From 2d194808abd442d25957e6c3770f3e8e26b7130b Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Tue, 26 Sep 2023 12:14:56 +0100 Subject: [PATCH 01/60] Fix no-ssl-trace Ensure we use OPENSSL_NO_SSL_TRACE guards where appropriate. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22193) Signed-off-by: fly2x --- test/helpers/quictestlib.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/test/helpers/quictestlib.c b/test/helpers/quictestlib.c index 8d71d6002f..514bb6422a 100644 --- a/test/helpers/quictestlib.c +++ b/test/helpers/quictestlib.c @@ -98,6 +98,7 @@ int qtest_create_quic_objects(OSSL_LIB_CTX *libctx, SSL_CTX *clientctx, return 0; } +#ifndef OPENSSL_NO_SSL_TRACE if ((flags & QTEST_FLAG_CLIENT_TRACE) != 0) { tmpbio = BIO_new_fp(stdout, BIO_NOCLOSE); if (!TEST_ptr(tmpbio)) @@ -106,6 +107,7 @@ int qtest_create_quic_objects(OSSL_LIB_CTX *libctx, SSL_CTX *clientctx, SSL_set_msg_callback(*cssl, SSL_trace); SSL_set_msg_callback_arg(*cssl, tmpbio); } +#endif if (tracebio != NULL) *tracebio = tmpbio; -- Gitee From 533ccdcbe671686197cae39a9fe8a48ebec68626 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 28 Sep 2023 14:23:29 +0100 Subject: [PATCH 02/60] Copyright year updates Reviewed-by: Richard Levitte Release: yes Signed-off-by: fly2x --- apps/dhparam.c | 2 +- apps/gendsa.c | 2 +- apps/genrsa.c | 2 +- apps/progs.pl | 2 +- crypto/bio/bio_addr.c | 2 +- crypto/bio/bss_sock.c | 2 +- crypto/cpuid.c | 2 +- crypto/ec/curve448/point_448.h | 2 +- crypto/ec/ecp_s390x_nistp.c | 2 +- crypto/evp/e_chacha20_poly1305.c | 2 +- crypto/evp/legacy_blake2.c | 2 +- crypto/evp/pmeth_gn.c | 2 +- crypto/initthread.c | 2 +- crypto/lhash/lhash.c | 2 +- crypto/o_str.c | 2 +- crypto/pem/pvkfmt.c | 2 +- crypto/pkcs12/p12_crt.c | 2 +- crypto/rand/prov_seed.c | 2 +- crypto/sha/keccak1600.c | 2 +- crypto/srp/srp_vfy.c | 2 +- crypto/store/store_lib.c | 2 +- crypto/x509/ext_dat.h | 2 +- crypto/x509/standard_exts.h | 2 +- doc/internal/man3/ossl_provider_new.pod | 2 +- doc/internal/man3/ossl_rand_get_entropy.pod | 2 +- doc/man1/openssl-cms.pod.in | 2 +- doc/man3/BIO_ADDR.pod | 2 +- doc/man3/EVP_MAC.pod | 2 +- doc/man3/EVP_SIGNATURE.pod | 2 +- doc/man3/OSSL_CMP_validate_msg.pod | 2 +- doc/man3/OSSL_STORE_open.pod | 2 +- doc/man3/PKCS12_create.pod | 2 +- doc/man3/PKCS12_gen_mac.pod | 2 +- doc/man3/SSL_CONF_CTX_set_ssl_ctx.pod | 2 +- doc/man7/EVP_KDF-PKCS12KDF.pod | 2 +- doc/man7/EVP_RAND-TEST-RAND.pod | 2 +- doc/man7/provider-storemgmt.pod | 2 +- include/crypto/asn1.h | 2 +- include/crypto/context.h | 2 +- include/crypto/rand.h | 2 +- include/openssl/store.h | 2 +- providers/common/provider_seeding.c | 2 +- providers/fips/self_test_kats.c | 2 +- providers/implementations/ciphers/cipher_aes_ccm.c | 2 +- providers/implementations/ciphers/cipher_aes_gcm.c | 2 +- providers/implementations/ciphers/cipher_aria_ccm.c | 2 +- providers/implementations/ciphers/cipher_aria_gcm.c | 2 +- providers/implementations/ciphers/cipher_sm4_ccm.c | 2 +- providers/implementations/ciphers/cipher_sm4_gcm.c | 2 +- ssl/ssl_init.c | 2 +- test/afalgtest.c | 2 +- test/chacha_internal_test.c | 2 +- test/drbgtest.c | 2 +- test/fake_rsaprov.h | 2 +- test/helpers/handshake_srp.c | 2 +- test/ocspapitest.c | 2 +- test/pkcs12_format_test.c | 2 +- test/provider_pkey_test.c | 2 +- test/recipes/15-test_genec.t | 2 +- test/testutil/driver.c | 2 +- test/testutil/tests.c | 2 +- 61 files changed, 61 insertions(+), 61 deletions(-) diff --git a/apps/dhparam.c b/apps/dhparam.c index d14c569503..ffe6e6cb88 100644 --- a/apps/dhparam.c +++ b/apps/dhparam.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/apps/gendsa.c b/apps/gendsa.c index b6d1d0f5b3..a655c6ea02 100644 --- a/apps/gendsa.c +++ b/apps/gendsa.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/apps/genrsa.c b/apps/genrsa.c index f71bc6eeb1..54d025e24c 100644 --- a/apps/genrsa.c +++ b/apps/genrsa.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/apps/progs.pl b/apps/progs.pl index 120ae05f07..4a1e4be47c 100644 --- a/apps/progs.pl +++ b/apps/progs.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/crypto/bio/bio_addr.c b/crypto/bio/bio_addr.c index 2a6f6d522c..0a64d0749a 100644 --- a/crypto/bio/bio_addr.c +++ b/crypto/bio/bio_addr.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/bio/bss_sock.c b/crypto/bio/bss_sock.c index 4ff4defadf..82f7be85ae 100644 --- a/crypto/bio/bss_sock.c +++ b/crypto/bio/bss_sock.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/cpuid.c b/crypto/cpuid.c index e5db03f3f6..51cbe5ea09 100644 --- a/crypto/cpuid.c +++ b/crypto/cpuid.c @@ -1,5 +1,5 @@ /* - * Copyright 1998-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1998-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/ec/curve448/point_448.h b/crypto/ec/curve448/point_448.h index 597ded4211..96a54558d6 100644 --- a/crypto/ec/curve448/point_448.h +++ b/crypto/ec/curve448/point_448.h @@ -1,5 +1,5 @@ /* - * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2015-2016 Cryptography Research, Inc. * * Licensed under the Apache License 2.0 (the "License"). You may not use diff --git a/crypto/ec/ecp_s390x_nistp.c b/crypto/ec/ecp_s390x_nistp.c index eae0b52c4e..f13f8bed24 100644 --- a/crypto/ec/ecp_s390x_nistp.c +++ b/crypto/ec/ecp_s390x_nistp.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/evp/e_chacha20_poly1305.c b/crypto/evp/e_chacha20_poly1305.c index 68b216f10c..731c1a1dc7 100644 --- a/crypto/evp/e_chacha20_poly1305.c +++ b/crypto/evp/e_chacha20_poly1305.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/evp/legacy_blake2.c b/crypto/evp/legacy_blake2.c index 4301ae4857..5a5f05044c 100644 --- a/crypto/evp/legacy_blake2.c +++ b/crypto/evp/legacy_blake2.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/evp/pmeth_gn.c b/crypto/evp/pmeth_gn.c index 6a38fe511a..74cca96f4d 100644 --- a/crypto/evp/pmeth_gn.c +++ b/crypto/evp/pmeth_gn.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/initthread.c b/crypto/initthread.c index 23ad0a0739..ae234cd205 100644 --- a/crypto/initthread.c +++ b/crypto/initthread.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/lhash/lhash.c b/crypto/lhash/lhash.c index 9d2b284ae0..0a475b71d8 100644 --- a/crypto/lhash/lhash.c +++ b/crypto/lhash/lhash.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/o_str.c b/crypto/o_str.c index 274b847614..f1aacda5e3 100644 --- a/crypto/o_str.c +++ b/crypto/o_str.c @@ -1,5 +1,5 @@ /* - * Copyright 2003-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2003-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/pem/pvkfmt.c b/crypto/pem/pvkfmt.c index d8aaebe72f..ed7905661b 100644 --- a/crypto/pem/pvkfmt.c +++ b/crypto/pem/pvkfmt.c @@ -1,5 +1,5 @@ /* - * Copyright 2005-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2005-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/pkcs12/p12_crt.c b/crypto/pkcs12/p12_crt.c index 7681731207..2e40dd93c2 100644 --- a/crypto/pkcs12/p12_crt.c +++ b/crypto/pkcs12/p12_crt.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/rand/prov_seed.c b/crypto/rand/prov_seed.c index 96c73f7e66..af35e02475 100644 --- a/crypto/rand/prov_seed.c +++ b/crypto/rand/prov_seed.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/sha/keccak1600.c b/crypto/sha/keccak1600.c index 062111b638..c15bc42aaa 100644 --- a/crypto/sha/keccak1600.c +++ b/crypto/sha/keccak1600.c @@ -1,5 +1,5 @@ /* - * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c index 2ca515396b..e89f58b200 100644 --- a/crypto/srp/srp_vfy.c +++ b/crypto/srp/srp_vfy.c @@ -1,5 +1,5 @@ /* - * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2004, EdelKey Project. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use diff --git a/crypto/store/store_lib.c b/crypto/store/store_lib.c index d0561f636c..05a8044f89 100644 --- a/crypto/store/store_lib.c +++ b/crypto/store/store_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/x509/ext_dat.h b/crypto/x509/ext_dat.h index 8325aacfa5..1ffc816e5e 100644 --- a/crypto/x509/ext_dat.h +++ b/crypto/x509/ext_dat.h @@ -1,5 +1,5 @@ /* - * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/x509/standard_exts.h b/crypto/x509/standard_exts.h index e5c9e3f9e0..87a564b238 100644 --- a/crypto/x509/standard_exts.h +++ b/crypto/x509/standard_exts.h @@ -1,5 +1,5 @@ /* - * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/doc/internal/man3/ossl_provider_new.pod b/doc/internal/man3/ossl_provider_new.pod index d30e400894..2c406381e9 100644 --- a/doc/internal/man3/ossl_provider_new.pod +++ b/doc/internal/man3/ossl_provider_new.pod @@ -384,7 +384,7 @@ The functions described here were all added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/internal/man3/ossl_rand_get_entropy.pod b/doc/internal/man3/ossl_rand_get_entropy.pod index 48343b6fe0..5c7a076336 100644 --- a/doc/internal/man3/ossl_rand_get_entropy.pod +++ b/doc/internal/man3/ossl_rand_get_entropy.pod @@ -83,7 +83,7 @@ The remaining functions described here were all added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/openssl-cms.pod.in b/doc/man1/openssl-cms.pod.in index a3ef9c0181..78be2e6c09 100644 --- a/doc/man1/openssl-cms.pod.in +++ b/doc/man1/openssl-cms.pod.in @@ -915,7 +915,7 @@ The B<-digest> option was added in OpenSSL 3.2. =head1 COPYRIGHT -Copyright 2008-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/BIO_ADDR.pod b/doc/man3/BIO_ADDR.pod index 20cd364d48..eb5a4a8fe7 100644 --- a/doc/man3/BIO_ADDR.pod +++ b/doc/man3/BIO_ADDR.pod @@ -131,7 +131,7 @@ BIO_ADDR_copy() and BIO_ADDR_dup() were added in OpenSSL 3.2. =head1 COPYRIGHT -Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_MAC.pod b/doc/man3/EVP_MAC.pod index 8fd237599e..56ac92a486 100644 --- a/doc/man3/EVP_MAC.pod +++ b/doc/man3/EVP_MAC.pod @@ -481,7 +481,7 @@ These functions were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_SIGNATURE.pod b/doc/man3/EVP_SIGNATURE.pod index a4ee9c4807..1f534ef338 100644 --- a/doc/man3/EVP_SIGNATURE.pod +++ b/doc/man3/EVP_SIGNATURE.pod @@ -106,7 +106,7 @@ The functions described here were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_CMP_validate_msg.pod b/doc/man3/OSSL_CMP_validate_msg.pod index 7dbe3f74ca..c416a49d77 100644 --- a/doc/man3/OSSL_CMP_validate_msg.pod +++ b/doc/man3/OSSL_CMP_validate_msg.pod @@ -76,7 +76,7 @@ The OpenSSL CMP support was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_STORE_open.pod b/doc/man3/OSSL_STORE_open.pod index 8e4a9a7926..1b3b0764ae 100644 --- a/doc/man3/OSSL_STORE_open.pod +++ b/doc/man3/OSSL_STORE_open.pod @@ -182,7 +182,7 @@ OSSL_STORE_ctrl() and OSSL_STORE_vctrl() were deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/PKCS12_create.pod b/doc/man3/PKCS12_create.pod index 993e50777e..5291338d3c 100644 --- a/doc/man3/PKCS12_create.pod +++ b/doc/man3/PKCS12_create.pod @@ -120,7 +120,7 @@ standards. =head1 COPYRIGHT -Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/PKCS12_gen_mac.pod b/doc/man3/PKCS12_gen_mac.pod index 07f8855ecf..a72df145fe 100644 --- a/doc/man3/PKCS12_gen_mac.pod +++ b/doc/man3/PKCS12_gen_mac.pod @@ -64,7 +64,7 @@ L =head1 COPYRIGHT -Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_CONF_CTX_set_ssl_ctx.pod b/doc/man3/SSL_CONF_CTX_set_ssl_ctx.pod index b74c869b83..3913ea9390 100644 --- a/doc/man3/SSL_CONF_CTX_set_ssl_ctx.pod +++ b/doc/man3/SSL_CONF_CTX_set_ssl_ctx.pod @@ -55,7 +55,7 @@ These functions were added in OpenSSL 1.0.2. =head1 COPYRIGHT -Copyright 2012-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2012-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/EVP_KDF-PKCS12KDF.pod b/doc/man7/EVP_KDF-PKCS12KDF.pod index 05d4e902bd..9865365698 100644 --- a/doc/man7/EVP_KDF-PKCS12KDF.pod +++ b/doc/man7/EVP_KDF-PKCS12KDF.pod @@ -80,7 +80,7 @@ This functionality was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/EVP_RAND-TEST-RAND.pod b/doc/man7/EVP_RAND-TEST-RAND.pod index feab01431d..b7a0e0b43c 100644 --- a/doc/man7/EVP_RAND-TEST-RAND.pod +++ b/doc/man7/EVP_RAND-TEST-RAND.pod @@ -113,7 +113,7 @@ This functionality was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/provider-storemgmt.pod b/doc/man7/provider-storemgmt.pod index a8ce43c4bb..81d407a4b8 100644 --- a/doc/man7/provider-storemgmt.pod +++ b/doc/man7/provider-storemgmt.pod @@ -212,7 +212,7 @@ OSSL_FUNC_store_delete() callback was added in OpenSSL 3.2 =head1 COPYRIGHT -Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/include/crypto/asn1.h b/include/crypto/asn1.h index 180238526b..36af1d7689 100644 --- a/include/crypto/asn1.h +++ b/include/crypto/asn1.h @@ -1,5 +1,5 @@ /* - * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/crypto/context.h b/include/crypto/context.h index af81e15e1d..7369a730fb 100644 --- a/include/crypto/context.h +++ b/include/crypto/context.h @@ -1,5 +1,5 @@ /* - * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/crypto/rand.h b/include/crypto/rand.h index 730be8b5d0..5841cccaa6 100644 --- a/include/crypto/rand.h +++ b/include/crypto/rand.h @@ -1,5 +1,5 @@ /* - * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/store.h b/include/openssl/store.h index 46fb4d40f0..e6ea3cf878 100644 --- a/include/openssl/store.h +++ b/include/openssl/store.h @@ -1,5 +1,5 @@ /* - * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/common/provider_seeding.c b/providers/common/provider_seeding.c index f6463f8ada..c7b2ea6da6 100644 --- a/providers/common/provider_seeding.c +++ b/providers/common/provider_seeding.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c index 82a7ac78fb..f13c41abd6 100644 --- a/providers/fips/self_test_kats.c +++ b/providers/fips/self_test_kats.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/ciphers/cipher_aes_ccm.c b/providers/implementations/ciphers/cipher_aes_ccm.c index 3930f52d60..8c96328096 100644 --- a/providers/implementations/ciphers/cipher_aes_ccm.c +++ b/providers/implementations/ciphers/cipher_aes_ccm.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/ciphers/cipher_aes_gcm.c b/providers/implementations/ciphers/cipher_aes_gcm.c index edc3cc262e..1114bd8740 100644 --- a/providers/implementations/ciphers/cipher_aes_gcm.c +++ b/providers/implementations/ciphers/cipher_aes_gcm.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/ciphers/cipher_aria_ccm.c b/providers/implementations/ciphers/cipher_aria_ccm.c index 5fae593469..0a0f52cdcc 100644 --- a/providers/implementations/ciphers/cipher_aria_ccm.c +++ b/providers/implementations/ciphers/cipher_aria_ccm.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/ciphers/cipher_aria_gcm.c b/providers/implementations/ciphers/cipher_aria_gcm.c index f9eb64cc19..e794a80a00 100644 --- a/providers/implementations/ciphers/cipher_aria_gcm.c +++ b/providers/implementations/ciphers/cipher_aria_gcm.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/ciphers/cipher_sm4_ccm.c b/providers/implementations/ciphers/cipher_sm4_ccm.c index 47fc6e103c..3af84d85b7 100644 --- a/providers/implementations/ciphers/cipher_sm4_ccm.c +++ b/providers/implementations/ciphers/cipher_sm4_ccm.c @@ -1,5 +1,5 @@ /* - * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/ciphers/cipher_sm4_gcm.c b/providers/implementations/ciphers/cipher_sm4_gcm.c index e8fcf5787e..1128f65939 100644 --- a/providers/implementations/ciphers/cipher_sm4_gcm.c +++ b/providers/implementations/ciphers/cipher_sm4_gcm.c @@ -1,5 +1,5 @@ /* - * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/ssl/ssl_init.c b/ssl/ssl_init.c index a2d7595089..70e567b72c 100644 --- a/ssl/ssl_init.c +++ b/ssl/ssl_init.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/afalgtest.c b/test/afalgtest.c index 429e2da3c9..764f07e927 100644 --- a/test/afalgtest.c +++ b/test/afalgtest.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/chacha_internal_test.c b/test/chacha_internal_test.c index d52479b658..d316bfd7b3 100644 --- a/test/chacha_internal_test.c +++ b/test/chacha_internal_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/drbgtest.c b/test/drbgtest.c index bb2a9f1b99..13bc62a4c0 100644 --- a/test/drbgtest.c +++ b/test/drbgtest.c @@ -1,5 +1,5 @@ /* - * Copyright 2011-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2011-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/fake_rsaprov.h b/test/fake_rsaprov.h index 9c353b386f..cb2e66eb68 100644 --- a/test/fake_rsaprov.h +++ b/test/fake_rsaprov.h @@ -1,5 +1,5 @@ /* - * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/helpers/handshake_srp.c b/test/helpers/handshake_srp.c index 95fb101059..8522388a47 100644 --- a/test/helpers/handshake_srp.c +++ b/test/helpers/handshake_srp.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/ocspapitest.c b/test/ocspapitest.c index a448731380..13026d6b4a 100644 --- a/test/ocspapitest.c +++ b/test/ocspapitest.c @@ -1,5 +1,5 @@ /* - * Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/pkcs12_format_test.c b/test/pkcs12_format_test.c index e2048bc27e..2c28040a3e 100644 --- a/test/pkcs12_format_test.c +++ b/test/pkcs12_format_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/provider_pkey_test.c b/test/provider_pkey_test.c index 7d5fcfa647..4abbdd33ec 100644 --- a/test/provider_pkey_test.c +++ b/test/provider_pkey_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/15-test_genec.t b/test/recipes/15-test_genec.t index 3e8c55071c..4d5090fa39 100644 --- a/test/recipes/15-test_genec.t +++ b/test/recipes/15-test_genec.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/testutil/driver.c b/test/testutil/driver.c index 033be2fcc5..346092b004 100644 --- a/test/testutil/driver.c +++ b/test/testutil/driver.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/testutil/tests.c b/test/testutil/tests.c index efc4fd2b64..42afab1ada 100644 --- a/test/testutil/tests.c +++ b/test/testutil/tests.c @@ -1,5 +1,5 @@ /* - * Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy -- Gitee From a062aad93948cc1c24ead15cfde7c63bc19dc635 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 28 Sep 2023 14:24:31 +0100 Subject: [PATCH 03/60] make update Reviewed-by: Richard Levitte Release: yes Signed-off-by: fly2x --- providers/fips-sources.checksums | 66 ++++++++++++++++---------------- providers/fips.checksum | 2 +- 2 files changed, 34 insertions(+), 34 deletions(-) diff --git a/providers/fips-sources.checksums b/providers/fips-sources.checksums index db0dda5af6..fc38dce27e 100644 --- a/providers/fips-sources.checksums +++ b/providers/fips-sources.checksums @@ -117,7 +117,7 @@ a6e8cf30340ffaec8aec41dfbef7341afe21e7b13e48899403c529368c0ec6fa crypto/context 67c2367871b9350a7f7af5be903d6bcca9ebdbff0e9a9bd9f61b56bef5b76696 crypto/core_algorithm.c f0fd9eb38bf7f196bbb4d26ce8fdf86d0a4f9db219157e66b2c0ffefb4f42005 crypto/core_fetch.c 2f03908edadddc55a61e4cfb4d76751a342f61aad564971df37a6b90c7b2a26f crypto/core_namemap.c -fe83e1d30a9ef0aa86c1342b4228380dea7e90f9f3cc8d28f5423dfbc1ded011 crypto/cpuid.c +a7f86c1495a140e5dc2acb737c5ff835691ead833842e0a37bbfc2116530b246 crypto/cpuid.c a6732e22ccb49cf51fc9dbf23f6059774b70ecc3d7e848c5df112a2d3c179027 crypto/cryptlib.c 66dbfc58916709d5a6913777346083247942a8d9458ee9b2bf443f0ea4988d64 crypto/ctype.c 51e56541daea6d4a26d5bae2ea458414063bf08b045bab8df370f6695903e0a5 crypto/der_writer.c @@ -161,7 +161,7 @@ ee897e230964511baa0d1bf95fb938312407a40a88ebe01476879c2763e5f732 crypto/ec/asm/ 063dac1e4a9573c47532123e9e03e3532a7473cc3e146521ba9ec6f486ddf3b1 crypto/ec/curve448/arch_64/arch_intrinsics.h 43423b7ee85a5c740c1d81499ee06f4a17732c7731a598e7429d5e402ee77cf4 crypto/ec/curve448/arch_64/f_impl.h c3146bb6777776d39b89647e3dd3e8afc3d19338c75ff294d6986289cef59c40 crypto/ec/curve448/arch_64/f_impl64.c -a3803940dcb1e53358edac1bc05fe8777b8007668d5aa11af5812b97d4f94c63 crypto/ec/curve448/curve448.c +cba11345e742cd4eedead0505f92062916ece6fa688cdbdf6466fbea12a7b16c crypto/ec/curve448/curve448.c a6c70707c520234ccd111562f012e1abf83c43b20b3b36c339ef1ea0369a9e5f crypto/ec/curve448/curve448_local.h 178fb9863c33174b633c2e7607160b1bedb506d66cc06d53382d87431441f306 crypto/ec/curve448/curve448_tables.c f30e13bba5a136ab9ba5225c98b9b94c2cd73fb3aef60f9dcde3cd471cfa1ca4 crypto/ec/curve448/curve448utils.h @@ -169,7 +169,7 @@ f30e13bba5a136ab9ba5225c98b9b94c2cd73fb3aef60f9dcde3cd471cfa1ca4 crypto/ec/curv 498fda3e0f2d261ab9729ae4de05ff1b496af4582aa019f507570f852d5a2726 crypto/ec/curve448/eddsa.c 9f712e7397b10f1dc88a6d18ff38dcda13d09c02775f3682f2b8698715b1095a crypto/ec/curve448/f_generic.c 070daafb9a532ebb8bc0af8b1341254f0cd3e8932a8c8a2dca7baeef6678768b crypto/ec/curve448/field.h -2ad8331e893b5db33198e27603891587686c0dfdab29706dc52a7097c5d6f219 crypto/ec/curve448/point_448.h +514014f9fa7835056aab1e6df5511fd7de8ecef3cfcada8e0eadec9b727b419c crypto/ec/curve448/point_448.h 1ff6e467d72530c71d21c310180d04a24f0a9cb41168fba94b43309ecdda3888 crypto/ec/curve448/scalar.c 3052a044afae2e91b677542fc8b34b3ec9d033e0c6562b0d43098cfb34ab3c9d crypto/ec/curve448/word.h ae1637d89287c9d22a34bdc0d67f6e01262a2f8dcef9b61369dba8c334f5a80d crypto/ec/ec2_oct.c @@ -222,7 +222,7 @@ c4c8a30541a51d50872f03994829419a72d52c8207f9047fdc6fd28dfd43c057 crypto/evp/key 759573aea2a4cc7b6f763b440e6868bfcfcb7ca94d812fa61ab24a194be2cb36 crypto/evp/pmeth_gn.c 7d9dfc974d15a2b7e2c1c6c54a594f0a14ccdfe5e2e1afe84a3a52130ac8097b crypto/evp/pmeth_lib.c 76d005962440945c127571ca3b3ece7c55944828b41d48c0bd1b819bd40408ab crypto/evp/signature.c -49059c31a933b2cc173ea0e3b5778e3cde9cf209fff624827c0915dc9f0324d7 crypto/ex_data.c +64f7e366e681930ba10267272b87dba223b9744a01c27ba0504a4941802a580d crypto/ex_data.c d986ec74995b05ff65a68df320ab45894ba35d7be4906f8d78ca5fca294a4e6c crypto/ffc/ffc_backend.c a12af33e605315cdddd6d759e70cd9632f0f33682b9aa7103ed1ecd354fc7e55 crypto/ffc/ffc_dh.c 854378f57707e31ad02cca6eec94369f91f327288d3665713e249c12f7b13211 crypto/ffc/ffc_key_generate.c @@ -233,8 +233,8 @@ c9c635805b26d85e8c0c7720592fb04b674cde4339fcd94712a4403e8677cb41 crypto/ffc/ffc 0a4fc92e408b0562cf95c480df93a9907a318a2c92356642903a5d50ed04fd88 crypto/hmac/hmac.c 0395c1b0834f2f4a0ca1756385f4dc1a4ef6fb925b2db3743df7f57256c5166f crypto/hmac/hmac_local.h 0e2d6129504d15ffaf5baa63158ccec0e4b6193a8275333956d8f868ef35127e crypto/ia64cpuid.S -5b38180a8ed150ab1be44a86cacd0c6668d2e6ba3de6b0c3420c8056543af54d crypto/initthread.c -6259c0e543faadc1c06a16095df38e9e4ce74a25b74e2951e601f9d4ea9bfb77 crypto/lhash/lhash.c +3f123f7de496711fa60c47aeaef96640571dbcb1657b23901307e04c3d712579 crypto/initthread.c +ee895c071ffb217e0f223d5546ae84cadde6701af67e718e9af7f06af531fa42 crypto/lhash/lhash.c 5d49ce00fc06df1b64cbc139ef45c71e0faf08a33f966bc608c82d574521a49e crypto/lhash/lhash_local.h a4f8f200ca749db91da97735c107836dfb2b623424b15c020ec6e48d874f4564 crypto/loongarch64cpuid.pl 460a7af09cde89a820b091522ada1310cfcec99c60aee505f94c48c35e9a29e8 crypto/loongarchcap.c @@ -265,14 +265,14 @@ bdf25257b15eca206be4d950d2dd807ca5f058f91f54edbd7a0d312ed83eef8e crypto/modes/o e55a816c356b2d526bc6e40c8b81afa02576e4d44c7d7b6bbe444fb8b01aad41 crypto/modes/wrap128.c 608a04f387be2a509b4d4ad414b7015ab833e56b85020e692e193160f36883a2 crypto/modes/xts128.c fb874ea18e9754dde11ef1c2993818074ff7cd8a74a981598745f7e11317bb91 crypto/modes/xts128gb.c -e49f44c0c91789015fd45f9260eafe3139e6b73ca2af612df4aa21b71c637ca1 crypto/o_str.c +f89e6864ebbff6321e360a6543d45b5f30773a86217ef37c7dfc146b7aa49d4b crypto/o_str.c b0decda3aae1d3e07cf3cbe9153cdde9deafe65fae346cd208951b4d7dec512e crypto/packet.c fb60966da0d636a59921c7eeadebedb79caa9667eb1622330ab7e1f31a8d24eb crypto/param_build.c fa2062acdb901c9b15904b5c8f805247bba8b0eaa935c35fdfbe8d53ff463a7a crypto/param_build_set.c a267f41a7dead2b1f7ea35ad7d2d04db50cb75d0fb20fbc2fa72ba7ea4dc34a0 crypto/params.c bb7b79b5a070050f5e7dfc66b5635f0891bc278e3e24eec3583b769b33bef657 crypto/params_dup.c b2bd2b5cf3de2fe130223470da22fe4c1b08e75f0c10fcb7d0c089c9f9851f78 crypto/params_from_text.c -e7bdda0dcbf7aa6d4b9d55efd7c59e78bc68aca644d64a7c316a044bccf20505 crypto/params_idx.c +9e9b831ae8f2f2ef75b29152a0b65bc157f4717f928d23a403fa49e11432daf8 crypto/params_idx.c c27b8c1659274be74e2d6e9fd76980df499d1331c0c2d51f41b3ad547ba88d59 crypto/ppccap.c 46fa4994a6234a98a2845d9337475913f6bc229f1928abc82224de7edf2784b8 crypto/ppccpuid.pl 467c416422ecf61e3b713c5eb259fdbcb4aa73ae8dee61804d0b85cfd3fff4f7 crypto/property/defn_cache.c @@ -284,7 +284,7 @@ a7cefda6a117550e2c76e0f307565ce1e11640b11ba10c80e469a837fd1212a3 crypto/propert bf5e9f8e49672afc09f4130ba300844d4412f9e3467985f693da70e34f1a4f3a crypto/provider_core.c d0af10d4091b2032aac1b7db80f8c2e14fa7176592716b25b9437ab6b53c0a89 crypto/provider_local.h 5ba2e1c74ddcd0453d02e32612299d1eef18eff8493a7606c15d0dc3738ad1d9 crypto/provider_predefined.c -ba5c07983cb1d18e6d3e97f8ea16f99175c5461efe99d160051c6bd2886c0217 crypto/rand/rand_lib.c +d2851ce0930b36e6f1fbc593a756d9a7c8097eb6b0ace163cecd917c8e9637dd crypto/rand/rand_lib.c fd03b9bb2c23470fa40880ed3bf9847bb17d50592101a78c0ad7a0f121209788 crypto/rand/rand_local.h f67fcf8351b046a00cf1baea29aefab3b4fc9521e0ba508abdd1a9ca44de40c3 crypto/riscv32cpuid.pl c0ff6a8ca7f52f759a945c4d475d00168b12386324e8177f301127b405ca793e crypto/riscv64cpuid.pl @@ -352,7 +352,7 @@ fb06844e7c3b014a58dccc8ec6020c71843cfdc5be08288bc7d204f0a840c474 crypto/sha/asm 0611845c52091b0208dd41f22ddef9dd1e68d3d92fa4c4360738b840a6314de6 crypto/sha/asm/sha512-sparcv9.pl f64d16c1e5c3fa4a7969de494a8372127502171a517c14be7a1e3a43a7308699 crypto/sha/asm/sha512-x86_64.pl 8725cabb8d695c576619f19283b034074a3fa0f1c0be952a9dbe9793be15b907 crypto/sha/asm/sha512p8-ppc.pl -b69b8a21115f4167641ef94f30846e367f479a2153a5de2991f0a34c564ce4b1 crypto/sha/keccak1600.c +83d52563e8b85ebf9e3448392c0b535a8564b7aaafc595e7a6653035a4511155 crypto/sha/keccak1600.c 306cacd3f86e5cacaca74c58ef862516515e5c0cafaff48636d537fd84f1c2fb crypto/sha/sha1dgst.c af4756bfeeabca490834f51e45e3fd726b5bbb35bb682b73d857a8c2e080c64f crypto/sha/sha256.c 3d972a11be18bfbfcd45790028635d63548bfe0a2e45d2fc56b6051b759d22f0 crypto/sha/sha3.c @@ -375,13 +375,13 @@ e29e0fc64feaa71c68da6e5f2fa8a00853f9b2d6a8b516eb474bde51e23065f6 crypto/threads 8b45f948303045d8f753858b1b892e3da13bebe1bdac500db91fbb54a0ac07da crypto/time.c fd6c27cf7c6b5449b17f2b725f4203c4c10207f1973db09fd41571efe5de08fd crypto/x86_64cpuid.pl bbec287bb9bf35379885f8f8998b7fd9e8fc22efee9e1b299109af0f33a7ee16 crypto/x86cpuid.pl -f24620e63469b36f9e015841fdabde2af35982268e61183fafcbd6fbdeeeca1d include/crypto/aes_platform.h -99e3f29e2f7f78a4f43f634c5c56a74e3b64b05ad077249eba64976bc47d6d37 include/crypto/asn1.h +492e7ba619c2e23a454503a7eaccf455af638484090d4671258203739666c644 include/crypto/aes_platform.h +68f6c521b1dbfacb99d75cb1ffdbcd1795d6e0157df69c6c6a7c04f85ea715ec include/crypto/asn1.h 8c6f308c1ca774e6127e325c3b80511dbcdc99631f032694d8db53a5c02364ee include/crypto/asn1_dsa.h d95af0a278bc2edef9c3e1129fc6e7b1577b1ea95249b05ef39c4a4847e9ddac include/crypto/bn.h 1c46818354d42bd1b1c4e5fdae9e019814936e775fd8c918ca49959c2a6416df include/crypto/bn_conf.h.in 7a43a4898fcc8446065e6c99249bcc14e475716e8c1d40d50408c0ab179520e6 include/crypto/bn_dh.h -9a7c2ed3703a83e14d25440dc63ef933b21a7225dfc28314a2a23e31706153e9 include/crypto/context.h +a6957475e4c7ae80c06537c3fd3b63f2368b664da54a96befd0a6fa38de27b4a include/crypto/context.h e69b2b20fb415e24b970941c84a62b752b5d0175bc68126e467f7cc970495504 include/crypto/cryptlib.h 6c72cfa9e59d276c1debcfd36a0aff277539b43d2272267147fad4165d72747c include/crypto/ctype.h 09a27585de4638577b482ec9102a0e70d843dee6297a2d45e27d888f6de5e27f include/crypto/decoder.h @@ -394,7 +394,7 @@ c7aafee54cc3ace0c563f15aa5af2cdce13e2cfc4f9a9a133952825fb7c8faf5 include/crypto bbe5e52d84e65449a13e42cd2d6adce59b8ed6e73d6950917aa77dc1f3f5dff6 include/crypto/lhash.h 906bc2316e4f4651e5db7a8273ec3bb4bcbfb55f0f484bebdae4f6d0ce033bdf include/crypto/md32_common.h 6e7762e7fb63f56d25b24f70209f4dc834c59a87f74467531ec81646f565dbe3 include/crypto/modes.h -8aa4f71ebd9753baceed428e323d5f550d74aff43ab9a55eda7c096d838b8f49 include/crypto/rand.h +38fdd544efa495426cc684894727cf05a0f125f5cf6e11de133d43f785d5bcce include/crypto/rand.h 90930fc8788d6e04e57829346e0405293ac7a678c3cef23d0692c742e9586d09 include/crypto/rand_pool.h 2f502340909e531a9a7c71451400eb68a53bf62015c17b0169b1efffb0703882 include/crypto/rsa.h 32f0149ab1d82fddbdfbbc44e3078b4a4cc6936d35187e0f8d02cc0bc19f2401 include/crypto/security_bits.h @@ -411,7 +411,7 @@ dc5afb955d810feb5af9f8d25cd8a92118abef320fee95c07b04f301c4e0d96c include/intern 8059e715f981fbe02b5731610ed24bb6ae617a55e90b03f4260cbb6ccd71e8de include/internal/deterministic_nonce.h fd1722d6b79520ee4ac477280d5131eb1b744c3b422fd15f5e737ef966a97c3b include/internal/dso.h f144daebef828a5bd4416466257a50f06b894e0ce0adf1601aa381f34f25a9e7 include/internal/dsoerr.h -6b15a2abd526a0c09aedd122b4e7bd4a1c132d586f7ac11837b05549a28a4b31 include/internal/e_os.h +99276e4650bfdcddac06eaa70dd2e255b30b61ebd8ef948384e28b1dd17ddb61 include/internal/e_os.h 70d3e0d5a1bd8db58dcc57bea4d1c3ed816c735fe0e6b2f4b07073712d2dc5ef include/internal/endian.h 19b0b6356921484359c2e5e7839ffc476fe48a31fbae31595545a58c920ae224 include/internal/ffc.h 55c4102496ed5ab16de11afe38c328a1396c3b6e2c7e44add4a38855103c19da include/internal/namemap.h @@ -440,7 +440,7 @@ ef96b731db0e0998c11a297d601f5b37c02525774d532fb4f92160e9069c7dfc include/intern 47fd81a330f042baf3675f4154c6276ab7a8cf76efaf01288abe41f119ec5588 include/openssl/asn1.h.in d4733dcd490b3a2554eaf859d1ea964fe76f7d24f78e42be1094bdad6dee7429 include/openssl/asn1err.h 1550474ee05423896ec4abfb6346f1bc44c7be22329efac9ea25de10e81d549c include/openssl/asn1t.h.in -96c3b90a890f5dce1c9186c8d5bc26769bb8e1f0254d304fc9f1ae018344b497 include/openssl/bio.h.in +5610c3cb39f1c6d6dc071836b4b92f686f1c5931bfc11de0ba9a9bcd0bdc995b include/openssl/bio.h.in fe5ab4bc904b7c77e5411c4b7dda6d29595eb60a87f00e30ab32f48391f98b44 include/openssl/bioerr.h 9caa80699882befcce556446a45e5ffde5aa938aa2aae0e8ecd46c9c6a3fe419 include/openssl/bn.h 9ad8b04764797f5138f01f549ba18b44cf698ffc7fe795fef42c1822d84a6ff4 include/openssl/bnerr.h @@ -452,7 +452,7 @@ f20c3c845129a129f5e0b1dae970d86a5c96ab49f2e3f6f364734521e9e1abe3 include/openss 69d98c5230b1c2a1b70c3e6b244fcfd8460a80ebf548542ea43bb1a57fe6cf57 include/openssl/configuration.h.in 6b3810dac6c9d6f5ee36a10ad6d895a5e4553afdfb9641ce9b7dc5db7eef30b7 include/openssl/conftypes.h 28c6f0ede39c821dcf4abeeb4e41972038ebb3e3c9d0a43ffdf28edb559470e1 include/openssl/core.h -99d507e9aa0b4ad94b191b1aba2cb5d426b8fe130910e6f9c86a8ca62f42f8cc include/openssl/core_dispatch.h +6876672a5dc96fbf25162b48615ea8f827f3ac3e7982bd09b0d0a7a2dd74cfc0 include/openssl/core_dispatch.h 8b4027cf19ce2a7cbad506cde61552123818b6eae62d5fbdae34e9f68660e6f8 include/openssl/core_names.h.in 371413ef13841f1245a225c8ec1cec463629c42bfc33254f979d2a8672112f9a include/openssl/crypto.h.in 2f9570c2514b4d1b2a86fbdf30ced879e5c52e62f1d3691cb3da37ce4f6a98dd include/openssl/cryptoerr.h @@ -491,7 +491,7 @@ ed785c451189aa5f7299f9f32a841e7f25b67c4ee937c8de8491a39240f5bd9d include/openss 08980b1dbc01e2926fc59707d867030fc7a3d37dc625c0e1edf2d31bdf71b2fb include/openssl/proverr.h 03bda8974476f0f038a7cfa0cb30f0b8210d55c74c6e7e853fd1564dca3e2b14 include/openssl/provider.h e512ab2e492d968a9bf8b2b048f79ac5dfe11bddf3c00f2eec6e9c6ecc57d330 include/openssl/rand.h -108966f56c82fedff53df76a4aa7861c82be4db1fd1ddafb59dc086ea155831c include/openssl/randerr.h +5be9d723cf368b48ab35bda5db1a3e83bda6e9e38218dd0b020be1a5427e7488 include/openssl/randerr.h 2f4f0106e9b2db6636491dbe3ef81b80dbf01aefe6f73d19663423b7fcd54466 include/openssl/rsa.h 2f339ba2f22b8faa406692289a6e51fdbbb04b03f85cf3ca849835e58211ad23 include/openssl/rsaerr.h 6586f2187991731835353de0ffad0b6b57609b495e53d0f32644491ece629eb2 include/openssl/safestack.h.in @@ -533,29 +533,29 @@ e1ef8b2be828a54312d6561b37751a5b6e9d5ebdb6c3e63589728c3d8adca7dc providers/comm c2b4301a9f835c0b3776ad3afba7121d00cd7ae6387fe11c96269a37da08027c providers/common/include/prov/securitycheck.h 737cc1228106e555e9bab24e3c2438982e04e05b0d5b9ee6995d71df16c49143 providers/common/provider_ctx.c 3f5656c405ec57a261df7af940c1512990555361f69488a28d65e16f6b865a1d providers/common/provider_err.c -2f334bf2292bc394778eacaec57e7419e62d0918c166098cc65a09e8c3f5171e providers/common/provider_seeding.c +101d50bfdd8a9aaf096f5d0d80b874d9c59f9c0c4433159cda96426777aae09f providers/common/provider_seeding.c 6e833d259d04cdedc007e6cda52fd706527edcf4b4432dbd88cbf45c3f7a4442 providers/common/provider_util.c 5b94312727ca33e4f5c038f4caaae8417bf584cfde22df83d91f3c55c30c81ee providers/common/securitycheck.c bc4370324c4c8791ea6de8641d255073c6745ee984e18912d535e155d9815244 providers/common/securitycheck_fips.c abd5997bc33b681a4ab275978b92aebca0806a4a3f0c2f41dacf11b3b6f4e101 providers/fips/fips_entry.c -5d4c2e93c2aef3f74aea56e6680bc1735081f680102f09d7d0b22d1df53767fb providers/fips/fipsprov.c -bf247e11ce05e274ab668e80e6e86ed3747b2848570e20b993e68b54559334a3 providers/fips/self_test.c +42cd9a91e687784eb44be472075f3ed5f6ec60a47fc1db7ef5b577949cbbee85 providers/fips/fipsprov.c +029fad3c27617c725e516621c2f6c3a0e1dca0fa22f4e89a1a6b9a977c8d935d providers/fips/self_test.c f822a03138e8b83ccaa910b89d72f31691da6778bf6638181f993ec7ae1167e3 providers/fips/self_test.h 551631b909f8d173eafcccac782a44c8aed92bb8463bfccdb936b7f3aee2a48b providers/fips/self_test_data.inc -ed6dc106e223a422b133f774f94079fcd404899d7fad624179dd152354dbb500 providers/fips/self_test_kats.c +5b6d8dbc1365974eb9a5d417b2276d40fa7b9e733bb224200d20a61b4b025973 providers/fips/self_test_kats.c 4428a56f5d195547348c743df0c14ac9c97cd7b60ce09b76cffe5e7c9296daec providers/implementations/asymciphers/rsa_enc.c c2f1b12c64fc369dfc3b9bc9e76a76de7280e6429adaee55d332eb1971ad1879 providers/implementations/ciphers/cipher_aes.c f9d4b30e7110c90064b990c07430bb79061f4436b06ccaa981b25c306cfbfaa2 providers/implementations/ciphers/cipher_aes.h -480c1f44157dff5fc65369f5c29a5369528061576c00a6454f3e54b37f9f8af1 providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c +20494fb9eb9f0578a3a574e0c6406108cfb28d7895a1891d57b3238420ec4f7b providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c 7668e5c1cac474ad7b0f28aa78ca885edf44815fe4a606a6cd328b3c02fac25a providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.h 26e0f28523b416ba4067e471061f5a11fd76f5dc8bfe57ce37a137cf5667630b providers/implementations/ciphers/cipher_aes_cbc_hmac_sha1_hw.c 6d2ab2e059ef38fad342d4c65eebd533c08a2092bb174ff3566c6604e175c5a4 providers/implementations/ciphers/cipher_aes_cbc_hmac_sha256_hw.c -6d6bf36329af3b77f457898294be05fea3940a61cdaf0ed60cfb8d091a94186e providers/implementations/ciphers/cipher_aes_ccm.c +f37c3cf9e2e6fcfcbed941f3670b790fe09990349db72eb065bef51705d46e96 providers/implementations/ciphers/cipher_aes_ccm.c 00f36bf48e522dbb5ec71df0ec13e387955fa3672e6ff90e8a412ae95c4a642f providers/implementations/ciphers/cipher_aes_ccm.h 17b9d63357824c24b48c889e27f74e8882bfce740f4c755ae5843def46abe650 providers/implementations/ciphers/cipher_aes_ccm_hw.c 302b3819ff9fdfed750185421616b248b0e1233d75b45a065490fe4762b42f55 providers/implementations/ciphers/cipher_aes_ccm_hw_aesni.inc a8eaca99a71521ff8ac4ffcf08315e59220f7e0b7f505ecddad04fadd021ec14 providers/implementations/ciphers/cipher_aes_cts.inc -710ee60704dd9dffa2a11e2e96596af1f7f84f915cedcedeec7292e0d978317a providers/implementations/ciphers/cipher_aes_gcm.c +7e886ecc088b5903aa082eac72a4c46f9064392bdf5723a592368ecebfeb71c0 providers/implementations/ciphers/cipher_aes_gcm.c 79f5a732820d2512a7f4fc2a99ece7e6e2523a51e62561eb67a4b70d5538b0c4 providers/implementations/ciphers/cipher_aes_gcm.h 986450da9f87b3cea00880c5bb5b0908b201ba27f68942b9f8bfff393610b3bb providers/implementations/ciphers/cipher_aes_gcm_hw.c be18c20e0197f25fe7b9e0268657a2271a69d216b89cb100f082fa5fcaad1e07 providers/implementations/ciphers/cipher_aes_gcm_hw_aesni.inc @@ -565,7 +565,7 @@ be18c20e0197f25fe7b9e0268657a2271a69d216b89cb100f082fa5fcaad1e07 providers/impl 5eb2b02ac65ed2c537c5be65779065077d141dd16730666a2bb00ca08b05f861 providers/implementations/ciphers/cipher_aes_ocb.c 88138a1aff9705e608c0557653be92eb4de65b152555a2b79ec8b2a8fae73e8f providers/implementations/ciphers/cipher_aes_ocb.h 5840571376d5e32681644224ef25e70ca771357f9e8ce152eada6a15df113731 providers/implementations/ciphers/cipher_aes_ocb_hw.c -be3e7c7069aa177f8a3485cf3e2d0e2f5ac28196372e8b6471e756580b7ac3ae providers/implementations/ciphers/cipher_aes_wrp.c +110f14e06311883d5e312b37e9d87c51f809592d3092ecd8eb449ea4bc7cac38 providers/implementations/ciphers/cipher_aes_wrp.c a79fde91348c9df6bb359e5353a442800ca514a1ffcb68e5cc5f7afe7d57d5ec providers/implementations/ciphers/cipher_aes_xts.c c4a2499b214d7cf786dafaaee5c8c6963b3d5d1c27c144eec4b460f839074a3b providers/implementations/ciphers/cipher_aes_xts.h 281157d1da4d7285d878978e6d42d0d33b3a6bc16e3bc5b6879e39093a7d70da providers/implementations/ciphers/cipher_aes_xts_fips.c @@ -586,13 +586,13 @@ bb67eaa7a98494ca938726f9218213870fc97dd87b56bda950626cc794baf20b providers/impl c4b1cb143de15acc396ce2e03fdd165defd25ebc831de9cdfacf408ea883c666 providers/implementations/ciphers/ciphercommon_local.h 39b47b6ef9d71852964c26e07ef0e9b23f04c7493b1b16ba7c3dba7074b6b70d providers/implementations/digests/digestcommon.c 5f41dd1bf77bd08d287a875f9d6e5a423bf286524694ae7ee133cdd03ee763c0 providers/implementations/digests/sha2_prov.c -9aa1ab14059f0b3db8091c7bb900e5f1487c0d0e925a71d79d7575f4a7a60444 providers/implementations/digests/sha3_prov.c +66a8eef0ecb12df2d38111735a7cb3257b85039c34fda6fc0e41db96e2d328cb providers/implementations/digests/sha3_prov.c 4b774bf9267ebe05bf90076bc18e19a21e03ee2716bdb8fc4e6458774e9a820c providers/implementations/exchange/dh_exch.c b2d80c38dd62b46f2dd71e81a5684f54f43200d3ddbb86178081760ecc93525c providers/implementations/exchange/ecdh_exch.c 4994df237719649b086a032bd64c1cf38ceb4e67dd8ec98da20edf5bc3eadb0b providers/implementations/exchange/ecx_exch.c 2c8421ca27626472fd263172c76188b8b3eeda996dc925d052a8809543a33c11 providers/implementations/exchange/kdf_exch.c 24b784d29c46f6f7fd6d775ecef6a96bfd5faaa7a555f0aa0c97e94b74f09bc1 providers/implementations/include/prov/ciphercommon.h -c83f3f7a45738aa10465b8371ad38827009273322bcd62969322bc4ab4bc81a2 providers/implementations/include/prov/ciphercommon_aead.h +a5ea831a23c0f52a37660437f6c61f129c3f8428daf6f8cd8dd458f358c56937 providers/implementations/include/prov/ciphercommon_aead.h a07b9c86346100feef15c9abb57e48a6099bc9fa782724a2283f17910ef192fb providers/implementations/include/prov/ciphercommon_ccm.h 45e45a82a91751b27cf5160f14b6407bce3372591dc965e565d8091e46179e6b providers/implementations/include/prov/ciphercommon_gcm.h b9a61ce951c1904d8315b1bb26c0ab0aaadb47e71d4ead5df0a891608c728c4b providers/implementations/include/prov/digestcommon.h @@ -627,11 +627,11 @@ f29f282463f5bc432129850619edc427fe1d6cc8aa107b5703b11858b48790da providers/impl 145f3d5d5ebd5fb3bbe32705d7d71ff03e35b776f1c77d2f43781263ccc6a808 providers/implementations/macs/kmac_prov.c 3034074f99b02db045f2ccecc8782322e876dad07a3c169bdb24168b6b1f8cbd providers/implementations/rands/crngt.c 51688b34a8ba14234cf91c318ce9f97b8a54dbb501d6f56aa53d472f877d3660 providers/implementations/rands/drbg.c -b436b9f1c5525884e9adcc941726e0cf4bb135517f4dc403f24fec128c9cae8c providers/implementations/rands/drbg_ctr.c -118c2f62f765c0324695cb286670ae024cbeaacd989666da8e3daa8d0ec44c65 providers/implementations/rands/drbg_hash.c -3096525926ee80fec225c16e89fc9d58867de5f63b1e7a0736ed56ca09f19f2b providers/implementations/rands/drbg_hmac.c -e65a6972711303a71636ee7e31cab6dfd1734a97e25b4dce119060c1487bbe33 providers/implementations/rands/drbg_local.h -26d86b55837f515684865cb0e327aea435a9b7f27bf296287d44209f9a5df6ff providers/implementations/rands/test_rng.c +c18ec061bfb908dadebd47ee49fd4aa3fd0d320a0ed85a0f8ae841be4be787d6 providers/implementations/rands/drbg_ctr.c +52df0b9fa3d9357364a27773418aba82def6ac3a3bf027f0e14398cf4e10a247 providers/implementations/rands/drbg_hash.c +989aae213883f4d21480a09273cc21b0ca5d482f4e2ebf6e513ce8853a7c727f providers/implementations/rands/drbg_hmac.c +df266cab55613a7515fa1eed7212bd07281d1d36bffcab436d2cb01cf514dd3d providers/implementations/rands/drbg_local.h +9fd2c79b264eed85ae750a70354fa9dfdfc54e8df72df6ceff403d68772214e8 providers/implementations/rands/test_rng.c a9aa31d091df5b8f6710dd36761dfe7d32b6da1881f8581bed85ad4e171b0969 providers/implementations/signature/dsa_sig.c 6c8b5f325c997014bd71331c9eb6c185838cd81c10c3ad74dd65289ae923d629 providers/implementations/signature/ecdsa_sig.c d9d4bbbb0af0d1db6f586a36fd63236e4becdd52468a1e6510994e80988400aa providers/implementations/signature/eddsa_sig.c diff --git a/providers/fips.checksum b/providers/fips.checksum index 5697105a43..844a7f7b2b 100644 --- a/providers/fips.checksum +++ b/providers/fips.checksum @@ -1 +1 @@ -91f820645394cd8895d6fef399ee8e0df13817aa5430eda3ce8fbfb14ccfd3fc providers/fips-sources.checksums +179decb772ecd0063d75b578b699896a9b795033b891f520cc3577a2590d98b9 providers/fips-sources.checksums -- Gitee From 86361f1dbdad9da2c954fba5062e1ea98fa3b61a Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 28 Sep 2023 14:24:32 +0100 Subject: [PATCH 04/60] Prepare for release of 3.2 alpha 2 Reviewed-by: Richard Levitte Release: yes Signed-off-by: fly2x --- CHANGES.md | 2 +- NEWS.md | 2 +- VERSION.dat | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index f0b6898511..aad65d78e5 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -23,7 +23,7 @@ OpenSSL Releases OpenSSL 3.2 ----------- -### Changes between 3.1 and 3.2 [xx XXX xxxx] +### Changes between 3.1 and 3.2 alpha 2 [28 Sep 2023] * Changed the default salt length used by PBES2 KDF's (PBKDF2 and scrypt) from 8 bytes to 16 bytes. diff --git a/NEWS.md b/NEWS.md index d0312961df..e326020c89 100644 --- a/NEWS.md +++ b/NEWS.md @@ -20,7 +20,7 @@ OpenSSL Releases OpenSSL 3.2 ----------- -### Major changes between OpenSSL 3.1 and OpenSSL 3.2 [under development] +### Major changes between OpenSSL 3.1 and OpenSSL 3.2 alpha 2 [in pre-release] * Added client side support for QUIC. * Added multiple tutorials on the OpenSSL library and in particular diff --git a/VERSION.dat b/VERSION.dat index 584de32867..72674dea69 100644 --- a/VERSION.dat +++ b/VERSION.dat @@ -1,7 +1,7 @@ MAJOR=3 MINOR=2 PATCH=0 -PRE_RELEASE_TAG=alpha2-dev +PRE_RELEASE_TAG=alpha2 BUILD_METADATA= -RELEASE_DATE="" +RELEASE_DATE="28 Sep 2023" SHLIB_VERSION=3 -- Gitee From 40d0439b10ae7a1e79520c137514f41c3ae70e91 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 28 Sep 2023 14:24:47 +0100 Subject: [PATCH 05/60] Prepare for 3.2 alpha 3 Reviewed-by: Richard Levitte Release: yes Signed-off-by: fly2x --- CHANGES.md | 2 +- NEWS.md | 2 +- VERSION.dat | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index aad65d78e5..f0b6898511 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -23,7 +23,7 @@ OpenSSL Releases OpenSSL 3.2 ----------- -### Changes between 3.1 and 3.2 alpha 2 [28 Sep 2023] +### Changes between 3.1 and 3.2 [xx XXX xxxx] * Changed the default salt length used by PBES2 KDF's (PBKDF2 and scrypt) from 8 bytes to 16 bytes. diff --git a/NEWS.md b/NEWS.md index e326020c89..d0312961df 100644 --- a/NEWS.md +++ b/NEWS.md @@ -20,7 +20,7 @@ OpenSSL Releases OpenSSL 3.2 ----------- -### Major changes between OpenSSL 3.1 and OpenSSL 3.2 alpha 2 [in pre-release] +### Major changes between OpenSSL 3.1 and OpenSSL 3.2 [under development] * Added client side support for QUIC. * Added multiple tutorials on the OpenSSL library and in particular diff --git a/VERSION.dat b/VERSION.dat index 72674dea69..1969c68c38 100644 --- a/VERSION.dat +++ b/VERSION.dat @@ -1,7 +1,7 @@ MAJOR=3 MINOR=2 PATCH=0 -PRE_RELEASE_TAG=alpha2 +PRE_RELEASE_TAG=alpha3-dev BUILD_METADATA= -RELEASE_DATE="28 Sep 2023" +RELEASE_DATE="" SHLIB_VERSION=3 -- Gitee From b392b07c7bcb07916cd5cda61c5420906e20a3dc Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 27 Sep 2023 14:32:50 +0200 Subject: [PATCH 06/60] Test client certificate authentication with QUIC Reviewed-by: Paul Dale Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/22207) Signed-off-by: fly2x --- test/quicapitest.c | 96 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 96 insertions(+) diff --git a/test/quicapitest.c b/test/quicapitest.c index b02db15d65..8452ba4b62 100644 --- a/test/quicapitest.c +++ b/test/quicapitest.c @@ -24,7 +24,10 @@ static OSSL_LIB_CTX *libctx = NULL; static OSSL_PROVIDER *defctxnull = NULL; static char *certsdir = NULL; static char *cert = NULL; +static char *ccert = NULL; +static char *cauthca = NULL; static char *privkey = NULL; +static char *cprivkey = NULL; static char *datadir = NULL; static int is_fips = 0; @@ -1192,6 +1195,83 @@ static int test_quic_psk(void) return testresult; } +static int test_client_auth(int idx) +{ + SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, OSSL_QUIC_client_method()); + SSL_CTX *sctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()); + SSL *clientquic = NULL; + QUIC_TSERVER *qtserv = NULL; + int testresult = 0; + unsigned char buf[20]; + static char *msg = "A test message"; + size_t msglen = strlen(msg); + size_t numbytes = 0; + + if (!TEST_ptr(cctx) || !TEST_ptr(sctx)) + goto err; + + SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT + | SSL_VERIFY_CLIENT_ONCE, NULL); + + if (!TEST_true(SSL_CTX_load_verify_file(sctx, cauthca))) + goto err; + + if (idx > 0 + && (!TEST_true(SSL_CTX_use_certificate_chain_file(cctx, ccert)) + || !TEST_true(SSL_CTX_use_PrivateKey_file(cctx, cprivkey, + SSL_FILETYPE_PEM)))) + goto err; + + if (!TEST_true(qtest_create_quic_objects(libctx, cctx, sctx, cert, + privkey, 0, &qtserv, + &clientquic, NULL, NULL))) + goto err; + + if (idx == 0) { + if (!TEST_false(qtest_create_quic_connection(qtserv, clientquic))) + goto err; + + /* negative test passed */ + testresult = 1; + goto err; + } + + if (!TEST_true(qtest_create_quic_connection(qtserv, clientquic))) + goto err; + + /* Check that sending and receiving app data is ok */ + if (!TEST_true(SSL_write_ex(clientquic, msg, msglen, &numbytes)) + || !TEST_size_t_eq(numbytes, msglen)) + goto err; + + ossl_quic_tserver_tick(qtserv); + if (!TEST_true(ossl_quic_tserver_write(qtserv, 0, + (unsigned char *)msg, + msglen, &numbytes))) + goto err; + + ossl_quic_tserver_tick(qtserv); + SSL_handle_events(clientquic); + + if (!TEST_true(SSL_read_ex(clientquic, buf, sizeof(buf), &numbytes)) + || !TEST_size_t_eq(numbytes, msglen) + || !TEST_mem_eq(buf, numbytes, msg, msglen)) + goto err; + + if (!TEST_true(qtest_shutdown(qtserv, clientquic))) + goto err; + + testresult = 1; + + err: + SSL_free(clientquic); + ossl_quic_tserver_free(qtserv); + SSL_CTX_free(sctx); + SSL_CTX_free(cctx); + + return testresult; +} + /* * Test that we correctly handle ALPN supplied by the application * Test 0: ALPN is provided @@ -1465,10 +1545,22 @@ int setup_tests(void) if (cert == NULL) goto err; + ccert = test_mk_file_path(certsdir, "ee-client-chain.pem"); + if (ccert == NULL) + goto err; + + cauthca = test_mk_file_path(certsdir, "root-cert.pem"); + if (cauthca == NULL) + goto err; + privkey = test_mk_file_path(certsdir, "serverkey.pem"); if (privkey == NULL) goto err; + cprivkey = test_mk_file_path(certsdir, "ee-key.pem"); + if (privkey == NULL) + goto err; + ADD_ALL_TESTS(test_quic_write_read, 3); ADD_TEST(test_fin_only_blocking); ADD_TEST(test_ciphersuites); @@ -1486,6 +1578,7 @@ int setup_tests(void) ADD_TEST(test_multiple_dgrams); ADD_ALL_TESTS(test_non_io_retry, 2); ADD_TEST(test_quic_psk); + ADD_ALL_TESTS(test_client_auth, 2); ADD_ALL_TESTS(test_alpn, 2); ADD_ALL_TESTS(test_noisy_dgram, 2); @@ -1501,6 +1594,9 @@ void cleanup_tests(void) bio_f_pkt_split_dgram_filter_free(); OPENSSL_free(cert); OPENSSL_free(privkey); + OPENSSL_free(ccert); + OPENSSL_free(cauthca); + OPENSSL_free(cprivkey); OSSL_PROVIDER_unload(defctxnull); OSSL_LIB_CTX_free(libctx); } -- Gitee From 715c2bb4892c51f511a8e647eb8196b526ae95ae Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 26 Sep 2023 17:39:50 +0200 Subject: [PATCH 07/60] Optimize out unneeded up_ref/free of EVP_CIPHER Fixes #22189 Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22198) Signed-off-by: fly2x --- crypto/evp/evp_enc.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c index 84ce108b25..e1d3eeef64 100644 --- a/crypto/evp/evp_enc.c +++ b/crypto/evp/evp_enc.c @@ -200,7 +200,12 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx, #endif } - if (cipher->prov != NULL) { + if (!ossl_assert(cipher->prov != NULL)) { + ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); + return 0; + } + + if (cipher != ctx->fetched_cipher) { if (!EVP_CIPHER_up_ref((EVP_CIPHER *)cipher)) { ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); return 0; -- Gitee From f8fb6bfe228231c0a6b1d2654619eeb52b5646dd Mon Sep 17 00:00:00 2001 From: Pauli Date: Thu, 28 Sep 2023 11:34:48 +1000 Subject: [PATCH 08/60] Coverity 1545176: dereference before NULL check Reviewed-by: Tomas Mraz Reviewed-by: Tom Cosgrove (Merged from https://github.com/openssl/openssl/pull/22211) Signed-off-by: fly2x --- crypto/rand/rand_lib.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c index 46e294a378..7fbbb0275b 100644 --- a/crypto/rand/rand_lib.c +++ b/crypto/rand/rand_lib.c @@ -536,13 +536,14 @@ static EVP_RAND_CTX *rand_new_seed(OSSL_LIB_CTX *libctx) EVP_RAND *rand; RAND_GLOBAL *dgbl = rand_get_global(libctx); EVP_RAND_CTX *ctx = NULL; - const char *propq = dgbl->seed_propq; + const char *propq; char *name, *props = NULL; size_t props_len; OSSL_PROPERTY_LIST *pl1, *pl2, *pl3 = NULL; if (dgbl == NULL) return NULL; + propq = dgbl->seed_propq; if (dgbl->seed_name != NULL) { name = dgbl->seed_name; } else { -- Gitee From 78b92a88f655aeb35179bd9f591a589d2338dd14 Mon Sep 17 00:00:00 2001 From: Pauli Date: Thu, 28 Sep 2023 11:45:01 +1000 Subject: [PATCH 09/60] Coverity 1545174: calling risky function Remove the call to rand() and replace with an xor-shift RNG. There are no security implications to worry about here. This RNG is used during testing only. Reviewed-by: Tomas Mraz Reviewed-by: Tom Cosgrove (Merged from https://github.com/openssl/openssl/pull/22211) Signed-off-by: fly2x --- providers/implementations/rands/test_rng.c | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/providers/implementations/rands/test_rng.c b/providers/implementations/rands/test_rng.c index 0006468d06..57b36469ca 100644 --- a/providers/implementations/rands/test_rng.c +++ b/providers/implementations/rands/test_rng.c @@ -47,6 +47,7 @@ typedef struct { unsigned char *entropy, *nonce; size_t entropy_len, entropy_pos, nonce_len; CRYPTO_RWLOCK *lock; + uint32_t seed; } PROV_TEST_RNG; static void *test_rng_new(void *provctx, void *parent, @@ -88,6 +89,7 @@ static int test_rng_instantiate(void *vtest, unsigned int strength, t->state = EVP_RAND_STATE_READY; t->entropy_pos = 0; + t->seed = 221953166; /* Value doesn't matter, so long as it isn't zero */ return 1; } @@ -103,7 +105,22 @@ static int test_rng_uninstantiate(void *vtest) static unsigned char gen_byte(PROV_TEST_RNG *t) { - return rand() & 0xff; + uint32_t n; + + /* + * Implement the 32 bit xorshift as suggested by George Marsaglia in: + * https://doi.org/10.18637/jss.v008.i14 + * + * This is a very fast PRNG so there is no need to extract bytes one at a + * time and use the entire value each time. + */ + n = t->seed; + n ^= n << 13; + n ^= n >> 17; + n ^= n << 5; + t->seed = n; + + return n & 0xff; } static int test_rng_generate(void *vtest, unsigned char *out, size_t outlen, -- Gitee From 5c0100f0db32a7d26fe92adc8a6236a8f81f65a3 Mon Sep 17 00:00:00 2001 From: Pauli Date: Thu, 28 Sep 2023 11:47:35 +1000 Subject: [PATCH 10/60] Coverity 1545175: use after free Reviewed-by: Tomas Mraz Reviewed-by: Tom Cosgrove (Merged from https://github.com/openssl/openssl/pull/22211) Signed-off-by: fly2x --- crypto/rand/rand_lib.c | 1 - 1 file changed, 1 deletion(-) diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c index 7fbbb0275b..14999540ab 100644 --- a/crypto/rand/rand_lib.c +++ b/crypto/rand/rand_lib.c @@ -609,7 +609,6 @@ static EVP_RAND_CTX *rand_new_seed(OSSL_LIB_CTX *libctx) } if (!EVP_RAND_instantiate(ctx, 0, 0, NULL, 0, NULL)) { ERR_raise(ERR_LIB_RAND, RAND_R_ERROR_INSTANTIATING_DRBG); - EVP_RAND_CTX_free(ctx); goto err; } OPENSSL_free(props); -- Gitee From b113cd54e66f5360b555bb0c526b6d987cc51c2e Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 26 Sep 2023 14:56:02 +0200 Subject: [PATCH 11/60] Avoid having ecp_sm2p256-armv8.pl in fips.module.sources Reviewed-by: Paul Dale Reviewed-by: Tom Cosgrove (Merged from https://github.com/openssl/openssl/pull/22194) Signed-off-by: fly2x --- Configurations/unix-Makefile.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index 881310cf08..6bdbf31d08 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -1264,7 +1264,7 @@ providers/fips.module.sources.new: configdata.pm crypto/*cap.c; do \ echo "$$x"; \ done \ - ) | sort | uniq > providers/fips.module.sources.new + ) | grep -v sm2p256 | sort | uniq > providers/fips.module.sources.new rm -rf sources-tmp # Set to -force to force a rebuild -- Gitee From 76db470d6e7025f2faae0a3f76f50caa9f48af0f Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Mon, 2 Oct 2023 10:22:24 +0200 Subject: [PATCH 12/60] [DOCS] Fix table inconsistencies detected by mdl Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/22240) Signed-off-by: fly2x --- doc/designs/quic-design/quic-api-ssl-funcs.md | 1476 ++++++++--------- doc/designs/quic-design/tx-packetiser.md | 66 +- 2 files changed, 771 insertions(+), 771 deletions(-) diff --git a/doc/designs/quic-design/quic-api-ssl-funcs.md b/doc/designs/quic-design/quic-api-ssl-funcs.md index 6b226b0897..ab8d68f912 100644 --- a/doc/designs/quic-design/quic-api-ssl-funcs.md +++ b/doc/designs/quic-design/quic-api-ssl-funcs.md @@ -91,744 +91,744 @@ Notes: which is never used for QUIC, they do not require changes, and we can allow applications to configure these lists freely, as they will be ignored. -| API Item | Cat. | Sema. | Appl. | Impl. Req. | Status | -|----------|----------|-----------|---------------|----------------|--------| -| **⇒ Global Information and Functions** | | -| `OSSL_default_cipher_list` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `OSSL_default_ciphersuites` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `ERR_load_SSL_strings` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `OPENSSL_init_ssl` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `OPENSSL_cipher_name` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `SSL_alert_desc_string` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `SSL_alert_desc_string_long` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `SSL_alert_type_string` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `SSL_alert_type_string_long` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `SSL_extension_supported` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `SSL_add_ssl_module` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `SSL_test_functions` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `SSL_select_next_proto` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| **⇒ Methods** | | -| `SSLv3_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `SSLv3_client_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `SSLv3_server_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `TLS_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `TLS_client_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `TLS_server_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `TLSv1_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `TLSv1_client_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `TLSv1_server_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `TLSv1_1_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `TLSv1_1_client_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `TLSv1_1_server_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `TLSv1_2_client_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `TLSv1_2_server_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `TLSv1_2_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `DTLS_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `DTLS_client_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `DTLS_server_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `DTLSv1_client_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `DTLSv1_server_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `DTLSv1_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `DTLSv1_2_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `DTLSv1_2_client_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `DTLSv1_2_server_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `OSSL_QUIC_client_method` | Global | 🟩U | 🟦U | 🟥QSA | 🟢Done | -| `OSSL_QUIC_client_thread_method` | Global | 🟩U | 🟦U | 🟥QSA | 🟢Done | -| `OSSL_QUIC_server_method` | Global | 🟩U | 🟦U | 🟥QSA | 🟠Design TBD | -| **⇒ Instantiation** | | -| `BIO_f_ssl` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | -| `BIO_new_ssl` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | -| `SSL_CTX_new` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | -| `SSL_CTX_new_ex` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | -| `SSL_CTX_up_ref` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | -| `SSL_CTX_free` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | -| `SSL_new` | Object | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_dup` | Object | 🟩U | 🟩A | 🟥FC | 🟢Done | -| `SSL_up_ref` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | -| `SSL_free` | Object | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_is_dtls` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | -| `SSL_CTX_get_ex_data` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | -| `SSL_CTX_set_ex_data` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | -| `SSL_get_ex_data` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | -| `SSL_set_ex_data` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | -| `SSL_get_SSL_CTX` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | -| `SSL_set_SSL_CTX` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | -| **⇒ Method Manipulation** | | -| `SSL_CTX_get_ssl_method` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | -| `SSL_get_ssl_method` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | -| `SSL_set_ssl_method` | Object | 🟩U | 🟥FC | 🟧QSI | 🟢Done | -| **⇒ SRTP** | | -| `SSL_get_selected_srtp_profile` | HL | 🟩U | 🟧NO | 🟨C\* | 🟢Done | -| `SSL_get_srtp_profiles` | HL | 🟩U | 🟧NO | 🟨C\* | 🟢Done | -| `SSL_CTX_set_tlsext_use_srtp` | HL | 🟩U | 🟥FC | 🟨C\* | 🟢Done | -| `SSL_set_tlsext_use_srtp` | HL | 🟩U | 🟥FC | 🟩NC\* | 🟢Done | -| **⇒ Ciphersuite Configuration** | | -| `SSL_CTX_set_cipher_list` | HL | 🟩U | 🟩A | 🟩NC\* †11 | 🟢Done | -| `SSL_CTX_set_ciphersuites` | HL | 🟩U | 🟩A | 🟨C\* †1 | 🟢Done | -| `SSL_CTX_get_ciphers` | HL | 🟩U | 🟩A |🟩NC\* | 🟢Done | -| `SSL_set_ciphersuites` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get1_supported_ciphers` | HL | 🟩U | 🟩A | 🟨C\* †1 | 🟢Done | -| `SSL_bytes_to_cipher_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_ciphers` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_cipher_list` | HL | 🟩U | 🟩A | 🟩NC\* †11 | 🟢Done | -| `SSL_set_cipher_list` | HL | 🟩U | 🟩A | 🟩NC\* †11 | 🟢Done | -| **⇒ Negotiated Ciphersuite Queries** | | -| `SSL_get_current_cipher` | HL | 🟩U | 🟩A |🟩NC\* †9 | 🟢Done | -| `SSL_get_pending_cipher` | HL | 🟩U | 🟩A | 🟩NC\* †9 | 🟢Done | -| `SSL_get_shared_ciphers` | HL | 🟩U | 🟩A | 🟩NC\* †9 | 🟢Done | -| `SSL_get_client_ciphers` | HL | 🟩U | 🟩A | 🟩NC\* †9 | 🟢Done | -| `SSL_get_current_compression` | HL | 🟩U | 🟩A | 🟩HLNC | 🟢Done | -| `SSL_get_current_expansion` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_shared_sigalgs` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_sigalgs` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_peer_signature_nid` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_peer_signature_type_nid` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_signature_nid` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_signature_type_nid` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| **⇒ ALPN** | †2 | -| `SSL_SESSION_set1_alpn_selected` | HL | 🟩U | 🟩A | 🟨C\* †2 | 🟢Done | -| `SSL_SESSION_get0_alpn_selected` | HL | 🟩U | 🟩A | 🟨C\* †2 | 🟢Done | -| `SSL_CTX_set_alpn_select_cb` | HL | 🟩U | 🟩A | 🟨C\* †2 | 🟢Done | -| `SSL_set_alpn_protos` | HL | 🟩U | 🟩A | 🟨C\* †2 | 🟢Done | -| `SSL_get0_alpn_selected` | HL | 🟩U | 🟩A | 🟨C\* †2 | 🟢Done | -| `SSL_CTX_set_alpn_protos` | HL | 🟩U | 🟩A | 🟨C\* †2 | 🟢Done | -| **⇒ NPN** | †3 | -| `SSL_CTX_set_next_proto_select_cb` | HL | 🟩U | 🟥FC | 🟨C\* †3 | 🟢Done | -| `SSL_CTX_set_next_protos_advertised_cb` | HL | 🟩U | 🟥FC | 🟨C\* †3 | 🟢Done | -| `SSL_get0_next_proto_negotiated` | HL | 🟩U | 🟥FC | 🟩NC\* †3 | 🟢Done | -| **⇒ Narrow Waist Interface** | †4 | -| `SSL_CTX_ctrl` | Object | 🟩U | 🟩A | 🟩NC\* †4 | 🟢Done | -| `SSL_ctrl` | Object | 🟩U | 🟩A | 🟩NC\* †4 | 🟢Done | -| `SSL_CTX_callback_ctrl` | Object | 🟩U | 🟩A | 🟩NC\* †4 | 🟢Done | -| `SSL_callback_ctrl` | Object | 🟩U | 🟩A | 🟩NC\* †4 | 🟢Done | -| **⇒ Miscellaneous Accessors** | | -| `SSL_get_server_random` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_client_random` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_finished` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_peer_finished` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| **⇒ Ciphersuite Information** | | -| `SSL_CIPHER_description` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CIPHER_find` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CIPHER_get_auth_nid` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CIPHER_get_bits` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CIPHER_get_cipher_nid` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CIPHER_get_digest_nid` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CIPHER_get_handshake_digest` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CIPHER_get_id` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CIPHER_get_kx_nid` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CIPHER_get_name` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CIPHER_get_protocol_id` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CIPHER_get_version` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CIPHER_is_aead` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CIPHER_standard_name` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_group_to_name` | Global | 🟩U | 🟦U | 🟩NC\* | 🟢Done | -| **⇒ Version Queries** | | -| `SSL_get_version` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_version` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_client_version` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| **⇒ Certificate Chain Management** | | -| `SSL_get_certificate` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_use_certificate` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_use_certificate_chain_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_use_certificate_chain_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_use_certificate_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_load_verify_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_load_verify_dir` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_load_verify_store` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_load_verify_locations` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `CertSSL_use_cert_and_key` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_use_certificate_ASN1` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_use_PrivateKey` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_use_PrivateKey_ASN1` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_use_PrivateKey_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_use_RSAPrivateKey` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_use_RSAPrivateKey_ASN1` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_use_RSAPrivateKey_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_default_verify_dir` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_default_verify_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_default_verify_paths` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_default_verify_store` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_use_cert_and_key` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_use_certificate` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_use_certificate_ASN1` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_use_certificate_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_use_PrivateKey` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_use_PrivateKey_ASN1` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_use_PrivateKey_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_use_RSAPrivateKey` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_use_RSAPrivateKey_ASN1` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_use_RSAPrivateKey_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_check_chain` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_check_private_key` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_check_private_key` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_add_client_CA` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_add1_to_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_add_dir_cert_subjects_to_stack` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_add_file_cert_subjects_to_stack` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_add_store_cert_subjects_to_stack` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_load_client_CA_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_load_client_CA_file_ex` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_dup_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set0_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get0_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_client_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_add_client_CA` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_get0_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_get0_certificate` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_get0_privatekey` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_get_cert_store` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set1_cert_store` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_get_client_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_add1_to_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set0_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_get_client_cert_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_get_default_passwd_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_get_default_passwd_cb_userdata` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_client_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_privatekey` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| **⇒ Certificate Compression** | | -| `SSL_CTX_set1_cert_comp_preference` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set1_cert_comp_preference` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_compress_certs` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_compress_certs` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set1_compressed_cert` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set1_compressed_cert` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_get1_compressed_cert` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get1_compressed_cert` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| **⇒ Certificate Verification** | | -| `SSL_set1_host` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_add1_host` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_hostflags` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_verify` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_verify` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_verify_depth` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_verify_result` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_verify_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_verify_depth` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_verify_mode` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_verify_result` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get0_peer_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get0_peer_certificate` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get0_verified_chain` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get1_peer_certificate` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_peer_cert_chain` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_peer_certificate` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_certs_clear` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_get0_param` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get0_param` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_get_verify_mode` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_get_verify_depth` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_verify_depth` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get0_peername` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set1_param` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set1_param` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_get0_param` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get0_param` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_purpose` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_purpose` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_trust` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_trust` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| **⇒ PSK** | | -| `SSL_use_psk_identity_hint` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_use_psk_identity_hint` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_psk_client_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_psk_find_session_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_psk_server_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_psk_use_session_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_psk_identity` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_psk_identity_hint` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| **⇒ SRP** | | -| `SSL_SRP_CTX_init` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_SRP_CTX_init` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_SRP_CTX_free` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SRP_CTX_free` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_srp_client_pwd_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_srp_password` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_srp_g` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_srp_cb_arg` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_srp_N` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_srp_username_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_srp_username` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_srp_server_param` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_srp_userinfo` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_srp_server_param_with_username` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_srp_strength` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_srp_verify_param_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_srp_server_param_pw` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_srp_username` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SRP_Calc_A_param` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| **⇒ DANE** | | -| `SSL_CTX_dane_enable` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get0_dane_tlsa` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_dane_set_flags` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_dane_set_flags` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_dane_clear_flags` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_dane_clear_flags` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get0_dane` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_dane_enable` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get0_dane_authority` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_dane_mtype_set` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_dane_tlsa_add` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| **⇒ Certificate Transparency** | | -| `SSL_CTX_enable_ct` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_ct_is_enabled` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_ctlog_list_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_default_ctlog_list_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_ct_validation_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set0_ctlog_store` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_get0_ctlog_store` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_enable_ct` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_ct_is_enabled` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get0_peer_scts` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_ct_validation_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| **⇒ Compression** | | -| `SSL_COMP_add_compression_method` | HL | 🟩U | 🟩A | 🟩NC\* †5 | 🟢Done | -| `SSL_COMP_get0_name` | HL | 🟩U | 🟩A | 🟩NC\* †5 | 🟢Done | -| `SSL_COMP_get_compression_methods` | HL | 🟩U | 🟩A | 🟩NC\* †5 | 🟢Done | -| `SSL_COMP_get_id` | HL | 🟩U | 🟩A | 🟩NC\* †5 | 🟢Done | -| `SSL_COMP_get_name` | HL | 🟩U | 🟩A | 🟩NC\* †5 | 🟢Done | -| `SSL_COMP_set0_compression_methods` | HL | 🟩U | 🟩A | 🟩NC\* †5 | 🟢Done | -| **⇒ Exporters** | | -| `SSL_export_keying_material` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_export_keying_material_early` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| **⇒ Renegotiation** | | -| `SSL_renegotiate` | HL | 🟩U | 🟥FC | 🟩NC\* †5 | 🟢Done | -| `SSL_renegotiate_abbreviated` | HL | 🟩U | 🟥FC | 🟩NC\* †5 | 🟢Done | -| `SSL_renegotiate_pending` | HL | 🟩U | 🟧NO | 🟩NC\* †5 | 🟢Done | -| **⇒ Options** | | -| `SSL_CTX_clear_options` | HL | 🟩U | 🟩A | 🟨C\* | 🟢Done | -| `SSL_CTX_set_options` | HL | 🟩U | 🟩A | 🟨C\* | 🟢Done | -| `SSL_CTX_get_options` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_clear_options` | HL | 🟩U | 🟩A | 🟨C\* | 🟢Done | -| `SSL_set_options` | HL | 🟩U | 🟩A | 🟨C\* | 🟢Done | -| `SSL_get_options` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| **⇒ Configuration** | | -| `SSL_CONF_CTX_new` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CONF_CTX_free` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CONF_CTX_set_ssl` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CONF_CTX_set_ssl_ctx` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CONF_CTX_set1_prefix` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CONF_CTX_set_flags` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CONF_CTX_clear_flags` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CONF_CTX_finish` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CONF_cmd` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CONF_cmd_argv` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CONF_cmd_value_type` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_config` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_config` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| **⇒ Callbacks** | | -| `SSL_CTX_set_cert_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_cert_store` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_cert_verify_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_client_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_client_cert_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_client_cert_engine` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_client_hello_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_cookie_generate_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_cookie_verify_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_default_passwd_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_default_passwd_cb_userdata` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_default_read_buffer_len` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_get_info_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_info_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_info_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_info_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_msg_callback` | HL | 🟩U | 🟩A | 🟩NC\* †6 | 🟢Done | -| `SSL_set_cert_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_default_passwd_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_default_passwd_cb_userdata` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_default_passwd_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_default_passwd_cb_userdata` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_keylog_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_get_keylog_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_psk_client_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_psk_find_session_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_psk_server_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_psk_use_session_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_get_verify_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_not_resumable_session_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_not_resumable_session_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_session_secret_cb` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| **⇒ Session Management** | | -| `d2i_SSL_SESSION` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `i2d_SSL_SESSION` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `PEM_read_bio_SSL_SESSION` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `PEM_read_SSL_SESSION` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `PEM_write_bio_SSL_SESSION` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `PEM_write_SSL_SESSION` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_new` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_up_ref` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_dup` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_free` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_print` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_print_fp` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_print_keylog` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_get0_cipher` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_set_cipher` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_get0_hostname` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_set1_hostname` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_get0_id_context` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_set1_id_context` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_get0_peer` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_get0_ticket` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_get0_ticket_appdata` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_set1_ticket_appdata` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_has_ticket` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_get_protocol_version` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_set_protocol_version` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_get_compress_id` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_get_id` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_set1_id` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_get_time` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_set_time` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_get_timeout` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_set_timeout` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_get_ex_data` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_set_ex_data` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_get0_hostname` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_set1_hostname` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_get_master_key` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_get_master_key` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_is_resumable` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_get_max_early_data` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_get_max_early_data` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_get_max_fragment_length` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_SESSION_get_ticket_lifetime_hint` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_add_session` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_remove_session` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get1_session` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_session` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_session` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_sess_get_get_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_sess_set_get_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_sess_get_new_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_sess_set_new_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_sess_get_remove_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_sess_set_remove_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_session_id_context` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_session_id_context` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_generate_session_id` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_generate_session_id` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_has_matching_session_id` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_flush_sessions` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_session_reused` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_get_timeout` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_timeout` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_default_timeout` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_sessions` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| **⇒ Session Ticket Management** | | -| `SSL_get_num_tickets` | HL | 🟩U | 🟩A | 🟩NC\* †7 | 🟢Done | -| `SSL_set_num_tickets` | HL | 🟩U | 🟩A | 🟩NC\* †7 | 🟢Done | -| `SSL_CTX_get_num_tickets` | HL | 🟩U | 🟩A | 🟩NC\* †7 | 🟢Done | -| `SSL_CTX_set_num_tickets` | HL | 🟩U | 🟩A | 🟩NC\* †7 | 🟢Done | -| `SSL_new_session_ticket` | HL | 🟩U | 🟩A | 🟩NC\* †7 | 🟢Done | -| `SSL_set_session_ticket_ext` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_session_ticket_ext_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_tlsext_ticket_key_evp_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| **⇒ Security Levels** | | -| `SSL_CTX_get_security_level` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_security_level` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_security_level` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_security_level` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_get_security_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_security_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SS_get_security_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SS_set_security_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_get0_security_ex_data` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set0_security_ex_data` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get0_security_ex_data` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set0_security_ex_data` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| **⇒ Custom Extensions** | | -| `SSL_CTX_add_custom_ext` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_add_client_custom_ext` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_add_server_custom_ext` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_has_client_custom_ext` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| **⇒ Early ClientHello Processing** | | -| `SSL_client_hello_get_extension_order` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_client_hello_get0_ciphers` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_client_hello_get0_compression_methods` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_client_hello_get0_ext` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_client_hello_get0_legacy_version` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_client_hello_get0_random` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_client_hello_get0_session_id` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_client_hello_get1_extensions_present` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_client_hello_isv2` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| **⇒ SNI** | | -| `SSL_get_servername` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_servername_type` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| **⇒ Server Info** | | -| `SSL_CTX_use_serverinfo` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_use_serverinfo_ex` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_use_serverinfo_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| **⇒ Post-Handshake Authentication** | | -| `SSL_verify_client_post_handshake` | HL | 🟩U | 🟥FC | 🟨C* †8 | 🟢Done | -| `SSL_CTX_set_post_handshake_auth` | HL | 🟩U | 🟥FC | 🟨C* †8 | 🟢Done | -| `SSL_set_post_handshake_auth` | HL | 🟩U | 🟥FC | 🟨C* †8 | 🟢Done | -| **⇒ DH Parameters** | | -| `SSL_CTX_set_dh_auto` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_dh_auto` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set0_tmp_dh_pkey` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set0_tmp_dh_pkey` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_tmp_dh_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_tmp_dh_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_CTX_set_tmp_dh` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_tmp_dh` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| **⇒ State Queries** | | -| `SSL_in_init` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_in_before` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_is_init_finished` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_get_state` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_rstate_string` | HL | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_rstate_string_long` | HL | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_state_string` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_state_string_long` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| **⇒ Data Path and CSSM** | | -| `SSL_set_connect_state` | CSSM | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_set_accept_state` | CSSM | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_is_server` | CSSM | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_peek` | ADP | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_peek_ex` | ADP | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_read` | ADP | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_read_ex` | ADP | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_write` | ADP | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_write_ex` | ADP | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_sendfile` | ADP | 🟩U | 🟥FC | 🟩NC\* | 🟢Done | -| `SSL_pending` | ADP | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_has_pending` | ADP | 🟧C | 🟩A | 🟧QSI | 🟢Done | -| `SSL_accept` | CSSM | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_connect` | CSSM | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_do_handshake` | CSSM | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_set0_wbio` | NDP | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_set0_rbio` | NDP | 🟧C | 🟩A | 🟧QSI | 🟢Done | -| `SSL_set_bio` | NDP | 🟧C | 🟩A | 🟧QSI | 🟢Done | -| `SSL_get_wbio` | NDP | 🟧C | 🟩A | 🟧QSI | 🟢Done | -| `SSL_get_rbio` | NDP | 🟧C | 🟩A | 🟧QSI | 🟢Done | -| `SSL_get_error` | NDP | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_get_rfd` | NDP | 🟩U | 🟩A | 🟩NC | 🟢Done | -| `SSL_get_wfd` | NDP | 🟩U | 🟩A | 🟩NC | 🟢Done | -| `SSL_get_fd` | NDP | 🟩U | 🟩A | 🟩NC | 🟢Done | -| `SSL_set_rfd` | NDP | 🟧C | 🟩A | 🟧QSI | 🟢Done | -| `SSL_set_wfd` | NDP | 🟧C | 🟩A | 🟧QSI | 🟢Done | -| `SSL_set_fd` | NDP | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_key_update` | RL | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_get_key_update_type` | RL | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_clear` (connection) | CSSM | 🟩U | 🟥FC | 🟧QSI | 🟢Done | -| `SSL_clear` (stream) | CSSM | 🟩U | 🟥FC | 🟧QSI | 🟢Done | -| `SSL_shutdown` | CSSM | 🟧C | 🟩A | 🟧QSI | 🟢Done | -| `SSL_want` | ADP | 🟧C | 🟩A | 🟧QSI | 🟢Done | -| `BIO_new_ssl_connect` | Global | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `BIO_new_buffer_ssl_connect` | Global | 🟩U | 🟦U | 🟧QSI | 🟢Done | -| `SSL_get_shutdown` | CSSM | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_set_shutdown` | CSSM | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| **⇒ New APIs** | | -| `SSL_is_tls` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_is_quic` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_handle_events` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_get_event_timeout` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_get_blocking_mode` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_set_blocking_mode` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_get_rpoll_descriptor` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_get_wpoll_descriptor` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_net_read_desired` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_net_write_desired` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_set1_initial_peer_addr` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_shutdown_ex` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_stream_conclude` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_stream_reset` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_get_stream_read_state` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_get_stream_write_state` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_get_stream_read_error_code` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_get_stream_write_error_code` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_get_conn_close_info` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_inject_net_dgram` | NDP | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| **⇒ New APIs for Multi-Stream** | | -| `SSL_get0_connection` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_is_connection` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_get_stream_id` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_get_stream_type` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_is_stream_local` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_new_stream` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_accept_stream` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_get_accept_stream_queue_len` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_set_default_stream_mode` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| `SSL_set_incoming_stream_policy` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | -| **⇒ Currently Not Supported** | | -| `SSL_copy_session_id` | Special | 🟩U | 🟥FC | 🟨C* | 🟢Done | -| `BIO_ssl_copy_session_id` | Special | 🟩U | 🟥FC | 🟨C* | 🟢Done | -| `SSL_CTX_set_quiet_shutdown` | CSSM | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `SSL_CTX_get_quiet_shutdown` | CSSM | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `SSL_set_quiet_shutdown` | CSSM | 🟩U | 🟥FC | 🟨C | 🟢Done | -| `SSL_get_quiet_shutdown` | CSSM | 🟩U | 🟧NO | 🟨C | 🟢Done | -| `SSL_CTX_set_ssl_version` | HL | 🟩U | 🟥FC | 🟨C | 🟢Done | -| **⇒ Async** | | -| `SSL_CTX_set_async_callback` | Async | 🟩U | 🟧NO | 🟩NC* †10 | 🟢Done | -| `SSL_set_async_callback` | Async | 🟩U | 🟧NO | 🟩NC* †10 | 🟢Done | -| `SSL_CTX_set_async_callback_arg` | Async | 🟩U | 🟧NO | 🟩NC* †10 | 🟢Done | -| `SSL_set_async_callback_arg` | Async | 🟩U | 🟧NO | 🟩NC* †10 | 🟢Done | -| `SSL_waiting_for_async` | Async | 🟩U | 🟧NO | 🟩NC* †10 | 🟢Done | -| `SSL_get_async_status` | Async | 🟩U | 🟧NO | 🟩NC* †10 | 🟢Done | -| `SSL_get_all_async_fds` | Async | 🟩U | 🟧NO | 🟩NC* †10 | 🟢Done | -| `SSL_get_changed_async_fds` | Async | 🟩U | 🟧NO | 🟩NC* †10 | 🟢Done | -| **⇒ Readahead** | | -| `SSL_CTX_get_default_read_ahead` | RL | 🟩U | 🟧NO | 🟩NC* | 🟢Done | -| `SSL_CTX_get_read_ahead` | RL | 🟩U | 🟧NO | 🟩NC* |🟢Done | -| `SSL_CTX_set_read_ahead` | RL | 🟩U | 🟧NO | 🟨C* |🟢Done | -| `SSL_get_read_ahead` | RL | 🟩U | 🟧NO | 🟨C* |🟢Done | -| `SSL_set_read_ahead` | RL | 🟩U | 🟧NO | 🟨C* | 🟢Done | -| `SSL_CTX_set_default_read_buffer_len` | RL | 🟩U | 🟧NO | 🟩NC* | 🟢Done | -| `SSL_set_default_read_buffer_len` | RL | 🟩U | 🟧NO | 🟨C* | 🟢Done | -| **⇒ Record Padding and Fragmentation** | | -| `SSL_CTX_set_record_padding_callback` | RL | 🟩U | 🟥FC | 🟩NC* | 🟢Done | -| `SSL_set_record_padding_callback` | RL | 🟩U | 🟥FC | 🟨C* | 🟢Done | -| `SSL_CTX_get_record_padding_callback_arg` | RL | 🟩U | 🟥FC | 🟩NC* | 🟢Done | -| `SSL_CTX_set_record_padding_callback_arg` | RL | 🟩U | 🟥FC | 🟩NC* | 🟢Done | -| `SSL_get_record_padding_callback_arg` | RL | 🟩U | 🟥FC | 🟩NC* | 🟢Done | -| `SSL_set_record_padding_callback_arg` | RL | 🟩U | 🟥FC |🟩NC* | 🟢Done | -| `SSL_CTX_set_block_padding` | RL | 🟩U | 🟥FC | 🟩NC* | 🟢Done | -| `SSL_set_block_padding` | RL | 🟩U | 🟥FC | 🟨C* | 🟢Done | -| `SSL_CTX_set_tlsext_max_fragment_length` | RL | 🟩U | 🟥FC | 🟩NC* | 🟢Done | -| `SSL_set_tlsext_max_fragment_length` | RL | 🟩U | 🟥FC | 🟨C* | 🟢Done | -| **⇒ Stateless/HelloRetryRequest** | | -| `SSL_stateless` | RL | 🟩U | 🟥FC | 🟨C* | 🟢Done | -| `SSL_CTX_set_stateless_cookie_generate_cb` | RL | 🟩U | 🟥FC | 🟩NC* | 🟢Done | -| `SSL_CTX_set_stateless_cookie_verify_cb` | RL | 🟩U | 🟥FC | 🟩NC* | 🟢Done | -| **⇒ Early Data/0-RTT** | | -| `SSL_CTX_set_allow_early_data_cb` | 0-RTT | 🟩U | 🟥FC | 🟩NC* | 🟢Done | -| `SSL_set_allow_early_data_cb` | 0-RTT | 🟩U | 🟥FC | 🟨C* |🟢Done | -| `SSL_CTX_get_recv_max_early_data` | 0-RTT | 🟩U | 🟥FC | 🟩NC* | 🟢Done | -| `SSL_CTX_set_recv_max_early_data` | 0-RTT | 🟩U | 🟥FC | 🟩NC* | 🟢Done | -| `SSL_get_recv_max_early_data` | 0-RTT | 🟩U | 🟥FC | 🟩NC* | 🟢Done | -| `SSL_set_recv_max_early_data` | 0-RTT | 🟩U | 🟥FC | 🟨C* | 🟢Done | -| `SSL_CTX_get_max_early_data` | 0-RTT | 🟩U | 🟥FC | 🟩NC* | 🟢Done | -| `SSL_CTX_set_max_early_data` | 0-RTT | 🟩U | 🟥FC | 🟩NC* | 🟢Done | -| `SSL_get_max_early_data` | 0-RTT | 🟩U | 🟥FC | 🟩NC* | 🟢Done | -| `SSL_set_max_early_data` | 0-RTT | 🟩U | 🟥FC | 🟨C* | 🟢Done | -| `SSL_read_early_data` | 0-RTT | 🟩U | 🟥FC | 🟨C* | 🟢Done | -| `SSL_write_early_data` | 0-RTT | 🟩U | 🟥FC | 🟨C* | 🟢Done | -| `SSL_get_early_data_status` | 0-RTT | 🟩U | 🟥FC | 🟩NC* | 🟢Done | -| **⇒ Miscellaneous** | | -| `DTLSv1_listen` | RL | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `DTLS_set_timer_cb` | NDP | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `DTLS_get_data_mtu` | NDP | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `SSL_get_ex_data_X509_STORE_CTX_idx` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | -| `BIO_ssl_shutdown` | Global | 🟩U | 🟩A | 🟩NC | 🟢Done | -| `SSL_alloc_buffers` | HL | 🟩U | 🟩A | 🟨C\* | 🟢Done | -| `SSL_free_buffers` | HL | 🟩U | 🟩A | 🟨C\* | 🟢Done | -| `SSL_trace` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| `SSL_set_debug` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | -| **⇒ Controls** | | -| `SSL_CTRL_MODE` | Special | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_CTRL_CLEAR_MODE` | Special | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS` | HL | 🟩U | 🟧NO | 🟩NC* | 🟢Done | -| `SSL_CTRL_GET_NUM_RENEGOTIATIONS` | HL | 🟩U | 🟧NO | 🟩NC* | 🟢Done | -| `SSL_CTRL_GET_TOTAL_RENEGOTIATIONS` | HL | 🟩U | 🟧NO | 🟩NC* | 🟢Done | -| `SSL_CTRL_GET_RI_SUPPORT` | HL | 🟩U | 🟧NO | 🟩NC* | 🟢Done | -| `SSL_CTRL_GET_READ_AHEAD` | HL | 🟩U | 🟧NO | 🟩NC* | 🟢Done | -| `SSL_CTRL_SET_READ_AHEAD` | HL | 🟩U | 🟥FC | 🟨C* |🟢Done | -| `SSL_CTRL_SET_MAX_PIPELINES` | RL | 🟩U | 🟥FC | 🟨C* | 🟢Done | -| `SSL_CTRL_SET_MAX_SEND_FRAGMENT` | RL | 🟩U | 🟥FC | 🟨C* | 🟢Done | -| `SSL_CTRL_SET_SPLIT_SEND_FRAGMENT` | RL | 🟩U | 🟥FC | 🟨C* | 🟢Done | -| `SSL_CTRL_SET_MTU` | RL | 🟩U | 🟥FC | 🟩NC* | 🟢Done | -| `SSL_CTRL_SET_MAX_PROTO_VERSION` | HL | 🟩U | 🟩A | 🟨C* | 🟢Done | -| `SSL_CTRL_SET_MIN_PROTO_VERSION` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_GET_MAX_PROTO_VERSION` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_GET_MIN_PROTO_VERSION` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_BUILD_CERT_CHAIN` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_CERT_FLAGS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_CHAIN` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_CHAIN_CERT` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_CLEAR_CERT_FLAGS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_EXTRA_CHAIN_CERT` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_GET_CHAIN_CERTS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_GET_CHAIN_CERT_STORE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_GET_CLIENT_CERT_REQUEST` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_GET_CLIENT_CERT_TYPES` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_GET_EC_POINT_FORMATS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_GET_EXTMS_SUPPORT` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_GET_EXTRA_CHAIN_CERTS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_GET_FLAGS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_GET_GROUPS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_GET_IANA_GROUPS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_GET_MAX_CERT_LIST` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_GET_NEGOTIATED_GROUP` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_GET_PEER_SIGNATURE_NID` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_GET_PEER_TMP_KEY` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_GET_RAW_CIPHERLIST` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_GET_SESS_CACHE_MODE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_GET_SESS_CACHE_SIZE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_GET_SHARED_GROUP` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_GET_SIGNATURE_NID` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_GET_TLSEXT_TICKET_KEYS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_GET_TMP_KEY` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_GET_VERIFY_CERT_STORE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SELECT_CURRENT_CERT` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SESS_ACCEPT` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SESS_ACCEPT_GOOD` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SESS_ACCEPT_RENEGOTIATE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SESS_CACHE_FULL` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SESS_CB_HIT` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SESS_CONNECT` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SESS_CONNECT_GOOD` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SESS_CONNECT_RENEGOTIATE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SESS_HIT` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SESS_MISSES` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SESS_NUMBER` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SESS_TIMEOUTS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SET_CHAIN_CERT_STORE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SET_CLIENT_CERT_TYPES` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SET_CLIENT_SIGALGS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SET_CLIENT_SIGALGS_LIST` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SET_CURRENT_CERT` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SET_DH_AUTO` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SET_GROUPS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SET_GROUPS_LIST` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SET_MAX_CERT_LIST` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SET_MSG_CALLBACK` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SET_MSG_CALLBACK_ARG` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SET_RETRY_VERIFY` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SET_SESS_CACHE_MODE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SET_SESS_CACHE_SIZE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SET_SIGALGS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SET_SIGALGS_LIST` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SET_SRP_ARG` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SET_SRP_VERIFY_PARAM_CB` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SET_TLSEXT_DEBUG_ARG` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SET_TLSEXT_DEBUG_CB` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SET_TLSEXT_HOSTNAME` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SET_TLSEXT_SERVERNAME_CB` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SET_TLS_EXT_SRP_USERNAME` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SET_TLSEXT_TICKET_KEYS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SET_TMP_DH` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SET_TMP_DH_CB` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SET_TMP_ECDH` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| `SSL_CTRL_SET_VERIFY_CERT_STORE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | -| **⇒ SSL Modes** | | -| `SSL_MODE_ENABLE_PARTIAL_WRITE` | ADP | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER` | ADP | 🟩U | 🟩A | 🟧QSI | 🟢Done | -| `SSL_MODE_RELEASE_BUFFERS` | ADP | 🟩U | 🟧NO | 🟩NC | 🟢Done | -| `SSL_MODE_ASYNC` | ADP | 🟩U | 🟧NO | 🟩NC | 🟢Done | -| `SSL_MODE_AUTO_RETRY` | ADP | 🟩U | 🟧NO | 🟩NC | 🟢Done | -| `SSL_MODE_SEND_FALLBACK_SCSV` | HL | 🟩U | 🟩U | 🟩NC | 🟢Done | +| API Item | Cat. | Sema. | Appl. | Impl. Req. | Status | +|----------------------------------------------|---------|-------|-------|------------|--------------| +| **⇒ Global Information and Functions** | | | | | | +| `OSSL_default_cipher_list` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `OSSL_default_ciphersuites` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `ERR_load_SSL_strings` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `OPENSSL_init_ssl` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `OPENSSL_cipher_name` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `SSL_alert_desc_string` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `SSL_alert_desc_string_long` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `SSL_alert_type_string` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `SSL_alert_type_string_long` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `SSL_extension_supported` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `SSL_add_ssl_module` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `SSL_test_functions` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `SSL_select_next_proto` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| **⇒ Methods** | | | | | | +| `SSLv3_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `SSLv3_client_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `SSLv3_server_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `TLS_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `TLS_client_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `TLS_server_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `TLSv1_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `TLSv1_client_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `TLSv1_server_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `TLSv1_1_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `TLSv1_1_client_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `TLSv1_1_server_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `TLSv1_2_client_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `TLSv1_2_server_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `TLSv1_2_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `DTLS_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `DTLS_client_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `DTLS_server_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `DTLSv1_client_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `DTLSv1_server_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `DTLSv1_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `DTLSv1_2_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `DTLSv1_2_client_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `DTLSv1_2_server_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `OSSL_QUIC_client_method` | Global | 🟩U | 🟦U | 🟥QSA | 🟢Done | +| `OSSL_QUIC_client_thread_method` | Global | 🟩U | 🟦U | 🟥QSA | 🟢Done | +| `OSSL_QUIC_server_method` | Global | 🟩U | 🟦U | 🟥QSA | 🟠Design TBD | +| **⇒ Instantiation** | | | | | | +| `BIO_f_ssl` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | +| `BIO_new_ssl` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | +| `SSL_CTX_new` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | +| `SSL_CTX_new_ex` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | +| `SSL_CTX_up_ref` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | +| `SSL_CTX_free` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | +| `SSL_new` | Object | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_dup` | Object | 🟩U | 🟩A | 🟥FC | 🟢Done | +| `SSL_up_ref` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | +| `SSL_free` | Object | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_is_dtls` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | +| `SSL_CTX_get_ex_data` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | +| `SSL_CTX_set_ex_data` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | +| `SSL_get_ex_data` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | +| `SSL_set_ex_data` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | +| `SSL_get_SSL_CTX` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | +| `SSL_set_SSL_CTX` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | +| **⇒ Method Manipulation** | | | | | | +| `SSL_CTX_get_ssl_method` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | +| `SSL_get_ssl_method` | Object | 🟩U | 🟩A | 🟩NC | 🟢Done | +| `SSL_set_ssl_method` | Object | 🟩U | 🟥FC | 🟧QSI | 🟢Done | +| **⇒ SRTP** | | | | | | +| `SSL_get_selected_srtp_profile` | HL | 🟩U | 🟧NO | 🟨C\* | 🟢Done | +| `SSL_get_srtp_profiles` | HL | 🟩U | 🟧NO | 🟨C\* | 🟢Done | +| `SSL_CTX_set_tlsext_use_srtp` | HL | 🟩U | 🟥FC | 🟨C\* | 🟢Done | +| `SSL_set_tlsext_use_srtp` | HL | 🟩U | 🟥FC | 🟩NC\* | 🟢Done | +| **⇒ Ciphersuite Configuration** | | | | | | +| `SSL_CTX_set_cipher_list` | HL | 🟩U | 🟩A | 🟩NC\* †11 | 🟢Done | +| `SSL_CTX_set_ciphersuites` | HL | 🟩U | 🟩A | 🟨C\* †1 | 🟢Done | +| `SSL_CTX_get_ciphers` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_ciphersuites` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get1_supported_ciphers` | HL | 🟩U | 🟩A | 🟨C\* †1 | 🟢Done | +| `SSL_bytes_to_cipher_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_ciphers` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_cipher_list` | HL | 🟩U | 🟩A | 🟩NC\* †11 | 🟢Done | +| `SSL_set_cipher_list` | HL | 🟩U | 🟩A | 🟩NC\* †11 | 🟢Done | +| **⇒ Negotiated Ciphersuite Queries** | | | | | | +| `SSL_get_current_cipher` | HL | 🟩U | 🟩A | 🟩NC\* †9 | 🟢Done | +| `SSL_get_pending_cipher` | HL | 🟩U | 🟩A | 🟩NC\* †9 | 🟢Done | +| `SSL_get_shared_ciphers` | HL | 🟩U | 🟩A | 🟩NC\* †9 | 🟢Done | +| `SSL_get_client_ciphers` | HL | 🟩U | 🟩A | 🟩NC\* †9 | 🟢Done | +| `SSL_get_current_compression` | HL | 🟩U | 🟩A | 🟩HLNC | 🟢Done | +| `SSL_get_current_expansion` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_shared_sigalgs` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_sigalgs` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_peer_signature_nid` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_peer_signature_type_nid` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_signature_nid` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_signature_type_nid` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ ALPN** | †2 | | | | | +| `SSL_SESSION_set1_alpn_selected` | HL | 🟩U | 🟩A | 🟨C\* †2 | 🟢Done | +| `SSL_SESSION_get0_alpn_selected` | HL | 🟩U | 🟩A | 🟨C\* †2 | 🟢Done | +| `SSL_CTX_set_alpn_select_cb` | HL | 🟩U | 🟩A | 🟨C\* †2 | 🟢Done | +| `SSL_set_alpn_protos` | HL | 🟩U | 🟩A | 🟨C\* †2 | 🟢Done | +| `SSL_get0_alpn_selected` | HL | 🟩U | 🟩A | 🟨C\* †2 | 🟢Done | +| `SSL_CTX_set_alpn_protos` | HL | 🟩U | 🟩A | 🟨C\* †2 | 🟢Done | +| **⇒ NPN** | †3 | | | | | +| `SSL_CTX_set_next_proto_select_cb` | HL | 🟩U | 🟥FC | 🟨C\* †3 | 🟢Done | +| `SSL_CTX_set_next_protos_advertised_cb` | HL | 🟩U | 🟥FC | 🟨C\* †3 | 🟢Done | +| `SSL_get0_next_proto_negotiated` | HL | 🟩U | 🟥FC | 🟩NC\* †3 | 🟢Done | +| **⇒ Narrow Waist Interface** | †4 | | | | | +| `SSL_CTX_ctrl` | Object | 🟩U | 🟩A | 🟩NC\* †4 | 🟢Done | +| `SSL_ctrl` | Object | 🟩U | 🟩A | 🟩NC\* †4 | 🟢Done | +| `SSL_CTX_callback_ctrl` | Object | 🟩U | 🟩A | 🟩NC\* †4 | 🟢Done | +| `SSL_callback_ctrl` | Object | 🟩U | 🟩A | 🟩NC\* †4 | 🟢Done | +| **⇒ Miscellaneous Accessors** | | | | | | +| `SSL_get_server_random` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_client_random` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_finished` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_peer_finished` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ Ciphersuite Information** | | | | | | +| `SSL_CIPHER_description` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CIPHER_find` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CIPHER_get_auth_nid` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CIPHER_get_bits` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CIPHER_get_cipher_nid` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CIPHER_get_digest_nid` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CIPHER_get_handshake_digest` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CIPHER_get_id` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CIPHER_get_kx_nid` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CIPHER_get_name` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CIPHER_get_protocol_id` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CIPHER_get_version` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CIPHER_is_aead` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CIPHER_standard_name` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_group_to_name` | Global | 🟩U | 🟦U | 🟩NC\* | 🟢Done | +| **⇒ Version Queries** | | | | | | +| `SSL_get_version` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_version` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_client_version` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ Certificate Chain Management** | | | | | | +| `SSL_get_certificate` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_use_certificate` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_use_certificate_chain_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_use_certificate_chain_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_use_certificate_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_load_verify_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_load_verify_dir` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_load_verify_store` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_load_verify_locations` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `CertSSL_use_cert_and_key` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_use_certificate_ASN1` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_use_PrivateKey` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_use_PrivateKey_ASN1` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_use_PrivateKey_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_use_RSAPrivateKey` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_use_RSAPrivateKey_ASN1` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_use_RSAPrivateKey_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_default_verify_dir` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_default_verify_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_default_verify_paths` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_default_verify_store` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_use_cert_and_key` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_use_certificate` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_use_certificate_ASN1` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_use_certificate_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_use_PrivateKey` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_use_PrivateKey_ASN1` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_use_PrivateKey_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_use_RSAPrivateKey` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_use_RSAPrivateKey_ASN1` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_use_RSAPrivateKey_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_check_chain` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_check_private_key` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_check_private_key` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_add_client_CA` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_add1_to_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_add_dir_cert_subjects_to_stack` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_add_file_cert_subjects_to_stack` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_add_store_cert_subjects_to_stack` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_load_client_CA_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_load_client_CA_file_ex` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_dup_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set0_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get0_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_client_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_add_client_CA` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_get0_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_get0_certificate` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_get0_privatekey` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_get_cert_store` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set1_cert_store` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_get_client_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_add1_to_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set0_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_get_client_cert_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_get_default_passwd_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_get_default_passwd_cb_userdata` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_client_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_privatekey` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ Certificate Compression** | | | | | | +| `SSL_CTX_set1_cert_comp_preference` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set1_cert_comp_preference` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_compress_certs` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_compress_certs` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set1_compressed_cert` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set1_compressed_cert` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_get1_compressed_cert` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get1_compressed_cert` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ Certificate Verification** | | | | | | +| `SSL_set1_host` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_add1_host` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_hostflags` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_verify` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_verify` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_verify_depth` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_verify_result` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_verify_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_verify_depth` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_verify_mode` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_verify_result` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get0_peer_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get0_peer_certificate` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get0_verified_chain` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get1_peer_certificate` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_peer_cert_chain` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_peer_certificate` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_certs_clear` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_get0_param` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get0_param` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_get_verify_mode` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_get_verify_depth` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_verify_depth` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get0_peername` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set1_param` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set1_param` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_get0_param` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get0_param` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_purpose` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_purpose` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_trust` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_trust` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ PSK** | | | | | | +| `SSL_use_psk_identity_hint` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_use_psk_identity_hint` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_psk_client_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_psk_find_session_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_psk_server_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_psk_use_session_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_psk_identity` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_psk_identity_hint` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ SRP** | | | | | | +| `SSL_SRP_CTX_init` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_SRP_CTX_init` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_SRP_CTX_free` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SRP_CTX_free` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_srp_client_pwd_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_srp_password` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_srp_g` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_srp_cb_arg` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_srp_N` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_srp_username_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_srp_username` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_srp_server_param` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_srp_userinfo` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_srp_server_param_with_username` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_srp_strength` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_srp_verify_param_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_srp_server_param_pw` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_srp_username` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SRP_Calc_A_param` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ DANE** | | | | | | +| `SSL_CTX_dane_enable` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get0_dane_tlsa` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_dane_set_flags` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_dane_set_flags` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_dane_clear_flags` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_dane_clear_flags` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get0_dane` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_dane_enable` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get0_dane_authority` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_dane_mtype_set` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_dane_tlsa_add` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ Certificate Transparency** | | | | | | +| `SSL_CTX_enable_ct` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_ct_is_enabled` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_ctlog_list_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_default_ctlog_list_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_ct_validation_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set0_ctlog_store` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_get0_ctlog_store` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_enable_ct` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_ct_is_enabled` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get0_peer_scts` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_ct_validation_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ Compression** | | | | | | +| `SSL_COMP_add_compression_method` | HL | 🟩U | 🟩A | 🟩NC\* †5 | 🟢Done | +| `SSL_COMP_get0_name` | HL | 🟩U | 🟩A | 🟩NC\* †5 | 🟢Done | +| `SSL_COMP_get_compression_methods` | HL | 🟩U | 🟩A | 🟩NC\* †5 | 🟢Done | +| `SSL_COMP_get_id` | HL | 🟩U | 🟩A | 🟩NC\* †5 | 🟢Done | +| `SSL_COMP_get_name` | HL | 🟩U | 🟩A | 🟩NC\* †5 | 🟢Done | +| `SSL_COMP_set0_compression_methods` | HL | 🟩U | 🟩A | 🟩NC\* †5 | 🟢Done | +| **⇒ Exporters** | | | | | | +| `SSL_export_keying_material` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_export_keying_material_early` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ Renegotiation** | | | | | | +| `SSL_renegotiate` | HL | 🟩U | 🟥FC | 🟩NC\* †5 | 🟢Done | +| `SSL_renegotiate_abbreviated` | HL | 🟩U | 🟥FC | 🟩NC\* †5 | 🟢Done | +| `SSL_renegotiate_pending` | HL | 🟩U | 🟧NO | 🟩NC\* †5 | 🟢Done | +| **⇒ Options** | | | | | | +| `SSL_CTX_clear_options` | HL | 🟩U | 🟩A | 🟨C\* | 🟢Done | +| `SSL_CTX_set_options` | HL | 🟩U | 🟩A | 🟨C\* | 🟢Done | +| `SSL_CTX_get_options` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_clear_options` | HL | 🟩U | 🟩A | 🟨C\* | 🟢Done | +| `SSL_set_options` | HL | 🟩U | 🟩A | 🟨C\* | 🟢Done | +| `SSL_get_options` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ Configuration** | | | | | | +| `SSL_CONF_CTX_new` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CONF_CTX_free` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CONF_CTX_set_ssl` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CONF_CTX_set_ssl_ctx` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CONF_CTX_set1_prefix` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CONF_CTX_set_flags` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CONF_CTX_clear_flags` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CONF_CTX_finish` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CONF_cmd` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CONF_cmd_argv` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CONF_cmd_value_type` | Global | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_config` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_config` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ Callbacks** | | | | | | +| `SSL_CTX_set_cert_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_cert_store` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_cert_verify_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_client_CA_list` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_client_cert_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_client_cert_engine` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_client_hello_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_cookie_generate_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_cookie_verify_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_default_passwd_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_default_passwd_cb_userdata` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_default_read_buffer_len` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_get_info_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_info_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_info_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_info_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_msg_callback` | HL | 🟩U | 🟩A | 🟩NC\* †6 | 🟢Done | +| `SSL_set_cert_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_default_passwd_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_default_passwd_cb_userdata` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_default_passwd_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_default_passwd_cb_userdata` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_keylog_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_get_keylog_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_psk_client_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_psk_find_session_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_psk_server_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_psk_use_session_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_get_verify_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_not_resumable_session_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_not_resumable_session_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_session_secret_cb` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| **⇒ Session Management** | | | | | | +| `d2i_SSL_SESSION` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `i2d_SSL_SESSION` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `PEM_read_bio_SSL_SESSION` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `PEM_read_SSL_SESSION` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `PEM_write_bio_SSL_SESSION` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `PEM_write_SSL_SESSION` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_new` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_up_ref` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_dup` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_free` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_print` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_print_fp` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_print_keylog` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_get0_cipher` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_set_cipher` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_get0_hostname` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_set1_hostname` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_get0_id_context` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_set1_id_context` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_get0_peer` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_get0_ticket` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_get0_ticket_appdata` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_set1_ticket_appdata` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_has_ticket` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_get_protocol_version` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_set_protocol_version` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_get_compress_id` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_get_id` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_set1_id` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_get_time` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_set_time` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_get_timeout` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_set_timeout` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_get_ex_data` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_set_ex_data` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_get0_hostname` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_set1_hostname` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_get_master_key` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_get_master_key` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_is_resumable` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_get_max_early_data` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_get_max_early_data` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_get_max_fragment_length` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_SESSION_get_ticket_lifetime_hint` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_add_session` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_remove_session` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get1_session` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_session` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_session` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_sess_get_get_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_sess_set_get_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_sess_get_new_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_sess_set_new_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_sess_get_remove_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_sess_set_remove_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_session_id_context` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_session_id_context` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_generate_session_id` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_generate_session_id` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_has_matching_session_id` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_flush_sessions` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_session_reused` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_get_timeout` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_timeout` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_default_timeout` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_sessions` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ Session Ticket Management** | | | | | | +| `SSL_get_num_tickets` | HL | 🟩U | 🟩A | 🟩NC\* †7 | 🟢Done | +| `SSL_set_num_tickets` | HL | 🟩U | 🟩A | 🟩NC\* †7 | 🟢Done | +| `SSL_CTX_get_num_tickets` | HL | 🟩U | 🟩A | 🟩NC\* †7 | 🟢Done | +| `SSL_CTX_set_num_tickets` | HL | 🟩U | 🟩A | 🟩NC\* †7 | 🟢Done | +| `SSL_new_session_ticket` | HL | 🟩U | 🟩A | 🟩NC\* †7 | 🟢Done | +| `SSL_set_session_ticket_ext` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_session_ticket_ext_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_tlsext_ticket_key_evp_cb` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ Security Levels** | | | | | | +| `SSL_CTX_get_security_level` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_security_level` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_security_level` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_security_level` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_get_security_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_security_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_security_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_security_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_get0_security_ex_data` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set0_security_ex_data` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get0_security_ex_data` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set0_security_ex_data` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ Custom Extensions** | | | | | | +| `SSL_CTX_add_custom_ext` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_add_client_custom_ext` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_add_server_custom_ext` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_has_client_custom_ext` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ Early ClientHello Processing** | | | | | | +| `SSL_client_hello_get_extension_order` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_client_hello_get0_ciphers` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_client_hello_get0_compression_methods` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_client_hello_get0_ext` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_client_hello_get0_legacy_version` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_client_hello_get0_random` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_client_hello_get0_session_id` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_client_hello_get1_extensions_present` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_client_hello_isv2` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ SNI** | | | | | | +| `SSL_get_servername` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_servername_type` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ Server Info** | | | | | | +| `SSL_CTX_use_serverinfo` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_use_serverinfo_ex` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_use_serverinfo_file` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ Post-Handshake Authentication** | | | | | | +| `SSL_verify_client_post_handshake` | HL | 🟩U | 🟥FC | 🟨C* †8 | 🟢Done | +| `SSL_CTX_set_post_handshake_auth` | HL | 🟩U | 🟥FC | 🟨C* †8 | 🟢Done | +| `SSL_set_post_handshake_auth` | HL | 🟩U | 🟥FC | 🟨C* †8 | 🟢Done | +| **⇒ DH Parameters** | | | | | | +| `SSL_CTX_set_dh_auto` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_dh_auto` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set0_tmp_dh_pkey` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set0_tmp_dh_pkey` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_tmp_dh_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_tmp_dh_callback` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_CTX_set_tmp_dh` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_tmp_dh` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ State Queries** | | | | | | +| `SSL_in_init` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_in_before` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_is_init_finished` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_get_state` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_rstate_string` | HL | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_rstate_string_long` | HL | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_state_string` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_state_string_long` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ Data Path and CSSM** | | | | | | +| `SSL_set_connect_state` | CSSM | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_set_accept_state` | CSSM | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_is_server` | CSSM | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_peek` | ADP | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_peek_ex` | ADP | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_read` | ADP | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_read_ex` | ADP | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_write` | ADP | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_write_ex` | ADP | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_sendfile` | ADP | 🟩U | 🟥FC | 🟩NC\* | 🟢Done | +| `SSL_pending` | ADP | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_has_pending` | ADP | 🟧C | 🟩A | 🟧QSI | 🟢Done | +| `SSL_accept` | CSSM | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_connect` | CSSM | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_do_handshake` | CSSM | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_set0_wbio` | NDP | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_set0_rbio` | NDP | 🟧C | 🟩A | 🟧QSI | 🟢Done | +| `SSL_set_bio` | NDP | 🟧C | 🟩A | 🟧QSI | 🟢Done | +| `SSL_get_wbio` | NDP | 🟧C | 🟩A | 🟧QSI | 🟢Done | +| `SSL_get_rbio` | NDP | 🟧C | 🟩A | 🟧QSI | 🟢Done | +| `SSL_get_error` | NDP | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_get_rfd` | NDP | 🟩U | 🟩A | 🟩NC | 🟢Done | +| `SSL_get_wfd` | NDP | 🟩U | 🟩A | 🟩NC | 🟢Done | +| `SSL_get_fd` | NDP | 🟩U | 🟩A | 🟩NC | 🟢Done | +| `SSL_set_rfd` | NDP | 🟧C | 🟩A | 🟧QSI | 🟢Done | +| `SSL_set_wfd` | NDP | 🟧C | 🟩A | 🟧QSI | 🟢Done | +| `SSL_set_fd` | NDP | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_key_update` | RL | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_get_key_update_type` | RL | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_clear` (connection) | CSSM | 🟩U | 🟥FC | 🟧QSI | 🟢Done | +| `SSL_clear` (stream) | CSSM | 🟩U | 🟥FC | 🟧QSI | 🟢Done | +| `SSL_shutdown` | CSSM | 🟧C | 🟩A | 🟧QSI | 🟢Done | +| `SSL_want` | ADP | 🟧C | 🟩A | 🟧QSI | 🟢Done | +| `BIO_new_ssl_connect` | Global | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `BIO_new_buffer_ssl_connect` | Global | 🟩U | 🟦U | 🟧QSI | 🟢Done | +| `SSL_get_shutdown` | CSSM | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_set_shutdown` | CSSM | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| **⇒ New APIs** | | | | | | +| `SSL_is_tls` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_is_quic` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_handle_events` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_get_event_timeout` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_get_blocking_mode` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_set_blocking_mode` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_get_rpoll_descriptor` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_get_wpoll_descriptor` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_net_read_desired` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_net_write_desired` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_set1_initial_peer_addr` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_shutdown_ex` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_stream_conclude` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_stream_reset` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_get_stream_read_state` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_get_stream_write_state` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_get_stream_read_error_code` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_get_stream_write_error_code` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_get_conn_close_info` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_inject_net_dgram` | NDP | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| **⇒ New APIs for Multi-Stream** | | | | | | +| `SSL_get0_connection` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_is_connection` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_get_stream_id` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_get_stream_type` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_is_stream_local` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_new_stream` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_accept_stream` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_get_accept_stream_queue_len` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_set_default_stream_mode` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| `SSL_set_incoming_stream_policy` | CSSM | 🟦N | 🟩A | 🟥QSA | 🟢Done | +| **⇒ Currently Not Supported** | | | | | | +| `SSL_copy_session_id` | Special | 🟩U | 🟥FC | 🟨C* | 🟢Done | +| `BIO_ssl_copy_session_id` | Special | 🟩U | 🟥FC | 🟨C* | 🟢Done | +| `SSL_CTX_set_quiet_shutdown` | CSSM | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `SSL_CTX_get_quiet_shutdown` | CSSM | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `SSL_set_quiet_shutdown` | CSSM | 🟩U | 🟥FC | 🟨C | 🟢Done | +| `SSL_get_quiet_shutdown` | CSSM | 🟩U | 🟧NO | 🟨C | 🟢Done | +| `SSL_CTX_set_ssl_version` | HL | 🟩U | 🟥FC | 🟨C | 🟢Done | +| **⇒ Async** | | | | | | +| `SSL_CTX_set_async_callback` | Async | 🟩U | 🟧NO | 🟩NC* †10 | 🟢Done | +| `SSL_set_async_callback` | Async | 🟩U | 🟧NO | 🟩NC* †10 | 🟢Done | +| `SSL_CTX_set_async_callback_arg` | Async | 🟩U | 🟧NO | 🟩NC* †10 | 🟢Done | +| `SSL_set_async_callback_arg` | Async | 🟩U | 🟧NO | 🟩NC* †10 | 🟢Done | +| `SSL_waiting_for_async` | Async | 🟩U | 🟧NO | 🟩NC* †10 | 🟢Done | +| `SSL_get_async_status` | Async | 🟩U | 🟧NO | 🟩NC* †10 | 🟢Done | +| `SSL_get_all_async_fds` | Async | 🟩U | 🟧NO | 🟩NC* †10 | 🟢Done | +| `SSL_get_changed_async_fds` | Async | 🟩U | 🟧NO | 🟩NC* †10 | 🟢Done | +| **⇒ Readahead** | | | | | | +| `SSL_CTX_get_default_read_ahead` | RL | 🟩U | 🟧NO | 🟩NC* | 🟢Done | +| `SSL_CTX_get_read_ahead` | RL | 🟩U | 🟧NO | 🟩NC* | 🟢Done | +| `SSL_CTX_set_read_ahead` | RL | 🟩U | 🟧NO | 🟨C* | 🟢Done | +| `SSL_get_read_ahead` | RL | 🟩U | 🟧NO | 🟨C* | 🟢Done | +| `SSL_set_read_ahead` | RL | 🟩U | 🟧NO | 🟨C* | 🟢Done | +| `SSL_CTX_set_default_read_buffer_len` | RL | 🟩U | 🟧NO | 🟩NC* | 🟢Done | +| `SSL_set_default_read_buffer_len` | RL | 🟩U | 🟧NO | 🟨C* | 🟢Done | +| **⇒ Record Padding and Fragmentation** | | | | | | +| `SSL_CTX_set_record_padding_callback` | RL | 🟩U | 🟥FC | 🟩NC* | 🟢Done | +| `SSL_set_record_padding_callback` | RL | 🟩U | 🟥FC | 🟨C* | 🟢Done | +| `SSL_CTX_get_record_padding_callback_arg` | RL | 🟩U | 🟥FC | 🟩NC* | 🟢Done | +| `SSL_CTX_set_record_padding_callback_arg` | RL | 🟩U | 🟥FC | 🟩NC* | 🟢Done | +| `SSL_get_record_padding_callback_arg` | RL | 🟩U | 🟥FC | 🟩NC* | 🟢Done | +| `SSL_set_record_padding_callback_arg` | RL | 🟩U | 🟥FC | 🟩NC* | 🟢Done | +| `SSL_CTX_set_block_padding` | RL | 🟩U | 🟥FC | 🟩NC* | 🟢Done | +| `SSL_set_block_padding` | RL | 🟩U | 🟥FC | 🟨C* | 🟢Done | +| `SSL_CTX_set_tlsext_max_fragment_length` | RL | 🟩U | 🟥FC | 🟩NC* | 🟢Done | +| `SSL_set_tlsext_max_fragment_length` | RL | 🟩U | 🟥FC | 🟨C* | 🟢Done | +| **⇒ Stateless/HelloRetryRequest** | | | | | | +| `SSL_stateless` | RL | 🟩U | 🟥FC | 🟨C* | 🟢Done | +| `SSL_CTX_set_stateless_cookie_generate_cb` | RL | 🟩U | 🟥FC | 🟩NC* | 🟢Done | +| `SSL_CTX_set_stateless_cookie_verify_cb` | RL | 🟩U | 🟥FC | 🟩NC* | 🟢Done | +| **⇒ Early Data/0-RTT** | | | | | | +| `SSL_CTX_set_allow_early_data_cb` | 0-RTT | 🟩U | 🟥FC | 🟩NC* | 🟢Done | +| `SSL_set_allow_early_data_cb` | 0-RTT | 🟩U | 🟥FC | 🟨C* | 🟢Done | +| `SSL_CTX_get_recv_max_early_data` | 0-RTT | 🟩U | 🟥FC | 🟩NC* | 🟢Done | +| `SSL_CTX_set_recv_max_early_data` | 0-RTT | 🟩U | 🟥FC | 🟩NC* | 🟢Done | +| `SSL_get_recv_max_early_data` | 0-RTT | 🟩U | 🟥FC | 🟩NC* | 🟢Done | +| `SSL_set_recv_max_early_data` | 0-RTT | 🟩U | 🟥FC | 🟨C* | 🟢Done | +| `SSL_CTX_get_max_early_data` | 0-RTT | 🟩U | 🟥FC | 🟩NC* | 🟢Done | +| `SSL_CTX_set_max_early_data` | 0-RTT | 🟩U | 🟥FC | 🟩NC* | 🟢Done | +| `SSL_get_max_early_data` | 0-RTT | 🟩U | 🟥FC | 🟩NC* | 🟢Done | +| `SSL_set_max_early_data` | 0-RTT | 🟩U | 🟥FC | 🟨C* | 🟢Done | +| `SSL_read_early_data` | 0-RTT | 🟩U | 🟥FC | 🟨C* | 🟢Done | +| `SSL_write_early_data` | 0-RTT | 🟩U | 🟥FC | 🟨C* | 🟢Done | +| `SSL_get_early_data_status` | 0-RTT | 🟩U | 🟥FC | 🟩NC* | 🟢Done | +| **⇒ Miscellaneous** | | | | | | +| `DTLSv1_listen` | RL | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `DTLS_set_timer_cb` | NDP | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `DTLS_get_data_mtu` | NDP | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `SSL_get_ex_data_X509_STORE_CTX_idx` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done | +| `BIO_ssl_shutdown` | Global | 🟩U | 🟩A | 🟩NC | 🟢Done | +| `SSL_alloc_buffers` | HL | 🟩U | 🟩A | 🟨C\* | 🟢Done | +| `SSL_free_buffers` | HL | 🟩U | 🟩A | 🟨C\* | 🟢Done | +| `SSL_trace` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| `SSL_set_debug` | HL | 🟩U | 🟩A | 🟩NC\* | 🟢Done | +| **⇒ Controls** | | | | | | +| `SSL_CTRL_MODE` | Special | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_CTRL_CLEAR_MODE` | Special | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS` | HL | 🟩U | 🟧NO | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_NUM_RENEGOTIATIONS` | HL | 🟩U | 🟧NO | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_TOTAL_RENEGOTIATIONS` | HL | 🟩U | 🟧NO | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_RI_SUPPORT` | HL | 🟩U | 🟧NO | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_READ_AHEAD` | HL | 🟩U | 🟧NO | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_READ_AHEAD` | HL | 🟩U | 🟥FC | 🟨C* | 🟢Done | +| `SSL_CTRL_SET_MAX_PIPELINES` | RL | 🟩U | 🟥FC | 🟨C* | 🟢Done | +| `SSL_CTRL_SET_MAX_SEND_FRAGMENT` | RL | 🟩U | 🟥FC | 🟨C* | 🟢Done | +| `SSL_CTRL_SET_SPLIT_SEND_FRAGMENT` | RL | 🟩U | 🟥FC | 🟨C* | 🟢Done | +| `SSL_CTRL_SET_MTU` | RL | 🟩U | 🟥FC | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_MAX_PROTO_VERSION` | HL | 🟩U | 🟩A | 🟨C* | 🟢Done | +| `SSL_CTRL_SET_MIN_PROTO_VERSION` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_MAX_PROTO_VERSION` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_MIN_PROTO_VERSION` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_BUILD_CERT_CHAIN` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_CERT_FLAGS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_CHAIN` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_CHAIN_CERT` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_CLEAR_CERT_FLAGS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_EXTRA_CHAIN_CERT` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_CHAIN_CERTS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_CHAIN_CERT_STORE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_CLIENT_CERT_REQUEST` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_CLIENT_CERT_TYPES` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_EC_POINT_FORMATS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_EXTMS_SUPPORT` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_EXTRA_CHAIN_CERTS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_FLAGS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_GROUPS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_IANA_GROUPS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_MAX_CERT_LIST` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_NEGOTIATED_GROUP` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_PEER_SIGNATURE_NID` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_PEER_TMP_KEY` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_RAW_CIPHERLIST` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_SESS_CACHE_MODE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_SESS_CACHE_SIZE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_SHARED_GROUP` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_SIGNATURE_NID` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_TLSEXT_TICKET_KEYS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_TMP_KEY` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_GET_VERIFY_CERT_STORE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SELECT_CURRENT_CERT` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SESS_ACCEPT` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SESS_ACCEPT_GOOD` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SESS_ACCEPT_RENEGOTIATE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SESS_CACHE_FULL` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SESS_CB_HIT` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SESS_CONNECT` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SESS_CONNECT_GOOD` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SESS_CONNECT_RENEGOTIATE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SESS_HIT` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SESS_MISSES` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SESS_NUMBER` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SESS_TIMEOUTS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_CHAIN_CERT_STORE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_CLIENT_CERT_TYPES` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_CLIENT_SIGALGS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_CLIENT_SIGALGS_LIST` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_CURRENT_CERT` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_DH_AUTO` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_GROUPS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_GROUPS_LIST` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_MAX_CERT_LIST` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_MSG_CALLBACK` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_MSG_CALLBACK_ARG` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_RETRY_VERIFY` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_SESS_CACHE_MODE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_SESS_CACHE_SIZE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_SIGALGS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_SIGALGS_LIST` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_SRP_ARG` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_SRP_VERIFY_PARAM_CB` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_TLSEXT_DEBUG_ARG` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_TLSEXT_DEBUG_CB` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_TLSEXT_HOSTNAME` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_TLSEXT_SERVERNAME_CB` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_TLS_EXT_SRP_USERNAME` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_TLSEXT_TICKET_KEYS` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_TMP_DH` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_TMP_DH_CB` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_TMP_ECDH` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| `SSL_CTRL_SET_VERIFY_CERT_STORE` | HL | 🟩U | 🟩A | 🟩NC* | 🟢Done | +| **⇒ SSL Modes** | | | | | | +| `SSL_MODE_ENABLE_PARTIAL_WRITE` | ADP | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER` | ADP | 🟩U | 🟩A | 🟧QSI | 🟢Done | +| `SSL_MODE_RELEASE_BUFFERS` | ADP | 🟩U | 🟧NO | 🟩NC | 🟢Done | +| `SSL_MODE_ASYNC` | ADP | 🟩U | 🟧NO | 🟩NC | 🟢Done | +| `SSL_MODE_AUTO_RETRY` | ADP | 🟩U | 🟧NO | 🟩NC | 🟢Done | +| `SSL_MODE_SEND_FALLBACK_SCSV` | HL | 🟩U | 🟩U | 🟩NC | 🟢Done | Q&A For TLS-Related Calls ------------------------- diff --git a/doc/designs/quic-design/tx-packetiser.md b/doc/designs/quic-design/tx-packetiser.md index f2d7e69a16..38e9def5e9 100644 --- a/doc/designs/quic-design/tx-packetiser.md +++ b/doc/designs/quic-design/tx-packetiser.md @@ -258,39 +258,39 @@ Packetisation and Processing Frames are taken from [RFC 9000 12.4 Frames and Frame Types]. -| Type | Name | I | H | 0 | 1 | N | C | P | F | -| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | -| 0x00 | padding | ✓ | ✓ | ✓ | ✓ | ✓ | | ✓ -| 0x01 | ping | ✓ | ✓ | ✓ | ✓ | | | | | -| 0x02 | ack 0x02 | ✓ | ✓ | | ✓ | ✓ | ✓ | | | -| 0x03 | ack 0x03 | ✓ | ✓ | | ✓ | ✓ | ✓ | | | -| 0x04 | reset_stream | | | ✓ | ✓ | | | | | -| 0x05 | stop_sending | | | ✓ | ✓ | | | | | -| 0x06 | crypto | ✓ | ✓ | | ✓ | | | | | -| 0x07 | new_token | | | | ✓ | | | | | -| 0x08 | stream 0x08 | | | ✓ | ✓ | | | | ✓ | -| 0x09 | stream 0x09 | | | ✓ | ✓ | | | | ✓ | -| 0x0A | stream 0x0A | | | ✓ | ✓ | | | | ✓ | -| 0x0B | stream 0x0B | | | ✓ | ✓ | | | | ✓ | -| 0x0C | stream 0x0C | | | ✓ | ✓ | | | | ✓ | -| 0x0D | stream 0x0D | | | ✓ | ✓ | | | | ✓ | -| 0x0E | stream 0x0E | | | ✓ | ✓ | | | | ✓ | -| 0x0F | stream 0x0F | | | ✓ | ✓ | | | | ✓ | -| 0x10 | max_data | | | ✓ | ✓ | | | | | -| 0x11 | max_stream_data | | | ✓ | ✓ | | | | | -| 0x12 | max_streams 0x12 | | | ✓ | ✓ | | | | | -| 0x13 | max_streams 0x13 | | | ✓ | ✓ | | | | | -| 0x14 | data_blocked | | | ✓ | ✓ | | | | | -| 0x15 | stream_data_blocked | | | ✓ | ✓ | | | | | -| 0x16 | streams_blocked 0x16 | | | ✓ | ✓ | | | | | -| 0x17 | streams_blocked 0x17 | | | ✓ | ✓ | | | | | -| 0x18 | new_connection_id | | | ✓ | ✓ | | | ✓ | | -| 0x19 | retire_connection_id | | | ✓ | ✓ | | | | | -| 0x1A | path_challenge | | | ✓ | ✓ | | | ✓ | | -| 0x1B | path_response | | | | ✓ | | | ✓ | | -| 0x1C | connection_close 0x1C | ✓ | ✓ | ✓ | ✓ | ✓ -| 0x1D | connection_close 0x1D | | | ✓ | ✓ | ✓ | | | | -| 0x1E | handshake_done | | | | ✓ | | | | | +| Type | Name | I | H | 0 | 1 | N | C | P | F | +|------|-----------------------|---------|---------|---------|---------|---------|---------|---------|---------| +| 0x00 | padding | ✓ | ✓ | ✓ | ✓ | ✓ | | ✓ | | +| 0x01 | ping | ✓ | ✓ | ✓ | ✓ | | | | | +| 0x02 | ack 0x02 | ✓ | ✓ | | ✓ | ✓ | ✓ | | | +| 0x03 | ack 0x03 | ✓ | ✓ | | ✓ | ✓ | ✓ | | | +| 0x04 | reset_stream | | | ✓ | ✓ | | | | | +| 0x05 | stop_sending | | | ✓ | ✓ | | | | | +| 0x06 | crypto | ✓ | ✓ | | ✓ | | | | | +| 0x07 | new_token | | | | ✓ | | | | | +| 0x08 | stream 0x08 | | | ✓ | ✓ | | | | ✓ | +| 0x09 | stream 0x09 | | | ✓ | ✓ | | | | ✓ | +| 0x0A | stream 0x0A | | | ✓ | ✓ | | | | ✓ | +| 0x0B | stream 0x0B | | | ✓ | ✓ | | | | ✓ | +| 0x0C | stream 0x0C | | | ✓ | ✓ | | | | ✓ | +| 0x0D | stream 0x0D | | | ✓ | ✓ | | | | ✓ | +| 0x0E | stream 0x0E | | | ✓ | ✓ | | | | ✓ | +| 0x0F | stream 0x0F | | | ✓ | ✓ | | | | ✓ | +| 0x10 | max_data | | | ✓ | ✓ | | | | | +| 0x11 | max_stream_data | | | ✓ | ✓ | | | | | +| 0x12 | max_streams 0x12 | | | ✓ | ✓ | | | | | +| 0x13 | max_streams 0x13 | | | ✓ | ✓ | | | | | +| 0x14 | data_blocked | | | ✓ | ✓ | | | | | +| 0x15 | stream_data_blocked | | | ✓ | ✓ | | | | | +| 0x16 | streams_blocked 0x16 | | | ✓ | ✓ | | | | | +| 0x17 | streams_blocked 0x17 | | | ✓ | ✓ | | | | | +| 0x18 | new_connection_id | | | ✓ | ✓ | | | ✓ | | +| 0x19 | retire_connection_id | | | ✓ | ✓ | | | | | +| 0x1A | path_challenge | | | ✓ | ✓ | | | ✓ | | +| 0x1B | path_response | | | | ✓ | | | ✓ | | +| 0x1C | connection_close 0x1C | ✓ | ✓ | ✓ | ✓ | ✓ | | | | +| 0x1D | connection_close 0x1D | | | ✓ | ✓ | ✓ | | | | +| 0x1E | handshake_done | | | | ✓ | | | | | The various fields are as defined in RFC 9000. -- Gitee From 97458285200251daf3fcdafd51fd2bc45a602240 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Mon, 2 Oct 2023 10:24:38 +0200 Subject: [PATCH 13/60] Configurations/unix-Makefile.tmpl: Ensure that md-nits always works The body of the "md-nits" Makefile target assumed an in source build tree. This change ensures that it works correctly when called from an out-of-source build tree as well. Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/22240) Signed-off-by: fly2x --- Configurations/unix-Makefile.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index 6bdbf31d08..3d9ce086f9 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -1146,7 +1146,7 @@ doc-nits: build_generated_pods ## Evaluate OpenSSL documentation # Finally, there's a Node.js version, which we haven't tried, that # can be found at https://github.com/DavidAnson/markdownlint md-nits: ## Evaluate markdown files via "mdl" - mdl -s util/markdownlint.rb . + mdl -s $(SRCDIR)/util/markdownlint.rb . # Test coverage is a good idea for the future #coverage: $(PROGRAMS) $(TESTPROGRAMS) -- Gitee From 4a825ef277e1d17a704a990eb28185fcab8db37f Mon Sep 17 00:00:00 2001 From: Mathieu Tortuyaux Date: Tue, 19 Sep 2023 17:23:23 +0200 Subject: [PATCH 14/60] obj_xref: ecdsa support sha3 hash function Signed-off-by: Mathieu Tortuyaux Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22147) Signed-off-by: fly2x --- crypto/objects/obj_xref.txt | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/crypto/objects/obj_xref.txt b/crypto/objects/obj_xref.txt index 2a61d4db59..31c6eb9928 100644 --- a/crypto/objects/obj_xref.txt +++ b/crypto/objects/obj_xref.txt @@ -42,6 +42,10 @@ ecdsa_with_SHA384 sha384 X9_62_id_ecPublicKey ecdsa_with_SHA512 sha512 X9_62_id_ecPublicKey ecdsa_with_Recommended undef X9_62_id_ecPublicKey ecdsa_with_Specified undef X9_62_id_ecPublicKey +ecdsa_with_SHA3_224 sha3_224 X9_62_id_ecPublicKey +ecdsa_with_SHA3_256 sha3_256 X9_62_id_ecPublicKey +ecdsa_with_SHA3_384 sha3_384 X9_62_id_ecPublicKey +ecdsa_with_SHA3_512 sha3_512 X9_62_id_ecPublicKey dsa_with_SHA224 sha224 dsa dsa_with_SHA256 sha256 dsa -- Gitee From 811cac8d98adf0d487ad217d0af67bf4c39078eb Mon Sep 17 00:00:00 2001 From: Mathieu Tortuyaux Date: Tue, 19 Sep 2023 17:24:43 +0200 Subject: [PATCH 15/60] obj_xref.h: make update Signed-off-by: Mathieu Tortuyaux Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22147) Signed-off-by: fly2x --- crypto/objects/obj_xref.h | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/crypto/objects/obj_xref.h b/crypto/objects/obj_xref.h index fff7040075..913606f175 100644 --- a/crypto/objects/obj_xref.h +++ b/crypto/objects/obj_xref.h @@ -75,6 +75,10 @@ static const nid_triple sigoid_srt[] = { NID_id_GostR3410_2012_512}, {NID_ED25519, NID_undef, NID_ED25519}, {NID_ED448, NID_undef, NID_ED448}, + {NID_ecdsa_with_SHA3_224, NID_sha3_224, NID_X9_62_id_ecPublicKey}, + {NID_ecdsa_with_SHA3_256, NID_sha3_256, NID_X9_62_id_ecPublicKey}, + {NID_ecdsa_with_SHA3_384, NID_sha3_384, NID_X9_62_id_ecPublicKey}, + {NID_ecdsa_with_SHA3_512, NID_sha3_512, NID_X9_62_id_ecPublicKey}, {NID_RSA_SHA3_224, NID_sha3_224, NID_rsaEncryption}, {NID_RSA_SHA3_256, NID_sha3_256, NID_rsaEncryption}, {NID_RSA_SHA3_384, NID_sha3_384, NID_rsaEncryption}, @@ -122,9 +126,13 @@ static const nid_triple *const sigoid_srt_xref[] = { &sigoid_srt[28], &sigoid_srt[40], &sigoid_srt[41], + &sigoid_srt[48], &sigoid_srt[44], + &sigoid_srt[49], &sigoid_srt[45], + &sigoid_srt[50], &sigoid_srt[46], + &sigoid_srt[51], &sigoid_srt[47], - &sigoid_srt[48], + &sigoid_srt[52], }; -- Gitee From 2986d12fa1cbec641acd068bba3fac48df42fa25 Mon Sep 17 00:00:00 2001 From: Mathieu Tortuyaux Date: Fri, 22 Sep 2023 22:09:33 +0200 Subject: [PATCH 16/60] test: add verify test for EC cert signed with SHA3 Signed-off-by: Mathieu Tortuyaux Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22147) Signed-off-by: fly2x --- test/certs/ee-cert-ec-sha3-224.pem | 10 ++++++++++ test/certs/ee-cert-ec-sha3-256.pem | 10 ++++++++++ test/certs/ee-cert-ec-sha3-384.pem | 10 ++++++++++ test/certs/ee-cert-ec-sha3-512.pem | 10 ++++++++++ test/certs/setup.sh | 6 ++++++ test/recipes/25-test_verify.t | 22 +++++++++++++++++++--- 6 files changed, 65 insertions(+), 3 deletions(-) create mode 100644 test/certs/ee-cert-ec-sha3-224.pem create mode 100644 test/certs/ee-cert-ec-sha3-256.pem create mode 100644 test/certs/ee-cert-ec-sha3-384.pem create mode 100644 test/certs/ee-cert-ec-sha3-512.pem diff --git a/test/certs/ee-cert-ec-sha3-224.pem b/test/certs/ee-cert-ec-sha3-224.pem new file mode 100644 index 0000000000..047517d025 --- /dev/null +++ b/test/certs/ee-cert-ec-sha3-224.pem @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBezCCASCgAwIBAgIBAjALBglghkgBZQMEAwkwDTELMAkGA1UEAwwCQ0EwIBcN +MjMwOTI4MDk1NjI1WhgPMjEyMzA5MjkwOTU2MjVaMBkxFzAVBgNVBAMMDnNlcnZl +ci5leGFtcGxlMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtGFOe/kRUVsa/365 +y/rzmJGN4fa6Cp78QhtO8CubXrxGLUnSs9CrB7wwQ2rcNa9yTb/ptqeeP9wKhTwG +d+W9D6NiMGAwHQYDVR0OBBYEFMqcqbma1JdARJm7oXyaaN0BTSL1MB8GA1UdIwQY +MBaAFGOKBTlETPwvB/WIPqYAtWGwchqeMAkGA1UdEwQCMAAwEwYDVR0lBAwwCgYI +KwYBBQUHAwEwCwYJYIZIAWUDBAMJA0gAMEUCIG/6DFqC+WzrYaZzZ4RbsZNNtb1Z +MwN3GXj+S8LM4c83AiEA3V5/mXHWaDi2JfjycScqnDC++awvc26rMa9vk9ZwVYM= +-----END CERTIFICATE----- diff --git a/test/certs/ee-cert-ec-sha3-256.pem b/test/certs/ee-cert-ec-sha3-256.pem new file mode 100644 index 0000000000..2112ba15ce --- /dev/null +++ b/test/certs/ee-cert-ec-sha3-256.pem @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBejCCASCgAwIBAgIBAjALBglghkgBZQMEAwowDTELMAkGA1UEAwwCQ0EwIBcN +MjMwOTI4MDk1NjI1WhgPMjEyMzA5MjkwOTU2MjVaMBkxFzAVBgNVBAMMDnNlcnZl +ci5leGFtcGxlMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtGFOe/kRUVsa/365 +y/rzmJGN4fa6Cp78QhtO8CubXrxGLUnSs9CrB7wwQ2rcNa9yTb/ptqeeP9wKhTwG +d+W9D6NiMGAwHQYDVR0OBBYEFMqcqbma1JdARJm7oXyaaN0BTSL1MB8GA1UdIwQY +MBaAFGOKBTlETPwvB/WIPqYAtWGwchqeMAkGA1UdEwQCMAAwEwYDVR0lBAwwCgYI +KwYBBQUHAwEwCwYJYIZIAWUDBAMKA0cAMEQCIFToMNgLf3+sW1oHDhDrCQWpIzLE +PgAdgDdtbBO7OerTAiB3vkCvu/Vs8v/6Ys/OQOsHbX0tT5NUMWZfP3X8CYUfmA== +-----END CERTIFICATE----- diff --git a/test/certs/ee-cert-ec-sha3-384.pem b/test/certs/ee-cert-ec-sha3-384.pem new file mode 100644 index 0000000000..0397280f29 --- /dev/null +++ b/test/certs/ee-cert-ec-sha3-384.pem @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBezCCASCgAwIBAgIBAjALBglghkgBZQMEAwswDTELMAkGA1UEAwwCQ0EwIBcN +MjMwOTI1MTU0NTIxWhgPMjEyMzA5MjYxNTQ1MjFaMBkxFzAVBgNVBAMMDnNlcnZl +ci5leGFtcGxlMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtGFOe/kRUVsa/365 +y/rzmJGN4fa6Cp78QhtO8CubXrxGLUnSs9CrB7wwQ2rcNa9yTb/ptqeeP9wKhTwG +d+W9D6NiMGAwHQYDVR0OBBYEFMqcqbma1JdARJm7oXyaaN0BTSL1MB8GA1UdIwQY +MBaAFGOKBTlETPwvB/WIPqYAtWGwchqeMAkGA1UdEwQCMAAwEwYDVR0lBAwwCgYI +KwYBBQUHAwEwCwYJYIZIAWUDBAMLA0gAMEUCIGq8RYriO3scZLij8fglpZOZdZRZ +DfzsopaAvzQrwcS9AiEA0JDYvat1hiygjXUxZmWPD2cDrxogvCSsoi3QW7YtP/o= +-----END CERTIFICATE----- diff --git a/test/certs/ee-cert-ec-sha3-512.pem b/test/certs/ee-cert-ec-sha3-512.pem new file mode 100644 index 0000000000..f528f8fd95 --- /dev/null +++ b/test/certs/ee-cert-ec-sha3-512.pem @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBezCCASCgAwIBAgIBAjALBglghkgBZQMEAwwwDTELMAkGA1UEAwwCQ0EwIBcN +MjMwOTI4MDk1NjQyWhgPMjEyMzA5MjkwOTU2NDJaMBkxFzAVBgNVBAMMDnNlcnZl +ci5leGFtcGxlMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtGFOe/kRUVsa/365 +y/rzmJGN4fa6Cp78QhtO8CubXrxGLUnSs9CrB7wwQ2rcNa9yTb/ptqeeP9wKhTwG +d+W9D6NiMGAwHQYDVR0OBBYEFMqcqbma1JdARJm7oXyaaN0BTSL1MB8GA1UdIwQY +MBaAFGOKBTlETPwvB/WIPqYAtWGwchqeMAkGA1UdEwQCMAAwEwYDVR0lBAwwCgYI +KwYBBQUHAwEwCwYJYIZIAWUDBAMMA0gAMEUCIQCXnpYI3xKBcJkb5M/3vo4/xf2a +Cdurg8zR8WyPRXdS8QIgT0DMnX5W3ZbVK4p2nd+uyZ/o29TKBLpEtsyuiiZCsS0= +-----END CERTIFICATE----- diff --git a/test/certs/setup.sh b/test/certs/setup.sh index bd8d49337d..d517384301 100755 --- a/test/certs/setup.sh +++ b/test/certs/setup.sh @@ -471,3 +471,9 @@ OPENSSL_SIGALG=ED448 OPENSSL_KEYALG=ed448 ./mkcert.sh genee ed448 \ ./mkcert.sh geneeextra server.example ee-key ee-cert-policies ca-key ca-cert "certificatePolicies=1.3.6.1.4.1.16604.998855.1" # We can create a cert with a duplicate policy oid - but its actually invalid! ./mkcert.sh geneeextra server.example ee-key ee-cert-policies-bad ca-key ca-cert "certificatePolicies=1.3.6.1.4.1.16604.998855.1,1.3.6.1.4.1.16604.998855.1" + +# EC cert signed by curve ca with SHA3-224, SHA3-256, SHA3-384, SHA3-512 +OPENSSL_SIGALG="sha3-224" ./mkcert.sh genee server.example ee-key-ec-named-named ee-cert-ec-sha3-224 ca-key-ec-named ca-cert-ec-named +OPENSSL_SIGALG="sha3-256" ./mkcert.sh genee server.example ee-key-ec-named-named ee-cert-ec-sha3-256 ca-key-ec-named ca-cert-ec-named +OPENSSL_SIGALG="sha3-384" ./mkcert.sh genee server.example ee-key-ec-named-named ee-cert-ec-sha3-384 ca-key-ec-named ca-cert-ec-named +OPENSSL_SIGALG="sha3-512" ./mkcert.sh genee server.example ee-key-ec-named-named ee-cert-ec-sha3-512 ca-key-ec-named ca-cert-ec-named diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t index c69dcb2239..48af75ab2e 100644 --- a/test/recipes/25-test_verify.t +++ b/test/recipes/25-test_verify.t @@ -29,7 +29,7 @@ sub verify { run(app([@args])); } -plan tests => 185; +plan tests => 193; # Canonical success ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), @@ -339,7 +339,7 @@ ok(!verify("ee-cert-md5", "", ["root-cert"], ["ca-cert"]), # Explicit vs named curve tests SKIP: { - skip "EC is not supported by this OpenSSL build", 3 + skip "EC is not supported by this OpenSSL build", 7 if disabled("ec"); ok(!verify("ee-cert-ec-explicit", "", ["root-cert"], ["ca-cert-ec-named"]), @@ -350,6 +350,14 @@ SKIP: { ok(verify("ee-cert-ec-named-named", "", ["root-cert"], ["ca-cert-ec-named"]), "accept named curve leaf with named curve intermediate"); + ok(verify("ee-cert-ec-sha3-224", "", ["root-cert"], ["ca-cert-ec-named"], ), + "accept cert generated with EC and SHA3-224"); + ok(verify("ee-cert-ec-sha3-256", "", ["root-cert"], ["ca-cert-ec-named"], ), + "accept cert generated with EC and SHA3-256"); + ok(verify("ee-cert-ec-sha3-384", "", ["root-cert"], ["ca-cert-ec-named"], ), + "accept cert generated with EC and SHA3-384"); + ok(verify("ee-cert-ec-sha3-512", "", ["root-cert"], ["ca-cert-ec-named"], ), + "accept cert generated with EC and SHA3-512"); } # Same as above but with base provider used for decoding SKIP: { @@ -358,7 +366,7 @@ SKIP: { my $provpath = bldtop_dir("providers"); my @prov = ("-provider-path", $provpath); - skip "EC is not supported or FIPS is disabled", 3 + skip "EC is not supported or FIPS is disabled", 7 if disabled("ec") || $no_fips; run(test(["fips_version_test", "-config", $provconf, ">3.0.0"]), @@ -377,6 +385,14 @@ SKIP: { ok(verify("ee-cert-ec-named-named", "", ["root-cert"], ["ca-cert-ec-named"], @prov), "accept named curve leaf with named curve intermediate w/fips"); + ok(verify("ee-cert-ec-sha3-224", "", ["root-cert"], ["ca-cert-ec-named"], @prov), + "accept cert generated with EC and SHA3-224 w/fips"); + ok(verify("ee-cert-ec-sha3-256", "", ["root-cert"], ["ca-cert-ec-named"], @prov), + "accept cert generated with EC and SHA3-256 w/fips"); + ok(verify("ee-cert-ec-sha3-384", "", ["root-cert"], ["ca-cert-ec-named"], @prov), + "accept cert generated with EC and SHA3-384 w/fips"); + ok(verify("ee-cert-ec-sha3-512", "", ["root-cert"], ["ca-cert-ec-named"], @prov), + "accept cert generated with EC and SHA3-512 w/fips"); delete $ENV{OPENSSL_CONF}; } -- Gitee From 0054addf2a9bb3da9634821413aa20e0485ba7d4 Mon Sep 17 00:00:00 2001 From: Danny Tsen Date: Tue, 22 Aug 2023 15:58:53 -0400 Subject: [PATCH 17/60] Improve performance for 6x unrolling with vpermxor instruction Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21812) Signed-off-by: fly2x --- crypto/aes/asm/aesp8-ppc.pl | 145 +++++++++++++++++++++++------------- 1 file changed, 95 insertions(+), 50 deletions(-) diff --git a/crypto/aes/asm/aesp8-ppc.pl b/crypto/aes/asm/aesp8-ppc.pl index 60cf86f52a..38b9405a28 100755 --- a/crypto/aes/asm/aesp8-ppc.pl +++ b/crypto/aes/asm/aesp8-ppc.pl @@ -99,11 +99,12 @@ rcon: .long 0x1b000000, 0x1b000000, 0x1b000000, 0x1b000000 ?rev .long 0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c ?rev .long 0,0,0,0 ?asis +.long 0x0f102132, 0x43546576, 0x8798a9ba, 0xcbdcedfe Lconsts: mflr r0 bcl 20,31,\$+4 mflr $ptr #vvvvv "distance between . and rcon - addi $ptr,$ptr,-0x48 + addi $ptr,$ptr,-0x58 mtlr r0 blr .long 0 @@ -2405,7 +2406,7 @@ ___ my $key_=$key2; my ($x00,$x10,$x20,$x30,$x40,$x50,$x60,$x70)=map("r$_",(0,3,26..31)); $x00=0 if ($flavour =~ /osx/); -my ($in0, $in1, $in2, $in3, $in4, $in5 )=map("v$_",(0..5)); +my ($in0, $in1, $in2, $in3, $in4, $in5)=map("v$_",(0..5)); my ($out0, $out1, $out2, $out3, $out4, $out5)=map("v$_",(7,12..16)); my ($twk0, $twk1, $twk2, $twk3, $twk4, $twk5)=map("v$_",(17..22)); my $rndkey0="v23"; # v24-v25 rotating buffer for first found keys @@ -2460,6 +2461,18 @@ _aesp8_xts_encrypt6x: li $x70,0x70 mtspr 256,r0 + # Reverse eighty7 to 0x010101..87 + xxlor 2, 32+$eighty7, 32+$eighty7 + vsldoi $eighty7,$tmp,$eighty7,1 # 0x010101..87 + xxlor 1, 32+$eighty7, 32+$eighty7 + + # Load XOR contents. 0xf102132435465768798a9bacbdcedfe + mr $x70, r6 + bl Lconsts + lxvw4x 0, $x40, r6 # load XOR contents + mr r6, $x70 + li $x70,0x70 + subi $rounds,$rounds,3 # -4 in total lvx $rndkey0,$x00,$key1 # load key schedule @@ -2502,69 +2515,77 @@ Load_xts_enc_key: ?vperm v31,v31,$twk5,$keyperm lvx v25,$x10,$key_ # pre-load round[2] + # Switch to use the following codes with 0x010101..87 to generate tweak. + # eighty7 = 0x010101..87 + # vsrab tmp, tweak, seven # next tweak value, right shift 7 bits + # vand tmp, tmp, eighty7 # last byte with carry + # vaddubm tweak, tweak, tweak # left shift 1 bit (x2) + # xxlor vsx, 0, 0 + # vpermxor tweak, tweak, tmp, vsx + vperm $in0,$inout,$inptail,$inpperm subi $inp,$inp,31 # undo "caller" vxor $twk0,$tweak,$rndkey0 vsrab $tmp,$tweak,$seven # next tweak value vaddubm $tweak,$tweak,$tweak - vsldoi $tmp,$tmp,$tmp,15 vand $tmp,$tmp,$eighty7 vxor $out0,$in0,$twk0 - vxor $tweak,$tweak,$tmp + xxlor 32+$in1, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in1 lvx_u $in1,$x10,$inp vxor $twk1,$tweak,$rndkey0 vsrab $tmp,$tweak,$seven # next tweak value vaddubm $tweak,$tweak,$tweak - vsldoi $tmp,$tmp,$tmp,15 le?vperm $in1,$in1,$in1,$leperm vand $tmp,$tmp,$eighty7 vxor $out1,$in1,$twk1 - vxor $tweak,$tweak,$tmp + xxlor 32+$in2, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in2 lvx_u $in2,$x20,$inp andi. $taillen,$len,15 vxor $twk2,$tweak,$rndkey0 vsrab $tmp,$tweak,$seven # next tweak value vaddubm $tweak,$tweak,$tweak - vsldoi $tmp,$tmp,$tmp,15 le?vperm $in2,$in2,$in2,$leperm vand $tmp,$tmp,$eighty7 vxor $out2,$in2,$twk2 - vxor $tweak,$tweak,$tmp + xxlor 32+$in3, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in3 lvx_u $in3,$x30,$inp sub $len,$len,$taillen vxor $twk3,$tweak,$rndkey0 vsrab $tmp,$tweak,$seven # next tweak value vaddubm $tweak,$tweak,$tweak - vsldoi $tmp,$tmp,$tmp,15 le?vperm $in3,$in3,$in3,$leperm vand $tmp,$tmp,$eighty7 vxor $out3,$in3,$twk3 - vxor $tweak,$tweak,$tmp + xxlor 32+$in4, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in4 lvx_u $in4,$x40,$inp subi $len,$len,0x60 vxor $twk4,$tweak,$rndkey0 vsrab $tmp,$tweak,$seven # next tweak value vaddubm $tweak,$tweak,$tweak - vsldoi $tmp,$tmp,$tmp,15 le?vperm $in4,$in4,$in4,$leperm vand $tmp,$tmp,$eighty7 vxor $out4,$in4,$twk4 - vxor $tweak,$tweak,$tmp + xxlor 32+$in5, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in5 lvx_u $in5,$x50,$inp addi $inp,$inp,0x60 vxor $twk5,$tweak,$rndkey0 vsrab $tmp,$tweak,$seven # next tweak value vaddubm $tweak,$tweak,$tweak - vsldoi $tmp,$tmp,$tmp,15 le?vperm $in5,$in5,$in5,$leperm vand $tmp,$tmp,$eighty7 vxor $out5,$in5,$twk5 - vxor $tweak,$tweak,$tmp + xxlor 32+$in0, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in0 vxor v31,v31,$rndkey0 mtctr $rounds @@ -2590,6 +2611,8 @@ Loop_xts_enc6x: lvx v25,$x10,$key_ # round[4] bdnz Loop_xts_enc6x + xxlor 32+$eighty7, 1, 1 # 0x010101..87 + subic $len,$len,96 # $len-=96 vxor $in0,$twk0,v31 # xor with last round key vcipher $out0,$out0,v24 @@ -2599,7 +2622,6 @@ Loop_xts_enc6x: vaddubm $tweak,$tweak,$tweak vcipher $out2,$out2,v24 vcipher $out3,$out3,v24 - vsldoi $tmp,$tmp,$tmp,15 vcipher $out4,$out4,v24 vcipher $out5,$out5,v24 @@ -2607,7 +2629,8 @@ Loop_xts_enc6x: vand $tmp,$tmp,$eighty7 vcipher $out0,$out0,v25 vcipher $out1,$out1,v25 - vxor $tweak,$tweak,$tmp + xxlor 32+$in1, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in1 vcipher $out2,$out2,v25 vcipher $out3,$out3,v25 vxor $in1,$twk1,v31 @@ -2618,13 +2641,13 @@ Loop_xts_enc6x: and r0,r0,$len vaddubm $tweak,$tweak,$tweak - vsldoi $tmp,$tmp,$tmp,15 vcipher $out0,$out0,v26 vcipher $out1,$out1,v26 vand $tmp,$tmp,$eighty7 vcipher $out2,$out2,v26 vcipher $out3,$out3,v26 - vxor $tweak,$tweak,$tmp + xxlor 32+$in2, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in2 vcipher $out4,$out4,v26 vcipher $out5,$out5,v26 @@ -2638,7 +2661,6 @@ Loop_xts_enc6x: vaddubm $tweak,$tweak,$tweak vcipher $out0,$out0,v27 vcipher $out1,$out1,v27 - vsldoi $tmp,$tmp,$tmp,15 vcipher $out2,$out2,v27 vcipher $out3,$out3,v27 vand $tmp,$tmp,$eighty7 @@ -2646,7 +2668,8 @@ Loop_xts_enc6x: vcipher $out5,$out5,v27 addi $key_,$sp,$FRAME+15 # rewind $key_ - vxor $tweak,$tweak,$tmp + xxlor 32+$in3, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in3 vcipher $out0,$out0,v28 vcipher $out1,$out1,v28 vxor $in3,$twk3,v31 @@ -2655,7 +2678,6 @@ Loop_xts_enc6x: vcipher $out2,$out2,v28 vcipher $out3,$out3,v28 vaddubm $tweak,$tweak,$tweak - vsldoi $tmp,$tmp,$tmp,15 vcipher $out4,$out4,v28 vcipher $out5,$out5,v28 lvx v24,$x00,$key_ # re-pre-load round[1] @@ -2663,7 +2685,8 @@ Loop_xts_enc6x: vcipher $out0,$out0,v29 vcipher $out1,$out1,v29 - vxor $tweak,$tweak,$tmp + xxlor 32+$in4, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in4 vcipher $out2,$out2,v29 vcipher $out3,$out3,v29 vxor $in4,$twk4,v31 @@ -2673,14 +2696,14 @@ Loop_xts_enc6x: vcipher $out5,$out5,v29 lvx v25,$x10,$key_ # re-pre-load round[2] vaddubm $tweak,$tweak,$tweak - vsldoi $tmp,$tmp,$tmp,15 vcipher $out0,$out0,v30 vcipher $out1,$out1,v30 vand $tmp,$tmp,$eighty7 vcipher $out2,$out2,v30 vcipher $out3,$out3,v30 - vxor $tweak,$tweak,$tmp + xxlor 32+$in5, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in5 vcipher $out4,$out4,v30 vcipher $out5,$out5,v30 vxor $in5,$twk5,v31 @@ -2690,7 +2713,6 @@ Loop_xts_enc6x: vcipherlast $out0,$out0,$in0 lvx_u $in0,$x00,$inp # load next input block vaddubm $tweak,$tweak,$tweak - vsldoi $tmp,$tmp,$tmp,15 vcipherlast $out1,$out1,$in1 lvx_u $in1,$x10,$inp vcipherlast $out2,$out2,$in2 @@ -2703,7 +2725,10 @@ Loop_xts_enc6x: vcipherlast $out4,$out4,$in4 le?vperm $in2,$in2,$in2,$leperm lvx_u $in4,$x40,$inp - vxor $tweak,$tweak,$tmp + xxlor 10, 32+$in0, 32+$in0 + xxlor 32+$in0, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in0 + xxlor 32+$in0, 10, 10 vcipherlast $tmp,$out5,$in5 # last block might be needed # in stealing mode le?vperm $in3,$in3,$in3,$leperm @@ -2736,6 +2761,8 @@ Loop_xts_enc6x: mtctr $rounds beq Loop_xts_enc6x # did $len-=96 borrow? + xxlor 32+$eighty7, 2, 2 # 0x870101..01 + addic. $len,$len,0x60 beq Lxts_enc6x_zero cmpwi $len,0x20 @@ -3112,6 +3139,18 @@ _aesp8_xts_decrypt6x: li $x70,0x70 mtspr 256,r0 + # Reverse eighty7 to 0x010101..87 + xxlor 2, 32+$eighty7, 32+$eighty7 + vsldoi $eighty7,$tmp,$eighty7,1 # 0x010101..87 + xxlor 1, 32+$eighty7, 32+$eighty7 + + # Load XOR contents. 0xf102132435465768798a9bacbdcedfe + mr $x70, r6 + bl Lconsts + lxvw4x 0, $x40, r6 # load XOR contents + mr r6, $x70 + li $x70,0x70 + subi $rounds,$rounds,3 # -4 in total lvx $rndkey0,$x00,$key1 # load key schedule @@ -3159,64 +3198,64 @@ Load_xts_dec_key: vxor $twk0,$tweak,$rndkey0 vsrab $tmp,$tweak,$seven # next tweak value vaddubm $tweak,$tweak,$tweak - vsldoi $tmp,$tmp,$tmp,15 vand $tmp,$tmp,$eighty7 vxor $out0,$in0,$twk0 - vxor $tweak,$tweak,$tmp + xxlor 32+$in1, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in1 lvx_u $in1,$x10,$inp vxor $twk1,$tweak,$rndkey0 vsrab $tmp,$tweak,$seven # next tweak value vaddubm $tweak,$tweak,$tweak - vsldoi $tmp,$tmp,$tmp,15 le?vperm $in1,$in1,$in1,$leperm vand $tmp,$tmp,$eighty7 vxor $out1,$in1,$twk1 - vxor $tweak,$tweak,$tmp + xxlor 32+$in2, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in2 lvx_u $in2,$x20,$inp andi. $taillen,$len,15 vxor $twk2,$tweak,$rndkey0 vsrab $tmp,$tweak,$seven # next tweak value vaddubm $tweak,$tweak,$tweak - vsldoi $tmp,$tmp,$tmp,15 le?vperm $in2,$in2,$in2,$leperm vand $tmp,$tmp,$eighty7 vxor $out2,$in2,$twk2 - vxor $tweak,$tweak,$tmp + xxlor 32+$in3, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in3 lvx_u $in3,$x30,$inp sub $len,$len,$taillen vxor $twk3,$tweak,$rndkey0 vsrab $tmp,$tweak,$seven # next tweak value vaddubm $tweak,$tweak,$tweak - vsldoi $tmp,$tmp,$tmp,15 le?vperm $in3,$in3,$in3,$leperm vand $tmp,$tmp,$eighty7 vxor $out3,$in3,$twk3 - vxor $tweak,$tweak,$tmp + xxlor 32+$in4, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in4 lvx_u $in4,$x40,$inp subi $len,$len,0x60 vxor $twk4,$tweak,$rndkey0 vsrab $tmp,$tweak,$seven # next tweak value vaddubm $tweak,$tweak,$tweak - vsldoi $tmp,$tmp,$tmp,15 le?vperm $in4,$in4,$in4,$leperm vand $tmp,$tmp,$eighty7 vxor $out4,$in4,$twk4 - vxor $tweak,$tweak,$tmp + xxlor 32+$in5, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in5 lvx_u $in5,$x50,$inp addi $inp,$inp,0x60 vxor $twk5,$tweak,$rndkey0 vsrab $tmp,$tweak,$seven # next tweak value vaddubm $tweak,$tweak,$tweak - vsldoi $tmp,$tmp,$tmp,15 le?vperm $in5,$in5,$in5,$leperm vand $tmp,$tmp,$eighty7 vxor $out5,$in5,$twk5 - vxor $tweak,$tweak,$tmp + xxlor 32+$in0, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in0 vxor v31,v31,$rndkey0 mtctr $rounds @@ -3242,6 +3281,8 @@ Loop_xts_dec6x: lvx v25,$x10,$key_ # round[4] bdnz Loop_xts_dec6x + xxlor 32+$eighty7, 1, 1 + subic $len,$len,96 # $len-=96 vxor $in0,$twk0,v31 # xor with last round key vncipher $out0,$out0,v24 @@ -3251,7 +3292,6 @@ Loop_xts_dec6x: vaddubm $tweak,$tweak,$tweak vncipher $out2,$out2,v24 vncipher $out3,$out3,v24 - vsldoi $tmp,$tmp,$tmp,15 vncipher $out4,$out4,v24 vncipher $out5,$out5,v24 @@ -3259,7 +3299,8 @@ Loop_xts_dec6x: vand $tmp,$tmp,$eighty7 vncipher $out0,$out0,v25 vncipher $out1,$out1,v25 - vxor $tweak,$tweak,$tmp + xxlor 32+$in1, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in1 vncipher $out2,$out2,v25 vncipher $out3,$out3,v25 vxor $in1,$twk1,v31 @@ -3270,13 +3311,13 @@ Loop_xts_dec6x: and r0,r0,$len vaddubm $tweak,$tweak,$tweak - vsldoi $tmp,$tmp,$tmp,15 vncipher $out0,$out0,v26 vncipher $out1,$out1,v26 vand $tmp,$tmp,$eighty7 vncipher $out2,$out2,v26 vncipher $out3,$out3,v26 - vxor $tweak,$tweak,$tmp + xxlor 32+$in2, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in2 vncipher $out4,$out4,v26 vncipher $out5,$out5,v26 @@ -3290,7 +3331,6 @@ Loop_xts_dec6x: vaddubm $tweak,$tweak,$tweak vncipher $out0,$out0,v27 vncipher $out1,$out1,v27 - vsldoi $tmp,$tmp,$tmp,15 vncipher $out2,$out2,v27 vncipher $out3,$out3,v27 vand $tmp,$tmp,$eighty7 @@ -3298,7 +3338,8 @@ Loop_xts_dec6x: vncipher $out5,$out5,v27 addi $key_,$sp,$FRAME+15 # rewind $key_ - vxor $tweak,$tweak,$tmp + xxlor 32+$in3, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in3 vncipher $out0,$out0,v28 vncipher $out1,$out1,v28 vxor $in3,$twk3,v31 @@ -3307,7 +3348,6 @@ Loop_xts_dec6x: vncipher $out2,$out2,v28 vncipher $out3,$out3,v28 vaddubm $tweak,$tweak,$tweak - vsldoi $tmp,$tmp,$tmp,15 vncipher $out4,$out4,v28 vncipher $out5,$out5,v28 lvx v24,$x00,$key_ # re-pre-load round[1] @@ -3315,7 +3355,8 @@ Loop_xts_dec6x: vncipher $out0,$out0,v29 vncipher $out1,$out1,v29 - vxor $tweak,$tweak,$tmp + xxlor 32+$in4, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in4 vncipher $out2,$out2,v29 vncipher $out3,$out3,v29 vxor $in4,$twk4,v31 @@ -3325,14 +3366,14 @@ Loop_xts_dec6x: vncipher $out5,$out5,v29 lvx v25,$x10,$key_ # re-pre-load round[2] vaddubm $tweak,$tweak,$tweak - vsldoi $tmp,$tmp,$tmp,15 vncipher $out0,$out0,v30 vncipher $out1,$out1,v30 vand $tmp,$tmp,$eighty7 vncipher $out2,$out2,v30 vncipher $out3,$out3,v30 - vxor $tweak,$tweak,$tmp + xxlor 32+$in5, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in5 vncipher $out4,$out4,v30 vncipher $out5,$out5,v30 vxor $in5,$twk5,v31 @@ -3342,7 +3383,6 @@ Loop_xts_dec6x: vncipherlast $out0,$out0,$in0 lvx_u $in0,$x00,$inp # load next input block vaddubm $tweak,$tweak,$tweak - vsldoi $tmp,$tmp,$tmp,15 vncipherlast $out1,$out1,$in1 lvx_u $in1,$x10,$inp vncipherlast $out2,$out2,$in2 @@ -3355,7 +3395,10 @@ Loop_xts_dec6x: vncipherlast $out4,$out4,$in4 le?vperm $in2,$in2,$in2,$leperm lvx_u $in4,$x40,$inp - vxor $tweak,$tweak,$tmp + xxlor 10, 32+$in0, 32+$in0 + xxlor 32+$in0, 0, 0 + vpermxor $tweak, $tweak, $tmp, $in0 + xxlor 32+$in0, 10, 10 vncipherlast $out5,$out5,$in5 le?vperm $in3,$in3,$in3,$leperm lvx_u $in5,$x50,$inp @@ -3386,6 +3429,8 @@ Loop_xts_dec6x: mtctr $rounds beq Loop_xts_dec6x # did $len-=96 borrow? + xxlor 32+$eighty7, 2, 2 + addic. $len,$len,0x60 beq Lxts_dec6x_zero cmpwi $len,0x20 -- Gitee From c6a4f22fd4b14b8b1dc6d4ca62c0aacd9d858fee Mon Sep 17 00:00:00 2001 From: "Matthias St. Pierre" Date: Fri, 29 Sep 2023 15:31:37 +0200 Subject: [PATCH 18/60] doc: correct the SSL_CTX_set_info_callback(3) manual page The info callback is not prototyped correctly, and the code example fails to compile because of const-incorrectness. Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22224) Signed-off-by: fly2x --- doc/man3/SSL_CTX_set_info_callback.pod | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/doc/man3/SSL_CTX_set_info_callback.pod b/doc/man3/SSL_CTX_set_info_callback.pod index 9cee642073..99f59b063c 100644 --- a/doc/man3/SSL_CTX_set_info_callback.pod +++ b/doc/man3/SSL_CTX_set_info_callback.pod @@ -12,11 +12,15 @@ SSL_get_info_callback #include - void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*callback)()); - void (*SSL_CTX_get_info_callback(const SSL_CTX *ctx))(); + void SSL_CTX_set_info_callback(SSL_CTX *ctx, + void (*callback) (const SSL *ssl, int type, int val)); - void SSL_set_info_callback(SSL *ssl, void (*callback)()); - void (*SSL_get_info_callback(const SSL *ssl))(); + void (*SSL_CTX_get_info_callback(SSL_CTX *ctx)) (const SSL *ssl, int type, int val); + + void SSL_set_info_callback(SSL *ssl, + void (*callback) (const SSL *ssl, int type, int val)); + + void (*SSL_get_info_callback(const SSL *ssl)) (const SSL *ssl, int type, int val); =head1 DESCRIPTION @@ -119,7 +123,7 @@ SSL_get_info_callback() returns the current setting. The following example callback function prints state strings, information about alerts being handled and error messages to the B BIO. - void apps_ssl_info_callback(SSL *s, int where, int ret) + void apps_ssl_info_callback(const SSL *s, int where, int ret) { const char *str; int w = where & ~SSL_ST_MASK; -- Gitee From 40c69b92c240ca505587da51e47666c8625ac1ba Mon Sep 17 00:00:00 2001 From: Dmitry Misharov Date: Thu, 28 Sep 2023 14:21:37 +0300 Subject: [PATCH 19/60] remove files under test directory from coverage report Reviewed-by: Matt Caswell Reviewed-by: Paul Dale Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22212) Signed-off-by: fly2x --- .github/workflows/coveralls.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/coveralls.yml b/.github/workflows/coveralls.yml index bdb576fd65..5330984c71 100644 --- a/.github/workflows/coveralls.yml +++ b/.github/workflows/coveralls.yml @@ -64,7 +64,13 @@ jobs: - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} TESTS='-test_external_krb5' - name: generate coverage info - run: lcov -d . -c -o ./lcov.info + run: lcov -d . -c \ + --exclude "${PWD}/test/*" \ + --exclude "${PWD}/test/helpers/*" \ + --exclude "${PWD}/test/testutil/*" \ + --exclude "${PWD}/fuzz/*" \ + --exclude "/usr/include/*" \ + -o ./lcov.info - name: Coveralls upload uses: coverallsapp/github-action@v2.2.3 with: -- Gitee From 68a5f75e24ca5f2f5e282b2672479a2fcfc61797 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 28 Sep 2023 13:59:45 +0100 Subject: [PATCH 20/60] Fix timeouts in the quic_multistream test script 13 Script 13 is a stress test which can timeout on some low powered platforms or with some options that significantly slow performance. We increase the timeout. Reviewed-by: Paul Dale Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22214) Signed-off-by: fly2x --- test/quic_multistream_test.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/quic_multistream_test.c b/test/quic_multistream_test.c index 2ad4ef292e..58b0831ebb 100644 --- a/test/quic_multistream_test.c +++ b/test/quic_multistream_test.c @@ -1053,7 +1053,7 @@ static int run_script_worker(struct helper *h, const struct script_op *script, first = 0; offset = 0; op_start_time = ossl_time_now(); - op_deadline = ossl_time_add(op_start_time, ossl_ms2time(8000)); + op_deadline = ossl_time_add(op_start_time, ossl_ms2time(60000)); } if (!TEST_int_le(ossl_time_compare(ossl_time_now(), op_deadline), 0)) { -- Gitee From cedf9bbf40b1468e3fd0d97a4e3d66ce6c773bbe Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Oct 2023 17:23:41 +0000 Subject: [PATCH 21/60] Bump actions/setup-python from 4.7.0 to 4.7.1 Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.7.0 to 4.7.1. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/v4.7.0...v4.7.1) --- updated-dependencies: - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] CLA: trivial Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22254) Signed-off-by: fly2x --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 596a82a560..1eeaa69ba2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -442,7 +442,7 @@ jobs: - name: make run: make -s -j4 - name: Setup Python - uses: actions/setup-python@v4.7.0 + uses: actions/setup-python@v4.7.1 with: python-version: ${{ matrix.PYTHON }} - uses: actions-rs/toolchain@v1 -- Gitee From 7f8534e0fda35faf1a5f72a3f4696142b2dabb64 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 3 Oct 2023 08:39:31 +0200 Subject: [PATCH 22/60] coveralls: Fix invocation of lcov Fixes recent regression from commit febe8cf4dee9939ee3e5523b6f14d9dc1ec74153 Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22258) Signed-off-by: fly2x --- .github/workflows/coveralls.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/coveralls.yml b/.github/workflows/coveralls.yml index 5330984c71..e22c0099c0 100644 --- a/.github/workflows/coveralls.yml +++ b/.github/workflows/coveralls.yml @@ -64,12 +64,12 @@ jobs: - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} TESTS='-test_external_krb5' - name: generate coverage info - run: lcov -d . -c \ - --exclude "${PWD}/test/*" \ - --exclude "${PWD}/test/helpers/*" \ - --exclude "${PWD}/test/testutil/*" \ - --exclude "${PWD}/fuzz/*" \ - --exclude "/usr/include/*" \ + run: lcov -d . -c + --exclude "${PWD}/test/*" + --exclude "${PWD}/test/helpers/*" + --exclude "${PWD}/test/testutil/*" + --exclude "${PWD}/fuzz/*" + --exclude "/usr/include/*" -o ./lcov.info - name: Coveralls upload uses: coverallsapp/github-action@v2.2.3 -- Gitee From 82dc1a3c8f0d35b0aa4fe113a36ff7e2fa6b6405 Mon Sep 17 00:00:00 2001 From: Dmitry Misharov Date: Thu, 28 Sep 2023 11:50:55 +0300 Subject: [PATCH 23/60] GH action workflows: Add cpu report before 'make test' Reviewed-by: Dmitry Belyavskiy Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22232) Signed-off-by: fly2x --- .github/workflows/ci.yml | 91 ++++++++++++++++++++ .github/workflows/compiler-zoo.yml | 4 + .github/workflows/coveralls.yml | 4 + .github/workflows/cross-compiles.yml | 3 + .github/workflows/fuzz-checker.yml | 4 + .github/workflows/os-zoo.yml | 23 +++++ .github/workflows/provider-compatibility.yml | 13 ++- .github/workflows/run-checker-ci.yml | 4 + .github/workflows/run-checker-daily-sctp.yml | 5 ++ .github/workflows/run-checker-daily.yml | 4 + .github/workflows/run-checker-merge.yml | 4 + .github/workflows/windows.yml | 33 +++++++ .github/workflows/windows_comp.yml | 22 +++++ 13 files changed, 213 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1eeaa69ba2..6c89c65096 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -83,6 +83,10 @@ jobs: run: CC=gcc ./config --banner=Configured enable-fips enable-quic --strict-warnings && perl configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} @@ -96,6 +100,10 @@ jobs: run: CC=clang ./config --banner=Configured no-fips --strict-warnings && perl configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} @@ -109,6 +117,10 @@ jobs: run: ./config --banner=Configured --strict-warnings no-bulk no-pic no-asm -DOPENSSL_NO_SECURE_MEMORY -DOPENSSL_SMALL_FOOTPRINT && perl configdata.pm --dump - name: make run: make -j4 # verbose, so no -s here + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} @@ -122,6 +134,10 @@ jobs: run: ./config --banner=Configured --strict-warnings no-deprecated enable-fips && perl configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} @@ -138,6 +154,8 @@ jobs: run: ./config --banner=Configured --strict-warnings no-shared no-fips && perl configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} @@ -151,6 +169,10 @@ jobs: run: ./config --banner=Configured --debug enable-asan enable-ubsan no-cached-fetch no-fips no-dtls no-tls1 no-tls1-method no-tls1_1 no-tls1_1-method no-async && perl configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} OPENSSL_TEST_RAND_ORDER=0 TESTS="-test_fuzz* -test_ssl_* -test_sslapi -test_evp -test_cmp_http -test_verify -test_cms -test_store -test_enc -[01][0-9]" @@ -164,6 +186,10 @@ jobs: run: ./config --banner=Configured --debug enable-asan enable-ubsan enable-rc5 enable-md2 enable-ec_nistp_64_gcc_128 enable-fips -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION && perl configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} OPENSSL_TEST_RAND_ORDER=0 @@ -178,6 +204,10 @@ jobs: run: CC=clang ./config --banner=Configured --debug -O1 -fsanitize=memory -DOSSL_SANITIZE_MEMORY -fno-optimize-sibling-calls enable-rc5 enable-md2 enable-ec_nistp_64_gcc_128 enable-fips && perl configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} OPENSSL_TEST_RAND_ORDER=0 @@ -191,6 +221,10 @@ jobs: run: CC=clang ./config --banner=Configured no-fips --strict-warnings -fsanitize=thread && perl configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make V=1 TESTS="test_threads test_internal_provider test_provfetch test_provider test_pbe test_evp_kdf test_pkcs12 test_store test_evp test_quic*" test HARNESS_JOBS=${HARNESS_JOBS:-4} @@ -206,6 +240,10 @@ jobs: run: ./config --banner=Configured --strict-warnings no-ec enable-ssl-trace enable-zlib enable-zlib-dynamic enable-crypto-mdebug enable-crypto-mdebug-backtrace enable-egd enable-ktls enable-fips no-threads && perl configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} @@ -221,6 +259,10 @@ jobs: run: ./config --banner=Configured --strict-warnings enable-ktls enable-fips && perl configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} @@ -239,6 +281,10 @@ jobs: run: ./config enable-comp enable-brotli enable-brotli-dynamic && perl configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} @@ -257,6 +303,10 @@ jobs: run: ./config enable-comp enable-zstd enable-zstd-dynamic && perl configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} @@ -276,6 +326,10 @@ jobs: run: ./config enable-comp enable-brotli enable-brotli-dynamic enable-zstd enable-zstd-dynamic && perl configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} @@ -294,6 +348,10 @@ jobs: run: ./config --banner=Configured --debug enable-asan enable-ubsan enable-comp enable-brotli -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -DPEDANTIC && perl configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} OPENSSL_TEST_RAND_ORDER=0 @@ -312,6 +370,10 @@ jobs: run: ./config --banner=Configured --debug enable-asan enable-ubsan enable-comp enable-zstd -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -DPEDANTIC && perl configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} OPENSSL_TEST_RAND_ORDER=0 @@ -325,6 +387,10 @@ jobs: run: ./config --banner=Configured --strict-warnings no-legacy enable-fips && perl configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} @@ -338,6 +404,10 @@ jobs: run: ./config --banner=Configured -Werror --debug no-afalgeng no-shared enable-crypto-mdebug enable-rc5 enable-md2 enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 no-fips && perl configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} @@ -354,6 +424,8 @@ jobs: run: CC=gcc ./config --banner=Configured enable-tfo --strict-warnings && perl configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} @@ -367,6 +439,10 @@ jobs: run: ./config --banner=Configured no-asm no-makedepend enable-buildtest-c++ enable-fips --strict-warnings -D_DEFAULT_SOURCE && perl configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} @@ -389,6 +465,9 @@ jobs: - name: make run: make -s -j4 working-directory: ./build + - name: get cpu info + run: ./util/opensslwrap.sh version -c + working-directory: ./build - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} working-directory: ./build @@ -416,6 +495,10 @@ jobs: run: ./config --banner=Configured --strict-warnings --debug no-afalgeng enable-rc5 enable-md2 enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 enable-external-tests no-fips && perl configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: test external gost-engine run: make test TESTS="test_external_gost_engine" - name: test external krb5 @@ -451,6 +534,10 @@ jobs: toolchain: ${{ matrix.RUST }} override: true default: true + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: test external pyca run: make test TESTS="test_external_pyca" VERBOSE=1 @@ -469,5 +556,9 @@ jobs: profile: default toolchain: stable default: true + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: test external Cloudflare quiche run: make test TESTS="test_external_cf_quiche" VERBOSE=1 diff --git a/.github/workflows/compiler-zoo.yml b/.github/workflows/compiler-zoo.yml index 658d33f082..30634fccc3 100644 --- a/.github/workflows/compiler-zoo.yml +++ b/.github/workflows/compiler-zoo.yml @@ -127,5 +127,9 @@ jobs: run: ./configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} diff --git a/.github/workflows/coveralls.yml b/.github/workflows/coveralls.yml index e22c0099c0..d321bc483a 100644 --- a/.github/workflows/coveralls.yml +++ b/.github/workflows/coveralls.yml @@ -61,6 +61,10 @@ jobs: run: ./configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} TESTS='-test_external_krb5' - name: generate coverage info diff --git a/.github/workflows/cross-compiles.yml b/.github/workflows/cross-compiles.yml index e2cd6cbb00..79af07c701 100644 --- a/.github/workflows/cross-compiles.yml +++ b/.github/workflows/cross-compiles.yml @@ -195,6 +195,9 @@ jobs: run: echo "OPENSSL_${{ matrix.platform.opensslcapsname }}=\ ${{ matrix.platform.opensslcaps }}" >> $GITHUB_ENV + - name: get cpu info + run: cat /proc/cpuinfo + - name: make all tests if: github.event_name == 'push' && matrix.platform.tests == '' run: | diff --git a/.github/workflows/fuzz-checker.yml b/.github/workflows/fuzz-checker.yml index 3e84fdbac6..766a4a1326 100644 --- a/.github/workflows/fuzz-checker.yml +++ b/.github/workflows/fuzz-checker.yml @@ -63,6 +63,10 @@ jobs: - name: make sans explicit linker if: matrix.fuzzy.linker == '' run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test restricted if: matrix.fuzzy.tests != '' run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} TESTS="${{ matrix.fuzzy.tests }}" diff --git a/.github/workflows/os-zoo.yml b/.github/workflows/os-zoo.yml index 98fe0c744c..d3dc6770c3 100644 --- a/.github/workflows/os-zoo.yml +++ b/.github/workflows/os-zoo.yml @@ -43,6 +43,10 @@ jobs: run: ./configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} @@ -89,6 +93,10 @@ jobs: run: ./configdata.pm --dump - name: make run: make -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} @@ -111,6 +119,10 @@ jobs: run: ./configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + sysctl machdep.cpu + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} @@ -141,6 +153,17 @@ jobs: - name: build working-directory: _build run: nmake /S + - name: download coreinfo + uses: suisei-cn/actions-download-file@v1.3.0 + with: + url: "https://download.sysinternals.com/files/Coreinfo.zip" + target: _build/coreinfo/ + - name: get cpu info + working-directory: _build + run: | + 7z.exe x coreinfo/Coreinfo.zip + ./Coreinfo64.exe -accepteula -f + apps/openssl.exe version -c - name: test working-directory: _build run: nmake test VERBOSE_FAILURE=yes HARNESS_JOBS=4 diff --git a/.github/workflows/provider-compatibility.yml b/.github/workflows/provider-compatibility.yml index e95a847522..ccb0fbdd7d 100644 --- a/.github/workflows/provider-compatibility.yml +++ b/.github/workflows/provider-compatibility.yml @@ -10,7 +10,6 @@ name: Provider compatibility across versions - # NOTE: if this is being run on pull_request, it will **not** use the pull # request's branch. It is hardcoded to use the master branch. # @@ -160,6 +159,12 @@ jobs: -providers working-directory: ${{ matrix.branch.dir }} + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c + working-directory: ${{ matrix.branch.dir }} + - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} working-directory: ${{ matrix.branch.dir }} @@ -230,6 +235,12 @@ jobs: -providers working-directory: ${{ matrix.tree_b }} + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c + working-directory: ${{ matrix.branch.dir }} + - name: run cross validation tests of FIPS from A with tree from B if: steps.early_exit.outcome == 'success' run: | diff --git a/.github/workflows/run-checker-ci.yml b/.github/workflows/run-checker-ci.yml index b4a20bcedd..2b7ca84d86 100644 --- a/.github/workflows/run-checker-ci.yml +++ b/.github/workflows/run-checker-ci.yml @@ -50,5 +50,9 @@ jobs: run: ./configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} diff --git a/.github/workflows/run-checker-daily-sctp.yml b/.github/workflows/run-checker-daily-sctp.yml index d258847e7e..ba9a5178f0 100644 --- a/.github/workflows/run-checker-daily-sctp.yml +++ b/.github/workflows/run-checker-daily-sctp.yml @@ -43,6 +43,11 @@ jobs: if: steps.sctp_auth.outcome == 'success' && steps.sctp_auth.conclusion == 'success' run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c + - name: make test if: steps.sctp_auth.outcome == 'success' && steps.sctp_auth.conclusion == 'success' run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} diff --git a/.github/workflows/run-checker-daily.yml b/.github/workflows/run-checker-daily.yml index fe8a3a8e66..fdd07294a4 100644 --- a/.github/workflows/run-checker-daily.yml +++ b/.github/workflows/run-checker-daily.yml @@ -144,5 +144,9 @@ jobs: run: ./configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} diff --git a/.github/workflows/run-checker-merge.yml b/.github/workflows/run-checker-merge.yml index 31148bf0b8..461f16527d 100644 --- a/.github/workflows/run-checker-merge.yml +++ b/.github/workflows/run-checker-merge.yml @@ -46,5 +46,9 @@ jobs: run: ./configdata.pm --dump - name: make run: make -s -j4 + - name: get cpu info + run: | + cat /proc/cpuinfo + ./util/opensslwrap.sh version -c - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index 9c32d2689b..29ad9689e9 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml @@ -47,6 +47,17 @@ jobs: - name: build working-directory: _build run: nmake /S + - name: download coreinfo + uses: suisei-cn/actions-download-file@v1.3.0 + with: + url: "https://download.sysinternals.com/files/Coreinfo.zip" + target: _build/coreinfo/ + - name: get cpu info + working-directory: _build + run: | + 7z.exe x coreinfo/Coreinfo.zip + ./Coreinfo64.exe -accepteula -f + ./apps/openssl.exe version -c - name: test working-directory: _build run: nmake test VERBOSE_FAILURE=yes TESTS=-test_fuzz* HARNESS_JOBS=4 @@ -80,6 +91,17 @@ jobs: - name: build working-directory: _build run: nmake /S + - name: download coreinfo + uses: suisei-cn/actions-download-file@v1.3.0 + with: + url: "https://download.sysinternals.com/files/Coreinfo.zip" + target: _build/coreinfo/ + - name: get cpu info + working-directory: _build + run: | + 7z.exe x coreinfo/Coreinfo.zip + ./Coreinfo64.exe -accepteula -f + ./apps/openssl.exe version -c - name: test working-directory: _build run: nmake test VERBOSE_FAILURE=yes HARNESS_JOBS=4 @@ -106,6 +128,17 @@ jobs: - name: build working-directory: _build run: nmake # verbose, so no /S here + - name: download coreinfo + uses: suisei-cn/actions-download-file@v1.3.0 + with: + url: "https://download.sysinternals.com/files/Coreinfo.zip" + target: _build/coreinfo/ + - name: get cpu info + working-directory: _build + run: | + 7z.exe x coreinfo/Coreinfo.zip + ./Coreinfo64.exe -accepteula -f + ./apps/openssl.exe version -c - name: test working-directory: _build run: nmake test VERBOSE_FAILURE=yes TESTS=-test_fuzz* HARNESS_JOBS=4 diff --git a/.github/workflows/windows_comp.yml b/.github/workflows/windows_comp.yml index 8f19b812a7..3ffd5f2e72 100644 --- a/.github/workflows/windows_comp.yml +++ b/.github/workflows/windows_comp.yml @@ -41,6 +41,17 @@ jobs: - name: build working-directory: _build run: nmake + - name: download coreinfo + uses: suisei-cn/actions-download-file@v1.3.0 + with: + url: "https://download.sysinternals.com/files/Coreinfo.zip" + target: _build/coreinfo/ + - name: get cpu info + working-directory: _build + run: | + 7z.exe x coreinfo/Coreinfo.zip + ./Coreinfo64.exe -accepteula -f + ./apps/openssl.exe version -c - name: test working-directory: _build run: | @@ -68,6 +79,17 @@ jobs: - name: build working-directory: _build run: nmake + - name: download coreinfo + uses: suisei-cn/actions-download-file@v1.3.0 + with: + url: "https://download.sysinternals.com/files/Coreinfo.zip" + target: _build/coreinfo/ + - name: get cpu info + working-directory: _build + run: | + 7z.exe x coreinfo/Coreinfo.zip + ./Coreinfo64.exe -accepteula -f + ./apps/openssl.exe version -c - name: test working-directory: _build run: | -- Gitee From 3e61973c10f6c7fd003052d96f813d0171dd1d1a Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 29 Sep 2023 12:09:10 +0200 Subject: [PATCH 24/60] coveralls: Drop no-shared and -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22222) Signed-off-by: fly2x --- .github/workflows/coveralls.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/coveralls.yml b/.github/workflows/coveralls.yml index d321bc483a..6df0543e5d 100644 --- a/.github/workflows/coveralls.yml +++ b/.github/workflows/coveralls.yml @@ -26,13 +26,13 @@ jobs: branches: [ { branch: openssl-3.1, - extra_config: no-afalgeng enable-fips enable-ssl-trace enable-trace enable-zlib enable-rc5 enable-md2 enable-weak-ssl-ciphers enable-ec_nistp_64_gcc_128 + extra_config: no-afalgeng enable-fips }, { branch: openssl-3.0, - extra_config: no-afalgeng enable-fips enable-ssl-trace enable-trace enable-zlib enable-rc5 enable-md2 enable-weak-ssl-ciphers enable-ec_nistp_64_gcc_128 + extra_config: no-afalgeng enable-fips }, { branch: master, - extra_config: no-afalgeng enable-fips enable-ssl-trace enable-trace enable-zlib enable-rc5 enable-md2 enable-weak-ssl-ciphers enable-ec_nistp_64_gcc_128 enable-tfo + extra_config: no-afalgeng enable-fips enable-tfo } ] runs-on: ubuntu-latest @@ -56,7 +56,7 @@ jobs: - name: setup hostname workaround run: sudo hostname localhost - name: config - run: CC=gcc ./config --debug --coverage ${{ matrix.branches.extra_config }} no-asm enable-rc5 enable-md2 enable-ssl3 enable-nextprotoneg enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 no-shared enable-buildtest-c++ enable-external-tests -DPEDANTIC -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION + run: CC=gcc ./config --debug --coverage ${{ matrix.branches.extra_config }} no-asm enable-rc5 enable-md2 enable-ssl3 enable-nextprotoneg enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 enable-buildtest-c++ enable-ssl-trace enable-trace - name: config dump run: ./configdata.pm --dump - name: make -- Gitee From da86ba7008ea6d7bed1bdee89693acf77717452d Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 29 Sep 2023 14:55:05 +0200 Subject: [PATCH 25/60] quicapitest: Enable test_ssl_trace with enable-zlib To improve Coverage mapping in Coveralls make it possible to run test_ssl_trace() with enable-zlib Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22222) Signed-off-by: fly2x --- test/quicapitest.c | 11 +- .../75-test_quicapi_data/ssltraceref-zlib.txt | 302 ++++++++++++++++++ 2 files changed, 309 insertions(+), 4 deletions(-) create mode 100644 test/recipes/75-test_quicapi_data/ssltraceref-zlib.txt diff --git a/test/quicapitest.c b/test/quicapitest.c index 8452ba4b62..273f1421e7 100644 --- a/test/quicapitest.c +++ b/test/quicapitest.c @@ -33,10 +33,9 @@ static char *datadir = NULL; static int is_fips = 0; /* The ssltrace test assumes some options are switched on/off */ -#if !defined(OPENSSL_NO_SSL_TRACE) && !defined(OPENSSL_NO_EC) \ - && defined(OPENSSL_NO_ZLIB) && defined(OPENSSL_NO_BROTLI) \ - && defined(OPENSSL_NO_ZSTD) && !defined(OPENSSL_NO_ECX) \ - && !defined(OPENSSL_NO_DH) +#if !defined(OPENSSL_NO_SSL_TRACE) \ + && defined(OPENSSL_NO_BROTLI) && defined(OPENSSL_NO_ZSTD) \ + && !defined(OPENSSL_NO_ECX) && !defined(OPENSSL_NO_DH) # define DO_SSL_TRACE_TEST #endif @@ -426,7 +425,11 @@ static int compare_with_file(BIO *membio) int ret = 0; size_t i; +#ifdef OPENSSL_NO_ZLIB reffile = test_mk_file_path(datadir, "ssltraceref.txt"); +#else + reffile = test_mk_file_path(datadir, "ssltraceref-zlib.txt"); +#endif if (!TEST_ptr(reffile)) goto err; diff --git a/test/recipes/75-test_quicapi_data/ssltraceref-zlib.txt b/test/recipes/75-test_quicapi_data/ssltraceref-zlib.txt new file mode 100644 index 0000000000..e8bdee624f --- /dev/null +++ b/test/recipes/75-test_quicapi_data/ssltraceref-zlib.txt @@ -0,0 +1,302 @@ +Sent TLS Record +Header: + Version = TLS 1.0 (0x301) + Content Type = Handshake (22) + Length = 263 + ClientHello, Length=259 + client_version=0x303 (TLS 1.2) + Random: + gmt_unix_time=0x???????? + random_bytes (len=28): ???????????????????????????????????????????????????????? + session_id (len=0): + cipher_suites (len=2) + {0x13, 0x01} TLS_AES_128_GCM_SHA256 + compression_methods (len=1) + No Compression (0x00) + extensions, length = 216 + extension_type=UNKNOWN(57), length=49 + 0000 - 0c 00 0f 00 01 04 80 00-75 30 03 02 44 b0 0e ........u0..D.. + 000f - 01 02 04 04 80 0c 00 00-05 04 80 08 00 00 06 ............... + 001e - 04 80 08 00 00 07 04 80-08 00 00 08 02 40 64 .............@d + 002d - 09 02 40 64 ..@d + extension_type=ec_point_formats(11), length=4 + uncompressed (0) + ansiX962_compressed_prime (1) + ansiX962_compressed_char2 (2) + extension_type=supported_groups(10), length=22 + ecdh_x25519 (29) + secp256r1 (P-256) (23) + ecdh_x448 (30) + secp521r1 (P-521) (25) + secp384r1 (P-384) (24) + ffdhe2048 (256) + ffdhe3072 (257) + ffdhe4096 (258) + ffdhe6144 (259) + ffdhe8192 (260) + extension_type=session_ticket(35), length=0 + extension_type=application_layer_protocol_negotiation(16), length=11 + ossltest + extension_type=encrypt_then_mac(22), length=0 + extension_type=extended_master_secret(23), length=0 + extension_type=signature_algorithms(13), length=36 + ecdsa_secp256r1_sha256 (0x0403) + ecdsa_secp384r1_sha384 (0x0503) + ecdsa_secp521r1_sha512 (0x0603) + ed25519 (0x0807) + ed448 (0x0808) + ecdsa_brainpoolP256r1_sha256 (0x081a) + ecdsa_brainpoolP384r1_sha384 (0x081b) + ecdsa_brainpoolP512r1_sha512 (0x081c) + rsa_pss_pss_sha256 (0x0809) + rsa_pss_pss_sha384 (0x080a) + rsa_pss_pss_sha512 (0x080b) + rsa_pss_rsae_sha256 (0x0804) + rsa_pss_rsae_sha384 (0x0805) + rsa_pss_rsae_sha512 (0x0806) + rsa_pkcs1_sha256 (0x0401) + rsa_pkcs1_sha384 (0x0501) + rsa_pkcs1_sha512 (0x0601) + extension_type=supported_versions(43), length=3 + TLS 1.3 (772) + extension_type=psk_key_exchange_modes(45), length=2 + psk_dhe_ke (1) + extension_type=key_share(51), length=38 + NamedGroup: ecdh_x25519 (29) + key_exchange: (len=32): ???????????????????????????????????????????????????????????????? + extension_type=compress_certificate(27), length=3 + zlib (1) + +Sent Frame: Crypto + Offset: 0 + Len: 263 +Sent Frame: Padding +Sent Packet + Packet Type: Initial + Version: 0x00000001 + Destination Conn Id: 0x???????????????? + Source Conn Id: + Payload length: 1178 + Token: + Packet Number: 0x00000000 +Sent Datagram + Length: 1200 +Received Datagram + Length: 1200 +Received Datagram + Length: 234 +Received Packet + Packet Type: Initial + Version: 0x00000001 + Destination Conn Id: + Source Conn Id: 0x???????????????? + Payload length: 115 + Token: + Packet Number: 0x00000000 +Received Frame: Ack (without ECN) + Largest acked: 0 + Ack delay (raw) 0 + Ack range count: 0 + First ack range: 0 +Received Frame: Crypto + Offset: 0 + Len: 90 +Received TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = Handshake (22) + Length = 90 + Inner Content Type = Handshake (22) + ServerHello, Length=86 + server_version=0x303 (TLS 1.2) + Random: + gmt_unix_time=0x???????? + random_bytes (len=28): ???????????????????????????????????????????????????????? + session_id (len=0): + cipher_suite {0x13, 0x01} TLS_AES_128_GCM_SHA256 + compression_method: No Compression (0x00) + extensions, length = 46 + extension_type=supported_versions(43), length=2 + TLS 1.3 (772) + extension_type=key_share(51), length=36 + NamedGroup: ecdh_x25519 (29) + key_exchange: (len=32): ???????????????????????????????????????????????????????????????? + +Received Packet + Packet Type: Handshake + Version: 0x00000001 + Destination Conn Id: + Source Conn Id: 0x???????????????? + Payload length: 213 + Packet Number: 0x00000001 +Received Packet + Packet Type: Handshake + Version: 0x00000001 + Destination Conn Id: + Source Conn Id: 0x???????????????? + Payload length: 1042 + Packet Number: 0x00000000 +Received Frame: Crypto + Offset: 1022 + Len: 192 +Received Frame: Crypto + Offset: 0 + Len: 1022 +Received TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = ApplicationData (23) + Length = 1022 + Inner Content Type = Handshake (22) + EncryptedExtensions, Length=88 + extensions, length = 86 + extension_type=UNKNOWN(57), length=67 + 0000 - 0c 00 00 08 ?? ?? ?? ??-?? ?? ?? ?? 0f 08 ?? ....????????..? + 000f - ?? ?? ?? ?? ?? ?? ?? 01-04 80 00 75 30 03 02 ???????....u0.. + 001e - 44 b0 0e 01 02 04 04 80-0c 00 00 05 04 80 08 D.............. + 002d - 00 00 06 04 80 08 00 00-07 04 80 08 00 00 08 ............... + 003c - 02 40 64 09 02 40 64 .@d..@d + extension_type=application_layer_protocol_negotiation(16), length=11 + ossltest + + Certificate, Length=818 + context (len=0): + certificate_list, length=814 + ASN.1Cert, length=809 +------details----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 2 (0x2) + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN = Root CA + Validity + Not Before: Jan 14 22:29:46 2016 GMT + Not After : Jan 15 22:29:46 2116 GMT + Subject: CN = server.example + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:d5:5d:60:6a:df:fc:61:ee:48:aa:8c:11:48:43: + a5:6d:b6:52:5d:aa:98:49:b1:61:92:35:b1:fc:3a: + 04:25:0c:6d:79:ff:b4:d5:c9:e9:5c:1c:3b:e0:ab: + b3:b8:7d:a3:de:6d:bd:e0:dd:d7:5a:bf:14:47:11: + 42:5e:a6:82:d0:61:c1:7f:dd:13:46:e6:09:85:07: + 0e:f2:d4:fc:1a:64:d2:0a:ad:20:ab:20:6b:96:f0: + ad:cc:c4:19:53:55:dc:01:1d:a4:b3:ef:8a:b4:49: + 53:5d:8a:05:1c:f1:dc:e1:44:bf:c5:d7:e2:77:19: + 57:5c:97:0b:75:ee:88:43:71:0f:ca:6c:c1:b4:b2: + 50:a7:77:46:6c:58:0f:11:bf:f1:76:24:5a:ae:39: + 42:b7:51:67:29:e1:d0:55:30:6f:17:e4:91:ea:ad: + f8:28:c2:43:6f:a2:64:a9:fb:9d:98:92:62:48:3e: + eb:0d:4f:82:4a:8a:ff:3f:72:ee:96:b5:ae:a1:c1: + 98:ba:ef:7d:90:75:6d:ff:5a:52:9e:ab:f5:c0:7e: + d0:87:43:db:85:07:07:0f:7d:38:7a:fd:d1:d3:ee: + 65:1d:d3:ea:39:6a:87:37:ee:4a:d3:e0:0d:6e:f5: + 70:ac:c2:bd:f1:6e:f3:92:95:5e:a9:f0:a1:65:95: + 93:8d + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + C0:E7:84:BF:E8:59:27:33:10:B0:52:4F:51:52:2F:06:D6:C0:7A:CD + X509v3 Authority Key Identifier: + 70:7F:2E:AE:83:68:59:98:04:23:2A:CD:EB:3E:17:CD:24:DD:01:49 + X509v3 Basic Constraints: + CA:FALSE + X509v3 Extended Key Usage: + TLS Web Server Authentication + X509v3 Subject Alternative Name: + DNS:server.example + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 7b:d3:04:43:75:8a:0f:11:ae:c4:fb:d7:a1:a2:9e:fe:20:18: + d5:f4:2f:31:88:46:b6:75:8c:ee:e5:9b:97:a6:b9:a3:cd:60: + 9a:46:c3:48:97:e5:97:68:f7:5a:86:35:73:d9:69:9e:f9:5f: + 74:b9:e6:94:13:01:cb:6a:dc:e3:c4:04:e9:65:da:9c:a4:8b: + 28:f3:f9:9a:7f:bf:97:1f:45:92:e5:05:b1:56:e6:0b:f6:47: + de:1e:89:b6:2b:e1:4d:df:4a:7e:01:d3:23:dc:97:8c:47:fe: + 5f:c7:cc:98:46:0e:c4:83:5b:ca:8a:f1:52:09:be:6b:ec:3f: + 09:8b:d0:93:02:bf:e1:51:e7:d1:7e:34:56:19:74:d0:ff:28: + 25:de:b7:9f:56:52:91:7d:20:29:85:0a:80:44:5f:71:32:25: + 71:0f:c2:16:e2:5f:6b:1d:3f:32:5b:0a:3c:74:1c:b9:62:f1: + ed:07:50:a3:6d:b4:b4:31:0a:c0:53:44:6a:3a:88:84:8b:2d: + a9:b0:37:8e:e6:18:36:bd:9a:20:40:0f:01:92:8b:3d:aa:61: + e7:ae:2c:ed:36:cd:3a:07:86:74:3a:29:b3:d7:3a:b4:00:a9: + c2:f5:92:78:0e:e2:0f:a3:fe:bb:be:e0:06:53:84:59:1d:90: + 69:e5:b6:f9 +-----BEGIN CERTIFICATE----- +MIIDJTCCAg2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDExNDIyMjk0NloYDzIxMTYwMTE1MjIyOTQ2WjAZMRcwFQYDVQQD +DA5zZXJ2ZXIuZXhhbXBsZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +ANVdYGrf/GHuSKqMEUhDpW22Ul2qmEmxYZI1sfw6BCUMbXn/tNXJ6VwcO+Crs7h9 +o95tveDd11q/FEcRQl6mgtBhwX/dE0bmCYUHDvLU/Bpk0gqtIKsga5bwrczEGVNV +3AEdpLPvirRJU12KBRzx3OFEv8XX4ncZV1yXC3XuiENxD8pswbSyUKd3RmxYDxG/ +8XYkWq45QrdRZynh0FUwbxfkkeqt+CjCQ2+iZKn7nZiSYkg+6w1PgkqK/z9y7pa1 +rqHBmLrvfZB1bf9aUp6r9cB+0IdD24UHBw99OHr90dPuZR3T6jlqhzfuStPgDW71 +cKzCvfFu85KVXqnwoWWVk40CAwEAAaN9MHswHQYDVR0OBBYEFMDnhL/oWSczELBS +T1FSLwbWwHrNMB8GA1UdIwQYMBaAFHB/Lq6DaFmYBCMqzes+F80k3QFJMAkGA1Ud +EwQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4 +YW1wbGUwDQYJKoZIhvcNAQELBQADggEBAHvTBEN1ig8RrsT716Ginv4gGNX0LzGI +RrZ1jO7lm5emuaPNYJpGw0iX5Zdo91qGNXPZaZ75X3S55pQTActq3OPEBOll2pyk +iyjz+Zp/v5cfRZLlBbFW5gv2R94eibYr4U3fSn4B0yPcl4xH/l/HzJhGDsSDW8qK +8VIJvmvsPwmL0JMCv+FR59F+NFYZdND/KCXet59WUpF9ICmFCoBEX3EyJXEPwhbi +X2sdPzJbCjx0HLli8e0HUKNttLQxCsBTRGo6iISLLamwN47mGDa9miBADwGSiz2q +YeeuLO02zToHhnQ6KbPXOrQAqcL1kngO4g+j/ru+4AZThFkdkGnltvk= +-----END CERTIFICATE----- +------------------ + No extensions + +Received TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = ApplicationData (23) + Length = 192 + Inner Content Type = Handshake (22) + CertificateVerify, Length=260 + Signature Algorithm: rsa_pss_rsae_sha256 (0x0804) + Signature (len=256): ???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? + + Finished, Length=32 + verify_data (len=32): ???????????????????????????????????????????????????????????????? + +Sent TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = ApplicationData (23) + Length = 36 + Inner Content Type = Handshake (22) + Finished, Length=32 + verify_data (len=32): ???????????????????????????????????????????????????????????????? + +Sent Frame: Ack (without ECN) + Largest acked: 0 + Ack delay (raw) 0 + Ack range count: 0 + First ack range: 0 +Sent Frame: Ack (without ECN) + Largest acked: 1 + Ack delay (raw) 0 + Ack range count: 0 + First ack range: 1 +Sent Frame: Crypto + Offset: 0 + Len: 36 +Sent Frame: Padding +Sent Packet + Packet Type: Initial + Version: 0x00000001 + Destination Conn Id: 0x???????????????? + Source Conn Id: + Payload length: 1097 + Token: + Packet Number: 0x00000001 +Sent Packet + Packet Type: Handshake + Version: 0x00000001 + Destination Conn Id: 0x???????????????? + Source Conn Id: + Payload length: 60 + Packet Number: 0x00000000 +Sent Datagram + Length: 1200 -- Gitee From 509952fbd2098592805bd435f58840fda6a77e29 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 2 Oct 2023 15:38:12 +0200 Subject: [PATCH 26/60] All lh_stats functions were deprecated in 3.1 Reviewed-by: Matthias St. Pierre Reviewed-by: Tom Cosgrove Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22247) Signed-off-by: fly2x --- crypto/lhash/lh_stats.c | 4 ++-- doc/internal/man7/deprecation.pod | 2 +- doc/man3/OPENSSL_LH_COMPFUNC.pod | 2 +- doc/man3/OPENSSL_LH_stats.pod | 18 +++++++++--------- include/openssl/lhash.h.in | 18 +++++++++--------- util/libcrypto.num | 12 ++++++------ 6 files changed, 28 insertions(+), 28 deletions(-) diff --git a/crypto/lhash/lh_stats.c b/crypto/lhash/lh_stats.c index 36a177129e..ea0a3252a6 100644 --- a/crypto/lhash/lh_stats.c +++ b/crypto/lhash/lh_stats.c @@ -23,7 +23,7 @@ #include "lhash_local.h" # ifndef OPENSSL_NO_STDIO -# ifndef OPENSSL_NO_DEPRECATED_3_2 +# ifndef OPENSSL_NO_DEPRECATED_3_1 void OPENSSL_LH_stats(const OPENSSL_LHASH *lh, FILE *fp) { BIO *bp; @@ -62,7 +62,7 @@ void OPENSSL_LH_node_usage_stats(const OPENSSL_LHASH *lh, FILE *fp) # endif # endif -# ifndef OPENSSL_NO_DEPRECATED_3_2 +# ifndef OPENSSL_NO_DEPRECATED_3_1 /* * These functions are implemented as separate static functions as they are * called from the stdio functions above and calling deprecated functions will diff --git a/doc/internal/man7/deprecation.pod b/doc/internal/man7/deprecation.pod index 87cdcb13c8..de34c30fa2 100644 --- a/doc/internal/man7/deprecation.pod +++ b/doc/internal/man7/deprecation.pod @@ -2,7 +2,7 @@ =head1 NAME -OPENSSL_NO_DEPRECATED_3_2, OSSL_DEPRECATEDIN_3_2, +OPENSSL_NO_DEPRECATED_3_1, OSSL_DEPRECATEDIN_3_1, OPENSSL_NO_DEPRECATED_3_0, OSSL_DEPRECATEDIN_3_0, OPENSSL_NO_DEPRECATED_1_1_1, OSSL_DEPRECATEDIN_1_1_1, OPENSSL_NO_DEPRECATED_1_1_0, OSSL_DEPRECATEDIN_1_1_0, diff --git a/doc/man3/OPENSSL_LH_COMPFUNC.pod b/doc/man3/OPENSSL_LH_COMPFUNC.pod index e1eba6b965..d3091f6a56 100644 --- a/doc/man3/OPENSSL_LH_COMPFUNC.pod +++ b/doc/man3/OPENSSL_LH_COMPFUNC.pod @@ -280,7 +280,7 @@ L In OpenSSL 1.0.0, the lhash interface was revamped for better type checking. -In OpenSSL 3.2, B() was introduced and B() +In OpenSSL 3.1, B() was introduced and B() was deprecated. =head1 COPYRIGHT diff --git a/doc/man3/OPENSSL_LH_stats.pod b/doc/man3/OPENSSL_LH_stats.pod index 01381e9216..fb95928d8f 100644 --- a/doc/man3/OPENSSL_LH_stats.pod +++ b/doc/man3/OPENSSL_LH_stats.pod @@ -10,16 +10,16 @@ OPENSSL_LH_node_stats_bio, OPENSSL_LH_node_usage_stats_bio - LHASH statistics #include +The following functions have been deprecated since OpenSSL 3.1, and can be +hidden entirely by defining B with a suitable version value, +see L: + void OPENSSL_LH_node_stats(LHASH *table, FILE *out); void OPENSSL_LH_node_usage_stats(LHASH *table, FILE *out); void OPENSSL_LH_node_stats_bio(LHASH *table, BIO *out); void OPENSSL_LH_node_usage_stats_bio(LHASH *table, BIO *out); -The following functions have been deprecated since OpenSSL 3.2, and can be -hidden entirely by defining B with a suitable version value, -see L: - void OPENSSL_LH_stats(LHASH *table, FILE *out); void OPENSSL_LH_stats_bio(LHASH *table, BIO *out); @@ -48,8 +48,7 @@ record a miss. OPENSSL_LH_stats_bio(), OPENSSL_LH_node_stats_bio() and OPENSSL_LH_node_usage_stats_bio() are the same as the above, except that the output goes to a B. -OPENSSH_LH_stats() and OPENSSH_LH_stats_bio() are deprecated and should no -longer be used. +These functions are deprecated and should no longer be used. =head1 RETURN VALUES @@ -61,13 +60,14 @@ These calls should be made under a read lock. Refer to L for more details about the locks required when using the LHASH data structure. -The functions OPENSSH_LH_stats() and OPENSSH_LH_stats_bio() were deprecated in -version 3.2. - =head1 SEE ALSO L, L +=head1 HISTORY + +These functions were deprecated in version 3.1. + =head1 COPYRIGHT Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. diff --git a/include/openssl/lhash.h.in b/include/openssl/lhash.h.in index 780639bd49..97dd3a4b84 100644 --- a/include/openssl/lhash.h.in +++ b/include/openssl/lhash.h.in @@ -97,16 +97,16 @@ unsigned long OPENSSL_LH_get_down_load(const OPENSSL_LHASH *lh); void OPENSSL_LH_set_down_load(OPENSSL_LHASH *lh, unsigned long down_load); # ifndef OPENSSL_NO_STDIO -# ifndef OPENSSL_NO_DEPRECATED_3_2 -OSSL_DEPRECATEDIN_3_2 void OPENSSL_LH_stats(const OPENSSL_LHASH *lh, FILE *fp); -OSSL_DEPRECATEDIN_3_2 void OPENSSL_LH_node_stats(const OPENSSL_LHASH *lh, FILE *fp); -OSSL_DEPRECATEDIN_3_2 void OPENSSL_LH_node_usage_stats(const OPENSSL_LHASH *lh, FILE *fp); +# ifndef OPENSSL_NO_DEPRECATED_3_1 +OSSL_DEPRECATEDIN_3_1 void OPENSSL_LH_stats(const OPENSSL_LHASH *lh, FILE *fp); +OSSL_DEPRECATEDIN_3_1 void OPENSSL_LH_node_stats(const OPENSSL_LHASH *lh, FILE *fp); +OSSL_DEPRECATEDIN_3_1 void OPENSSL_LH_node_usage_stats(const OPENSSL_LHASH *lh, FILE *fp); # endif # endif -# ifndef OPENSSL_NO_DEPRECATED_3_2 -OSSL_DEPRECATEDIN_3_2 void OPENSSL_LH_stats_bio(const OPENSSL_LHASH *lh, BIO *out); -OSSL_DEPRECATEDIN_3_2 void OPENSSL_LH_node_stats_bio(const OPENSSL_LHASH *lh, BIO *out); -OSSL_DEPRECATEDIN_3_2 void OPENSSL_LH_node_usage_stats_bio(const OPENSSL_LHASH *lh, BIO *out); +# ifndef OPENSSL_NO_DEPRECATED_3_1 +OSSL_DEPRECATEDIN_3_1 void OPENSSL_LH_stats_bio(const OPENSSL_LHASH *lh, BIO *out); +OSSL_DEPRECATEDIN_3_1 void OPENSSL_LH_node_stats_bio(const OPENSSL_LHASH *lh, BIO *out); +OSSL_DEPRECATEDIN_3_1 void OPENSSL_LH_node_usage_stats_bio(const OPENSSL_LHASH *lh, BIO *out); # endif # ifndef OPENSSL_NO_DEPRECATED_1_1_0 @@ -181,7 +181,7 @@ OSSL_DEPRECATEDIN_3_2 void OPENSSL_LH_node_usage_stats_bio(const OPENSSL_LHASH * } \ LHASH_OF(type) -# ifndef OPENSSL_NO_DEPRECATED_3_2 +# ifndef OPENSSL_NO_DEPRECATED_3_1 # define DEFINE_LHASH_OF_DEPRECATED(type) \ static ossl_unused ossl_inline void \ lh_##type##_node_stats_bio(const LHASH_OF(type) *lh, BIO *out) \ diff --git a/util/libcrypto.num b/util/libcrypto.num index 6af1fe1707..a16f93db47 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -1178,7 +1178,7 @@ OPENSSL_uni2asc 1205 3_0_0 EXIST::FUNCTION: SCT_validation_status_string 1206 3_0_0 EXIST::FUNCTION:CT PKCS7_add_attribute 1207 3_0_0 EXIST::FUNCTION: ENGINE_register_DSA 1208 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE -OPENSSL_LH_node_stats 1209 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_2,STDIO +OPENSSL_LH_node_stats 1209 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_1,STDIO X509_policy_tree_free 1210 3_0_0 EXIST::FUNCTION: EC_GFp_simple_method 1211 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,EC X509_it 1212 3_0_0 EXIST::FUNCTION: @@ -1317,7 +1317,7 @@ BIO_f_linebuffer 1346 3_0_0 EXIST::FUNCTION: ASN1_item_d2i_bio 1347 3_0_0 EXIST::FUNCTION: ENGINE_get_flags 1348 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE OCSP_resp_find 1349 3_0_0 EXIST::FUNCTION:OCSP -OPENSSL_LH_node_usage_stats_bio 1350 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_2 +OPENSSL_LH_node_usage_stats_bio 1350 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_1 EVP_PKEY_encrypt 1351 3_0_0 EXIST::FUNCTION: CRYPTO_cfb128_8_encrypt 1352 3_0_0 EXIST::FUNCTION: SXNET_get_id_INTEGER 1353 3_0_0 EXIST::FUNCTION: @@ -1790,7 +1790,7 @@ X509V3_EXT_REQ_add_conf 1832 3_0_0 EXIST::FUNCTION: ASN1_STRING_to_UTF8 1833 3_0_0 EXIST::FUNCTION: EVP_MD_meth_set_update 1835 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 EVP_camellia_192_cbc 1836 3_0_0 EXIST::FUNCTION:CAMELLIA -OPENSSL_LH_stats_bio 1837 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_2 +OPENSSL_LH_stats_bio 1837 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_1 PKCS7_set_signed_attributes 1838 3_0_0 EXIST::FUNCTION: EC_KEY_priv2buf 1839 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,EC BN_BLINDING_free 1840 3_0_0 EXIST::FUNCTION: @@ -1973,7 +1973,7 @@ i2d_TS_REQ_fp 2019 3_0_0 EXIST::FUNCTION:STDIO,TS i2d_OTHERNAME 2020 3_0_0 EXIST::FUNCTION: EC_KEY_get0_private_key 2021 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,EC SCT_get0_extensions 2022 3_0_0 EXIST::FUNCTION:CT -OPENSSL_LH_node_stats_bio 2023 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_2 +OPENSSL_LH_node_stats_bio 2023 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_1 i2d_DIRECTORYSTRING 2024 3_0_0 EXIST::FUNCTION: BN_X931_derive_prime_ex 2025 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 ENGINE_get_pkey_asn1_meth_str 2026 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE @@ -2553,7 +2553,7 @@ EVP_DecodeUpdate 2609 3_0_0 EXIST::FUNCTION: ENGINE_get_default_RAND 2610 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE ERR_peek_last_error_line 2611 3_0_0 EXIST::FUNCTION: ENGINE_get_ssl_client_cert_function 2612 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE -OPENSSL_LH_node_usage_stats 2613 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_2,STDIO +OPENSSL_LH_node_usage_stats 2613 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_1,STDIO DIRECTORYSTRING_it 2614 3_0_0 EXIST::FUNCTION: BIO_write 2615 3_0_0 EXIST::FUNCTION: OCSP_ONEREQ_get_ext_by_OBJ 2616 3_0_0 EXIST::FUNCTION:OCSP @@ -3073,7 +3073,7 @@ TXT_DB_free 3139 3_0_0 EXIST::FUNCTION: ASN1_STRING_set 3140 3_0_0 EXIST::FUNCTION: d2i_ESS_CERT_ID 3141 3_0_0 EXIST::FUNCTION: EVP_PKEY_meth_set_derive 3142 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 -OPENSSL_LH_stats 3143 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_2,STDIO +OPENSSL_LH_stats 3143 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_1,STDIO NCONF_dump_fp 3144 3_0_0 EXIST::FUNCTION:STDIO TS_STATUS_INFO_print_bio 3145 3_0_0 EXIST::FUNCTION:TS OPENSSL_sk_dup 3146 3_0_0 EXIST::FUNCTION: -- Gitee From d16159bfc3d26f07d19ed2a4139c941cbe8c6742 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 2 Oct 2023 15:49:42 +0200 Subject: [PATCH 27/60] macros.h: There are just 3.1 deprecations, no 3.2 deprecations Reviewed-by: Matthias St. Pierre Reviewed-by: Tom Cosgrove Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22247) Signed-off-by: fly2x --- include/openssl/macros.h | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/include/openssl/macros.h b/include/openssl/macros.h index 66fa4eec2e..e9ef938747 100644 --- a/include/openssl/macros.h +++ b/include/openssl/macros.h @@ -169,7 +169,7 @@ * 'no-deprecated'. */ -# undef OPENSSL_NO_DEPRECATED_3_2 +# undef OPENSSL_NO_DEPRECATED_3_1 # undef OPENSSL_NO_DEPRECATED_3_0 # undef OPENSSL_NO_DEPRECATED_1_1_1 # undef OPENSSL_NO_DEPRECATED_1_1_0 @@ -178,16 +178,16 @@ # undef OPENSSL_NO_DEPRECATED_1_0_0 # undef OPENSSL_NO_DEPRECATED_0_9_8 -# if OPENSSL_API_LEVEL >= 30200 +# if OPENSSL_API_LEVEL >= 30100 # ifndef OPENSSL_NO_DEPRECATED -# define OSSL_DEPRECATEDIN_3_2 OSSL_DEPRECATED(3.2) -# define OSSL_DEPRECATEDIN_3_2_FOR(msg) OSSL_DEPRECATED_FOR(3.2, msg) +# define OSSL_DEPRECATEDIN_3_1 OSSL_DEPRECATED(3.1) +# define OSSL_DEPRECATEDIN_3_1_FOR(msg) OSSL_DEPRECATED_FOR(3.1, msg) # else -# define OPENSSL_NO_DEPRECATED_3_2 +# define OPENSSL_NO_DEPRECATED_3_1 # endif # else -# define OSSL_DEPRECATEDIN_3_2 -# define OSSL_DEPRECATEDIN_3_2_FOR(msg) +# define OSSL_DEPRECATEDIN_3_1 +# define OSSL_DEPRECATEDIN_3_1_FOR(msg) # endif # if OPENSSL_API_LEVEL >= 30000 # ifndef OPENSSL_NO_DEPRECATED -- Gitee From 0a9771508f81f5b4cd24e1d8b8388cf49b8bf536 Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Mon, 2 Oct 2023 09:49:34 +0200 Subject: [PATCH 28/60] Occupy the rec_version field of a decoded dtls record Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22238) Signed-off-by: fly2x --- ssl/record/methods/dtls_meth.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/ssl/record/methods/dtls_meth.c b/ssl/record/methods/dtls_meth.c index fd89038eb0..7205283173 100644 --- a/ssl/record/methods/dtls_meth.c +++ b/ssl/record/methods/dtls_meth.c @@ -383,7 +383,6 @@ int dtls_get_more_records(OSSL_RECORD_LAYER *rl) size_t more, n; TLS_RL_RECORD *rr; unsigned char *p = NULL; - unsigned short version; DTLS_BITMAP *bitmap; unsigned int is_next_epoch; @@ -438,7 +437,7 @@ int dtls_get_more_records(OSSL_RECORD_LAYER *rl) rr->type = *(p++); ssl_major = *(p++); ssl_minor = *(p++); - version = (ssl_major << 8) | ssl_minor; + rr->rec_version = (ssl_major << 8) | ssl_minor; /* sequence number is 64 bits, with top 2 bytes = epoch */ n2s(p, rr->epoch); @@ -453,7 +452,7 @@ int dtls_get_more_records(OSSL_RECORD_LAYER *rl) * version number (e.g. because of protocol version errors) */ if (!rl->is_first_record && rr->type != SSL3_RT_ALERT) { - if (version != rl->version) { + if (rr->rec_version != rl->version) { /* unexpected version, silently discard */ rr->length = 0; rl->packet_length = 0; -- Gitee From b9a4c4663a6c7730944edbc17639472b1c73414f Mon Sep 17 00:00:00 2001 From: Sumitra Sharma Date: Mon, 2 Oct 2023 20:53:52 +0530 Subject: [PATCH 29/60] Add openssl/pem.h inclusion for d2i_PKCS8PrivateKey Include the necessary header file openssl/pem.h in the documentation to ensure that all functions related to d2i_PKCS8PrivateKey are correctly defined. Closes openssl#22188 Signed-off-by: Sumitra Sharma Reviewed-by: Tomas Mraz Reviewed-by: Dmitry Belyavskiy Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22253) Signed-off-by: fly2x --- doc/man3/d2i_PKCS8PrivateKey_bio.pod | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/man3/d2i_PKCS8PrivateKey_bio.pod b/doc/man3/d2i_PKCS8PrivateKey_bio.pod index 5b5371b70f..e84283f63e 100644 --- a/doc/man3/d2i_PKCS8PrivateKey_bio.pod +++ b/doc/man3/d2i_PKCS8PrivateKey_bio.pod @@ -9,6 +9,7 @@ i2d_PKCS8PrivateKey_nid_bio, i2d_PKCS8PrivateKey_nid_fp - PKCS#8 format private =head1 SYNOPSIS #include + #include EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, void *u); EVP_PKEY *d2i_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY **x, pem_password_cb *cb, void *u); -- Gitee From adf04270b7f815352aa8b6ead002a43ee4b23817 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 2 Oct 2023 17:07:52 +0200 Subject: [PATCH 30/60] CHANGES.md: Mention new features added after 3.2 alpha1 Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22251) Signed-off-by: fly2x --- CHANGES.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/CHANGES.md b/CHANGES.md index f0b6898511..af5f3cd2ab 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -25,6 +25,17 @@ OpenSSL 3.2 ### Changes between 3.1 and 3.2 [xx XXX xxxx] + * Added a function to delete objects from store by URI - OSSL_STORE_delete() + and the corresponding provider-storemgmt API function + OSSL_FUNC_store_delete(). + + *Dmitry Belyavskiy* + + * Added OSSL_FUNC_store_open_ex() provider-storemgmt API function to pass + a passphrase callback when opening a store. + + *Simo Sorce* + * Changed the default salt length used by PBES2 KDF's (PBKDF2 and scrypt) from 8 bytes to 16 bytes. The PKCS5 (RFC 8018) standard uses a 64 bit salt length for PBE, and -- Gitee From 7e498ec6f12a384995e9aeae9744fad947627e9e Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Mon, 2 Oct 2023 11:47:08 +0100 Subject: [PATCH 31/60] Back off on generating noise in the event of a PING frame If either endpoint issues a PING frame while we are introducing noise into the communication then there is a danger that the connection itself will fail. We detect the PING and then back off on generating noise for a short while. It should be sufficient to just ensure that the next datagram does not get dropped for each endpoint. Fixes #22199 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22243) Signed-off-by: fly2x --- test/helpers/noisydgrambio.c | 22 ++++++++++ test/helpers/quictestlib.c | 80 +++++++++++++++++++++++++++++++----- test/helpers/quictestlib.h | 2 + test/quicapitest.c | 4 +- 4 files changed, 97 insertions(+), 11 deletions(-) diff --git a/test/helpers/noisydgrambio.c b/test/helpers/noisydgrambio.c index 8b68726dd2..33cf84c3c6 100644 --- a/test/helpers/noisydgrambio.c +++ b/test/helpers/noisydgrambio.c @@ -17,6 +17,7 @@ struct noisy_dgram_st { uint64_t this_dgram; BIO_MSG msg; uint64_t reinject_dgram; + int backoff; }; static long noisy_dgram_ctrl(BIO *bio, int cmd, long num, void *ptr) @@ -31,6 +32,16 @@ static long noisy_dgram_ctrl(BIO *bio, int cmd, long num, void *ptr) case BIO_CTRL_DUP: ret = 0L; break; + case BIO_CTRL_NOISE_BACK_OFF: { + struct noisy_dgram_st *data; + + data = BIO_get_data(bio); + if (!TEST_ptr(data)) + return 0; + data->backoff = 1; + ret = 1; + break; + } default: ret = BIO_ctrl(next, cmd, num, ptr); break; @@ -195,6 +206,17 @@ static int noisy_dgram_recvmmsg(BIO *bio, BIO_MSG *msg, size_t stride, } get_noise(&reinject, &should_drop); + if (data->backoff) { + /* + * We might be asked to back off on introducing too much noise if + * there is a danger that the connection will fail. In that case + * we always ensure that the next datagram does not get dropped so + * that the connection always survives. After that we can resume + * with normal noise + */ + should_drop = 0; + data->backoff = 0; + } /* * We ignore reinjection if a message is already waiting to be diff --git a/test/helpers/quictestlib.c b/test/helpers/quictestlib.c index 514bb6422a..0ae05e5701 100644 --- a/test/helpers/quictestlib.c +++ b/test/helpers/quictestlib.c @@ -26,6 +26,13 @@ #define GROWTH_ALLOWANCE 1024 +struct noise_args_data_st { + BIO *cbio; + BIO *sbio; + BIO *tracebio; + int flags; +}; + struct qtest_fault { QUIC_TSERVER *qtserv; @@ -62,6 +69,7 @@ struct qtest_fault { BIO_MSG msg; /* Allocated size of msg data buffer */ size_t msgalloc; + struct noise_args_data_st noiseargs; }; static void packet_plain_finish(void *arg); @@ -75,6 +83,41 @@ static OSSL_TIME fake_now_cb(void *arg) return fake_now; } +static void noise_msg_callback(int write_p, int version, int content_type, + const void *buf, size_t len, SSL *ssl, + void *arg) +{ + struct noise_args_data_st *noiseargs = (struct noise_args_data_st *)arg; + + if (content_type == SSL3_RT_QUIC_FRAME_FULL) { + PACKET pkt; + uint64_t frame_type; + + if (!PACKET_buf_init(&pkt, buf, len)) + return; + + if (!ossl_quic_wire_peek_frame_header(&pkt, &frame_type, NULL)) + return; + + if (frame_type == OSSL_QUIC_FRAME_TYPE_PING) { + /* + * If either endpoint issues a ping frame then we are in danger + * of our noise being too much such that the connection itself + * fails. We back off on the noise for a bit to avoid that. + */ + BIO_ctrl(noiseargs->cbio, BIO_CTRL_NOISE_BACK_OFF, 0, NULL); + BIO_ctrl(noiseargs->sbio, BIO_CTRL_NOISE_BACK_OFF, 0, NULL); + } + } + +#ifndef OPENSSL_NO_SSL_TRACE + if ((noiseargs->flags & QTEST_FLAG_CLIENT_TRACE) != 0 + && !SSL_is_server(ssl)) + SSL_trace(write_p, version, content_type, buf, len, ssl, + noiseargs->tracebio); +#endif +} + int qtest_create_quic_objects(OSSL_LIB_CTX *libctx, SSL_CTX *clientctx, SSL_CTX *serverctx, char *certfile, char *keyfile, int flags, QUIC_TSERVER **qtserv, SSL **cssl, @@ -89,15 +132,18 @@ int qtest_create_quic_objects(OSSL_LIB_CTX *libctx, SSL_CTX *clientctx, BIO *tmpbio = NULL; *qtserv = NULL; - if (fault != NULL) - *fault = NULL; - if (*cssl == NULL) { *cssl = SSL_new(clientctx); if (!TEST_ptr(*cssl)) return 0; } + if (fault != NULL) { + *fault = OPENSSL_zalloc(sizeof(**fault)); + if (*fault == NULL) + goto err; + } + #ifndef OPENSSL_NO_SSL_TRACE if ((flags & QTEST_FLAG_CLIENT_TRACE) != 0) { tmpbio = BIO_new_fp(stdout, BIO_NOCLOSE); @@ -170,7 +216,15 @@ int qtest_create_quic_objects(OSSL_LIB_CTX *libctx, SSL_CTX *clientctx, } if ((flags & QTEST_FLAG_NOISE) != 0) { - BIO *noisebio = BIO_new(bio_f_noisy_dgram_filter()); + BIO *noisebio; + + /* + * It is an error to not have a QTEST_FAULT object when introducing noise + */ + if (!TEST_ptr(fault)) + goto err; + + noisebio = BIO_new(bio_f_noisy_dgram_filter()); if (!TEST_ptr(noisebio)) goto err; @@ -181,6 +235,14 @@ int qtest_create_quic_objects(OSSL_LIB_CTX *libctx, SSL_CTX *clientctx, if (!TEST_ptr(noisebio)) goto err; sbio = BIO_push(noisebio, sbio); + + (*fault)->noiseargs.cbio = cbio; + (*fault)->noiseargs.sbio = sbio; + (*fault)->noiseargs.tracebio = tmpbio; + (*fault)->noiseargs.flags = flags; + + SSL_set_msg_callback(*cssl, noise_msg_callback); + SSL_set_msg_callback_arg(*cssl, &(*fault)->noiseargs); } SSL_set_bio(*cssl, cbio, cbio); @@ -192,12 +254,6 @@ int qtest_create_quic_objects(OSSL_LIB_CTX *libctx, SSL_CTX *clientctx, if (!TEST_true(SSL_set1_initial_peer_addr(*cssl, peeraddr))) goto err; - if (fault != NULL) { - *fault = OPENSSL_zalloc(sizeof(**fault)); - if (*fault == NULL) - goto err; - } - fisbio = BIO_new(qtest_get_bio_method()); if (!TEST_ptr(fisbio)) goto err; @@ -237,6 +293,10 @@ int qtest_create_quic_objects(OSSL_LIB_CTX *libctx, SSL_CTX *clientctx, sbio = NULL; fisbio = NULL; + if ((flags & QTEST_FLAG_NOISE) != 0) + ossl_quic_tserver_set_msg_callback(*qtserv, noise_msg_callback, + &(*fault)->noiseargs); + if (fault != NULL) (*fault)->qtserv = *qtserv; diff --git a/test/helpers/quictestlib.h b/test/helpers/quictestlib.h index f090299b22..d1ac350c24 100644 --- a/test/helpers/quictestlib.h +++ b/test/helpers/quictestlib.h @@ -245,6 +245,8 @@ int qtest_fault_resize_datagram(QTEST_FAULT *fault, size_t newlen); /* Copy a BIO_MSG */ int bio_msg_copy(BIO_MSG *dst, BIO_MSG *src); +#define BIO_CTRL_NOISE_BACK_OFF 1001 + /* BIO filter for simulating a noisy UDP socket */ const BIO_METHOD *bio_f_noisy_dgram_filter(void); diff --git a/test/quicapitest.c b/test/quicapitest.c index 273f1421e7..7739cbcb24 100644 --- a/test/quicapitest.c +++ b/test/quicapitest.c @@ -1410,6 +1410,7 @@ static int test_noisy_dgram(int idx) size_t msglen = strlen(msg), written, readbytes, i, j; unsigned char buf[80]; int flags = QTEST_FLAG_NOISE | QTEST_FLAG_FAKE_TIME; + QTEST_FAULT *fault = NULL; if (idx == 1) flags |= QTEST_FLAG_PACKET_SPLIT; @@ -1418,7 +1419,7 @@ static int test_noisy_dgram(int idx) || !TEST_true(qtest_create_quic_objects(libctx, cctx, NULL, cert, privkey, flags, &qtserv, - &clientquic, NULL, NULL))) + &clientquic, &fault, NULL))) goto err; if (!TEST_true(qtest_create_quic_connection(qtserv, clientquic))) @@ -1492,6 +1493,7 @@ static int test_noisy_dgram(int idx) SSL_free(stream[1]); SSL_free(clientquic); SSL_CTX_free(cctx); + qtest_fault_free(fault); return testresult; } -- Gitee From 3f1a88936abf4517961437ea1015a4376621ac79 Mon Sep 17 00:00:00 2001 From: "Matthias St. Pierre" Date: Tue, 26 Sep 2023 18:25:27 +0200 Subject: [PATCH 32/60] doc/man3: fix misnamed function name Rename `DSA_generate_prime[_ex]` to `DSA_generate_parameters[_ex]`, fixing a copy&paste error from the `BN_generate_prime[_ex]` paragraph in commit b3696a55a5ed. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22242) Signed-off-by: fly2x --- doc/man3/DSA_generate_parameters.pod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/man3/DSA_generate_parameters.pod b/doc/man3/DSA_generate_parameters.pod index 415c4c8b82..32eecb6891 100644 --- a/doc/man3/DSA_generate_parameters.pod +++ b/doc/man3/DSA_generate_parameters.pod @@ -51,7 +51,7 @@ called as shown below. For information on the BN_GENCB structure and the BN_GENCB_call function discussed below, refer to L. -DSA_generate_prime() is similar to DSA_generate_prime_ex() but +DSA_generate_parameters() is similar to DSA_generate_parameters_ex() but expects an old-style callback function; see L for information on the old-style callback. -- Gitee From 565de52c239f63395260a9103b68962837d7b7e0 Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Mon, 2 Oct 2023 09:58:30 +0200 Subject: [PATCH 33/60] Call post_process_record for dtls records Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22239) Signed-off-by: fly2x --- ssl/record/methods/dtls_meth.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ssl/record/methods/dtls_meth.c b/ssl/record/methods/dtls_meth.c index 7205283173..e71730eba6 100644 --- a/ssl/record/methods/dtls_meth.c +++ b/ssl/record/methods/dtls_meth.c @@ -568,6 +568,11 @@ int dtls_get_more_records(OSSL_RECORD_LAYER *rl) goto again; /* get another record */ } + if (rl->funcs->post_process_record && !rl->funcs->post_process_record(rl, rr)) { + /* RLAYERfatal already called */ + return OSSL_RECORD_RETURN_FATAL; + } + rl->num_recs = 1; return OSSL_RECORD_RETURN_SUCCESS; } -- Gitee From 6198370098aef74d89e6d0165e501b28d1a55017 Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Mon, 2 Oct 2023 10:58:48 +0200 Subject: [PATCH 34/60] Remove duplicates of EVP_aes_xxx_wrap() from EVP_aes_128_gcm.pod Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22236) Signed-off-by: fly2x --- doc/man3/EVP_aes_128_gcm.pod | 6 ------ 1 file changed, 6 deletions(-) diff --git a/doc/man3/EVP_aes_128_gcm.pod b/doc/man3/EVP_aes_128_gcm.pod index 09cae99129..067f17e8fc 100644 --- a/doc/man3/EVP_aes_128_gcm.pod +++ b/doc/man3/EVP_aes_128_gcm.pod @@ -134,13 +134,7 @@ section for details. EVP_aes_192_wrap(), EVP_aes_256_wrap(), EVP_aes_128_wrap_pad(), -EVP_aes_128_wrap(), -EVP_aes_192_wrap(), -EVP_aes_256_wrap(), EVP_aes_192_wrap_pad(), -EVP_aes_128_wrap(), -EVP_aes_192_wrap(), -EVP_aes_256_wrap(), EVP_aes_256_wrap_pad() AES key wrap with 128, 192 and 256 bit keys, as according to RFC 3394 section -- Gitee From 0341a0d619afde2a9e7638f0ffb509aedcbba7c6 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Mon, 26 Dec 2022 20:38:44 +0100 Subject: [PATCH 35/60] Improved detection of engine-provided private "classic" keys Resolves #17092 (?) Resolves #17286 (?) Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/19965) Signed-off-by: fly2x --- crypto/engine/eng_pkey.c | 42 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/crypto/engine/eng_pkey.c b/crypto/engine/eng_pkey.c index 6e6d6df35b..a8f1371a79 100644 --- a/crypto/engine/eng_pkey.c +++ b/crypto/engine/eng_pkey.c @@ -79,6 +79,48 @@ EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id, ERR_raise(ERR_LIB_ENGINE, ENGINE_R_FAILED_LOADING_PRIVATE_KEY); return NULL; } + /* We enforce check for legacy key */ + switch (EVP_PKEY_get_id(pkey)) { + case EVP_PKEY_RSA: + { + RSA *rsa = EVP_PKEY_get1_RSA(pkey); + EVP_PKEY_set1_RSA(pkey, rsa); + RSA_free(rsa); + } + break; +# ifndef OPENSSL_NO_EC + case EVP_PKEY_SM2: + case EVP_PKEY_EC: + { + EC_KEY *ec = EVP_PKEY_get1_EC_KEY(pkey); + EVP_PKEY_set1_EC_KEY(pkey, ec); + EC_KEY_free(ec); + } + break; +# endif +# ifndef OPENSSL_NO_DSA + case EVP_PKEY_DSA: + { + DSA *dsa = EVP_PKEY_get1_DSA(pkey); + EVP_PKEY_set1_DSA(pkey, dsa); + DSA_free(dsa); + } + break; +#endif +# ifndef OPENSSL_NO_DH + case EVP_PKEY_DH: + { + DH *dh = EVP_PKEY_get1_DH(pkey); + EVP_PKEY_set1_DH(pkey, dh); + DH_free(dh); + } + break; +#endif + default: + /*Do nothing */ + break; + } + return pkey; } -- Gitee From ccbb1cf2586661cd8fcd89ea3d463d60834669c2 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Mon, 2 Oct 2023 09:12:12 +0200 Subject: [PATCH 36/60] Restore the meaning of EVP_PKEY_print_private() With pre-3.0 OpenSSL, EVP_PKEY_print_private() calls the EVP_PKEY_ASN1_METHOD function "priv_print", effectively asking the backend to print whatever it regards as private key components. In all backends that were built into libcrypto, this function printed what was included in the private key structure, which usually includes the public key components as well. With OpenSSL 3.0, some of the corresponding key2text encoders got a slightly different behavior, where the presence of the selector OSSL_KEYMGMT_SELECT_PRIVATE_KEY without the presence of the selector OSSL_KEYMGMT_SELECT_PUBLIC_KEY would only get what would intuitively be regarded as private key components printed. This isn't entirely consistent, though, as the RSA key2text encoder will still print the public key components regardless. To compensate for the changed backend behavior, EVP_PKEY_print_private() was made to ask the encoder to print the keypair rather than just the private key, thereby moving the backend semantics to the application API. Unfortunately, this causes confusion for providers where the key2text encoder really should print the private key only. This change restores the built-in 1.1.1 backend behavior in the encoders that OpenSSL provides, and renders EVP_PKEY_print_private() more true to its documented behavior, leaving it to the backend to decide what it regards as "private key components". Fixes #22233 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22237) Signed-off-by: fly2x --- crypto/evp/p_lib.c | 2 +- include/openssl/evp.h | 2 + .../encode_decode/encode_key2text.c | 63 ++++++++----------- 3 files changed, 28 insertions(+), 39 deletions(-) diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c index bd9e5a9100..eb937d52ca 100644 --- a/crypto/evp/p_lib.c +++ b/crypto/evp/p_lib.c @@ -1201,7 +1201,7 @@ int EVP_PKEY_print_public(BIO *out, const EVP_PKEY *pkey, int EVP_PKEY_print_private(BIO *out, const EVP_PKEY *pkey, int indent, ASN1_PCTX *pctx) { - return print_pkey(pkey, out, indent, EVP_PKEY_KEYPAIR, NULL, + return print_pkey(pkey, out, indent, EVP_PKEY_PRIVATE_KEY, NULL, (pkey->ameth != NULL ? pkey->ameth->priv_print : NULL), pctx); } diff --git a/include/openssl/evp.h b/include/openssl/evp.h index f343eccbff..dbe6c72969 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -85,6 +85,8 @@ /* Easy to use macros for EVP_PKEY related selections */ # define EVP_PKEY_KEY_PARAMETERS \ ( OSSL_KEYMGMT_SELECT_ALL_PARAMETERS ) +# define EVP_PKEY_PRIVATE_KEY \ + ( EVP_PKEY_KEY_PARAMETERS | OSSL_KEYMGMT_SELECT_PRIVATE_KEY ) # define EVP_PKEY_PUBLIC_KEY \ ( EVP_PKEY_KEY_PARAMETERS | OSSL_KEYMGMT_SELECT_PUBLIC_KEY ) # define EVP_PKEY_KEYPAIR \ diff --git a/providers/implementations/encode_decode/encode_key2text.c b/providers/implementations/encode_decode/encode_key2text.c index f335870a4c..c0c2923285 100644 --- a/providers/implementations/encode_decode/encode_key2text.c +++ b/providers/implementations/encode_decode/encode_key2text.c @@ -241,7 +241,7 @@ static int dh_to_text(BIO *out, const void *key, int selection) return 0; } } - if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) { + if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) { pub_key = DH_get0_pub_key(dh); if (pub_key == NULL) { ERR_raise(ERR_LIB_PROV, PROV_R_NOT_A_PUBLIC_KEY); @@ -316,7 +316,7 @@ static int dsa_to_text(BIO *out, const void *key, int selection) return 0; } } - if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) { + if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) { pub_key = DSA_get0_pub_key(dsa); if (pub_key == NULL) { ERR_raise(ERR_LIB_PROV, PROV_R_NOT_A_PUBLIC_KEY); @@ -526,7 +526,7 @@ static int ec_to_text(BIO *out, const void *key, int selection) if (priv_len == 0) goto err; } - if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) { + if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) { const EC_POINT *pub_pt = EC_KEY_get0_public_key(ec); if (pub_pt == NULL) { @@ -577,26 +577,31 @@ static int ecx_to_text(BIO *out, const void *key, int selection) return 0; } + switch (ecx->type) { + case ECX_KEY_TYPE_X25519: + type_label = "X25519"; + break; + case ECX_KEY_TYPE_X448: + type_label = "X448"; + break; + case ECX_KEY_TYPE_ED25519: + type_label = "ED25519"; + break; + case ECX_KEY_TYPE_ED448: + type_label = "ED448"; + break; + } + if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) { if (ecx->privkey == NULL) { ERR_raise(ERR_LIB_PROV, PROV_R_NOT_A_PRIVATE_KEY); return 0; } - switch (ecx->type) { - case ECX_KEY_TYPE_X25519: - type_label = "X25519 Private-Key"; - break; - case ECX_KEY_TYPE_X448: - type_label = "X448 Private-Key"; - break; - case ECX_KEY_TYPE_ED25519: - type_label = "ED25519 Private-Key"; - break; - case ECX_KEY_TYPE_ED448: - type_label = "ED448 Private-Key"; - break; - } + if (BIO_printf(out, "%s Private-Key:\n", type_label) <= 0) + return 0; + if (!print_labeled_buf(out, "priv:", ecx->privkey, ecx->keylen)) + return 0; } else if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) { /* ecx->pubkey is an array, not a pointer... */ if (!ecx->haspubkey) { @@ -604,29 +609,11 @@ static int ecx_to_text(BIO *out, const void *key, int selection) return 0; } - switch (ecx->type) { - case ECX_KEY_TYPE_X25519: - type_label = "X25519 Public-Key"; - break; - case ECX_KEY_TYPE_X448: - type_label = "X448 Public-Key"; - break; - case ECX_KEY_TYPE_ED25519: - type_label = "ED25519 Public-Key"; - break; - case ECX_KEY_TYPE_ED448: - type_label = "ED448 Public-Key"; - break; - } + if (BIO_printf(out, "%s Public-Key:\n", type_label) <= 0) + return 0; } - if (BIO_printf(out, "%s:\n", type_label) <= 0) - return 0; - if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0 - && !print_labeled_buf(out, "priv:", ecx->privkey, ecx->keylen)) - return 0; - if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0 - && !print_labeled_buf(out, "pub:", ecx->pubkey, ecx->keylen)) + if (!print_labeled_buf(out, "pub:", ecx->pubkey, ecx->keylen)) return 0; return 1; -- Gitee From f0b8335f71b61402e8436ee10b71d46040a64e71 Mon Sep 17 00:00:00 2001 From: Sumitra Sharma Date: Tue, 3 Oct 2023 09:28:44 +0530 Subject: [PATCH 37/60] Correct documentation for PKCS5_PBKDF2_HMAC In OpenSSL 3.x, the documentation for PKCS5_PBKDF2_HMAC incorrectly states that an iter value less than 1 is treated as a single iteration. Upon further investigation in providers/implementations/kdfs/pbkdf2.c, it appears that invalid iter values will result in failure and raise the PROV_R_INVALID_ITERATION_COUNT error. This commit corrects the documentation to accurately reflect the behavior in OpenSSL 3.x. Closes openssl#22168 Signed-off-by: Sumitra Sharma Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22252) Signed-off-by: fly2x --- doc/man3/PKCS5_PBKDF2_HMAC.pod | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/doc/man3/PKCS5_PBKDF2_HMAC.pod b/doc/man3/PKCS5_PBKDF2_HMAC.pod index 0984e993da..3da271bdbf 100644 --- a/doc/man3/PKCS5_PBKDF2_HMAC.pod +++ b/doc/man3/PKCS5_PBKDF2_HMAC.pod @@ -33,7 +33,8 @@ be NULL terminated. B is the iteration count and its value should be greater than or equal to 1. RFC 2898 suggests an iteration count of at least 1000. Any -B less than 1 is treated as a single iteration. +B value less than 1 is invalid; such values will result in failure +and raise the PROV_R_INVALID_ITERATION_COUNT error. B is the message digest function used in the derivation. PKCS5_PBKDF2_HMAC_SHA1() calls PKCS5_PBKDF2_HMAC() with EVP_sha1(). -- Gitee From 360ed94fe3ba5a01daf10c0cc0f860a7d759b40a Mon Sep 17 00:00:00 2001 From: "Matthias St. Pierre" Date: Sun, 24 Sep 2023 01:24:59 +0200 Subject: [PATCH 38/60] test: evp_extra: fix indentation error Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22185) Signed-off-by: fly2x --- test/evp_extra_test.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c index bec16144f9..41de4af6ab 100644 --- a/test/evp_extra_test.c +++ b/test/evp_extra_test.c @@ -1267,11 +1267,11 @@ static int test_EVP_PKEY_sign(int tst) if (tst == 0) { if (!TEST_ptr(pkey = load_example_rsa_key())) - goto out; + goto out; } else if (tst == 1) { #ifndef OPENSSL_NO_DSA if (!TEST_ptr(pkey = load_example_dsa_key())) - goto out; + goto out; #else ret = 1; goto out; @@ -1279,7 +1279,7 @@ static int test_EVP_PKEY_sign(int tst) } else { #ifndef OPENSSL_NO_EC if (!TEST_ptr(pkey = load_example_ec_key())) - goto out; + goto out; #else ret = 1; goto out; -- Gitee From 48c216e9840ea8411139b562bee1625b26f96003 Mon Sep 17 00:00:00 2001 From: "Matthias St. Pierre" Date: Sun, 24 Sep 2023 01:13:20 +0200 Subject: [PATCH 39/60] test: evp_extra: test signing with legacy app method based keys This commit adds `test_EVP_PKEY_sign_with_app_method`, a regression test for the bug fix in commit 1acc3e8cc3c6 (pull request #22163). It is analogous to `test_EVP_PKEY_sign`, only with a fake app method based key. (The EC key test case was omitted, because there is no `EC_KEY_METHOD_dup` method.) Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22185) Signed-off-by: fly2x --- test/evp_extra_test.c | 85 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 85 insertions(+) diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c index 41de4af6ab..a0724981de 100644 --- a/test/evp_extra_test.c +++ b/test/evp_extra_test.c @@ -1313,6 +1313,88 @@ static int test_EVP_PKEY_sign(int tst) return ret; } +#ifndef OPENSSL_NO_DEPRECATED_3_0 +static int test_EVP_PKEY_sign_with_app_method(int tst) +{ + int ret = 0; + EVP_PKEY *pkey = NULL; + RSA *rsa = NULL; + RSA_METHOD *rsa_meth = NULL; +#ifndef OPENSSL_NO_DSA + DSA *dsa = NULL; + DSA_METHOD *dsa_meth = NULL; +#endif + unsigned char *sig = NULL; + size_t sig_len = 0, shortsig_len = 1; + EVP_PKEY_CTX *ctx = NULL; + unsigned char tbs[] = { + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, + 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13 + }; + + if (tst == 0) { + if (!TEST_ptr(pkey = load_example_rsa_key())) + goto out; + if (!TEST_ptr(rsa_meth = RSA_meth_dup(RSA_get_default_method()))) + goto out; + + if (!TEST_ptr(rsa = EVP_PKEY_get1_RSA(pkey)) + || !TEST_int_gt(RSA_set_method(rsa, rsa_meth), 0) + || !TEST_int_gt(EVP_PKEY_assign_RSA(pkey, rsa), 0)) + goto out; + rsa = NULL; /* now owned by the pkey */ + } else { +#ifndef OPENSSL_NO_DSA + if (!TEST_ptr(pkey = load_example_dsa_key())) + goto out; + if (!TEST_ptr(dsa_meth = DSA_meth_dup(DSA_get_default_method()))) + goto out; + + if (!TEST_ptr(dsa = EVP_PKEY_get1_DSA(pkey)) + || !TEST_int_gt(DSA_set_method(dsa, dsa_meth), 0) + || !TEST_int_gt(EVP_PKEY_assign_DSA(pkey, dsa), 0)) + goto out; + dsa = NULL; /* now owned by the pkey */ +#else + ret = 1; + goto out; +#endif + } + + ctx = EVP_PKEY_CTX_new_from_pkey(testctx, pkey, NULL); + if (!TEST_ptr(ctx) + || !TEST_int_gt(EVP_PKEY_sign_init(ctx), 0) + || !TEST_int_gt(EVP_PKEY_sign(ctx, NULL, &sig_len, tbs, + sizeof(tbs)), 0)) + goto out; + sig = OPENSSL_malloc(sig_len); + if (!TEST_ptr(sig) + /* Test sending a signature buffer that is too short is rejected */ + || !TEST_int_le(EVP_PKEY_sign(ctx, sig, &shortsig_len, tbs, + sizeof(tbs)), 0) + || !TEST_int_gt(EVP_PKEY_sign(ctx, sig, &sig_len, tbs, sizeof(tbs)), + 0) + /* Test the signature round-trips */ + || !TEST_int_gt(EVP_PKEY_verify_init(ctx), 0) + || !TEST_int_gt(EVP_PKEY_verify(ctx, sig, sig_len, tbs, sizeof(tbs)), + 0)) + goto out; + + ret = 1; + out: + EVP_PKEY_CTX_free(ctx); + OPENSSL_free(sig); + EVP_PKEY_free(pkey); + RSA_free(rsa); + RSA_meth_free(rsa_meth); +#ifndef OPENSSL_NO_DSA + DSA_free(dsa); + DSA_meth_free(dsa_meth); +#endif + return ret; +} +#endif /* !OPENSSL_NO_DEPRECATED_3_0 */ + /* * n = 0 => test using legacy cipher * n = 1 => test using fetched cipher @@ -4973,6 +5055,9 @@ int setup_tests(void) ADD_TEST(test_EVP_Digest); ADD_TEST(test_EVP_md_null); ADD_ALL_TESTS(test_EVP_PKEY_sign, 3); +#ifndef OPENSSL_NO_DEPRECATED_3_0 + ADD_ALL_TESTS(test_EVP_PKEY_sign_with_app_method, 2); +#endif ADD_ALL_TESTS(test_EVP_Enveloped, 2); ADD_ALL_TESTS(test_d2i_AutoPrivateKey, OSSL_NELEM(keydata)); ADD_TEST(test_privatekey_to_pkcs8); -- Gitee From bcd1d6b3e43dda9de78ba752575d4300a685937f Mon Sep 17 00:00:00 2001 From: "Matthias St. Pierre" Date: Mon, 2 Oct 2023 12:10:01 +0200 Subject: [PATCH 40/60] Don't (re-)initialize the FFC_PARAMs in dh_init and dsa_init The initialization was introduced in commit dc8de3e6f1ee and changes the behaviour of the `init` method for DSA and DH between 1.1.1 and 3.0, while the behaviour for RSA and EC_KEY remains unchanged. The initialization is not necessary in 3.x and master imho and breaks the use-case of intercepting the methods of an existing key. Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22185) Signed-off-by: fly2x --- crypto/dh/dh_key.c | 1 - crypto/dh/dh_lib.c | 2 ++ crypto/dsa/dsa_lib.c | 2 ++ crypto/dsa/dsa_ossl.c | 1 - 4 files changed, 4 insertions(+), 2 deletions(-) diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c index bc26cee303..8ab75e06d7 100644 --- a/crypto/dh/dh_key.c +++ b/crypto/dh/dh_key.c @@ -194,7 +194,6 @@ static int dh_bn_mod_exp(const DH *dh, BIGNUM *r, static int dh_init(DH *dh) { dh->flags |= DH_FLAG_CACHE_MONT_P; - ossl_ffc_params_init(&dh->params); dh->dirty_cnt++; return 1; } diff --git a/crypto/dh/dh_lib.c b/crypto/dh/dh_lib.c index e2eb53961c..9d5a6b0b6c 100644 --- a/crypto/dh/dh_lib.c +++ b/crypto/dh/dh_lib.c @@ -119,6 +119,8 @@ static DH *dh_new_intern(ENGINE *engine, OSSL_LIB_CTX *libctx) goto err; #endif /* FIPS_MODULE */ + ossl_ffc_params_init(&ret->params); + if ((ret->meth->init != NULL) && !ret->meth->init(ret)) { ERR_raise(ERR_LIB_DH, ERR_R_INIT_FAIL); goto err; diff --git a/crypto/dsa/dsa_lib.c b/crypto/dsa/dsa_lib.c index b18fda3378..7997c2ac25 100644 --- a/crypto/dsa/dsa_lib.c +++ b/crypto/dsa/dsa_lib.c @@ -179,6 +179,8 @@ static DSA *dsa_new_intern(ENGINE *engine, OSSL_LIB_CTX *libctx) goto err; #endif + ossl_ffc_params_init(&ret->params); + if ((ret->meth->init != NULL) && !ret->meth->init(ret)) { ERR_raise(ERR_LIB_DSA, ERR_R_INIT_FAIL); goto err; diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c index 29e2a80572..234362b6d7 100644 --- a/crypto/dsa/dsa_ossl.c +++ b/crypto/dsa/dsa_ossl.c @@ -462,7 +462,6 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, static int dsa_init(DSA *dsa) { dsa->flags |= DSA_FLAG_CACHE_MONT_P; - ossl_ffc_params_init(&dsa->params); dsa->dirty_cnt++; return 1; } -- Gitee From 44b099f0b47e2bacc96af0a44b8d5d4ea7fd3f00 Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Mon, 2 Oct 2023 11:11:29 +0200 Subject: [PATCH 41/60] Pass the dtls record version to the record layer msg_callback function. Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22241) Signed-off-by: fly2x --- ssl/record/methods/dtls_meth.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ssl/record/methods/dtls_meth.c b/ssl/record/methods/dtls_meth.c index e71730eba6..258dbd3b14 100644 --- a/ssl/record/methods/dtls_meth.c +++ b/ssl/record/methods/dtls_meth.c @@ -429,10 +429,6 @@ int dtls_get_more_records(OSSL_RECORD_LAYER *rl) p = rl->packet; - if (rl->msg_callback != NULL) - rl->msg_callback(0, 0, SSL3_RT_HEADER, p, DTLS1_RT_HEADER_LENGTH, - rl->cbarg); - /* Pull apart the header into the DTLS1_RECORD */ rr->type = *(p++); ssl_major = *(p++); @@ -447,6 +443,10 @@ int dtls_get_more_records(OSSL_RECORD_LAYER *rl) n2s(p, rr->length); + if (rl->msg_callback != NULL) + rl->msg_callback(0, rr->rec_version, SSL3_RT_HEADER, rl->packet, DTLS1_RT_HEADER_LENGTH, + rl->cbarg); + /* * Lets check the version. We tolerate alerts that don't have the exact * version number (e.g. because of protocol version errors) -- Gitee From d0a4141d26ef0bb117b6e7bd21d6d4e35963c38c Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Mon, 2 Oct 2023 12:00:58 +0200 Subject: [PATCH 42/60] Print record version for DTLSv1_listen() Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22241) Signed-off-by: fly2x --- ssl/d1_lib.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index 8bbabd8f41..be4ff02a89 100644 --- a/ssl/d1_lib.c +++ b/ssl/d1_lib.c @@ -411,7 +411,7 @@ int DTLSv1_listen(SSL *ssl, BIO_ADDR *client) const unsigned char *data; unsigned char *buf = NULL, *wbuf; size_t fragoff, fraglen, msglen; - unsigned int rectype, versmajor, msgseq, msgtype, clientvers, cookielen; + unsigned int rectype, versmajor, versminor, msgseq, msgtype, clientvers, cookielen; BIO *rbio, *wbio; BIO_ADDR *tmpclient = NULL; PACKET pkt, msgpkt, msgpayload, session, cookiepkt; @@ -496,17 +496,18 @@ int DTLSv1_listen(SSL *ssl, BIO_ADDR *client) goto end; } - if (s->msg_callback) - s->msg_callback(0, 0, SSL3_RT_HEADER, buf, - DTLS1_RT_HEADER_LENGTH, ssl, s->msg_callback_arg); - /* Get the record header */ if (!PACKET_get_1(&pkt, &rectype) - || !PACKET_get_1(&pkt, &versmajor)) { + || !PACKET_get_1(&pkt, &versmajor) + || !PACKET_get_1(&pkt, &versminor)) { ERR_raise(ERR_LIB_SSL, SSL_R_LENGTH_MISMATCH); goto end; } + if (s->msg_callback) + s->msg_callback(0, (versmajor << 8) | versminor, SSL3_RT_HEADER, buf, + DTLS1_RT_HEADER_LENGTH, ssl, s->msg_callback_arg); + if (rectype != SSL3_RT_HANDSHAKE) { ERR_raise(ERR_LIB_SSL, SSL_R_UNEXPECTED_MESSAGE); goto end; @@ -521,9 +522,8 @@ int DTLSv1_listen(SSL *ssl, BIO_ADDR *client) goto end; } - if (!PACKET_forward(&pkt, 1) - /* Save the sequence number: 64 bits, with top 2 bytes = epoch */ - || !PACKET_copy_bytes(&pkt, seq, SEQ_NUM_SIZE) + /* Save the sequence number: 64 bits, with top 2 bytes = epoch */ + if (!PACKET_copy_bytes(&pkt, seq, SEQ_NUM_SIZE) || !PACKET_get_length_prefixed_2(&pkt, &msgpkt)) { ERR_raise(ERR_LIB_SSL, SSL_R_LENGTH_MISMATCH); goto end; -- Gitee From 6ed9088218b368d7df0c4e2e90d487011189530b Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Mon, 2 Oct 2023 13:08:56 +0200 Subject: [PATCH 43/60] Update documentation on SSL_CTX_set_msg_callback() to match the actual functionality. Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22241) Signed-off-by: fly2x --- doc/man3/SSL_CTX_set_msg_callback.pod | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/doc/man3/SSL_CTX_set_msg_callback.pod b/doc/man3/SSL_CTX_set_msg_callback.pod index 7484773afe..559f53d408 100644 --- a/doc/man3/SSL_CTX_set_msg_callback.pod +++ b/doc/man3/SSL_CTX_set_msg_callback.pod @@ -58,8 +58,9 @@ when a protocol message has been sent. The protocol version according to which the protocol message is interpreted by the library such as B, B, -B etc. This is set to 0 for the SSL3_RT_HEADER pseudo -content type (see NOTES below). +B etc. For the SSL3_RT_HEADER pseudo +content type (see NOTES below) this value will be the decoded +version/legacy_version field of the record header. =item I -- Gitee From 39dcdc8ed2df404a365fc42cd682939931230739 Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Mon, 2 Oct 2023 15:53:28 +0200 Subject: [PATCH 44/60] Added info on change to HISTORY of SSL_CTX_set_msg_callback() Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22241) Signed-off-by: fly2x --- doc/man3/SSL_CTX_set_msg_callback.pod | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/doc/man3/SSL_CTX_set_msg_callback.pod b/doc/man3/SSL_CTX_set_msg_callback.pod index 559f53d408..f046c77b53 100644 --- a/doc/man3/SSL_CTX_set_msg_callback.pod +++ b/doc/man3/SSL_CTX_set_msg_callback.pod @@ -173,6 +173,12 @@ The pseudo content types B, B, B, B and B were added in OpenSSL 3.2. +In versions previous to OpenSSL 3.0 I was called with 0 as I for +the pseudo content type B for TLS records. + +In versions previous to OpenSSL 3.2 I was called with 0 as I for +the pseudo content type B for DTLS records. + =head1 COPYRIGHT Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved. -- Gitee From 5917f7d8a006b23765e2d8d95ef58779df9c6f02 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 4 Oct 2023 12:30:22 +0200 Subject: [PATCH 45/60] d2i_PKCS8PrivateKey_bio.pod: evp.h include is unnecessary It is also not allowed by doc nits check to have multiple includes. Reviewed-by: Matt Caswell Reviewed-by: Dmitry Belyavskiy Reviewed-by: Tom Cosgrove (Merged from https://github.com/openssl/openssl/pull/22276) Signed-off-by: fly2x --- doc/man3/d2i_PKCS8PrivateKey_bio.pod | 1 - 1 file changed, 1 deletion(-) diff --git a/doc/man3/d2i_PKCS8PrivateKey_bio.pod b/doc/man3/d2i_PKCS8PrivateKey_bio.pod index e84283f63e..55ec346575 100644 --- a/doc/man3/d2i_PKCS8PrivateKey_bio.pod +++ b/doc/man3/d2i_PKCS8PrivateKey_bio.pod @@ -8,7 +8,6 @@ i2d_PKCS8PrivateKey_nid_bio, i2d_PKCS8PrivateKey_nid_fp - PKCS#8 format private =head1 SYNOPSIS - #include #include EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, void *u); -- Gitee From 6a9876518c5ebb7779452aae6268381c331c6221 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 4 Oct 2023 17:03:39 +0000 Subject: [PATCH 46/60] Bump suisei-cn/actions-download-file from 1.3.0 to 1.4.0 Bumps [suisei-cn/actions-download-file](https://github.com/suisei-cn/actions-download-file) from 1.3.0 to 1.4.0. - [Release notes](https://github.com/suisei-cn/actions-download-file/releases) - [Commits](https://github.com/suisei-cn/actions-download-file/compare/v1.3.0...v1.4.0) --- updated-dependencies: - dependency-name: suisei-cn/actions-download-file dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] CLA: trivial Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22268) Signed-off-by: fly2x --- .github/workflows/os-zoo.yml | 2 +- .github/workflows/windows.yml | 6 +++--- .github/workflows/windows_comp.yml | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/os-zoo.yml b/.github/workflows/os-zoo.yml index d3dc6770c3..29137bd7c7 100644 --- a/.github/workflows/os-zoo.yml +++ b/.github/workflows/os-zoo.yml @@ -154,7 +154,7 @@ jobs: working-directory: _build run: nmake /S - name: download coreinfo - uses: suisei-cn/actions-download-file@v1.3.0 + uses: suisei-cn/actions-download-file@v1.4.0 with: url: "https://download.sysinternals.com/files/Coreinfo.zip" target: _build/coreinfo/ diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index 29ad9689e9..806bc25f55 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml @@ -48,7 +48,7 @@ jobs: working-directory: _build run: nmake /S - name: download coreinfo - uses: suisei-cn/actions-download-file@v1.3.0 + uses: suisei-cn/actions-download-file@v1.4.0 with: url: "https://download.sysinternals.com/files/Coreinfo.zip" target: _build/coreinfo/ @@ -92,7 +92,7 @@ jobs: working-directory: _build run: nmake /S - name: download coreinfo - uses: suisei-cn/actions-download-file@v1.3.0 + uses: suisei-cn/actions-download-file@v1.4.0 with: url: "https://download.sysinternals.com/files/Coreinfo.zip" target: _build/coreinfo/ @@ -129,7 +129,7 @@ jobs: working-directory: _build run: nmake # verbose, so no /S here - name: download coreinfo - uses: suisei-cn/actions-download-file@v1.3.0 + uses: suisei-cn/actions-download-file@v1.4.0 with: url: "https://download.sysinternals.com/files/Coreinfo.zip" target: _build/coreinfo/ diff --git a/.github/workflows/windows_comp.yml b/.github/workflows/windows_comp.yml index 3ffd5f2e72..bf2e89ed71 100644 --- a/.github/workflows/windows_comp.yml +++ b/.github/workflows/windows_comp.yml @@ -42,7 +42,7 @@ jobs: working-directory: _build run: nmake - name: download coreinfo - uses: suisei-cn/actions-download-file@v1.3.0 + uses: suisei-cn/actions-download-file@v1.4.0 with: url: "https://download.sysinternals.com/files/Coreinfo.zip" target: _build/coreinfo/ @@ -80,7 +80,7 @@ jobs: working-directory: _build run: nmake - name: download coreinfo - uses: suisei-cn/actions-download-file@v1.3.0 + uses: suisei-cn/actions-download-file@v1.4.0 with: url: "https://download.sysinternals.com/files/Coreinfo.zip" target: _build/coreinfo/ -- Gitee From 87b8f5a18da4b68639e9da3cc9b452eae6f1bc6a Mon Sep 17 00:00:00 2001 From: Pauli Date: Mon, 25 Sep 2023 09:34:07 +1000 Subject: [PATCH 47/60] ossl_property_list_to_string: handle quoted strings ossl_property_list_to_string() didn't quote strings correctly which could result in a generated property string being unparsable. Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22182) Signed-off-by: fly2x --- crypto/property/property_parse.c | 32 +++++++++++++++++++++++++++++--- test/property_test.c | 3 +++ 2 files changed, 32 insertions(+), 3 deletions(-) diff --git a/crypto/property/property_parse.c b/crypto/property/property_parse.c index b2bf3cd631..983f07e070 100644 --- a/crypto/property/property_parse.c +++ b/crypto/property/property_parse.c @@ -588,15 +588,38 @@ static void put_char(char ch, char **buf, size_t *remain, size_t *needed) static void put_str(const char *str, char **buf, size_t *remain, size_t *needed) { - size_t olen, len; + size_t olen, len, i; + char quote = '\0'; + int quotes; len = olen = strlen(str); *needed += len; - if (*remain == 0) + /* + * Check to see if we need quotes or not. + * Characters that are legal in a PropertyName don't need quoting. + * We simply assume all others require quotes. + */ + for (i = 0; i < len; i++) + if (!ossl_isalnum(str[i]) && str[i] != '.' && str[i] != '_') { + /* Default to single quotes ... */ + if (quote == '\0') + quote = '\''; + /* ... but use double quotes if a single is present */ + if (str[i] == '\'') + quote = '"'; + } + + quotes = quote != '\0'; + if (*remain == 0) { + *needed += 2 * quotes; return; + } - if (*remain < len + 1) + if (quotes) + put_char(quote, buf, remain, needed); + + if (*remain < len + 1 + quotes) len = *remain - 1; if (len > 0) { @@ -605,6 +628,9 @@ static void put_str(const char *str, char **buf, size_t *remain, size_t *needed) *remain -= len; } + if (quotes) + put_char(quote, buf, remain, needed); + if (len < olen && *remain == 1) { **buf = '\0'; ++*buf; diff --git a/test/property_test.c b/test/property_test.c index 45b1db3e85..bba96fac0a 100644 --- a/test/property_test.c +++ b/test/property_test.c @@ -645,6 +645,9 @@ static struct { { "", "" }, { "fips=3", "fips=3" }, { "fips=-3", "fips=-3" }, + { "provider='foo bar'", "provider='foo bar'" }, + { "provider=\"foo bar'\"", "provider=\"foo bar'\"" }, + { "provider=abc***", "provider='abc***'" }, { NULL, "" } }; -- Gitee From d97b07afa2feeb035bd363d2c3b7c466f5beb2bf Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Thu, 21 Sep 2023 14:39:30 +0200 Subject: [PATCH 48/60] [design] Make it possible to pass AlgorithmIdentifier parameter data This design is to allow passing AlgorithmIdentifier parameter data to and from any cryptograpfic operation, with convenience functions for them all, not just for symmetric ciphers. This is crucial to support CMS, among others. Ref: openssl/project#172 Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22162) Signed-off-by: fly2x --- .../passing-algorithmidentifier-parameters.md | 156 ++++++++++++++++++ 1 file changed, 156 insertions(+) create mode 100644 doc/designs/passing-algorithmidentifier-parameters.md diff --git a/doc/designs/passing-algorithmidentifier-parameters.md b/doc/designs/passing-algorithmidentifier-parameters.md new file mode 100644 index 0000000000..bb3821e337 --- /dev/null +++ b/doc/designs/passing-algorithmidentifier-parameters.md @@ -0,0 +1,156 @@ +Passing AlgorithmIdentifier parameters to operations +==================================================== + +Quick background +---------------- + +We currently only support passing the AlgorithmIdentifier (`X509_ALGOR`) +parameter field to symmetric cipher provider implementations. + +We do support passing them to legacy implementations of other types of +operation algorithms as well, but it's done in a way that can't be supported +with providers, because it involves sharing specific structures between +libcrypto and the backend implementation. + +For a longer background and explanation, see +[Background / tl;dr](#background-tldr) at the end of this design. + +Establish an OSSL_PARAM key that any algorithms may become aware of +------------------------------------------------------------------- + +We already have a parameter key, but it's currently only specified for +`EVP_CIPHER`, in support of `EVP_CIPHER_param_to_asn1()` and +`EVP_CIPHER_asn1_to_param()`. + +"alg_id_param", also known as the macro `OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS` + +This parameter can be used in the exact same manner with other operations, +with the value of the AlgorithmIdentifier parameter as an octet string, to +be interpreted by the implementations in whatever way they see fit. + +Applications can choose to add these in an `OSSL_PARAM` array, to be passed +with the multitude of initialization functions that take such an array, or +using specific operation `OSSL_PARAM` setters and getters (such as +`EVP_PKEY_CTX_set_params`), or using other available convenience functions +(see below). + +This parameter will have to be documented in the following files: + +- `doc/man7/provider-asym_cipher.pod` +- `doc/man7/provider-cipher.pod` +- `doc/man7/provider-digest.pod` +- `doc/man7/provider-kdf.pod` +- `doc/man7/provider-kem.pod` +- `doc/man7/provider-keyexch.pod` +- `doc/man7/provider-mac.pod` +- `doc/man7/provider-signature.pod` + +That should cover all algorithms that are, or should be possible to fetch by +AlgorithmIdentifier.algorithm, and for which there's potentially a relevant +AlgorithmIdentifier.parameters field. + +We may arguably want to consider `doc/man7/provider-keymgmt.pod` too, but +an AlgorithmIdentifier that's attached directly to a key is usually part of +a PrivKeyInfo or SubjectPublicKeyInfo structure, and those are handled by +encoders and decoders as those see fit, and there's no tangible reason why +that would have to change. + +Public convenience API +---------------------- + +For convenience, the following set of functions would be added to pass the +AlgorithmIdentifier parameter data to diverse operations, or to retrieve +such parameter data from them. + +``` C +/* + * These two would essentially be aliases for EVP_CIPHER_param_to_asn1() + * and EVP_CIPHER_asn1_to_param(). + */ +EVP_CIPHER_CTX_set_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg); +EVP_CIPHER_CTX_get_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg); + +EVP_MD_CTX_set_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg); +EVP_MD_CTX_get_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg); + +EVP_MAC_CTX_set_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg); +EVP_MAC_CTX_get_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg); + +EVP_KDF_CTX_set_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg); +EVP_KDF_CTX_get_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg); + +EVP_PKEY_CTX_set_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg); +EVP_PKEY_CTX_get_algor_param(EVP_PKEY_CTX *ctx, X509_ALGOR *alg); +``` + +Note that all might not need to be added immediately, depending on if they +are considered useful or not. For future proofing, however, they should +probably all be added. + +Requirements on the providers +----------------------------- + +Providers that implement ciphers or any operation that uses asymmetric keys +will have to implement support for passing AlgorithmIdentifier parameter +data, and will have to process that data in whatever manner that's necessary +to meet the standards for that operation. + +Fallback strategies +------------------- + +There are no possible fallback strategies, which is fine, considering that +current provider functionality doesn't support passing AlgorithmIdentifier +parameter data at all (except for `EVP_CIPHER`), and therefore do not work +at all when such parameter data needs to be passed. + +----- + +----- + +Background / tl;dr +------------------ + +### AlgorithmIdenfier parameter and how it's used + +OpenSSL has historically done a few tricks to not have to pass +AlgorithmIdenfier parameter data to the backend implementations of +cryptographic operations: + +- In some cases, they were passed as part of the lower level key structure + (for example, the `RSA` structure can also carry RSA-PSS parameters). +- In the `EVP_CIPHER` case, there is functionality to pass the parameter + data specifically. +- For asymmetric key operations, PKCS#7 and CMS support was added as + `EVP_PKEY` ctrls. + +With providers, some of that support was retained, but not others. Most +crucially, the `EVP_PKEY` ctrls for PKCS#7 and CMS were not retained, +because the way they were implemented violated the principle that provider +implementations *MUST NOT* share complex OpenSSL specific structures with +libcrypto. + +### Usage examples + +Quite a lot of the available examples today revolve around CMS, with a +number of RFCs that specify what parameters should be passed with certain +operations / algorithms. This list is not exhaustive, the reader is +encouraged to research further usages. + +- [DSA](https://www.rfc-editor.org/rfc/rfc3370#section-3.1) signatures + typically have the domain parameters *p*, *q* and *g*. +- [RC2 key wrap](https://www.rfc-editor.org/rfc/rfc3370#section-4.3.2) +- [PBKDF2](https://www.rfc-editor.org/rfc/rfc3370#section-4.4.1) +- [3DES-CBC](https://www.rfc-editor.org/rfc/rfc3370#section-5.1) +- [RC2-CBC](https://www.rfc-editor.org/rfc/rfc3370#section-5.2) + +- [GOST 28147-89](https://www.rfc-editor.org/rfc/rfc4490.html#section-5.1) + +- [RSA-OAEP](https://www.rfc-editor.org/rfc/rfc8017#appendix-A.2.1) +- [RSA-PSS](https://www.rfc-editor.org/rfc/rfc8017#appendix-A.2.3) + +- [XOR-MD5](https://www.rfc-editor.org/rfc/rfc6210.html) is experimental, + but it does demonstrate the possibility of a parametrized hash algorithm. + +Some of it can be claimed to already have support in OpenSSL. However, this +is with old libcrypto code that has special knowledge of the algorithms that +are involved. -- Gitee From 2cc6d7badd651a87ea93ded4ca06c6c366ebe750 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Mon, 18 Sep 2023 09:30:13 +0200 Subject: [PATCH 49/60] [design] Make it possible to use explicitly fetched signature implementation This design is to allow the use of explicitly fetched EVP_SIGNATURE implementations. Ref: openssl/project#171 Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22129) Signed-off-by: fly2x --- doc/designs/fetching-composite-algorithms.md | 187 +++++++++++++++++++ 1 file changed, 187 insertions(+) create mode 100644 doc/designs/fetching-composite-algorithms.md diff --git a/doc/designs/fetching-composite-algorithms.md b/doc/designs/fetching-composite-algorithms.md new file mode 100644 index 0000000000..1e3fa99968 --- /dev/null +++ b/doc/designs/fetching-composite-algorithms.md @@ -0,0 +1,187 @@ +Fetching composite algorithms and using them - adding the bits still missing +============================================================================ + +Quick background +---------------- + +We currently support - at least in the public libcrypto API - explicitly +fetching composite algorithms (such as AES-128-CBC or HMAC-SHA256), and +using them in most cases. In some cases (symmetric ciphers), our providers +also provide them. + +However, there is one class of algorithms where the support for *using* +explicitly fetched algorithms is lacking: asymmetric algorithms. + +For a longer background and explanation, see +[Background / tl;dr](#background-tldr) at the end of this design. + +Public API - Add variants of `EVP_PKEY_CTX` initializers +-------------------------------------------------------- + +As far as this design is concerned, these API sets are affected: + +- SIGNATURE (DigestSign and DigestVerify) +- ASYM_CIPHER +- KEYEXCH + +The proposal is to add these functions: + +``` C +EVP_DigestSignInit_ex2(EVP_PKEY_CTX **pctx, + EVP_SIGNATURE *sig, EVP_PKEY *pkey, + OSSL_LIB_CTX *libctx, const OSSL_PARAM params[]); +EVP_DigestVerifyInit_ex2(EVP_PKEY_CTX **pctx, + EVP_SIGNATURE *sig, EVP_PKEY *pkey, + OSSL_LIB_CTX *libctx, const OSSL_PARAM params[]); + +int EVP_PKEY_encrypt_init_ex2(EVP_PKEY_CTX *ctx, EVP_ASYM_CIPHER *asymciph, + const OSSL_PARAM params[]); +int EVP_PKEY_decrypt_init_ex2(EVP_PKEY_CTX *ctx, EVP_ASYM_CIPHER *asymciph, + const OSSL_PARAM params[]); + +int EVP_PKEY_derive_init_ex2(EVP_PKEY_CTX *ctx, EVP_KEYEXCH *exchange, + const OSSL_PARAM params[]); +``` + +Because `EVP_SIGNATURE`, `EVP_ASYM_CIPHER` and `EVP_KEYEXCH` aren't limited +to composite algorithms, these functions can be used just as well with +explicit fetches of simple algorithms, say "RSA". In that case, the caller +will need to pass necessary auxiliary parameters through the `OSSL_PARAM` or +a call to a corresponding `set_params` function. + +Requirements on the providers +----------------------------- + +Because it's not immediately obvious from a composite algorithm name what +key type it requires / supports, at least in code, allowing the use of an +explicitly fetched implementation of a composite algorithm requires that +providers cooperate by declaring what key type is required / supported by +each algorithm. + +For non-composite operation algorithms (like "RSA"), this is not necessary, +see the fallback strategies below. + +There are two ways this could be implemented: + +1. through an added provider function that would work like keymgmt's + `query_operation_name` function, but would return a key type name + instead: + + ``` C + # define OSSL_FUNC_SIGNATURE_QUERY_KEY_TYPE 26 + OSSL_CORE_MAKE_FUNC(const char *, signature_query_key_type, (void)) + + # define OSSL_FUNC ASYM_CIPHER_QUERY_KEY_TYPE 12 + OSSL_CORE_MAKE_FUNC(const char *, asym_cipher_query_key_type, (void)) + + # define OSSL_FUNC_KEYEXCH_QUERY_KEY_TYPE 11 + OSSL_CORE_MAKE_FUNC(const char *, keyexch_query_key_type, (void)) + ``` + +2. through a gettable `OSSL_PARAM`, using the param identity "keytype" + +Fallback strategies +------------------- + +Because existing providers haven't been updated to declare composite +algorithms, or to respond to the key type query, some fallback strategies +will be needed to find out if the `EVP_PKEY` key type is possible to use +with the fetched algorithm: + +- Check if the fetched operation name matches the key type (keymgmt name) + of the `EVP_PKEY` that's involved in the operation. For example, this + is useful when someone fetched the `EVP_SIGNATURE` "RSA". +- Check if the fetched algorithm name matches the name returned by the + keymgmt's `query_operation_name` function. For example, this is useful + when someone fetched the `EVP_SIGNATURE` "ECDSA", for which the key type + to use is "EC". +- libcrypto currently has knowledge of some composite algorithm names and + what they are composed of, accessible with `OBJ_find_sigid_algs` and + similar functionality. This knowledge is regarded legacy, but can be + used to figure out the key type. + +If none of these strategies work out, the operation initialization should +fail. + +These strategies have their limitations, but the built-in legacy knowledge +we currently have in libcrypto should be enough to cover most bases. + +----- + +----- + +Background / tl;dr +------------------ + +### What is a composite algorithm? + +A composite algorithm is an algorithm that's composed of more than one other +algorithm. In OpenSSL parlance with a focus on signatures, they have been +known as "sigalgs", but this is really broader than just signature algorithms. +Examples are: + +- AES-128-CBC +- hmacWithSHA256 +- sha256WithRSAEncryption + +### The connection with AlgorithmIdentifiers + +AlgorithmIdentifier is an ASN.1 structure that defines an algorithm as an +OID, along with parameters that should be passed to that algorithm. + +It is expected that an application should be able to take that OID and +fetch it directly, after conversion to string form (either a name if the +application or libcrypto happens to know it, or the OID itself in canonical +numerical form). To enable this, explicit fetching is necessary. + +### What we have today + +As a matter of fact, we already have built-in support for fetching +composite algorithms, although our providers do not fully participate in +that support, and *most of the time*, we also have public APIs to use the +fetched result, commonly known as support for explicit fetching. + +The idea is that providers can declare the different compositions of a base +algorithm in the `OSSL_ALGORITHM` array, each pointing to different +`OSSL_DISPATCH` tables, which would in turn refer to pretty much the same +functions, apart from the constructor function. + +For example, we already do this with symmetric ciphers. + +Another example, which we could implement in our providers today, would be +compositions of HMAC: + +``` C +static const OSSL_ALGORITHM deflt_macs[] = { + /* ... */ + { "HMAC-SHA1:hmacWithSHA1:1.2.840.113549.2.7", + "provider=default", ossl_hmac_sha1_functions }, + { "HMAC-SHA224:hmacWithSHA224:1.2.840.113549.2.8", + "provider=default", ossl_hmac_sha224_functions }, + { "HMAC-SHA256:hmacWithSHA256:1.2.840.113549.2.9", + "provider=default", ossl_hmac_sha256_functions }, + { "HMAC-SHA384:hmacWithSHA384:1.2.840.113549.2.10", + "provider=default", ossl_hmac_sha384_functions }, + { "HMAC-SHA512:hmacWithSHA512:1.2.840.113549.2.11", + "provider=default", ossl_hmac_sha512_functions }, + /* ... */ +``` + +### What we don't have today + +There are some classes of algorithms for which we have no support for using +the result of explicit fetching. So for example, while it's possible for a +provider to declare composite algorithms through the `OSSL_ALGORITHM` array, +there's currently no way for an application to use them. + +This all revolves around asymmetric algorithms, where we currently only +support implicit fetching. + +This is hurtful in multiple ways: + +- It fails the provider authors in terms being able to consistently + declare all algorithms through `OSSL_ALGORITHM` arrays. +- It fails the applications in terms of being able to fetch algorithms and + use the result. +- It fails discoverability, for example through the `openssl list` + command. -- Gitee From 1db24a761c7f15b79865c27de4e673a9790c728c Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 3 Oct 2023 14:43:13 +0200 Subject: [PATCH 50/60] DH_check: Emphasize the importance of return value check Reviewed-by: Matt Caswell Reviewed-by: Tom Cosgrove Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22262) Signed-off-by: fly2x --- doc/man3/DH_generate_parameters.pod | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/man3/DH_generate_parameters.pod b/doc/man3/DH_generate_parameters.pod index bbcfe24ae6..e677885597 100644 --- a/doc/man3/DH_generate_parameters.pod +++ b/doc/man3/DH_generate_parameters.pod @@ -128,6 +128,10 @@ The parameter B is invalid. =back +If 0 is returned or B<*codes> is set to a nonzero value the supplied +parameters should not be used for Diffie-Hellman operations otherwise +the security properties of the key exchange are not guaranteed. + DH_check_ex(), DH_check_params() and DH_check_pub_key_ex() are similar to DH_check() and DH_check_params() respectively, but the error reasons are added to the thread's error queue instead of provided as return values from the -- Gitee From 2e7adde10d8919438c507d0475c938d70bfe4b64 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 4 Oct 2023 09:30:43 +0200 Subject: [PATCH 51/60] BN_gcd(): Avoid shifts of negative values Fixes #22216 Thanks to Leland Mills for investigation and testing. Reviewed-by: Tom Cosgrove Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22272) Signed-off-by: fly2x --- crypto/bn/bn_gcd.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/crypto/bn/bn_gcd.c b/crypto/bn/bn_gcd.c index 519bb4e951..2cd8ee35e0 100644 --- a/crypto/bn/bn_gcd.c +++ b/crypto/bn/bn_gcd.c @@ -642,9 +642,9 @@ int BN_gcd(BIGNUM *r, const BIGNUM *in_a, const BIGNUM *in_b, BN_CTX *ctx) for (i = 0; i < m; i++) { /* conditionally flip signs if delta is positive and g is odd */ - cond = (-delta >> (8 * sizeof(delta) - 1)) & g->d[0] & 1 + cond = ((unsigned int)-delta >> (8 * sizeof(delta) - 1)) & g->d[0] & 1 /* make sure g->top > 0 (i.e. if top == 0 then g == 0 always) */ - & (~((g->top - 1) >> (sizeof(g->top) * 8 - 1))); + & (~((unsigned int)(g->top - 1) >> (sizeof(g->top) * 8 - 1))); delta = (-cond & -delta) | ((cond - 1) & delta); r->neg ^= cond; /* swap */ @@ -656,7 +656,7 @@ int BN_gcd(BIGNUM *r, const BIGNUM *in_a, const BIGNUM *in_b, BN_CTX *ctx) goto err; BN_consttime_swap(g->d[0] & 1 /* g is odd */ /* make sure g->top > 0 (i.e. if top == 0 then g == 0 always) */ - & (~((g->top - 1) >> (sizeof(g->top) * 8 - 1))), + & (~((unsigned int)(g->top - 1) >> (sizeof(g->top) * 8 - 1))), g, temp, top); if (!BN_rshift1(g, g)) goto err; -- Gitee From 2a48616d5832c2c5cdcf47f6a8b7a1b2ed23c349 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Wed, 4 Oct 2023 16:32:31 +0100 Subject: [PATCH 52/60] Fix coverity alert on use of uninitialised data The function `ossl_blake2b_param_init` should initialise only, and not read the data it is initialising Reviewed-by: Richard Levitte Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22282) Signed-off-by: fly2x --- providers/implementations/digests/blake2_prov.c | 3 +++ providers/implementations/digests/blake2b_prov.c | 3 +-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/providers/implementations/digests/blake2_prov.c b/providers/implementations/digests/blake2_prov.c index 298bc66de6..34bbd7ed37 100644 --- a/providers/implementations/digests/blake2_prov.c +++ b/providers/implementations/digests/blake2_prov.c @@ -23,8 +23,11 @@ static int ossl_blake2s256_init(void *ctx) static int ossl_blake2b512_init(void *ctx) { struct blake2b_md_data_st *mdctx = ctx; + uint8_t digest_length = mdctx->params.digest_length; ossl_blake2b_param_init(&mdctx->params); + if (digest_length != 0) + mdctx->params.digest_length = digest_length; return ossl_blake2b_init(&mdctx->ctx, &mdctx->params); } diff --git a/providers/implementations/digests/blake2b_prov.c b/providers/implementations/digests/blake2b_prov.c index 8125dab41f..0e3e894a43 100644 --- a/providers/implementations/digests/blake2b_prov.c +++ b/providers/implementations/digests/blake2b_prov.c @@ -121,8 +121,7 @@ static void blake2b_init_param(BLAKE2B_CTX *S, const BLAKE2B_PARAM *P) /* Initialize the parameter block with default values */ void ossl_blake2b_param_init(BLAKE2B_PARAM *P) { - if (P->digest_length == 0) - P->digest_length = BLAKE2B_DIGEST_LENGTH; + P->digest_length = BLAKE2B_DIGEST_LENGTH; P->key_length = 0; P->fanout = 1; P->depth = 1; -- Gitee From 4cb4e4620e4eee364fa00fb9e617cf45692fce04 Mon Sep 17 00:00:00 2001 From: Neil Horman Date: Wed, 4 Oct 2023 09:48:37 -0400 Subject: [PATCH 53/60] embed bio_dgram_data inside bio_dgram_sctp_data the sctp BIO implementation uses the generic BIO dgram implementation under the covers for some operations. However, the private data for each bio is incongruous, leading to segfaults when doing things like passing a dgram_sctp_ctrl operation to the underlying dgram_ctrl method. Fix this by removing the common fields between the two strcutres and embedding a bio_dgram_data as the first member of the bio_dgram_sctp_data struct. This allows implicit casting when that call path is taken, avoiding any memory mis-use Fixes #20643 Reviewed-by: Matt Caswell Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22278) Signed-off-by: fly2x --- crypto/bio/bss_dgram.c | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/crypto/bio/bss_dgram.c b/crypto/bio/bss_dgram.c index 3f57de539f..5195634fdf 100644 --- a/crypto/bio/bss_dgram.c +++ b/crypto/bio/bss_dgram.c @@ -216,11 +216,13 @@ typedef struct bio_dgram_sctp_save_message_st { int length; } bio_dgram_sctp_save_message; +/* + * Note: bio_dgram_data must be first here + * as we use dgram_ctrl for underlying dgram operations + * which will cast this struct to a bio_dgram_data + */ typedef struct bio_dgram_sctp_data_st { - BIO_ADDR peer; - unsigned int connected; - unsigned int _errno; - unsigned int mtu; + bio_dgram_data dgram; struct bio_dgram_sctp_sndinfo sndinfo; struct bio_dgram_sctp_rcvinfo rcvinfo; struct bio_dgram_sctp_prinfo prinfo; @@ -2101,7 +2103,7 @@ static int dgram_sctp_read(BIO *b, char *out, int outl) if (ret < 0) { if (BIO_dgram_should_retry(ret)) { BIO_set_retry_read(b); - data->_errno = get_last_socket_error(); + data->dgram._errno = get_last_socket_error(); } } @@ -2253,7 +2255,7 @@ static int dgram_sctp_write(BIO *b, const char *in, int inl) if (ret <= 0) { if (BIO_dgram_should_retry(ret)) { BIO_set_retry_write(b); - data->_errno = get_last_socket_error(); + data->dgram._errno = get_last_socket_error(); } } return ret; @@ -2275,16 +2277,16 @@ static long dgram_sctp_ctrl(BIO *b, int cmd, long num, void *ptr) * Set to maximum (2^14) and ignore user input to enable transport * protocol fragmentation. Returns always 2^14. */ - data->mtu = 16384; - ret = data->mtu; + data->dgram.mtu = 16384; + ret = data->dgram.mtu; break; case BIO_CTRL_DGRAM_SET_MTU: /* * Set to maximum (2^14) and ignore input to enable transport * protocol fragmentation. Returns always 2^14. */ - data->mtu = 16384; - ret = data->mtu; + data->dgram.mtu = 16384; + ret = data->dgram.mtu; break; case BIO_CTRL_DGRAM_SET_CONNECTED: case BIO_CTRL_DGRAM_CONNECT: -- Gitee From 020e4d8413933133aee74b1e03d8ea03a9b6e36f Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 3 Oct 2023 15:45:13 +0200 Subject: [PATCH 54/60] d2i_X509.pod: Better document using the reuse capability for libctx setup Reviewed-by: Matt Caswell Reviewed-by: Viktor Dukhovni Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22265) Signed-off-by: fly2x --- doc/man3/d2i_X509.pod | 26 ++++++++++++++++++++++---- 1 file changed, 22 insertions(+), 4 deletions(-) diff --git a/doc/man3/d2i_X509.pod b/doc/man3/d2i_X509.pod index 9226ef77c3..00efb60358 100644 --- a/doc/man3/d2i_X509.pod +++ b/doc/man3/d2i_X509.pod @@ -390,10 +390,12 @@ to the returned structure is also written to I<*a>. If an error occurred then NULL is returned. On a successful return, if I<*a> is not NULL then it is assumed that I<*a> -contains a valid B> structure and an attempt is made to reuse it. This -"reuse" capability is present for historical compatibility but its use is -B (see BUGS below, and the discussion in the RETURN -VALUES section). +contains a valid B> structure and an attempt is made to reuse it. +For B> structures where it matters it is possible to set up a library +context on the decoded structure this way (see the B section). +However using the "reuse" capability for other purposes is B (see B below, and the discussion in the B +section). B_bio>() is similar to B>() except it attempts to parse data from BIO I. @@ -538,6 +540,22 @@ Alternative technique: if (d2i_X509(&x, &p, len) == NULL) /* error */ +Setting up a library context and property query: + + X509 *x; + unsigned char *buf; + const unsigned char *p; + int len; + OSSL_LIB_CTX *libctx = ....; + const char *propq = ....; + + /* Set up buf and len to point to the input buffer. */ + p = buf; + x = X509_new_ex(libctx, propq); + + if (d2i_X509(&x, &p, len) == NULL) + /* error, x was freed and NULL assigned to it (see RETURN VALUES) */ + =head1 WARNINGS Using a temporary variable is mandatory. A common -- Gitee From feedc95a53ba6b3e4c7284e45a1cc7812d86a3b4 Mon Sep 17 00:00:00 2001 From: Vladimir Kotal Date: Wed, 4 Oct 2023 16:11:42 +0200 Subject: [PATCH 55/60] avoid sun as variable name Reviewed-by: Matt Caswell Reviewed-by: Tom Cosgrove Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22281) Signed-off-by: fly2x --- test/bio_addr_test.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/test/bio_addr_test.c b/test/bio_addr_test.c index a985d03b14..9ca007e511 100644 --- a/test/bio_addr_test.c +++ b/test/bio_addr_test.c @@ -31,7 +31,7 @@ static BIO_ADDR *make_dummy_addr(int family) struct sockaddr_in6 sin6; #endif #ifndef OPENSSL_NO_UNIX_SOCK - struct sockaddr_un sun; + struct sockaddr_un sunaddr; #endif } sa; void *where; @@ -51,9 +51,9 @@ static BIO_ADDR *make_dummy_addr(int family) #endif #ifndef OPENSSL_NO_UNIX_SOCK case AF_UNIX: - where = &(sa.sun.sun_path); + where = &(sa.sunaddr.sun_path); /* BIO_ADDR_rawmake needs an extra byte for a NUL-terminator*/ - wherelen = sizeof(sa.sun.sun_path) - 1; + wherelen = sizeof(sa.sunaddr.sun_path) - 1; break; #endif default: -- Gitee From e36e136f32864dea937c2540c8da7c1a87105993 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 3 Oct 2023 17:19:16 +0200 Subject: [PATCH 56/60] Add testing of bitflips in packet headers A new type of noise is introduced in the noisy dgram bio filter. Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22267) Signed-off-by: fly2x --- test/helpers/noisydgrambio.c | 63 +++++++++++++++++++++++++++++++----- test/quicapitest.c | 28 ++++++++-------- 2 files changed, 69 insertions(+), 22 deletions(-) diff --git a/test/helpers/noisydgrambio.c b/test/helpers/noisydgrambio.c index 33cf84c3c6..445ae3c4ad 100644 --- a/test/helpers/noisydgrambio.c +++ b/test/helpers/noisydgrambio.c @@ -75,7 +75,8 @@ static int noisy_dgram_sendmmsg(BIO *bio, BIO_MSG *msg, size_t stride, #define NOISE_TYPE_DROP 0 #define NOISE_TYPE_DUPLICATE 1 #define NOISE_TYPE_DELAY 2 -#define NUM_NOISE_TYPES 3 +#define NOISE_TYPE_BITFLIPS 3 +#define NUM_NOISE_TYPES 4 /* * When a duplicate occurs we reinject the new datagram after up to @@ -89,10 +90,13 @@ static int noisy_dgram_sendmmsg(BIO *bio, BIO_MSG *msg, size_t stride, */ #define MAX_DGRAM_REINJECT 4 -static void get_noise(uint64_t *reinject, int *should_drop) +static void get_noise(int long_header, uint64_t *reinject, int *should_drop, + uint16_t *flip, size_t *flip_offset) { uint32_t type; + *flip = 0; + if (test_random() % NOISE_RATE != 0) { *reinject = 0; *should_drop = 0; @@ -102,7 +106,7 @@ static void get_noise(uint64_t *reinject, int *should_drop) type = test_random() % NUM_NOISE_TYPES; /* - * Of noisy datagrams, 33% drop, 33% duplicate, 33% delay + * Of noisy datagrams, 25% drop, 25% duplicate, 25% delay, 25% flip bits * A duplicated datagram keeps the current datagram and reinjects a new * identical one after up to MAX_DGRAM_DELAY datagrams have been sent. * A delayed datagram is implemented as both a reinject and a drop, i.e. an @@ -115,16 +119,50 @@ static void get_noise(uint64_t *reinject, int *should_drop) * Where a duplicate occurs we reinject the copy of the datagram up to * MAX_DGRAM_DELAY datagrams later */ - *reinject = (type == NOISE_TYPE_DROP) - ? 0 - : (uint64_t)((test_random() % MAX_DGRAM_REINJECT) + 1); + *reinject = (type == NOISE_TYPE_DUPLICATE || type == NOISE_TYPE_DELAY) + ? (uint64_t)((test_random() % MAX_DGRAM_REINJECT) + 1) + : 0; /* * No point in reinjecting after 1 datagram if the current datagram is also * dropped (i.e. this is a delay not a duplicate), so we reinject after an * extra datagram in that case */ - *reinject += (uint64_t)(*should_drop); + *reinject += type == NOISE_TYPE_DELAY; + + /* flip some bits in the header */ + if (type == NOISE_TYPE_BITFLIPS) { + /* we flip at most 8 bits of the 16 bit value at once */ + *flip = (test_random() % 255 + 1) << (test_random() % 8); + /* + * 25/50 bytes of guesstimated header size (it depends on CID length) + * It does not matter much if it is overestimated. + */ + *flip_offset = test_random() % (25 * (1 + long_header)); + } +} + +static void flip_bits(unsigned char *msg, size_t msg_len, uint16_t flip, + size_t flip_offset) +{ + if (flip == 0) + return; + + /* None of these border conditions should happen but check them anyway */ + if (msg_len < 2) + return; + if (msg_len < flip_offset + 2) + flip_offset = msg_len - 2; + +#ifdef OSSL_NOISY_DGRAM_DEBUG + printf("**Flipping bits in a datagram at offset %u\n", + (unsigned int)flip_offset); + BIO_dump_fp(stdout, msg, msg_len); + printf("\n"); +#endif + + msg[flip_offset] ^= flip >> 8; + msg[flip_offset + 1] ^= flip & 0xff; } static int noisy_dgram_recvmmsg(BIO *bio, BIO_MSG *msg, size_t stride, @@ -181,6 +219,8 @@ static int noisy_dgram_recvmmsg(BIO *bio, BIO_MSG *msg, size_t stride, i++, thismsg++, data->this_dgram++) { uint64_t reinject; int should_drop; + uint16_t flip; + size_t flip_offset; /* If we have a message to reinject then insert it now */ if (data->reinject_dgram > 0 @@ -205,7 +245,8 @@ static int noisy_dgram_recvmmsg(BIO *bio, BIO_MSG *msg, size_t stride, data->reinject_dgram = 0; } - get_noise(&reinject, &should_drop); + get_noise(/* long header */ (((uint8_t *)thismsg->data)[0] & 0x80) != 0, + &reinject, &should_drop, &flip, &flip_offset); if (data->backoff) { /* * We might be asked to back off on introducing too much noise if @@ -214,10 +255,16 @@ static int noisy_dgram_recvmmsg(BIO *bio, BIO_MSG *msg, size_t stride, * that the connection always survives. After that we can resume * with normal noise */ +#ifdef OSSL_NOISY_DGRAM_DEBUG + printf("**Back off applied\n"); +#endif should_drop = 0; + flip = 0; data->backoff = 0; } + flip_bits(thismsg->data, thismsg->data_len, flip, flip_offset); + /* * We ignore reinjection if a message is already waiting to be * reinjected diff --git a/test/quicapitest.c b/test/quicapitest.c index 7739cbcb24..81c8c215bd 100644 --- a/test/quicapitest.c +++ b/test/quicapitest.c @@ -1439,11 +1439,11 @@ static int test_noisy_dgram(int idx) qtest_add_time(1); /* - * Send data from the server to the client. Some datagrams may get lost, - * dropped or re-ordered. We repeat 10 times to ensure we are sending - * enough datagrams for problems to be noticed. - */ - for (i = 0; i < 10; i++) { + * Send data from the server to the client. Some datagrams may get + * lost, modified, dropped or re-ordered. We repeat 20 times to ensure + * we are sending enough datagrams for problems to be noticed. + */ + for (i = 0; i < 20; i++) { if (!TEST_true(ossl_quic_tserver_write(qtserv, sid, (unsigned char *)msg, msglen, &written)) @@ -1453,10 +1453,10 @@ static int test_noisy_dgram(int idx) qtest_add_time(1); /* - * Since the underlying BIO is now noisy we may get failures that - * need to be retried - so we use unreliable_client_read() to handle - * that - */ + * Since the underlying BIO is now noisy we may get failures that + * need to be retried - so we use unreliable_client_read() to + * handle that + */ if (!TEST_true(unreliable_client_read(clientquic, &stream[j], buf, sizeof(buf), &readbytes, qtserv)) @@ -1465,7 +1465,7 @@ static int test_noisy_dgram(int idx) } /* Send data from the client to the server */ - for (i = 0; i < 10; i++) { + for (i = 0; i < 20; i++) { if (!TEST_true(SSL_write_ex(stream[j], (unsigned char *)msg, msglen, &written)) || !TEST_size_t_eq(msglen, written)) @@ -1475,10 +1475,10 @@ static int test_noisy_dgram(int idx) qtest_add_time(1); /* - * Since the underlying BIO is now noisy we may get failures that - * need to be retried - so we use unreliable_server_read() to handle - * that - */ + * Since the underlying BIO is now noisy we may get failures that + * need to be retried - so we use unreliable_server_read() to + * handle that + */ if (!TEST_true(unreliable_server_read(qtserv, sid, buf, sizeof(buf), &readbytes, clientquic)) || !TEST_mem_eq(msg, msglen, buf, readbytes)) -- Gitee From ec020988048bb4fe24ec155b23478ff41de8ce85 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 4 Oct 2023 17:23:27 +0200 Subject: [PATCH 57/60] Always back off on the first packet noise from client to server The test server cannot really cope with modifications Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22267) Signed-off-by: fly2x --- test/helpers/quictestlib.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/test/helpers/quictestlib.c b/test/helpers/quictestlib.c index 0ae05e5701..26cd67e236 100644 --- a/test/helpers/quictestlib.c +++ b/test/helpers/quictestlib.c @@ -105,8 +105,8 @@ static void noise_msg_callback(int write_p, int version, int content_type, * of our noise being too much such that the connection itself * fails. We back off on the noise for a bit to avoid that. */ - BIO_ctrl(noiseargs->cbio, BIO_CTRL_NOISE_BACK_OFF, 0, NULL); - BIO_ctrl(noiseargs->sbio, BIO_CTRL_NOISE_BACK_OFF, 0, NULL); + (void)BIO_ctrl(noiseargs->cbio, BIO_CTRL_NOISE_BACK_OFF, 0, NULL); + (void)BIO_ctrl(noiseargs->sbio, BIO_CTRL_NOISE_BACK_OFF, 0, NULL); } } @@ -235,6 +235,14 @@ int qtest_create_quic_objects(OSSL_LIB_CTX *libctx, SSL_CTX *clientctx, if (!TEST_ptr(noisebio)) goto err; sbio = BIO_push(noisebio, sbio); + /* + * TODO(QUIC SERVER): + * Currently the simplistic handler of the quic tserver cannot cope + * with noise introduced in the first packet received from the + * client. This needs to be removed once we have proper server side + * handling. + */ + (void)BIO_ctrl(sbio, BIO_CTRL_NOISE_BACK_OFF, 0, NULL); (*fault)->noiseargs.cbio = cbio; (*fault)->noiseargs.sbio = sbio; -- Gitee From 7f08758a2debe00830db756500daa22ad9077164 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 5 Oct 2023 15:24:38 +0200 Subject: [PATCH 58/60] Windows CI: Continue on error during cpuinfo Reviewed-by: Tom Cosgrove Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/22293) Signed-off-by: fly2x --- .github/workflows/windows.yml | 3 +++ .github/workflows/windows_comp.yml | 2 ++ 2 files changed, 5 insertions(+) diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index 806bc25f55..7125b91f75 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml @@ -54,6 +54,7 @@ jobs: target: _build/coreinfo/ - name: get cpu info working-directory: _build + continue-on-error: true run: | 7z.exe x coreinfo/Coreinfo.zip ./Coreinfo64.exe -accepteula -f @@ -98,6 +99,7 @@ jobs: target: _build/coreinfo/ - name: get cpu info working-directory: _build + continue-on-error: true run: | 7z.exe x coreinfo/Coreinfo.zip ./Coreinfo64.exe -accepteula -f @@ -135,6 +137,7 @@ jobs: target: _build/coreinfo/ - name: get cpu info working-directory: _build + continue-on-error: true run: | 7z.exe x coreinfo/Coreinfo.zip ./Coreinfo64.exe -accepteula -f diff --git a/.github/workflows/windows_comp.yml b/.github/workflows/windows_comp.yml index bf2e89ed71..abcc0ad019 100644 --- a/.github/workflows/windows_comp.yml +++ b/.github/workflows/windows_comp.yml @@ -48,6 +48,7 @@ jobs: target: _build/coreinfo/ - name: get cpu info working-directory: _build + continue-on-error: true run: | 7z.exe x coreinfo/Coreinfo.zip ./Coreinfo64.exe -accepteula -f @@ -86,6 +87,7 @@ jobs: target: _build/coreinfo/ - name: get cpu info working-directory: _build + continue-on-error: true run: | 7z.exe x coreinfo/Coreinfo.zip ./Coreinfo64.exe -accepteula -f -- Gitee From aa2a863be039597dace888ef89b012b71d9a659e Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Wed, 4 Oct 2023 17:50:53 +0100 Subject: [PATCH 59/60] Don't wait in the tesrver idle testing every time around the loop If we wait for 100ms 600 times - then the test takes a minute to complete which is far too long. The purpose of the wait is to give the assistance thread a chance to catch up. We only do that if the event timeout has actually expired - otherwise we are waiting for no reason. Fixes #22156 Reviewed-by: Paul Dale Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22284) Signed-off-by: fly2x --- test/quic_tserver_test.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/test/quic_tserver_test.c b/test/quic_tserver_test.c index 980c9a83ff..6ed84f0ae6 100644 --- a/test/quic_tserver_test.c +++ b/test/quic_tserver_test.c @@ -305,6 +305,9 @@ static int do_test(int use_thread_assist, int use_fake_time, int use_inject) if (c_start_idle_test && !c_done_idle_test) { /* This is more than our default idle timeout of 30s. */ if (idle_units_done < 600) { + struct timeval tv; + int isinf; + if (!TEST_true(CRYPTO_THREAD_write_lock(fake_time_lock))) goto err; fake_time = ossl_time_add(fake_time, ossl_ms2time(100)); @@ -312,7 +315,16 @@ static int do_test(int use_thread_assist, int use_fake_time, int use_inject) ++idle_units_done; ossl_quic_conn_force_assist_thread_wake(c_ssl); - OSSL_sleep(100); /* Ensure CPU scheduling for test purposes */ + + /* + * If the event timeout has expired then give the assistance + * thread a chance to catch up + */ + if (!TEST_true(SSL_get_event_timeout(c_ssl, &tv, &isinf))) + goto err; + if (!isinf && ossl_time_compare(ossl_time_zero(), + ossl_time_from_timeval(tv)) >= 0) + OSSL_sleep(100); /* Ensure CPU scheduling for test purposes */ } else { c_done_idle_test = 1; } -- Gitee From 8ec924eef314d7b7795e1460d1ac0bd5b4c3afdf Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Wed, 4 Oct 2023 17:55:33 +0100 Subject: [PATCH 60/60] Timeout in the tserver test using real time When running the tserver test we bail out if a timeout expires. We shouldn't use fake time for that timeout, because fake time might never actually get incremented. Reviewed-by: Paul Dale Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22284) Signed-off-by: fly2x --- test/quic_tserver_test.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/test/quic_tserver_test.c b/test/quic_tserver_test.c index 6ed84f0ae6..b2b09354bb 100644 --- a/test/quic_tserver_test.c +++ b/test/quic_tserver_test.c @@ -73,7 +73,6 @@ static int do_test(int use_thread_assist, int use_fake_time, int use_inject) int s_begin_write = 0; OSSL_TIME start_time; unsigned char alpn[] = { 8, 'o', 's', 's', 'l', 't', 'e', 's', 't' }; - OSSL_TIME (*now_cb)(void *arg) = use_fake_time ? fake_now : real_now; size_t limit_ms = 1000; #if defined(OPENSSL_NO_QUIC_THREAD_ASSIST) @@ -194,10 +193,14 @@ static int do_test(int use_thread_assist, int use_fake_time, int use_inject) if (!TEST_true(SSL_set_blocking_mode(c_ssl, 0))) goto err; - start_time = now_cb(NULL); + /* + * We use real time for the timeout not fake time. Otherwise with fake time + * we could hit a hang if we never increment the fake time + */ + start_time = real_now(NULL); for (;;) { - if (ossl_time_compare(ossl_time_subtract(now_cb(NULL), start_time), + if (ossl_time_compare(ossl_time_subtract(real_now(NULL), start_time), ossl_ms2time(limit_ms)) >= 0) { TEST_error("timeout while attempting QUIC server test"); goto err; -- Gitee