The peralsm in aesni-xts-avx512 currently checks for GNU assembler 2.26
or higher. According to reporters it looks like we need 2.30.
This PR just attempts fix version check so people with older
tool chains can build OpenSSL.
Fixes#27049
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27078)
This commit adds a small note about
definitions for
`OSSL_CAPABILITY_TLS_SIGALG_MIN_DTLS` and
`OSSL_CAPABILITY_TLS_SIGALG_MAX_DTLS`
being first added in OpenSSL 3.5.
PR #26975 added these definitions for OpenSSL 3.5, but the documentation
update omitted a history note for the addition.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27063)
Only a minimum of 2 qp's are necessary: one for the readers,
and at least one that writers can wait on for retirement.
There is no need for one additional qp that is always unused.
Also only one ACQUIRE barrier is necessary in get_hold_current_qp,
so the ATOMIC_LOAD of the reader_idx can be changed to RELAXED.
And finally clarify some comments.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27012)
this adds a dummy atomic release operation to update_qp, which
should make sure that the new value of reader_idx is visible in
get_hold_current_qp, directly after incrementing the users count.
Fixes: #26875
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26964)
Somehow I mistakenly listed clients in the exlude list, when it should
have been servers, resulting in an invalid yml file
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/27066)
1. bn_ppc.c: Used bn_mul_mont_int() instead of bn_mul_mont_300_fixed_n6()
for Montgomery multiplication.
2. ecp_nistp384-ppc64.pl:
- Re-wrote p384_felem_mul and p384_felem_square for easier maintenance with
minumum perl wrapper.
- Implemented p384_felem_reduce, p384_felem_mul_reduce and p384_felem_square_reduce.
- Implemented p384_felem_diff64, felem_diff_128_64 and felem_diff128 in assembly.
3. ecp_nistp384.c:
- Added wrapper function for p384_felem_mul_reduce and p384_felem_square_reduce.
Signed-off-by: Danny Tsen <dtsen@us.ibm.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26709)
Fixes: #26724
Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/26726)
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26976)
- Update allocate_new_qp_group to take unsigned int
- Move id_ctr in rcu_lock_st for better stack alignment
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26972)
With the addition of larger ml-kem keys in our tls handshake, we've
uncovered a interop failure, as described here:
https://github.com/microsoft/msquic/issues/4905
In short, when we send a client hello that spans multiple datagrams, the
servers sends an ACK frame in a datagram prior to sending its server
hello. msquic however, recomputes a new SCID always when sending its
sserver hello, which is fine nominally, but because in this test the
server sends a retry frame to update the SCID, followed by an ACK using
that SCID (which is an initial packet), msquic violates the RFC in
section 7.2 which states:
Once a client has received a valid Initial packet from the server, it MUST
discard any subsequent packet it receives on that connection with a
different Source Connection ID
Because msquic sent an initial packet with that ACK frame, we are
required to discard subsequent frames on the connection containing a
different SCID.
Until msquic fixes that in their implementation we are going to fail the
retry interop test, so for now, lets exclude the test.
Also, while we're at it, re-add chrome into the client list for our
server tests, as that seems to have been lost during the merge.
Fixesopenssl/project#1132
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27014)
Signature schemes like Ed25519 or ML-DSA use "pure" signing,
i.e. they directly sign the tbs data instead of signing a digest.
This is already supported in the X509 code, but not in CMS.
This commit adds support for such schemes to CMS.
This is a minimalistic set of changes, based in the work done
by David von Oheimb.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26867)
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26991)
- The default sigalg list now puts ML-DSA-65 first, then ML-DSA-87
and then ML-DSA-44. (87 vs. 44 Subject to bikeshedding).
- The mintls and maxtls versions are now taken into account for
both built-in and provided algorithms.
- Some algorithms have a separate TLSv1.2-specific name for future
reporting via openssl-list(1).
- ML-DSA aside, any new provided algorithms go at the end of the
default list (backwards-compatible inclusion).
- The built-in algorithms now also have min/max DTLS versions.
Though the provider TLS-SIGALG capability was extended to also report
the DTLS version range, the minimum supported DTLS is 1.3, which we
don't yet have, so it is not yet possible to add DTLS sigalgs via a
provider
- The TLS 1.3 brainpool sigalgs got their correct IANA names, with
the legacy names as purported TLS 1.2 alternatives, but since
these are for TLS 1.3 and up those names are for matching only,
the reported value will still be the 1.3 name.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26975)
It may occur that the qrx we allocate in port_default_packet handler to
do AEAD validation isn't the one the channel ultimately uses (like if we
turn off address validation). In that event, we need to ensure that
anything we have on that qrx isn't returned to its free list to avoid
early freeing when we free the qrx at the end of
port_default_packet_handler, while those frames are still pending on the
channel qrx
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27004)
With the addition of larger client hellos, stemming from the use of
larger PQC key shares, it may happen that we get a client hello accross
multiple datagrams. Normally this is not a problem as
port_default_packet_handler allocates a qrx and initializes its initial
secret immediately. But if server address validation is disabled, then
the channel creates the qrx in port_bind_channel itself, without initial
secrets. As a result, we validate the first datagram in
port_default_packet_handler, but the subsequent datagrams containing the
remaining client hello fragments fail decode.
Fix it by ensuring that we add the initial secret in port_bind_channel
if we don't give it a preconfigured qrx
Fixesopenssl/project#1131
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27006)
Windows XP doesn't support setting socket handles to be non-inheritable,
but the rio_notifier attempts to do so. WSASocketA will there return
an error when the NO_INHERIT flag is set. In that case, just retry the
call without the flag.
Fixes#26943
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26970)
The current retirement code for rcu qp's has a race condition,
which can cause use-after-free errors, but only if more than
3 QPs are allocated, which is not the default configuration.
This fixes an oversight in commit 5949918f9a ("Rework and
simplify RCU code")
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26952)
Make CRYPTO_atomic_add consistent with
CRYPTO_atomic_load_int and set the
reader_idx under write_lock since there
is no CRYPTO_atomic_store_int.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26963)
- Apply doc nits suggested by Viktor from https://github.com/openssl/openssl/pull/26762
- Update CHANGES.md & NEWS.md saying there is now support for QUIC server
- Added copyright header in: test/radix/quic_ops.c
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26944)
The change checks for all HTTP methods in ssl_record, not only GET, POST,
PUT and HEAD. (additionally PATCH, DELETE, OPTIONS and TRACE)
CLA: trivial
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26968)
The way we're currently handling SAN URIs does not allow for userinfo,
meaning the name constraint check on such URIs will fail. Fix this by
skipping over the userinfo component:
authority = [ userinfo "@" ] host [ ":" port ]
(per RFC 3986).
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25861)
And drop the rest.
The ubuntu-20.04 CI runners are discontinued.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26971)
AIX (at least for 7.1) defines some macros for "events" and "revents" which
interferes with our own use of these names.
Fixes#24236
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26933)
The FIPS providers that support ECX (3.0.x & maybe 3.1.x) do not support ECX
KEM so there is little point to testing these algorithms under FIPS. Consequently,
they are being tested only with the default provider.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26946)
The evppkey_rsa.txt data were only tested against the default provider.
Change this so that they are tested against the FIPS provider too.
Also add the RSA KEM tests.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26946)
This updates the openssl documentation link to the one currently in use,
and removes the standards.txt section as that URL leads to the normal
documentation page and there is no "standards" page in the openssl
documentation site.
CLA: trivial
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26759)
Also specify whether server or client preference
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26897)
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26897)
Signed-off-by: Ondrej Moris <omoris@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26899)
We use the coreutils format since 3.4.0.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26907)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26925)
When displaying distinguished names the control characters
are escaped by default.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26932)
The quic_multistream_test occasionally fails script_84, specifically
failing on:
OP_CHECK2(check_write_buf_stat, 0, 0)
which fails due to the send stream buffer not reading zero after data is
sent on the stream
However, the send stream is culled of pending data, not after the stream
is sent, but rather only after the peer sends an ack confirming that the
data has been received. There is no guarantee that ACK will be sent
immediately, so occasionally timing discrepancies result in the test not
getting that ack by the time we check the send stream buffer.
We couldmodify the script to wait longer, or repeatedly tick the quic
stack to wait for that ack to be collected, but since its perfectly
valid for that data to live in the ring buffer for a period, and that
any true erroneous keeping of that data beyond its ack point would
manifest as any number of other duplicate transmissions, it seems more
sane to just remove the check.
Fixesopenssl/project#1117
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26939)
We move ssl_err.c out of libssl and into libcrypto. This file is entirely
self contained and is used to load error strings into the libcrypto error
tables. By moving this file into libcrypto, libssl can be unloaded safely
without having dangling references to this error information.
Fixes#26672
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26931)
