[openssl/openssl] 6460c3: increase x509 code coverage metrics

James Muir noreply at github.com
Wed Nov 9 14:36:17 UTC 2022


  Branch: refs/heads/openssl-3.1
  Home:   https://github.com/openssl/openssl
  Commit: 6460c3cf931feef9aea2ad0e8264c042816c9436
      https://github.com/openssl/openssl/commit/6460c3cf931feef9aea2ad0e8264c042816c9436
  Author: Tavis Ormandy <taviso at gmail.com>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    A fuzz/corpora/x509/21c8004279f4b57fd8f904382cf138effd089b25
    A fuzz/corpora/x509/2bd8a58cc944497f08ea233d69443d6696c9fb3f
    A fuzz/corpora/x509/2fe700400bc899b9e7f30d66be5b19271ac47c64
    A fuzz/corpora/x509/31305f3b3ee0a5510918efdad62d29da23c1d057
    A fuzz/corpora/x509/382c9ce318e5d7abe889c3b2e9ace063d9ef5344
    A fuzz/corpora/x509/39cf74c117b5dba51828cff51a27790c737045d7
    A fuzz/corpora/x509/57927e05973120e02ca3e0af582a70d3398f085f
    A fuzz/corpora/x509/5dbc640a493e76958fdb2c73c9da4d9101f30061
    A fuzz/corpora/x509/6a1cee93d3b815669b0c65bde8e391c614a29ea3
    A fuzz/corpora/x509/6dcc554810035cc46962eac88c1883623f3e69c6
    A fuzz/corpora/x509/76b8ba06006375c9c47466dacf3a53021672df12
    A fuzz/corpora/x509/8b5fc9262d78c8c87d100ead207dc93df6361295
    A fuzz/corpora/x509/9900db635402ea32ef26249b5f811a0d85a56385
    A fuzz/corpora/x509/aa0e6c5373568c9d7f48dc627d19400208baed83
    A fuzz/corpora/x509/b1259bf4ca791b0f46887d9a959598e3ed5b6d33
    A fuzz/corpora/x509/b73532123cb6a663e8cf7334de9c9771ecb432f7
    A fuzz/corpora/x509/ce89063b8353b1880cb86f73f618a4008d83532a
    A fuzz/corpora/x509/d056ac458b78c0344a83c0383f76a20dbb4dcdbc
    A fuzz/corpora/x509/d57f9f790ec3895b7e11969a0b319bf274284be3
    A fuzz/corpora/x509/d60a803dc64c2f98c732660fb006b944df9f9270
    A fuzz/corpora/x509/e690741d65108fc3e8ce0af814e6b6967cfad51c
    A fuzz/corpora/x509/e7c6f4d50fb62030e2259c94f3a423e0d1c0fa16
    A fuzz/corpora/x509/e8ff454fe20035d1ee1c6fbb50cda330e8a48d47
    A fuzz/corpora/x509/ea973eb22df5eedd5f52639e1ad0950118c76b2e
    A fuzz/corpora/x509/ebabb2852689b7bedc46cc38d10deb4a4be8c8f7
    A fuzz/corpora/x509/ec16dacfbdb34e2a1f0909ec9c59f9e6fa7d5ab3
    A fuzz/corpora/x509/ee7a250cc7b123f8f3000fa2b0c045efd080f752
    A fuzz/corpora/x509/f11550062adba3ac78fccf835a882a68e1bffab2
    A fuzz/corpora/x509/f11f61828aa0a0fecaf44cbc155d7e174d814eb6
    A fuzz/corpora/x509/f1506975d926f6e98be686ea147854951d8fefcc
    A fuzz/corpora/x509/f3aebf0d2a2db39f8e4917e5b6a0e5fb0e0ce806
    A fuzz/corpora/x509/f5f0426c6dafa100b79a8675f15aca90a68d9e16
    A fuzz/corpora/x509/f6735b84d4c704f3674a50e6475c83bc2a3d6f1f
    A fuzz/corpora/x509/fa4768c5efcb1b5c8ecda30b263f5e9ca4320718
    A fuzz/corpora/x509/fae428be68618af3fc3fb89ab79d92f9d1a9b1b9
    A fuzz/corpora/x509/fb92fed0a0bc2235437683e655533d84b64a59c0
    A fuzz/corpora/x509/fc48a26e3e5e2a9229452819e8605b1cbfdd9892
    A fuzz/corpora/x509/fe543a8d7e09109a9a08114323eefec802ad79e2

  Log Message:
  -----------
  increase x509 code coverage metrics

Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16651)

(cherry picked from commit 415e6ac80405e13b20b083315747e431274fbd33)


  Commit: 0c1613aeb924b3b1baff9599132bd8bca0103f83
      https://github.com/openssl/openssl/commit/0c1613aeb924b3b1baff9599132bd8bca0103f83
  Author: Pauli <pauli at openssl.org>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M include/internal/tsan_assist.h

  Log Message:
  -----------
  tsan: add an addition macro

Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15713)

(cherry picked from commit b0b456f8c8b628c3d7e212339e31cbfd06ac4ec8)
Reviewed-by: Hugo Landau <hlandau at openssl.org>


  Commit: 196c57ee6a956169aadbd760c13110671773f371
      https://github.com/openssl/openssl/commit/196c57ee6a956169aadbd760c13110671773f371
  Author: Pauli <pauli at openssl.org>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M crypto/objects/obj_dat.c

  Log Message:
  -----------
  obj: make the OBJ_ calls thread safe

This is done using a single global lock.  The premise for this is that new
objects will most frequently be added at start up and never added subsequently.
Thus, the locking will be for read most of the time.

This does, however, introduce the overhead of taking an uncontested read lock
when accessing the object database.

Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15713)

(cherry picked from commit 397065c621e733fff80dedb28252120ec143693e)
Reviewed-by: Hugo Landau <hlandau at openssl.org>


  Commit: 26d9ed7aef61eb847359360f4c4ae4324b51f2ac
      https://github.com/openssl/openssl/commit/26d9ed7aef61eb847359360f4c4ae4324b51f2ac
  Author: Pauli <pauli at openssl.org>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M crypto/objects/obj_dat.c

  Log Message:
  -----------
  obj: make new NIDs use tsan if possible

Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15713)

(cherry picked from commit 29c80c6004de8bfd1792e421bbe03ab5f075f21d)
Reviewed-by: Hugo Landau <hlandau at openssl.org>


  Commit: 060290e6aaf278f01826c37e3f55b8b8b95cbbb5
      https://github.com/openssl/openssl/commit/060290e6aaf278f01826c37e3f55b8b8b95cbbb5
  Author: Pauli <pauli at openssl.org>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M crypto/objects/obj_xref.c

  Log Message:
  -----------
  obj: add locking to the OBJ sigid calls

This is done using a single global lock.  The premise for this is that new
objects will most frequently be added at start up and never added subsequently.
Thus, the locking will be for read most of the time.

Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15713)

(cherry picked from commit c568900c9ac02e92c54bd3168773d54d7350a580)
Reviewed-by: Hugo Landau <hlandau at openssl.org>


  Commit: a5d27c2907ed9658df228dc0b3b5743e20f1557f
      https://github.com/openssl/openssl/commit/a5d27c2907ed9658df228dc0b3b5743e20f1557f
  Author: Pauli <pauli at openssl.org>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M doc/man3/OBJ_nid2obj.pod
    M doc/man7/provider-base.pod

  Log Message:
  -----------
  doc: Document that the OBJ creation functions are now thread safe.

With the OBJ_ thread locking in place, these documentation changes are not
required.

This reverts commit 0218bcdd3feab456135207c140998305df73ab7b.

Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15713)

(cherry picked from commit 06394a6cc7c784b46bc6d1e65a1ff39637093934)
Reviewed-by: Hugo Landau <hlandau at openssl.org>


  Commit: cd0cc4911f88f39f97dd13791b59a2d22463e663
      https://github.com/openssl/openssl/commit/cd0cc4911f88f39f97dd13791b59a2d22463e663
  Author: Pauli <pauli at openssl.org>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M doc/man7/openssl-threads.pod

  Log Message:
  -----------
  doc: add note to indicate that the OBJ_ functions were not thread safe in 3.0

Also remove OBJ_thread from the list of non-threadsafe functions.

Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15713)

(cherry picked from commit b66b024cf7124c9639011b27b70a082e3bc3d269)
Reviewed-by: Hugo Landau <hlandau at openssl.org>


  Commit: 74299cf58fefb3cdde23444bd12e6e212a4c99af
      https://github.com/openssl/openssl/commit/74299cf58fefb3cdde23444bd12e6e212a4c99af
  Author: Pauli <pauli at openssl.org>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M test/threadstest.c

  Log Message:
  -----------
  test: add threading test for object creation

In addition, rework the multi tests to use common code.

Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15713)

(cherry picked from commit 0855591e1f3559313641c13e4b7ce900ce42321c)
Reviewed-by: Hugo Landau <hlandau at openssl.org>


  Commit: 8bb214fae17097d8258f19f6c571a11306108be6
      https://github.com/openssl/openssl/commit/8bb214fae17097d8258f19f6c571a11306108be6
  Author: Pauli <ppzgs1 at gmail.com>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M CHANGES.md

  Log Message:
  -----------
  Add changes entry indicating that the OBJ_* calls are now thread safe

Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15713)

(cherry picked from commit 63d0f4d2b04ed334e534c9f6d0b18262161b0050)
Reviewed-by: Hugo Landau <hlandau at openssl.org>


  Commit: 17366644e4d84b64c14302b36dac90e68d54453d
      https://github.com/openssl/openssl/commit/17366644e4d84b64c14302b36dac90e68d54453d
  Author: marcfedorow <mark.fedorov at cloudbear.ru>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M crypto/sha/sha512.c

  Log Message:
  -----------
  RISC-V support for the SHA512

Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16638)

(cherry picked from commit 611685adc04a7c7e9612d51e743044fdcd9d1846)


  Commit: 37fdd76d06b961d650e12a0d19d8186669e80398
      https://github.com/openssl/openssl/commit/37fdd76d06b961d650e12a0d19d8186669e80398
  Author: Russ Butler <russ.butler at arm.com>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M crypto/aes/asm/aesv8-armx.pl
    M crypto/aes/asm/vpaes-armv8.pl
    M crypto/aes/build.info
    M crypto/arm64cpuid.pl
    M crypto/arm_arch.h
    M crypto/bn/asm/armv8-mont.pl
    M crypto/chacha/asm/chacha-armv8.pl
    M crypto/ec/asm/ecp_nistz256-armv8.pl
    M crypto/modes/asm/aes-gcm-armv8_64.pl
    M crypto/modes/asm/ghashv8-armx.pl
    M crypto/poly1305/asm/poly1305-armv8.pl
    M crypto/sha/asm/keccak1600-armv8.pl
    M crypto/sha/asm/sha1-armv8.pl
    M crypto/sha/asm/sha512-armv8.pl
    M crypto/sha/build.info

  Log Message:
  -----------
  aarch64: support BTI and pointer authentication in assembly

This change adds optional support for
- Armv8.3-A Pointer Authentication (PAuth) and
- Armv8.5-A Branch Target Identification (BTI)
features to the perl scripts.

Both features can be enabled with additional compiler flags.
Unless any of these are enabled explicitly there is no code change at
all.

The extensions are briefly described below. Please read the appropriate
chapters of the Arm Architecture Reference Manual for the complete
specification.

Scope
-----

This change only affects generated assembly code.

Armv8.3-A Pointer Authentication
--------------------------------

Pointer Authentication extension supports the authentication of the
contents of registers before they are used for indirect branching
or load.

PAuth provides a probabilistic method to detect corruption of register
values. PAuth signing instructions generate a Pointer Authentication
Code (PAC) based on the value of a register, a seed and a key.
The generated PAC is inserted into the original value in the register.
A PAuth authentication instruction recomputes the PAC, and if it matches
the PAC in the register, restores its original value. In case of a
mismatch, an architecturally unmapped address is generated instead.

With PAuth, mitigation against ROP (Return-oriented Programming) attacks
can be implemented. This is achieved by signing the contents of the
link-register (LR) before it is pushed to stack. Once LR is popped,
it is authenticated. This way a stack corruption which overwrites the
LR on the stack is detectable.

The PAuth extension adds several new instructions, some of which are not
recognized by older hardware. To support a single codebase for both
pre-Armv8.3-A targets and newer ones, only NOP-space instructions are added
by this patch. These instructions are treated as NOPs on hardware
which does not support Armv8.3-A. Furthermore, this patch only considers
cases where LR is saved to the stack and then restored before branching
to its content. There are cases in the code where LR is pushed to stack
but it is not used later. We do not address these cases as they are not
affected by PAuth.

There are two keys available to sign an instruction address: A and B.
PACIASP and PACIBSP only differ in the used keys: A and B, respectively.
The keys are typically managed by the operating system.

To enable generating code for PAuth compile with
-mbranch-protection=<mode>:

- standard or pac-ret: add PACIASP and AUTIASP, also enables BTI
  (read below)
- pac-ret+b-key: add PACIBSP and AUTIBSP

Armv8.5-A Branch Target Identification
--------------------------------------

Branch Target Identification features some new instructions which
protect the execution of instructions on guarded pages which are not
intended branch targets.

If Armv8.5-A is supported by the hardware, execution of an instruction
changes the value of the PSTATE.BTYPE field. If an indirect branch
lands on a guarded page the target instruction must be one of the
BTI <jc> flavors, or in case of a direct call or jump it can be any
other instruction. If the target instruction is not compatible with the
value of PSTATE.BTYPE a Branch Target Exception is generated.

In short, indirect jumps are compatible with BTI <j> and <jc> while
indirect calls are compatible with BTI <c> and <jc>. Please refer to the
specification for the details.

Armv8.3-A PACIASP and PACIBSP are implicit branch target
identification instructions which are equivalent to BTI c or BTI jc
depending on system register configuration.

BTI is used to mitigate JOP (Jump-oriented Programming) attacks by
limiting the set of instructions which can be jumped to.

BTI requires active linker support to mark the pages with BTI-enabled
code as guarded. For ELF64 files BTI compatibility is recorded in the
.note.gnu.property section. For a shared object or static binary it is
required that all linked units support BTI. This means that even a
single assembly file without the required note section turns off BTI
for the whole binary or shared object.

The new BTI instructions are treated as NOPs on hardware which does
not support Armv8.5-A or on pages which are not guarded.

To insert this new and optional instruction compile with
-mbranch-protection=standard (also enables PAuth) or +bti.

When targeting a guarded page from a non-guarded page, weaker
compatibility restrictions apply to maintain compatibility between
legacy and new code. For detailed rules please refer to the Arm ARM.

Compiler support
----------------

Compiler support requires understanding '-mbranch-protection=<mode>'
and emitting the appropriate feature macros (__ARM_FEATURE_BTI_DEFAULT
and __ARM_FEATURE_PAC_DEFAULT). The current state is the following:

-------------------------------------------------------
| Compiler | -mbranch-protection | Feature macros     |
+----------+---------------------+--------------------+
| clang    | 9.0.0               | 11.0.0             |
+----------+---------------------+--------------------+
| gcc      | 9                   | expected in 10.1+  |
-------------------------------------------------------

Available Platforms
-------------------

Arm Fast Model and QEMU support both extensions.

https://developer.arm.com/tools-and-software/simulation-models/fast-models
https://www.qemu.org/

Implementation Notes
--------------------

This change adds BTI landing pads even to assembly functions which are
likely to be directly called only. In these cases, landing pads might
be superfluous depending on what code the linker generates.
Code size and performance impact for these cases would be negligible.

Interaction with C code
-----------------------

Pointer Authentication is a per-frame protection while Branch Target
Identification can be turned on and off only for all code pages of a
whole shared object or static binary. Because of these properties if
C/C++ code is compiled without any of the above features but assembly
files support any of them unconditionally there is no incompatibility
between the two.

Useful Links
------------

To fully understand the details of both PAuth and BTI it is advised to
read the related chapters of the Arm Architecture Reference Manual
(Arm ARM):
https://developer.arm.com/documentation/ddi0487/latest/

Additional materials:

"Providing protection for complex software"
https://developer.arm.com/architectures/learn-the-architecture/providing-protection-for-complex-software

Arm Compiler Reference Guide Version 6.14: -mbranch-protection
https://developer.arm.com/documentation/101754/0614/armclang-Reference/armclang-Command-line-Options/-mbranch-protection?lang=en

Arm C Language Extensions (ACLE)
https://developer.arm.com/docs/101028/latest

Additional Notes
----------------

This patch is a copy of the work done by Tamas Petz in boringssl. It
contains the changes from the following commits:

aarch64: support BTI and pointer authentication in assembly
    Change-Id: I4335f92e2ccc8e209c7d68a0a79f1acdf3aeb791
    URL: https://boringssl-review.googlesource.com/c/boringssl/+/42084
aarch64: Improve conditional compilation
    Change-Id: I14902a64e5f403c2b6a117bc9f5fb1a4f4611ebf
    URL: https://boringssl-review.googlesource.com/c/boringssl/+/43524
aarch64: Fix name of gnu property note section
    Change-Id: I6c432d1c852129e9c273f6469a8b60e3983671ec
    URL: https://boringssl-review.googlesource.com/c/boringssl/+/44024

Change-Id: I2d95ebc5e4aeb5610d3b226f9754ee80cf74a9af

Reviewed-by: Paul Dale <pauli at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16674)

(cherry picked from commit 19e277dd19f2897f6a7b7eb236abe46655e575bf)
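The commit message above explains that BTI only survives linking when every input object carries a `.note.gnu.property` section with the AArch64 feature bits set, and that one unannotated assembly file turns it off for the whole binary. The following is an added example, not code from the OpenSSL commit or from the boringssl change it copies: a small C parser for the body of an ELF64 `.note.gnu.property` section that reports the BTI and PAC feature bits, together with the linker's AND rule. The constants are the GNU ELF extension values for `NT_GNU_PROPERTY_TYPE_0` and the AArch64 `FEATURE_1_AND` property; the note bytes are constructed by hand, and the function and array names are this example's own.

```c
/*
 * Added example (not code from the OpenSSL commit or the boringssl change it
 * copies): parse the body of an ELF64 .note.gnu.property section, report the
 * AArch64 BTI/PAC feature bits it records, and apply the linker's AND rule
 * from the commit message.  Constants are the GNU ELF extension values; the
 * note bytes are constructed by hand.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NT_GNU_PROPERTY_TYPE_0              5u
#define GNU_PROPERTY_AARCH64_FEATURE_1_AND  0xc0000000u
#define GNU_PROPERTY_AARCH64_FEATURE_1_BTI  (1u << 0)
#define GNU_PROPERTY_AARCH64_FEATURE_1_PAC  (1u << 1)

/*
 * Constructed note for an object assembled with both BTI and PAC enabled:
 * namesz=4, descsz=16, type=5, "GNU\0", then one property entry
 * (pr_type=0xc0000000, pr_datasz=4, data=BTI|PAC=3, 4 bytes of padding).
 */
const unsigned char NOTE_BTI_PAC[32] = {
    0x04, 0x00, 0x00, 0x00,  0x10, 0x00, 0x00, 0x00,  0x05, 0x00, 0x00, 0x00,
    'G', 'N', 'U', 0x00,
    0x00, 0x00, 0x00, 0xc0,  0x04, 0x00, 0x00, 0x00,
    0x03, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00
};

static uint32_t rd32le(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Returns 1 and stores the feature_1 word in *bits when the note carries an
 * AArch64 FEATURE_1_AND property; 0 for a missing, truncated, malformed or
 * unrelated note.
 */
int aarch64_feature_bits(const unsigned char *note, size_t len, uint32_t *bits)
{
    uint64_t off = 16, end;

    if (note == NULL || len < 16)
        return 0;
    if (rd32le(note) != 4 || rd32le(note + 8) != NT_GNU_PROPERTY_TYPE_0
        || memcmp(note + 12, "GNU", 4) != 0)
        return 0;
    /* namesz is 4, so the descriptor starts at 16, already 8-byte aligned */
    end = off + rd32le(note + 4);            /* descsz */
    if (end > len)
        return 0;
    while (off + 8 <= end) {
        uint32_t pr_type = rd32le(note + off);
        uint32_t pr_datasz = rd32le(note + off + 4);

        off += 8;
        if (off + pr_datasz > end)
            return 0;
        if (pr_type == GNU_PROPERTY_AARCH64_FEATURE_1_AND && pr_datasz == 4) {
            *bits = rd32le(note + off);
            return 1;
        }
        off += ((uint64_t)pr_datasz + 7) & ~(uint64_t)7; /* entries are 8-byte padded */
    }
    return 0;
}

/* 1 if the note records every feature in mask (e.g. the BTI bit). */
int note_has_feature(const unsigned char *note, size_t len, uint32_t mask)
{
    uint32_t bits = 0;

    return aarch64_feature_bits(note, len, &bits) && (bits & mask) == mask;
}

/*
 * The linker ANDs the feature words of all input objects; an object with no
 * property note contributes 0, which is why one unannotated assembly file
 * turns BTI off for the whole output.  Returns the combined word.
 */
uint32_t link_feature_bits(const unsigned char *const notes[],
                           const size_t lens[], size_t n)
{
    uint32_t combined = GNU_PROPERTY_AARCH64_FEATURE_1_BTI
                        | GNU_PROPERTY_AARCH64_FEATURE_1_PAC;
    size_t i;

    for (i = 0; i < n; i++) {
        uint32_t bits = 0;

        if (!aarch64_feature_bits(notes[i], lens[i], &bits))
            bits = 0;                       /* no usable note: feature off */
        combined &= bits;
    }
    return n == 0 ? 0 : combined;
}

/* Scenario from the commit message: a BTI+PAC object linked with a legacy
 * assembly object that carries no note at all. */
uint32_t demo_link_with_legacy_object(void)
{
    const unsigned char *objs[2] = { NOTE_BTI_PAC, NULL };
    size_t lens[2] = { sizeof(NOTE_BTI_PAC), 0 };

    return link_feature_bits(objs, lens, 2);
}
```

On a real build the same check is what `readelf -n` on each object file and on the final library shows in its GNU property note; the parser above is only a way to see how the bits are laid out and why the AND across inputs drops BTI as soon as one object lacks the note.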


  Commit: 5f113755bdeb02d879ee22129d3d3e90630228a4
      https://github.com/openssl/openssl/commit/5f113755bdeb02d879ee22129d3d3e90630228a4
  Author: Felipe Gasper <felipe at felipegasper.com>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M CHANGES.md
    M apps/include/s_apps.h
    M apps/lib/s_cb.c
    M apps/s_client.c
    M apps/s_server.c

  Log Message:
  -----------
  Revise s_client and s_server verbiage re secure renegotiation.

Since TLS v1.3 eschews renegotiation entirely it’s misleading to have
these apps say it’s “not supported” when in fact the TLS version is
new enough not to need renegotiation at all.

Reviewed-by: Ben Kaduk <kaduk at mit.edu>
Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16937)

(cherry picked from commit af5e63e1e3300f784f302a5d3309bf673cc08894)


  Commit: 8786f7058c05d3c70fb7d269274cee1ea152584f
      https://github.com/openssl/openssl/commit/8786f7058c05d3c70fb7d269274cee1ea152584f
  Author: Pauli <pauli at openssl.org>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M crypto/evp/digest.c

  Log Message:
  -----------
  Remove redundant tests

Removed the three checks of type against NULL since type cannot be NULL for
any of them.

Moved a check of ->engine inside a CPP guard for engines.

Didn't address the teardown and rebuild of the provider context.

Partially fixes #16947

Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16952)

(cherry picked from commit 10cf46c4ef93e22f999b7b6d2c3aadc4db965e5a)
Reviewed-by: Hugo Landau <hlandau at openssl.org>


  Commit: c3f76ee8e40ff0db4174e1b12fc64ea8ea225f32
      https://github.com/openssl/openssl/commit/c3f76ee8e40ff0db4174e1b12fc64ea8ea225f32
  Author: Pauli <pauli at openssl.org>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M crypto/x509/v3_sxnet.c

  Log Message:
  -----------
  x509: remove dead call to strlen()

The condition `userlen == -1` isn't possible because this is already checked
on line 159 above and the subsequent strlen(3) call guarantees that its value
is positive.

Reviewed-by: Paul Yang <kaishen.yy at antfin.com>
(Merged from https://github.com/openssl/openssl/pull/16987)

(cherry picked from commit a18cdd28077be05ec88538be84a761469f3f20c4)
Reviewed-by: Hugo Landau <hlandau at openssl.org>


  Commit: e7557d7d7475e6188cf11dcdd74d23b1356c41f0
      https://github.com/openssl/openssl/commit/e7557d7d7475e6188cf11dcdd74d23b1356c41f0
  Author: Pauli <pauli at openssl.org>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M crypto/provider_core.c
    M doc/internal/man3/ossl_provider_new.pod
    M include/internal/provider.h

  Log Message:
  -----------
  prov: remove unused field `flag_fallback` and function `ossl_provider_set_fallback`

These are legacy of older versions of the code and are currently not used
anywhere.

Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16985)

(cherry picked from commit 90c311315c15a4fea895fd317d9c8fe801ba04a0)
Reviewed-by: Hugo Landau <hlandau at openssl.org>


  Commit: b25d775e6cc473993d16eea3bdf479d7d9c37722
      https://github.com/openssl/openssl/commit/b25d775e6cc473993d16eea3bdf479d7d9c37722
  Author: Anton Blanchard <anton at linux.ibm.com>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M crypto/sha/asm/keccak1600-ppc64.pl

  Log Message:
  -----------
  sha/asm/keccak1600-ppc64.pl: Load data in 8 byte chunks on little endian

We currently load data byte by byte in order to byteswap it on big
endian. On little endian we can just do 8 byte loads.

A SHAKE128 benchmark runs 10% faster on POWER9 with this patch applied.

Reviewed-by: Paul Dale <pauli at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8455)

(cherry picked from commit 8f9842fd03945d9484dcc9e5fab37dce7caa5f50)


  Commit: 0bed814750c62c738d509cd0a9655789ae69e99b
      https://github.com/openssl/openssl/commit/0bed814750c62c738d509cd0a9655789ae69e99b
  Author: Shane Lontis <shane.lontis at oracle.com>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M demos/README.txt
    A demos/encrypt/Makefile
    A demos/encrypt/rsa_encrypt.c
    A demos/encrypt/rsa_encrypt.h

  Log Message:
  -----------
  Add RSA encrypt demo

Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16283)

(cherry picked from commit 35530b117fcf54cf733c485e9e2e267963c081ee)
Reviewed-by: Hugo Landau <hlandau at openssl.org>


  Commit: 3d2b47bcdf8cf407ef1e459d54d4501cc19f0227
      https://github.com/openssl/openssl/commit/3d2b47bcdf8cf407ef1e459d54d4501cc19f0227
  Author: Andrey Matyukov <andrey.matyukov at intel.com>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M CHANGES.md
    A crypto/bn/asm/rsaz-2k-avx512.pl
    A crypto/bn/asm/rsaz-3k-avx512.pl
    A crypto/bn/asm/rsaz-4k-avx512.pl
    R crypto/bn/asm/rsaz-avx512.pl
    M crypto/bn/bn_exp.c
    M crypto/bn/build.info
    M crypto/bn/rsaz_exp_x2.c
    M test/exptest.c

  Log Message:
  -----------
  Dual 1536/2048-bit exponentiation optimization for Intel IceLake CPU

It uses AVX512_IFMA + AVX512_VL (with 256-bit wide registers) ISA to
keep lower power license.

Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14908)

(cherry picked from commit f87b4c4ea67393c9269663ed40a7ea3463cc59d3)


  Commit: 923140bd0036ac629cbaa712fbc2d8c11f7854fa
      https://github.com/openssl/openssl/commit/923140bd0036ac629cbaa712fbc2d8c11f7854fa
  Author: pkubaj <pkubaj at FreeBSD.org>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M Configurations/10-main.conf
    M Configure
    M crypto/ppccap.c
    M util/perl/OpenSSL/config.pm

  Log Message:
  -----------
  Add support for BSD-ppc, BSD-ppc64 and BSD-ppc64le configurations

OpenSSL assumes AT_HWCAP = 16 (as on Linux), but on FreeBSD AT_HWCAP = 25.
Switch to using AT_HWCAP, and setting it to 16 if it is not defined.

CLA: trivial

Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17090)

(cherry picked from commit f5485b97b6c9977c0d39c7669b9f97a879312447)


  Commit: ee51843cbe8a00ccfc222d2dc90c636ccda1b8bc
      https://github.com/openssl/openssl/commit/ee51843cbe8a00ccfc222d2dc90c636ccda1b8bc
  Author: Bernd Edlinger <bernd.edlinger at hotmail.de>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M crypto/bn/bn_asm.c

  Log Message:
  -----------
  Remove some unnecessary undefs in bn_asm.c

This is likely the leftover of a previous hack,
and thus should be removed now.

Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17259)

(cherry picked from commit 17cca0e85e83eac23069ddc5c5ebab6d7dd13ee1)
Reviewed-by: Hugo Landau <hlandau at openssl.org>


  Commit: 45c74dea20c9b5060063a9f72f85b6e1af84a656
      https://github.com/openssl/openssl/commit/45c74dea20c9b5060063a9f72f85b6e1af84a656
  Author: Orr Toledano <otoledan at amazon.com>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M crypto/arm64cpuid.pl
    M crypto/arm_arch.h
    M crypto/armcap.c

  Log Message:
  -----------
  Add Arm Assembly (aarch64) support for RNG

Include aarch64 asm instructions for random number generation using the
RNDR and RNDRRS instructions. Provide detection functions for RNDR and
RNDRRS getauxval.

Reviewed-by: Paul Dale <pauli at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15361)

(cherry picked from commit efa1f22483ee43d84e1aee01b08c0bda04060c1c)


  Commit: 42ffe7812ca7be00bc24c1b06ffd5878f69fcf08
      https://github.com/openssl/openssl/commit/42ffe7812ca7be00bc24c1b06ffd5878f69fcf08
  Author: Orr Toledano <otoledan at amazon.com>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M crypto/info.c
    M providers/implementations/rands/seeding/build.info
    A providers/implementations/rands/seeding/rand_cpu_arm64.c

  Log Message:
  -----------
  Add support for RNDRRS Provider

Create new provider for RNDRRS. Modify support for rand_cpu to default to
RDRAND/RDSEED on x86 and RNDRRS on aarch64.

Reviewed-by: Paul Dale <pauli at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15361)

(cherry picked from commit eb28fda79748c303d88a8af48de5187100f2c64c)


  Commit: f716af3484c5bc543b4a9d9ee99d819d017fec20
      https://github.com/openssl/openssl/commit/f716af3484c5bc543b4a9d9ee99d819d017fec20
  Author: Orr Toledano <otoledan at amazon.com>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M test/build.info
    A test/rdcpu_sanitytest.c
    R test/rdrand_sanitytest.c
    A test/recipes/06-test_rdcpu_sanity.t
    R test/recipes/06-test_rdrand_sanity.t

  Log Message:
  -----------
  Add tests for RNDR and combine tests with RDRAND

Add test cases for RNDR and RNDRRS. Combine tests for RDRAND and RNDR to
share common logic.

Reviewed-by: Paul Dale <pauli at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15361)

(cherry picked from commit 1f8ce0c9faee59ac51a5db7a8ec42c38866be090)


  Commit: 25136fcf1b056c93cc8d88f2a93b76fda53bbaa2
      https://github.com/openssl/openssl/commit/25136fcf1b056c93cc8d88f2a93b76fda53bbaa2
  Author: Orr Toledano <otoledan at amazon.com>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M CHANGES.md
    M INSTALL.md

  Log Message:
  -----------
  Documentation for RNDR and RNDRRS

Reviewed-by: Paul Dale <pauli at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15361)

(cherry picked from commit e8b597f33143410fb50bdeba8722c249524bc0b9)


  Commit: 9316125febb5351c1ec791fe173fa42c20aac98a
      https://github.com/openssl/openssl/commit/9316125febb5351c1ec791fe173fa42c20aac98a
  Author: Michael Baentsch <info at baentsch.ch>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M test/upcallstest.c

  Log Message:
  -----------
  improving tests for adding sigalg with empty digest

Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17315)

(cherry picked from commit 2080da84a49b0c52fc8c6e6caef5d373235bd3e4)


  Commit: ea578b6553b178e1ae2448eab175fce81da07987
      https://github.com/openssl/openssl/commit/ea578b6553b178e1ae2448eab175fce81da07987
  Author: x2018 <xkernel.wang at foxmail.com>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M providers/implementations/exchange/dh_exch.c
    M providers/implementations/exchange/ecdh_exch.c

  Log Message:
  -----------
  check the return value of EVP_MD_fetch in ecdh_exch.c:285 & dh_exch.c:347

Reviewed-by: Paul Dale <pauli at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17153)

(cherry picked from commit 04e3ab64d58bb43efc4392d12c607bb4b5a2c562)


  Commit: f53caf04eba061193055392934ad2e8c4346b0ec
      https://github.com/openssl/openssl/commit/f53caf04eba061193055392934ad2e8c4346b0ec
  Author: fangming.fang <fangming.fang at arm.com>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M test/rdcpu_sanitytest.c

  Log Message:
  -----------
  Fix compile error when building with no-asm

Reviewed-by: Bernd Edlinger <bernd.edlinger at hotmail.de>
Reviewed-by: Paul Dale <pauli at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17376)

(cherry picked from commit a8251a32a0dc449fc39f44a1768e091fcc077227)


  Commit: 490934c61bdf015067c27a24243a76db186413be
      https://github.com/openssl/openssl/commit/490934c61bdf015067c27a24243a76db186413be
  Author: fangming.fang <fangming.fang at arm.com>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M crypto/armcap.c

  Log Message:
  -----------
  fix building failure when using -Wconditional-uninitialized

When building with clang -Wconditional-uninitialized, the error "initialize
the variable 'buffer_size' to silence this warning" is reported.

Reviewed-by: Paul Dale <pauli at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17375)

(cherry picked from commit abc4345a19430869b9a8925c6defc9e9ce977429)


  Commit: 6f79bda426c3b0df70d6b8e4d0d562b724eae75a
      https://github.com/openssl/openssl/commit/6f79bda426c3b0df70d6b8e4d0d562b724eae75a
  Author: Dmitry Belyavskiy <beldmit at gmail.com>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M .gitmodules
    A python-ecdsa
    A tlsfuzzer
    A tlslite-ng

  Log Message:
  -----------
  TLSfuzzer: submodules

Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17340)

(cherry picked from commit cccbb4fa60ca890a0ce6757fcba5669208fffa46)
Reviewed-by: Hugo Landau <hlandau at openssl.org>


  Commit: cda2f1b9d4b558f0fa60f546be199cc68a681773
      https://github.com/openssl/openssl/commit/cda2f1b9d4b558f0fa60f546be199cc68a681773
  Author: Dmitry Belyavskiy <beldmit at gmail.com>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    A test/recipes/95-test_external_tlsfuzzer.t
    A test/recipes/95-test_external_tlsfuzzer_data/cert.json.in
    A test/recipes/95-test_external_tlsfuzzer_data/tls-fuzzer-cert.sh
    A test/recipes/95-test_external_tlsfuzzer_data/tlsfuzzer.sh

  Log Message:
  -----------
  TLS Fuzzer: initial test infrastructure

Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17340)

(cherry picked from commit db87f89b7393eea395b82050c7fc4e1869ef112e)
Reviewed-by: Hugo Landau <hlandau at openssl.org>


  Commit: 8963caee37402060520859f2ef8d1f8f0232181f
      https://github.com/openssl/openssl/commit/8963caee37402060520859f2ef8d1f8f0232181f
  Author: Dmitry Belyavskiy <beldmit at gmail.com>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M .github/workflows/ci.yml

  Log Message:
  -----------
  Run TLSfuzzer tests for CI

Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17340)

(cherry picked from commit e66c41725f03dae2b295df048312fe6d28729e98)
Reviewed-by: Hugo Landau <hlandau at openssl.org>


  Commit: 53f2ed743700a15cb8e2d56a7f2ac77396f94e78
      https://github.com/openssl/openssl/commit/53f2ed743700a15cb8e2d56a7f2ac77396f94e78
  Author: Dmitry Belyavskiy <beldmit at gmail.com>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M test/recipes/95-test_external_tlsfuzzer.t

  Log Message:
  -----------
  Don't run TLSFuzzer tests when it is not properly set

Reviewed-by: Bernd Edlinger <bernd.edlinger at hotmail.de>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17448)

(cherry picked from commit e5fb4b1469f317aa92768cdf804dfa29b72cb8f3)


  Commit: 0aaa71b90a9460e0e57c8e45163d1b2ba16e2d64
      https://github.com/openssl/openssl/commit/0aaa71b90a9460e0e57c8e45163d1b2ba16e2d64
  Author: Dimitris Apostolou <dimitris.apostolou at icloud.com>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M Configure
    M INSTALL.md
    M README-ENGINES.md
    M apps/cmp.c
    M apps/include/http_server.h
    M configdata.pm.in
    M crypto/aes/asm/aesv8-armx.pl
    M crypto/bn/asm/rsaz-2k-avx512.pl
    M crypto/bn/asm/rsaz-3k-avx512.pl
    M crypto/bn/asm/rsaz-4k-avx512.pl
    M crypto/cmp/cmp_vfy.c
    M crypto/context.c
    M crypto/ec/ec2_oct.c
    M crypto/encode_decode/encoder_lib.c
    M crypto/evp/ctrl_params_translate.c
    M crypto/evp/m_sigver.c
    M crypto/ffc/ffc_params_generate.c
    M crypto/rsa/rsa_lib.c
    M crypto/x509/v3_ist.c
    M crypto/x509/v3_utf8.c
    M crypto/x509/v3_utl.c
    M crypto/x509/x_pubkey.c
    M demos/mac/gmac.c
    M dev/release-aux/README.md
    M dev/release.sh
    M doc/internal/man3/OPTIONS.pod
    M doc/internal/man3/ossl_random_add_conf_module.pod
    M doc/internal/man7/EVP_PKEY.pod
    M doc/man1/openssl-genpkey.pod.in
    M doc/man1/openssl-s_client.pod.in
    M doc/man1/openssl-verification-options.pod
    M doc/man3/ASN1_aux_cb.pod
    M doc/man3/ASN1_item_sign.pod
    M doc/man3/BIO_s_core.pod
    M doc/man3/BN_rand.pod
    M doc/man3/CONF_modules_load_file.pod
    M doc/man3/DH_get0_pqg.pod
    M doc/man3/EVP_EncryptInit.pod
    M doc/man3/EVP_KEYMGMT.pod
    M doc/man3/EVP_PKEY2PKCS8.pod
    M doc/man3/EVP_PKEY_derive.pod
    M doc/man3/EVP_PKEY_gettable_params.pod
    M doc/man3/EVP_PKEY_new.pod
    M doc/man3/EVP_PKEY_todata.pod
    M doc/man3/OCSP_resp_find_status.pod
    M doc/man3/OCSP_sendreq_new.pod
    M doc/man3/OSSL_CMP_log_open.pod
    M doc/man3/OSSL_DECODER.pod
    M doc/man3/OSSL_DECODER_CTX_new_for_pkey.pod
    M doc/man3/OSSL_ENCODER.pod
    M doc/man3/OSSL_ENCODER_CTX.pod
    M doc/man3/OSSL_ENCODER_CTX_new_for_pkey.pod
    M doc/man3/OSSL_ESS_check_signing_certs.pod
    M doc/man3/OSSL_HTTP_REQ_CTX.pod
    M doc/man3/OSSL_HTTP_parse_url.pod
    M doc/man3/OSSL_PARAM.pod
    M doc/man3/OSSL_PARAM_int.pod
    M doc/man3/OSSL_STORE_LOADER.pod
    M doc/man3/OSSL_trace_set_channel.pod
    M doc/man3/PKCS12_decrypt_skey.pod
    M doc/man3/PKCS12_gen_mac.pod
    M doc/man3/RAND_bytes.pod
    M doc/man3/RSA_get0_key.pod
    M doc/man3/SSL_CTX_set_tmp_dh_callback.pod
    M doc/man3/X509_VERIFY_PARAM_set_flags.pod
    M doc/man3/X509_add_cert.pod
    M doc/man3/X509_digest.pod
    M doc/man3/X509_dup.pod
    M doc/man5/config.pod
    M doc/man7/EVP_PKEY-EC.pod
    M doc/man7/crypto.pod
    M doc/man7/fips_module.pod
    M doc/man7/life_cycle-pkey.pod
    M doc/man7/migration_guide.pod
    M doc/man7/openssl-glossary.pod
    M doc/man7/provider-kdf.pod
    M doc/man7/provider-object.pod
    M include/openssl/core_dispatch.h
    M providers/implementations/ciphers/cipher_aes_gcm_hw_armv8.inc
    M providers/implementations/encode_decode/encode_key2any.c
    M providers/implementations/keymgmt/kdf_legacy_kmgmt.c
    M providers/implementations/keymgmt/mac_legacy_kmgmt.c
    M providers/implementations/signature/sm2_sig.c
    M ssl/statem/statem_srvr.c
    M test/cmp_vfy_test.c
    M test/evp_extra_test.c
    M test/param_build_test.c
    M test/params_api_test.c
    M test/params_test.c
    M test/recipes/70-test_sslrecords.t
    M test/recipes/90-test_threads.t
    M test/ssl-tests/28-seclevel.cnf.in
    M test/sslapitest.c
    M test/tls-provider.c
    M util/add-depends.pl

  Log Message:
  -----------
  Fix typos

Reviewed-by: Tim Hudson <tjh at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17392)

(cherry picked from commit e304aa87b35fac5ea97c405dd3c21549faa45e78)


  Commit: 00ce831152403589f7f0e558d5291de12bfedc5f
      https://github.com/openssl/openssl/commit/00ce831152403589f7f0e558d5291de12bfedc5f
  Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M crypto/store/store_lib.c

  Log Message:
  -----------
  OSSL_STORE_open_ex(): Prevent spurious error: unregistered scheme=file

Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16452)

(cherry picked from commit 7c64ca71c2ceeb1d47e8499bd351de7d0078ce37)
Reviewed-by: Hugo Landau <hlandau at openssl.org>


  Commit: 068c7fa995249894e5935003d1ac478de1df64f3
      https://github.com/openssl/openssl/commit/068c7fa995249894e5935003d1ac478de1df64f3
  Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M apps/lib/apps.c

  Log Message:
  -----------
  APPS load_key_certs_crls(): Make file access errors much more readable

This reverts part of commit ef0449135c4e4e7f using a less invasive suppression.

Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16452)

(cherry picked from commit 6e2499474cb96b28a51df1da25cc72f1cf342fad)
Reviewed-by: Hugo Landau <hlandau at openssl.org>


  Commit: 0029f786658229b15f98741a336e8091305cbf15
      https://github.com/openssl/openssl/commit/0029f786658229b15f98741a336e8091305cbf15
  Author: David Benjamin <davidben at google.com>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M crypto/aes/asm/aesv8-armx.pl
    M crypto/arm_arch.h
    M crypto/modes/asm/ghashv8-armx.pl
    M crypto/poly1305/asm/poly1305-armv8.pl

  Log Message:
  -----------
  Don't use __ARMEL__/__ARMEB__ in aarch64 assembly

GCC's __ARMEL__ and __ARMEB__ defines denote little- and big-endian arm,
respectively. They are not defined on aarch64, which instead uses
__AARCH64EL__ and __AARCH64EB__.

However, OpenSSL's assembly originally used the 32-bit defines on both
platforms and even defines __ARMEL__ and __ARMEB__ in arm_arch.h. This is
less portable and can even interfere with other headers, which use
__ARMEL__ to detect little-endian arm.

Over time, the aarch64 assembly has switched to the correct defines,
such as in 32bbb62ea634239e7cb91d6450ba23517082bab6. This commit
finishes the job: poly1305-armv8.pl needed a fix and the dual-arch
armx.pl files get one more transform to convert from 32-bit to 64-bit.

(There is an even more official endianness detector, __ARM_BIG_ENDIAN in
the Arm C Language Extensions. But I've stuck with the GCC ones here as
that would be a larger change.)

Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger at hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/17373)

(cherry picked from commit 40c24d74deaad8a0ad7566a68ea5ea757bc3ccef)


  Commit: ec8ee00100faeddf149e70e1f0964f3a41b51545
      https://github.com/openssl/openssl/commit/ec8ee00100faeddf149e70e1f0964f3a41b51545
  Author: Matt Caswell <matt at openssl.org>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M crypto/build.info
    M test/build.info
    M test/endecode_test.c

  Log Message:
  -----------
  Statically link the legacy provider to endecode_test

We already statically link libcrypto to endecode_test even in a "shared"
build. This can cause problems on some platforms with tests that load the
legacy provider which is dynamically linked to libcrypto. Two versions of
libcrypto are then linked to the same executable which can lead to crashes.

Fixes #17059

Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17345)

(cherry picked from commit 7ee992a5d931ab5ad9df00d2d8e47e1b7a72d7ac)
Reviewed-by: Hugo Landau <hlandau at openssl.org>


  Commit: a99bc33130274d615a80755f80973cebedc31423
      https://github.com/openssl/openssl/commit/a99bc33130274d615a80755f80973cebedc31423
  Author: Pauli <pauli at openssl.org>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M crypto/cpt_err.c
    M crypto/err/openssl.txt
    M include/crypto/cryptoerr.h
    M include/openssl/cryptoerr.h

  Log Message:
  -----------
  err: add additional errors

Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17440)

(cherry picked from commit 826da1451b2525b70f93fcc57ed5dbab61a19591)
Reviewed-by: Hugo Landau <hlandau at openssl.org>


  Commit: 59548647a81fe77319cd66a4587d700ef3bd18bf
      https://github.com/openssl/openssl/commit/59548647a81fe77319cd66a4587d700ef3bd18bf
  Author: Pauli <pauli at openssl.org>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M crypto/params.c

  Log Message:
  -----------
  params: add error messages for built in param conversions

Specifically:
* out of range
* unsigned negatives
* inexact reals
* bad param types
* buffers that are too small
* null function arguments
* unknown sizes of real

Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17440)

(cherry picked from commit ac1082f00f991aca1c6e8282717fece16e9bb41f)
Reviewed-by: Hugo Landau <hlandau at openssl.org>


  Commit: c737132dff034a6efbcf27edd0cfd7997cd299c5
      https://github.com/openssl/openssl/commit/c737132dff034a6efbcf27edd0cfd7997cd299c5
  Author: Pauli <pauli at openssl.org>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M test/params_conversion_test.c

  Log Message:
  -----------
  test: check for properly raised errors during param conversion

Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17440)

(cherry picked from commit 291c5b3e39f4c98e61cf7f65056fe49780d1f0ac)
Reviewed-by: Hugo Landau <hlandau at openssl.org>


  Commit: b08f61e7c4db8bfcb94c4ea546bc3dacfd96c587
      https://github.com/openssl/openssl/commit/b08f61e7c4db8bfcb94c4ea546bc3dacfd96c587
  Author: Pauli <pauli at openssl.org>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M crypto/param_build.c

  Log Message:
  -----------
  param build: add errors to failure returns

Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17440)

(cherry picked from commit 3831351da50b7ce07edba88056394a7a33c5e5d5)
Reviewed-by: Hugo Landau <hlandau at openssl.org>


  Commit: 584e447377925fbe3c253076ac170483208d9222
      https://github.com/openssl/openssl/commit/584e447377925fbe3c253076ac170483208d9222
  Author: Pauli <pauli at openssl.org>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M crypto/param_build_set.c

  Log Message:
  -----------
  param build set: add errors to failure returns

Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17440)

(cherry picked from commit 3ee3a2bd1e5763b0df5c0a2cba3b06edc26f5276)
Reviewed-by: Hugo Landau <hlandau at openssl.org>


  Commit: 4c4ac7c7ddb096ca55e231bdc4f70a868746f1e4
      https://github.com/openssl/openssl/commit/4c4ac7c7ddb096ca55e231bdc4f70a868746f1e4
  Author: Pauli <pauli at openssl.org>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M crypto/params_dup.c

  Log Message:
  -----------
  param dup: add errors to failure returns

Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17440)

(cherry picked from commit a10a576090022e583a06271ceced8e38dd509657)
Reviewed-by: Hugo Landau <hlandau at openssl.org>


  Commit: 654490cebf8ee6bd0da1f801b10206607869e623
      https://github.com/openssl/openssl/commit/654490cebf8ee6bd0da1f801b10206607869e623
  Author: fangming.fang <fangming.fang at arm.com>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M crypto/arm64cpuid.pl
    M crypto/arm_arch.h
    M crypto/armcap.c
    A crypto/sm3/asm/sm3-armv8.pl
    M crypto/sm3/build.info
    M crypto/sm3/sm3_local.h

  Log Message:
  -----------
  SM3 acceleration with SM3 hardware instruction on aarch64

The SM3 hardware instruction is an optional feature of the crypto extension
for aarch64. This implementation accelerates SM3 via SM3 instructions. For
platforms not supporting the SM3 instruction, the original C
implementation still works. Thanks to AliBaba for testing and reporting
the following perf numbers for Yitian710:

Benchmark on T-Head Yitian-710 2.75GHz:

Before:
type  16 bytes     64 bytes    256 bytes    1024 bytes   8192 bytes   16384 bytes
sm3   49297.82k   121062.63k   223106.05k   283371.52k   307574.10k   309400.92k

After (33% - 74% faster):
type  16 bytes     64 bytes    256 bytes    1024 bytes   8192 bytes   16384 bytes
sm3   65640.01k   179121.79k   359854.59k   481448.96k   534055.59k   538274.47k

Reviewed-by: Paul Dale <pauli at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17454)

(cherry picked from commit 71396cd048072b69559b46d98cfebfd4474cd712)


  Commit: b1b4806a8caf92f32d18b52985fe4b14a6a694bd
      https://github.com/openssl/openssl/commit/b1b4806a8caf92f32d18b52985fe4b14a6a694bd
  Author: Pauli <pauli at openssl.org>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M crypto/property/property_string.c

  Log Message:
  -----------
  property: use a stack to efficiently convert index to string

The existing code does this conversion by searching the hash table for the
appropriate index which is slow and expensive.

Fixes #15867

Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17325)

(cherry picked from commit 2e3c59356f847a76a90f9f837d4983428df6eb19)
Reviewed-by: Hugo Landau <hlandau at openssl.org>


  Commit: 8ea185e2e41e095421159e08500ede39bfdd4989
      https://github.com/openssl/openssl/commit/8ea185e2e41e095421159e08500ede39bfdd4989
  Author: Pauli <pauli at openssl.org>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M test/property_test.c

  Log Message:
  -----------
  test: add some unit tests for the property to string functions

That is: ossl_property_name_str and ossl_property_value_str.

These only have high level tests during the creation of child library
contexts.

Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17325)

(cherry picked from commit 9f6841e9d8964943cf5f616543750cee85c4911c)
Reviewed-by: Hugo Landau <hlandau at openssl.org>


  Commit: 852bb13853b6c240ecc75c99b7d30b10b1b9490b
      https://github.com/openssl/openssl/commit/852bb13853b6c240ecc75c99b7d30b10b1b9490b
  Author: Pauli <ppzgs1 at gmail.com>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M crypto/property/property_string.c

  Log Message:
  -----------
  property: reduce memory consumption when OPENSSL_SMALL_FOOTPRINT is defined.

This takes out the lock step stacks that allow a fast property to name
resolution.  Follow on from #17325.

Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17388)

(cherry picked from commit 57645339ab645fe5abffe14fc005b5402ce03b84)
Reviewed-by: Hugo Landau <hlandau at openssl.org>


  Commit: 8c39948b2694277c591ccf57354b77442e9a7c2a
      https://github.com/openssl/openssl/commit/8c39948b2694277c591ccf57354b77442e9a7c2a
  Author: Tianjia Zhang <tianjia.zhang at linux.alibaba.com>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M providers/defltprov.c
    M providers/implementations/ciphers/build.info
    A providers/implementations/ciphers/cipher_sm4_ccm.c
    A providers/implementations/ciphers/cipher_sm4_ccm.h
    A providers/implementations/ciphers/cipher_sm4_ccm_hw.c
    A providers/implementations/ciphers/cipher_sm4_gcm.c
    A providers/implementations/ciphers/cipher_sm4_gcm.h
    A providers/implementations/ciphers/cipher_sm4_gcm_hw.c
    M providers/implementations/include/prov/implementations.h
    M providers/implementations/include/prov/names.h
    M test/recipes/30-test_evp_data/evpciph_sm4.txt

  Log Message:
  -----------
  providers: Add SM4 GCM implementation

The GCM mode of the SM4 algorithm is specified by RFC8998.

Signed-off-by: Tianjia Zhang <tianjia.zhang at linux.alibaba.com>

Reviewed-by: Paul Yang <kaishen.yy at antfin.com>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16491)

(cherry picked from commit c2ee608a234340aa735f894f8d84ead0ce58286e)


  Commit: 37f1828d8701662c40cc98172001a533fe49764c
      https://github.com/openssl/openssl/commit/37f1828d8701662c40cc98172001a533fe49764c
  Author: Daniel Hu <Daniel.Hu at arm.com>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M crypto/arm64cpuid.pl
    M crypto/arm_arch.h
    M crypto/armcap.c
    M crypto/evp/e_sm4.c
    A crypto/sm4/asm/sm4-armv8.pl
    M crypto/sm4/build.info
    A include/crypto/sm4_platform.h
    M providers/implementations/ciphers/cipher_sm4.h
    M providers/implementations/ciphers/cipher_sm4_gcm_hw.c
    M providers/implementations/ciphers/cipher_sm4_hw.c

  Log Message:
  -----------
  SM4 optimization for ARM by HW instruction

This patch implements the SM4 optimization for ARM processors,
using the SM4 HW instruction, which is an optional feature of the
crypto extension for aarch64 V8.

Tested on some modern ARM micro-architectures with SM4 support, the
performance uplift can be observed around 8X~40X over the existing
C implementation in OpenSSL. Algorithms that can be parallelized
(like CTR, ECB, CBC decryption) are on the higher end, with algorithms
like CBC encryption on the lower end (due to inter-block dependency).

Perf data on Yitian-710 2.75GHz hardware, before and after optimization:

Before:
  type      16 bytes     64 bytes    256 bytes    1024 bytes   8192 bytes  16384 bytes
  SM4-CTR  105787.80k   107837.87k   108380.84k   108462.08k   108549.46k   108554.92k
  SM4-ECB  111924.58k   118173.76k   119776.00k   120093.70k   120264.02k   120274.94k
  SM4-CBC  106428.09k   109190.98k   109674.33k   109774.51k   109827.41k   109827.41k

After (7.4x - 36.6x faster):
  type      16 bytes     64 bytes    256 bytes    1024 bytes   8192 bytes  16384 bytes
  SM4-CTR  781979.02k  2432994.28k  3437753.86k  3834177.88k  3963715.58k  3974556.33k
  SM4-ECB  937590.69k  2941689.02k  3945751.81k  4328655.87k  4459181.40k  4468692.31k
  SM4-CBC  890639.88k  1027746.58k  1050621.78k  1056696.66k  1058613.93k  1058701.31k

Signed-off-by: Daniel Hu <Daniel.Hu at arm.com>

Reviewed-by: Paul Dale <pauli at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17455)

(cherry picked from commit 15b7175f558bf9eb057ec3266685486f727dd70f)


  Commit: fc83bd1a1d84bd34810fddcb0063b9bd4eb7fa9f
      https://github.com/openssl/openssl/commit/fc83bd1a1d84bd34810fddcb0063b9bd4eb7fa9f
  Author: Pauli <pauli at openssl.org>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M providers/implementations/digests/sha3_prov.c
    M providers/implementations/kdfs/pbkdf2.c

  Log Message:
  -----------
  fix indentation

Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17529)

(cherry picked from commit 2c9da416a608e2aaf19c16d920baddf2473c8392)
Reviewed-by: Hugo Landau <hlandau at openssl.org>


  Commit: 107b16037eda575136b62d5c106fcf4ce5bd503d
      https://github.com/openssl/openssl/commit/107b16037eda575136b62d5c106fcf4ce5bd503d
  Author: Pauli <pauli at openssl.org>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M crypto/evp/digest.c
    M crypto/evp/evp_enc.c
    M include/openssl/evp.h
    M util/libcrypto.num

  Log Message:
  -----------
  Add context dup functions for digests and ciphers

Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17529)

(cherry picked from commit 4e62f1a3af36512a1f5e1273d2dc54e3ce7f5fca)
Reviewed-by: Hugo Landau <hlandau at openssl.org>


  Commit: 0e1634db8e181b2d078cb2f1cf1f91bbce9bc249
      https://github.com/openssl/openssl/commit/0e1634db8e181b2d078cb2f1cf1f91bbce9bc249
  Author: Pauli <pauli at openssl.org>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M doc/man3/EVP_DigestInit.pod
    M doc/man3/EVP_EncryptInit.pod

  Log Message:
  -----------
  doc: document digest and cipher dup functions

Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17529)

(cherry picked from commit 0324ae3e98725f722b7d7871c23fbbff596a5bf6)
Reviewed-by: Hugo Landau <hlandau at openssl.org>


  Commit: 15e6cb6223af17b0d27f26245f5057f735dc6b36
      https://github.com/openssl/openssl/commit/15e6cb6223af17b0d27f26245f5057f735dc6b36
  Author: Pauli <pauli at openssl.org>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M test/evp_extra_test2.c
    M test/evp_test.c

  Log Message:
  -----------
  test: add digest context dup tests

Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17529)

(cherry picked from commit 0be4b0403d2f65adf0d037581223dbebd0fa135e)
Reviewed-by: Hugo Landau <hlandau at openssl.org>


  Commit: 3fe69d976b5fa03e2a3930b3daa14d42238aa51e
      https://github.com/openssl/openssl/commit/3fe69d976b5fa03e2a3930b3daa14d42238aa51e
  Author: Pauli <pauli at openssl.org>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M test/evp_test.c

  Log Message:
  -----------
  test: add cipher context dup test

Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17529)

(cherry picked from commit ed16b0fc282d29f755e656043e8a70553ef7bea5)
Reviewed-by: Hugo Landau <hlandau at openssl.org>


  Commit: 5948336502afca679c0d26e22ae6f9e41c807350
      https://github.com/openssl/openssl/commit/5948336502afca679c0d26e22ae6f9e41c807350
  Author: fangming.fang <fangming.fang at arm.com>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M crypto/sm3/asm/sm3-armv8.pl

  Log Message:
  -----------
  Fix sm3ss1 translation issue in sm3-armv8.pl

Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17542)

(cherry picked from commit bca6cc53d4592ccbe78eeede3bc79f09d149603c)


  Commit: 08043118d1d303921537997543cafeaaae972383
      https://github.com/openssl/openssl/commit/08043118d1d303921537997543cafeaaae972383
  Author: James Muir <muir.james.a at gmail.com>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M crypto/ec/curve25519.c

  Log Message:
  -----------
  Simpler square-root computation for Ed25519

Description:
Mark Wooden and Franck Rondepierre noted that the square-root-mod-p
operations used in the EdDSA RFC (RFC 8032) can be simplified.  For
Ed25519, instead of computing u*v^3 * (u * v^7)^((p-5)/8), we can
compute u * (u*v)^((p-5)/8).  This saves 3 multiplications and 2
squarings.  For more details (including a proof), see the following
message from the CFRG mailing list:

  https://mailarchive.ietf.org/arch/msg/cfrg/qlKpMBqxXZYmDpXXIx6LO3Oznv4/

Note that the Ed448 implementation (see
ossl_curve448_point_decode_like_eddsa_and_mul_by_ratio() in
./crypto/ec/curve448/curve448.c) appears to already use this simpler
method (i.e. it does not follow the method suggested in RFC 8032).

Testing:
Build and then run the test suite:

  ./Configure -Werror --strict-warnings
  make update
  make
  make test

Numerical testing of the square-root computation can be done using the
following sage script:

  def legendre(x,p):
      return kronecker(x,p)

  # Ed25519
  p = 2**255-19
  # -1 is a square
  if legendre(-1,p)==1:
      print("-1 is a square")

  # suppose u/v is a square.
  # to compute one of its square roots, find x such that
  #    x**4 == (u/v)**2 .
  # this implies
  #    x**2 ==  u/v, or
  #    x**2 == -(u/v) ,
  # which implies either x or i*x is a square-root of u/v (where i is a square root of -1).
  # we can take x equal to u * (u*v)**((p-5)/8).

  # 2 is a generator
  # this can be checked by factoring p-1
  # and then showing 2**((p-1)/q) != 1 (mod p)
  # for all primes q dividing p-1.
  g = 2
  s = p>>2  # s = (p-1)/4
  i = power_mod(g, s, p)

  t = p>>3  # t = (p-5)/8
  COUNT = 1<<18
  while COUNT > 0:
      COUNT -= 1

      r = randint(0,p-1)   # r = u/v
      v = randint(1,p-1)
      u = mod(r*v,p)

      # compute x = u * (u*v)**((p-5)/8)
      w = mod(u*v,p)
      x = mod(u*power_mod(w, t, p), p)

      # check that x**2 == r, or (i*x)**2 == r, or r is not a square
      rr = power_mod(x, 2, p)
      if rr==r:
          continue

      rr = power_mod(mod(i*x,p), 2, p)
      if rr==r:
          continue

      if legendre(r,p) != 1:
          continue

      print("failure!")
      exit()

  print("passed!")

Reviewed-by: Paul Dale <pauli at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17544)

(cherry picked from commit a822a0cb3c8466adbcee510a6234c0fe95ff4bfe)
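
The square-root computation described in the commit message above, worked in plain Python as an added example (this is not code from the commit or from OpenSSL): RFC 8032's u*v^3 * (u*v^7)^((p-5)/8) beside the simplified u * (u*v)^((p-5)/8), both followed by the same "x or i*x" selection step, and applied to recovering the x coordinate of the standard Ed25519 base point from its y coordinate. The curve constant d and the base point are the RFC 8032 values; the random-input comparison (methods_agree) and its seed are constructed for this example. Note that the two candidate values may differ by a sign before the selection step, so the comparison is done up to sign; point decoding then normalizes the root with the sign bit exactly as RFC 8032 does.

```python
"""Ed25519 square root of u/v: RFC 8032 form versus the simplified form.

Added example, not code from OpenSSL or from the commit.  The curve
constants and the base point are the standard RFC 8032 values; the
random-input comparison is constructed here.
"""
import random

P = 2**255 - 19
D = (-121665 * pow(121666, -1, P)) % P   # curve constant d = -121665/121666 mod p
SQRT_M1 = pow(2, (P - 1) // 4, P)        # i = sqrt(-1): 2 generates F_p*, so 2^((p-1)/4) squares to -1

# Standard Ed25519 base point B (RFC 8032 section 5.1); B_Y = 4/5 mod p, B_X is even.
B_X = 15112221349535400772501151409588531511454012693041857206046113283949847762202
B_Y = 46316835694926478169428394003475163141307993866256225615783033603165251855960


def _select_root(u, v, x):
    """Given a candidate x with v*x^2 == +u or -u, return a root of u/v, or None."""
    if (v * x * x - u) % P == 0:
        return x
    if (v * x * x + u) % P == 0:
        return (x * SQRT_M1) % P         # multiply by i = sqrt(-1)
    return None                          # u/v is not a square


def sqrt_ratio_rfc8032(u, v):
    """RFC 8032 section 5.1.3: x = u*v^3 * (u*v^7)^((p-5)/8)."""
    x = u * pow(v, 3, P) * pow(u * pow(v, 7, P), (P - 5) // 8, P)
    return _select_root(u, v, x % P)


def sqrt_ratio_simple(u, v):
    """Simplified form from the commit: x = u * (u*v)^((p-5)/8)."""
    x = u * pow(u * v, (P - 5) // 8, P)
    return _select_root(u, v, x % P)


def decompress_x(y, sign_bit, sqrt_ratio=sqrt_ratio_simple):
    """Recover x from y and its sign bit, as in RFC 8032 point decoding:
    x^2 = (y^2 - 1) / (d*y^2 + 1).  Returns None if y is not on the curve."""
    u = (y * y - 1) % P
    v = (D * y * y + 1) % P
    x = sqrt_ratio(u, v)
    if x is None:
        return None
    if x == 0 and sign_bit == 1:
        return None                      # RFC 8032: x = 0 with the sign bit set is invalid
    if (x & 1) != sign_bit:
        x = P - x
    return x


def on_curve(x, y):
    """Twisted Edwards equation -x^2 + y^2 = 1 + d*x^2*y^2 (mod p)."""
    return (-x * x + y * y - 1 - D * x * x * y * y) % P == 0


def methods_agree(trials, seed=1):
    """Constructed check: on random (u, v) both methods reject the same
    inputs and otherwise return a genuine root, equal up to sign."""
    rng = random.Random(seed)
    for _ in range(trials):
        u = rng.randrange(P)
        v = rng.randrange(1, P)
        a = sqrt_ratio_rfc8032(u, v)
        b = sqrt_ratio_simple(u, v)
        if (a is None) != (b is None):
            return False
        if a is not None and (v * a * a - u) % P != 0:
            return False
        if a is not None and a not in (b, (P - b) % P):
            return False
    return True


if __name__ == "__main__":
    print("base point x recovered (simple):", decompress_x(B_Y, 0) == B_X)
    print("base point x recovered (RFC 8032):", decompress_x(B_Y, 0, sqrt_ratio_rfc8032) == B_X)
    print("methods agree on 256 random inputs:", methods_agree(256))
```

The selection step is identical for both forms because each candidate squares to either u/v or -(u/v) when u/v is a square; the proof referenced in the commit message is what justifies dropping the extra v^3 and v^7 factors.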


Compare: https://github.com/openssl/openssl/compare/b699a1e89d2b...08043118d1d3

