $3) + if /^ACCEPT\s(.*?):(\d+) PID=(\d+)$/; last; # Do not loop further to prevent hangs on server misbehavior } + $server_host = "[::1]" if $server_host eq "[::]"; + $server_host = "127.0.0.1" if $server_host eq "0.0.0.0"; } unless ($server_port > 0) { stop_server($server_name, $pid); diff --git a/test/recipes/80-test_cmp_http_data/test_connection.csv b/test/recipes/80-test_cmp_http_data/test_connection.csv index 3c0a598d11cec..202eb223c496a 100644 --- a/test/recipes/80-test_cmp_http_data/test_connection.csv +++ b/test/recipes/80-test_cmp_http_data/test_connection.csv @@ -3,7 +3,6 @@ expected,description, -section,val, -server,val, -proxy,val, -no_proxy,val, -tls ,,,,,,,,,,,,,,,,,,, 1,default config, -section,,,,,,,,BLANK,,,,BLANK,,BLANK,,BLANK, 1,server domain name, -section,, -server,localhost:_SERVER_PORT,,,,,,,,,,,,,, -1,server IPv6 address, -section,, -server,[::1]:_SERVER_PORT,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,, 0,wrong server, -section,, -server,xn--rksmrgs-5wao1o.example.com:_SERVER_PORT,,,,,BLANK,,,, -msg_timeout,1,BLANK,,BLANK, 0,wrong server port, -section,, -server,_SERVER_HOST:99,,,,,BLANK,,,, -msg_timeout,1,BLANK,,BLANK, From 00a413e2483257a17239cef5dde52df14926284c Mon Sep 17 00:00:00 2001 
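Review bot: The failure check after the loop, `unless ($server_port > 0)`, no longer covers every way the new block can fail. The block is now also entered when `$server_host eq '*'` with a fixed non-zero port, and it resets `$pid = 0` before reading. If the first relevant output line does not match `/^ACCEPT\s(.*?):(\d+) PID=(\d+)$/`, the port test still passes while `$server_host` stays `'*'` and `$pid` stays 0. Extending the guard to `unless ($server_port > 0 && $pid > 0 && $server_host ne '*') {` would catch that case. The original PID is already lost by the time `stop_server($server_name, $pid)` runs; what stop_server does with a PID of 0 is not visible here, and start_server continues outside the hunk.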
From: Pauli Date: Thu, 7 Sep 2023 09:27:37 +1000 Subject: [PATCH 142/324] Check error return from cms_sd_asn1_ctrl() correctly. Fixes #21986 Reviewed-by: Tomas Mraz Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/21988) --- crypto/cms/cms_sd.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c index 40142ea2d3599..c32e95f10dda1 100644 --- a/crypto/cms/cms_sd.c +++ b/crypto/cms/cms_sd.c @@ -262,13 +262,13 @@ static int cms_sd_asn1_ctrl(CMS_SignerInfo *si, int cmd) int i; if (EVP_PKEY_is_a(pkey, "DSA") || EVP_PKEY_is_a(pkey, "EC")) - return cms_generic_sign(si, cmd); + return cms_generic_sign(si, cmd) > 0; else if (EVP_PKEY_is_a(pkey, "RSA") || EVP_PKEY_is_a(pkey, "RSA-PSS")) - return ossl_cms_rsa_sign(si, cmd); + return ossl_cms_rsa_sign(si, cmd) > 0; /* Now give engines, providers, etc a chance to handle this */ if (pkey->ameth == NULL || pkey->ameth->pkey_ctrl == NULL) - return cms_generic_sign(si, cmd); + return cms_generic_sign(si, cmd) > 0; i = pkey->ameth->pkey_ctrl(pkey, ASN1_PKEY_CTRL_CMS_SIGN, cmd, si); if (i == -2) { ERR_raise(ERR_LIB_CMS, CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE); From c870a465864259f0bdec0953ad085da31941bc27 Mon Sep 17 00:00:00 2001 From: Pauli Date: Thu, 7 Sep 2023 12:35:10 +1000 Subject: [PATCH 143/324] Add test case for #21986 Reviewed-by: Tomas Mraz Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/21988) --- test/recipes/80-test_cms.t | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t index a0e6e874c3eb1..21c683c4046a7 100644 --- a/test/recipes/80-test_cms.t +++ b/test/recipes/80-test_cms.t @@ -50,7 +50,7 @@ my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib) $no_rc2 = 1 if disabled("legacy"); -plan tests => 20; +plan tests => 21; ok(run(test(["pkcs7_test"])), "test pkcs7"); 
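Review bot: `cms_sd_asn1_ctrl()` now folds the helpers' negative results into 0 on three return paths, but nothing in the hunk documents that contract, and the bug being fixed came from mixing the two conventions. A header comment would keep the next caller from testing it the wrong way, for example `/* Returns 1 on success, 0 on failure; negative helper results are mapped to 0 */`. The `pkey_ctrl` path starts in this hunk but its final return is outside it, so confirm that it follows the same 0/1 convention before adding the comment. As a point of style, the `else` in `else if (EVP_PKEY_is_a(pkey, "RSA") ...` is redundant after a `return`.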
@@ -1140,3 +1140,13 @@ with({ exit_checker => sub { return shift == 6; } }, ])), "Check failure during BIO setup with -stream is handled correctly"); }); + +# Test case for return value mis-check reported in #21986 +with({ exit_checker => sub { return shift == 3; } }, + sub { + ok(run(app(['openssl', 'cms', '-sign', + '-in', srctop_file("test", "smcont.txt"), + '-signer', srctop_file("test/smime-certs", "smdsa1.pem"), + '-md', 'SHAKE256'])), + "issue#21986"); + }); From 17dd9a2c6262c00800301fddd9441a9c590a630e Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Wed, 6 Sep 2023 07:13:26 +0200 Subject: [PATCH 144/324] OSSL_STORE: Fix error flag clearing and setting (provider path only) When the provider's load function returned with an error, the libcrypto error flag was only set if EOF hadn't been reached. This is troublesome, as an error can very well occur during the last load before EOF is reached! Also, the error flag was never reset, even though documentation specifies that it should indicate an error in the last load (i.e. not the one before that). Fixes #21968 Reviewed-by: Dmitry Belyavskiy Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/21976) --- crypto/store/store_lib.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/store/store_lib.c b/crypto/store/store_lib.c index fcacf687e629d..0e805062ac0c0 100644 --- a/crypto/store/store_lib.c +++ b/crypto/store/store_lib.c @@ -428,14 +428,14 @@ OSSL_STORE_INFO *OSSL_STORE_load(OSSL_STORE_CTX *ctx) load_data.v = NULL; load_data.ctx = ctx; + ctx->error_flag = 0; if (!ctx->fetched_loader->p_load(ctx->loader_ctx, ossl_store_handle_load_result, &load_data, ossl_pw_passphrase_callback_dec, &ctx->pwdata)) { - if (!OSSL_STORE_eof(ctx)) - ctx->error_flag = 1; + ctx->error_flag = 1; return NULL; } v = load_data.v; From 68e95f7840d0d8ac4e5e03381cf9d305578dd1c7 Mon Sep 17 00:00:00 2001 
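Review bot: The new test signs with `smdsa1.pem` unconditionally although this file already tracks `$no_dsa` (visible in the context line of the first hunk). In a build without DSA the command may fail while loading the key and exit with a code other than 3; this is inferred, since the exit codes of `openssl cms` are not visible here. Wrapping the `with(...)` call as `SKIP: { skip "DSA is not supported in this build", 1 if $no_dsa; ... }` would keep the plan count of 21 intact. The test name `"issue#21986"` also says nothing in a failure log; `"cms -sign with DSA key and SHAKE256 fails with exit code 3"` describes what is checked.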
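Review bot: The added `ctx->error_flag = 0;` carries no comment saying why it must precede the `p_load` call, so the reset is easy to lose in a later refactor. A line such as `/* error_flag describes only the most recent load, so clear it before calling the loader */` would record the documented behaviour the commit message refers to. The commit title limits the change to the provider path; whether the legacy loader branch of `OSSL_STORE_load()` also clears the flag is outside the hunk and worth confirming.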
From: Bernd Edlinger Date: Wed, 6 Sep 2023 14:06:52 +0200 Subject: [PATCH 145/324] Fix a possible memleak in SRP_VBASE_new In the error handling case the memory in vb->users_pwd was accidentally not released. Reviewed-by: Paul Dale Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21981) --- crypto/srp/srp_vfy.c | 1 + 1 file changed, 1 insertion(+) diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c index 72ef5e814e68c..2ca515396b718 100644 --- a/crypto/srp/srp_vfy.c +++ b/crypto/srp/srp_vfy.c @@ -281,6 +281,7 @@ SRP_VBASE *SRP_VBASE_new(char *seed_key) return NULL; if ((vb->users_pwd = sk_SRP_user_pwd_new_null()) == NULL || (vb->gN_cache = sk_SRP_gN_cache_new_null()) == NULL) { + sk_SRP_user_pwd_free(vb->users_pwd); OPENSSL_free(vb); return NULL; } From ebce766bb82b472eb3b796c5ee5ee2c19beb71f5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 8 Sep 2023 08:14:37 +0000 Subject: [PATCH 146/324] Bump coverallsapp/github-action from 2.2.1 to 2.2.3 Bumps [coverallsapp/github-action](https://github.com/coverallsapp/github-action) from 2.2.1 to 2.2.3. - [Release notes](https://github.com/coverallsapp/github-action/releases) - [Commits](https://github.com/coverallsapp/github-action/compare/v2.2.1...v2.2.3) --- updated-dependencies: - dependency-name: coverallsapp/github-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] CLA: trivial Reviewed-by: Paul Dale Reviewed-by: Kurt Roeckx Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22012) --- .github/workflows/coveralls.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/coveralls.yml b/.github/workflows/coveralls.yml index e0282459bfcbb..7771f5fd38f76 100644 --- a/.github/workflows/coveralls.yml +++ b/.github/workflows/coveralls.yml 
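Review bot: The added `sk_SRP_user_pwd_free(vb->users_pwd);` runs for both failure cases of the `||`, so it is called with NULL when the first allocation is the one that failed. That relies on the stack free function accepting NULL, which deserves a short comment, e.g. `/* users_pwd is NULL if the first allocation failed; the free is then a no-op */`. `vb->gN_cache` needs no release on this path because it is either NULL or was never assigned. The rest of `SRP_VBASE_new()`, including any later error path, is outside the hunk.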
@@ -68,7 +68,7 @@ jobs: - name: generate coverage info run: lcov -d . -c -o ./lcov.info - name: Coveralls upload - uses: coverallsapp/github-action@v2.2.1 + uses: coverallsapp/github-action@v2.2.3 with: github-token: ${{ secrets.github_token }} git-branch: ${{ matrix.branches.branch }} From 0295364548bbab92b7002451c432489b55229ab8 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 24 Aug 2023 09:14:21 +0100 Subject: [PATCH 147/324] Add a TLS non-blocking demo Show how to write a TLS client using a non-blocking socket Reviewed-by: Tomas Mraz Reviewed-by: Hugo Landau (Merged from https://github.com/openssl/openssl/pull/21950) --- demos/guide/Makefile | 8 +- demos/guide/tls-client-non-block.c | 338 +++++++++++++++++++++++++++++ 2 files changed, 344 insertions(+), 2 deletions(-) create mode 100644 demos/guide/tls-client-non-block.c diff --git a/demos/guide/Makefile b/demos/guide/Makefile index d665edc27d345..9a5ce0bab6b7b 100644 --- a/demos/guide/Makefile +++ b/demos/guide/Makefile @@ -9,7 +9,7 @@ CFLAGS = -I../../include -g LDFLAGS = -L../.. LDLIBS = -lcrypto -lssl -all: tls-client-block quic-client-block quic-multi-stream +all: tls-client-block quic-client-block quic-multi-stream tls-client-non-block tls-client-block: tls-client-block.c $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< $(LDLIBS) @@ -20,5 +20,9 @@ quic-client-block: quic-client-block.c quic-multi-stream: quic-multi-stream.c $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< $(LDLIBS) +tls-client-non-block: tls-client-non-block.c + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< $(LDLIBS) + clean: - $(RM) *.o tls-client-block quic-client-block quic-multi-stream + $(RM) *.o tls-client-block quic-client-block quic-multi-stream \ + tls-client-non-block diff --git a/demos/guide/tls-client-non-block.c b/demos/guide/tls-client-non-block.c new file mode 100644 index 0000000000000..05db0f529e66b --- /dev/null +++ b/demos/guide/tls-client-non-block.c 
@@ -0,0 +1,338 @@ +/* + * Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * NB: Changes to this file should also be reflected in + * doc/man7/ossl-guide-tls-client-non-block.pod + */ + +#include + +/* Include the appropriate header file for SOCK_STREAM */ +#ifdef _WIN32 /* Windows */ +# include +#else /* Linux/Unix */ +# include +# include +#endif + +#include +#include +#include + +/* Helper function to create a BIO connected to the server */ +static BIO *create_socket_bio(const char *hostname, const char *port) +{ + int sock = -1; + BIO_ADDRINFO *res; + const BIO_ADDRINFO *ai = NULL; + BIO *bio; + + /* + * Lookup IP address info for the server. + */ + if (!BIO_lookup_ex(hostname, port, BIO_LOOKUP_CLIENT, 0, SOCK_STREAM, 0, + &res)) + return NULL; + + /* + * Loop through all the possible addresses for the server and find one + * we can connect to. + */ + for (ai = res; ai != NULL; ai = BIO_ADDRINFO_next(ai)) { + /* + * Create a TCP socket. We could equally use non-OpenSSL calls such + * as "socket" here for this and the subsequent connect and close + * functions. But for portability reasons and also so that we get + * errors on the OpenSSL stack in the event of a failure we use + * OpenSSL's versions of these functions. 
+ */ + sock = BIO_socket(BIO_ADDRINFO_family(ai), SOCK_STREAM, 0, 0); + if (sock == -1) + continue; + + /* Connect the socket to the server's address */ + if (!BIO_connect(sock, BIO_ADDRINFO_address(ai), BIO_SOCK_NODELAY)) { + BIO_closesocket(sock); + sock = -1; + continue; + } + + /* Set to nonblocking mode */ + if (!BIO_socket_nbio(sock, 1)) { + sock = -1; + continue; + } + + /* We have a connected socket so break out of the loop */ + break; + } + + /* Free the address information resources we allocated earlier */ + BIO_ADDRINFO_free(res); + + /* If sock is -1 then we've been unable to connect to the server */ + if (sock == -1) + return NULL; + + /* Create a BIO to wrap the socket*/ + bio = BIO_new(BIO_s_socket()); + if (bio == NULL) + BIO_closesocket(sock); + + /* + * Associate the newly created BIO with the underlying socket. By + * passing BIO_CLOSE here the socket will be automatically closed when + * the BIO is freed. Alternatively you can use BIO_NOCLOSE, in which + * case you must close the socket explicitly when it is no longer + * needed. + */ + BIO_set_fd(bio, sock, BIO_CLOSE); + + return bio; +} + +static void wait_for_activity(SSL *ssl, int write) +{ + fd_set fds; + int width, sock; + + /* Get hold of the underlying file descriptor for the socket */ + sock = SSL_get_fd(ssl); + + FD_ZERO(&fds); + FD_SET(sock, &fds); + width = sock + 1; + + /* + * Wait until the socket is writeable or readable. We use select here for + * the sake of simplicity and portability, but you could equally use + * poll/epoll or similar functions + */ + if (write) + select(width, NULL, &fds, NULL, NULL); + else + select(width, &fds, NULL, NULL, NULL); +} + +static int handle_io_failure(SSL *ssl, int res) +{ + switch (SSL_get_error(ssl, res)) { + case SSL_ERROR_WANT_READ: + /* Temporary failure. Wait until we can read and try again */ + wait_for_activity(ssl, 0); + return 1; + + case SSL_ERROR_WANT_WRITE: + /* Temporary failure. 
Wait until we can write and try again */ + wait_for_activity(ssl, 1); + return 1; + + case SSL_ERROR_ZERO_RETURN: + /* EOF */ + return 0; + + case SSL_ERROR_SYSCALL: + return -1; + + case SSL_ERROR_SSL: + /* + * If the failure is due to a verification error we can get more + * information about it from SSL_get_verify_result(). + */ + if (SSL_get_verify_result(ssl) != X509_V_OK) + printf("Verify error: %s\n", + X509_verify_cert_error_string(SSL_get_verify_result(ssl))); + return -1; + + default: + return -1; + } +} + +/* Server hostname and port details. Must be in quotes */ +#ifndef HOSTNAME +# define HOSTNAME "www.example.com" +#endif +#ifndef PORT +# define PORT "443" +#endif + +/* + * Simple application to send a basic HTTP/1.0 request to a server and + * print the response on the screen. + */ +int main(void) +{ + SSL_CTX *ctx = NULL; + SSL *ssl = NULL; + BIO *bio = NULL; + int res = EXIT_FAILURE; + int ret; + const char *request = + "GET / HTTP/1.0\r\nConnection: close\r\nHost: "HOSTNAME"\r\n\r\n"; + size_t written, readbytes; + char buf[160]; + int eof = 0; + + /* + * Create an SSL_CTX which we can use to create SSL objects from. We + * want an SSL_CTX for creating clients so we use TLS_client_method() + * here. + */ + ctx = SSL_CTX_new(TLS_client_method()); + if (ctx == NULL) { + printf("Failed to create the SSL_CTX\n"); + goto end; + } + + /* + * Configure the client to abort the handshake if certificate + * verification fails. Virtually all clients should do this unless you + * really know what you are doing. + */ + SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); + + /* Use the default trusted certificate store */ + if (!SSL_CTX_set_default_verify_paths(ctx)) { + printf("Failed to set the default trusted certificate store\n"); + goto end; + } + + /* + * TLSv1.1 or earlier are deprecated by IETF and are generally to be + * avoided if possible. We require a minimum TLS version of TLSv1.2. 
+ */ + if (!SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION)) { + printf("Failed to set the minimum TLS protocol version\n"); + goto end; + } + + /* Create an SSL object to represent the TLS connection */ + ssl = SSL_new(ctx); + if (ssl == NULL) { + printf("Failed to create the SSL object\n"); + goto end; + } + + /* + * Create the underlying transport socket/BIO and associate it with the + * connection. + */ + bio = create_socket_bio(HOSTNAME, PORT); + if (bio == NULL) { + printf("Failed to crete the BIO\n"); + goto end; + } + SSL_set_bio(ssl, bio, bio); + + /* + * Tell the server during the handshake which hostname we are attempting + * to connect to in case the server supports multiple hosts. + */ + if (!SSL_set_tlsext_host_name(ssl, HOSTNAME)) { + printf("Failed to set the SNI hostname\n"); + goto end; + } + + /* + * Ensure we check during certificate verification that the server has + * supplied a certificate for the hostname that we were expecting. + * Virtually all clients should do this unless you really know what you + * are doing. + */ + if (!SSL_set1_host(ssl, HOSTNAME)) { + printf("Failed to set the certificate verification hostname"); + goto end; + } + + /* Do the handshake with the server */ + while ((ret = SSL_connect(ssl)) != 1) { + if (handle_io_failure(ssl, ret) == 1) + continue; /* Retry */ + printf("Failed to connect to server\n"); + goto end; /* Cannot retry: error */ + } + + /* Write an HTTP GET request to the peer */ + while (!SSL_write_ex(ssl, request, strlen(request), &written)) { + if (handle_io_failure(ssl, 0) == 1) + continue; /* Retry */ + printf("Failed to write HTTP request\n"); + goto end; /* Cannot retry: error */ + } + + do { + /* + * Get up to sizeof(buf) bytes of the response. We keep reading until + * the server closes the connection. 
+ */ + while (!eof && !SSL_read_ex(ssl, buf, sizeof(buf), &readbytes)) { + switch (handle_io_failure(ssl, 0)) { + case 1: + continue; /* Retry */ + case 0: + eof = 1; + continue; + case -1: + default: + printf("Failed reading remaining data\n"); + goto end; /* Cannot retry: error */ + } + } + /* + * OpenSSL does not guarantee that the returned data is a string or + * that it is NUL terminated so we use fwrite() to write the exact + * number of bytes that we read. The data could be non-printable or + * have NUL characters in the middle of it. For this simple example + * we're going to print it to stdout anyway. + */ + if (!eof) + fwrite(buf, 1, readbytes, stdout); + } while (!eof); + /* In case the response didn't finish with a newline we add one now */ + printf("\n"); + + /* + * The peer already shutdown gracefully (we know this because of the + * SSL_ERROR_ZERO_RETURN (i.e. EOF) above). We should do the same back. + */ + while ((ret = SSL_shutdown(ssl)) != 1) { + if (ret < 0 && handle_io_failure(ssl, ret) == 1) + continue; /* Retry */ + /* + * ret == 0 is unexpected here because that means "we've sent a + * close_notify and we're waiting for one back". But we already know + * we got one from the peer because of the SSL_ERROR_ZERO_RETURN + * (i.e. EOF) above. + */ + printf("Error shutting down\n"); + goto end; /* Cannot retry: error */ + } + + /* Success! */ + res = EXIT_SUCCESS; + end: + /* + * If something bad happened then we will dump the contents of the + * OpenSSL error stack to stderr. There might be some useful diagnostic + * information there. + */ + if (res == EXIT_FAILURE) + ERR_print_errors_fp(stderr); + + /* + * Free the resources we allocated. We do not free the BIO object here + * because ownership of it was immediately transferred to the SSL object + * via SSL_set_bio(). The BIO will be freed when we free the SSL object. + */ + SSL_free(ssl); + SSL_CTX_free(ctx); + return res; +} From b71784f741d5a90712607f57a45912292fba9573 Mon Sep 17 00:00:00 2001 
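Review bot: `create_socket_bio()` mishandles two failure paths. When `BIO_socket_nbio(sock, 1)` fails, the loop sets `sock = -1` without closing the descriptor, so the socket leaks; it should call `BIO_closesocket(sock);` first, as the `BIO_connect` failure branch just above does. When `BIO_new(BIO_s_socket())` returns NULL, the code closes the socket but then falls through to `BIO_set_fd(bio, sock, BIO_CLOSE)` with a NULL BIO and an already closed descriptor; that branch needs braces and a `return NULL;`. Both defects are repeated in `create_socket_bio()` of `demos/guide/quic-client-non-block.c` later in this series, and they matter more than usual because guide code is copied into applications.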
From: Matt Caswell Date: Fri, 25 Aug 2023 13:44:14 +0100 Subject: [PATCH 148/324] Add a QUIC non-blocking demo Show how to write a QUIC client using a non-blocking socket Reviewed-by: Tomas Mraz Reviewed-by: Hugo Landau (Merged from https://github.com/openssl/openssl/pull/21950) --- demos/guide/Makefile | 8 +- demos/guide/quic-client-block.c | 1 - demos/guide/quic-client-non-block.c | 388 ++++++++++++++++++++++++++++ 3 files changed, 394 insertions(+), 3 deletions(-) create mode 100644 demos/guide/quic-client-non-block.c diff --git a/demos/guide/Makefile b/demos/guide/Makefile index 9a5ce0bab6b7b..d12d6c0cad944 100644 --- a/demos/guide/Makefile +++ b/demos/guide/Makefile @@ -9,7 +9,8 @@ CFLAGS = -I../../include -g LDFLAGS = -L../.. LDLIBS = -lcrypto -lssl -all: tls-client-block quic-client-block quic-multi-stream tls-client-non-block +all: tls-client-block quic-client-block quic-multi-stream tls-client-non-block \ + quic-client-non-block tls-client-block: tls-client-block.c $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< $(LDLIBS) @@ -23,6 +24,9 @@ quic-multi-stream: quic-multi-stream.c tls-client-non-block: tls-client-non-block.c $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< $(LDLIBS) +quic-client-non-block: quic-client-non-block.c + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< $(LDLIBS) + clean: $(RM) *.o tls-client-block quic-client-block quic-multi-stream \ - tls-client-non-block + tls-client-non-block quic-client-non-block diff --git a/demos/guide/quic-client-block.c b/demos/guide/quic-client-block.c index 54e52d5c28e0c..3d5a56a8dfb26 100644 --- a/demos/guide/quic-client-block.c +++ b/demos/guide/quic-client-block.c @@ -81,7 +81,6 @@ static BIO *create_socket_bio(const char *hostname, const char *port, } } - /* Free the address information resources we allocated earlier */ BIO_ADDRINFO_free(res); diff --git a/demos/guide/quic-client-non-block.c b/demos/guide/quic-client-non-block.c new file mode 100644 index 0000000000000..743c2839c945f --- /dev/null 
+++ b/demos/guide/quic-client-non-block.c 
@@ -0,0 +1,388 @@ +/* + * Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * NB: Changes to this file should also be reflected in + * doc/man7/ossl-guide-quic-client-non-block.pod + */ + +#include + +/* Include the appropriate header file for SOCK_DGRAM */ +#ifdef _WIN32 /* Windows */ +# include +#else /* Linux/Unix */ +# include +# include +#endif + +#include +#include +#include + +/* Helper function to create a BIO connected to the server */ +static BIO *create_socket_bio(const char *hostname, const char *port, + BIO_ADDR **peer_addr) +{ + int sock = -1; + BIO_ADDRINFO *res; + const BIO_ADDRINFO *ai = NULL; + BIO *bio; + + /* + * Lookup IP address info for the server. + */ + if (!BIO_lookup_ex(hostname, port, BIO_LOOKUP_CLIENT, 0, SOCK_DGRAM, 0, + &res)) + return NULL; + + /* + * Loop through all the possible addresses for the server and find one + * we can connect to. + */ + for (ai = res; ai != NULL; ai = BIO_ADDRINFO_next(ai)) { + /* + * Create a TCP socket. We could equally use non-OpenSSL calls such + * as "socket" here for this and the subsequent connect and close + * functions. But for portability reasons and also so that we get + * errors on the OpenSSL stack in the event of a failure we use + * OpenSSL's versions of these functions. 
+ */ + sock = BIO_socket(BIO_ADDRINFO_family(ai), SOCK_DGRAM, 0, 0); + if (sock == -1) + continue; + + /* Connect the socket to the server's address */ + if (!BIO_connect(sock, BIO_ADDRINFO_address(ai), 0)) { + BIO_closesocket(sock); + sock = -1; + continue; + } + + /* Set to nonblocking mode */ + if (!BIO_socket_nbio(sock, 1)) { + sock = -1; + continue; + } + + break; + } + + if (sock != -1) { + *peer_addr = BIO_ADDR_dup(BIO_ADDRINFO_address(ai)); + if (*peer_addr == NULL) { + BIO_closesocket(sock); + return NULL; + } + } + + /* Free the address information resources we allocated earlier */ + BIO_ADDRINFO_free(res); + + /* If sock is -1 then we've been unable to connect to the server */ + if (sock == -1) + return NULL; + + /* Create a BIO to wrap the socket*/ + bio = BIO_new(BIO_s_datagram()); + if (bio == NULL) + BIO_closesocket(sock); + + /* + * Associate the newly created BIO with the underlying socket. By + * passing BIO_CLOSE here the socket will be automatically closed when + * the BIO is freed. Alternatively you can use BIO_NOCLOSE, in which + * case you must close the socket explicitly when it is no longer + * needed. + */ + BIO_set_fd(bio, sock, BIO_CLOSE); + + return bio; +} + +static void wait_for_activity(SSL *ssl) +{ + fd_set wfds, rfds; + int width, sock, isinfinite; + struct timeval tv; + struct timeval *tvp = NULL; + + /* Get hold of the underlying file descriptor for the socket */ + sock = SSL_get_fd(ssl); + + FD_ZERO(&wfds); + FD_ZERO(&rfds); + + /* + * Find out if we would like to write to the socket, or read from it (or + * both) + */ + if (SSL_net_write_desired(ssl)) + FD_SET(sock, &wfds); + if (SSL_net_read_desired(ssl)) + FD_SET(sock, &rfds); + width = sock + 1; + + /* + * Find out when OpenSSL would next like to be called, regardless of + * whether the state of the underlying socket has changed or not. 
+ */ + if (SSL_get_event_timeout(ssl, &tv, &isinfinite) && !isinfinite) + tvp = &tv; + + /* + * Wait until the socket is writeable or readable. We use select here + * for the sake of simplicity and portability, but you could equally use + * poll/epoll or similar functions. If we have a timeout we use it to + * ensure that OpenSSL is called when it wants to be. + */ + + select(width, &rfds, &wfds, NULL, tvp); +} + +static int handle_io_failure(SSL *ssl, int res) +{ + switch (SSL_get_error(ssl, res)) { + case SSL_ERROR_WANT_READ: + case SSL_ERROR_WANT_WRITE: + /* Temporary failure. Wait until we can read/write and try again */ + wait_for_activity(ssl); + return 1; + + case SSL_ERROR_ZERO_RETURN: + /* EOF */ + return 0; + + case SSL_ERROR_SYSCALL: + return -1; + + case SSL_ERROR_SSL: + /* + * Some stream fatal error occurred. This could be because of a stream + * reset - or some failure occurred on the underlying connection. + */ + switch (SSL_get_stream_read_state(ssl)) { + case SSL_STREAM_STATE_RESET_REMOTE: + printf("Stream reset occurred\n"); + /* The stream has been reset but the connection is still healthy. */ + break; + + case SSL_STREAM_STATE_CONN_CLOSED: + printf("Connection closed\n"); + /* Connection is already closed. */ + break; + + default: + printf("Unknown stream failure\n"); + break; + } + /* + * If the failure is due to a verification error we can get more + * information about it from SSL_get_verify_result(). + */ + if (SSL_get_verify_result(ssl) != X509_V_OK) + printf("Verify error: %s\n", + X509_verify_cert_error_string(SSL_get_verify_result(ssl))); + return -1; + + default: + return -1; + } +} + +/* Server hostname and port details. Must be in quotes */ +#ifndef HOSTNAME +# define HOSTNAME "www.example.com" +#endif +#ifndef PORT +# define PORT "443" +#endif + +/* + * Simple application to send a basic HTTP/1.0 request to a server and + * print the response on the screen. 
Note that HTTP/1.0 over QUIC is + * non-standard and will not typically be supported by real world servers. This + * is for demonstration purposes only. + */ +int main(void) +{ + SSL_CTX *ctx = NULL; + SSL *ssl = NULL; + BIO *bio = NULL; + int res = EXIT_FAILURE; + int ret; + unsigned char alpn[] = { 8, 'h', 't', 't', 'p', '/', '1', '.', '0' }; + const char *request = + "GET / HTTP/1.0\r\nConnection: close\r\nHost: "HOSTNAME"\r\n\r\n"; + size_t written, readbytes; + char buf[160]; + BIO_ADDR *peer_addr = NULL; + int eof = 0; + + /* + * Create an SSL_CTX which we can use to create SSL objects from. We + * want an SSL_CTX for creating clients so we use + * OSSL_QUIC_client_method() here. + */ + ctx = SSL_CTX_new(OSSL_QUIC_client_method()); + if (ctx == NULL) { + printf("Failed to create the SSL_CTX\n"); + goto end; + } + + /* + * Configure the client to abort the handshake if certificate + * verification fails. Virtually all clients should do this unless you + * really know what you are doing. + */ + SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); + + /* Use the default trusted certificate store */ + if (!SSL_CTX_set_default_verify_paths(ctx)) { + printf("Failed to set the default trusted certificate store\n"); + goto end; + } + + /* Create an SSL object to represent the TLS connection */ + ssl = SSL_new(ctx); + if (ssl == NULL) { + printf("Failed to create the SSL object\n"); + goto end; + } + + /* + * Create the underlying transport socket/BIO and associate it with the + * connection. + */ + bio = create_socket_bio(HOSTNAME, PORT, &peer_addr); + if (bio == NULL) { + printf("Failed to crete the BIO\n"); + goto end; + } + SSL_set_bio(ssl, bio, bio); + + /* + * Tell the server during the handshake which hostname we are attempting + * to connect to in case the server supports multiple hosts. 
+ */ + if (!SSL_set_tlsext_host_name(ssl, HOSTNAME)) { + printf("Failed to set the SNI hostname\n"); + goto end; + } + + /* + * Ensure we check during certificate verification that the server has + * supplied a certificate for the hostname that we were expecting. + * Virtually all clients should do this unless you really know what you + * are doing. + */ + if (!SSL_set1_host(ssl, HOSTNAME)) { + printf("Failed to set the certificate verification hostname"); + goto end; + } + + /* SSL_set_alpn_protos returns 0 for success! */ + if (SSL_set_alpn_protos(ssl, alpn, sizeof(alpn)) != 0) { + printf("Failed to set the ALPN for the connection\n"); + goto end; + } + + /* Set the IP address of the remote peer */ + if (!SSL_set1_initial_peer_addr(ssl, peer_addr)) { + printf("Failed to set the initial peer address\n"); + goto end; + } + + /* + * The underlying socket is always non-blocking with QUIC, but the default + * behaviour of the SSL object is still to block. We set it for non-blocking + * mode in this demo. + */ + if (!SSL_set_blocking_mode(ssl, 0)) { + printf("Failed to turn off blocking mode\n"); + goto end; + } + + /* Do the handshake with the server */ + while ((ret = SSL_connect(ssl)) != 1) { + if (handle_io_failure(ssl, ret) == 1) + continue; /* Retry */ + printf("Failed to connect to server\n"); + goto end; /* Cannot retry: error */ + } + + /* Write an HTTP GET request to the peer */ + while (!SSL_write_ex(ssl, request, strlen(request), &written)) { + if (handle_io_failure(ssl, 0) == 1) + continue; /* Retry */ + printf("Failed to write HTTP request\n"); + goto end; /* Cannot retry: error */ + } + + do { + /* + * Get up to sizeof(buf) bytes of the response. We keep reading until + * the server closes the connection. 
+ */ + while (!eof && !SSL_read_ex(ssl, buf, sizeof(buf), &readbytes)) { + switch (handle_io_failure(ssl, 0)) { + case 1: + continue; /* Retry */ + case 0: + eof = 1; + continue; + case -1: + default: + printf("Failed reading remaining data\n"); + goto end; /* Cannot retry: error */ + } + } + /* + * OpenSSL does not guarantee that the returned data is a string or + * that it is NUL terminated so we use fwrite() to write the exact + * number of bytes that we read. The data could be non-printable or + * have NUL characters in the middle of it. For this simple example + * we're going to print it to stdout anyway. + */ + if (!eof) + fwrite(buf, 1, readbytes, stdout); + } while (!eof); + /* In case the response didn't finish with a newline we add one now */ + printf("\n"); + + /* + * Repeatedly call SSL_shutdown() until the connection is fully + * closed. + */ + while ((ret = SSL_shutdown(ssl)) != 1) { + if (ret < 0 && handle_io_failure(ssl, ret) == 1) + continue; /* Retry */ + } + + /* Success! */ + res = EXIT_SUCCESS; + end: + /* + * If something bad happened then we will dump the contents of the + * OpenSSL error stack to stderr. There might be some useful diagnostic + * information there. + */ + if (res == EXIT_FAILURE) + ERR_print_errors_fp(stderr); + + /* + * Free the resources we allocated. We do not free the BIO object here + * because ownership of it was immediately transferred to the SSL object + * via SSL_set_bio(). The BIO will be freed when we free the SSL object. + */ + SSL_free(ssl); + SSL_CTX_free(ctx); + BIO_ADDR_free(peer_addr); + return res; +} From 5bd2f66a848049d34fe5852e68b67e6c4e06b524 Mon Sep 17 00:00:00 2001 
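Review bot: The final `SSL_shutdown()` loop in `main()` has no exit on a fatal error: when `ret < 0` and `handle_io_failure()` returns anything other than 1, the body falls through and the loop calls `SSL_shutdown()` again, which can spin forever if the failure is permanent. The TLS demo in this series prints an error and leaves in that case; here `if (ret < 0 && handle_io_failure(ssl, ret) != 1) { printf("Error shutting down\n"); goto end; }` would do the same. For `ret == 0` the loop also retries without calling `wait_for_activity(ssl)`, so it appears to busy-poll until the close completes. Separately, the `BIO_ADDR_dup()` failure branch in `create_socket_bio()` returns before `BIO_ADDRINFO_free(res)` and leaks the lookup result.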
From: Matt Caswell Date: Fri, 25 Aug 2023 18:05:32 +0100 Subject: [PATCH 149/324] Add a new guide page on writing a non-blocking TLS client Reviewed-by: Tomas Mraz Reviewed-by: Hugo Landau (Merged from https://github.com/openssl/openssl/pull/21950) --- doc/build.info | 6 + doc/man7/ossl-guide-introduction.pod | 2 + doc/man7/ossl-guide-tls-client-block.pod | 6 +- doc/man7/ossl-guide-tls-client-non-block.pod | 357 +++++++++++++++++++ 4 files changed, 370 insertions(+), 1 deletion(-) create mode 100644 doc/man7/ossl-guide-tls-client-non-block.pod diff --git a/doc/build.info b/doc/build.info index 5af90ed5b291d..7e819cfe310b8 100644 --- a/doc/build.info +++ b/doc/build.info @@ -4791,6 +4791,10 @@ DEPEND[html/man7/ossl-guide-tls-client-block.html]=man7/ossl-guide-tls-client-bl GENERATE[html/man7/ossl-guide-tls-client-block.html]=man7/ossl-guide-tls-client-block.pod DEPEND[man/man7/ossl-guide-tls-client-block.7]=man7/ossl-guide-tls-client-block.pod GENERATE[man/man7/ossl-guide-tls-client-block.7]=man7/ossl-guide-tls-client-block.pod +DEPEND[html/man7/ossl-guide-tls-client-non-block.html]=man7/ossl-guide-tls-client-non-block.pod +GENERATE[html/man7/ossl-guide-tls-client-non-block.html]=man7/ossl-guide-tls-client-non-block.pod +DEPEND[man/man7/ossl-guide-tls-client-non-block.7]=man7/ossl-guide-tls-client-non-block.pod +GENERATE[man/man7/ossl-guide-tls-client-non-block.7]=man7/ossl-guide-tls-client-non-block.pod DEPEND[html/man7/ossl-guide-tls-introduction.html]=man7/ossl-guide-tls-introduction.pod GENERATE[html/man7/ossl-guide-tls-introduction.html]=man7/ossl-guide-tls-introduction.pod DEPEND[man/man7/ossl-guide-tls-introduction.7]=man7/ossl-guide-tls-introduction.pod 
@@ -5006,6 +5010,7 @@ html/man7/ossl-guide-quic-client-block.html \ html/man7/ossl-guide-quic-introduction.html \ html/man7/ossl-guide-quic-multi-stream.html \ html/man7/ossl-guide-tls-client-block.html \ +html/man7/ossl-guide-tls-client-non-block.html \ html/man7/ossl-guide-tls-introduction.html \ html/man7/ossl_store-file.html \ html/man7/ossl_store.html \ @@ -5146,6 +5151,7 @@ man/man7/ossl-guide-quic-client-block.7 \ man/man7/ossl-guide-quic-introduction.7 \ man/man7/ossl-guide-quic-multi-stream.7 \ man/man7/ossl-guide-tls-client-block.7 \ +man/man7/ossl-guide-tls-client-non-block.7 \ man/man7/ossl-guide-tls-introduction.7 \ man/man7/ossl_store-file.7 \ man/man7/ossl_store.7 \ diff --git a/doc/man7/ossl-guide-introduction.pod b/doc/man7/ossl-guide-introduction.pod index 9f39288f3b1d2..02d38de551576 100644 --- a/doc/man7/ossl-guide-introduction.pod +++ b/doc/man7/ossl-guide-introduction.pod @@ -77,6 +77,8 @@ The pages in the guide are as follows: =item L: Writing a simple blocking TLS client +=item L: Writing a simple nonblocking TLS client + =item L: An introduction to QUIC in OpenSSL =item L: Writing a simple blocking QUIC client diff --git a/doc/man7/ossl-guide-tls-client-block.pod b/doc/man7/ossl-guide-tls-client-block.pod index 8f04ec6428af7..236553fafd534 100644 --- a/doc/man7/ossl-guide-tls-client-block.pod +++ b/doc/man7/ossl-guide-tls-client-block.pod @@ -546,13 +546,17 @@ intermediate CAs, or the issuer is simply unrecognised). =head1 FURTHER READING +See L to read a tutorial on how to modify +the client devloped on this page to support a nonblocking socket. + See L to read a tutorial on how to modify the client developed on this page to support QUIC instead of TLS. =head1 SEE ALSO L, L, -L, L +L, L, +L, L =head1 COPYRIGHT diff --git a/doc/man7/ossl-guide-tls-client-non-block.pod b/doc/man7/ossl-guide-tls-client-non-block.pod new file mode 100644 index 0000000000000..8f31ac69fbf87 --- /dev/null +++ b/doc/man7/ossl-guide-tls-client-non-block.pod 
@@ -0,0 +1,357 @@ +=pod + +=begin comment + +NB: Changes to the source code samples in this file should also be reflected in +demos/guide/tls-client-non-block.c + +=end comment + +=head1 NAME + +ossl-guide-tls-client-non-block +- OpenSSL Guide: Writing a simple nonblocking TLS client + +=head1 SIMPLE NONBLOCKING TLS CLIENT EXAMPLE + +This page will build on the example developed on the +L page which demonstrates how to write a simple +blocking TLS client. On this page we will amend that demo code so that it +supports a nonblocking socket. + +The complete source code for this example nonblocking TLS client is available +in the B directory of the OpenSSL source distribution in the file +B. It is also available online at +L. + +As we saw in the previous example a blocking socket is one which waits (blocks) +until data is available to read if you attempt to read from it when there is no +data yet. Similarly it waits when writing if the socket is currently unable to +write at the moment. This can simplify the development of code because you do +not have to worry about what to do in these cases. The execution of the code +will simply stop until it is able to continue. However in many cases you do not +want this behaviour. Rather than stopping and waiting your application may need +to go and do other tasks whilst the socket is unable to read/write, for example +updating a GUI or performing operations on some other socket. + +With a nonblocking socket attempting to read or write to a socket that is +currently unable to read or write will return immediately with a non-fatal +error. Although OpenSSL does the reading/writing to the socket this nonblocking +behaviour is propagated up to the application so that OpenSSL I/O functions such +as L or L will not block. + +Since this page is building on the example developed on the +L page we assume that you are familar with it +and we only explain how this example differs. 
+ +=head2 Setting the socket to be nonblocking + +The first step in writing an application that supports nonblocking is to set +the socket into nonblocking mode. A socket will be default be blocking. The +exact details on how to do this can differ from one platform to another. +Fortunately OpenSSL offers a portable function that will do this for you: + + /* Set to nonblocking mode */ + if (!BIO_socket_nbio(sock, 1)) { + sock = -1; + continue; + } + +You do not have to use OpenSSL's function for this. You can of course directly +call whatever functions that your Operating System provides for this purpose on +your platform. + +=head2 Performing work while waiting for the socket + +In a nonblocking application you will need work to perform in the event that +we want to read or write to the socket, but we are currently unable to. In fact +this is the whole point of using a nonblocking socket, i.e. to give the +application the opportunity to do something else. Whatever it is that the +application has to do, it must also be prepared to come back and retry the +operation that it previously attempted periodically to see if it can now +complete. Ideally it would only do this in the event that the state of the +underlying socket has actually changed (e.g. become readable where it wasn't +before), but this does not have to be the case. It can retry at any time. + +Note that it is important that you retry exactly the same operation that you +tried last time. You cannot start something new. For example if you were +attempting to write the text "Hello World" and the operation failed because the +socket is currently unable to write, then you cannot then attempt to write +some other text when you retry the operation. + +In this demo application we will create a helper function which simulates doing +other work. In fact, for the sake of simplicity, it will do nothing except wait +for the state of the socket to change. 
+ +We call our function C because all it does is wait until +the underlying socket has become readable or writeable when it wasn't before. + + static void wait_for_activity(SSL *ssl, int write) + { + fd_set fds; + int width, sock; + + /* Get hold of the underlying file descriptor for the socket */ + sock = SSL_get_fd(ssl); + + FD_ZERO(&fds); + FD_SET(sock, &fds); + width = sock + 1; + + /* + * Wait until the socket is writeable or readable. We use select here for + * the sake of simplicity and portability, but you could equally use + * poll/epoll or similar functions + */ + if (write) + select(width, NULL, &fds, NULL, NULL); + else + select(width, &fds, NULL, NULL, NULL); + } + +In this example we are using the C waits for the state of +the underlying socket(s) to become readable/writeable before returning. It also +supports a "timeout" (as do most other similar functions) so in your own +applications you can make use of this to periodically wake up and perform work +while waiting for the socket state to change. But we don't use that timeout +capability in this example. + +=head2 Handling errors from OpenSSL I/O functions + +An application that uses a nonblocking socket will need to be prepared to +handle errors returned from OpenSSL I/O functions such as L or +L. Errors may be fatal (for example because the underlying +connection has failed), or non-fatal (for example because we are trying to read +from the underlying socket but the data has not yet arrived from the peer). + +L and L will return 0 to indicate an error and +L and L will return 0 or a negative value to indicate +an error. L will return a negative value to incidate an error. + +In the event of an error an application should call L to find +out what type of error has occurred. If the error is non-fatal and can be +retried then L will return B or +B depending on whether OpenSSL wanted to read to or write +from the socket but was unable to. 
Note that a call to L or +L can still generate B because OpenSSL +may need to write protocol messages (such as to update cryptographic keys) even +if the application is only trying to read data. Similarly calls to +L or L might generate B. + +Another type of non-fatal error that may occur is B. This +indicates an EOF (End-Of-File) which can occur if you attempt to read data from +an B object but the peer has indicated that it will not send any more data +on it. In this case you may still want to write data to the connection but you +will not receive any more data. + +Fatal errors that may occur are B and B. These +indicate that the underlying connection has failed. You should not attempt to +shut it down with L. B indicates that +OpenSSL attempted to make a syscall that failed. You can consult B for +further details. B indicates that some OpenSSL error occured. You +can consult the OpenSSL error stack for further details (for example by calling +L to print out details of errors that have occurred). + +In our demo application we will write a function to handle these errors from +OpenSSL I/O functions: + + static int handle_io_failure(SSL *ssl, int res) + { + switch (SSL_get_error(ssl, res)) { + case SSL_ERROR_WANT_READ: + /* Temporary failure. Wait until we can read and try again */ + wait_for_activity(ssl, 0); + return 1; + + case SSL_ERROR_WANT_WRITE: + /* Temporary failure. Wait until we can write and try again */ + wait_for_activity(ssl, 1); + return 1; + + case SSL_ERROR_ZERO_RETURN: + /* EOF */ + return 0; + + case SSL_ERROR_SYSCALL: + return -1; + + case SSL_ERROR_SSL: + /* + * If the failure is due to a verification error we can get more + * information about it from SSL_get_verify_result(). 
+ */ + if (SSL_get_verify_result(ssl) != X509_V_OK) + printf("Verify error: %s\n", + X509_verify_cert_error_string(SSL_get_verify_result(ssl))); + return -1; + + default: + return -1; + } + } + +This function takes as arguments the B object that represents the +connection, as well as the return code from the I/O function that failed. In +the event of a non-fatal failure, it waits until a retry of the I/O operation +might succeed (by using the C function that we developed +in the previous section). It returns 1 in the event of a non-fatal error +(except EOF), 0 in the event of EOF, or -1 if a fatal error occurred. + +=head2 Creating the SSL_CTX and SSL objects + +In order to connect to a server we must create B and B objects for +this. The steps do this are the same as for a blocking client and are explained +on the L page. We won't repeat that information +here. + +=head2 Performing the handshake + +As in the demo for a blocking TLS client we use the L function +to perform the TLS handshake with the server. Since we are using a nonblocking +socket it is very likely that calls to this function will fail with a non-fatal +error while we are waiting for the server to respond to our handshake messages. +In such a case we must retry the same L call at a later time. +In this demo we this in a loop: + + /* Do the handshake with the server */ + while ((ret = SSL_connect(ssl)) != 1) { + if (handle_io_failure(ssl, ret) == 1) + continue; /* Retry */ + printf("Failed to connect to server\n"); + goto end; /* Cannot retry: error */ + } + +We continually call L until it gives us a success response. +Otherwise we use the C function that we created earlier to +work out what we should do next. Note that we do not expect an EOF to occur at +this stage, so such a response is treated in the same way as a fatal error. + +=head2 Sending and receiving data + +As with the blocking TLS client demo we use the L function to +send data to the server. 
As with L above, because we are using +a nonblocking socket, this call could fail with a non-fatal error. In that case +we should retry exactly the same L call again. Note that the +parameters must be I the same, i.e. the same pointer to the buffer to +write with the same length. You must not attempt to send different data on a +retry. An optional mode does exist (B) +which will configure OpenSSL to allow the buffer being written to change from +one retry to the next. However, in this case, you must still retry exactly the +same data - even though the buffer that contains that data may change location. +See L for further details. + + /* Write an HTTP GET request to the peer */ + while (!SSL_write_ex(ssl, request, strlen(request), &written)) { + if (handle_io_failure(ssl, 0) == 1) + continue; /* Retry */ + printf("Failed to write HTTP request\n"); + goto end; /* Cannot retry: error */ + } + +On a write we do not expect to see an EOF response so we treat that case in the +same way as a fatal error. + +Reading a response back from the server is similar: + + do { + /* + * Get up to sizeof(buf) bytes of the response. We keep reading until + * the server closes the connection. + */ + while (!eof && !SSL_read_ex(ssl, buf, sizeof(buf), &readbytes)) { + switch (handle_io_failure(ssl, 0)) { + case 1: + continue; /* Retry */ + case 0: + eof = 1; + continue; + case -1: + default: + printf("Failed reading remaining data\n"); + goto end; /* Cannot retry: error */ + } + } + /* + * OpenSSL does not guarantee that the returned data is a string or + * that it is NUL terminated so we use fwrite() to write the exact + * number of bytes that we read. The data could be non-printable or + * have NUL characters in the middle of it. For this simple example + * we're going to print it to stdout anyway. 
+ */ + if (!eof) + fwrite(buf, 1, readbytes, stdout); + } while (!eof); + /* In case the response didn't finish with a newline we add one now */ + printf("\n"); + +The main difference this time is that it is valid for us to receive an EOF +response when trying to read data from the server. This will occur when the +server closes down the connection after sending all the data in its response. + +In this demo we just print out all the data we've received back in the response +from the server. We continue going around the loop until we either encounter a +fatal error, or we receive an EOF (indicating a graceful finish). + +=head2 Shutting down the connection + +As in the TLS blocking example we must shutdown the connection when we are +finished with it. + +If our application was initiating the shutdown then we would expect to see +L give a return value of 0, and then we would continue to call +it until we recieved a return value of 1 (meaning we have successfully completed +the shutdown). In this particular example we don't expect SSL_shutdown() to +return 0 because we have already received EOF from the server indicating that it +has shutdown already. So we just keep calling it until SSL_shutdown() returns 1. +Since we are using a nonblocking socket we might expect to have to retry this +operation several times. If L returns a negative result then we +must call L to work out what to do next. We use our +handle_io_failure() function that we developed earlier for this: + + /* + * The peer already shutdown gracefully (we know this because of the + * SSL_ERROR_ZERO_RETURN (i.e. EOF) above). We should do the same back. + */ + while ((ret = SSL_shutdown(ssl)) != 1) { + if (ret < 0 && handle_io_failure(ssl, ret) == 1) + continue; /* Retry */ + /* + * ret == 0 is unexpected here because that means "we've sent a + * close_notify and we're waiting for one back". But we already know + * we got one from the peer because of the SSL_ERROR_ZERO_RETURN + * (i.e. EOF) above. 
+ */ + printf("Error shutting down\n"); + goto end; /* Cannot retry: error */ + } + +=head2 Final clean up + +As with the blocking TLS client example, once our connection is finished with we +must free it. The steps to do this for this example are the same as for the +blocking example, so we won't repeat it here. + +=head1 FURTHER READING + +See L to read a tutorial on how to write a +blocking TLS client. See L to see how to do the +same thing for a QUIC client. + +=head1 SEE ALSO + +L, L, +L, L, +L, L + +=head1 COPYRIGHT + +Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut From e8a5b06bdc280355f5c6703849868708ba83454c Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Fri, 1 Sep 2023 17:41:48 +0100 Subject: [PATCH 150/324] Add a new guide page on writing a non-blocking QUIC client Reviewed-by: Tomas Mraz Reviewed-by: Hugo Landau (Merged from https://github.com/openssl/openssl/pull/21950) --- demos/guide/quic-client-non-block.c | 20 +- doc/build.info | 6 + doc/man7/ossl-guide-introduction.pod | 2 + doc/man7/ossl-guide-quic-client-non-block.pod | 440 ++++++++++++++++++ doc/man7/ossl-guide-quic-multi-stream.pod | 5 +- 5 files changed, 464 insertions(+), 9 deletions(-) create mode 100644 doc/man7/ossl-guide-quic-client-non-block.pod diff --git a/demos/guide/quic-client-non-block.c b/demos/guide/quic-client-non-block.c index 743c2839c945f..870dd1c4fe6ec 100644 --- a/demos/guide/quic-client-non-block.c +++ b/demos/guide/quic-client-non-block.c 
@@ -164,13 +164,17 @@ static int handle_io_failure(SSL *ssl, int res) case SSL_ERROR_SSL: /* - * Some stream fatal error occurred. This could be because of a stream - * reset - or some failure occurred on the underlying connection. + * Some stream fatal error occurred. This could be because of a + * stream reset - or some failure occurred on the underlying + * connection. */ switch (SSL_get_stream_read_state(ssl)) { case SSL_STREAM_STATE_RESET_REMOTE: printf("Stream reset occurred\n"); - /* The stream has been reset but the connection is still healthy. */ + /* + * The stream has been reset but the connection is still + * healthy. + */ break; case SSL_STREAM_STATE_CONN_CLOSED: @@ -183,9 +187,9 @@ static int handle_io_failure(SSL *ssl, int res) break; } /* - * If the failure is due to a verification error we can get more - * information about it from SSL_get_verify_result(). - */ + * If the failure is due to a verification error we can get more + * information about it from SSL_get_verify_result(). + */ if (SSL_get_verify_result(ssl) != X509_V_OK) printf("Verify error: %s\n", X509_verify_cert_error_string(SSL_get_verify_result(ssl))); @@ -300,8 +304,8 @@ int main(void) } /* - * The underlying socket is always non-blocking with QUIC, but the default - * behaviour of the SSL object is still to block. We set it for non-blocking + * The underlying socket is always nonblocking with QUIC, but the default + * behaviour of the SSL object is still to block. We set it for nonblocking * mode in this demo. */ if (!SSL_set_blocking_mode(ssl, 0)) { diff --git a/doc/build.info b/doc/build.info index 7e819cfe310b8..aec4ae616fb40 100644 --- a/doc/build.info +++ b/doc/build.info 
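Review bot: In the `case SSL_ERROR_SSL:` branch of `handle_io_failure()` (first hunk of demos/guide/quic-client-non-block.c), only `SSL_get_stream_read_state(ssl)` is consulted, so a failure on the sending half of the stream would presumably end up in the `default:` arm and be reported as "Unknown stream failure". The guide text in this same patch shows the helper being called after a failed `SSL_write_ex()`, so that case looks reachable. I would either add a matching check such as `if (SSL_get_stream_write_state(ssl) == SSL_STREAM_STATE_RESET_REMOTE) printf("Stream reset occurred\n");` or state the limit in the comment being rewrapped, e.g. `* Only the receive half of the stream is inspected below.` The function starts and ends outside the hunk, so how callers use it is inferred from the guide page rather than from this file.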
@@ -4779,6 +4779,10 @@ DEPEND[html/man7/ossl-guide-quic-client-block.html]=man7/ossl-guide-quic-client- GENERATE[html/man7/ossl-guide-quic-client-block.html]=man7/ossl-guide-quic-client-block.pod DEPEND[man/man7/ossl-guide-quic-client-block.7]=man7/ossl-guide-quic-client-block.pod GENERATE[man/man7/ossl-guide-quic-client-block.7]=man7/ossl-guide-quic-client-block.pod +DEPEND[html/man7/ossl-guide-quic-client-non-block.html]=man7/ossl-guide-quic-client-non-block.pod +GENERATE[html/man7/ossl-guide-quic-client-non-block.html]=man7/ossl-guide-quic-client-non-block.pod +DEPEND[man/man7/ossl-guide-quic-client-non-block.7]=man7/ossl-guide-quic-client-non-block.pod +GENERATE[man/man7/ossl-guide-quic-client-non-block.7]=man7/ossl-guide-quic-client-non-block.pod DEPEND[html/man7/ossl-guide-quic-introduction.html]=man7/ossl-guide-quic-introduction.pod GENERATE[html/man7/ossl-guide-quic-introduction.html]=man7/ossl-guide-quic-introduction.pod DEPEND[man/man7/ossl-guide-quic-introduction.7]=man7/ossl-guide-quic-introduction.pod @@ -5007,6 +5011,7 @@ html/man7/ossl-guide-libraries-introduction.html \ html/man7/ossl-guide-libssl-introduction.html \ html/man7/ossl-guide-migration.html \ html/man7/ossl-guide-quic-client-block.html \ +html/man7/ossl-guide-quic-client-non-block.html \ html/man7/ossl-guide-quic-introduction.html \ html/man7/ossl-guide-quic-multi-stream.html \ html/man7/ossl-guide-tls-client-block.html \ @@ -5148,6 +5153,7 @@ man/man7/ossl-guide-libraries-introduction.7 \ man/man7/ossl-guide-libssl-introduction.7 \ man/man7/ossl-guide-migration.7 \ man/man7/ossl-guide-quic-client-block.7 \ +man/man7/ossl-guide-quic-client-non-block.7 \ man/man7/ossl-guide-quic-introduction.7 \ man/man7/ossl-guide-quic-multi-stream.7 \ man/man7/ossl-guide-tls-client-block.7 \ diff --git a/doc/man7/ossl-guide-introduction.pod b/doc/man7/ossl-guide-introduction.pod index 02d38de551576..b6c1f955bb4f2 100644 --- a/doc/man7/ossl-guide-introduction.pod 
+++ b/doc/man7/ossl-guide-introduction.pod @@ -85,6 +85,8 @@ The pages in the guide are as follows: =item L: Writing a simple multi-stream QUIC client +=item L: Writing a simple nonblocking QUIC client + =item L: Migrating from older OpenSSL versions =back diff --git a/doc/man7/ossl-guide-quic-client-non-block.pod b/doc/man7/ossl-guide-quic-client-non-block.pod new file mode 100644 index 0000000000000..b015a6fbf1d1a --- /dev/null +++ b/doc/man7/ossl-guide-quic-client-non-block.pod 
@@ -0,0 +1,440 @@ +=pod + +=begin comment + +NB: Changes to the source code samples in this file should also be reflected in +demos/guide/quic-client-non-block.c + +=end comment + +=head1 NAME + +ossl-guide-quic-client-non-block +- OpenSSL Guide: Writing a simple nonblocking QUIC client + +=head1 SIMPLE NONBLOCKING QUIC CLIENT EXAMPLE + +This page will build on the example developed on the +L page which demonstrates how to write a simple +blocking QUIC client. On this page we will amend that demo code so that it +supports nonblocking functionality. + +The complete source code for this example nonblocking QUIC client is available +in the B directory of the OpenSSL source distribution in the file +B. It is also available online at +L. + +As we saw in the previous example an OpenSSL QUIC application always uses a +nonblocking socket. However, despite this, the B object still has blocking +behaviour. When the B object has blocking behaviour then this means that +it waits (blocks) until data is available to read if you attempt to read from +it when there is no data yet. Similarly it waits when writing if the B +object is currently unable to write at the moment. This can simplify the +development of code because you do not have to worry about what to do in these +cases. The execution of the code will simply stop until it is able to continue. +However in many cases you do not want this behaviour. Rather than stopping and +waiting your application may need to go and do other tasks whilst the B +object is unable to read/write, for example updating a GUI or performing +operations on some other connection or stream. + +We will see later in this tutorial how to change the B object so that it +has nonblocking behaviour. With a nonblocking B object, functions such as +L or L will return immediately with a non-fatal +error if they are currently unable to read or write respectively. 
+ +Since this page is building on the example developed on the +L page we assume that you are familar with it +and we only explain how this example differs. + +=head2 Performing work while waiting for the socket + +In a nonblocking application you will need work to perform in the event that +we want to read or write to the B object but we are currently unable to. +In fact this is the whole point of using a nonblocking B object, i.e. to +give the application the opportunity to do something else. Whatever it is that +the application has to do, it must also be prepared to come back and retry the +operation that it previously attempted periodically to see if it can now +complete. Ideally it would only do this in the event that something has changed +such that it might succeed on the retry attempt, but this does not have to be +the case. It can retry at any time. + +Note that it is important that you retry exactly the same operation that you +tried last time. You cannot start something new. For example if you were +attempting to write the text "Hello World" and the operation failed because the +B object is currently unable to write, then you cannot then attempt to +write some other text when you retry the operation. + +In this demo application we will create a helper function which simulates doing +other work. In fact, for the sake of simplicity, it will do nothing except wait +for the state of the underlying socket to change or until a timeout expires +after which the state of the B object might have changed. We will call our +function C. 
+ + static void wait_for_activity(SSL *ssl) + { + fd_set wfds, rfds; + int width, sock, isinfinite; + struct timeval tv; + struct timeval *tvp = NULL; + + /* Get hold of the underlying file descriptor for the socket */ + sock = SSL_get_fd(ssl); + + FD_ZERO(&wfds); + FD_ZERO(&rfds); + + /* + * Find out if we would like to write to the socket, or read from it (or + * both) + */ + if (SSL_net_write_desired(ssl)) + FD_SET(sock, &wfds); + if (SSL_net_read_desired(ssl)) + FD_SET(sock, &rfds); + width = sock + 1; + + /* + * Find out when OpenSSL would next like to be called, regardless of + * whether the state of the underlying socket has changed or not. + */ + if (SSL_get_event_timeout(ssl, &tv, &isinfinite) && !isinfinite) + tvp = &tv; + + /* + * Wait until the socket is writeable or readable. We use select here + * for the sake of simplicity and portability, but you could equally use + * poll/epoll or similar functions. If we have a timeout we use it to + * ensure that OpenSSL is called when it wants to be. + */ + + select(width, &rfds, &wfds, NULL, tvp); +} + +If you are familiar with how to write nonblocking applications in OpenSSL for +TLS (see L) then you should note that there +is an important difference here between the way a QUIC application and a TLS +application works. With a TLS application if we try to read or write something +to the B object and we get a "retry" response (B or +B) then we can assume that is because OpenSSL attempted to +read or write to the underlying socket and the socket signalled the "retry". +With QUIC that is not the case. OpenSSL may signal retry as a result of an +L or L (or similar) call which indicates the +state of the stream. This is entirely independent of whether the underlying +socket needs to retry or not. + +To determine whether OpenSSL currently wants to read or write to the underlying +socket for a QUIC application we must call the L and +L functions. 
+ +It is also important with QUIC that we periodically call an I/O function (or +otherwise call the L function) to ensure that the QUIC +connection remains healthy. This is particularly important with a nonblocking +application because you are likely to leave the B object idle for a while +while the application goes off to do other work. The L +function can be used to determine what the deadline is for the next time we need +to call an I/O function (or call L). + +An alternative to using L to find the next deadline +that OpenSSL must be called again by is to use "thread assisted" mode. In +"thread assisted" mode OpenSSL spawns an additional thread which will +periodically call L automatically, meaning that the +application can leave the connection idle safe in the knowledge that the +connection will still be maintained in a healthy state. See +L below for further details about this. + +In this example we are using the C waits for the state of the underlying +socket(s) to become readable/writeable or until the timeout has expired before +returning. + +=head2 Handling errors from OpenSSL I/O functions + +A QUIC application that has been configured for nonblocking behaviour will need +to be prepared to handle errors returned from OpenSSL I/O functions such as +L or L. Errors may be fatal for the stream (for +example because the stream has been reset or because the underlying connection +has failed), or non-fatal (for example because we are trying to read from the +stream but no data has not yet arrived from the peer for that stream). + +L and L will return 0 to indicate an error and +L and L will return 0 or a negative value to indicate +an error. L will return a negative value to incidate an error. + +In the event of an error an application should call L to find +out what type of error has occurred. If the error is non-fatal and can be +retried then L will return B or +B depending on whether OpenSSL wanted to read to or write +from the stream but was unable to. 
Note that a call to L or +L can still generate B. Similarly calls to +L or L might generate B. + +Another type of non-fatal error that may occur is B. This +indicates an EOF (End-Of-File) which can occur if you attempt to read data from +an B object but the peer has indicated that it will not send any more data +on the stream. In this case you may still want to write data to the stream but +you will not receive any more data. + +Fatal errors that may occur are B and B. These +indicate that the stream is no longer usable. For example, this could be because +the stream has been reset by the peer, or because the underlying connection has +failed. You can consult the OpenSSL error stack for further details (for example +by calling L to print out details of errors that have +occurred). You can also consult the return value of +L to determine whether the error is local to the +stream, or whether the underlying connection has also failed. A return value +of B tells you that the stream has been reset by +the peer and B tells you that the underlying +connection has closed. + +In our demo application we will write a function to handle these errors from +OpenSSL I/O functions: + + static int handle_io_failure(SSL *ssl, int res) + { + switch (SSL_get_error(ssl, res)) { + case SSL_ERROR_WANT_READ: + case SSL_ERROR_WANT_WRITE: + /* Temporary failure. Wait until we can read/write and try again */ + wait_for_activity(ssl); + return 1; + + case SSL_ERROR_ZERO_RETURN: + /* EOF */ + return 0; + + case SSL_ERROR_SYSCALL: + return -1; + + case SSL_ERROR_SSL: + /* + * Some stream fatal error occurred. This could be because of a + * stream reset - or some failure occurred on the underlying + * connection. + */ + switch (SSL_get_stream_read_state(ssl)) { + case SSL_STREAM_STATE_RESET_REMOTE: + printf("Stream reset occurred\n"); + /* + * The stream has been reset but the connection is still + * healthy. 
+ */ + break; + + case SSL_STREAM_STATE_CONN_CLOSED: + printf("Connection closed\n"); + /* Connection is already closed. */ + break; + + default: + printf("Unknown stream failure\n"); + break; + } + /* + * If the failure is due to a verification error we can get more + * information about it from SSL_get_verify_result(). + */ + if (SSL_get_verify_result(ssl) != X509_V_OK) + printf("Verify error: %s\n", + X509_verify_cert_error_string(SSL_get_verify_result(ssl))); + return -1; + + default: + return -1; + } + } + +This function takes as arguments the B object that represents the +connection, as well as the return code from the I/O function that failed. In +the event of a non-fatal failure, it waits until a retry of the I/O operation +might succeed (by using the C function that we developed +in the previous section). It returns 1 in the event of a non-fatal error +(except EOF), 0 in the event of EOF, or -1 if a fatal error occurred. + +=head2 Creating the SSL_CTX and SSL objects + +In order to connect to a server we must create B and B objects for +this. Most of the steps to do this are the same as for a blocking client and are +explained on the L page. We won't repeat that +information here. + +One key difference is that we must put the B object into nonblocking mode +(the default is blocking mode). To do that we use the +L function: + + /* + * The underlying socket is always nonblocking with QUIC, but the default + * behaviour of the SSL object is still to block. We set it for nonblocking + * mode in this demo. + */ + if (!SSL_set_blocking_mode(ssl, 0)) { + printf("Failed to turn off blocking mode\n"); + goto end; + } + +Although the demo application that we are developing here does not use it, it is +possible to use "thread assisted mode" when developing QUIC applications. 
+Normally, when writing an OpenSSL QUIC application, it is important that +L (or alternatively any I/O function) is called on the +connection B object periodically to maintain the connection in a healthy +state. See L for more discussion +on this. This is particularly important to keep in mind when writing a +nonblocking QUIC application because it is common to leave the B connection +object idle for some time when using nonblocking mode. By using "thread assisted +mode" a separate thread is created by OpenSSL to do this automatically which +means that the application developer does not need to handle this aspect. To do +this we must use L when we construct the +B as shown below: + + ctx = SSL_CTX_new(OSSL_QUIC_client_thread_method()); + if (ctx == NULL) { + printf("Failed to create the SSL_CTX\n"); + goto end; + } + +=head2 Performing the handshake + +As in the demo for a blocking QUIC client we use the L function +to perform the handshake with the server. Since we are using a nonblocking +B object it is very likely that calls to this function will fail with a +non-fatal error while we are waiting for the server to respond to our handshake +messages. In such a case we must retry the same L call at a +later time. In this demo we do this in a loop: + + /* Do the handshake with the server */ + while ((ret = SSL_connect(ssl)) != 1) { + if (handle_io_failure(ssl, ret) == 1) + continue; /* Retry */ + printf("Failed to connect to server\n"); + goto end; /* Cannot retry: error */ + } + +We continually call L until it gives us a success response. +Otherwise we use the C function that we created earlier to +work out what we should do next. Note that we do not expect an EOF to occur at +this stage, so such a response is treated in the same way as a fatal error. + +=head2 Sending and receiving data + +As with the blocking QUIC client demo we use the L function to +send data to the server. 
As with L above, because we are using +a nonblocking B object, this call could fail with a non-fatal error. In +that case we should retry exactly the same L call again. Note +that the parameters must be I the same, i.e. the same pointer to the +buffer to write with the same length. You must not attempt to send different +data on a retry. An optional mode does exist +(B) which will configure OpenSSL to allow +the buffer being written to change from one retry to the next. However, in this +case, you must still retry exactly the same data - even though the buffer that +contains that data may change location. See L for further +details. + + /* Write an HTTP GET request to the peer */ + while (!SSL_write_ex(ssl, request, strlen(request), &written)) { + if (handle_io_failure(ssl, 0) == 1) + continue; /* Retry */ + printf("Failed to write HTTP request\n"); + goto end; /* Cannot retry: error */ + } + +On a write we do not expect to see an EOF response so we treat that case in the +same way as a fatal error. + +Reading a response back from the server is similar: + + do { + /* + * Get up to sizeof(buf) bytes of the response. We keep reading until + * the server closes the connection. + */ + while (!eof && !SSL_read_ex(ssl, buf, sizeof(buf), &readbytes)) { + switch (handle_io_failure(ssl, 0)) { + case 1: + continue; /* Retry */ + case 0: + eof = 1; + continue; + case -1: + default: + printf("Failed reading remaining data\n"); + goto end; /* Cannot retry: error */ + } + } + /* + * OpenSSL does not guarantee that the returned data is a string or + * that it is NUL terminated so we use fwrite() to write the exact + * number of bytes that we read. The data could be non-printable or + * have NUL characters in the middle of it. For this simple example + * we're going to print it to stdout anyway. 
+ */ + if (!eof) + fwrite(buf, 1, readbytes, stdout); + } while (!eof); + /* In case the response didn't finish with a newline we add one now */ + printf("\n"); + +The main difference this time is that it is valid for us to receive an EOF +response when trying to read data from the server. This will occur when the +server closes down the connection after sending all the data in its response. + +In this demo we just print out all the data we've received back in the response +from the server. We continue going around the loop until we either encounter a +fatal error, or we receive an EOF (indicating a graceful finish). + +=head2 Shutting down the connection + +As in the QUIC blocking example we must shutdown the connection when we are +finished with it. + +Even though we have received EOF on the stream that we were reading from above, +this tell us nothing about the state of the underlying connection. Our demo +applicaiton will initiate the connection shutdown process via +L. + +Since our application is initiating the shutdown then we might expect to see +L give a return value of 0, and then we should continue to call +it until we recieve a return value of 1 (meaning we have successfully completed +the shutdown). Since we are using a nonblocking B object we might expect to +have to retry this operation several times. If L returns a +negative result then we must call L to work out what to do +next. We use our handle_io_failure() function that we developed earlier for +this: + + /* + * Repeatedly call SSL_shutdown() until the connection is fully + * closed. + */ + while ((ret = SSL_shutdown(ssl)) != 1) { + if (ret < 0 && handle_io_failure(ssl, ret) == 1) + continue; /* Retry */ + } + +=head2 Final clean up + +As with the blocking QUIC client example, once our connection is finished with +we must free it. The steps to do this for this example are the same as for the +blocking example, so we won't repeat it here. 
+ +=head1 FURTHER READING + +See L to read a tutorial on how to write a +blocking QUIC client. See L to see how to write +a multi-stream QUIC client. + +=head1 SEE ALSO + +L, L, +L, L, +L, L + +=head1 COPYRIGHT + +Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut diff --git a/doc/man7/ossl-guide-quic-multi-stream.pod b/doc/man7/ossl-guide-quic-multi-stream.pod index 4291c30fa72ce..4e4d852b035e2 100644 --- a/doc/man7/ossl-guide-quic-multi-stream.pod +++ b/doc/man7/ossl-guide-quic-multi-stream.pod @@ -166,7 +166,10 @@ is for demonstration purposes only. We will build on the example code for the simple blocking QUIC client that is covered on the L page and we assume that you are familiar with it. We will only describe the differences between the simple -blocking QUIC client and the multi-stream QUIC client. +blocking QUIC client and the multi-stream QUIC client. Although the example code +uses blocking B objects, you can equally use nonblocking B objects. +See L for more information about writing a +nonblocking QUIC client. The complete source code for this example multi-stream QUIC client is available in the C directory of the OpenSSL source distribution in the file From 38c3c1dbefa8b8333e78e0d9d38fac7c4359f826 Mon Sep 17 00:00:00 2001 
From: Matt Caswell Date: Tue, 5 Sep 2023 15:17:29 +0100 Subject: [PATCH 151/324] Expand the explanation of how to go and do useful work in non-blocking Add additional commentary to the non-blocking examples explaining where to add code to go and do other useful work. Reviewed-by: Tomas Mraz Reviewed-by: Hugo Landau (Merged from https://github.com/openssl/openssl/pull/21950) --- demos/guide/quic-client-block.c | 2 +- demos/guide/quic-client-non-block.c | 19 ++++++++++++++++--- demos/guide/tls-client-non-block.c | 16 ++++++++++++++-- doc/man7/ossl-guide-quic-client-non-block.pod | 19 ++++++++++++++++--- doc/man7/ossl-guide-tls-client-non-block.pod | 18 +++++++++++++++--- 5 files changed, 62 insertions(+), 12 deletions(-) diff --git a/demos/guide/quic-client-block.c b/demos/guide/quic-client-block.c index 3d5a56a8dfb26..b63012829f185 100644 --- a/demos/guide/quic-client-block.c +++ b/demos/guide/quic-client-block.c @@ -47,7 +47,7 @@ static BIO *create_socket_bio(const char *hostname, const char *port, */ for (ai = res; ai != NULL; ai = BIO_ADDRINFO_next(ai)) { /* - * Create a TCP socket. We could equally use non-OpenSSL calls such + * Create a UDP socket. We could equally use non-OpenSSL calls such * as "socket" here for this and the subsequent connect and close * functions. But for portability reasons and also so that we get * errors on the OpenSSL stack in the event of a failure we use diff --git a/demos/guide/quic-client-non-block.c b/demos/guide/quic-client-non-block.c index 870dd1c4fe6ec..be4c9b19676ac 100644 --- a/demos/guide/quic-client-non-block.c +++ b/demos/guide/quic-client-non-block.c 
@@ -48,7 +48,7 @@ static BIO *create_socket_bio(const char *hostname, const char *port, */ for (ai = res; ai != NULL; ai = BIO_ADDRINFO_next(ai)) { /* - * Create a TCP socket. We could equally use non-OpenSSL calls such + * Create a UDP socket. We could equally use non-OpenSSL calls such * as "socket" here for this and the subsequent connect and close * functions. But for portability reasons and also so that we get * errors on the OpenSSL stack in the event of a failure we use @@ -139,8 +139,21 @@ static void wait_for_activity(SSL *ssl) /* * Wait until the socket is writeable or readable. We use select here * for the sake of simplicity and portability, but you could equally use - * poll/epoll or similar functions. If we have a timeout we use it to - * ensure that OpenSSL is called when it wants to be. + * poll/epoll or similar functions + * + * NOTE: For the purposes of this demonstration code this effectively + * makes this demo block until it has something more useful to do. In a + * real application you probably want to go and do other work here (e.g. + * update a GUI, or service other connections). + * + * Let's say for example that you want to update the progress counter on + * a GUI every 100ms. One way to do that would be to use the timeout in + * the last parameter to "select" below. If the tvp value is greater + * than 100ms then use 100ms instead. Then, when select returns, you + * check if it did so because of activity on the file descriptors or + * because of the timeout. If the 100ms GUI timeout has expired but the + * tvp timeout has not then go and update the GUI and then restart the + * "select" (with updated timeouts). */ select(width, &rfds, &wfds, NULL, tvp); diff --git a/demos/guide/tls-client-non-block.c b/demos/guide/tls-client-non-block.c index 05db0f529e66b..dc6ee4dce8985 100644 --- a/demos/guide/tls-client-non-block.c +++ b/demos/guide/tls-client-non-block.c 
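Review bot: The expanded comment in the `@@ -139,8 +139,21 @@` hunk tells readers to work out, once select returns, whether it woke for descriptor activity or for the timeout, but the call directly beneath it, `select(width, &rfds, &wfds, NULL, tvp);`, discards the return value that carries that information. I would add one sentence to the comment, e.g. `select returns 0 on timeout, -1 on error (for example EINTR) and the number of ready descriptors otherwise, so a real application must check it.` Because the comment also points readers at servicing other connections, one more line saying that select only handles descriptors numbered below FD_SETSIZE, and that poll/epoll is the better fit once many sockets are open, would save copy-and-paste users from an out-of-range fd_set write. The same wording is added in the demos/guide/tls-client-non-block.c hunk, where the visible select call is likewise unchecked; wait_for_activity starts and ends outside both hunks.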
@@ -111,9 +111,21 @@ static void wait_for_activity(SSL *ssl, int write) width = sock + 1; /* - * Wait until the socket is writeable or readable. We use select here for - * the sake of simplicity and portability, but you could equally use + * Wait until the socket is writeable or readable. We use select here + * for the sake of simplicity and portability, but you could equally use * poll/epoll or similar functions + * + * NOTE: For the purposes of this demonstration code this effectively + * makes this demo block until it has something more useful to do. In a + * real application you probably want to go and do other work here (e.g. + * update a GUI, or service other connections). + * + * Let's say for example that you want to update the progress counter on + * a GUI every 100ms. One way to do that would be to add a 100ms timeout + * in the last parameter to "select" below. Then, when select returns, + * you check if it did so because of activity on the file descriptors or + * because of the timeout. If it is due to the timeout then update the + * GUI and then restart the "select". */ if (write) select(width, NULL, &fds, NULL, NULL); diff --git a/doc/man7/ossl-guide-quic-client-non-block.pod b/doc/man7/ossl-guide-quic-client-non-block.pod index b015a6fbf1d1a..8187bb9b77d54 100644 --- a/doc/man7/ossl-guide-quic-client-non-block.pod +++ b/doc/man7/ossl-guide-quic-client-non-block.pod 
@@ -103,8 +103,21 @@ function C. /* * Wait until the socket is writeable or readable. We use select here * for the sake of simplicity and portability, but you could equally use - * poll/epoll or similar functions. If we have a timeout we use it to - * ensure that OpenSSL is called when it wants to be. + * poll/epoll or similar functions + * + * NOTE: For the purposes of this demonstration code this effectively + * makes this demo block until it has something more useful to do. In a + * real application you probably want to go and do other work here (e.g. + * update a GUI, or service other connections). + * + * Let's say for example that you want to update the progress counter on + * a GUI every 100ms. One way to do that would be to use the timeout in + * the last parameter to "select" below. If the tvp value is greater + * than 100ms then use 100ms instead. Then, when select returns, you + * check if it did so because of activity on the file descriptors or + * because of the timeout. If the 100ms GUI timeout has expired but the + * tvp timeout has not then go and update the GUI and then restart the + * "select" (with updated timeouts). */ select(width, &rfds, &wfds, NULL, tvp); @@ -389,7 +402,7 @@ finished with it. Even though we have received EOF on the stream that we were reading from above, this tell us nothing about the state of the underlying connection. Our demo -applicaiton will initiate the connection shutdown process via +application will initiate the connection shutdown process via L. Since our application is initiating the shutdown then we might expect to see diff --git a/doc/man7/ossl-guide-tls-client-non-block.pod b/doc/man7/ossl-guide-tls-client-non-block.pod index 8f31ac69fbf87..ea5e40bd1cadb 100644 --- a/doc/man7/ossl-guide-tls-client-non-block.pod +++ b/doc/man7/ossl-guide-tls-client-non-block.pod 
@@ -99,9 +99,21 @@ the underlying socket has become readable or writeable when it wasn't before. width = sock + 1; /* - * Wait until the socket is writeable or readable. We use select here for - * the sake of simplicity and portability, but you could equally use + * Wait until the socket is writeable or readable. We use select here + * for the sake of simplicity and portability, but you could equally use * poll/epoll or similar functions + * + * NOTE: For the purposes of this demonstration code this effectively + * makes this demo block until it has something more useful to do. In a + * real application you probably want to go and do other work here (e.g. + * update a GUI, or service other connections). + * + * Let's say for example that you want to update the progress counter on + * a GUI every 100ms. One way to do that would be to add a 100ms timeout + * in the last parameter to "select" below. Then, when select returns, + * you check if it did so because of activity on the file descriptors or + * because of the timeout. If it is due to the timeout then update the + * GUI and then restart the "select". */ if (write) select(width, NULL, &fds, NULL, NULL); @@ -116,7 +128,7 @@ the underlying socket(s) to become readable/writeable before returning. It also supports a "timeout" (as do most other similar functions) so in your own applications you can make use of this to periodically wake up and perform work while waiting for the socket state to change. But we don't use that timeout -capability in this example. +capability in this example for the sake of simplicity. =head2 Handling errors from OpenSSL I/O functions From cdedecd50351a3624b074e6a425d8dfb3af5fa6a Mon Sep 17 00:00:00 2001 
From: Matt Caswell Date: Wed, 6 Sep 2023 12:14:33 +0100 Subject: [PATCH 152/324] Add a missing call to BIO_closesocket() A couple of the demos missed a call to this function in an error case. Reviewed-by: Tomas Mraz Reviewed-by: Hugo Landau (Merged from https://github.com/openssl/openssl/pull/21950) --- demos/guide/quic-client-block.c | 1 + demos/guide/quic-client-non-block.c | 1 + demos/guide/quic-multi-stream.c | 1 + doc/man7/ossl-guide-quic-client-block.pod | 1 + 4 files changed, 4 insertions(+) diff --git a/demos/guide/quic-client-block.c b/demos/guide/quic-client-block.c index b63012829f185..2c177b4f187fb 100644 --- a/demos/guide/quic-client-block.c +++ b/demos/guide/quic-client-block.c @@ -66,6 +66,7 @@ static BIO *create_socket_bio(const char *hostname, const char *port, /* Set to nonblocking mode */ if (!BIO_socket_nbio(sock, 1)) { + BIO_closesocket(sock); sock = -1; continue; } diff --git a/demos/guide/quic-client-non-block.c b/demos/guide/quic-client-non-block.c index be4c9b19676ac..e1735c0c5d261 100644 --- a/demos/guide/quic-client-non-block.c +++ b/demos/guide/quic-client-non-block.c @@ -67,6 +67,7 @@ static BIO *create_socket_bio(const char *hostname, const char *port, /* Set to nonblocking mode */ if (!BIO_socket_nbio(sock, 1)) { + BIO_closesocket(sock); sock = -1; continue; } diff --git a/demos/guide/quic-multi-stream.c b/demos/guide/quic-multi-stream.c index 5b7c8581eb7b9..8b6567aa83776 100644 --- a/demos/guide/quic-multi-stream.c +++ b/demos/guide/quic-multi-stream.c @@ -66,6 +66,7 @@ static BIO *create_socket_bio(const char *hostname, const char *port, /* Set to nonblocking mode */ if (!BIO_socket_nbio(sock, 1)) { + BIO_closesocket(sock); sock = -1; continue; } diff --git a/doc/man7/ossl-guide-quic-client-block.pod b/doc/man7/ossl-guide-quic-client-block.pod index 595135c69668b..4cf8bdd3b8289 100644 --- a/doc/man7/ossl-guide-quic-client-block.pod +++ b/doc/man7/ossl-guide-quic-client-block.pod 
@@ -123,6 +123,7 @@ for TCP). /* Set to nonblocking mode */ if (!BIO_socket_nbio(sock, 1)) { + BIO_closesocket(sock); sock = -1; continue; } From 11b7d46fa7e2684e0ad0f12a7806163dba99983d Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Wed, 6 Sep 2023 12:36:43 +0100 Subject: [PATCH 153/324] Return NULL if we fail to create a BIO in the demos/quicserver Strictly speaking the previous code was still correct since BIO_set_fd is tolerant of a NULL BIO. But this way is more clear. Reviewed-by: Tomas Mraz Reviewed-by: Hugo Landau (Merged from https://github.com/openssl/openssl/pull/21950) --- demos/guide/quic-client-block.c | 6 ++++-- demos/guide/quic-client-non-block.c | 6 ++++-- demos/guide/quic-multi-stream.c | 7 ++++--- demos/guide/tls-client-block.c | 4 +++- demos/guide/tls-client-non-block.c | 6 ++++-- doc/man7/ossl-guide-quic-client-block.pod | 6 ++++-- doc/man7/ossl-guide-tls-client-block.pod | 6 ++++-- util/quicserver.c | 6 ++++-- 8 files changed, 31 insertions(+), 16 deletions(-) diff --git a/demos/guide/quic-client-block.c b/demos/guide/quic-client-block.c index 2c177b4f187fb..e6cabfef260a8 100644 --- a/demos/guide/quic-client-block.c +++ b/demos/guide/quic-client-block.c @@ -89,10 +89,12 @@ static BIO *create_socket_bio(const char *hostname, const char *port, if (sock == -1) return NULL; - /* Create a BIO to wrap the socket*/ + /* Create a BIO to wrap the socket */ bio = BIO_new(BIO_s_datagram()); - if (bio == NULL) + if (bio == NULL) { BIO_closesocket(sock); + return NULL; + } /* * Associate the newly created BIO with the underlying socket. By diff --git a/demos/guide/quic-client-non-block.c b/demos/guide/quic-client-non-block.c index e1735c0c5d261..61d339c79ca57 100644 --- a/demos/guide/quic-client-non-block.c +++ b/demos/guide/quic-client-non-block.c 
@@ -90,10 +90,12 @@ static BIO *create_socket_bio(const char *hostname, const char *port, if (sock == -1) return NULL; - /* Create a BIO to wrap the socket*/ + /* Create a BIO to wrap the socket */ bio = BIO_new(BIO_s_datagram()); - if (bio == NULL) + if (bio == NULL) { BIO_closesocket(sock); + return NULL; + } /* * Associate the newly created BIO with the underlying socket. By diff --git a/demos/guide/quic-multi-stream.c b/demos/guide/quic-multi-stream.c index 8b6567aa83776..56db5a98a8b40 100644 --- a/demos/guide/quic-multi-stream.c +++ b/demos/guide/quic-multi-stream.c @@ -90,11 +90,12 @@ static BIO *create_socket_bio(const char *hostname, const char *port, if (sock == -1) return NULL; - /* Create a BIO to wrap the socket*/ + /* Create a BIO to wrap the socket */ bio = BIO_new(BIO_s_datagram()); - if (bio == NULL) + if (bio == NULL) { BIO_closesocket(sock); - + return NULL; + } /* * Associate the newly created BIO with the underlying socket. By * passing BIO_CLOSE here the socket will be automatically closed when diff --git a/demos/guide/tls-client-block.c b/demos/guide/tls-client-block.c index b2d2a89dd139f..75ce7ebcc2458 100644 --- a/demos/guide/tls-client-block.c +++ b/demos/guide/tls-client-block.c @@ -76,8 +76,10 @@ static BIO *create_socket_bio(const char *hostname, const char *port) /* Create a BIO to wrap the socket*/ bio = BIO_new(BIO_s_socket()); - if (bio == NULL) + if (bio == NULL) { BIO_closesocket(sock); + return NULL; + } /* * Associate the newly created BIO with the underlying socket. By diff --git a/demos/guide/tls-client-non-block.c b/demos/guide/tls-client-non-block.c index dc6ee4dce8985..14448c968523e 100644 --- a/demos/guide/tls-client-non-block.c +++ b/demos/guide/tls-client-non-block.c 
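Review bot: In the demos/guide/quic-multi-stream.c hunk the blank line that separated the NULL check from the `Associate the newly created BIO` comment is removed, so the new closing `}` runs straight into the comment, unlike the same change in the other demos touched by this patch. Keeping the blank line after `}` would leave the copies of create_socket_bio textually aligned. The demos/guide/tls-client-block.c hunk that follows also leaves `/* Create a BIO to wrap the socket*/` without the space this patch adds everywhere else; `/* Create a BIO to wrap the socket */` would match. create_socket_bio continues outside both hunks.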
@@ -81,10 +81,12 @@ static BIO *create_socket_bio(const char *hostname, const char *port) if (sock == -1) return NULL; - /* Create a BIO to wrap the socket*/ + /* Create a BIO to wrap the socket */ bio = BIO_new(BIO_s_socket()); - if (bio == NULL) + if (bio == NULL) { BIO_closesocket(sock); + return NULL; + } /* * Associate the newly created BIO with the underlying socket. By diff --git a/doc/man7/ossl-guide-quic-client-block.pod b/doc/man7/ossl-guide-quic-client-block.pod index 4cf8bdd3b8289..fc8912086dae6 100644 --- a/doc/man7/ossl-guide-quic-client-block.pod +++ b/doc/man7/ossl-guide-quic-client-block.pod @@ -165,10 +165,12 @@ associate it with a BIO object: BIO *bio; - /* Create a BIO to wrap the socket*/ + /* Create a BIO to wrap the socket */ bio = BIO_new(BIO_s_datagram()); - if (bio == NULL) + if (bio == NULL) { BIO_closesocket(sock); + return NULL; + } /* * Associate the newly created BIO with the underlying socket. By diff --git a/doc/man7/ossl-guide-tls-client-block.pod b/doc/man7/ossl-guide-tls-client-block.pod index 236553fafd534..865a5353b3fa3 100644 --- a/doc/man7/ossl-guide-tls-client-block.pod +++ b/doc/man7/ossl-guide-tls-client-block.pod @@ -222,10 +222,12 @@ BIO object: BIO *bio; - /* Create a BIO to wrap the socket*/ + /* Create a BIO to wrap the socket */ bio = BIO_new(BIO_s_socket()); - if (bio == NULL) + if (bio == NULL) { BIO_closesocket(sock); + return NULL; + } /* * Associate the newly created BIO with the underlying socket. By diff --git a/util/quicserver.c b/util/quicserver.c index 5a51b240ffdf7..fd9f9399bd6e2 100644 --- a/util/quicserver.c +++ b/util/quicserver.c 
@@ -113,10 +113,12 @@ static BIO *create_dgram_bio(int family, const char *hostname, const char *port) if (sock == -1) return NULL; - /* Create a BIO to wrap the socket*/ + /* Create a BIO to wrap the socket */ bio = BIO_new(BIO_s_datagram()); - if (bio == NULL) + if (bio == NULL) { BIO_closesocket(sock); + return NULL; + } /* * Associate the newly created BIO with the underlying socket. By From e9f8e92645361e3596ccc43fa7cbca5245492cd2 Mon Sep 17 00:00:00 2001 From: "Randall S. Becker" Date: Thu, 7 Sep 2023 15:00:19 +0100 Subject: [PATCH 154/324] Modify 50-nonstop.conf to enable c99 extensions for uintptr_t. This is done using the define __NSK_OPTIONAL_TYPES__ and is specific to the NonStop platform builds. Fixes: #22002 Signed-off-by: Randall S. Becker Reviewed-by: Hugo Landau Reviewed-by: Matt Caswell Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22005) --- Configurations/50-nonstop.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/Configurations/50-nonstop.conf b/Configurations/50-nonstop.conf index 3264bc9b8599b..53081576cc68c 100644 --- a/Configurations/50-nonstop.conf +++ b/Configurations/50-nonstop.conf @@ -14,6 +14,7 @@ '_XOPEN_SOURCE', '_XOPEN_SOURCE_EXTENDED=1', '_TANDEM_SOURCE', + '__NSK_OPTIONAL_TYPES__', 'B_ENDIAN'), perl => '/usr/bin/perl', shared_target => 'nonstop-shared', From aff99225f946d8f538b5e0cb95fc65d5cd36b99b Mon Sep 17 00:00:00 2001 From: "Randall S. Becker" Date: Thu, 7 Sep 2023 15:15:21 +0100 Subject: [PATCH 155/324] Exclude include of poll.h from NonStop builds - not defined on platform. socket.h has been modified so that poll.h is omitted for OPENSSL_SYS_NONSTOP builds. The platform configuration is derived from UNIX so the include is only omitted for NonStop but kept in the OPENSSL_SYS_UNIX include block. Fixes: #22001 
Signed-off-by: Randall S. Becker Reviewed-by: Hugo Landau Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22006) --- include/internal/sockets.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/include/internal/sockets.h b/include/internal/sockets.h index 27a26184f09d6..2550c56bd0ed9 100644 --- a/include/internal/sockets.h +++ b/include/internal/sockets.h @@ -117,7 +117,9 @@ typedef size_t socklen_t; /* Currently appears to be missing on VMS */ # endif # ifdef OPENSSL_SYS_UNIX -# include +# ifndef OPENSSL_SYS_TANDEM +# include +# endif # include # endif From d2873946dfaff5537ea3d1adf3890e33a3f276ff Mon Sep 17 00:00:00 2001 From: Bernd Edlinger Date: Fri, 8 Sep 2023 10:33:24 +0200 Subject: [PATCH 156/324] Fix output corruption in req command when used in conjunction with -out and -modulus options. Fixes #21403 Reviewed-by: Dmitry Belyavskiy Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22026) --- apps/req.c | 8 ++++---- test/recipes/25-test_req.t | 13 ++++++++++++- 2 files changed, 16 insertions(+), 5 deletions(-) diff --git a/apps/req.c b/apps/req.c index e65bdad9b6fe9..c4c9ba292cb05 100644 --- a/apps/req.c +++ b/apps/req.c @@ -973,10 +973,10 @@ int req_main(int argc, char **argv) else tpubkey = X509_REQ_get0_pubkey(req); if (tpubkey == NULL) { - fprintf(stdout, "Modulus is unavailable\n"); + BIO_puts(bio_err, "Modulus is unavailable\n"); goto end; } - fprintf(stdout, "Modulus="); + BIO_puts(out, "Modulus="); if (EVP_PKEY_is_a(tpubkey, "RSA") || EVP_PKEY_is_a(tpubkey, "RSA-PSS")) { BIGNUM *n = NULL; @@ -985,9 +985,9 @@ int req_main(int argc, char **argv) BN_print(out, n); BN_free(n); } else { - fprintf(stdout, "Wrong Algorithm type"); + BIO_puts(out, "Wrong Algorithm type"); } - fprintf(stdout, "\n"); + BIO_puts(out, "\n"); } if (!noout && !gen_x509) { 
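Review bot: The new `# ifndef OPENSSL_SYS_TANDEM` guard in the include/internal/sockets.h hunk carries no comment, and the commit message describes the condition as OPENSSL_SYS_NONSTOP while the code tests OPENSSL_SYS_TANDEM. A one-line comment above the guard, e.g. `/* poll.h is not provided on NonStop (OPENSSL_SYS_TANDEM) */`, would record why the include is skipped and tie the two names together. Any code that calls poll() under OPENSSL_SYS_UNIX would need the same condition; that is not visible from this hunk, so it is worth confirming before relying on the header change alone.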
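Review bot: The two apps/req.c hunks move the `Modulus=` line from stdout to `out`, which changes where the text lands when -out names a file, and nothing in the code records that this is intended. Assuming `out` is the BIO opened for -out (it is set up outside the hunks), the output file now starts with a non-PEM line, and scripts that captured the modulus from stdout will no longer see it. I would add a comment above `BIO_puts(out, "Modulus=");` along the lines of `/* Written to |out| so it stays ordered with the PEM data; with -out it goes into that file */`. The diagnostics are also split: `Modulus is unavailable` goes to bio_err while `Wrong Algorithm type` still goes to `out`, which is worth either aligning or explaining.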
diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t index 07a5975655a52..32dc4ded8c899 100644 --- a/test/recipes/25-test_req.t +++ b/test/recipes/25-test_req.t @@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/; setup("test_req"); -plan tests => 102; +plan tests => 104; require_ok(srctop_file('test', 'recipes', 'tconversion.pl')); @@ -590,3 +590,14 @@ $cert = "self-signed_CA_with_keyUsages.pem"; generate_cert($cert, "-in", srctop_file(@certs, "ext-check.csr"), "-copy_extensions", "copy"); has_keyUsage($cert, 1); + +# Generate cert using req with '-modulus' +ok(run(app(["openssl", "req", "-x509", "-new", "-days", "365", + "-key", srctop_file("test", "testrsa.pem"), + "-config", srctop_file('test', 'test.cnf'), + "-out", "testreq-cert.pem", + "-modulus"])), "cert req creation - with -modulus"); + +# Verify cert +ok(run(app(["openssl", "x509", "-in", "testreq-cert.pem", + "-noout", "-text"])), "cert verification"); From d30695ba4de494a8554c05afbfc0f984315a6306 Mon Sep 17 00:00:00 2001 From: Rainer Jung Date: Fri, 8 Sep 2023 00:27:07 +0200 Subject: [PATCH 157/324] Regexp modifier "r" needs perl 5.14; OpenSSL should build with 5.11, so do not use the "r" shortcut. Reviewed-by: Hugo Landau Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22019) --- Configurations/50-win-hybridcrt.conf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Configurations/50-win-hybridcrt.conf b/Configurations/50-win-hybridcrt.conf index 2ddd25a42a469..242583c728171 100644 --- a/Configurations/50-win-hybridcrt.conf +++ b/Configurations/50-win-hybridcrt.conf @@ -11,7 +11,8 @@ sub remove_from_flags { my ($toRemove, $flags) = @_; - return $flags =~ s/$toRemove//r; + $flags =~ s/$toRemove//; + return $flags; } my %targets = ( From 9a41a3c6a453a90d6c6cf106480a4a72b08b14f9 Mon Sep 17 00:00:00 2001 
From: Min Zhou Date: Thu, 7 Sep 2023 11:07:53 +0800 Subject: [PATCH 158/324] LoongArch64 assembly pack: add ChaCha20 modules This assembly implementation for ChaCha20 includes three code paths: scalar path, 128-bit LSX path and 256-bit LASX path. We prefer the LASX path or LSX path if the hardware and system support these extensions. There are 32 vector registers avaialable in the LSX and LASX extensions. So, we can load the 16 initial states and the 16 intermediate states of ChaCha into the 32 vector registers for calculating in the implementation. The test results on the 3A5000 and 3A6000 show that this assembly implementation significantly improves the performance of ChaCha20 on LoongArch based machines. The detailed test results are as following. Test with: $ openssl speed -evp chacha20 3A5000 type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes C code 178484.53k 282789.93k 311793.70k 322234.99k 324405.93k 324659.88k assembly code 223152.28k 407863.65k 989520.55k 2049192.96k 2127248.70k 2131749.55k +25% +44% +217% +536% +556% +557% 3A6000 type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes C code 214945.33k 310041.75k 340724.22k 349949.27k 352925.01k 353140.74k assembly code 299151.34k 492766.34k 2070166.02k 4300909.91k 4473978.88k 4499084.63k +39% +59% +508% +1129% +1168% +1174% Signed-off-by: Min Zhou Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/21998) --- crypto/chacha/asm/chacha-loongarch64.pl | 1413 +++++++++++++++++++++++ crypto/chacha/build.info | 4 + 2 files changed, 1417 insertions(+) create mode 100644 crypto/chacha/asm/chacha-loongarch64.pl diff --git a/crypto/chacha/asm/chacha-loongarch64.pl b/crypto/chacha/asm/chacha-loongarch64.pl new file mode 100644 index 0000000000000..ea9cc7ecce237 --- /dev/null +++ b/crypto/chacha/asm/chacha-loongarch64.pl 
@@ -0,0 +1,1413 @@ +#! /usr/bin/env perl +# Author: Min Zhou +# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the OpenSSL license (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +use strict; + +my $code; + +# Here is the scalar register layout for LoongArch. +my ($zero,$ra,$tp,$sp,$fp)=map("\$r$_",(0..3,22)); +my ($a0,$a1,$a2,$a3,$a4,$a5,$a6,$a7)=map("\$r$_",(4..11)); +my ($t0,$t1,$t2,$t3,$t4,$t5,$t6,$t7,$t8,$x)=map("\$r$_",(12..21)); +my ($s0,$s1,$s2,$s3,$s4,$s5,$s6,$s7,$s8)=map("\$r$_",(23..31)); + +# Here is the 128-bit vector register layout for LSX extension. +my ($vr0,$vr1,$vr2,$vr3,$vr4,$vr5,$vr6,$vr7,$vr8,$vr9,$vr10, + $vr11,$vr12,$vr13,$vr14,$vr15,$vr16,$vr17,$vr18,$vr19, + $vr20,$vr21,$vr22,$vr23,$vr24,$vr25,$vr26,$vr27,$vr28, + $vr29,$vr30,$vr31)=map("\$vr$_",(0..31)); + +# Here is the 256-bit vector register layout for LASX extension. +my ($xr0,$xr1,$xr2,$xr3,$xr4,$xr5,$xr6,$xr7,$xr8,$xr9,$xr10, + $xr11,$xr12,$xr13,$xr14,$xr15,$xr16,$xr17,$xr18,$xr19, + $xr20,$xr21,$xr22,$xr23,$xr24,$xr25,$xr26,$xr27,$xr28, + $xr29,$xr30,$xr31)=map("\$xr$_",(0..31)); + +my $output; +for (@ARGV) { $output=$_ if (/\w[\w\-]*\.\w+$/); } +open STDOUT,">$output"; + +# Input parameter block +my ($out, $inp, $len, $key, $counter) = ($a0, $a1, $a2, $a3, $a4); + +$code .= < Date: Thu, 7 Sep 2023 20:42:10 +0100 Subject: [PATCH 159/324] Prevent 80-test_cmp_http from accidentally killing perl in error. If there is an issue with setting up the test environment in this test, pid is not set so stop_server kills the perl process. A guard has been added to prevent this situation. Fixes: #22014 
Signed-off-by: Randall S. Becker Reviewed-by: Richard Levitte Reviewed-by: Tom Cosgrove Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22015) --- test/recipes/80-test_cmp_http.t | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/recipes/80-test_cmp_http.t b/test/recipes/80-test_cmp_http.t index bd4df0dd0dc2c..62ce1bd169063 100644 --- a/test/recipes/80-test_cmp_http.t +++ b/test/recipes/80-test_cmp_http.t @@ -314,7 +314,7 @@ sub start_server { $server_host = "127.0.0.1" if $server_host eq "0.0.0.0"; } unless ($server_port > 0) { - stop_server($server_name, $pid); + stop_server($server_name, $pid) if $pid; print "Cannot get expected output from the $server_name server"; return 0; } From 5d96106c43d5b4e2d97406e5d3934323ae5bd1b4 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Fri, 8 Sep 2023 15:26:40 +0100 Subject: [PATCH 160/324] Fix a build failure where recvmmsg is available but not sendmmsg Some old glibc versions have recvmmsg but not sendmmsg. We require both to use that functionality. Introduce a test to check we have a sufficiently recent version of glibc. Fixes #22021 Reviewed-by: Hugo Landau Reviewed-by: Tomas Mraz Reviewed-by: Tim Hudson Reviewed-by: Tom Cosgrove (Merged from https://github.com/openssl/openssl/pull/22036) --- crypto/bio/bss_dgram.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/crypto/bio/bss_dgram.c b/crypto/bio/bss_dgram.c index b0c08b362a70a..3f57de539f451 100644 --- a/crypto/bio/bss_dgram.c +++ b/crypto/bio/bss_dgram.c 
@@ -50,6 +50,17 @@ # define M_METHOD_RECVFROM 3 # define M_METHOD_WSARECVMSG 4 +# if defined(__GLIBC__) && defined(__GLIBC_PREREQ) +# if !(__GLIBC_PREREQ(2, 14)) +# undef NO_RECVMMSG + /* + * Some old glibc versions may have recvmmsg and MSG_WAITFORONE flag, but + * not sendmmsg. We need both so force this to be disabled on these old + * versions + */ +# define NO_RECVMMSG +# endif +# endif # if !defined(M_METHOD) # if defined(OPENSSL_SYS_WINDOWS) && defined(BIO_HAVE_WSAMSG) && !defined(NO_WSARECVMSG) # define M_METHOD M_METHOD_WSARECVMSG From 84f371a130dbe7a46595fbabd274f152a0e6385f Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Fri, 8 Sep 2023 08:20:02 +0200 Subject: [PATCH 161/324] Fix test_quic_multistream to allow multiple concurrent tests The server port was hard coded to 8186. That could make for some "interesting" effects if two instances of this same test was running on the same machine. This change binds the server interface with port 0, and captures the resulting random port. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale Reviewed-by: Hugo Landau (Merged from https://github.com/openssl/openssl/pull/22025) --- test/quic_multistream_test.c | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/test/quic_multistream_test.c b/test/quic_multistream_test.c index e8a145726cd98..bc0ae12cdb17e 100644 --- a/test/quic_multistream_test.c +++ b/test/quic_multistream_test.c @@ -48,7 +48,11 @@ DEFINE_LHASH_OF_EX(STREAM_INFO); struct helper { int s_fd; BIO *s_net_bio, *s_net_bio_own, *s_qtf_wbio, *s_qtf_wbio_own; + /* The BIO_ADDR used for BIO_bind() */ + BIO_ADDR *s_net_bio_orig_addr; + /* The resulting address, which is the one to connect to */ BIO_ADDR *s_net_bio_addr; + /* * When doing a blocking mode test run, s_priv always points to the TSERVER * and s is NULL when the main thread should not be touching s_priv. 
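Review bot: The added block in the crypto/bio/bss_dgram.c hunk only takes effect when `__GLIBC_PREREQ` is already defined at this point, so if no libc header has been included earlier in the file the check is skipped silently and the old-glibc configuration is not disabled; the includes are outside the hunk, so this is worth confirming. The explanatory comment sits between `# undef NO_RECVMMSG` and `# define NO_RECVMMSG`, where it is easy to miss; moving it above the `# if defined(__GLIBC__) && defined(__GLIBC_PREREQ)` line would make the intent visible before the preprocessor logic. A blank line before `# if !defined(M_METHOD)` would also separate the new block from the method selection that follows.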
@@ -633,6 +637,8 @@ static void helper_cleanup(struct helper *h) BIO_ADDR_free(h->s_net_bio_addr); h->s_net_bio_addr = NULL; + BIO_ADDR_free(h->s_net_bio_orig_addr); + h->s_net_bio_orig_addr = NULL; SSL_CTX_free(h->c_ctx); h->c_ctx = NULL; @@ -651,9 +657,9 @@ static void helper_cleanup(struct helper *h) static int helper_init(struct helper *h, int free_order, int blocking, int need_injector) { - short port = 8186; struct in_addr ina = {0}; QUIC_TSERVER_ARGS s_args = {0}; + union BIO_sock_info_u info; memset(h, 0, sizeof(*h)); h->c_fd = -1; @@ -683,14 +689,19 @@ static int helper_init(struct helper *h, int free_order, int blocking, if (!TEST_true(BIO_socket_nbio(h->s_fd, 1))) goto err; - if (!TEST_ptr(h->s_net_bio_addr = BIO_ADDR_new())) + if (!TEST_ptr(h->s_net_bio_orig_addr = BIO_ADDR_new()) + || !TEST_ptr(h->s_net_bio_addr = BIO_ADDR_new())) + goto err; + + if (!TEST_true(BIO_ADDR_rawmake(h->s_net_bio_orig_addr, AF_INET, + &ina, sizeof(ina), 0))) goto err; - if (!TEST_true(BIO_ADDR_rawmake(h->s_net_bio_addr, AF_INET, &ina, sizeof(ina), - htons(port)))) + if (!TEST_true(BIO_bind(h->s_fd, h->s_net_bio_orig_addr, 0))) goto err; - if (!TEST_true(BIO_bind(h->s_fd, h->s_net_bio_addr, 0))) + info.addr = h->s_net_bio_addr; + if (!TEST_true(BIO_sock_info(h->s_fd, BIO_SOCK_INFO_ADDRESS, &info))) goto err; if (!TEST_int_gt(BIO_ADDR_rawport(h->s_net_bio_addr), 0)) From ad31628cfef5893b2198077752302a7d9b58135c Mon Sep 17 00:00:00 2001 
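Review bot: In the `helper_init` hunk, `h->s_net_bio_orig_addr` is used only as the argument to `BIO_ADDR_rawmake()` and `BIO_bind()`, yet it is stored in `struct helper` and kept until `helper_cleanup()` (the struct and cleanup hunks). Unless code outside these hunks reads it later, a local `BIO_ADDR *` freed right after the bind would keep the helper state smaller and drop the extra cleanup lines. The literal `0` passed as the port to `BIO_ADDR_rawmake()` also deserves a comment, for example `/* port 0: the OS assigns a free port, read back with BIO_sock_info() below */`, because the reason is currently given only in the commit message. The body of `helper_init` continues outside the hunk.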
From: Dimitri Papadopoulos <3234522+DimitriPapadopoulos@users.noreply.github.com> Date: Sun, 16 Jul 2023 09:09:31 +0200 Subject: [PATCH 162/324] Remove repeated words Found by running the checkpatch.pl Linux script to enforce coding style. Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21468) --- apps/cmp.c | 2 +- crypto/cpuid.c | 4 ++-- crypto/ec/ecp_s390x_nistp.c | 2 +- crypto/http/http_client.c | 2 +- crypto/pem/pvkfmt.c | 2 +- crypto/rsa/rsa_sp800_56b_gen.c | 2 +- crypto/store/store_lib.c | 2 +- crypto/x509/x509_trust.c | 2 +- include/internal/bio_tfo.h | 4 ++-- include/internal/quic_ackm.h | 2 +- include/internal/recordmethod.h | 2 +- include/openssl/ec.h | 2 +- providers/implementations/keymgmt/dh_kmgmt.c | 2 +- ssl/quic/quic_txp.c | 4 ++-- ssl/statem/statem_srvr.c | 2 +- test/provider_pkey_test.c | 2 +- test/sslapitest.c | 2 +- test/tls-provider.c | 2 +- 18 files changed, 21 insertions(+), 21 deletions(-) diff --git a/apps/cmp.c b/apps/cmp.c index eb14f1f404800..e38f0010a095c 100644 --- a/apps/cmp.c +++ b/apps/cmp.c @@ -1571,7 +1571,7 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) if (opt_csr != NULL) { CMP_err1("no -newkey option given with private key for POPO, -csr option only provides public key%s", opt_key == NULL ? "" : - ", and -key option superseded by by -csr"); + ", and -key option superseded by -csr"); return 0; } if (opt_key == NULL) { diff --git a/crypto/cpuid.c b/crypto/cpuid.c index f3d966dbf0b53..a7c4f97fb4b3f 100644 --- a/crypto/cpuid.c +++ b/crypto/cpuid.c @@ -34,7 +34,7 @@ static variant_char *ossl_getenv(const char *name) { /* * Since we pull only one environment variable, it's simpler to - * to just ignore |name| and use equivalent wide-char L-literal. + * just ignore |name| and use equivalent wide-char L-literal. * As well as to ignore excessively long values... */ static WCHAR value[48]; 
@@ -173,7 +173,7 @@ void OPENSSL_cpuid_setup(void) */ /* - * The volatile is used to to ensure that the compiler generates code that reads + * The volatile is used to ensure that the compiler generates code that reads * all values from the array and doesn't try to optimize this away. The standard * doesn't actually require this behavior if the original data pointed to is * not volatile, but compilers do this in practice anyway. diff --git a/crypto/ec/ecp_s390x_nistp.c b/crypto/ec/ecp_s390x_nistp.c index 6bf2da9b4bb14..eae0b52c4e69b 100644 --- a/crypto/ec/ecp_s390x_nistp.c +++ b/crypto/ec/ecp_s390x_nistp.c @@ -178,7 +178,7 @@ static ECDSA_SIG *ecdsa_s390x_nistp_sign_sig(const unsigned char *dgst, goto ret; } /* - * Generate random k and copy to param param block. RAND_priv_bytes_ex + * Generate random k and copy to param block. RAND_priv_bytes_ex * is used instead of BN_priv_rand_range or BN_generate_dsa_nonce * because kdsa instruction constructs an in-range, invertible nonce * internally implementing counter-measures for RNG weakness. diff --git a/crypto/http/http_client.c b/crypto/http/http_client.c index 615d48a72444f..474a6e59e3eb1 100644 --- a/crypto/http/http_client.c +++ b/crypto/http/http_client.c @@ -1473,7 +1473,7 @@ int OSSL_HTTP_proxy_connect(BIO *bio, const char *server, const char *port, do { /* * This does not necessarily catch the case when the full - * HTTP response came in in more than a single TCP message. + * HTTP response came in more than a single TCP message. */ read_len = BIO_gets(fbio, mbuf, BUF_SIZE); } while (read_len > 2); diff --git a/crypto/pem/pvkfmt.c b/crypto/pem/pvkfmt.c index 8931386fae554..d8aaebe72f586 100644 --- a/crypto/pem/pvkfmt.c +++ b/crypto/pem/pvkfmt.c 
@@ -150,7 +150,7 @@ static EVP_PKEY *evp_pkey_new0_key(void *key, int evp_type) * Read the MSBLOB header and get relevant data from it. * * |pisdss| and |pispub| have a double role, as they can be used for - * discovery as well as to check the the blob meets expectations. + * discovery as well as to check the blob meets expectations. * |*pisdss| is the indicator for whether the key is a DSA key or not. * |*pispub| is the indicator for whether the key is public or not. * In both cases, the following input values apply: diff --git a/crypto/rsa/rsa_sp800_56b_gen.c b/crypto/rsa/rsa_sp800_56b_gen.c index 04fbe5e86ef44..9fa85bfdf3b69 100644 --- a/crypto/rsa/rsa_sp800_56b_gen.c +++ b/crypto/rsa/rsa_sp800_56b_gen.c @@ -423,7 +423,7 @@ int ossl_rsa_sp800_56b_generate_key(RSA *rsa, int nbits, const BIGNUM *efixed, * See SP800-56Br1 6.3.1.3 (Step 6) Perform a pair-wise consistency test by * verifying that: k = (k^e)^d mod n for some integer k where 1 < k < n-1. * - * Returns 1 if the RSA key passes the pairwise test or 0 it it fails. + * Returns 1 if the RSA key passes the pairwise test or 0 if it fails. */ int ossl_rsa_sp800_56b_pairwise_test(RSA *rsa, BN_CTX *ctx) { diff --git a/crypto/store/store_lib.c b/crypto/store/store_lib.c index 0e805062ac0c0..df3180c04847c 100644 --- a/crypto/store/store_lib.c +++ b/crypto/store/store_lib.c @@ -1013,7 +1013,7 @@ OSSL_STORE_CTX *OSSL_STORE_attach(BIO *bp, const char *scheme, ctx->post_process_data = post_process_data; /* - * ossl_store_get0_loader_int will raise an error if the loader for the + * ossl_store_get0_loader_int will raise an error if the loader for * the scheme cannot be retrieved. But if a loader was successfully * fetched then we remove this error from the error stack. */ diff --git a/crypto/x509/x509_trust.c b/crypto/x509/x509_trust.c index 3143de0d74d07..1a4345f2fec0a 100644 --- a/crypto/x509/x509_trust.c +++ b/crypto/x509/x509_trust.c 
@@ -275,7 +275,7 @@ static int obj_trust(int id, X509 *x, int flags) /* * Reject when explicit trust EKU are set and none match. * - * Returning untrusted is enough for for full chains that end in + * Returning untrusted is enough for full chains that end in * self-signed roots, because when explicit trust is specified it * suppresses the default blanket trust of self-signed objects. * diff --git a/include/internal/bio_tfo.h b/include/internal/bio_tfo.h index 6351443933b77..64c0d4c327243 100644 --- a/include/internal/bio_tfo.h +++ b/include/internal/bio_tfo.h @@ -54,7 +54,7 @@ * Some options are purposely NOT defined per-platform * * OSSL_TFO_SYSCTL - * Defined as a sysctlbyname() option to to determine if + * Defined as a sysctlbyname() option to determine if * TFO is enabled in the kernel (macOS, FreeBSD) * * OSSL_TFO_SERVER_SOCKOPT @@ -86,7 +86,7 @@ /* * NO WINDOWS SUPPORT * - * But this is is what would be used on the server: + * But this is what would be used on the server: * * define OSSL_TFO_SERVER_SOCKOPT TCP_FASTOPEN * define OSSL_TFO_SERVER_SOCKOPT_VALUE 1 diff --git a/include/internal/quic_ackm.h b/include/internal/quic_ackm.h index f92f0ebaf28d4..03fc608867845 100644 --- a/include/internal/quic_ackm.h +++ b/include/internal/quic_ackm.h @@ -225,7 +225,7 @@ int ossl_ackm_is_ack_desired(OSSL_ACKM *ackm, int pkt_space); * the RFC. * * The return value of this function transitions from 1 to 0 for a given PN once - * that PN is passed to ossl_ackm_on_rx_packet, thus thus function must be used + * that PN is passed to ossl_ackm_on_rx_packet, thus this function must be used * before calling ossl_ackm_on_rx_packet. */ int ossl_ackm_is_rx_pn_processable(OSSL_ACKM *ackm, QUIC_PN pn, int pkt_space); diff --git a/include/internal/recordmethod.h b/include/internal/recordmethod.h index e0bc0f3231a9d..53bd4ca6d2b11 100644 --- a/include/internal/recordmethod.h +++ b/include/internal/recordmethod.h 
@@ -228,7 +228,7 @@ struct ossl_record_method_st { * remain available until all the bytes from record are released via one or * more release_record calls. * - * Internally the the OSSL_RECORD_METHOD the implementation may read/process + * Internally the OSSL_RECORD_METHOD implementation may read/process * multiple records in one go and buffer them. */ int (*read_record)(OSSL_RECORD_LAYER *rl, void **rechandle, int *rversion, diff --git a/include/openssl/ec.h b/include/openssl/ec.h index 2fe819c462f1b..e1cbe982287b6 100644 --- a/include/openssl/ec.h +++ b/include/openssl/ec.h @@ -1127,7 +1127,7 @@ OSSL_DEPRECATEDIN_3_0 int EC_KEY_check_key(const EC_KEY *key); /** Indicates if an EC_KEY can be used for signing. * \param eckey the EC_KEY object - * \return 1 if can can sign and 0 otherwise. + * \return 1 if can sign and 0 otherwise. */ OSSL_DEPRECATEDIN_3_0 int EC_KEY_can_sign(const EC_KEY *eckey); diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c index a16817d2036ba..1d6b1f3730277 100644 --- a/providers/implementations/keymgmt/dh_kmgmt.c +++ b/providers/implementations/keymgmt/dh_kmgmt.c @@ -699,7 +699,7 @@ static void *dh_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) return NULL; /* - * If a group name is selected then the type is group regardless of what the + * If a group name is selected then the type is group regardless of what * the user selected. This overrides rather than errors for backwards * compatibility. */ diff --git a/ssl/quic/quic_txp.c b/ssl/quic/quic_txp.c index 8a825b5bfe9d6..0f1e9b8f25618 100644 --- a/ssl/quic/quic_txp.c +++ b/ssl/quic/quic_txp.c @@ -1984,7 +1984,7 @@ static int txp_generate_crypto_frames(OSSL_QUIC_TX_PACKETISER *txp, /* * Ensure we have enough iovecs allocated (1 for the header, up to 2 for - * the the stream data.) + * the stream data.) */ if (!txp_el_ensure_iovec(&txp->el[enc_level], h->num_iovec + 3)) return 0; /* alloc error */ 
@@ -2234,7 +2234,7 @@ static int txp_generate_stream_frames(OSSL_QUIC_TX_PACKETISER *txp, /* * Ensure we have enough iovecs allocated (1 for the header, up to 2 for - * the the stream data.) + * the stream data.) */ if (!txp_el_ensure_iovec(&txp->el[enc_level], h->num_iovec + 3)) goto err; /* alloc error */ diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index 67865b85fa0bb..853af8c0aa9f9 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -2353,7 +2353,7 @@ WORK_STATE tls_post_process_client_hello(SSL_CONNECTION *s, WORK_STATE wst) * we now have the following setup. * client_random * cipher_list - our preferred list of ciphers - * ciphers - the clients preferred list of ciphers + * ciphers - the client's preferred list of ciphers * compression - basically ignored right now * ssl version is set - sslv3 * s->session - The ssl session has been setup. diff --git a/test/provider_pkey_test.c b/test/provider_pkey_test.c index 3b190baa5e655..7e69f4bbd50b0 100644 --- a/test/provider_pkey_test.c +++ b/test/provider_pkey_test.c @@ -93,7 +93,7 @@ static int test_pkey_sig(void) /* * If this picks the wrong signature without realizing it * we can get a segfault or some internal error. At least watch - * whether fake-rsa sign_init is is exercised by calling sign. + * whether fake-rsa sign_init is exercised by calling sign. */ if (!TEST_int_eq(EVP_PKEY_sign_init(ctx), 1)) goto end; diff --git a/test/sslapitest.c b/test/sslapitest.c index 75fbd3bd3b575..ed8eb2514b9bd 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -9054,7 +9054,7 @@ static int test_session_timeout(int test) * Test session ordering and timeout * Can't explicitly test performance of the new code, * but can test to see if the ordering of the sessions - * are correct, and they they are removed as expected + * are correct, and they are removed as expected */ SSL_SESSION *early = NULL; SSL_SESSION *middle = NULL; 
diff --git a/test/tls-provider.c b/test/tls-provider.c index a914620cd22b8..5f1479435f78a 100644 --- a/test/tls-provider.c +++ b/test/tls-provider.c @@ -2152,7 +2152,7 @@ struct keytype_desc_st { /* * Start blatant code steal. Alternative: Open up d2i_X509_PUBKEY_INTERNAL * as per https://github.com/openssl/openssl/issues/16697 (TBD) - * Code from from openssl/crypto/x509/x_pubkey.c as + * Code from openssl/crypto/x509/x_pubkey.c as * ossl_d2i_X509_PUBKEY_INTERNAL is presently not public */ struct X509_pubkey_st { From bbaeadb068c3289c7df3b7bea0049f70a648ba00 Mon Sep 17 00:00:00 2001 
From: Dimitri Papadopoulos <3234522+DimitriPapadopoulos@users.noreply.github.com> Date: Sun, 16 Jul 2023 20:03:40 +0200 Subject: [PATCH 163/324] "foo * bar" should be "foo *bar" Found by running the checkpatch.pl Linux script to enforce coding style. Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21468) --- apps/dgst.c | 2 +- apps/include/opt.h | 6 ++--- apps/lib/apps.c | 8 +++---- apps/openssl.c | 4 ++-- apps/speed.c | 4 ++-- crypto/conf/conf_def.c | 2 +- crypto/cpuid.c | 2 +- crypto/ec/curve448/curve448.c | 6 ++--- crypto/ec/curve448/point_448.h | 2 +- crypto/evp/e_chacha20_poly1305.c | 2 +- crypto/pem/pem_lib.c | 2 +- crypto/trace.c | 2 +- crypto/x509/v3_admis.c | 4 ++-- demos/digest/BIO_f_md.c | 2 +- demos/digest/EVP_MD_demo.c | 4 ++-- demos/digest/EVP_MD_stdin.c | 2 +- engines/e_dasync.c | 2 +- include/crypto/aes_platform.h | 24 +++++++++---------- include/crypto/asn1.h | 6 ++--- include/openssl/store.h | 2 +- .../ciphers/cipher_aes_gcm_siv.c | 2 +- .../implementations/ciphers/cipher_aes_siv.c | 2 +- .../implementations/ciphers/cipher_rc2.c | 2 +- .../implementations/ciphers/cipher_rc4.c | 2 +- .../implementations/ciphers/cipher_rc5.c | 2 +- .../implementations/rands/seeding/rand_unix.c | 6 ++--- ssl/d1_lib.c | 2 +- ssl/ssl_ciph.c | 2 +- ssl/ssl_conf.c | 4 ++-- ssl/ssl_init.c | 2 +- ssl/ssl_lib.c | 6 ++--- ssl/statem/statem_clnt.c | 2 +- test/afalgtest.c | 2 +- test/drbgtest.c | 4 ++-- test/ectest.c | 2 +- test/evp_test.c | 8 +++---- test/ocspapitest.c | 2 +- test/sslapitest.c | 2 +- 38 files changed, 71 insertions(+), 71 deletions(-) diff --git a/apps/dgst.c b/apps/dgst.c index c983da80f9884..fe05b312d7b2d 100644 --- a/apps/dgst.c +++ b/apps/dgst.c 
@@ -513,7 +513,7 @@ static void show_digests(const OBJ_NAME *name, void *arg) * in the '*sum' checksum programs. This aims to preserve backward * compatibility. */ -static const char *newline_escape_filename(const char *file, int * backslash) +static const char *newline_escape_filename(const char *file, int *backslash) { size_t i, e = 0, length = strlen(file), newline_count = 0, mem_len = 0; char *file_cpy = NULL; diff --git a/apps/include/opt.h b/apps/include/opt.h index 82b383c2691ca..5a2faa150b409 100644 --- a/apps/include/opt.h +++ b/apps/include/opt.h @@ -387,11 +387,11 @@ typedef struct string_int_pair_st { #define OPT_PARAMETERS() { OPT_PARAM_STR, 1, '-', "Parameters:\n" } const char *opt_path_end(const char *filename); -char *opt_init(int ac, char **av, const OPTIONS * o); +char *opt_init(int ac, char **av, const OPTIONS *o); char *opt_progname(const char *argv0); char *opt_appname(const char *argv0); char *opt_getprog(void); -void opt_help(const OPTIONS * list); +void opt_help(const OPTIONS *list); void opt_begin(void); int opt_next(void); @@ -419,7 +419,7 @@ int opt_format(const char *s, unsigned long flags, int *result); void print_format_error(int format, unsigned long flags); int opt_printf_stderr(const char *fmt, ...); int opt_string(const char *name, const char **options); -int opt_pair(const char *arg, const OPT_PAIR * pairs, int *result); +int opt_pair(const char *arg, const OPT_PAIR *pairs, int *result); int opt_verify(int i, X509_VERIFY_PARAM *vpm); int opt_rand(int i); diff --git a/apps/lib/apps.c b/apps/lib/apps.c index 79617c0db7aba..8aad9a1ef7cf9 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c 
@@ -75,9 +75,9 @@ typedef struct { } NAME_EX_TBL; static int set_table_opts(unsigned long *flags, const char *arg, - const NAME_EX_TBL * in_tbl); + const NAME_EX_TBL *in_tbl); static int set_multi_opts(unsigned long *flags, const char *arg, - const NAME_EX_TBL * in_tbl); + const NAME_EX_TBL *in_tbl); int app_init(long mesgwin); int chopup_args(ARGS *arg, char *buf) @@ -1270,7 +1270,7 @@ int copy_extensions(X509 *x, X509_REQ *req, int copy_type) } static int set_multi_opts(unsigned long *flags, const char *arg, - const NAME_EX_TBL * in_tbl) + const NAME_EX_TBL *in_tbl) { STACK_OF(CONF_VALUE) *vals; CONF_VALUE *val; @@ -1289,7 +1289,7 @@ static int set_multi_opts(unsigned long *flags, const char *arg, } static int set_table_opts(unsigned long *flags, const char *arg, - const NAME_EX_TBL * in_tbl) + const NAME_EX_TBL *in_tbl) { char c; const NAME_EX_TBL *ptbl; diff --git a/apps/openssl.c b/apps/openssl.c index 0122117ce262e..dd41ac3a84e44 100644 --- a/apps/openssl.c +++ b/apps/openssl.c @@ -446,12 +446,12 @@ static int do_cmd(LHASH_OF(FUNCTION) *prog, int argc, char *argv[]) return 1; } -static int function_cmp(const FUNCTION * a, const FUNCTION * b) +static int function_cmp(const FUNCTION *a, const FUNCTION *b) { return strncmp(a->name, b->name, 8); } -static unsigned long function_hash(const FUNCTION * a) +static unsigned long function_hash(const FUNCTION *a) { return OPENSSL_LH_strhash(a->name); } diff --git a/apps/speed.c b/apps/speed.c index 367e2e08c7b85..88d389523b378 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -566,7 +566,7 @@ typedef struct loopargs_st { unsigned char *sig_sig[MAX_KEM_NUM]; } loopargs_t; static int run_benchmark(int async_jobs, int (*loop_function) (void *), - loopargs_t * loopargs); + loopargs_t *loopargs); static unsigned int testnum; 
@@ -1363,7 +1363,7 @@ static int SIG_verify_loop(void *args) } static int run_benchmark(int async_jobs, - int (*loop_function) (void *), loopargs_t * loopargs) + int (*loop_function) (void *), loopargs_t *loopargs) { int job_op_count = 0; int total_op_count = 0; diff --git a/crypto/conf/conf_def.c b/crypto/conf/conf_def.c index 0a6de477e32d9..e047746f67642 100644 --- a/crypto/conf/conf_def.c +++ b/crypto/conf/conf_def.c @@ -892,7 +892,7 @@ static BIO *get_next_file(const char *path, OPENSSL_DIR_CTX **dirctx) static int is_keytype(const CONF *conf, char c, unsigned short type) { - const unsigned short * keytypes = (const unsigned short *) conf->meth_data; + const unsigned short *keytypes = (const unsigned short *) conf->meth_data; unsigned char key = (unsigned char)c; #ifdef CHARSET_EBCDIC diff --git a/crypto/cpuid.c b/crypto/cpuid.c index a7c4f97fb4b3f..e5db03f3f6af2 100644 --- a/crypto/cpuid.c +++ b/crypto/cpuid.c @@ -181,7 +181,7 @@ void OPENSSL_cpuid_setup(void) * There are also assembler versions of this function. */ # undef CRYPTO_memcmp -int CRYPTO_memcmp(const void * in_a, const void * in_b, size_t len) +int CRYPTO_memcmp(const void *in_a, const void *in_b, size_t len) { size_t i; const volatile unsigned char *a = in_a; diff --git a/crypto/ec/curve448/curve448.c b/crypto/ec/curve448/curve448.c index f9cc0b9732713..2422d068a0364 100644 --- a/crypto/ec/curve448/curve448.c +++ b/crypto/ec/curve448/curve448.c @@ -221,7 +221,7 @@ ossl_curve448_point_valid(const curve448_point_t p) } static ossl_inline void constant_time_lookup_niels(niels_s * RESTRICT ni, - const niels_t * table, + const niels_t *table, int nelts, int idx) { constant_time_lookup(ni, table, sizeof(niels_s), nelts, idx); 
@@ -229,7 +229,7 @@ static ossl_inline void constant_time_lookup_niels(niels_s * RESTRICT ni, void ossl_curve448_precomputed_scalarmul(curve448_point_t out, - const curve448_precomputed_s * table, + const curve448_precomputed_s *table, const curve448_scalar_t scalar) { unsigned int i, j, k; @@ -612,7 +612,7 @@ static int recode_wnaf(struct smvt_control *control, return n - 1; } -static void prepare_wnaf_table(pniels_t * output, +static void prepare_wnaf_table(pniels_t *output, const curve448_point_t working, unsigned int tbits) { diff --git a/crypto/ec/curve448/point_448.h b/crypto/ec/curve448/point_448.h index e67ea68044eba..597ded4211409 100644 --- a/crypto/ec/curve448/point_448.h +++ b/crypto/ec/curve448/point_448.h @@ -271,7 +271,7 @@ ossl_x448_derive_public_key(uint8_t out[X448_PUBLIC_BYTES], */ void ossl_curve448_precomputed_scalarmul(curve448_point_t scaled, - const curve448_precomputed_s * base, + const curve448_precomputed_s *base, const curve448_scalar_t scalar); /* diff --git a/crypto/evp/e_chacha20_poly1305.c b/crypto/evp/e_chacha20_poly1305.c index fad7682328b62..68b216f10cb45 100644 --- a/crypto/evp/e_chacha20_poly1305.c +++ b/crypto/evp/e_chacha20_poly1305.c @@ -55,7 +55,7 @@ static int chacha_init_key(EVP_CIPHER_CTX *ctx, return 1; } -static int chacha_cipher(EVP_CIPHER_CTX * ctx, unsigned char *out, +static int chacha_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *inp, size_t len) { EVP_CHACHA_KEY *key = data(ctx); diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c index f9256c8565d66..9d8ad35ad39ff 100644 --- a/crypto/pem/pem_lib.c +++ b/crypto/pem/pem_lib.c @@ -929,7 +929,7 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header, BIO *headerB = NULL, *dataB = NULL; char *name = NULL; int len, taillen, headerlen, ret = 0; - BUF_MEM * buf_mem; + BUF_MEM *buf_mem; *len_out = 0; *name_out = *header = NULL; diff --git a/crypto/trace.c b/crypto/trace.c index 76f1fc98aa1b0..51387641de948 100644 --- a/crypto/trace.c 
+++ b/crypto/trace.c @@ -502,7 +502,7 @@ BIO *OSSL_trace_begin(int category) return channel; } -void OSSL_trace_end(int category, BIO * channel) +void OSSL_trace_end(int category, BIO *channel) { #ifndef OPENSSL_NO_TRACE char *suffix = NULL; diff --git a/crypto/x509/v3_admis.c b/crypto/x509/v3_admis.c index 3316e93bf2294..c3182a71db87f 100644 --- a/crypto/x509/v3_admis.c +++ b/crypto/x509/v3_admis.c @@ -71,7 +71,7 @@ const X509V3_EXT_METHOD ossl_v3_ext_admission = { static int i2r_NAMING_AUTHORITY(const struct v3_ext_method *method, void *in, BIO *bp, int ind) { - NAMING_AUTHORITY * namingAuthority = (NAMING_AUTHORITY*) in; + NAMING_AUTHORITY *namingAuthority = (NAMING_AUTHORITY*) in; if (namingAuthority == NULL) return 0; @@ -118,7 +118,7 @@ static int i2r_NAMING_AUTHORITY(const struct v3_ext_method *method, void *in, static int i2r_ADMISSION_SYNTAX(const struct v3_ext_method *method, void *in, BIO *bp, int ind) { - ADMISSION_SYNTAX * admission = (ADMISSION_SYNTAX *)in; + ADMISSION_SYNTAX *admission = (ADMISSION_SYNTAX *)in; int i, j, k; if (admission->admissionAuthority != NULL) { diff --git a/demos/digest/BIO_f_md.c b/demos/digest/BIO_f_md.c index 14697c3a8a9a6..119bdecf3cde1 100644 --- a/demos/digest/BIO_f_md.c +++ b/demos/digest/BIO_f_md.c @@ -34,7 +34,7 @@ * The default digest is SHA3-512 */ -int main(int argc, char * argv[]) +int main(int argc, char *argv[]) { int ret = EXIT_FAILURE; OSSL_LIB_CTX *library_context = NULL; diff --git a/demos/digest/EVP_MD_demo.c b/demos/digest/EVP_MD_demo.c index e525eaa7b090a..8cf3bd8e7b866 100644 --- a/demos/digest/EVP_MD_demo.c +++ b/demos/digest/EVP_MD_demo.c @@ -24,7 +24,7 @@ * more than once. */ -const char * hamlet_1 = +const char *hamlet_1 = "To be, or not to be, that is the question,\n" "Whether tis nobler in the minde to suffer\n" "The ſlings and arrowes of outragious fortune,\n" 
@@ -43,7 +43,7 @@ const char * hamlet_1 = "The oppressor's wrong, the proud man's Contumely,\n" "The pangs of dispised love, the Law's delay,\n" ; -const char * hamlet_2 = +const char *hamlet_2 = "The insolence of Office, and the spurns\n" "That patient merit of the'unworthy takes,\n" "When he himself might his Quietas make\n" diff --git a/demos/digest/EVP_MD_stdin.c b/demos/digest/EVP_MD_stdin.c index 534c723d57554..11bffb6bcca88 100644 --- a/demos/digest/EVP_MD_stdin.c +++ b/demos/digest/EVP_MD_stdin.c @@ -35,7 +35,7 @@ int demonstrate_digest(BIO *input) { OSSL_LIB_CTX *library_context = NULL; int ret = 0; - const char * option_properties = NULL; + const char *option_properties = NULL; EVP_MD *message_digest = NULL; EVP_MD_CTX *digest_context = NULL; unsigned int digest_length; diff --git a/engines/e_dasync.c b/engines/e_dasync.c index 92be34d427ae4..63b13d3d45035 100644 --- a/engines/e_dasync.c +++ b/engines/e_dasync.c @@ -519,7 +519,7 @@ static void dummy_pause_job(void) { ASYNC_JOB *job; ASYNC_WAIT_CTX *waitctx; ASYNC_callback_fn callback; - void * callback_arg; + void *callback_arg; OSSL_ASYNC_FD pipefds[2] = {0, 0}; OSSL_ASYNC_FD *writefd; #if defined(ASYNC_WIN) diff --git a/include/crypto/aes_platform.h b/include/crypto/aes_platform.h index 5d90ddaf1fe2c..cbc035926e036 100644 --- a/include/crypto/aes_platform.h +++ b/include/crypto/aes_platform.h 
@@ -121,29 +121,29 @@ void gcm_ghash_p8(u64 Xi[2],const u128 Htable[16],const u8 *inp, size_t len); (gctx)->gcm.funcs.ghash==gcm_ghash_v8) /* The [unroll8_eor3_]aes_gcm_(enc|dec)_(128|192|256)_kernel() functions * take input length in BITS and return number of BYTES processed */ -size_t aes_gcm_enc_128_kernel(const uint8_t * plaintext, uint64_t plaintext_length, uint8_t * ciphertext, +size_t aes_gcm_enc_128_kernel(const uint8_t *plaintext, uint64_t plaintext_length, uint8_t *ciphertext, uint64_t *Xi, unsigned char ivec[16], const void *key); -size_t aes_gcm_enc_192_kernel(const uint8_t * plaintext, uint64_t plaintext_length, uint8_t * ciphertext, +size_t aes_gcm_enc_192_kernel(const uint8_t *plaintext, uint64_t plaintext_length, uint8_t *ciphertext, uint64_t *Xi, unsigned char ivec[16], const void *key); -size_t aes_gcm_enc_256_kernel(const uint8_t * plaintext, uint64_t plaintext_length, uint8_t * ciphertext, +size_t aes_gcm_enc_256_kernel(const uint8_t *plaintext, uint64_t plaintext_length, uint8_t *ciphertext, uint64_t *Xi, unsigned char ivec[16], const void *key); -size_t aes_gcm_dec_128_kernel(const uint8_t * ciphertext, uint64_t plaintext_length, uint8_t * plaintext, +size_t aes_gcm_dec_128_kernel(const uint8_t *ciphertext, uint64_t plaintext_length, uint8_t *plaintext, uint64_t *Xi, unsigned char ivec[16], const void *key); -size_t aes_gcm_dec_192_kernel(const uint8_t * ciphertext, uint64_t plaintext_length, uint8_t * plaintext, +size_t aes_gcm_dec_192_kernel(const uint8_t *ciphertext, uint64_t plaintext_length, uint8_t *plaintext, uint64_t *Xi, unsigned char ivec[16], const void *key); -size_t aes_gcm_dec_256_kernel(const uint8_t * ciphertext, uint64_t plaintext_length, uint8_t * plaintext, +size_t aes_gcm_dec_256_kernel(const uint8_t *ciphertext, uint64_t plaintext_length, uint8_t *plaintext, uint64_t *Xi, unsigned char ivec[16], const void *key); -size_t unroll8_eor3_aes_gcm_enc_128_kernel(const uint8_t * plaintext, uint64_t plaintext_length, uint8_t * 
ciphertext, +size_t unroll8_eor3_aes_gcm_enc_128_kernel(const uint8_t *plaintext, uint64_t plaintext_length, uint8_t *ciphertext, uint64_t *Xi, unsigned char ivec[16], const void *key); -size_t unroll8_eor3_aes_gcm_enc_192_kernel(const uint8_t * plaintext, uint64_t plaintext_length, uint8_t * ciphertext, +size_t unroll8_eor3_aes_gcm_enc_192_kernel(const uint8_t *plaintext, uint64_t plaintext_length, uint8_t *ciphertext, uint64_t *Xi, unsigned char ivec[16], const void *key); -size_t unroll8_eor3_aes_gcm_enc_256_kernel(const uint8_t * plaintext, uint64_t plaintext_length, uint8_t * ciphertext, +size_t unroll8_eor3_aes_gcm_enc_256_kernel(const uint8_t *plaintext, uint64_t plaintext_length, uint8_t *ciphertext, uint64_t *Xi, unsigned char ivec[16], const void *key); -size_t unroll8_eor3_aes_gcm_dec_128_kernel(const uint8_t * ciphertext, uint64_t plaintext_length, uint8_t * plaintext, +size_t unroll8_eor3_aes_gcm_dec_128_kernel(const uint8_t *ciphertext, uint64_t plaintext_length, uint8_t *plaintext, uint64_t *Xi, unsigned char ivec[16], const void *key); -size_t unroll8_eor3_aes_gcm_dec_192_kernel(const uint8_t * ciphertext, uint64_t plaintext_length, uint8_t * plaintext, +size_t unroll8_eor3_aes_gcm_dec_192_kernel(const uint8_t *ciphertext, uint64_t plaintext_length, uint8_t *plaintext, uint64_t *Xi, unsigned char ivec[16], const void *key); -size_t unroll8_eor3_aes_gcm_dec_256_kernel(const uint8_t * ciphertext, uint64_t plaintext_length, uint8_t * plaintext, +size_t unroll8_eor3_aes_gcm_dec_256_kernel(const uint8_t *ciphertext, uint64_t plaintext_length, uint8_t *plaintext, uint64_t *Xi, unsigned char ivec[16], const void *key); size_t armv8_aes_gcm_encrypt(const unsigned char *in, unsigned char *out, size_t len, const void *key, unsigned char ivec[16], u64 *Xi); diff --git a/include/crypto/asn1.h b/include/crypto/asn1.h index 7636510c12d85..180238526b92d 100644 --- a/include/crypto/asn1.h +++ b/include/crypto/asn1.h 
@@ -142,9 +142,9 @@ X509_ALGOR *ossl_x509_algor_mgf1_decode(X509_ALGOR *alg); int ossl_x509_algor_md_to_mgf1(X509_ALGOR **palg, const EVP_MD *mgf1md); int ossl_asn1_time_print_ex(BIO *bp, const ASN1_TIME *tm, unsigned long flags); -EVP_PKEY * ossl_d2i_PrivateKey_legacy(int keytype, EVP_PKEY **a, - const unsigned char **pp, long length, - OSSL_LIB_CTX *libctx, const char *propq); +EVP_PKEY *ossl_d2i_PrivateKey_legacy(int keytype, EVP_PKEY **a, + const unsigned char **pp, long length, + OSSL_LIB_CTX *libctx, const char *propq); X509_ALGOR *ossl_X509_ALGOR_from_nid(int nid, int ptype, void *pval); time_t ossl_asn1_string_to_time_t(const char *asn1_string); diff --git a/include/openssl/store.h b/include/openssl/store.h index 3c1445e0e6ac5..dafb16fd90d3e 100644 --- a/include/openssl/store.h +++ b/include/openssl/store.h @@ -345,7 +345,7 @@ int OSSL_STORE_LOADER_set_close(OSSL_STORE_LOADER *loader, OSSL_DEPRECATEDIN_3_0 const ENGINE *OSSL_STORE_LOADER_get0_engine(const OSSL_STORE_LOADER *loader); OSSL_DEPRECATEDIN_3_0 -const char * OSSL_STORE_LOADER_get0_scheme(const OSSL_STORE_LOADER *loader); +const char *OSSL_STORE_LOADER_get0_scheme(const OSSL_STORE_LOADER *loader); OSSL_DEPRECATEDIN_3_0 int OSSL_STORE_register_loader(OSSL_STORE_LOADER *loader); OSSL_DEPRECATEDIN_3_0 diff --git a/providers/implementations/ciphers/cipher_aes_gcm_siv.c b/providers/implementations/ciphers/cipher_aes_gcm_siv.c index 3f3606cc79b03..64f7f95039b66 100644 --- a/providers/implementations/ciphers/cipher_aes_gcm_siv.c +++ b/providers/implementations/ciphers/cipher_aes_gcm_siv.c @@ -296,7 +296,7 @@ static int ossl_##alg##_##kbits##_##lc##_get_params(OSSL_PARAM params[]) return ossl_cipher_generic_get_params(params, EVP_CIPH_##UCMODE##_MODE, \ flags, kbits, blkbits, ivbits); \ } \ -static void * ossl_##alg##kbits##_##lc##_newctx(void *provctx) \ +static void *ossl_##alg##kbits##_##lc##_newctx(void *provctx) \ { \ return ossl_##alg##_##lc##_newctx(provctx, kbits); \ } \ 
diff --git a/providers/implementations/ciphers/cipher_aes_siv.c b/providers/implementations/ciphers/cipher_aes_siv.c index e780cfa44c734..bcbc17a48a93d 100644 --- a/providers/implementations/ciphers/cipher_aes_siv.c +++ b/providers/implementations/ciphers/cipher_aes_siv.c @@ -271,7 +271,7 @@ static int alg##_##kbits##_##lc##_get_params(OSSL_PARAM params[]) \ return ossl_cipher_generic_get_params(params, EVP_CIPH_##UCMODE##_MODE, \ flags, 2*kbits, blkbits, ivbits); \ } \ -static void * alg##kbits##lc##_newctx(void *provctx) \ +static void *alg##kbits##lc##_newctx(void *provctx) \ { \ return alg##_##lc##_newctx(provctx, 2*kbits, EVP_CIPH_##UCMODE##_MODE, \ flags); \ diff --git a/providers/implementations/ciphers/cipher_rc2.c b/providers/implementations/ciphers/cipher_rc2.c index 5c2301e86610b..a4cd6bd533b39 100644 --- a/providers/implementations/ciphers/cipher_rc2.c +++ b/providers/implementations/ciphers/cipher_rc2.c @@ -226,7 +226,7 @@ static int alg##_##kbits##_##lcmode##_get_params(OSSL_PARAM params[]) \ flags, kbits, blkbits, ivbits); \ } \ static OSSL_FUNC_cipher_newctx_fn alg##_##kbits##_##lcmode##_newctx; \ -static void * alg##_##kbits##_##lcmode##_newctx(void *provctx) \ +static void *alg##_##kbits##_##lcmode##_newctx(void *provctx) \ { \ PROV_##UCALG##_CTX *ctx; \ if (!ossl_prov_is_running()) \ diff --git a/providers/implementations/ciphers/cipher_rc4.c b/providers/implementations/ciphers/cipher_rc4.c index 9107500a14dad..733524d36f5a2 100644 --- a/providers/implementations/ciphers/cipher_rc4.c +++ b/providers/implementations/ciphers/cipher_rc4.c @@ -76,7 +76,7 @@ static int alg##_##kbits##_get_params(OSSL_PARAM params[]) \ kbits, blkbits, ivbits); \ } \ static OSSL_FUNC_cipher_newctx_fn alg##_##kbits##_newctx; \ -static void * alg##_##kbits##_newctx(void *provctx) \ +static void *alg##_##kbits##_newctx(void *provctx) \ { \ PROV_##UCALG##_CTX *ctx; \ if (!ossl_prov_is_running()) \ 
diff --git a/providers/implementations/ciphers/cipher_rc5.c b/providers/implementations/ciphers/cipher_rc5.c index 5b68b25938f08..090b0488e5ff9 100644 --- a/providers/implementations/ciphers/cipher_rc5.c +++ b/providers/implementations/ciphers/cipher_rc5.c @@ -136,7 +136,7 @@ static int alg##_##kbits##_##lcmode##_get_params(OSSL_PARAM params[]) \ flags, kbits, blkbits, ivbits); \ } \ static OSSL_FUNC_cipher_newctx_fn alg##_##kbits##_##lcmode##_newctx; \ -static void * alg##_##kbits##_##lcmode##_newctx(void *provctx) \ +static void *alg##_##kbits##_##lcmode##_newctx(void *provctx) \ { \ PROV_##UCALG##_CTX *ctx; \ if (!ossl_prov_is_running()) \ diff --git a/providers/implementations/rands/seeding/rand_unix.c b/providers/implementations/rands/seeding/rand_unix.c index ab77814a7466b..9a936d800d418 100644 --- a/providers/implementations/rands/seeding/rand_unix.c +++ b/providers/implementations/rands/seeding/rand_unix.c @@ -510,7 +510,7 @@ static int wait_random_seeded(void) * So the handle might have been closed or even reused for opening * another file. */ -static int check_random_device(struct random_device * rd) +static int check_random_device(struct random_device *rd) { struct stat st; @@ -528,7 +528,7 @@ static int check_random_device(struct random_device * rd) static int get_random_device(size_t n) { struct stat st; - struct random_device * rd = &random_devices[n]; + struct random_device *rd = &random_devices[n]; /* reuse existing file descriptor if it is (still) valid */ if (check_random_device(rd)) @@ -557,7 +557,7 @@ static int get_random_device(size_t n) */ static void close_random_device(size_t n) { - struct random_device * rd = &random_devices[n]; + struct random_device *rd = &random_devices[n]; if (check_random_device(rd)) close(rd->fd); diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index a217480b08058..8bbabd8f413ef 100644 --- a/ssl/d1_lib.c +++ b/ssl/d1_lib.c 
@@ -256,7 +256,7 @@ long dtls1_ctrl(SSL *ssl, int cmd, long larg, void *parg) return ret; } -static void dtls1_bio_set_next_timeout(BIO * bio, const DTLS1_STATE *d1) +static void dtls1_bio_set_next_timeout(BIO *bio, const DTLS1_STATE *d1) { struct timeval tv = ossl_time_to_timeval(d1->next_timeout); diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 66bff8b2391b6..35949f2dcc3c8 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -114,7 +114,7 @@ static const ssl_cipher_table ssl_cipher_table_auth[] = { /* *INDENT-ON* */ /* Utility function for table lookup */ -static int ssl_cipher_info_find(const ssl_cipher_table * table, +static int ssl_cipher_info_find(const ssl_cipher_table *table, size_t table_cnt, uint32_t mask) { size_t i; diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c index 442e852c1b13f..3142370016846 100644 --- a/ssl/ssl_conf.c +++ b/ssl/ssl_conf.c @@ -855,7 +855,7 @@ static int ssl_conf_cmd_skip_prefix(SSL_CONF_CTX *cctx, const char **pcmd) } /* Determine if a command is allowed according to cctx flags */ -static int ssl_conf_cmd_allowed(SSL_CONF_CTX *cctx, const ssl_conf_cmd_tbl * t) +static int ssl_conf_cmd_allowed(SSL_CONF_CTX *cctx, const ssl_conf_cmd_tbl *t) { unsigned int tfl = t->flags; unsigned int cfl = cctx->flags; @@ -893,7 +893,7 @@ static const ssl_conf_cmd_tbl *ssl_conf_cmd_lookup(SSL_CONF_CTX *cctx, return NULL; } -static int ctrl_switch_option(SSL_CONF_CTX *cctx, const ssl_conf_cmd_tbl * cmd) +static int ctrl_switch_option(SSL_CONF_CTX *cctx, const ssl_conf_cmd_tbl *cmd) { /* Find index of command in table */ size_t idx = cmd - ssl_conf_cmds; diff --git a/ssl/ssl_init.c b/ssl/ssl_init.c index cef57356c592e..a2d7595089559 100644 --- a/ssl/ssl_init.c +++ b/ssl/ssl_init.c 
@@ -88,7 +88,7 @@ static void ssl_library_stop(void) * called prior to any threads making calls to any OpenSSL functions, * i.e. passing a non-null settings value is assumed to be single-threaded. */ -int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS * settings) +int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) { static int stoperrset = 0; diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 5bfd8cc4cef0f..b7fa9d78f70a9 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -6197,13 +6197,13 @@ const STACK_OF(SCT) *SSL_get0_peer_scts(SSL *s) return NULL; } -static int ct_permissive(const CT_POLICY_EVAL_CTX * ctx, +static int ct_permissive(const CT_POLICY_EVAL_CTX *ctx, const STACK_OF(SCT) *scts, void *unused_arg) { return 1; } -static int ct_strict(const CT_POLICY_EVAL_CTX * ctx, +static int ct_strict(const CT_POLICY_EVAL_CTX *ctx, const STACK_OF(SCT) *scts, void *unused_arg) { int count = scts != NULL ? sk_SCT_num(scts) : 0; @@ -6424,7 +6424,7 @@ int SSL_CTX_set_ctlog_list_file(SSL_CTX *ctx, const char *path) return CTLOG_STORE_load_file(ctx->ctlog_store, path); } -void SSL_CTX_set0_ctlog_store(SSL_CTX *ctx, CTLOG_STORE * logs) +void SSL_CTX_set0_ctlog_store(SSL_CTX *ctx, CTLOG_STORE *logs) { CTLOG_STORE_free(ctx->ctlog_store); ctx->ctlog_store = logs; diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index f2dec2fc0fd44..92c00ce4ae5aa 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -3373,7 +3373,7 @@ int ossl_gost18_cke_cipher_nid(const SSL_CONNECTION *s) int ossl_gost_ukm(const SSL_CONNECTION *s, unsigned char *dgst_buf) { - EVP_MD_CTX * hash = NULL; + EVP_MD_CTX *hash = NULL; unsigned int md_len; SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); const EVP_MD *md = ssl_evp_md_fetch(sctx->libctx, NID_id_GostR3411_2012_256, diff --git a/test/afalgtest.c b/test/afalgtest.c index 02947c1ed3655..429e2da3c9e46 100644 --- a/test/afalgtest.c +++ b/test/afalgtest.c 
@@ -112,7 +112,7 @@ static int test_afalg_aes_cbc(int keysize_idx) static int test_pr16743(void) { int ret = 0; - const EVP_CIPHER * cipher; + const EVP_CIPHER *cipher; EVP_CIPHER_CTX *ctx; if (!TEST_true(ENGINE_init(e))) diff --git a/test/drbgtest.c b/test/drbgtest.c index 29583b568f0e5..bb2a9f1b99a68 100644 --- a/test/drbgtest.c +++ b/test/drbgtest.c @@ -299,7 +299,7 @@ typedef struct drbg_fork_result_st { * This simplifies finding duplicate random output and makes * the printout in case of an error more readable. */ -static int compare_drbg_fork_result(const void * left, const void * right) +static int compare_drbg_fork_result(const void *left, const void *right) { int result; const drbg_fork_result *l = left; @@ -322,7 +322,7 @@ static int compare_drbg_fork_result(const void * left, const void * right) * * Used for finding collisions in two-byte chunks */ -static int compare_rand_chunk(const void * left, const void * right) +static int compare_rand_chunk(const void *left, const void *right) { return memcmp(left, right, 2); } diff --git a/test/ectest.c b/test/ectest.c index 87d81741b8e7e..70df89ee2f877 100644 --- a/test/ectest.c +++ b/test/ectest.c @@ -2457,7 +2457,7 @@ static int ec_point_hex2point_test(int id) EC_GROUP *group = NULL; const EC_POINT *G = NULL; EC_POINT *P = NULL; - BN_CTX * bnctx = NULL; + BN_CTX *bnctx = NULL; /* Do some setup */ nid = curves[id].nid; diff --git a/test/evp_test.c b/test/evp_test.c index 5a6cdd876d69c..ea1ca65bcde1e 100644 --- a/test/evp_test.c +++ b/test/evp_test.c 
@@ -52,13 +52,13 @@ struct evp_test_method_st { /* Name of test as it appears in file */ const char *name; /* Initialise test for "alg" */ - int (*init) (EVP_TEST * t, const char *alg); + int (*init) (EVP_TEST *t, const char *alg); /* Clean up method */ - void (*cleanup) (EVP_TEST * t); + void (*cleanup) (EVP_TEST *t); /* Test specific name value pair processing */ - int (*parse) (EVP_TEST * t, const char *name, const char *value); + int (*parse) (EVP_TEST *t, const char *name, const char *value); /* Run the test itself */ - int (*run_test) (EVP_TEST * t); + int (*run_test) (EVP_TEST *t); }; /* Linked list of named keys. */ diff --git a/test/ocspapitest.c b/test/ocspapitest.c index bc0c965d853b9..a448731380ecc 100644 --- a/test/ocspapitest.c +++ b/test/ocspapitest.c @@ -193,7 +193,7 @@ static int test_ocsp_url_svcloc_new(void) }; X509 *issuer = NULL; - X509_EXTENSION * ext = NULL; + X509_EXTENSION *ext = NULL; int ret = 0; if (!TEST_true(get_cert(&issuer))) diff --git a/test/sslapitest.c b/test/sslapitest.c index ed8eb2514b9bd..756675c1dce6a 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -9549,7 +9549,7 @@ static int test_pluggable_group(int idx) */ static int create_cert_key(int idx, char *certfilename, char *privkeyfilename) { - EVP_PKEY_CTX * evpctx = EVP_PKEY_CTX_new_from_name(libctx, + EVP_PKEY_CTX *evpctx = EVP_PKEY_CTX_new_from_name(libctx, (idx == 0) ? "xorhmacsig" : "xorhmacsha2sig", NULL); EVP_PKEY *pkey = NULL; X509 *x509 = X509_new(); From e22ebb893e2f44bd08f69f9ce4ccfc5e4d2990e2 Mon Sep 17 00:00:00 2001 
From: Dimitri Papadopoulos <3234522+DimitriPapadopoulos@users.noreply.github.com> Date: Sun, 6 Aug 2023 19:44:37 +0200 Subject: [PATCH 164/324] Bad function definition void f() should probably be void f(void) Found by running the checkpatch.pl Linux script to enforce coding style. Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21468) --- apps/s_server.c | 2 +- crypto/sha/keccak1600.c | 2 +- demos/sslecho/main.c | 2 +- include/internal/e_os.h | 6 +++--- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/apps/s_server.c b/apps/s_server.c index 1dc04d0060d4b..93f6cb2983f7d 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -266,7 +266,7 @@ typedef struct { char buff[1]; } EBCDIC_OUTBUFF; -static const BIO_METHOD *BIO_f_ebcdic_filter() +static const BIO_METHOD *BIO_f_ebcdic_filter(void) { if (methods_ebcdic == NULL) { methods_ebcdic = BIO_meth_new(BIO_TYPE_EBCDIC_FILTER, diff --git a/crypto/sha/keccak1600.c b/crypto/sha/keccak1600.c index 17909a769b2e0..062111b6380ca 100644 --- a/crypto/sha/keccak1600.c +++ b/crypto/sha/keccak1600.c @@ -1153,7 +1153,7 @@ void SHA3_sponge(const unsigned char *inp, size_t len, # include -int main() +int main(void) { /* * This is 5-bit SHAKE128 test from http://csrc.nist.gov/groups/ST/toolkit/examples.html#aHashing diff --git a/demos/sslecho/main.c b/demos/sslecho/main.c index bdc824f2c785e..8cf774450171c 100644 --- a/demos/sslecho/main.c +++ b/demos/sslecho/main.c @@ -118,7 +118,7 @@ void configure_client_context(SSL_CTX *ctx) } } -void usage() +void usage(void) { printf("Usage: sslecho s\n"); printf(" --or--\n"); diff --git a/include/internal/e_os.h b/include/internal/e_os.h index 6d15bc55ee6e0..d0e903f653ed6 100644 --- a/include/internal/e_os.h +++ b/include/internal/e_os.h 
@@ -152,7 +152,7 @@ static __inline unsigned int _strlen31(const char *str) # undef stdin # undef stdout # undef stderr -FILE *__iob_func(); +FILE *__iob_func(void); # define stdin (&__iob_func()[0]) # define stdout (&__iob_func()[1]) # define stderr (&__iob_func()[2]) @@ -304,12 +304,12 @@ struct servent *getservbyname(const char *name, const char *proto); # define gethostbyname(name) gethostbyname((char*)name) # define ioctlsocket(a,b,c) ioctl(a,b,c) # ifdef NO_GETPID -inline int nssgetpid(); +inline int nssgetpid(void); # ifndef NSSGETPID_MACRO # define NSSGETPID_MACRO # include # include - inline int nssgetpid() + inline int nssgetpid(void) { short phandle[10]={0}; union pseudo_pid { From 8ac32e1e1b1a786366333acf897d332339610e6b Mon Sep 17 00:00:00 2001 From: Dmitry Misharov Date: Thu, 7 Sep 2023 13:52:46 +0200 Subject: [PATCH 165/324] remove unused Appveyour config Reviewed-by: Hugo Landau Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22000) --- appveyor.yml | 82 ---------------------------------------------------- 1 file changed, 82 deletions(-) delete mode 100644 appveyor.yml diff --git a/appveyor.yml b/appveyor.yml deleted file mode 100644 index 9bb6f04e0a44c..0000000000000 --- a/appveyor.yml +++ /dev/null 
@@ -1,82 +0,0 @@ -image: - - Visual Studio 2017 - -platform: - - x64 - - x86 - -environment: - fast_finish: true - matrix: - - VSVER: 15 - -configuration: - - shared - - minimal - -for: - - - branches: - only: - - master - configuration: - - shared - - plain - - minimal - -before_build: - - ps: >- - Install-Module VSSetup -Scope CurrentUser - - ps: >- - Get-VSSetupInstance -All - - ps: >- - If ($env:Platform -Match "x86") { - $env:VCVARS_PLATFORM="x86" - $env:TARGET="VC-WIN32 no-asm --strict-warnings" - } Else { - $env:VCVARS_PLATFORM="amd64" - $env:TARGET="VC-WIN64A-masm" - } - - ps: >- - If ($env:Configuration -Match "shared") { - $env:CONFIG_OPTS="enable-fips" - } ElseIf ($env:Configuration -Match "minimal") { - $env:CONFIG_OPTS="no-bulk no-asm -DOPENSSL_SMALL_FOOTPRINT" - } Else { - $env:CONFIG_OPTS="no-fips no-shared" - } - - call "C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Auxiliary\Build\vcvarsall.bat" %VCVARS_PLATFORM% - - mkdir _build - - cd _build - - perl ..\Configure %TARGET% no-makedepend %CONFIG_OPTS% - - perl configdata.pm --dump - - cd .. - - ps: >- - If ($env:BUILDONLY -or $env:MAKEVERBOSE) { - $env:NMAKE="nmake" - } Else { - $env:NMAKE="nmake /S" - } - - ps: >- - gci env:* | sort-object name - -build_script: - - cd _build - - "%NMAKE% build_all_generated" - - "%NMAKE% PERL=no-perl" - - cd .. - -test_script: - - cd _build - - ps: >- - if ($env:Configuration -Match "plain") { - cmd /c "%NMAKE% test VERBOSE_FAILURE=yes 2>&1" - } Else { - cmd /c "%NMAKE% test VERBOSE_FAILURE=yes TESTS=-test_fuzz 2>&1" - } - - ps: >- - if ($env:Configuration -Match "shared") { - mkdir ..\_install - cmd /c "%NMAKE% install DESTDIR=..\_install 2>&1" - } - - cd .. From 285eb1688f05ad477fefc681bf05d0afedc46d40 Mon Sep 17 00:00:00 2001 
From: Bernd Edlinger Date: Thu, 7 Sep 2023 19:22:25 +0200 Subject: [PATCH 166/324] Fix a possible memleak in rsa_pub_encode That seems to be only an issue for RSA-PSS with parameters. Spotted by code review, so it looks like there is no test coverage for this. Reviewed-by: Dmitry Belyavskiy Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22032) --- crypto/rsa/rsa_ameth.c | 5 ++++- test/recipes/15-test_rsapss.t | 10 +++++++++- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c index a84adb608eff5..148d0bbbd153b 100644 --- a/crypto/rsa/rsa_ameth.c +++ b/crypto/rsa/rsa_ameth.c @@ -60,13 +60,16 @@ static int rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) if (!rsa_param_encode(pkey, &str, &strtype)) return 0; penclen = i2d_RSAPublicKey(pkey->pkey.rsa, &penc); - if (penclen <= 0) + if (penclen <= 0) { + ASN1_STRING_free(str); return 0; + } if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(pkey->ameth->pkey_id), strtype, str, penc, penclen)) return 1; OPENSSL_free(penc); + ASN1_STRING_free(str); return 0; } diff --git a/test/recipes/15-test_rsapss.t b/test/recipes/15-test_rsapss.t index 56e3b3c60c04e..35be4784fce89 100644 --- a/test/recipes/15-test_rsapss.t +++ b/test/recipes/15-test_rsapss.t @@ -16,7 +16,7 @@ use OpenSSL::Test::Utils; setup("test_rsapss"); -plan tests => 16; +plan tests => 18; #using test/testrsa.pem which happens to be a 512 bit RSA ok(run(app(['openssl', 'dgst', '-sign', srctop_file('test', 'testrsa.pem'), '-sha1', 
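Review bot: The two failure returns in rsa_pub_encode now clean up by hand with different sets of frees (`str` only after `i2d_RSAPublicKey()` fails, `penc` and `str` after `X509_PUBKEY_set0_param()` fails), and nothing in the function states the ownership rule that makes this correct. A comment above the `X509_PUBKEY_set0_param()` call would make it explicit, for example `/* on success pk takes ownership of str and penc; on failure both are still ours to free */`, which is what the `return 1` path without frees implies. The start of the function is outside the hunk, so the initial values of `str` and `penc` cannot be confirmed from here.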
@@ -124,3 +124,11 @@ ok(run(app(['openssl', 'dgst', '-prverify', srctop_file('test', 'testrsa.pem'), ok(!run(app([ 'openssl', 'rsa', '-in' => data_file('negativesaltlen.pem')], '-out' => 'badout'))); + +ok(run(app(['openssl', 'genpkey', '-algorithm', 'RSA-PSS', '-pkeyopt', 'rsa_keygen_bits:1024', + '-pkeyopt', 'rsa_pss_keygen_md:SHA256', '-pkeyopt', 'rsa_pss_keygen_saltlen:10', + '-out', 'testrsapss.pem'])), + "openssl genpkey RSA-PSS with pss parameters"); +ok(run(app(['openssl', 'pkey', '-in', 'testrsapss.pem', '-pubout', '-text'])), + "openssl pkey, execute rsa_pub_encode with pss parameters"); +unlink 'testrsapss.pem'; From 02f84b02e889fce0033174238cbd0b653ee9af2c Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 8 Sep 2023 15:21:23 +0200 Subject: [PATCH 167/324] Sync changes between 3.2 and 3.1 branches Reviewed-by: Matt Caswell Reviewed-by: Hugo Landau Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22033) --- CHANGES.md | 4 ++++ NEWS.md | 6 +++++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/CHANGES.md b/CHANGES.md index 974e549486017..c187fe9e05e85 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -455,6 +455,10 @@ OpenSSL 3.2 OpenSSL 3.1 ----------- +### Changes between 3.1.2 and 3.1.3 [xx XXX xxxx] + + * none yet + ### Changes between 3.1.1 and 3.1.2 [1 Aug 2023] * Fix excessive time spent checking DH q parameter value. diff --git a/NEWS.md b/NEWS.md index 8a1ca6b97305c..d8de7c8b2bd07 100644 --- a/NEWS.md +++ b/NEWS.md @@ -52,7 +52,11 @@ OpenSSL 3.2 OpenSSL 3.1 ----------- -### Major changes between OpenSSL 3.1.1 and OpenSSL 3.1.2 [under development] +### Major changes between OpenSSL 3.1.2 and OpenSSL 3.1.3 [under development] + + * none + +### Major changes between OpenSSL 3.1.1 and OpenSSL 3.1.2 [1 Aug 2023] * Fix excessive time spent checking DH q parameter value ([CVE-2023-3817]) * Fix DH_check() excessive time with over sized modulus ([CVE-2023-3446]) 
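Review bot: The two added `ok(run(app(...)))` checks only drive rsa_pub_encode through its successful path, while the frees this commit adds sit on the `return 0` paths, so the leak being fixed still appears to have no direct coverage. Even on the success path, a leak would only show up in a leak-checking build, since the assertions test the exit status alone. A comment above the new tests would keep that expectation visible, for example `# success path only; leaks on the error paths of rsa_pub_encode are not exercised here`.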
From 0be7510f49e498532708fd03628fc3fc62ee7875 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 8 Sep 2023 15:28:45 +0200 Subject: [PATCH 168/324] Add CVE-2023-4807 fix to CHANGES.md and NEWS.md Reviewed-by: Matt Caswell Reviewed-by: Hugo Landau Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22033) --- CHANGES.md | 23 ++++++++++++++++++++++- NEWS.md | 4 +++- 2 files changed, 25 insertions(+), 2 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index c187fe9e05e85..f0b6898511ce1 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -457,7 +457,27 @@ OpenSSL 3.1 ### Changes between 3.1.2 and 3.1.3 [xx XXX xxxx] - * none yet + * Fix POLY1305 MAC implementation corrupting XMM registers on Windows. + + The POLY1305 MAC (message authentication code) implementation in OpenSSL + does not save the contents of non-volatile XMM registers on Windows 64 + platform when calculating the MAC of data larger than 64 bytes. Before + returning to the caller all the XMM registers are set to zero rather than + restoring their previous content. The vulnerable code is used only on newer + x86_64 processors supporting the AVX512-IFMA instructions. + + The consequences of this kind of internal application state corruption can + be various - from no consequences, if the calling application does not + depend on the contents of non-volatile XMM registers at all, to the worst + consequences, where the attacker could get complete control of the + application process. However given the contents of the registers are just + zeroized so the attacker cannot put arbitrary values inside, the most likely + consequence, if any, would be an incorrect result of some application + dependent calculations or a crash leading to a denial of service. + + ([CVE-2023-4807]) + + *Bernd Edlinger* ### Changes between 3.1.1 and 3.1.2 [1 Aug 2023] 
@@ -20253,6 +20273,7 @@ ndif +[CVE-2023-4807]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-4807 [CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817 [CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446 [CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975 diff --git a/NEWS.md b/NEWS.md index d8de7c8b2bd07..6c440b68eb817 100644 --- a/NEWS.md +++ b/NEWS.md @@ -54,7 +54,8 @@ OpenSSL 3.1 ### Major changes between OpenSSL 3.1.2 and OpenSSL 3.1.3 [under development] - * none + * Fix POLY1305 MAC implementation corrupting XMM registers on Windows + ([CVE-2023-4807]) ### Major changes between OpenSSL 3.1.1 and OpenSSL 3.1.2 [1 Aug 2023] @@ -1501,6 +1502,7 @@ OpenSSL 0.9.x +[CVE-2023-4807]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-4807 [CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817 [CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446 [CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975 From 4ee8c1fb51687ea811fc2abf87e173c70d018bc2 Mon Sep 17 00:00:00 2001 From: Vladimir Kotal Date: Tue, 5 Sep 2023 11:13:47 +0200 Subject: [PATCH 169/324] augment man pages with information about PKCS12KDF in FIPS mode Reviewed-by: Paul Dale Reviewed-by: Dmitry Belyavskiy Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21965) --- doc/man3/PKCS12_create.pod | 7 ++++++- doc/man3/PKCS12_gen_mac.pod | 2 ++ doc/man7/EVP_KDF-PKCS12KDF.pod | 6 +++++- doc/man7/ossl-guide-migration.pod | 9 +++++++++ 4 files changed, 22 insertions(+), 2 deletions(-) diff --git a/doc/man3/PKCS12_create.pod b/doc/man3/PKCS12_create.pod index 224ae6418063a..993e50777e1d9 100644 --- a/doc/man3/PKCS12_create.pod +++ b/doc/man3/PKCS12_create.pod 
@@ -57,7 +57,8 @@ can all be set to zero and sensible defaults will be used. These defaults are: AES password based encryption (PBES2 with PBKDF2 and AES-256-CBC) for private keys and certificates, the PBKDF2 and MAC key derivation iteration count of B (currently 2048), and -MAC algorithm HMAC with SHA2-256. +MAC algorithm HMAC with SHA2-256. The MAC key derivation algorithm used +for the outer PKCS#12 structure is PKCS12KDF. The default MAC iteration count is 1 in order to retain compatibility with old software which did not interpret MAC iteration counts. If such compatibility @@ -83,6 +84,8 @@ I or I can be set to -1 indicating that no encryption should be used. I can be set to -1 and the MAC will then be omitted entirely. +This can be useful when running with the FIPS provider as the PKCS12KDF +is not a FIPS approvable algorithm. PKCS12_create() makes assumptions regarding the encoding of the given pass phrase. @@ -101,7 +104,9 @@ IETF RFC 7292 (L) =head1 SEE ALSO +L, L, +L, L =head1 HISTORY diff --git a/doc/man3/PKCS12_gen_mac.pod b/doc/man3/PKCS12_gen_mac.pod index c4610ecaa47fe..07f8855ecf7f6 100644 --- a/doc/man3/PKCS12_gen_mac.pod +++ b/doc/man3/PKCS12_gen_mac.pod @@ -22,6 +22,7 @@ PKCS12_verify_mac - Functions to create and manipulate a PKCS#12 structure PKCS12_gen_mac() generates an HMAC over the entire PKCS#12 object using the supplied password along with a set of already configured parameters. +The default key generation mechanism used is PKCS12KDF. PKCS12_verify_mac() verifies the PKCS#12 object's HMAC using the supplied password. @@ -57,6 +58,7 @@ IETF RFC 7292 (L) =head1 SEE ALSO L, +L, L, L diff --git a/doc/man7/EVP_KDF-PKCS12KDF.pod b/doc/man7/EVP_KDF-PKCS12KDF.pod index 7edde1dc9bf7f..05d4e902bd30f 100644 --- a/doc/man7/EVP_KDF-PKCS12KDF.pod +++ b/doc/man7/EVP_KDF-PKCS12KDF.pod 
@@ -46,6 +46,9 @@ RFC 7292 section B.3. =head1 NOTES +This algorithm is not available in the FIPS provider as it is not FIPS +approvable. + A typical application of this algorithm is to derive keying material for an encryption algorithm from a password in the "pass", a salt in "salt", and an iteration count. @@ -68,7 +71,8 @@ L, L, L, L, -L +L, +L =head1 HISTORY diff --git a/doc/man7/ossl-guide-migration.pod b/doc/man7/ossl-guide-migration.pod index 064ad21789511..fc3acef6d9413 100644 --- a/doc/man7/ossl-guide-migration.pod +++ b/doc/man7/ossl-guide-migration.pod @@ -327,6 +327,15 @@ context and property query and will call an extended version of the key/IV derivation function which supports these parameters. This includes L, L and L. +=head4 PKCS#12 KDF versus FIPS + +Unlike in 1.x.y, the PKCS12KDF algorithm used when a PKCS#12 structure +is created with a MAC that does not work with the FIPS provider as the PKCS12KDF +is not a FIPS approvable mechanism. + +See L, L, L, +L. + =head4 Windows thread synchronization changes Windows thread synchronization uses read/write primitives (SRWLock) when From 1e4fc0b2e57d08a90a6d8e30981fce2007d21109 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 7 Sep 2023 17:36:13 +0100 Subject: [PATCH 170/324] Add a test for using a PSK with QUIC Check that we can set and use a PSK when establishing a QUIC connection. Fixes openssl/project#83 Reviewed-by: Hugo Landau Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22011) --- include/internal/quic_tserver.h | 4 ++ ssl/quic/quic_tserver.c | 12 ++++- test/helpers/ssltestlib.c | 38 ++++++++++++++ test/helpers/ssltestlib.h | 8 +++ test/quicapitest.c | 87 +++++++++++++++++++++++++++++++++ test/sslapitest.c | 47 ------------------ 6 files changed, 147 insertions(+), 49 deletions(-) diff --git a/include/internal/quic_tserver.h b/include/internal/quic_tserver.h index 9213f60666aa6..4f358dd4e87c5 100644 --- a/include/internal/quic_tserver.h 
+++ b/include/internal/quic_tserver.h @@ -211,6 +211,10 @@ int ossl_quic_tserver_new_ticket(QUIC_TSERVER *srv); int ossl_quic_tserver_set_max_early_data(QUIC_TSERVER *srv, uint32_t max_early_data); +/* Set the find session callback for getting a server PSK */ +void ossl_quic_tserver_set_psk_find_session_cb(QUIC_TSERVER *srv, + SSL_psk_find_session_cb_func cb); + # endif #endif diff --git a/ssl/quic/quic_tserver.c b/ssl/quic/quic_tserver.c index 788d4780d8e38..92c17d10f3c64 100644 --- a/ssl/quic/quic_tserver.c +++ b/ssl/quic/quic_tserver.c @@ -99,10 +99,12 @@ QUIC_TSERVER *ossl_quic_tserver_new(const QUIC_TSERVER_ARGS *args, if (srv->ctx == NULL) goto err; - if (SSL_CTX_use_certificate_file(srv->ctx, certfile, SSL_FILETYPE_PEM) <= 0) + if (certfile != NULL + && SSL_CTX_use_certificate_file(srv->ctx, certfile, SSL_FILETYPE_PEM) <= 0) goto err; - if (SSL_CTX_use_PrivateKey_file(srv->ctx, keyfile, SSL_FILETYPE_PEM) <= 0) + if (keyfile != NULL + && SSL_CTX_use_PrivateKey_file(srv->ctx, keyfile, SSL_FILETYPE_PEM) <= 0) goto err; SSL_CTX_set_alpn_select_cb(srv->ctx, alpn_select_cb, srv); @@ -556,3 +558,9 @@ int ossl_quic_tserver_set_max_early_data(QUIC_TSERVER *srv, { return SSL_set_max_early_data(srv->tls, max_early_data); } + +void ossl_quic_tserver_set_psk_find_session_cb(QUIC_TSERVER *srv, + SSL_psk_find_session_cb_func cb) +{ + SSL_set_psk_find_session_callback(srv->tls, cb); +} diff --git a/test/helpers/ssltestlib.c b/test/helpers/ssltestlib.c index 94a170b9a52f4..0b1e56f064ca6 100644 --- a/test/helpers/ssltestlib.c +++ b/test/helpers/ssltestlib.c 
@@ -1247,3 +1247,41 @@ void shutdown_ssl_connection(SSL *serverssl, SSL *clientssl) SSL_free(serverssl); SSL_free(clientssl); } + +SSL_SESSION *create_a_psk(SSL *ssl, size_t mdsize) +{ + const SSL_CIPHER *cipher = NULL; + const unsigned char key[SHA384_DIGEST_LENGTH] = { + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, + 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, + 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, + 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, + 0x2c, 0x2d, 0x2e, 0x2f + }; + SSL_SESSION *sess = NULL; + + if (mdsize == SHA384_DIGEST_LENGTH) { + cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES); + } else if (mdsize == SHA256_DIGEST_LENGTH) { + /* + * Any ciphersuite using SHA256 will do - it will be compatible with + * the actual ciphersuite selected as long as it too is based on SHA256 + */ + cipher = SSL_CIPHER_find(ssl, TLS13_AES_128_GCM_SHA256_BYTES); + } else { + /* Should not happen */ + return NULL; + } + sess = SSL_SESSION_new(); + if (!TEST_ptr(sess) + || !TEST_ptr(cipher) + || !TEST_true(SSL_SESSION_set1_master_key(sess, key, mdsize)) + || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)) + || !TEST_true( + SSL_SESSION_set_protocol_version(sess, + TLS1_3_VERSION))) { + SSL_SESSION_free(sess); + return NULL; + } + return sess; +} diff --git a/test/helpers/ssltestlib.h b/test/helpers/ssltestlib.h index c8dcb8a82d28d..c513769ddd956 100644 --- a/test/helpers/ssltestlib.h +++ b/test/helpers/ssltestlib.h 
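Review bot: create_a_psk() becomes a shared, non-static helper in this hunk but has no comment describing its contract. A block comment above the definition should say that `mdsize` must be `SHA256_DIGEST_LENGTH` or `SHA384_DIGEST_LENGTH`, that any other value or any setup failure returns NULL, and that the caller owns the returned `SSL_SESSION` and must release it with `SSL_SESSION_free()`. It should also state that the master key is a fixed, publicly visible byte sequence, so the session is suitable for tests only. The comment would run longer than three lines, so it is described here rather than quoted.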
@@ -12,6 +12,12 @@ # include +#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01") +#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02") +#define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03") +#define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04") +#define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05") + int create_ssl_ctx_pair(OSSL_LIB_CTX *libctx, const SSL_METHOD *sm, const SSL_METHOD *cm, int min_proto_version, int max_proto_version, SSL_CTX **sctx, SSL_CTX **cctx, @@ -60,4 +66,6 @@ typedef struct mempacket_st MEMPACKET; DEFINE_STACK_OF(MEMPACKET) +SSL_SESSION *create_a_psk(SSL *ssl, size_t mdsize); + #endif /* OSSL_TEST_SSLTESTLIB_H */ diff --git a/test/quicapitest.c b/test/quicapitest.c index 87c134eb88bf3..a24946a649ef4 100644 --- a/test/quicapitest.c +++ b/test/quicapitest.c 
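Review bot: `TLS13_AES_128_CCM_8_SHA256_BYTES` is written as `"\x13\05"`, mixing a hex escape with an octal one while the four macros above it use hex throughout. The bytes are the same, but it reads like a typo; `((const unsigned char *)"\x13\x05")` would match the others. The new `#define` lines also sit inside the include guard without the `# define` indentation that the neighbouring `# include` line uses.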
@@ -1061,6 +1061,92 @@ static int test_non_io_retry(int idx) return testresult; } +static int use_session_cb_cnt = 0; +static int find_session_cb_cnt = 0; +static const char *pskid = "Identity"; +static SSL_SESSION *serverpsk = NULL, *clientpsk = NULL; + +static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id, + size_t *idlen, SSL_SESSION **sess) +{ + use_session_cb_cnt++; + + if (clientpsk == NULL) + return 0; + + SSL_SESSION_up_ref(clientpsk); + + *sess = clientpsk; + *id = (const unsigned char *)pskid; + *idlen = strlen(pskid); + + return 1; +} + +static int find_session_cb(SSL *ssl, const unsigned char *identity, + size_t identity_len, SSL_SESSION **sess) +{ + find_session_cb_cnt++; + + if (serverpsk == NULL) + return 0; + + /* Identity should match that set by the client */ + if (strlen(pskid) != identity_len + || strncmp(pskid, (const char *)identity, identity_len) != 0) + return 0; + + SSL_SESSION_up_ref(serverpsk); + *sess = serverpsk; + + return 1; +} + +static int test_quic_psk(void) +{ + SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, OSSL_QUIC_client_method()); + SSL *clientquic = NULL; + QUIC_TSERVER *qtserv = NULL; + int testresult = 0; + + if (!TEST_ptr(cctx) + /* No cert or private key for the server, i.e. PSK only */ + || !TEST_true(qtest_create_quic_objects(libctx, cctx, NULL, NULL, + NULL, 0, &qtserv, + &clientquic, NULL))) + goto end; + + SSL_set_psk_use_session_callback(clientquic, use_session_cb); + ossl_quic_tserver_set_psk_find_session_cb(qtserv, find_session_cb); + use_session_cb_cnt = 0; + find_session_cb_cnt = 0; + + clientpsk = serverpsk = create_a_psk(clientquic, SHA384_DIGEST_LENGTH); + if (!TEST_ptr(clientpsk)) + goto end; + /* We already had one ref. 
Add another one */ + SSL_SESSION_up_ref(clientpsk); + + if (!TEST_true(qtest_create_quic_connection(qtserv, clientquic)) + || !TEST_int_eq(1, find_session_cb_cnt) + || !TEST_int_eq(1, use_session_cb_cnt) + /* Check that we actually used the PSK */ + || !TEST_true(SSL_session_reused(clientquic))) + goto end; + + testresult = 1; + + end: + SSL_free(clientquic); + ossl_quic_tserver_free(qtserv); + SSL_CTX_free(cctx); + SSL_SESSION_free(clientpsk); + SSL_SESSION_free(serverpsk); + clientpsk = serverpsk = NULL; + + return testresult; +} + OPT_TEST_DECLARE_USAGE("provider config certsdir datadir\n") int setup_tests(void) @@ -1131,6 +1217,7 @@ int setup_tests(void) ADD_TEST(test_back_pressure); ADD_TEST(test_multiple_dgrams); ADD_ALL_TESTS(test_non_io_retry, 2); + ADD_TEST(test_quic_psk); return 1; err: cleanup_tests(); diff --git a/test/sslapitest.c b/test/sslapitest.c index 756675c1dce6a..ec29157007c74 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -77,8 +77,6 @@ static int find_session_cb(SSL *ssl, const unsigned char *identity, static int use_session_cb_cnt = 0; static int find_session_cb_cnt = 0; - -static SSL_SESSION *create_a_psk(SSL *ssl, size_t mdsize); #endif static char *certsdir = NULL; 
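Review bot: `use_session_cb()` and `find_session_cb()` ignore the return value of `SSL_SESSION_up_ref()` and still hand the session out as if a reference had been taken; the extra reference taken in `test_quic_psk()` is unchecked as well. If the call failed, the session would be freed more times than it was referenced. The callbacks can guard it with `if (!SSL_SESSION_up_ref(clientpsk)) return 0;` (and the equivalent for `serverpsk`), and the test can fold `|| !TEST_true(SSL_SESSION_up_ref(clientpsk))` into its existing condition.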
@@ -3385,51 +3383,6 @@ static unsigned int psk_server_cb(SSL *ssl, const char *identity, #define MSG6 "test" #define MSG7 "message." -#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01") -#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02") -#define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03") -#define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04") -#define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05") - - -static SSL_SESSION *create_a_psk(SSL *ssl, size_t mdsize) -{ - const SSL_CIPHER *cipher = NULL; - const unsigned char key[] = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, - 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, - 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, - 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, - 0x2c, 0x2d, 0x2e, 0x2f /* SHA384_DIGEST_LENGTH bytes */ - }; - SSL_SESSION *sess = NULL; - - if (mdsize == SHA384_DIGEST_LENGTH) { - cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES); - } else if (mdsize == SHA256_DIGEST_LENGTH) { - /* - * Any ciphersuite using SHA256 will do - it will be compatible with - * the actual ciphersuite selected as long as it too is based on SHA256 - */ - cipher = SSL_CIPHER_find(ssl, TLS13_AES_128_GCM_SHA256_BYTES); - } else { - /* Should not happen */ - return NULL; - } - sess = SSL_SESSION_new(); - if (!TEST_ptr(sess) - || !TEST_ptr(cipher) - || !TEST_true(SSL_SESSION_set1_master_key(sess, key, mdsize)) - || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)) - || !TEST_true( - SSL_SESSION_set_protocol_version(sess, - TLS1_3_VERSION))) { - SSL_SESSION_free(sess); - return NULL; - } - return sess; -} - static int artificial_ticket_time = 0; static int ed_gen_cb(SSL *s, void *arg) From 547ea58821644bdc9089b2dcb163286d789f732a Mon Sep 17 00:00:00 2001 
From: Matt Caswell Date: Thu, 7 Sep 2023 17:45:49 +0100 Subject: [PATCH 171/324] Fix the SSL_CIPHER_find() function when used with a QCSO Reviewed-by: Hugo Landau Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22011) --- include/internal/quic_ssl.h | 1 + ssl/quic/quic_impl.c | 10 ++++++++++ ssl/quic/quic_local.h | 2 +- ssl/s3_lib.c | 6 +++--- ssl/ssl_local.h | 3 +++ 5 files changed, 18 insertions(+), 4 deletions(-) diff --git a/include/internal/quic_ssl.h b/include/internal/quic_ssl.h index 260cef87b9763..66cea1bfe12ce 100644 --- a/include/internal/quic_ssl.h +++ b/include/internal/quic_ssl.h @@ -36,6 +36,7 @@ __owur long ossl_quic_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void) __owur size_t ossl_quic_pending(const SSL *s); __owur int ossl_quic_key_update(SSL *s, int update_type); __owur int ossl_quic_get_key_update_type(const SSL *s); +__owur const SSL_CIPHER *ossl_quic_get_cipher_by_char(const unsigned char *p); __owur int ossl_quic_num_ciphers(void); __owur const SSL_CIPHER *ossl_quic_get_cipher(unsigned int u); int ossl_quic_renegotiate_check(SSL *ssl, int initok); diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c index ca4ef0ebbbbda..b632ad22db2f8 100644 --- a/ssl/quic/quic_impl.c +++ b/ssl/quic/quic_impl.c @@ -3535,6 +3535,16 @@ int ossl_quic_renegotiate_check(SSL *ssl, int initok) return 0; } +const SSL_CIPHER *ossl_quic_get_cipher_by_char(const unsigned char *p) +{ + const SSL_CIPHER *ciph = ssl3_get_cipher_by_char(p); + + if ((ciph->algorithm2 & SSL_QUIC) == 0) + return NULL; + + return ciph; +} + /* * These functions define the TLSv1.2 (and below) ciphers that are supported by * the SSL_METHOD. Since QUIC only supports TLSv1.3 we don't support any. diff --git a/ssl/quic/quic_local.h b/ssl/quic/quic_local.h index 517904d90f775..063df7796a241 100644 --- a/ssl/quic/quic_local.h +++ b/ssl/quic/quic_local.h 
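Review bot: `ossl_quic_get_cipher_by_char()` reads `ciph->algorithm2` without checking `ciph`, so it dereferences NULL if `ssl3_get_cipher_by_char()` returns NULL for bytes that match no ciphersuite. The body of `ssl3_get_cipher_by_char()` is not shown here, but a table lookup can normally miss. The function is installed as the QUIC method's `get_cipher_by_char`, and per the commit title it backs `SSL_CIPHER_find()`, so the two bytes come from the caller. The guard should be `if (ciph == NULL || (ciph->algorithm2 & SSL_QUIC) == 0) return NULL;`.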
@@ -321,7 +321,7 @@ const SSL_METHOD *func_name(void) \ NULL /* dispatch_alert */, \ ossl_quic_ctrl, \ ossl_quic_ctx_ctrl, \ - NULL /* get_cipher_by_char */, \ + ossl_quic_get_cipher_by_char, \ NULL /* put_cipher_by_char */, \ ossl_quic_pending, \ ossl_quic_num_ciphers, \ diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 29af55bc61e8f..1f778c3423473 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -47,7 +47,7 @@ static SSL_CIPHER tls13_ciphers[] = { TLS1_3_VERSION, TLS1_3_VERSION, 0, 0, SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256, + SSL_HANDSHAKE_MAC_SHA256 | SSL_QUIC, 128, 128, }, { @@ -62,7 +62,7 @@ static SSL_CIPHER tls13_ciphers[] = { TLS1_3_VERSION, TLS1_3_VERSION, 0, 0, SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA384, + SSL_HANDSHAKE_MAC_SHA384 | SSL_QUIC, 256, 256, }, @@ -78,7 +78,7 @@ static SSL_CIPHER tls13_ciphers[] = { TLS1_3_VERSION, TLS1_3_VERSION, 0, 0, SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256, + SSL_HANDSHAKE_MAC_SHA256 | SSL_QUIC, 256, 256, }, diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index 29715781ee90e..d1ef358932e00 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -236,6 +236,9 @@ */ # define TLS1_TLSTREE 0x20000 +/* Ciphersuite supported in QUIC */ +# define SSL_QUIC 0x00040000U + # define SSL_STRONG_MASK 0x0000001FU # define SSL_DEFAULT_MASK 0X00000020U From 9912dfb98c9c2b10c83c5ca4b5136232568ad664 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Fri, 8 Sep 2023 11:22:36 +0100 Subject: [PATCH 172/324] Add a test for SSL_CIPHER_find() when used with a QUIC SSL object Reviewed-by: Hugo Landau Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22011) --- test/quicapitest.c | 44 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/test/quicapitest.c b/test/quicapitest.c index a24946a649ef4..8c78e14de9c32 100644 --- a/test/quicapitest.c +++ b/test/quicapitest.c 
@@ -321,6 +321,49 @@ static int test_ciphersuites(void) return testresult; } +static int test_cipher_find(void) +{ + SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, OSSL_QUIC_client_method()); + SSL *clientquic = NULL; + struct { + const unsigned char *cipherbytes; + int ok; + } testciphers[] = { + { TLS13_AES_128_GCM_SHA256_BYTES, 1 }, + { TLS13_AES_256_GCM_SHA384_BYTES, 1 }, + { TLS13_CHACHA20_POLY1305_SHA256_BYTES, 1 }, + { TLS13_AES_128_CCM_SHA256_BYTES, 0 }, + { TLS13_AES_128_CCM_8_SHA256_BYTES, 0 } + }; + size_t i; + int testresult = 0; + + if (!TEST_ptr(cctx)) + goto err; + + clientquic = SSL_new(cctx); + if (!TEST_ptr(clientquic)) + goto err; + + for (i = 0; i < OSSL_NELEM(testciphers); i++) + if (testciphers[i].ok) { + if (!TEST_ptr(SSL_CIPHER_find(clientquic, + testciphers[i].cipherbytes))) + goto err; + } else { + if (!TEST_ptr_null(SSL_CIPHER_find(clientquic, + testciphers[i].cipherbytes))) + goto err; + } + + testresult = 1; + err: + SSL_free(clientquic); + SSL_CTX_free(cctx); + + return testresult; +} + /* * Test that SSL_version, SSL_get_version, SSL_is_quic, SSL_is_tls and * SSL_is_dtls return the expected results for a QUIC connection. Compare with @@ -1205,6 +1248,7 @@ int setup_tests(void) ADD_ALL_TESTS(test_quic_write_read, 3); ADD_TEST(test_fin_only_blocking); ADD_TEST(test_ciphersuites); + ADD_TEST(test_cipher_find); ADD_TEST(test_version); #if defined(DO_SSL_TRACE_TEST) ADD_TEST(test_ssl_trace); From 39d857bb610d25b3de4e414264246ec41753c446 Mon Sep 17 00:00:00 2001 From: Neil Horman Date: Tue, 29 Aug 2023 15:42:48 -0400 Subject: [PATCH 173/324] make inability to dup/clone ciphers an error There should be no reason that a cipher can't be duplicated Fixes #21887 Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21933) --- test/evp_test.c | 28 ++++++++++++++++++++++------ 1 file changed, 22 insertions(+), 6 deletions(-) 
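Review bot: The `testciphers[]` table in `test_cipher_find()` lists only ids that are defined TLSv1.3 ciphersuites, so the case where `SSL_CIPHER_find()` is given bytes that match no ciphersuite at all is never run against a QUIC object. Add one entry with an id that is absent from the cipher tables and `ok` set to 0, for example `{ (const unsigned char *)"\xff\xff", 0 }` (value constructed for illustration). That covers the lookup-miss path in addition to the "known but not permitted in QUIC" path the CCM entries already exercise.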
diff --git a/test/evp_test.c b/test/evp_test.c index ea1ca65bcde1e..7447435f06045 100644 --- a/test/evp_test.c +++ b/test/evp_test.c @@ -735,6 +735,9 @@ static int cipher_test_enc(EVP_TEST *t, int enc, size_t out_misalign, int ok = 0, tmplen, chunklen, tmpflen, i; EVP_CIPHER_CTX *ctx_base = NULL; EVP_CIPHER_CTX *ctx = NULL, *duped; + int fips_dupctx_supported = (fips_provider_version_ge(libctx, 3, 0, 11) + && fips_provider_version_lt(libctx, 3, 1, 0)) + || fips_provider_version_ge(libctx, 3, 1, 3); t->err = "TEST_FAILURE"; if (!TEST_ptr(ctx_base = EVP_CIPHER_CTX_new())) @@ -865,18 +868,30 @@ static int cipher_test_enc(EVP_TEST *t, int enc, size_t out_misalign, /* Test that the cipher dup functions correctly if it is supported */ ERR_set_mark(); - if (EVP_CIPHER_CTX_copy(ctx, ctx_base)) { - EVP_CIPHER_CTX_free(ctx_base); - ctx_base = NULL; - } else { - EVP_CIPHER_CTX_free(ctx); - ctx = ctx_base; + if (!EVP_CIPHER_CTX_copy(ctx, ctx_base)) { + if (fips_dupctx_supported) { + TEST_info("Doing a copy of Cipher %s Fails!\n", + EVP_CIPHER_get0_name(expected->cipher)); + ERR_print_errors_fp(stderr); + goto err; + } else { + TEST_info("Allowing copy fail as an old fips provider is in use."); + } } /* Likewise for dup */ duped = EVP_CIPHER_CTX_dup(ctx); if (duped != NULL) { EVP_CIPHER_CTX_free(ctx); ctx = duped; + } else { + if (fips_dupctx_supported) { + TEST_info("Doing a dup of Cipher %s Fails!\n", + EVP_CIPHER_get0_name(expected->cipher)); + ERR_print_errors_fp(stderr); + goto err; + } else { + TEST_info("Allowing dup fail as an old fips provider is in use."); + } } ERR_pop_to_mark(); @@ -1089,6 +1104,7 @@ static int cipher_test_run(EVP_TEST *t) int rv, frag, fragmax, in_place; size_t out_misalign, inp_misalign; + TEST_info("RUNNING TEST FOR CIPHER %s\n", EVP_CIPHER_get0_name(cdat->cipher)); if (!cdat->key) { t->err = "NO_KEY"; return 0; From 0239fb3db77e9de2031c5054854cba8e417c1b72 Mon Sep 17 00:00:00 2001 
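Review bot: In the second `cipher_test_enc()` hunk, the branch that tolerates a failed `EVP_CIPHER_CTX_copy(ctx, ctx_base)` for an old FIPS provider only logs and continues, whereas the removed code fell back with `EVP_CIPHER_CTX_free(ctx); ctx = ctx_base;`. As written, `ctx` stays in whatever state the failed copy left it, and the following `EVP_CIPHER_CTX_dup(ctx)` and cipher operations run on it rather than on the initialised `ctx_base`. The rest of the function is outside the hunk, so this should be confirmed there. Restoring the fallback in that `else` branch would keep the old-provider path working, provided the cleanup after `err` does not then free the same context twice. The two new `goto err` exits also leave the mark from `ERR_set_mark()` set, which may be acceptable since the errors are printed first.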
From: Neil Horman Date: Fri, 1 Sep 2023 09:10:35 -0400 Subject: [PATCH 174/324] Add dupctx support to aead ciphers Add dupctx method support to to ciphers implemented with IMPLEMENT_aead_cipher This includes: aes--gcm aria--ccm aria--gcm sm4--gcm Fixes #21887 Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21933) --- .../implementations/ciphers/cipher_aes_ccm.c | 20 +++++++++++++++++++ .../implementations/ciphers/cipher_aes_gcm.c | 9 +++++++++ .../implementations/ciphers/cipher_aria_ccm.c | 9 +++++++++ .../implementations/ciphers/cipher_aria_gcm.c | 9 +++++++++ .../implementations/ciphers/cipher_sm4_ccm.c | 9 +++++++++ .../implementations/ciphers/cipher_sm4_gcm.c | 9 +++++++++ .../include/prov/ciphercommon_aead.h | 5 +++++ 7 files changed, 70 insertions(+) diff --git a/providers/implementations/ciphers/cipher_aes_ccm.c b/providers/implementations/ciphers/cipher_aes_ccm.c index bb4b1e1e64907..3930f52d60650 100644 --- a/providers/implementations/ciphers/cipher_aes_ccm.c +++ b/providers/implementations/ciphers/cipher_aes_ccm.c @@ -33,6 +33,26 @@ static void *aes_ccm_newctx(void *provctx, size_t keybits) return ctx; } +static void *aes_ccm_dupctx(void *provctx) +{ + PROV_AES_CCM_CTX *ctx = provctx; + PROV_AES_CCM_CTX *dupctx = NULL; + + if (ctx == NULL) + return NULL; + dupctx = OPENSSL_memdup(provctx, sizeof(*ctx)); + if (dupctx == NULL) + return NULL; + /* + * ossl_cm_initctx, via the ossl_prov_aes_hw_ccm functions assign a + * provctx->ccm.ks.ks to the ccm context key so we need to point it to + * the memduped copy + */ + dupctx->base.ccm_ctx.key = &dupctx->ccm.ks.ks; + + return dupctx; +} + static OSSL_FUNC_cipher_freectx_fn aes_ccm_freectx; static void aes_ccm_freectx(void *vctx) { diff --git a/providers/implementations/ciphers/cipher_aes_gcm.c b/providers/implementations/ciphers/cipher_aes_gcm.c index 0081ca6cd776f..0a15693cc1a4c 100644 --- a/providers/implementations/ciphers/cipher_aes_gcm.c 
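Review bot: `aes_ccm_dupctx()` is added without a `static OSSL_FUNC_cipher_dupctx_fn aes_ccm_dupctx;` prototype, although `aes_ccm_freectx` directly below it has the matching `_fn` declaration. The dispatch table stores these functions through a `(void (*)(void))` cast, so that prototype is the only compile-time check of the signature. The later chacha20_poly1305 and rc4_hmac_md5 commits do add it, and the other dupctx functions introduced in this commit would benefit from the same line. The comment inside the function also names `ossl_cm_initctx`, which looks like a typo for the CCM init helper.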
+++ b/providers/implementations/ciphers/cipher_aes_gcm.c @@ -34,6 +34,15 @@ static void *aes_gcm_newctx(void *provctx, size_t keybits) return ctx; } +static void *aes_gcm_dupctx(void *provctx) +{ + PROV_AES_GCM_CTX *ctx = provctx; + + if (ctx == NULL) + return NULL; + return OPENSSL_memdup(ctx, sizeof(*ctx)); +} + static OSSL_FUNC_cipher_freectx_fn aes_gcm_freectx; static void aes_gcm_freectx(void *vctx) { diff --git a/providers/implementations/ciphers/cipher_aria_ccm.c b/providers/implementations/ciphers/cipher_aria_ccm.c index d6b5517ee0965..39a96a6f1404d 100644 --- a/providers/implementations/ciphers/cipher_aria_ccm.c +++ b/providers/implementations/ciphers/cipher_aria_ccm.c @@ -28,6 +28,15 @@ static void *aria_ccm_newctx(void *provctx, size_t keybits) return ctx; } +static void *aria_ccm_dupctx(void *provctx) +{ + PROV_ARIA_CCM_CTX *ctx = provctx; + + if (ctx == NULL) + return NULL; + return OPENSSL_memdup(ctx, sizeof(*ctx)); +} + static void aria_ccm_freectx(void *vctx) { PROV_ARIA_CCM_CTX *ctx = (PROV_ARIA_CCM_CTX *)vctx; diff --git a/providers/implementations/ciphers/cipher_aria_gcm.c b/providers/implementations/ciphers/cipher_aria_gcm.c index b412bd3202f82..6ffa0910fa21d 100644 --- a/providers/implementations/ciphers/cipher_aria_gcm.c +++ b/providers/implementations/ciphers/cipher_aria_gcm.c @@ -27,6 +27,15 @@ static void *aria_gcm_newctx(void *provctx, size_t keybits) return ctx; } +static void *aria_gcm_dupctx(void *provctx) +{ + PROV_ARIA_GCM_CTX *ctx = provctx; + + if (ctx == NULL) + return NULL; + return OPENSSL_memdup(ctx, sizeof(*ctx)); +} + static OSSL_FUNC_cipher_freectx_fn aria_gcm_freectx; static void aria_gcm_freectx(void *vctx) { diff --git a/providers/implementations/ciphers/cipher_sm4_ccm.c b/providers/implementations/ciphers/cipher_sm4_ccm.c index f0295a5ca28ad..5fd7d1a114c13 100644 --- a/providers/implementations/ciphers/cipher_sm4_ccm.c +++ b/providers/implementations/ciphers/cipher_sm4_ccm.c 
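Review bot: `aes_gcm_dupctx()` returns a flat `OPENSSL_memdup()` of the context, while `aes_ccm_dupctx()` in the same commit has to re-point the copy with `dupctx->base.ccm_ctx.key = &dupctx->ccm.ks.ks;`. The same flat copy is used in `aria_ccm_dupctx()`, `aria_gcm_dupctx()`, `sm4_ccm_dupctx()` and `sm4_gcm_dupctx()`. If any of these contexts also stores a pointer into its own key schedule (their key-setup code is not shown here), the duplicate keeps using the source's key schedule and reads freed memory once the source context is freed. Each should be checked and given the equivalent fix-up after the memdup, applied only when the source pointer is non-NULL.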
@@ -28,6 +28,15 @@ static void *sm4_ccm_newctx(void *provctx, size_t keybits) return ctx; } +static void *sm4_ccm_dupctx(void *provctx) +{ + PROV_SM4_CCM_CTX *ctx = provctx; + + if (ctx == NULL) + return NULL; + return OPENSSL_memdup(ctx, sizeof(*ctx)); +} + static void sm4_ccm_freectx(void *vctx) { PROV_SM4_CCM_CTX *ctx = (PROV_SM4_CCM_CTX *)vctx; diff --git a/providers/implementations/ciphers/cipher_sm4_gcm.c b/providers/implementations/ciphers/cipher_sm4_gcm.c index 7a936f00ee55a..79e1b556d4371 100644 --- a/providers/implementations/ciphers/cipher_sm4_gcm.c +++ b/providers/implementations/ciphers/cipher_sm4_gcm.c @@ -29,6 +29,15 @@ static void *sm4_gcm_newctx(void *provctx, size_t keybits) return ctx; } +static void *sm4_gcm_dupctx(void *provctx) +{ + PROV_SM4_GCM_CTX *ctx = provctx; + + if (ctx == NULL) + return NULL; + return OPENSSL_memdup(ctx, sizeof(*ctx)); +} + static void sm4_gcm_freectx(void *vctx) { PROV_SM4_GCM_CTX *ctx = (PROV_SM4_GCM_CTX *)vctx; diff --git a/providers/implementations/include/prov/ciphercommon_aead.h b/providers/implementations/include/prov/ciphercommon_aead.h index 0dd63cbe5343d..8d709f10ea64e 100644 --- a/providers/implementations/include/prov/ciphercommon_aead.h +++ b/providers/implementations/include/prov/ciphercommon_aead.h 
@@ -27,9 +27,14 @@ static void * alg##kbits##lc##_newctx(void *provctx) \ { \ return alg##_##lc##_newctx(provctx, kbits); \ } \ +static void * alg##kbits##lc##_dupctx(void *src) \ +{ \ + return alg##_##lc##_dupctx(src); \ +} \ const OSSL_DISPATCH ossl_##alg##kbits##lc##_functions[] = { \ { OSSL_FUNC_CIPHER_NEWCTX, (void (*)(void))alg##kbits##lc##_newctx }, \ { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))alg##_##lc##_freectx }, \ + { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void))alg##kbits##lc##_dupctx }, \ { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))ossl_##lc##_einit }, \ { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))ossl_##lc##_dinit }, \ { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))ossl_##lc##_stream_update }, \ From 2c021e7d11f03ede2330398c4fd8e8c7bd8768ee Mon Sep 17 00:00:00 2001 From: Neil Horman Date: Fri, 1 Sep 2023 11:28:33 -0400 Subject: [PATCH 175/324] implement dupctx for aes_WRAP methods create a dupctx method for aes_WRAP implementations of all sizes Fixes #21887 Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21933) --- .../implementations/ciphers/cipher_aes_wrp.c | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/providers/implementations/ciphers/cipher_aes_wrp.c b/providers/implementations/ciphers/cipher_aes_wrp.c index ecebf213e2631..912a47e3fe88c 100644 --- a/providers/implementations/ciphers/cipher_aes_wrp.c +++ b/providers/implementations/ciphers/cipher_aes_wrp.c 
@@ -66,6 +66,26 @@ static void *aes_wrap_newctx(size_t kbits, size_t blkbits, return wctx; } +static void *aes_wrap_dupctx(void *wctx) +{ + PROV_AES_WRAP_CTX *ctx = wctx; + PROV_AES_WRAP_CTX *dctx = wctx; + + if (ctx == NULL) + return NULL; + dctx = OPENSSL_memdup(ctx, sizeof(*ctx)); + + if (dctx != NULL && dctx->base.tlsmac != NULL && dctx->base.alloced) { + dctx->base.tlsmac = OPENSSL_memdup(dctx->base.tlsmac, + dctx->base.tlsmacsize); + if (dctx->base.tlsmac == NULL) { + OPENSSL_free(dctx); + dctx = NULL; + } + } + return dctx; +} + static void aes_wrap_freectx(void *vctx) { PROV_AES_WRAP_CTX *wctx = (PROV_AES_WRAP_CTX *)vctx; @@ -281,6 +301,7 @@ static int aes_wrap_set_ctx_params(void *vctx, const OSSL_PARAM params[]) { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))aes_##mode##_cipher }, \ { OSSL_FUNC_CIPHER_FINAL, (void (*)(void))aes_##mode##_final }, \ { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))aes_##mode##_freectx }, \ + { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void))aes_##mode##_dupctx }, \ { OSSL_FUNC_CIPHER_GET_PARAMS, \ (void (*)(void))aes_##kbits##_##fname##_get_params }, \ { OSSL_FUNC_CIPHER_GETTABLE_PARAMS, \ From c32c3f2653e6c6ac42e09a83a2f51f8667827a04 Mon Sep 17 00:00:00 2001 From: Neil Horman Date: Fri, 1 Sep 2023 12:13:19 -0400 Subject: [PATCH 176/324] Fix aes_gcm_siv dupctx function This cipher family has a dupctx function, but was failing because it was attempting to memdup a field only if it was null Fix the conditional check to get it working again Fixes #21887 Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21933) --- providers/implementations/ciphers/cipher_aes_gcm_siv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/providers/implementations/ciphers/cipher_aes_gcm_siv.c b/providers/implementations/ciphers/cipher_aes_gcm_siv.c index 64f7f95039b66..2d4fd886583e5 100644 --- a/providers/implementations/ciphers/cipher_aes_gcm_siv.c 
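Review bot: On the failure path of `aes_wrap_dupctx()` the partly built copy is released with `OPENSSL_free(dctx)`, although it is a byte-for-byte copy of a keyed cipher context. `OPENSSL_clear_free(dctx, sizeof(*dctx));` would avoid leaving that key material in freed heap memory, matching how `rc4_hmac_md5_freectx()` releases its context elsewhere in this series. The same line appears in `chacha20_poly1305_dupctx()` in the next commit. `dctx` is also initialised to `wctx`, the source, which is misleading; `PROV_AES_WRAP_CTX *dctx = NULL;` matches the chacha20 version.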
+++ b/providers/implementations/ciphers/cipher_aes_gcm_siv.c @@ -71,7 +71,7 @@ static void *ossl_aes_gcm_siv_dupctx(void *vctx) ret->aad = NULL; ret->ecb_ctx = NULL; - if (in->aad == NULL) { + if (in->aad != NULL) { if ((ret->aad = OPENSSL_memdup(in->aad, UP16(ret->aad_len))) == NULL) goto err; } From df93b3c9e72571876bd01e5a50a5ba8368c6c77f Mon Sep 17 00:00:00 2001 From: Neil Horman Date: Fri, 1 Sep 2023 13:22:03 -0400 Subject: [PATCH 177/324] implement dupctx for chacha20_poly1305 Same as chacha20 in the last commit, just clone the ctx and its underlying tlsmac array if its allocated Fixes #21887 Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21933) --- .../ciphers/cipher_chacha20_poly1305.c | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/providers/implementations/ciphers/cipher_chacha20_poly1305.c b/providers/implementations/ciphers/cipher_chacha20_poly1305.c index 662b4e03e5424..d5d4e1a251b1c 100644 --- a/providers/implementations/ciphers/cipher_chacha20_poly1305.c +++ b/providers/implementations/ciphers/cipher_chacha20_poly1305.c @@ -23,6 +23,7 @@ static OSSL_FUNC_cipher_newctx_fn chacha20_poly1305_newctx; static OSSL_FUNC_cipher_freectx_fn chacha20_poly1305_freectx; +static OSSL_FUNC_cipher_dupctx_fn chacha20_poly1305_dupctx; static OSSL_FUNC_cipher_encrypt_init_fn chacha20_poly1305_einit; static OSSL_FUNC_cipher_decrypt_init_fn chacha20_poly1305_dinit; static OSSL_FUNC_cipher_get_params_fn chacha20_poly1305_get_params; 
@@ -58,6 +59,25 @@ static void *chacha20_poly1305_newctx(void *provctx) return ctx; } +static void *chacha20_poly1305_dupctx(void *provctx) +{ + PROV_CHACHA20_POLY1305_CTX *ctx = provctx; + PROV_CHACHA20_POLY1305_CTX *dctx = NULL; + + if (ctx == NULL) + return NULL; + dctx = OPENSSL_memdup(ctx, sizeof(*ctx)); + if (dctx != NULL && dctx->base.tlsmac != NULL && dctx->base.alloced) { + dctx->base.tlsmac = OPENSSL_memdup(dctx->base.tlsmac, + dctx->base.tlsmacsize); + if (dctx->base.tlsmac == NULL) { + OPENSSL_free(dctx); + dctx = NULL; + } + } + return dctx; +} + static void chacha20_poly1305_freectx(void *vctx) { PROV_CHACHA20_POLY1305_CTX *ctx = (PROV_CHACHA20_POLY1305_CTX *)vctx; @@ -310,6 +330,7 @@ static int chacha20_poly1305_final(void *vctx, unsigned char *out, size_t *outl, const OSSL_DISPATCH ossl_chacha20_ossl_poly1305_functions[] = { { OSSL_FUNC_CIPHER_NEWCTX, (void (*)(void))chacha20_poly1305_newctx }, { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))chacha20_poly1305_freectx }, + { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void))chacha20_poly1305_dupctx }, { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))chacha20_poly1305_einit }, { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))chacha20_poly1305_dinit }, { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))chacha20_poly1305_update }, From 123c85864fa7fe97d8ae3a09989d410501d957a5 Mon Sep 17 00:00:00 2001 From: Neil Horman Date: Fri, 1 Sep 2023 13:47:15 -0400 Subject: [PATCH 178/324] Add dupctx support to rc4_hmac_md5 algo Pretty straightforward, just clone the requested context, no pointers to fixup Fixes #21887 Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21933) --- .../ciphers/cipher_aes_cbc_hmac_sha.c | 18 ++++++++++++++++++ .../ciphers/cipher_rc4_hmac_md5.c | 11 +++++++++++ 2 files changed, 29 insertions(+) 
diff --git a/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c b/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c index f0ebfb6836732..28d3909c4d689 100644 --- a/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c +++ b/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c @@ -334,6 +334,16 @@ static void *aes_cbc_hmac_sha1_newctx(void *provctx, size_t kbits, return ctx; } +static void *aes_cbc_hmac_sha1_dupctx(void *provctx) +{ + PROV_AES_HMAC_SHA1_CTX *ctx = provctx; + + if (ctx == NULL) + return NULL; + + return OPENSSL_memdup(ctx, sizeof(*ctx)); +} + static void aes_cbc_hmac_sha1_freectx(void *vctx) { PROV_AES_HMAC_SHA1_CTX *ctx = (PROV_AES_HMAC_SHA1_CTX *)vctx; @@ -361,6 +371,13 @@ static void *aes_cbc_hmac_sha256_newctx(void *provctx, size_t kbits, return ctx; } +static void *aes_cbc_hmac_sha256_dupctx(void *provctx) +{ + PROV_AES_HMAC_SHA256_CTX *ctx = provctx; + + return OPENSSL_memdup(ctx, sizeof(*ctx)); +} + static void aes_cbc_hmac_sha256_freectx(void *vctx) { PROV_AES_HMAC_SHA256_CTX *ctx = (PROV_AES_HMAC_SHA256_CTX *)vctx; @@ -386,6 +403,7 @@ static int nm##_##kbits##_##sub##_get_params(OSSL_PARAM params[]) \ const OSSL_DISPATCH ossl_##nm##kbits##sub##_functions[] = { \ { OSSL_FUNC_CIPHER_NEWCTX, (void (*)(void))nm##_##kbits##_##sub##_newctx },\ { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))nm##_##sub##_freectx }, \ + { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void))nm##_##sub##_dupctx}, \ { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))nm##_einit }, \ { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))nm##_dinit }, \ { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))nm##_update }, \ diff --git a/providers/implementations/ciphers/cipher_rc4_hmac_md5.c b/providers/implementations/ciphers/cipher_rc4_hmac_md5.c index 99d5dd716926f..82ef7890b54d6 100644 --- a/providers/implementations/ciphers/cipher_rc4_hmac_md5.c +++ b/providers/implementations/ciphers/cipher_rc4_hmac_md5.c 
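Review bot: `aes_cbc_hmac_sha256_dupctx()` omits the `if (ctx == NULL) return NULL;` guard that `aes_cbc_hmac_sha1_dupctx()` just above it and every other dupctx function in this series has. Adding it keeps the two variants parallel instead of relying on how `OPENSSL_memdup()` treats a NULL source. The new dispatch entry is also missing the space before its closing brace; `{ OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void))nm##_##sub##_dupctx }, \` matches the neighbouring rows.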
@@ -34,6 +34,7 @@ static OSSL_FUNC_cipher_encrypt_init_fn rc4_hmac_md5_einit; static OSSL_FUNC_cipher_decrypt_init_fn rc4_hmac_md5_dinit; static OSSL_FUNC_cipher_newctx_fn rc4_hmac_md5_newctx; static OSSL_FUNC_cipher_freectx_fn rc4_hmac_md5_freectx; +static OSSL_FUNC_cipher_dupctx_fn rc4_hmac_md5_dupctx; static OSSL_FUNC_cipher_get_ctx_params_fn rc4_hmac_md5_get_ctx_params; static OSSL_FUNC_cipher_gettable_ctx_params_fn rc4_hmac_md5_gettable_ctx_params; static OSSL_FUNC_cipher_set_ctx_params_fn rc4_hmac_md5_set_ctx_params; @@ -71,6 +72,15 @@ static void rc4_hmac_md5_freectx(void *vctx) OPENSSL_clear_free(ctx, sizeof(*ctx)); } +static void *rc4_hmac_md5_dupctx(void *vctx) +{ + PROV_RC4_HMAC_MD5_CTX *ctx = vctx; + + if (ctx == NULL) + return NULL; + return OPENSSL_memdup(ctx, sizeof(*ctx)); +} + static int rc4_hmac_md5_einit(void *ctx, const unsigned char *key, size_t keylen, const unsigned char *iv, size_t ivlen, const OSSL_PARAM params[]) @@ -214,6 +224,7 @@ static int rc4_hmac_md5_get_params(OSSL_PARAM params[]) const OSSL_DISPATCH ossl_rc4_hmac_ossl_md5_functions[] = { { OSSL_FUNC_CIPHER_NEWCTX, (void (*)(void))rc4_hmac_md5_newctx }, { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))rc4_hmac_md5_freectx }, + { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void))rc4_hmac_md5_dupctx }, { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))rc4_hmac_md5_einit }, { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))rc4_hmac_md5_dinit }, { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))rc4_hmac_md5_update }, From 46def829afa4d8bed8f53d484bdf842d65f0e176 Mon Sep 17 00:00:00 2001 
From: Bernd Edlinger Date: Mon, 11 Sep 2023 12:34:02 +0200 Subject: [PATCH 179/324] Fix a memleak in prepare_rsa_params This affects only RSA-PSS keys with params using negative salt legth, or in case of out of memory. This fixes a memory leak reported in #22049. Reviewed-by: Hugo Landau Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22061) --- providers/implementations/encode_decode/encode_key2any.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/providers/implementations/encode_decode/encode_key2any.c b/providers/implementations/encode_decode/encode_key2any.c index c1b0dea7803e4..ae6d7d0a681d3 100644 --- a/providers/implementations/encode_decode/encode_key2any.c +++ b/providers/implementations/encode_decode/encode_key2any.c @@ -856,14 +856,17 @@ static int prepare_rsa_params(const void *rsa, int nid, int save, case 1: if ((str = OPENSSL_malloc(str_sz)) == NULL || !WPACKET_init_der(&pkt, str, str_sz)) { + WPACKET_cleanup(&pkt); goto err; } break; } if (!ossl_DER_w_RSASSA_PSS_params(&pkt, -1, pss) || !WPACKET_finish(&pkt) - || !WPACKET_get_total_written(&pkt, &str_sz)) + || !WPACKET_get_total_written(&pkt, &str_sz)) { + WPACKET_cleanup(&pkt); goto err; + } WPACKET_cleanup(&pkt); /* From 23def9d37156cc3b2c00fb45ec3b8e271a5d4563 Mon Sep 17 00:00:00 2001 
From: Dimitri Papadopoulos <3234522+DimitriPapadopoulos@users.noreply.github.com> Date: Mon, 11 Sep 2023 13:27:05 +0200 Subject: [PATCH 180/324] Fix typos found by codespell Reviewed-by: Hugo Landau Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22063) --- apps/progs.pl | 2 +- crypto/bio/bio_print.c | 2 +- crypto/err/err.c | 2 +- crypto/evp/pmeth_gn.c | 2 +- doc/internal/man3/ossl_provider_new.pod | 2 +- doc/man3/EVP_MAC.pod | 2 +- doc/man3/EVP_SIGNATURE.pod | 2 +- doc/man5/x509v3_config.pod | 2 +- doc/man7/ossl-guide-quic-client-non-block.pod | 4 ++-- doc/man7/ossl-guide-quic-multi-stream.pod | 2 +- doc/man7/ossl-guide-tls-client-block.pod | 4 ++-- doc/man7/ossl-guide-tls-client-non-block.pod | 6 +++--- ssl/statem/statem_clnt.c | 2 +- 13 files changed, 17 insertions(+), 17 deletions(-) diff --git a/apps/progs.pl b/apps/progs.pl index f27ccfbba3cad..120ae05f07388 100644 --- a/apps/progs.pl +++ b/apps/progs.pl @@ -104,7 +104,7 @@ # The format of this table is: # [0] = alternative command to use instead # [1] = deprecented in this version -# [2] = preprocessor conditional for exclusing irrespective of deprecation +# [2] = preprocessor conditional for excluding irrespective of deprecation # rsa => [ "pkey", "3_0", "rsa" ], # genrsa => [ "genpkey", "3_0", "rsa" ], rsautl => [ "pkeyutl", "3_0", "rsa" ], diff --git a/crypto/bio/bio_print.c b/crypto/bio/bio_print.c index e5397c8b7a071..5f2543030e54d 100644 --- a/crypto/bio/bio_print.c +++ b/crypto/bio/bio_print.c @@ -62,7 +62,7 @@ static int _dopr(char **sbuffer, char **buffer, #define DP_F_NUM (1 << 3) /* print leading zeroes */ #define DP_F_ZERO (1 << 4) -/* print HEX in UPPPERcase */ +/* print HEX in UPPERcase */ #define DP_F_UP (1 << 5) /* treat value as unsigned */ #define DP_F_UNSIGNED (1 << 6) diff --git a/crypto/err/err.c b/crypto/err/err.c index 3fc296929c5f6..7b7f309951554 100644 --- a/crypto/err/err.c +++ b/crypto/err/err.c 
@@ -831,7 +831,7 @@ void ERR_add_error_vdata(int num, va_list args) i = es->top; /* - * If err_data is allocated already, re-use the space. + * If err_data is allocated already, reuse the space. * Otherwise, allocate a small new buffer. */ if ((es->err_data_flags[i] & flags) == flags) { diff --git a/crypto/evp/pmeth_gn.c b/crypto/evp/pmeth_gn.c index c8981227d40f1..6a38fe511a636 100644 --- a/crypto/evp/pmeth_gn.c +++ b/crypto/evp/pmeth_gn.c @@ -153,7 +153,7 @@ int EVP_PKEY_generate(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey) goto legacy; /* - * Asssigning gentmp to ctx->keygen_info is something our legacy + * Assigning gentmp to ctx->keygen_info is something our legacy * implementations do. Because the provider implementations aren't * allowed to reach into our EVP_PKEY_CTX, we need to provide similar * space for backward compatibility. It's ok that we attach a local diff --git a/doc/internal/man3/ossl_provider_new.pod b/doc/internal/man3/ossl_provider_new.pod index e170edf343af7..d30e400894376 100644 --- a/doc/internal/man3/ossl_provider_new.pod +++ b/doc/internal/man3/ossl_provider_new.pod @@ -291,7 +291,7 @@ in a bitstring that's internal to I. ossl_provider_test_operation_bit() checks if the bit operation I is set (1) or not (0) in the internal I bitstring, and sets -I<*result> to 1 or 0 accorddingly. +I<*result> to 1 or 0 accordingly. ossl_provider_init_as_child() stores in the library context I references to the necessary upcalls for managing child providers. The I and I diff --git a/doc/man3/EVP_MAC.pod b/doc/man3/EVP_MAC.pod index 13482ac5e188e..8fd237599e29d 100644 --- a/doc/man3/EVP_MAC.pod +++ b/doc/man3/EVP_MAC.pod 
@@ -181,7 +181,7 @@ EVP_MAC_CTX_set_params() passes chosen parameters to the underlying context, given a context I. The set of parameters given with I determine exactly what parameters are passed down. -If I are NULL, the unterlying context should do nothing and return 1. +If I are NULL, the underlying context should do nothing and return 1. Note that a parameter that is unknown in the underlying context is simply ignored. Also, what happens when a needed parameter isn't passed down is diff --git a/doc/man3/EVP_SIGNATURE.pod b/doc/man3/EVP_SIGNATURE.pod index 600522085398c..a4ee9c4807d7a 100644 --- a/doc/man3/EVP_SIGNATURE.pod +++ b/doc/man3/EVP_SIGNATURE.pod @@ -61,7 +61,7 @@ EVP_SIGNATURE_get0_provider() returns the provider that I was fetched from. EVP_SIGNATURE_do_all_provided() traverses all SIGNATURE implemented by all -activated roviders in the given library context I, and for each of the +activated providers in the given library context I, and for each of the implementations, calls the given function I with the implementation method and the given I as argument. diff --git a/doc/man5/x509v3_config.pod b/doc/man5/x509v3_config.pod index 2440f23dddc28..ab33b7e7afe03 100644 --- a/doc/man5/x509v3_config.pod +++ b/doc/man5/x509v3_config.pod @@ -93,7 +93,7 @@ numeric identifier, as shown here: email.2 = steve@example.org The syntax of raw extensions is defined by the source code that parses -the extension but should be documened. +the extension but should be documented. See L for an example of a raw extension. If an extension type is unsupported, then the I extension syntax diff --git a/doc/man7/ossl-guide-quic-client-non-block.pod b/doc/man7/ossl-guide-quic-client-non-block.pod index 8187bb9b77d54..0c2b916b803b0 100644 --- a/doc/man7/ossl-guide-quic-client-non-block.pod +++ b/doc/man7/ossl-guide-quic-client-non-block.pod 
@@ -43,7 +43,7 @@ L or L will return immediately with a non-fatal error if they are currently unable to read or write respectively. Since this page is building on the example developed on the -L page we assume that you are familar with it +L page we assume that you are familiar with it and we only explain how this example differs. =head2 Performing work while waiting for the socket @@ -407,7 +407,7 @@ L. Since our application is initiating the shutdown then we might expect to see L give a return value of 0, and then we should continue to call -it until we recieve a return value of 1 (meaning we have successfully completed +it until we receive a return value of 1 (meaning we have successfully completed the shutdown). Since we are using a nonblocking B object we might expect to have to retry this operation several times. If L returns a negative result then we must call L to work out what to do diff --git a/doc/man7/ossl-guide-quic-multi-stream.pod b/doc/man7/ossl-guide-quic-multi-stream.pod index 4e4d852b035e2..877d2208ae787 100644 --- a/doc/man7/ossl-guide-quic-multi-stream.pod +++ b/doc/man7/ossl-guide-quic-multi-stream.pod @@ -96,7 +96,7 @@ When using a default stream OpenSSL will prevent new streams from being accepted. To override this behaviour you must call L to set the policy to B. See the man page for further details. This -is not relevant if the default stream has been disabed as described in +is not relevant if the default stream has been disabled as described in L above. Any stream may be bi-directional or uni-directional. If it is uni-directional diff --git a/doc/man7/ossl-guide-tls-client-block.pod b/doc/man7/ossl-guide-tls-client-block.pod index 865a5353b3fa3..646b58081ad4c 100644 --- a/doc/man7/ossl-guide-tls-client-block.pod +++ b/doc/man7/ossl-guide-tls-client-block.pod 
@@ -124,7 +124,7 @@ function and passing the B we created as an argument. =head2 Creating the socket and BIO TLS data is transmitted over an underlying transport layer. Normally a TCP -socket. It is the application's resonsibility for ensuring that the socket is +socket. It is the application's responsibility for ensuring that the socket is created and associated with an SSL object (via a BIO). Socket creation for use by a client is typically a 2 step process, i.e. @@ -549,7 +549,7 @@ intermediate CAs, or the issuer is simply unrecognised). =head1 FURTHER READING See L to read a tutorial on how to modify -the client devloped on this page to support a nonblocking socket. +the client developed on this page to support a nonblocking socket. See L to read a tutorial on how to modify the client developed on this page to support QUIC instead of TLS. diff --git a/doc/man7/ossl-guide-tls-client-non-block.pod b/doc/man7/ossl-guide-tls-client-non-block.pod index ea5e40bd1cadb..1eabcc0b576be 100644 --- a/doc/man7/ossl-guide-tls-client-non-block.pod +++ b/doc/man7/ossl-guide-tls-client-non-block.pod @@ -41,7 +41,7 @@ behaviour is propagated up to the application so that OpenSSL I/O functions such as L or L will not block. Since this page is building on the example developed on the -L page we assume that you are familar with it +L page we assume that you are familiar with it and we only explain how this example differs. =head2 Setting the socket to be nonblocking @@ -162,7 +162,7 @@ Fatal errors that may occur are B and B. These indicate that the underlying connection has failed. You should not attempt to shut it down with L. B indicates that OpenSSL attempted to make a syscall that failed. You can consult B for -further details. B indicates that some OpenSSL error occured. You +further details. B indicates that some OpenSSL error occurred. You can consult the OpenSSL error stack for further details (for example by calling L to print out details of errors that have occurred). 
@@ -313,7 +313,7 @@ finished with it. If our application was initiating the shutdown then we would expect to see L give a return value of 0, and then we would continue to call -it until we recieved a return value of 1 (meaning we have successfully completed +it until we received a return value of 1 (meaning we have successfully completed the shutdown). In this particular example we don't expect SSL_shutdown() to return 0 because we have already received EOF from the server indicating that it has shutdown already. So we just keep calling it until SSL_shutdown() returns 1. diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 92c00ce4ae5aa..cbf5a57bebf47 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -1793,7 +1793,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL_CONNECTION *s, PACKET *pkt) * If we're not doing early-data and we're not going to send a dummy CCS * (i.e. no middlebox compat mode) then we can change the write keys * immediately. Otherwise we have to defer this until after all possible - * early data is written. We could just alway defer until the last + * early data is written. We could just always defer until the last * moment except QUIC needs it done at the same time as the read keys * are changed. Since QUIC doesn't do TLS early data or need middlebox * compat this doesn't cause a problem. From d012319145b1c95ecb9ada29f4f03a3b30cf0f41 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Fri, 8 Sep 2023 17:36:38 +0100 Subject: [PATCH 181/324] Test we correctly handle missing ALPN from the server ALPN is a requirement for QUIC so it is an error if the server does not send it. Reviewed-by: Hugo Landau Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22066) --- test/quicfaultstest.c | 29 +++++++++++++++++++---------- 1 file changed, 19 insertions(+), 10 deletions(-) diff --git a/test/quicfaultstest.c b/test/quicfaultstest.c index 3b80385584b65..a6ba0dc05340e 100644 
--- a/test/quicfaultstest.c +++ b/test/quicfaultstest.c @@ -161,25 +161,27 @@ static int test_unknown_frame(void) * Test that a server that fails to provide transport params cannot be * connected to. */ -static int drop_transport_params_cb(QTEST_FAULT *fault, +static int drop_extensions_cb(QTEST_FAULT *fault, QTEST_ENCRYPTED_EXTENSIONS *ee, size_t eelen, void *encextcbarg) { - if (!qtest_fault_delete_extension(fault, - TLSEXT_TYPE_quic_transport_parameters, - ee->extensions, &ee->extensionslen)) + int *ext = (int *)encextcbarg; + + if (!qtest_fault_delete_extension(fault, *ext, ee->extensions, + &ee->extensionslen)) return 0; return 1; } -static int test_no_transport_params(void) +static int test_drop_extensions(int idx) { int testresult = 0; SSL_CTX *cctx = SSL_CTX_new(OSSL_QUIC_client_method()); QUIC_TSERVER *qtserv = NULL; SSL *cssl = NULL; QTEST_FAULT *fault = NULL; + int ext, err; if (!TEST_ptr(cctx)) goto err; @@ -188,9 +190,17 @@ static int test_no_transport_params(void) &qtserv, &cssl, &fault))) goto err; + if (idx == 0) { + ext = TLSEXT_TYPE_quic_transport_parameters; + err = QUIC_ERR_CRYPTO_MISSING_EXT; + } else { + ext = TLSEXT_TYPE_application_layer_protocol_negotiation; + err = QUIC_ERR_CRYPTO_NO_APP_PROTO; + } + if (!TEST_true(qtest_fault_set_hand_enc_ext_listener(fault, - drop_transport_params_cb, - NULL))) + drop_extensions_cb, + &ext))) goto err; /* @@ -200,8 +210,7 @@ static int test_no_transport_params(void) if (!TEST_false(qtest_create_quic_connection(qtserv, cssl))) goto err; - if (!TEST_true(qtest_check_server_transport_err(qtserv, - QUIC_ERR_CRYPTO_MISSING_EXT))) + if (!TEST_true(qtest_check_server_transport_err(qtserv, err))) goto err; testresult = 1; @@ -384,7 +393,7 @@ int setup_tests(void) ADD_TEST(test_basic); ADD_TEST(test_unknown_frame); - ADD_TEST(test_no_transport_params); + ADD_ALL_TESTS(test_drop_extensions, 2); ADD_ALL_TESTS(test_corrupted_data, 2); return 1; From 982dae89d8d19fcb9cc2c3b8ba74afef352ecc41 Mon Sep 17 00:00:00 2001 
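Review bot: The block comment above `drop_extensions_cb` still says the test covers a server that fails to provide transport params, but `test_drop_extensions` now also drops the ALPN extension when `idx` is non-zero. I would reword it to something like `/* Test that a server that omits a mandatory extension cannot be connected to. Test 0: transport params, Test 1: ALPN */`, so the index mapping is documented next to the code. The `(int *)` cast on `encextcbarg` is not needed in C and can be dropped: `int *ext = encextcbarg;`.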
From: Matt Caswell Date: Mon, 11 Sep 2023 13:55:41 +0100 Subject: [PATCH 182/324] Ensure QUIC-TLS errors raised during channel start are available to caller TLS misconfiguration errors should be shown to the application to enable diagnosis of the problem. Otherwise you just get a generical "internal error" message. Reviewed-by: Hugo Landau Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22066) --- ssl/quic/quic_channel.c | 13 ++++++++++++- ssl/quic/quic_impl.c | 1 + 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/ssl/quic/quic_channel.c b/ssl/quic/quic_channel.c index ce938b70f06a6..7504f06dfc0c8 100644 --- a/ssl/quic/quic_channel.c +++ b/ssl/quic/quic_channel.c @@ -44,6 +44,7 @@ */ #define DEFAULT_MAX_ACK_DELAY QUIC_DEFAULT_MAX_ACK_DELAY +static void ch_save_err_state(QUIC_CHANNEL *ch); static void ch_rx_pre(QUIC_CHANNEL *ch); static int ch_rx(QUIC_CHANNEL *ch); static int ch_tx(QUIC_CHANNEL *ch); @@ -2702,6 +2703,10 @@ int ossl_quic_channel_set_net_wbio(QUIC_CHANNEL *ch, BIO *net_wbio) */ int ossl_quic_channel_start(QUIC_CHANNEL *ch) { + uint64_t error_code; + const char *error_msg; + ERR_STATE *error_state = NULL; + if (ch->is_server) /* * This is not used by the server. The server moves to active @@ -2730,8 +2735,14 @@ int ossl_quic_channel_start(QUIC_CHANNEL *ch) ch->doing_proactive_ver_neg = 0; /* not currently supported */ /* Handshake layer: start (e.g. send CH). */ - if (!ossl_quic_tls_tick(ch->qtls)) + ossl_quic_tls_tick(ch->qtls); + + if (ossl_quic_tls_get_error(ch->qtls, &error_code, &error_msg, + &error_state)) { + ossl_quic_channel_raise_protocol_error_state(ch, error_code, 0, + error_msg, error_state); return 0; + } ossl_quic_reactor_tick(&ch->rtor, 0); /* best effort */ return 1; diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c index b632ad22db2f8..beec26c019c1d 100644 --- a/ssl/quic/quic_impl.c +++ b/ssl/quic/quic_impl.c 
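Review bot: The return value of `ossl_quic_tls_tick(ch->qtls)` in `ossl_quic_channel_start` is now dropped silently, so a tick that fails without leaving anything for `ossl_quic_tls_get_error()` to report would let the function fall through and return 1. If that combination cannot happen, say so with a `(void)` cast and a comment such as `/* failures are reported via ossl_quic_tls_get_error() below */`; if it can, keep the old `return 0` for that case. Whether tick can fail without recording an error is not visible in this hunk. The caller in quic_impl.c now calls `ossl_quic_channel_restore_err_state()` on every failure of this function, including the early server-side return, so it is worth confirming that restore is harmless when no state was saved.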
@@ -1524,6 +1524,7 @@ static int ensure_channel_started(QCTX *ctx) } if (!ossl_quic_channel_start(qc->ch)) { + ossl_quic_channel_restore_err_state(qc->ch); QUIC_RAISE_NON_NORMAL_ERROR(ctx, ERR_R_INTERNAL_ERROR, "failed to start channel"); return 0; From 122d4e20cd2e88daa64d8bfcd7b8a6e39a0260e4 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Mon, 11 Sep 2023 13:57:35 +0100 Subject: [PATCH 183/324] Test that a client that does not supply ALPN fails as expected Reviewed-by: Hugo Landau Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22066) --- test/quicapitest.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) diff --git a/test/quicapitest.c b/test/quicapitest.c index 8c78e14de9c32..c471495aa21bc 100644 --- a/test/quicapitest.c +++ b/test/quicapitest.c 
@@ -1190,6 +1190,66 @@ static int test_quic_psk(void) return testresult; } +/* + * Test that we correctly handle ALPN supplied by the application + * Test 0: ALPN is provided + * Test 1: No ALPN is provided + */ +static int test_alpn(int idx) +{ + SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, OSSL_QUIC_client_method()); + SSL *clientquic = NULL; + QUIC_TSERVER *qtserv = NULL; + int testresult = 0; + int ret; + + /* + * Ensure we only configure ciphersuites that are available with both the + * default and fips providers to get the same output in both cases + */ + if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_128_GCM_SHA256"))) + goto err; + + if (!TEST_ptr(cctx) + || !TEST_true(qtest_create_quic_objects(libctx, cctx, NULL, cert, + privkey, + QTEST_FLAG_FAKE_TIME, + &qtserv, + &clientquic, NULL))) + goto err; + + if (idx == 0) { + /* + * Clear the ALPN we set in qtest_create_quic_objects. We use TEST_false + * because SSL_set_alpn_protos returns 0 for success. + */ + if (!TEST_false(SSL_set_alpn_protos(clientquic, NULL, 0))) + goto err; + } + + ret = SSL_connect(clientquic); + if (!TEST_int_le(ret, 0)) + goto err; + if (idx == 0) { + /* We expect an immediate error due to lack of ALPN */ + if (!TEST_int_eq(SSL_get_error(clientquic, ret), SSL_ERROR_SSL)) + goto err; + } else { + /* ALPN was provided so we expect the connection to succeed */ + if (!TEST_int_eq(SSL_get_error(clientquic, ret), SSL_ERROR_WANT_READ) + || !TEST_true(qtest_create_quic_connection(qtserv, clientquic))) + goto err; + } + + testresult = 1; + err: + ossl_quic_tserver_free(qtserv); + SSL_free(clientquic); + SSL_CTX_free(cctx); + + return testresult; +} + OPT_TEST_DECLARE_USAGE("provider config certsdir datadir\n") int setup_tests(void) @@ -1262,6 +1322,7 @@ int setup_tests(void) ADD_TEST(test_multiple_dgrams); ADD_ALL_TESTS(test_non_io_retry, 2); ADD_TEST(test_quic_psk); + ADD_ALL_TESTS(test_alpn, 2); return 1; err: cleanup_tests(); 
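Review bot: `test_alpn` calls `SSL_CTX_set_ciphersuites(cctx, ...)` before `TEST_ptr(cctx)` has run, so a failed `SSL_CTX_new_ex()` hands a NULL context to the library instead of failing the test cleanly; checking the pointer first, `if (!TEST_ptr(cctx) || !TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_128_GCM_SHA256")))`, avoids that. The header comment is also inverted relative to the code: `idx == 0` clears the ALPN list and expects `SSL_ERROR_SSL`, so it should read `Test 0: No ALPN is provided` and `Test 1: ALPN is provided`. The comments inside the two result branches already match what the code does.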
From 572f290c9c2d892d5f891c6b8dcebf4e1ac65aed Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Mon, 11 Sep 2023 10:03:22 +0100 Subject: [PATCH 184/324] Fix a failure in bio_dgram_test on the NonStop platform The size of the datagram header is significantly larger that we might expect on NonStop (probably driven by sizeof(BIO_ADDR)). We adjust the size of the default buffer to take into account the header size and the mtu. Fixes #22013 Reviewed-by: Tom Cosgrove Reviewed-by: Tomas Mraz Reviewed-by: Hugo Landau Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22058) --- crypto/bio/bss_dgram_pair.c | 3 ++- test/bio_dgram_test.c | 7 +++++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/crypto/bio/bss_dgram_pair.c b/crypto/bio/bss_dgram_pair.c index 534a2216aa42a..08dd802d8fd42 100644 --- a/crypto/bio/bss_dgram_pair.c +++ b/crypto/bio/bss_dgram_pair.c @@ -279,8 +279,9 @@ static int dgram_pair_init(BIO *bio) if (b == NULL) return 0; - b->req_buf_len = 17*1024; /* default buffer size */ b->mtu = 1472; /* conservative default MTU */ + /* default buffer size */ + b->req_buf_len = 9 * (sizeof(struct dgram_hdr) + b->mtu); b->lock = CRYPTO_THREAD_lock_new(); if (b->lock == NULL) { diff --git a/test/bio_dgram_test.c b/test/bio_dgram_test.c index f6c3e30c14925..70157493f971a 100644 --- a/test/bio_dgram_test.c +++ b/test/bio_dgram_test.c @@ -559,8 +559,11 @@ static int test_bio_dgram_pair(int idx) goto err; /* - * Should be able to fit at least 9 datagrams in default write buffer size - * in worst case + * The number of datagrams we can fit depends on the size of the default + * write buffer size, the size of the datagram header and the size of the + * payload data we send in each datagram. The max payload data is based on + * the mtu. The default write buffer size is 9 * (sizeof(header) + mtu) so + * we expect at least 9 maximally sized datagrams to fit in the buffer. */ if (!TEST_int_ge(i, 9)) goto err; 
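Review bot: The literal `9` in `b->req_buf_len = 9 * (sizeof(struct dgram_hdr) + b->mtu);` is only explained by the comment in test/bio_dgram_test.c, which checks `TEST_int_ge(i, 9)` against it. A named constant next to `dgram_pair_init`, with a comment that the default buffer is sized to hold that many maximally sized datagrams including their headers, would keep the two from drifting apart. On platforms where `struct dgram_hdr` is small the new default may also come out below the previous 17 KiB; the struct's size is not visible here, so this is worth checking if any caller relied on the old capacity.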
From 58165d8da493d4271b8a026ef4056ecaeefd3916 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Tue, 12 Sep 2023 10:39:51 +0100 Subject: [PATCH 185/324] Further fix in bio_dgram_test for BIO_s_dgram_mem() When setting an explicit buffer size using BIO_s_dgram_mem() make sure we take into account the size of the header (which may be large on NonStop) Reviewed-by: Tom Cosgrove Reviewed-by: Tomas Mraz Reviewed-by: Hugo Landau Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22058) --- test/bio_dgram_test.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/test/bio_dgram_test.c b/test/bio_dgram_test.c index 70157493f971a..aca016ca95b07 100644 --- a/test/bio_dgram_test.c +++ b/test/bio_dgram_test.c @@ -12,6 +12,7 @@ #include #include "testutil.h" #include "internal/sockets.h" +#include "internal/bio_addr.h" #if !defined(OPENSSL_NO_DGRAM) && !defined(OPENSSL_NO_SOCK) @@ -519,14 +520,24 @@ static int test_bio_dgram_pair(int idx) } else { if (!TEST_ptr(bio1 = bio2 = BIO_new(BIO_s_dgram_mem()))) goto err; - if (idx == 1 && !TEST_true(BIO_set_write_buf_size(bio1, 20 * 1024))) - goto err; } mtu1 = BIO_dgram_get_mtu(bio1); if (!TEST_int_ge(mtu1, 1280)) goto err; + if (idx == 1) { + size_t bufsz; + + /* + * Assume the header contains 2 BIO_ADDR structures and a length. We + * set a buffer big enough for 9 full sized datagrams. + */ + bufsz = 9 * (mtu1 + (sizeof(BIO_ADDR) * 2) + sizeof(size_t)); + if (!TEST_true(BIO_set_write_buf_size(bio1, bufsz))) + goto err; + } + mtu2 = BIO_dgram_get_mtu(bio2); if (!TEST_int_ge(mtu2, 1280)) goto err; From 2508629765403375b3075300a0951705ec26fe27 Mon Sep 17 00:00:00 2001 
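Review bot: The buffer size in the `idx == 1` branch is derived from a guess at the private header layout, `(sizeof(BIO_ADDR) * 2) + sizeof(size_t)`, so the test passes only while that guess is at least as large as the real header. If the header used by the datagram BIO grows, the later `TEST_int_ge(i, 9)` check could start failing on some platform for a reason that is hard to trace. The comment should state that the estimate must be an upper bound, e.g. `/* must not be smaller than the header used by BIO_s_dgram_mem() */`. `test_bio_dgram_pair` starts and ends outside the hunk.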
From: Tomas Mraz Date: Mon, 11 Sep 2023 17:23:46 +0200 Subject: [PATCH 186/324] d2i_ECPKParameters and i2d_ECPKParameters are not deprecated So do not document them as such. Fixes #22068 Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22069) --- doc/man3/d2i_RSAPrivateKey.pod | 2 -- doc/man3/d2i_X509.pod | 2 ++ 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/man3/d2i_RSAPrivateKey.pod b/doc/man3/d2i_RSAPrivateKey.pod index b3ea95c692a0d..08cd2c85e5bd7 100644 --- a/doc/man3/d2i_RSAPrivateKey.pod +++ b/doc/man3/d2i_RSAPrivateKey.pod @@ -28,7 +28,6 @@ d2i_RSA_PUBKEY_fp, d2i_DHparams, d2i_DHparams_bio, d2i_DHparams_fp, -d2i_ECPKParameters, d2i_ECParameters, d2i_ECPrivateKey, d2i_ECPrivateKey_bio, @@ -56,7 +55,6 @@ i2d_DSA_PUBKEY, i2d_DSA_PUBKEY_bio, i2d_DSA_PUBKEY_fp, i2d_DSAparams, -i2d_ECPKParameters, i2d_ECParameters, i2d_ECPrivateKey, i2d_ECPrivateKey_bio, diff --git a/doc/man3/d2i_X509.pod b/doc/man3/d2i_X509.pod index c79a964e6d7f9..9226ef77c3946 100644 --- a/doc/man3/d2i_X509.pod +++ b/doc/man3/d2i_X509.pod @@ -53,6 +53,7 @@ d2i_DIST_POINT, d2i_DIST_POINT_NAME, d2i_DSA_SIG, d2i_ECDSA_SIG, +d2i_ECPKParameters, d2i_EDIPARTYNAME, d2i_ESS_CERT_ID, d2i_ESS_CERT_ID_V2, @@ -223,6 +224,7 @@ i2d_DIST_POINT, i2d_DIST_POINT_NAME, i2d_DSA_SIG, i2d_ECDSA_SIG, +i2d_ECPKParameters, i2d_EDIPARTYNAME, i2d_ESS_CERT_ID, i2d_ESS_CERT_ID_V2, From 21f0b80cd4b32ba80843b812b01a6056daf14093 Mon Sep 17 00:00:00 2001 
From: Bernd Edlinger Date: Mon, 11 Sep 2023 12:26:46 +0200 Subject: [PATCH 187/324] Fix memory leaks in ssl_old_test.c This fixes a few memory leaks reported in #22049. If SSL_CTX_set0_tmp_dh_pkey rejects the temp dh key due to security restrictions (even when @SECLEVEL=0 is used!) then the caller has to delete the PKEY object. That is different to how the deprecated SSL_CTX_set_tmp_dh_pkey was designed to work. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22060) --- test/ssl_old_test.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/test/ssl_old_test.c b/test/ssl_old_test.c index 21834b1a36313..fe168472d3022 100644 --- a/test/ssl_old_test.c +++ b/test/ssl_old_test.c @@ -1535,8 +1535,10 @@ int main(int argc, char *argv[]) ERR_print_errors(bio_err); goto end; } - SSL_CTX_set0_tmp_dh_pkey(s_ctx, dhpkey); - SSL_CTX_set0_tmp_dh_pkey(s_ctx2, dhpkey); + if (!SSL_CTX_set0_tmp_dh_pkey(s_ctx, dhpkey)) + EVP_PKEY_free(dhpkey); + if (!SSL_CTX_set0_tmp_dh_pkey(s_ctx2, dhpkey)) + EVP_PKEY_free(dhpkey); } #endif From 556f33837af8691f9b03c716e47d6d06186a6752 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Tue, 12 Sep 2023 15:07:29 +0200 Subject: [PATCH 188/324] Fix test/quic_tserver_test.c for slow machines OSSL_sleep(1) isn't enough of a wait for threads to process the next QUIC tick, so it gets increased to OSSL_sleep(100). This may be a tad much, perhaps, but for now, it gives a good margin. Reviewed-by: Hugo Landau Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22075) --- test/quic_tserver_test.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/quic_tserver_test.c b/test/quic_tserver_test.c index 3d1249863b2ae..980c9a83ff0ac 100644 --- a/test/quic_tserver_test.c +++ b/test/quic_tserver_test.c 
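Review bot: Both `SSL_CTX_set0_tmp_dh_pkey()` calls receive the same `dhpkey`, and each failure branch calls `EVP_PKEY_free(dhpkey)`, so this is only safe if `dhpkey` carries one reference per context at this point. With a single reference, a failure of the first call would leave the second call working on a freed key, and two failures would free it twice. How the references are taken is not visible in the hunk, so please confirm, and add a comment above the calls such as `/* dhpkey holds two references here, one for each SSL_CTX */`. `main` starts and ends outside the hunk.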
@@ -312,7 +312,7 @@ static int do_test(int use_thread_assist, int use_fake_time, int use_inject) ++idle_units_done; ossl_quic_conn_force_assist_thread_wake(c_ssl); - OSSL_sleep(1); /* Ensure CPU scheduling for test purposes */ + OSSL_sleep(100); /* Ensure CPU scheduling for test purposes */ } else { c_done_idle_test = 1; } From e501e8b606a2398d9b860eb10344113e9d1d375b Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Fri, 8 Sep 2023 13:08:10 +0100 Subject: [PATCH 189/324] QUIC MULTISTREAM TEST: Correct trivial bug Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22039) --- test/quic_multistream_test.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/quic_multistream_test.c b/test/quic_multistream_test.c index bc0ae12cdb17e..b401e78e329ba 100644 --- a/test/quic_multistream_test.c +++ b/test/quic_multistream_test.c @@ -4329,7 +4329,7 @@ static int script_61_inject_plain(struct helper *h, QUIC_PKT_HDR *hdr, || !TEST_true(WPACKET_quic_write_vlint(&wpkt, /* stream ID */ h->inject_word1)) || !TEST_true(WPACKET_quic_write_vlint(&wpkt, 123)) - || (h->inject_word1 == OSSL_QUIC_FRAME_TYPE_RESET_STREAM + || (h->inject_word0 == OSSL_QUIC_FRAME_TYPE_RESET_STREAM && !TEST_true(WPACKET_quic_write_vlint(&wpkt, 0)))) /* final size */ goto err; From 70e809b08a3fe70fed7f7ecdad88e5bb9fc3af1c Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Fri, 8 Sep 2023 12:50:59 +0100 Subject: [PATCH 190/324] QUIC CHANNEL: Add missing duplicate TPARAM handling cases Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22039) --- ssl/quic/quic_channel.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/ssl/quic/quic_channel.c b/ssl/quic/quic_channel.c index 7504f06dfc0c8..3da0caa4ea63b 100644 --- a/ssl/quic/quic_channel.c +++ b/ssl/quic/quic_channel.c 
@@ -1270,6 +1270,8 @@ static int ch_on_transport_params(const unsigned char *params, int got_initial_max_stream_data_uni = 0; int got_initial_max_streams_bidi = 0; int got_initial_max_streams_uni = 0; + int got_stateless_reset_token = 0; + int got_preferred_addr = 0; int got_ack_delay_exp = 0; int got_max_ack_delay = 0; int got_max_udp_payload_size = 0; @@ -1574,6 +1576,11 @@ static int ch_on_transport_params(const unsigned char *params, break; case QUIC_TPARAM_STATELESS_RESET_TOKEN: + if (got_stateless_reset_token) { + reason = TP_REASON_DUP("STATELESS_RESET_TOKEN"); + goto malformed; + } + /* * We must ensure a client doesn't send them because we don't have * processing for them. @@ -1595,12 +1602,17 @@ static int ch_on_transport_params(const unsigned char *params, goto malformed; } + got_stateless_reset_token = 1; break; case QUIC_TPARAM_PREFERRED_ADDR: { /* TODO(QUIC FUTURE): Handle preferred address. */ QUIC_PREFERRED_ADDR pfa; + if (got_preferred_addr) { + reason = TP_REASON_DUP("PREFERRED_ADDR"); + goto malformed; + } /* * RFC 9000 s. 18.2: "A server that chooses a zero-length @@ -1629,6 +1641,8 @@ static int ch_on_transport_params(const unsigned char *params, reason = "zero-length CID in PREFERRED_ADDR"; goto malformed; } + + got_preferred_addr = 1; } break; From df9ecd2ef3907ec0a7bf9c54d9273d5342329bf9 Mon Sep 17 00:00:00 2001 
From: Richard Levitte Date: Tue, 12 Sep 2023 14:58:03 +0200 Subject: [PATCH 191/324] Have legacy blake2 EVP structure use base blake2 implementation For some reason, the code here was made to got through the provider specific init functions. This is very very dangerous if the provider specific functions were to change in any way (such as changes to the implementation context structure). Instead, use the init functions from the base blake2 implementations directly. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22079) --- crypto/evp/legacy_blake2.c | 28 ++++++++++++++++--- .../implementations/digests/blake2_prov.c | 4 +-- .../implementations/include/prov/blake2.h | 3 -- 3 files changed, 26 insertions(+), 9 deletions(-) diff --git a/crypto/evp/legacy_blake2.c b/crypto/evp/legacy_blake2.c index 6a18e5fe01b6a..4301ae4857913 100644 --- a/crypto/evp/legacy_blake2.c +++ b/crypto/evp/legacy_blake2.c @@ -11,11 +11,31 @@ #include "prov/blake2.h" /* diverse BLAKE2 macros */ #include "legacy_meth.h" -#define ossl_blake2b_init ossl_blake2b512_init -#define ossl_blake2s_init ossl_blake2s256_init +/* + * Local hack to adapt the BLAKE2 init functions to what the + * legacy function signatures demand. + */ +static int blake2s_init(BLAKE2S_CTX *C) +{ + BLAKE2S_PARAM P; + + ossl_blake2s_param_init(&P); + return ossl_blake2s_init(C, &P); +} +static int blake2b_init(BLAKE2B_CTX *C) +{ + BLAKE2B_PARAM P; + + ossl_blake2b_param_init(&P); + return ossl_blake2b_init(C, &P); +} +#define blake2s_update ossl_blake2s_update +#define blake2b_update ossl_blake2b_update +#define blake2s_final ossl_blake2s_final +#define blake2b_final ossl_blake2b_final -IMPLEMENT_LEGACY_EVP_MD_METH_LC(blake2s_int, ossl_blake2s) -IMPLEMENT_LEGACY_EVP_MD_METH_LC(blake2b_int, ossl_blake2b) +IMPLEMENT_LEGACY_EVP_MD_METH_LC(blake2s_int, blake2s) +IMPLEMENT_LEGACY_EVP_MD_METH_LC(blake2b_int, blake2b) static const EVP_MD blake2b_md = { NID_blake2b512, 
diff --git a/providers/implementations/digests/blake2_prov.c b/providers/implementations/digests/blake2_prov.c index 2288286bbe44e..298bc66de65a5 100644 --- a/providers/implementations/digests/blake2_prov.c +++ b/providers/implementations/digests/blake2_prov.c @@ -12,7 +12,7 @@ #include "prov/digestcommon.h" #include "prov/implementations.h" -int ossl_blake2s256_init(void *ctx) +static int ossl_blake2s256_init(void *ctx) { BLAKE2S_PARAM P; @@ -20,7 +20,7 @@ int ossl_blake2s256_init(void *ctx) return ossl_blake2s_init((BLAKE2S_CTX *)ctx, &P); } -int ossl_blake2b512_init(void *ctx) +static int ossl_blake2b512_init(void *ctx) { struct blake2b_md_data_st *mdctx = ctx; diff --git a/providers/implementations/include/prov/blake2.h b/providers/implementations/include/prov/blake2.h index 4ec780c21f50b..bcd0bb9bcd4a4 100644 --- a/providers/implementations/include/prov/blake2.h +++ b/providers/implementations/include/prov/blake2.h @@ -88,9 +88,6 @@ struct blake2b_md_data_st { BLAKE2B_PARAM params; }; -int ossl_blake2s256_init(void *ctx); -int ossl_blake2b512_init(void *ctx); - int ossl_blake2b_init(BLAKE2B_CTX *c, const BLAKE2B_PARAM *P); int ossl_blake2b_init_key(BLAKE2B_CTX *c, const BLAKE2B_PARAM *P, const void *key); From 8f51b2279eda1e0cffb3400c2e5b5c3771f62ea7 Mon Sep 17 00:00:00 2001 From: Pauli Date: Wed, 13 Sep 2023 12:06:20 +1000 Subject: [PATCH 192/324] Use correct version of 3.1 build for FIPS provider. We're (currently) intending to validate 3.1.2 against FIPS 140-3. Reviewed-by: Tomas Mraz Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/22088) --- .github/workflows/provider-compatibility.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/provider-compatibility.yml b/.github/workflows/provider-compatibility.yml index b675e426c173d..f118db1aee5f9 100644 --- a/.github/workflows/provider-compatibility.yml +++ b/.github/workflows/provider-compatibility.yml 
@@ -179,7 +179,7 @@ jobs: # later providers. Problems in these situations ought to be # caught by cross branch testing before the release. tree_a: [ branch-master, branch-3.1, branch-3.0, - openssl-3.0.0, openssl-3.0.8, openssl-3.0.9, openssl-3.1.1 ] + openssl-3.0.0, openssl-3.0.8, openssl-3.0.9, openssl-3.1.2 ] tree_b: [ branch-master, branch-3.1, branch-3.0 ] steps: - name: early exit checks From 46b43c9f98771139735656e541c8f4c8018c2667 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 13 Sep 2023 08:29:17 +0200 Subject: [PATCH 193/324] Fix build of SHA3 on ARM64 with no-asm Fixes #22089 Reviewed-by: Matt Caswell Reviewed-by: Tom Cosgrove Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22090) --- providers/implementations/digests/sha3_prov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/providers/implementations/digests/sha3_prov.c b/providers/implementations/digests/sha3_prov.c index 0c643f8238284..423bed7983e05 100644 --- a/providers/implementations/digests/sha3_prov.c +++ b/providers/implementations/digests/sha3_prov.c @@ -249,7 +249,7 @@ static PROV_SHA3_METHOD kmac_s390x_md = } else { \ ctx->meth = sha3_generic_md; \ } -#elif defined(__aarch64__) +#elif defined(__aarch64__) && defined(KECCAK1600_ASM) # include "arm_arch.h" static sha3_absorb_fn armsha3_sha3_absorb; From fc785a554cc37dfa94710b28ced45b03006f0300 Mon Sep 17 00:00:00 2001 
From: Matt Caswell Date: Wed, 13 Sep 2023 10:31:46 +0100 Subject: [PATCH 194/324] Remove use of _Static_assert We had some use of the C11 _Static_assert feature which can cause some problems on some platforms. Everywhere we were using it, it is not really required so remove it. Fixes #22017 Reviewed-by: Tomas Mraz Reviewed-by: Richard Levitte Reviewed-by: Tom Cosgrove Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22091) --- include/internal/e_os.h | 9 --------- providers/implementations/kdfs/argon2.c | 11 +++-------- 2 files changed, 3 insertions(+), 17 deletions(-) diff --git a/include/internal/e_os.h b/include/internal/e_os.h index d0e903f653ed6..d1ed62e890298 100644 --- a/include/internal/e_os.h +++ b/include/internal/e_os.h @@ -22,15 +22,6 @@ * outside; this file e_os.h is not part of the exported interface. */ -/* ossl_static_assert_type_eq: gcc-only variable type static assertion */ -# if defined(__GNUC__) && !defined(__clang__) -# define ossl_static_assert_type_eq(type, x) \ - _Static_assert((__builtin_types_compatible_p(type, __typeof__(x))), \ - #x " type check failed, expected: " #type) -# else -# define ossl_static_assert_type_eq(type, x) -# endif - # if defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_UEFI) # define NO_CHMOD # define NO_SYSLOG diff --git a/providers/implementations/kdfs/argon2.c b/providers/implementations/kdfs/argon2.c index 323b0f3ab6b87..d93381c410440 100644 --- a/providers/implementations/kdfs/argon2.c +++ b/providers/implementations/kdfs/argon2.c @@ -1185,8 +1185,7 @@ static int kdf_argon2_ctx_set_lanes(KDF_ARGON2 *ctx, uint32_t lanes) static int kdf_argon2_ctx_set_t_cost(KDF_ARGON2 *ctx, uint32_t t_cost) { - /* ARGON2_MAX_MEMORY == max m_cost value, skip check, enforce type */ - ossl_static_assert_type_eq(uint32_t, t_cost); + /* ARGON2_MAX_MEMORY == max m_cost value, so skip check */ if (t_cost < ARGON2_MIN_TIME) { ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_ITERATION_COUNT, 
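Review bot: The comment left in `kdf_argon2_ctx_set_t_cost`, `/* ARGON2_MAX_MEMORY == max m_cost value, so skip check */`, talks about the memory cost, not the time cost this setter validates; it looks copied from `kdf_argon2_ctx_set_m_cost`. With the type assertion removed, the comment is the only record of why no upper bound is checked, so it should name the t_cost limit, for example `/* the maximum t_cost equals the uint32_t range, so only the lower bound is checked */` if that is indeed the intent. The setter's body continues outside the hunk.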
@@ -1200,8 +1199,7 @@ static int kdf_argon2_ctx_set_t_cost(KDF_ARGON2 *ctx, uint32_t t_cost) static int kdf_argon2_ctx_set_m_cost(KDF_ARGON2 *ctx, uint32_t m_cost) { - /* ARGON2_MAX_MEMORY == max m_cost value, skip check, enforce type */ - ossl_static_assert_type_eq(uint32_t, m_cost); + /* ARGON2_MAX_MEMORY == max m_cost value, so skip check */ if (m_cost < ARGON2_MIN_MEMORY) { ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_MEMORY_SIZE, "min: %u", @@ -1218,11 +1216,8 @@ static int kdf_argon2_ctx_set_out_length(KDF_ARGON2 *ctx, uint32_t outlen) /* * ARGON2_MAX_OUT_LENGTH == max outlen value, so upper bounds checks * are always satisfied; to suppress compiler if statement tautology - * warnings, these checks are skipped; however, to ensure that these - * limits are met and implementation conforming to Argon2 RFC, we need - * to fix the type + * warnings, these checks are skipped. */ - ossl_static_assert_type_eq(uint32_t, outlen); if (outlen < ARGON2_MIN_OUT_LENGTH) { ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_OUTPUT_LENGTH, "min: %u", From 00f2efccf5b9671a7af2b12571068258e9c255a5 Mon Sep 17 00:00:00 2001 From: Bernd Edlinger Date: Tue, 5 Sep 2023 16:59:45 +0200 Subject: [PATCH 195/324] Fix engine cleanup error handling Error handling in engine_cleanup_add_first/last was broken and caused memory leaks. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/21971) --- crypto/engine/eng_lib.c | 24 +++++++++++++++--------- crypto/engine/eng_list.c | 10 +++++++--- crypto/engine/eng_local.h | 4 ++-- crypto/engine/eng_table.c | 8 +++++--- 4 files changed, 29 insertions(+), 17 deletions(-) diff --git a/crypto/engine/eng_lib.c b/crypto/engine/eng_lib.c index 8345f684c813f..412363fa371e3 100644 --- a/crypto/engine/eng_lib.c +++ b/crypto/engine/eng_lib.c 
@@ -135,28 +135,34 @@ static ENGINE_CLEANUP_ITEM *int_cleanup_item(ENGINE_CLEANUP_CB *cb) return item; } -void engine_cleanup_add_first(ENGINE_CLEANUP_CB *cb) +int engine_cleanup_add_first(ENGINE_CLEANUP_CB *cb) { ENGINE_CLEANUP_ITEM *item; if (!int_cleanup_check(1)) - return; + return 0; item = int_cleanup_item(cb); - if (item != NULL) - if (sk_ENGINE_CLEANUP_ITEM_insert(cleanup_stack, item, 0) <= 0) - OPENSSL_free(item); + if (item != NULL) { + if (sk_ENGINE_CLEANUP_ITEM_insert(cleanup_stack, item, 0)) + return 1; + OPENSSL_free(item); + } + return 0; } -void engine_cleanup_add_last(ENGINE_CLEANUP_CB *cb) +int engine_cleanup_add_last(ENGINE_CLEANUP_CB *cb) { ENGINE_CLEANUP_ITEM *item; + if (!int_cleanup_check(1)) - return; + return 0; item = int_cleanup_item(cb); if (item != NULL) { - if (sk_ENGINE_CLEANUP_ITEM_push(cleanup_stack, item) <= 0) - OPENSSL_free(item); + if (sk_ENGINE_CLEANUP_ITEM_push(cleanup_stack, item) > 0) + return 1; + OPENSSL_free(item); } + return 0; } /* The API function that performs all cleanup */ diff --git a/crypto/engine/eng_list.c b/crypto/engine/eng_list.c index 119e1c60459a8..a2c151d64a04a 100644 --- a/crypto/engine/eng_list.c +++ b/crypto/engine/eng_list.c @@ -89,12 +89,16 @@ static int engine_list_add(ENGINE *e) ERR_raise(ERR_LIB_ENGINE, ENGINE_R_INTERNAL_LIST_ERROR); return 0; } - engine_list_head = e; - e->prev = NULL; /* * The first time the list allocates, we should register the cleanup. */ - engine_cleanup_add_last(engine_list_cleanup); + if (!engine_cleanup_add_last(engine_list_cleanup)) { + CRYPTO_DOWN_REF(&e->struct_ref, &ref); + ERR_raise(ERR_LIB_ENGINE, ENGINE_R_INTERNAL_LIST_ERROR); + return 0; + } + engine_list_head = e; + e->prev = NULL; } else { /* We are adding to the tail of an existing list. */ if ((engine_list_tail == NULL) || (engine_list_tail->next != NULL)) { diff --git a/crypto/engine/eng_local.h b/crypto/engine/eng_local.h index 6f5d380d02a43..24920973e7b53 100644 --- a/crypto/engine/eng_local.h 
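Review bot: `engine_cleanup_add_first` now treats any non-zero return of `sk_ENGINE_CLEANUP_ITEM_insert()` as success, while `engine_cleanup_add_last` tests `sk_ENGINE_CLEANUP_ITEM_push(...) > 0` and the removed code used `<= 0` as the failure test for both. Using the same comparison in both, `if (sk_ENGINE_CLEANUP_ITEM_insert(cleanup_stack, item, 0) > 0)`, keeps a negative return from being counted as success while `item` is neither stored nor freed. A short comment on both functions stating that they return 1 on success and 0 on failure, and that the item is freed on failure, would also help now that callers check the result.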
+++ b/crypto/engine/eng_local.h @@ -46,8 +46,8 @@ typedef struct st_engine_cleanup_item { ENGINE_CLEANUP_CB *cb; } ENGINE_CLEANUP_ITEM; DEFINE_STACK_OF(ENGINE_CLEANUP_ITEM) -void engine_cleanup_add_first(ENGINE_CLEANUP_CB *cb); -void engine_cleanup_add_last(ENGINE_CLEANUP_CB *cb); +int engine_cleanup_add_first(ENGINE_CLEANUP_CB *cb); +int engine_cleanup_add_last(ENGINE_CLEANUP_CB *cb); /* We need stacks of ENGINEs for use in eng_table.c */ DEFINE_STACK_OF(ENGINE) diff --git a/crypto/engine/eng_table.c b/crypto/engine/eng_table.c index 17225d0ad44cb..3138a1526002a 100644 --- a/crypto/engine/eng_table.c +++ b/crypto/engine/eng_table.c @@ -93,9 +93,11 @@ int engine_table_register(ENGINE_TABLE **table, ENGINE_CLEANUP_CB *cleanup, added = 1; if (!int_table_check(table, 1)) goto end; - if (added) - /* The cleanup callback needs to be added */ - engine_cleanup_add_first(cleanup); + /* The cleanup callback needs to be added */ + if (added && !engine_cleanup_add_first(cleanup)) { + lh_ENGINE_PILE_free(&(*table)->piles); + *table = NULL; + } while (num_nids--) { tmplate.nid = *nids; fnd = lh_ENGINE_PILE_retrieve(&(*table)->piles, &tmplate); From 0a8807b4a838ec6e6a84b2a28781e821ede90480 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Mon, 28 Aug 2023 13:37:33 +0200 Subject: [PATCH 196/324] Store: API for deletion Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21901) --- crypto/store/store_lib.c | 47 +++++++++++++++++++++++++++++++++ crypto/store/store_local.h | 1 + crypto/store/store_meth.c | 6 ++++- include/openssl/core_dispatch.h | 4 +++ include/openssl/store.h | 8 ++++++ 5 files changed, 65 insertions(+), 1 deletion(-) diff --git a/crypto/store/store_lib.c b/crypto/store/store_lib.c index df3180c04847c..a68e8e28b62de 100644 --- a/crypto/store/store_lib.c +++ b/crypto/store/store_lib.c 
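Review bot: In `engine_table_register` (crypto/engine/eng_table.c), the new failure branch frees the pile table and sets `*table = NULL`, but then falls through to the `while (num_nids--)` loop, whose first lookup evaluates `&(*table)->piles`. The branch needs to leave the function, e.g. by adding `goto end;` after `*table = NULL;`, and the value returned on that path should indicate failure. The function starts and ends outside the hunk, so what happens at the `end` label is not visible here.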
@@ -480,6 +480,53 @@ OSSL_STORE_INFO *OSSL_STORE_load(OSSL_STORE_CTX *ctx) return v; } +int OSSL_STORE_delete(const char *uri, OSSL_LIB_CTX *libctx, const char *propq, + const UI_METHOD *ui_method, void *ui_data, + const OSSL_PARAM params[]) +{ + OSSL_STORE_LOADER *fetched_loader = NULL; + char scheme[256], *p; + int res = 0; + struct ossl_passphrase_data_st pwdata = {0}; + + OPENSSL_strlcpy(scheme, uri, sizeof(scheme)); + if ((p = strchr(scheme, ':')) != NULL) + *p++ = '\0'; + else /* We don't work without explicit scheme */ + return 0; + + if (ui_method != NULL + && (!ossl_pw_set_ui_method(&pwdata, ui_method, ui_data) + || !ossl_pw_enable_passphrase_caching(&pwdata))) { + ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_CRYPTO_LIB); + return 0; + } + + OSSL_TRACE1(STORE, "Looking up scheme %s\n", scheme); + fetched_loader = OSSL_STORE_LOADER_fetch(libctx, scheme, propq); + + if (fetched_loader != NULL && fetched_loader->p_delete != NULL) { + const OSSL_PROVIDER *provider = + OSSL_STORE_LOADER_get0_provider(fetched_loader); + void *provctx = OSSL_PROVIDER_get0_provider_ctx(provider); + + /* + * It's assumed that the loader's delete() method reports its own + * errors + */ + OSSL_TRACE1(STORE, "Performing URI delete %s\n", uri); + res = fetched_loader->p_delete(provctx, uri, params, + ossl_pw_passphrase_callback_dec, + &pwdata); + } + /* Clear any internally cached passphrase */ + (void)ossl_pw_clear_passphrase_cache(&pwdata); + + OSSL_STORE_LOADER_free(fetched_loader); + + return res; +} + int OSSL_STORE_error(OSSL_STORE_CTX *ctx) { int ret = 1; diff --git a/crypto/store/store_local.h b/crypto/store/store_local.h index 223758ab2b718..06c8c9b218885 100644 --- a/crypto/store/store_local.h +++ b/crypto/store/store_local.h @@ -112,6 +112,7 @@ struct ossl_store_loader_st { OSSL_FUNC_store_eof_fn *p_eof; OSSL_FUNC_store_close_fn *p_close; OSSL_FUNC_store_export_object_fn *p_export_object; + OSSL_FUNC_store_delete_fn *p_delete; }; DEFINE_LHASH_OF_EX(OSSL_STORE_LOADER); 
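Review bot: `OSSL_STORE_delete` passes `uri` straight to `OPENSSL_strlcpy` with no NULL check, and two of its failure exits are silent: the missing-scheme `return 0` and the case where the fetched loader has no `p_delete`. For a destructive operation, a caller that only sees 0 cannot tell an unsupported scheme from a deletion that failed. I would add `if (uri == NULL) { ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_PASSED_NULL_PARAMETER); return 0; }` at the top and raise an error on the other two exits as well. Note also that the copy into the 256-byte `scheme` buffer truncates before the `strchr`, so a URI whose colon lies beyond that length takes the missing-scheme path.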
diff --git a/crypto/store/store_meth.c b/crypto/store/store_meth.c index 7fc79e2989087..766777c3a0295 100644 --- a/crypto/store/store_meth.c +++ b/crypto/store/store_meth.c @@ -219,6 +219,10 @@ static void *loader_from_algorithm(int scheme_id, const OSSL_ALGORITHM *algodef, if (loader->p_export_object == NULL) loader->p_export_object = OSSL_FUNC_store_export_object(fns); break; + case OSSL_FUNC_STORE_DELETE: + if (loader->p_delete == NULL) + loader->p_delete = OSSL_FUNC_store_delete(fns); + break; } } @@ -226,7 +230,7 @@ static void *loader_from_algorithm(int scheme_id, const OSSL_ALGORITHM *algodef, || loader->p_load == NULL || loader->p_eof == NULL || loader->p_close == NULL) { - /* Only set_ctx_params is optionaal */ + /* Only set_ctx_params is optional */ OSSL_STORE_LOADER_free(loader); ERR_raise(ERR_LIB_OSSL_STORE, OSSL_STORE_R_LOADER_INCOMPLETE); return NULL; diff --git a/include/openssl/core_dispatch.h b/include/openssl/core_dispatch.h index 7c48bd7f863d4..9631626ae36bf 100644 --- a/include/openssl/core_dispatch.h +++ b/include/openssl/core_dispatch.h @@ -936,6 +936,7 @@ OSSL_CORE_MAKE_FUNC(int, decoder_export_object, #define OSSL_FUNC_STORE_EOF 6 #define OSSL_FUNC_STORE_CLOSE 7 #define OSSL_FUNC_STORE_EXPORT_OBJECT 8 +#define OSSL_FUNC_STORE_DELETE 9 OSSL_CORE_MAKE_FUNC(void *, store_open, (void *provctx, const char *uri)) OSSL_CORE_MAKE_FUNC(void *, store_attach, (void *provctx, OSSL_CORE_BIO *in)) OSSL_CORE_MAKE_FUNC(const OSSL_PARAM *, store_settable_ctx_params, @@ -951,6 +952,9 @@ OSSL_CORE_MAKE_FUNC(int, store_close, (void *loaderctx)) OSSL_CORE_MAKE_FUNC(int, store_export_object, (void *loaderctx, const void *objref, size_t objref_sz, OSSL_CALLBACK *export_cb, void *export_cbarg)) +OSSL_CORE_MAKE_FUNC(int, store_delete, + (void *provctx, const char *uri, const OSSL_PARAM params[], + OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg)) # ifdef __cplusplus } 
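Review bot: The comment corrected in the second store_meth.c hunk, `/* Only set_ctx_params is optional */`, no longer describes the check beneath it. The first hunk adds `p_delete` to the loader, and the visible tail of the condition (`p_load`, `p_eof`, `p_close`) does not require it, so a loader without delete support is accepted. The comment should say so, for example `/* set_ctx_params and delete are optional */`. The start of the condition is outside the hunk, so other optional entries may need listing too.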
diff --git a/include/openssl/store.h b/include/openssl/store.h index dafb16fd90d3e..46fb4d40f0fd4 100644 --- a/include/openssl/store.h +++ b/include/openssl/store.h @@ -98,6 +98,14 @@ OSSL_DEPRECATEDIN_3_0 int OSSL_STORE_vctrl(OSSL_STORE_CTX *ctx, int cmd, */ OSSL_STORE_INFO *OSSL_STORE_load(OSSL_STORE_CTX *ctx); +/* + * Deletes the object in the store by URI. + * Returns 1 on success, 0 otherwise. + */ +int OSSL_STORE_delete(const char *uri, OSSL_LIB_CTX *libctx, const char *propq, + const UI_METHOD *ui_method, void *ui_data, + const OSSL_PARAM params[]); + /* * Check if end of data (end of file) is reached * Returns 1 on end, 0 otherwise. From 1aac593600f9656170dd144ca1219fdcd8ee8322 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Mon, 28 Aug 2023 13:38:19 +0200 Subject: [PATCH 197/324] Store: API for deletion - make update Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21901) --- util/libcrypto.num | 1 + 1 file changed, 1 insertion(+) diff --git a/util/libcrypto.num b/util/libcrypto.num index 2656df5d908b9..e4265b4cef0b6 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -5534,3 +5534,4 @@ OSSL_PROVIDER_try_load_ex ? 3_2_0 EXIST::FUNCTION: OSSL_ERR_STATE_save_to_mark ? 3_2_0 EXIST::FUNCTION: X509_STORE_CTX_set_get_crl ? 3_2_0 EXIST::FUNCTION: X509_STORE_CTX_set_current_reasons ? 3_2_0 EXIST::FUNCTION: +OSSL_STORE_delete ? 3_2_0 EXIST::FUNCTION: From b8aca10d8efac1611cfcb739202c34da39f7e3d0 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Mon, 28 Aug 2023 13:38:33 +0200 Subject: [PATCH 198/324] Store: API for deletion - tests Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21901) --- test/fake_rsaprov.c | 23 ++++++++++++- test/fake_rsaprov.h | 1 + test/provider_pkey_test.c | 72 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 95 insertions(+), 1 deletion(-) 
diff --git a/test/fake_rsaprov.c b/test/fake_rsaprov.c index a4f81be0232ea..9bc463b2c8554 100644 --- a/test/fake_rsaprov.c +++ b/test/fake_rsaprov.c @@ -30,12 +30,18 @@ static int has_selection; static int imptypes_selection; static int exptypes_selection; static int query_id; +static int key_deleted; struct fake_rsa_keydata { int selection; int status; }; +void fake_rsa_restore_store_state(void) +{ + key_deleted = 0; +} + static void *fake_rsa_keymgmt_new(void *provctx) { struct fake_rsa_keydata *key; @@ -524,6 +530,7 @@ static OSSL_FUNC_store_set_ctx_params_fn fake_rsa_st_set_ctx_params; static OSSL_FUNC_store_load_fn fake_rsa_st_load; static OSSL_FUNC_store_eof_fn fake_rsa_st_eof; static OSSL_FUNC_store_close_fn fake_rsa_st_close; +static OSSL_FUNC_store_delete_fn fake_rsa_st_delete; static const char fake_rsa_scheme[] = "fake_rsa:"; @@ -570,6 +577,11 @@ static int fake_rsa_st_load(void *loaderctx, switch (*storectx) { case 0: + if (key_deleted == 1) { + *storectx = 1; + break; + } + /* Construct a new key using our keymgmt functions */ if (!TEST_ptr(key = fake_rsa_keymgmt_new(NULL))) break; @@ -600,13 +612,21 @@ static int fake_rsa_st_load(void *loaderctx, TEST_info("fake_rsa_load called - rv: %d", rv); - if (rv == 0) { + if (rv == 0 && key_deleted == 0) { fake_rsa_keymgmt_free(key); *storectx = 2; } return rv; } +static int fake_rsa_st_delete(void *loaderctx, const char *uri, + const OSSL_PARAM params[], + OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg) +{ + key_deleted = 1; + return 1; +} + static int fake_rsa_st_eof(void *loaderctx) { unsigned char *storectx = loaderctx; @@ -629,6 +649,7 @@ static const OSSL_DISPATCH fake_rsa_store_funcs[] = { { OSSL_FUNC_STORE_LOAD, (void (*)(void))fake_rsa_st_load }, { OSSL_FUNC_STORE_EOF, (void (*)(void))fake_rsa_st_eof }, { OSSL_FUNC_STORE_CLOSE, (void (*)(void))fake_rsa_st_close }, + { OSSL_FUNC_STORE_DELETE, (void (*)(void))fake_rsa_st_delete }, OSSL_DISPATCH_END, }; 
diff --git a/test/fake_rsaprov.h b/test/fake_rsaprov.h index 190c46a285c0a..53056fa59f694 100644 --- a/test/fake_rsaprov.h +++ b/test/fake_rsaprov.h @@ -13,3 +13,4 @@ OSSL_PROVIDER *fake_rsa_start(OSSL_LIB_CTX *libctx); void fake_rsa_finish(OSSL_PROVIDER *p); OSSL_PARAM *fake_rsa_key_params(int priv); +void fake_rsa_restore_store_state(void); diff --git a/test/provider_pkey_test.c b/test/provider_pkey_test.c index 7e69f4bbd50b0..09b060642b774 100644 --- a/test/provider_pkey_test.c +++ b/test/provider_pkey_test.c @@ -18,6 +18,7 @@ #include "fake_rsaprov.h" static OSSL_LIB_CTX *libctx = NULL; +extern int key_deleted; /* From fake_rsaprov.c */ /* Fetch SIGNATURE method using a libctx and propq */ static int fetch_sig(OSSL_LIB_CTX *ctx, const char *alg, const char *propq, 
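Review bot: The added `extern int key_deleted; /* From fake_rsaprov.c */` in provider_pkey_test.c cannot refer to the variable it names, because this patch series declares it `static int key_deleted;` in fake_rsaprov.c, which gives it internal linkage. Nothing visible in the test reads it, and the state is reset through `fake_rsa_restore_store_state()` instead, so the declaration only links because it is unused. I would delete the line. If the test ever needs to read the flag, an accessor declared in fake_rsaprov.h would match how the reset is already exposed.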
@@ -288,6 +289,76 @@ static int test_pkey_store(int idx) return ret; } +static int test_pkey_delete(void) +{ + OSSL_PROVIDER *deflt = NULL; + OSSL_PROVIDER *fake_rsa = NULL; + int ret = 0; + EVP_PKEY *pkey = NULL; + OSSL_STORE_LOADER *loader = NULL; + OSSL_STORE_CTX *ctx = NULL; + OSSL_STORE_INFO *info; + const char *propq = "?provider=fake-rsa"; + + /* It's important to load the default provider first for this test */ + if (!TEST_ptr(deflt = OSSL_PROVIDER_load(libctx, "default"))) + goto end; + + if (!TEST_ptr(fake_rsa = fake_rsa_start(libctx))) + goto end; + + if (!TEST_ptr(loader = OSSL_STORE_LOADER_fetch(libctx, "fake_rsa", + propq))) + goto end; + + OSSL_STORE_LOADER_free(loader); + + /* First iteration: load key, check it, delete it */ + if (!TEST_ptr(ctx = OSSL_STORE_open_ex("fake_rsa:test", libctx, propq, + NULL, NULL, NULL, NULL, NULL))) + goto end; + + while (!OSSL_STORE_eof(ctx) + && (info = OSSL_STORE_load(ctx)) != NULL + && pkey == NULL) { + if (OSSL_STORE_INFO_get_type(info) == OSSL_STORE_INFO_PKEY) + pkey = OSSL_STORE_INFO_get1_PKEY(info); + OSSL_STORE_INFO_free(info); + info = NULL; + } + + if (!TEST_ptr(pkey) || !TEST_int_eq(EVP_PKEY_is_a(pkey, "RSA"), 1)) + goto end; + EVP_PKEY_free(pkey); + pkey = NULL; + + if (!TEST_int_eq(OSSL_STORE_delete("fake_rsa:test", libctx, propq, + NULL, NULL, NULL), 1)) + goto end; + if (!TEST_int_eq(OSSL_STORE_close(ctx), 1)) + goto end; + + /* Second iteration: load key should fail */ + if (!TEST_ptr(ctx = OSSL_STORE_open_ex("fake_rsa:test", libctx, propq, + NULL, NULL, NULL, NULL, NULL))) + goto end; + + while (!OSSL_STORE_eof(ctx)) { + info = OSSL_STORE_load(ctx); + if (!TEST_ptr_null(info)) + goto end; + } + + ret = 1; + +end: + fake_rsa_finish(fake_rsa); + OSSL_PROVIDER_unload(deflt); + OSSL_STORE_close(ctx); + fake_rsa_restore_store_state(); + return ret; +} + int setup_tests(void) { libctx = OSSL_LIB_CTX_new(); 
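Review bot: The `end:` path of `test_pkey_delete` does not free `pkey`, so the `goto end` taken when `EVP_PKEY_is_a(pkey, "RSA")` fails leaks the key; adding `EVP_PKEY_free(pkey);` under `end:` covers it. `ctx` also keeps its old value after the mid-test `OSSL_STORE_close(ctx)`, so if that check fails the same context is closed a second time at `end:`; capture the result, set `ctx = NULL`, then test the result. Finally, the first loop tests `pkey == NULL` only after `OSSL_STORE_load` has returned, so an `info` loaded once the key has been found is never freed. Writing the condition as `!OSSL_STORE_eof(ctx) && pkey == NULL && (info = OSSL_STORE_load(ctx)) != NULL` avoids that.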
@@ -298,6 +369,7 @@ int setup_tests(void) ADD_TEST(test_alternative_keygen_init); ADD_TEST(test_pkey_eq); ADD_ALL_TESTS(test_pkey_store, 2); + ADD_TEST(test_pkey_delete); return 1; } From ed4a71d18d939f557b430c4369d118b55c1c0b6c Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Thu, 31 Aug 2023 11:33:36 +0200 Subject: [PATCH 199/324] Store: API for deletion - documentation Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21901) --- doc/man3/OSSL_STORE_open.pod | 14 ++++++++++---- doc/man7/provider-storemgmt.pod | 12 ++++++++++++ 2 files changed, 22 insertions(+), 4 deletions(-) diff --git a/doc/man3/OSSL_STORE_open.pod b/doc/man3/OSSL_STORE_open.pod index fe51912e84c05..8e4a9a7926785 100644 --- a/doc/man3/OSSL_STORE_open.pod +++ b/doc/man3/OSSL_STORE_open.pod @@ -4,7 +4,7 @@ OSSL_STORE_CTX, OSSL_STORE_post_process_info_fn, OSSL_STORE_open, OSSL_STORE_open_ex, -OSSL_STORE_ctrl, OSSL_STORE_load, OSSL_STORE_eof, +OSSL_STORE_ctrl, OSSL_STORE_load, OSSL_STORE_eof, OSSL_STORE_delete, OSSL_STORE_error, OSSL_STORE_close - Types and functions to read objects from a URI @@ -30,6 +30,9 @@ OSSL_STORE_error, OSSL_STORE_close OSSL_STORE_INFO *OSSL_STORE_load(OSSL_STORE_CTX *ctx); int OSSL_STORE_eof(OSSL_STORE_CTX *ctx); + int OSSL_STORE_delete(const char *uri, OSSL_LIB_CTX *libctx, const char *propq, + const UI_METHOD *ui_method, void *ui_data, + const OSSL_PARAM params[]); int OSSL_STORE_error(OSSL_STORE_CTX *ctx); int OSSL_STORE_close(OSSL_STORE_CTX *ctx); @@ -104,6 +107,8 @@ Any other value is an error. OSSL_STORE_load() takes a B and tries to load the next available object and return it wrapped with B. +OSSL_STORE_delete() deletes the object identified by I. + OSSL_STORE_eof() takes a B and checks if we've reached the end of data. 
@@ -152,7 +157,8 @@ or an error occurred, 0 otherwise. OSSL_STORE_error() returns 1 if an error occurred in an OSSL_STORE_load() call, otherwise 0. -OSSL_STORE_ctrl() and OSSL_STORE_close() returns 1 on success, or 0 on failure. +OSSL_STORE_delete(), OSSL_STORE_ctrl() and OSSL_STORE_close() return 1 on +success, or 0 on failure. =head1 SEE ALSO @@ -161,6 +167,8 @@ L =head1 HISTORY +OSSL_STORE_delete() was added in OpenSSL 3.2. + OSSL_STORE_open_ex() was added in OpenSSL 3.0. B, OSSL_STORE_post_process_info_fn(), OSSL_STORE_open(), @@ -170,8 +178,6 @@ were added in OpenSSL 1.1.1. Handling of NULL I argument for OSSL_STORE_close() was introduced in OpenSSL 1.1.1h. -OSSL_STORE_open_ex() was added in OpenSSL 3.0. - OSSL_STORE_ctrl() and OSSL_STORE_vctrl() were deprecated in OpenSSL 3.0. =head1 COPYRIGHT diff --git a/doc/man7/provider-storemgmt.pod b/doc/man7/provider-storemgmt.pod index 615ff7ef8e552..c58df619db9bc 100644 --- a/doc/man7/provider-storemgmt.pod +++ b/doc/man7/provider-storemgmt.pod @@ -28,6 +28,10 @@ provider-storemgmt - The OSSL_STORE library E-E provider functions (void *loaderctx, const void *objref, size_t objref_sz, OSSL_CALLBACK *export_cb, void *export_cbarg); + int OSSL_FUNC_store_delete(void *provctx, const char *uri, + const OSSL_PARAM params[], + OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg); + =head1 DESCRIPTION The STORE operation is the provider side of the L API. @@ -70,6 +74,7 @@ in L, as follows: OSSL_FUNC_store_eof OSSL_FUNC_STORE_EOF OSSL_FUNC_store_close OSSL_FUNC_STORE_CLOSE OSSL_FUNC_store_export_object OSSL_FUNC_STORE_EXPORT_OBJECT + OSSL_FUNC_store_delete OSSL_FUNC_STORE_DELETE =head2 Functions 
@@ -114,6 +119,11 @@ OSSL_FUNC_store_export_object() should export the object of size I referenced by I as an L array and pass that to the I as well as the given I. +OSSL_FUNC_store_delete() deletes the object identified by the I. The +implementation is entirely responsible for the interpretation of the URI. In +case a passphrase needs to be prompted to remove an object, I should be +called. + =head2 Load Parameters =over 4 @@ -186,6 +196,8 @@ L The STORE interface was introduced in OpenSSL 3.0. +OSSL_FUNC_store_delete() callback was added in OpenSSL 3.2 + =head1 COPYRIGHT Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. From 388a8e731445d190a46ec27b2ff5b4bf334d526b Mon Sep 17 00:00:00 2001 From: Olga Batyshkina Date: Mon, 7 Aug 2023 15:14:53 +0200 Subject: [PATCH 200/324] Fix PKCS#12 creation error when certificate contains auxiliary data Prefer friendly name passed by the caller and calculated local key id to ones found in certificate auxiliary data when creating PKCS#12. Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21675) --- crypto/pkcs12/p12_crt.c | 62 ++++++++++++++++++++++++------------ test/pkcs12_format_test.c | 66 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 108 insertions(+), 20 deletions(-) diff --git a/crypto/pkcs12/p12_crt.c b/crypto/pkcs12/p12_crt.c index 3246fbb7e8479..7681731207b15 100644 --- a/crypto/pkcs12/p12_crt.c +++ b/crypto/pkcs12/p12_crt.c @@ -16,6 +16,12 @@ static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, PKCS12_SAFEBAG *bag); static int pkcs12_remove_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, PKCS12_SAFEBAG *bag); +static PKCS12_SAFEBAG *pkcs12_add_cert_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, + X509 *cert, + const char *name, + int namelen, + unsigned char *keyid, + int keyidlen); static int copy_bag_attr(PKCS12_SAFEBAG *bag, EVP_PKEY *pkey, int nid) { 
@@ -39,6 +45,9 @@ PKCS12 *PKCS12_create_ex2(const char *pass, const char *name, EVP_PKEY *pkey, int i, cbret; unsigned char keyid[EVP_MAX_MD_SIZE]; unsigned int keyidlen = 0; + int namelen = -1; + unsigned char *pkeyid = NULL; + int pkeyidlen = -1; /* Set defaults */ if (nid_cert == NID_undef) @@ -63,11 +72,16 @@ PKCS12 *PKCS12_create_ex2(const char *pass, const char *name, EVP_PKEY *pkey, } if (cert) { - bag = PKCS12_add_cert(&bags, cert); - if (name && !PKCS12_add_friendlyname(bag, name, -1)) - goto err; - if (keyidlen && !PKCS12_add_localkeyid(bag, keyid, keyidlen)) - goto err; + if (name == NULL) + name = (char *)X509_alias_get0(cert, &namelen); + if (keyidlen > 0) { + pkeyid = keyid; + pkeyidlen = keyidlen; + } else { + pkeyid = X509_keyid_get0(cert, &pkeyidlen); + } + + bag = pkcs12_add_cert_bag(&bags, cert, name, namelen, pkeyid, pkeyidlen); if (cb != NULL) { cbret = cb(bag, cbarg); if (cbret == -1) { @@ -175,30 +189,23 @@ PKCS12 *PKCS12_create(const char *pass, const char *name, EVP_PKEY *pkey, X509 * iter, mac_iter, keytype, NULL, NULL); } -PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert) +static PKCS12_SAFEBAG *pkcs12_add_cert_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, + X509 *cert, + const char *name, + int namelen, + unsigned char *keyid, + int keyidlen) { PKCS12_SAFEBAG *bag = NULL; - char *name; - int namelen = -1; - unsigned char *keyid; - int keyidlen = -1; /* Add user certificate */ if ((bag = PKCS12_SAFEBAG_create_cert(cert)) == NULL) goto err; - /* - * Use friendlyName and localKeyID in certificate. (if present) - */ - - name = (char *)X509_alias_get0(cert, &namelen); - - if (name && !PKCS12_add_friendlyname(bag, name, namelen)) + if (name != NULL && !PKCS12_add_friendlyname(bag, name, namelen)) goto err; - keyid = X509_keyid_get0(cert, &keyidlen); - - if (keyid && !PKCS12_add_localkeyid(bag, keyid, keyidlen)) + if (keyid != NULL && !PKCS12_add_localkeyid(bag, keyid, keyidlen)) goto err; if (!pkcs12_add_bag(pbags, bag)) 
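Review bot: In `PKCS12_create_ex2` the result of `pkcs12_add_cert_bag(...)` is not checked before `bag` is handed to `cb(bag, cbarg)`. The removed lines jumped to `err` when `PKCS12_add_friendlyname` or `PKCS12_add_localkeyid` failed. Those failures now happen inside the helper, which frees the bag and returns NULL, so the callback can receive a NULL bag and creation may continue without the certificate. Adding `if (bag == NULL) goto err;` directly after the call restores the old error behaviour. The function continues outside the hunk.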
@@ -209,7 +216,22 @@ PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert) err: PKCS12_SAFEBAG_free(bag); return NULL; +} + +PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert) +{ + char *name = NULL; + int namelen = -1; + unsigned char *keyid = NULL; + int keyidlen = -1; + + /* + * Use friendlyName and localKeyID in certificate. (if present) + */ + name = (char *)X509_alias_get0(cert, &namelen); + keyid = X509_keyid_get0(cert, &keyidlen); + return pkcs12_add_cert_bag(pbags, cert, name, namelen, keyid, keyidlen); } PKCS12_SAFEBAG *PKCS12_add_key_ex(STACK_OF(PKCS12_SAFEBAG) **pbags, diff --git a/test/pkcs12_format_test.c b/test/pkcs12_format_test.c index 507a9baf07475..e2048bc27e75b 100644 --- a/test/pkcs12_format_test.c +++ b/test/pkcs12_format_test.c 
@@ -882,6 +882,70 @@ static int pkcs12_create_test(void) } #endif +static int pkcs12_recreate_test(void) +{ + int ret = 0; + X509 *cert = NULL; + X509 *cert_parsed = NULL; + EVP_PKEY *pkey = NULL; + EVP_PKEY *pkey_parsed = NULL; + PKCS12 *p12 = NULL; + PKCS12 *p12_parsed = NULL; + PKCS12 *p12_recreated = NULL; + const unsigned char *cert_bytes = CERT1; + const unsigned char *key_bytes = KEY1; + BIO *bio = NULL; + + cert = d2i_X509(NULL, &cert_bytes, sizeof(CERT1)); + if (!TEST_ptr(cert)) + goto err; + pkey = d2i_AutoPrivateKey(NULL, &key_bytes, sizeof(KEY1)); + if (!TEST_ptr(pkey)) + goto err; + p12 = PKCS12_create("pass", NULL, pkey, cert, NULL, NID_aes_256_cbc, + NID_aes_256_cbc, 2, 1, 0); + if (!TEST_ptr(p12)) + goto err; + if (!TEST_int_eq(ERR_peek_error(), 0)) + goto err; + + bio = BIO_new(BIO_s_mem()); + if (!TEST_ptr(bio)) + goto err; + if (!TEST_int_eq(i2d_PKCS12_bio(bio, p12), 1)) + goto err; + p12_parsed = PKCS12_init_ex(NID_pkcs7_data, testctx, NULL); + if (!TEST_ptr(p12_parsed)) + goto err; + p12_parsed = d2i_PKCS12_bio(bio, &p12_parsed); + if (!TEST_ptr(p12_parsed)) + goto err; + if (!TEST_int_eq(PKCS12_parse(p12_parsed, "pass", &pkey_parsed, + &cert_parsed, NULL), 1)) + goto err; + + /* cert_parsed also contains auxiliary data */ + p12_recreated = PKCS12_create("new_pass", NULL, pkey_parsed, cert_parsed, + NULL, NID_aes_256_cbc, NID_aes_256_cbc, + 2, 1, 0); + if (!TEST_ptr(p12_recreated)) + goto err; + if (!TEST_int_eq(ERR_peek_error(), 0)) + goto err; + + ret = 1; +err: + BIO_free(bio); + PKCS12_free(p12); + PKCS12_free(p12_parsed); + PKCS12_free(p12_recreated); + EVP_PKEY_free(pkey); + EVP_PKEY_free(pkey_parsed); + X509_free(cert); + X509_free(cert_parsed); + return ret; +} + typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, 
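Review bot: `pkcs12_recreate_test` passes NULL as the friendly name to both `PKCS12_create` calls, so it covers the auxiliary-data failure but not the other half of the fix, where a caller-supplied name must take precedence over the alias stored in the certificate. It also checks only that creation succeeds and that the error queue is empty; nothing inspects the attributes of the recreated bag. A further recreate call with a non-NULL name, followed by a parse and a comparison of the resulting alias, would pin the behaviour the commit message describes.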
@@ -963,6 +1027,8 @@ int setup_tests(void) if (default_libctx) ADD_TEST(pkcs12_create_test); #endif + if (default_libctx) + ADD_TEST(pkcs12_recreate_test); ADD_ALL_TESTS(test_single_key_enc_pass, OSSL_NELEM(passwords)); ADD_ALL_TESTS(test_single_key_enc_iter, OSSL_NELEM(iters)); ADD_TEST(test_single_key_with_attrs); From bbb6d620f6014274cb00a8186225447a2a114543 Mon Sep 17 00:00:00 2001 From: Neil Horman Date: Tue, 12 Sep 2023 17:07:53 -0400 Subject: [PATCH 201/324] Fix regression in evp_test for provider compat CI If we ignore the faliure to copy on an old fips provider, we need to use ctx_base, rather than ctx Fixes #22076 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22102) --- test/evp_test.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/test/evp_test.c b/test/evp_test.c index 7447435f06045..f15b2c5a1732c 100644 --- a/test/evp_test.c +++ b/test/evp_test.c @@ -877,6 +877,11 @@ static int cipher_test_enc(EVP_TEST *t, int enc, size_t out_misalign, } else { TEST_info("Allowing copy fail as an old fips provider is in use."); } + EVP_CIPHER_CTX_free(ctx); + ctx = ctx_base; + } else { + EVP_CIPHER_CTX_free(ctx_base); + ctx_base = NULL; } /* Likewise for dup */ duped = EVP_CIPHER_CTX_dup(ctx); From 0ca5cf989101cae6ffeaef3518e99839fbccb9ba Mon Sep 17 00:00:00 2001 
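Review bot: After the added `ctx = ctx_base;` on the tolerated copy-failure path in `cipher_test_enc`, `ctx` and `ctx_base` name the same context, and the hunk leaves `ctx_base` non-NULL. The cleanup code is outside the hunk; if it frees both pointers unconditionally, this path frees the context twice. Unless `ctx_base` is still needed afterwards, writing `ctx = ctx_base; ctx_base = NULL;` makes ownership unambiguous and mirrors the `else` branch, which already sets `ctx_base` to NULL after freeing it.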
From: Neil Horman Date: Tue, 12 Sep 2023 17:09:06 -0400 Subject: [PATCH 202/324] Fix a key repointing in various ciphers In the dupctx fixups I missed a pointer that needed to be repointed to the surrounding structures AES_KEY structure for the sm4/aes/aria ccm/gcm variants. This caused a colliding use of the key and possible use after free issues. Fixes #22076 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22102) --- providers/implementations/ciphers/cipher_aes_gcm.c | 8 +++++++- providers/implementations/ciphers/cipher_aria_ccm.c | 8 +++++++- providers/implementations/ciphers/cipher_aria_gcm.c | 8 +++++++- providers/implementations/ciphers/cipher_sm4_ccm.c | 8 +++++++- providers/implementations/ciphers/cipher_sm4_gcm.c | 8 +++++++- 5 files changed, 35 insertions(+), 5 deletions(-) diff --git a/providers/implementations/ciphers/cipher_aes_gcm.c b/providers/implementations/ciphers/cipher_aes_gcm.c index 0a15693cc1a4c..edc3cc262ef95 100644 --- a/providers/implementations/ciphers/cipher_aes_gcm.c +++ b/providers/implementations/ciphers/cipher_aes_gcm.c @@ -37,10 +37,16 @@ static void *aes_gcm_newctx(void *provctx, size_t keybits) static void *aes_gcm_dupctx(void *provctx) { PROV_AES_GCM_CTX *ctx = provctx; + PROV_AES_GCM_CTX *dctx = NULL; if (ctx == NULL) return NULL; - return OPENSSL_memdup(ctx, sizeof(*ctx)); + + dctx = OPENSSL_memdup(ctx, sizeof(*ctx)); + if (dctx != NULL && dctx->base.gcm.key != NULL) + dctx->base.gcm.key = &dctx->ks.ks; + + return dctx; } static OSSL_FUNC_cipher_freectx_fn aes_gcm_freectx; diff --git a/providers/implementations/ciphers/cipher_aria_ccm.c b/providers/implementations/ciphers/cipher_aria_ccm.c index 39a96a6f1404d..5fae5934698a2 100644 --- a/providers/implementations/ciphers/cipher_aria_ccm.c +++ b/providers/implementations/ciphers/cipher_aria_ccm.c 
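Review bot: `aes_gcm_dupctx` now re-points `base.gcm.key` after `OPENSSL_memdup`, but nothing in the code says why, and the same lines are repeated in the aria_ccm, aria_gcm, sm4_ccm and sm4_gcm hunks of this commit. A short comment would keep a later cleanup from removing the assignment, e.g. `/* memdup copied a pointer into the source ctx; point at our own key schedule */`. Because the duplicate is a shallow copy, it is also worth checking outside these hunks whether the base context holds any other pointer into the original structure that needs the same treatment.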
@@ -31,10 +31,16 @@ static void *aria_ccm_newctx(void *provctx, size_t keybits) static void *aria_ccm_dupctx(void *provctx) { PROV_ARIA_CCM_CTX *ctx = provctx; + PROV_ARIA_CCM_CTX *dctx = NULL; if (ctx == NULL) return NULL; - return OPENSSL_memdup(ctx, sizeof(*ctx)); + + dctx = OPENSSL_memdup(ctx, sizeof(*ctx)); + if (dctx != NULL && dctx->base.ccm_ctx.key != NULL) + dctx->base.ccm_ctx.key = &dctx->ks.ks; + + return dctx; } static void aria_ccm_freectx(void *vctx) diff --git a/providers/implementations/ciphers/cipher_aria_gcm.c b/providers/implementations/ciphers/cipher_aria_gcm.c index 6ffa0910fa21d..f9eb64cc194f6 100644 --- a/providers/implementations/ciphers/cipher_aria_gcm.c +++ b/providers/implementations/ciphers/cipher_aria_gcm.c @@ -30,10 +30,16 @@ static void *aria_gcm_newctx(void *provctx, size_t keybits) static void *aria_gcm_dupctx(void *provctx) { PROV_ARIA_GCM_CTX *ctx = provctx; + PROV_ARIA_GCM_CTX *dctx = NULL; if (ctx == NULL) return NULL; - return OPENSSL_memdup(ctx, sizeof(*ctx)); + + dctx = OPENSSL_memdup(ctx, sizeof(*ctx)); + if (dctx != NULL && dctx->base.gcm.key != NULL) + dctx->base.gcm.key = &dctx->ks.ks; + + return dctx; } static OSSL_FUNC_cipher_freectx_fn aria_gcm_freectx; diff --git a/providers/implementations/ciphers/cipher_sm4_ccm.c b/providers/implementations/ciphers/cipher_sm4_ccm.c index 5fd7d1a114c13..47fc6e103cce0 100644 --- a/providers/implementations/ciphers/cipher_sm4_ccm.c +++ b/providers/implementations/ciphers/cipher_sm4_ccm.c @@ -31,10 +31,16 @@ static void *sm4_ccm_newctx(void *provctx, size_t keybits) static void *sm4_ccm_dupctx(void *provctx) { PROV_SM4_CCM_CTX *ctx = provctx; + PROV_SM4_CCM_CTX *dctx = NULL; if (ctx == NULL) return NULL; - return OPENSSL_memdup(ctx, sizeof(*ctx)); + + dctx = OPENSSL_memdup(ctx, sizeof(*ctx)); + if (dctx != NULL && dctx->base.ccm_ctx.key != NULL) + dctx->base.ccm_ctx.key = &dctx->ks.ks; + + return dctx; } static void sm4_ccm_freectx(void *vctx) 
diff --git a/providers/implementations/ciphers/cipher_sm4_gcm.c b/providers/implementations/ciphers/cipher_sm4_gcm.c index 79e1b556d4371..e8fcf5787e489 100644 --- a/providers/implementations/ciphers/cipher_sm4_gcm.c +++ b/providers/implementations/ciphers/cipher_sm4_gcm.c @@ -32,10 +32,16 @@ static void *sm4_gcm_newctx(void *provctx, size_t keybits) static void *sm4_gcm_dupctx(void *provctx) { PROV_SM4_GCM_CTX *ctx = provctx; + PROV_SM4_GCM_CTX *dctx = NULL; if (ctx == NULL) return NULL; - return OPENSSL_memdup(ctx, sizeof(*ctx)); + + dctx = OPENSSL_memdup(ctx, sizeof(*ctx)); + if (dctx != NULL && dctx->base.gcm.key != NULL) + dctx->base.gcm.key = &dctx->ks.ks; + + return dctx; } static void sm4_gcm_freectx(void *vctx) From 798d69c8670283bdea5c39b03ff573d0c6a6b9fc Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 14 Sep 2023 16:59:47 +0200 Subject: [PATCH 203/324] coveralls.yml: Improve coverage mapping and remove 1.1.1 Reviewed-by: Matt Caswell Reviewed-by: Tom Cosgrove Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22104) --- .github/workflows/coveralls.yml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/.github/workflows/coveralls.yml b/.github/workflows/coveralls.yml index 7771f5fd38f76..bdb576fd650a5 100644 --- a/.github/workflows/coveralls.yml +++ b/.github/workflows/coveralls.yml 
@@ -25,16 +25,14 @@ jobs: matrix: branches: [ { - branch: OpenSSL_1_1_1-stable - }, { branch: openssl-3.1, - extra_config: enable-fips + extra_config: no-afalgeng enable-fips enable-ssl-trace enable-trace enable-zlib enable-rc5 enable-md2 enable-weak-ssl-ciphers enable-ec_nistp_64_gcc_128 }, { branch: openssl-3.0, - extra_config: enable-fips + extra_config: no-afalgeng enable-fips enable-ssl-trace enable-trace enable-zlib enable-rc5 enable-md2 enable-weak-ssl-ciphers enable-ec_nistp_64_gcc_128 }, { branch: master, - extra_config: no-afalgeng enable-fips enable-tfo + extra_config: no-afalgeng enable-fips enable-ssl-trace enable-trace enable-zlib enable-rc5 enable-md2 enable-weak-ssl-ciphers enable-ec_nistp_64_gcc_128 enable-tfo } ] runs-on: ubuntu-latest From 10fe5e29cad9a9dbaeda3cdc7c62470b21dd7d38 Mon Sep 17 00:00:00 2001 From: Dimitri Papadopoulos <3234522+DimitriPapadopoulos@users.noreply.github.com> Date: Wed, 13 Sep 2023 20:50:11 +0200 Subject: [PATCH 204/324] Fix new typos found by codespell Reviewed-by: Tomas Mraz Reviewed-by: Hugo Landau Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22098) --- NEWS.md | 2 +- doc/man1/openssl-cms.pod.in | 2 +- doc/man7/ossl-guide-libraries-introduction.pod | 4 ++-- providers/implementations/rands/drbg_ctr.c | 8 ++++---- providers/implementations/rands/drbg_hash.c | 6 +++--- providers/implementations/rands/drbg_hmac.c | 4 ++-- providers/implementations/rands/drbg_local.h | 2 +- ssl/quic/quic_local.h | 2 +- test/helpers/handshake_srp.c | 5 +++-- test/testutil/tests.c | 2 +- 10 files changed, 19 insertions(+), 18 deletions(-) diff --git a/NEWS.md b/NEWS.md index 6c440b68eb817..d0312961dfdc8 100644 --- a/NEWS.md +++ b/NEWS.md 
@@ -135,7 +135,7 @@ OpenSSL 3.0 * Fixed a bug where the RC4-MD5 ciphersuite incorrectly used the AAD data as the MAC key ([CVE-2022-1434]) * Fix a bug in the OPENSSL_LH_flush() function that breaks reuse of the memory - occuppied by the removed hash table entries ([CVE-2022-1473]) + occupied by the removed hash table entries ([CVE-2022-1473]) ### Major changes between OpenSSL 3.0.1 and OpenSSL 3.0.2 [15 Mar 2022] diff --git a/doc/man1/openssl-cms.pod.in b/doc/man1/openssl-cms.pod.in index 50845b772e4ea..a3ef9c0181205 100644 --- a/doc/man1/openssl-cms.pod.in +++ b/doc/man1/openssl-cms.pod.in @@ -402,7 +402,7 @@ option. =item I ... This is an alternative to using the B<-recip> option when encrypting a message. -One or more certificate filennames may be given. +One or more certificate filenames may be given. =item B<-I> diff --git a/doc/man7/ossl-guide-libraries-introduction.pod b/doc/man7/ossl-guide-libraries-introduction.pod index 78e0853d8e68d..d54e98cd86396 100644 --- a/doc/man7/ossl-guide-libraries-introduction.pod +++ b/doc/man7/ossl-guide-libraries-introduction.pod 
@@ -15,12 +15,12 @@ encryption, digital signatures, hash functions, etc. It additionally supplies supporting APIs for cryptography related standards, e.g. for reading and writing digital certificates (also known as X.509 certificates). Finally it also supplies various additional supporting APIs that are not directly cryptography -related but are nonetheless useful and dependended upon by other APIs. For +related but are nonetheless useful and depended upon by other APIs. For example the "BIO" functions provide capabilities for abstracting I/O, e.g. via a file or over a network. The C library provides functions to perform secure communication between -two peers across a network. Most signficiantly it implements support for the +two peers across a network. Most significantly it implements support for the SSL/TLS, DTLS and QUIC standards. The C library depends on and uses many of the capabilities supplied by diff --git a/providers/implementations/rands/drbg_ctr.c b/providers/implementations/rands/drbg_ctr.c index 2dc51d03c1653..cc4ed25cfd722 100644 --- a/providers/implementations/rands/drbg_ctr.c +++ b/providers/implementations/rands/drbg_ctr.c @@ -507,10 +507,10 @@ static int drbg_ctr_verify_zeroization(void *vdrbg) if (drbg->lock != NULL && !CRYPTO_THREAD_read_lock(drbg->lock)) return 0; - PROV_DRBG_VERYIFY_ZEROIZATION(ctr->K); - PROV_DRBG_VERYIFY_ZEROIZATION(ctr->V); - PROV_DRBG_VERYIFY_ZEROIZATION(ctr->bltmp); - PROV_DRBG_VERYIFY_ZEROIZATION(ctr->KX); + PROV_DRBG_VERIFY_ZEROIZATION(ctr->K); + PROV_DRBG_VERIFY_ZEROIZATION(ctr->V); + PROV_DRBG_VERIFY_ZEROIZATION(ctr->bltmp); + PROV_DRBG_VERIFY_ZEROIZATION(ctr->KX); if (ctr->bltmp_pos != 0) goto err; diff --git a/providers/implementations/rands/drbg_hash.c b/providers/implementations/rands/drbg_hash.c index 246aab58c96c0..a216910d831a9 100644 --- a/providers/implementations/rands/drbg_hash.c +++ b/providers/implementations/rands/drbg_hash.c 
@@ -405,9 +405,9 @@ static int drbg_hash_verify_zeroization(void *vdrbg) if (drbg->lock != NULL && !CRYPTO_THREAD_read_lock(drbg->lock)) return 0; - PROV_DRBG_VERYIFY_ZEROIZATION(hash->V); - PROV_DRBG_VERYIFY_ZEROIZATION(hash->C); - PROV_DRBG_VERYIFY_ZEROIZATION(hash->vtmp); + PROV_DRBG_VERIFY_ZEROIZATION(hash->V); + PROV_DRBG_VERIFY_ZEROIZATION(hash->C); + PROV_DRBG_VERIFY_ZEROIZATION(hash->vtmp); ret = 1; err: diff --git a/providers/implementations/rands/drbg_hmac.c b/providers/implementations/rands/drbg_hmac.c index ca190a740e4ca..74d47886b4444 100644 --- a/providers/implementations/rands/drbg_hmac.c +++ b/providers/implementations/rands/drbg_hmac.c @@ -298,8 +298,8 @@ static int drbg_hmac_verify_zeroization(void *vdrbg) if (drbg->lock != NULL && !CRYPTO_THREAD_read_lock(drbg->lock)) return 0; - PROV_DRBG_VERYIFY_ZEROIZATION(hmac->K); - PROV_DRBG_VERYIFY_ZEROIZATION(hmac->V); + PROV_DRBG_VERIFY_ZEROIZATION(hmac->K); + PROV_DRBG_VERIFY_ZEROIZATION(hmac->V); ret = 1; err: diff --git a/providers/implementations/rands/drbg_local.h b/providers/implementations/rands/drbg_local.h index dd46593a5f096..50f98a0b61ca3 100644 --- a/providers/implementations/rands/drbg_local.h +++ b/providers/implementations/rands/drbg_local.h @@ -206,7 +206,7 @@ OSSL_FUNC_rand_get_seed_fn ossl_drbg_get_seed; OSSL_FUNC_rand_clear_seed_fn ossl_drbg_clear_seed; /* Verify that an array of numeric values is all zero */ -#define PROV_DRBG_VERYIFY_ZEROIZATION(v) \ +#define PROV_DRBG_VERIFY_ZEROIZATION(v) \ { \ size_t i; \ \ diff --git a/ssl/quic/quic_local.h b/ssl/quic/quic_local.h index 063df7796a241..928ae4c6bf3f9 100644 --- a/ssl/quic/quic_local.h +++ b/ssl/quic/quic_local.h @@ -69,7 +69,7 @@ struct quic_xso_st { * b2 must equal b1 (validated unless ACCEPT_MOVING_WRITE_BUFFER) * l2 must equal l1 (always validated) * append into sstream from [b2 + aon_buf_pos, b2 + aon_buf_len) - * if done, aon_write_in_progess=0 + * if done, aon_write_in_progress=0 * */ /* Is an AON write in progress? */ 
diff --git a/test/helpers/handshake_srp.c b/test/helpers/handshake_srp.c index 43a5a4fd605a5..95fb101059f2e 100644 --- a/test/helpers/handshake_srp.c +++ b/test/helpers/handshake_srp.c @@ -8,8 +8,9 @@ */ /* - * SRP is deprecated and there is no replacent. When SRP is removed, the code in - * this file can be removed too. Until then we have to use the deprecated APIs. + * SRP is deprecated and there is no replacement. When SRP is removed, + * the code in this file can be removed too. Until then we have to use + * the deprecated APIs. */ #define OPENSSL_SUPPRESS_DEPRECATED diff --git a/test/testutil/tests.c b/test/testutil/tests.c index 50d4e12e054d7..efc4fd2b649a7 100644 --- a/test/testutil/tests.c +++ b/test/testutil/tests.c @@ -18,7 +18,7 @@ /* * Output a failed test first line. - * All items are optional are generally not preinted if passed as NULL. + * All items are optional are generally not printed if passed as NULL. * The special cases are for prefix where "ERROR" is assumed and for left * and right where a non-failure message is produced if either is NULL. */ From 46ea5486f34ff8c2fed67674da2a363bbd66691b Mon Sep 17 00:00:00 2001 From: "Matthias St. Pierre" Date: Fri, 15 Sep 2023 15:32:25 +0200 Subject: [PATCH 205/324] APPS: remove duplicate definition of `trace_data_stack` Note: It seems like the C compiler doesn't care about the duplicate. (The first definition is eight lines above.) The C++ compiler however didn't like it when I reused the tracing code snippets elsewhere. Reviewed-by: Matt Caswell Reviewed-by: Tom Cosgrove Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22117) --- apps/openssl.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/apps/openssl.c b/apps/openssl.c index dd41ac3a84e44..adf77096c7f31 100644 --- a/apps/openssl.c +++ b/apps/openssl.c 
@@ -157,8 +157,6 @@ static void tracedata_free(tracedata *data)
 OPENSSL_free(data);
 }
-static STACK_OF(tracedata) *trace_data_stack;
-
 static void cleanup_trace(void)
 {
 sk_tracedata_pop_free(trace_data_stack, tracedata_free);
From 861027ffd06019baf82148837e30a992ca9b055e Mon Sep 17 00:00:00 2001 From: Pan Lanlan Date: Sat, 9 Sep 2023 00:13:43 +0800 Subject: [PATCH 206/324] Update OPENSSL_buf2hexstr() to use DEFAULT_SEPARATOR. CLA: trivial Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22041)
---
crypto/o_str.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/crypto/o_str.c b/crypto/o_str.c
index 119d791e2072b..274b8476140b1 100644
--- a/crypto/o_str.c
+++ b/crypto/o_str.c
@@ -279,13 +279,13 @@ char *ossl_buf2hexstr_sep(const unsigned char *buf, long buflen, char sep)
 /*
- * Given a buffer of length 'len' return a OPENSSL_malloc'ed string with its
- * hex representation @@@ (Contents of buffer are always kept in ASCII, also
- * on EBCDIC machines)
+ * Given a buffer of length 'buflen' return a OPENSSL_malloc'ed string with
+ * its hex representation @@@ (Contents of buffer are always kept in ASCII,
+ * also on EBCDIC machines)
 */
 char *OPENSSL_buf2hexstr(const unsigned char *buf, long buflen)
 {
- return ossl_buf2hexstr_sep(buf, buflen, ':');
+ return ossl_buf2hexstr_sep(buf, buflen, DEFAULT_SEPARATOR);
 }
 int openssl_strerror_r(int errnum, char *buf, size_t buflen)
From 2743594d73e65c38375c619e89ec62579e2c24a9 Mon Sep 17 00:00:00 2001
From: Sumitra Sharma Date: Tue, 12 Sep 2023 12:00:21 +0530 Subject: [PATCH 207/324] Enhance code safety and readability in SSL_get_shared_ciphers() This commit introduces two key improvements: 1. Improve code safety by replacing the conditional statement with `if (n >= size)` and using OPENSSL_strnlen() instead of strlen(). This change ensures proper buffer size handling and adheres to secure coding practices. 2. Enhance code readability by substituting `strcpy(p, c->name)` with `memcpy(p, c->name, n)`. This adjustment prioritizes code clarity and maintenance, even while mitigating a minimal buffer overflow risk. These enhancements bolster the code's robustness and comprehensibility, aligning with secure coding principles and best practices. Fixes #19837 Signed-off-by: Sumitra Sharma Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21934)
---
ssl/ssl_lib.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index b7fa9d78f70a9..fdc8b6b82410d 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3397,14 +3397,14 @@ char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size)
 if (sk_SSL_CIPHER_find(srvrsk, c) < 0)
 continue;
- n = strlen(c->name);
- if (n + 1 > size) {
+ n = OPENSSL_strnlen(c->name, size);
+ if (n >= size) {
 if (p != buf)
 --p;
 *p = '\0';
 return buf;
 }
- strcpy(p, c->name);
+ memcpy(p, c->name, n);
 p += n;
 *(p++) = ':';
 size -= n + 1;
From 19937db0f2769bc9e4882b476901e446eaadb384 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 13 Sep 2023 16:56:58 +0200 Subject: [PATCH 208/324] Postponed further context duplication support for ciphers Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22094)
---
test/evp_test.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/test/evp_test.c b/test/evp_test.c
index f15b2c5a1732c..ff424eac729b4 100644
--- a/test/evp_test.c
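Review bot: `memcpy(p, c->name, n)` in the `@@ -3397,14 +3397,14 @@` hunk copies the cipher name without its terminator, so the buffer is only a valid string once the `':'` two lines down and the final NUL (written outside this hunk) are in place; a short comment would stop a later reader from "fixing" it, e.g. `/* name copied without its NUL; ':' follows and the list is terminated on exit */`. Separately, `size` is an `int` (see the signature in the hunk header) and is passed to `OPENSSL_strnlen()` as the maximum length, where a zero or negative value would not bound the scan the way the code intends. Presumably an earlier check keeps `size` positive, but that check and the declaration of `n` are outside the hunk, so it is worth confirming and noting at the call.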
+++ b/test/evp_test.c
@@ -735,9 +735,9 @@ static int cipher_test_enc(EVP_TEST *t, int enc, size_t out_misalign,
 int ok = 0, tmplen, chunklen, tmpflen, i;
 EVP_CIPHER_CTX *ctx_base = NULL;
 EVP_CIPHER_CTX *ctx = NULL, *duped;
- int fips_dupctx_supported = (fips_provider_version_ge(libctx, 3, 0, 11)
- && fips_provider_version_lt(libctx, 3, 1, 0))
- || fips_provider_version_ge(libctx, 3, 1, 3);
+ int fips_dupctx_supported = (fips_provider_version_ge(libctx, 3, 0, 12)
+ && fips_provider_version_lt(libctx, 3, 1, 0))
+ || fips_provider_version_ge(libctx, 3, 1, 4);
 t->err = "TEST_FAILURE";
 if (!TEST_ptr(ctx_base = EVP_CIPHER_CTX_new()))
From 96e678087de25c4bb19ef01492bd04002c3fe315 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 23 Jan 2023 17:28:21 -0500 Subject: [PATCH 209/324] Allow to pass a passprase callback at store open Some PKCS11 modules require authentication early on to be able to preload objects, which we want to do to avoid costly roundtrips when the HSM is actually reached over a network (Cloud HSM). Unfortunately at open time we can't interact with the user becaue the callbacks are only passed at object load time. later on. This patch corrects this issue by providing a more feature rich open call for providers. Signed-off-by: Simo Sorce Reviewed-by: Dmitry Belyavskiy Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/20131)
---
crypto/store/store_lib.c | 38 ++++++++++++++++++++++----------- crypto/store/store_local.h | 1 + crypto/store/store_meth.c | 4 ++++ include/openssl/core_dispatch.h | 4 ++++ 4 files changed, 35 insertions(+), 12 deletions(-)
diff --git a/crypto/store/store_lib.c b/crypto/store/store_lib.c
index a68e8e28b62de..d0561f636cfde 100644
--- a/crypto/store/store_lib.c
+++ b/crypto/store/store_lib.c
@@ -66,6 +66,7 @@ OSSL_STORE_open_ex(const char *uri, OSSL_LIB_CTX *libctx, const char *propq,
 OSSL_STORE_post_process_info_fn post_process,
 void *post_process_data)
 {
+ struct ossl_passphrase_data_st pwdata = { 0 };
 const OSSL_STORE_LOADER *loader = NULL;
 OSSL_STORE_LOADER *fetched_loader = NULL;
 OSSL_STORE_LOADER_CTX *loader_ctx = NULL;
@@ -102,6 +103,13 @@ OSSL_STORE_open_ex(const char *uri, OSSL_LIB_CTX *libctx, const char *propq,
 ERR_set_mark();
+ if (ui_method != NULL
+ && (!ossl_pw_set_ui_method(&pwdata, ui_method, ui_data)
+ || !ossl_pw_enable_passphrase_caching(&pwdata))) {
+ ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_CRYPTO_LIB);
+ goto err;
+ }
+
 /*
 * Try each scheme until we find one that could open the URI.
 *
@@ -135,17 +143,28 @@ OSSL_STORE_open_ex(const char *uri, OSSL_LIB_CTX *libctx, const char *propq,
 void *provctx = OSSL_PROVIDER_get0_provider_ctx(provider);
 no_loader_found = 0;
- loader_ctx = fetched_loader->p_open(provctx, uri);
+ if (fetched_loader->p_open_ex != NULL) {
+ loader_ctx =
+ fetched_loader->p_open_ex(provctx, uri, params,
+ ossl_pw_passphrase_callback_dec,
+ &pwdata);
+ } else {
+ loader_ctx = fetched_loader->p_open(provctx, uri);
+ if (loader_ctx != NULL &&
+ !loader_set_params(fetched_loader, loader_ctx,
+ params, propq)) {
+ (void)fetched_loader->p_close(loader_ctx);
+ loader_ctx = NULL;
+ }
+ }
 if (loader_ctx == NULL) {
 OSSL_STORE_LOADER_free(fetched_loader);
 fetched_loader = NULL;
- } else if (!loader_set_params(fetched_loader, loader_ctx,
- params, propq)) {
- (void)fetched_loader->p_close(loader_ctx);
- OSSL_STORE_LOADER_free(fetched_loader);
- fetched_loader = NULL;
 }
 loader = fetched_loader;
+
+ /* Clear any internally cached passphrase */
+ (void)ossl_pw_clear_passphrase_cache(&pwdata);
 }
 }
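Review bot: In the `p_open_ex` branch of the `@@ -135,17 +143,28 @@` hunk, `ossl_pw_passphrase_callback_dec` and `&pwdata` are handed to the provider even when `ui_method` is NULL and `pwdata` is still all zeroes, so the provider always sees a non-NULL `pw_cb`, and presumably that callback can only fail when it is called. That looks intended (the companion test retries without a UI method and expects the open to fail), but it should be stated at the call, e.g. `/* pw_cb is always passed; it fails if no ui_method was supplied */`. The cache-clearing comment could also say why it happens here: the `@@ -171,18 +190,13 @@` hunk later copies `pwdata` into `ctx` by value, which presumably relies on no open-time passphrase being left in the stack copy. The function's `err:` label is outside these hunks, so cleanup of `pwdata` on the `goto err` paths cannot be checked from here.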
@@ -171,18 +190,13 @@ OSSL_STORE_open_ex(const char *uri, OSSL_LIB_CTX *libctx, const char *propq,
 || (ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL)
 goto err;
- if (ui_method != NULL
- && (!ossl_pw_set_ui_method(&ctx->pwdata, ui_method, ui_data)
- || !ossl_pw_enable_passphrase_caching(&ctx->pwdata))) {
- ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_CRYPTO_LIB);
- goto err;
- }
 ctx->properties = propq_copy;
 ctx->fetched_loader = fetched_loader;
 ctx->loader = loader;
 ctx->loader_ctx = loader_ctx;
 ctx->post_process = post_process;
 ctx->post_process_data = post_process_data;
+ ctx->pwdata = pwdata;
 /*
 * If the attempt to open with the 'file' scheme loader failed and the
diff --git a/crypto/store/store_local.h b/crypto/store/store_local.h
index 06c8c9b218885..6ad79180a091f 100644
--- a/crypto/store/store_local.h
+++ b/crypto/store/store_local.h
@@ -113,6 +113,7 @@ struct ossl_store_loader_st {
 OSSL_FUNC_store_close_fn *p_close;
 OSSL_FUNC_store_export_object_fn *p_export_object;
 OSSL_FUNC_store_delete_fn *p_delete;
+ OSSL_FUNC_store_open_ex_fn *p_open_ex;
 };
 DEFINE_LHASH_OF_EX(OSSL_STORE_LOADER);
diff --git a/crypto/store/store_meth.c b/crypto/store/store_meth.c
index 766777c3a0295..6ac8fd5f9374b 100644
--- a/crypto/store/store_meth.c
+++ b/crypto/store/store_meth.c
@@ -223,6 +223,10 @@ static void *loader_from_algorithm(int scheme_id, const OSSL_ALGORITHM *algodef,
 if (loader->p_delete == NULL)
 loader->p_delete = OSSL_FUNC_store_delete(fns);
 break;
+ case OSSL_FUNC_STORE_OPEN_EX:
+ if (loader->p_open_ex == NULL)
+ loader->p_open_ex = OSSL_FUNC_store_open_ex(fns);
+ break;
 }
 }
diff --git a/include/openssl/core_dispatch.h b/include/openssl/core_dispatch.h
index 9631626ae36bf..73f040285cd51 100644
--- a/include/openssl/core_dispatch.h
+++ b/include/openssl/core_dispatch.h
@@ -937,6 +937,7 @@ OSSL_CORE_MAKE_FUNC(int, decoder_export_object, #define OSSL_FUNC_STORE_CLOSE 7 #define OSSL_FUNC_STORE_EXPORT_OBJECT 8 #define OSSL_FUNC_STORE_DELETE 9 +#define OSSL_FUNC_STORE_OPEN_EX 10 OSSL_CORE_MAKE_FUNC(void *, store_open, (void *provctx, const char *uri)) OSSL_CORE_MAKE_FUNC(void *, store_attach, (void *provctx, OSSL_CORE_BIO *in)) OSSL_CORE_MAKE_FUNC(const OSSL_PARAM *, store_settable_ctx_params, @@ -955,6 +956,9 @@ OSSL_CORE_MAKE_FUNC(int, store_export_object, OSSL_CORE_MAKE_FUNC(int, store_delete, (void *provctx, const char *uri, const OSSL_PARAM params[], OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg)) +OSSL_CORE_MAKE_FUNC(void *, store_open_ex, + (void *provctx, const char *uri, const OSSL_PARAM params[], + OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg)) # ifdef __cplusplus } From 64129008fb822758778f7dd29cec6a0a4582e4d2 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Thu, 14 Sep 2023 09:25:30 -0400 Subject: [PATCH 210/324] Add Test to verify open_ex password checking works Signed-off-by: Simo Sorce Reviewed-by: Dmitry Belyavskiy Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/20131) --- test/fake_rsaprov.c | 46 ++++++++++++++++++++++++++- test/fake_rsaprov.h | 2 ++ test/provider_pkey_test.c | 66 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 113 insertions(+), 1 deletion(-) diff --git a/test/fake_rsaprov.c b/test/fake_rsaprov.c index 9bc463b2c8554..c1b8e28286143 100644 --- a/test/fake_rsaprov.c +++ b/test/fake_rsaprov.c @@ -525,6 +525,7 @@ static const OSSL_ALGORITHM fake_rsa_sig_algs[] = { }; static OSSL_FUNC_store_open_fn fake_rsa_st_open; +static OSSL_FUNC_store_open_ex_fn fake_rsa_st_open_ex; static OSSL_FUNC_store_settable_ctx_params_fn fake_rsa_st_settable_ctx_params; static OSSL_FUNC_store_set_ctx_params_fn fake_rsa_st_set_ctx_params; static OSSL_FUNC_store_load_fn fake_rsa_st_load; 
@@ -533,8 +534,13 @@ static OSSL_FUNC_store_close_fn fake_rsa_st_close;
 static OSSL_FUNC_store_delete_fn fake_rsa_st_delete;
 static const char fake_rsa_scheme[] = "fake_rsa:";
+static const char fake_rsa_openpwtest[] = "fake_rsa:openpwtest";
+static const char fake_rsa_prompt[] = "Fake Prompt Info";
-static void *fake_rsa_st_open(void *provctx, const char *uri)
+static void *fake_rsa_st_open_ex(void *provctx, const char *uri,
+ const OSSL_PARAM params[],
+ OSSL_PASSPHRASE_CALLBACK *pw_cb,
+ void *pw_cbarg)
 {
 unsigned char *storectx = NULL;
@@ -542,10 +548,47 @@ static void *fake_rsa_st_open(void *provctx, const char *uri)
 if (strncmp(uri, fake_rsa_scheme, sizeof(fake_rsa_scheme) - 1) != 0)
 return NULL;
+ if (strncmp(uri, fake_rsa_openpwtest,
+ sizeof(fake_rsa_openpwtest) - 1) == 0) {
+ const char *pw_check = FAKE_PASSPHRASE;
+ char fakepw[sizeof(FAKE_PASSPHRASE) + 1] = { 0 };
+ size_t fakepw_len = 0;
+ OSSL_PARAM pw_params[2] = {
+ OSSL_PARAM_utf8_string(OSSL_PASSPHRASE_PARAM_INFO,
+ (void *)fake_rsa_prompt,
+ sizeof(fake_rsa_prompt) - 1),
+ OSSL_PARAM_END,
+ };
+
+ if (pw_cb == NULL) {
+ return NULL;
+ }
+
+ if (!pw_cb(fakepw, sizeof(fakepw), &fakepw_len, pw_params, pw_cbarg)) {
+ TEST_info("fake_rsa_open_ex failed passphrase callback");
+ return NULL;
+ }
+ if (strncmp(pw_check, fakepw, sizeof(pw_check) - 1) != 0) {
+ TEST_info("fake_rsa_open_ex failed passphrase check");
+ return NULL;
+ }
+ }
+
 storectx = OPENSSL_zalloc(1);
 if (!TEST_ptr(storectx))
 return NULL;
+ TEST_info("fake_rsa_open_ex called");
+
+ return storectx;
+}
+
+static void *fake_rsa_st_open(void *provctx, const char *uri)
+{
+ unsigned char *storectx = NULL;
+
+ storectx = fake_rsa_st_open_ex(provctx, uri, NULL, NULL, NULL);
+
 TEST_info("fake_rsa_open called");
 return storectx;
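Review bot: `strncmp(pw_check, fakepw, sizeof(pw_check) - 1)` in the `@@ -542,10 +548,47 @@` hunk takes the size of a `const char *`, not of the passphrase, so only the first `sizeof(char *) - 1` bytes are compared and any passphrase sharing that prefix with `FAKE_PASSPHRASE` passes the check. The length the callback reports in `fakepw_len` is never looked at either. Comparing the full value and its length closes both gaps: `if (fakepw_len != sizeof(FAKE_PASSPHRASE) - 1 || memcmp(fakepw, pw_check, fakepw_len) != 0) {`. As written, the test that exercises this path shows only that a callback ran, not that the right passphrase reached the provider.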
@@ -643,6 +686,7 @@ static int fake_rsa_st_close(void *loaderctx) static const OSSL_DISPATCH fake_rsa_store_funcs[] = { { OSSL_FUNC_STORE_OPEN, (void (*)(void))fake_rsa_st_open }, + { OSSL_FUNC_STORE_OPEN_EX, (void (*)(void))fake_rsa_st_open_ex }, { OSSL_FUNC_STORE_SETTABLE_CTX_PARAMS, (void (*)(void))fake_rsa_st_settable_ctx_params }, { OSSL_FUNC_STORE_SET_CTX_PARAMS, (void (*)(void))fake_rsa_st_set_ctx_params }, diff --git a/test/fake_rsaprov.h b/test/fake_rsaprov.h index 53056fa59f694..9c353b386f3b6 100644 --- a/test/fake_rsaprov.h +++ b/test/fake_rsaprov.h @@ -9,6 +9,8 @@ #include +#define FAKE_PASSPHRASE "Passphrase Testing" + /* Fake RSA provider implementation */ OSSL_PROVIDER *fake_rsa_start(OSSL_LIB_CTX *libctx); void fake_rsa_finish(OSSL_PROVIDER *p); diff --git a/test/provider_pkey_test.c b/test/provider_pkey_test.c index 09b060642b774..7d5fcfa647e78 100644 --- a/test/provider_pkey_test.c +++ b/test/provider_pkey_test.c @@ -14,6 +14,7 @@ #include #include #include +#include #include "testutil.h" #include "fake_rsaprov.h" 
@@ -359,6 +360,70 @@ static int test_pkey_delete(void)
 return ret;
 }
+static int fake_pw_read_string(UI *ui, UI_STRING *uis)
+{
+ const char *passphrase = FAKE_PASSPHRASE;
+
+ if (UI_get_string_type(uis) == UIT_PROMPT) {
+ UI_set_result(ui, uis, passphrase);
+ return 1;
+ }
+
+ return 0;
+}
+
+static int test_pkey_store_open_ex(void)
+{
+ OSSL_PROVIDER *deflt = NULL;
+ OSSL_PROVIDER *fake_rsa = NULL;
+ int ret = 0;
+ EVP_PKEY *pkey = NULL;
+ OSSL_STORE_LOADER *loader = NULL;
+ OSSL_STORE_CTX *ctx = NULL;
+ const char *propq = "?provider=fake-rsa";
+ UI_METHOD *ui_method = NULL;
+
+ /* It's important to load the default provider first for this test */
+ if (!TEST_ptr(deflt = OSSL_PROVIDER_load(libctx, "default")))
+ goto end;
+
+ if (!TEST_ptr(fake_rsa = fake_rsa_start(libctx)))
+ goto end;
+
+ if (!TEST_ptr(loader = OSSL_STORE_LOADER_fetch(libctx, "fake_rsa",
+ propq)))
+ goto end;
+
+ OSSL_STORE_LOADER_free(loader);
+
+ if (!TEST_ptr(ui_method= UI_create_method("PW Callbacks")))
+ goto end;
+
+ if (UI_method_set_reader(ui_method, fake_pw_read_string))
+ goto end;
+
+ if (!TEST_ptr(ctx = OSSL_STORE_open_ex("fake_rsa:openpwtest", libctx, propq,
+ ui_method, NULL, NULL, NULL, NULL)))
+ goto end;
+
+ /* retry w/o ui_method to ensure we actually enter pw checks and fail */
+ OSSL_STORE_close(ctx);
+ if (!TEST_ptr_null(ctx = OSSL_STORE_open_ex("fake_rsa:openpwtest", libctx,
+ propq, NULL, NULL, NULL, NULL,
+ NULL)))
+ goto end;
+
+ ret = 1;
+
+end:
+ UI_destroy_method(ui_method);
+ fake_rsa_finish(fake_rsa);
+ OSSL_PROVIDER_unload(deflt);
+ OSSL_STORE_close(ctx);
+ EVP_PKEY_free(pkey);
+ return ret;
+}
+
 int setup_tests(void)
 {
 libctx = OSSL_LIB_CTX_new();
@@ -370,6 +435,7 @@ int setup_tests(void)
 ADD_TEST(test_pkey_eq);
 ADD_ALL_TESTS(test_pkey_store, 2);
 ADD_TEST(test_pkey_delete);
+ ADD_TEST(test_pkey_store_open_ex);
 return 1;
 }
From e40d538ad72c8e496b1dfe7d93c6002ce48351f5 Mon Sep 17 00:00:00 2001
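Review bot: `if (UI_method_set_reader(ui_method, fake_pw_read_string)) goto end;` in `test_pkey_store_open_ex()` is the one step that fails without reporting anything, because every other call in the function goes through a `TEST_` macro; `if (!TEST_int_eq(UI_method_set_reader(ui_method, fake_pw_read_string), 0))` would make a failure visible in the log. `pkey` is declared and passed to `EVP_PKEY_free()` but never assigned, so both lines can be dropped. The test also only proves that an open with a UI method succeeds and one without fails; it does not exercise a wrong passphrase, which is the case that would catch a weak comparison in the fake provider.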
From: Simo Sorce Date: Thu, 14 Sep 2023 16:55:32 -0400 Subject: [PATCH 211/324] Add provider documentation for the new open_ex Signed-off-by: Simo Sorce Reviewed-by: Dmitry Belyavskiy Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/20131) --- doc/man7/provider-storemgmt.pod | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/doc/man7/provider-storemgmt.pod b/doc/man7/provider-storemgmt.pod index c58df619db9bc..a8ce43c4bb2b5 100644 --- a/doc/man7/provider-storemgmt.pod +++ b/doc/man7/provider-storemgmt.pod @@ -27,6 +27,10 @@ provider-storemgmt - The OSSL_STORE library E-E provider functions int OSSL_FUNC_store_export_object (void *loaderctx, const void *objref, size_t objref_sz, OSSL_CALLBACK *export_cb, void *export_cbarg); + void *OSSL_FUNC_store_open_ex(void *provctx, const char *uri, + const OSSL_PARAM params[], + OSSL_PASSPHRASE_CALLBACK *pw_cb, + void *pw_cbarg); int OSSL_FUNC_store_delete(void *provctx, const char *uri, const OSSL_PARAM params[], @@ -75,6 +79,7 @@ in L, as follows: OSSL_FUNC_store_close OSSL_FUNC_STORE_CLOSE OSSL_FUNC_store_export_object OSSL_FUNC_STORE_EXPORT_OBJECT OSSL_FUNC_store_delete OSSL_FUNC_STORE_DELETE + OSSL_FUNC_store_open_ex OSSL_FUNC_STORE_OPEN_EX =head2 Functions @@ -124,6 +129,13 @@ implementation is entirely responsible for the interpretation of the URI. In case a passphrase needs to be prompted to remove an object, I should be called. +OSSL_FUNC_store_open_ex() is an extended variant of OSSL_FUNC_store_open(). If +the provider does not implement this function the code internally falls back to +use the original OSSL_FUNC_store_open(). +This variant additionally accepts an L object and a I +callback that can be used to request a passphrase in cases where the whole +store needs to be unlocked before performing any load operation. + =head2 Load Parameters =over 4 From 0e138b7b591f160a50aff22f662254d1b39c9cac Mon Sep 17 00:00:00 2001 
From: Mathieu Tortuyaux Date: Mon, 18 Sep 2023 16:02:21 +0200 Subject: [PATCH 212/324] enc: "bad decrypt" only in decryption CLA: trivial Signed-off-by: Mathieu Tortuyaux Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22134)
---
apps/enc.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/apps/enc.c b/apps/enc.c
index 26e009e43791c..d94f5236d7bbe 100644
--- a/apps/enc.c
+++ b/apps/enc.c
@@ -701,7 +701,10 @@ int enc_main(int argc, char **argv)
 break;
 }
 if (!BIO_flush(wbio)) {
- BIO_printf(bio_err, "bad decrypt\n");
+ if (enc)
+ BIO_printf(bio_err, "bad encrypt\n");
+ else
+ BIO_printf(bio_err, "bad decrypt\n");
 goto end;
 }
From e900942587a18cdd6e3b064d6b21c9ce36a7b640 Mon Sep 17 00:00:00 2001 From: Dmitry Misharov Date: Mon, 18 Sep 2023 10:53:00 +0200 Subject: [PATCH 213/324] os zoo ci Use a Github Actions expression to set value for the environment variable. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22130)
---
.github/workflows/os-zoo.yml | 111 +++++++++++++++++++++++------------ 1 file changed, 73 insertions(+), 38 deletions(-)
diff --git a/.github/workflows/os-zoo.yml b/.github/workflows/os-zoo.yml
index ee327f4c1bfe2..98fe0c744cc42 100644
--- a/.github/workflows/os-zoo.yml
+++ b/.github/workflows/os-zoo.yml
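Review bot: The four added lines under `if (!BIO_flush(wbio))` duplicate one message with a single word changed; `BIO_printf(bio_err, "bad %s\n", enc ? "encrypt" : "decrypt");` says the same thing in one call and keeps the two strings from drifting apart. The decrypt text is unchanged either way, so anything that matches on "bad decrypt" in stderr keeps working. `enc_main()` starts and ends outside this hunk.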
@@ -15,80 +15,116 @@ permissions: contents: read jobs: - # This has to be a separate job, it seems, because we want to use a - # container for it. - unix-container: + alpine: strategy: fail-fast: false matrix: - image: ['alpine:edge', 'alpine:latest'] - cc: ['gcc', 'clang'] + tag: [edge, latest] + cc: [gcc, clang] + branch: [openssl-3.0, openssl-3.1, master] runs-on: ubuntu-latest container: - image: ${{ matrix.image }} + image: docker.io/library/alpine:${{ matrix.tag }} + env: + # https://www.openwall.com/lists/musl/2022/02/16/14 + EXTRA_CFLAGS: ${{ matrix.cc == 'clang' && '-Wno-sign-compare' || '' }} + CC: ${{ matrix.cc }} steps: - name: install packages - run: | - apk --no-cache add build-base perl linux-headers git ${{ matrix.cc }} - + run: apk --no-cache add build-base perl linux-headers ${{ matrix.cc }} - uses: actions/checkout@v4 - + with: + ref: ${{ matrix.branch }} - name: config run: | - cc="${{ matrix.cc }}" - - extra_cflags="" - if [[ ${cc} == "clang" ]] ; then - # https://www.openwall.com/lists/musl/2022/02/16/14 - extra_cflags="-Wno-sign-compare" - fi - - CC=${{ matrix.cc }} ./config --banner=Configured no-shared \ - -Wall -Werror enable-fips --strict-warnings -DOPENSSL_USE_IPV6=0 ${extra_cflags} - + ./config --banner=Configured no-shared -Wall -Werror enable-fips --strict-warnings -DOPENSSL_USE_IPV6=0 \ + ${EXTRA_CFLAGS} - name: config dump run: ./configdata.pm --dump - name: make run: make -s -j4 - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} - unix: + + linux: + strategy: + fail-fast: false + matrix: + branch: [openssl-3.0, openssl-3.1, master] + zoo: + - image: docker.io/library/debian:10 + install: apt-get update && apt-get install -y gcc make perl + - image: docker.io/library/debian:11 + install: apt-get update && apt-get install -y gcc make perl + - image: docker.io/library/debian:12 + install: apt-get update && apt-get install -y gcc make perl + - image: docker.io/library/ubuntu:20.04 + install: apt-get update && apt-get 
install -y gcc make perl + - image: docker.io/library/ubuntu:22.04 + install: apt-get update && apt-get install -y gcc make perl + - image: docker.io/library/fedora:38 + install: dnf install -y gcc make perl-core + - image: docker.io/library/fedora:39 + install: dnf install -y gcc make perl-core + - image: docker.io/library/centos:8 + install: | + sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-* && \ + sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-* && \ + dnf install -y gcc make perl-core + - image: docker.io/library/rockylinux:8 + install: dnf install -y gcc make perl-core + - image: docker.io/library/rockylinux:9 + install: dnf install -y gcc make perl-core + runs-on: ubuntu-latest + container: ${{ matrix.zoo.image }} + steps: + - uses: actions/checkout@v4 + with: + ref: ${{ matrix.branch }} + - name: install packages + run: ${{ matrix.zoo.install }} + - name: config + run: ./config + - name: config dump + run: ./configdata.pm --dump + - name: make + run: make -j4 + - name: make test + run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} + + macos: strategy: fail-fast: false matrix: - os: [ - macos-11, - macos-12, - macos-13, - ubuntu-20.04, - ubuntu-22.04, - ] + branch: [openssl-3.0, openssl-3.1, master] + os: [macos-11, macos-12, macos-13] runs-on: ${{ matrix.os }} steps: - uses: actions/checkout@v4 + with: + ref: ${{ matrix.branch }} - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - name: config - run: | - CC=${{ matrix.zoo.cc }} ./config --banner=Configured \ - -Wall -Werror --strict-warnings enable-fips + run: ./config --banner=Configured -Wall -Werror --strict-warnings enable-fips - name: config dump run: ./configdata.pm --dump - name: make run: make -s -j4 - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} + windows: strategy: fail-fast: false matrix: - os: [ - windows-2019, - windows-2022 - ] + branch: [openssl-3.0, openssl-3.1, 
master] + os: [windows-2019, windows-2022] runs-on: ${{ matrix.os }} steps: - uses: actions/checkout@v4 + with: + ref: ${{ matrix.branch }} - name: checkout fuzz/corpora submodule run: git submodule update --init --depth 1 fuzz/corpora - uses: ilammy/msvc-dev-cmd@v1 @@ -98,8 +134,7 @@ jobs: run: mkdir _build - name: config working-directory: _build - run: | - perl ..\Configure --banner=Configured no-makedepend enable-fips + run: perl ..\Configure --banner=Configured no-makedepend enable-fips - name: config dump working-directory: _build run: ./configdata.pm --dump From 955c133ccccd2b6e3f5a1b1342045111fe8b3e86 Mon Sep 17 00:00:00 2001 From: Sumitra Sharma Date: Mon, 18 Sep 2023 16:38:11 +0530 Subject: [PATCH 214/324] Add documentation for the function SSL_CONF_CTX_finish. Add documentation for the function SSL_CONF_CTX_finish() in man3. Fixes #22084 Signed-off-by: Sumitra Sharma Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22128) --- doc/man3/SSL_CONF_CTX_set_ssl_ctx.pod | 8 ++++++++ util/missingssl.txt | 1 - 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/doc/man3/SSL_CONF_CTX_set_ssl_ctx.pod b/doc/man3/SSL_CONF_CTX_set_ssl_ctx.pod index 06cc1e4ec539d..b74c869b83d2d 100644 --- a/doc/man3/SSL_CONF_CTX_set_ssl_ctx.pod +++ b/doc/man3/SSL_CONF_CTX_set_ssl_ctx.pod @@ -2,6 +2,7 @@ =head1 NAME +SSL_CONF_CTX_finish, SSL_CONF_CTX_set_ssl_ctx, SSL_CONF_CTX_set_ssl - set context to configure =head1 SYNOPSIS @@ -10,6 +11,7 @@ SSL_CONF_CTX_set_ssl_ctx, SSL_CONF_CTX_set_ssl - set context to configure void SSL_CONF_CTX_set_ssl_ctx(SSL_CONF_CTX *cctx, SSL_CTX *ctx); void SSL_CONF_CTX_set_ssl(SSL_CONF_CTX *cctx, SSL *ssl); + int SSL_CONF_CTX_finish(SSL_CONF_CTX *cctx); =head1 DESCRIPTION 
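Review bot: The `centos:8` entry added to the `linux` matrix rewrites the repo files to `baseurl=http://vault.centos.org`, so that job installs its compiler and Perl over plain HTTP from an archived distribution, leaving package signature checking as the only protection against a tampered response. Use the HTTPS endpoint in the second `sed`: `sed -i 's|#baseurl=http://mirror.centos.org|baseurl=https://vault.centos.org|g' /etc/yum.repos.d/CentOS-*`. The container images across the new `alpine` and `linux` jobs are referenced by mutable tags (`alpine:edge`, `debian:12`, …); for an OS-compatibility sweep that may be deliberate, but a comment saying so would help, since digest pinning is the usual expectation for CI inputs.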
@@ -23,6 +25,10 @@ B structure B. Any previous B or B associated with B is cleared. Subsequent calls to SSL_CONF_cmd() will be sent to B. +The function SSL_CONF_CTX_finish() must be called after all configuration +operations have been completed. It is used to finalise any operations +or to process defaults. + =head1 NOTES The context need not be set or it can be set to B in which case only @@ -32,6 +38,8 @@ syntax checking of commands is performed, where possible. SSL_CONF_CTX_set_ssl_ctx() and SSL_CTX_set_ssl() do not return a value. +SSL_CONF_CTX_finish() returns 1 for success and 0 for failure. + =head1 SEE ALSO L, diff --git a/util/missingssl.txt b/util/missingssl.txt index 224eb84899f5b..1338feed71188 100644 --- a/util/missingssl.txt +++ b/util/missingssl.txt @@ -3,7 +3,6 @@ ERR_load_SSL_strings(3) SRP_Calc_A_param(3) SSL_COMP_get_name(3) SSL_COMP_set0_compression_methods(3) -SSL_CONF_CTX_finish(3) SSL_CTX_SRP_CTX_free(3) SSL_CTX_SRP_CTX_init(3) SSL_CTX_get0_certificate(3) From 3432157ba1e0e29bab8bdd31d7ae728930e57c42 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Wed, 6 Sep 2023 08:04:17 +0100 Subject: [PATCH 215/324] QUIC: Wire SSL_net_(read|write)_desired for TLS/DTLS Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/21979) --- ssl/ssl_lib.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index fdc8b6b82410d..fec9124ce4c09 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -7344,11 +7344,11 @@ int SSL_net_read_desired(SSL *s) { #ifndef OPENSSL_NO_QUIC if (!IS_QUIC(s)) - return 0; + return SSL_want_read(s); return ossl_quic_get_net_read_desired(s); #else - return 0; + return SSL_want_read(s); #endif } 
@@ -7356,11 +7356,11 @@ int SSL_net_write_desired(SSL *s) { #ifndef OPENSSL_NO_QUIC if (!IS_QUIC(s)) - return 0; + return SSL_want_write(s); return ossl_quic_get_net_write_desired(s); #else - return 0; + return SSL_want_write(s); #endif } From f26244336f2a1b0d3040fe1db5d1024ec40e0b8b Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Wed, 13 Sep 2023 13:46:27 +0100 Subject: [PATCH 216/324] QUIC APL: Wire SSL_get_[rw]poll_descriptor for TLS/DTLS Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/21979) --- ssl/ssl_lib.c | 30 ++++++++++++++++++------------ 1 file changed, 18 insertions(+), 12 deletions(-) diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index fec9124ce4c09..f15fe126a22f5 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -7318,26 +7318,32 @@ int SSL_get_event_timeout(SSL *s, struct timeval *tv, int *is_infinite) int SSL_get_rpoll_descriptor(SSL *s, BIO_POLL_DESCRIPTOR *desc) { -#ifndef OPENSSL_NO_QUIC - if (!IS_QUIC(s)) - return -1; + SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s); - return ossl_quic_get_rpoll_descriptor(s, desc); -#else - return -1; +#ifndef OPENSSL_NO_QUIC + if (IS_QUIC(s)) + return ossl_quic_get_rpoll_descriptor(s, desc); #endif + + if (sc == NULL || sc->rbio == NULL) + return 0; + + return BIO_get_rpoll_descriptor(sc->rbio, desc); } int SSL_get_wpoll_descriptor(SSL *s, BIO_POLL_DESCRIPTOR *desc) { -#ifndef OPENSSL_NO_QUIC - if (!IS_QUIC(s)) - return -1; + SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s); - return ossl_quic_get_wpoll_descriptor(s, desc); -#else - return -1; +#ifndef OPENSSL_NO_QUIC + if (IS_QUIC(s)) + return ossl_quic_get_wpoll_descriptor(s, desc); #endif + + if (sc == NULL || sc->wbio == NULL) + return 0; + + return BIO_get_wpoll_descriptor(sc->wbio, desc); } int SSL_net_read_desired(SSL *s) From b509d0bd25ca457764aaa5e7dcb797dc6a17a98f Mon Sep 17 00:00:00 2001 
From: Hugo Landau Date: Wed, 13 Sep 2023 13:46:44 +0100 Subject: [PATCH 217/324] QUIC: Update documentation for SSL_get_[rw]poll_descriptor, SSL_net_(read|write)_desired Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/21979) --- doc/man3/SSL_get_rpoll_descriptor.pod | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/doc/man3/SSL_get_rpoll_descriptor.pod b/doc/man3/SSL_get_rpoll_descriptor.pod index 5e1879580e82f..3bdd0a924c646 100644 --- a/doc/man3/SSL_get_rpoll_descriptor.pod +++ b/doc/man3/SSL_get_rpoll_descriptor.pod @@ -66,7 +66,14 @@ may change in response to any call to the SSL object other than SSL_net_read_desired(), SSL_net_write_desired(), SSL_get_rpoll_descriptor(), SSL_get_wpoll_descriptor() and SSL_get_event_timeout(). -These functions are not supported on non-QUIC SSL objects. +On non-QUIC SSL objects, calls to SSL_get_rpoll_descriptor() and +SSL_get_wpoll_descriptor() function the same as calls to +BIO_get_rpoll_descriptor() and BIO_get_wpoll_descriptor() on the respective read +and write BIOs configured on the SSL object. + +On non-QUIC SSL objects, calls to SSL_net_read_desired() and +SSL_net_write_desired() function identically to calls to SSL_want_read() and +SSL_want_write() respectively. =head1 RETURN VALUES From 7e1b0dc1ef3cf0a7b02af0a09ab8aa5608134990 Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Wed, 13 Sep 2023 13:47:13 +0100 Subject: [PATCH 218/324] SSL: Test SSL_get_[rw]poll_descriptor, SSL_net_(read|write)_desired Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/21979) --- test/helpers/ssltestlib.c | 22 ++++++++++++++++++++++ test/sslapitest.c | 13 +++++++++++-- 2 files changed, 33 insertions(+), 2 deletions(-) diff --git a/test/helpers/ssltestlib.c b/test/helpers/ssltestlib.c index 0b1e56f064ca6..3ae3e7d4eaf47 100644 --- a/test/helpers/ssltestlib.c 
+++ b/test/helpers/ssltestlib.c @@ -985,6 +985,7 @@ int create_ssl_objects2(SSL_CTX *serverctx, SSL_CTX *clientctx, SSL **sssl, { SSL *serverssl = NULL, *clientssl = NULL; BIO *s_to_c_bio = NULL, *c_to_s_bio = NULL; + BIO_POLL_DESCRIPTOR rdesc = {0}, wdesc = {0}; if (*sssl != NULL) serverssl = *sssl; @@ -999,8 +1000,29 @@ int create_ssl_objects2(SSL_CTX *serverctx, SSL_CTX *clientctx, SSL **sssl, || !TEST_ptr(c_to_s_bio = BIO_new_socket(cfd, BIO_NOCLOSE))) goto error; + if (!TEST_false(SSL_get_rpoll_descriptor(clientssl, &rdesc) + || !TEST_false(SSL_get_wpoll_descriptor(clientssl, &wdesc)))) + goto error; + SSL_set_bio(clientssl, c_to_s_bio, c_to_s_bio); SSL_set_bio(serverssl, s_to_c_bio, s_to_c_bio); + + if (!TEST_true(SSL_get_rpoll_descriptor(clientssl, &rdesc)) + || !TEST_true(SSL_get_wpoll_descriptor(clientssl, &wdesc)) + || !TEST_int_eq(rdesc.type, BIO_POLL_DESCRIPTOR_TYPE_SOCK_FD) + || !TEST_int_eq(wdesc.type, BIO_POLL_DESCRIPTOR_TYPE_SOCK_FD) + || !TEST_int_eq(rdesc.value.fd, cfd) + || !TEST_int_eq(wdesc.value.fd, cfd)) + goto error; + + if (!TEST_true(SSL_get_rpoll_descriptor(serverssl, &rdesc)) + || !TEST_true(SSL_get_wpoll_descriptor(serverssl, &wdesc)) + || !TEST_int_eq(rdesc.type, BIO_POLL_DESCRIPTOR_TYPE_SOCK_FD) + || !TEST_int_eq(wdesc.type, BIO_POLL_DESCRIPTOR_TYPE_SOCK_FD) + || !TEST_int_eq(rdesc.value.fd, sfd) + || !TEST_int_eq(wdesc.value.fd, sfd)) + goto error; + *sssl = serverssl; *cssl = clientssl; return 1; diff --git a/test/sslapitest.c b/test/sslapitest.c index ec29157007c74..9539b4cf3a658 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c 
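Review bot: The closing parenthesis of the first TEST_false() in the check before SSL_set_bio() is misplaced, so `|| !TEST_false(SSL_get_wpoll_descriptor(clientssl, &wdesc))` is evaluated as part of the first macro's argument rather than as a second condition. The check still fails when either call returns non-zero, but the failure is reported against the combined expression, not the call that misbehaved. Write it as `if (!TEST_false(SSL_get_rpoll_descriptor(clientssl, &rdesc))` followed by `|| !TEST_false(SSL_get_wpoll_descriptor(clientssl, &wdesc)))`. create_ssl_objects2 starts before this hunk and continues after it.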
@@ -6601,7 +6601,9 @@ static int test_key_update_peer_in_write(int tst) /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */ if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1) - || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE)) + || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE) + || !TEST_true(SSL_want_write(peerwrite)) + || !TEST_true(SSL_net_write_desired(peerwrite))) goto end; /* Reinstate the original writing endpoint's write BIO */ @@ -6610,7 +6612,9 @@ static int test_key_update_peer_in_write(int tst) /* Now read some data - we will read the key update */ if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1) - || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ)) + || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ) + || !TEST_true(SSL_want_read(peerwrite)) + || !TEST_true(SSL_net_read_desired(peerwrite))) goto end; /* @@ -6626,6 +6630,11 @@ static int test_key_update_peer_in_write(int tst) || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess))) goto end; + if (!TEST_false(SSL_net_read_desired(peerwrite)) + || !TEST_false(SSL_net_write_desired(peerwrite)) + || !TEST_int_eq(SSL_want(peerwrite), SSL_NOTHING)) + goto end; + testresult = 1; end: From b79e73cfba2f17cc810bde3c50a2a1d4f03b8cae Mon Sep 17 00:00:00 2001 From: Hugo Landau Date: Thu, 14 Sep 2023 08:40:14 +0100 Subject: [PATCH 219/324] BIO: Wire poll descriptor functions in BIO_s_sock Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/21979) --- crypto/bio/bss_sock.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/crypto/bio/bss_sock.c b/crypto/bio/bss_sock.c index f64eb8c843a4b..4ff4defadff46 100644 --- a/crypto/bio/bss_sock.c +++ b/crypto/bio/bss_sock.c 
@@ -215,6 +215,20 @@ static long sock_ctrl(BIO *b, int cmd, long num, void *ptr) case BIO_CTRL_FLUSH: ret = 1; break; + case BIO_CTRL_GET_RPOLL_DESCRIPTOR: + case BIO_CTRL_GET_WPOLL_DESCRIPTOR: + { + BIO_POLL_DESCRIPTOR *pd = ptr; + + if (!b->init) { + ret = 0; + break; + } + + pd->type = BIO_POLL_DESCRIPTOR_TYPE_SOCK_FD; + pd->value.fd = b->num; + } + break; # ifndef OPENSSL_NO_KTLS case BIO_CTRL_SET_KTLS: crypto_info = (ktls_crypto_info_t *)ptr; From be01f609f98a8930f2c91b813715e515a88f4d54 Mon Sep 17 00:00:00 2001 From: Pauli Date: Tue, 19 Sep 2023 11:07:21 +1000 Subject: [PATCH 220/324] coverity: NULL dereference Fixes coverity 1544699. Reviewed-by: Matt Caswell Reviewed-by: Tim Hudson Reviewed-by: Tomas Mraz Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/22138) --- crypto/engine/eng_table.c | 1 + 1 file changed, 1 insertion(+) diff --git a/crypto/engine/eng_table.c b/crypto/engine/eng_table.c index 3138a1526002a..9dc3144bbfd7b 100644 --- a/crypto/engine/eng_table.c +++ b/crypto/engine/eng_table.c @@ -97,6 +97,7 @@ int engine_table_register(ENGINE_TABLE **table, ENGINE_CLEANUP_CB *cleanup, if (added && !engine_cleanup_add_first(cleanup)) { lh_ENGINE_PILE_free(&(*table)->piles); *table = NULL; + goto end; } while (num_nids--) { tmplate.nid = *nids; From 44fbe0de34137c7834dc81c1116d7538a2b4f773 Mon Sep 17 00:00:00 2001 
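Review bot: In the new BIO_CTRL_GET_RPOLL_DESCRIPTOR / BIO_CTRL_GET_WPOLL_DESCRIPTOR case, `pd` is taken from `ptr` and written through without a NULL check, so a caller that passes a NULL descriptor crashes inside the ctrl handler instead of getting a failure return. Extending the existing guard covers it: `if (!b->init || pd == NULL) {`. The success path also leaves `ret` untouched. sock_ctrl starts before the hunk, so whether `ret` already holds 1 at that point cannot be confirmed here; an explicit `ret = 1;` after the two assignments would make the case self-contained.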
From: Matt Caswell Date: Fri, 15 Sep 2023 14:29:05 +0100 Subject: [PATCH 221/324] Enable the ability to seed the test RNG without randomising test ordering Numerous tests use the test_random() function to get a random number. If a test fails then the seed that was used for the test RNG is displayed. Setting the seed to the same value in a future run is supposed to cause the same random numbers to be generated again. The way to set the RNG seed again is to use the `OPENSSL_TEST_RAND_ORDER` environment variable. However setting this environment variable *also* randomises the test ordering as well as seeding the RNG. This in itself calls test_random() so, in fact, when the test finally runs it gets different random numbers to when it originally run (defeating the repeatability objective). This means that only way repeatability can be obtained is if the test was originally run with `OPENSSL_TEST_RAND_ORDER` set to 0. If that wasn't done then the seed printed when the test failed is not useful. We introduce a new environment variable `OPENSSL_TEST_RAND_SEED` which can be used to independently seed the test RNG without randomising the test ordering. This can be used to get repeatability in cases where test ordering randomisation was not done in the first place. Reviewed-by: Dmitry Belyavskiy Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22118) --- test/testutil/driver.c | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/test/testutil/driver.c b/test/testutil/driver.c index 6427d235af20e..033be2fcc5e0e 100644 --- a/test/testutil/driver.c +++ b/test/testutil/driver.c 
@@ -102,15 +102,18 @@ static void set_seed(int s) int setup_test_framework(int argc, char *argv[]) { - char *test_seed = getenv("OPENSSL_TEST_RAND_ORDER"); + char *test_rand_order = getenv("OPENSSL_TEST_RAND_ORDER"); + char *test_rand_seed = getenv("OPENSSL_TEST_RAND_SEED"); char *TAP_levels = getenv("HARNESS_OSSL_LEVEL"); if (TAP_levels != NULL) level = 4 * atoi(TAP_levels); test_adjust_streams_tap_level(level); - if (test_seed != NULL) { + if (test_rand_order != NULL) { rand_order = 1; - set_seed(atoi(test_seed)); + set_seed(atoi(test_rand_order)); + } else if (test_rand_seed != NULL) { + set_seed(atoi(test_rand_seed)); } else { set_seed(0); } @@ -264,8 +267,12 @@ PRINTF_FORMAT(2, 3) static void test_verdict(int verdict, test_flush_stdout(); test_flush_stderr(); - if (verdict == 0 && seed != 0) - test_printf_tapout("# OPENSSL_TEST_RAND_ORDER=%d\n", seed); + if (verdict == 0) { + if (rand_order) + test_printf_tapout("# OPENSSL_TEST_RAND_ORDER=%d\n", seed); + else + test_printf_tapout("# OPENSSL_TEST_RAND_SEED=%d\n", seed); + } test_printf_tapout("%s ", verdict != 0 ? "ok" : "not ok"); va_start(ap, description); test_vprintf_tapout(description, ap); From 7251b2eb14427341630881cf10e4be3fa8661e8c Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Fri, 15 Sep 2023 14:36:05 +0100 Subject: [PATCH 222/324] Document the OPENSSL_TEST_RAND_SEED environment variable Reviewed-by: Dmitry Belyavskiy Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22118) --- test/README.md | 28 ++++++++++++++++++++++------ 1 file changed, 22 insertions(+), 6 deletions(-) diff --git a/test/README.md b/test/README.md index 9a5c91953ddb7..fe25bd8b4ecbf 100644 --- a/test/README.md +++ b/test/README.md 
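Review bot: The new `else if (test_rand_seed != NULL)` branch means OPENSSL_TEST_RAND_SEED is silently ignored whenever OPENSSL_TEST_RAND_ORDER is also set, and nothing in the code says so. A comment above the chain, `/* OPENSSL_TEST_RAND_ORDER takes precedence; OPENSSL_TEST_RAND_SEED only seeds the RNG */`, would record the rule. Both branches also parse with atoi(), so a non-numeric value becomes 0 and reaches set_seed() looking exactly like the unset case `set_seed(0)`. That is worth a second comment line, because a mistyped seed then gives no sign that the failing run is not being reproduced. setup_test_framework continues outside the hunk.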
@@ -149,17 +149,33 @@ To run up to four tests in parallel at any given time: $ make HARNESS_JOBS=4 test +Random numbers in tests +----------------------- + +Some tests use random numbers as part of the test. In some cases a test failure +may occur for some random numbers, but not for others. The seed used for the +rand number generator can be set via the `OPENSSL_TEST_RAND_SEED` environment +variable. It can also be set via the `OPENSSL_TEST_RAND_ORDER` environment +variable which additionally randomises the order tests are run in (see below). + +When a test fails the test harness will display the seed used during the test +(displaying either the `OPENSSL_TEST_RAND_SEED` or `OPENSSL_TEST_RAND_ORDER` +environment variable value that must be used to recreate the results), e.g. + + $ make OPENSSL_TEST_RAND_SEED=42 test + Randomisation of Test Ordering ------------------------------ By default, the test harness will execute tests in the order they were added. By setting the `OPENSSL_TEST_RAND_ORDER` environment variable to zero, the -test ordering will be randomised. If a randomly ordered test fails, the -seed value used will be reported. Setting the `OPENSSL_TEST_RAND_ORDER` -environment variable to this value will rerun the tests in the same -order. This assures repeatability of randomly ordered test runs. -This repeatability is independent of the operating system, processor or -platform used. +test ordering will be randomised. This additionally seeds the random number +generator used within the tests as described in the section above. If a randomly +ordered test fails, the seed value used will be reported. Setting the +`OPENSSL_TEST_RAND_ORDER` environment variable to this value will rerun the +tests in the same order and will also seed the test random number generator. +This assures repeatability of randomly ordered test runs. This repeatability is +independent of the operating system, processor or platform used. To randomise the test ordering: 
From 54fbb9e416524e09d6125ffc551cefba83306992 Mon Sep 17 00:00:00 2001 From: "Matthias St. Pierre" Date: Fri, 8 Sep 2023 12:31:09 +0200 Subject: [PATCH 223/324] doc: suggestions for OSSL_PROVIDER_load_ex design document Late review comments for pull request #21604, sort of. Reviewed-by: Dmitry Belyavskiy Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22029) --- doc/designs/prov_loadex.md | 41 +++++++++++++++++++------------------- 1 file changed, 20 insertions(+), 21 deletions(-) diff --git a/doc/designs/prov_loadex.md b/doc/designs/prov_loadex.md index 818f5cce2d78f..f28f6d2f4da6f 100644 --- a/doc/designs/prov_loadex.md +++ b/doc/designs/prov_loadex.md @@ -1,12 +1,12 @@ Providers run-time configuration ================================ -Currently any provider run-time activation requires presence of the +Currently any provider run-time activation requires the presence of the initialization parameters in the OpenSSL configuration file. Otherwise the -provider will be activated with some "default" settings, that may or may not +provider will be activated with some default settings, that may or may not work for a particular application. For real-world systems it may require -providing a specially designed OpenSSL config and passing it somehow (e.g. via -environment) that has its obvious drawbacks. +providing a specially designed OpenSSL configuration file and passing it somehow +(e.g. via environment), which has obvious drawbacks. We need a possibility to initialize providers on per-application level according to per-application parameters. It's necessary for example for PKCS#11 
@@ -21,23 +21,23 @@ OSSL_PROVIDER *OSSL_PROVIDER_load_ex(OSSL_LIB_CTX *libctx, const char *name, OSSL_PARAM params[]); ``` -intended to configure the provider in load time. +intended to configure the provider at load time. It accepts only parameters of type `OSSL_PARAM_UTF8_STRING` because any provider can be initialized from the config file where the values are represented as strings and provider init function has to deal with it. -Explicitly configured parameters can contradict the parameters named in the +Explicitly configured parameters can differ from the parameters named in the configuration file. Here are the current design decisions and some possible future steps. Real-world cases ---------------- -Many applications use PKCS#11 API with a specific drivers. OpenSSL PKCS#11 +Many applications use PKCS#11 API with specific drivers. OpenSSL PKCS#11 provider also provides a set of -tweaks usable in particular situations. So there are at least several scenarios -I have in mind: +tweaks usable in particular situations. So there are several scenarios for which +the new API can be used: 1. Configure a provider in the config file, activate on demand 2. Load/activate a provider run-time with parameters 
@@ -45,26 +45,25 @@ I have in mind: Current design -------------- -When the provider is loaded in the current library context and activated, the -currently loaded provider will be returned as the result of -`OSSL_PROVIDER_load_ex` call. +When the provider is already loaded an activated in the current library context, +the `OSSL_PROVIDER_load_ex` call simply returns the active provider and the +extra parameters are ignored. -When the provider is loaded in the current library context and NOT activated, -the parameters provided int the `OSSL_PROVIDER_load_ex` call will have the -preference. +In all other cases, the extra parameters provided by the `OSSL_PROVIDER_load_ex` +call are applied and the values from the config file are ignored. Separate instances of the provider can be loaded in the separate library contexts. -Several instances of the same provider in the same context using different -section names, module names (e.g. via symlinks) and provider names. But unless -the provider does not support some configuration options, the algorithms in +Several instances of the same provider can be loaded in the same context using +different section names, module names (e.g. via symlinks) and provider names. +But unless the provider supports some configuration options, the algorithms in this case will have the same `provider` property and the result of fetching is not determined. We strongly discourage against this trick. -The run-time change of the loaded provider configuration is not supported. If -it is necessary, the calls to `OSSL_PROVIDER_unload` with the following call to -the `OSSL_PROVIDER_load` or `OSSL_PROVIDER_load_ex` should be used. +Changing the loaded provider configuration at runtime is not supported. If +it is necessary, the provider needs to be unloaded using `OSSL_PROVIDER_unload` +and reloaded using `OSSL_PROVIDER_load` or `OSSL_PROVIDER_load_ex` should be used. Possible future steps --------------------- 
From 0988de278c2f861e47d63cd284992befa686e4a8 Mon Sep 17 00:00:00 2001 From: "Matthias St. Pierre" Date: Fri, 8 Sep 2023 12:35:57 +0200 Subject: [PATCH 224/324] doc: change name of OSSL_PROVIDER_load_ex design document Use dashes instead of underscores, to be more consistent with existing document names. And speaking of consistency, introduce a consistent name transformation, which will scale better when design documents start filling the folder ;-) OSSL_PROVIDER_load_ex -> ossl-provider-load-ex.md Reviewed-by: Dmitry Belyavskiy Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22029) --- doc/designs/{prov_loadex.md => ossl-provider-load-ex.md} | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename doc/designs/{prov_loadex.md => ossl-provider-load-ex.md} (95%) diff --git a/doc/designs/prov_loadex.md b/doc/designs/ossl-provider-load-ex.md similarity index 95% rename from doc/designs/prov_loadex.md rename to doc/designs/ossl-provider-load-ex.md index f28f6d2f4da6f..62d5c8c327663 100644 --- a/doc/designs/prov_loadex.md +++ b/doc/designs/ossl-provider-load-ex.md @@ -1,5 +1,5 @@ -Providers run-time configuration -================================ +OSSL_PROVIDER_load_ex - activating providers with run-time configuration +======================================================================== Currently any provider run-time activation requires the presence of the initialization parameters in the OpenSSL configuration file. Otherwise the From 080bd08fd32608b4f2edfa4b1e87e199b08a8835 Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Thu, 6 May 2021 18:49:54 +0200 Subject: [PATCH 225/324] cmp_vfy.c: Use verification callback if cert_acceptable() finds expired cert Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/21656) --- crypto/cmp/cmp_vfy.c | 33 ++++++++++++++++++++++-------- doc/man3/OSSL_CMP_validate_msg.pod | 8 +++++--- 2 files changed, 30 insertions(+), 11 deletions(-) 
diff --git a/crypto/cmp/cmp_vfy.c b/crypto/cmp/cmp_vfy.c index 2d7b2388ced41..1869fae696357 100644 --- a/crypto/cmp/cmp_vfy.c +++ b/crypto/cmp/cmp_vfy.c @@ -139,6 +139,24 @@ int OSSL_CMP_validate_cert_path(const OSSL_CMP_CTX *ctx, return valid; } +static int verify_cb_cert(X509_STORE *ts, X509 *cert, int err) +{ + X509_STORE_CTX_verify_cb verify_cb; + X509_STORE_CTX *csc; + int ok = 0; + + if (ts == NULL || (verify_cb = X509_STORE_get_verify_cb(ts)) == NULL) + return ok; + if ((csc = X509_STORE_CTX_new()) != NULL + && X509_STORE_CTX_init(csc, ts, cert, NULL)) { + X509_STORE_CTX_set_error(csc, err); + X509_STORE_CTX_set_current_cert(csc, cert); + ok = (*verify_cb)(0, csc); + } + X509_STORE_CTX_free(csc); + return ok; +} + /* Return 0 if expect_name != NULL and there is no matching actual_name */ static int check_name(const OSSL_CMP_CTX *ctx, int log_success, const char *actual_desc, const X509_NAME *actual_name, @@ -256,9 +274,14 @@ static int cert_acceptable(const OSSL_CMP_CTX *ctx, time_cmp = X509_cmp_timeframe(vpm, X509_get0_notBefore(cert), X509_get0_notAfter(cert)); if (time_cmp != 0) { + int err = time_cmp > 0 ? X509_V_ERR_CERT_HAS_EXPIRED + : X509_V_ERR_CERT_NOT_YET_VALID; + ossl_cmp_warn(ctx, time_cmp > 0 ? "cert has expired" : "cert is not yet valid"); - return 0; + if (ctx->log_cb != NULL /* logging not temporarily disabled */ + && verify_cb_cert(ts, cert, err) <= 0) + return 0; } if (!check_name(ctx, 1, @@ -432,12 +455,6 @@ static int check_msg_all_certs(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg, return ret; } -static int no_log_cb(const char *func, const char *file, int line, - OSSL_CMP_severity level, const char *msg) -{ - return 1; -} - /*- * Verify message signature with any acceptable and valid candidate cert. * On success cache the found cert using ossl_cmp_ctx_set1_validatedSrvCert(). 
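Review bot: In cert_acceptable, the new condition `ctx->log_cb != NULL && verify_cb_cert(ts, cert, err) <= 0` lets an expired or not-yet-valid certificate pass this check whenever the log callback is NULL, because the rejection now depends on the logging state. check_msg_find_cert sets `ctx->log_cb = NULL` on purpose in the last hunk of this file, but any context with no log callback for other reasons takes the same path, and whether a later path validation still rejects the certificate is not visible here. If the deferral is intended, say so at the test, e.g. `/* with logging disabled the validity period is not enforced here; path validation must reject the cert */`. Otherwise track the temporary state in its own flag rather than in log_cb. cert_acceptable starts before and ends after the hunk.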
@@ -465,7 +482,7 @@ static int check_msg_find_cert(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg) /* enable clearing irrelevant errors in attempts to validate sender certs */ (void)ERR_set_mark(); - ctx->log_cb = no_log_cb; /* temporarily disable logging */ + ctx->log_cb = NULL; /* temporarily disable logging */ /* * try first cached scrt, used successfully earlier in same transaction, diff --git a/doc/man3/OSSL_CMP_validate_msg.pod b/doc/man3/OSSL_CMP_validate_msg.pod index 9fe7f4385f0f1..7dbe3f74ca1eb 100644 --- a/doc/man3/OSSL_CMP_validate_msg.pod +++ b/doc/man3/OSSL_CMP_validate_msg.pod @@ -30,10 +30,12 @@ is preferably the one provided by a call to L. If no such sender cert has been pinned then candidate sender certificates are taken from the list of certificates received in the I extraCerts, then any certificates provided before via L, and -then all trusted certificates provided via L, -where a candidate is acceptable only if has not expired, its subject DN matches +then all trusted certificates provided via L. +A candidate certificate is acceptable only if it is currently valid +(or the trust store contains a verification callback that overrides the verdict +that the certificate is expired or not yet valid), its subject DN matches the I sender DN (as far as present), and its subject key identifier -is present and matches the senderKID (as far as the latter present). +is present and matches the senderKID (as far as the latter is present). Each acceptable cert is tried in the given order to see if the message signature check succeeds and the cert and its path can be verified using any trust store set via L. From 8c040c086ca11a519975c58961a5dc933aa6524a Mon Sep 17 00:00:00 2001 
From: Bernd Edlinger Date: Mon, 11 Sep 2023 06:38:31 +0200 Subject: [PATCH 226/324] Fix some memory leaks in the openssl app In some error cases the normal cleanup did not happen, but instead an exit(1) which caused some memory leaks, as reported in #22049. Reviewed-by: Tom Cosgrove Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/22055) --- apps/dgst.c | 2 ++ apps/dhparam.c | 2 ++ apps/dsaparam.c | 2 ++ apps/gendsa.c | 2 ++ apps/genpkey.c | 2 ++ apps/genrsa.c | 2 ++ apps/lib/apps.c | 8 ++++---- apps/req.c | 2 ++ 8 files changed, 18 insertions(+), 4 deletions(-) diff --git a/apps/dgst.c b/apps/dgst.c index fe05b312d7b2d..28123f813f112 100644 --- a/apps/dgst.c +++ b/apps/dgst.c @@ -321,6 +321,8 @@ int dgst_main(int argc, char **argv) sigkey = app_keygen(mac_ctx, mac_name, 0, 0 /* not verbose */); /* Verbose output would make external-tests gost-engine fail */ EVP_PKEY_CTX_free(mac_ctx); + if (sigkey == NULL) + goto end; } if (hmac_key != NULL) { diff --git a/apps/dhparam.c b/apps/dhparam.c index a41e70fe38330..d14c569503013 100644 --- a/apps/dhparam.c +++ b/apps/dhparam.c @@ -233,6 +233,8 @@ int dhparam_main(int argc, char **argv) } tmppkey = app_paramgen(ctx, alg); + if (tmppkey == NULL) + goto end; EVP_PKEY_CTX_free(ctx); ctx = NULL; if (dsaparam) { diff --git a/apps/dsaparam.c b/apps/dsaparam.c index 4eb157042e562..8bd2e1361bf52 100644 --- a/apps/dsaparam.c +++ b/apps/dsaparam.c @@ -232,6 +232,8 @@ int dsaparam_main(int argc, char **argv) goto end; } pkey = app_keygen(ctx, "DSA", numbits, verbose); + if (pkey == NULL) + goto end; assert(private); if (outformat == FORMAT_ASN1) i = i2d_PrivateKey_bio(out, pkey); diff --git a/apps/gendsa.c b/apps/gendsa.c index bd8aecedbd9c6..b6d1d0f5b3f76 100644 --- a/apps/gendsa.c +++ b/apps/gendsa.c 
@@ -148,6 +148,8 @@ int gendsa_main(int argc, char **argv) goto end; } pkey = app_keygen(ctx, "DSA", nbits, verbose); + if (pkey == NULL) + goto end; assert(private); if (!PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, passout)) { diff --git a/apps/genpkey.c b/apps/genpkey.c index 5a59dae6811d6..080f1f60756e7 100644 --- a/apps/genpkey.c +++ b/apps/genpkey.c @@ -234,6 +234,8 @@ int genpkey_main(int argc, char **argv) pkey = do_param ? app_paramgen(ctx, algname) : app_keygen(ctx, algname, 0, 0 /* not verbose */); + if (pkey == NULL) + goto end; if (do_param) { rv = PEM_write_bio_Parameters(out, pkey); diff --git a/apps/genrsa.c b/apps/genrsa.c index 3151de646bca5..f71bc6eeb111d 100644 --- a/apps/genrsa.c +++ b/apps/genrsa.c @@ -204,6 +204,8 @@ int genrsa_main(int argc, char **argv) goto end; } pkey = app_keygen(ctx, "RSA", num, verbose); + if (pkey == NULL) + goto end; if (verbose) { BIGNUM *e = NULL; diff --git a/apps/lib/apps.c b/apps/lib/apps.c index 8aad9a1ef7cf9..6b2a4b86ce670 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -3417,8 +3417,8 @@ EVP_PKEY *app_keygen(EVP_PKEY_CTX *ctx, const char *alg, int bits, int verbose) BIO_printf(bio_err, "Warning: generating random key material may take a long time\n" "if the system has a poor entropy source\n"); if (EVP_PKEY_keygen(ctx, &res) <= 0) - app_bail_out("%s: Error generating %s key\n", opt_getprog(), - alg != NULL ? alg : "asymmetric"); + BIO_printf(bio_err, "%s: Error generating %s key\n", opt_getprog(), + alg != NULL ? alg : "asymmetric"); return res; } 
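Review bot: With app_bail_out() replaced by BIO_printf() in app_keygen(), and in app_paramgen() in the next hunk, a NULL return is now part of both helpers' contract, but nothing at either definition says so. A comment above each, `/* Prints a message and returns NULL on failure; the caller must check and clean up */`, would make that clear to callers written against the old exit-on-error behaviour. The declaration of `res` is outside the hunk, so it is worth confirming it is initialised to NULL, since the failure path now returns whatever it holds.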
@@ -3430,8 +3430,8 @@ EVP_PKEY *app_paramgen(EVP_PKEY_CTX *ctx, const char *alg) BIO_printf(bio_err, "Warning: generating random key parameters may take a long time\n" "if the system has a poor entropy source\n"); if (EVP_PKEY_paramgen(ctx, &res) <= 0) - app_bail_out("%s: Generating %s key parameters failed\n", - opt_getprog(), alg != NULL ? alg : "asymmetric"); + BIO_printf(bio_err, "%s: Generating %s key parameters failed\n", + opt_getprog(), alg != NULL ? alg : "asymmetric"); return res; } diff --git a/apps/req.c b/apps/req.c index c4c9ba292cb05..3ce2b384969b6 100644 --- a/apps/req.c +++ b/apps/req.c @@ -663,6 +663,8 @@ int req_main(int argc, char **argv) EVP_PKEY_CTX_set_cb(genctx, progress_cb); pkey = app_keygen(genctx, keyalgstr, newkey_len, verbose); + if (pkey == NULL) + goto end; EVP_PKEY_CTX_free(genctx); genctx = NULL; From d4f22a915ac50570015a23ad794032c4fb9496cb Mon Sep 17 00:00:00 2001 From: Bernd Edlinger Date: Tue, 19 Sep 2023 20:15:18 +0200 Subject: [PATCH 227/324] Fix error handling in CRYPTO_get_ex_new_index If an out of memory error happens when the index zero is reserved in a newly created ip->meth stack object, that reservation is not done in a second attempt, which makes various X_set_ex_data overwrite the value of X_set_app_data. Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22149) --- crypto/ex_data.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/crypto/ex_data.c b/crypto/ex_data.c index c9ec9d33370d2..0412f38e9baae 100644 --- a/crypto/ex_data.c +++ b/crypto/ex_data.c @@ -171,6 +171,8 @@ int ossl_crypto_get_ex_new_index_ex(OSSL_LIB_CTX *ctx, int class_index, * "app_data" routines use ex_data index zero. See RT 3710. */ if (ip->meth == NULL || !sk_EX_CALLBACK_push(ip->meth, NULL)) { + sk_EX_CALLBACK_free(ip->meth); + ip->meth = NULL; ERR_raise(ERR_LIB_CRYPTO, ERR_R_CRYPTO_LIB); goto err; } From 5fbfd641aeebdf4b29a0749e13a79a1e59502878 Mon Sep 17 00:00:00 2001 
From: Bernd Edlinger Date: Wed, 20 Sep 2023 15:45:56 +0200 Subject: [PATCH 228/324] Fix error handling in lhash contract When the realloc fails in contract, this not a fatal error, since the memory is only shrinked. It is also no option to exit the function at this point, since that would leave the hash table in an inconsistent state. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22154) --- crypto/lhash/lhash.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/lhash/lhash.c b/crypto/lhash/lhash.c index 526af83026064..9d2b284ae0fa2 100644 --- a/crypto/lhash/lhash.c +++ b/crypto/lhash/lhash.c @@ -260,12 +260,12 @@ static void contract(OPENSSL_LHASH *lh) if (n == NULL) { /* fputs("realloc error in lhash", stderr); */ lh->error++; - return; + } else { + lh->b = n; } lh->num_alloc_nodes /= 2; lh->pmax /= 2; lh->p = lh->pmax - 1; - lh->b = n; } else lh->p--; From dee2129802d9694d72e8745aec2d8bd4577ee4ee Mon Sep 17 00:00:00 2001 From: Steffen Klee Date: Wed, 20 Sep 2023 00:04:18 +0200 Subject: [PATCH 229/324] Fix test_cms if DSA is not supported CLA: trivial Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22150) --- test/recipes/80-test_cms.t | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t index 21c683c4046a7..385791610577e 100644 --- a/test/recipes/80-test_cms.t +++ b/test/recipes/80-test_cms.t 
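Review bot: The failed-realloc branch in contract() still does `lh->error++` although the commit treats a failed shrink as harmless, so code that reads the table's error counter afterwards (outside this hunk, not confirmed here) may report a failure for an operation that actually succeeded. If the counter is meant to stay, a comment in place of the dead `fputs` line would explain the branch, e.g. `/* shrinking failed: keep the old, larger array; the table remains consistent */`. The halved `num_alloc_nodes` then understates the size of the array still held in `lh->b`, which looks safe but deserves the same comment. contract() starts before the hunk and continues after it.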
@@ -1144,9 +1144,13 @@ with({ exit_checker => sub { return shift == 6; } }, # Test case for return value mis-check reported in #21986 with({ exit_checker => sub { return shift == 3; } }, sub { - ok(run(app(['openssl', 'cms', '-sign', - '-in', srctop_file("test", "smcont.txt"), - '-signer', srctop_file("test/smime-certs", "smdsa1.pem"), - '-md', 'SHAKE256'])), - "issue#21986"); + SKIP: { + skip "DSA is not supported in this build", 1 if $no_dsa; + + ok(run(app(['openssl', 'cms', '-sign', + '-in', srctop_file("test", "smcont.txt"), + '-signer', srctop_file("test/smime-certs", "smdsa1.pem"), + '-md', 'SHAKE256'])), + "issue#21986"); + } }); From 1bebf4b0417303895a6cc350da97beb0d1534b60 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= Date: Tue, 12 Sep 2023 15:24:21 +0200 Subject: [PATCH 230/324] Add command line option for setting provider in evp_test Reviewed-by: Richard Levitte Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/22151) --- test/evp_test.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/test/evp_test.c b/test/evp_test.c index ff424eac729b4..f998c21426c27 100644 --- a/test/evp_test.c +++ b/test/evp_test.c @@ -73,10 +73,12 @@ typedef enum OPTION_choice { OPT_EOF = 0, OPT_CONFIG_FILE, OPT_IN_PLACE, + OPT_PROVIDER_NAME, OPT_TEST_ENUM } OPTION_CHOICE; static OSSL_PROVIDER *prov_null = NULL; +static OSSL_PROVIDER *libprov = NULL; static OSSL_LIB_CTX *libctx = NULL; /* List of public and private keys */ @@ -4117,6 +4119,8 @@ const OPTIONS *test_get_options(void) "The configuration file to use for the libctx" }, { "process", OPT_IN_PLACE, 's', "Mode for data processing by cipher tests [in_place/both], both by default"}, + { "provider", OPT_PROVIDER_NAME, 's', + "The provider to load (when no configuration file, the default value is 'default')" }, { OPT_HELP_STR, 1, '-', "file\tFile to run tests on.\n" }, { NULL } }; 
@@ -4127,6 +4131,7 @@ int setup_tests(void) { size_t n; char *config_file = NULL; + char *provider_name = NULL; OPTION_CHOICE o; @@ -4139,6 +4144,9 @@ int setup_tests(void) if ((process_mode_in_place = evp_test_process_mode(opt_arg())) == -1) return 0; break; + case OPT_PROVIDER_NAME: + provider_name = opt_arg(); + break; case OPT_TEST_CASES: break; default: @@ -4152,7 +4160,9 @@ int setup_tests(void) * Load the 'null' provider into the default library context to ensure that * the tests do not fallback to using the default provider. */ - if (!test_get_libctx(&libctx, &prov_null, config_file, NULL, NULL)) + if (config_file == NULL && provider_name == NULL) + provider_name = "default"; + if (!test_get_libctx(&libctx, &prov_null, config_file, &libprov, provider_name)) return 0; n = test_get_argument_count(); @@ -4165,6 +4175,7 @@ int setup_tests(void) void cleanup_tests(void) { + OSSL_PROVIDER_unload(libprov); OSSL_PROVIDER_unload(prov_null); OSSL_LIB_CTX_free(libctx); } From f34878d846de43a6f760e506f440b5fef85afba6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= Date: Fri, 8 Sep 2023 11:44:27 +0200 Subject: [PATCH 231/324] Add command line option for setting propquery in evp_test Reviewed-by: Richard Levitte Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/22151) --- test/evp_test.c | 27 +++++++++++++++++---------- 1 file changed, 17 insertions(+), 10 deletions(-) diff --git a/test/evp_test.c b/test/evp_test.c index f998c21426c27..309ab94c21b54 100644 --- a/test/evp_test.c +++ b/test/evp_test.c @@ -74,6 +74,7 @@ typedef enum OPTION_choice { OPT_CONFIG_FILE, OPT_IN_PLACE, OPT_PROVIDER_NAME, + OPT_PROV_PROPQUERY, OPT_TEST_ENUM } OPTION_CHOICE; @@ -116,6 +117,7 @@ static int memory_err_compare(EVP_TEST *t, const char *err, /* Option specific for evp test */ static int process_mode_in_place; +static const char *propquery = NULL; static int evp_test_process_mode(char *mode) { 
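Review bot: In setup_tests() the existing comment about loading the 'null' provider now sits directly above the new `if (config_file == NULL && provider_name == NULL)` line, which it does not describe. The new defaulting should get its own comment placed after the old one, for example `/* With neither -config nor -provider given, load the "default" provider into libctx */`. `provider_name` is also declared `char *` and then assigned the string literal `"default"`. Declaring it `const char *provider_name = NULL;` would be cleaner if test_get_libctx() takes a const-qualified name, which is not visible here. The function continues outside these hunks.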
@@ -367,7 +369,7 @@ static int digest_test_init(EVP_TEST *t, const char *alg) return 1; } - if ((digest = fetched_digest = EVP_MD_fetch(libctx, alg, NULL)) == NULL + if ((digest = fetched_digest = EVP_MD_fetch(libctx, alg, propquery)) == NULL && (digest = EVP_get_digestbyname(alg)) == NULL) return 0; if (!TEST_ptr(mdat = OPENSSL_zalloc(sizeof(*mdat)))) @@ -596,7 +598,7 @@ static int cipher_test_init(EVP_TEST *t, const char *alg) } ERR_set_mark(); - if ((cipher = fetched_cipher = EVP_CIPHER_fetch(libctx, alg, NULL)) == NULL + if ((cipher = fetched_cipher = EVP_CIPHER_fetch(libctx, alg, propquery)) == NULL && (cipher = EVP_get_cipherbyname(alg)) == NULL) { /* a stitched cipher might not be available */ if (strstr(alg, "HMAC") != NULL) { @@ -1244,7 +1246,7 @@ static int mac_test_init(EVP_TEST *t, const char *alg) t->skip = 1; return 1; } - if ((mac = EVP_MAC_fetch(libctx, alg, NULL)) == NULL) { + if ((mac = EVP_MAC_fetch(libctx, alg, propquery)) == NULL) { /* * Since we didn't find an EVP_MAC, we check for known EVP_PKEY methods * For debugging purposes, we allow 'NNNN by EVP_PKEY' to force running @@ -1421,7 +1423,7 @@ static int mac_test_run_pkey(EVP_TEST *t) t->err = NULL; goto err; } - if (!TEST_ptr(cipher = EVP_CIPHER_fetch(libctx, expected->alg, NULL))) { + if (!TEST_ptr(cipher = EVP_CIPHER_fetch(libctx, expected->alg, propquery))) { t->err = "MAC_KEY_CREATE_ERROR"; goto err; } @@ -1794,7 +1796,7 @@ static int pkey_test_init(EVP_TEST *t, const char *name, return 0; } kdata->keyop = keyop; - if (!TEST_ptr(kdata->ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, NULL))) { + if (!TEST_ptr(kdata->ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, propquery))) { EVP_PKEY_free(pkey); OPENSSL_free(kdata); return 0; 
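Review bot: The legacy fallbacks `EVP_get_digestbyname(alg)` in digest_test_init() and `EVP_get_cipherbyname(alg)` in cipher_test_init() are still reached when the fetch with `propquery` fails. A run with `-propquery` may therefore continue with an implementation the query did not select, and a test meant to pin one provider could pass against another. How the fallback object is resolved later is outside these hunks. Skipping the fallback when a query was given keeps the selection strict, e.g. `&& (propquery != NULL || (digest = EVP_get_digestbyname(alg)) == NULL))`, with the same change for the cipher. Both functions start and end outside the hunks.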
@@ -2293,7 +2295,7 @@ static int pbe_test_run(EVP_TEST *t) #endif } else if (expected->pbe_type == PBE_TYPE_PKCS12) { fetched_digest = EVP_MD_fetch(libctx, EVP_MD_get0_name(expected->md), - NULL); + propquery); if (fetched_digest == NULL) { t->err = "PKCS12_ERROR"; goto err; @@ -2533,7 +2535,7 @@ static int rand_test_init(EVP_TEST *t, const char *name) if (!EVP_RAND_CTX_set_params(rdata->parent, params)) goto err; - rand = EVP_RAND_fetch(libctx, name, NULL); + rand = EVP_RAND_fetch(libctx, name, propquery); if (rand == NULL) goto err; rdata->ctx = EVP_RAND_CTX_new(rand, rdata->parent); @@ -2785,7 +2787,7 @@ static int kdf_test_init(EVP_TEST *t, const char *name) kdata->p = kdata->params; *kdata->p = OSSL_PARAM_construct_end(); - kdf = EVP_KDF_fetch(libctx, name, NULL); + kdf = EVP_KDF_fetch(libctx, name, propquery); if (kdf == NULL) { OPENSSL_free(kdata); return 0; @@ -2994,7 +2996,7 @@ static int pkey_kdf_test_init(EVP_TEST *t, const char *name) if (!TEST_ptr(kdata = OPENSSL_zalloc(sizeof(*kdata)))) return 0; - kdata->ctx = EVP_PKEY_CTX_new_from_name(libctx, name, NULL); + kdata->ctx = EVP_PKEY_CTX_new_from_name(libctx, name, propquery); if (kdata->ctx == NULL || EVP_PKEY_derive_init(kdata->ctx) <= 0) goto err; @@ -3222,7 +3224,7 @@ static int keygen_test_init(EVP_TEST *t, const char *alg) t->skip = 1; return 1; } - if (!TEST_ptr(genctx = EVP_PKEY_CTX_new_from_name(libctx, alg, NULL))) + if (!TEST_ptr(genctx = EVP_PKEY_CTX_new_from_name(libctx, alg, propquery))) goto err; if (EVP_PKEY_keygen_init(genctx) <= 0) { @@ -4121,6 +4123,8 @@ const OPTIONS *test_get_options(void) "Mode for data processing by cipher tests [in_place/both], both by default"}, { "provider", OPT_PROVIDER_NAME, 's', "The provider to load (when no configuration file, the default value is 'default')" }, + { "propquery", OPT_PROV_PROPQUERY, 's', + "Property query used when fetching algorithms" }, { OPT_HELP_STR, 1, '-', "file\tFile to run tests on.\n" }, { NULL } }; 
@@ -4147,6 +4151,9 @@ int setup_tests(void) case OPT_PROVIDER_NAME: provider_name = opt_arg(); break; + case OPT_PROV_PROPQUERY: + propquery = opt_arg(); + break; case OPT_TEST_CASES: break; default: From 43b94c7fe4a427ad95f7401dd24f42d2ae094dfb Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 14 Sep 2023 10:59:47 +0100 Subject: [PATCH 232/324] Create a noisy dgram test Create a noisy dgram test that can drop/duplicate/reorder UDP packets and ensure that the QUIC connection is tolerant of this. At this stage we just create the outline of the test. Adding in the noise will come in future commits. Reviewed-by: Tim Hudson Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22157) --- test/build.info | 8 +-- test/helpers/noisydgrambio.c | 130 +++++++++++++++++++++++++++++++++++ test/helpers/quictestlib.c | 8 +++ test/helpers/quictestlib.h | 12 +++- test/quicapitest.c | 31 +++++++++ 5 files changed, 183 insertions(+), 6 deletions(-) create mode 100644 test/helpers/noisydgrambio.c diff --git a/test/build.info b/test/build.info index d897f726a86fe..4736e28c8b0bb 100644 --- a/test/build.info +++ b/test/build.info @@ -339,7 +339,7 @@ IF[{- !$disabled{tests} -}] INCLUDE[quic_client_test]=../include ../apps/include DEPEND[quic_client_test]=../libcrypto.a ../libssl.a libtestutil.a - SOURCE[quic_multistream_test]=quic_multistream_test.c helpers/ssltestlib.c helpers/quictestlib.c + SOURCE[quic_multistream_test]=quic_multistream_test.c helpers/ssltestlib.c helpers/quictestlib.c helpers/noisydgrambio.c INCLUDE[quic_multistream_test]=../include ../apps/include DEPEND[quic_multistream_test]=../libcrypto.a ../libssl.a libtestutil.a 
@@ -818,15 +818,15 @@ IF[{- !$disabled{tests} -}] INCLUDE[event_queue_test]=../include ../apps/include DEPEND[event_queue_test]=../libcrypto ../libssl.a libtestutil.a - SOURCE[quicfaultstest]=quicfaultstest.c helpers/ssltestlib.c helpers/quictestlib.c + SOURCE[quicfaultstest]=quicfaultstest.c helpers/ssltestlib.c helpers/quictestlib.c helpers/noisydgrambio.c INCLUDE[quicfaultstest]=../include ../apps/include .. DEPEND[quicfaultstest]=../libcrypto.a ../libssl.a libtestutil.a - SOURCE[quicapitest]=quicapitest.c helpers/ssltestlib.c helpers/quictestlib.c + SOURCE[quicapitest]=quicapitest.c helpers/ssltestlib.c helpers/quictestlib.c helpers/noisydgrambio.c INCLUDE[quicapitest]=../include ../apps/include DEPEND[quicapitest]=../libcrypto.a ../libssl.a libtestutil.a - SOURCE[quic_newcid_test]=quic_newcid_test.c helpers/ssltestlib.c helpers/quictestlib.c + SOURCE[quic_newcid_test]=quic_newcid_test.c helpers/ssltestlib.c helpers/quictestlib.c helpers/noisydgrambio.c INCLUDE[quic_newcid_test]=../include ../apps/include .. DEPEND[quic_newcid_test]=../libcrypto.a ../libssl.a libtestutil.a ENDIF diff --git a/test/helpers/noisydgrambio.c b/test/helpers/noisydgrambio.c new file mode 100644 index 0000000000000..890ff7904c08f --- /dev/null +++ b/test/helpers/noisydgrambio.c 
@@ -0,0 +1,130 @@ +/* + * Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include "quictestlib.h" + +static int noisy_dgram_read(BIO *bio, char *out, int outl) +{ + /* We don't support this - not needed anyway */ + return -1; +} + +static int noisy_dgram_write(BIO *bio, const char *in, int inl) +{ + /* We don't support this - not needed anyway */ + return -1; +} + +static long noisy_dgram_ctrl(BIO *bio, int cmd, long num, void *ptr) +{ + long ret; + BIO *next = BIO_next(bio); + + if (next == NULL) + return 0; + + switch (cmd) { + case BIO_CTRL_DUP: + ret = 0L; + break; + default: + ret = BIO_ctrl(next, cmd, num, ptr); + break; + } + return ret; +} + +static int noisy_dgram_gets(BIO *bio, char *buf, int size) +{ + /* We don't support this - not needed anyway */ + return -1; +} + +static int noisy_dgram_puts(BIO *bio, const char *str) +{ + /* We don't support this - not needed anyway */ + return -1; +} + +static int noisy_dgram_sendmmsg(BIO *bio, BIO_MSG *msg, size_t stride, + size_t num_msg, uint64_t flags, + size_t *msgs_processed) +{ + BIO *next = BIO_next(bio); + + if (next == NULL) + return 0; + + /* + * We only introduce noise when receiving messages. We just pass this on + * to the underlying BIO. + */ + return BIO_sendmmsg(next, msg, stride, num_msg, flags, msgs_processed); +} + +static int noisy_dgram_recvmmsg(BIO *bio, BIO_MSG *msg, size_t stride, + size_t num_msg, uint64_t flags, + size_t *msgs_processed) +{ + BIO *next = BIO_next(bio); + + if (next == NULL) + return 0; + + /* + * We will introduce noise here. None implemented yet. 
+ */ + return BIO_recvmmsg(next, msg, stride, num_msg, flags, msgs_processed); +} + +static int noisy_dgram_new(BIO *bio) +{ + BIO_set_init(bio, 1); + + return 1; +} + +static int noisy_dgram_free(BIO *bio) +{ + BIO_set_init(bio, 0); + + return 1; +} + +/* Choose a sufficiently large type likely to be unused for this custom BIO */ +#define BIO_TYPE_NOISY_DGRAM_FILTER (0x80 | BIO_TYPE_FILTER) + +static BIO_METHOD *method_noisy_dgram = NULL; + +/* Note: Not thread safe! */ +const BIO_METHOD *bio_f_noisy_dgram_filter(void) +{ + if (method_noisy_dgram == NULL) { + method_noisy_dgram = BIO_meth_new(BIO_TYPE_NOISY_DGRAM_FILTER, + "Nosiy datagram filter"); + if (method_noisy_dgram == NULL + || !BIO_meth_set_write(method_noisy_dgram, noisy_dgram_write) + || !BIO_meth_set_read(method_noisy_dgram, noisy_dgram_read) + || !BIO_meth_set_puts(method_noisy_dgram, noisy_dgram_puts) + || !BIO_meth_set_gets(method_noisy_dgram, noisy_dgram_gets) + || !BIO_meth_set_ctrl(method_noisy_dgram, noisy_dgram_ctrl) + || !BIO_meth_set_sendmmsg(method_noisy_dgram, noisy_dgram_sendmmsg) + || !BIO_meth_set_recvmmsg(method_noisy_dgram, noisy_dgram_recvmmsg) + || !BIO_meth_set_create(method_noisy_dgram, noisy_dgram_new) + || !BIO_meth_set_destroy(method_noisy_dgram, noisy_dgram_free)) + return NULL; + } + return method_noisy_dgram; +} + +void bio_f_noisy_dgram_filter_free(void) +{ + BIO_meth_free(method_noisy_dgram); +} diff --git a/test/helpers/quictestlib.c b/test/helpers/quictestlib.c index f0955559dcac2..bc135eec95bd1 100644 --- a/test/helpers/quictestlib.c +++ b/test/helpers/quictestlib.c @@ -140,6 +140,14 @@ int qtest_create_quic_objects(OSSL_LIB_CTX *libctx, SSL_CTX *clientctx, goto err; } + if ((flags & QTEST_FLAG_NOISE) != 0) { + BIO *noisebio = BIO_new(bio_f_noisy_dgram_filter()); + + if (!TEST_ptr(noisebio)) + goto err; + cbio = BIO_push(noisebio, cbio); + } + SSL_set_bio(*cssl, cbio, cbio); if (!TEST_true(SSL_set_blocking_mode(*cssl, 
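Review bot: bio_f_noisy_dgram_filter() leaves `method_noisy_dgram` set when one of the `BIO_meth_set_*()` calls fails, so the next call skips the `== NULL` branch and returns the half-configured method. bio_f_noisy_dgram_filter_free() likewise frees the method without clearing the static pointer, so any later call to the getter would return freed memory. Both paths should reset the pointer to NULL, as sketched below. The name passed to BIO_meth_new() is also misspelled (`"Nosiy datagram filter"`).

```c
    if (method_noisy_dgram == NULL) {
        /* … unchanged: BIO_meth_new() and the BIO_meth_set_*() chain … */
            || !BIO_meth_set_destroy(method_noisy_dgram, noisy_dgram_free)) {
            /* Do not hand out a partially initialised method next time */
            BIO_meth_free(method_noisy_dgram);
            method_noisy_dgram = NULL;
            return NULL;
        }
    }
    return method_noisy_dgram;
}

void bio_f_noisy_dgram_filter_free(void)
{
    BIO_meth_free(method_noisy_dgram);
    /* Clear the cached pointer so a later getter call re-creates the method */
    method_noisy_dgram = NULL;
}
```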
diff --git a/test/helpers/quictestlib.h b/test/helpers/quictestlib.h index 45f6ebec7918e..7a72e352d9a86 100644 --- a/test/helpers/quictestlib.h +++ b/test/helpers/quictestlib.h @@ -27,9 +27,11 @@ typedef struct qtest_fault_encrypted_extensions { /* Flags for use with qtest_create_quic_objects() */ /* Indicates whether we are using blocking mode or not */ -#define QTEST_FLAG_BLOCK 1 +#define QTEST_FLAG_BLOCK (1 << 0) /* Use fake time rather than real time */ -#define QTEST_FLAG_FAKE_TIME 2 +#define QTEST_FLAG_FAKE_TIME (1 << 1) +/* Introduce noise in the BIO */ +#define QTEST_FLAG_NOISE (1 << 2) /* * Given an SSL_CTX for the client and filenames for the server certificate and @@ -230,3 +232,9 @@ int qtest_fault_set_datagram_listener(QTEST_FAULT *fault, * exceeds the over allocation. */ int qtest_fault_resize_datagram(QTEST_FAULT *fault, size_t newlen); + +/* BIO filter for simulating a noisy UDP socket */ +const BIO_METHOD *bio_f_noisy_dgram_filter(void); + +/* Free the BIO filter method object */ +void bio_f_noisy_dgram_filter_free(void); \ No newline at end of file diff --git a/test/quicapitest.c b/test/quicapitest.c index c471495aa21bc..ed11b73ba24cd 100644 --- a/test/quicapitest.c +++ b/test/quicapitest.c @@ -1250,6 +1250,34 @@ static int test_alpn(int idx) return testresult; } +static int test_noisy_dgram(void) +{ + SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, OSSL_QUIC_client_method()); + SSL *clientquic = NULL; + QUIC_TSERVER *qtserv = NULL; + int testresult = 0; + + if (!TEST_ptr(cctx) + || !TEST_true(qtest_create_quic_objects(libctx, cctx, NULL, cert, + privkey, + QTEST_FLAG_NOISE, + &qtserv, + &clientquic, NULL))) + goto err; + + if (!TEST_true(qtest_create_quic_connection(qtserv, clientquic))) + goto err; + + testresult = 1; + err: + ossl_quic_tserver_free(qtserv); + SSL_free(clientquic); + SSL_CTX_free(cctx); + + return testresult; +} + + OPT_TEST_DECLARE_USAGE("provider config certsdir datadir\n") int setup_tests(void) 
@@ -1323,6 +1351,8 @@ int setup_tests(void) ADD_ALL_TESTS(test_non_io_retry, 2); ADD_TEST(test_quic_psk); ADD_ALL_TESTS(test_alpn, 2); + ADD_TEST(test_noisy_dgram); + return 1; err: cleanup_tests(); @@ -1331,6 +1361,7 @@ int setup_tests(void) void cleanup_tests(void) { + bio_f_noisy_dgram_filter_free(); OPENSSL_free(cert); OPENSSL_free(privkey); OSSL_PROVIDER_unload(defctxnull); From c6bb25fab062738d22bea38462d14bd1c7de22e5 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 14 Sep 2023 12:24:12 +0100 Subject: [PATCH 233/324] Add the ability to drop datagrams in the noisy dgram BIO Reviewed-by: Tim Hudson Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22157) --- test/helpers/noisydgrambio.c | 126 ++++++++++++++++++++++++++++++++++- 1 file changed, 123 insertions(+), 3 deletions(-) diff --git a/test/helpers/noisydgrambio.c b/test/helpers/noisydgrambio.c index 890ff7904c08f..f55be83616323 100644 --- a/test/helpers/noisydgrambio.c +++ b/test/helpers/noisydgrambio.c @@ -9,6 +9,11 @@ #include #include "quictestlib.h" +#include "../testutil.h" + +struct noisy_dgram_st { + size_t this_dgram; +}; static int noisy_dgram_read(BIO *bio, char *out, int outl) { 
@@ -69,23 +74,136 @@ static int noisy_dgram_sendmmsg(BIO *bio, BIO_MSG *msg, size_t stride, return BIO_sendmmsg(next, msg, stride, num_msg, flags, msgs_processed); } +static int should_drop(BIO *bio) +{ + struct noisy_dgram_st *data = BIO_get_data(bio); + + if (data == NULL) + return 0; + + /* + * Drop datagram 1 for now. + * TODO(QUIC): Provide more control over this behaviour. + */ + if (data->this_dgram == 1) + return 1; + + return 0; +} + +/* There isn't a public function to do BIO_ADDR_copy() so we create one */ +static int bio_addr_copy(BIO_ADDR *dst, BIO_ADDR *src) +{ + size_t len; + void *data = NULL; + int res = 0; + int family; + + if (src == NULL || dst == NULL) + return 0; + + family = BIO_ADDR_family(src); + if (family == AF_UNSPEC) { + BIO_ADDR_clear(dst); + return 1; + } + + if (!BIO_ADDR_rawaddress(src, NULL, &len)) + return 0; + + if (len > 0) { + data = OPENSSL_malloc(len); + if (!TEST_ptr(data)) + return 0; + } + + if (!BIO_ADDR_rawaddress(src, data, &len)) + goto err; + + if (!BIO_ADDR_rawmake(src, family, data, len, BIO_ADDR_rawport(src))) + goto err; + + res = 1; + err: + OPENSSL_free(data); + return res; +} + static int noisy_dgram_recvmmsg(BIO *bio, BIO_MSG *msg, size_t stride, size_t num_msg, uint64_t flags, size_t *msgs_processed) { BIO *next = BIO_next(bio); + size_t i, data_len = 0, drop_cnt = 0; + BIO_MSG *src, *dst; + struct noisy_dgram_st *data; - if (next == NULL) + if (!TEST_ptr(next)) + return 0; + + data = BIO_get_data(bio); + if (!TEST_ptr(data)) return 0; /* - * We will introduce noise here. None implemented yet. + * For simplicity we assume that all elements in the msg array have the + * same data_len. They are not required to by the API, but it would be quite + * strange for that not to be the case - and our code that calls + * BIO_recvmmsg does do this (which is all that is important for this test + * code). We test the invariant here. 
*/ - return BIO_recvmmsg(next, msg, stride, num_msg, flags, msgs_processed); + for (i = 0; i < num_msg; i++) { + if (i == 0) + data_len = msg[i].data_len; + else if (!TEST_size_t_eq(msg[i].data_len, data_len)) + return 0; + } + + if (!BIO_recvmmsg(next, msg, stride, num_msg, flags, msgs_processed)) + return 0; + + /* Drop any messages */ + for (i = 0, src = msg, dst = msg; + i < *msgs_processed; + i++, src++, data->this_dgram++) { + if (should_drop(bio)) { + drop_cnt++; + continue; + } + + if (src != dst) { + /* Copy the src BIO_MSG to the dst BIO_MSG */ + memcpy(dst->data, src->data, src->data_len); + dst->data_len = src->data_len; + dst->flags = src->flags; + if (src->local != NULL + && !TEST_true(bio_addr_copy(dst->local, src->local))) + return 0; + if (!TEST_true(bio_addr_copy(dst->peer, src->peer))) + return 0; + } + + dst++; + } + + *msgs_processed -= drop_cnt; + + if (*msgs_processed == 0) { + ERR_raise(ERR_LIB_BIO, BIO_R_NON_FATAL); + return 0; + } + + return 1; } static int noisy_dgram_new(BIO *bio) { + struct noisy_dgram_st *data = OPENSSL_zalloc(sizeof(*data)); + + if (!TEST_ptr(data)) + return 0; + + BIO_set_data(bio, data); BIO_set_init(bio, 1); return 1; @@ -93,6 +211,8 @@ static int noisy_dgram_new(BIO *bio) static int noisy_dgram_free(BIO *bio) { + OPENSSL_free(BIO_get_data(bio)); + BIO_set_data(bio, NULL); BIO_set_init(bio, 0); return 1; From 19d79bb2ba45729a49cbac9f98bd916190be0b4b Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 14 Sep 2023 16:34:41 +0100 Subject: [PATCH 234/324] Extend the nosiy datagram test to send more data We send several messages between client and server, and server and client, and also create a new stream. Reviewed-by: Tim Hudson Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22157) --- test/quicapitest.c | 116 ++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 115 insertions(+), 1 deletion(-) 
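Review bot: bio_addr_copy() does not write to `dst` for any family other than AF_UNSPEC, because its final call is `BIO_ADDR_rawmake(src, family, data, len, BIO_ADDR_rawport(src))`, which rebuilds the source from its own bytes. A datagram that noisy_dgram_recvmmsg() moves down the array therefore keeps the address already stored in the destination slot instead of its own. The call should be `if (!BIO_ADDR_rawmake(dst, family, data, len, BIO_ADDR_rawport(src)))`. In addition, `bio_addr_copy(dst->peer, src->peer)` is called unconditionally and the helper returns 0 for a NULL argument, so a caller that passes no peer address would see the whole receive fail. A `src->peer != NULL` guard like the one used for `local` would avoid that.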
diff --git a/test/quicapitest.c b/test/quicapitest.c index ed11b73ba24cd..19b59951f6e7d 100644 --- a/test/quicapitest.c +++ b/test/quicapitest.c @@ -1250,12 +1250,67 @@ static int test_alpn(int idx) return testresult; } +#define MAX_LOOPS 40 + +/* + * Keep retrying SSL_read_ex until it succeeds or we give up. Accept a stream + * if we don't already have one + */ +static int unreliable_client_read(SSL *clientquic, SSL **stream, void *buf, + size_t buflen, size_t *readbytes, + QUIC_TSERVER *qtserv) +{ + int abortctr; + + /* We just do this in a loop with a sleep for simplicity */ + for (abortctr = 0; abortctr < MAX_LOOPS; abortctr++) { + if (*stream == NULL) { + SSL_handle_events(clientquic); + *stream = SSL_accept_stream(clientquic, 0); + } + + if (*stream != NULL) { + if (SSL_read_ex(*stream, buf, buflen, readbytes)) + return 1; + if (SSL_get_error(*stream, 0) != SSL_ERROR_WANT_READ) + return 0; + } + ossl_quic_tserver_tick(qtserv); + OSSL_sleep(10); + } + + return 0; +} + +/* Keep retrying ossl_quic_tserver_read until it succeeds or we give up */ +static int unreliable_server_read(QUIC_TSERVER *qtserv, uint64_t sid, + void *buf, size_t buflen, size_t *readbytes, + SSL *clientquic) +{ + int abortctr; + + /* We just do this in a loop with a sleep for simplicity */ + for (abortctr = 0; abortctr < MAX_LOOPS; abortctr++) { + if (ossl_quic_tserver_read(qtserv, sid, buf, buflen, readbytes)) + return 1; + ossl_quic_tserver_tick(qtserv); + SSL_handle_events(clientquic); + OSSL_sleep(10); + } + + return 0; +} + static int test_noisy_dgram(void) { SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, OSSL_QUIC_client_method()); - SSL *clientquic = NULL; + SSL *clientquic = NULL, *stream[2] = { NULL, NULL }; QUIC_TSERVER *qtserv = NULL; int testresult = 0; + uint64_t sid = 0; + char *msg = "Hello world!"; + size_t msglen = strlen(msg), written, readbytes, i, j; + unsigned char buf[80]; if (!TEST_ptr(cctx) || !TEST_true(qtest_create_quic_objects(libctx, cctx, NULL, cert, 
@@ -1268,9 +1323,68 @@ static int test_noisy_dgram(void) if (!TEST_true(qtest_create_quic_connection(qtserv, clientquic))) goto err; + if (!TEST_true(SSL_set_incoming_stream_policy(clientquic, + SSL_INCOMING_STREAM_POLICY_ACCEPT, + 0)) + || !TEST_true(SSL_set_default_stream_mode(clientquic, + SSL_DEFAULT_STREAM_MODE_NONE))) + goto err; + + for (j = 0; j < 2; j++) { + if (!TEST_true(ossl_quic_tserver_stream_new(qtserv, 0, &sid))) + goto err; + ossl_quic_tserver_tick(qtserv); + + /* + * Send data from the server to the client. Some datagrams may get lost, + * dropped or re-ordered. We repeat 10 times to ensure we are sending + * enough datagrams for problems to be noticed. + */ + for (i = 0; i < 10; i++) { + if (!TEST_true(ossl_quic_tserver_write(qtserv, sid, + (unsigned char *)msg, msglen, + &written)) + || !TEST_size_t_eq(msglen, written)) + goto err; + ossl_quic_tserver_tick(qtserv); + + /* + * Since the underlying BIO is now noisy we may get failures that + * need to be retried - so we use unreliable_client_read() to handle + * that + */ + if (!TEST_true(unreliable_client_read(clientquic, &stream[j], buf, + sizeof(buf), &readbytes, + qtserv)) + || !TEST_mem_eq(msg, msglen, buf, readbytes)) + goto err; + } + + /* Send data from the client to the server */ + for (i = 0; i < 10; i++) { + if (!TEST_true(SSL_write_ex(stream[j], (unsigned char *)msg, + msglen, &written)) + || !TEST_size_t_eq(msglen, written)) + goto err; + + ossl_quic_tserver_tick(qtserv); + /* + * Since the underlying BIO is now noisy we may get failures that + * need to be retried - so we use unreliable_server_read() to handle + * that + */ + if (!TEST_true(unreliable_server_read(qtserv, sid, buf, sizeof(buf), + &readbytes, clientquic)) + || !TEST_mem_eq(msg, msglen, buf, readbytes)) + goto err; + } + } + testresult = 1; err: ossl_quic_tserver_free(qtserv); + SSL_free(stream[0]); + SSL_free(stream[1]); SSL_free(clientquic); SSL_CTX_free(cctx); 
From d3a8daca587157dda52991448258800e9cf1f657 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Fri, 15 Sep 2023 15:35:56 +0100 Subject: [PATCH 235/324] Use test_random() to introduce better noise into the noisy dgram BIO We drop some datagrams, and we delay some datagrams. We can also duplicate some datagrams. Reviewed-by: Tim Hudson Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22157) --- test/helpers/noisydgrambio.c | 162 +++++++++++++++++++++++++++-------- test/quicapitest.c | 2 +- 2 files changed, 128 insertions(+), 36 deletions(-) diff --git a/test/helpers/noisydgrambio.c b/test/helpers/noisydgrambio.c index f55be83616323..c1eb141ee5ce9 100644 --- a/test/helpers/noisydgrambio.c +++ b/test/helpers/noisydgrambio.c @@ -11,8 +11,12 @@ #include "quictestlib.h" #include "../testutil.h" +#define MSG_DATA_LEN_MAX 1472 + struct noisy_dgram_st { - size_t this_dgram; + uint64_t this_dgram; + BIO_MSG msg; + uint64_t delayed_dgram; }; static int noisy_dgram_read(BIO *bio, char *out, int outl) 
@@ -74,21 +78,31 @@ static int noisy_dgram_sendmmsg(BIO *bio, BIO_MSG *msg, size_t stride, return BIO_sendmmsg(next, msg, stride, num_msg, flags, msgs_processed); } -static int should_drop(BIO *bio) +static void get_noise(uint64_t *delay, int *should_drop) { - struct noisy_dgram_st *data = BIO_get_data(bio); + uint32_t type; - if (data == NULL) - return 0; + /* 20% of all datagrams should be noisy */ + if (test_random() % 5 != 0) { + *delay = 0; + *should_drop = 0; + return; + } + + type = test_random() % 3; + + /* Of noisy datagrams, 33% drop only, 33% delay only, 33% drop and delay */ + + *should_drop = (type == 0 || type == 1); + + /* Where a delay occurs we delay by 1 - 4 datagrams */ + *delay = (type == 0) ? 0 : (uint64_t)((test_random() % 4) + 1); /* - * Drop datagram 1 for now. - * TODO(QUIC): Provide more control over this behaviour. + * No point in delaying by 1 datagram if we are also dropping, so we delay + * by an extra datagram in that case */ - if (data->this_dgram == 1) - return 1; - - return 0; + *delay += (uint64_t)(*should_drop); } /* There isn't a public function to do BIO_ADDR_copy() so we create one */ 
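Review bot: The "drop only" case in get_noise() never occurs. For `type == 0` the code sets `*delay` to 0 and `*should_drop` to 1, and the final `*delay += (uint64_t)(*should_drop);` then raises the delay to 1. noisy_dgram_recvmmsg() keeps a copy whenever `delay > 0` and no other datagram is held, so that datagram is dropped and re-inserted one datagram later rather than lost. Pure loss therefore gets less coverage than the 33% the comment states. Applying the adjustment only when a delay was chosen keeps the three cases distinct: `if (*delay > 0) *delay += (uint64_t)(*should_drop);`.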
@@ -129,13 +143,36 @@ static int bio_addr_copy(BIO_ADDR *dst, BIO_ADDR *src) return res; } +static int bio_msg_copy(BIO_MSG *dst, BIO_MSG *src) +{ + /* + * Note it is assumed that the originally allocated data sizes for dst and + * src are the same + */ + memcpy(dst->data, src->data, src->data_len); + dst->data_len = src->data_len; + dst->flags = src->flags; + if (dst->local != NULL) { + if (src->local != NULL) { + if (!TEST_true(bio_addr_copy(dst->local, src->local))) + return 0; + } else { + BIO_ADDR_clear(dst->local); + } + } + if (!TEST_true(bio_addr_copy(dst->peer, src->peer))) + return 0; + + return 1; +} + static int noisy_dgram_recvmmsg(BIO *bio, BIO_MSG *msg, size_t stride, size_t num_msg, uint64_t flags, size_t *msgs_processed) { BIO *next = BIO_next(bio); - size_t i, data_len = 0, drop_cnt = 0; - BIO_MSG *src, *dst; + size_t i, j, data_len = 0, msg_cnt = 0; + BIO_MSG *thismsg; struct noisy_dgram_st *data; if (!TEST_ptr(next)) 
@@ -153,42 +190,76 @@ static int noisy_dgram_recvmmsg(BIO *bio, BIO_MSG *msg, size_t stride, * code). We test the invariant here. */ for (i = 0; i < num_msg; i++) { - if (i == 0) + if (i == 0) { data_len = msg[i].data_len; - else if (!TEST_size_t_eq(msg[i].data_len, data_len)) + if (!TEST_size_t_le(data_len, MSG_DATA_LEN_MAX)) + return 0; + } else if (!TEST_size_t_eq(msg[i].data_len, data_len)) { return 0; + } } if (!BIO_recvmmsg(next, msg, stride, num_msg, flags, msgs_processed)) return 0; - /* Drop any messages */ - for (i = 0, src = msg, dst = msg; - i < *msgs_processed; - i++, src++, data->this_dgram++) { - if (should_drop(bio)) { - drop_cnt++; - continue; + msg_cnt = *msgs_processed; + + /* Introduce noise */ + for (i = 0, thismsg = msg; + i < msg_cnt; + i++, thismsg++, data->this_dgram++) { + uint64_t delay; + int should_drop; + + /* If we have a delayed message ready insert it now */ + if (data->delayed_dgram > 0 + && data->delayed_dgram == data->this_dgram) { + if (msg_cnt < num_msg) { + /* Make space for the inserted message */ + for (j = msg_cnt; j > i; j--) { + if (!bio_msg_copy(&msg[j], &msg[j - 1])) + return 0; + } + if (!bio_msg_copy(thismsg, &data->msg)) + return 0; + msg_cnt++; + data->delayed_dgram = 0; + continue; + } /* else we have no space for the insertion, so just drop it */ + data->delayed_dgram = 0; } - if (src != dst) { - /* Copy the src BIO_MSG to the dst BIO_MSG */ - memcpy(dst->data, src->data, src->data_len); - dst->data_len = src->data_len; - dst->flags = src->flags; - if (src->local != NULL - && !TEST_true(bio_addr_copy(dst->local, src->local))) - return 0; - if (!TEST_true(bio_addr_copy(dst->peer, src->peer))) + get_noise(&delay, &should_drop); + + /* We ignore delay if a message is already delayed */ + if (delay > 0 && data->delayed_dgram == 0) { + /* + * Note that a message may be delayed *and* dropped, or delayed + * and *not* dropped. 
+ * Delayed and dropped means the message will not be sent now and + * will only be sent after the delay. + * Delayed and not dropped means the message will be sent now and + * a duplicate will also be sent after the delay. + */ + + if (!bio_msg_copy(&data->msg, thismsg)) return 0; + + data->delayed_dgram = data->this_dgram + delay; } - dst++; + if (should_drop) { + for (j = i + 1; j < msg_cnt; j++) { + if (!bio_msg_copy(&msg[j - 1], &msg[j])) + return 0; + } + msg_cnt--; + } } - *msgs_processed -= drop_cnt; + *msgs_processed = msg_cnt; - if (*msgs_processed == 0) { + if (msg_cnt == 0) { ERR_raise(ERR_LIB_BIO, BIO_R_NON_FATAL); return 0; } @@ -196,6 +267,17 @@ static int noisy_dgram_recvmmsg(BIO *bio, BIO_MSG *msg, size_t stride, return 1; } +static void data_free(struct noisy_dgram_st *data) +{ + if (data == NULL) + return; + + OPENSSL_free(data->msg.data); + BIO_ADDR_free(data->msg.peer); + BIO_ADDR_free(data->msg.local); + OPENSSL_free(data); +} + static int noisy_dgram_new(BIO *bio) { struct noisy_dgram_st *data = OPENSSL_zalloc(sizeof(*data)); @@ -203,6 +285,16 @@ static int noisy_dgram_new(BIO *bio) if (!TEST_ptr(data)) return 0; + data->msg.data = OPENSSL_malloc(MSG_DATA_LEN_MAX); + data->msg.peer = BIO_ADDR_new(); + data->msg.local = BIO_ADDR_new(); + if (data->msg.data == NULL + || data->msg.peer == NULL + || data->msg.local == NULL) { + data_free(data); + return 0; + } + BIO_set_data(bio, data); BIO_set_init(bio, 1); @@ -211,7 +303,7 @@ static int noisy_dgram_new(BIO *bio) static int noisy_dgram_free(BIO *bio) { - OPENSSL_free(BIO_get_data(bio)); + data_free(BIO_get_data(bio)); BIO_set_data(bio, NULL); BIO_set_init(bio, 0); diff --git a/test/quicapitest.c b/test/quicapitest.c index 19b59951f6e7d..0030c3108211e 100644 --- a/test/quicapitest.c +++ b/test/quicapitest.c 
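Review bot: After a drop in noisy_dgram_recvmmsg() the `for` header still advances `i` and `thismsg`, so the datagram just shifted into slot `i` is skipped. It is never passed to get_noise(), is not checked against `data->delayed_dgram`, and is not counted in `data->this_dgram`. The effect is that the datagram following every dropped one is always delivered untouched, and the delay counter drifts from the number of datagrams actually seen. I would advance the index only when the current datagram is kept, for example by turning the loop into `while (i < msg_cnt)` and using `continue` after `msg_cnt--` while still incrementing `data->this_dgram`. A short comment on the loop stating that `msg_cnt` changes during iteration would also help.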
@@ -1250,7 +1250,7 @@ static int test_alpn(int idx) return testresult; } -#define MAX_LOOPS 40 +#define MAX_LOOPS 2000 /* * Keep retrying SSL_read_ex until it succeeds or we give up. Accept a stream From fbfcc3fe3458c50a11aa414a1e499a2eee0eb2e9 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Mon, 18 Sep 2023 11:41:42 +0100 Subject: [PATCH 236/324] Add some optional debug output to the noisy dgram BIO Reviewed-by: Tim Hudson Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22157) --- test/helpers/noisydgrambio.c | 37 ++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/test/helpers/noisydgrambio.c b/test/helpers/noisydgrambio.c index c1eb141ee5ce9..b42dbe6f4b50e 100644 --- a/test/helpers/noisydgrambio.c +++ b/test/helpers/noisydgrambio.c @@ -202,6 +202,16 @@ static int noisy_dgram_recvmmsg(BIO *bio, BIO_MSG *msg, size_t stride, if (!BIO_recvmmsg(next, msg, stride, num_msg, flags, msgs_processed)) return 0; +#ifdef OSSL_NOISY_DGRAM_DEBUG + printf("Pre-filter datagram list:\n"); + for (i = 0; i < *msgs_processed; i++) { + printf("Pre-filter Datagram:\n"); + BIO_dump_fp(stdout, msg[i].data, msg[i].data_len); + printf("\n"); + } + printf("End of pre-filter datagram list\nApplying noise filters:\n"); +#endif + msg_cnt = *msgs_processed; /* Introduce noise */ @@ -224,6 +234,11 @@ static int noisy_dgram_recvmmsg(BIO *bio, BIO_MSG *msg, size_t stride, return 0; msg_cnt++; data->delayed_dgram = 0; +#ifdef OSSL_NOISY_DGRAM_DEBUG + printf("**Inserting a delayed datagram\n"); + BIO_dump_fp(stdout, thismsg->data, thismsg->data_len); + printf("\n"); +#endif continue; } /* else we have no space for the insertion, so just drop it */ data->delayed_dgram = 0; 
@@ -246,9 +261,21 @@ static int noisy_dgram_recvmmsg(BIO *bio, BIO_MSG *msg, size_t stride, return 0; data->delayed_dgram = data->this_dgram + delay; + +#ifdef OSSL_NOISY_DGRAM_DEBUG + printf("**Delaying a datagram for %u messages%s\n", + (unsigned int)delay, should_drop ? "" : "(duplicating)"); + BIO_dump_fp(stdout, thismsg->data, thismsg->data_len); + printf("\n"); +#endif } if (should_drop) { +#ifdef OSSL_NOISY_DGRAM_DEBUG + printf("**Dropping a datagram\n"); + BIO_dump_fp(stdout, thismsg->data, thismsg->data_len); + printf("\n"); +#endif for (j = i + 1; j < msg_cnt; j++) { if (!bio_msg_copy(&msg[j - 1], &msg[j])) return 0; @@ -257,6 +284,16 @@ static int noisy_dgram_recvmmsg(BIO *bio, BIO_MSG *msg, size_t stride, } } +#ifdef OSSL_NOISY_DGRAM_DEBUG + printf("End of noise filters\nPost-filter datagram list:\n"); + for (i = 0; i < msg_cnt; i++) { + printf("Post-filter Datagram:\n"); + BIO_dump_fp(stdout, msg[i].data, msg[i].data_len); + printf("\n"); + } + printf("End of post-filter datagram list\n"); +#endif + *msgs_processed = msg_cnt; if (msg_cnt == 0) { From a2026db2643db1e34cc25960e9ef74d08bcdee5a Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Mon, 18 Sep 2023 16:55:52 +0100 Subject: [PATCH 237/324] Add support for timeouts into quictestlib.c Now that we have a noisy datagram BIO we cannot rely on datagrams always reliably being delivered in the test framework. We need to start taking notice of timeouts and handling them appropriately. Reviewed-by: Tim Hudson Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22157) --- test/helpers/quictestlib.c | 55 +++++++++++++++++++++++++++++++++----- 1 file changed, 48 insertions(+), 7 deletions(-) diff --git a/test/helpers/quictestlib.c b/test/helpers/quictestlib.c index bc135eec95bd1..28791267edd00 100644 --- a/test/helpers/quictestlib.c +++ b/test/helpers/quictestlib.c 
@@ -66,6 +66,7 @@ struct qtest_fault { static void packet_plain_finish(void *arg); static void handshake_finish(void *arg); +static int using_fake_time = 0; static OSSL_TIME fake_now; static OSSL_TIME fake_now_cb(void *arg) @@ -180,11 +181,14 @@ int qtest_create_quic_objects(OSSL_LIB_CTX *libctx, SSL_CTX *clientctx, goto err; tserver_args.ctx = serverctx; if ((flags & QTEST_FLAG_FAKE_TIME) != 0) { + using_fake_time = 1; fake_now = ossl_time_zero(); /* zero time can have a special meaning, bump it */ qtest_add_time(1); tserver_args.now_cb = fake_now_cb; (void)ossl_quic_conn_set_override_now_cb(*cssl, fake_now_cb, NULL); + } else { + using_fake_time = 0; } if (!TEST_ptr(*qtserv = ossl_quic_tserver_new(&tserver_args, certfile, 
@@ -262,6 +266,47 @@ static void run_server_thread(void) } #endif +static int wait_for_timeout(SSL *s, QUIC_TSERVER *qtserv) +{ + struct timeval tv; + OSSL_TIME ctimeout, stimeout, mintimeout, now; + int cinf; + + /* We don't need to wait in blocking mode */ + if (s == NULL || qtserv == NULL) + return 1; + + /* Don't wait if either BIO has data waiting */ + if (BIO_pending(SSL_get_rbio(s)) > 0 + || BIO_pending(ossl_quic_tserver_get0_rbio(qtserv)) > 0) + return 1; + + /* + * Neither endpoint has data waiting to be read. We assume data transmission + * is instantaneous due to using mem based BIOs, so there is no data "in + * flight" and no more data will be sent by either endpoint until some time + * based event has occurred. Therefore, wait for a timeout to occur. This + * might happen if we are using the noisy BIO and datagrams have been lost. + */ + if (!SSL_get_event_timeout(s, &tv, &cinf)) + return 0; + if (using_fake_time) + now = fake_now; + else + now = ossl_time_now(); + ctimeout = cinf ? ossl_time_infinite() : ossl_time_from_timeval(tv); + stimeout = ossl_time_subtract(ossl_quic_tserver_get_deadline(qtserv), now); + mintimeout = ossl_time_min(ctimeout, stimeout); + if (ossl_time_is_infinite(mintimeout)) + return 0; + if (using_fake_time) + fake_now = ossl_time_add(now, mintimeout); + else + OSSL_sleep(ossl_time2ms(mintimeout)); + + return 1; +} + int qtest_create_quic_connection_ex(QUIC_TSERVER *qtserv, SSL *clientssl, int wanterr) { @@ -327,13 +372,6 @@ int qtest_create_quic_connection_ex(QUIC_TSERVER *qtserv, SSL *clientssl, } } - /* - * We're cheating. We don't take any notice of SSL_get_tick_timeout() - * and tick every time around the loop anyway. This is inefficient. We - * can get away with it in test code because we control both ends of - * the communications and don't expect network delays. This shouldn't - * be done in a real application. - */ if (!clienterr && retc <= 0) SSL_handle_events(clientssl); 
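Review bot: wait_for_timeout() has two `return 0` paths, a failed SSL_get_event_timeout() and an infinite minimum timeout, and neither reports anything. The caller's `goto err` therefore fails connection setup without a reason, while the check just before it logs "No progress made". Adding `TEST_error("No timeout pending on either endpoint");` before the second return would make a stalled handshake diagnosable. The comment "We don't need to wait in blocking mode" also does not describe the test beneath it, which only checks `s` and `qtserv` for NULL.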
@@ -352,6 +390,9 @@ int qtest_create_quic_connection_ex(QUIC_TSERVER *qtserv, SSL *clientssl, TEST_info("No progress made"); goto err; } + + if (!wait_for_timeout(clientssl, qtserv)) + goto err; } while ((retc <= 0 && !clienterr) || (rets <= 0 && !servererr #if defined(OPENSSL_THREADS) && !defined(CRYPTO_TDEBUG) From 5d3933eef0d937a4845a439d5fbfa76738592fc0 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Mon, 18 Sep 2023 17:06:31 +0100 Subject: [PATCH 238/324] Use fake time rather than real time in the noisy dgram test Reviewed-by: Tim Hudson Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22157) --- test/quicapitest.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/test/quicapitest.c b/test/quicapitest.c index 0030c3108211e..023738a22bb1b 100644 --- a/test/quicapitest.c +++ b/test/quicapitest.c @@ -1276,7 +1276,7 @@ static int unreliable_client_read(SSL *clientquic, SSL **stream, void *buf, return 0; } ossl_quic_tserver_tick(qtserv); - OSSL_sleep(10); + qtest_add_time(1); } return 0; @@ -1295,7 +1295,7 @@ static int unreliable_server_read(QUIC_TSERVER *qtserv, uint64_t sid, return 1; ossl_quic_tserver_tick(qtserv); SSL_handle_events(clientquic); - OSSL_sleep(10); + qtest_add_time(1); } return 0; @@ -1315,7 +1315,8 @@ static int test_noisy_dgram(void) if (!TEST_ptr(cctx) || !TEST_true(qtest_create_quic_objects(libctx, cctx, NULL, cert, privkey, - QTEST_FLAG_NOISE, + QTEST_FLAG_NOISE + | QTEST_FLAG_FAKE_TIME, &qtserv, &clientquic, NULL))) goto err; @@ -1334,6 +1335,7 @@ static int test_noisy_dgram(void) if (!TEST_true(ossl_quic_tserver_stream_new(qtserv, 0, &sid))) goto err; ossl_quic_tserver_tick(qtserv); + qtest_add_time(1); /* * Send data from the server to the client. Some datagrams may get lost, 
@@ -1347,6 +1349,7 @@ static int test_noisy_dgram(void) || !TEST_size_t_eq(msglen, written)) goto err; ossl_quic_tserver_tick(qtserv); + qtest_add_time(1); /* * Since the underlying BIO is now noisy we may get failures that @@ -1368,6 +1371,8 @@ static int test_noisy_dgram(void) goto err; ossl_quic_tserver_tick(qtserv); + qtest_add_time(1); + /* * Since the underlying BIO is now noisy we may get failures that * need to be retried - so we use unreliable_server_read() to handle From 35bd8a60043bde500f777e465530076524d2534a Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Tue, 19 Sep 2023 11:52:42 +0100 Subject: [PATCH 239/324] Add a packet splitting BIO Provide a BIO filter that can split QUIC datagrams containing multiple packets, such that each packet is in its own datagram. Reviewed-by: Tim Hudson Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22157) --- test/build.info | 10 ++- test/helpers/noisydgrambio.c | 61 ------------- test/helpers/pktsplitbio.c | 169 +++++++++++++++++++++++++++++++++++ test/helpers/quictestlib.c | 61 +++++++++++++ test/helpers/quictestlib.h | 17 +++- 5 files changed, 252 insertions(+), 66 deletions(-) create mode 100644 test/helpers/pktsplitbio.c diff --git a/test/build.info b/test/build.info index 4736e28c8b0bb..4c81a2b77984c 100644 --- a/test/build.info +++ b/test/build.info @@ -339,7 +339,9 @@ IF[{- !$disabled{tests} -}] INCLUDE[quic_client_test]=../include ../apps/include DEPEND[quic_client_test]=../libcrypto.a ../libssl.a libtestutil.a - SOURCE[quic_multistream_test]=quic_multistream_test.c helpers/ssltestlib.c helpers/quictestlib.c helpers/noisydgrambio.c + $QUICTESTHELPERS=helpers/quictestlib.c helpers/noisydgrambio.c helpers/pktsplitbio.c + + SOURCE[quic_multistream_test]=quic_multistream_test.c helpers/ssltestlib.c $QUICTESTHELPERS INCLUDE[quic_multistream_test]=../include ../apps/include DEPEND[quic_multistream_test]=../libcrypto.a ../libssl.a libtestutil.a 
@@ -818,15 +820,15 @@ IF[{- !$disabled{tests} -}] INCLUDE[event_queue_test]=../include ../apps/include DEPEND[event_queue_test]=../libcrypto ../libssl.a libtestutil.a - SOURCE[quicfaultstest]=quicfaultstest.c helpers/ssltestlib.c helpers/quictestlib.c helpers/noisydgrambio.c + SOURCE[quicfaultstest]=quicfaultstest.c helpers/ssltestlib.c $QUICTESTHELPERS INCLUDE[quicfaultstest]=../include ../apps/include .. DEPEND[quicfaultstest]=../libcrypto.a ../libssl.a libtestutil.a - SOURCE[quicapitest]=quicapitest.c helpers/ssltestlib.c helpers/quictestlib.c helpers/noisydgrambio.c + SOURCE[quicapitest]=quicapitest.c helpers/ssltestlib.c $QUICTESTHELPERS INCLUDE[quicapitest]=../include ../apps/include DEPEND[quicapitest]=../libcrypto.a ../libssl.a libtestutil.a - SOURCE[quic_newcid_test]=quic_newcid_test.c helpers/ssltestlib.c helpers/quictestlib.c helpers/noisydgrambio.c + SOURCE[quic_newcid_test]=quic_newcid_test.c helpers/ssltestlib.c $QUICTESTHELPERS INCLUDE[quic_newcid_test]=../include ../apps/include .. DEPEND[quic_newcid_test]=../libcrypto.a ../libssl.a libtestutil.a ENDIF diff --git a/test/helpers/noisydgrambio.c b/test/helpers/noisydgrambio.c index b42dbe6f4b50e..7dc6a9cf35f40 100644 --- a/test/helpers/noisydgrambio.c +++ b/test/helpers/noisydgrambio.c 
@@ -105,67 +105,6 @@ static void get_noise(uint64_t *delay, int *should_drop) *delay += (uint64_t)(*should_drop); } -/* There isn't a public function to do BIO_ADDR_copy() so we create one */ -static int bio_addr_copy(BIO_ADDR *dst, BIO_ADDR *src) -{ - size_t len; - void *data = NULL; - int res = 0; - int family; - - if (src == NULL || dst == NULL) - return 0; - - family = BIO_ADDR_family(src); - if (family == AF_UNSPEC) { - BIO_ADDR_clear(dst); - return 1; - } - - if (!BIO_ADDR_rawaddress(src, NULL, &len)) - return 0; - - if (len > 0) { - data = OPENSSL_malloc(len); - if (!TEST_ptr(data)) - return 0; - } - - if (!BIO_ADDR_rawaddress(src, data, &len)) - goto err; - - if (!BIO_ADDR_rawmake(src, family, data, len, BIO_ADDR_rawport(src))) - goto err; - - res = 1; - err: - OPENSSL_free(data); - return res; -} - -static int bio_msg_copy(BIO_MSG *dst, BIO_MSG *src) -{ - /* - * Note it is assumed that the originally allocated data sizes for dst and - * src are the same - */ - memcpy(dst->data, src->data, src->data_len); - dst->data_len = src->data_len; - dst->flags = src->flags; - if (dst->local != NULL) { - if (src->local != NULL) { - if (!TEST_true(bio_addr_copy(dst->local, src->local))) - return 0; - } else { - BIO_ADDR_clear(dst->local); - } - } - if (!TEST_true(bio_addr_copy(dst->peer, src->peer))) - return 0; - - return 1; -} - static int noisy_dgram_recvmmsg(BIO *bio, BIO_MSG *msg, size_t stride, size_t num_msg, uint64_t flags, size_t *msgs_processed) diff --git a/test/helpers/pktsplitbio.c b/test/helpers/pktsplitbio.c new file mode 100644 index 0000000000000..a3c01b9506f28 --- /dev/null +++ b/test/helpers/pktsplitbio.c 
@@ -0,0 +1,169 @@ +/* + * Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include "quictestlib.h" +#include "../testutil.h" + +static int pkt_split_dgram_read(BIO *bio, char *out, int outl) +{ + /* We don't support this - not needed anyway */ + return -1; +} + +static int pkt_split_dgram_write(BIO *bio, const char *in, int inl) +{ + /* We don't support this - not needed anyway */ + return -1; +} + +static long pkt_split_dgram_ctrl(BIO *bio, int cmd, long num, void *ptr) +{ + long ret; + BIO *next = BIO_next(bio); + + if (next == NULL) + return 0; + + switch (cmd) { + case BIO_CTRL_DUP: + ret = 0L; + break; + default: + ret = BIO_ctrl(next, cmd, num, ptr); + break; + } + return ret; +} + +static int pkt_split_dgram_gets(BIO *bio, char *buf, int size) +{ + /* We don't support this - not needed anyway */ + return -1; +} + +static int pkt_split_dgram_puts(BIO *bio, const char *str) +{ + /* We don't support this - not needed anyway */ + return -1; +} + +static int pkt_split_dgram_sendmmsg(BIO *bio, BIO_MSG *msg, size_t stride, + size_t num_msg, uint64_t flags, + size_t *msgs_processed) +{ + BIO *next = BIO_next(bio); + + if (next == NULL) + return 0; + + /* + * We only introduce noise when receiving messages. We just pass this on + * to the underlying BIO. 
+ */ + return BIO_sendmmsg(next, msg, stride, num_msg, flags, msgs_processed); +} + +static int pkt_split_dgram_recvmmsg(BIO *bio, BIO_MSG *msg, size_t stride, + size_t num_msg, uint64_t flags, + size_t *msgs_processed) +{ + BIO *next = BIO_next(bio); + size_t i, j, data_len = 0, msg_cnt = 0; + BIO_MSG *thismsg; + + if (!TEST_ptr(next)) + return 0; + + /* + * For simplicity we assume that all elements in the msg array have the + * same data_len. They are not required to by the API, but it would be quite + * strange for that not to be the case - and our code that calls + * BIO_recvmmsg does do this (which is all that is important for this test + * code). We test the invariant here. + */ + for (i = 0; i < num_msg; i++) { + if (i == 0) + data_len = msg[i].data_len; + else if (!TEST_size_t_eq(msg[i].data_len, data_len)) + return 0; + } + + if (!BIO_recvmmsg(next, msg, stride, num_msg, flags, msgs_processed)) + return 0; + + msg_cnt = *msgs_processed; + if (msg_cnt == num_msg) + return 1; /* We've used all our slots and can't split any more */ + assert(msg_cnt < num_msg); + + for (i = 0, thismsg = msg; i < msg_cnt; i++, thismsg++) { + QUIC_PKT_HDR hdr; + PACKET pkt; + size_t remain; + + if (!PACKET_buf_init(&pkt, thismsg->data, thismsg->data_len)) + return 0; + + /* Decode the packet header */ + /* + * TODO(QUIC SERVER): We need to query the short connection id len + * here, e.g. 
via some API SSL_get_short_conn_id_len() + */ + if (ossl_quic_wire_decode_pkt_hdr(&pkt, 0, 0, 0, &hdr, NULL) != 1) + return 0; + remain = PACKET_remaining(&pkt); + if (remain > 0) { + for (j = msg_cnt; j > i; j--) { + if (!bio_msg_copy(&msg[j], &msg[j - 1])) + return 0; + } + thismsg->data_len -= remain; + msg[i + 1].data_len = remain; + memmove(msg[i + 1].data, + (unsigned char *)msg[i + 1].data + thismsg->data_len, + remain); + msg_cnt++; + } + } + + *msgs_processed = msg_cnt; + return 1; +} + +/* Choose a sufficiently large type likely to be unused for this custom BIO */ +#define BIO_TYPE_PKT_SPLIT_DGRAM_FILTER (0x81 | BIO_TYPE_FILTER) + +static BIO_METHOD *method_pkt_split_dgram = NULL; + +/* Note: Not thread safe! */ +const BIO_METHOD *bio_f_pkt_split_dgram_filter(void) +{ + if (method_pkt_split_dgram == NULL) { + method_pkt_split_dgram = BIO_meth_new(BIO_TYPE_PKT_SPLIT_DGRAM_FILTER, + "Packet splitting datagram filter"); + if (method_pkt_split_dgram == NULL + || !BIO_meth_set_write(method_pkt_split_dgram, pkt_split_dgram_write) + || !BIO_meth_set_read(method_pkt_split_dgram, pkt_split_dgram_read) + || !BIO_meth_set_puts(method_pkt_split_dgram, pkt_split_dgram_puts) + || !BIO_meth_set_gets(method_pkt_split_dgram, pkt_split_dgram_gets) + || !BIO_meth_set_ctrl(method_pkt_split_dgram, pkt_split_dgram_ctrl) + || !BIO_meth_set_sendmmsg(method_pkt_split_dgram, + pkt_split_dgram_sendmmsg) + || !BIO_meth_set_recvmmsg(method_pkt_split_dgram, + pkt_split_dgram_recvmmsg)) + return NULL; + } + return method_pkt_split_dgram; +} + +void bio_f_pkt_split_dgram_filter_free(void) +{ + BIO_meth_free(method_pkt_split_dgram); +} diff --git a/test/helpers/quictestlib.c b/test/helpers/quictestlib.c index 28791267edd00..6381d720fff2b 100644 --- a/test/helpers/quictestlib.c +++ b/test/helpers/quictestlib.c 
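Review bot: In pkt_split_dgram_recvmmsg the `remain > 0` branch shifts entries up into `msg[msg_cnt]` without rechecking that a free slot is left. The `msg_cnt < num_msg` check before the loop holds only for the first split, and `msg_cnt++` can bring the count up to `num_msg` while the loop is still running. A later datagram that also needs splitting would then make bio_msg_copy() write one element past the caller's array. Stopping once the array is full, e.g. `if (msg_cnt >= num_msg) break;` at the top of the loop body, leaves the remaining datagrams unsplit, which matches the early return above. Separately, the comment in pkt_split_dgram_sendmmsg still talks about introducing noise and looks copied from the noisy BIO; `/* Splitting only happens on receive; sends are passed straight through. */` would describe this filter.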
@@ -1044,3 +1044,64 @@ int qtest_fault_resize_datagram(QTEST_FAULT *fault, size_t newlen) return 1; } + +/* There isn't a public function to do BIO_ADDR_copy() so we create one */ +int bio_addr_copy(BIO_ADDR *dst, BIO_ADDR *src) +{ + size_t len; + void *data = NULL; + int res = 0; + int family; + + if (src == NULL || dst == NULL) + return 0; + + family = BIO_ADDR_family(src); + if (family == AF_UNSPEC) { + BIO_ADDR_clear(dst); + return 1; + } + + if (!BIO_ADDR_rawaddress(src, NULL, &len)) + return 0; + + if (len > 0) { + data = OPENSSL_malloc(len); + if (!TEST_ptr(data)) + return 0; + } + + if (!BIO_ADDR_rawaddress(src, data, &len)) + goto err; + + if (!BIO_ADDR_rawmake(src, family, data, len, BIO_ADDR_rawport(src))) + goto err; + + res = 1; + err: + OPENSSL_free(data); + return res; +} + +int bio_msg_copy(BIO_MSG *dst, BIO_MSG *src) +{ + /* + * Note it is assumed that the originally allocated data sizes for dst and + * src are the same + */ + memcpy(dst->data, src->data, src->data_len); + dst->data_len = src->data_len; + dst->flags = src->flags; + if (dst->local != NULL) { + if (src->local != NULL) { + if (!TEST_true(bio_addr_copy(dst->local, src->local))) + return 0; + } else { + BIO_ADDR_clear(dst->local); + } + } + if (!TEST_true(bio_addr_copy(dst->peer, src->peer))) + return 0; + + return 1; +} diff --git a/test/helpers/quictestlib.h b/test/helpers/quictestlib.h index 7a72e352d9a86..f18cd29481163 100644 --- a/test/helpers/quictestlib.h +++ b/test/helpers/quictestlib.h 
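Review bot: bio_addr_copy() never writes `dst` for a real address: its final call is `BIO_ADDR_rawmake(src, family, data, len, BIO_ADDR_rawport(src))`, which rebuilds `src` from its own bytes. Only the AF_UNSPEC branch touches `dst`, so after bio_msg_copy() the destination's `local` and `peer` keep whatever they held before. The call should target the destination, `if (!BIO_ADDR_rawmake(dst, family, data, len, BIO_ADDR_rawport(src)))`. The code is moved unchanged from noisydgrambio.c, but turning it into a shared helper is a good moment to fix it. bio_msg_copy() also relies on `dst->data` holding at least `src->data_len` bytes, with only a comment to say so; stating that precondition next to the prototype in quictestlib.h would make the contract visible to new callers.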
@@ -233,8 +233,23 @@ int qtest_fault_set_datagram_listener(QTEST_FAULT *fault, */ int qtest_fault_resize_datagram(QTEST_FAULT *fault, size_t newlen); +/* Copy a BIO_ADDR */ +int bio_addr_copy(BIO_ADDR *dst, BIO_ADDR *src); + +/* Copy a BIO_MSG */ +int bio_msg_copy(BIO_MSG *dst, BIO_MSG *src); + /* BIO filter for simulating a noisy UDP socket */ const BIO_METHOD *bio_f_noisy_dgram_filter(void); /* Free the BIO filter method object */ -void bio_f_noisy_dgram_filter_free(void); \ No newline at end of file +void bio_f_noisy_dgram_filter_free(void); + +/* + * BIO filter for splitting QUIC datagrams containing multiple packets into + * individual datagrams. + */ +const BIO_METHOD *bio_f_pkt_split_dgram_filter(void); + +/* Free the BIO filter method object */ +void bio_f_pkt_split_dgram_filter_free(void); From b1584a85d07fdf1cfaa7423392fba439f7b6b0ac Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Tue, 19 Sep 2023 12:21:27 +0100 Subject: [PATCH 240/324] Extend the noisy dgram test so that packets are also affected by noise Where multiple packets are in a single datagram we split them so that all packets can be affected by the noise Reviewed-by: Tim Hudson Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22157) --- test/helpers/quictestlib.c | 8 ++++++++ test/helpers/quictestlib.h | 2 ++ test/quicapitest.c | 21 ++++++++++++++++----- 3 files changed, 26 insertions(+), 5 deletions(-) diff --git a/test/helpers/quictestlib.c b/test/helpers/quictestlib.c index 6381d720fff2b..3c3cb73f969e4 100644 --- a/test/helpers/quictestlib.c +++ b/test/helpers/quictestlib.c @@ -141,6 +141,14 @@ int qtest_create_quic_objects(OSSL_LIB_CTX *libctx, SSL_CTX *clientctx, goto err; } + if ((flags & QTEST_FLAG_PACKET_SPLIT) != 0) { + BIO *pktsplitbio = BIO_new(bio_f_pkt_split_dgram_filter()); + + if (!TEST_ptr(pktsplitbio)) + goto err; + cbio = BIO_push(pktsplitbio, cbio); + } + if ((flags & QTEST_FLAG_NOISE) != 0) { BIO *noisebio = BIO_new(bio_f_noisy_dgram_filter()); 
diff --git a/test/helpers/quictestlib.h b/test/helpers/quictestlib.h index f18cd29481163..4e61b8965d610 100644 --- a/test/helpers/quictestlib.h +++ b/test/helpers/quictestlib.h @@ -32,6 +32,8 @@ typedef struct qtest_fault_encrypted_extensions { #define QTEST_FLAG_FAKE_TIME (1 << 1) /* Introduce noise in the BIO */ #define QTEST_FLAG_NOISE (1 << 2) +/* Split datagrams such that each datagram contains one packet */ +#define QTEST_FLAG_PACKET_SPLIT (1 << 3) /* * Given an SSL_CTX for the client and filenames for the server certificate and diff --git a/test/quicapitest.c b/test/quicapitest.c index 023738a22bb1b..cd006b470349e 100644 --- a/test/quicapitest.c +++ b/test/quicapitest.c @@ -1301,7 +1301,15 @@ static int unreliable_server_read(QUIC_TSERVER *qtserv, uint64_t sid, return 0; } -static int test_noisy_dgram(void) +/* + * Create a connection and send data using an unreliable transport. We introduce + * random noise to drop, delay and duplicate datagrams. + * Test 0: Introduce random noise to datagrams + * Test 1: As with test 0 but also split datagrams containing multiple packets + * into individual datagrams so that individual packets can be affected + * by noise - not just a whole datagram. + */ +static int test_noisy_dgram(int idx) { SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, OSSL_QUIC_client_method()); SSL *clientquic = NULL, *stream[2] = { NULL, NULL }; @@ -1311,12 +1319,14 @@ static int test_noisy_dgram(void) char *msg = "Hello world!"; size_t msglen = strlen(msg), written, readbytes, i, j; unsigned char buf[80]; + int flags = QTEST_FLAG_NOISE | QTEST_FLAG_FAKE_TIME; + + if (idx == 1) + flags |= QTEST_FLAG_PACKET_SPLIT; if (!TEST_ptr(cctx) || !TEST_true(qtest_create_quic_objects(libctx, cctx, NULL, cert, - privkey, - QTEST_FLAG_NOISE - | QTEST_FLAG_FAKE_TIME, + privkey, flags, &qtserv, &clientquic, NULL))) goto err; 
@@ -1470,7 +1480,7 @@ int setup_tests(void) ADD_ALL_TESTS(test_non_io_retry, 2); ADD_TEST(test_quic_psk); ADD_ALL_TESTS(test_alpn, 2); - ADD_TEST(test_noisy_dgram); + ADD_ALL_TESTS(test_noisy_dgram, 2); return 1; err: @@ -1481,6 +1491,7 @@ int setup_tests(void) void cleanup_tests(void) { bio_f_noisy_dgram_filter_free(); + bio_f_pkt_split_dgram_filter_free(); OPENSSL_free(cert); OPENSSL_free(privkey); OSSL_PROVIDER_unload(defctxnull); From 8d8c0a901e5d65d68070fbe812d7e8c1449381e1 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Tue, 19 Sep 2023 16:40:25 +0100 Subject: [PATCH 241/324] Add the ability to do client side tracing in quictestlib.c We add a new flag QTEST_FLAG_CLIENT_TRACE to get debug tracing output if required. Reviewed-by: Tim Hudson Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22157) --- .../quic-design/quic-fault-injector.md | 6 ++--- test/helpers/quictestlib.c | 17 ++++++++++++- test/helpers/quictestlib.h | 5 ++-- test/quic_newcid_test.c | 2 +- test/quicapitest.c | 24 ++++++++++--------- test/quicfaultstest.c | 8 +++---- 6 files changed, 40 insertions(+), 22 deletions(-) diff --git a/doc/designs/quic-design/quic-fault-injector.md b/doc/designs/quic-design/quic-fault-injector.md index 30db905ee84a6..bea36b98cbf62 100644 --- a/doc/designs/quic-design/quic-fault-injector.md +++ b/doc/designs/quic-design/quic-fault-injector.md @@ -215,7 +215,7 @@ typedef struct ossl_qf_encrypted_extensions { int qtest_create_quic_objects(OSSL_LIB_CTX *libctx, SSL_CTX *clientctx, SSL_CTX *serverctx, char *certfile, char *keyfile, int block, QUIC_TSERVER **qtserv, SSL **cssl, - OSSL_QUIC_FAULT **fault); + OSSL_QUIC_FAULT **fault, BIO **tracebio); /* * Free up a Fault Injector instance 
@@ -440,7 +440,7 @@ static int test_unknown_frame(void) goto err; if (!TEST_true(qtest_create_quic_objects(NULL, cctx, NULL, cert, privkey, 0, - &qtserv, &cssl, &fault))) + &qtserv, &cssl, &fault, NULL))) goto err; if (!TEST_true(qtest_create_quic_connection(qtserv, cssl))) @@ -523,7 +523,7 @@ static int test_no_transport_params(void) goto err; if (!TEST_true(qtest_create_quic_objects(NULL, cctx, NULL, cert, privkey, 0, - &qtserv, &cssl, &fault))) + &qtserv, &cssl, &fault, NULL))) goto err; if (!TEST_true(ossl_quic_fault_set_hand_enc_ext_listener(fault, diff --git a/test/helpers/quictestlib.c b/test/helpers/quictestlib.c index 3c3cb73f969e4..bb2ae9b3ba2c7 100644 --- a/test/helpers/quictestlib.c +++ b/test/helpers/quictestlib.c @@ -77,7 +77,7 @@ static OSSL_TIME fake_now_cb(void *arg) int qtest_create_quic_objects(OSSL_LIB_CTX *libctx, SSL_CTX *clientctx, SSL_CTX *serverctx, char *certfile, char *keyfile, int flags, QUIC_TSERVER **qtserv, SSL **cssl, - QTEST_FAULT **fault) + QTEST_FAULT **fault, BIO **tracebio) { /* ALPN value as recognised by QUIC_TSERVER */ unsigned char alpn[] = { 8, 'o', 's', 's', 'l', 't', 'e', 's', 't' }; @@ -85,6 +85,7 @@ int qtest_create_quic_objects(OSSL_LIB_CTX *libctx, SSL_CTX *clientctx, BIO *cbio = NULL, *sbio = NULL, *fisbio = NULL; BIO_ADDR *peeraddr = NULL; struct in_addr ina = {0}; + BIO *tmpbio = NULL; *qtserv = NULL; if (fault != NULL) @@ -96,6 +97,17 @@ int qtest_create_quic_objects(OSSL_LIB_CTX *libctx, SSL_CTX *clientctx, return 0; } + if ((flags & QTEST_FLAG_CLIENT_TRACE) != 0) { + tmpbio = BIO_new_fp(stdout, BIO_NOCLOSE); + if (!TEST_ptr(tmpbio)) + goto err; + + SSL_set_msg_callback(*cssl, SSL_trace); + SSL_set_msg_callback_arg(*cssl, tmpbio); + } + if (tracebio != NULL) + *tracebio = tmpbio; + /* SSL_set_alpn_protos returns 0 for success! */ if (!TEST_false(SSL_set_alpn_protos(*cssl, alpn, sizeof(alpn)))) goto err; 
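Review bot: When QTEST_FLAG_CLIENT_TRACE is set and the caller passes `tracebio == NULL`, the BIO from `BIO_new_fp(stdout, BIO_NOCLOSE)` is referenced only as the message-callback argument. Nothing visible in this patch frees it on the success path, though the rest of qtest_create_quic_objects is outside the hunk, so this should be confirmed. Every updated caller passes NULL, so the first test to turn the flag on would hit it. Either reject that combination up front or document the ownership next to the prototype, e.g. `/* With QTEST_FLAG_CLIENT_TRACE, *tracebio receives the trace BIO; the caller frees it after the client SSL */`. SSL_trace is also only declared when OPENSSL_NO_SSL_TRACE is not defined, so this block probably needs the same guard to keep no-ssl-trace builds compiling.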
@@ -224,6 +236,9 @@ int qtest_create_quic_objects(OSSL_LIB_CTX *libctx, SSL_CTX *clientctx, ossl_quic_tserver_free(*qtserv); if (fault != NULL) OPENSSL_free(*fault); + BIO_free(tmpbio); + if (tracebio != NULL) + *tracebio = NULL; return 0; } diff --git a/test/helpers/quictestlib.h b/test/helpers/quictestlib.h index 4e61b8965d610..e5190c62b1190 100644 --- a/test/helpers/quictestlib.h +++ b/test/helpers/quictestlib.h @@ -34,7 +34,8 @@ typedef struct qtest_fault_encrypted_extensions { #define QTEST_FLAG_NOISE (1 << 2) /* Split datagrams such that each datagram contains one packet */ #define QTEST_FLAG_PACKET_SPLIT (1 << 3) - +/* Turn on client side tracing */ +#define QTEST_FLAG_CLIENT_TRACE (1 << 4) /* * Given an SSL_CTX for the client and filenames for the server certificate and * keyfile, create a server and client instances as well as a fault injector @@ -43,7 +44,7 @@ typedef struct qtest_fault_encrypted_extensions { int qtest_create_quic_objects(OSSL_LIB_CTX *libctx, SSL_CTX *clientctx, SSL_CTX *serverctx, char *certfile, char *keyfile, int flags, QUIC_TSERVER **qtserv, SSL **cssl, - QTEST_FAULT **fault); + QTEST_FAULT **fault, BIO **tracebio); /* Where QTEST_FLAG_FAKE_TIME is used, add millis to the current time */ void qtest_add_time(uint64_t millis); diff --git a/test/quic_newcid_test.c b/test/quic_newcid_test.c index cda55abca3cd3..80a15e1b7ab0f 100644 --- a/test/quic_newcid_test.c +++ b/test/quic_newcid_test.c @@ -68,7 +68,7 @@ static int test_ncid_frame(int fail) goto err; if (!TEST_true(qtest_create_quic_objects(NULL, cctx, NULL, cert, privkey, 0, - &qtserv, &cssl, &fault))) + &qtserv, &cssl, &fault, NULL))) goto err; if (!TEST_true(qtest_create_quic_connection(qtserv, cssl))) diff --git a/test/quicapitest.c b/test/quicapitest.c index cd006b470349e..94562f3a5bf75 100644 --- a/test/quicapitest.c +++ b/test/quicapitest.c 
@@ -69,7 +69,7 @@ static int test_quic_write_read(int idx) ? QTEST_FLAG_BLOCK : 0, &qtserv, &clientquic, - NULL)) + NULL, NULL)) || !TEST_true(SSL_set_tlsext_host_name(clientquic, "localhost"))) goto end; @@ -220,7 +220,7 @@ static int test_fin_only_blocking(void) cert, privkey, QTEST_FLAG_BLOCK, &qtserv, &clientquic, - NULL)) + NULL, NULL)) || !TEST_true(SSL_set_tlsext_host_name(clientquic, "localhost"))) goto end; @@ -380,7 +380,7 @@ static int test_version(void) if (!TEST_ptr(cctx) || !TEST_true(qtest_create_quic_objects(libctx, cctx, NULL, cert, privkey, 0, &qtserv, - &clientquic, NULL)) + &clientquic, NULL, NULL)) || !TEST_true(qtest_create_quic_connection(qtserv, clientquic))) goto err; @@ -502,7 +502,7 @@ static int test_ssl_trace(void) privkey, QTEST_FLAG_FAKE_TIME, &qtserv, - &clientquic, NULL))) + &clientquic, NULL, NULL))) goto err; SSL_set_msg_callback(clientquic, SSL_trace); @@ -829,7 +829,8 @@ static int test_bio_ssl(void) goto err; if (!TEST_true(qtest_create_quic_objects(libctx, NULL, NULL, cert, privkey, - 0, &qtserv, &clientquic, NULL))) + 0, &qtserv, &clientquic, NULL, + NULL))) goto err; msglen = strlen(msg); @@ -946,7 +947,7 @@ static int test_back_pressure(void) if (!TEST_ptr(cctx) || !TEST_true(qtest_create_quic_objects(libctx, cctx, NULL, cert, privkey, 0, &qtserv, - &clientquic, NULL)) + &clientquic, NULL, NULL)) || !TEST_true(qtest_create_quic_connection(qtserv, clientquic))) goto err; @@ -1024,7 +1025,7 @@ static int test_multiple_dgrams(void) || !TEST_ptr(buf) || !TEST_true(qtest_create_quic_objects(libctx, cctx, NULL, cert, privkey, 0, &qtserv, - &clientquic, NULL)) + &clientquic, NULL, NULL)) || !TEST_true(qtest_create_quic_connection(qtserv, clientquic))) goto err; 
@@ -1088,7 +1089,8 @@ static int test_non_io_retry(int idx) flags = (idx >= 1) ? QTEST_FLAG_BLOCK : 0; if (!TEST_true(qtest_create_quic_objects(libctx, cctx, NULL, cert, privkey, - flags, &qtserv, &clientquic, NULL)) + flags, &qtserv, &clientquic, NULL, + NULL)) || !TEST_true(qtest_create_quic_connection_ex(qtserv, clientquic, SSL_ERROR_WANT_RETRY_VERIFY)) || !TEST_int_eq(SSL_want(clientquic), SSL_RETRY_VERIFY) @@ -1156,7 +1158,7 @@ static int test_quic_psk(void) /* No cert or private key for the server, i.e. PSK only */ || !TEST_true(qtest_create_quic_objects(libctx, cctx, NULL, NULL, NULL, 0, &qtserv, - &clientquic, NULL))) + &clientquic, NULL, NULL))) goto end; SSL_set_psk_use_session_callback(clientquic, use_session_cb); @@ -1215,7 +1217,7 @@ static int test_alpn(int idx) privkey, QTEST_FLAG_FAKE_TIME, &qtserv, - &clientquic, NULL))) + &clientquic, NULL, NULL))) goto err; if (idx == 0) { @@ -1328,7 +1330,7 @@ static int test_noisy_dgram(int idx) || !TEST_true(qtest_create_quic_objects(libctx, cctx, NULL, cert, privkey, flags, &qtserv, - &clientquic, NULL))) + &clientquic, NULL, NULL))) goto err; if (!TEST_true(qtest_create_quic_connection(qtserv, clientquic))) diff --git a/test/quicfaultstest.c b/test/quicfaultstest.c index a6ba0dc05340e..28f52cd6f22a2 100644 --- a/test/quicfaultstest.c +++ b/test/quicfaultstest.c @@ -35,7 +35,7 @@ static int test_basic(void) goto err; if (!TEST_true(qtest_create_quic_objects(NULL, cctx, NULL, cert, privkey, 0, - &qtserv, &cssl, NULL))) + &qtserv, &cssl, NULL, NULL))) goto err; if (!TEST_true(qtest_create_quic_connection(qtserv, cssl))) @@ -105,7 +105,7 @@ static int test_unknown_frame(void) goto err; if (!TEST_true(qtest_create_quic_objects(NULL, cctx, NULL, cert, privkey, 0, - &qtserv, &cssl, &fault))) + &qtserv, &cssl, &fault, NULL))) goto err; if (!TEST_true(qtest_create_quic_connection(qtserv, cssl))) 
@@ -187,7 +187,7 @@ static int test_drop_extensions(int idx) goto err; if (!TEST_true(qtest_create_quic_objects(NULL, cctx, NULL, cert, privkey, 0, - &qtserv, &cssl, &fault))) + &qtserv, &cssl, &fault, NULL))) goto err; if (idx == 0) { @@ -275,7 +275,7 @@ static int test_corrupted_data(int idx) if (!TEST_true(qtest_create_quic_objects(NULL, cctx, NULL, cert, privkey, QTEST_FLAG_FAKE_TIME, &qtserv, - &cssl, &fault))) + &cssl, &fault, NULL))) goto err; if (idx == 0) { From 0a2369fd446e27f59f0025d8d885c07a107df615 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Tue, 19 Sep 2023 16:52:00 +0100 Subject: [PATCH 242/324] Ensure client to server datagrams are noisy too So far we've only applied noise to the server to client datagrams. Do the same thing the other way around. Reviewed-by: Tim Hudson Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22157) --- test/helpers/quictestlib.c | 32 +++++++++++++++++++++++--------- test/helpers/quictestlib.h | 6 ++++++ test/quicapitest.c | 9 +++++++-- 3 files changed, 36 insertions(+), 11 deletions(-) diff --git a/test/helpers/quictestlib.c b/test/helpers/quictestlib.c index bb2ae9b3ba2c7..6a72cc27bea22 100644 --- a/test/helpers/quictestlib.c +++ b/test/helpers/quictestlib.c @@ -159,6 +159,11 @@ int qtest_create_quic_objects(OSSL_LIB_CTX *libctx, SSL_CTX *clientctx, if (!TEST_ptr(pktsplitbio)) goto err; cbio = BIO_push(pktsplitbio, cbio); + + pktsplitbio = BIO_new(bio_f_pkt_split_dgram_filter()); + if (!TEST_ptr(pktsplitbio)) + goto err; + sbio = BIO_push(pktsplitbio, sbio); } if ((flags & QTEST_FLAG_NOISE) != 0) { @@ -167,6 +172,12 @@ int qtest_create_quic_objects(OSSL_LIB_CTX *libctx, SSL_CTX *clientctx, if (!TEST_ptr(noisebio)) goto err; cbio = BIO_push(noisebio, cbio); + + noisebio = BIO_new(bio_f_noisy_dgram_filter()); + + if (!TEST_ptr(noisebio)) + goto err; + sbio = BIO_push(noisebio, sbio); } SSL_set_bio(*cssl, cbio, cbio); 
@@ -228,9 +239,9 @@ int qtest_create_quic_objects(OSSL_LIB_CTX *libctx, SSL_CTX *clientctx, err: SSL_CTX_free(tserver_args.ctx); BIO_ADDR_free(peeraddr); - BIO_free(cbio); + BIO_free_all(cbio); BIO_free(fisbio); - BIO_free(sbio); + BIO_free_all(sbio); SSL_free(*cssl); *cssl = NULL; ossl_quic_tserver_free(*qtserv); @@ -289,14 +300,14 @@ static void run_server_thread(void) } #endif -static int wait_for_timeout(SSL *s, QUIC_TSERVER *qtserv) +int qtest_wait_for_timeout(SSL *s, QUIC_TSERVER *qtserv) { struct timeval tv; OSSL_TIME ctimeout, stimeout, mintimeout, now; int cinf; /* We don't need to wait in blocking mode */ - if (s == NULL || qtserv == NULL) + if (s == NULL || SSL_get_blocking_mode(s)) return 1; /* Don't wait if either BIO has data waiting */ @@ -395,12 +406,13 @@ int qtest_create_quic_connection_ex(QUIC_TSERVER *qtserv, SSL *clientssl, } } - if (!clienterr && retc <= 0) + qtest_add_time(1); + if (clientssl != NULL) SSL_handle_events(clientssl); + if (qtserv != NULL) + ossl_quic_tserver_tick(qtserv); if (!servererr && rets <= 0) { - qtest_add_time(1); - ossl_quic_tserver_tick(qtserv); servererr = ossl_quic_tserver_is_term_any(qtserv); if (!servererr) rets = ossl_quic_tserver_is_handshake_confirmed(qtserv); @@ -414,8 +426,10 @@ int qtest_create_quic_connection_ex(QUIC_TSERVER *qtserv, SSL *clientssl, goto err; } - if (!wait_for_timeout(clientssl, qtserv)) - goto err; + if ((retc <= 0 && !clienterr) || (rets <= 0 && !servererr)) { + if (!qtest_wait_for_timeout(clientssl, qtserv)) + goto err; + } } while ((retc <= 0 && !clienterr) || (rets <= 0 && !servererr #if defined(OPENSSL_THREADS) && !defined(CRYPTO_TDEBUG) diff --git a/test/helpers/quictestlib.h b/test/helpers/quictestlib.h index e5190c62b1190..844aec8a60be6 100644 --- a/test/helpers/quictestlib.h +++ b/test/helpers/quictestlib.h 
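Review bot: qtest_wait_for_timeout() is now exported, but the new guard `if (s == NULL || SSL_get_blocking_mode(s))` drops the `qtserv == NULL` check. The function still passes `qtserv` to ossl_quic_tserver_get0_rbio() and ossl_quic_tserver_get_deadline() further down, outside this hunk. The connection loop in the same patch treats a NULL server as possible (`if (qtserv != NULL) ossl_quic_tserver_tick(qtserv);`), so the helper appears to depend on a NULL server only ever being paired with a blocking client. Keeping the check removes that dependency on the caller: `if (s == NULL || qtserv == NULL || SSL_get_blocking_mode(s))`.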
@@ -67,6 +67,12 @@ int qtest_supports_blocking(void); */ int qtest_create_quic_connection(QUIC_TSERVER *qtserv, SSL *clientssl); +/* + * Check if both client and server have no data to read and are waiting on a + * timeout. If so, wait until the timeout has expired. + */ +int qtest_wait_for_timeout(SSL *s, QUIC_TSERVER *qtserv); + /* * Same as qtest_create_quic_connection but will stop (successfully) if the * clientssl indicates SSL_ERROR_WANT_XXX as specified by |wanterr| diff --git a/test/quicapitest.c b/test/quicapitest.c index 94562f3a5bf75..b02db15d65cbc 100644 --- a/test/quicapitest.c +++ b/test/quicapitest.c @@ -1274,13 +1274,15 @@ static int unreliable_client_read(SSL *clientquic, SSL **stream, void *buf, if (*stream != NULL) { if (SSL_read_ex(*stream, buf, buflen, readbytes)) return 1; - if (SSL_get_error(*stream, 0) != SSL_ERROR_WANT_READ) + if (!TEST_int_eq(SSL_get_error(*stream, 0), SSL_ERROR_WANT_READ)) return 0; } ossl_quic_tserver_tick(qtserv); qtest_add_time(1); + qtest_wait_for_timeout(clientquic, qtserv); } + TEST_error("No progress made"); return 0; } @@ -1293,13 +1295,16 @@ static int unreliable_server_read(QUIC_TSERVER *qtserv, uint64_t sid, /* We just do this in a loop with a sleep for simplicity */ for (abortctr = 0; abortctr < MAX_LOOPS; abortctr++) { - if (ossl_quic_tserver_read(qtserv, sid, buf, buflen, readbytes)) + if (ossl_quic_tserver_read(qtserv, sid, buf, buflen, readbytes) + && *readbytes > 1) return 1; ossl_quic_tserver_tick(qtserv); SSL_handle_events(clientquic); qtest_add_time(1); + qtest_wait_for_timeout(clientquic, qtserv); } + TEST_error("No progress made"); return 0; } From c29b13a7356432a0f177dd838afbec963f1d6212 Mon Sep 17 00:00:00 2001 
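Review bot: The return value of `qtest_wait_for_timeout(clientquic, qtserv)` is discarded in unreliable_client_read, and again in unreliable_server_read in the next hunk, while the caller in quictestlib.c treats a zero return as fatal (`goto err`). A failure to wait would then only show up as the generic "No progress made" error after the loop runs out. Checking it in both loops, for example `if (!TEST_true(qtest_wait_for_timeout(clientquic, qtserv))) return 0;`, would report the real cause. Both functions start outside their hunks.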
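Review bot: The added `&& *readbytes > 1` condition in unreliable_server_read treats a successful read of exactly one byte as no progress. The byte has presumably already been consumed into `buf` by `ossl_quic_tserver_read`, so the next iteration would overwrite it and the caller never sees it. If the intent is only to ignore empty reads, `*readbytes > 0` does that without dropping data; if one-byte reads really must be skipped, a comment at the condition should say why.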
From: Matt Caswell Date: Wed, 20 Sep 2023 13:25:42 +0100 Subject: [PATCH 243/324] Remove some redundant code from test helper BIOs Reviewed-by: Tim Hudson Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22157) --- test/helpers/noisydgrambio.c | 28 ---------------------------- test/helpers/pktsplitbio.c | 28 ---------------------------- 2 files changed, 56 deletions(-) diff --git a/test/helpers/noisydgrambio.c b/test/helpers/noisydgrambio.c index 7dc6a9cf35f40..c93b6961ecd18 100644 --- a/test/helpers/noisydgrambio.c +++ b/test/helpers/noisydgrambio.c @@ -19,18 +19,6 @@ struct noisy_dgram_st { uint64_t delayed_dgram; }; -static int noisy_dgram_read(BIO *bio, char *out, int outl) -{ - /* We don't support this - not needed anyway */ - return -1; -} - -static int noisy_dgram_write(BIO *bio, const char *in, int inl) -{ - /* We don't support this - not needed anyway */ - return -1; -} - static long noisy_dgram_ctrl(BIO *bio, int cmd, long num, void *ptr) { long ret; @@ -50,18 +38,6 @@ static long noisy_dgram_ctrl(BIO *bio, int cmd, long num, void *ptr) return ret; } -static int noisy_dgram_gets(BIO *bio, char *buf, int size) -{ - /* We don't support this - not needed anyway */ - return -1; -} - -static int noisy_dgram_puts(BIO *bio, const char *str) -{ - /* We don't support this - not needed anyway */ - return -1; -} - static int noisy_dgram_sendmmsg(BIO *bio, BIO_MSG *msg, size_t stride, size_t num_msg, uint64_t flags, size_t *msgs_processed) 
@@ -298,10 +274,6 @@ const BIO_METHOD *bio_f_noisy_dgram_filter(void) method_noisy_dgram = BIO_meth_new(BIO_TYPE_NOISY_DGRAM_FILTER, "Nosiy datagram filter"); if (method_noisy_dgram == NULL - || !BIO_meth_set_write(method_noisy_dgram, noisy_dgram_write) - || !BIO_meth_set_read(method_noisy_dgram, noisy_dgram_read) - || !BIO_meth_set_puts(method_noisy_dgram, noisy_dgram_puts) - || !BIO_meth_set_gets(method_noisy_dgram, noisy_dgram_gets) || !BIO_meth_set_ctrl(method_noisy_dgram, noisy_dgram_ctrl) || !BIO_meth_set_sendmmsg(method_noisy_dgram, noisy_dgram_sendmmsg) || !BIO_meth_set_recvmmsg(method_noisy_dgram, noisy_dgram_recvmmsg) diff --git a/test/helpers/pktsplitbio.c b/test/helpers/pktsplitbio.c index a3c01b9506f28..536e62f8a0030 100644 --- a/test/helpers/pktsplitbio.c +++ b/test/helpers/pktsplitbio.c @@ -11,18 +11,6 @@ #include "quictestlib.h" #include "../testutil.h" -static int pkt_split_dgram_read(BIO *bio, char *out, int outl) -{ - /* We don't support this - not needed anyway */ - return -1; -} - -static int pkt_split_dgram_write(BIO *bio, const char *in, int inl) -{ - /* We don't support this - not needed anyway */ - return -1; -} - static long pkt_split_dgram_ctrl(BIO *bio, int cmd, long num, void *ptr) { long ret; @@ -42,18 +30,6 @@ static long pkt_split_dgram_ctrl(BIO *bio, int cmd, long num, void *ptr) return ret; } -static int pkt_split_dgram_gets(BIO *bio, char *buf, int size) -{ - /* We don't support this - not needed anyway */ - return -1; -} - -static int pkt_split_dgram_puts(BIO *bio, const char *str) -{ - /* We don't support this - not needed anyway */ - return -1; -} - static int pkt_split_dgram_sendmmsg(BIO *bio, BIO_MSG *msg, size_t stride, size_t num_msg, uint64_t flags, size_t *msgs_processed) 
@@ -149,10 +125,6 @@ const BIO_METHOD *bio_f_pkt_split_dgram_filter(void) method_pkt_split_dgram = BIO_meth_new(BIO_TYPE_PKT_SPLIT_DGRAM_FILTER, "Packet splitting datagram filter"); if (method_pkt_split_dgram == NULL - || !BIO_meth_set_write(method_pkt_split_dgram, pkt_split_dgram_write) - || !BIO_meth_set_read(method_pkt_split_dgram, pkt_split_dgram_read) - || !BIO_meth_set_puts(method_pkt_split_dgram, pkt_split_dgram_puts) - || !BIO_meth_set_gets(method_pkt_split_dgram, pkt_split_dgram_gets) || !BIO_meth_set_ctrl(method_pkt_split_dgram, pkt_split_dgram_ctrl) || !BIO_meth_set_sendmmsg(method_pkt_split_dgram, pkt_split_dgram_sendmmsg) From f13f9b716e8b148b97dbe49e823b9dc3f235de1f Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Wed, 20 Sep 2023 16:24:37 +0100 Subject: [PATCH 244/324] Ensure we up-ref the sbio before passing it to tserver We are actually passing two references to sbio: one as part of a BIO chain and one stand alone. Therefore we need two references. Reviewed-by: Tim Hudson Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22157) --- test/helpers/quictestlib.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/test/helpers/quictestlib.c b/test/helpers/quictestlib.c index 6a72cc27bea22..f5a46efb6f016 100644 --- a/test/helpers/quictestlib.c +++ b/test/helpers/quictestlib.c @@ -201,8 +201,12 @@ int qtest_create_quic_objects(OSSL_LIB_CTX *libctx, SSL_CTX *clientctx, BIO_set_data(fisbio, fault == NULL ? NULL : *fault); - if (!TEST_ptr(BIO_push(fisbio, sbio))) + if (!BIO_up_ref(sbio)) goto err; + if (!TEST_ptr(BIO_push(fisbio, sbio))) { + BIO_free(sbio); + goto err; + } tserver_args.libctx = libctx; tserver_args.net_rbio = sbio; @@ -240,7 +244,7 @@ int qtest_create_quic_objects(OSSL_LIB_CTX *libctx, SSL_CTX *clientctx, SSL_CTX_free(tserver_args.ctx); BIO_ADDR_free(peeraddr); BIO_free_all(cbio); - BIO_free(fisbio); + BIO_free_all(fisbio); BIO_free_all(sbio); SSL_free(*cssl); *cssl = NULL; 
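Review bot: The new `if (!BIO_up_ref(sbio))` check in qtest_create_quic_objects fails silently, unlike the `TEST_ptr`/`TEST_true` wrapped checks around it, so a failed up-ref would leave nothing in the test log; `if (!TEST_true(BIO_up_ref(sbio)))` would match the rest of the function. A short comment at the up-ref, such as `/* sbio is held twice: standalone as net_rbio and as the tail of the fisbio chain */`, would record why the extra reference and the `BIO_free(sbio)` on the BIO_push failure path are needed. Unbalanced reference counts in this cleanup path end in a double free or a leak. The function starts and ends outside the hunk.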
From 18fd0ea04d6bd37809a4e9a669c49cf9bc146bfb Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Wed, 20 Sep 2023 16:25:44 +0100 Subject: [PATCH 245/324] Ensure we free all the BIOs in a chain for QUIC like we do in TLS An application may pass in a whole BIO chain via SSL_set_bio(). When we free the BIO we should be using BIO_free_all() not BIO_free() like we do with TLS. Reviewed-by: Tim Hudson Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22157) --- ssl/quic/quic_impl.c | 8 ++++---- ssl/quic/quic_tserver.c | 4 ++-- test/quic_multistream_test.c | 6 ++---- 3 files changed, 8 insertions(+), 10 deletions(-) diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c index beec26c019c1d..cb927fa52d131 100644 --- a/ssl/quic/quic_impl.c +++ b/ssl/quic/quic_impl.c @@ -545,8 +545,8 @@ void ossl_quic_free(SSL *s) ossl_quic_channel_free(ctx.qc->ch); - BIO_free(ctx.qc->net_rbio); - BIO_free(ctx.qc->net_wbio); + BIO_free_all(ctx.qc->net_rbio); + BIO_free_all(ctx.qc->net_wbio); /* Note: SSL_free calls OPENSSL_free(qc) for us */ @@ -876,7 +876,7 @@ void ossl_quic_conn_set0_net_rbio(SSL *s, BIO *net_rbio) if (!ossl_quic_channel_set_net_rbio(ctx.qc->ch, net_rbio)) return; - BIO_free(ctx.qc->net_rbio); + BIO_free_all(ctx.qc->net_rbio); ctx.qc->net_rbio = net_rbio; if (net_rbio != NULL) @@ -903,7 +903,7 @@ void ossl_quic_conn_set0_net_wbio(SSL *s, BIO *net_wbio) if (!ossl_quic_channel_set_net_wbio(ctx.qc->ch, net_wbio)) return; - BIO_free(ctx.qc->net_wbio); + BIO_free_all(ctx.qc->net_wbio); ctx.qc->net_wbio = net_wbio; if (net_wbio != NULL) diff --git a/ssl/quic/quic_tserver.c b/ssl/quic/quic_tserver.c index 92c17d10f3c64..3630577e707b9 100644 --- a/ssl/quic/quic_tserver.c +++ b/ssl/quic/quic_tserver.c 
@@ -159,8 +159,8 @@ void ossl_quic_tserver_free(QUIC_TSERVER *srv) return; ossl_quic_channel_free(srv->ch); - BIO_free(srv->args.net_rbio); - BIO_free(srv->args.net_wbio); + BIO_free_all(srv->args.net_rbio); + BIO_free_all(srv->args.net_wbio); OPENSSL_free(srv->ssl); SSL_free(srv->tls); SSL_CTX_free(srv->ctx); diff --git a/test/quic_multistream_test.c b/test/quic_multistream_test.c index b401e78e329ba..2ad4ef292e2d8 100644 --- a/test/quic_multistream_test.c +++ b/test/quic_multistream_test.c @@ -746,10 +746,8 @@ static int helper_init(struct helper *h, int free_order, int blocking, BIO_set_data(h->s_qtf_wbio, h->qtf); } - if (!need_injector) - h->s_net_bio_own = NULL; - - h->s_qtf_wbio_own = NULL; + h->s_net_bio_own = NULL; + h->s_qtf_wbio_own = NULL; h->c_fd = BIO_socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP, 0); if (!TEST_int_ge(h->c_fd, 0)) From 523c5a06c590b7f2950043a6b8308c3f3e49cb51 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 21 Sep 2023 10:25:00 +0100 Subject: [PATCH 246/324] Clarify the terminology in the noisy dgram BIO The previous terminology was quite confusing. We try to use drop, duplicate and delay more consistently and introduce the "reinject" terminology as a mechanism for implementing duplicates and delays. Reviewed-by: Tim Hudson Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22157) --- test/helpers/noisydgrambio.c | 107 +++++++++++++++++++++++------------ 1 file changed, 71 insertions(+), 36 deletions(-) diff --git a/test/helpers/noisydgrambio.c b/test/helpers/noisydgrambio.c index c93b6961ecd18..8b68726dd2b4c 100644 --- a/test/helpers/noisydgrambio.c +++ b/test/helpers/noisydgrambio.c @@ -16,7 +16,7 @@ struct noisy_dgram_st { uint64_t this_dgram; BIO_MSG msg; - uint64_t delayed_dgram; + uint64_t reinject_dgram; }; static long noisy_dgram_ctrl(BIO *bio, int cmd, long num, void *ptr) 
@@ -54,31 +54,66 @@ static int noisy_dgram_sendmmsg(BIO *bio, BIO_MSG *msg, size_t stride, return BIO_sendmmsg(next, msg, stride, num_msg, flags, msgs_processed); } -static void get_noise(uint64_t *delay, int *should_drop) +/* 1 in NOISE_RATE datagrams will be noisy. With a value of 5 that is 20% */ +#define NOISE_RATE 5 + +/* + * We have 3 different types of noise: drop, duplicate and delay + * Each of these have equal probability. + */ +#define NOISE_TYPE_DROP 0 +#define NOISE_TYPE_DUPLICATE 1 +#define NOISE_TYPE_DELAY 2 +#define NUM_NOISE_TYPES 3 + +/* + * When a duplicate occurs we reinject the new datagram after up to + * MAX_DGRAM_REINJECT datagrams have been sent. A reinject of 1 means that the + * duplicate follows immediately after the original datagram. A reinject of 4 + * means that original datagram plus 3 other datagrams are sent before the + * reinjected datagram is inserted. + * This also controls when a delay (not a duplicate) occurs. In that case + * we add 1 to the number because there is no point in skipping the current + * datagram only to immediately reinject it in the next datagram. + */ +#define MAX_DGRAM_REINJECT 4 + +static void get_noise(uint64_t *reinject, int *should_drop) { uint32_t type; - /* 20% of all datagrams should be noisy */ - if (test_random() % 5 != 0) { - *delay = 0; + if (test_random() % NOISE_RATE != 0) { + *reinject = 0; *should_drop = 0; return; } - type = test_random() % 3; + type = test_random() % NUM_NOISE_TYPES; - /* Of noisy datagrams, 33% drop only, 33% delay only, 33% drop and delay */ - - *should_drop = (type == 0 || type == 1); + /* + * Of noisy datagrams, 33% drop, 33% duplicate, 33% delay + * A duplicated datagram keeps the current datagram and reinjects a new + * identical one after up to MAX_DGRAM_DELAY datagrams have been sent. + * A delayed datagram is implemented as both a reinject and a drop, i.e. 
an + * identical datagram is reinjected after the given number of datagrams have + * been sent and the current datagram is dropped. + */ + *should_drop = (type == NOISE_TYPE_DROP || type == NOISE_TYPE_DELAY); - /* Where a delay occurs we delay by 1 - 4 datagrams */ - *delay = (type == 0) ? 0 : (uint64_t)((test_random() % 4) + 1); + /* + * Where a duplicate occurs we reinject the copy of the datagram up to + * MAX_DGRAM_DELAY datagrams later + */ + *reinject = (type == NOISE_TYPE_DROP) + ? 0 + : (uint64_t)((test_random() % MAX_DGRAM_REINJECT) + 1); /* - * No point in delaying by 1 datagram if we are also dropping, so we delay - * by an extra datagram in that case + * No point in reinjecting after 1 datagram if the current datagram is also + * dropped (i.e. this is a delay not a duplicate), so we reinject after an + * extra datagram in that case */ - *delay += (uint64_t)(*should_drop); + *reinject += (uint64_t)(*should_drop); } static int noisy_dgram_recvmmsg(BIO *bio, BIO_MSG *msg, size_t stride, @@ -133,14 +168,14 @@ static int noisy_dgram_recvmmsg(BIO *bio, BIO_MSG *msg, size_t stride, for (i = 0, thismsg = msg; i < msg_cnt; i++, thismsg++, data->this_dgram++) { - uint64_t delay; + uint64_t reinject; int should_drop; - /* If we have a delayed message ready insert it now */ - if (data->delayed_dgram > 0 - && data->delayed_dgram == data->this_dgram) { + /* If we have a message to reinject then insert it now */ + if (data->reinject_dgram > 0 + && data->reinject_dgram == data->this_dgram) { if (msg_cnt < num_msg) { - /* Make space for the inserted message */ + /* Make space for the injected message */ for (j = msg_cnt; j > i; j--) { if (!bio_msg_copy(&msg[j], &msg[j - 1])) return 0; 
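Review bot: Two of the new comments in get_noise() refer to `MAX_DGRAM_DELAY`, but the macro this hunk defines and uses is `MAX_DGRAM_REINJECT`. Since the commit's stated purpose is to make the terminology consistent, both comments should read `MAX_DGRAM_REINJECT`. The comment above the `*reinject` assignment also mentions only duplicates, while the expression applies to delays as well (everything except `NOISE_TYPE_DROP`); something like `/* For a duplicate or a delay we reinject a copy up to MAX_DGRAM_REINJECT datagrams later */` would match the code.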
@@ -148,38 +183,38 @@ static int noisy_dgram_recvmmsg(BIO *bio, BIO_MSG *msg, size_t stride, if (!bio_msg_copy(thismsg, &data->msg)) return 0; msg_cnt++; - data->delayed_dgram = 0; + data->reinject_dgram = 0; #ifdef OSSL_NOISY_DGRAM_DEBUG - printf("**Inserting a delayed datagram\n"); + printf("**Injecting a datagram\n"); BIO_dump_fp(stdout, thismsg->data, thismsg->data_len); printf("\n"); #endif continue; - } /* else we have no space for the insertion, so just drop it */ - data->delayed_dgram = 0; + } /* else we have no space for the injection, so just drop it */ + data->reinject_dgram = 0; } - get_noise(&delay, &should_drop); + get_noise(&reinject, &should_drop); - /* We ignore delay if a message is already delayed */ - if (delay > 0 && data->delayed_dgram == 0) { + /* + * We ignore reinjection if a message is already waiting to be + * reinjected + */ + if (reinject > 0 && data->reinject_dgram == 0) { /* - * Note that a message may be delayed *and* dropped, or delayed - * and *not* dropped. - * Delayed and dropped means the message will not be sent now and - * will only be sent after the delay. - * Delayed and not dropped means the message will be sent now and - * a duplicate will also be sent after the delay. + * Both duplicated and delayed datagrams get reintroduced after the + * delay period. Datagrams that are delayed only (not duplicated) + * will also have the current copy of the datagram dropped (i.e + * should_drop below will be true). */ - if (!bio_msg_copy(&data->msg, thismsg)) return 0; - data->delayed_dgram = data->this_dgram + delay; + data->reinject_dgram = data->this_dgram + reinject; #ifdef OSSL_NOISY_DGRAM_DEBUG - printf("**Delaying a datagram for %u messages%s\n", - (unsigned int)delay, should_drop ? "" : "(duplicating)"); + printf("**Scheduling a reinject after %u messages%s\n", + (unsigned int)reinject, should_drop ? "" : "(duplicating)"); BIO_dump_fp(stdout, thismsg->data, thismsg->data_len); printf("\n"); #endif 
From 34d36cdcbdde2e402446994e8384404ca98bfb3f Mon Sep 17 00:00:00 2001 From: Huiyue Xu Date: Thu, 14 Sep 2023 16:21:35 +0800 Subject: [PATCH 247/324] Do not include sparse_array.o in libssl sparse_array.o is not needed in libssl at 3.0.x version. Signed-off-by: Huiyue Xu Reviewed-by: Matt Caswell Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22111) (cherry picked from commit a31cd07af1ca34cdbbd2b077a933208d447ed0b2) --- crypto/build.info | 2 -- 1 file changed, 2 deletions(-) diff --git a/crypto/build.info b/crypto/build.info index ef568070c14e4..2d5b22fcff4e9 100644 --- a/crypto/build.info +++ b/crypto/build.info @@ -102,8 +102,6 @@ $UTIL_COMMON=\ param_build_set.c der_writer.c threads_lib.c params_dup.c \ time.c params_idx.c -SHARED_SOURCE[../libssl]=sparse_array.c - SOURCE[../libcrypto]=$UTIL_COMMON \ mem.c mem_sec.c \ cversion.c info.c cpt_err.c ebcdic.c uid.c o_time.c o_dir.c \ From 1acc3e8cc3c69187b55cc557c1bc03278ab38063 Mon Sep 17 00:00:00 2001 From: "Matthias St. Pierre" Date: Thu, 21 Sep 2023 16:43:43 +0200 Subject: [PATCH 248/324] no-engine: fix signing with legacy app method based keys Signing with an app method based key (i.e. an `EVP_PKEY` which wraps an `RSA` key with an application defined `RSA_METHOD`) used to work in 1.1.1. That feature was broken in commit 60488d2434, but later on fixed by @t8m in commit b247113c05 (see #14859). This commit corrects a minor flaw of the fix, which affects only `no-engine` builds: the special treatment for foreign keys is guarded by an `OPENSSL_NO_ENGINE` check. Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell Reviewed-by: Dmitry Belyavskiy Reviewed-by: Todd Short (Merged from https://github.com/openssl/openssl/pull/22163) --- crypto/evp/pmeth_lib.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c index 6bd9994072632..268b1617e3799 100644 --- a/crypto/evp/pmeth_lib.c 
+++ b/crypto/evp/pmeth_lib.c @@ -247,10 +247,11 @@ static EVP_PKEY_CTX *int_ctx_new(OSSL_LIB_CTX *libctx, */ if (e != NULL) pmeth = ENGINE_get_pkey_meth(e, id); - else if (pkey != NULL && pkey->foreign) + else +# endif /* OPENSSL_NO_ENGINE */ + if (pkey != NULL && pkey->foreign) pmeth = EVP_PKEY_meth_find(id); else -# endif app_pmeth = pmeth = evp_pkey_meth_find_added_by_application(id); /* END legacy */ From 6c03fa21ed4bbc9fd6d3013fdf9f4646d231f831 Mon Sep 17 00:00:00 2001 From: Michael Baentsch <57787676+baentsch@users.noreply.github.com> Date: Fri, 22 Sep 2023 17:52:09 +0200 Subject: [PATCH 249/324] adding -outpubkey option to genpkey Reviewed-by: Dmitry Belyavskiy Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22173) --- apps/genpkey.c | 26 +++++++++++++++++++++----- doc/man1/openssl-genpkey.pod.in | 18 ++++++++++++------ test/recipes/15-test_genec.t | 4 +++- 3 files changed, 36 insertions(+), 12 deletions(-) diff --git a/apps/genpkey.c b/apps/genpkey.c index 080f1f60756e7..66f0e1eaf01af 100644 --- a/apps/genpkey.c +++ b/apps/genpkey.c @@ -23,7 +23,7 @@ typedef enum OPTION_choice { OPT_COMMON, OPT_ENGINE, OPT_OUTFORM, OPT_OUT, OPT_PASS, OPT_PARAMFILE, OPT_ALGORITHM, OPT_PKEYOPT, OPT_GENPARAM, OPT_TEXT, OPT_CIPHER, - OPT_VERBOSE, OPT_QUIET, OPT_CONFIG, + OPT_VERBOSE, OPT_QUIET, OPT_CONFIG, OPT_OUTPUBKEY, OPT_PROV_ENUM } OPTION_CHOICE; 
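Review bot: The `else` left dangling immediately before `# endif /* OPENSSL_NO_ENGINE */` in int_ctx_new binds to the `if (pkey != NULL && pkey->foreign)` that follows the directive. The construct behaves as intended in both configurations, but a statement inserted between the two lines later would silently change behaviour in engine builds only. A comment on the `if`, for example `/* in engine builds this is the else-branch of the e != NULL test above */`, would make the pairing explicit. The diffstat shows no test for a `no-engine` build signing with a foreign key, so the path this commit fixes is not covered by it. The function starts and ends outside the hunk.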
@@ -42,11 +42,12 @@ const OPTIONS genpkey_options[] = { OPT_CONFIG_OPTION, OPT_SECTION("Output"), - {"out", OPT_OUT, '>', "Output file"}, + {"out", OPT_OUT, '>', "Output (private key) file"}, + {"outpubkey", OPT_OUTPUBKEY, '>', "Output public key file"}, {"outform", OPT_OUTFORM, 'F', "output format (DER or PEM)"}, {"pass", OPT_PASS, 's', "Output file pass phrase source"}, {"genparam", OPT_GENPARAM, '-', "Generate parameters, not key"}, - {"text", OPT_TEXT, '-', "Print the in text"}, + {"text", OPT_TEXT, '-', "Print the private key in text"}, {"", OPT_CIPHER, '-', "Cipher to use to encrypt the key"}, OPT_PROV_OPTIONS, @@ -104,11 +105,12 @@ static void show_gen_pkeyopt(const char *algname, OSSL_LIB_CTX *libctx, const ch int genpkey_main(int argc, char **argv) { CONF *conf = NULL; - BIO *in = NULL, *out = NULL; + BIO *in = NULL, *out = NULL, *outpubkey = NULL; ENGINE *e = NULL; EVP_PKEY *pkey = NULL; EVP_PKEY_CTX *ctx = NULL; char *outfile = NULL, *passarg = NULL, *pass = NULL, *prog, *p; + char *outpubkeyfile = NULL; const char *ciphername = NULL, *paramfile = NULL, *algname = NULL; EVP_CIPHER *cipher = NULL; OPTION_CHOICE o; @@ -141,6 +143,9 @@ int genpkey_main(int argc, char **argv) case OPT_OUT: outfile = opt_arg(); break; + case OPT_OUTPUBKEY: + outpubkeyfile = opt_arg(); + break; case OPT_PASS: passarg = opt_arg(); break; @@ -228,6 +233,12 @@ int genpkey_main(int argc, char **argv) if (out == NULL) goto end; + if (outpubkeyfile != NULL) { + outpubkey = bio_open_owner(outpubkeyfile, outformat, private); + if (outpubkey == NULL) + goto end; + } + if (verbose) EVP_PKEY_CTX_set_cb(ctx, progress_cb); EVP_PKEY_CTX_set_app_data(ctx, bio_err); 
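Review bot: The file named by `-outpubkey` is opened, and so created, whenever the option is given, but the only writes this patch adds are in the PEM and DER private-key branches further down. Combining it with `-genparam` therefore appears to leave an empty public-key file and still report success; the parameter branch is outside the visible hunks, so this is worth confirming. Rejecting the combination during option checking, before the open, with a message such as `-outpubkey cannot be used with -genparam` would make the failure explicit. The file is also opened before the key is generated, so a later generation error leaves the empty file behind. genpkey_main starts and ends outside the hunk.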
@@ -242,9 +253,13 @@ int genpkey_main(int argc, char **argv) } else if (outformat == FORMAT_PEM) { assert(private); rv = PEM_write_bio_PrivateKey(out, pkey, cipher, NULL, 0, NULL, pass); + if (rv > 0 && outpubkey != NULL) + rv = PEM_write_bio_PUBKEY(outpubkey, pkey); } else if (outformat == FORMAT_ASN1) { assert(private); rv = i2d_PrivateKey_bio(out, pkey); + if (rv > 0 && outpubkey != NULL) + rv = i2d_PUBKEY_bio(outpubkey, pkey); } else { BIO_printf(bio_err, "Bad format specified for key\n"); goto end; @@ -253,7 +268,7 @@ int genpkey_main(int argc, char **argv) ret = 0; if (rv <= 0) { - BIO_puts(bio_err, "Error writing key\n"); + BIO_puts(bio_err, "Error writing key(s)\n"); ret = 1; } @@ -277,6 +292,7 @@ int genpkey_main(int argc, char **argv) EVP_PKEY_CTX_free(ctx); EVP_CIPHER_free(cipher); BIO_free_all(out); + BIO_free_all(outpubkey); BIO_free(in); release_engine(e); OPENSSL_free(pass); diff --git a/doc/man1/openssl-genpkey.pod.in b/doc/man1/openssl-genpkey.pod.in index e760d613fe071..aa0b74e8aaeba 100644 --- a/doc/man1/openssl-genpkey.pod.in +++ b/doc/man1/openssl-genpkey.pod.in @@ -7,13 +7,14 @@ =head1 NAME -openssl-genpkey - generate a private key +openssl-genpkey - generate a private key or key pair =head1 SYNOPSIS B B [B<-help>] [B<-out> I] +[B<-outpubkey> I] [B<-outform> B|B] [B<-verbose>] [B<-quiet>] @@ -29,7 +30,7 @@ B B =head1 DESCRIPTION -This command generates a private key. +This command generates a private key or key pair. =head1 OPTIONS @@ -41,8 +42,13 @@ Print out a usage message. =item B<-out> I -Output the key to the specified file. If this argument is not specified then -standard output is used. +Output the private key to the specified file. If this argument is not +specified then standard output is used. + +=item B<-outpubkey> I + +Output the public key to the specified file. If this argument is not +specified then the public key is not output. =item B<-outform> B|B 
@@ -73,8 +79,8 @@ name accepted by EVP_get_cipherbyname() is acceptable such as B. Public key algorithm to use such as RSA, DSA, DH or DHX. If used this option must precede any B<-pkeyopt> options. The options B<-paramfile> and B<-algorithm> -are mutually exclusive. Engines may add algorithms in addition to the standard -built-in ones. +are mutually exclusive. Engines or providers may add algorithms in addition to +the standard built-in ones. Valid built-in algorithm names for private key generation are RSA, RSA-PSS, EC, X25519, X448, ED25519 and ED448. diff --git a/test/recipes/15-test_genec.t b/test/recipes/15-test_genec.t index 2dfed387ca061..3e8c55071c4b1 100644 --- a/test/recipes/15-test_genec.t +++ b/test/recipes/15-test_genec.t @@ -232,13 +232,15 @@ foreach my $curvename (@curve_list) { foreach my $outform (@output_formats) { my $outfile = "ecgen.${curvename}.${paramenc}." . lc $outform; + my $outpubfile = "ecgen.${curvename}.${paramenc}-pub." . lc $outform; $fn->("genpkey EC key on ${curvename} with ec_param_enc:'${paramenc}' (${outform})", app([ 'openssl', 'genpkey', '-algorithm', 'EC', '-pkeyopt', 'ec_paramgen_curve:'.$curvename, '-pkeyopt', 'ec_param_enc:'.$paramenc, '-outform', $outform, - '-out', $outfile])); + '-out', $outfile, + '-outpubkey', $outpubfile])); } } } From 442d08f215c48896f59e9c09a14773058f9e56bf Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Fri, 22 Sep 2023 17:31:34 +0100 Subject: [PATCH 250/324] Remove a spurious inclusion of the sparse array header file Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22174) --- ssl/event_queue.c | 1 - 1 file changed, 1 deletion(-) diff --git a/ssl/event_queue.c b/ssl/event_queue.c index 49890a36b505f..20f4020db51b4 100644 --- a/ssl/event_queue.c +++ b/ssl/event_queue.c @@ -9,7 +9,6 @@ #include #include "internal/event_queue.h" -#include "crypto/sparse_array.h" #include "ssl_local.h" struct ossl_event_queue_st { 
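Review bot: The updated genpkey invocation passes `-outpubkey $outpubfile`, but nothing in the hunk reads `$outpubfile` back, so the test only shows that the option is accepted. It would still pass if the file were empty or held a key unrelated to the private key. A follow-up step that parses the file, for example `app(['openssl', 'pkey', '-pubin', '-in', $outpubfile, '-inform', $outform, '-noout'])`, would cover the new code path. Comparing that output with the public key derived from `$outfile` would be stronger still.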
From a18c9f80916134bd7122cc1ba204bb5cdca752a3 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 21 Sep 2023 11:59:58 +0100 Subject: [PATCH 251/324] Implement a public BIO_ADDR_copy() function We already have BIO_ADDR_dup() but in some contexts that is not sufficent. We implement BIO_ADDR_copy() and make BIO_ADDR_dup() use it. Reviewed-by: Tomas Mraz Reviewed-by: Tim Hudson Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22164) --- crypto/bio/bio_addr.c | 19 +++++++++++++++++-- include/openssl/bio.h.in | 1 + util/libcrypto.num | 1 + 3 files changed, 19 insertions(+), 2 deletions(-) diff --git a/crypto/bio/bio_addr.c b/crypto/bio/bio_addr.c index aec94237fc8c8..2a6f6d522c7a5 100644 --- a/crypto/bio/bio_addr.c +++ b/crypto/bio/bio_addr.c @@ -65,14 +65,29 @@ void BIO_ADDR_free(BIO_ADDR *ap) OPENSSL_free(ap); } +int BIO_ADDR_copy(BIO_ADDR *dst, const BIO_ADDR *src) +{ + if (dst == NULL || src == NULL) + return 0; + + if (src->sa.sa_family == AF_UNSPEC) { + BIO_ADDR_clear(dst); + return 1; + } + + return BIO_ADDR_make(dst, &src->sa); +} + BIO_ADDR *BIO_ADDR_dup(const BIO_ADDR *ap) { BIO_ADDR *ret = NULL; if (ap != NULL) { ret = BIO_ADDR_new(); - if (ret != NULL) - BIO_ADDR_make(ret, &ap->sa); + if (ret != NULL && !BIO_ADDR_copy(ret, ap)) { + BIO_ADDR_free(ret); + ret = NULL; + } } return ret; } diff --git a/include/openssl/bio.h.in b/include/openssl/bio.h.in index 8aad1414460d9..c534dcd76cdb6 100644 --- a/include/openssl/bio.h.in +++ b/include/openssl/bio.h.in @@ -806,6 +806,7 @@ int BIO_hex_string(BIO *out, int indent, int width, const void *data, # ifndef OPENSSL_NO_SOCK BIO_ADDR *BIO_ADDR_new(void); +int BIO_ADDR_copy(BIO_ADDR *dst, const BIO_ADDR *src); BIO_ADDR *BIO_ADDR_dup(const BIO_ADDR *ap); int BIO_ADDR_rawmake(BIO_ADDR *ap, int family, const void *where, size_t wherelen, unsigned short port); diff --git a/util/libcrypto.num b/util/libcrypto.num index e4265b4cef0b6..6af1fe1707b9a 100644 --- a/util/libcrypto.num 
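Review bot: BIO_ADDR_copy() does not handle `dst == src`, so a self-copy is passed straight to `BIO_ADDR_make(dst, &src->sa)`. BIO_ADDR_make is not shown here; if it copies with memcpy, identical source and destination would be an overlapping copy, which is undefined behaviour. An early `if (dst == src) return 1;` after the NULL check would make the case well defined for a new public API. BIO_ADDR_dup() now returns NULL where it previously returned a blank address when the copy fails, which is a behaviour change callers may need to know about.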
+++ b/util/libcrypto.num @@ -5535,3 +5535,4 @@ OSSL_ERR_STATE_save_to_mark ? 3_2_0 EXIST::FUNCTION: X509_STORE_CTX_set_get_crl ? 3_2_0 EXIST::FUNCTION: X509_STORE_CTX_set_current_reasons ? 3_2_0 EXIST::FUNCTION: OSSL_STORE_delete ? 3_2_0 EXIST::FUNCTION: +BIO_ADDR_copy ? 3_2_0 EXIST::FUNCTION:SOCK From e55843ab50acde02cac8821d4552db9cba2d2e14 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 21 Sep 2023 12:10:15 +0100 Subject: [PATCH 252/324] Add documentation for the BIO_ADDR_copy() function Reviewed-by: Tomas Mraz Reviewed-by: Tim Hudson Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22164) --- doc/man3/BIO_ADDR.pod | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/doc/man3/BIO_ADDR.pod b/doc/man3/BIO_ADDR.pod index aa5bf77191461..20cd364d48aee 100644 --- a/doc/man3/BIO_ADDR.pod +++ b/doc/man3/BIO_ADDR.pod @@ -2,8 +2,8 @@ =head1 NAME -BIO_ADDR, BIO_ADDR_new, BIO_ADDR_dup, BIO_ADDR_clear, BIO_ADDR_free, -BIO_ADDR_rawmake, +BIO_ADDR, BIO_ADDR_new, BIO_ADDR_copy, BIO_ADDR_dup, BIO_ADDR_clear, +BIO_ADDR_free, BIO_ADDR_rawmake, BIO_ADDR_family, BIO_ADDR_rawaddress, BIO_ADDR_rawport, BIO_ADDR_hostname_string, BIO_ADDR_service_string, BIO_ADDR_path_string - BIO_ADDR routines @@ -16,6 +16,7 @@ BIO_ADDR_path_string - BIO_ADDR routines typedef union bio_addr_st BIO_ADDR; BIO_ADDR *BIO_ADDR_new(void); + int BIO_ADDR_copy(BIO_ADDR *dst, const BIO_ADDR *src); BIO_ADDR *BIO_ADDR_dup(const BIO_ADDR *ap); void BIO_ADDR_free(BIO_ADDR *); void BIO_ADDR_clear(BIO_ADDR *ap); @@ -39,6 +40,9 @@ BIO_ADDR_new() creates a new unfilled B, to be used with routines that will fill it with information, such as BIO_accept_ex(). +BIO_ADDR_copy() copies the contents of B into B. Neither B or +B can be NULL. + BIO_ADDR_dup() creates a new B, with a copy of the address data in B. 
@@ -112,6 +116,8 @@ BIO_ADDR_service_string() and BIO_ADDR_path_string() will return B on error and leave an error indication on the OpenSSL error stack. +BIO_ADDR_copy() returns 1 on success or 0 on error. + All other functions described here return 0 or B when the information they should return isn't available. @@ -121,7 +127,7 @@ L, L =head1 HISTORY -BIO_ADDR_dup() was added in OpenSSL 3.2. +BIO_ADDR_copy() and BIO_ADDR_dup() were added in OpenSSL 3.2. =head1 COPYRIGHT From d058ae6e0397faaa60c18c6ae3aecaff64dca47b Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 21 Sep 2023 12:16:38 +0100 Subject: [PATCH 253/324] Clean away the test code implementation of bio_addr_copy We now have a public function for BIO_ADDR_copy() which can be used in preference to the test code's private implementation. Reviewed-by: Tomas Mraz Reviewed-by: Tim Hudson Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22164) --- test/helpers/quictestlib.c | 42 ++------------------------------------ test/helpers/quictestlib.h | 3 --- 2 files changed, 2 insertions(+), 43 deletions(-) diff --git a/test/helpers/quictestlib.c b/test/helpers/quictestlib.c index f5a46efb6f016..17da14766fcc0 100644 --- a/test/helpers/quictestlib.c +++ b/test/helpers/quictestlib.c 
@@ -1086,44 +1086,6 @@ int qtest_fault_resize_datagram(QTEST_FAULT *fault, size_t newlen) return 1; } -/* There isn't a public function to do BIO_ADDR_copy() so we create one */ -int bio_addr_copy(BIO_ADDR *dst, BIO_ADDR *src) -{ - size_t len; - void *data = NULL; - int res = 0; - int family; - - if (src == NULL || dst == NULL) - return 0; - - family = BIO_ADDR_family(src); - if (family == AF_UNSPEC) { - BIO_ADDR_clear(dst); - return 1; - } - - if (!BIO_ADDR_rawaddress(src, NULL, &len)) - return 0; - - if (len > 0) { - data = OPENSSL_malloc(len); - if (!TEST_ptr(data)) - return 0; - } - - if (!BIO_ADDR_rawaddress(src, data, &len)) - goto err; - - if (!BIO_ADDR_rawmake(src, family, data, len, BIO_ADDR_rawport(src))) - goto err; - - res = 1; - err: - OPENSSL_free(data); - return res; -} - int bio_msg_copy(BIO_MSG *dst, BIO_MSG *src) { /* @@ -1135,13 +1097,13 @@ int bio_msg_copy(BIO_MSG *dst, BIO_MSG *src) dst->flags = src->flags; if (dst->local != NULL) { if (src->local != NULL) { - if (!TEST_true(bio_addr_copy(dst->local, src->local))) + if (!TEST_true(BIO_ADDR_copy(dst->local, src->local))) return 0; } else { BIO_ADDR_clear(dst->local); } } - if (!TEST_true(bio_addr_copy(dst->peer, src->peer))) + if (!TEST_true(BIO_ADDR_copy(dst->peer, src->peer))) return 0; return 1; diff --git a/test/helpers/quictestlib.h b/test/helpers/quictestlib.h index 844aec8a60be6..f090299b22798 100644 --- a/test/helpers/quictestlib.h +++ b/test/helpers/quictestlib.h @@ -242,9 +242,6 @@ int qtest_fault_set_datagram_listener(QTEST_FAULT *fault, */ int qtest_fault_resize_datagram(QTEST_FAULT *fault, size_t newlen); -/* Copy a BIO_ADDR */ -int bio_addr_copy(BIO_ADDR *dst, BIO_ADDR *src); - /* Copy a BIO_MSG */ int bio_msg_copy(BIO_MSG *dst, BIO_MSG *src); From 30224a248495ad604a06b8977fa3aa1cc75b9d0d Mon Sep 17 00:00:00 2001 
From: Matt Caswell Date: Thu, 21 Sep 2023 16:28:58 +0100 Subject: [PATCH 254/324] Add a test for BIO_ADDR_copy() We also add a test for BIO_ADDR_dup() which was also added in 3.2 Reviewed-by: Tomas Mraz Reviewed-by: Tim Hudson Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22164) --- test/bio_addr_test.c | 164 ++++++++++++++++++++++++++++++++ test/build.info | 6 ++ test/recipes/61-test_bio_addr.t | 20 ++++ 3 files changed, 190 insertions(+) create mode 100644 test/bio_addr_test.c create mode 100644 test/recipes/61-test_bio_addr.t diff --git a/test/bio_addr_test.c b/test/bio_addr_test.c new file mode 100644 index 0000000000000..a985d03b14c1a --- /dev/null +++ b/test/bio_addr_test.c 
@@ -0,0 +1,164 @@
+/*
+ * Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include
+#include "internal/e_os.h"
+#include "internal/sockets.h"
+#include "testutil.h"
+
+static int families[] = {
+ AF_INET,
+#if OPENSSL_USE_IPV6
+ AF_INET6,
+#endif
+#ifndef OPENSSL_NO_UNIX_SOCK
+ AF_UNIX
+#endif
+};
+
+static BIO_ADDR *make_dummy_addr(int family)
+{
+ BIO_ADDR *addr;
+ union {
+ struct sockaddr_in sin;
+#if OPENSSL_USE_IPV6
+ struct sockaddr_in6 sin6;
+#endif
+#ifndef OPENSSL_NO_UNIX_SOCK
+ struct sockaddr_un sun;
+#endif
+ } sa;
+ void *where;
+ size_t wherelen;
+
+ /* Fill with a dummy address */
+ switch(family) {
+ case AF_INET:
+ where = &(sa.sin.sin_addr);
+ wherelen = sizeof(sa.sin.sin_addr);
+ break;
+#if OPENSSL_USE_IPV6
+ case AF_INET6:
+ where = &(sa.sin6.sin6_addr);
+ wherelen = sizeof(sa.sin6.sin6_addr);
+ break;
+#endif
+#ifndef OPENSSL_NO_UNIX_SOCK
+ case AF_UNIX:
+ where = &(sa.sun.sun_path);
+ /* BIO_ADDR_rawmake needs an extra byte for a NUL-terminator*/
+ wherelen = sizeof(sa.sun.sun_path) - 1;
+ break;
+#endif
+ default:
+ TEST_error("Unsupported address family");
+ return 0;
+ }
+ /*
+ * Could be any data, but we make it printable because BIO_ADDR_rawmake
+ * expects the AF_UNIX address to be a string.
+ */
+ memset(where, 'a', wherelen);
+
+ addr = BIO_ADDR_new();
+ if (!TEST_ptr(addr))
+ return NULL;
+
+ if (!TEST_true(BIO_ADDR_rawmake(addr, family, where, wherelen, 1000))) {
+ BIO_ADDR_free(addr);
+ return NULL;
+ }
+
+ return addr;
+}
+
+static int bio_addr_is_eq(const BIO_ADDR *a, const BIO_ADDR *b)
+{
+ struct sockaddr_storage adata, bdata;
+ size_t alen, blen;
+
+ /* True even if a and b are NULL */
+ if (a == b)
+ return 1;
+
+ /* If one is NULL the other cannot be due to the test above */
+ if (a == NULL || b == NULL)
+ return 0;
+
+ if (BIO_ADDR_family(a) != BIO_ADDR_family(b))
+ return 0;
+
+ /* Works even with AF_UNIX/AF_UNSPEC which just returns 0 */
+ if (BIO_ADDR_rawport(a) != BIO_ADDR_rawport(b))
+ return 0;
+
+ if (!BIO_ADDR_rawaddress(a, NULL, &alen)
+ || alen > sizeof(adata)
+ || !BIO_ADDR_rawaddress(a, &adata, &alen))
+ return 0;
+
+ if (!BIO_ADDR_rawaddress(a, NULL, &blen)
+ || blen > sizeof(bdata)
+ || !BIO_ADDR_rawaddress(a, &bdata, &blen))
+ return 0;
+
+ if (alen != blen)
+ return 0;
+
+ if (alen == 0)
+ return 1;
+
+ return memcmp(&adata, &bdata, alen) == 0;
+}
+
+static int test_bio_addr_copy_dup(int idx)
+{
+ BIO_ADDR *src = NULL, *dst = NULL;
+ int ret = 0;
+ int docopy = idx & 1;
+
+ idx >>= 1;
+
+ src = make_dummy_addr(families[idx]);
+ if (!TEST_ptr(src))
+ return 0;
+
+ if (docopy) {
+ dst = BIO_ADDR_new();
+ if (!TEST_ptr(dst))
+ goto err;
+
+ if (!TEST_true(BIO_ADDR_copy(dst, src)))
+ goto err;
+ } else {
+ dst = BIO_ADDR_dup(src);
+ if (!TEST_ptr(dst))
+ goto err;
+ }
+
+ if (!TEST_true(bio_addr_is_eq(src, dst)))
+ goto err;
+
+ ret = 1;
+ err:
+ BIO_ADDR_free(src);
+ BIO_ADDR_free(dst);
+ return ret;
+}
+
+int setup_tests(void)
+{
+ if (!test_skip_common_options()) {
+ TEST_error("Error parsing test options\n");
+ return 0;
+ }
+
+ ADD_ALL_TESTS(test_bio_addr_copy_dup, OSSL_NELEM(families) * 2);
+ return 1;
+}
diff --git a/test/build.info b/test/build.info
index 4c81a2b77984c..73f8de1f7a125 100644
--- a/test/build.info
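Review bot: `bio_addr_is_eq()` reads the raw address of `a` twice, so `bdata` and `blen` hold a second copy of `a` and the final `memcmp` can never fail. A `BIO_ADDR_copy()` or `BIO_ADDR_dup()` that preserved the family and port but corrupted the address bytes would still pass this test. The second block should query `b`: `if (!BIO_ADDR_rawaddress(b, NULL, &blen)` and `|| !BIO_ADDR_rawaddress(b, &bdata, &blen))`. Separately, the `default:` branch of `make_dummy_addr()` returns `0` from a function that returns `BIO_ADDR *`; `return NULL;` would match the other exits.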
+++ b/test/build.info @@ -522,6 +522,12 @@ IF[{- !$disabled{tests} -}] INCLUDE[http_test]=../include ../apps/include DEPEND[http_test]=../libcrypto libtestutil.a ENDIF + + PROGRAMS{noinst}=bio_addr_test + + SOURCE[bio_addr_test]=bio_addr_test.c + INCLUDE[bio_addr_test]=../include ../apps/include + DEPEND[bio_addr_test]=../libcrypto libtestutil.a ENDIF SOURCE[dtlstest]=dtlstest.c helpers/ssltestlib.c diff --git a/test/recipes/61-test_bio_addr.t b/test/recipes/61-test_bio_addr.t new file mode 100644 index 0000000000000..bd4c23a71f5ac --- /dev/null +++ b/test/recipes/61-test_bio_addr.t @@ -0,0 +1,20 @@ +#! /usr/bin/env perl +# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + + +use OpenSSL::Test; +use OpenSSL::Test::Utils; + +setup("test_bio_addr"); + +plan skip_all => "No sockets in this configuration" + if disabled("sock"); + +plan tests => 1; + +ok(run(test(["bio_addr_test"])), "running bio_addr_test"); From 91bc783a93a2a695fe6a2f8da93cf5b5e086ba42 Mon Sep 17 00:00:00 2001 From: "Jonathan M. Wilbur" Date: Sat, 1 Jul 2023 15:56:40 +0000 Subject: [PATCH 255/324] Support all NULL-syntax X.509v3 extensions 
Signed-off-by: Jonathan M. Wilbur Reviewed-by: Todd Short Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/21342) --- crypto/x509/build.info | 3 +- crypto/x509/ext_dat.h | 6 ++++ crypto/x509/standard_exts.h | 8 ++++- crypto/x509/v3_group_ac.c | 53 +++++++++++++++++++++++++++++++ crypto/x509/v3_ind_iss.c | 53 +++++++++++++++++++++++++++++++ crypto/x509/v3_no_ass.c | 53 +++++++++++++++++++++++++++++++ crypto/x509/v3_no_rev_avail.c | 53 +++++++++++++++++++++++++++++++ crypto/x509/v3_single_use.c | 53 +++++++++++++++++++++++++++++++ crypto/x509/v3_soa_id.c | 53 +++++++++++++++++++++++++++++++ test/certs/ext-groupAC.pem | 11 +++++++ test/certs/ext-indirectIssuer.pem | 11 +++++++ test/certs/ext-noAssertion.pem | 11 +++++++ test/certs/ext-noRevAvail.pem | 11 +++++++ test/certs/ext-sOAIdentifier.pem | 11 +++++++ test/certs/ext-singleUse.pem | 12 +++++++ test/recipes/25-test_x509.t | 26 ++++++++++++++- 16 files changed, 425 insertions(+), 3 deletions(-) create mode 100644 crypto/x509/v3_group_ac.c create mode 100644 crypto/x509/v3_ind_iss.c create mode 100644 crypto/x509/v3_no_ass.c create mode 100644 crypto/x509/v3_no_rev_avail.c create mode 100644 crypto/x509/v3_single_use.c create mode 100644 crypto/x509/v3_soa_id.c create mode 100644 test/certs/ext-groupAC.pem create mode 100644 test/certs/ext-indirectIssuer.pem create mode 100644 test/certs/ext-noAssertion.pem create mode 100644 test/certs/ext-noRevAvail.pem create mode 100644 test/certs/ext-sOAIdentifier.pem create mode 100644 test/certs/ext-singleUse.pem diff --git a/crypto/x509/build.info b/crypto/x509/build.info index 8820f983bb3d0..3f70f3ff36dfb 100644 --- a/crypto/x509/build.info +++ b/crypto/x509/build.info 
@@ -14,7 +14,8 @@ SOURCE[../../libcrypto]=\ v3_info.c v3_akeya.c v3_pmaps.c v3_pcons.c v3_ncons.c \ v3_pcia.c v3_pci.c v3_ist.c \ pcy_cache.c pcy_node.c pcy_data.c pcy_map.c pcy_tree.c pcy_lib.c \ - v3_asid.c v3_addr.c v3_tlsf.c v3_admis.c + v3_asid.c v3_addr.c v3_tlsf.c v3_admis.c v3_no_rev_avail.c \ + v3_soa_id.c v3_no_ass.c v3_group_ac.c v3_single_use.c v3_ind_iss.c IF[{- !$disabled{'deprecated-3.0'} -}] SOURCE[../../libcrypto]=x509type.c diff --git a/crypto/x509/ext_dat.h b/crypto/x509/ext_dat.h index a0a7f88ccd8ad..8325aacfa5306 100644 --- a/crypto/x509/ext_dat.h +++ b/crypto/x509/ext_dat.h @@ -25,3 +25,9 @@ extern const X509V3_EXT_METHOD ossl_v3_tls_feature; extern const X509V3_EXT_METHOD ossl_v3_ext_admission; extern const X509V3_EXT_METHOD ossl_v3_utf8_list[1]; extern const X509V3_EXT_METHOD ossl_v3_issuer_sign_tool; +extern const X509V3_EXT_METHOD ossl_v3_group_ac; +extern const X509V3_EXT_METHOD ossl_v3_soa_identifier; +extern const X509V3_EXT_METHOD ossl_v3_no_assertion; +extern const X509V3_EXT_METHOD ossl_v3_no_rev_avail; +extern const X509V3_EXT_METHOD ossl_v3_single_use; +extern const X509V3_EXT_METHOD ossl_v3_indirect_issuer; diff --git a/crypto/x509/standard_exts.h b/crypto/x509/standard_exts.h index 27a99a4b13ed7..e5c9e3f9e01ac 100644 --- a/crypto/x509/standard_exts.h +++ b/crypto/x509/standard_exts.h @@ -53,6 +53,7 @@ static const X509V3_EXT_METHOD *standard_exts[] = { #endif &ossl_v3_sinfo, &ossl_v3_policy_constraints, + &ossl_v3_no_rev_avail, #ifndef OPENSSL_NO_OCSP &ossl_v3_crl_hold, #endif @@ -71,7 +72,12 @@ static const X509V3_EXT_METHOD *standard_exts[] = { &ossl_v3_utf8_list[0], &ossl_v3_issuer_sign_tool, &ossl_v3_tls_feature, - &ossl_v3_ext_admission + &ossl_v3_ext_admission, + &ossl_v3_soa_identifier, + &ossl_v3_indirect_issuer, + &ossl_v3_no_assertion, + &ossl_v3_single_use, + &ossl_v3_group_ac }; /* Number of standard extensions */ 
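Review bot: The new entries go into `standard_exts[]` at two different places, `&ossl_v3_no_rev_avail` after `&ossl_v3_policy_constraints` and the other five at the end, which suggests the table is order-sensitive. If it is looked up by binary search on the extension NID, as I believe it is, a misplaced entry makes lookups for that extension or its neighbours fail without any error. The NID values are not visible in this patch, so the ordering cannot be checked from here. I would add a comment at the insertion points such as `/* keep sorted by ext_nid */` and confirm that an existing test covers the table order.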
diff --git a/crypto/x509/v3_group_ac.c b/crypto/x509/v3_group_ac.c
new file mode 100644
index 0000000000000..9a2b69deceb43
--- /dev/null
+++ b/crypto/x509/v3_group_ac.c
@@ -0,0 +1,53 @@
+/*
+ * Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include
+#include "internal/cryptlib.h"
+#include
+#include
+#include
+#include "ext_dat.h"
+
+static int i2r_GROUP_AC(X509V3_EXT_METHOD *method,
+ void *su, BIO *out,
+ int indent)
+{
+ return 1;
+}
+
+static void *r2i_GROUP_AC(X509V3_EXT_METHOD *method,
+ X509V3_CTX *ctx, const char *value)
+{
+ return ASN1_NULL_new();
+}
+
+static char *i2s_GROUP_AC(const X509V3_EXT_METHOD *method, void *val)
+{
+ return OPENSSL_strdup("NULL");
+}
+
+static void *s2i_GROUP_AC(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, const char *str)
+{
+ return ASN1_NULL_new();
+}
+
+/*
+ * The groupAC X.509v3 extension is defined in ITU Recommendation X.509
+ * (2019), Section 17.1.2.6. See: https://www.itu.int/rec/T-REC-X.509-201910-I/en.
+ */
+const X509V3_EXT_METHOD ossl_v3_group_ac = {
+ NID_group_ac, 0, ASN1_ITEM_ref(ASN1_NULL),
+ 0, 0, 0, 0,
+ (X509V3_EXT_I2S)i2s_GROUP_AC,
+ (X509V3_EXT_S2I)s2i_GROUP_AC,
+ 0, 0,
+ (X509V3_EXT_I2R)i2r_GROUP_AC,
+ (X509V3_EXT_R2I)r2i_GROUP_AC,
+ NULL
+};
diff --git a/crypto/x509/v3_ind_iss.c b/crypto/x509/v3_ind_iss.c
new file mode 100644
index 0000000000000..ff41ba7bed023
--- /dev/null
+++ b/crypto/x509/v3_ind_iss.c
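Review bot: `i2r_GROUP_AC` and `r2i_GROUP_AC` take a non-const `X509V3_EXT_METHOD *method`, while the i2s/s2i pair in the same file takes `const X509V3_EXT_METHOD *`, and the `(X509V3_EXT_I2R)`/`(X509V3_EXT_R2I)` casts in the method table hide any signature mismatch from the compiler. Declaring them as `static int i2r_GROUP_AC(const X509V3_EXT_METHOD *method, void *su, BIO *out, int indent)` and `static void *r2i_GROUP_AC(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, const char *value)` makes the four callbacks consistent. If the callback typedefs use const as the i2s/s2i signatures suggest, the casts could then be dropped. The same applies to the identical callbacks in v3_ind_iss.c, v3_no_ass.c, v3_no_rev_avail.c, v3_single_use.c and v3_soa_id.c. Both parsers also ignore their string argument, so any configured value yields an ASN.1 NULL; a one-line comment such as `/* NULL syntax: the configured value is intentionally ignored */` would record that this is deliberate.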
@@ -0,0 +1,53 @@
+/*
+ * Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include
+#include "internal/cryptlib.h"
+#include
+#include
+#include
+#include "ext_dat.h"
+
+static int i2r_INDIRECT_ISSUER(X509V3_EXT_METHOD *method,
+ void *su, BIO *out,
+ int indent)
+{
+ return 1;
+}
+
+static void *r2i_INDIRECT_ISSUER(X509V3_EXT_METHOD *method,
+ X509V3_CTX *ctx, const char *value)
+{
+ return ASN1_NULL_new();
+}
+
+static char *i2s_INDIRECT_ISSUER(const X509V3_EXT_METHOD *method, void *val)
+{
+ return OPENSSL_strdup("NULL");
+}
+
+static void *s2i_INDIRECT_ISSUER(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, const char *str)
+{
+ return ASN1_NULL_new();
+}
+
+/*
+ * The indirectIssuer X.509v3 extension is defined in ITU Recommendation X.509
+ * (2019), Section 17.5.2.5. See: https://www.itu.int/rec/T-REC-X.509-201910-I/en.
+ */
+const X509V3_EXT_METHOD ossl_v3_indirect_issuer = {
+ NID_indirect_issuer, 0, ASN1_ITEM_ref(ASN1_NULL),
+ 0, 0, 0, 0,
+ (X509V3_EXT_I2S)i2s_INDIRECT_ISSUER,
+ (X509V3_EXT_S2I)s2i_INDIRECT_ISSUER,
+ 0, 0,
+ (X509V3_EXT_I2R)i2r_INDIRECT_ISSUER,
+ (X509V3_EXT_R2I)r2i_INDIRECT_ISSUER,
+ NULL
+};
diff --git a/crypto/x509/v3_no_ass.c b/crypto/x509/v3_no_ass.c
new file mode 100644
index 0000000000000..873e20a751c71
--- /dev/null
+++ b/crypto/x509/v3_no_ass.c
@@ -0,0 +1,53 @@
+/*
+ * Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include
+#include "internal/cryptlib.h"
+#include
+#include
+#include
+#include "ext_dat.h"
+
+static int i2r_NO_ASSERTION(X509V3_EXT_METHOD *method,
+ void *su, BIO *out,
+ int indent)
+{
+ return 1;
+}
+
+static void *r2i_NO_ASSERTION(X509V3_EXT_METHOD *method,
+ X509V3_CTX *ctx, const char *value)
+{
+ return ASN1_NULL_new();
+}
+
+static char *i2s_NO_ASSERTION(const X509V3_EXT_METHOD *method, void *val)
+{
+ return OPENSSL_strdup("NULL");
+}
+
+static void *s2i_NO_ASSERTION(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, const char *str)
+{
+ return ASN1_NULL_new();
+}
+
+/*
+ * The noAssertion X.509v3 extension is defined in ITU Recommendation X.509
+ * (2019), Section 17.5.2.7. See: https://www.itu.int/rec/T-REC-X.509-201910-I/en.
+ */
+const X509V3_EXT_METHOD ossl_v3_no_assertion = {
+ NID_no_assertion, 0, ASN1_ITEM_ref(ASN1_NULL),
+ 0, 0, 0, 0,
+ (X509V3_EXT_I2S)i2s_NO_ASSERTION,
+ (X509V3_EXT_S2I)s2i_NO_ASSERTION,
+ 0, 0,
+ (X509V3_EXT_I2R)i2r_NO_ASSERTION,
+ (X509V3_EXT_R2I)r2i_NO_ASSERTION,
+ NULL
+};
diff --git a/crypto/x509/v3_no_rev_avail.c b/crypto/x509/v3_no_rev_avail.c
new file mode 100644
index 0000000000000..849feda5ec007
--- /dev/null
+++ b/crypto/x509/v3_no_rev_avail.c
@@ -0,0 +1,53 @@
+/*
+ * Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include
+#include "internal/cryptlib.h"
+#include
+#include
+#include
+#include "ext_dat.h"
+
+static int i2r_NO_REV_AVAIL(X509V3_EXT_METHOD *method,
+ void *su, BIO *out,
+ int indent)
+{
+ return 1;
+}
+
+static void *r2i_NO_REV_AVAIL(X509V3_EXT_METHOD *method,
+ X509V3_CTX *ctx, const char *value)
+{
+ return ASN1_NULL_new();
+}
+
+static char *i2s_NO_REV_AVAIL(const X509V3_EXT_METHOD *method, void *val)
+{
+ return OPENSSL_strdup("NULL");
+}
+
+static void *s2i_NO_REV_AVAIL(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, const char *str)
+{
+ return ASN1_NULL_new();
+}
+
+/*
+ * The noRevAvail X.509v3 extension is defined in ITU Recommendation X.509
+ * (2019), Section 17.2.2.7. See: https://www.itu.int/rec/T-REC-X.509-201910-I/en.
+ */
+const X509V3_EXT_METHOD ossl_v3_no_rev_avail = {
+ NID_no_rev_avail, 0, ASN1_ITEM_ref(ASN1_NULL),
+ 0, 0, 0, 0,
+ (X509V3_EXT_I2S)i2s_NO_REV_AVAIL,
+ (X509V3_EXT_S2I)s2i_NO_REV_AVAIL,
+ 0, 0,
+ (X509V3_EXT_I2R)i2r_NO_REV_AVAIL,
+ (X509V3_EXT_R2I)r2i_NO_REV_AVAIL,
+ NULL
+};
diff --git a/crypto/x509/v3_single_use.c b/crypto/x509/v3_single_use.c
new file mode 100644
index 0000000000000..50da6e1770074
--- /dev/null
+++ b/crypto/x509/v3_single_use.c
@@ -0,0 +1,53 @@
+/*
+ * Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include
+#include "internal/cryptlib.h"
+#include
+#include
+#include
+#include "ext_dat.h"
+
+static int i2r_SINGLE_USE(X509V3_EXT_METHOD *method,
+ void *su, BIO *out,
+ int indent)
+{
+ return 1;
+}
+
+static void *r2i_SINGLE_USE(X509V3_EXT_METHOD *method,
+ X509V3_CTX *ctx, const char *value)
+{
+ return ASN1_NULL_new();
+}
+
+static char *i2s_SINGLE_USE(const X509V3_EXT_METHOD *method, void *val)
+{
+ return OPENSSL_strdup("NULL");
+}
+
+static void *s2i_SINGLE_USE(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, const char *str)
+{
+ return ASN1_NULL_new();
+}
+
+/*
+ * The singleUse X.509v3 extension is defined in ITU Recommendation X.509
+ * (2019), Section 17.1.2.5. See: https://www.itu.int/rec/T-REC-X.509-201910-I/en.
+ */
+const X509V3_EXT_METHOD ossl_v3_single_use = {
+ NID_single_use, 0, ASN1_ITEM_ref(ASN1_NULL),
+ 0, 0, 0, 0,
+ (X509V3_EXT_I2S)i2s_SINGLE_USE,
+ (X509V3_EXT_S2I)s2i_SINGLE_USE,
+ 0, 0,
+ (X509V3_EXT_I2R)i2r_SINGLE_USE,
+ (X509V3_EXT_R2I)r2i_SINGLE_USE,
+ NULL
+};
diff --git a/crypto/x509/v3_soa_id.c b/crypto/x509/v3_soa_id.c
new file mode 100644
index 0000000000000..8be5bd8aa5a30
--- /dev/null
+++ b/crypto/x509/v3_soa_id.c
@@ -0,0 +1,53 @@
+/*
+ * Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include
+#include "internal/cryptlib.h"
+#include
+#include
+#include
+#include "ext_dat.h"
+
+static int i2r_SOA_IDENTIFIER(X509V3_EXT_METHOD *method,
+ void *su, BIO *out,
+ int indent)
+{
+ return 1;
+}
+
+static void *r2i_SOA_IDENTIFIER(X509V3_EXT_METHOD *method,
+ X509V3_CTX *ctx, const char *value)
+{
+ return ASN1_NULL_new();
+}
+
+static char *i2s_SOA_IDENTIFIER(const X509V3_EXT_METHOD *method, void *val)
+{
+ return OPENSSL_strdup("NULL");
+}
+
+static void *s2i_SOA_IDENTIFIER(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, const char *str)
+{
+ return ASN1_NULL_new();
+}
+
+/*
+ * The sOAIdentifier X.509v3 extension is defined in ITU Recommendation X.509
+ * (2019), Section 17.3.2.1.1. See: https://www.itu.int/rec/T-REC-X.509-201910-I/en.
+ */
+const X509V3_EXT_METHOD ossl_v3_soa_identifier = {
+ NID_soa_identifier, 0, ASN1_ITEM_ref(ASN1_NULL),
+ 0, 0, 0, 0,
+ (X509V3_EXT_I2S)i2s_SOA_IDENTIFIER,
+ (X509V3_EXT_S2I)s2i_SOA_IDENTIFIER,
+ 0, 0,
+ (X509V3_EXT_I2R)i2r_SOA_IDENTIFIER,
+ (X509V3_EXT_R2I)r2i_SOA_IDENTIFIER,
+ NULL
+};
diff --git a/test/certs/ext-groupAC.pem b/test/certs/ext-groupAC.pem
new file mode 100644
index 0000000000000..f5325eb2ae6eb
--- /dev/null
+++ b/test/certs/ext-groupAC.pem
@@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBhjCCAXKgAwIBAgIDAQIDMAsGCSqGSIb3DQEBBTAAMCIYDzIwMjEwODMwMDA1 +MzE3WhgPMjAyMTA4MzAwMDUzMTdaMAAwggEgMAsGCSqGSIb3DQEBAQOCAQ8AMIIB +CgKCAQEAtnjLm1ts1hC4fNNt3UnQD9y73bDXgioTyWYSI3ca/KNfuTydjFTEYAmq +nuGrBOUfgbmH3PRQ0AmpqljgWTb3d3K8H4UFvDWQTPSS21IMjm8oqd19nE5GxWir +Gu0oDRzhWLHe1RZ7ZrohCPg/1Ocsy47QZuK2laFB0rEmrRWBmEYbDl3/wxf5XfqI +qpOynJB02thXrTCcTM7Rz1FqCFt/ZVZB5hKY2S+CTdE9OIVKlr4WHMfuvUYeOj06 +GkwLFJHNv2tU+tovI3mYRxUuY4UupkS3MC+Otey7XKm1P+INjWWoegm6iCAt3Vus +pVz+6pU2xgl3nrAVMQHB4fReQPH0pQIDAQABow0wCzAJBgNVHUIEAgUAMAsGCSqG +SIb3DQEBBQMBAA== +-----END CERTIFICATE----- diff --git a/test/certs/ext-indirectIssuer.pem b/test/certs/ext-indirectIssuer.pem new file mode 100644 index 0000000000000..afc21806aef02 --- /dev/null +++ b/test/certs/ext-indirectIssuer.pem @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBhjCCAXKgAwIBAgIDAQIDMAsGCSqGSIb3DQEBBTAAMCIYDzIwMjEwODMxMDIy +NzM4WhgPMjAyMTA4MzEwMjI3MzhaMAAwggEgMAsGCSqGSIb3DQEBAQOCAQ8AMIIB +CgKCAQEAtnjLm1ts1hC4fNNt3UnQD9y73bDXgioTyWYSI3ca/KNfuTydjFTEYAmq +nuGrBOUfgbmH3PRQ0AmpqljgWTb3d3K8H4UFvDWQTPSS21IMjm8oqd19nE5GxWir +Gu0oDRzhWLHe1RZ7ZrohCPg/1Ocsy47QZuK2laFB0rEmrRWBmEYbDl3/wxf5XfqI +qpOynJB02thXrTCcTM7Rz1FqCFt/ZVZB5hKY2S+CTdE9OIVKlr4WHMfuvUYeOj06 +GkwLFJHNv2tU+tovI3mYRxUuY4UupkS3MC+Otey7XKm1P+INjWWoegm6iCAt3Vus +pVz+6pU2xgl3nrAVMQHB4fReQPH0pQIDAQABow0wCzAJBgNVHT0EAgUAMAsGCSqG +SIb3DQEBBQMBAA== +-----END CERTIFICATE----- diff --git a/test/certs/ext-noAssertion.pem b/test/certs/ext-noAssertion.pem new file mode 100644 index 0000000000000..1aaa860bdda58 --- /dev/null +++ b/test/certs/ext-noAssertion.pem 
@@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBhjCCAXKgAwIBAgIDAQIDMAsGCSqGSIb3DQEBBTAAMCIYDzIwMjEwODMwMDA1 +NDMyWhgPMjAyMTA4MzAwMDU0MzJaMAAwggEgMAsGCSqGSIb3DQEBAQOCAQ8AMIIB +CgKCAQEAtnjLm1ts1hC4fNNt3UnQD9y73bDXgioTyWYSI3ca/KNfuTydjFTEYAmq +nuGrBOUfgbmH3PRQ0AmpqljgWTb3d3K8H4UFvDWQTPSS21IMjm8oqd19nE5GxWir +Gu0oDRzhWLHe1RZ7ZrohCPg/1Ocsy47QZuK2laFB0rEmrRWBmEYbDl3/wxf5XfqI +qpOynJB02thXrTCcTM7Rz1FqCFt/ZVZB5hKY2S+CTdE9OIVKlr4WHMfuvUYeOj06 +GkwLFJHNv2tU+tovI3mYRxUuY4UupkS3MC+Otey7XKm1P+INjWWoegm6iCAt3Vus +pVz+6pU2xgl3nrAVMQHB4fReQPH0pQIDAQABow0wCzAJBgNVHT4EAgUAMAsGCSqG +SIb3DQEBBQMBAA== +-----END CERTIFICATE----- diff --git a/test/certs/ext-noRevAvail.pem b/test/certs/ext-noRevAvail.pem new file mode 100644 index 0000000000000..23bf49b9852a8 --- /dev/null +++ b/test/certs/ext-noRevAvail.pem @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBiTCCAXWgAwIBAgIDAQIDMAsGCSqGSIb3DQEBBTAAMCIYDzIwMjEwOTE1MDAw +OTM1WhgPMjAyMTA5MTUwMDA5MzVaMAAwggEgMAsGCSqGSIb3DQEBAQOCAQ8AMIIB +CgKCAQEAtnjLm1ts1hC4fNNt3UnQD9y73bDXgioTyWYSI3ca/KNfuTydjFTEYAmq +nuGrBOUfgbmH3PRQ0AmpqljgWTb3d3K8H4UFvDWQTPSS21IMjm8oqd19nE5GxWir +Gu0oDRzhWLHe1RZ7ZrohCPg/1Ocsy47QZuK2laFB0rEmrRWBmEYbDl3/wxf5XfqI +qpOynJB02thXrTCcTM7Rz1FqCFt/ZVZB5hKY2S+CTdE9OIVKlr4WHMfuvUYeOj06 +GkwLFJHNv2tU+tovI3mYRxUuY4UupkS3MC+Otey7XKm1P+INjWWoegm6iCAt3Vus +pVz+6pU2xgl3nrAVMQHB4fReQPH0pQIDAQABoxAwDjAMBgNVHTgBAf8EAgUAMAsG +CSqGSIb3DQEBBQMBAA== +-----END CERTIFICATE----- diff --git a/test/certs/ext-sOAIdentifier.pem b/test/certs/ext-sOAIdentifier.pem new file mode 100644 index 0000000000000..7da3a3b448541 --- /dev/null +++ b/test/certs/ext-sOAIdentifier.pem 
@@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBhjCCAXKgAwIBAgIDAQIDMAsGCSqGSIb3DQEBBTAAMCIYDzIwMjEwODMwMDA1 +NDA4WhgPMjAyMTA4MzAwMDU0MDhaMAAwggEgMAsGCSqGSIb3DQEBAQOCAQ8AMIIB +CgKCAQEAtnjLm1ts1hC4fNNt3UnQD9y73bDXgioTyWYSI3ca/KNfuTydjFTEYAmq +nuGrBOUfgbmH3PRQ0AmpqljgWTb3d3K8H4UFvDWQTPSS21IMjm8oqd19nE5GxWir +Gu0oDRzhWLHe1RZ7ZrohCPg/1Ocsy47QZuK2laFB0rEmrRWBmEYbDl3/wxf5XfqI +qpOynJB02thXrTCcTM7Rz1FqCFt/ZVZB5hKY2S+CTdE9OIVKlr4WHMfuvUYeOj06 +GkwLFJHNv2tU+tovI3mYRxUuY4UupkS3MC+Otey7XKm1P+INjWWoegm6iCAt3Vus +pVz+6pU2xgl3nrAVMQHB4fReQPH0pQIDAQABow0wCzAJBgNVHTIEAgUAMAsGCSqG +SIb3DQEBBQMBAA== +-----END CERTIFICATE----- diff --git a/test/certs/ext-singleUse.pem b/test/certs/ext-singleUse.pem new file mode 100644 index 0000000000000..e72701c305948 --- /dev/null +++ b/test/certs/ext-singleUse.pem @@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIBrzCCAZmgAwIBAgIEDCI4TjANBgkqhkiG9w0BAQUFADARMQ8wDQYDVQQDDAZI +aSBtb20wIhgPMjAyMzA3MDExMzA4MDRaGA8yMDIzMDcwMTEzMDgwNFowETEPMA0G +A1UEAwwGSGkgbW9tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtnjL +m1ts1hC4fNNt3UnQD9y73bDXgioTyWYSI3ca/KNfuTydjFTEYAmqnuGrBOUfgbmH +3PRQ0AmpqljgWTb3d3K8H4UFvDWQTPSS21IMjm8oqd19nE5GxWirGu0oDRzhWLHe +1RZ7ZrohCPg/1Ocsy47QZuK2laFB0rEmrRWBmEYbDl3/wxf5XfqIqpOynJB02thX +rTCcTM7Rz1FqCFt/ZVZB5hKY2S+CTdE9OIVKlr4WHMfuvUYeOj06GkwLFJHNv2tU ++tovI3mYRxUuY4UupkS3MC+Otey7XKm1P+INjWWoegm6iCAt3VuspVz+6pU2xgl3 +nrAVMQHB4fReQPH0pQIDAQABow0wCzAJBgNVHUEEAgUAMA0GCSqGSIb3DQEBBQUA +AwEA +-----END CERTIFICATE----- diff --git a/test/recipes/25-test_x509.t b/test/recipes/25-test_x509.t index 408ac40c7c3e5..9bf011c1885cd 100644 --- a/test/recipes/25-test_x509.t +++ b/test/recipes/25-test_x509.t @@ -16,7 +16,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/; setup("test_x509"); -plan tests => 37; +plan tests => 43; # Prevent MSys2 filename munging for arguments that look like file paths but # aren't 
@@ -110,6 +110,30 @@ cert_contains(srctop_file(@certs, "fake-gp.pem"), "2.16.528.1.1003.1.3.5.5.2-1-0000006666-Z-12345678-01.015-12345678", 1, 'x500 -- subjectAltName'); +cert_contains(srctop_file(@certs, "ext-noAssertion.pem"), + "No Assertion", + 1, 'X.509 Not Assertion Extension'); + +cert_contains(srctop_file(@certs, "ext-groupAC.pem"), + "Group Attribute Certificate", + 1, 'X.509 Group Attribute Certificate Extension'); + +cert_contains(srctop_file(@certs, "ext-sOAIdentifier.pem"), + "Source of Authority", + 1, 'X.509 Source of Authority Extension'); + +cert_contains(srctop_file(@certs, "ext-noRevAvail.pem"), + "No Revocation Available", + 1, 'X.509 No Revocation Available'); + +cert_contains(srctop_file(@certs, "ext-singleUse.pem"), + "Single Use", + 1, 'X509v3 Single Use'); + +cert_contains(srctop_file(@certs, "ext-indirectIssuer.pem"), + "Indirect Issuer", + 1, 'X.509 Indirect Issuer'); + sub test_errors { # actually tests diagnostics of OSSL_STORE my ($expected, $cert, @opts) = @_; my $infile = srctop_file(@certs, $cert); From c37184f502eb7341e3095ef358a9ebd21facbc46 Mon Sep 17 00:00:00 2001 From: Pauli Date: Mon, 4 Sep 2023 14:37:09 +1000 Subject: [PATCH 256/324] remove redundant free of NULL Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21964) --- providers/fips/fipsprov.c | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c index 0a95d2364d43e..607ee1176316b 100644 --- a/providers/fips/fipsprov.c +++ b/providers/fips/fipsprov.c 
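Review bot: The description of the first new check, `'X.509 Not Assertion Extension'`, is a typo for "No Assertion"; it should read `1, 'X.509 No Assertion Extension');`. The six descriptions are also inconsistent: `'X509v3 Single Use'` uses a different prefix from the `'X.509 …'` ones, and only three of them end in "Extension". Each check only looks for the extension's display name in the text output, so these tests show that the name is registered but not that a malformed (non-NULL) value is handled. A negative case would be worth adding if the test helper supports it.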
@@ -697,15 +697,8 @@ int OSSL_provider_init_int(const OSSL_CORE_HANDLE *handle, /* Create a context. */ if ((*provctx = ossl_prov_ctx_new()) == NULL - || (libctx = OSSL_LIB_CTX_new()) == NULL) { - /* - * We free libctx separately here and only here because it hasn't - * been attached to *provctx. All other error paths below rely - * solely on fips_teardown. - */ - OSSL_LIB_CTX_free(libctx); + || (libctx = OSSL_LIB_CTX_new()) == NULL) goto err; - } if ((fgbl = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_FIPS_PROV_INDEX)) == NULL) goto err; From 6935101354e1ebcb43aa8afb158603f94c0f9bc6 Mon Sep 17 00:00:00 2001 From: Pauli Date: Mon, 4 Sep 2023 10:22:29 +1000 Subject: [PATCH 257/324] fix indentation Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21964) --- providers/implementations/rands/drbg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/providers/implementations/rands/drbg.c b/providers/implementations/rands/drbg.c index 348d5f50808ed..1586288692525 100644 --- a/providers/implementations/rands/drbg.c +++ b/providers/implementations/rands/drbg.c @@ -336,7 +336,7 @@ static size_t prov_drbg_get_nonce(PROV_DRBG *drbg, unsigned char **pout, memset(&data, 0, sizeof(data)); data.drbg = drbg; if (!CRYPTO_atomic_add(&dngbl->rand_nonce_count, 1, &data.count, - dngbl->rand_nonce_lock)) + dngbl->rand_nonce_lock)) return 0; return ossl_prov_get_nonce(drbg->provctx, pout, min_len, max_len, &data, sizeof(data)); From 54e60d2a05f86e947dface08e5c20b831be17bf8 Mon Sep 17 00:00:00 2001 
From: Pauli Date: Wed, 13 Sep 2023 10:54:28 +1000 Subject: [PATCH 258/324] Provider cross version checks warning Add a warning note to the provider cross version checks indicating that a pull request branch will not be used if execution is set to on pull request. Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21964) --- .github/workflows/provider-compatibility.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/provider-compatibility.yml b/.github/workflows/provider-compatibility.yml index f118db1aee5f9..e95a8475220c8 100644 --- a/.github/workflows/provider-compatibility.yml +++ b/.github/workflows/provider-compatibility.yml @@ -10,6 +10,10 @@ name: Provider compatibility across versions + +# NOTE: if this is being run on pull_request, it will **not** use the pull +# request's branch. It is hardcoded to use the master branch. +# on: #[pull_request] schedule: - cron: '0 15 * * *' From fffa78c2fd01accd97c9229018d4c380f7a20335 Mon Sep 17 00:00:00 2001 From: Pauli Date: Tue, 5 Sep 2023 10:16:49 +1000 Subject: [PATCH 259/324] fips selftest: avoid relying on a real RNG for self tests Rather than instantiate the private and primary DRBGs during the selftest, instead use a test RNG. This leaves the DRBG setup pristine and permits later replacement of the seed source despite the very early running power up self tests. Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21964) --- crypto/rand/rand_lib.c | 20 ++- include/crypto/rand.h | 4 + providers/fips/self_test.c | 17 +-- providers/fips/self_test_kats.c | 136 +++++++++++++-------- providers/implementations/rands/test_rng.c | 47 +++++-- util/perl/OpenSSL/paramnames.pm | 1 + 6 files changed, 154 insertions(+), 71 deletions(-) diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c index 8dd1d071e8941..4630f19da0f56 100644 --- a/crypto/rand/rand_lib.c +++ b/crypto/rand/rand_lib.c 
@@ -345,6 +345,8 @@ int RAND_priv_bytes_ex(OSSL_LIB_CTX *ctx, unsigned char *buf, size_t num, } #endif + if (num < 0) + return 0; rand = RAND_get0_private(ctx); if (rand != NULL) return EVP_RAND_generate(rand, buf, num, strength, 0, NULL, 0); @@ -354,8 +356,6 @@ int RAND_priv_bytes_ex(OSSL_LIB_CTX *ctx, unsigned char *buf, size_t num, int RAND_priv_bytes(unsigned char *buf, int num) { - if (num < 0) - return 0; return RAND_priv_bytes_ex(NULL, buf, (size_t)num, 0); } @@ -374,6 +374,8 @@ int RAND_bytes_ex(OSSL_LIB_CTX *ctx, unsigned char *buf, size_t num, } #endif + if (num < 0) + return 0; rand = RAND_get0_public(ctx); if (rand != NULL) return EVP_RAND_generate(rand, buf, num, strength, 0, NULL, 0); @@ -383,8 +385,6 @@ int RAND_bytes_ex(OSSL_LIB_CTX *ctx, unsigned char *buf, size_t num, int RAND_bytes(unsigned char *buf, int num) { - if (num < 0) - return 0; return RAND_bytes_ex(NULL, buf, (size_t)num, 0); } @@ -738,6 +738,18 @@ EVP_RAND_CTX *RAND_get0_private(OSSL_LIB_CTX *ctx) return rand; } +#ifdef FIPS_MODULE +EVP_RAND_CTX *ossl_rand_get0_private_noncreating(OSSL_LIB_CTX *ctx) +{ + RAND_GLOBAL *dgbl = rand_get_global(ctx); + + if (dgbl == NULL) + return NULL; + + return CRYPTO_THREAD_get_local(&dgbl->private); +} +#endif + int RAND_set0_public(OSSL_LIB_CTX *ctx, EVP_RAND_CTX *rand) { RAND_GLOBAL *dgbl = rand_get_global(ctx); diff --git a/include/crypto/rand.h b/include/crypto/rand.h index 758aeed4af22c..7345bf625f92d 100644 --- a/include/crypto/rand.h +++ b/include/crypto/rand.h @@ -125,4 +125,8 @@ void ossl_rand_cleanup_nonce(ossl_unused const OSSL_CORE_HANDLE *handle, size_t ossl_pool_acquire_entropy(RAND_POOL *pool); int ossl_pool_add_nonce_data(RAND_POOL *pool); +# ifdef FIPS_MODULE +EVP_RAND_CTX *ossl_rand_get0_private_noncreating(OSSL_LIB_CTX *ctx); +# endif + #endif diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c index 0be314692e887..b8dc9817b283c 100644 --- a/providers/fips/self_test.c +++ b/providers/fips/self_test.c 
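Review bot: The `if (num < 0)` check added to `RAND_priv_bytes_ex()` and `RAND_bytes_ex()` can never be true, because `num` is a `size_t` in both functions (see the hunk headers). The same patch removes the check from `RAND_priv_bytes()` and `RAND_bytes()`, where `num` is an `int`. A negative length passed to those wrappers is therefore no longer rejected; `(size_t)num` turns it into a very large request that is forwarded to the generator. The guard should stay in the wrappers, as `if (num < 0)` / `return 0;` ahead of the `(size_t)num` cast, and the dead comparison should be dropped from the `_ex` functions. The bodies of the `_ex` functions extend beyond these hunks.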
@@ -19,6 +19,7 @@ #include "internal/e_os.h" #include "internal/tsan_assist.h" #include "prov/providercommon.h" +#include "crypto/rand.h" /* * We're cheating here. Normally we don't allow RUN_ONCE usage inside the FIPS @@ -406,14 +407,14 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) } /* Verify that the RNG has been restored properly */ - testrand = EVP_RAND_fetch(st->libctx, "TEST-RAND", NULL); - if (testrand == NULL - || (rng = RAND_get0_private(st->libctx)) == NULL - || strcmp(EVP_RAND_get0_name(EVP_RAND_CTX_get0_rand(rng)), - EVP_RAND_get0_name(testrand)) == 0) { - ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE); - goto end; - } + rng = ossl_rand_get0_private_noncreating(st->libctx); + if (rng != NULL) + if ((testrand = EVP_RAND_fetch(st->libctx, "TEST-RAND", NULL)) == NULL + || strcmp(EVP_RAND_get0_name(EVP_RAND_CTX_get0_rand(rng)), + EVP_RAND_get0_name(testrand)) == 0) { + ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE); + goto end; + } ok = 1; end: diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c index bdf599aaada41..82a7ac78fb013 100644 --- a/providers/fips/self_test_kats.c +++ b/providers/fips/self_test_kats.c @@ -13,6 +13,7 @@ #include #include #include +#include "crypto/rand.h" #include "internal/cryptlib.h" #include "internal/nelem.h" #include "self_test.h" @@ -22,7 +23,7 @@ static int set_kat_drbg(OSSL_LIB_CTX *ctx, const unsigned char *entropy, size_t entropy_len, const unsigned char *nonce, size_t nonce_len, const unsigned char *persstr, size_t persstr_len); -static int reset_original_drbg(OSSL_LIB_CTX *ctx); +static int reset_main_drbg(OSSL_LIB_CTX *ctx); static int self_test_digest(const ST_KAT_DIGEST *t, OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) 
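Review bot: In `SELF_TEST_post()` the restored-RNG check now nests an unbraced `if` inside `if (rng != NULL)`, which is easy to misread and would bind wrongly if an `else` were ever added. Folding it into one condition reads more safely: `if (rng != NULL` / `&& ((testrand = EVP_RAND_fetch(st->libctx, "TEST-RAND", NULL)) == NULL` / `|| strcmp(EVP_RAND_get0_name(EVP_RAND_CTX_get0_rand(rng)), EVP_RAND_get0_name(testrand)) == 0)) {`. A comment is also warranted, for example `/* no private DRBG has been created yet, so there is nothing to verify */`, since the verification is now skipped whenever `ossl_rand_get0_private_noncreating()` returns NULL. `SELF_TEST_post()` starts and ends outside this hunk.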
@@ -701,39 +702,12 @@ static int self_test_signatures(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) return 0; if (!self_test_sign(t, st, libctx)) ret = 0; - if (!reset_original_drbg(libctx)) + if (!reset_main_drbg(libctx)) ret = 0; } return ret; } -/* - * Run the algorithm KAT's. - * Return 1 is successful, otherwise return 0. - * This runs all the tests regardless of if any fail. - */ -int SELF_TEST_kats(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) -{ - int ret = 1; - - if (!self_test_digests(st, libctx)) - ret = 0; - if (!self_test_ciphers(st, libctx)) - ret = 0; - if (!self_test_signatures(st, libctx)) - ret = 0; - if (!self_test_kdfs(st, libctx)) - ret = 0; - if (!self_test_drbgs(st, libctx)) - ret = 0; - if (!self_test_kas(st, libctx)) - ret = 0; - if (!self_test_asym_ciphers(st, libctx)) - ret = 0; - - return ret; -} - /* * Swap the library context DRBG for KAT testing * @@ -745,13 +719,12 @@ int SELF_TEST_kats(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) */ /* - * The default private DRBG of the library context, saved for the duration - * of KAT testing. + * Replacement "random" sources + * main_rand is used for most tests and it's set to generate mode. + * kat_rand is used for KATs where specific input is mandated. */ -static EVP_RAND_CTX *saved_rand = NULL; - -/* Replacement "random" source */ static EVP_RAND_CTX *kat_rand = NULL; +static EVP_RAND_CTX *main_rand = NULL; static int set_kat_drbg(OSSL_LIB_CTX *ctx, const unsigned char *entropy, size_t entropy_len, @@ -765,7 +738,7 @@ static int set_kat_drbg(OSSL_LIB_CTX *ctx, }; /* If not NULL, we didn't cleanup from last call: BAD */ - if (kat_rand != NULL || saved_rand != NULL) + if (kat_rand != NULL) return 0; rand = EVP_RAND_fetch(ctx, "TEST-RAND", NULL); 
@@ -777,7 +750,8 @@ static int set_kat_drbg(OSSL_LIB_CTX *ctx, if (parent_rand == NULL) goto err; - drbg_params[0] = OSSL_PARAM_construct_uint(OSSL_RAND_PARAM_STRENGTH, &strength); + drbg_params[0] = OSSL_PARAM_construct_uint(OSSL_RAND_PARAM_STRENGTH, + &strength); if (!EVP_RAND_CTX_set_params(parent_rand, drbg_params)) goto err; @@ -810,37 +784,30 @@ static int set_kat_drbg(OSSL_LIB_CTX *ctx, if (!EVP_RAND_instantiate(kat_rand, strength, 0, persstr, persstr_len, NULL)) goto err; + /* When we set the new private generator this one is freed, so upref it */ + if (!EVP_RAND_CTX_up_ref(main_rand)) + goto err; + /* Update the library context DRBG */ - if ((saved_rand = RAND_get0_private(ctx)) != NULL) - /* Avoid freeing this since we replace it */ - if (!EVP_RAND_CTX_up_ref(saved_rand)) { - saved_rand = NULL; - goto err; - } if (RAND_set0_private(ctx, kat_rand) > 0) { /* Keeping a copy to verify zeroization */ if (EVP_RAND_CTX_up_ref(kat_rand)) return 1; - if (saved_rand != NULL) - RAND_set0_private(ctx, saved_rand); + RAND_set0_private(ctx, main_rand); } err: EVP_RAND_CTX_free(parent_rand); - EVP_RAND_CTX_free(saved_rand); EVP_RAND_CTX_free(kat_rand); - kat_rand = saved_rand = NULL; + kat_rand = NULL; return 0; } -static int reset_original_drbg(OSSL_LIB_CTX *ctx) { +static int reset_main_drbg(OSSL_LIB_CTX *ctx) { int ret = 1; - if (saved_rand != NULL) { - if (!RAND_set0_private(ctx, saved_rand)) - ret = 0; - saved_rand = NULL; - } + if (!RAND_set0_private(ctx, main_rand)) + ret = 0; if (kat_rand != NULL) { if (!EVP_RAND_uninstantiate(kat_rand) || !EVP_RAND_verify_zeroization(kat_rand)) 
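Review bot: The extra reference taken by `EVP_RAND_CTX_up_ref(main_rand)` is not released when `RAND_set0_private(ctx, kat_rand)` fails; the `err:` path now frees only `parent_rand` and `kat_rand`, where the old code also freed `saved_rand`. Assuming RAND_set0_private() releases the previous generator only on success, as the added comment implies, that failure leaves `main_rand` with one reference too many. Changing the closing brace of the `if (RAND_set0_private(ctx, kat_rand) > 0)` block to `} else { EVP_RAND_CTX_free(main_rand); }` would balance it. The hunk also assumes `main_rand` is non-NULL, which holds only when set_kat_drbg() runs inside SELF_TEST_kats(); a comment stating that precondition would be worth having. set_kat_drbg() starts outside the hunk.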
@@ -851,3 +818,68 @@ static int reset_original_drbg(OSSL_LIB_CTX *ctx) { return ret; } +static int setup_main_random(OSSL_LIB_CTX *libctx) +{ + OSSL_PARAM drbg_params[3] = { + OSSL_PARAM_END, OSSL_PARAM_END, OSSL_PARAM_END + }; + unsigned int strength = 256, generate = 1; + EVP_RAND *rand; + + rand = EVP_RAND_fetch(libctx, "TEST-RAND", NULL); + if (rand == NULL) + return 0; + + main_rand = EVP_RAND_CTX_new(rand, NULL); + EVP_RAND_free(rand); + if (main_rand == NULL) + goto err; + + drbg_params[0] = OSSL_PARAM_construct_uint(OSSL_RAND_PARAM_GENERATE, + &generate); + drbg_params[1] = OSSL_PARAM_construct_uint(OSSL_RAND_PARAM_STRENGTH, + &strength); + + if (!EVP_RAND_instantiate(main_rand, strength, 0, NULL, 0, drbg_params)) + goto err; + return 1; + err: + EVP_RAND_CTX_free(main_rand); + return 0; +} + +/* + * Run the algorithm KAT's. + * Return 1 is successful, otherwise return 0. + * This runs all the tests regardless of if any fail. + */ +int SELF_TEST_kats(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) +{ + EVP_RAND_CTX *saved_rand = ossl_rand_get0_private_noncreating(libctx); + int ret = 1; + + if (!setup_main_random(libctx) + || !RAND_set0_private(libctx, main_rand)) { + EVP_RAND_CTX_free(main_rand); + return 0; + } + + if (!self_test_digests(st, libctx)) + ret = 0; + if (!self_test_ciphers(st, libctx)) + ret = 0; + if (!self_test_signatures(st, libctx)) + ret = 0; + if (!self_test_kdfs(st, libctx)) + ret = 0; + if (!self_test_drbgs(st, libctx)) + ret = 0; + if (!self_test_kas(st, libctx)) + ret = 0; + if (!self_test_asym_ciphers(st, libctx)) + ret = 0; + + RAND_set0_private(libctx, saved_rand); + return ret; +} + diff --git a/providers/implementations/rands/test_rng.c b/providers/implementations/rands/test_rng.c index bbea11cd6baf0..0006468d06638 100644 --- a/providers/implementations/rands/test_rng.c +++ b/providers/implementations/rands/test_rng.c @@ -8,6 +8,7 @@ */ #include +#include #include #include #include 
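Review bot: `main_rand` can be freed twice: when EVP_RAND_instantiate() fails, setup_main_random() frees it at `err:` without clearing the static, and SELF_TEST_kats() then calls `EVP_RAND_CTX_free(main_rand)` again on the same pointer. Setting `main_rand = NULL;` after the free in setup_main_random() fixes that. Separately, `saved_rand` is fetched without taking a reference, so if RAND_set0_private() frees the generator it replaces (as the comment added in set_kat_drbg() says), the final `RAND_set0_private(libctx, saved_rand)` reinstalls a freed context whenever a private DRBG existed beforehand; `if (saved_rand != NULL && !EVP_RAND_CTX_up_ref(saved_rand)) return 0;` before the swap would cover it. The result of that final call is also ignored, which would leave the TEST-RAND generator installed as the private DRBG if the restore fails.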
@@ -39,6 +40,7 @@ static OSSL_FUNC_rand_get_seed_fn test_rng_get_seed; typedef struct { void *provctx; + unsigned int generate; int state; unsigned int strength; size_t max_request; @@ -99,16 +101,30 @@ static int test_rng_uninstantiate(void *vtest) return 1; } +static unsigned char gen_byte(PROV_TEST_RNG *t) +{ + return rand() & 0xff; +} + static int test_rng_generate(void *vtest, unsigned char *out, size_t outlen, unsigned int strength, int prediction_resistance, const unsigned char *adin, size_t adin_len) { PROV_TEST_RNG *t = (PROV_TEST_RNG *)vtest; + size_t i; - if (strength > t->strength || t->entropy_len - t->entropy_pos < outlen) + if (strength > t->strength) return 0; - memcpy(out, t->entropy + t->entropy_pos, outlen); - t->entropy_pos += outlen; + if (t->generate) { + for (i = 0; i < outlen; i++) + out[i] = gen_byte(t); + } else { + if (t->entropy_len - t->entropy_pos < outlen) + return 0; + + memcpy(out, t->entropy + t->entropy_pos, outlen); + t->entropy_pos += outlen; + } return 1; } @@ -123,15 +139,23 @@ static int test_rng_reseed(ossl_unused void *vtest, } static size_t test_rng_nonce(void *vtest, unsigned char *out, - unsigned int strength, - ossl_unused size_t min_noncelen, + unsigned int strength, size_t min_noncelen, ossl_unused size_t max_noncelen) { PROV_TEST_RNG *t = (PROV_TEST_RNG *)vtest; + size_t i; - if (t->nonce == NULL || strength > t->strength) + if (strength > t->strength) return 0; + if (t->generate) { + for (i = 0; i < min_noncelen; i++) + out[i] = gen_byte(t); + return min_noncelen; + } + + if (t->nonce == NULL) + return 0; if (out != NULL) memcpy(out, t->nonce, t->nonce_len); return t->nonce_len; 
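Review bot: gen_byte() ignores its `t` argument and draws from the process-wide `rand()`, and no seeding call is visible in this patch, so generate mode presumably yields the same byte sequence on every run and shares state with any other `rand()` user. That is acceptable for a test generator only if it is stated at the point of use; I would add a comment such as `/* Deliberately weak, predictable output for self-tests; never use for keys or nonces outside tests. */` above gen_byte(). Dropping the unused parameter, or marking it `ossl_unused` as the neighbouring functions do, would also avoid a warning.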
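Review bot: In generate mode test_rng_nonce() writes `out[i]` without the `out != NULL` test that the existing path applies before its memcpy, so a NULL `out` (a length-only query, if callers make one) is dereferenced. It also returns `min_noncelen` bytes without comparing against `max_noncelen`, which stays marked `ossl_unused`. Guarding the loop with `if (out != NULL)` keeps the two modes consistent.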
@@ -153,6 +177,10 @@ static int test_rng_get_ctx_params(void *vtest, OSSL_PARAM params[]) p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MAX_REQUEST); if (p != NULL && !OSSL_PARAM_set_size_t(p, t->max_request)) return 0; + + p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_GENERATE); + if (p != NULL && OSSL_PARAM_set_uint(p, t->generate)) + return 0; return 1; } @@ -163,6 +191,7 @@ static const OSSL_PARAM *test_rng_gettable_ctx_params(ossl_unused void *vtest, OSSL_PARAM_int(OSSL_RAND_PARAM_STATE, NULL), OSSL_PARAM_uint(OSSL_RAND_PARAM_STRENGTH, NULL), OSSL_PARAM_size_t(OSSL_RAND_PARAM_MAX_REQUEST, NULL), + OSSL_PARAM_uint(OSSL_RAND_PARAM_GENERATE, NULL), OSSL_PARAM_END }; return known_gettable_ctx_params; @@ -203,9 +232,12 @@ static int test_rng_set_ctx_params(void *vtest, const OSSL_PARAM params[]) } p = OSSL_PARAM_locate_const(params, OSSL_RAND_PARAM_MAX_REQUEST); - if (p != NULL && !OSSL_PARAM_get_size_t(p, &t->max_request)) + if (p != NULL && !OSSL_PARAM_get_size_t(p, &t->max_request)) return 0; + p = OSSL_PARAM_locate_const(params, OSSL_RAND_PARAM_GENERATE); + if (p != NULL && !OSSL_PARAM_get_uint(p, &t->generate)) + return 0; return 1; } @@ -217,6 +249,7 @@ static const OSSL_PARAM *test_rng_settable_ctx_params(ossl_unused void *vtest, OSSL_PARAM_octet_string(OSSL_RAND_PARAM_TEST_NONCE, NULL, 0), OSSL_PARAM_uint(OSSL_RAND_PARAM_STRENGTH, NULL), OSSL_PARAM_size_t(OSSL_RAND_PARAM_MAX_REQUEST, NULL), + OSSL_PARAM_uint(OSSL_RAND_PARAM_GENERATE, NULL), OSSL_PARAM_END }; return known_settable_ctx_params; diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm index a5126858e791a..c37ed7815f350 100644 --- a/util/perl/OpenSSL/paramnames.pm +++ b/util/perl/OpenSSL/paramnames.pm @@ -198,6 +198,7 @@ my %params = ( 'RAND_PARAM_MAX_REQUEST' => "max_request", 'RAND_PARAM_TEST_ENTROPY' => "test_entropy", 'RAND_PARAM_TEST_NONCE' => "test_nonce", + 'RAND_PARAM_GENERATE' => "generate", # RAND/DRBG names 'DRBG_PARAM_RESEED_REQUESTS' => "reseed_requests", 
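Review bot: The new OSSL_RAND_PARAM_GENERATE getter in test_rng_get_ctx_params() has its test inverted: `if (p != NULL && OSSL_PARAM_set_uint(p, t->generate)) return 0;` returns failure when the set succeeds and reports success when it fails. The checks above it all negate the setter, so this should read `if (p != NULL && !OSSL_PARAM_set_uint(p, t->generate))`. As written, any caller that asks for "generate" gets an error from the whole get_ctx_params call.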
From a9483b8aa00753a2a9665273c0e376f3c1d36e65 Mon Sep 17 00:00:00 2001 From: Pauli Date: Mon, 25 Sep 2023 14:25:58 +1000 Subject: [PATCH 260/324] rand: add extra error code Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21964) --- crypto/err/openssl.txt | 1 + crypto/rand/rand_err.c | 4 +++- include/crypto/randerr.h | 2 +- include/openssl/randerr.h | 3 ++- 4 files changed, 7 insertions(+), 3 deletions(-) diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index 3eeaa6d5d5799..6952560d86610 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -1154,6 +1154,7 @@ RAND_R_FWRITE_ERROR:123:Error writing file RAND_R_GENERATE_ERROR:112:generate error RAND_R_INSUFFICIENT_DRBG_STRENGTH:139:insufficient drbg strength RAND_R_INTERNAL_ERROR:113:internal error +RAND_R_INVALID_PROPERTY_QUERY:137:invalid property query RAND_R_IN_ERROR_STATE:114:in error state RAND_R_NOT_A_REGULAR_FILE:122:Not a regular file RAND_R_NOT_INSTANTIATED:115:not instantiated diff --git a/crypto/rand/rand_err.c b/crypto/rand/rand_err.c index b9c2bf1760f50..41a4c9cdeacc2 100644 --- a/crypto/rand/rand_err.c +++ b/crypto/rand/rand_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -51,6 +51,8 @@ static const ERR_STRING_DATA RAND_str_reasons[] = { {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_INSUFFICIENT_DRBG_STRENGTH), "insufficient drbg strength"}, {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_INTERNAL_ERROR), "internal error"}, + {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_INVALID_PROPERTY_QUERY), + "invalid property query"}, {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_IN_ERROR_STATE), "in error state"}, {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_NOT_A_REGULAR_FILE), "Not a regular file"}, diff --git a/include/crypto/randerr.h b/include/crypto/randerr.h index 832a8b7d36f5c..6e2eb0716fb3d 100644 --- a/include/crypto/randerr.h +++ b/include/crypto/randerr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/randerr.h b/include/openssl/randerr.h index b5e08e4362dea..04880374a3b74 100644 --- a/include/openssl/randerr.h +++ b/include/openssl/randerr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -41,6 +41,7 @@ # define RAND_R_GENERATE_ERROR 112 # define RAND_R_INSUFFICIENT_DRBG_STRENGTH 139 # define RAND_R_INTERNAL_ERROR 113 +# define RAND_R_INVALID_PROPERTY_QUERY 137 # define RAND_R_IN_ERROR_STATE 114 # define RAND_R_NOT_A_REGULAR_FILE 122 # define RAND_R_NOT_INSTANTIATED 115 From 4cde7585ce8eb53682256ba79e6af1949498fbfe Mon Sep 17 00:00:00 2001 
From: Pauli Date: Tue, 5 Sep 2023 12:51:05 +1000 Subject: [PATCH 261/324] fips: use seed source requested Fixes #21909 Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21964) --- crypto/initthread.c | 2 +- crypto/provider_core.c | 68 +++++++++++-- crypto/rand/prov_seed.c | 66 ++++++++++++- crypto/rand/rand_lib.c | 100 +++++++++++++++++--- doc/internal/man3/ossl_rand_get_entropy.pod | 45 +++++++-- doc/man7/EVP_RAND-TEST-RAND.pod | 7 ++ doc/man7/provider-base.pod | 28 +++++- include/crypto/rand.h | 17 +++- include/openssl/core_dispatch.h | 11 +++ providers/baseprov.c | 8 ++ providers/common/provider_seeding.c | 53 +++++++++-- 11 files changed, 350 insertions(+), 55 deletions(-) diff --git a/crypto/initthread.c b/crypto/initthread.c index 03586bcbca668..54a33c32865f7 100644 --- a/crypto/initthread.c +++ b/crypto/initthread.c @@ -257,7 +257,7 @@ void *ossl_thread_event_ctx_new(OSSL_LIB_CTX *libctx) if (tlocal == NULL) return NULL; - if (!CRYPTO_THREAD_init_local(tlocal, NULL)) { + if (!CRYPTO_THREAD_init_local(tlocal, NULL)) { goto err; } diff --git a/crypto/provider_core.c b/crypto/provider_core.c index 7f5e48f26c68a..266934937cb89 100644 --- a/crypto/provider_core.c +++ b/crypto/provider_core.c 
@@ -1930,10 +1930,12 @@ OSSL_FUNC_BIO_free_fn ossl_core_bio_free; OSSL_FUNC_BIO_vprintf_fn ossl_core_bio_vprintf; OSSL_FUNC_BIO_vsnprintf_fn BIO_vsnprintf; static OSSL_FUNC_self_test_cb_fn core_self_test_get_callback; -OSSL_FUNC_get_entropy_fn ossl_rand_get_entropy; -OSSL_FUNC_cleanup_entropy_fn ossl_rand_cleanup_entropy; -OSSL_FUNC_get_nonce_fn ossl_rand_get_nonce; -OSSL_FUNC_cleanup_nonce_fn ossl_rand_cleanup_nonce; +static OSSL_FUNC_get_user_entropy_fn rand_get_user_entropy; +static OSSL_FUNC_get_entropy_fn rand_get_entropy; +static OSSL_FUNC_cleanup_entropy_fn rand_cleanup_entropy; +static OSSL_FUNC_get_user_nonce_fn rand_get_user_nonce; +static OSSL_FUNC_get_nonce_fn rand_get_nonce; +static OSSL_FUNC_cleanup_nonce_fn rand_cleanup_nonce; #endif OSSL_FUNC_CRYPTO_malloc_fn CRYPTO_malloc; OSSL_FUNC_CRYPTO_zalloc_fn CRYPTO_zalloc; 
@@ -2094,6 +2096,54 @@ static void core_self_test_get_callback(OPENSSL_CORE_CTX *libctx, OSSL_SELF_TEST_get_callback((OSSL_LIB_CTX *)libctx, cb, cbarg); } +static size_t rand_get_entropy(const OSSL_CORE_HANDLE *handle, + unsigned char **pout, int entropy, + size_t min_len, size_t max_len) +{ + return ossl_rand_get_entropy((OSSL_LIB_CTX *)core_get_libctx(handle), + pout, entropy, min_len, max_len); +} + +static size_t rand_get_user_entropy(const OSSL_CORE_HANDLE *handle, + unsigned char **pout, int entropy, + size_t min_len, size_t max_len) +{ + return ossl_rand_get_user_entropy((OSSL_LIB_CTX *)core_get_libctx(handle), + pout, entropy, min_len, max_len); +} + +static void rand_cleanup_entropy(const OSSL_CORE_HANDLE *handle, + unsigned char *buf, size_t len) +{ + ossl_rand_cleanup_entropy((OSSL_LIB_CTX *)core_get_libctx(handle), + buf, len); +} + +static size_t rand_get_nonce(const OSSL_CORE_HANDLE *handle, + unsigned char **pout, + size_t min_len, size_t max_len, + const void *salt, size_t salt_len) +{ + return ossl_rand_get_nonce((OSSL_LIB_CTX *)core_get_libctx(handle), + pout, min_len, max_len, salt, salt_len); +} + +static size_t rand_get_user_nonce(const OSSL_CORE_HANDLE *handle, + unsigned char **pout, + size_t min_len, size_t max_len, + const void *salt, size_t salt_len) +{ + return ossl_rand_get_user_nonce((OSSL_LIB_CTX *)core_get_libctx(handle), + pout, min_len, max_len, salt, salt_len); +} + +static void rand_cleanup_nonce(const OSSL_CORE_HANDLE *handle, + unsigned char *buf, size_t len) +{ + ossl_rand_cleanup_nonce((OSSL_LIB_CTX *)core_get_libctx(handle), + buf, len); +} + static const char *core_provider_get0_name(const OSSL_CORE_HANDLE *prov) { return OSSL_PROVIDER_get0_name((const OSSL_PROVIDER *)prov); 
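Review bot: The wrappers for get_entropy, cleanup_entropy, get_nonce and cleanup_nonce pass `handle` to `core_get_libctx()`, which conflicts with the NOTES section this same patch adds to ossl_rand_get_entropy.pod: FIPS providers 3.0.0, 3.0.8 and 3.0.9 hand in a provider-internal pointer there that cannot be safely dereferenced. core_get_libctx() is not shown here, so this needs confirming, but if it reads through `handle` these four wrappers do exactly what the note warns against. Since prov_seed.c marks the context `ossl_unused` in those four functions, the legacy wrappers could pass `NULL` instead, e.g. `return ossl_rand_get_entropy(NULL, pout, entropy, min_len, max_len);`, with a comment naming the affected provider versions. The two `_user_` wrappers are new dispatch entries and are not covered by that note.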
@@ -2187,10 +2237,12 @@ static const OSSL_DISPATCH core_dispatch_[] = { { OSSL_FUNC_BIO_VPRINTF, (void (*)(void))ossl_core_bio_vprintf }, { OSSL_FUNC_BIO_VSNPRINTF, (void (*)(void))BIO_vsnprintf }, { OSSL_FUNC_SELF_TEST_CB, (void (*)(void))core_self_test_get_callback }, - { OSSL_FUNC_GET_ENTROPY, (void (*)(void))ossl_rand_get_entropy }, - { OSSL_FUNC_CLEANUP_ENTROPY, (void (*)(void))ossl_rand_cleanup_entropy }, - { OSSL_FUNC_GET_NONCE, (void (*)(void))ossl_rand_get_nonce }, - { OSSL_FUNC_CLEANUP_NONCE, (void (*)(void))ossl_rand_cleanup_nonce }, + { OSSL_FUNC_GET_ENTROPY, (void (*)(void))rand_get_entropy }, + { OSSL_FUNC_CLEANUP_ENTROPY, (void (*)(void))rand_cleanup_entropy }, + { OSSL_FUNC_GET_NONCE, (void (*)(void))rand_get_nonce }, + { OSSL_FUNC_CLEANUP_NONCE, (void (*)(void))rand_cleanup_nonce }, + { OSSL_FUNC_GET_USER_ENTROPY, (void (*)(void))rand_get_user_entropy }, + { OSSL_FUNC_GET_USER_NONCE, (void (*)(void))rand_get_user_nonce }, #endif { OSSL_FUNC_CRYPTO_MALLOC, (void (*)(void))CRYPTO_malloc }, { OSSL_FUNC_CRYPTO_ZALLOC, (void (*)(void))CRYPTO_zalloc }, diff --git a/crypto/rand/prov_seed.c b/crypto/rand/prov_seed.c index 546c2040946ef..96c73f7e66020 100644 --- a/crypto/rand/prov_seed.c +++ b/crypto/rand/prov_seed.c @@ -7,12 +7,14 @@ * https://www.openssl.org/source/license.html */ +#include "rand_local.h" #include "crypto/rand.h" #include "crypto/rand_pool.h" +#include "internal/core.h" #include #include -size_t ossl_rand_get_entropy(ossl_unused const OSSL_CORE_HANDLE *handle, +size_t ossl_rand_get_entropy(ossl_unused OSSL_LIB_CTX *ctx, unsigned char **pout, int entropy, size_t min_len, size_t max_len) { 
@@ -38,14 +40,46 @@ size_t ossl_rand_get_entropy(ossl_unused const OSSL_CORE_HANDLE *handle, return ret; } -void ossl_rand_cleanup_entropy(ossl_unused const OSSL_CORE_HANDLE *handle, +size_t ossl_rand_get_user_entropy(OSSL_LIB_CTX *ctx, + unsigned char **pout, int entropy, + size_t min_len, size_t max_len) +{ + unsigned char *buf; + EVP_RAND_CTX *rng = ossl_rand_get0_seed_noncreating(ctx); + size_t ret; + + if (rng == NULL) + return ossl_rand_get_entropy(ctx, pout, entropy, min_len, max_len); + + /* Determine how many bytes to generate */ + ret = entropy > 0 ? (size_t)(7 + entropy) / 8 : min_len; + if (ret < min_len) + ret = min_len; + else if (ret > max_len) + ret = max_len; + + /* Allocate the return buffer */ + if ((buf = OPENSSL_secure_malloc(ret)) == NULL) + return 0; + + /* Fill the buffer */ + if (!EVP_RAND_generate(rng, buf, ret, entropy, 0, NULL, 0)) { + OPENSSL_free(buf); + return 0; + } + *pout = buf; + return ret; +} + +void ossl_rand_cleanup_entropy(ossl_unused OSSL_LIB_CTX *ctx, unsigned char *buf, size_t len) { OPENSSL_secure_clear_free(buf, len); } -size_t ossl_rand_get_nonce(ossl_unused const OSSL_CORE_HANDLE *handle, - unsigned char **pout, size_t min_len, size_t max_len, +size_t ossl_rand_get_nonce(ossl_unused OSSL_LIB_CTX *ctx, + unsigned char **pout, + size_t min_len, ossl_unused size_t max_len, const void *salt, size_t salt_len) { size_t ret = 0; 
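Review bot: ossl_rand_get_user_entropy() allocates `buf` with `OPENSSL_secure_malloc(ret)` but releases it with `OPENSSL_free(buf)` when EVP_RAND_generate() fails. The failure path should use the matching secure-heap call, and since the buffer may already hold partial seed material it is better cleared as well: `OPENSSL_secure_clear_free(buf, ret);`, which is what ossl_rand_cleanup_entropy() in this file uses.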
@@ -69,7 +103,29 @@ size_t ossl_rand_get_nonce(ossl_unused const OSSL_CORE_HANDLE *handle, return ret; } -void ossl_rand_cleanup_nonce(ossl_unused const OSSL_CORE_HANDLE *handle, +size_t ossl_rand_get_user_nonce(OSSL_LIB_CTX *ctx, + unsigned char **pout, + size_t min_len, size_t max_len, + const void *salt, size_t salt_len) +{ + unsigned char *buf; + EVP_RAND_CTX *rng = ossl_rand_get0_seed_noncreating(ctx); + + if (rng == NULL) + return ossl_rand_get_nonce(ctx, pout, min_len, max_len, salt, salt_len); + + if ((buf = OPENSSL_malloc(min_len)) == NULL) + return 0; + + if (!EVP_RAND_generate(rng, buf, min_len, 0, 0, salt, salt_len)) { + OPENSSL_free(buf); + return 0; + } + *pout = buf; + return min_len; +} + +void ossl_rand_cleanup_nonce(ossl_unused OSSL_LIB_CTX *ctx, unsigned char *buf, size_t len) { OPENSSL_clear_free(buf, len); diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c index 4630f19da0f56..46e294a37835e 100644 --- a/crypto/rand/rand_lib.c +++ b/crypto/rand/rand_lib.c @@ -30,6 +30,7 @@ # include "crypto/rand_pool.h" # include "prov/seeding.h" # include "internal/e_os.h" +# include "internal/property.h" # ifndef OPENSSL_NO_ENGINE /* non-NULL if default_RAND_meth is ENGINE-provided */ @@ -345,8 +346,6 @@ int RAND_priv_bytes_ex(OSSL_LIB_CTX *ctx, unsigned char *buf, size_t num, } #endif - if (num < 0) - return 0; rand = RAND_get0_private(ctx); if (rand != NULL) return EVP_RAND_generate(rand, buf, num, strength, 0, NULL, 0); @@ -356,6 +355,8 @@ int RAND_priv_bytes_ex(OSSL_LIB_CTX *ctx, unsigned char *buf, size_t num, int RAND_priv_bytes(unsigned char *buf, int num) { + if (num < 0) + return 0; return RAND_priv_bytes_ex(NULL, buf, (size_t)num, 0); } @@ -374,8 +375,6 @@ int RAND_bytes_ex(OSSL_LIB_CTX *ctx, unsigned char *buf, size_t num, } #endif - if (num < 0) - return 0; rand = RAND_get0_public(ctx); if (rand != NULL) return EVP_RAND_generate(rand, buf, num, strength, 0, NULL, 0); 
@@ -385,6 +384,8 @@ int RAND_bytes_ex(OSSL_LIB_CTX *ctx, unsigned char *buf, size_t num, int RAND_bytes(unsigned char *buf, int num) { + if (num < 0) + return 0; return RAND_bytes_ex(NULL, buf, (size_t)num, 0); } 
@@ -534,29 +535,104 @@ static EVP_RAND_CTX *rand_new_seed(OSSL_LIB_CTX *libctx) { EVP_RAND *rand; RAND_GLOBAL *dgbl = rand_get_global(libctx); - EVP_RAND_CTX *ctx; - char *name; + EVP_RAND_CTX *ctx = NULL; + const char *propq = dgbl->seed_propq; + char *name, *props = NULL; + size_t props_len; + OSSL_PROPERTY_LIST *pl1, *pl2, *pl3 = NULL; if (dgbl == NULL) return NULL; - name = dgbl->seed_name != NULL ? dgbl->seed_name : "SEED-SRC"; - rand = EVP_RAND_fetch(libctx, name, dgbl->seed_propq); + if (dgbl->seed_name != NULL) { + name = dgbl->seed_name; + } else { + /* + * Default to our internal seed source. This isn't part of the FIPS + * provider so we need to override any FIPS properties. + */ + if (propq == NULL || *propq == '\0') { + propq = "-fips"; + } else { + pl1 = ossl_parse_query(libctx, propq, 1); + if (pl1 == NULL) { + ERR_raise(ERR_LIB_RAND, RAND_R_INVALID_PROPERTY_QUERY); + return NULL; + } + pl2 = ossl_parse_query(libctx, "-fips", 1); + if (pl2 == NULL) { + ossl_property_free(pl1); + ERR_raise(ERR_LIB_RAND, ERR_R_INTERNAL_ERROR); + return NULL; + } + pl3 = ossl_property_merge(pl2, pl1); + ossl_property_free(pl1); + ossl_property_free(pl2); + if (pl3 == NULL) { + ERR_raise(ERR_LIB_RAND, ERR_R_INTERNAL_ERROR); + return NULL; + } + props_len = ossl_property_list_to_string(libctx, pl3, NULL, 0); + if (props_len == 0) { + /* Shouldn't happen since we added a query element */ + ERR_raise(ERR_LIB_RAND, ERR_R_INTERNAL_ERROR); + goto err; + } else { + props = OPENSSL_malloc(props_len); + if (props == NULL) { + ERR_raise(ERR_LIB_RAND, ERR_R_MALLOC_FAILURE); + goto err; + } + if (ossl_property_list_to_string(libctx, pl3, + props, props_len) == 0) { + ERR_raise(ERR_LIB_RAND, ERR_R_INTERNAL_ERROR); + goto err; + } + ossl_property_free(pl3); + pl3 = NULL; + propq = props; + } + } + name = "SEED-SRC"; + } + + rand = EVP_RAND_fetch(libctx, name, propq); if (rand == NULL) { ERR_raise(ERR_LIB_RAND, RAND_R_UNABLE_TO_FETCH_DRBG); - return NULL; + goto err; } ctx = 
EVP_RAND_CTX_new(rand, NULL); EVP_RAND_free(rand); if (ctx == NULL) { ERR_raise(ERR_LIB_RAND, RAND_R_UNABLE_TO_CREATE_DRBG); - return NULL; + goto err; } if (!EVP_RAND_instantiate(ctx, 0, 0, NULL, 0, NULL)) { ERR_raise(ERR_LIB_RAND, RAND_R_ERROR_INSTANTIATING_DRBG); EVP_RAND_CTX_free(ctx); - return NULL; + goto err; } + OPENSSL_free(props); return ctx; + err: + EVP_RAND_CTX_free(ctx); + ossl_property_free(pl3); + OPENSSL_free(props); + return NULL; +} + +EVP_RAND_CTX *ossl_rand_get0_seed_noncreating(OSSL_LIB_CTX *ctx) +{ + RAND_GLOBAL *dgbl = rand_get_global(ctx); + EVP_RAND_CTX *ret; + + if (dgbl == NULL) + return NULL; + + if (!CRYPTO_THREAD_read_lock(dgbl->lock)) + return NULL; + ret = dgbl->seed; + CRYPTO_THREAD_unlock(dgbl->lock); + return ret; } #endif @@ -882,7 +958,7 @@ int RAND_set_seed_source_type(OSSL_LIB_CTX *ctx, const char *seed, if (dgbl == NULL) return 0; - if (dgbl->primary != NULL) { + if (dgbl->seed != NULL) { ERR_raise(ERR_LIB_CRYPTO, RAND_R_ALREADY_INSTANTIATED); return 0; } diff --git a/doc/internal/man3/ossl_rand_get_entropy.pod b/doc/internal/man3/ossl_rand_get_entropy.pod index 4da3f1f4d9db5..48343b6fe0493 100644 --- a/doc/internal/man3/ossl_rand_get_entropy.pod +++ b/doc/internal/man3/ossl_rand_get_entropy.pod @@ -2,8 +2,8 @@ =head1 NAME -ossl_rand_get_entropy, ossl_rand_cleanup_entropy, -ossl_rand_get_nonce, ossl_rand_cleanup_nonce +ossl_rand_get_entropy, ossl_rand_get_user_entropy, ossl_rand_cleanup_entropy, +ossl_rand_get_nonce, ossl_rand_get_user_nonce, ossl_rand_cleanup_nonce - get seed material from the operating system =head1 SYNOPSIS 
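Review bot: rand_new_seed() now reads `dgbl->seed_propq` in the initialiser of `propq`, before the `if (dgbl == NULL) return NULL;` check that follows the declarations, so a failed rand_get_global() is dereferenced. Declare `const char *propq;` and assign `propq = dgbl->seed_propq;` after the check. The instantiate-failure branch also keeps its `EVP_RAND_CTX_free(ctx);` and then jumps to `err:`, which frees `ctx` a second time; drop the call in the branch and let `err:` do it. ossl_rand_get0_seed_noncreating(), added at the end of the hunk, returns `dgbl->seed` after releasing the lock and without taking a reference, so a comment on its lifetime assumption would help.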
@@ -13,11 +13,17 @@ ossl_rand_get_nonce, ossl_rand_cleanup_nonce size_t ossl_rand_get_entropy(OSSL_CORE_HANDLE *handle, unsigned char **pout, int entropy, size_t min_len, size_t max_len); + size_t ossl_rand_get_user_entropy(OSSL_CORE_HANDLE *handle, + unsigned char **pout, int entropy, + size_t min_len, size_t max_len); void ossl_rand_cleanup_entropy(OSSL_CORE_HANDLE *handle, unsigned char *buf, size_t len); size_t ossl_rand_get_nonce(OSSL_CORE_HANDLE *handle, unsigned char **pout, size_t min_len, size_t max_len, const void *salt, size_t salt_len); + size_t ossl_rand_get_user_nonce(OSSL_CORE_HANDLE *handle, unsigned char **pout, + size_t min_len, size_t max_len, + const void *salt, size_t salt_len); void ossl_rand_cleanup_nonce(OSSL_CORE_HANDLE *handle, unsigned char *buf, size_t len); @@ -29,9 +35,14 @@ stored in a buffer which contains at least I and at most I bytes. The buffer address is stored in I<*pout> and the buffer length is returned to the caller. +ossl_rand_get_user_entropy() is the same as ossl_rand_get_entropy() +except that it retrieves the seeding material from the library context's +DRBG seed source. By default this is the operating system but it can +be changed by calling L. + ossl_rand_cleanup_entropy() cleanses and frees any storage allocated by -ossl_rand_get_entropy(). The seeding buffer is pointed to by I and is -of length I bytes. +ossl_rand_get_entropy() or ossl_rand_get_user_entropy(). The entropy +buffer is pointed to by I and is of length I bytes. ossl_rand_get_nonce() retrieves a nonce using the passed I parameter of length I and operating system specific information. 
@@ -41,18 +52,34 @@ The output is stored in a buffer which contains at least I and at most I bytes. The buffer address is stored in I<*pout> and the buffer length returned to the caller. +ossl_rand_get_user_nonce() is the same as ossl_rand_get_nonce() except +that it retrieves the seeding material from the library context's DRBG +seed source. By default this is the operating system but it can be +changed by calling L. + ossl_rand_cleanup_nonce() cleanses and frees any storage allocated by -ossl_rand_get_nonce(). The nonce buffer is pointed to by I and is -of length I bytes. +ossl_rand_get_nonce() or ossl_rand_get_user_nonce(). The nonce buffer +is pointed to by I and is of length I bytes. + +=head1 NOTES + +FIPS providers 3.0.0, 3.0.8 and 3.0.9 incorrectly pass a provider +internal pointer to ossl_rand_get_entropy(), ossl_rand_cleanup_entropy(), +ossl_rand_get_nonce() and ossl_rand_cleanup_nonce(). This pointer cannot +be safely dereferenced. =head1 RETURN VALUES -ossl_rand_get_entropy() and ossl_rand_get_nonce() return the number of bytes -in I<*pout> or 0 on error. +ossl_rand_get_entropy(), ossl_rand_get_user_entropy(), +ossl_rand_get_nonce() and ossl_rand_get_user_nonce() return the number +of bytes in I<*pout> or 0 on error. =head1 HISTORY -The functions described here were all added in OpenSSL 3.0. +The functions ossl_rand_get_user_entropy() and ossl_rand_get_user_nonce() +were added in OpenSSL 3.0.12, 3.1.4 and 3.2.0. + +The remaining functions described here were all added in OpenSSL 3.0. =head1 COPYRIGHT diff --git a/doc/man7/EVP_RAND-TEST-RAND.pod b/doc/man7/EVP_RAND-TEST-RAND.pod index ff5207565c62c..feab01431d928 100644 --- a/doc/man7/EVP_RAND-TEST-RAND.pod +++ b/doc/man7/EVP_RAND-TEST-RAND.pod 
@@ -60,6 +60,13 @@ If there are insufficient data present to satisfy a call, an error is returned. Sets the bytes returned when the test generator is sent a nonce request. Each nonce request will return all of the bytes. +=item "generate" (B) + +If this parameter is zero, it will only emit the nonce and entropy data +supplied via the aforementioned parameters. Otherwise, low quality +non-cryptographic pseudorandom output is produced. This parameter defaults +to zero. + =back =head1 NOTES diff --git a/doc/man7/provider-base.pod b/doc/man7/provider-base.pod index 33d7fe7f55140..eb9e8d35758ff 100644 --- a/doc/man7/provider-base.pod +++ b/doc/man7/provider-base.pod @@ -76,11 +76,17 @@ provider-base size_t get_entropy(const OSSL_CORE_HANDLE *handle, unsigned char **pout, int entropy, size_t min_len, size_t max_len); + size_t get_user_entropy(const OSSL_CORE_HANDLE *handle, + unsigned char **pout, int entropy, + size_t min_len, size_t max_len); void cleanup_entropy(const OSSL_CORE_HANDLE *handle, unsigned char *buf, size_t len); size_t get_nonce(const OSSL_CORE_HANDLE *handle, unsigned char **pout, size_t min_len, size_t max_len, const void *salt, size_t salt_len); + size_t get_user_nonce(const OSSL_CORE_HANDLE *handle, + unsigned char **pout, size_t min_len, size_t max_len, + const void *salt, size_t salt_len); void cleanup_nonce(const OSSL_CORE_HANDLE *handle, unsigned char *buf, size_t len); @@ -171,8 +177,10 @@ provider): OPENSSL_cleanse OSSL_FUNC_OPENSSL_CLEANSE OSSL_SELF_TEST_set_callback OSSL_FUNC_SELF_TEST_CB ossl_rand_get_entropy OSSL_FUNC_GET_ENTROPY + ossl_rand_get_user_entropy OSSL_FUNC_GET_USER_ENTROPY ossl_rand_cleanup_entropy OSSL_FUNC_CLEANUP_ENTROPY ossl_rand_get_nonce OSSL_FUNC_GET_NONCE + ossl_rand_get_user_nonce OSSL_FUNC_GET_USER_NONCE ossl_rand_cleanup_nonce OSSL_FUNC_CLEANUP_NONCE provider_register_child_cb OSSL_FUNC_PROVIDER_REGISTER_CHILD_CB provider_deregister_child_cb OSSL_FUNC_PROVIDER_DEREGISTER_CHILD_CB 
@@ -302,9 +310,14 @@ output will have at least I and at most I bytes. The buffer address is stored in I<*pout> and the buffer length is returned to the caller. On error, zero is returned. +get_user_entropy() is the same as get_entropy() except that it will +attempt to gather seed material via the seed source specified by a call to +L or via L. + cleanup_entropy() is used to clean up and free the buffer returned by -get_entropy(). The entropy pointer returned by get_entropy() is passed in -B and its length in B. +get_entropy() or get_user_entropy(). The entropy pointer returned by +get_entropy() or get_user_entropy() is passed in B and its length +in B. get_nonce() retrieves a nonce using the passed I parameter of length I and operating system specific information. @@ -314,9 +327,14 @@ The output is stored in a buffer which contains at least I and at most I bytes. The buffer address is stored in I<*pout> and the buffer length returned to the caller. On error, zero is returned. -cleanup_nonce() is used to clean up and free the buffer returned by -get_nonce(). The nonce pointer returned by get_nonce() is passed in -B and its length in B. +get_user_nonce() is the same as get_nonce() except that it will attempt +to gather seed material via the seed source specified by a call to +L or via L. + +cleanup_nonce() is used to clean up and free the buffer returned +by get_nonce() or get_user_nonce(). The nonce pointer returned by +get_nonce() or get_user_nonce() is passed in B and its length +in B. provider_register_child_cb() registers callbacks for being informed about the loading and unloading of providers in the application's library context. diff --git a/include/crypto/rand.h b/include/crypto/rand.h index 7345bf625f92d..730be8b5d0245 100644 --- a/include/crypto/rand.h +++ b/include/crypto/rand.h 
@@ -108,15 +108,21 @@ void ossl_random_add_conf_module(void); /* * Get and cleanup random seed material. */ -size_t ossl_rand_get_entropy(ossl_unused const OSSL_CORE_HANDLE *handle, +size_t ossl_rand_get_entropy(OSSL_LIB_CTX *ctx, unsigned char **pout, int entropy, size_t min_len, size_t max_len); -void ossl_rand_cleanup_entropy(ossl_unused const OSSL_CORE_HANDLE *handle, +size_t ossl_rand_get_user_entropy(OSSL_LIB_CTX *ctx, + unsigned char **pout, int entropy, + size_t min_len, size_t max_len); +void ossl_rand_cleanup_entropy(OSSL_LIB_CTX *ctx, unsigned char *buf, size_t len); -size_t ossl_rand_get_nonce(ossl_unused const OSSL_CORE_HANDLE *handle, +size_t ossl_rand_get_nonce(OSSL_LIB_CTX *ctx, unsigned char **pout, size_t min_len, size_t max_len, const void *salt, size_t salt_len); -void ossl_rand_cleanup_nonce(ossl_unused const OSSL_CORE_HANDLE *handle, +size_t ossl_rand_get_user_nonce(OSSL_LIB_CTX *ctx, unsigned char **pout, + size_t min_len, size_t max_len, + const void *salt, size_t salt_len); +void ossl_rand_cleanup_nonce(OSSL_LIB_CTX *ctx, unsigned char *buf, size_t len); /* @@ -127,6 +133,7 @@ int ossl_pool_add_nonce_data(RAND_POOL *pool); # ifdef FIPS_MODULE EVP_RAND_CTX *ossl_rand_get0_private_noncreating(OSSL_LIB_CTX *ctx); +# else +EVP_RAND_CTX *ossl_rand_get0_seed_noncreating(OSSL_LIB_CTX *ctx); # endif - #endif diff --git a/include/openssl/core_dispatch.h b/include/openssl/core_dispatch.h index 73f040285cd51..6c952f18aac00 100644 --- a/include/openssl/core_dispatch.h +++ b/include/openssl/core_dispatch.h @@ -176,6 +176,10 @@ OSSL_CORE_MAKE_FUNC(int, BIO_vsnprintf, OSSL_CORE_MAKE_FUNC(int, BIO_ctrl, (OSSL_CORE_BIO *bio, int cmd, long num, void *ptr)) +/* New seeding functions prototypes with the 101-104 series */ +#define OSSL_FUNC_GET_USER_ENTROPY 98 +#define OSSL_FUNC_GET_USER_NONCE 99 + #define OSSL_FUNC_SELF_TEST_CB 100 OSSL_CORE_MAKE_FUNC(void, self_test_cb, (OPENSSL_CORE_CTX *ctx, OSSL_CALLBACK **cb, void **cbarg)) 
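Review bot: The block comment above these prototypes in include/crypto/rand.h still says only "Get and cleanup random seed material", so the difference between ossl_rand_get_entropy() and the new ossl_rand_get_user_entropy() (and the nonce pair) is not stated where callers will look. The provider-base.pod text in this same patch describes the user variants as trying the user-specified seed source, with one cleanup function serving both getters. The header could carry that as `/* The _user_ variants try the user-specified seed source; buffers from either getter are released with the matching ossl_rand_cleanup_*() */`. The first parameter also changes from `const OSSL_CORE_HANDLE *handle` to `OSSL_LIB_CTX *ctx` while the dispatch types in core_dispatch.h keep the handle, so a line saying where the handle-to-context conversion happens would help; that code is not in this hunk.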
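Review bot: The comment added in include/openssl/core_dispatch.h, `/* New seeding functions prototypes with the 101-104 series */`, sits above two bare `#define`s and is hard to parse on its own. IDs 98 and 99 are defined here, ahead of OSSL_FUNC_SELF_TEST_CB at 100, while their OSSL_CORE_MAKE_FUNC declarations are added in the next hunk. A wording such as `/* IDs for the user seeding upcalls; their function types are declared with the 101-104 seeding functions below */` says that directly.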
@@ -188,12 +192,19 @@ OSSL_CORE_MAKE_FUNC(void, self_test_cb, (OPENSSL_CORE_CTX *ctx, OSSL_CALLBACK ** OSSL_CORE_MAKE_FUNC(size_t, get_entropy, (const OSSL_CORE_HANDLE *handle, unsigned char **pout, int entropy, size_t min_len, size_t max_len)) +OSSL_CORE_MAKE_FUNC(size_t, get_user_entropy, (const OSSL_CORE_HANDLE *handle, + unsigned char **pout, int entropy, + size_t min_len, size_t max_len)) OSSL_CORE_MAKE_FUNC(void, cleanup_entropy, (const OSSL_CORE_HANDLE *handle, unsigned char *buf, size_t len)) OSSL_CORE_MAKE_FUNC(size_t, get_nonce, (const OSSL_CORE_HANDLE *handle, unsigned char **pout, size_t min_len, size_t max_len, const void *salt, size_t salt_len)) +OSSL_CORE_MAKE_FUNC(size_t, get_user_nonce, (const OSSL_CORE_HANDLE *handle, + unsigned char **pout, size_t min_len, + size_t max_len, const void *salt, + size_t salt_len)) OSSL_CORE_MAKE_FUNC(void, cleanup_nonce, (const OSSL_CORE_HANDLE *handle, unsigned char *buf, size_t len)) diff --git a/providers/baseprov.c b/providers/baseprov.c index 2e5dbe410fece..6b8de7cb367d1 100644 --- a/providers/baseprov.c +++ b/providers/baseprov.c @@ -19,6 +19,7 @@ #include "prov/providercommon.h" #include "prov/implementations.h" #include "prov/provider_util.h" +#include "prov/names.h" /* * Forward declarations to ensure that interface functions are correctly @@ -90,6 +91,11 @@ static const OSSL_ALGORITHM base_store[] = { #undef STORE }; +static const OSSL_ALGORITHM base_rands[] = { + { PROV_NAMES_SEED_SRC, "provider=base", ossl_seed_src_functions }, + { NULL, NULL, NULL } +}; + static const OSSL_ALGORITHM *base_query(void *provctx, int operation_id, int *no_cache) { @@ -101,6 +107,8 @@ static const OSSL_ALGORITHM *base_query(void *provctx, int operation_id, return base_decoder; case OSSL_OP_STORE: return base_store; + case OSSL_OP_RAND: + return base_rands; } return NULL; } diff --git a/providers/common/provider_seeding.c b/providers/common/provider_seeding.c index d67ddf7b136d4..f6463f8ada30c 100644 
--- a/providers/common/provider_seeding.c +++ b/providers/common/provider_seeding.c @@ -9,12 +9,33 @@ #include #include "prov/seeding.h" +#include "prov/providercommon.h" static OSSL_FUNC_get_entropy_fn *c_get_entropy = NULL; +static OSSL_FUNC_get_user_entropy_fn *c_get_user_entropy = NULL; static OSSL_FUNC_cleanup_entropy_fn *c_cleanup_entropy = NULL; static OSSL_FUNC_get_nonce_fn *c_get_nonce = NULL; +static OSSL_FUNC_get_user_nonce_fn *c_get_user_nonce = NULL; static OSSL_FUNC_cleanup_nonce_fn *c_cleanup_nonce = NULL; +#ifdef FIPS_MODULE +/* + * The FIPS provider uses an internal library context which is what the + * passed provider context references. Since the seed source is external + * to the FIPS provider, this is the wrong one. We need to convert this + * to the correct core handle before up-calling libcrypto. + */ +# define CORE_HANDLE(provctx) \ + FIPS_get_core_handle(ossl_prov_ctx_get0_libctx(provctx)) +#else +/* + * The non-FIPS path *should* be unused because the full DRBG chain including + * seed source is instantiated. However, that might not apply for third + * party providers, so this is retained for compatibility. + */ +# define CORE_HANDLE(provctx) ossl_prov_ctx_get0_handle(provctx) +#endif + int ossl_prov_seeding_from_dispatch(const OSSL_DISPATCH *fns) { for (; fns->function_id != 0; fns++) { @@ -29,12 +50,18 @@ int ossl_prov_seeding_from_dispatch(const OSSL_DISPATCH *fns) case OSSL_FUNC_GET_ENTROPY: set_func(c_get_entropy, OSSL_FUNC_get_entropy(fns)); break; + case OSSL_FUNC_GET_USER_ENTROPY: + set_func(c_get_user_entropy, OSSL_FUNC_get_user_entropy(fns)); + break; case OSSL_FUNC_CLEANUP_ENTROPY: set_func(c_cleanup_entropy, OSSL_FUNC_cleanup_entropy(fns)); break; case OSSL_FUNC_GET_NONCE: set_func(c_get_nonce, OSSL_FUNC_get_nonce(fns)); break; + case OSSL_FUNC_GET_USER_NONCE: + set_func(c_get_user_nonce, OSSL_FUNC_get_user_nonce(fns)); + break; case OSSL_FUNC_CLEANUP_NONCE: set_func(c_cleanup_nonce, OSSL_FUNC_cleanup_nonce(fns)); break; 
@@ -47,31 +74,37 @@ int ossl_prov_seeding_from_dispatch(const OSSL_DISPATCH *fns) size_t ossl_prov_get_entropy(PROV_CTX *prov_ctx, unsigned char **pout, int entropy, size_t min_len, size_t max_len) { - if (c_get_entropy == NULL) - return 0; - return c_get_entropy(ossl_prov_ctx_get0_handle(prov_ctx), - pout, entropy, min_len, max_len); + const OSSL_CORE_HANDLE *handle = CORE_HANDLE(prov_ctx); + + if (c_get_user_entropy != NULL) + return c_get_user_entropy(handle, pout, entropy, min_len, max_len); + if (c_get_entropy != NULL) + return c_get_entropy(handle, pout, entropy, min_len, max_len); + return 0; } void ossl_prov_cleanup_entropy(PROV_CTX *prov_ctx, unsigned char *buf, size_t len) { if (c_cleanup_entropy != NULL) - c_cleanup_entropy(ossl_prov_ctx_get0_handle(prov_ctx), buf, len); + c_cleanup_entropy(CORE_HANDLE(prov_ctx), buf, len); } size_t ossl_prov_get_nonce(PROV_CTX *prov_ctx, unsigned char **pout, size_t min_len, size_t max_len, const void *salt, size_t salt_len) { - if (c_get_nonce == NULL) - return 0; - return c_get_nonce(ossl_prov_ctx_get0_handle(prov_ctx), pout, - min_len, max_len, salt, salt_len); + const OSSL_CORE_HANDLE *handle = CORE_HANDLE(prov_ctx); + + if (c_get_user_nonce != NULL) + return c_get_user_nonce(handle, pout, min_len, max_len, salt, salt_len); + if (c_get_nonce != NULL) + return c_get_nonce(handle, pout, min_len, max_len, salt, salt_len); + return 0; } void ossl_prov_cleanup_nonce(PROV_CTX *prov_ctx, unsigned char *buf, size_t len) { if (c_cleanup_nonce != NULL) - c_cleanup_nonce(ossl_prov_ctx_get0_handle(prov_ctx), buf, len); + c_cleanup_nonce(CORE_HANDLE(prov_ctx), buf, len); } From 1a18596149a325a679f8244bac52b6796dfcc48e Mon Sep 17 00:00:00 2001 
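Review bot: The selection order in ossl_prov_get_entropy() and ossl_prov_get_nonce() is security-relevant but undocumented. The user upcall is preferred whenever the core supplied it, and a zero return from it is passed straight back without trying c_get_entropy / c_get_nonce. That fail-closed behaviour looks intentional, and a comment such as `/* Prefer the user-configured seed source; its failure is returned as-is and never falls back to the default upcall */` would stop a later change from adding a silent fallback. Both functions now also evaluate CORE_HANDLE(prov_ctx) before checking whether any upcall is set, where the old code returned 0 without touching prov_ctx. In the FIPS build that macro (defined in an earlier hunk of this file) calls FIPS_get_core_handle(), so it should be confirmed that this is safe when no seeding upcalls were registered.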
From: Pauli Date: Fri, 22 Sep 2023 08:46:31 +1000 Subject: [PATCH 262/324] evp_test: recondition cipher dupctx FIPS version check. Until the cipher dupctx is properly implemented in 3.1 and 3.0 the check is wrong. This should be reverted once the implemenation has been done. Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/21964) --- test/evp_test.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/test/evp_test.c b/test/evp_test.c index 309ab94c21b54..bd1a7cc122f37 100644 --- a/test/evp_test.c +++ b/test/evp_test.c @@ -739,9 +739,7 @@ static int cipher_test_enc(EVP_TEST *t, int enc, size_t out_misalign, int ok = 0, tmplen, chunklen, tmpflen, i; EVP_CIPHER_CTX *ctx_base = NULL; EVP_CIPHER_CTX *ctx = NULL, *duped; - int fips_dupctx_supported = (fips_provider_version_ge(libctx, 3, 0, 12) - && fips_provider_version_lt(libctx, 3, 1, 0)) - || fips_provider_version_ge(libctx, 3, 1, 4); + int fips_dupctx_supported = fips_provider_version_ge(libctx, 3, 2, 0); t->err = "TEST_FAILURE"; if (!TEST_ptr(ctx_base = EVP_CIPHER_CTX_new())) From be203ea3d3a60a881993d1f7552084996d34ba0a Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Mon, 25 Sep 2023 16:44:47 +0100 Subject: [PATCH 263/324] Fix a mem leak when the FIPS provider is used in a different thread We were neglecting to register the main thread to receive thread stop notifications. This is important if the thread that starts the FIPS provider is not the same one that is used when OPENSSL_cleanup() is called. Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21964) --- crypto/initthread.c | 22 ++++++++++++++++++++-- include/crypto/context.h | 1 + providers/fips/fipsprov.c | 9 +++++++++ 3 files changed, 30 insertions(+), 2 deletions(-) diff --git a/crypto/initthread.c b/crypto/initthread.c index 54a33c32865f7..23ad0a0739107 100644 --- a/crypto/initthread.c +++ b/crypto/initthread.c 
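Review bot: The new initialiser `fips_provider_version_ge(libctx, 3, 2, 0)` in cipher_test_enc() is described in the commit message as a temporary condition to be reverted, but nothing in the code marks it as such. A comment above the declaration would keep that intent next to the check, for example `/* TODO: restore the 3.0.x and 3.1.x lower bounds once cipher dupctx is implemented in those FIPS provider branches */`. Until then the dupctx path is treated as unsupported for every FIPS provider older than 3.2.0. The uses of fips_dupctx_supported, and the rest of the function, are outside this hunk.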
@@ -249,6 +249,15 @@ void ossl_ctx_thread_stop(OSSL_LIB_CTX *ctx) #else +static void ossl_arg_thread_stop(void *arg); + +/* Register the current thread so that we are informed if it gets stopped */ +int ossl_thread_register_fips(OSSL_LIB_CTX *libctx) +{ + return c_thread_start(FIPS_get_core_handle(libctx), ossl_arg_thread_stop, + libctx); +} + void *ossl_thread_event_ctx_new(OSSL_LIB_CTX *libctx) { THREAD_EVENT_HANDLER **hands = NULL; @@ -268,6 +277,16 @@ void *ossl_thread_event_ctx_new(OSSL_LIB_CTX *libctx) if (!CRYPTO_THREAD_set_local(tlocal, hands)) goto err; + /* + * We should ideally call ossl_thread_register_fips() here. This function + * is called during the startup of the FIPS provider and we need to ensure + * that the main thread is registered to receive thread callbacks in order + * to free |hands| that we allocated above. However we are too early in + * the FIPS provider initialisation that FIPS_get_core_handle() doesn't work + * yet. So we defer this to the main provider OSSL_provider_init_int() + * function. + */ + return tlocal; err: OPENSSL_free(hands); @@ -379,8 +398,7 @@ int ossl_init_thread_start(const void *index, void *arg, * libcrypto to tell us about later thread stop events. c_thread_start * is a callback to libcrypto defined in fipsprov.c */ - if (!c_thread_start(FIPS_get_core_handle(ctx), ossl_arg_thread_stop, - ctx)) + if (!ossl_thread_register_fips(ctx)) return 0; } #endif diff --git a/include/crypto/context.h b/include/crypto/context.h index 56c68f4ec114f..af81e15e1dc51 100644 --- a/include/crypto/context.h +++ b/include/crypto/context.h @@ -21,6 +21,7 @@ void *ossl_child_prov_ctx_new(OSSL_LIB_CTX *); void *ossl_prov_drbg_nonce_ctx_new(OSSL_LIB_CTX *); void *ossl_self_test_set_callback_new(OSSL_LIB_CTX *); void *ossl_rand_crng_ctx_new(OSSL_LIB_CTX *); +int ossl_thread_register_fips(OSSL_LIB_CTX *); void *ossl_thread_event_ctx_new(OSSL_LIB_CTX *); void *ossl_fips_prov_ossl_ctx_new(OSSL_LIB_CTX *); #if defined(OPENSSL_THREADS) 
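Review bot: ossl_thread_register_fips() can now be reached twice for the thread that loads the provider: once from OSSL_provider_init_int() and again from the call site in ossl_init_thread_start() that this patch converts. The condition guarding that second call is outside the hunk, so it cannot be seen here whether ossl_arg_thread_stop would then run twice for the same libctx on thread exit. If repeated registration is harmless, the function's comment should say so, e.g. `/* Register the current thread for stop notifications; safe to call more than once per thread */`. It would also help to state the return convention, which the caller treats as non-zero on success.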
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c index 607ee1176316b..7ec409710b6cc 100644 --- a/providers/fips/fipsprov.c +++ b/providers/fips/fipsprov.c @@ -705,6 +705,15 @@ int OSSL_provider_init_int(const OSSL_CORE_HANDLE *handle, fgbl->handle = handle; + /* + * We need to register this thread to receive thread lifecycle callbacks. + * This wouldn't matter if the current thread is also the same thread that + * closes the FIPS provider down. But if that happens on a different thread + * then memory leaks could otherwise occur. + */ + if (!ossl_thread_register_fips(libctx)) + goto err; + /* * We did initial set up of selftest_params in a local copy, because we * could not create fgbl until c_CRYPTO_zalloc was defined in the loop From b07107e31149bf870bc1ae17e59444859fe4e23a Mon Sep 17 00:00:00 2001 From: "Randall S. Becker" Date: Sat, 23 Sep 2023 15:38:13 +0100 Subject: [PATCH 264/324] Move e_os2.h up in quictestlib.c to allow symbol definition consistency. Fixes: #22178 Signed-of-by: Randall S. Becker Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22179) --- test/helpers/quictestlib.c | 1 + 1 file changed, 1 insertion(+) diff --git a/test/helpers/quictestlib.c b/test/helpers/quictestlib.c index 17da14766fcc0..8d71d6002f660 100644 --- a/test/helpers/quictestlib.c +++ b/test/helpers/quictestlib.c @@ -10,6 +10,7 @@ #include #include #include +#include "internal/e_os.h" /* For struct timeval */ #include "quictestlib.h" #include "ssltestlib.h" #include "../testutil.h" From 7f5b29c4bf909964f1a73d80af1474f0e4a95624 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Tue, 26 Sep 2023 12:14:56 +0100 Subject: [PATCH 265/324] Fix no-ssl-trace Ensure we use OPENSSL_NO_SSL_TRACE guards where appropriate. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22193) --- test/helpers/quictestlib.c | 2 ++ 1 file changed, 2 insertions(+) 
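Review bot: The comment added in OSSL_provider_init_int() explains why the thread is registered but not why the call sits exactly here. The companion comment in ossl_thread_event_ctx_new() says FIPS_get_core_handle() does not work early in initialisation, and this call follows `fgbl->handle = handle;`, so the registration presumably depends on that assignment. Adding a line such as `/* Must stay after fgbl->handle is set: registration goes through FIPS_get_core_handle() */` would protect the ordering against later reshuffling of the init sequence. The `goto err` target and its cleanup are outside the hunk.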
diff --git a/test/helpers/quictestlib.c b/test/helpers/quictestlib.c index 8d71d6002f660..514bb6422a790 100644 --- a/test/helpers/quictestlib.c +++ b/test/helpers/quictestlib.c @@ -98,6 +98,7 @@ int qtest_create_quic_objects(OSSL_LIB_CTX *libctx, SSL_CTX *clientctx, return 0; } +#ifndef OPENSSL_NO_SSL_TRACE if ((flags & QTEST_FLAG_CLIENT_TRACE) != 0) { tmpbio = BIO_new_fp(stdout, BIO_NOCLOSE); if (!TEST_ptr(tmpbio)) @@ -106,6 +107,7 @@ int qtest_create_quic_objects(OSSL_LIB_CTX *libctx, SSL_CTX *clientctx, SSL_set_msg_callback(*cssl, SSL_trace); SSL_set_msg_callback_arg(*cssl, tmpbio); } +#endif if (tracebio != NULL) *tracebio = tmpbio; From 556009c596e0242689df4c26dd7fccdb7f0e1add Mon Sep 17 00:00:00 2001 
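Review bot: With OPENSSL_NO_SSL_TRACE defined, the guarded block in qtest_create_quic_objects() compiles away, so a caller passing QTEST_FLAG_CLIENT_TRACE gets no trace and no indication why. The `*tracebio = tmpbio;` after the `#endif` then hands back whatever tmpbio was initialised to. The declaration of tmpbio is outside the hunk, so it should be confirmed that it starts as NULL. A short comment at the guard would document the behaviour, e.g. `/* Without SSL_trace support the client trace flag is ignored and no trace BIO is created */`.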
From: Matt Caswell Date: Thu, 28 Sep 2023 14:23:29 +0100 Subject: [PATCH 266/324] Copyright year updates Reviewed-by: Richard Levitte Release: yes --- apps/dhparam.c | 2 +- apps/gendsa.c | 2 +- apps/genrsa.c | 2 +- apps/progs.pl | 2 +- crypto/bio/bio_addr.c | 2 +- crypto/bio/bss_sock.c | 2 +- crypto/cpuid.c | 2 +- crypto/ec/curve448/point_448.h | 2 +- crypto/ec/ecp_s390x_nistp.c | 2 +- crypto/evp/e_chacha20_poly1305.c | 2 +- crypto/evp/legacy_blake2.c | 2 +- crypto/evp/pmeth_gn.c | 2 +- crypto/initthread.c | 2 +- crypto/lhash/lhash.c | 2 +- crypto/o_str.c | 2 +- crypto/pem/pvkfmt.c | 2 +- crypto/pkcs12/p12_crt.c | 2 +- crypto/rand/prov_seed.c | 2 +- crypto/sha/keccak1600.c | 2 +- crypto/srp/srp_vfy.c | 2 +- crypto/store/store_lib.c | 2 +- crypto/x509/ext_dat.h | 2 +- crypto/x509/standard_exts.h | 2 +- doc/internal/man3/ossl_provider_new.pod | 2 +- doc/internal/man3/ossl_rand_get_entropy.pod | 2 +- doc/man1/openssl-cms.pod.in | 2 +- doc/man3/BIO_ADDR.pod | 2 +- doc/man3/EVP_MAC.pod | 2 +- doc/man3/EVP_SIGNATURE.pod | 2 +- doc/man3/OSSL_CMP_validate_msg.pod | 2 +- doc/man3/OSSL_STORE_open.pod | 2 +- doc/man3/PKCS12_create.pod | 2 +- doc/man3/PKCS12_gen_mac.pod | 2 +- doc/man3/SSL_CONF_CTX_set_ssl_ctx.pod | 2 +- doc/man7/EVP_KDF-PKCS12KDF.pod | 2 +- doc/man7/EVP_RAND-TEST-RAND.pod | 2 +- doc/man7/provider-storemgmt.pod | 2 +- include/crypto/asn1.h | 2 +- include/crypto/context.h | 2 +- include/crypto/rand.h | 2 +- include/openssl/store.h | 2 +- providers/common/provider_seeding.c | 2 +- providers/fips/self_test_kats.c | 2 +- providers/implementations/ciphers/cipher_aes_ccm.c | 2 +- providers/implementations/ciphers/cipher_aes_gcm.c | 2 +- providers/implementations/ciphers/cipher_aria_ccm.c | 2 +- providers/implementations/ciphers/cipher_aria_gcm.c | 2 +- providers/implementations/ciphers/cipher_sm4_ccm.c | 2 +- providers/implementations/ciphers/cipher_sm4_gcm.c | 2 +- ssl/ssl_init.c | 2 +- test/afalgtest.c | 2 +- test/chacha_internal_test.c | 2 +- test/drbgtest.c | 2 
+- test/fake_rsaprov.h | 2 +- test/helpers/handshake_srp.c | 2 +- test/ocspapitest.c | 2 +- test/pkcs12_format_test.c | 2 +- test/provider_pkey_test.c | 2 +- test/recipes/15-test_genec.t | 2 +- test/testutil/driver.c | 2 +- test/testutil/tests.c | 2 +- 61 files changed, 61 insertions(+), 61 deletions(-) diff --git a/apps/dhparam.c b/apps/dhparam.c index d14c569503013..ffe6e6cb88930 100644 --- a/apps/dhparam.c +++ b/apps/dhparam.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/apps/gendsa.c b/apps/gendsa.c index b6d1d0f5b3f76..a655c6ea02b2c 100644 --- a/apps/gendsa.c +++ b/apps/gendsa.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/apps/genrsa.c b/apps/genrsa.c index f71bc6eeb111d..54d025e24c2cd 100644 --- a/apps/genrsa.c +++ b/apps/genrsa.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/apps/progs.pl b/apps/progs.pl index 120ae05f07388..4a1e4be47c692 100644 --- a/apps/progs.pl +++ b/apps/progs.pl 
@@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/crypto/bio/bio_addr.c b/crypto/bio/bio_addr.c index 2a6f6d522c7a5..0a64d0749a29b 100644 --- a/crypto/bio/bio_addr.c +++ b/crypto/bio/bio_addr.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/bio/bss_sock.c b/crypto/bio/bss_sock.c index 4ff4defadff46..82f7be85ae0c3 100644 --- a/crypto/bio/bss_sock.c +++ b/crypto/bio/bss_sock.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/cpuid.c b/crypto/cpuid.c index e5db03f3f6af2..51cbe5ea090ee 100644 --- a/crypto/cpuid.c +++ b/crypto/cpuid.c @@ -1,5 +1,5 @@ /* - * Copyright 1998-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1998-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/ec/curve448/point_448.h b/crypto/ec/curve448/point_448.h index 597ded4211409..96a54558d6b30 100644 --- a/crypto/ec/curve448/point_448.h +++ b/crypto/ec/curve448/point_448.h 
@@ -1,5 +1,5 @@ /* - * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2015-2016 Cryptography Research, Inc. * * Licensed under the Apache License 2.0 (the "License"). You may not use diff --git a/crypto/ec/ecp_s390x_nistp.c b/crypto/ec/ecp_s390x_nistp.c index eae0b52c4e69b..f13f8bed242d9 100644 --- a/crypto/ec/ecp_s390x_nistp.c +++ b/crypto/ec/ecp_s390x_nistp.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/evp/e_chacha20_poly1305.c b/crypto/evp/e_chacha20_poly1305.c index 68b216f10cb45..731c1a1dc70c8 100644 --- a/crypto/evp/e_chacha20_poly1305.c +++ b/crypto/evp/e_chacha20_poly1305.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/evp/legacy_blake2.c b/crypto/evp/legacy_blake2.c index 4301ae4857913..5a5f05044ceed 100644 --- a/crypto/evp/legacy_blake2.c +++ b/crypto/evp/legacy_blake2.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/evp/pmeth_gn.c b/crypto/evp/pmeth_gn.c index 6a38fe511a636..74cca96f4d782 100644 --- a/crypto/evp/pmeth_gn.c +++ b/crypto/evp/pmeth_gn.c 
@@ -1,5 +1,5 @@ /* - * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/initthread.c b/crypto/initthread.c index 23ad0a0739107..ae234cd205e5c 100644 --- a/crypto/initthread.c +++ b/crypto/initthread.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/lhash/lhash.c b/crypto/lhash/lhash.c index 9d2b284ae0fa2..0a475b71d8e2a 100644 --- a/crypto/lhash/lhash.c +++ b/crypto/lhash/lhash.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/o_str.c b/crypto/o_str.c index 274b8476140b1..f1aacda5e3526 100644 --- a/crypto/o_str.c +++ b/crypto/o_str.c @@ -1,5 +1,5 @@ /* - * Copyright 2003-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2003-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/pem/pvkfmt.c b/crypto/pem/pvkfmt.c index d8aaebe72f586..ed7905661bbfe 100644 --- a/crypto/pem/pvkfmt.c +++ b/crypto/pem/pvkfmt.c 
@@ -1,5 +1,5 @@ /* - * Copyright 2005-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2005-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/pkcs12/p12_crt.c b/crypto/pkcs12/p12_crt.c index 7681731207b15..2e40dd93c2841 100644 --- a/crypto/pkcs12/p12_crt.c +++ b/crypto/pkcs12/p12_crt.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/rand/prov_seed.c b/crypto/rand/prov_seed.c index 96c73f7e66020..af35e0247595a 100644 --- a/crypto/rand/prov_seed.c +++ b/crypto/rand/prov_seed.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/sha/keccak1600.c b/crypto/sha/keccak1600.c index 062111b6380ca..c15bc42aaa826 100644 --- a/crypto/sha/keccak1600.c +++ b/crypto/sha/keccak1600.c @@ -1,5 +1,5 @@ /* - * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c index 2ca515396b718..e89f58b2000ac 100644 --- a/crypto/srp/srp_vfy.c +++ b/crypto/srp/srp_vfy.c 
@@ -1,5 +1,5 @@ /* - * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2004, EdelKey Project. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use diff --git a/crypto/store/store_lib.c b/crypto/store/store_lib.c index d0561f636cfde..05a8044f895b9 100644 --- a/crypto/store/store_lib.c +++ b/crypto/store/store_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/x509/ext_dat.h b/crypto/x509/ext_dat.h index 8325aacfa5306..1ffc816e5eea3 100644 --- a/crypto/x509/ext_dat.h +++ b/crypto/x509/ext_dat.h @@ -1,5 +1,5 @@ /* - * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/x509/standard_exts.h b/crypto/x509/standard_exts.h index e5c9e3f9e01ac..87a564b238d6b 100644 --- a/crypto/x509/standard_exts.h +++ b/crypto/x509/standard_exts.h @@ -1,5 +1,5 @@ /* - * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/doc/internal/man3/ossl_provider_new.pod b/doc/internal/man3/ossl_provider_new.pod index d30e400894376..2c406381e9d86 100644 --- a/doc/internal/man3/ossl_provider_new.pod +++ b/doc/internal/man3/ossl_provider_new.pod 
@@ -384,7 +384,7 @@ The functions described here were all added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/internal/man3/ossl_rand_get_entropy.pod b/doc/internal/man3/ossl_rand_get_entropy.pod index 48343b6fe0493..5c7a076336df0 100644 --- a/doc/internal/man3/ossl_rand_get_entropy.pod +++ b/doc/internal/man3/ossl_rand_get_entropy.pod @@ -83,7 +83,7 @@ The remaining functions described here were all added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/openssl-cms.pod.in b/doc/man1/openssl-cms.pod.in index a3ef9c0181205..78be2e6c09006 100644 --- a/doc/man1/openssl-cms.pod.in +++ b/doc/man1/openssl-cms.pod.in @@ -915,7 +915,7 @@ The B<-digest> option was added in OpenSSL 3.2. =head1 COPYRIGHT -Copyright 2008-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/BIO_ADDR.pod b/doc/man3/BIO_ADDR.pod index 20cd364d48aee..eb5a4a8fe7fbd 100644 --- a/doc/man3/BIO_ADDR.pod +++ b/doc/man3/BIO_ADDR.pod 
@@ -131,7 +131,7 @@ BIO_ADDR_copy() and BIO_ADDR_dup() were added in OpenSSL 3.2. =head1 COPYRIGHT -Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_MAC.pod b/doc/man3/EVP_MAC.pod index 8fd237599e29d..56ac92a486728 100644 --- a/doc/man3/EVP_MAC.pod +++ b/doc/man3/EVP_MAC.pod @@ -481,7 +481,7 @@ These functions were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_SIGNATURE.pod b/doc/man3/EVP_SIGNATURE.pod index a4ee9c4807d7a..1f534ef33810e 100644 --- a/doc/man3/EVP_SIGNATURE.pod +++ b/doc/man3/EVP_SIGNATURE.pod @@ -106,7 +106,7 @@ The functions described here were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_CMP_validate_msg.pod b/doc/man3/OSSL_CMP_validate_msg.pod index 7dbe3f74ca1eb..c416a49d77720 100644 --- a/doc/man3/OSSL_CMP_validate_msg.pod +++ b/doc/man3/OSSL_CMP_validate_msg.pod 
@@ -76,7 +76,7 @@ The OpenSSL CMP support was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_STORE_open.pod b/doc/man3/OSSL_STORE_open.pod index 8e4a9a7926785..1b3b0764aeca8 100644 --- a/doc/man3/OSSL_STORE_open.pod +++ b/doc/man3/OSSL_STORE_open.pod @@ -182,7 +182,7 @@ OSSL_STORE_ctrl() and OSSL_STORE_vctrl() were deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/PKCS12_create.pod b/doc/man3/PKCS12_create.pod index 993e50777e1d9..5291338d3c4d0 100644 --- a/doc/man3/PKCS12_create.pod +++ b/doc/man3/PKCS12_create.pod @@ -120,7 +120,7 @@ standards. =head1 COPYRIGHT -Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/PKCS12_gen_mac.pod b/doc/man3/PKCS12_gen_mac.pod index 07f8855ecf7f6..a72df145fedd7 100644 --- a/doc/man3/PKCS12_gen_mac.pod +++ b/doc/man3/PKCS12_gen_mac.pod @@ -64,7 +64,7 @@ L =head1 COPYRIGHT -Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy 
diff --git a/doc/man3/SSL_CONF_CTX_set_ssl_ctx.pod b/doc/man3/SSL_CONF_CTX_set_ssl_ctx.pod index b74c869b83d2d..3913ea9390079 100644 --- a/doc/man3/SSL_CONF_CTX_set_ssl_ctx.pod +++ b/doc/man3/SSL_CONF_CTX_set_ssl_ctx.pod @@ -55,7 +55,7 @@ These functions were added in OpenSSL 1.0.2. =head1 COPYRIGHT -Copyright 2012-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2012-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/EVP_KDF-PKCS12KDF.pod b/doc/man7/EVP_KDF-PKCS12KDF.pod index 05d4e902bd30f..9865365698642 100644 --- a/doc/man7/EVP_KDF-PKCS12KDF.pod +++ b/doc/man7/EVP_KDF-PKCS12KDF.pod @@ -80,7 +80,7 @@ This functionality was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/EVP_RAND-TEST-RAND.pod b/doc/man7/EVP_RAND-TEST-RAND.pod index feab01431d928..b7a0e0b43c481 100644 --- a/doc/man7/EVP_RAND-TEST-RAND.pod +++ b/doc/man7/EVP_RAND-TEST-RAND.pod @@ -113,7 +113,7 @@ This functionality was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/provider-storemgmt.pod b/doc/man7/provider-storemgmt.pod index a8ce43c4bb2b5..81d407a4b8b91 100644 --- a/doc/man7/provider-storemgmt.pod +++ b/doc/man7/provider-storemgmt.pod 
@@ -212,7 +212,7 @@ OSSL_FUNC_store_delete() callback was added in OpenSSL 3.2 =head1 COPYRIGHT -Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/include/crypto/asn1.h b/include/crypto/asn1.h index 180238526b92d..36af1d7689293 100644 --- a/include/crypto/asn1.h +++ b/include/crypto/asn1.h @@ -1,5 +1,5 @@ /* - * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/crypto/context.h b/include/crypto/context.h index af81e15e1dc51..7369a730fb812 100644 --- a/include/crypto/context.h +++ b/include/crypto/context.h @@ -1,5 +1,5 @@ /* - * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/crypto/rand.h b/include/crypto/rand.h index 730be8b5d0245..5841cccaa66e9 100644 --- a/include/crypto/rand.h +++ b/include/crypto/rand.h @@ -1,5 +1,5 @@ /* - * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/store.h b/include/openssl/store.h index 46fb4d40f0fd4..e6ea3cf87886a 100644 --- a/include/openssl/store.h +++ b/include/openssl/store.h 
@@ -1,5 +1,5 @@ /* - * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/common/provider_seeding.c b/providers/common/provider_seeding.c index f6463f8ada30c..c7b2ea6da62a3 100644 --- a/providers/common/provider_seeding.c +++ b/providers/common/provider_seeding.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c index 82a7ac78fb013..f13c41abd671a 100644 --- a/providers/fips/self_test_kats.c +++ b/providers/fips/self_test_kats.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/ciphers/cipher_aes_ccm.c b/providers/implementations/ciphers/cipher_aes_ccm.c index 3930f52d60650..8c96328096ac7 100644 --- a/providers/implementations/ciphers/cipher_aes_ccm.c +++ b/providers/implementations/ciphers/cipher_aes_ccm.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
diff --git a/providers/implementations/ciphers/cipher_aes_gcm.c b/providers/implementations/ciphers/cipher_aes_gcm.c index edc3cc262ef95..1114bd874063c 100644 --- a/providers/implementations/ciphers/cipher_aes_gcm.c +++ b/providers/implementations/ciphers/cipher_aes_gcm.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/ciphers/cipher_aria_ccm.c b/providers/implementations/ciphers/cipher_aria_ccm.c index 5fae5934698a2..0a0f52cdcc1b0 100644 --- a/providers/implementations/ciphers/cipher_aria_ccm.c +++ b/providers/implementations/ciphers/cipher_aria_ccm.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/ciphers/cipher_aria_gcm.c b/providers/implementations/ciphers/cipher_aria_gcm.c index f9eb64cc194f6..e794a80a00a49 100644 --- a/providers/implementations/ciphers/cipher_aria_gcm.c +++ b/providers/implementations/ciphers/cipher_aria_gcm.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/ciphers/cipher_sm4_ccm.c b/providers/implementations/ciphers/cipher_sm4_ccm.c index 47fc6e103cce0..3af84d85b7dc1 100644 --- a/providers/implementations/ciphers/cipher_sm4_ccm.c 
+++ b/providers/implementations/ciphers/cipher_sm4_ccm.c @@ -1,5 +1,5 @@ /* - * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/ciphers/cipher_sm4_gcm.c b/providers/implementations/ciphers/cipher_sm4_gcm.c index e8fcf5787e489..1128f659393e0 100644 --- a/providers/implementations/ciphers/cipher_sm4_gcm.c +++ b/providers/implementations/ciphers/cipher_sm4_gcm.c @@ -1,5 +1,5 @@ /* - * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/ssl/ssl_init.c b/ssl/ssl_init.c index a2d7595089559..70e567b72c149 100644 --- a/ssl/ssl_init.c +++ b/ssl/ssl_init.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/afalgtest.c b/test/afalgtest.c index 429e2da3c9e46..764f07e927709 100644 --- a/test/afalgtest.c +++ b/test/afalgtest.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/chacha_internal_test.c b/test/chacha_internal_test.c index d52479b6584d8..d316bfd7b3617 100644 --- a/test/chacha_internal_test.c 
+++ b/test/chacha_internal_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/drbgtest.c b/test/drbgtest.c index bb2a9f1b99a68..13bc62a4c0db5 100644 --- a/test/drbgtest.c +++ b/test/drbgtest.c @@ -1,5 +1,5 @@ /* - * Copyright 2011-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2011-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/fake_rsaprov.h b/test/fake_rsaprov.h index 9c353b386f3b6..cb2e66eb68ef2 100644 --- a/test/fake_rsaprov.h +++ b/test/fake_rsaprov.h @@ -1,5 +1,5 @@ /* - * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/helpers/handshake_srp.c b/test/helpers/handshake_srp.c index 95fb101059f2e..8522388a47f00 100644 --- a/test/helpers/handshake_srp.c +++ b/test/helpers/handshake_srp.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/ocspapitest.c b/test/ocspapitest.c index a448731380ecc..13026d6b4a42b 100644 --- a/test/ocspapitest.c +++ b/test/ocspapitest.c 
@@ -1,5 +1,5 @@ /* - * Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/pkcs12_format_test.c b/test/pkcs12_format_test.c index e2048bc27e75b..2c28040a3e9f6 100644 --- a/test/pkcs12_format_test.c +++ b/test/pkcs12_format_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/provider_pkey_test.c b/test/provider_pkey_test.c index 7d5fcfa647e78..4abbdd33ec4d6 100644 --- a/test/provider_pkey_test.c +++ b/test/provider_pkey_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/15-test_genec.t b/test/recipes/15-test_genec.t index 3e8c55071c4b1..4d5090fa398a8 100644 --- a/test/recipes/15-test_genec.t +++ b/test/recipes/15-test_genec.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/testutil/driver.c b/test/testutil/driver.c index 033be2fcc5e0e..346092b0046d8 100644 --- a/test/testutil/driver.c +++ b/test/testutil/driver.c 
@@ -1,5 +1,5 @@ /* - * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/testutil/tests.c b/test/testutil/tests.c index efc4fd2b649a7..42afab1ada1f1 100644 --- a/test/testutil/tests.c +++ b/test/testutil/tests.c @@ -1,5 +1,5 @@ /* - * Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy From 746b95cc38d7c85a406ee34b609069c3da616e08 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 28 Sep 2023 14:24:31 +0100 Subject: [PATCH 267/324] make update Reviewed-by: Richard Levitte Release: yes --- providers/fips-sources.checksums | 66 ++++++++++++++++---------------- providers/fips.checksum | 2 +- 2 files changed, 34 insertions(+), 34 deletions(-) diff --git a/providers/fips-sources.checksums b/providers/fips-sources.checksums index db0dda5af6d5c..fc38dce27e395 100644 --- a/providers/fips-sources.checksums +++ b/providers/fips-sources.checksums 
@@ -117,7 +117,7 @@ a6e8cf30340ffaec8aec41dfbef7341afe21e7b13e48899403c529368c0ec6fa crypto/context 67c2367871b9350a7f7af5be903d6bcca9ebdbff0e9a9bd9f61b56bef5b76696 crypto/core_algorithm.c f0fd9eb38bf7f196bbb4d26ce8fdf86d0a4f9db219157e66b2c0ffefb4f42005 crypto/core_fetch.c 2f03908edadddc55a61e4cfb4d76751a342f61aad564971df37a6b90c7b2a26f crypto/core_namemap.c -fe83e1d30a9ef0aa86c1342b4228380dea7e90f9f3cc8d28f5423dfbc1ded011 crypto/cpuid.c +a7f86c1495a140e5dc2acb737c5ff835691ead833842e0a37bbfc2116530b246 crypto/cpuid.c a6732e22ccb49cf51fc9dbf23f6059774b70ecc3d7e848c5df112a2d3c179027 crypto/cryptlib.c 66dbfc58916709d5a6913777346083247942a8d9458ee9b2bf443f0ea4988d64 crypto/ctype.c 51e56541daea6d4a26d5bae2ea458414063bf08b045bab8df370f6695903e0a5 crypto/der_writer.c @@ -161,7 +161,7 @@ ee897e230964511baa0d1bf95fb938312407a40a88ebe01476879c2763e5f732 crypto/ec/asm/ 063dac1e4a9573c47532123e9e03e3532a7473cc3e146521ba9ec6f486ddf3b1 crypto/ec/curve448/arch_64/arch_intrinsics.h 43423b7ee85a5c740c1d81499ee06f4a17732c7731a598e7429d5e402ee77cf4 crypto/ec/curve448/arch_64/f_impl.h c3146bb6777776d39b89647e3dd3e8afc3d19338c75ff294d6986289cef59c40 crypto/ec/curve448/arch_64/f_impl64.c -a3803940dcb1e53358edac1bc05fe8777b8007668d5aa11af5812b97d4f94c63 crypto/ec/curve448/curve448.c +cba11345e742cd4eedead0505f92062916ece6fa688cdbdf6466fbea12a7b16c crypto/ec/curve448/curve448.c a6c70707c520234ccd111562f012e1abf83c43b20b3b36c339ef1ea0369a9e5f crypto/ec/curve448/curve448_local.h 178fb9863c33174b633c2e7607160b1bedb506d66cc06d53382d87431441f306 crypto/ec/curve448/curve448_tables.c f30e13bba5a136ab9ba5225c98b9b94c2cd73fb3aef60f9dcde3cd471cfa1ca4 crypto/ec/curve448/curve448utils.h 
@@ -169,7 +169,7 @@ f30e13bba5a136ab9ba5225c98b9b94c2cd73fb3aef60f9dcde3cd471cfa1ca4 crypto/ec/curv 498fda3e0f2d261ab9729ae4de05ff1b496af4582aa019f507570f852d5a2726 crypto/ec/curve448/eddsa.c 9f712e7397b10f1dc88a6d18ff38dcda13d09c02775f3682f2b8698715b1095a crypto/ec/curve448/f_generic.c 070daafb9a532ebb8bc0af8b1341254f0cd3e8932a8c8a2dca7baeef6678768b crypto/ec/curve448/field.h -2ad8331e893b5db33198e27603891587686c0dfdab29706dc52a7097c5d6f219 crypto/ec/curve448/point_448.h +514014f9fa7835056aab1e6df5511fd7de8ecef3cfcada8e0eadec9b727b419c crypto/ec/curve448/point_448.h 1ff6e467d72530c71d21c310180d04a24f0a9cb41168fba94b43309ecdda3888 crypto/ec/curve448/scalar.c 3052a044afae2e91b677542fc8b34b3ec9d033e0c6562b0d43098cfb34ab3c9d crypto/ec/curve448/word.h ae1637d89287c9d22a34bdc0d67f6e01262a2f8dcef9b61369dba8c334f5a80d crypto/ec/ec2_oct.c @@ -222,7 +222,7 @@ c4c8a30541a51d50872f03994829419a72d52c8207f9047fdc6fd28dfd43c057 crypto/evp/key 759573aea2a4cc7b6f763b440e6868bfcfcb7ca94d812fa61ab24a194be2cb36 crypto/evp/pmeth_gn.c 7d9dfc974d15a2b7e2c1c6c54a594f0a14ccdfe5e2e1afe84a3a52130ac8097b crypto/evp/pmeth_lib.c 76d005962440945c127571ca3b3ece7c55944828b41d48c0bd1b819bd40408ab crypto/evp/signature.c -49059c31a933b2cc173ea0e3b5778e3cde9cf209fff624827c0915dc9f0324d7 crypto/ex_data.c +64f7e366e681930ba10267272b87dba223b9744a01c27ba0504a4941802a580d crypto/ex_data.c d986ec74995b05ff65a68df320ab45894ba35d7be4906f8d78ca5fca294a4e6c crypto/ffc/ffc_backend.c a12af33e605315cdddd6d759e70cd9632f0f33682b9aa7103ed1ecd354fc7e55 crypto/ffc/ffc_dh.c 854378f57707e31ad02cca6eec94369f91f327288d3665713e249c12f7b13211 crypto/ffc/ffc_key_generate.c 
@@ -233,8 +233,8 @@ c9c635805b26d85e8c0c7720592fb04b674cde4339fcd94712a4403e8677cb41 crypto/ffc/ffc 0a4fc92e408b0562cf95c480df93a9907a318a2c92356642903a5d50ed04fd88 crypto/hmac/hmac.c 0395c1b0834f2f4a0ca1756385f4dc1a4ef6fb925b2db3743df7f57256c5166f crypto/hmac/hmac_local.h 0e2d6129504d15ffaf5baa63158ccec0e4b6193a8275333956d8f868ef35127e crypto/ia64cpuid.S -5b38180a8ed150ab1be44a86cacd0c6668d2e6ba3de6b0c3420c8056543af54d crypto/initthread.c -6259c0e543faadc1c06a16095df38e9e4ce74a25b74e2951e601f9d4ea9bfb77 crypto/lhash/lhash.c +3f123f7de496711fa60c47aeaef96640571dbcb1657b23901307e04c3d712579 crypto/initthread.c +ee895c071ffb217e0f223d5546ae84cadde6701af67e718e9af7f06af531fa42 crypto/lhash/lhash.c 5d49ce00fc06df1b64cbc139ef45c71e0faf08a33f966bc608c82d574521a49e crypto/lhash/lhash_local.h a4f8f200ca749db91da97735c107836dfb2b623424b15c020ec6e48d874f4564 crypto/loongarch64cpuid.pl 460a7af09cde89a820b091522ada1310cfcec99c60aee505f94c48c35e9a29e8 crypto/loongarchcap.c 
@@ -265,14 +265,14 @@ bdf25257b15eca206be4d950d2dd807ca5f058f91f54edbd7a0d312ed83eef8e crypto/modes/o e55a816c356b2d526bc6e40c8b81afa02576e4d44c7d7b6bbe444fb8b01aad41 crypto/modes/wrap128.c 608a04f387be2a509b4d4ad414b7015ab833e56b85020e692e193160f36883a2 crypto/modes/xts128.c fb874ea18e9754dde11ef1c2993818074ff7cd8a74a981598745f7e11317bb91 crypto/modes/xts128gb.c -e49f44c0c91789015fd45f9260eafe3139e6b73ca2af612df4aa21b71c637ca1 crypto/o_str.c +f89e6864ebbff6321e360a6543d45b5f30773a86217ef37c7dfc146b7aa49d4b crypto/o_str.c b0decda3aae1d3e07cf3cbe9153cdde9deafe65fae346cd208951b4d7dec512e crypto/packet.c fb60966da0d636a59921c7eeadebedb79caa9667eb1622330ab7e1f31a8d24eb crypto/param_build.c fa2062acdb901c9b15904b5c8f805247bba8b0eaa935c35fdfbe8d53ff463a7a crypto/param_build_set.c a267f41a7dead2b1f7ea35ad7d2d04db50cb75d0fb20fbc2fa72ba7ea4dc34a0 crypto/params.c bb7b79b5a070050f5e7dfc66b5635f0891bc278e3e24eec3583b769b33bef657 crypto/params_dup.c b2bd2b5cf3de2fe130223470da22fe4c1b08e75f0c10fcb7d0c089c9f9851f78 crypto/params_from_text.c -e7bdda0dcbf7aa6d4b9d55efd7c59e78bc68aca644d64a7c316a044bccf20505 crypto/params_idx.c +9e9b831ae8f2f2ef75b29152a0b65bc157f4717f928d23a403fa49e11432daf8 crypto/params_idx.c c27b8c1659274be74e2d6e9fd76980df499d1331c0c2d51f41b3ad547ba88d59 crypto/ppccap.c 46fa4994a6234a98a2845d9337475913f6bc229f1928abc82224de7edf2784b8 crypto/ppccpuid.pl 467c416422ecf61e3b713c5eb259fdbcb4aa73ae8dee61804d0b85cfd3fff4f7 crypto/property/defn_cache.c 
@@ -284,7 +284,7 @@ a7cefda6a117550e2c76e0f307565ce1e11640b11ba10c80e469a837fd1212a3 crypto/propert bf5e9f8e49672afc09f4130ba300844d4412f9e3467985f693da70e34f1a4f3a crypto/provider_core.c d0af10d4091b2032aac1b7db80f8c2e14fa7176592716b25b9437ab6b53c0a89 crypto/provider_local.h 5ba2e1c74ddcd0453d02e32612299d1eef18eff8493a7606c15d0dc3738ad1d9 crypto/provider_predefined.c -ba5c07983cb1d18e6d3e97f8ea16f99175c5461efe99d160051c6bd2886c0217 crypto/rand/rand_lib.c +d2851ce0930b36e6f1fbc593a756d9a7c8097eb6b0ace163cecd917c8e9637dd crypto/rand/rand_lib.c fd03b9bb2c23470fa40880ed3bf9847bb17d50592101a78c0ad7a0f121209788 crypto/rand/rand_local.h f67fcf8351b046a00cf1baea29aefab3b4fc9521e0ba508abdd1a9ca44de40c3 crypto/riscv32cpuid.pl c0ff6a8ca7f52f759a945c4d475d00168b12386324e8177f301127b405ca793e crypto/riscv64cpuid.pl @@ -352,7 +352,7 @@ fb06844e7c3b014a58dccc8ec6020c71843cfdc5be08288bc7d204f0a840c474 crypto/sha/asm 0611845c52091b0208dd41f22ddef9dd1e68d3d92fa4c4360738b840a6314de6 crypto/sha/asm/sha512-sparcv9.pl f64d16c1e5c3fa4a7969de494a8372127502171a517c14be7a1e3a43a7308699 crypto/sha/asm/sha512-x86_64.pl 8725cabb8d695c576619f19283b034074a3fa0f1c0be952a9dbe9793be15b907 crypto/sha/asm/sha512p8-ppc.pl -b69b8a21115f4167641ef94f30846e367f479a2153a5de2991f0a34c564ce4b1 crypto/sha/keccak1600.c +83d52563e8b85ebf9e3448392c0b535a8564b7aaafc595e7a6653035a4511155 crypto/sha/keccak1600.c 306cacd3f86e5cacaca74c58ef862516515e5c0cafaff48636d537fd84f1c2fb crypto/sha/sha1dgst.c af4756bfeeabca490834f51e45e3fd726b5bbb35bb682b73d857a8c2e080c64f crypto/sha/sha256.c 3d972a11be18bfbfcd45790028635d63548bfe0a2e45d2fc56b6051b759d22f0 crypto/sha/sha3.c 
@@ -375,13 +375,13 @@ e29e0fc64feaa71c68da6e5f2fa8a00853f9b2d6a8b516eb474bde51e23065f6 crypto/threads 8b45f948303045d8f753858b1b892e3da13bebe1bdac500db91fbb54a0ac07da crypto/time.c fd6c27cf7c6b5449b17f2b725f4203c4c10207f1973db09fd41571efe5de08fd crypto/x86_64cpuid.pl bbec287bb9bf35379885f8f8998b7fd9e8fc22efee9e1b299109af0f33a7ee16 crypto/x86cpuid.pl -f24620e63469b36f9e015841fdabde2af35982268e61183fafcbd6fbdeeeca1d include/crypto/aes_platform.h -99e3f29e2f7f78a4f43f634c5c56a74e3b64b05ad077249eba64976bc47d6d37 include/crypto/asn1.h +492e7ba619c2e23a454503a7eaccf455af638484090d4671258203739666c644 include/crypto/aes_platform.h +68f6c521b1dbfacb99d75cb1ffdbcd1795d6e0157df69c6c6a7c04f85ea715ec include/crypto/asn1.h 8c6f308c1ca774e6127e325c3b80511dbcdc99631f032694d8db53a5c02364ee include/crypto/asn1_dsa.h d95af0a278bc2edef9c3e1129fc6e7b1577b1ea95249b05ef39c4a4847e9ddac include/crypto/bn.h 1c46818354d42bd1b1c4e5fdae9e019814936e775fd8c918ca49959c2a6416df include/crypto/bn_conf.h.in 7a43a4898fcc8446065e6c99249bcc14e475716e8c1d40d50408c0ab179520e6 include/crypto/bn_dh.h -9a7c2ed3703a83e14d25440dc63ef933b21a7225dfc28314a2a23e31706153e9 include/crypto/context.h +a6957475e4c7ae80c06537c3fd3b63f2368b664da54a96befd0a6fa38de27b4a include/crypto/context.h e69b2b20fb415e24b970941c84a62b752b5d0175bc68126e467f7cc970495504 include/crypto/cryptlib.h 6c72cfa9e59d276c1debcfd36a0aff277539b43d2272267147fad4165d72747c include/crypto/ctype.h 09a27585de4638577b482ec9102a0e70d843dee6297a2d45e27d888f6de5e27f include/crypto/decoder.h 
@@ -394,7 +394,7 @@ c7aafee54cc3ace0c563f15aa5af2cdce13e2cfc4f9a9a133952825fb7c8faf5 include/crypto bbe5e52d84e65449a13e42cd2d6adce59b8ed6e73d6950917aa77dc1f3f5dff6 include/crypto/lhash.h 906bc2316e4f4651e5db7a8273ec3bb4bcbfb55f0f484bebdae4f6d0ce033bdf include/crypto/md32_common.h 6e7762e7fb63f56d25b24f70209f4dc834c59a87f74467531ec81646f565dbe3 include/crypto/modes.h -8aa4f71ebd9753baceed428e323d5f550d74aff43ab9a55eda7c096d838b8f49 include/crypto/rand.h +38fdd544efa495426cc684894727cf05a0f125f5cf6e11de133d43f785d5bcce include/crypto/rand.h 90930fc8788d6e04e57829346e0405293ac7a678c3cef23d0692c742e9586d09 include/crypto/rand_pool.h 2f502340909e531a9a7c71451400eb68a53bf62015c17b0169b1efffb0703882 include/crypto/rsa.h 32f0149ab1d82fddbdfbbc44e3078b4a4cc6936d35187e0f8d02cc0bc19f2401 include/crypto/security_bits.h @@ -411,7 +411,7 @@ dc5afb955d810feb5af9f8d25cd8a92118abef320fee95c07b04f301c4e0d96c include/intern 8059e715f981fbe02b5731610ed24bb6ae617a55e90b03f4260cbb6ccd71e8de include/internal/deterministic_nonce.h fd1722d6b79520ee4ac477280d5131eb1b744c3b422fd15f5e737ef966a97c3b include/internal/dso.h f144daebef828a5bd4416466257a50f06b894e0ce0adf1601aa381f34f25a9e7 include/internal/dsoerr.h -6b15a2abd526a0c09aedd122b4e7bd4a1c132d586f7ac11837b05549a28a4b31 include/internal/e_os.h +99276e4650bfdcddac06eaa70dd2e255b30b61ebd8ef948384e28b1dd17ddb61 include/internal/e_os.h 70d3e0d5a1bd8db58dcc57bea4d1c3ed816c735fe0e6b2f4b07073712d2dc5ef include/internal/endian.h 19b0b6356921484359c2e5e7839ffc476fe48a31fbae31595545a58c920ae224 include/internal/ffc.h 55c4102496ed5ab16de11afe38c328a1396c3b6e2c7e44add4a38855103c19da include/internal/namemap.h 
@@ -440,7 +440,7 @@ ef96b731db0e0998c11a297d601f5b37c02525774d532fb4f92160e9069c7dfc include/intern 47fd81a330f042baf3675f4154c6276ab7a8cf76efaf01288abe41f119ec5588 include/openssl/asn1.h.in d4733dcd490b3a2554eaf859d1ea964fe76f7d24f78e42be1094bdad6dee7429 include/openssl/asn1err.h 1550474ee05423896ec4abfb6346f1bc44c7be22329efac9ea25de10e81d549c include/openssl/asn1t.h.in -96c3b90a890f5dce1c9186c8d5bc26769bb8e1f0254d304fc9f1ae018344b497 include/openssl/bio.h.in +5610c3cb39f1c6d6dc071836b4b92f686f1c5931bfc11de0ba9a9bcd0bdc995b include/openssl/bio.h.in fe5ab4bc904b7c77e5411c4b7dda6d29595eb60a87f00e30ab32f48391f98b44 include/openssl/bioerr.h 9caa80699882befcce556446a45e5ffde5aa938aa2aae0e8ecd46c9c6a3fe419 include/openssl/bn.h 9ad8b04764797f5138f01f549ba18b44cf698ffc7fe795fef42c1822d84a6ff4 include/openssl/bnerr.h @@ -452,7 +452,7 @@ f20c3c845129a129f5e0b1dae970d86a5c96ab49f2e3f6f364734521e9e1abe3 include/openss 69d98c5230b1c2a1b70c3e6b244fcfd8460a80ebf548542ea43bb1a57fe6cf57 include/openssl/configuration.h.in 6b3810dac6c9d6f5ee36a10ad6d895a5e4553afdfb9641ce9b7dc5db7eef30b7 include/openssl/conftypes.h 28c6f0ede39c821dcf4abeeb4e41972038ebb3e3c9d0a43ffdf28edb559470e1 include/openssl/core.h -99d507e9aa0b4ad94b191b1aba2cb5d426b8fe130910e6f9c86a8ca62f42f8cc include/openssl/core_dispatch.h +6876672a5dc96fbf25162b48615ea8f827f3ac3e7982bd09b0d0a7a2dd74cfc0 include/openssl/core_dispatch.h 8b4027cf19ce2a7cbad506cde61552123818b6eae62d5fbdae34e9f68660e6f8 include/openssl/core_names.h.in 371413ef13841f1245a225c8ec1cec463629c42bfc33254f979d2a8672112f9a include/openssl/crypto.h.in 2f9570c2514b4d1b2a86fbdf30ced879e5c52e62f1d3691cb3da37ce4f6a98dd include/openssl/cryptoerr.h 
@@ -491,7 +491,7 @@ ed785c451189aa5f7299f9f32a841e7f25b67c4ee937c8de8491a39240f5bd9d include/openss 08980b1dbc01e2926fc59707d867030fc7a3d37dc625c0e1edf2d31bdf71b2fb include/openssl/proverr.h 03bda8974476f0f038a7cfa0cb30f0b8210d55c74c6e7e853fd1564dca3e2b14 include/openssl/provider.h e512ab2e492d968a9bf8b2b048f79ac5dfe11bddf3c00f2eec6e9c6ecc57d330 include/openssl/rand.h -108966f56c82fedff53df76a4aa7861c82be4db1fd1ddafb59dc086ea155831c include/openssl/randerr.h +5be9d723cf368b48ab35bda5db1a3e83bda6e9e38218dd0b020be1a5427e7488 include/openssl/randerr.h 2f4f0106e9b2db6636491dbe3ef81b80dbf01aefe6f73d19663423b7fcd54466 include/openssl/rsa.h 2f339ba2f22b8faa406692289a6e51fdbbb04b03f85cf3ca849835e58211ad23 include/openssl/rsaerr.h 6586f2187991731835353de0ffad0b6b57609b495e53d0f32644491ece629eb2 include/openssl/safestack.h.in 
@@ -533,29 +533,29 @@ e1ef8b2be828a54312d6561b37751a5b6e9d5ebdb6c3e63589728c3d8adca7dc providers/comm c2b4301a9f835c0b3776ad3afba7121d00cd7ae6387fe11c96269a37da08027c providers/common/include/prov/securitycheck.h 737cc1228106e555e9bab24e3c2438982e04e05b0d5b9ee6995d71df16c49143 providers/common/provider_ctx.c 3f5656c405ec57a261df7af940c1512990555361f69488a28d65e16f6b865a1d providers/common/provider_err.c -2f334bf2292bc394778eacaec57e7419e62d0918c166098cc65a09e8c3f5171e providers/common/provider_seeding.c +101d50bfdd8a9aaf096f5d0d80b874d9c59f9c0c4433159cda96426777aae09f providers/common/provider_seeding.c 6e833d259d04cdedc007e6cda52fd706527edcf4b4432dbd88cbf45c3f7a4442 providers/common/provider_util.c 5b94312727ca33e4f5c038f4caaae8417bf584cfde22df83d91f3c55c30c81ee providers/common/securitycheck.c bc4370324c4c8791ea6de8641d255073c6745ee984e18912d535e155d9815244 providers/common/securitycheck_fips.c abd5997bc33b681a4ab275978b92aebca0806a4a3f0c2f41dacf11b3b6f4e101 providers/fips/fips_entry.c -5d4c2e93c2aef3f74aea56e6680bc1735081f680102f09d7d0b22d1df53767fb providers/fips/fipsprov.c -bf247e11ce05e274ab668e80e6e86ed3747b2848570e20b993e68b54559334a3 providers/fips/self_test.c +42cd9a91e687784eb44be472075f3ed5f6ec60a47fc1db7ef5b577949cbbee85 providers/fips/fipsprov.c +029fad3c27617c725e516621c2f6c3a0e1dca0fa22f4e89a1a6b9a977c8d935d providers/fips/self_test.c f822a03138e8b83ccaa910b89d72f31691da6778bf6638181f993ec7ae1167e3 providers/fips/self_test.h 551631b909f8d173eafcccac782a44c8aed92bb8463bfccdb936b7f3aee2a48b providers/fips/self_test_data.inc -ed6dc106e223a422b133f774f94079fcd404899d7fad624179dd152354dbb500 providers/fips/self_test_kats.c +5b6d8dbc1365974eb9a5d417b2276d40fa7b9e733bb224200d20a61b4b025973 providers/fips/self_test_kats.c 4428a56f5d195547348c743df0c14ac9c97cd7b60ce09b76cffe5e7c9296daec providers/implementations/asymciphers/rsa_enc.c c2f1b12c64fc369dfc3b9bc9e76a76de7280e6429adaee55d332eb1971ad1879 providers/implementations/ciphers/cipher_aes.c 
f9d4b30e7110c90064b990c07430bb79061f4436b06ccaa981b25c306cfbfaa2 providers/implementations/ciphers/cipher_aes.h -480c1f44157dff5fc65369f5c29a5369528061576c00a6454f3e54b37f9f8af1 providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c +20494fb9eb9f0578a3a574e0c6406108cfb28d7895a1891d57b3238420ec4f7b providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c 7668e5c1cac474ad7b0f28aa78ca885edf44815fe4a606a6cd328b3c02fac25a providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.h 26e0f28523b416ba4067e471061f5a11fd76f5dc8bfe57ce37a137cf5667630b providers/implementations/ciphers/cipher_aes_cbc_hmac_sha1_hw.c 6d2ab2e059ef38fad342d4c65eebd533c08a2092bb174ff3566c6604e175c5a4 providers/implementations/ciphers/cipher_aes_cbc_hmac_sha256_hw.c -6d6bf36329af3b77f457898294be05fea3940a61cdaf0ed60cfb8d091a94186e providers/implementations/ciphers/cipher_aes_ccm.c +f37c3cf9e2e6fcfcbed941f3670b790fe09990349db72eb065bef51705d46e96 providers/implementations/ciphers/cipher_aes_ccm.c 00f36bf48e522dbb5ec71df0ec13e387955fa3672e6ff90e8a412ae95c4a642f providers/implementations/ciphers/cipher_aes_ccm.h 17b9d63357824c24b48c889e27f74e8882bfce740f4c755ae5843def46abe650 providers/implementations/ciphers/cipher_aes_ccm_hw.c 302b3819ff9fdfed750185421616b248b0e1233d75b45a065490fe4762b42f55 providers/implementations/ciphers/cipher_aes_ccm_hw_aesni.inc a8eaca99a71521ff8ac4ffcf08315e59220f7e0b7f505ecddad04fadd021ec14 providers/implementations/ciphers/cipher_aes_cts.inc -710ee60704dd9dffa2a11e2e96596af1f7f84f915cedcedeec7292e0d978317a providers/implementations/ciphers/cipher_aes_gcm.c +7e886ecc088b5903aa082eac72a4c46f9064392bdf5723a592368ecebfeb71c0 providers/implementations/ciphers/cipher_aes_gcm.c 79f5a732820d2512a7f4fc2a99ece7e6e2523a51e62561eb67a4b70d5538b0c4 providers/implementations/ciphers/cipher_aes_gcm.h 986450da9f87b3cea00880c5bb5b0908b201ba27f68942b9f8bfff393610b3bb providers/implementations/ciphers/cipher_aes_gcm_hw.c be18c20e0197f25fe7b9e0268657a2271a69d216b89cb100f082fa5fcaad1e07 
providers/implementations/ciphers/cipher_aes_gcm_hw_aesni.inc @@ -565,7 +565,7 @@ be18c20e0197f25fe7b9e0268657a2271a69d216b89cb100f082fa5fcaad1e07 providers/impl 5eb2b02ac65ed2c537c5be65779065077d141dd16730666a2bb00ca08b05f861 providers/implementations/ciphers/cipher_aes_ocb.c 88138a1aff9705e608c0557653be92eb4de65b152555a2b79ec8b2a8fae73e8f providers/implementations/ciphers/cipher_aes_ocb.h 5840571376d5e32681644224ef25e70ca771357f9e8ce152eada6a15df113731 providers/implementations/ciphers/cipher_aes_ocb_hw.c -be3e7c7069aa177f8a3485cf3e2d0e2f5ac28196372e8b6471e756580b7ac3ae providers/implementations/ciphers/cipher_aes_wrp.c +110f14e06311883d5e312b37e9d87c51f809592d3092ecd8eb449ea4bc7cac38 providers/implementations/ciphers/cipher_aes_wrp.c a79fde91348c9df6bb359e5353a442800ca514a1ffcb68e5cc5f7afe7d57d5ec providers/implementations/ciphers/cipher_aes_xts.c c4a2499b214d7cf786dafaaee5c8c6963b3d5d1c27c144eec4b460f839074a3b providers/implementations/ciphers/cipher_aes_xts.h 281157d1da4d7285d878978e6d42d0d33b3a6bc16e3bc5b6879e39093a7d70da providers/implementations/ciphers/cipher_aes_xts_fips.c 
@@ -586,13 +586,13 @@ bb67eaa7a98494ca938726f9218213870fc97dd87b56bda950626cc794baf20b providers/impl c4b1cb143de15acc396ce2e03fdd165defd25ebc831de9cdfacf408ea883c666 providers/implementations/ciphers/ciphercommon_local.h 39b47b6ef9d71852964c26e07ef0e9b23f04c7493b1b16ba7c3dba7074b6b70d providers/implementations/digests/digestcommon.c 5f41dd1bf77bd08d287a875f9d6e5a423bf286524694ae7ee133cdd03ee763c0 providers/implementations/digests/sha2_prov.c -9aa1ab14059f0b3db8091c7bb900e5f1487c0d0e925a71d79d7575f4a7a60444 providers/implementations/digests/sha3_prov.c +66a8eef0ecb12df2d38111735a7cb3257b85039c34fda6fc0e41db96e2d328cb providers/implementations/digests/sha3_prov.c 4b774bf9267ebe05bf90076bc18e19a21e03ee2716bdb8fc4e6458774e9a820c providers/implementations/exchange/dh_exch.c b2d80c38dd62b46f2dd71e81a5684f54f43200d3ddbb86178081760ecc93525c providers/implementations/exchange/ecdh_exch.c 4994df237719649b086a032bd64c1cf38ceb4e67dd8ec98da20edf5bc3eadb0b providers/implementations/exchange/ecx_exch.c 2c8421ca27626472fd263172c76188b8b3eeda996dc925d052a8809543a33c11 providers/implementations/exchange/kdf_exch.c 24b784d29c46f6f7fd6d775ecef6a96bfd5faaa7a555f0aa0c97e94b74f09bc1 providers/implementations/include/prov/ciphercommon.h -c83f3f7a45738aa10465b8371ad38827009273322bcd62969322bc4ab4bc81a2 providers/implementations/include/prov/ciphercommon_aead.h +a5ea831a23c0f52a37660437f6c61f129c3f8428daf6f8cd8dd458f358c56937 providers/implementations/include/prov/ciphercommon_aead.h a07b9c86346100feef15c9abb57e48a6099bc9fa782724a2283f17910ef192fb providers/implementations/include/prov/ciphercommon_ccm.h 45e45a82a91751b27cf5160f14b6407bce3372591dc965e565d8091e46179e6b providers/implementations/include/prov/ciphercommon_gcm.h b9a61ce951c1904d8315b1bb26c0ab0aaadb47e71d4ead5df0a891608c728c4b providers/implementations/include/prov/digestcommon.h 
@@ -627,11 +627,11 @@ f29f282463f5bc432129850619edc427fe1d6cc8aa107b5703b11858b48790da providers/impl 145f3d5d5ebd5fb3bbe32705d7d71ff03e35b776f1c77d2f43781263ccc6a808 providers/implementations/macs/kmac_prov.c 3034074f99b02db045f2ccecc8782322e876dad07a3c169bdb24168b6b1f8cbd providers/implementations/rands/crngt.c 51688b34a8ba14234cf91c318ce9f97b8a54dbb501d6f56aa53d472f877d3660 providers/implementations/rands/drbg.c -b436b9f1c5525884e9adcc941726e0cf4bb135517f4dc403f24fec128c9cae8c providers/implementations/rands/drbg_ctr.c -118c2f62f765c0324695cb286670ae024cbeaacd989666da8e3daa8d0ec44c65 providers/implementations/rands/drbg_hash.c -3096525926ee80fec225c16e89fc9d58867de5f63b1e7a0736ed56ca09f19f2b providers/implementations/rands/drbg_hmac.c -e65a6972711303a71636ee7e31cab6dfd1734a97e25b4dce119060c1487bbe33 providers/implementations/rands/drbg_local.h -26d86b55837f515684865cb0e327aea435a9b7f27bf296287d44209f9a5df6ff providers/implementations/rands/test_rng.c +c18ec061bfb908dadebd47ee49fd4aa3fd0d320a0ed85a0f8ae841be4be787d6 providers/implementations/rands/drbg_ctr.c +52df0b9fa3d9357364a27773418aba82def6ac3a3bf027f0e14398cf4e10a247 providers/implementations/rands/drbg_hash.c +989aae213883f4d21480a09273cc21b0ca5d482f4e2ebf6e513ce8853a7c727f providers/implementations/rands/drbg_hmac.c +df266cab55613a7515fa1eed7212bd07281d1d36bffcab436d2cb01cf514dd3d providers/implementations/rands/drbg_local.h +9fd2c79b264eed85ae750a70354fa9dfdfc54e8df72df6ceff403d68772214e8 providers/implementations/rands/test_rng.c a9aa31d091df5b8f6710dd36761dfe7d32b6da1881f8581bed85ad4e171b0969 providers/implementations/signature/dsa_sig.c 6c8b5f325c997014bd71331c9eb6c185838cd81c10c3ad74dd65289ae923d629 providers/implementations/signature/ecdsa_sig.c d9d4bbbb0af0d1db6f586a36fd63236e4becdd52468a1e6510994e80988400aa providers/implementations/signature/eddsa_sig.c diff --git a/providers/fips.checksum b/providers/fips.checksum index 5697105a43261..844a7f7b2bd72 100644 --- a/providers/fips.checksum 
+++ b/providers/fips.checksum @@ -1 +1 @@ -91f820645394cd8895d6fef399ee8e0df13817aa5430eda3ce8fbfb14ccfd3fc providers/fips-sources.checksums +179decb772ecd0063d75b578b699896a9b795033b891f520cc3577a2590d98b9 providers/fips-sources.checksums From 1e6b4baf546f46211e4f5c389c961d9878bbd198 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 28 Sep 2023 14:24:32 +0100 Subject: [PATCH 268/324] Prepare for release of 3.2 alpha 2 Reviewed-by: Richard Levitte Release: yes --- CHANGES.md | 2 +- NEWS.md | 2 +- VERSION.dat | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index f0b6898511ce1..aad65d78e58e3 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -23,7 +23,7 @@ OpenSSL Releases OpenSSL 3.2 ----------- -### Changes between 3.1 and 3.2 [xx XXX xxxx] +### Changes between 3.1 and 3.2 alpha 2 [28 Sep 2023] * Changed the default salt length used by PBES2 KDF's (PBKDF2 and scrypt) from 8 bytes to 16 bytes. diff --git a/NEWS.md b/NEWS.md index d0312961dfdc8..e326020c89fb4 100644 --- a/NEWS.md +++ b/NEWS.md @@ -20,7 +20,7 @@ OpenSSL Releases OpenSSL 3.2 ----------- -### Major changes between OpenSSL 3.1 and OpenSSL 3.2 [under development] +### Major changes between OpenSSL 3.1 and OpenSSL 3.2 alpha 2 [in pre-release] * Added client side support for QUIC. * Added multiple tutorials on the OpenSSL library and in particular diff --git a/VERSION.dat b/VERSION.dat index 584de32867eb5..72674dea692d5 100644 --- a/VERSION.dat +++ b/VERSION.dat @@ -1,7 +1,7 @@ MAJOR=3 MINOR=2 PATCH=0 -PRE_RELEASE_TAG=alpha2-dev +PRE_RELEASE_TAG=alpha2 BUILD_METADATA= -RELEASE_DATE="" +RELEASE_DATE="28 Sep 2023" SHLIB_VERSION=3 From 219bd6ac7061c40bd24f896f8652994d62d109de Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 28 Sep 2023 14:24:47 +0100 Subject: [PATCH 269/324] Prepare for 3.2 alpha 3 Reviewed-by: Richard Levitte Release: yes --- CHANGES.md | 2 +- NEWS.md | 2 +- VERSION.dat | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/CHANGES.md b/CHANGES.md index aad65d78e58e3..f0b6898511ce1 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -23,7 +23,7 @@ OpenSSL Releases OpenSSL 3.2 ----------- -### Changes between 3.1 and 3.2 alpha 2 [28 Sep 2023] +### Changes between 3.1 and 3.2 [xx XXX xxxx] * Changed the default salt length used by PBES2 KDF's (PBKDF2 and scrypt) from 8 bytes to 16 bytes. diff --git a/NEWS.md b/NEWS.md index e326020c89fb4..d0312961dfdc8 100644 --- a/NEWS.md +++ b/NEWS.md @@ -20,7 +20,7 @@ OpenSSL Releases OpenSSL 3.2 ----------- -### Major changes between OpenSSL 3.1 and OpenSSL 3.2 alpha 2 [in pre-release] +### Major changes between OpenSSL 3.1 and OpenSSL 3.2 [under development] * Added client side support for QUIC. * Added multiple tutorials on the OpenSSL library and in particular diff --git a/VERSION.dat b/VERSION.dat index 72674dea692d5..1969c68c3819f 100644 --- a/VERSION.dat +++ b/VERSION.dat @@ -1,7 +1,7 @@ MAJOR=3 MINOR=2 PATCH=0 -PRE_RELEASE_TAG=alpha2 +PRE_RELEASE_TAG=alpha3-dev BUILD_METADATA= -RELEASE_DATE="28 Sep 2023" +RELEASE_DATE="" SHLIB_VERSION=3 From 9f6eb62221358fe84b3d70e63378ae651bbc9705 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 27 Sep 2023 14:32:50 +0200 Subject: [PATCH 270/324] Test client certificate authentication with QUIC Reviewed-by: Paul Dale Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/22207) --- test/quicapitest.c | 96 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 96 insertions(+) diff --git a/test/quicapitest.c b/test/quicapitest.c index b02db15d65cbc..8452ba4b62daf 100644 --- a/test/quicapitest.c +++ b/test/quicapitest.c @@ -24,7 +24,10 @@ static OSSL_LIB_CTX *libctx = NULL; static OSSL_PROVIDER *defctxnull = NULL; static char *certsdir = NULL; static char *cert = NULL; +static char *ccert = NULL; +static char *cauthca = NULL; static char *privkey = NULL; +static char *cprivkey = NULL; static char *datadir = NULL; static int is_fips = 0; 
@@ -1192,6 +1195,83 @@ static int test_quic_psk(void) return testresult; } +static int test_client_auth(int idx) +{ + SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, OSSL_QUIC_client_method()); + SSL_CTX *sctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()); + SSL *clientquic = NULL; + QUIC_TSERVER *qtserv = NULL; + int testresult = 0; + unsigned char buf[20]; + static char *msg = "A test message"; + size_t msglen = strlen(msg); + size_t numbytes = 0; + + if (!TEST_ptr(cctx) || !TEST_ptr(sctx)) + goto err; + + SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT + | SSL_VERIFY_CLIENT_ONCE, NULL); + + if (!TEST_true(SSL_CTX_load_verify_file(sctx, cauthca))) + goto err; + + if (idx > 0 + && (!TEST_true(SSL_CTX_use_certificate_chain_file(cctx, ccert)) + || !TEST_true(SSL_CTX_use_PrivateKey_file(cctx, cprivkey, + SSL_FILETYPE_PEM)))) + goto err; + + if (!TEST_true(qtest_create_quic_objects(libctx, cctx, sctx, cert, + privkey, 0, &qtserv, + &clientquic, NULL, NULL))) + goto err; + + if (idx == 0) { + if (!TEST_false(qtest_create_quic_connection(qtserv, clientquic))) + goto err; + + /* negative test passed */ + testresult = 1; + goto err; + } + + if (!TEST_true(qtest_create_quic_connection(qtserv, clientquic))) + goto err; + + /* Check that sending and receiving app data is ok */ + if (!TEST_true(SSL_write_ex(clientquic, msg, msglen, &numbytes)) + || !TEST_size_t_eq(numbytes, msglen)) + goto err; + + ossl_quic_tserver_tick(qtserv); + if (!TEST_true(ossl_quic_tserver_write(qtserv, 0, + (unsigned char *)msg, + msglen, &numbytes))) + goto err; + + ossl_quic_tserver_tick(qtserv); + SSL_handle_events(clientquic); + + if (!TEST_true(SSL_read_ex(clientquic, buf, sizeof(buf), &numbytes)) + || !TEST_size_t_eq(numbytes, msglen) + || !TEST_mem_eq(buf, numbytes, msg, msglen)) + goto err; + + if (!TEST_true(qtest_shutdown(qtserv, clientquic))) + goto err; + + testresult = 1; + + err: + SSL_free(clientquic); + ossl_quic_tserver_free(qtserv); + SSL_CTX_free(sctx); + 
SSL_CTX_free(cctx); + + return testresult; +} + /* * Test that we correctly handle ALPN supplied by the application * Test 0: ALPN is provided @@ -1465,10 +1545,22 @@ int setup_tests(void) if (cert == NULL) goto err; + ccert = test_mk_file_path(certsdir, "ee-client-chain.pem"); + if (ccert == NULL) + goto err; + + cauthca = test_mk_file_path(certsdir, "root-cert.pem"); + if (cauthca == NULL) + goto err; + privkey = test_mk_file_path(certsdir, "serverkey.pem"); if (privkey == NULL) goto err; + cprivkey = test_mk_file_path(certsdir, "ee-key.pem"); + if (privkey == NULL) + goto err; + ADD_ALL_TESTS(test_quic_write_read, 3); ADD_TEST(test_fin_only_blocking); ADD_TEST(test_ciphersuites); @@ -1486,6 +1578,7 @@ int setup_tests(void) ADD_TEST(test_multiple_dgrams); ADD_ALL_TESTS(test_non_io_retry, 2); ADD_TEST(test_quic_psk); + ADD_ALL_TESTS(test_client_auth, 2); ADD_ALL_TESTS(test_alpn, 2); ADD_ALL_TESTS(test_noisy_dgram, 2); @@ -1501,6 +1594,9 @@ void cleanup_tests(void) bio_f_pkt_split_dgram_filter_free(); OPENSSL_free(cert); OPENSSL_free(privkey); + OPENSSL_free(ccert); + OPENSSL_free(cauthca); + OPENSSL_free(cprivkey); OSSL_PROVIDER_unload(defctxnull); OSSL_LIB_CTX_free(libctx); } From 8ed76c62b5d3214e807e684c06efd69c6471c800 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 26 Sep 2023 17:39:50 +0200 Subject: [PATCH 271/324] Optimize out unneeded up_ref/free of EVP_CIPHER Fixes #22189 Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22198) --- crypto/evp/evp_enc.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c index 84ce108b2540e..e1d3eeef641f8 100644 --- a/crypto/evp/evp_enc.c +++ b/crypto/evp/evp_enc.c 
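Review bot: test_client_auth has no header comment saying what each idx value exercises, although the neighbouring test_alpn documents its cases. I would add `/* Test 0: client presents no certificate, the handshake must fail */` and `/* Test 1: client presents ee-client-chain.pem, handshake and data exchange succeed */` above the function. The idx == 0 branch accepts any failure of `qtest_create_quic_connection()`, so it would still pass if the handshake broke for a reason unrelated to the missing client certificate. A comment on that branch should say so, or the branch should also check the failure reason if the test helpers expose it.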
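Review bot: The NULL check added after `cprivkey = test_mk_file_path(certsdir, "ee-key.pem");` in setup_tests tests `privkey` again, so a failed path allocation for `cprivkey` goes unnoticed. A NULL `cprivkey` would then be passed to `SSL_CTX_use_PrivateKey_file()` in test_client_auth when idx > 0. The check should read `if (cprivkey == NULL)`. setup_tests starts and ends outside this hunk, so the `err` path is not visible here.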
@@ -200,7 +200,12 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx, #endif } - if (cipher->prov != NULL) { + if (!ossl_assert(cipher->prov != NULL)) { + ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); + return 0; + } + + if (cipher != ctx->fetched_cipher) { if (!EVP_CIPHER_up_ref((EVP_CIPHER *)cipher)) { ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); return 0; From 15410839c668f97b5c03ee1a1bc1a2bf4315715f Mon Sep 17 00:00:00 2001 From: Pauli Date: Thu, 28 Sep 2023 11:34:48 +1000 Subject: [PATCH 272/324] Coverity 1545176: dereference before NULL check Reviewed-by: Tomas Mraz Reviewed-by: Tom Cosgrove (Merged from https://github.com/openssl/openssl/pull/22211) --- crypto/rand/rand_lib.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c index 46e294a37835e..7fbbb0275b0bc 100644 --- a/crypto/rand/rand_lib.c +++ b/crypto/rand/rand_lib.c @@ -536,13 +536,14 @@ static EVP_RAND_CTX *rand_new_seed(OSSL_LIB_CTX *libctx) EVP_RAND *rand; RAND_GLOBAL *dgbl = rand_get_global(libctx); EVP_RAND_CTX *ctx = NULL; - const char *propq = dgbl->seed_propq; + const char *propq; char *name, *props = NULL; size_t props_len; OSSL_PROPERTY_LIST *pl1, *pl2, *pl3 = NULL; if (dgbl == NULL) return NULL; + propq = dgbl->seed_propq; if (dgbl->seed_name != NULL) { name = dgbl->seed_name; } else { From eaf08794398ac3caaadffcfd670854bf51f610fa Mon Sep 17 00:00:00 2001 From: Pauli Date: Thu, 28 Sep 2023 11:45:01 +1000 Subject: [PATCH 273/324] Coverity 1545174: calling risky function Remove the call to rand() and replace with an xor-shift RNG. There are no security implications to worry about here. This RNG is used during testing only. Reviewed-by: Tomas Mraz Reviewed-by: Tom Cosgrove (Merged from https://github.com/openssl/openssl/pull/22211) --- providers/implementations/rands/test_rng.c | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) 
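Review bot: The new `if (cipher != ctx->fetched_cipher)` guard in evp_cipher_init_internal skips `EVP_CIPHER_up_ref()` on the strength of a pointer comparison, and nothing in the hunk says why that is safe. It holds only while `ctx->fetched_cipher` still owns a live reference at this point; the context reset earlier in the function and the matching free are outside the hunk, so this cannot be confirmed from here. I would add a comment such as `/* ctx->fetched_cipher already owns a reference to this cipher, so no up_ref/free is needed */`. The switch to `ossl_assert(cipher->prov != NULL)` also turns a previously skipped branch into a hard failure, which deserves a short comment stating that only provider-backed ciphers can reach this point.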
diff --git a/providers/implementations/rands/test_rng.c b/providers/implementations/rands/test_rng.c index 0006468d06638..57b36469caa58 100644 --- a/providers/implementations/rands/test_rng.c +++ b/providers/implementations/rands/test_rng.c @@ -47,6 +47,7 @@ typedef struct { unsigned char *entropy, *nonce; size_t entropy_len, entropy_pos, nonce_len; CRYPTO_RWLOCK *lock; + uint32_t seed; } PROV_TEST_RNG; static void *test_rng_new(void *provctx, void *parent, @@ -88,6 +89,7 @@ static int test_rng_instantiate(void *vtest, unsigned int strength, t->state = EVP_RAND_STATE_READY; t->entropy_pos = 0; + t->seed = 221953166; /* Value doesn't matter, so long as it isn't zero */ return 1; } @@ -103,7 +105,22 @@ static int test_rng_uninstantiate(void *vtest) static unsigned char gen_byte(PROV_TEST_RNG *t) { - return rand() & 0xff; + uint32_t n; + + /* + * Implement the 32 bit xorshift as suggested by George Marsaglia in: + * https://doi.org/10.18637/jss.v008.i14 + * + * This is a very fast PRNG so there is no need to extract bytes one at a + * time and use the entire value each time. + */ + n = t->seed; + n ^= n << 13; + n ^= n >> 17; + n ^= n << 5; + t->seed = n; + + return n & 0xff; } static int test_rng_generate(void *vtest, unsigned char *out, size_t outlen, From 6bd07949e54f9958eb8a0f9a597ceb3910753ab0 Mon Sep 17 00:00:00 2001 From: Pauli Date: Thu, 28 Sep 2023 11:47:35 +1000 Subject: [PATCH 274/324] Coverity 1545175: use after free Reviewed-by: Tomas Mraz Reviewed-by: Tom Cosgrove (Merged from https://github.com/openssl/openssl/pull/22211) --- crypto/rand/rand_lib.c | 1 - 1 file changed, 1 deletion(-) diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c index 7fbbb0275b0bc..14999540abc29 100644 --- a/crypto/rand/rand_lib.c +++ b/crypto/rand/rand_lib.c 
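Review bot: `t->seed` is assigned only in test_rng_instantiate, and zero is a fixed point of the xorshift in gen_byte, so a context whose seed is still 0 would yield 0 for every byte. Whether test_rng_generate refuses to run before instantiation is not visible in this hunk; if it does not, a guard such as `if (t->seed == 0) t->seed = 221953166;` at the top of gen_byte would cover it. The last sentence of the block comment reads ambiguously, since each call advances the whole 32-bit state and returns only its low byte. I would reword it and state that the output is deterministic and predictable, e.g. `/* Deterministic, non-cryptographic generator: for tests only */`.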
@@ -609,7 +609,6 @@ static EVP_RAND_CTX *rand_new_seed(OSSL_LIB_CTX *libctx) } if (!EVP_RAND_instantiate(ctx, 0, 0, NULL, 0, NULL)) { ERR_raise(ERR_LIB_RAND, RAND_R_ERROR_INSTANTIATING_DRBG); - EVP_RAND_CTX_free(ctx); goto err; } OPENSSL_free(props); From b07a0b1ac272c4a75c5115e10f274e2d7a477658 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 26 Sep 2023 14:56:02 +0200 Subject: [PATCH 275/324] Avoid having ecp_sm2p256-armv8.pl in fips.module.sources Reviewed-by: Paul Dale Reviewed-by: Tom Cosgrove (Merged from https://github.com/openssl/openssl/pull/22194) --- Configurations/unix-Makefile.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index 881310cf08976..6bdbf31d08025 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -1264,7 +1264,7 @@ providers/fips.module.sources.new: configdata.pm crypto/*cap.c; do \ echo "$$x"; \ done \ - ) | sort | uniq > providers/fips.module.sources.new + ) | grep -v sm2p256 | sort | uniq > providers/fips.module.sources.new rm -rf sources-tmp # Set to -force to force a rebuild From 5995dc37197dd85baa749325ba23f5aa8ccbe1f6 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Mon, 2 Oct 2023 10:22:24 +0200 Subject: [PATCH 276/324] [DOCS] Fix table inconsistencies detected by mdl Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/22240) --- doc/designs/quic-design/quic-api-ssl-funcs.md | 1476 ++++++++--------- doc/designs/quic-design/tx-packetiser.md | 66 +- 2 files changed, 771 insertions(+), 771 deletions(-) diff --git a/doc/designs/quic-design/quic-api-ssl-funcs.md b/doc/designs/quic-design/quic-api-ssl-funcs.md index 6b226b089705e..ab8d68f912e6c 100644 --- a/doc/designs/quic-design/quic-api-ssl-funcs.md +++ b/doc/designs/quic-design/quic-api-ssl-funcs.md 
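Review bot: The added `grep -v sm2p256` filter matches that substring anywhere in a path, so any file whose name contains `sm2p256` is dropped from providers/fips.module.sources.new, not only the script named in the commit title. If this list is what the FIPS source checksums are generated from, an over-match would silently leave a file out of the integrity record. I would narrow the pattern to the intended file, `) | grep -v 'ecp_sm2p256-armv8\.pl' | sort | uniq > providers/fips.module.sources.new`, and add a comment above the rule saying why that file is excluded. The recipe starts outside this hunk.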
@@ -91,744 +91,744 @@ Notes: which is never used for QUIC, they do not require changes, and we can allow applications to configure these lists freely, as they will be ignored. -| API Item | Cat. | Sema. | Appl. | Impl. Req. | Status | -|----------|----------|-----------|---------------|----------------|--------| -| **⇒ Global Information and Functions** | | -| `OSSL_default_cipher_list` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `OSSL_default_ciphersuites` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `ERR_load_SSL_strings` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `OPENSSL_init_ssl` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `OPENSSL_cipher_name` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `SSL_alert_desc_string` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `SSL_alert_desc_string_long` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `SSL_alert_type_string` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `SSL_alert_type_string_long` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `SSL_extension_supported` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `SSL_add_ssl_module` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `SSL_test_functions` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `SSL_select_next_proto` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| **⇒ Methods** | | -| `SSLv3_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `SSLv3_client_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `SSLv3_server_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `TLS_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `TLS_client_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `TLS_server_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `TLSv1_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `TLSv1_client_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `TLSv1_server_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `TLSv1_1_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `TLSv1_1_client_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `TLSv1_1_server_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `TLSv1_2_client_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `TLSv1_2_server_method` | Global | 🟩U | 🟦U | 🟩NC | 
🟢Done | -| `TLSv1_2_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `DTLS_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `DTLS_client_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `DTLS_server_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `DTLSv1_client_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `DTLSv1_server_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `DTLSv1_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `DTLSv1_2_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `DTLSv1_2_client_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `DTLSv1_2_server_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `OSSL_QUIC_client_method` | Global | 🟩U | 🟦U | 🟥QSA | 🟢Done | -| `OSSL_QUIC_client_thread_method` | Global | 🟩U | 🟦U | 🟥QSA | 🟢Done | -| `OSSL_QUIC_server_method` | Global | 🟩U | 🟦U | 🟥QSA | 🟠Design TBD | -| **⇒ Instantiation** | | -| `BIO_f_ssl` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | -| `BIO_new_ssl` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | -| `SSL_CTX_new` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | -| `SSL_CTX_new_ex` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | -| `SSL_CTX_up_ref` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | -| `SSL_CTX_free` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | -| `SSL_new` | Object | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_dup` | Object | 🟩U | 🟩A | 🟥FC | 🟢Done | -| `SSL_up_ref` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | -| `SSL_free` | Object | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_is_dtls` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | -| `SSL_CTX_get_ex_data` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | -| `SSL_CTX_set_ex_data` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | -| `SSL_get_ex_data` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | -| `SSL_set_ex_data` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | -| `SSL_get_SSL_CTX` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | -| `SSL_set_SSL_CTX` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | -| **⇒ Method Manipulation** | | -| `SSL_CTX_get_ssl_method` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | -| `SSL_get_ssl_method` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | -| `SSL_set_ssl_method` | Object | 🟩U | 🟥FC | 🟧QSI | 🟢Done | -| **⇒ SRTP** | | -| 
`SSL_get_selected_srtp_profile` | HL | 🟩U | 🟧NO | 🟨C\* | 🟢Done | -| `SSL_get_srtp_profiles` | HL | 🟩U | 🟧NO | 🟨C\* | 🟢Done | -| `SSL_CTX_set_tlsext_use_srtp` | HL | 🟩U | 🟥FC | 🟨C\* | 🟢Done | -| `SSL_set_tlsext_use_srtp` | HL | 🟩U | 🟥FC | 🟩NC\* | 🟢Done | -| **⇒ Ciphersuite Configuration** | | -| `SSL_CTX_set_cipher_list` | HL | 🟩U | 🟩A | 🟩NC\* †11 | 🟢Done | -| `SSL_CTX_set_ciphersuites` | HL | 🟩U | 🟩A | 🟨C\* †1 | 🟢Done | -| `SSL_CTX_get_ciphers` | HL | 🟩U | 🟩A |🟩NC\* | 🟢Done | -| `SSL_set_ciphersuites` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get1_supported_ciphers` | HL | 🟩U | 🟩A | 🟨C\* †1 | 🟢Done | -| `SSL_bytes_to_cipher_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_ciphers` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_cipher_list` | HL | 🟩U | 🟩A | 🟩NC\* †11 | 🟢Done | -| `SSL_set_cipher_list` | HL | 🟩U | 🟩A | 🟩NC\* †11 | 🟢Done | -| **⇒ Negotiated Ciphersuite Queries** | | -| `SSL_get_current_cipher` | HL | 🟩U | 🟩A |🟩NC\* †9 | 🟢Done | -| `SSL_get_pending_cipher` | HL | 🟩U | 🟩A | 🟩NC\* †9 | 🟢Done | -| `SSL_get_shared_ciphers` | HL | 🟩U | 🟩A | 🟩NC\* †9 | 🟢Done | -| `SSL_get_client_ciphers` | HL | 🟩U | 🟩A | 🟩NC\* †9 | 🟢Done | -| `SSL_get_current_compression` | HL | 🟩U | 🟩A | 🟩HLNC | 🟢Done | -| `SSL_get_current_expansion` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_shared_sigalgs` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_sigalgs` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_peer_signature_nid` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_peer_signature_type_nid` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_signature_nid` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_signature_type_nid` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| **⇒ ALPN** | †2 | -| `SSL_SESSION_set1_alpn_selected` | HL | 🟩U | 🟩A | 🟨C\* †2 | 🟢Done | -| `SSL_SESSION_get0_alpn_selected` | HL | 🟩U | 🟩A | 🟨C\* †2 | 🟢Done | -| `SSL_CTX_set_alpn_select_cb` | HL | 🟩U | 🟩A | 🟨C\* †2 | 🟢Done | -| `SSL_set_alpn_protos` | HL | 🟩U | 🟩A | 🟨C\* †2 | 🟢Done | -| `SSL_get0_alpn_selected` | HL | 🟩U | 🟩A | 🟨C\* †2 | 
🟢Done | -| `SSL_CTX_set_alpn_protos` | HL | 🟩U | 🟩A | 🟨C\* †2 | 🟢Done | -| **⇒ NPN** | †3 | -| `SSL_CTX_set_next_proto_select_cb` | HL | 🟩U | 🟥FC | 🟨C\* †3 | 🟢Done | -| `SSL_CTX_set_next_protos_advertised_cb` | HL | 🟩U | 🟥FC | 🟨C\* †3 | 🟢Done | -| `SSL_get0_next_proto_negotiated` | HL | 🟩U | 🟥FC | 🟩NC\* †3 | 🟢Done | -| **⇒ Narrow Waist Interface** | †4 | -| `SSL_CTX_ctrl` | Object | 🟩U | 🟩A | 🟩NC\* †4 | 🟢Done | -| `SSL_ctrl` | Object | 🟩U | 🟩A | 🟩NC\* †4 | 🟢Done | -| `SSL_CTX_callback_ctrl` | Object | 🟩U | 🟩A | 🟩NC\* †4 | 🟢Done | -| `SSL_callback_ctrl` | Object | 🟩U | 🟩A | 🟩NC\* †4 | 🟢Done | -| **⇒ Miscellaneous Accessors** | | -| `SSL_get_server_random` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_client_random` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_finished` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_peer_finished` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| **⇒ Ciphersuite Information** | | -| `SSL_CIPHER_description` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CIPHER_find` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CIPHER_get_auth_nid` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CIPHER_get_bits` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CIPHER_get_cipher_nid` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CIPHER_get_digest_nid` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CIPHER_get_handshake_digest` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CIPHER_get_id` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CIPHER_get_kx_nid` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CIPHER_get_name` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CIPHER_get_protocol_id` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CIPHER_get_version` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CIPHER_is_aead` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CIPHER_standard_name` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_group_to_name` | Global | 🟩U | 🟦U | 🟩NC\* | 🟢Done | -| **⇒ Version Queries** | | -| `SSL_get_version` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_version` | HL | 🟩U | 🟩A | 🟩NC\* 
| 🟢Done | -| `SSL_client_version` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| **⇒ Certificate Chain Management** | | -| `SSL_get_certificate` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_use_certificate` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_use_certificate_chain_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_use_certificate_chain_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_use_certificate_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_load_verify_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_load_verify_dir` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_load_verify_store` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_load_verify_locations` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `CertSSL_use_cert_and_key` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_use_certificate_ASN1` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_use_PrivateKey` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_use_PrivateKey_ASN1` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_use_PrivateKey_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_use_RSAPrivateKey` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_use_RSAPrivateKey_ASN1` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_use_RSAPrivateKey_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_default_verify_dir` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_default_verify_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_default_verify_paths` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_default_verify_store` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_use_cert_and_key` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_use_certificate` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_use_certificate_ASN1` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_use_certificate_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_use_PrivateKey` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_use_PrivateKey_ASN1` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_use_PrivateKey_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_use_RSAPrivateKey` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| 
`SSL_CTX_use_RSAPrivateKey_ASN1` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_use_RSAPrivateKey_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_check_chain` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_check_private_key` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_check_private_key` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_add_client_CA` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_add1_to_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_add_dir_cert_subjects_to_stack` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_add_file_cert_subjects_to_stack` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_add_store_cert_subjects_to_stack` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_load_client_CA_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_load_client_CA_file_ex` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_dup_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set0_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get0_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_client_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_add_client_CA` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_get0_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_get0_certificate` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_get0_privatekey` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_get_cert_store` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set1_cert_store` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_get_client_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_add1_to_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set0_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_get_client_cert_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_get_default_passwd_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_get_default_passwd_cb_userdata` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_client_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_privatekey` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| **⇒ Certificate Compression** | | -| `SSL_CTX_set1_cert_comp_preference` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| 
`SSL_set1_cert_comp_preference` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_compress_certs` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_compress_certs` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set1_compressed_cert` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set1_compressed_cert` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_get1_compressed_cert` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get1_compressed_cert` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| **⇒ Certificate Verification** | | -| `SSL_set1_host` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_add1_host` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_hostflags` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_verify` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_verify` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_verify_depth` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_verify_result` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_verify_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_verify_depth` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_verify_mode` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_verify_result` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get0_peer_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get0_peer_certificate` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get0_verified_chain` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get1_peer_certificate` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_peer_cert_chain` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_peer_certificate` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_certs_clear` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_get0_param` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get0_param` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_get_verify_mode` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_get_verify_depth` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_verify_depth` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get0_peername` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set1_param` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set1_param` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done 
| -| `SSL_CTX_get0_param` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get0_param` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_purpose` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_purpose` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_trust` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_trust` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| **⇒ PSK** | | -| `SSL_use_psk_identity_hint` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_use_psk_identity_hint` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_psk_client_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_psk_find_session_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_psk_server_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_psk_use_session_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_psk_identity` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_psk_identity_hint` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| **⇒ SRP** | | -| `SSL_SRP_CTX_init` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_SRP_CTX_init` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_SRP_CTX_free` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SRP_CTX_free` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_srp_client_pwd_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_srp_password` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_srp_g` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_srp_cb_arg` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_srp_N` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_srp_username_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_srp_username` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_srp_server_param` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_srp_userinfo` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_srp_server_param_with_username` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_srp_strength` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_srp_verify_param_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_srp_server_param_pw` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_srp_username` | HL | 🟩U | 
🟩A | 🟩NC\* | 🟢Done | -| `SRP_Calc_A_param` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| **⇒ DANE** | | -| `SSL_CTX_dane_enable` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get0_dane_tlsa` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_dane_set_flags` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_dane_set_flags` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_dane_clear_flags` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_dane_clear_flags` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get0_dane` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_dane_enable` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get0_dane_authority` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_dane_mtype_set` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_dane_tlsa_add` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| **⇒ Certificate Transparency** | | -| `SSL_CTX_enable_ct` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_ct_is_enabled` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_ctlog_list_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_default_ctlog_list_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_ct_validation_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set0_ctlog_store` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_get0_ctlog_store` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_enable_ct` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_ct_is_enabled` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get0_peer_scts` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_ct_validation_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| **⇒ Compression** | | -| `SSL_COMP_add_compression_method` | HL | 🟩U | 🟩A | 🟩NC\* †5 | 🟢Done | -| `SSL_COMP_get0_name` | HL | 🟩U | 🟩A | 🟩NC\* †5 | 🟢Done | -| `SSL_COMP_get_compression_methods` | HL | 🟩U | 🟩A | 🟩NC\* †5 | 🟢Done | -| `SSL_COMP_get_id` | HL | 🟩U | 🟩A | 🟩NC\* †5 | 🟢Done | -| `SSL_COMP_get_name` | HL | 🟩U | 🟩A | 🟩NC\* †5 | 🟢Done | -| `SSL_COMP_set0_compression_methods` | HL | 🟩U | 🟩A | 🟩NC\* †5 | 🟢Done | -| **⇒ Exporters** | | -| `SSL_export_keying_material` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| 
`SSL_export_keying_material_early` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| **⇒ Renegotiation** | | -| `SSL_renegotiate` | HL | 🟩U | 🟥FC | 🟩NC\* †5 | 🟢Done | -| `SSL_renegotiate_abbreviated` | HL | 🟩U | 🟥FC | 🟩NC\* †5 | 🟢Done | -| `SSL_renegotiate_pending` | HL | 🟩U | 🟧NO | 🟩NC\* †5 | 🟢Done | -| **⇒ Options** | | -| `SSL_CTX_clear_options` | HL | 🟩U | 🟩A | 🟨C\* | 🟢Done | -| `SSL_CTX_set_options` | HL | 🟩U | 🟩A | 🟨C\* | 🟢Done | -| `SSL_CTX_get_options` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_clear_options` | HL | 🟩U | 🟩A | 🟨C\* | 🟢Done | -| `SSL_set_options` | HL | 🟩U | 🟩A | 🟨C\* | 🟢Done | -| `SSL_get_options` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| **⇒ Configuration** | | -| `SSL_CONF_CTX_new` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CONF_CTX_free` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CONF_CTX_set_ssl` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CONF_CTX_set_ssl_ctx` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CONF_CTX_set1_prefix` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CONF_CTX_set_flags` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CONF_CTX_clear_flags` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CONF_CTX_finish` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CONF_cmd` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CONF_cmd_argv` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CONF_cmd_value_type` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_config` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_config` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| **⇒ Callbacks** | | -| `SSL_CTX_set_cert_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_cert_store` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_cert_verify_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_client_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_client_cert_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_client_cert_engine` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_client_hello_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_cookie_generate_cb` | HL | 🟩U | 🟩A | 
🟩NC\* | 🟢Done | -| `SSL_CTX_set_cookie_verify_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_default_passwd_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_default_passwd_cb_userdata` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_default_read_buffer_len` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_get_info_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_info_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_info_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_info_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_msg_callback` | HL | 🟩U | 🟩A | 🟩NC\* †6 | 🟢Done | -| `SSL_set_cert_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_default_passwd_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_default_passwd_cb_userdata` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_default_passwd_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_default_passwd_cb_userdata` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_keylog_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_get_keylog_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_psk_client_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_psk_find_session_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_psk_server_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_psk_use_session_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_get_verify_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_not_resumable_session_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_not_resumable_session_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_session_secret_cb` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| **⇒ Session Management** | | -| `d2i_SSL_SESSION` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `i2d_SSL_SESSION` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `PEM_read_bio_SSL_SESSION` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `PEM_read_SSL_SESSION` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `PEM_write_bio_SSL_SESSION` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| 
`PEM_write_SSL_SESSION` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_new` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_up_ref` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_dup` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_free` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_print` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_print_fp` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_print_keylog` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_get0_cipher` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_set_cipher` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_get0_hostname` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_set1_hostname` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_get0_id_context` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_set1_id_context` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_get0_peer` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_get0_ticket` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_get0_ticket_appdata` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_set1_ticket_appdata` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_has_ticket` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_get_protocol_version` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_set_protocol_version` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_get_compress_id` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_get_id` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_set1_id` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_get_time` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_set_time` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_get_timeout` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_set_timeout` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_get_ex_data` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_set_ex_data` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_get0_hostname` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_set1_hostname` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| 
`SSL_SESSION_get_master_key` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_get_master_key` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_is_resumable` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_get_max_early_data` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_get_max_early_data` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_get_max_fragment_length` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_get_ticket_lifetime_hint` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_add_session` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_remove_session` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get1_session` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_session` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_session` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_sess_get_get_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_sess_set_get_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_sess_get_new_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_sess_set_new_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_sess_get_remove_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_sess_set_remove_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_session_id_context` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_session_id_context` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_generate_session_id` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_generate_session_id` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_has_matching_session_id` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_flush_sessions` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_session_reused` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_get_timeout` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_timeout` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_default_timeout` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_sessions` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| **⇒ Session Ticket Management** | | -| `SSL_get_num_tickets` | HL | 🟩U | 🟩A | 🟩NC\* †7 | 🟢Done | -| `SSL_set_num_tickets` | HL | 🟩U | 🟩A | 🟩NC\* †7 | 🟢Done | -| 
`SSL_CTX_get_num_tickets` | HL | 🟩U | 🟩A | 🟩NC\* †7 | 🟢Done | -| `SSL_CTX_set_num_tickets` | HL | 🟩U | 🟩A | 🟩NC\* †7 | 🟢Done | -| `SSL_new_session_ticket` | HL | 🟩U | 🟩A | 🟩NC\* †7 | 🟢Done | -| `SSL_set_session_ticket_ext` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_session_ticket_ext_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_tlsext_ticket_key_evp_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| **⇒ Security Levels** | | -| `SSL_CTX_get_security_level` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_security_level` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_security_level` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_security_level` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_get_security_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_security_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SS_get_security_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SS_set_security_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_get0_security_ex_data` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set0_security_ex_data` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get0_security_ex_data` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set0_security_ex_data` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| **⇒ Custom Extensions** | | -| `SSL_CTX_add_custom_ext` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_add_client_custom_ext` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_add_server_custom_ext` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_has_client_custom_ext` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| **⇒ Early ClientHello Processing** | | -| `SSL_client_hello_get_extension_order` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_client_hello_get0_ciphers` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_client_hello_get0_compression_methods` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_client_hello_get0_ext` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_client_hello_get0_legacy_version` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_client_hello_get0_random` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| 
`SSL_client_hello_get0_session_id` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_client_hello_get1_extensions_present` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_client_hello_isv2` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| **⇒ SNI** | | -| `SSL_get_servername` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_servername_type` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| **⇒ Server Info** | | -| `SSL_CTX_use_serverinfo` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_use_serverinfo_ex` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_use_serverinfo_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| **⇒ Post-Handshake Authentication** | | -| `SSL_verify_client_post_handshake` | HL | 🟩U | 🟥FC | 🟨C* †8 | 🟢Done | -| `SSL_CTX_set_post_handshake_auth` | HL | 🟩U | 🟥FC | 🟨C* †8 | 🟢Done | -| `SSL_set_post_handshake_auth` | HL | 🟩U | 🟥FC | 🟨C* †8 | 🟢Done | -| **⇒ DH Parameters** | | -| `SSL_CTX_set_dh_auto` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_dh_auto` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set0_tmp_dh_pkey` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set0_tmp_dh_pkey` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_tmp_dh_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_tmp_dh_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_tmp_dh` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_tmp_dh` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| **⇒ State Queries** | | -| `SSL_in_init` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_in_before` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_is_init_finished` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_state` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_rstate_string` | HL | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_rstate_string_long` | HL | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_state_string` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_state_string_long` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| **⇒ Data Path and CSSM** | | -| `SSL_set_connect_state` | CSSM | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_set_accept_state` | CSSM | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_is_server` | CSSM | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| 
`SSL_peek` | ADP | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_peek_ex` | ADP | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_read` | ADP | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_read_ex` | ADP | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_write` | ADP | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_write_ex` | ADP | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_sendfile` | ADP | 🟩U | 🟥FC | 🟩NC\* | 🟢Done | -| `SSL_pending` | ADP | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_has_pending` | ADP | 🟧C | 🟩A | 🟧QSI | 🟢Done | -| `SSL_accept` | CSSM | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_connect` | CSSM | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_do_handshake` | CSSM | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_set0_wbio` | NDP | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_set0_rbio` | NDP | 🟧C | 🟩A | 🟧QSI | 🟢Done | -| `SSL_set_bio` | NDP | 🟧C | 🟩A | 🟧QSI | 🟢Done | -| `SSL_get_wbio` | NDP | 🟧C | 🟩A | 🟧QSI | 🟢Done | -| `SSL_get_rbio` | NDP | 🟧C | 🟩A | 🟧QSI | 🟢Done | -| `SSL_get_error` | NDP | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_get_rfd` | NDP | 🟩U | 🟩A | 🟩NC | 🟢Done | -| `SSL_get_wfd` | NDP | 🟩U | 🟩A | 🟩NC | 🟢Done | -| `SSL_get_fd` | NDP | 🟩U | 🟩A | 🟩NC | 🟢Done | -| `SSL_set_rfd` | NDP | 🟧C | 🟩A | 🟧QSI | 🟢Done | -| `SSL_set_wfd` | NDP | 🟧C | 🟩A | 🟧QSI | 🟢Done | -| `SSL_set_fd` | NDP | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_key_update` | RL | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_get_key_update_type` | RL | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_clear` (connection) | CSSM | 🟩U | 🟥FC | 🟧QSI | 🟢Done | -| `SSL_clear` (stream) | CSSM | 🟩U | 🟥FC | 🟧QSI | 🟢Done | -| `SSL_shutdown` | CSSM | 🟧C | 🟩A | 🟧QSI | 🟢Done | -| `SSL_want` | ADP | 🟧C | 🟩A | 🟧QSI | 🟢Done | -| `BIO_new_ssl_connect` | Global | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `BIO_new_buffer_ssl_connect` | Global | 🟩U | 🟦U | 🟧QSI | 🟢Done | -| `SSL_get_shutdown` | CSSM | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_set_shutdown` | CSSM | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| **⇒ New APIs** | | -| `SSL_is_tls` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_is_quic` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_handle_events` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_get_event_timeout` | CSSM | 
🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_get_blocking_mode` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_set_blocking_mode` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_get_rpoll_descriptor` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_get_wpoll_descriptor` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_net_read_desired` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_net_write_desired` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_set1_initial_peer_addr` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_shutdown_ex` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_stream_conclude` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_stream_reset` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_get_stream_read_state` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_get_stream_write_state` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_get_stream_read_error_code` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_get_stream_write_error_code` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_get_conn_close_info` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_inject_net_dgram` | NDP | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| **⇒ New APIs for Multi-Stream** | | -| `SSL_get0_connection` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_is_connection` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_get_stream_id` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_get_stream_type` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_is_stream_local` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_new_stream` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_accept_stream` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_get_accept_stream_queue_len` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_set_default_stream_mode` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_set_incoming_stream_policy` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| **⇒ Currently Not Supported** | | -| `SSL_copy_session_id` | Special | 🟩U | 🟥FC | 🟨C* | 🟢Done | -| `BIO_ssl_copy_session_id` | Special | 🟩U | 🟥FC | 🟨C* | 🟢Done | -| `SSL_CTX_set_quiet_shutdown` | CSSM | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `SSL_CTX_get_quiet_shutdown` | CSSM | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `SSL_set_quiet_shutdown` | 
CSSM | 🟩U | 🟥FC | 🟨C | 🟢Done | -| `SSL_get_quiet_shutdown` | CSSM | 🟩U | 🟧NO | 🟨C | 🟢Done | -| `SSL_CTX_set_ssl_version` | HL | 🟩U | 🟥FC | 🟨C | 🟢Done | -| **⇒ Async** | | -| `SSL_CTX_set_async_callback` | Async | 🟩U | 🟧NO | 🟩NC* †10 | 🟢Done | -| `SSL_set_async_callback` | Async | 🟩U | 🟧NO | 🟩NC* †10 | 🟢Done | -| `SSL_CTX_set_async_callback_arg` | Async | 🟩U | 🟧NO | 🟩NC* †10 | 🟢Done | -| `SSL_set_async_callback_arg` | Async | 🟩U | 🟧NO | 🟩NC* †10 | 🟢Done | -| `SSL_waiting_for_async` | Async | 🟩U | 🟧NO | 🟩NC* †10 | 🟢Done | -| `SSL_get_async_status` | Async | 🟩U | 🟧NO | 🟩NC* †10 | 🟢Done | -| `SSL_get_all_async_fds` | Async | 🟩U | 🟧NO | 🟩NC* †10 | 🟢Done | -| `SSL_get_changed_async_fds` | Async | 🟩U | 🟧NO | 🟩NC* †10 | 🟢Done | -| **⇒ Readahead** | | -| `SSL_CTX_get_default_read_ahead` | RL | 🟩U | 🟧NO | 🟩NC* | 🟢Done | -| `SSL_CTX_get_read_ahead` | RL | 🟩U | 🟧NO | 🟩NC* |🟢Done | -| `SSL_CTX_set_read_ahead` | RL | 🟩U | 🟧NO | 🟨C* |🟢Done | -| `SSL_get_read_ahead` | RL | 🟩U | 🟧NO | 🟨C* |🟢Done | -| `SSL_set_read_ahead` | RL | 🟩U | 🟧NO | 🟨C* | 🟢Done | -| `SSL_CTX_set_default_read_buffer_len` | RL | 🟩U | 🟧NO | 🟩NC* | 🟢Done | -| `SSL_set_default_read_buffer_len` | RL | 🟩U | 🟧NO | 🟨C* | 🟢Done | -| **⇒ Record Padding and Fragmentation** | | -| `SSL_CTX_set_record_padding_callback` | RL | 🟩U | 🟥FC | 🟩NC* | 🟢Done | -| `SSL_set_record_padding_callback` | RL | 🟩U | 🟥FC | 🟨C* | 🟢Done | -| `SSL_CTX_get_record_padding_callback_arg` | RL | 🟩U | 🟥FC | 🟩NC* | 🟢Done | -| `SSL_CTX_set_record_padding_callback_arg` | RL | 🟩U | 🟥FC | 🟩NC* | 🟢Done | -| `SSL_get_record_padding_callback_arg` | RL | 🟩U | 🟥FC | 🟩NC* | 🟢Done | -| `SSL_set_record_padding_callback_arg` | RL | 🟩U | 🟥FC |🟩NC* | 🟢Done | -| `SSL_CTX_set_block_padding` | RL | 🟩U | 🟥FC | 🟩NC* | 🟢Done | -| `SSL_set_block_padding` | RL | 🟩U | 🟥FC | 🟨C* | 🟢Done | -| `SSL_CTX_set_tlsext_max_fragment_length` | RL | 🟩U | 🟥FC | 🟩NC* | 🟢Done | -| `SSL_set_tlsext_max_fragment_length` | RL | 🟩U | 🟥FC | 🟨C* | 🟢Done | -| **⇒ Stateless/HelloRetryRequest** | | 
-| `SSL_stateless` | RL | 🟩U | 🟥FC | 🟨C* | 🟢Done |
-| `SSL_CTX_set_stateless_cookie_generate_cb` | RL | 🟩U | 🟥FC | 🟩NC* | 🟢Done |
-| `SSL_CTX_set_stateless_cookie_verify_cb` | RL | 🟩U | 🟥FC | 🟩NC* | 🟢Done |
-| **⇒ Early Data/0-RTT** | |
-| `SSL_CTX_set_allow_early_data_cb` | 0-RTT | 🟩U | 🟥FC | 🟩NC* | 🟢Done |
-| `SSL_set_allow_early_data_cb` | 0-RTT | 🟩U | 🟥FC | 🟨C* |🟢Done |
-| `SSL_CTX_get_recv_max_early_data` | 0-RTT | 🟩U | 🟥FC | 🟩NC* | 🟢Done |
-| `SSL_CTX_set_recv_max_early_data` | 0-RTT | 🟩U | 🟥FC | 🟩NC* | 🟢Done |
-| `SSL_get_recv_max_early_data` | 0-RTT | 🟩U | 🟥FC | 🟩NC* | 🟢Done |
-| `SSL_set_recv_max_early_data` | 0-RTT | 🟩U | 🟥FC | 🟨C* | 🟢Done |
-| `SSL_CTX_get_max_early_data` | 0-RTT | 🟩U | 🟥FC | 🟩NC* | 🟢Done |
-| `SSL_CTX_set_max_early_data` | 0-RTT | 🟩U | 🟥FC | 🟩NC* | 🟢Done |
-| `SSL_get_max_early_data` | 0-RTT | 🟩U | 🟥FC | 🟩NC* | 🟢Done |
-| `SSL_set_max_early_data` | 0-RTT | 🟩U | 🟥FC | 🟨C* | 🟢Done |
-| `SSL_read_early_data` | 0-RTT | 🟩U | 🟥FC | 🟨C* | 🟢Done |
-| `SSL_write_early_data` | 0-RTT | 🟩U | 🟥FC | 🟨C* | 🟢Done |
-| `SSL_get_early_data_status` | 0-RTT | 🟩U | 🟥FC | 🟩NC* | 🟢Done |
-| **⇒ Miscellaneous** | |
-| `DTLSv1_listen` | RL | 🟩U | 🟦U | 🟩NC | 🟢Done |
-| `DTLS_set_timer_cb` | NDP | 🟩U | 🟦U | 🟩NC | 🟢Done |
-| `DTLS_get_data_mtu` | NDP | 🟩U | 🟦U | 🟩NC | 🟢Done |
-| `SSL_get_ex_data_X509_STORE_CTX_idx` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done |
-| `BIO_ssl_shutdown` | Global | 🟩U | 🟩A | 🟩NC | 🟢Done |
-| `SSL_alloc_buffers` | HL | 🟩U | 🟩A | 🟨C\* | 🟢Done |
-| `SSL_free_buffers` | HL | 🟩U | 🟩A | 🟨C\* | 🟢Done |
-| `SSL_trace` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done |
-| `SSL_set_debug` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done |
-| **⇒ Controls** | |
-| `SSL_CTRL_MODE` | Special | 🟩U | 🟩A | 🟧QSI | 🟢Done |
-| `SSL_CTRL_CLEAR_MODE` | Special | 🟩U | 🟩A | 🟧QSI | 🟢Done |
-| `SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS` | HL | 🟩U | 🟧NO | 🟩NC* | 🟢Done |
-| `SSL_CTRL_GET_NUM_RENEGOTIATIONS` | HL | 🟩U | 🟧NO | 🟩NC* | 🟢Done |
-| `SSL_CTRL_GET_TOTAL_RENEGOTIATIONS` | HL | 🟩U | 🟧NO | 🟩NC* | 🟢Done |
-| `SSL_CTRL_GET_RI_SUPPORT` | HL | 🟩U | 🟧NO | 🟩NC* | 🟢Done |
-| `SSL_CTRL_GET_READ_AHEAD` | HL | 🟩U | 🟧NO | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SET_READ_AHEAD` | HL | 🟩U | 🟥FC | 🟨C* |🟢Done |
-| `SSL_CTRL_SET_MAX_PIPELINES` | RL | 🟩U | 🟥FC | 🟨C* | 🟢Done |
-| `SSL_CTRL_SET_MAX_SEND_FRAGMENT` | RL | 🟩U | 🟥FC | 🟨C* | 🟢Done |
-| `SSL_CTRL_SET_SPLIT_SEND_FRAGMENT` | RL | 🟩U | 🟥FC | 🟨C* | 🟢Done |
-| `SSL_CTRL_SET_MTU` | RL | 🟩U | 🟥FC | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SET_MAX_PROTO_VERSION` | HL | 🟩U | 🟩A | 🟨C* | 🟢Done |
-| `SSL_CTRL_SET_MIN_PROTO_VERSION` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_GET_MAX_PROTO_VERSION` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_GET_MIN_PROTO_VERSION` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_BUILD_CERT_CHAIN` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_CERT_FLAGS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_CHAIN` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_CHAIN_CERT` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_CLEAR_CERT_FLAGS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_EXTRA_CHAIN_CERT` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_GET_CHAIN_CERTS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_GET_CHAIN_CERT_STORE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_GET_CLIENT_CERT_REQUEST` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_GET_CLIENT_CERT_TYPES` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_GET_EC_POINT_FORMATS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_GET_EXTMS_SUPPORT` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_GET_EXTRA_CHAIN_CERTS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_GET_FLAGS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_GET_GROUPS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_GET_IANA_GROUPS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_GET_MAX_CERT_LIST` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_GET_NEGOTIATED_GROUP` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_GET_PEER_SIGNATURE_NID` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_GET_PEER_TMP_KEY` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_GET_RAW_CIPHERLIST` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_GET_SESS_CACHE_MODE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_GET_SESS_CACHE_SIZE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_GET_SHARED_GROUP` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_GET_SIGNATURE_NID` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_GET_TLSEXT_TICKET_KEYS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_GET_TMP_KEY` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_GET_VERIFY_CERT_STORE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SELECT_CURRENT_CERT` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SESS_ACCEPT` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SESS_ACCEPT_GOOD` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SESS_ACCEPT_RENEGOTIATE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SESS_CACHE_FULL` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SESS_CB_HIT` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SESS_CONNECT` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SESS_CONNECT_GOOD` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SESS_CONNECT_RENEGOTIATE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SESS_HIT` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SESS_MISSES` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SESS_NUMBER` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SESS_TIMEOUTS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SET_CHAIN_CERT_STORE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SET_CLIENT_CERT_TYPES` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SET_CLIENT_SIGALGS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SET_CLIENT_SIGALGS_LIST` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SET_CURRENT_CERT` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SET_DH_AUTO` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SET_GROUPS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SET_GROUPS_LIST` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SET_MAX_CERT_LIST` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SET_MSG_CALLBACK` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SET_MSG_CALLBACK_ARG` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SET_RETRY_VERIFY` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SET_SESS_CACHE_MODE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SET_SESS_CACHE_SIZE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SET_SIGALGS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SET_SIGALGS_LIST` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SET_SRP_ARG` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SET_SRP_VERIFY_PARAM_CB` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SET_TLSEXT_DEBUG_ARG` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SET_TLSEXT_DEBUG_CB` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SET_TLSEXT_HOSTNAME` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SET_TLSEXT_SERVERNAME_CB` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SET_TLS_EXT_SRP_USERNAME` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SET_TLSEXT_TICKET_KEYS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SET_TMP_DH` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SET_TMP_DH_CB` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SET_TMP_ECDH` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| `SSL_CTRL_SET_VERIFY_CERT_STORE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done |
-| **⇒ SSL Modes** | |
-| `SSL_MODE_ENABLE_PARTIAL_WRITE` | ADP | 🟩U | 🟩A | 🟧QSI | 🟢Done |
-| `SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER` | ADP | 🟩U | 🟩A | 🟧QSI | 🟢Done |
-| `SSL_MODE_RELEASE_BUFFERS` | ADP | 🟩U | 🟧NO | 🟩NC | 🟢Done |
-| `SSL_MODE_ASYNC` | ADP | 🟩U | 🟧NO | 🟩NC | 🟢Done |
-| `SSL_MODE_AUTO_RETRY` | ADP | 🟩U | 🟧NO | 🟩NC | 🟢Done |
-| `SSL_MODE_SEND_FALLBACK_SCSV` | HL | 🟩U | 🟩U | 🟩NC | 🟢Done |
+| API Item | Cat. | Sema. | Appl. | Impl. Req. | Status |
+|----------------------------------------------|---------|-------|-------|------------|--------------|
+| **⇒ Global Information and Functions** | | | | | |
+| `OSSL_default_cipher_list` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done |
+| `OSSL_default_ciphersuites` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done |
+| `ERR_load_SSL_strings` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done |
+| `OPENSSL_init_ssl` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done |
+| `OPENSSL_cipher_name` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done |
+| `SSL_alert_desc_string` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done |
+| `SSL_alert_desc_string_long` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done |
+| `SSL_alert_type_string` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done |
+| `SSL_alert_type_string_long` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done |
+| `SSL_extension_supported` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done |
+| `SSL_add_ssl_module` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done |
+| `SSL_test_functions` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done |
+| `SSL_select_next_proto` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done |
+| **⇒ Methods** | | | | | |
+| `SSLv3_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done |
+| `SSLv3_client_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done |
+| `SSLv3_server_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done |
+| `TLS_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done |
+| `TLS_client_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done |
+| `TLS_server_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done |
+| `TLSv1_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done |
+| `TLSv1_client_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done |
+| `TLSv1_server_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done |
+| `TLSv1_1_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done |
+| `TLSv1_1_client_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done |
+| `TLSv1_1_server_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done |
+| `TLSv1_2_client_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done |
+| `TLSv1_2_server_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done |
+| `TLSv1_2_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done |
+| `DTLS_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done |
+| `DTLS_client_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done |
+| 
`DTLS_server_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `DTLSv1_client_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `DTLSv1_server_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `DTLSv1_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `DTLSv1_2_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `DTLSv1_2_client_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `DTLSv1_2_server_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `OSSL_QUIC_client_method` | Global | 🟩U | 🟦U | 🟥QSA | 🟢Done | +| `OSSL_QUIC_client_thread_method` | Global | 🟩U | 🟦U | 🟥QSA | 🟢Done | +| `OSSL_QUIC_server_method` | Global | 🟩U | 🟦U | 🟥QSA | 🟠Design TBD | +| **⇒ Instantiation** | | | | | | +| `BIO_f_ssl` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | +| `BIO_new_ssl` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | +| `SSL_CTX_new` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | +| `SSL_CTX_new_ex` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | +| `SSL_CTX_up_ref` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | +| `SSL_CTX_free` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | +| `SSL_new` | Object | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_dup` | Object | 🟩U | 🟩A | 🟥FC | 🟢Done | +| `SSL_up_ref` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | +| `SSL_free` | Object | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_is_dtls` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | +| `SSL_CTX_get_ex_data` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | +| `SSL_CTX_set_ex_data` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | +| `SSL_get_ex_data` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | +| `SSL_set_ex_data` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | +| `SSL_get_SSL_CTX` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | +| `SSL_set_SSL_CTX` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | +| **⇒ Method Manipulation** | | | | | | +| `SSL_CTX_get_ssl_method` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | +| `SSL_get_ssl_method` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | +| `SSL_set_ssl_method` | Object | 🟩U | 🟥FC | 🟧QSI | 🟢Done | +| **⇒ SRTP** | | | | | | +| `SSL_get_selected_srtp_profile` | HL | 🟩U | 🟧NO | 🟨C\* | 🟢Done | +| `SSL_get_srtp_profiles` | HL | 🟩U | 🟧NO | 🟨C\* | 🟢Done | +| `SSL_CTX_set_tlsext_use_srtp` | HL | 🟩U | 🟥FC | 
🟨C\* | 🟢Done | +| `SSL_set_tlsext_use_srtp` | HL | 🟩U | 🟥FC | 🟩NC\* | 🟢Done | +| **⇒ Ciphersuite Configuration** | | | | | | +| `SSL_CTX_set_cipher_list` | HL | 🟩U | 🟩A | 🟩NC\* †11 | 🟢Done | +| `SSL_CTX_set_ciphersuites` | HL | 🟩U | 🟩A | 🟨C\* †1 | 🟢Done | +| `SSL_CTX_get_ciphers` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_ciphersuites` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get1_supported_ciphers` | HL | 🟩U | 🟩A | 🟨C\* †1 | 🟢Done | +| `SSL_bytes_to_cipher_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_ciphers` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_cipher_list` | HL | 🟩U | 🟩A | 🟩NC\* †11 | 🟢Done | +| `SSL_set_cipher_list` | HL | 🟩U | 🟩A | 🟩NC\* †11 | 🟢Done | +| **⇒ Negotiated Ciphersuite Queries** | | | | | | +| `SSL_get_current_cipher` | HL | 🟩U | 🟩A | 🟩NC\* †9 | 🟢Done | +| `SSL_get_pending_cipher` | HL | 🟩U | 🟩A | 🟩NC\* †9 | 🟢Done | +| `SSL_get_shared_ciphers` | HL | 🟩U | 🟩A | 🟩NC\* †9 | 🟢Done | +| `SSL_get_client_ciphers` | HL | 🟩U | 🟩A | 🟩NC\* †9 | 🟢Done | +| `SSL_get_current_compression` | HL | 🟩U | 🟩A | 🟩HLNC | 🟢Done | +| `SSL_get_current_expansion` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_shared_sigalgs` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_sigalgs` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_peer_signature_nid` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_peer_signature_type_nid` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_signature_nid` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_signature_type_nid` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ ALPN** | †2 | | | | | +| `SSL_SESSION_set1_alpn_selected` | HL | 🟩U | 🟩A | 🟨C\* †2 | 🟢Done | +| `SSL_SESSION_get0_alpn_selected` | HL | 🟩U | 🟩A | 🟨C\* †2 | 🟢Done | +| `SSL_CTX_set_alpn_select_cb` | HL | 🟩U | 🟩A | 🟨C\* †2 | 🟢Done | +| `SSL_set_alpn_protos` | HL | 🟩U | 🟩A | 🟨C\* †2 | 🟢Done | +| `SSL_get0_alpn_selected` | HL | 🟩U | 🟩A | 🟨C\* †2 | 🟢Done | +| `SSL_CTX_set_alpn_protos` | HL | 🟩U | 🟩A | 🟨C\* †2 | 🟢Done | +| **⇒ NPN** | †3 | | | | | +| `SSL_CTX_set_next_proto_select_cb` | HL | 🟩U | 
🟥FC | 🟨C\* †3 | 🟢Done | +| `SSL_CTX_set_next_protos_advertised_cb` | HL | 🟩U | 🟥FC | 🟨C\* †3 | 🟢Done | +| `SSL_get0_next_proto_negotiated` | HL | 🟩U | 🟥FC | 🟩NC\* †3 | 🟢Done | +| **⇒ Narrow Waist Interface** | †4 | | | | | +| `SSL_CTX_ctrl` | Object | 🟩U | 🟩A | 🟩NC\* †4 | 🟢Done | +| `SSL_ctrl` | Object | 🟩U | 🟩A | 🟩NC\* †4 | 🟢Done | +| `SSL_CTX_callback_ctrl` | Object | 🟩U | 🟩A | 🟩NC\* †4 | 🟢Done | +| `SSL_callback_ctrl` | Object | 🟩U | 🟩A | 🟩NC\* †4 | 🟢Done | +| **⇒ Miscellaneous Accessors** | | | | | | +| `SSL_get_server_random` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_client_random` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_finished` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_peer_finished` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ Ciphersuite Information** | | | | | | +| `SSL_CIPHER_description` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CIPHER_find` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CIPHER_get_auth_nid` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CIPHER_get_bits` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CIPHER_get_cipher_nid` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CIPHER_get_digest_nid` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CIPHER_get_handshake_digest` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CIPHER_get_id` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CIPHER_get_kx_nid` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CIPHER_get_name` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CIPHER_get_protocol_id` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CIPHER_get_version` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CIPHER_is_aead` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CIPHER_standard_name` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_group_to_name` | Global | 🟩U | 🟦U | 🟩NC\* | 🟢Done | +| **⇒ Version Queries** | | | | | | +| `SSL_get_version` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_version` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_client_version` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ Certificate Chain Management** | | 
| | | | +| `SSL_get_certificate` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_use_certificate` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_use_certificate_chain_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_use_certificate_chain_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_use_certificate_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_load_verify_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_load_verify_dir` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_load_verify_store` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_load_verify_locations` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `CertSSL_use_cert_and_key` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_use_certificate_ASN1` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_use_PrivateKey` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_use_PrivateKey_ASN1` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_use_PrivateKey_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_use_RSAPrivateKey` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_use_RSAPrivateKey_ASN1` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_use_RSAPrivateKey_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_default_verify_dir` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_default_verify_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_default_verify_paths` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_default_verify_store` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_use_cert_and_key` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_use_certificate` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_use_certificate_ASN1` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_use_certificate_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_use_PrivateKey` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_use_PrivateKey_ASN1` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_use_PrivateKey_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_use_RSAPrivateKey` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_use_RSAPrivateKey_ASN1` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_use_RSAPrivateKey_file` | HL | 🟩U | 🟩A 
| 🟩NC\* | 🟢Done | +| `SSL_check_chain` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_check_private_key` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_check_private_key` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_add_client_CA` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_add1_to_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_add_dir_cert_subjects_to_stack` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_add_file_cert_subjects_to_stack` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_add_store_cert_subjects_to_stack` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_load_client_CA_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_load_client_CA_file_ex` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_dup_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set0_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get0_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_client_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_add_client_CA` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_get0_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_get0_certificate` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_get0_privatekey` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_get_cert_store` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set1_cert_store` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_get_client_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_add1_to_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set0_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_get_client_cert_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_get_default_passwd_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_get_default_passwd_cb_userdata` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_client_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_privatekey` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ Certificate Compression** | | | | | | +| `SSL_CTX_set1_cert_comp_preference` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set1_cert_comp_preference` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_compress_certs` | HL | 🟩U | 🟩A | 
🟩NC\* | 🟢Done | +| `SSL_compress_certs` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set1_compressed_cert` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set1_compressed_cert` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_get1_compressed_cert` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get1_compressed_cert` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ Certificate Verification** | | | | | | +| `SSL_set1_host` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_add1_host` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_hostflags` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_verify` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_verify` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_verify_depth` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_verify_result` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_verify_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_verify_depth` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_verify_mode` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_verify_result` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get0_peer_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get0_peer_certificate` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get0_verified_chain` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get1_peer_certificate` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_peer_cert_chain` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_peer_certificate` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_certs_clear` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_get0_param` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get0_param` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_get_verify_mode` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_get_verify_depth` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_verify_depth` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get0_peername` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set1_param` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set1_param` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_get0_param` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get0_param` | HL | 🟩U | 🟩A | 🟩NC\* 
| 🟢Done | +| `SSL_CTX_set_purpose` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_purpose` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_trust` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_trust` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ PSK** | | | | | | +| `SSL_use_psk_identity_hint` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_use_psk_identity_hint` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_psk_client_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_psk_find_session_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_psk_server_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_psk_use_session_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_psk_identity` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_psk_identity_hint` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ SRP** | | | | | | +| `SSL_SRP_CTX_init` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_SRP_CTX_init` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_SRP_CTX_free` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SRP_CTX_free` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_srp_client_pwd_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_srp_password` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_srp_g` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_srp_cb_arg` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_srp_N` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_srp_username_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_srp_username` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_srp_server_param` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_srp_userinfo` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_srp_server_param_with_username` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_srp_strength` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_srp_verify_param_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_srp_server_param_pw` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_srp_username` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SRP_Calc_A_param` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ 
DANE** | | | | | | +| `SSL_CTX_dane_enable` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get0_dane_tlsa` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_dane_set_flags` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_dane_set_flags` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_dane_clear_flags` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_dane_clear_flags` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get0_dane` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_dane_enable` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get0_dane_authority` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_dane_mtype_set` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_dane_tlsa_add` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ Certificate Transparency** | | | | | | +| `SSL_CTX_enable_ct` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_ct_is_enabled` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_ctlog_list_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_default_ctlog_list_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_ct_validation_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set0_ctlog_store` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_get0_ctlog_store` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_enable_ct` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_ct_is_enabled` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get0_peer_scts` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_ct_validation_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ Compression** | | | | | | +| `SSL_COMP_add_compression_method` | HL | 🟩U | 🟩A | 🟩NC\* †5 | 🟢Done | +| `SSL_COMP_get0_name` | HL | 🟩U | 🟩A | 🟩NC\* †5 | 🟢Done | +| `SSL_COMP_get_compression_methods` | HL | 🟩U | 🟩A | 🟩NC\* †5 | 🟢Done | +| `SSL_COMP_get_id` | HL | 🟩U | 🟩A | 🟩NC\* †5 | 🟢Done | +| `SSL_COMP_get_name` | HL | 🟩U | 🟩A | 🟩NC\* †5 | 🟢Done | +| `SSL_COMP_set0_compression_methods` | HL | 🟩U | 🟩A | 🟩NC\* †5 | 🟢Done | +| **⇒ Exporters** | | | | | | +| `SSL_export_keying_material` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_export_keying_material_early` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ 
Renegotiation** | | | | | | +| `SSL_renegotiate` | HL | 🟩U | 🟥FC | 🟩NC\* †5 | 🟢Done | +| `SSL_renegotiate_abbreviated` | HL | 🟩U | 🟥FC | 🟩NC\* †5 | 🟢Done | +| `SSL_renegotiate_pending` | HL | 🟩U | 🟧NO | 🟩NC\* †5 | 🟢Done | +| **⇒ Options** | | | | | | +| `SSL_CTX_clear_options` | HL | 🟩U | 🟩A | 🟨C\* | 🟢Done | +| `SSL_CTX_set_options` | HL | 🟩U | 🟩A | 🟨C\* | 🟢Done | +| `SSL_CTX_get_options` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_clear_options` | HL | 🟩U | 🟩A | 🟨C\* | 🟢Done | +| `SSL_set_options` | HL | 🟩U | 🟩A | 🟨C\* | 🟢Done | +| `SSL_get_options` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ Configuration** | | | | | | +| `SSL_CONF_CTX_new` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CONF_CTX_free` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CONF_CTX_set_ssl` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CONF_CTX_set_ssl_ctx` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CONF_CTX_set1_prefix` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CONF_CTX_set_flags` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CONF_CTX_clear_flags` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CONF_CTX_finish` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CONF_cmd` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CONF_cmd_argv` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CONF_cmd_value_type` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_config` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_config` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ Callbacks** | | | | | | +| `SSL_CTX_set_cert_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_cert_store` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_cert_verify_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_client_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_client_cert_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_client_cert_engine` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_client_hello_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_cookie_generate_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| 
`SSL_CTX_set_cookie_verify_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_default_passwd_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_default_passwd_cb_userdata` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_default_read_buffer_len` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_get_info_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_info_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_info_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_info_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_msg_callback` | HL | 🟩U | 🟩A | 🟩NC\* †6 | 🟢Done | +| `SSL_set_cert_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_default_passwd_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_default_passwd_cb_userdata` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_default_passwd_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_default_passwd_cb_userdata` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_keylog_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_get_keylog_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_psk_client_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_psk_find_session_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_psk_server_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_psk_use_session_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_get_verify_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_not_resumable_session_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_not_resumable_session_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_session_secret_cb` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| **⇒ Session Management** | | | | | | +| `d2i_SSL_SESSION` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `i2d_SSL_SESSION` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `PEM_read_bio_SSL_SESSION` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `PEM_read_SSL_SESSION` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `PEM_write_bio_SSL_SESSION` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `PEM_write_SSL_SESSION` | HL | 
🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_new` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_up_ref` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_dup` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_free` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_print` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_print_fp` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_print_keylog` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_get0_cipher` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_set_cipher` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_get0_hostname` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_set1_hostname` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_get0_id_context` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_set1_id_context` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_get0_peer` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_get0_ticket` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_get0_ticket_appdata` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_set1_ticket_appdata` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_has_ticket` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_get_protocol_version` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_set_protocol_version` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_get_compress_id` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_get_id` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_set1_id` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_get_time` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_set_time` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_get_timeout` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_set_timeout` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_get_ex_data` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_set_ex_data` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_get0_hostname` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_set1_hostname` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_get_master_key` | HL | 🟩U | 🟩A | 
🟩NC\* | 🟢Done | +| `SSL_SESSION_get_master_key` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_is_resumable` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_get_max_early_data` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_get_max_early_data` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_get_max_fragment_length` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_get_ticket_lifetime_hint` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_add_session` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_remove_session` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get1_session` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_session` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_session` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_sess_get_get_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_sess_set_get_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_sess_get_new_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_sess_set_new_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_sess_get_remove_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_sess_set_remove_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_session_id_context` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_session_id_context` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_generate_session_id` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_generate_session_id` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_has_matching_session_id` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_flush_sessions` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_session_reused` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_get_timeout` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_timeout` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_default_timeout` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_sessions` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ Session Ticket Management** | | | | | | +| `SSL_get_num_tickets` | HL | 🟩U | 🟩A | 🟩NC\* †7 | 🟢Done | +| `SSL_set_num_tickets` | HL | 🟩U | 🟩A | 🟩NC\* †7 | 🟢Done | +| `SSL_CTX_get_num_tickets` | HL | 🟩U | 🟩A | 🟩NC\* 
†7 | 🟢Done | +| `SSL_CTX_set_num_tickets` | HL | 🟩U | 🟩A | 🟩NC\* †7 | 🟢Done | +| `SSL_new_session_ticket` | HL | 🟩U | 🟩A | 🟩NC\* †7 | 🟢Done | +| `SSL_set_session_ticket_ext` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_session_ticket_ext_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_tlsext_ticket_key_evp_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ Security Levels** | | | | | | +| `SSL_CTX_get_security_level` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_security_level` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_security_level` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_security_level` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_get_security_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_security_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_security_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_security_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_get0_security_ex_data` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set0_security_ex_data` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get0_security_ex_data` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set0_security_ex_data` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ Custom Extensions** | | | | | | +| `SSL_CTX_add_custom_ext` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_add_client_custom_ext` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_add_server_custom_ext` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_has_client_custom_ext` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ Early ClientHello Processing** | | | | | | +| `SSL_client_hello_get_extension_order` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_client_hello_get0_ciphers` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_client_hello_get0_compression_methods` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_client_hello_get0_ext` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_client_hello_get0_legacy_version` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_client_hello_get0_random` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_client_hello_get0_session_id` | HL | 🟩U | 
🟩A | 🟩NC\* | 🟢Done | +| `SSL_client_hello_get1_extensions_present` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_client_hello_isv2` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ SNI** | | | | | | +| `SSL_get_servername` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_servername_type` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ Server Info** | | | | | | +| `SSL_CTX_use_serverinfo` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_use_serverinfo_ex` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_use_serverinfo_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ Post-Handshake Authentication** | | | | | | +| `SSL_verify_client_post_handshake` | HL | 🟩U | 🟥FC | 🟨C* †8 | 🟢Done | +| `SSL_CTX_set_post_handshake_auth` | HL | 🟩U | 🟥FC | 🟨C* †8 | 🟢Done | +| `SSL_set_post_handshake_auth` | HL | 🟩U | 🟥FC | 🟨C* †8 | 🟢Done | +| **⇒ DH Parameters** | | | | | | +| `SSL_CTX_set_dh_auto` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_dh_auto` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set0_tmp_dh_pkey` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set0_tmp_dh_pkey` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_tmp_dh_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_tmp_dh_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_tmp_dh` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_tmp_dh` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ State Queries** | | | | | | +| `SSL_in_init` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_in_before` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_is_init_finished` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_state` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_rstate_string` | HL | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_rstate_string_long` | HL | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_state_string` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_state_string_long` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ Data Path and CSSM** | | | | | | +| `SSL_set_connect_state` | CSSM | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_set_accept_state` | CSSM | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_is_server` | CSSM | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| 
`SSL_peek` | ADP | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_peek_ex` | ADP | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_read` | ADP | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_read_ex` | ADP | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_write` | ADP | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_write_ex` | ADP | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_sendfile` | ADP | 🟩U | 🟥FC | 🟩NC\* | 🟢Done | +| `SSL_pending` | ADP | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_has_pending` | ADP | 🟧C | 🟩A | 🟧QSI | 🟢Done | +| `SSL_accept` | CSSM | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_connect` | CSSM | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_do_handshake` | CSSM | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_set0_wbio` | NDP | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_set0_rbio` | NDP | 🟧C | 🟩A | 🟧QSI | 🟢Done | +| `SSL_set_bio` | NDP | 🟧C | 🟩A | 🟧QSI | 🟢Done | +| `SSL_get_wbio` | NDP | 🟧C | 🟩A | 🟧QSI | 🟢Done | +| `SSL_get_rbio` | NDP | 🟧C | 🟩A | 🟧QSI | 🟢Done | +| `SSL_get_error` | NDP | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_get_rfd` | NDP | 🟩U | 🟩A | 🟩NC | 🟢Done | +| `SSL_get_wfd` | NDP | 🟩U | 🟩A | 🟩NC | 🟢Done | +| `SSL_get_fd` | NDP | 🟩U | 🟩A | 🟩NC | 🟢Done | +| `SSL_set_rfd` | NDP | 🟧C | 🟩A | 🟧QSI | 🟢Done | +| `SSL_set_wfd` | NDP | 🟧C | 🟩A | 🟧QSI | 🟢Done | +| `SSL_set_fd` | NDP | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_key_update` | RL | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_get_key_update_type` | RL | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_clear` (connection) | CSSM | 🟩U | 🟥FC | 🟧QSI | 🟢Done | +| `SSL_clear` (stream) | CSSM | 🟩U | 🟥FC | 🟧QSI | 🟢Done | +| `SSL_shutdown` | CSSM | 🟧C | 🟩A | 🟧QSI | 🟢Done | +| `SSL_want` | ADP | 🟧C | 🟩A | 🟧QSI | 🟢Done | +| `BIO_new_ssl_connect` | Global | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `BIO_new_buffer_ssl_connect` | Global | 🟩U | 🟦U | 🟧QSI | 🟢Done | +| `SSL_get_shutdown` | CSSM | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_set_shutdown` | CSSM | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| **⇒ New APIs** | | | | | | +| `SSL_is_tls` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_is_quic` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_handle_events` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_get_event_timeout` | 
CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_get_blocking_mode` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_set_blocking_mode` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_get_rpoll_descriptor` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_get_wpoll_descriptor` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_net_read_desired` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_net_write_desired` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_set1_initial_peer_addr` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_shutdown_ex` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_stream_conclude` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_stream_reset` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_get_stream_read_state` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_get_stream_write_state` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_get_stream_read_error_code` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_get_stream_write_error_code` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_get_conn_close_info` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_inject_net_dgram` | NDP | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| **⇒ New APIs for Multi-Stream** | | | | | | +| `SSL_get0_connection` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_is_connection` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_get_stream_id` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_get_stream_type` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_is_stream_local` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_new_stream` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_accept_stream` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_get_accept_stream_queue_len` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_set_default_stream_mode` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_set_incoming_stream_policy` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| **⇒ Currently Not Supported** | | | | | | +| `SSL_copy_session_id` | Special | 🟩U | 🟥FC | 🟨C* | 🟢Done | +| `BIO_ssl_copy_session_id` | Special | 🟩U | 🟥FC | 🟨C* | 🟢Done | +| `SSL_CTX_set_quiet_shutdown` | CSSM | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `SSL_CTX_get_quiet_shutdown` | CSSM | 🟩U | 🟦U | 🟩NC | 🟢Done | +| 
`SSL_set_quiet_shutdown` | CSSM | 🟩U | 🟥FC | 🟨C | 🟢Done | +| `SSL_get_quiet_shutdown` | CSSM | 🟩U | 🟧NO | 🟨C | 🟢Done | +| `SSL_CTX_set_ssl_version` | HL | 🟩U | 🟥FC | 🟨C | 🟢Done | +| **⇒ Async** | | | | | | +| `SSL_CTX_set_async_callback` | Async | 🟩U | 🟧NO | 🟩NC* †10 | 🟢Done | +| `SSL_set_async_callback` | Async | 🟩U | 🟧NO | 🟩NC* †10 | 🟢Done | +| `SSL_CTX_set_async_callback_arg` | Async | 🟩U | 🟧NO | 🟩NC* †10 | 🟢Done | +| `SSL_set_async_callback_arg` | Async | 🟩U | 🟧NO | 🟩NC* †10 | 🟢Done | +| `SSL_waiting_for_async` | Async | 🟩U | 🟧NO | 🟩NC* †10 | 🟢Done | +| `SSL_get_async_status` | Async | 🟩U | 🟧NO | 🟩NC* †10 | 🟢Done | +| `SSL_get_all_async_fds` | Async | 🟩U | 🟧NO | 🟩NC* †10 | 🟢Done | +| `SSL_get_changed_async_fds` | Async | 🟩U | 🟧NO | 🟩NC* †10 | 🟢Done | +| **⇒ Readahead** | | | | | | +| `SSL_CTX_get_default_read_ahead` | RL | 🟩U | 🟧NO | 🟩NC* | 🟢Done | +| `SSL_CTX_get_read_ahead` | RL | 🟩U | 🟧NO | 🟩NC* | 🟢Done | +| `SSL_CTX_set_read_ahead` | RL | 🟩U | 🟧NO | 🟨C* | 🟢Done | +| `SSL_get_read_ahead` | RL | 🟩U | 🟧NO | 🟨C* | 🟢Done | +| `SSL_set_read_ahead` | RL | 🟩U | 🟧NO | 🟨C* | 🟢Done | +| `SSL_CTX_set_default_read_buffer_len` | RL | 🟩U | 🟧NO | 🟩NC* | 🟢Done | +| `SSL_set_default_read_buffer_len` | RL | 🟩U | 🟧NO | 🟨C* | 🟢Done | +| **⇒ Record Padding and Fragmentation** | | | | | | +| `SSL_CTX_set_record_padding_callback` | RL | 🟩U | 🟥FC | 🟩NC* | 🟢Done | +| `SSL_set_record_padding_callback` | RL | 🟩U | 🟥FC | 🟨C* | 🟢Done | +| `SSL_CTX_get_record_padding_callback_arg` | RL | 🟩U | 🟥FC | 🟩NC* | 🟢Done | +| `SSL_CTX_set_record_padding_callback_arg` | RL | 🟩U | 🟥FC | 🟩NC* | 🟢Done | +| `SSL_get_record_padding_callback_arg` | RL | 🟩U | 🟥FC | 🟩NC* | 🟢Done | +| `SSL_set_record_padding_callback_arg` | RL | 🟩U | 🟥FC | 🟩NC* | 🟢Done | +| `SSL_CTX_set_block_padding` | RL | 🟩U | 🟥FC | 🟩NC* | 🟢Done | +| `SSL_set_block_padding` | RL | 🟩U | 🟥FC | 🟨C* | 🟢Done | +| `SSL_CTX_set_tlsext_max_fragment_length` | RL | 🟩U | 🟥FC | 🟩NC* | 🟢Done | +| `SSL_set_tlsext_max_fragment_length` | RL | 🟩U | 🟥FC | 
🟨C* | 🟢Done | +| **⇒ Stateless/HelloRetryRequest** | | | | | | +| `SSL_stateless` | RL | 🟩U | 🟥FC | 🟨C* | 🟢Done | +| `SSL_CTX_set_stateless_cookie_generate_cb` | RL | 🟩U | 🟥FC | 🟩NC* | 🟢Done | +| `SSL_CTX_set_stateless_cookie_verify_cb` | RL | 🟩U | 🟥FC | 🟩NC* | 🟢Done | +| **⇒ Early Data/0-RTT** | | | | | | +| `SSL_CTX_set_allow_early_data_cb` | 0-RTT | 🟩U | 🟥FC | 🟩NC* | 🟢Done | +| `SSL_set_allow_early_data_cb` | 0-RTT | 🟩U | 🟥FC | 🟨C* | 🟢Done | +| `SSL_CTX_get_recv_max_early_data` | 0-RTT | 🟩U | 🟥FC | 🟩NC* | 🟢Done | +| `SSL_CTX_set_recv_max_early_data` | 0-RTT | 🟩U | 🟥FC | 🟩NC* | 🟢Done | +| `SSL_get_recv_max_early_data` | 0-RTT | 🟩U | 🟥FC | 🟩NC* | 🟢Done | +| `SSL_set_recv_max_early_data` | 0-RTT | 🟩U | 🟥FC | 🟨C* | 🟢Done | +| `SSL_CTX_get_max_early_data` | 0-RTT | 🟩U | 🟥FC | 🟩NC* | 🟢Done | +| `SSL_CTX_set_max_early_data` | 0-RTT | 🟩U | 🟥FC | 🟩NC* | 🟢Done | +| `SSL_get_max_early_data` | 0-RTT | 🟩U | 🟥FC | 🟩NC* | 🟢Done | +| `SSL_set_max_early_data` | 0-RTT | 🟩U | 🟥FC | 🟨C* | 🟢Done | +| `SSL_read_early_data` | 0-RTT | 🟩U | 🟥FC | 🟨C* | 🟢Done | +| `SSL_write_early_data` | 0-RTT | 🟩U | 🟥FC | 🟨C* | 🟢Done | +| `SSL_get_early_data_status` | 0-RTT | 🟩U | 🟥FC | 🟩NC* | 🟢Done | +| **⇒ Miscellaneous** | | | | | | +| `DTLSv1_listen` | RL | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `DTLS_set_timer_cb` | NDP | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `DTLS_get_data_mtu` | NDP | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `SSL_get_ex_data_X509_STORE_CTX_idx` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `BIO_ssl_shutdown` | Global | 🟩U | 🟩A | 🟩NC | 🟢Done | +| `SSL_alloc_buffers` | HL | 🟩U | 🟩A | 🟨C\* | 🟢Done | +| `SSL_free_buffers` | HL | 🟩U | 🟩A | 🟨C\* | 🟢Done | +| `SSL_trace` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_debug` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ Controls** | | | | | | +| `SSL_CTRL_MODE` | Special | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_CTRL_CLEAR_MODE` | Special | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS` | HL | 🟩U | 🟧NO | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_NUM_RENEGOTIATIONS` | HL | 🟩U | 🟧NO | 🟩NC* 
| 🟢Done | +| `SSL_CTRL_GET_TOTAL_RENEGOTIATIONS` | HL | 🟩U | 🟧NO | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_RI_SUPPORT` | HL | 🟩U | 🟧NO | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_READ_AHEAD` | HL | 🟩U | 🟧NO | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_READ_AHEAD` | HL | 🟩U | 🟥FC | 🟨C* | 🟢Done | +| `SSL_CTRL_SET_MAX_PIPELINES` | RL | 🟩U | 🟥FC | 🟨C* | 🟢Done | +| `SSL_CTRL_SET_MAX_SEND_FRAGMENT` | RL | 🟩U | 🟥FC | 🟨C* | 🟢Done | +| `SSL_CTRL_SET_SPLIT_SEND_FRAGMENT` | RL | 🟩U | 🟥FC | 🟨C* | 🟢Done | +| `SSL_CTRL_SET_MTU` | RL | 🟩U | 🟥FC | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_MAX_PROTO_VERSION` | HL | 🟩U | 🟩A | 🟨C* | 🟢Done | +| `SSL_CTRL_SET_MIN_PROTO_VERSION` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_MAX_PROTO_VERSION` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_MIN_PROTO_VERSION` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_BUILD_CERT_CHAIN` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_CERT_FLAGS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_CHAIN` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_CHAIN_CERT` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_CLEAR_CERT_FLAGS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_EXTRA_CHAIN_CERT` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_CHAIN_CERTS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_CHAIN_CERT_STORE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_CLIENT_CERT_REQUEST` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_CLIENT_CERT_TYPES` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_EC_POINT_FORMATS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_EXTMS_SUPPORT` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_EXTRA_CHAIN_CERTS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_FLAGS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_GROUPS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_IANA_GROUPS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_MAX_CERT_LIST` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_NEGOTIATED_GROUP` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| 
`SSL_CTRL_GET_PEER_SIGNATURE_NID` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_PEER_TMP_KEY` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_RAW_CIPHERLIST` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_SESS_CACHE_MODE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_SESS_CACHE_SIZE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_SHARED_GROUP` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_SIGNATURE_NID` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_TLSEXT_TICKET_KEYS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_TMP_KEY` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_VERIFY_CERT_STORE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SELECT_CURRENT_CERT` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SESS_ACCEPT` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SESS_ACCEPT_GOOD` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SESS_ACCEPT_RENEGOTIATE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SESS_CACHE_FULL` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SESS_CB_HIT` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SESS_CONNECT` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SESS_CONNECT_GOOD` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SESS_CONNECT_RENEGOTIATE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SESS_HIT` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SESS_MISSES` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SESS_NUMBER` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SESS_TIMEOUTS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_CHAIN_CERT_STORE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_CLIENT_CERT_TYPES` | HL 
| 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_CLIENT_SIGALGS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_CLIENT_SIGALGS_LIST` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_CURRENT_CERT` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_DH_AUTO` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_GROUPS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_GROUPS_LIST` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_MAX_CERT_LIST` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_MSG_CALLBACK` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_MSG_CALLBACK_ARG` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_RETRY_VERIFY` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_SESS_CACHE_MODE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_SESS_CACHE_SIZE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_SIGALGS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_SIGALGS_LIST` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_SRP_ARG` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_SRP_VERIFY_PARAM_CB` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_TLSEXT_DEBUG_ARG` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_TLSEXT_DEBUG_CB` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_TLSEXT_HOSTNAME` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_TLSEXT_SERVERNAME_CB` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_TLS_EXT_SRP_USERNAME` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| 
`SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_TLSEXT_TICKET_KEYS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_TMP_DH` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_TMP_DH_CB` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_TMP_ECDH` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_VERIFY_CERT_STORE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| **⇒ SSL Modes** | | | | | | +| `SSL_MODE_ENABLE_PARTIAL_WRITE` | ADP | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER` | ADP | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_MODE_RELEASE_BUFFERS` | ADP | 🟩U | 🟧NO | 🟩NC | 🟢Done | +| `SSL_MODE_ASYNC` | ADP | 🟩U | 🟧NO | 🟩NC | 🟢Done | +| `SSL_MODE_AUTO_RETRY` | ADP | 🟩U | 🟧NO | 🟩NC | 🟢Done | +| `SSL_MODE_SEND_FALLBACK_SCSV` | HL | 🟩U | 🟩U | 🟩NC | 🟢Done | Q&A For TLS-Related Calls ------------------------- diff --git a/doc/designs/quic-design/tx-packetiser.md b/doc/designs/quic-design/tx-packetiser.md index f2d7e69a160a6..38e9def5e9233 100644 --- a/doc/designs/quic-design/tx-packetiser.md +++ b/doc/designs/quic-design/tx-packetiser.md 
@@ -258,39 +258,39 @@ Packetisation and Processing Frames are taken from [RFC 9000 12.4 Frames and Frame Types]. -| Type | Name | I | H | 0 | 1 | N | C | P | F | -| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | -| 0x00 | padding | ✓ | ✓ | ✓ | ✓ | ✓ | | ✓ -| 0x01 | ping | ✓ | ✓ | ✓ | ✓ | | | | | -| 0x02 | ack 0x02 | ✓ | ✓ | | ✓ | ✓ | ✓ | | | -| 0x03 | ack 0x03 | ✓ | ✓ | | ✓ | ✓ | ✓ | | | -| 0x04 | reset_stream | | | ✓ | ✓ | | | | | -| 0x05 | stop_sending | | | ✓ | ✓ | | | | | -| 0x06 | crypto | ✓ | ✓ | | ✓ | | | | | -| 0x07 | new_token | | | | ✓ | | | | | -| 0x08 | stream 0x08 | | | ✓ | ✓ | | | | ✓ | -| 0x09 | stream 0x09 | | | ✓ | ✓ | | | | ✓ | -| 0x0A | stream 0x0A | | | ✓ | ✓ | | | | ✓ | -| 0x0B | stream 0x0B | | | ✓ | ✓ | | | | ✓ | -| 0x0C | stream 0x0C | | | ✓ | ✓ | | | | ✓ | -| 0x0D | stream 0x0D | | | ✓ | ✓ | | | | ✓ | -| 0x0E | stream 0x0E | | | ✓ | ✓ | | | | ✓ | -| 0x0F | stream 0x0F | | | ✓ | ✓ | | | | ✓ | -| 0x10 | max_data | | | ✓ | ✓ | | | | | -| 0x11 | max_stream_data | | | ✓ | ✓ | | | | | -| 0x12 | max_streams 0x12 | | | ✓ | ✓ | | | | | -| 0x13 | max_streams 0x13 | | | ✓ | ✓ | | | | | -| 0x14 | data_blocked | | | ✓ | ✓ | | | | | -| 0x15 | stream_data_blocked | | | ✓ | ✓ | | | | | -| 0x16 | streams_blocked 0x16 | | | ✓ | ✓ | | | | | -| 0x17 | streams_blocked 0x17 | | | ✓ | ✓ | | | | | -| 0x18 | new_connection_id | | | ✓ | ✓ | | | ✓ | | -| 0x19 | retire_connection_id | | | ✓ | ✓ | | | | | -| 0x1A | path_challenge | | | ✓ | ✓ | | | ✓ | | -| 0x1B | path_response | | | | ✓ | | | ✓ | | -| 0x1C | connection_close 0x1C | ✓ | ✓ | ✓ | ✓ | ✓ -| 0x1D | connection_close 0x1D | | | ✓ | ✓ | ✓ | | | | -| 0x1E | handshake_done | | | | ✓ | | | | | +| Type | Name | I | H | 0 | 1 | N | C | P | F | +|------|-----------------------|---------|---------|---------|---------|---------|---------|---------|---------| +| 0x00 | padding | ✓ | ✓ | ✓ | ✓ | ✓ | | ✓ | | +| 0x01 | ping | ✓ | ✓ | ✓ | ✓ | | | | | +| 0x02 | ack 0x02 | ✓ | ✓ | | ✓ | ✓ | ✓ | | | +| 0x03 | ack 
0x03 | ✓ | ✓ | | ✓ | ✓ | ✓ | | | +| 0x04 | reset_stream | | | ✓ | ✓ | | | | | +| 0x05 | stop_sending | | | ✓ | ✓ | | | | | +| 0x06 | crypto | ✓ | ✓ | | ✓ | | | | | +| 0x07 | new_token | | | | ✓ | | | | | +| 0x08 | stream 0x08 | | | ✓ | ✓ | | | | ✓ | +| 0x09 | stream 0x09 | | | ✓ | ✓ | | | | ✓ | +| 0x0A | stream 0x0A | | | ✓ | ✓ | | | | ✓ | +| 0x0B | stream 0x0B | | | ✓ | ✓ | | | | ✓ | +| 0x0C | stream 0x0C | | | ✓ | ✓ | | | | ✓ | +| 0x0D | stream 0x0D | | | ✓ | ✓ | | | | ✓ | +| 0x0E | stream 0x0E | | | ✓ | ✓ | | | | ✓ | +| 0x0F | stream 0x0F | | | ✓ | ✓ | | | | ✓ | +| 0x10 | max_data | | | ✓ | ✓ | | | | | +| 0x11 | max_stream_data | | | ✓ | ✓ | | | | | +| 0x12 | max_streams 0x12 | | | ✓ | ✓ | | | | | +| 0x13 | max_streams 0x13 | | | ✓ | ✓ | | | | | +| 0x14 | data_blocked | | | ✓ | ✓ | | | | | +| 0x15 | stream_data_blocked | | | ✓ | ✓ | | | | | +| 0x16 | streams_blocked 0x16 | | | ✓ | ✓ | | | | | +| 0x17 | streams_blocked 0x17 | | | ✓ | ✓ | | | | | +| 0x18 | new_connection_id | | | ✓ | ✓ | | | ✓ | | +| 0x19 | retire_connection_id | | | ✓ | ✓ | | | | | +| 0x1A | path_challenge | | | ✓ | ✓ | | | ✓ | | +| 0x1B | path_response | | | | ✓ | | | ✓ | | +| 0x1C | connection_close 0x1C | ✓ | ✓ | ✓ | ✓ | ✓ | | | | +| 0x1D | connection_close 0x1D | | | ✓ | ✓ | ✓ | | | | +| 0x1E | handshake_done | | | | ✓ | | | | | The various fields are as defined in RFC 9000. From 0c74339c730dc74f9f7aeac866f02c780f39b3a9 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Mon, 2 Oct 2023 10:24:38 +0200 Subject: [PATCH 277/324] Configurations/unix-Makefile.tmpl: Ensure that md-nits always works The body of the "md-nits" Makefile target assumed an in source build tree. This change ensures that it works correctly when called from an out-of-source build tree as well. Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/22240) --- Configurations/unix-Makefile.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index 6bdbf31d08025..3d9ce086f9496 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -1146,7 +1146,7 @@ doc-nits: build_generated_pods ## Evaluate OpenSSL documentation # Finally, there's a Node.js version, which we haven't tried, that # can be found at https://github.com/DavidAnson/markdownlint md-nits: ## Evaluate markdown files via "mdl" - mdl -s util/markdownlint.rb . + mdl -s $(SRCDIR)/util/markdownlint.rb . # Test coverage is a good idea for the future #coverage: $(PROGRAMS) $(TESTPROGRAMS) From 98e0755511fbb5e2563dfe0017f011803d57f51d Mon Sep 17 00:00:00 2001 From: Mathieu Tortuyaux Date: Tue, 19 Sep 2023 17:23:23 +0200 Subject: [PATCH 278/324] obj_xref: ecdsa support sha3 hash function Signed-off-by: Mathieu Tortuyaux Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22147) --- crypto/objects/obj_xref.txt | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/crypto/objects/obj_xref.txt b/crypto/objects/obj_xref.txt index 2a61d4db59275..31c6eb9928169 100644 --- a/crypto/objects/obj_xref.txt +++ b/crypto/objects/obj_xref.txt @@ -42,6 +42,10 @@ ecdsa_with_SHA384 sha384 X9_62_id_ecPublicKey ecdsa_with_SHA512 sha512 X9_62_id_ecPublicKey ecdsa_with_Recommended undef X9_62_id_ecPublicKey ecdsa_with_Specified undef X9_62_id_ecPublicKey +ecdsa_with_SHA3_224 sha3_224 X9_62_id_ecPublicKey +ecdsa_with_SHA3_256 sha3_256 X9_62_id_ecPublicKey +ecdsa_with_SHA3_384 sha3_384 X9_62_id_ecPublicKey +ecdsa_with_SHA3_512 sha3_512 X9_62_id_ecPublicKey dsa_with_SHA224 sha224 dsa dsa_with_SHA256 sha256 dsa From de4aa81faaaddcacf0608166406d07bcd641e92b Mon Sep 17 00:00:00 2001 From: Mathieu Tortuyaux Date: Tue, 19 Sep 2023 17:24:43 +0200 Subject: [PATCH 279/324] obj_xref.h: make update 
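Review bot: The `md-nits` recipe still passes `.` as the directory to scan, so in an out-of-source build `mdl` would presumably walk the build tree rather than the sources, even though the style file is now found through `$(SRCDIR)`. If the intent is to lint the checked-in markdown, the scan root should follow the source tree as well, e.g. `mdl -s $(SRCDIR)/util/markdownlint.rb $(SRCDIR)`. Whether the build directory ever holds markdown worth linting is not visible from this hunk, so this is worth confirming with an out-of-tree run.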
Signed-off-by: Mathieu Tortuyaux Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22147) --- crypto/objects/obj_xref.h | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/crypto/objects/obj_xref.h b/crypto/objects/obj_xref.h index fff70400757e5..913606f1754d4 100644 --- a/crypto/objects/obj_xref.h +++ b/crypto/objects/obj_xref.h @@ -75,6 +75,10 @@ static const nid_triple sigoid_srt[] = { NID_id_GostR3410_2012_512}, {NID_ED25519, NID_undef, NID_ED25519}, {NID_ED448, NID_undef, NID_ED448}, + {NID_ecdsa_with_SHA3_224, NID_sha3_224, NID_X9_62_id_ecPublicKey}, + {NID_ecdsa_with_SHA3_256, NID_sha3_256, NID_X9_62_id_ecPublicKey}, + {NID_ecdsa_with_SHA3_384, NID_sha3_384, NID_X9_62_id_ecPublicKey}, + {NID_ecdsa_with_SHA3_512, NID_sha3_512, NID_X9_62_id_ecPublicKey}, {NID_RSA_SHA3_224, NID_sha3_224, NID_rsaEncryption}, {NID_RSA_SHA3_256, NID_sha3_256, NID_rsaEncryption}, {NID_RSA_SHA3_384, NID_sha3_384, NID_rsaEncryption}, @@ -122,9 +126,13 @@ static const nid_triple *const sigoid_srt_xref[] = { &sigoid_srt[28], &sigoid_srt[40], &sigoid_srt[41], + &sigoid_srt[48], &sigoid_srt[44], + &sigoid_srt[49], &sigoid_srt[45], + &sigoid_srt[50], &sigoid_srt[46], + &sigoid_srt[51], &sigoid_srt[47], - &sigoid_srt[48], + &sigoid_srt[52], }; From fd27a7e4f829e6a9b0d240efcabc39a971b8f511 Mon Sep 17 00:00:00 2001 From: Mathieu Tortuyaux Date: Fri, 22 Sep 2023 22:09:33 +0200 Subject: [PATCH 280/324] test: add verify test for EC cert signed with SHA3 
Signed-off-by: Mathieu Tortuyaux Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22147) --- test/certs/ee-cert-ec-sha3-224.pem | 10 ++++++++++ test/certs/ee-cert-ec-sha3-256.pem | 10 ++++++++++ test/certs/ee-cert-ec-sha3-384.pem | 10 ++++++++++ test/certs/ee-cert-ec-sha3-512.pem | 10 ++++++++++ test/certs/setup.sh | 6 ++++++ test/recipes/25-test_verify.t | 22 +++++++++++++++++++--- 6 files changed, 65 insertions(+), 3 deletions(-) create mode 100644 test/certs/ee-cert-ec-sha3-224.pem create mode 100644 test/certs/ee-cert-ec-sha3-256.pem create mode 100644 test/certs/ee-cert-ec-sha3-384.pem create mode 100644 test/certs/ee-cert-ec-sha3-512.pem diff --git a/test/certs/ee-cert-ec-sha3-224.pem b/test/certs/ee-cert-ec-sha3-224.pem new file mode 100644 index 0000000000000..047517d0253cc --- /dev/null +++ b/test/certs/ee-cert-ec-sha3-224.pem @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBezCCASCgAwIBAgIBAjALBglghkgBZQMEAwkwDTELMAkGA1UEAwwCQ0EwIBcN +MjMwOTI4MDk1NjI1WhgPMjEyMzA5MjkwOTU2MjVaMBkxFzAVBgNVBAMMDnNlcnZl +ci5leGFtcGxlMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtGFOe/kRUVsa/365 +y/rzmJGN4fa6Cp78QhtO8CubXrxGLUnSs9CrB7wwQ2rcNa9yTb/ptqeeP9wKhTwG +d+W9D6NiMGAwHQYDVR0OBBYEFMqcqbma1JdARJm7oXyaaN0BTSL1MB8GA1UdIwQY +MBaAFGOKBTlETPwvB/WIPqYAtWGwchqeMAkGA1UdEwQCMAAwEwYDVR0lBAwwCgYI +KwYBBQUHAwEwCwYJYIZIAWUDBAMJA0gAMEUCIG/6DFqC+WzrYaZzZ4RbsZNNtb1Z +MwN3GXj+S8LM4c83AiEA3V5/mXHWaDi2JfjycScqnDC++awvc26rMa9vk9ZwVYM= +-----END CERTIFICATE----- diff --git a/test/certs/ee-cert-ec-sha3-256.pem b/test/certs/ee-cert-ec-sha3-256.pem new file mode 100644 index 0000000000000..2112ba15ced95 --- /dev/null +++ b/test/certs/ee-cert-ec-sha3-256.pem 
@@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBejCCASCgAwIBAgIBAjALBglghkgBZQMEAwowDTELMAkGA1UEAwwCQ0EwIBcN +MjMwOTI4MDk1NjI1WhgPMjEyMzA5MjkwOTU2MjVaMBkxFzAVBgNVBAMMDnNlcnZl +ci5leGFtcGxlMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtGFOe/kRUVsa/365 +y/rzmJGN4fa6Cp78QhtO8CubXrxGLUnSs9CrB7wwQ2rcNa9yTb/ptqeeP9wKhTwG +d+W9D6NiMGAwHQYDVR0OBBYEFMqcqbma1JdARJm7oXyaaN0BTSL1MB8GA1UdIwQY +MBaAFGOKBTlETPwvB/WIPqYAtWGwchqeMAkGA1UdEwQCMAAwEwYDVR0lBAwwCgYI +KwYBBQUHAwEwCwYJYIZIAWUDBAMKA0cAMEQCIFToMNgLf3+sW1oHDhDrCQWpIzLE +PgAdgDdtbBO7OerTAiB3vkCvu/Vs8v/6Ys/OQOsHbX0tT5NUMWZfP3X8CYUfmA== +-----END CERTIFICATE----- diff --git a/test/certs/ee-cert-ec-sha3-384.pem b/test/certs/ee-cert-ec-sha3-384.pem new file mode 100644 index 0000000000000..0397280f294b4 --- /dev/null +++ b/test/certs/ee-cert-ec-sha3-384.pem @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBezCCASCgAwIBAgIBAjALBglghkgBZQMEAwswDTELMAkGA1UEAwwCQ0EwIBcN +MjMwOTI1MTU0NTIxWhgPMjEyMzA5MjYxNTQ1MjFaMBkxFzAVBgNVBAMMDnNlcnZl +ci5leGFtcGxlMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtGFOe/kRUVsa/365 +y/rzmJGN4fa6Cp78QhtO8CubXrxGLUnSs9CrB7wwQ2rcNa9yTb/ptqeeP9wKhTwG +d+W9D6NiMGAwHQYDVR0OBBYEFMqcqbma1JdARJm7oXyaaN0BTSL1MB8GA1UdIwQY +MBaAFGOKBTlETPwvB/WIPqYAtWGwchqeMAkGA1UdEwQCMAAwEwYDVR0lBAwwCgYI +KwYBBQUHAwEwCwYJYIZIAWUDBAMLA0gAMEUCIGq8RYriO3scZLij8fglpZOZdZRZ +DfzsopaAvzQrwcS9AiEA0JDYvat1hiygjXUxZmWPD2cDrxogvCSsoi3QW7YtP/o= +-----END CERTIFICATE----- diff --git a/test/certs/ee-cert-ec-sha3-512.pem b/test/certs/ee-cert-ec-sha3-512.pem new file mode 100644 index 0000000000000..f528f8fd95d45 --- /dev/null +++ b/test/certs/ee-cert-ec-sha3-512.pem 
@@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBezCCASCgAwIBAgIBAjALBglghkgBZQMEAwwwDTELMAkGA1UEAwwCQ0EwIBcN +MjMwOTI4MDk1NjQyWhgPMjEyMzA5MjkwOTU2NDJaMBkxFzAVBgNVBAMMDnNlcnZl +ci5leGFtcGxlMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtGFOe/kRUVsa/365 +y/rzmJGN4fa6Cp78QhtO8CubXrxGLUnSs9CrB7wwQ2rcNa9yTb/ptqeeP9wKhTwG +d+W9D6NiMGAwHQYDVR0OBBYEFMqcqbma1JdARJm7oXyaaN0BTSL1MB8GA1UdIwQY +MBaAFGOKBTlETPwvB/WIPqYAtWGwchqeMAkGA1UdEwQCMAAwEwYDVR0lBAwwCgYI +KwYBBQUHAwEwCwYJYIZIAWUDBAMMA0gAMEUCIQCXnpYI3xKBcJkb5M/3vo4/xf2a +Cdurg8zR8WyPRXdS8QIgT0DMnX5W3ZbVK4p2nd+uyZ/o29TKBLpEtsyuiiZCsS0= +-----END CERTIFICATE----- diff --git a/test/certs/setup.sh b/test/certs/setup.sh index bd8d49337d91a..d517384301975 100755 --- a/test/certs/setup.sh +++ b/test/certs/setup.sh @@ -471,3 +471,9 @@ OPENSSL_SIGALG=ED448 OPENSSL_KEYALG=ed448 ./mkcert.sh genee ed448 \ ./mkcert.sh geneeextra server.example ee-key ee-cert-policies ca-key ca-cert "certificatePolicies=1.3.6.1.4.1.16604.998855.1" # We can create a cert with a duplicate policy oid - but its actually invalid! ./mkcert.sh geneeextra server.example ee-key ee-cert-policies-bad ca-key ca-cert "certificatePolicies=1.3.6.1.4.1.16604.998855.1,1.3.6.1.4.1.16604.998855.1" + +# EC cert signed by curve ca with SHA3-224, SHA3-256, SHA3-384, SHA3-512 +OPENSSL_SIGALG="sha3-224" ./mkcert.sh genee server.example ee-key-ec-named-named ee-cert-ec-sha3-224 ca-key-ec-named ca-cert-ec-named +OPENSSL_SIGALG="sha3-256" ./mkcert.sh genee server.example ee-key-ec-named-named ee-cert-ec-sha3-256 ca-key-ec-named ca-cert-ec-named +OPENSSL_SIGALG="sha3-384" ./mkcert.sh genee server.example ee-key-ec-named-named ee-cert-ec-sha3-384 ca-key-ec-named ca-cert-ec-named +OPENSSL_SIGALG="sha3-512" ./mkcert.sh genee server.example ee-key-ec-named-named ee-cert-ec-sha3-512 ca-key-ec-named ca-cert-ec-named diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t index c69dcb2239319..48af75ab2eb4f 100644 --- a/test/recipes/25-test_verify.t 
+++ b/test/recipes/25-test_verify.t @@ -29,7 +29,7 @@ sub verify { run(app([@args])); } -plan tests => 185; +plan tests => 193; # Canonical success ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), @@ -339,7 +339,7 @@ ok(!verify("ee-cert-md5", "", ["root-cert"], ["ca-cert"]), # Explicit vs named curve tests SKIP: { - skip "EC is not supported by this OpenSSL build", 3 + skip "EC is not supported by this OpenSSL build", 7 if disabled("ec"); ok(!verify("ee-cert-ec-explicit", "", ["root-cert"], ["ca-cert-ec-named"]), @@ -350,6 +350,14 @@ SKIP: { ok(verify("ee-cert-ec-named-named", "", ["root-cert"], ["ca-cert-ec-named"]), "accept named curve leaf with named curve intermediate"); + ok(verify("ee-cert-ec-sha3-224", "", ["root-cert"], ["ca-cert-ec-named"], ), + "accept cert generated with EC and SHA3-224"); + ok(verify("ee-cert-ec-sha3-256", "", ["root-cert"], ["ca-cert-ec-named"], ), + "accept cert generated with EC and SHA3-256"); + ok(verify("ee-cert-ec-sha3-384", "", ["root-cert"], ["ca-cert-ec-named"], ), + "accept cert generated with EC and SHA3-384"); + ok(verify("ee-cert-ec-sha3-512", "", ["root-cert"], ["ca-cert-ec-named"], ), + "accept cert generated with EC and SHA3-512"); } # Same as above but with base provider used for decoding SKIP: { @@ -358,7 +366,7 @@ SKIP: { my $provpath = bldtop_dir("providers"); my @prov = ("-provider-path", $provpath); - skip "EC is not supported or FIPS is disabled", 3 + skip "EC is not supported or FIPS is disabled", 7 if disabled("ec") || $no_fips; run(test(["fips_version_test", "-config", $provconf, ">3.0.0"]), 
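Review bot: The four new `verify(...)` calls in the EC block end their argument list with a dangling `, )` that the neighbouring calls do not have; writing them as `ok(verify("ee-cert-ec-sha3-224", "", ["root-cert"], ["ca-cert-ec-named"]),` keeps the block uniform. The added cases also assert acceptance only. A companion case that expects rejection of a SHA3-signed leaf whose signature does not match would show that the signature is actually checked with the SHA3 digest, not merely that the new OID is recognised; that needs an extra fixture, so it may belong in a follow-up.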
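Review bot: Only the first `skip` of the FIPS SKIP block has its count raised from 3 to 7 here, and the block continues outside the hunk right after the `fips_version_test` run. If a second `skip` follows that run (its result is not used in the visible lines, so one presumably does), it needs the same count, e.g. `skip "<existing message>", 7`. Otherwise a run that bails out at that point reports fewer skipped tests than `plan tests => 193` expects.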
@@ -377,6 +385,14 @@ SKIP: { ok(verify("ee-cert-ec-named-named", "", ["root-cert"], ["ca-cert-ec-named"], @prov), "accept named curve leaf with named curve intermediate w/fips"); + ok(verify("ee-cert-ec-sha3-224", "", ["root-cert"], ["ca-cert-ec-named"], @prov), + "accept cert generated with EC and SHA3-224 w/fips"); + ok(verify("ee-cert-ec-sha3-256", "", ["root-cert"], ["ca-cert-ec-named"], @prov), + "accept cert generated with EC and SHA3-256 w/fips"); + ok(verify("ee-cert-ec-sha3-384", "", ["root-cert"], ["ca-cert-ec-named"], @prov), + "accept cert generated with EC and SHA3-384 w/fips"); + ok(verify("ee-cert-ec-sha3-512", "", ["root-cert"], ["ca-cert-ec-named"], @prov), + "accept cert generated with EC and SHA3-512 w/fips"); delete $ENV{OPENSSL_CONF}; } From 3d3a7ecd1ae5ab08d22041f7b3b035c34f12fa02 Mon Sep 17 00:00:00 2001 From: Danny Tsen Date: Tue, 22 Aug 2023 15:58:53 -0400 Subject: [PATCH 281/324] Improve performance for 6x unrolling with vpermxor instruction Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21812) --- crypto/aes/asm/aesp8-ppc.pl | 145 +++++++++++++++++++++++------------- 1 file changed, 95 insertions(+), 50 deletions(-) diff --git a/crypto/aes/asm/aesp8-ppc.pl b/crypto/aes/asm/aesp8-ppc.pl index 60cf86f52aed2..38b9405a283b7 100755 --- a/crypto/aes/asm/aesp8-ppc.pl +++ b/crypto/aes/asm/aesp8-ppc.pl @@ -99,11 +99,12 @@ .long 0x1b000000, 0x1b000000, 0x1b000000, 0x1b000000 ?rev .long 0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c ?rev .long 0,0,0,0 ?asis +.long 0x0f102132, 0x43546576, 0x8798a9ba, 0xcbdcedfe Lconsts: mflr r0 bcl 20,31,\$+4 mflr $ptr #vvvvv "distance between . and rcon - addi $ptr,$ptr,-0x48 + addi $ptr,$ptr,-0x58 mtlr r0 blr .long 0 
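Review bot: The new row `.long 0x0f102132, 0x43546576, 0x8798a9ba, 0xcbdcedfe` is the only entry visible in this table without a `?rev`/`?asis` tag or a comment, and the adjusted `addi $ptr,$ptr,-0x58` silently depends on the table having grown by one 16-byte row. This vector steers how the XTS tweak bytes are combined, so a wrong byte order on one endianness would yield wrong ciphertext rather than a crash, and the intent should be written down. A comment such as `# vpermxor control for the XTS tweak update, loaded with lxvw4x; left untagged so the words keep native order` would do, if that is indeed the intent. The `addi` comment could also state that 0x58 is the table size plus the two instructions ahead of `mflr $ptr`. The table starts outside the hunk.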
@@ -2405,7 +2406,7 @@ () my $key_=$key2; my ($x00,$x10,$x20,$x30,$x40,$x50,$x60,$x70)=map("r$_",(0,3,26..31)); $x00=0 if ($flavour =~ /osx/); -my ($in0, $in1, $in2, $in3, $in4, $in5 )=map("v$_",(0..5)); +my ($in0, $in1, $in2, $in3, $in4, $in5)=map("v$_",(0..5)); my ($out0, $out1, $out2, $out3, $out4, $out5)=map("v$_",(7,12..16)); my ($twk0, $twk1, $twk2, $twk3, $twk4, $twk5)=map("v$_",(17..22)); my $rndkey0="v23"; # v24-v25 rotating buffer for first found keys @@ -2460,6 +2461,18 @@ () li $x70,0x70 mtspr 256,r0 + # Reverse eighty7 to 0x010101..87 + xxlor 2, 32+$eighty7, 32+$eighty7 + vsldoi $eighty7,$tmp,$eighty7,1 # 0x010101..87 + xxlor 1, 32+$eighty7, 32+$eighty7 + + # Load XOR contents. 0xf102132435465768798a9bacbdcedfe + mr $x70, r6 + bl Lconsts + lxvw4x 0, $x40, r6 # load XOR contents + mr r6, $x70 + li $x70,0x70 + subi $rounds,$rounds,3 # -4 in total lvx $rndkey0,$x00,$key1 # load key schedule 
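Review bot: The setup block added at `@@ -2460,6 +2461,18 @@` addresses registers by raw number (`r6`, VSRs `0`, `1`, `2`) instead of through the Perl names used by the rest of the routine, and it parks `r6` in `$x70` around `bl Lconsts` without saying why. A comment like `mr $x70, r6 # Lconsts hands back the table address in r6; keep the live value` plus named scalars for the three scratch VSRs would make the register contract reviewable. The comment `0xf102132435465768798a9bacbdcedfe` has 31 hex digits; the vector loaded is `0x0f102132435465768798a9bacbdcedfe`. The same block is repeated in the decrypt path at `@@ -3112,6 +3139,18 @@`, and the enclosing function starts and ends outside the hunk.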
@@ -2502,69 +2515,77 @@ () ?vperm v31,v31,$twk5,$keyperm lvx v25,$x10,$key_ # pre-load round[2] + # Switch to use the following codes with 0x010101..87 to generate tweak. + # eighty7 = 0x010101..87 + # vsrab tmp, tweak, seven # next tweak value, right shift 7 bits + # vand tmp, tmp, eighty7 # last byte with carry + # vaddubm tweak, tweak, tweak # left shift 1 bit (x2) + # xxlor vsx, 0, 0 + # vpermxor tweak, tweak, tmp, vsx + vperm $in0,$inout,$inptail,$inpperm subi $inp,$inp,31 # undo "caller" vxor $twk0,$tweak,$rndkey0 vsrab $tmp,$tweak,$seven # next tweak value vaddubm $tweak,$tweak,$tweak - vsldoi $tmp,$tmp,$tmp,15 vand $tmp,$tmp,$eighty7 vxor $out0,$in0,$twk0 - vxor $tweak,$tweak,$tmp + xxlor 32+$in1, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in1 lvx_u $in1,$x10,$inp vxor $twk1,$tweak,$rndkey0 vsrab $tmp,$tweak,$seven # next tweak value vaddubm $tweak,$tweak,$tweak - vsldoi $tmp,$tmp,$tmp,15 le?vperm $in1,$in1,$in1,$leperm vand $tmp,$tmp,$eighty7 vxor $out1,$in1,$twk1 - vxor $tweak,$tweak,$tmp + xxlor 32+$in2, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in2 lvx_u $in2,$x20,$inp andi. 
$taillen,$len,15 vxor $twk2,$tweak,$rndkey0 vsrab $tmp,$tweak,$seven # next tweak value vaddubm $tweak,$tweak,$tweak - vsldoi $tmp,$tmp,$tmp,15 le?vperm $in2,$in2,$in2,$leperm vand $tmp,$tmp,$eighty7 vxor $out2,$in2,$twk2 - vxor $tweak,$tweak,$tmp + xxlor 32+$in3, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in3 lvx_u $in3,$x30,$inp sub $len,$len,$taillen vxor $twk3,$tweak,$rndkey0 vsrab $tmp,$tweak,$seven # next tweak value vaddubm $tweak,$tweak,$tweak - vsldoi $tmp,$tmp,$tmp,15 le?vperm $in3,$in3,$in3,$leperm vand $tmp,$tmp,$eighty7 vxor $out3,$in3,$twk3 - vxor $tweak,$tweak,$tmp + xxlor 32+$in4, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in4 lvx_u $in4,$x40,$inp subi $len,$len,0x60 vxor $twk4,$tweak,$rndkey0 vsrab $tmp,$tweak,$seven # next tweak value vaddubm $tweak,$tweak,$tweak - vsldoi $tmp,$tmp,$tmp,15 le?vperm $in4,$in4,$in4,$leperm vand $tmp,$tmp,$eighty7 vxor $out4,$in4,$twk4 - vxor $tweak,$tweak,$tmp + xxlor 32+$in5, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in5 lvx_u $in5,$x50,$inp addi $inp,$inp,0x60 vxor $twk5,$tweak,$rndkey0 vsrab $tmp,$tweak,$seven # next tweak value vaddubm $tweak,$tweak,$tweak - vsldoi $tmp,$tmp,$tmp,15 le?vperm $in5,$in5,$in5,$leperm vand $tmp,$tmp,$eighty7 vxor $out5,$in5,$twk5 - vxor $tweak,$tweak,$tmp + xxlor 32+$in0, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in0 vxor v31,v31,$rndkey0 mtctr $rounds @@ -2590,6 +2611,8 @@ () lvx v25,$x10,$key_ # round[4] bdnz Loop_xts_enc6x + xxlor 32+$eighty7, 1, 1 # 0x010101..87 + subic $len,$len,96 # $len-=96 vxor $in0,$twk0,v31 # xor with last round key vcipher $out0,$out0,v24 @@ -2599,7 +2622,6 @@ () vaddubm $tweak,$tweak,$tweak vcipher $out2,$out2,v24 vcipher $out3,$out3,v24 - vsldoi $tmp,$tmp,$tmp,15 vcipher $out4,$out4,v24 vcipher $out5,$out5,v24 @@ -2607,7 +2629,8 @@ () vand $tmp,$tmp,$eighty7 vcipher $out0,$out0,v25 vcipher $out1,$out1,v25 - vxor $tweak,$tweak,$tmp + xxlor 32+$in1, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in1 vcipher $out2,$out2,v25 vcipher $out3,$out3,v25 vxor $in1,$twk1,v31 
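Review bot: Each tweak step in the `@@ -2502,69 +2515,77 @@` hunk copies the permute control into the next input register (`xxlor 32+$in1, 0, 0`, then `vpermxor $tweak, $tweak, $tmp, $in1`) just before that register is overwritten by `lvx_u $in1,$x10,$inp`, and nothing in the code says the register is only a scratch at that point. A later reordering of the loads would silently change the tweak chain, so a comment at the first use would help, e.g. `# $in1 is dead until the lvx_u below; borrow it for the vpermxor control`. In the loop hunk at `@@ -2703,7 +2725,10 @@` the borrowed `$in0` already holds a block and has to be saved to VSR 10 and restored; a dedicated scratch vector, if one is free, would remove both tricks. The explanatory comment block lists `vand` before `vaddubm`, while the emitted code has them the other way round.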
@@ -2618,13 +2641,13 @@ () and r0,r0,$len vaddubm $tweak,$tweak,$tweak - vsldoi $tmp,$tmp,$tmp,15 vcipher $out0,$out0,v26 vcipher $out1,$out1,v26 vand $tmp,$tmp,$eighty7 vcipher $out2,$out2,v26 vcipher $out3,$out3,v26 - vxor $tweak,$tweak,$tmp + xxlor 32+$in2, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in2 vcipher $out4,$out4,v26 vcipher $out5,$out5,v26 @@ -2638,7 +2661,6 @@ () vaddubm $tweak,$tweak,$tweak vcipher $out0,$out0,v27 vcipher $out1,$out1,v27 - vsldoi $tmp,$tmp,$tmp,15 vcipher $out2,$out2,v27 vcipher $out3,$out3,v27 vand $tmp,$tmp,$eighty7 @@ -2646,7 +2668,8 @@ () vcipher $out5,$out5,v27 addi $key_,$sp,$FRAME+15 # rewind $key_ - vxor $tweak,$tweak,$tmp + xxlor 32+$in3, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in3 vcipher $out0,$out0,v28 vcipher $out1,$out1,v28 vxor $in3,$twk3,v31 @@ -2655,7 +2678,6 @@ () vcipher $out2,$out2,v28 vcipher $out3,$out3,v28 vaddubm $tweak,$tweak,$tweak - vsldoi $tmp,$tmp,$tmp,15 vcipher $out4,$out4,v28 vcipher $out5,$out5,v28 lvx v24,$x00,$key_ # re-pre-load round[1] @@ -2663,7 +2685,8 @@ () vcipher $out0,$out0,v29 vcipher $out1,$out1,v29 - vxor $tweak,$tweak,$tmp + xxlor 32+$in4, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in4 vcipher $out2,$out2,v29 vcipher $out3,$out3,v29 vxor $in4,$twk4,v31 @@ -2673,14 +2696,14 @@ () vcipher $out5,$out5,v29 lvx v25,$x10,$key_ # re-pre-load round[2] vaddubm $tweak,$tweak,$tweak - vsldoi $tmp,$tmp,$tmp,15 vcipher $out0,$out0,v30 vcipher $out1,$out1,v30 vand $tmp,$tmp,$eighty7 vcipher $out2,$out2,v30 vcipher $out3,$out3,v30 - vxor $tweak,$tweak,$tmp + xxlor 32+$in5, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in5 vcipher $out4,$out4,v30 vcipher $out5,$out5,v30 vxor $in5,$twk5,v31 @@ -2690,7 +2713,6 @@ () vcipherlast $out0,$out0,$in0 lvx_u $in0,$x00,$inp # load next input block vaddubm $tweak,$tweak,$tweak - vsldoi $tmp,$tmp,$tmp,15 vcipherlast $out1,$out1,$in1 lvx_u $in1,$x10,$inp vcipherlast $out2,$out2,$in2 
@@ -2703,7 +2725,10 @@ () vcipherlast $out4,$out4,$in4 le?vperm $in2,$in2,$in2,$leperm lvx_u $in4,$x40,$inp - vxor $tweak,$tweak,$tmp + xxlor 10, 32+$in0, 32+$in0 + xxlor 32+$in0, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in0 + xxlor 32+$in0, 10, 10 vcipherlast $tmp,$out5,$in5 # last block might be needed # in stealing mode le?vperm $in3,$in3,$in3,$leperm @@ -2736,6 +2761,8 @@ () mtctr $rounds beq Loop_xts_enc6x # did $len-=96 borrow? + xxlor 32+$eighty7, 2, 2 # 0x870101..01 + addic. $len,$len,0x60 beq Lxts_enc6x_zero cmpwi $len,0x20 @@ -3112,6 +3139,18 @@ () li $x70,0x70 mtspr 256,r0 + # Reverse eighty7 to 0x010101..87 + xxlor 2, 32+$eighty7, 32+$eighty7 + vsldoi $eighty7,$tmp,$eighty7,1 # 0x010101..87 + xxlor 1, 32+$eighty7, 32+$eighty7 + + # Load XOR contents. 0xf102132435465768798a9bacbdcedfe + mr $x70, r6 + bl Lconsts + lxvw4x 0, $x40, r6 # load XOR contents + mr r6, $x70 + li $x70,0x70 + subi $rounds,$rounds,3 # -4 in total lvx $rndkey0,$x00,$key1 # load key schedule 
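Review bot: In the `@@ -3112` hunk the comment `# Load XOR contents. 0xf102132435465768798a9bacbdcedfe` gives 31 hex digits for a value loaded as a 128-bit vector, so it cannot be checked against the table as written. It presumably lacks a leading zero and should be confirmed against the entry at offset `$x40` of the constants table, which is outside this hunk. The `mr $x70, r6` / `bl Lconsts` / `mr r6, $x70` sequence also relies on `Lconsts` returning the table address in r6 and leaving LR intact, which deserves a one-line comment such as `# Lconsts returns table address in r6; r6 saved in $x70 across the call`. The decrypt-side `xxlor 32+$eighty7, 1, 1` and `xxlor 32+$eighty7, 2, 2` (hunks `@@ -3242` and `@@ -3386`) lack the `# 0x010101..87` and `# 0x870101..01` comments that the encrypt side carries.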
@@ -3159,64 +3198,64 @@ () vxor $twk0,$tweak,$rndkey0 vsrab $tmp,$tweak,$seven # next tweak value vaddubm $tweak,$tweak,$tweak - vsldoi $tmp,$tmp,$tmp,15 vand $tmp,$tmp,$eighty7 vxor $out0,$in0,$twk0 - vxor $tweak,$tweak,$tmp + xxlor 32+$in1, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in1 lvx_u $in1,$x10,$inp vxor $twk1,$tweak,$rndkey0 vsrab $tmp,$tweak,$seven # next tweak value vaddubm $tweak,$tweak,$tweak - vsldoi $tmp,$tmp,$tmp,15 le?vperm $in1,$in1,$in1,$leperm vand $tmp,$tmp,$eighty7 vxor $out1,$in1,$twk1 - vxor $tweak,$tweak,$tmp + xxlor 32+$in2, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in2 lvx_u $in2,$x20,$inp andi. $taillen,$len,15 vxor $twk2,$tweak,$rndkey0 vsrab $tmp,$tweak,$seven # next tweak value vaddubm $tweak,$tweak,$tweak - vsldoi $tmp,$tmp,$tmp,15 le?vperm $in2,$in2,$in2,$leperm vand $tmp,$tmp,$eighty7 vxor $out2,$in2,$twk2 - vxor $tweak,$tweak,$tmp + xxlor 32+$in3, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in3 lvx_u $in3,$x30,$inp sub $len,$len,$taillen vxor $twk3,$tweak,$rndkey0 vsrab $tmp,$tweak,$seven # next tweak value vaddubm $tweak,$tweak,$tweak - vsldoi $tmp,$tmp,$tmp,15 le?vperm $in3,$in3,$in3,$leperm vand $tmp,$tmp,$eighty7 vxor $out3,$in3,$twk3 - vxor $tweak,$tweak,$tmp + xxlor 32+$in4, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in4 lvx_u $in4,$x40,$inp subi $len,$len,0x60 vxor $twk4,$tweak,$rndkey0 vsrab $tmp,$tweak,$seven # next tweak value vaddubm $tweak,$tweak,$tweak - vsldoi $tmp,$tmp,$tmp,15 le?vperm $in4,$in4,$in4,$leperm vand $tmp,$tmp,$eighty7 vxor $out4,$in4,$twk4 - vxor $tweak,$tweak,$tmp + xxlor 32+$in5, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in5 lvx_u $in5,$x50,$inp addi $inp,$inp,0x60 vxor $twk5,$tweak,$rndkey0 vsrab $tmp,$tweak,$seven # next tweak value vaddubm $tweak,$tweak,$tweak - vsldoi $tmp,$tmp,$tmp,15 le?vperm $in5,$in5,$in5,$leperm vand $tmp,$tmp,$eighty7 vxor $out5,$in5,$twk5 - vxor $tweak,$tweak,$tmp + xxlor 32+$in0, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in0 vxor v31,v31,$rndkey0 mtctr $rounds 
@@ -3242,6 +3281,8 @@ () lvx v25,$x10,$key_ # round[4] bdnz Loop_xts_dec6x + xxlor 32+$eighty7, 1, 1 + subic $len,$len,96 # $len-=96 vxor $in0,$twk0,v31 # xor with last round key vncipher $out0,$out0,v24 @@ -3251,7 +3292,6 @@ () vaddubm $tweak,$tweak,$tweak vncipher $out2,$out2,v24 vncipher $out3,$out3,v24 - vsldoi $tmp,$tmp,$tmp,15 vncipher $out4,$out4,v24 vncipher $out5,$out5,v24 @@ -3259,7 +3299,8 @@ () vand $tmp,$tmp,$eighty7 vncipher $out0,$out0,v25 vncipher $out1,$out1,v25 - vxor $tweak,$tweak,$tmp + xxlor 32+$in1, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in1 vncipher $out2,$out2,v25 vncipher $out3,$out3,v25 vxor $in1,$twk1,v31 @@ -3270,13 +3311,13 @@ () and r0,r0,$len vaddubm $tweak,$tweak,$tweak - vsldoi $tmp,$tmp,$tmp,15 vncipher $out0,$out0,v26 vncipher $out1,$out1,v26 vand $tmp,$tmp,$eighty7 vncipher $out2,$out2,v26 vncipher $out3,$out3,v26 - vxor $tweak,$tweak,$tmp + xxlor 32+$in2, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in2 vncipher $out4,$out4,v26 vncipher $out5,$out5,v26 @@ -3290,7 +3331,6 @@ () vaddubm $tweak,$tweak,$tweak vncipher $out0,$out0,v27 vncipher $out1,$out1,v27 - vsldoi $tmp,$tmp,$tmp,15 vncipher $out2,$out2,v27 vncipher $out3,$out3,v27 vand $tmp,$tmp,$eighty7 @@ -3298,7 +3338,8 @@ () vncipher $out5,$out5,v27 addi $key_,$sp,$FRAME+15 # rewind $key_ - vxor $tweak,$tweak,$tmp + xxlor 32+$in3, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in3 vncipher $out0,$out0,v28 vncipher $out1,$out1,v28 vxor $in3,$twk3,v31 @@ -3307,7 +3348,6 @@ () vncipher $out2,$out2,v28 vncipher $out3,$out3,v28 vaddubm $tweak,$tweak,$tweak - vsldoi $tmp,$tmp,$tmp,15 vncipher $out4,$out4,v28 vncipher $out5,$out5,v28 lvx v24,$x00,$key_ # re-pre-load round[1] @@ -3315,7 +3355,8 @@ () vncipher $out0,$out0,v29 vncipher $out1,$out1,v29 - vxor $tweak,$tweak,$tmp + xxlor 32+$in4, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in4 vncipher $out2,$out2,v29 vncipher $out3,$out3,v29 vxor $in4,$twk4,v31 
@@ -3325,14 +3366,14 @@ () vncipher $out5,$out5,v29 lvx v25,$x10,$key_ # re-pre-load round[2] vaddubm $tweak,$tweak,$tweak - vsldoi $tmp,$tmp,$tmp,15 vncipher $out0,$out0,v30 vncipher $out1,$out1,v30 vand $tmp,$tmp,$eighty7 vncipher $out2,$out2,v30 vncipher $out3,$out3,v30 - vxor $tweak,$tweak,$tmp + xxlor 32+$in5, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in5 vncipher $out4,$out4,v30 vncipher $out5,$out5,v30 vxor $in5,$twk5,v31 @@ -3342,7 +3383,6 @@ () vncipherlast $out0,$out0,$in0 lvx_u $in0,$x00,$inp # load next input block vaddubm $tweak,$tweak,$tweak - vsldoi $tmp,$tmp,$tmp,15 vncipherlast $out1,$out1,$in1 lvx_u $in1,$x10,$inp vncipherlast $out2,$out2,$in2 @@ -3355,7 +3395,10 @@ () vncipherlast $out4,$out4,$in4 le?vperm $in2,$in2,$in2,$leperm lvx_u $in4,$x40,$inp - vxor $tweak,$tweak,$tmp + xxlor 10, 32+$in0, 32+$in0 + xxlor 32+$in0, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in0 + xxlor 32+$in0, 10, 10 vncipherlast $out5,$out5,$in5 le?vperm $in3,$in3,$in3,$leperm lvx_u $in5,$x50,$inp @@ -3386,6 +3429,8 @@ () mtctr $rounds beq Loop_xts_dec6x # did $len-=96 borrow? + xxlor 32+$eighty7, 2, 2 + addic. $len,$len,0x60 beq Lxts_dec6x_zero cmpwi $len,0x20 From 92986c0be56bc8bf9c414dab59d4f1e128f1e843 Mon Sep 17 00:00:00 2001 From: "Matthias St. Pierre" Date: Fri, 29 Sep 2023 15:31:37 +0200 Subject: [PATCH 282/324] doc: correct the SSL_CTX_set_info_callback(3) manual page The info callback is not prototyped correctly, and the code example fails to compile because of const-incorrectness. Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22224) --- doc/man3/SSL_CTX_set_info_callback.pod | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/doc/man3/SSL_CTX_set_info_callback.pod b/doc/man3/SSL_CTX_set_info_callback.pod index 9cee642073848..99f59b063c224 100644 --- a/doc/man3/SSL_CTX_set_info_callback.pod +++ b/doc/man3/SSL_CTX_set_info_callback.pod 
@@ -12,11 +12,15 @@ SSL_get_info_callback #include - void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*callback)()); - void (*SSL_CTX_get_info_callback(const SSL_CTX *ctx))(); + void SSL_CTX_set_info_callback(SSL_CTX *ctx, + void (*callback) (const SSL *ssl, int type, int val)); - void SSL_set_info_callback(SSL *ssl, void (*callback)()); - void (*SSL_get_info_callback(const SSL *ssl))(); + void (*SSL_CTX_get_info_callback(SSL_CTX *ctx)) (const SSL *ssl, int type, int val); + + void SSL_set_info_callback(SSL *ssl, + void (*callback) (const SSL *ssl, int type, int val)); + + void (*SSL_get_info_callback(const SSL *ssl)) (const SSL *ssl, int type, int val); =head1 DESCRIPTION @@ -119,7 +123,7 @@ SSL_get_info_callback() returns the current setting. The following example callback function prints state strings, information about alerts being handled and error messages to the B BIO. - void apps_ssl_info_callback(SSL *s, int where, int ret) + void apps_ssl_info_callback(const SSL *s, int where, int ret) { const char *str; int w = where & ~SSL_ST_MASK; From febe8cf4dee9939ee3e5523b6f14d9dc1ec74153 Mon Sep 17 00:00:00 2001 From: Dmitry Misharov Date: Thu, 28 Sep 2023 14:21:37 +0300 Subject: [PATCH 283/324] remove files under test directory from coverage report Reviewed-by: Matt Caswell Reviewed-by: Paul Dale Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22212) --- .github/workflows/coveralls.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/coveralls.yml b/.github/workflows/coveralls.yml index bdb576fd650a5..5330984c71c4d 100644 --- a/.github/workflows/coveralls.yml +++ b/.github/workflows/coveralls.yml 
@@ -64,7 +64,13 @@ jobs: - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} TESTS='-test_external_krb5' - name: generate coverage info - run: lcov -d . -c -o ./lcov.info + run: lcov -d . -c \ + --exclude "${PWD}/test/*" \ + --exclude "${PWD}/test/helpers/*" \ + --exclude "${PWD}/test/testutil/*" \ + --exclude "${PWD}/fuzz/*" \ + --exclude "/usr/include/*" \ + -o ./lcov.info - name: Coveralls upload uses: coverallsapp/github-action@v2.2.3 with: From ad4af6dfca8344516bb658b1745a530635af9433 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 28 Sep 2023 13:59:45 +0100 Subject: [PATCH 284/324] Fix timeouts in the quic_multistream test script 13 Script 13 is a stress test which can timeout on some low powered platforms or with some options that significantly slow performance. We increase the timeout. Reviewed-by: Paul Dale Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22214) --- test/quic_multistream_test.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/quic_multistream_test.c b/test/quic_multistream_test.c index 2ad4ef292e2d8..58b0831ebb9ae 100644 --- a/test/quic_multistream_test.c +++ b/test/quic_multistream_test.c @@ -1053,7 +1053,7 @@ static int run_script_worker(struct helper *h, const struct script_op *script, first = 0; offset = 0; op_start_time = ossl_time_now(); - op_deadline = ossl_time_add(op_start_time, ossl_ms2time(8000)); + op_deadline = ossl_time_add(op_start_time, ossl_ms2time(60000)); } if (!TEST_int_le(ossl_time_compare(ossl_time_now(), op_deadline), 0)) { From f7e7bbcd7850b96d02dd0f4dd49b3365b320776c Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Oct 2023 17:23:41 +0000 Subject: [PATCH 285/324] Bump actions/setup-python from 4.7.0 to 4.7.1 Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.7.0 to 4.7.1. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/v4.7.0...v4.7.1) --- updated-dependencies: - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] CLA: trivial Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22254) --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 596a82a560a72..1eeaa69ba2c6a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -442,7 +442,7 @@ jobs: - name: make run: make -s -j4 - name: Setup Python - uses: actions/setup-python@v4.7.0 + uses: actions/setup-python@v4.7.1 with: python-version: ${{ matrix.PYTHON }} - uses: actions-rs/toolchain@v1 From 07829409b6fb40ce4f5c4ec633180280909c732b Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 3 Oct 2023 08:39:31 +0200 Subject: [PATCH 286/324] coveralls: Fix invocation of lcov Fixes recent regression from commit febe8cf4dee9939ee3e5523b6f14d9dc1ec74153 Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22258) --- .github/workflows/coveralls.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/coveralls.yml b/.github/workflows/coveralls.yml index 5330984c71c4d..e22c0099c024d 100644 --- a/.github/workflows/coveralls.yml +++ b/.github/workflows/coveralls.yml 
@@ -64,12 +64,12 @@ jobs: - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} TESTS='-test_external_krb5' - name: generate coverage info - run: lcov -d . -c \ - --exclude "${PWD}/test/*" \ - --exclude "${PWD}/test/helpers/*" \ - --exclude "${PWD}/test/testutil/*" \ - --exclude "${PWD}/fuzz/*" \ - --exclude "/usr/include/*" \ + run: lcov -d . -c + --exclude "${PWD}/test/*" + --exclude "${PWD}/test/helpers/*" + --exclude "${PWD}/test/testutil/*" + --exclude "${PWD}/fuzz/*" + --exclude "/usr/include/*" -o ./lcov.info - name: Coveralls upload uses: coverallsapp/github-action@v2.2.3 From 2d374e1c665a79af6e0939afe37fcc657af91357 Mon Sep 17 00:00:00 2001 From: Dmitry Misharov Date: Thu, 28 Sep 2023 11:50:55 +0300 Subject: [PATCH 287/324] GH action workflows: Add cpu report before 'make test' Reviewed-by: Dmitry Belyavskiy Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22232) --- .github/workflows/ci.yml | 91 ++++++++++++++++++++ .github/workflows/compiler-zoo.yml | 4 + .github/workflows/coveralls.yml | 4 + .github/workflows/cross-compiles.yml | 3 + .github/workflows/fuzz-checker.yml | 4 + .github/workflows/os-zoo.yml | 23 +++++ .github/workflows/provider-compatibility.yml | 13 ++- .github/workflows/run-checker-ci.yml | 4 + .github/workflows/run-checker-daily-sctp.yml | 5 ++ .github/workflows/run-checker-daily.yml | 4 + .github/workflows/run-checker-merge.yml | 4 + .github/workflows/windows.yml | 33 +++++++ .github/workflows/windows_comp.yml | 22 +++++ 13 files changed, 213 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1eeaa69ba2c6a..6c89c650961dc 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -83,6 +83,10 @@ jobs: run: CC=gcc ./config --banner=Configured enable-fips enable-quic --strict-warnings && perl configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} @@ -96,6 +100,10 @@ jobs: run: CC=clang ./config --banner=Configured no-fips --strict-warnings && perl configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} @@ -109,6 +117,10 @@ jobs: run: ./config --banner=Configured --strict-warnings no-bulk no-pic no-asm -DOPENSSL_NO_SECURE_MEMORY -DOPENSSL_SMALL_FOOTPRINT && perl configdata.pm --dump - name: make run: make -j4 # verbose, so no -s here + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} @@ -122,6 +134,10 @@ jobs: run: ./config --banner=Configured --strict-warnings no-deprecated enable-fips && perl configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} @@ -138,6 +154,8 @@ jobs: run: ./config --banner=Configured --strict-warnings no-shared no-fips && perl configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} 
@@ -151,6 +169,10 @@ jobs: run: ./config --banner=Configured --debug enable-asan enable-ubsan no-cached-fetch no-fips no-dtls no-tls1 no-tls1-method no-tls1_1 no-tls1_1-method no-async && perl configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} OPENSSL_TEST_RAND_ORDER=0 TESTS="-test_fuzz* -test_ssl_* -test_sslapi -test_evp -test_cmp_http -test_verify -test_cms -test_store -test_enc -[01][0-9]" @@ -164,6 +186,10 @@ jobs: run: ./config --banner=Configured --debug enable-asan enable-ubsan enable-rc5 enable-md2 enable-ec_nistp_64_gcc_128 enable-fips -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION && perl configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} OPENSSL_TEST_RAND_ORDER=0 @@ -178,6 +204,10 @@ jobs: run: CC=clang ./config --banner=Configured --debug -O1 -fsanitize=memory -DOSSL_SANITIZE_MEMORY -fno-optimize-sibling-calls enable-rc5 enable-md2 enable-ec_nistp_64_gcc_128 enable-fips && perl configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} OPENSSL_TEST_RAND_ORDER=0 @@ -191,6 +221,10 @@ jobs: run: CC=clang ./config --banner=Configured no-fips --strict-warnings -fsanitize=thread && perl configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make V=1 TESTS="test_threads test_internal_provider test_provfetch test_provider test_pbe test_evp_kdf test_pkcs12 test_store test_evp test_quic*" test HARNESS_JOBS=${HARNESS_JOBS:-4} 
@@ -206,6 +240,10 @@ jobs: run: ./config --banner=Configured --strict-warnings no-ec enable-ssl-trace enable-zlib enable-zlib-dynamic enable-crypto-mdebug enable-crypto-mdebug-backtrace enable-egd enable-ktls enable-fips no-threads && perl configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} @@ -221,6 +259,10 @@ jobs: run: ./config --banner=Configured --strict-warnings enable-ktls enable-fips && perl configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} @@ -239,6 +281,10 @@ jobs: run: ./config enable-comp enable-brotli enable-brotli-dynamic && perl configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} @@ -257,6 +303,10 @@ jobs: run: ./config enable-comp enable-zstd enable-zstd-dynamic && perl configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} @@ -276,6 +326,10 @@ jobs: run: ./config enable-comp enable-brotli enable-brotli-dynamic enable-zstd enable-zstd-dynamic && perl configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} 
@@ -294,6 +348,10 @@ jobs: run: ./config --banner=Configured --debug enable-asan enable-ubsan enable-comp enable-brotli -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -DPEDANTIC && perl configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} OPENSSL_TEST_RAND_ORDER=0 @@ -312,6 +370,10 @@ jobs: run: ./config --banner=Configured --debug enable-asan enable-ubsan enable-comp enable-zstd -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -DPEDANTIC && perl configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} OPENSSL_TEST_RAND_ORDER=0 @@ -325,6 +387,10 @@ jobs: run: ./config --banner=Configured --strict-warnings no-legacy enable-fips && perl configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} @@ -338,6 +404,10 @@ jobs: run: ./config --banner=Configured -Werror --debug no-afalgeng no-shared enable-crypto-mdebug enable-rc5 enable-md2 enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 no-fips && perl configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} @@ -354,6 +424,8 @@ jobs: run: CC=gcc ./config --banner=Configured enable-tfo --strict-warnings && perl configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} 
@@ -367,6 +439,10 @@ jobs: run: ./config --banner=Configured no-asm no-makedepend enable-buildtest-c++ enable-fips --strict-warnings -D_DEFAULT_SOURCE && perl configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} @@ -389,6 +465,9 @@ jobs: - name: make run: make -s -j4 working-directory: ./build + - name: get cpu info + run: ./util/opensslwrap.sh version -c + working-directory: ./build - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} working-directory: ./build @@ -416,6 +495,10 @@ jobs: run: ./config --banner=Configured --strict-warnings --debug no-afalgeng enable-rc5 enable-md2 enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 enable-external-tests no-fips && perl configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: test external gost-engine run: make test TESTS="test_external_gost_engine" - name: test external krb5 @@ -451,6 +534,10 @@ jobs: toolchain: ${{ matrix.RUST }} override: true default: true + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: test external pyca run: make test TESTS="test_external_pyca" VERBOSE=1 @@ -469,5 +556,9 @@ jobs: profile: default toolchain: stable default: true + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: test external Cloudflare quiche run: make test TESTS="test_external_cf_quiche" VERBOSE=1 diff --git a/.github/workflows/compiler-zoo.yml b/.github/workflows/compiler-zoo.yml index 658d33f082a45..30634fccc3ffe 100644 --- a/.github/workflows/compiler-zoo.yml +++ b/.github/workflows/compiler-zoo.yml 
@@ -127,5 +127,9 @@ jobs: run: ./configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} diff --git a/.github/workflows/coveralls.yml b/.github/workflows/coveralls.yml index e22c0099c024d..d321bc483a662 100644 --- a/.github/workflows/coveralls.yml +++ b/.github/workflows/coveralls.yml @@ -61,6 +61,10 @@ jobs: run: ./configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} TESTS='-test_external_krb5' - name: generate coverage info diff --git a/.github/workflows/cross-compiles.yml b/.github/workflows/cross-compiles.yml index e2cd6cbb003a9..79af07c701678 100644 --- a/.github/workflows/cross-compiles.yml +++ b/.github/workflows/cross-compiles.yml @@ -195,6 +195,9 @@ jobs: run: echo "OPENSSL_${{ matrix.platform.opensslcapsname }}=\ ${{ matrix.platform.opensslcaps }}" >> $GITHUB_ENV + - name: get cpu info + run: cat /proc/cpuinfo + - name: make all tests if: github.event_name == 'push' && matrix.platform.tests == '' run: | diff --git a/.github/workflows/fuzz-checker.yml b/.github/workflows/fuzz-checker.yml index 3e84fdbac6fc6..766a4a1326ecb 100644 --- a/.github/workflows/fuzz-checker.yml +++ b/.github/workflows/fuzz-checker.yml @@ -63,6 +63,10 @@ jobs: - name: make sans explicit linker if: matrix.fuzzy.linker == '' run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test restricted if: matrix.fuzzy.tests != '' run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} TESTS="${{ matrix.fuzzy.tests }}" diff --git a/.github/workflows/os-zoo.yml b/.github/workflows/os-zoo.yml index 98fe0c744cc42..d3dc6770c31f1 100644 --- a/.github/workflows/os-zoo.yml +++ b/.github/workflows/os-zoo.yml 
@@ -43,6 +43,10 @@ jobs: run: ./configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} @@ -89,6 +93,10 @@ jobs: run: ./configdata.pm --dump - name: make run: make -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} @@ -111,6 +119,10 @@ jobs: run: ./configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + sysctl machdep.cpu + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} @@ -141,6 +153,17 @@ jobs: - name: build working-directory: _build run: nmake /S + - name: download coreinfo + uses: suisei-cn/actions-download-file@v1.3.0 + with: + url: "https://download.sysinternals.com/files/Coreinfo.zip" + target: _build/coreinfo/ + - name: get cpu info + working-directory: _build + run: | + 7z.exe x coreinfo/Coreinfo.zip + ./Coreinfo64.exe -accepteula -f + apps/openssl.exe version -c - name: test working-directory: _build run: nmake test VERBOSE_FAILURE=yes HARNESS_JOBS=4 diff --git a/.github/workflows/provider-compatibility.yml b/.github/workflows/provider-compatibility.yml index e95a8475220c8..ccb0fbdd7d803 100644 --- a/.github/workflows/provider-compatibility.yml +++ b/.github/workflows/provider-compatibility.yml @@ -10,7 +10,6 @@ name: Provider compatibility across versions - # NOTE: if this is being run on pull_request, it will **not** use the pull # request's branch. It is hardcoded to use the master branch. # @@ -160,6 +159,12 @@ jobs: -providers working-directory: ${{ matrix.branch.dir }} + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c + working-directory: ${{ matrix.branch.dir }} + - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} working-directory: ${{ matrix.branch.dir }} 
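Review bot: The Windows job in the os-zoo.yml hunk `@@ -141` downloads `Coreinfo.zip` through a third-party action referenced by a mutable tag and then runs `Coreinfo64.exe` on the runner with no integrity check. The same pair of steps is added in windows.yml and windows_comp.yml (five more jobs). I would pin the action to a full commit SHA and verify the archive before extracting it. Because the download URL is unversioned, a fixed digest must be updated when the file is republished; checking the binary's Authenticode status with `Get-AuthenticodeSignature` is an alternative that survives updates.

```yaml
      - name: download coreinfo
        uses: suisei-cn/actions-download-file@<FULL_COMMIT_SHA>  # placeholder: pin to the reviewed commit
        # … unchanged: with: url / target …
      - name: verify coreinfo archive
        working-directory: _build
        shell: pwsh
        run: |
          $got = (Get-FileHash coreinfo/Coreinfo.zip -Algorithm SHA256).Hash
          if ($got -ne "<EXPECTED_SHA256>") { throw "Coreinfo.zip digest mismatch" }
```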
@@ -230,6 +235,12 @@ jobs: -providers working-directory: ${{ matrix.tree_b }} + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c + working-directory: ${{ matrix.branch.dir }} + - name: run cross validation tests of FIPS from A with tree from B if: steps.early_exit.outcome == 'success' run: | diff --git a/.github/workflows/run-checker-ci.yml b/.github/workflows/run-checker-ci.yml index b4a20bcedd936..2b7ca84d86e76 100644 --- a/.github/workflows/run-checker-ci.yml +++ b/.github/workflows/run-checker-ci.yml @@ -50,5 +50,9 @@ jobs: run: ./configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} diff --git a/.github/workflows/run-checker-daily-sctp.yml b/.github/workflows/run-checker-daily-sctp.yml index d258847e7e5f6..ba9a5178f02f1 100644 --- a/.github/workflows/run-checker-daily-sctp.yml +++ b/.github/workflows/run-checker-daily-sctp.yml @@ -43,6 +43,11 @@ jobs: if: steps.sctp_auth.outcome == 'success' && steps.sctp_auth.conclusion == 'success' run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c + - name: make test if: steps.sctp_auth.outcome == 'success' && steps.sctp_auth.conclusion == 'success' run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} diff --git a/.github/workflows/run-checker-daily.yml b/.github/workflows/run-checker-daily.yml index fe8a3a8e66c79..fdd07294a4a14 100644 --- a/.github/workflows/run-checker-daily.yml +++ b/.github/workflows/run-checker-daily.yml @@ -144,5 +144,9 @@ jobs: run: ./configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} diff --git a/.github/workflows/run-checker-merge.yml b/.github/workflows/run-checker-merge.yml index 31148bf0b82d5..461f16527d557 100644 
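Review bot: The `get cpu info` step added in the provider-compatibility.yml hunk `@@ -230` uses `working-directory: ${{ matrix.branch.dir }}`, while the neighbouring steps in this job use `${{ matrix.tree_b }}`. It looks copied from the `@@ -160` hunk of the other job. If this job's matrix does not define `branch.dir`, the expression is empty and `./util/opensslwrap.sh` will probably not be found. I would change it to `working-directory: ${{ matrix.tree_b }}`, and consider adding `if: steps.early_exit.outcome == 'success'` to match the step that follows, so it does not run against a tree that was never built. The job definition starts outside this hunk, so the matrix keys should be confirmed there.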
--- a/.github/workflows/run-checker-merge.yml +++ b/.github/workflows/run-checker-merge.yml @@ -46,5 +46,9 @@ jobs: run: ./configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index 9c32d2689bd2e..29ad9689e943e 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml @@ -47,6 +47,17 @@ jobs: - name: build working-directory: _build run: nmake /S + - name: download coreinfo + uses: suisei-cn/actions-download-file@v1.3.0 + with: + url: "https://download.sysinternals.com/files/Coreinfo.zip" + target: _build/coreinfo/ + - name: get cpu info + working-directory: _build + run: | + 7z.exe x coreinfo/Coreinfo.zip + ./Coreinfo64.exe -accepteula -f + ./apps/openssl.exe version -c - name: test working-directory: _build run: nmake test VERBOSE_FAILURE=yes TESTS=-test_fuzz* HARNESS_JOBS=4 @@ -80,6 +91,17 @@ jobs: - name: build working-directory: _build run: nmake /S + - name: download coreinfo + uses: suisei-cn/actions-download-file@v1.3.0 + with: + url: "https://download.sysinternals.com/files/Coreinfo.zip" + target: _build/coreinfo/ + - name: get cpu info + working-directory: _build + run: | + 7z.exe x coreinfo/Coreinfo.zip + ./Coreinfo64.exe -accepteula -f + ./apps/openssl.exe version -c - name: test working-directory: _build run: nmake test VERBOSE_FAILURE=yes HARNESS_JOBS=4 
@@ -106,6 +128,17 @@ jobs: - name: build working-directory: _build run: nmake # verbose, so no /S here + - name: download coreinfo + uses: suisei-cn/actions-download-file@v1.3.0 + with: + url: "https://download.sysinternals.com/files/Coreinfo.zip" + target: _build/coreinfo/ + - name: get cpu info + working-directory: _build + run: | + 7z.exe x coreinfo/Coreinfo.zip + ./Coreinfo64.exe -accepteula -f + ./apps/openssl.exe version -c - name: test working-directory: _build run: nmake test VERBOSE_FAILURE=yes TESTS=-test_fuzz* HARNESS_JOBS=4 diff --git a/.github/workflows/windows_comp.yml b/.github/workflows/windows_comp.yml index 8f19b812a7350..3ffd5f2e720a0 100644 --- a/.github/workflows/windows_comp.yml +++ b/.github/workflows/windows_comp.yml @@ -41,6 +41,17 @@ jobs: - name: build working-directory: _build run: nmake + - name: download coreinfo + uses: suisei-cn/actions-download-file@v1.3.0 + with: + url: "https://download.sysinternals.com/files/Coreinfo.zip" + target: _build/coreinfo/ + - name: get cpu info + working-directory: _build + run: | + 7z.exe x coreinfo/Coreinfo.zip + ./Coreinfo64.exe -accepteula -f + ./apps/openssl.exe version -c - name: test working-directory: _build run: | @@ -68,6 +79,17 @@ jobs: - name: build working-directory: _build run: nmake + - name: download coreinfo + uses: suisei-cn/actions-download-file@v1.3.0 + with: + url: "https://download.sysinternals.com/files/Coreinfo.zip" + target: _build/coreinfo/ + - name: get cpu info + working-directory: _build + run: | + 7z.exe x coreinfo/Coreinfo.zip + ./Coreinfo64.exe -accepteula -f + ./apps/openssl.exe version -c - name: test working-directory: _build run: | From 4a1bdb0b7a3d04c1f18a27a10a1aab354eef608b Mon Sep 17 00:00:00 2001 
From: Tomas Mraz Date: Fri, 29 Sep 2023 12:09:10 +0200 Subject: [PATCH 288/324] coveralls: Drop no-shared and -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22222) --- .github/workflows/coveralls.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/coveralls.yml b/.github/workflows/coveralls.yml index d321bc483a662..6df0543e5d863 100644 --- a/.github/workflows/coveralls.yml +++ b/.github/workflows/coveralls.yml @@ -26,13 +26,13 @@ jobs: branches: [ { branch: openssl-3.1, - extra_config: no-afalgeng enable-fips enable-ssl-trace enable-trace enable-zlib enable-rc5 enable-md2 enable-weak-ssl-ciphers enable-ec_nistp_64_gcc_128 + extra_config: no-afalgeng enable-fips }, { branch: openssl-3.0, - extra_config: no-afalgeng enable-fips enable-ssl-trace enable-trace enable-zlib enable-rc5 enable-md2 enable-weak-ssl-ciphers enable-ec_nistp_64_gcc_128 + extra_config: no-afalgeng enable-fips }, { branch: master, - extra_config: no-afalgeng enable-fips enable-ssl-trace enable-trace enable-zlib enable-rc5 enable-md2 enable-weak-ssl-ciphers enable-ec_nistp_64_gcc_128 enable-tfo + extra_config: no-afalgeng enable-fips enable-tfo } ] runs-on: ubuntu-latest 
@@ -56,7 +56,7 @@ jobs: - name: setup hostname workaround run: sudo hostname localhost - name: config - run: CC=gcc ./config --debug --coverage ${{ matrix.branches.extra_config }} no-asm enable-rc5 enable-md2 enable-ssl3 enable-nextprotoneg enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 no-shared enable-buildtest-c++ enable-external-tests -DPEDANTIC -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION + run: CC=gcc ./config --debug --coverage ${{ matrix.branches.extra_config }} no-asm enable-rc5 enable-md2 enable-ssl3 enable-nextprotoneg enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 enable-buildtest-c++ enable-ssl-trace enable-trace - name: config dump run: ./configdata.pm --dump - name: make From d2751ee3932e72b848c22ee2ebddce2e9c93a7ed Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 29 Sep 2023 14:55:05 +0200 Subject: [PATCH 289/324] quicapitest: Enable test_ssl_trace with enable-zlib To improve Coverage mapping in Coveralls make it possible to run test_ssl_trace() with enable-zlib Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22222) --- test/quicapitest.c | 11 +- .../75-test_quicapi_data/ssltraceref-zlib.txt | 302 ++++++++++++++++++ 2 files changed, 309 insertions(+), 4 deletions(-) create mode 100644 test/recipes/75-test_quicapi_data/ssltraceref-zlib.txt diff --git a/test/quicapitest.c b/test/quicapitest.c index 8452ba4b62daf..273f1421e7926 100644 --- a/test/quicapitest.c +++ b/test/quicapitest.c 
@@ -33,10 +33,9 @@ static char *datadir = NULL; static int is_fips = 0; /* The ssltrace test assumes some options are switched on/off */ -#if !defined(OPENSSL_NO_SSL_TRACE) && !defined(OPENSSL_NO_EC) \ - && defined(OPENSSL_NO_ZLIB) && defined(OPENSSL_NO_BROTLI) \ - && defined(OPENSSL_NO_ZSTD) && !defined(OPENSSL_NO_ECX) \ - && !defined(OPENSSL_NO_DH) +#if !defined(OPENSSL_NO_SSL_TRACE) \ + && defined(OPENSSL_NO_BROTLI) && defined(OPENSSL_NO_ZSTD) \ + && !defined(OPENSSL_NO_ECX) && !defined(OPENSSL_NO_DH) # define DO_SSL_TRACE_TEST #endif @@ -426,7 +425,11 @@ static int compare_with_file(BIO *membio) int ret = 0; size_t i; +#ifdef OPENSSL_NO_ZLIB reffile = test_mk_file_path(datadir, "ssltraceref.txt"); +#else + reffile = test_mk_file_path(datadir, "ssltraceref-zlib.txt"); +#endif if (!TEST_ptr(reffile)) goto err; diff --git a/test/recipes/75-test_quicapi_data/ssltraceref-zlib.txt b/test/recipes/75-test_quicapi_data/ssltraceref-zlib.txt new file mode 100644 index 0000000000000..e8bdee624fbcc --- /dev/null +++ b/test/recipes/75-test_quicapi_data/ssltraceref-zlib.txt 
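Review bot: The comment above `DO_SSL_TRACE_TEST` still says only that the test "assumes some options are switched on/off", but the `#if` no longer checks `OPENSSL_NO_EC` or `OPENSSL_NO_ZLIB`. The added ssltraceref-zlib.txt lists EC groups and `ec_point_formats`, so the guard now seems to rely on a no-ec build also defining `OPENSSL_NO_ECX`; that is not visible in this hunk. A comment such as `/* zlib builds compare against ssltraceref-zlib.txt; no-ec is assumed to imply OPENSSL_NO_ECX */` would record both assumptions next to the condition.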
@@ -0,0 +1,302 @@ +Sent TLS Record +Header: + Version = TLS 1.0 (0x301) + Content Type = Handshake (22) + Length = 263 + ClientHello, Length=259 + client_version=0x303 (TLS 1.2) + Random: + gmt_unix_time=0x???????? + random_bytes (len=28): ???????????????????????????????????????????????????????? + session_id (len=0): + cipher_suites (len=2) + {0x13, 0x01} TLS_AES_128_GCM_SHA256 + compression_methods (len=1) + No Compression (0x00) + extensions, length = 216 + extension_type=UNKNOWN(57), length=49 + 0000 - 0c 00 0f 00 01 04 80 00-75 30 03 02 44 b0 0e ........u0..D.. + 000f - 01 02 04 04 80 0c 00 00-05 04 80 08 00 00 06 ............... + 001e - 04 80 08 00 00 07 04 80-08 00 00 08 02 40 64 .............@d + 002d - 09 02 40 64 ..@d + extension_type=ec_point_formats(11), length=4 + uncompressed (0) + ansiX962_compressed_prime (1) + ansiX962_compressed_char2 (2) + extension_type=supported_groups(10), length=22 + ecdh_x25519 (29) + secp256r1 (P-256) (23) + ecdh_x448 (30) + secp521r1 (P-521) (25) + secp384r1 (P-384) (24) + ffdhe2048 (256) + ffdhe3072 (257) + ffdhe4096 (258) + ffdhe6144 (259) + ffdhe8192 (260) + extension_type=session_ticket(35), length=0 + extension_type=application_layer_protocol_negotiation(16), length=11 + ossltest + extension_type=encrypt_then_mac(22), length=0 + extension_type=extended_master_secret(23), length=0 + extension_type=signature_algorithms(13), length=36 + ecdsa_secp256r1_sha256 (0x0403) + ecdsa_secp384r1_sha384 (0x0503) + ecdsa_secp521r1_sha512 (0x0603) + ed25519 (0x0807) + ed448 (0x0808) + ecdsa_brainpoolP256r1_sha256 (0x081a) + ecdsa_brainpoolP384r1_sha384 (0x081b) + ecdsa_brainpoolP512r1_sha512 (0x081c) + rsa_pss_pss_sha256 (0x0809) + rsa_pss_pss_sha384 (0x080a) + rsa_pss_pss_sha512 (0x080b) + rsa_pss_rsae_sha256 (0x0804) + rsa_pss_rsae_sha384 (0x0805) + rsa_pss_rsae_sha512 (0x0806) + rsa_pkcs1_sha256 (0x0401) + rsa_pkcs1_sha384 (0x0501) + rsa_pkcs1_sha512 (0x0601) + extension_type=supported_versions(43), length=3 + TLS 1.3 (772) + 
extension_type=psk_key_exchange_modes(45), length=2 + psk_dhe_ke (1) + extension_type=key_share(51), length=38 + NamedGroup: ecdh_x25519 (29) + key_exchange: (len=32): ???????????????????????????????????????????????????????????????? + extension_type=compress_certificate(27), length=3 + zlib (1) + +Sent Frame: Crypto + Offset: 0 + Len: 263 +Sent Frame: Padding +Sent Packet + Packet Type: Initial + Version: 0x00000001 + Destination Conn Id: 0x???????????????? + Source Conn Id: + Payload length: 1178 + Token: + Packet Number: 0x00000000 +Sent Datagram + Length: 1200 +Received Datagram + Length: 1200 +Received Datagram + Length: 234 +Received Packet + Packet Type: Initial + Version: 0x00000001 + Destination Conn Id: + Source Conn Id: 0x???????????????? + Payload length: 115 + Token: + Packet Number: 0x00000000 +Received Frame: Ack (without ECN) + Largest acked: 0 + Ack delay (raw) 0 + Ack range count: 0 + First ack range: 0 +Received Frame: Crypto + Offset: 0 + Len: 90 +Received TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = Handshake (22) + Length = 90 + Inner Content Type = Handshake (22) + ServerHello, Length=86 + server_version=0x303 (TLS 1.2) + Random: + gmt_unix_time=0x???????? + random_bytes (len=28): ???????????????????????????????????????????????????????? + session_id (len=0): + cipher_suite {0x13, 0x01} TLS_AES_128_GCM_SHA256 + compression_method: No Compression (0x00) + extensions, length = 46 + extension_type=supported_versions(43), length=2 + TLS 1.3 (772) + extension_type=key_share(51), length=36 + NamedGroup: ecdh_x25519 (29) + key_exchange: (len=32): ???????????????????????????????????????????????????????????????? + +Received Packet + Packet Type: Handshake + Version: 0x00000001 + Destination Conn Id: + Source Conn Id: 0x???????????????? + Payload length: 213 + Packet Number: 0x00000001 +Received Packet + Packet Type: Handshake + Version: 0x00000001 + Destination Conn Id: + Source Conn Id: 0x???????????????? 
+ Payload length: 1042 + Packet Number: 0x00000000 +Received Frame: Crypto + Offset: 1022 + Len: 192 +Received Frame: Crypto + Offset: 0 + Len: 1022 +Received TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = ApplicationData (23) + Length = 1022 + Inner Content Type = Handshake (22) + EncryptedExtensions, Length=88 + extensions, length = 86 + extension_type=UNKNOWN(57), length=67 + 0000 - 0c 00 00 08 ?? ?? ?? ??-?? ?? ?? ?? 0f 08 ?? ....????????..? + 000f - ?? ?? ?? ?? ?? ?? ?? 01-04 80 00 75 30 03 02 ???????....u0.. + 001e - 44 b0 0e 01 02 04 04 80-0c 00 00 05 04 80 08 D.............. + 002d - 00 00 06 04 80 08 00 00-07 04 80 08 00 00 08 ............... + 003c - 02 40 64 09 02 40 64 .@d..@d + extension_type=application_layer_protocol_negotiation(16), length=11 + ossltest + + Certificate, Length=818 + context (len=0): + certificate_list, length=814 + ASN.1Cert, length=809 +------details----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 2 (0x2) + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN = Root CA + Validity + Not Before: Jan 14 22:29:46 2016 GMT + Not After : Jan 15 22:29:46 2116 GMT + Subject: CN = server.example + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:d5:5d:60:6a:df:fc:61:ee:48:aa:8c:11:48:43: + a5:6d:b6:52:5d:aa:98:49:b1:61:92:35:b1:fc:3a: + 04:25:0c:6d:79:ff:b4:d5:c9:e9:5c:1c:3b:e0:ab: + b3:b8:7d:a3:de:6d:bd:e0:dd:d7:5a:bf:14:47:11: + 42:5e:a6:82:d0:61:c1:7f:dd:13:46:e6:09:85:07: + 0e:f2:d4:fc:1a:64:d2:0a:ad:20:ab:20:6b:96:f0: + ad:cc:c4:19:53:55:dc:01:1d:a4:b3:ef:8a:b4:49: + 53:5d:8a:05:1c:f1:dc:e1:44:bf:c5:d7:e2:77:19: + 57:5c:97:0b:75:ee:88:43:71:0f:ca:6c:c1:b4:b2: + 50:a7:77:46:6c:58:0f:11:bf:f1:76:24:5a:ae:39: + 42:b7:51:67:29:e1:d0:55:30:6f:17:e4:91:ea:ad: + f8:28:c2:43:6f:a2:64:a9:fb:9d:98:92:62:48:3e: + eb:0d:4f:82:4a:8a:ff:3f:72:ee:96:b5:ae:a1:c1: + 98:ba:ef:7d:90:75:6d:ff:5a:52:9e:ab:f5:c0:7e: + d0:87:43:db:85:07:07:0f:7d:38:7a:fd:d1:d3:ee: + 
65:1d:d3:ea:39:6a:87:37:ee:4a:d3:e0:0d:6e:f5: + 70:ac:c2:bd:f1:6e:f3:92:95:5e:a9:f0:a1:65:95: + 93:8d + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + C0:E7:84:BF:E8:59:27:33:10:B0:52:4F:51:52:2F:06:D6:C0:7A:CD + X509v3 Authority Key Identifier: + 70:7F:2E:AE:83:68:59:98:04:23:2A:CD:EB:3E:17:CD:24:DD:01:49 + X509v3 Basic Constraints: + CA:FALSE + X509v3 Extended Key Usage: + TLS Web Server Authentication + X509v3 Subject Alternative Name: + DNS:server.example + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 7b:d3:04:43:75:8a:0f:11:ae:c4:fb:d7:a1:a2:9e:fe:20:18: + d5:f4:2f:31:88:46:b6:75:8c:ee:e5:9b:97:a6:b9:a3:cd:60: + 9a:46:c3:48:97:e5:97:68:f7:5a:86:35:73:d9:69:9e:f9:5f: + 74:b9:e6:94:13:01:cb:6a:dc:e3:c4:04:e9:65:da:9c:a4:8b: + 28:f3:f9:9a:7f:bf:97:1f:45:92:e5:05:b1:56:e6:0b:f6:47: + de:1e:89:b6:2b:e1:4d:df:4a:7e:01:d3:23:dc:97:8c:47:fe: + 5f:c7:cc:98:46:0e:c4:83:5b:ca:8a:f1:52:09:be:6b:ec:3f: + 09:8b:d0:93:02:bf:e1:51:e7:d1:7e:34:56:19:74:d0:ff:28: + 25:de:b7:9f:56:52:91:7d:20:29:85:0a:80:44:5f:71:32:25: + 71:0f:c2:16:e2:5f:6b:1d:3f:32:5b:0a:3c:74:1c:b9:62:f1: + ed:07:50:a3:6d:b4:b4:31:0a:c0:53:44:6a:3a:88:84:8b:2d: + a9:b0:37:8e:e6:18:36:bd:9a:20:40:0f:01:92:8b:3d:aa:61: + e7:ae:2c:ed:36:cd:3a:07:86:74:3a:29:b3:d7:3a:b4:00:a9: + c2:f5:92:78:0e:e2:0f:a3:fe:bb:be:e0:06:53:84:59:1d:90: + 69:e5:b6:f9 +-----BEGIN CERTIFICATE----- +MIIDJTCCAg2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDExNDIyMjk0NloYDzIxMTYwMTE1MjIyOTQ2WjAZMRcwFQYDVQQD +DA5zZXJ2ZXIuZXhhbXBsZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +ANVdYGrf/GHuSKqMEUhDpW22Ul2qmEmxYZI1sfw6BCUMbXn/tNXJ6VwcO+Crs7h9 +o95tveDd11q/FEcRQl6mgtBhwX/dE0bmCYUHDvLU/Bpk0gqtIKsga5bwrczEGVNV +3AEdpLPvirRJU12KBRzx3OFEv8XX4ncZV1yXC3XuiENxD8pswbSyUKd3RmxYDxG/ +8XYkWq45QrdRZynh0FUwbxfkkeqt+CjCQ2+iZKn7nZiSYkg+6w1PgkqK/z9y7pa1 +rqHBmLrvfZB1bf9aUp6r9cB+0IdD24UHBw99OHr90dPuZR3T6jlqhzfuStPgDW71 +cKzCvfFu85KVXqnwoWWVk40CAwEAAaN9MHswHQYDVR0OBBYEFMDnhL/oWSczELBS 
+T1FSLwbWwHrNMB8GA1UdIwQYMBaAFHB/Lq6DaFmYBCMqzes+F80k3QFJMAkGA1Ud +EwQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4 +YW1wbGUwDQYJKoZIhvcNAQELBQADggEBAHvTBEN1ig8RrsT716Ginv4gGNX0LzGI +RrZ1jO7lm5emuaPNYJpGw0iX5Zdo91qGNXPZaZ75X3S55pQTActq3OPEBOll2pyk +iyjz+Zp/v5cfRZLlBbFW5gv2R94eibYr4U3fSn4B0yPcl4xH/l/HzJhGDsSDW8qK +8VIJvmvsPwmL0JMCv+FR59F+NFYZdND/KCXet59WUpF9ICmFCoBEX3EyJXEPwhbi +X2sdPzJbCjx0HLli8e0HUKNttLQxCsBTRGo6iISLLamwN47mGDa9miBADwGSiz2q +YeeuLO02zToHhnQ6KbPXOrQAqcL1kngO4g+j/ru+4AZThFkdkGnltvk= +-----END CERTIFICATE----- +------------------ + No extensions + +Received TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = ApplicationData (23) + Length = 192 + Inner Content Type = Handshake (22) + CertificateVerify, Length=260 + Signature Algorithm: rsa_pss_rsae_sha256 (0x0804) + Signature (len=256): ???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? + + Finished, Length=32 + verify_data (len=32): ???????????????????????????????????????????????????????????????? + +Sent TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = ApplicationData (23) + Length = 36 + Inner Content Type = Handshake (22) + Finished, Length=32 + verify_data (len=32): ???????????????????????????????????????????????????????????????? 
+ +Sent Frame: Ack (without ECN) + Largest acked: 0 + Ack delay (raw) 0 + Ack range count: 0 + First ack range: 0 +Sent Frame: Ack (without ECN) + Largest acked: 1 + Ack delay (raw) 0 + Ack range count: 0 + First ack range: 1 +Sent Frame: Crypto + Offset: 0 + Len: 36 +Sent Frame: Padding +Sent Packet + Packet Type: Initial + Version: 0x00000001 + Destination Conn Id: 0x???????????????? + Source Conn Id: + Payload length: 1097 + Token: + Packet Number: 0x00000001 +Sent Packet + Packet Type: Handshake + Version: 0x00000001 + Destination Conn Id: 0x???????????????? + Source Conn Id: + Payload length: 60 + Packet Number: 0x00000000 +Sent Datagram + Length: 1200 From 6a92159d01116495e5e642e55fe0f6e4c821696e Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 2 Oct 2023 15:38:12 +0200 Subject: [PATCH 290/324] All lh_stats functions were deprecated in 3.1 Reviewed-by: Matthias St. Pierre Reviewed-by: Tom Cosgrove Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22247) --- crypto/lhash/lh_stats.c | 4 ++-- doc/internal/man7/deprecation.pod | 2 +- doc/man3/OPENSSL_LH_COMPFUNC.pod | 2 +- doc/man3/OPENSSL_LH_stats.pod | 18 +++++++++--------- include/openssl/lhash.h.in | 18 +++++++++--------- util/libcrypto.num | 12 ++++++------ 6 files changed, 28 insertions(+), 28 deletions(-) diff --git a/crypto/lhash/lh_stats.c b/crypto/lhash/lh_stats.c index 36a177129ec45..ea0a3252a6ba8 100644 --- a/crypto/lhash/lh_stats.c +++ b/crypto/lhash/lh_stats.c @@ -23,7 +23,7 @@ #include "lhash_local.h" # ifndef OPENSSL_NO_STDIO -# ifndef OPENSSL_NO_DEPRECATED_3_2 +# ifndef OPENSSL_NO_DEPRECATED_3_1 void OPENSSL_LH_stats(const OPENSSL_LHASH *lh, FILE *fp) { BIO *bp; 
@@ -62,7 +62,7 @@ void OPENSSL_LH_node_usage_stats(const OPENSSL_LHASH *lh, FILE *fp) # endif # endif -# ifndef OPENSSL_NO_DEPRECATED_3_2 +# ifndef OPENSSL_NO_DEPRECATED_3_1 /* * These functions are implemented as separate static functions as they are * called from the stdio functions above and calling deprecated functions will diff --git a/doc/internal/man7/deprecation.pod b/doc/internal/man7/deprecation.pod index 87cdcb13c8117..de34c30fa22f2 100644 --- a/doc/internal/man7/deprecation.pod +++ b/doc/internal/man7/deprecation.pod @@ -2,7 +2,7 @@ =head1 NAME -OPENSSL_NO_DEPRECATED_3_2, OSSL_DEPRECATEDIN_3_2, +OPENSSL_NO_DEPRECATED_3_1, OSSL_DEPRECATEDIN_3_1, OPENSSL_NO_DEPRECATED_3_0, OSSL_DEPRECATEDIN_3_0, OPENSSL_NO_DEPRECATED_1_1_1, OSSL_DEPRECATEDIN_1_1_1, OPENSSL_NO_DEPRECATED_1_1_0, OSSL_DEPRECATEDIN_1_1_0, diff --git a/doc/man3/OPENSSL_LH_COMPFUNC.pod b/doc/man3/OPENSSL_LH_COMPFUNC.pod index e1eba6b965fc4..d3091f6a562a3 100644 --- a/doc/man3/OPENSSL_LH_COMPFUNC.pod +++ b/doc/man3/OPENSSL_LH_COMPFUNC.pod @@ -280,7 +280,7 @@ L In OpenSSL 1.0.0, the lhash interface was revamped for better type checking. -In OpenSSL 3.2, B() was introduced and B() +In OpenSSL 3.1, B() was introduced and B() was deprecated. =head1 COPYRIGHT diff --git a/doc/man3/OPENSSL_LH_stats.pod b/doc/man3/OPENSSL_LH_stats.pod index 01381e92167c2..fb95928d8f200 100644 --- a/doc/man3/OPENSSL_LH_stats.pod +++ b/doc/man3/OPENSSL_LH_stats.pod 
@@ -10,16 +10,16 @@ OPENSSL_LH_node_stats_bio, OPENSSL_LH_node_usage_stats_bio - LHASH statistics #include +The following functions have been deprecated since OpenSSL 3.1, and can be +hidden entirely by defining B with a suitable version value, +see L: + void OPENSSL_LH_node_stats(LHASH *table, FILE *out); void OPENSSL_LH_node_usage_stats(LHASH *table, FILE *out); void OPENSSL_LH_node_stats_bio(LHASH *table, BIO *out); void OPENSSL_LH_node_usage_stats_bio(LHASH *table, BIO *out); -The following functions have been deprecated since OpenSSL 3.2, and can be -hidden entirely by defining B with a suitable version value, -see L: - void OPENSSL_LH_stats(LHASH *table, FILE *out); void OPENSSL_LH_stats_bio(LHASH *table, BIO *out); @@ -48,8 +48,7 @@ record a miss. OPENSSL_LH_stats_bio(), OPENSSL_LH_node_stats_bio() and OPENSSL_LH_node_usage_stats_bio() are the same as the above, except that the output goes to a B. -OPENSSH_LH_stats() and OPENSSH_LH_stats_bio() are deprecated and should no -longer be used. +These functions are deprecated and should no longer be used. =head1 RETURN VALUES @@ -61,13 +60,14 @@ These calls should be made under a read lock. Refer to L for more details about the locks required when using the LHASH data structure. -The functions OPENSSH_LH_stats() and OPENSSH_LH_stats_bio() were deprecated in -version 3.2. - =head1 SEE ALSO L, L +=head1 HISTORY + +These functions were deprecated in version 3.1. + =head1 COPYRIGHT Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. diff --git a/include/openssl/lhash.h.in b/include/openssl/lhash.h.in index 780639bd49083..97dd3a4b84b24 100644 --- a/include/openssl/lhash.h.in +++ b/include/openssl/lhash.h.in 
@@ -97,16 +97,16 @@ unsigned long OPENSSL_LH_get_down_load(const OPENSSL_LHASH *lh); void OPENSSL_LH_set_down_load(OPENSSL_LHASH *lh, unsigned long down_load); # ifndef OPENSSL_NO_STDIO -# ifndef OPENSSL_NO_DEPRECATED_3_2 -OSSL_DEPRECATEDIN_3_2 void OPENSSL_LH_stats(const OPENSSL_LHASH *lh, FILE *fp); -OSSL_DEPRECATEDIN_3_2 void OPENSSL_LH_node_stats(const OPENSSL_LHASH *lh, FILE *fp); -OSSL_DEPRECATEDIN_3_2 void OPENSSL_LH_node_usage_stats(const OPENSSL_LHASH *lh, FILE *fp); +# ifndef OPENSSL_NO_DEPRECATED_3_1 +OSSL_DEPRECATEDIN_3_1 void OPENSSL_LH_stats(const OPENSSL_LHASH *lh, FILE *fp); +OSSL_DEPRECATEDIN_3_1 void OPENSSL_LH_node_stats(const OPENSSL_LHASH *lh, FILE *fp); +OSSL_DEPRECATEDIN_3_1 void OPENSSL_LH_node_usage_stats(const OPENSSL_LHASH *lh, FILE *fp); # endif # endif -# ifndef OPENSSL_NO_DEPRECATED_3_2 -OSSL_DEPRECATEDIN_3_2 void OPENSSL_LH_stats_bio(const OPENSSL_LHASH *lh, BIO *out); -OSSL_DEPRECATEDIN_3_2 void OPENSSL_LH_node_stats_bio(const OPENSSL_LHASH *lh, BIO *out); -OSSL_DEPRECATEDIN_3_2 void OPENSSL_LH_node_usage_stats_bio(const OPENSSL_LHASH *lh, BIO *out); +# ifndef OPENSSL_NO_DEPRECATED_3_1 +OSSL_DEPRECATEDIN_3_1 void OPENSSL_LH_stats_bio(const OPENSSL_LHASH *lh, BIO *out); +OSSL_DEPRECATEDIN_3_1 void OPENSSL_LH_node_stats_bio(const OPENSSL_LHASH *lh, BIO *out); +OSSL_DEPRECATEDIN_3_1 void OPENSSL_LH_node_usage_stats_bio(const OPENSSL_LHASH *lh, BIO *out); # endif # ifndef OPENSSL_NO_DEPRECATED_1_1_0 @@ -181,7 +181,7 @@ OSSL_DEPRECATEDIN_3_2 void OPENSSL_LH_node_usage_stats_bio(const OPENSSL_LHASH * } \ LHASH_OF(type) -# ifndef OPENSSL_NO_DEPRECATED_3_2 +# ifndef OPENSSL_NO_DEPRECATED_3_1 # define DEFINE_LHASH_OF_DEPRECATED(type) \ static ossl_unused ossl_inline void \ lh_##type##_node_stats_bio(const LHASH_OF(type) *lh, BIO *out) \ diff --git a/util/libcrypto.num b/util/libcrypto.num index 6af1fe1707b9a..a16f93db47ee4 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num 
@@ -1178,7 +1178,7 @@ OPENSSL_uni2asc 1205 3_0_0 EXIST::FUNCTION: SCT_validation_status_string 1206 3_0_0 EXIST::FUNCTION:CT PKCS7_add_attribute 1207 3_0_0 EXIST::FUNCTION: ENGINE_register_DSA 1208 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE -OPENSSL_LH_node_stats 1209 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_2,STDIO +OPENSSL_LH_node_stats 1209 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_1,STDIO X509_policy_tree_free 1210 3_0_0 EXIST::FUNCTION: EC_GFp_simple_method 1211 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,EC X509_it 1212 3_0_0 EXIST::FUNCTION: @@ -1317,7 +1317,7 @@ BIO_f_linebuffer 1346 3_0_0 EXIST::FUNCTION: ASN1_item_d2i_bio 1347 3_0_0 EXIST::FUNCTION: ENGINE_get_flags 1348 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE OCSP_resp_find 1349 3_0_0 EXIST::FUNCTION:OCSP -OPENSSL_LH_node_usage_stats_bio 1350 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_2 +OPENSSL_LH_node_usage_stats_bio 1350 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_1 EVP_PKEY_encrypt 1351 3_0_0 EXIST::FUNCTION: CRYPTO_cfb128_8_encrypt 1352 3_0_0 EXIST::FUNCTION: SXNET_get_id_INTEGER 1353 3_0_0 EXIST::FUNCTION: @@ -1790,7 +1790,7 @@ X509V3_EXT_REQ_add_conf 1832 3_0_0 EXIST::FUNCTION: ASN1_STRING_to_UTF8 1833 3_0_0 EXIST::FUNCTION: EVP_MD_meth_set_update 1835 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 EVP_camellia_192_cbc 1836 3_0_0 EXIST::FUNCTION:CAMELLIA -OPENSSL_LH_stats_bio 1837 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_2 +OPENSSL_LH_stats_bio 1837 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_1 PKCS7_set_signed_attributes 1838 3_0_0 EXIST::FUNCTION: EC_KEY_priv2buf 1839 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,EC BN_BLINDING_free 1840 3_0_0 EXIST::FUNCTION: 
@@ -1973,7 +1973,7 @@ i2d_TS_REQ_fp 2019 3_0_0 EXIST::FUNCTION:STDIO,TS i2d_OTHERNAME 2020 3_0_0 EXIST::FUNCTION: EC_KEY_get0_private_key 2021 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,EC SCT_get0_extensions 2022 3_0_0 EXIST::FUNCTION:CT -OPENSSL_LH_node_stats_bio 2023 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_2 +OPENSSL_LH_node_stats_bio 2023 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_1 i2d_DIRECTORYSTRING 2024 3_0_0 EXIST::FUNCTION: BN_X931_derive_prime_ex 2025 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 ENGINE_get_pkey_asn1_meth_str 2026 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE @@ -2553,7 +2553,7 @@ EVP_DecodeUpdate 2609 3_0_0 EXIST::FUNCTION: ENGINE_get_default_RAND 2610 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE ERR_peek_last_error_line 2611 3_0_0 EXIST::FUNCTION: ENGINE_get_ssl_client_cert_function 2612 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE -OPENSSL_LH_node_usage_stats 2613 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_2,STDIO +OPENSSL_LH_node_usage_stats 2613 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_1,STDIO DIRECTORYSTRING_it 2614 3_0_0 EXIST::FUNCTION: BIO_write 2615 3_0_0 EXIST::FUNCTION: OCSP_ONEREQ_get_ext_by_OBJ 2616 3_0_0 EXIST::FUNCTION:OCSP @@ -3073,7 +3073,7 @@ TXT_DB_free 3139 3_0_0 EXIST::FUNCTION: ASN1_STRING_set 3140 3_0_0 EXIST::FUNCTION: d2i_ESS_CERT_ID 3141 3_0_0 EXIST::FUNCTION: EVP_PKEY_meth_set_derive 3142 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 -OPENSSL_LH_stats 3143 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_2,STDIO +OPENSSL_LH_stats 3143 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_1,STDIO NCONF_dump_fp 3144 3_0_0 EXIST::FUNCTION:STDIO TS_STATUS_INFO_print_bio 3145 3_0_0 EXIST::FUNCTION:TS OPENSSL_sk_dup 3146 3_0_0 EXIST::FUNCTION: From 6f66602eaa0a034847e9b1347c108b82c60b41d7 Mon Sep 17 00:00:00 2001 
From: Tomas Mraz Date: Mon, 2 Oct 2023 15:49:42 +0200 Subject: [PATCH 291/324] macros.h: There are just 3.1 deprecations, no 3.2 deprecations Reviewed-by: Matthias St. Pierre Reviewed-by: Tom Cosgrove Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22247) --- include/openssl/macros.h | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/include/openssl/macros.h b/include/openssl/macros.h index 66fa4eec2e730..e9ef9387470c1 100644 --- a/include/openssl/macros.h +++ b/include/openssl/macros.h @@ -169,7 +169,7 @@ * 'no-deprecated'. */ -# undef OPENSSL_NO_DEPRECATED_3_2 +# undef OPENSSL_NO_DEPRECATED_3_1 # undef OPENSSL_NO_DEPRECATED_3_0 # undef OPENSSL_NO_DEPRECATED_1_1_1 # undef OPENSSL_NO_DEPRECATED_1_1_0 @@ -178,16 +178,16 @@ # undef OPENSSL_NO_DEPRECATED_1_0_0 # undef OPENSSL_NO_DEPRECATED_0_9_8 -# if OPENSSL_API_LEVEL >= 30200 +# if OPENSSL_API_LEVEL >= 30100 # ifndef OPENSSL_NO_DEPRECATED -# define OSSL_DEPRECATEDIN_3_2 OSSL_DEPRECATED(3.2) -# define OSSL_DEPRECATEDIN_3_2_FOR(msg) OSSL_DEPRECATED_FOR(3.2, msg) +# define OSSL_DEPRECATEDIN_3_1 OSSL_DEPRECATED(3.1) +# define OSSL_DEPRECATEDIN_3_1_FOR(msg) OSSL_DEPRECATED_FOR(3.1, msg) # else -# define OPENSSL_NO_DEPRECATED_3_2 +# define OPENSSL_NO_DEPRECATED_3_1 # endif # else -# define OSSL_DEPRECATEDIN_3_2 -# define OSSL_DEPRECATEDIN_3_2_FOR(msg) +# define OSSL_DEPRECATEDIN_3_1 +# define OSSL_DEPRECATEDIN_3_1_FOR(msg) # endif # if OPENSSL_API_LEVEL >= 30000 # ifndef OPENSSL_NO_DEPRECATED From 4b5b2239d8752f8dd413872057c57ef9e1a1a591 Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Mon, 2 Oct 2023 09:49:34 +0200 Subject: [PATCH 292/324] Occupy the rec_version field of a decoded dtls record Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22238) --- ssl/record/methods/dtls_meth.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
diff --git a/ssl/record/methods/dtls_meth.c b/ssl/record/methods/dtls_meth.c index fd89038eb0c46..7205283173a8b 100644 --- a/ssl/record/methods/dtls_meth.c +++ b/ssl/record/methods/dtls_meth.c @@ -383,7 +383,6 @@ int dtls_get_more_records(OSSL_RECORD_LAYER *rl) size_t more, n; TLS_RL_RECORD *rr; unsigned char *p = NULL; - unsigned short version; DTLS_BITMAP *bitmap; unsigned int is_next_epoch; @@ -438,7 +437,7 @@ int dtls_get_more_records(OSSL_RECORD_LAYER *rl) rr->type = *(p++); ssl_major = *(p++); ssl_minor = *(p++); - version = (ssl_major << 8) | ssl_minor; + rr->rec_version = (ssl_major << 8) | ssl_minor; /* sequence number is 64 bits, with top 2 bytes = epoch */ n2s(p, rr->epoch); @@ -453,7 +452,7 @@ int dtls_get_more_records(OSSL_RECORD_LAYER *rl) * version number (e.g. because of protocol version errors) */ if (!rl->is_first_record && rr->type != SSL3_RT_ALERT) { - if (version != rl->version) { + if (rr->rec_version != rl->version) { /* unexpected version, silently discard */ rr->length = 0; rl->packet_length = 0; From cda2e7c914bffc904e3ee79f360953fd370e19e9 Mon Sep 17 00:00:00 2001 From: Sumitra Sharma Date: Mon, 2 Oct 2023 20:53:52 +0530 Subject: [PATCH 293/324] Add openssl/pem.h inclusion for d2i_PKCS8PrivateKey Include the necessary header file openssl/pem.h in the documentation to ensure that all functions related to d2i_PKCS8PrivateKey are correctly defined. Closes openssl#22188 Signed-off-by: Sumitra Sharma Reviewed-by: Tomas Mraz Reviewed-by: Dmitry Belyavskiy Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22253) --- doc/man3/d2i_PKCS8PrivateKey_bio.pod | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/man3/d2i_PKCS8PrivateKey_bio.pod b/doc/man3/d2i_PKCS8PrivateKey_bio.pod index 5b5371b70f19c..e84283f63e6c2 100644 --- a/doc/man3/d2i_PKCS8PrivateKey_bio.pod +++ b/doc/man3/d2i_PKCS8PrivateKey_bio.pod 
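Review bot: `rr->rec_version` is now filled straight from the two header bytes, and the comparison with `rl->version` in the last hunk is skipped when `rl->is_first_record` is set or the record type is `SSL3_RT_ALERT`. Code that later reads `rr->rec_version` therefore sees a peer-supplied value that was not checked in those two cases. A comment at the assignment would make that explicit, for example `/* raw wire version; only compared with rl->version below for non-first, non-alert records */`. dtls_get_more_records() starts and ends outside these hunks, so how the field is consumed afterwards cannot be judged from here.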
@@ -9,6 +9,7 @@ i2d_PKCS8PrivateKey_nid_bio, i2d_PKCS8PrivateKey_nid_fp - PKCS#8 format private =head1 SYNOPSIS #include + #include EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, void *u); EVP_PKEY *d2i_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY **x, pem_password_cb *cb, void *u); From 3f8b7b98759553336dbdfc29f9cc4118046afede Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 2 Oct 2023 17:07:52 +0200 Subject: [PATCH 294/324] CHANGES.md: Mention new features added after 3.2 alpha1 Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22251) --- CHANGES.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/CHANGES.md b/CHANGES.md index f0b6898511ce1..af5f3cd2aba9b 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -25,6 +25,17 @@ OpenSSL 3.2 ### Changes between 3.1 and 3.2 [xx XXX xxxx] + * Added a function to delete objects from store by URI - OSSL_STORE_delete() + and the corresponding provider-storemgmt API function + OSSL_FUNC_store_delete(). + + *Dmitry Belyavskiy* + + * Added OSSL_FUNC_store_open_ex() provider-storemgmt API function to pass + a passphrase callback when opening a store. + + *Simo Sorce* + * Changed the default salt length used by PBES2 KDF's (PBKDF2 and scrypt) from 8 bytes to 16 bytes. The PKCS5 (RFC 8018) standard uses a 64 bit salt length for PBE, and From 21d2041da02c67218c94cef6792d8b84d810710b Mon Sep 17 00:00:00 2001 
From: Matt Caswell Date: Mon, 2 Oct 2023 11:47:08 +0100 Subject: [PATCH 295/324] Back off on generating noise in the event of a PING frame If either endpoint issues a PING frame while we are introducing noise into the communication then there is a danger that the connection itself will fail. We detect the PING and then back off on generating noise for a short while. It should be sufficient to just ensure that the next datagram does not get dropped for each endpoint. Fixes #22199 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22243) --- test/helpers/noisydgrambio.c | 22 ++++++++++ test/helpers/quictestlib.c | 80 +++++++++++++++++++++++++++++++----- test/helpers/quictestlib.h | 2 + test/quicapitest.c | 4 +- 4 files changed, 97 insertions(+), 11 deletions(-) diff --git a/test/helpers/noisydgrambio.c b/test/helpers/noisydgrambio.c index 8b68726dd2b4c..33cf84c3c6c0a 100644 --- a/test/helpers/noisydgrambio.c +++ b/test/helpers/noisydgrambio.c @@ -17,6 +17,7 @@ struct noisy_dgram_st { uint64_t this_dgram; BIO_MSG msg; uint64_t reinject_dgram; + int backoff; }; static long noisy_dgram_ctrl(BIO *bio, int cmd, long num, void *ptr) @@ -31,6 +32,16 @@ static long noisy_dgram_ctrl(BIO *bio, int cmd, long num, void *ptr) case BIO_CTRL_DUP: ret = 0L; break; + case BIO_CTRL_NOISE_BACK_OFF: { + struct noisy_dgram_st *data; + + data = BIO_get_data(bio); + if (!TEST_ptr(data)) + return 0; + data->backoff = 1; + ret = 1; + break; + } default: ret = BIO_ctrl(next, cmd, num, ptr); break; 
@@ -195,6 +206,17 @@ static int noisy_dgram_recvmmsg(BIO *bio, BIO_MSG *msg, size_t stride, } get_noise(&reinject, &should_drop); + if (data->backoff) { + /* + * We might be asked to back off on introducing too much noise if + * there is a danger that the connection will fail. In that case + * we always ensure that the next datagram does not get dropped so + * that the connection always survives. After that we can resume + * with normal noise + */ + should_drop = 0; + data->backoff = 0; + } /* * We ignore reinjection if a message is already waiting to be diff --git a/test/helpers/quictestlib.c b/test/helpers/quictestlib.c index 514bb6422a790..0ae05e5701e29 100644 --- a/test/helpers/quictestlib.c +++ b/test/helpers/quictestlib.c @@ -26,6 +26,13 @@ #define GROWTH_ALLOWANCE 1024 +struct noise_args_data_st { + BIO *cbio; + BIO *sbio; + BIO *tracebio; + int flags; +}; + struct qtest_fault { QUIC_TSERVER *qtserv; @@ -62,6 +69,7 @@ struct qtest_fault { BIO_MSG msg; /* Allocated size of msg data buffer */ size_t msgalloc; + struct noise_args_data_st noiseargs; }; static void packet_plain_finish(void *arg); 
@@ -75,6 +83,41 @@ static OSSL_TIME fake_now_cb(void *arg) return fake_now; } +static void noise_msg_callback(int write_p, int version, int content_type, + const void *buf, size_t len, SSL *ssl, + void *arg) +{ + struct noise_args_data_st *noiseargs = (struct noise_args_data_st *)arg; + + if (content_type == SSL3_RT_QUIC_FRAME_FULL) { + PACKET pkt; + uint64_t frame_type; + + if (!PACKET_buf_init(&pkt, buf, len)) + return; + + if (!ossl_quic_wire_peek_frame_header(&pkt, &frame_type, NULL)) + return; + + if (frame_type == OSSL_QUIC_FRAME_TYPE_PING) { + /* + * If either endpoint issues a ping frame then we are in danger + * of our noise being too much such that the connection itself + * fails. We back off on the noise for a bit to avoid that. + */ + BIO_ctrl(noiseargs->cbio, BIO_CTRL_NOISE_BACK_OFF, 0, NULL); + BIO_ctrl(noiseargs->sbio, BIO_CTRL_NOISE_BACK_OFF, 0, NULL); + } + } + +#ifndef OPENSSL_NO_SSL_TRACE + if ((noiseargs->flags & QTEST_FLAG_CLIENT_TRACE) != 0 + && !SSL_is_server(ssl)) + SSL_trace(write_p, version, content_type, buf, len, ssl, + noiseargs->tracebio); +#endif +} + int qtest_create_quic_objects(OSSL_LIB_CTX *libctx, SSL_CTX *clientctx, SSL_CTX *serverctx, char *certfile, char *keyfile, int flags, QUIC_TSERVER **qtserv, SSL **cssl, @@ -89,15 +132,18 @@ int qtest_create_quic_objects(OSSL_LIB_CTX *libctx, SSL_CTX *clientctx, BIO *tmpbio = NULL; *qtserv = NULL; - if (fault != NULL) - *fault = NULL; - if (*cssl == NULL) { *cssl = SSL_new(clientctx); if (!TEST_ptr(*cssl)) return 0; } + if (fault != NULL) { + *fault = OPENSSL_zalloc(sizeof(**fault)); + if (*fault == NULL) + goto err; + } + #ifndef OPENSSL_NO_SSL_TRACE if ((flags & QTEST_FLAG_CLIENT_TRACE) != 0) { tmpbio = BIO_new_fp(stdout, BIO_NOCLOSE); 
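Review bot: In the `qtest_create_quic_objects` hunk of test/helpers/quictestlib.c, dropping the early `if (fault != NULL) *fault = NULL;` means the `return 0` taken when `SSL_new()` fails now leaves the caller's `*fault` untouched. A caller that did not pre-initialise its pointer and then calls `qtest_fault_free(fault)` during cleanup would free an indeterminate value. `test_noisy_dgram` in this commit does initialise it to NULL; other callers are not visible here. I would keep those two lines directly after `*qtserv = NULL;` and still do the allocation at the new, earlier position. The `err` label is outside the hunk, so whether `*fault` is released and reset on the `goto err` paths cannot be confirmed from this view.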
@@ -170,7 +216,15 @@ int qtest_create_quic_objects(OSSL_LIB_CTX *libctx, SSL_CTX *clientctx, } if ((flags & QTEST_FLAG_NOISE) != 0) { - BIO *noisebio = BIO_new(bio_f_noisy_dgram_filter()); + BIO *noisebio; + + /* + * It is an error to not have a QTEST_FAULT object when introducing noise + */ + if (!TEST_ptr(fault)) + goto err; + + noisebio = BIO_new(bio_f_noisy_dgram_filter()); if (!TEST_ptr(noisebio)) goto err; @@ -181,6 +235,14 @@ int qtest_create_quic_objects(OSSL_LIB_CTX *libctx, SSL_CTX *clientctx, if (!TEST_ptr(noisebio)) goto err; sbio = BIO_push(noisebio, sbio); + + (*fault)->noiseargs.cbio = cbio; + (*fault)->noiseargs.sbio = sbio; + (*fault)->noiseargs.tracebio = tmpbio; + (*fault)->noiseargs.flags = flags; + + SSL_set_msg_callback(*cssl, noise_msg_callback); + SSL_set_msg_callback_arg(*cssl, &(*fault)->noiseargs); } SSL_set_bio(*cssl, cbio, cbio); @@ -192,12 +254,6 @@ int qtest_create_quic_objects(OSSL_LIB_CTX *libctx, SSL_CTX *clientctx, if (!TEST_true(SSL_set1_initial_peer_addr(*cssl, peeraddr))) goto err; - if (fault != NULL) { - *fault = OPENSSL_zalloc(sizeof(**fault)); - if (*fault == NULL) - goto err; - } - fisbio = BIO_new(qtest_get_bio_method()); if (!TEST_ptr(fisbio)) goto err; @@ -237,6 +293,10 @@ int qtest_create_quic_objects(OSSL_LIB_CTX *libctx, SSL_CTX *clientctx, sbio = NULL; fisbio = NULL; + if ((flags & QTEST_FLAG_NOISE) != 0) + ossl_quic_tserver_set_msg_callback(*qtserv, noise_msg_callback, + &(*fault)->noiseargs); + if (fault != NULL) (*fault)->qtserv = *qtserv; diff --git a/test/helpers/quictestlib.h b/test/helpers/quictestlib.h index f090299b22798..d1ac350c24461 100644 --- a/test/helpers/quictestlib.h +++ b/test/helpers/quictestlib.h @@ -245,6 +245,8 @@ int qtest_fault_resize_datagram(QTEST_FAULT *fault, size_t newlen); /* Copy a BIO_MSG */ int bio_msg_copy(BIO_MSG *dst, BIO_MSG *src); +#define BIO_CTRL_NOISE_BACK_OFF 1001 + /* BIO filter for simulating a noisy UDP socket */ const BIO_METHOD *bio_f_noisy_dgram_filter(void); 
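Review bot: The noise block in `qtest_create_quic_objects` passes `&(*fault)->noiseargs` to `SSL_set_msg_callback_arg()` and, in the last quictestlib.c hunk, to `ossl_quic_tserver_set_msg_callback()`, so the callback argument points into the QTEST_FAULT allocation and nothing documents that lifetime dependency. If a test frees the fault object before the client SSL or the tserver, the next message callback would read freed memory. A comment above the assignments such as `/* noiseargs lives inside *fault: the fault object must outlive *cssl and *qtserv */` would record this. The prototype comment in quictestlib.h should also state that `fault` must be non-NULL when QTEST_FLAG_NOISE is set. The function body starts and ends outside these hunks.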
diff --git a/test/quicapitest.c b/test/quicapitest.c index 273f1421e7926..7739cbcb24b0e 100644 --- a/test/quicapitest.c +++ b/test/quicapitest.c @@ -1410,6 +1410,7 @@ static int test_noisy_dgram(int idx) size_t msglen = strlen(msg), written, readbytes, i, j; unsigned char buf[80]; int flags = QTEST_FLAG_NOISE | QTEST_FLAG_FAKE_TIME; + QTEST_FAULT *fault = NULL; if (idx == 1) flags |= QTEST_FLAG_PACKET_SPLIT; @@ -1418,7 +1419,7 @@ static int test_noisy_dgram(int idx) || !TEST_true(qtest_create_quic_objects(libctx, cctx, NULL, cert, privkey, flags, &qtserv, - &clientquic, NULL, NULL))) + &clientquic, &fault, NULL))) goto err; if (!TEST_true(qtest_create_quic_connection(qtserv, clientquic))) @@ -1492,6 +1493,7 @@ static int test_noisy_dgram(int idx) SSL_free(stream[1]); SSL_free(clientquic); SSL_CTX_free(cctx); + qtest_fault_free(fault); return testresult; } From 515856f5ceb1ef0065466ac85164766623457000 Mon Sep 17 00:00:00 2001 From: "Matthias St. Pierre" Date: Tue, 26 Sep 2023 18:25:27 +0200 Subject: [PATCH 296/324] doc/man3: fix misnamed function name Rename `DSA_generate_prime[_ex]` to `DSA_generate_parameters[_ex]`, fixing a copy&paste error from the `BN_generate_prime[_ex]` paragraph in commit b3696a55a5ed. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22242) --- doc/man3/DSA_generate_parameters.pod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/man3/DSA_generate_parameters.pod b/doc/man3/DSA_generate_parameters.pod index 415c4c8b82ce7..32eecb6891fa8 100644 --- a/doc/man3/DSA_generate_parameters.pod +++ b/doc/man3/DSA_generate_parameters.pod 
@@ -51,7 +51,7 @@ called as shown below. For information on the BN_GENCB structure and the BN_GENCB_call function discussed below, refer to L. -DSA_generate_prime() is similar to DSA_generate_prime_ex() but +DSA_generate_parameters() is similar to DSA_generate_parameters_ex() but expects an old-style callback function; see L for information on the old-style callback. From 1d3f266446eb5b12a4162804536b7356024977e3 Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Mon, 2 Oct 2023 09:58:30 +0200 Subject: [PATCH 297/324] Call post_process_record for dtls records Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22239) --- ssl/record/methods/dtls_meth.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ssl/record/methods/dtls_meth.c b/ssl/record/methods/dtls_meth.c index 7205283173a8b..e71730eba65d9 100644 --- a/ssl/record/methods/dtls_meth.c +++ b/ssl/record/methods/dtls_meth.c @@ -568,6 +568,11 @@ int dtls_get_more_records(OSSL_RECORD_LAYER *rl) goto again; /* get another record */ } + if (rl->funcs->post_process_record && !rl->funcs->post_process_record(rl, rr)) { + /* RLAYERfatal already called */ + return OSSL_RECORD_RETURN_FATAL; + } + rl->num_recs = 1; return OSSL_RECORD_RETURN_SUCCESS; } From 5c20c202699ba9c08183c5227df0ad4352e0974b Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Mon, 2 Oct 2023 10:58:48 +0200 Subject: [PATCH 298/324] Remove duplicates of EVP_aes_xxx_wrap() from EVP_aes_128_gcm.pod Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22236) --- doc/man3/EVP_aes_128_gcm.pod | 6 ------ 1 file changed, 6 deletions(-) diff --git a/doc/man3/EVP_aes_128_gcm.pod b/doc/man3/EVP_aes_128_gcm.pod index 09cae99129504..067f17e8fc183 100644 --- a/doc/man3/EVP_aes_128_gcm.pod +++ b/doc/man3/EVP_aes_128_gcm.pod 
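Review bot: In the `dtls_get_more_records` hunk of ssl/record/methods/dtls_meth.c, a failing `post_process_record` now returns `OSSL_RECORD_RETURN_FATAL`, whereas the path just above it discards the record and does `goto again`. On a datagram transport it is worth confirming that every condition the hook rejects should end the connection rather than drop the one record, since that decides whether a single malformed datagram can tear the association down. The hook implementations are not visible here. The comment `/* RLAYERfatal already called */` also relies on every implementation raising the error itself, which should be stated in the hook's contract. On style, the condition is over 80 columns and tests the pointer implicitly: `if (rl->funcs->post_process_record != NULL` with `&& !rl->funcs->post_process_record(rl, rr)) {` on the next line. The function starts outside the hunk.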
@@ -134,13 +134,7 @@ section for details. EVP_aes_192_wrap(), EVP_aes_256_wrap(), EVP_aes_128_wrap_pad(), -EVP_aes_128_wrap(), -EVP_aes_192_wrap(), -EVP_aes_256_wrap(), EVP_aes_192_wrap_pad(), -EVP_aes_128_wrap(), -EVP_aes_192_wrap(), -EVP_aes_256_wrap(), EVP_aes_256_wrap_pad() AES key wrap with 128, 192 and 256 bit keys, as according to RFC 3394 section From 2b74e75331a27fc89cad9c8ea6a26c70019300b5 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Mon, 26 Dec 2022 20:38:44 +0100 Subject: [PATCH 299/324] Improved detection of engine-provided private "classic" keys Resolves #17092 (?) Resolves #17286 (?) Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/19965) --- crypto/engine/eng_pkey.c | 42 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/crypto/engine/eng_pkey.c b/crypto/engine/eng_pkey.c index 6e6d6df35b2b9..a8f1371a792fe 100644 --- a/crypto/engine/eng_pkey.c +++ b/crypto/engine/eng_pkey.c @@ -79,6 +79,48 @@ EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id, ERR_raise(ERR_LIB_ENGINE, ENGINE_R_FAILED_LOADING_PRIVATE_KEY); return NULL; } + /* We enforce check for legacy key */ + switch (EVP_PKEY_get_id(pkey)) { + case EVP_PKEY_RSA: + { + RSA *rsa = EVP_PKEY_get1_RSA(pkey); + EVP_PKEY_set1_RSA(pkey, rsa); + RSA_free(rsa); + } + break; +# ifndef OPENSSL_NO_EC + case EVP_PKEY_SM2: + case EVP_PKEY_EC: + { + EC_KEY *ec = EVP_PKEY_get1_EC_KEY(pkey); + EVP_PKEY_set1_EC_KEY(pkey, ec); + EC_KEY_free(ec); + } + break; +# endif +# ifndef OPENSSL_NO_DSA + case EVP_PKEY_DSA: + { + DSA *dsa = EVP_PKEY_get1_DSA(pkey); + EVP_PKEY_set1_DSA(pkey, dsa); + DSA_free(dsa); + } + break; +#endif +# ifndef OPENSSL_NO_DH + case EVP_PKEY_DH: + { + DH *dh = EVP_PKEY_get1_DH(pkey); + EVP_PKEY_set1_DH(pkey, dh); + DH_free(dh); + } + break; +#endif + default: + /*Do nothing */ + break; + } + return pkey; } From 1296c2ec7866a4f2f4d210432c771142e8de33a0 Mon Sep 17 00:00:00 2001 
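Review bot: In the `ENGINE_load_private_key` hunk of crypto/engine/eng_pkey.c, none of the `EVP_PKEY_get1_*()` / `EVP_PKEY_set1_*()` pairs in the new switch check their results. A NULL from the getter is passed straight to the setter, and a setter failure is ignored, so the function can still return a `pkey` whose legacy conversion did not happen. Unless the conversion is meant to be best-effort (a comment should then say so), each case should fail the load on error, as sketched below for RSA. The preprocessor nesting is also inconsistent (`# ifndef OPENSSL_NO_DSA` and `# ifndef OPENSSL_NO_DH` are closed by an unindented `#endif`), and `/*Do nothing */` lacks a space. The function starts outside the hunk.

```c
    case EVP_PKEY_RSA:
        {
            RSA *rsa = EVP_PKEY_get1_RSA(pkey);

            if (rsa == NULL || !EVP_PKEY_set1_RSA(pkey, rsa)) {
                RSA_free(rsa);
                EVP_PKEY_free(pkey);
                ERR_raise(ERR_LIB_ENGINE, ENGINE_R_FAILED_LOADING_PRIVATE_KEY);
                return NULL;
            }
            RSA_free(rsa);
        }
        break;
    /* ... EC/SM2, DSA and DH cases: same get1/set1 check as above ... */
```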
From: Richard Levitte Date: Mon, 2 Oct 2023 09:12:12 +0200 Subject: [PATCH 300/324] Restore the meaning of EVP_PKEY_print_private() With pre-3.0 OpenSSL, EVP_PKEY_print_private() calls the EVP_PKEY_ASN1_METHOD function "priv_print", effectively asking the backend to print whatever it regards as private key components. In all backends that were built into libcrypto, this function printed what was included in the private key structure, which usually includes the public key components as well. With OpenSSL 3.0, some of the corresponding key2text encoders got a slightly different behavior, where the presence of the selector OSSL_KEYMGMT_SELECT_PRIVATE_KEY without the presence of the selector OSSL_KEYMGMT_SELECT_PUBLIC_KEY would only get what would intuitively be regarded as private key components printed. This isn't entirely consistent, though, as the RSA key2text encoder will still print the public key components regardless. To compensate for the changed backend behavior, EVP_PKEY_print_private() was made to ask the encoder to print the keypair rather than just the private key, thereby moving the backend semantics to the application API. Unfortunately, this causes confusion for providers where the key2text encoder really should print the private key only. This change restores the built-in 1.1.1 backend behavior in the encoders that OpenSSL provides, and renders EVP_PKEY_print_private() more true to its documented behavior, leaving it to the backend to decide what it regards as "private key components". Fixes #22233 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22237) --- crypto/evp/p_lib.c | 2 +- include/openssl/evp.h | 2 + .../encode_decode/encode_key2text.c | 63 ++++++++----------- 3 files changed, 28 insertions(+), 39 deletions(-) diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c index bd9e5a91003f8..eb937d52ca5f6 100644 --- a/crypto/evp/p_lib.c +++ b/crypto/evp/p_lib.c 
@@ -1201,7 +1201,7 @@ int EVP_PKEY_print_public(BIO *out, const EVP_PKEY *pkey, int EVP_PKEY_print_private(BIO *out, const EVP_PKEY *pkey, int indent, ASN1_PCTX *pctx) { - return print_pkey(pkey, out, indent, EVP_PKEY_KEYPAIR, NULL, + return print_pkey(pkey, out, indent, EVP_PKEY_PRIVATE_KEY, NULL, (pkey->ameth != NULL ? pkey->ameth->priv_print : NULL), pctx); } diff --git a/include/openssl/evp.h b/include/openssl/evp.h index f343eccbffa19..dbe6c72969fed 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -85,6 +85,8 @@ /* Easy to use macros for EVP_PKEY related selections */ # define EVP_PKEY_KEY_PARAMETERS \ ( OSSL_KEYMGMT_SELECT_ALL_PARAMETERS ) +# define EVP_PKEY_PRIVATE_KEY \ + ( EVP_PKEY_KEY_PARAMETERS | OSSL_KEYMGMT_SELECT_PRIVATE_KEY ) # define EVP_PKEY_PUBLIC_KEY \ ( EVP_PKEY_KEY_PARAMETERS | OSSL_KEYMGMT_SELECT_PUBLIC_KEY ) # define EVP_PKEY_KEYPAIR \ diff --git a/providers/implementations/encode_decode/encode_key2text.c b/providers/implementations/encode_decode/encode_key2text.c index f335870a4cf5d..c0c292328592f 100644 --- a/providers/implementations/encode_decode/encode_key2text.c +++ b/providers/implementations/encode_decode/encode_key2text.c @@ -241,7 +241,7 @@ static int dh_to_text(BIO *out, const void *key, int selection) return 0; } } - if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) { + if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) { pub_key = DH_get0_pub_key(dh); if (pub_key == NULL) { ERR_raise(ERR_LIB_PROV, PROV_R_NOT_A_PUBLIC_KEY); @@ -316,7 +316,7 @@ static int dsa_to_text(BIO *out, const void *key, int selection) return 0; } } - if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) { + if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) { pub_key = DSA_get0_pub_key(dsa); if (pub_key == NULL) { ERR_raise(ERR_LIB_PROV, PROV_R_NOT_A_PUBLIC_KEY); 
@@ -526,7 +526,7 @@ static int ec_to_text(BIO *out, const void *key, int selection) if (priv_len == 0) goto err; } - if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) { + if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) { const EC_POINT *pub_pt = EC_KEY_get0_public_key(ec); if (pub_pt == NULL) { @@ -577,26 +577,31 @@ static int ecx_to_text(BIO *out, const void *key, int selection) return 0; } + switch (ecx->type) { + case ECX_KEY_TYPE_X25519: + type_label = "X25519"; + break; + case ECX_KEY_TYPE_X448: + type_label = "X448"; + break; + case ECX_KEY_TYPE_ED25519: + type_label = "ED25519"; + break; + case ECX_KEY_TYPE_ED448: + type_label = "ED448"; + break; + } + if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) { if (ecx->privkey == NULL) { ERR_raise(ERR_LIB_PROV, PROV_R_NOT_A_PRIVATE_KEY); return 0; } - switch (ecx->type) { - case ECX_KEY_TYPE_X25519: - type_label = "X25519 Private-Key"; - break; - case ECX_KEY_TYPE_X448: - type_label = "X448 Private-Key"; - break; - case ECX_KEY_TYPE_ED25519: - type_label = "ED25519 Private-Key"; - break; - case ECX_KEY_TYPE_ED448: - type_label = "ED448 Private-Key"; - break; - } + if (BIO_printf(out, "%s Private-Key:\n", type_label) <= 0) + return 0; + if (!print_labeled_buf(out, "priv:", ecx->privkey, ecx->keylen)) + return 0; } else if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) { /* ecx->pubkey is an array, not a pointer... */ if (!ecx->haspubkey) { 
@@ -604,29 +609,11 @@ static int ecx_to_text(BIO *out, const void *key, int selection) return 0; } - switch (ecx->type) { - case ECX_KEY_TYPE_X25519: - type_label = "X25519 Public-Key"; - break; - case ECX_KEY_TYPE_X448: - type_label = "X448 Public-Key"; - break; - case ECX_KEY_TYPE_ED25519: - type_label = "ED25519 Public-Key"; - break; - case ECX_KEY_TYPE_ED448: - type_label = "ED448 Public-Key"; - break; - } + if (BIO_printf(out, "%s Public-Key:\n", type_label) <= 0) + return 0; } - if (BIO_printf(out, "%s:\n", type_label) <= 0) - return 0; - if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0 - && !print_labeled_buf(out, "priv:", ecx->privkey, ecx->keylen)) - return 0; - if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0 - && !print_labeled_buf(out, "pub:", ecx->pubkey, ecx->keylen)) + if (!print_labeled_buf(out, "pub:", ecx->pubkey, ecx->keylen)) return 0; return 1; From 82496b8663f20ff12f02adbe46a060a94b0cbfc5 Mon Sep 17 00:00:00 2001 From: Sumitra Sharma Date: Tue, 3 Oct 2023 09:28:44 +0530 Subject: [PATCH 301/324] Correct documentation for PKCS5_PBKDF2_HMAC In OpenSSL 3.x, the documentation for PKCS5_PBKDF2_HMAC incorrectly states that an iter value less than 1 is treated as a single iteration. Upon further investigation in providers/implementations/kdfs/pbkdf2.c, it appears that invalid iter values will result in failure and raise the PROV_R_INVALID_ITERATION_COUNT error. This commit corrects the documentation to accurately reflect the behavior in OpenSSL 3.x. Closes openssl#22168 Signed-off-by: Sumitra Sharma Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22252) --- doc/man3/PKCS5_PBKDF2_HMAC.pod | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/doc/man3/PKCS5_PBKDF2_HMAC.pod b/doc/man3/PKCS5_PBKDF2_HMAC.pod index 0984e993daefa..3da271bdbff77 100644 --- a/doc/man3/PKCS5_PBKDF2_HMAC.pod +++ b/doc/man3/PKCS5_PBKDF2_HMAC.pod 
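Review bot: At the end of `ecx_to_text` in encode_key2text.c, the `pub:` buffer is now printed unconditionally, but `ecx->haspubkey` is only checked in the public-key branch. With a private-key selection the code prints `ecx->pubkey` without that check. With a selection that has neither the private nor the public bit, it prints `pub:` with no `... Key:` header line at all. If an ECX key can hold a private part without `haspubkey` set (not visible from here), the output would be whatever the array happens to contain. I would guard the final call, for example `if (ecx->haspubkey && !print_labeled_buf(out, "pub:", ecx->pubkey, ecx->keylen)) return 0;`, and return early when no key bit is selected. The function starts in the previous hunk and outside it.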
@@ -33,7 +33,8 @@ be NULL terminated. B is the iteration count and its value should be greater than or equal to 1. RFC 2898 suggests an iteration count of at least 1000. Any -B less than 1 is treated as a single iteration. +B value less than 1 is invalid; such values will result in failure +and raise the PROV_R_INVALID_ITERATION_COUNT error. B is the message digest function used in the derivation. PKCS5_PBKDF2_HMAC_SHA1() calls PKCS5_PBKDF2_HMAC() with EVP_sha1(). From b49cafd86b295aa5e177d6c1368b06a1202ec2b3 Mon Sep 17 00:00:00 2001 From: "Matthias St. Pierre" Date: Sun, 24 Sep 2023 01:24:59 +0200 Subject: [PATCH 302/324] test: evp_extra: fix indentation error Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22185) --- test/evp_extra_test.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c index bec16144f994a..41de4af6abd87 100644 --- a/test/evp_extra_test.c +++ b/test/evp_extra_test.c @@ -1267,11 +1267,11 @@ static int test_EVP_PKEY_sign(int tst) if (tst == 0) { if (!TEST_ptr(pkey = load_example_rsa_key())) - goto out; + goto out; } else if (tst == 1) { #ifndef OPENSSL_NO_DSA if (!TEST_ptr(pkey = load_example_dsa_key())) - goto out; + goto out; #else ret = 1; goto out; @@ -1279,7 +1279,7 @@ static int test_EVP_PKEY_sign(int tst) } else { #ifndef OPENSSL_NO_EC if (!TEST_ptr(pkey = load_example_ec_key())) - goto out; + goto out; #else ret = 1; goto out; From 860e36d0dd72f4aa4791e88aa185cb42065a30c4 Mon Sep 17 00:00:00 2001 
From: "Matthias St. Pierre" Date: Sun, 24 Sep 2023 01:13:20 +0200 Subject: [PATCH 303/324] test: evp_extra: test signing with legacy app method based keys This commit adds `test_EVP_PKEY_sign_with_app_method`, a regression test for the bug fix in commit 1acc3e8cc3c6 (pull request #22163). It is analogous to `test_EVP_PKEY_sign`, only with a fake app method based key. (The EC key test case was omitted, because there is no `EC_KEY_METHOD_dup` method.) Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22185) --- test/evp_extra_test.c | 85 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 85 insertions(+) diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c index 41de4af6abd87..a0724981de34e 100644 --- a/test/evp_extra_test.c +++ b/test/evp_extra_test.c 
@@ -1313,6 +1313,88 @@ static int test_EVP_PKEY_sign(int tst) return ret; } +#ifndef OPENSSL_NO_DEPRECATED_3_0 +static int test_EVP_PKEY_sign_with_app_method(int tst) +{ + int ret = 0; + EVP_PKEY *pkey = NULL; + RSA *rsa = NULL; + RSA_METHOD *rsa_meth = NULL; +#ifndef OPENSSL_NO_DSA + DSA *dsa = NULL; + DSA_METHOD *dsa_meth = NULL; +#endif + unsigned char *sig = NULL; + size_t sig_len = 0, shortsig_len = 1; + EVP_PKEY_CTX *ctx = NULL; + unsigned char tbs[] = { + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, + 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13 + }; + + if (tst == 0) { + if (!TEST_ptr(pkey = load_example_rsa_key())) + goto out; + if (!TEST_ptr(rsa_meth = RSA_meth_dup(RSA_get_default_method()))) + goto out; + + if (!TEST_ptr(rsa = EVP_PKEY_get1_RSA(pkey)) + || !TEST_int_gt(RSA_set_method(rsa, rsa_meth), 0) + || !TEST_int_gt(EVP_PKEY_assign_RSA(pkey, rsa), 0)) + goto out; + rsa = NULL; /* now owned by the pkey */ + } else { +#ifndef OPENSSL_NO_DSA + if (!TEST_ptr(pkey = load_example_dsa_key())) + goto out; + if (!TEST_ptr(dsa_meth = DSA_meth_dup(DSA_get_default_method()))) + goto out; + + if (!TEST_ptr(dsa = EVP_PKEY_get1_DSA(pkey)) + || !TEST_int_gt(DSA_set_method(dsa, dsa_meth), 0) + || !TEST_int_gt(EVP_PKEY_assign_DSA(pkey, dsa), 0)) + goto out; + dsa = NULL; /* now owned by the pkey */ +#else + ret = 1; + goto out; +#endif + } + + ctx = EVP_PKEY_CTX_new_from_pkey(testctx, pkey, NULL); + if (!TEST_ptr(ctx) + || !TEST_int_gt(EVP_PKEY_sign_init(ctx), 0) + || !TEST_int_gt(EVP_PKEY_sign(ctx, NULL, &sig_len, tbs, + sizeof(tbs)), 0)) + goto out; + sig = OPENSSL_malloc(sig_len); + if (!TEST_ptr(sig) + /* Test sending a signature buffer that is too short is rejected */ + || !TEST_int_le(EVP_PKEY_sign(ctx, sig, &shortsig_len, tbs, + sizeof(tbs)), 0) + || !TEST_int_gt(EVP_PKEY_sign(ctx, sig, &sig_len, tbs, sizeof(tbs)), + 0) + /* Test the signature round-trips */ + || !TEST_int_gt(EVP_PKEY_verify_init(ctx), 0) + || 
!TEST_int_gt(EVP_PKEY_verify(ctx, sig, sig_len, tbs, sizeof(tbs)), + 0)) + goto out; + + ret = 1; + out: + EVP_PKEY_CTX_free(ctx); + OPENSSL_free(sig); + EVP_PKEY_free(pkey); + RSA_free(rsa); + RSA_meth_free(rsa_meth); +#ifndef OPENSSL_NO_DSA + DSA_free(dsa); + DSA_meth_free(dsa_meth); +#endif + return ret; +} +#endif /* !OPENSSL_NO_DEPRECATED_3_0 */ + /* * n = 0 => test using legacy cipher * n = 1 => test using fetched cipher @@ -4973,6 +5055,9 @@ int setup_tests(void) ADD_TEST(test_EVP_Digest); ADD_TEST(test_EVP_md_null); ADD_ALL_TESTS(test_EVP_PKEY_sign, 3); +#ifndef OPENSSL_NO_DEPRECATED_3_0 + ADD_ALL_TESTS(test_EVP_PKEY_sign_with_app_method, 2); +#endif ADD_ALL_TESTS(test_EVP_Enveloped, 2); ADD_ALL_TESTS(test_d2i_AutoPrivateKey, OSSL_NELEM(keydata)); ADD_TEST(test_privatekey_to_pkcs8); From 706512ecbc31585d447b53c3aa89acdf6951f996 Mon Sep 17 00:00:00 2001 From: "Matthias St. Pierre" Date: Mon, 2 Oct 2023 12:10:01 +0200 Subject: [PATCH 304/324] Don't (re-)initialize the FFC_PARAMs in dh_init and dsa_init The initialization was introduced in commit dc8de3e6f1ee and changes the behaviour of the `init` method for DSA and DH between 1.1.1 and 3.0, while the behaviour for RSA and EC_KEY remains unchanged. The initialization is not necessary in 3.x and master imho and breaks the use-case of intercepting the methods of an existing key. Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22185) --- crypto/dh/dh_key.c | 1 - crypto/dh/dh_lib.c | 2 ++ crypto/dsa/dsa_lib.c | 2 ++ crypto/dsa/dsa_ossl.c | 1 - 4 files changed, 4 insertions(+), 2 deletions(-) diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c index bc26cee303e97..8ab75e06d719e 100644 --- a/crypto/dh/dh_key.c +++ b/crypto/dh/dh_key.c @@ -194,7 +194,6 @@ static int dh_bn_mod_exp(const DH *dh, BIGNUM *r, static int dh_init(DH *dh) { dh->flags |= DH_FLAG_CACHE_MONT_P; - ossl_ffc_params_init(&dh->params); dh->dirty_cnt++; return 1; } 
diff --git a/crypto/dh/dh_lib.c b/crypto/dh/dh_lib.c index e2eb53961cb65..9d5a6b0b6c2ba 100644 --- a/crypto/dh/dh_lib.c +++ b/crypto/dh/dh_lib.c @@ -119,6 +119,8 @@ static DH *dh_new_intern(ENGINE *engine, OSSL_LIB_CTX *libctx) goto err; #endif /* FIPS_MODULE */ + ossl_ffc_params_init(&ret->params); + if ((ret->meth->init != NULL) && !ret->meth->init(ret)) { ERR_raise(ERR_LIB_DH, ERR_R_INIT_FAIL); goto err; diff --git a/crypto/dsa/dsa_lib.c b/crypto/dsa/dsa_lib.c index b18fda3378270..7997c2ac25e45 100644 --- a/crypto/dsa/dsa_lib.c +++ b/crypto/dsa/dsa_lib.c @@ -179,6 +179,8 @@ static DSA *dsa_new_intern(ENGINE *engine, OSSL_LIB_CTX *libctx) goto err; #endif + ossl_ffc_params_init(&ret->params); + if ((ret->meth->init != NULL) && !ret->meth->init(ret)) { ERR_raise(ERR_LIB_DSA, ERR_R_INIT_FAIL); goto err; diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c index 29e2a8057250b..234362b6d7499 100644 --- a/crypto/dsa/dsa_ossl.c +++ b/crypto/dsa/dsa_ossl.c @@ -462,7 +462,6 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, static int dsa_init(DSA *dsa) { dsa->flags |= DSA_FLAG_CACHE_MONT_P; - ossl_ffc_params_init(&dsa->params); dsa->dirty_cnt++; return 1; } From b31597d989f422a0d341be4946d4d64a9251047f Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Mon, 2 Oct 2023 11:11:29 +0200 Subject: [PATCH 305/324] Pass the dtls record version to the record layer msg_callback function. Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22241) --- ssl/record/methods/dtls_meth.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ssl/record/methods/dtls_meth.c b/ssl/record/methods/dtls_meth.c index e71730eba65d9..258dbd3b14a0b 100644 --- a/ssl/record/methods/dtls_meth.c +++ b/ssl/record/methods/dtls_meth.c 
@@ -429,10 +429,6 @@ int dtls_get_more_records(OSSL_RECORD_LAYER *rl) p = rl->packet; - if (rl->msg_callback != NULL) - rl->msg_callback(0, 0, SSL3_RT_HEADER, p, DTLS1_RT_HEADER_LENGTH, - rl->cbarg); - /* Pull apart the header into the DTLS1_RECORD */ rr->type = *(p++); ssl_major = *(p++); @@ -447,6 +443,10 @@ int dtls_get_more_records(OSSL_RECORD_LAYER *rl) n2s(p, rr->length); + if (rl->msg_callback != NULL) + rl->msg_callback(0, rr->rec_version, SSL3_RT_HEADER, rl->packet, DTLS1_RT_HEADER_LENGTH, + rl->cbarg); + /* * Lets check the version. We tolerate alerts that don't have the exact * version number (e.g. because of protocol version errors) From 5f79670f7b9b0354a5f6ccac9474f7a12f86407e Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Mon, 2 Oct 2023 12:00:58 +0200 Subject: [PATCH 306/324] Print record version for DTLSv1_listen() Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22241) --- ssl/d1_lib.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index 8bbabd8f413ef..be4ff02a897cd 100644 --- a/ssl/d1_lib.c +++ b/ssl/d1_lib.c @@ -411,7 +411,7 @@ int DTLSv1_listen(SSL *ssl, BIO_ADDR *client) const unsigned char *data; unsigned char *buf = NULL, *wbuf; size_t fragoff, fraglen, msglen; - unsigned int rectype, versmajor, msgseq, msgtype, clientvers, cookielen; + unsigned int rectype, versmajor, versminor, msgseq, msgtype, clientvers, cookielen; BIO *rbio, *wbio; BIO_ADDR *tmpclient = NULL; PACKET pkt, msgpkt, msgpayload, session, cookiepkt; 
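Review bot: In `dtls_get_more_records`, the relocated `rl->msg_callback(...)` call now passes `rr->rec_version` before the "Lets check the version" block that follows it. The `DTLSv1_listen` hunk in ssl/d1_lib.c likewise passes `(versmajor << 8) | versminor` straight after parsing an unauthenticated datagram. The callback therefore receives a peer-controlled, not yet validated version value where it used to receive 0. A short comment at both call sites would make that explicit for callback authors, e.g. `/* version is the raw record header field; it has not been validated yet */`. The new call in dtls_meth.c also exceeds 80 columns and should break after `SSL3_RT_HEADER,`. Both functions start and end outside these hunks.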
@@ -496,17 +496,18 @@ int DTLSv1_listen(SSL *ssl, BIO_ADDR *client) goto end; } - if (s->msg_callback) - s->msg_callback(0, 0, SSL3_RT_HEADER, buf, - DTLS1_RT_HEADER_LENGTH, ssl, s->msg_callback_arg); - /* Get the record header */ if (!PACKET_get_1(&pkt, &rectype) - || !PACKET_get_1(&pkt, &versmajor)) { + || !PACKET_get_1(&pkt, &versmajor) + || !PACKET_get_1(&pkt, &versminor)) { ERR_raise(ERR_LIB_SSL, SSL_R_LENGTH_MISMATCH); goto end; } + if (s->msg_callback) + s->msg_callback(0, (versmajor << 8) | versminor, SSL3_RT_HEADER, buf, + DTLS1_RT_HEADER_LENGTH, ssl, s->msg_callback_arg); + if (rectype != SSL3_RT_HANDSHAKE) { ERR_raise(ERR_LIB_SSL, SSL_R_UNEXPECTED_MESSAGE); goto end; @@ -521,9 +522,8 @@ int DTLSv1_listen(SSL *ssl, BIO_ADDR *client) goto end; } - if (!PACKET_forward(&pkt, 1) - /* Save the sequence number: 64 bits, with top 2 bytes = epoch */ - || !PACKET_copy_bytes(&pkt, seq, SEQ_NUM_SIZE) + /* Save the sequence number: 64 bits, with top 2 bytes = epoch */ + if (!PACKET_copy_bytes(&pkt, seq, SEQ_NUM_SIZE) || !PACKET_get_length_prefixed_2(&pkt, &msgpkt)) { ERR_raise(ERR_LIB_SSL, SSL_R_LENGTH_MISMATCH); goto end; From fac54a65c0f4ede37d884b8304a2fdbd94df11ea Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Mon, 2 Oct 2023 13:08:56 +0200 Subject: [PATCH 307/324] Update documentation on SSL_CTX_set_msg_callback() to match the actual functionality. Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22241) --- doc/man3/SSL_CTX_set_msg_callback.pod | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/doc/man3/SSL_CTX_set_msg_callback.pod b/doc/man3/SSL_CTX_set_msg_callback.pod index 7484773afe653..559f53d4089c7 100644 --- a/doc/man3/SSL_CTX_set_msg_callback.pod +++ b/doc/man3/SSL_CTX_set_msg_callback.pod 
@@ -58,8 +58,9 @@ when a protocol message has been sent. The protocol version according to which the protocol message is interpreted by the library such as B, B, -B etc. This is set to 0 for the SSL3_RT_HEADER pseudo -content type (see NOTES below). +B etc. For the SSL3_RT_HEADER pseudo +content type (see NOTES below) this value will be the decoded +version/legacy_version field of the record header. =item I From 74f8d9ce081a512777ae1f4abe015b7fd1a4a686 Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Mon, 2 Oct 2023 15:53:28 +0200 Subject: [PATCH 308/324] Added info on change to HISTORY of SSL_CTX_set_msg_callback() Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22241) --- doc/man3/SSL_CTX_set_msg_callback.pod | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/doc/man3/SSL_CTX_set_msg_callback.pod b/doc/man3/SSL_CTX_set_msg_callback.pod index 559f53d4089c7..f046c77b535b9 100644 --- a/doc/man3/SSL_CTX_set_msg_callback.pod +++ b/doc/man3/SSL_CTX_set_msg_callback.pod @@ -173,6 +173,12 @@ The pseudo content types B, B, B, B and B were added in OpenSSL 3.2. +In versions previous to OpenSSL 3.0 I was called with 0 as I for +the pseudo content type B for TLS records. + +In versions previous to OpenSSL 3.2 I was called with 0 as I for +the pseudo content type B for DTLS records. + =head1 COPYRIGHT Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved. From 831602922f19a8f39d0c0fae425b81e9ab402c69 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 4 Oct 2023 12:30:22 +0200 Subject: [PATCH 309/324] d2i_PKCS8PrivateKey_bio.pod: evp.h include is unnecessary It is also not allowed by doc nits check to have multiple includes. Reviewed-by: Matt Caswell Reviewed-by: Dmitry Belyavskiy Reviewed-by: Tom Cosgrove (Merged from https://github.com/openssl/openssl/pull/22276) --- doc/man3/d2i_PKCS8PrivateKey_bio.pod | 1 - 1 file changed, 1 deletion(-) 
diff --git a/doc/man3/d2i_PKCS8PrivateKey_bio.pod b/doc/man3/d2i_PKCS8PrivateKey_bio.pod index e84283f63e6c2..55ec346575040 100644 --- a/doc/man3/d2i_PKCS8PrivateKey_bio.pod +++ b/doc/man3/d2i_PKCS8PrivateKey_bio.pod @@ -8,7 +8,6 @@ i2d_PKCS8PrivateKey_nid_bio, i2d_PKCS8PrivateKey_nid_fp - PKCS#8 format private =head1 SYNOPSIS - #include #include EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, void *u); From 456e6ca5d73972cdb4228e6c5ec9acdf19237308 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 4 Oct 2023 17:03:39 +0000 Subject: [PATCH 310/324] Bump suisei-cn/actions-download-file from 1.3.0 to 1.4.0 Bumps [suisei-cn/actions-download-file](https://github.com/suisei-cn/actions-download-file) from 1.3.0 to 1.4.0. - [Release notes](https://github.com/suisei-cn/actions-download-file/releases) - [Commits](https://github.com/suisei-cn/actions-download-file/compare/v1.3.0...v1.4.0) --- updated-dependencies: - dependency-name: suisei-cn/actions-download-file dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] CLA: trivial Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22268) --- .github/workflows/os-zoo.yml | 2 +- .github/workflows/windows.yml | 6 +++--- .github/workflows/windows_comp.yml | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/os-zoo.yml b/.github/workflows/os-zoo.yml index d3dc6770c31f1..29137bd7c7d89 100644 --- a/.github/workflows/os-zoo.yml +++ b/.github/workflows/os-zoo.yml @@ -154,7 +154,7 @@ jobs: working-directory: _build run: nmake /S - name: download coreinfo - uses: suisei-cn/actions-download-file@v1.3.0 + uses: suisei-cn/actions-download-file@v1.4.0 with: url: "https://download.sysinternals.com/files/Coreinfo.zip" target: _build/coreinfo/ 
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index 29ad9689e943e..806bc25f558d3 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml @@ -48,7 +48,7 @@ jobs: working-directory: _build run: nmake /S - name: download coreinfo - uses: suisei-cn/actions-download-file@v1.3.0 + uses: suisei-cn/actions-download-file@v1.4.0 with: url: "https://download.sysinternals.com/files/Coreinfo.zip" target: _build/coreinfo/ @@ -92,7 +92,7 @@ jobs: working-directory: _build run: nmake /S - name: download coreinfo - uses: suisei-cn/actions-download-file@v1.3.0 + uses: suisei-cn/actions-download-file@v1.4.0 with: url: "https://download.sysinternals.com/files/Coreinfo.zip" target: _build/coreinfo/ @@ -129,7 +129,7 @@ jobs: working-directory: _build run: nmake # verbose, so no /S here - name: download coreinfo - uses: suisei-cn/actions-download-file@v1.3.0 + uses: suisei-cn/actions-download-file@v1.4.0 with: url: "https://download.sysinternals.com/files/Coreinfo.zip" target: _build/coreinfo/ diff --git a/.github/workflows/windows_comp.yml b/.github/workflows/windows_comp.yml index 3ffd5f2e720a0..bf2e89ed71537 100644 --- a/.github/workflows/windows_comp.yml +++ b/.github/workflows/windows_comp.yml @@ -42,7 +42,7 @@ jobs: working-directory: _build run: nmake - name: download coreinfo - uses: suisei-cn/actions-download-file@v1.3.0 + uses: suisei-cn/actions-download-file@v1.4.0 with: url: "https://download.sysinternals.com/files/Coreinfo.zip" target: _build/coreinfo/ @@ -80,7 +80,7 @@ jobs: working-directory: _build run: nmake - name: download coreinfo - uses: suisei-cn/actions-download-file@v1.3.0 + uses: suisei-cn/actions-download-file@v1.4.0 with: url: "https://download.sysinternals.com/files/Coreinfo.zip" target: _build/coreinfo/ From fb20e66c6b2651067f50bab8cf098c71e2caed4b Mon Sep 17 00:00:00 2001 
From: Pauli Date: Mon, 25 Sep 2023 09:34:07 +1000 Subject: [PATCH 311/324] ossl_property_list_to_string: handle quoted strings ossl_property_list_to_string() didn't quote strings correctly which could result in a generated property string being unparsable. Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22182) --- crypto/property/property_parse.c | 32 +++++++++++++++++++++++++++++--- test/property_test.c | 3 +++ 2 files changed, 32 insertions(+), 3 deletions(-) diff --git a/crypto/property/property_parse.c b/crypto/property/property_parse.c index b2bf3cd63180a..983f07e070cab 100644 --- a/crypto/property/property_parse.c +++ b/crypto/property/property_parse.c @@ -588,15 +588,38 @@ static void put_char(char ch, char **buf, size_t *remain, size_t *needed) static void put_str(const char *str, char **buf, size_t *remain, size_t *needed) { - size_t olen, len; + size_t olen, len, i; + char quote = '\0'; + int quotes; len = olen = strlen(str); *needed += len; - if (*remain == 0) + /* + * Check to see if we need quotes or not. + * Characters that are legal in a PropertyName don't need quoting. + * We simply assume all others require quotes. + */ + for (i = 0; i < len; i++) + if (!ossl_isalnum(str[i]) && str[i] != '.' && str[i] != '_') { + /* Default to single quotes ... */ + if (quote == '\0') + quote = '\''; + /* ... but use double quotes if a single is present */ + if (str[i] == '\'') + quote = '"'; + } + + quotes = quote != '\0'; + if (*remain == 0) { + *needed += 2 * quotes; return; + } - if (*remain < len + 1) + if (quotes) + put_char(quote, buf, remain, needed); + + if (*remain < len + 1 + quotes) len = *remain - 1; if (len > 0) { @@ -605,6 +628,9 @@ static void put_str(const char *str, char **buf, size_t *remain, size_t *needed) *remain -= len; } + if (quotes) + put_char(quote, buf, remain, needed); + if (len < olen && *remain == 1) { **buf = '\0'; ++*buf; 
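Review bot: In put_str() the `*remain == 0` early return now sits before the opening `put_char(quote, ...)`, but `len = *remain - 1` still runs afterwards without a fresh check. If put_char() consumes the last byte when `*remain` is 1 (its body is outside this hunk, so this is inferred), `*remain - 1` wraps to SIZE_MAX and the following memcpy() writes far past the buffer. Guarding the truncation closes that: `if (*remain == 0) len = 0; else if (*remain < len + 1 + quotes) len = *remain - 1;`. Separately, a value containing both `'` and `"` is wrapped in double quotes and would still not round-trip, which deserves a comment or a test entry. put_str() continues past the end of the second hunk.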
diff --git a/test/property_test.c b/test/property_test.c index 45b1db3e855b6..bba96fac0a019 100644 --- a/test/property_test.c +++ b/test/property_test.c @@ -645,6 +645,9 @@ static struct { { "", "" }, { "fips=3", "fips=3" }, { "fips=-3", "fips=-3" }, + { "provider='foo bar'", "provider='foo bar'" }, + { "provider=\"foo bar'\"", "provider=\"foo bar'\"" }, + { "provider=abc***", "provider='abc***'" }, { NULL, "" } }; From 11f69aa50771d50151fa24c55fd0858db30517df Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Thu, 21 Sep 2023 14:39:30 +0200 Subject: [PATCH 312/324] [design] Make it possible to pass AlgorithmIdentifier parameter data This design is to allow passing AlgorithmIdentifier parameter data to and from any cryptograpfic operation, with convenience functions for them all, not just for symmetric ciphers. This is crucial to support CMS, among others. Ref: openssl/project#172 Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22162) --- .../passing-algorithmidentifier-parameters.md | 156 ++++++++++++++++++ 1 file changed, 156 insertions(+) create mode 100644 doc/designs/passing-algorithmidentifier-parameters.md diff --git a/doc/designs/passing-algorithmidentifier-parameters.md b/doc/designs/passing-algorithmidentifier-parameters.md new file mode 100644 index 0000000000000..bb3821e33713b --- /dev/null +++ b/doc/designs/passing-algorithmidentifier-parameters.md 
@@ -0,0 +1,156 @@ +Passing AlgorithmIdentifier parameters to operations +==================================================== + +Quick background +---------------- + +We currently only support passing the AlgorithmIdentifier (`X509_ALGOR`) +parameter field to symmetric cipher provider implementations. + +We do support passing them to legacy implementations of other types of +operation algorithms as well, but it's done in a way that can't be supported +with providers, because it involves sharing specific structures between +libcrypto and the backend implementation. + +For a longer background and explanation, see +[Background / tl;dr](#background-tldr) at the end of this design. + +Establish an OSSL_PARAM key that any algorithms may become aware of +------------------------------------------------------------------- + +We already have a parameter key, but it's currently only specified for +`EVP_CIPHER`, in support of `EVP_CIPHER_param_to_asn1()` and +`EVP_CIPHER_asn1_to_param()`. + +"alg_id_param", also known as the macro `OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS` + +This parameter can be used in the exact same manner with other operations, +with the value of the AlgorithmIdentifier parameter as an octet string, to +be interpreted by the implementations in whatever way they see fit. + +Applications can choose to add these in an `OSSL_PARAM` array, to be passed +with the multitude of initialization functions that take such an array, or +using specific operation `OSSL_PARAM` setters and getters (such as +`EVP_PKEY_CTX_set_params`), or using other available convenience functions +(see below). 
+ +This parameter will have to be documented in the following files: + +- `doc/man7/provider-asym_cipher.pod` +- `doc/man7/provider-cipher.pod` +- `doc/man7/provider-digest.pod` +- `doc/man7/provider-kdf.pod` +- `doc/man7/provider-kem.pod` +- `doc/man7/provider-keyexch.pod` +- `doc/man7/provider-mac.pod` +- `doc/man7/provider-signature.pod` + +That should cover all algorithms that are, or should be possible to fetch by +AlgorithmIdentifier.algorithm, and for which there's potentially a relevant +AlgorithmIdentifier.parameters field. + +We may arguably want to consider `doc/man7/provider-keymgmt.pod` too, but +an AlgorithmIdentifier that's attached directly to a key is usually part of +a PrivKeyInfo or SubjectPublicKeyInfo structure, and those are handled by +encoders and decoders as those see fit, and there's no tangible reason why +that would have to change. + +Public convenience API +---------------------- + +For convenience, the following set of functions would be added to pass the +AlgorithmIdentifier parameter data to diverse operations, or to retrieve +such parameter data from them. + +``` C +/* + * These two would essentially be aliases for EVP_CIPHER_param_to_asn1() + * and EVP_CIPHER_asn1_to_param(). 
+ */ +EVP_CIPHER_CTX_set_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg); +EVP_CIPHER_CTX_get_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg); + +EVP_MD_CTX_set_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg); +EVP_MD_CTX_get_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg); + +EVP_MAC_CTX_set_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg); +EVP_MAC_CTX_get_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg); + +EVP_KDF_CTX_set_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg); +EVP_KDF_CTX_get_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg); + +EVP_PKEY_CTX_set_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg); +EVP_PKEY_CTX_get_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg); +``` + +Note that all might not need to be added immediately, depending on if they +are considered useful or not. For future proofing, however, they should +probably all be added. + +Requirements on the providers +----------------------------- + +Providers that implement ciphers or any operation that uses asymmetric keys +will have to implement support for passing AlgorithmIdentifier parameter +data, and will have to process that data in whatever manner that's necessary +to meet the standards for that operation. + +Fallback strategies +------------------- + +There are no possible fallback strategies, which is fine, considering that +current provider functionality doesn't support passing AlgorithmIdentifier +parameter data at all (except for `EVP_CIPHER`), and therefore do not work +at all when such parameter data needs to be passed. + +----- + +----- + +Background / tl;dr +------------------ + +### AlgorithmIdenfier parameter and how it's used + +OpenSSL has historically done a few tricks to not have to pass +AlgorithmIdenfier parameter data to the backend implementations of +cryptographic operations: + +- In some cases, they were passed as part of the lower level key structure + (for example, the `RSA` structure can also carry RSA-PSS parameters). 
+- In the `EVP_CIPHER` case, there is functionality to pass the parameter + data specifically. +- For asymmetric key operations, PKCS#7 and CMS support was added as + `EVP_PKEY` ctrls. + +With providers, some of that support was retained, but not others. Most +crucially, the `EVP_PKEY` ctrls for PKCS#7 and CMS were not retained, +because the way they were implemented violated the principle that provider +implementations *MUST NOT* share complex OpenSSL specific structures with +libcrypto. + +### Usage examples + +Quite a lot of the available examples today revolve around CMS, with a +number of RFCs that specify what parameters should be passed with certain +operations / algorithms. This list is not exhaustive, the reader is +encouraged to research further usages. + +- [DSA](https://www.rfc-editor.org/rfc/rfc3370#section-3.1) signatures + typically have the domain parameters *p*, *q* and *g*. +- [RC2 key wrap](https://www.rfc-editor.org/rfc/rfc3370#section-4.3.2) +- [PBKDF2](https://www.rfc-editor.org/rfc/rfc3370#section-4.4.1) +- [3DES-CBC](https://www.rfc-editor.org/rfc/rfc3370#section-5.1) +- [RC2-CBC](https://www.rfc-editor.org/rfc/rfc3370#section-5.2) + +- [GOST 28147-89](https://www.rfc-editor.org/rfc/rfc4490.html#section-5.1) + +- [RSA-OAEP](https://www.rfc-editor.org/rfc/rfc8017#appendix-A.2.1) +- [RSA-PSS](https://www.rfc-editor.org/rfc/rfc8017#appendix-A.2.3) + +- [XOR-MD5](https://www.rfc-editor.org/rfc/rfc6210.html) is experimental, + but it does demonstrate the possibility of a parametrized hash algorithm. + +Some of it can be claimed to already have support in OpenSSL. However, this +is with old libcrypto code that has special knowledge of the algorithms that +are involved. From e8e2b131ca253f9e28c511c8294e27ddbd0b60c6 Mon Sep 17 00:00:00 2001 
From: Richard Levitte Date: Mon, 18 Sep 2023 09:30:13 +0200 Subject: [PATCH 313/324] [design] Make it possible to use explicitly fetched signature implementation This design is to allow the use of explicitly fetched EVP_SIGNATURE implementations. Ref: openssl/project#171 Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22129) --- doc/designs/fetching-composite-algorithms.md | 187 +++++++++++++++++++ 1 file changed, 187 insertions(+) create mode 100644 doc/designs/fetching-composite-algorithms.md diff --git a/doc/designs/fetching-composite-algorithms.md b/doc/designs/fetching-composite-algorithms.md new file mode 100644 index 0000000000000..1e3fa9996876d --- /dev/null +++ b/doc/designs/fetching-composite-algorithms.md 
@@ -0,0 +1,187 @@ +Fetching composite algorithms and using them - adding the bits still missing +============================================================================ + +Quick background +---------------- + +We currently support - at least in the public libcrypto API - explicitly +fetching composite algorithms (such as AES-128-CBC or HMAC-SHA256), and +using them in most cases. In some cases (symmetric ciphers), our providers +also provide them. + +However, there is one class of algorithms where the support for *using* +explicitly fetched algorithms is lacking: asymmetric algorithms. + +For a longer background and explanation, see +[Background / tl;dr](#background-tldr) at the end of this design. + +Public API - Add variants of `EVP_PKEY_CTX` initializers +-------------------------------------------------------- + +As far as this design is concerned, these API sets are affected: + +- SIGNATURE (DigestSign and DigestVerify) +- ASYM_CIPHER +- KEYEXCH + +The proposal is to add these functions: + +``` C +EVP_DigestSignInit_ex2(EVP_PKEY_CTX **pctx, + EVP_SIGNATURE *sig, EVP_PKEY *pkey, + OSSL_LIB_CTX *libctx, const OSSL_PARAM params[]); +EVP_DigestVerifyInit_ex2(EVP_PKEY_CTX **pctx, + EVP_SIGNATURE *sig, EVP_PKEY *pkey, + OSSL_LIB_CTX *libctx, const OSSL_PARAM params[]); + +int EVP_PKEY_encrypt_init_ex2(EVP_PKEY_CTX *ctx, EVP_ASYM_CIPHER *asymciph, + const OSSL_PARAM params[]); +int EVP_PKEY_decrypt_init_ex2(EVP_PKEY_CTX *ctx, EVP_ASYM_CIPHER *asymciph, + const OSSL_PARAM params[]); + +int EVP_PKEY_derive_init_ex2(EVP_PKEY_CTX *ctx, EVP_KEYEXCH *exchange, + const OSSL_PARAM params[]); +``` + +Because `EVP_SIGNATURE`, `EVP_ASYM_CIPHER` and `EVP_KEYEXCH` aren't limited +to composite algorithms, these functions can be used just as well with +explicit fetches of simple algorithms, say "RSA". In that case, the caller +will need to pass necessary auxiliary parameters through the `OSSL_PARAM` or +a call to a corresponding `set_params` function. 
+ +Requirements on the providers +----------------------------- + +Because it's not immediately obvious from a composite algorithm name what +key type it requires / supports, at least in code, allowing the use of an +explicitly fetched implementation of a composite algorithm requires that +providers cooperate by declaring what key type is required / supported by +each algorithm. + +For non-composite operation algorithms (like "RSA"), this is not necessary, +see the fallback strategies below. + +There are two ways this could be implemented: + +1. through an added provider function that would work like keymgmt's + `query_operation_name` function, but would return a key type name + instead: + + ``` C + # define OSSL_FUNC_SIGNATURE_QUERY_KEY_TYPE 26 + OSSL_CORE_MAKE_FUNC(const char *, signature_query_key_type, (void)) + + # define OSSL_FUNC ASYM_CIPHER_QUERY_KEY_TYPE 12 + OSSL_CORE_MAKE_FUNC(const char *, asym_cipher_query_key_type, (void)) + + # define OSSL_FUNC_KEYEXCH_QUERY_KEY_TYPE 11 + OSSL_CORE_MAKE_FUNC(const char *, keyexch_query_key_type, (void)) + ``` + +2. through a gettable `OSSL_PARAM`, using the param identity "keytype" + +Fallback strategies +------------------- + +Because existing providers haven't been updated to declare composite +algorithms, or to respond to the key type query, some fallback strategies +will be needed to find out if the `EVP_PKEY` key type is possible to use +with the fetched algorithm: + +- Check if the fetched operation name matches the key type (keymgmt name) + of the `EVP_PKEY` that's involved in the operation. For example, this + is useful when someone fetched the `EVP_SIGNATURE` "RSA". +- Check if the fetched algorithm name matches the name returned by the + keymgmt's `query_operation_name` function. For example, this is useful + when someone fetched the `EVP_SIGNATURE` "ECDSA", for which the key type + to use is "EC". 
+- libcrypto currently has knowledge of some composite algorithm names and + what they are composed of, accessible with `OBJ_find_sigid_algs` and + similar functionality. This knowledge is regarded legacy, but can be + used to figure out the key type. + +If none of these strategies work out, the operation initialization should +fail. + +These strategies have their limitations, but the built-in legacy knowledge +we currently have in libcrypto should be enough to cover most bases. + +----- + +----- + +Background / tl;dr +------------------ + +### What is a composite algorithm? + +A composite algorithm is an algorithm that's composed of more than one other +algorithm. In OpenSSL parlance with a focus on signatures, they have been +known as "sigalgs", but this is really broader than just signature algorithms. +Examples are: + +- AES-128-CBC +- hmacWithSHA256 +- sha256WithRSAEncryption + +### The connection with AlgorithmIdentifiers + +AlgorithmIdentifier is an ASN.1 structure that defines an algorithm as an +OID, along with parameters that should be passed to that algorithm. + +It is expected that an application should be able to take that OID and +fetch it directly, after conversion to string form (either a name if the +application or libcrypto happens to know it, or the OID itself in canonical +numerical form). To enable this, explicit fetching is necessary. + +### What we have today + +As a matter of fact, we already have built-in support for fetching +composite algorithms, although our providers do not fully participate in +that support, and *most of the time*, we also have public APIs to use the +fetched result, commonly known as support for explicit fetching. + +The idea is that providers can declare the different compositions of a base +algorithm in the `OSSL_ALGORITHM` array, each pointing to different +`OSSL_DISPATCH` tables, which would in turn refer to pretty much the same +functions, apart from the constructor function. 
+ +For example, we already do this with symmetric ciphers. + +Another example, which we could implement in our providers today, would be +compositions of HMAC: + +``` C +static const OSSL_ALGORITHM deflt_macs[] = { + /* ... */ + { "HMAC-SHA1:hmacWithSHA1:1.2.840.113549.2.7", + "provider=default", ossl_hmac_sha1_functions }, + { "HMAC-SHA224:hmacWithSHA224:1.2.840.113549.2.8", + "provider=default", ossl_hmac_sha224_functions }, + { "HMAC-SHA256:hmacWithSHA256:1.2.840.113549.2.9", + "provider=default", ossl_hmac_sha256_functions }, + { "HMAC-SHA384:hmacWithSHA384:1.2.840.113549.2.10", + "provider=default", ossl_hmac_sha384_functions }, + { "HMAC-SHA512:hmacWithSHA512:1.2.840.113549.2.11", + "provider=default", ossl_hmac_sha512_functions }, + /* ... */ +``` + +### What we don't have today + +There are some classes of algorithms for which we have no support for using +the result of explicit fetching. So for example, while it's possible for a +provider to declare composite algorithms through the `OSSL_ALGORITHM` array, +there's currently no way for an application to use them. + +This all revolves around asymmetric algorithms, where we currently only +support implicit fetching. + +This is hurtful in multiple ways: + +- It fails the provider authors in terms being able to consistently + declare all algorithms through `OSSL_ALGORITHM` arrays. +- It fails the applications in terms of being able to fetch algorithms and + use the result. +- It fails discoverability, for example through the `openssl list` + command. From f7b80136a3df4396b19ebb86d4814d8cefe6d6db Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 3 Oct 2023 14:43:13 +0200 Subject: [PATCH 314/324] DH_check: Emphasize the importance of return value check Reviewed-by: Matt Caswell Reviewed-by: Tom Cosgrove Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22262) --- doc/man3/DH_generate_parameters.pod | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/doc/man3/DH_generate_parameters.pod b/doc/man3/DH_generate_parameters.pod index bbcfe24ae6b4d..e677885597ae6 100644 --- a/doc/man3/DH_generate_parameters.pod +++ b/doc/man3/DH_generate_parameters.pod @@ -128,6 +128,10 @@ The parameter B is invalid. =back +If 0 is returned or B<*codes> is set to a nonzero value the supplied +parameters should not be used for Diffie-Hellman operations otherwise +the security properties of the key exchange are not guaranteed. + DH_check_ex(), DH_check_params() and DH_check_pub_key_ex() are similar to DH_check() and DH_check_params() respectively, but the error reasons are added to the thread's error queue instead of provided as return values from the From 0f7a3b0caa33a87c900536dc1c02fa553d2193cc Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 4 Oct 2023 09:30:43 +0200 Subject: [PATCH 315/324] BN_gcd(): Avoid shifts of negative values Fixes #22216 Thanks to Leland Mills for investigation and testing. Reviewed-by: Tom Cosgrove Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22272) --- crypto/bn/bn_gcd.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/crypto/bn/bn_gcd.c b/crypto/bn/bn_gcd.c index 519bb4e951d7d..2cd8ee35e034a 100644 --- a/crypto/bn/bn_gcd.c +++ b/crypto/bn/bn_gcd.c @@ -642,9 +642,9 @@ int BN_gcd(BIGNUM *r, const BIGNUM *in_a, const BIGNUM *in_b, BN_CTX *ctx) for (i = 0; i < m; i++) { /* conditionally flip signs if delta is positive and g is odd */ - cond = (-delta >> (8 * sizeof(delta) - 1)) & g->d[0] & 1 + cond = ((unsigned int)-delta >> (8 * sizeof(delta) - 1)) & g->d[0] & 1 /* make sure g->top > 0 (i.e. if top == 0 then g == 0 always) */ - & (~((g->top - 1) >> (sizeof(g->top) * 8 - 1))); + & (~((unsigned int)(g->top - 1) >> (sizeof(g->top) * 8 - 1))); delta = (-cond & -delta) | ((cond - 1) & delta); r->neg ^= cond; /* swap */ 
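Review bot: With the `(unsigned int)` casts the two shift terms in BN_gcd() no longer produce all-ones/zero masks: `(unsigned int)-delta >> (8 * sizeof(delta) - 1)` is 0 or 1, and `~((unsigned int)(g->top - 1) >> ...)` is 0xFFFFFFFF or 0xFFFFFFFE (assuming a 32-bit int), so the expression is only correct because it is ANDed with `g->d[0] & 1`. That dependency on bit 0 is worth a comment, e.g. `/* logical shifts: only bit 0 of each term is significant */`, so a later edit does not reuse one of the terms as a full-width mask in this constant-time path. The cast type is spelled out while the shift count comes from `sizeof(delta)` and `sizeof(g->top)`; their declarations are outside the hunk, so it is assumed both are int. The BN_consttime_swap() argument in the second hunk has the same shape.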
@@ -656,7 +656,7 @@ int BN_gcd(BIGNUM *r, const BIGNUM *in_a, const BIGNUM *in_b, BN_CTX *ctx) goto err; BN_consttime_swap(g->d[0] & 1 /* g is odd */ /* make sure g->top > 0 (i.e. if top == 0 then g == 0 always) */ - & (~((g->top - 1) >> (sizeof(g->top) * 8 - 1))), + & (~((unsigned int)(g->top - 1) >> (sizeof(g->top) * 8 - 1))), g, temp, top); if (!BN_rshift1(g, g)) goto err; From 31fc8a83bc9aa435ae40c3eff713ced441eaa011 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Wed, 4 Oct 2023 16:32:31 +0100 Subject: [PATCH 316/324] Fix coverity alert on use of uninitialised data The function `ossl_blake2b_param_init` should initialise only, and not read the data it is initialising Reviewed-by: Richard Levitte Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22282) --- providers/implementations/digests/blake2_prov.c | 3 +++ providers/implementations/digests/blake2b_prov.c | 3 +-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/providers/implementations/digests/blake2_prov.c b/providers/implementations/digests/blake2_prov.c index 298bc66de65a5..34bbd7ed37d54 100644 --- a/providers/implementations/digests/blake2_prov.c +++ b/providers/implementations/digests/blake2_prov.c @@ -23,8 +23,11 @@ static int ossl_blake2s256_init(void *ctx) static int ossl_blake2b512_init(void *ctx) { struct blake2b_md_data_st *mdctx = ctx; + uint8_t digest_length = mdctx->params.digest_length; ossl_blake2b_param_init(&mdctx->params); + if (digest_length != 0) + mdctx->params.digest_length = digest_length; return ossl_blake2b_init(&mdctx->ctx, &mdctx->params); } diff --git a/providers/implementations/digests/blake2b_prov.c b/providers/implementations/digests/blake2b_prov.c index 8125dab41f415..0e3e894a43bd4 100644 --- a/providers/implementations/digests/blake2b_prov.c +++ b/providers/implementations/digests/blake2b_prov.c 
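Review bot: ossl_blake2b512_init() now reads `mdctx->params.digest_length` before `ossl_blake2b_param_init()` has run, so the read that the commit removes from the initialiser has moved into this caller rather than gone away. Whether it is defined depends on how the context is allocated, which is outside the hunk; if it is zero-allocated the code is fine, and a comment should say so, e.g. `/* ctx is zeroed at allocation; non-zero means set via params */`. The preserved value is also written back without a bounds check here, so it relies on the code that set it having validated it against the maximum digest size.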
@@ -121,8 +121,7 @@ static void blake2b_init_param(BLAKE2B_CTX *S, const BLAKE2B_PARAM *P) /* Initialize the parameter block with default values */ void ossl_blake2b_param_init(BLAKE2B_PARAM *P) { - if (P->digest_length == 0) - P->digest_length = BLAKE2B_DIGEST_LENGTH; + P->digest_length = BLAKE2B_DIGEST_LENGTH; P->key_length = 0; P->fanout = 1; P->depth = 1; From 4bad474746472f08b0247b5afa81ddc71df98d5f Mon Sep 17 00:00:00 2001 From: Neil Horman Date: Wed, 4 Oct 2023 09:48:37 -0400 Subject: [PATCH 317/324] embed bio_dgram_data inside bio_dgram_sctp_data the sctp BIO implementation uses the generic BIO dgram implementation under the covers for some operations. However, the private data for each bio is incongruous, leading to segfaults when doing things like passing a dgram_sctp_ctrl operation to the underlying dgram_ctrl method. Fix this by removing the common fields between the two strcutres and embedding a bio_dgram_data as the first member of the bio_dgram_sctp_data struct. This allows implicit casting when that call path is taken, avoiding any memory mis-use Fixes #20643 Reviewed-by: Matt Caswell Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22278) --- crypto/bio/bss_dgram.c | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/crypto/bio/bss_dgram.c b/crypto/bio/bss_dgram.c index 3f57de539f451..5195634fdfa76 100644 --- a/crypto/bio/bss_dgram.c +++ b/crypto/bio/bss_dgram.c 
@@ -216,11 +216,13 @@ typedef struct bio_dgram_sctp_save_message_st { int length; } bio_dgram_sctp_save_message; +/* + * Note: bio_dgram_data must be first here + * as we use dgram_ctrl for underlying dgram operations + * which will cast this struct to a bio_dgram_data + */ typedef struct bio_dgram_sctp_data_st { - BIO_ADDR peer; - unsigned int connected; - unsigned int _errno; - unsigned int mtu; + bio_dgram_data dgram; struct bio_dgram_sctp_sndinfo sndinfo; struct bio_dgram_sctp_rcvinfo rcvinfo; struct bio_dgram_sctp_prinfo prinfo; @@ -2101,7 +2103,7 @@ static int dgram_sctp_read(BIO *b, char *out, int outl) if (ret < 0) { if (BIO_dgram_should_retry(ret)) { BIO_set_retry_read(b); - data->_errno = get_last_socket_error(); + data->dgram._errno = get_last_socket_error(); } } @@ -2253,7 +2255,7 @@ static int dgram_sctp_write(BIO *b, const char *in, int inl) if (ret <= 0) { if (BIO_dgram_should_retry(ret)) { BIO_set_retry_write(b); - data->_errno = get_last_socket_error(); + data->dgram._errno = get_last_socket_error(); } } return ret; @@ -2275,16 +2277,16 @@ static long dgram_sctp_ctrl(BIO *b, int cmd, long num, void *ptr) * Set to maximum (2^14) and ignore user input to enable transport * protocol fragmentation. Returns always 2^14. */ - data->mtu = 16384; - ret = data->mtu; + data->dgram.mtu = 16384; + ret = data->dgram.mtu; break; case BIO_CTRL_DGRAM_SET_MTU: /* * Set to maximum (2^14) and ignore input to enable transport * protocol fragmentation. Returns always 2^14. */ - data->mtu = 16384; - ret = data->mtu; + data->dgram.mtu = 16384; + ret = data->dgram.mtu; break; case BIO_CTRL_DGRAM_SET_CONNECTED: case BIO_CTRL_DGRAM_CONNECT: From 4ca56f51803a8ae010423180ac80ef991cf78fc5 Mon Sep 17 00:00:00 2001 
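Review bot: The layout requirement on `bio_dgram_sctp_data` is carried only by the new comment, so moving or inserting a member ahead of `dgram` would silently bring back the mismatched-struct access in dgram_ctrl() that this commit fixes. A compile-time check next to the typedef that `offsetof(bio_dgram_sctp_data, dgram)` is zero would enforce it. The hunks only show the `_errno` and `mtu` users being updated; any remaining uses of the removed `peer` and `connected` members elsewhere in the file are outside the view, though they would fail to compile rather than misbehave.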
From: Tomas Mraz Date: Tue, 3 Oct 2023 15:45:13 +0200 Subject: [PATCH 318/324] d2i_X509.pod: Better document using the reuse capability for libctx setup Reviewed-by: Matt Caswell Reviewed-by: Viktor Dukhovni Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22265) --- doc/man3/d2i_X509.pod | 26 ++++++++++++++++++++++---- 1 file changed, 22 insertions(+), 4 deletions(-) diff --git a/doc/man3/d2i_X509.pod b/doc/man3/d2i_X509.pod index 9226ef77c3946..00efb60358166 100644 --- a/doc/man3/d2i_X509.pod +++ b/doc/man3/d2i_X509.pod @@ -390,10 +390,12 @@ to the returned structure is also written to I<*a>. If an error occurred then NULL is returned. On a successful return, if I<*a> is not NULL then it is assumed that I<*a> -contains a valid B> structure and an attempt is made to reuse it. This -"reuse" capability is present for historical compatibility but its use is -B (see BUGS below, and the discussion in the RETURN -VALUES section). +contains a valid B> structure and an attempt is made to reuse it. +For B> structures where it matters it is possible to set up a library +context on the decoded structure this way (see the B section). +However using the "reuse" capability for other purposes is B (see B below, and the discussion in the B +section). B_bio>() is similar to B>() except it attempts to parse data from BIO I. @@ -538,6 +540,22 @@ Alternative technique: if (d2i_X509(&x, &p, len) == NULL) /* error */ +Setting up a library context and property query: + + X509 *x; + unsigned char *buf; + const unsigned char *p; + int len; + OSSL_LIB_CTX *libctx = ....; + const char *propq = ....; + + /* Set up buf and len to point to the input buffer. */ + p = buf; + x = X509_new_ex(libctx, propq); + + if (d2i_X509(&x, &p, len) == NULL) + /* error, x was freed and NULL assigned to it (see RETURN VALUES) */ + =head1 WARNINGS Using a temporary variable is mandatory. A common From 7ae31586a77c09d45838fff73b589b2958fbd18b Mon Sep 17 00:00:00 2001 
From: Vladimir Kotal Date: Wed, 4 Oct 2023 16:11:42 +0200 Subject: [PATCH 319/324] avoid sun as variable name Reviewed-by: Matt Caswell Reviewed-by: Tom Cosgrove Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22281) --- test/bio_addr_test.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/test/bio_addr_test.c b/test/bio_addr_test.c index a985d03b14c1a..9ca007e51195d 100644 --- a/test/bio_addr_test.c +++ b/test/bio_addr_test.c @@ -31,7 +31,7 @@ static BIO_ADDR *make_dummy_addr(int family) struct sockaddr_in6 sin6; #endif #ifndef OPENSSL_NO_UNIX_SOCK - struct sockaddr_un sun; + struct sockaddr_un sunaddr; #endif } sa; void *where; @@ -51,9 +51,9 @@ static BIO_ADDR *make_dummy_addr(int family) #endif #ifndef OPENSSL_NO_UNIX_SOCK case AF_UNIX: - where = &(sa.sun.sun_path); + where = &(sa.sunaddr.sun_path); /* BIO_ADDR_rawmake needs an extra byte for a NUL-terminator*/ - wherelen = sizeof(sa.sun.sun_path) - 1; + wherelen = sizeof(sa.sunaddr.sun_path) - 1; break; #endif default: From 6dfc57f8a901f2cb40664a9f2060a91943a7982c Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 3 Oct 2023 17:19:16 +0200 Subject: [PATCH 320/324] Add testing of bitflips in packet headers A new type of noise is introduced in the noisy dgram bio filter. Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22267) --- test/helpers/noisydgrambio.c | 63 +++++++++++++++++++++++++++++++----- test/quicapitest.c | 28 ++++++++-------- 2 files changed, 69 insertions(+), 22 deletions(-) diff --git a/test/helpers/noisydgrambio.c b/test/helpers/noisydgrambio.c index 33cf84c3c6c0a..445ae3c4ad1b3 100644 --- a/test/helpers/noisydgrambio.c +++ b/test/helpers/noisydgrambio.c 
@@ -75,7 +75,8 @@ static int noisy_dgram_sendmmsg(BIO *bio, BIO_MSG *msg, size_t stride, #define NOISE_TYPE_DROP 0 #define NOISE_TYPE_DUPLICATE 1 #define NOISE_TYPE_DELAY 2 -#define NUM_NOISE_TYPES 3 +#define NOISE_TYPE_BITFLIPS 3 +#define NUM_NOISE_TYPES 4 /* * When a duplicate occurs we reinject the new datagram after up to @@ -89,10 +90,13 @@ static int noisy_dgram_sendmmsg(BIO *bio, BIO_MSG *msg, size_t stride, */ #define MAX_DGRAM_REINJECT 4 -static void get_noise(uint64_t *reinject, int *should_drop) +static void get_noise(int long_header, uint64_t *reinject, int *should_drop, + uint16_t *flip, size_t *flip_offset) { uint32_t type; + *flip = 0; + if (test_random() % NOISE_RATE != 0) { *reinject = 0; *should_drop = 0; @@ -102,7 +106,7 @@ static void get_noise(uint64_t *reinject, int *should_drop) type = test_random() % NUM_NOISE_TYPES; /* - * Of noisy datagrams, 33% drop, 33% duplicate, 33% delay + * Of noisy datagrams, 25% drop, 25% duplicate, 25% delay, 25% flip bits * A duplicated datagram keeps the current datagram and reinjects a new * identical one after up to MAX_DGRAM_DELAY datagrams have been sent. * A delayed datagram is implemented as both a reinject and a drop, i.e. an 
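Review bot: In the second hunk `get_noise()` now clears `*flip` on entry but leaves `*flip_offset` unset on every path except `NOISE_TYPE_BITFLIPS`. The caller in `noisy_dgram_recvmmsg()` (later hunks of this file) declares `size_t flip_offset;` without an initialiser and passes it by value to `flip_bits()` on every datagram. `flip_bits()` returns early when `flip == 0`, so the value is never used, but an indeterminate value is still read at the call and some compilers and analysers will report it. Adding `*flip_offset = 0;` next to `*flip = 0;` makes both out-parameters defined on all paths. The body of `get_noise()` continues in the following hunks.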
@@ -115,16 +119,50 @@ static void get_noise(uint64_t *reinject, int *should_drop) * Where a duplicate occurs we reinject the copy of the datagram up to * MAX_DGRAM_DELAY datagrams later */ - *reinject = (type == NOISE_TYPE_DROP) - ? 0 - : (uint64_t)((test_random() % MAX_DGRAM_REINJECT) + 1); + *reinject = (type == NOISE_TYPE_DUPLICATE || type == NOISE_TYPE_DELAY) + ? (uint64_t)((test_random() % MAX_DGRAM_REINJECT) + 1) + : 0; /* * No point in reinjecting after 1 datagram if the current datagram is also * dropped (i.e. this is a delay not a duplicate), so we reinject after an * extra datagram in that case */ - *reinject += (uint64_t)(*should_drop); + *reinject += type == NOISE_TYPE_DELAY; + + /* flip some bits in the header */ + if (type == NOISE_TYPE_BITFLIPS) { + /* we flip at most 8 bits of the 16 bit value at once */ + *flip = (test_random() % 255 + 1) << (test_random() % 8); + /* + * 25/50 bytes of guesstimated header size (it depends on CID length) + * It does not matter much if it is overestimated. + */ + *flip_offset = test_random() % (25 * (1 + long_header)); + } +} + +static void flip_bits(unsigned char *msg, size_t msg_len, uint16_t flip, + size_t flip_offset) +{ + if (flip == 0) + return; + + /* None of these border conditions should happen but check them anyway */ + if (msg_len < 2) + return; + if (msg_len < flip_offset + 2) + flip_offset = msg_len - 2; + +#ifdef OSSL_NOISY_DGRAM_DEBUG + printf("**Flipping bits in a datagram at offset %u\n", + (unsigned int)flip_offset); + BIO_dump_fp(stdout, msg, msg_len); + printf("\n"); +#endif + + msg[flip_offset] ^= flip >> 8; + msg[flip_offset + 1] ^= flip & 0xff; } static int noisy_dgram_recvmmsg(BIO *bio, BIO_MSG *msg, size_t stride, 
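Review bot: The shift in `*flip = (test_random() % 255 + 1) << (test_random() % 8);` tops out at 7, so the largest mask is 0x7F80 and bit 15 of the 16-bit value is never set. In `flip_bits()` the high byte is applied to `msg[flip_offset]`, and byte 0 of the datagram is only ever reached that way (at `flip_offset == 0`), so its 0x80 bit cannot be flipped. The receive path in this file tests that same bit to tell long headers from short ones, so the header-form bit is the one header bit this noise type never corrupts. If that is not intentional, `<< (test_random() % 9)` lets the 8-bit window reach bit 15 while still fitting in `uint16_t`.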
@@ -181,6 +219,8 @@ static int noisy_dgram_recvmmsg(BIO *bio, BIO_MSG *msg, size_t stride, i++, thismsg++, data->this_dgram++) { uint64_t reinject; int should_drop; + uint16_t flip; + size_t flip_offset; /* If we have a message to reinject then insert it now */ if (data->reinject_dgram > 0 @@ -205,7 +245,8 @@ static int noisy_dgram_recvmmsg(BIO *bio, BIO_MSG *msg, size_t stride, data->reinject_dgram = 0; } - get_noise(&reinject, &should_drop); + get_noise(/* long header */ (((uint8_t *)thismsg->data)[0] & 0x80) != 0, + &reinject, &should_drop, &flip, &flip_offset); if (data->backoff) { /* * We might be asked to back off on introducing too much noise if @@ -214,10 +255,16 @@ static int noisy_dgram_recvmmsg(BIO *bio, BIO_MSG *msg, size_t stride, * that the connection always survives. After that we can resume * with normal noise */ +#ifdef OSSL_NOISY_DGRAM_DEBUG + printf("**Back off applied\n"); +#endif should_drop = 0; + flip = 0; data->backoff = 0; } + flip_bits(thismsg->data, thismsg->data_len, flip, flip_offset); + /* * We ignore reinjection if a message is already waiting to be * reinjected diff --git a/test/quicapitest.c b/test/quicapitest.c index 7739cbcb24b0e..81c8c215bd43a 100644 --- a/test/quicapitest.c +++ b/test/quicapitest.c @@ -1439,11 +1439,11 @@ static int test_noisy_dgram(int idx) qtest_add_time(1); /* - * Send data from the server to the client. Some datagrams may get lost, - * dropped or re-ordered. We repeat 10 times to ensure we are sending - * enough datagrams for problems to be noticed. - */ - for (i = 0; i < 10; i++) { + * Send data from the server to the client. Some datagrams may get + * lost, modified, dropped or re-ordered. We repeat 20 times to ensure + * we are sending enough datagrams for problems to be noticed. + */ + for (i = 0; i < 20; i++) { if (!TEST_true(ossl_quic_tserver_write(qtserv, sid, (unsigned char *)msg, msglen, &written)) 
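Review bot: In the second hunk the `long_header` argument is computed as `(((uint8_t *)thismsg->data)[0] & 0x80) != 0` before anything has looked at `thismsg->data_len`. The only length check is the `msg_len < 2` guard inside `flip_bits()`, which runs later. For an empty datagram the byte read is whatever the receive buffer held before, so the header classification is arbitrary; the effect is limited to the range chosen for `flip_offset`, but the read is cheap to guard: `thismsg->data_len > 0 && (((uint8_t *)thismsg->data)[0] & 0x80) != 0`. `noisy_dgram_recvmmsg()` starts and ends outside these hunks.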
@@ -1453,10 +1453,10 @@ static int test_noisy_dgram(int idx) qtest_add_time(1); /* - * Since the underlying BIO is now noisy we may get failures that - * need to be retried - so we use unreliable_client_read() to handle - * that - */ + * Since the underlying BIO is now noisy we may get failures that + * need to be retried - so we use unreliable_client_read() to + * handle that + */ if (!TEST_true(unreliable_client_read(clientquic, &stream[j], buf, sizeof(buf), &readbytes, qtserv)) @@ -1465,7 +1465,7 @@ static int test_noisy_dgram(int idx) } /* Send data from the client to the server */ - for (i = 0; i < 10; i++) { + for (i = 0; i < 20; i++) { if (!TEST_true(SSL_write_ex(stream[j], (unsigned char *)msg, msglen, &written)) || !TEST_size_t_eq(msglen, written)) @@ -1475,10 +1475,10 @@ static int test_noisy_dgram(int idx) qtest_add_time(1); /* - * Since the underlying BIO is now noisy we may get failures that - * need to be retried - so we use unreliable_server_read() to handle - * that - */ + * Since the underlying BIO is now noisy we may get failures that + * need to be retried - so we use unreliable_server_read() to + * handle that + */ if (!TEST_true(unreliable_server_read(qtserv, sid, buf, sizeof(buf), &readbytes, clientquic)) || !TEST_mem_eq(msg, msglen, buf, readbytes)) From 8f67c6bb7cab70bbcc231ee3e18d140a2857ebdb Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 4 Oct 2023 17:23:27 +0200 Subject: [PATCH 321/324] Always back off on the first packet noise from client to server The test server cannot really cope with modifications Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22267) --- test/helpers/quictestlib.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/test/helpers/quictestlib.c b/test/helpers/quictestlib.c index 0ae05e5701e29..26cd67e23630a 100644 --- a/test/helpers/quictestlib.c +++ b/test/helpers/quictestlib.c 
@@ -105,8 +105,8 @@ static void noise_msg_callback(int write_p, int version, int content_type, * of our noise being too much such that the connection itself * fails. We back off on the noise for a bit to avoid that. */ - BIO_ctrl(noiseargs->cbio, BIO_CTRL_NOISE_BACK_OFF, 0, NULL); - BIO_ctrl(noiseargs->sbio, BIO_CTRL_NOISE_BACK_OFF, 0, NULL); + (void)BIO_ctrl(noiseargs->cbio, BIO_CTRL_NOISE_BACK_OFF, 0, NULL); + (void)BIO_ctrl(noiseargs->sbio, BIO_CTRL_NOISE_BACK_OFF, 0, NULL); } } @@ -235,6 +235,14 @@ int qtest_create_quic_objects(OSSL_LIB_CTX *libctx, SSL_CTX *clientctx, if (!TEST_ptr(noisebio)) goto err; sbio = BIO_push(noisebio, sbio); + /* + * TODO(QUIC SERVER): + * Currently the simplistic handler of the quic tserver cannot cope + * with noise introduced in the first packet received from the + * client. This needs to be removed once we have proper server side + * handling. + */ + (void)BIO_ctrl(sbio, BIO_CTRL_NOISE_BACK_OFF, 0, NULL); (*fault)->noiseargs.cbio = cbio; (*fault)->noiseargs.sbio = sbio; From 4ace824852f385002facf077c5be2815b0780032 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 5 Oct 2023 15:24:38 +0200 Subject: [PATCH 322/324] Windows CI: Continue on error during cpuinfo Reviewed-by: Tom Cosgrove Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22293) --- .github/workflows/windows.yml | 3 +++ .github/workflows/windows_comp.yml | 2 ++ 2 files changed, 5 insertions(+) diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index 806bc25f558d3..7125b91f75e54 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml @@ -54,6 +54,7 @@ jobs: target: _build/coreinfo/ - name: get cpu info working-directory: _build + continue-on-error: true run: | 7z.exe x coreinfo/Coreinfo.zip ./Coreinfo64.exe -accepteula -f 
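Review bot: In the second hunk the new `(void)BIO_ctrl(sbio, BIO_CTRL_NOISE_BACK_OFF, 0, NULL);` is part of test setup, yet its result is discarded. If the ctrl ever stops reaching the noise filter, the first client packet can be corrupted again and the test fails intermittently with nothing pointing at this line. Assuming the noisy BIO's ctrl handler reports success with a positive value (not visible here), the function's existing `TEST_ptr(...)`/`goto err` pattern could be followed with `if (!TEST_long_gt(BIO_ctrl(sbio, BIO_CTRL_NOISE_BACK_OFF, 0, NULL), 0)) goto err;`. The `(void)` casts in the first hunk are in a callback with no error path, so ignoring the result there is reasonable.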
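Review bot: The `continue-on-error: true` added to the "get cpu info" step has no comment saying why a failure is tolerated, and at step level it covers both the `7z.exe x` extraction and the `Coreinfo64.exe` run. A one-line comment above the key, such as `# diagnostic output only; a Coreinfo failure must not fail the job`, would keep a later reader from copying the setting onto a step whose failure matters. The same applies to the other two steps in windows.yml and the two in windows_comp.yml.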
@@ -98,6 +99,7 @@ jobs: target: _build/coreinfo/ - name: get cpu info working-directory: _build + continue-on-error: true run: | 7z.exe x coreinfo/Coreinfo.zip ./Coreinfo64.exe -accepteula -f @@ -135,6 +137,7 @@ jobs: target: _build/coreinfo/ - name: get cpu info working-directory: _build + continue-on-error: true run: | 7z.exe x coreinfo/Coreinfo.zip ./Coreinfo64.exe -accepteula -f diff --git a/.github/workflows/windows_comp.yml b/.github/workflows/windows_comp.yml index bf2e89ed71537..abcc0ad0190b5 100644 --- a/.github/workflows/windows_comp.yml +++ b/.github/workflows/windows_comp.yml @@ -48,6 +48,7 @@ jobs: target: _build/coreinfo/ - name: get cpu info working-directory: _build + continue-on-error: true run: | 7z.exe x coreinfo/Coreinfo.zip ./Coreinfo64.exe -accepteula -f @@ -86,6 +87,7 @@ jobs: target: _build/coreinfo/ - name: get cpu info working-directory: _build + continue-on-error: true run: | 7z.exe x coreinfo/Coreinfo.zip ./Coreinfo64.exe -accepteula -f From 2e62b07a41cca299f7abb69c892053b99ec762b2 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Wed, 4 Oct 2023 17:50:53 +0100 Subject: [PATCH 323/324] Don't wait in the tesrver idle testing every time around the loop If we wait for 100ms 600 times - then the test takes a minute to complete which is far too long. The purpose of the wait is to give the assistance thread a chance to catch up. We only do that if the event timeout has actually expired - otherwise we are waiting for no reason. Fixes #22156 Reviewed-by: Paul Dale Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22284) --- test/quic_tserver_test.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/test/quic_tserver_test.c b/test/quic_tserver_test.c index 980c9a83ff0ac..6ed84f0ae67d2 100644 --- a/test/quic_tserver_test.c +++ b/test/quic_tserver_test.c 
@@ -305,6 +305,9 @@ static int do_test(int use_thread_assist, int use_fake_time, int use_inject) if (c_start_idle_test && !c_done_idle_test) { /* This is more than our default idle timeout of 30s. */ if (idle_units_done < 600) { + struct timeval tv; + int isinf; + if (!TEST_true(CRYPTO_THREAD_write_lock(fake_time_lock))) goto err; fake_time = ossl_time_add(fake_time, ossl_ms2time(100)); @@ -312,7 +315,16 @@ static int do_test(int use_thread_assist, int use_fake_time, int use_inject) ++idle_units_done; ossl_quic_conn_force_assist_thread_wake(c_ssl); - OSSL_sleep(100); /* Ensure CPU scheduling for test purposes */ + + /* + * If the event timeout has expired then give the assistance + * thread a chance to catch up + */ + if (!TEST_true(SSL_get_event_timeout(c_ssl, &tv, &isinf))) + goto err; + if (!isinf && ossl_time_compare(ossl_time_zero(), + ossl_time_from_timeval(tv)) >= 0) + OSSL_sleep(100); /* Ensure CPU scheduling for test purposes */ } else { c_done_idle_test = 1; } From 79997a919f6cf3823d04fa9b34adaaa5aadd871a Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Wed, 4 Oct 2023 17:55:33 +0100 Subject: [PATCH 324/324] Timeout in the tserver test using real time When running the tserver test we bail out if a timeout expires. We shouldn't use fake time for that timeout, because fake time might never actually get incremented. Reviewed-by: Paul Dale Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22284) --- test/quic_tserver_test.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/test/quic_tserver_test.c b/test/quic_tserver_test.c index 6ed84f0ae67d2..b2b09354bb6c6 100644 --- a/test/quic_tserver_test.c +++ b/test/quic_tserver_test.c 
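Review bot: The expiry test in the second hunk, `ossl_time_compare(ossl_time_zero(), ossl_time_from_timeval(tv)) >= 0`, reads backwards: it asks whether zero is greater than or equal to the remaining time. If `OSSL_TIME` cannot be negative, this is the same as checking that the remaining time is zero, which `if (!isinf && ossl_time_is_zero(ossl_time_from_timeval(tv)))` states directly. The comment above could also say that a zero timeout means the event is already due, since the sleep now depends on it. The enclosing loop in `do_test()` starts and ends outside the hunk.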
@@ -73,7 +73,6 @@ static int do_test(int use_thread_assist, int use_fake_time, int use_inject) int s_begin_write = 0; OSSL_TIME start_time; unsigned char alpn[] = { 8, 'o', 's', 's', 'l', 't', 'e', 's', 't' }; - OSSL_TIME (*now_cb)(void *arg) = use_fake_time ? fake_now : real_now; size_t limit_ms = 1000; #if defined(OPENSSL_NO_QUIC_THREAD_ASSIST) @@ -194,10 +193,14 @@ static int do_test(int use_thread_assist, int use_fake_time, int use_inject) if (!TEST_true(SSL_set_blocking_mode(c_ssl, 0))) goto err; - start_time = now_cb(NULL); + /* + * We use real time for the timeout not fake time. Otherwise with fake time + * we could hit a hang if we never increment the fake time + */ + start_time = real_now(NULL); for (;;) { - if (ossl_time_compare(ossl_time_subtract(now_cb(NULL), start_time), + if (ossl_time_compare(ossl_time_subtract(real_now(NULL), start_time), ossl_ms2time(limit_ms)) >= 0) { TEST_error("timeout while attempting QUIC server test"); goto err;
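Review bot: With the second hunk the loop's bail-out is measured in wall-clock time against `limit_ms`, which the first hunk's context shows initialised to 1000, including in runs that otherwise use fake time. Any real delay inside the loop, such as an `OSSL_sleep(100)` in the idle phase, now counts against that budget, so a slow runner may hit the timeout where a fake-time run previously could not. `limit_ms` may be scaled elsewhere in `do_test()`, which the hunks do not show. If it is not, raise it, or document the unit at the declaration with something like `/* wall-clock limit; must cover real sleeps inside the loop */`.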