Ignore a bad signature in a CertificateVerify message while fuzzing

We ignore such a bad signature when fuzzing - it will never be correct.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22368)

Don't fail on a bad dcid in the tranport params when fuzzing

We accept a bad original destination connection id in the transport params
while we are fuzzing since this may change every time.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22368)

Updates to the quic client fuzzer

Handle retryable errors from SSL_read(). Also ensure the underlying BIO
handles the destination address capability.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22368)

Don't encrypt/decrypt packet data during fuzzing

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22368)

Add quic client fuzzer.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22368)

Reference the non-"legacy" provider names directly from EVP_md5(3) &c.

Earlier today, it took me five manuals! to find what on earth the
"Performance"/"EVP_MD_fetch(3)" crosslinks actually mean:
  EVP_sha1(3)
  crypto(7)
  EVP_MD_fetch(3) (but not there! don't read that!)
  OSSL_PROVIDER-default(7)
  EVP_MD-SHA1(7)

If, instead, EVP_sha1(3) referenced EVP_MD-SHA1(7) at /all/,
which it should do, since it's supposed to be what you're replacing it
with, but it doesn't actually say that, maybe people would use it.
I know I didn't because it's basically just deadass buried

As found by git grep -l 'and should consider using'

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22420)

Add a test for converting OSSL_TIME to struct timeval

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22440)

Round up nano secs when converting OSSL_TIME to struct timeval

struct timeval doesn't support nanosecs but OSSL_TIME does. We round up
any nanosecs to ensure that a non-zero input always results in a non-zero
output.

This fixes a quic-client fuzzer hang.

Fixes #22437

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22440)

QUIC: Test handling of post-connection session tickets

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22439)

QUIC: Prevent incoming oversize tokens

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22436)

Convert jdkTrustedKeyUsage to be a pkcs12 cmd line option

Creating JDK compatible pkcs12 files requires a bit more than just
adding the Trusted Key Usage OID to a certbag in the pkcs12 file.
Additionally the JDK currently requires that pkcs12 files setting this
oid _not_ contain any additional keys, and in response will produce
unpredictable results.

This could be solved by implying --nokeys when the pkcs12 utility is run
and the config option is set, but thatcould confuse users who didn't
specify nokeys on the command line.  As such, remove the config file
setting for this feature, and replace it with a -jdktrust command line
option, that is documented to assert nokeys when a users specifies the
new command line option.

Fixes #22215

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22422)

QUIC: Add handling of SSL_get_shutdown()

Return SSL_SENT_SHUTDOWN and SSL_RECEIVED_SHUTDOWN with semantics
similar to TLS connections.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22408)

Postpone two TODO(QUIC) items appropriately

The one in ch_rx_handle_packet() is a tuning thing -> QUIC FUTURE
The one in ossl_quic_tserver_shutdown() is a server thing -> QUIC SERVER

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22408)

rand: add callbacks to cleanup the user entropy resp. nonce

The `get_user_{entropy,nonce}` callbacks were add recently to the
dispatch table in commit 4cde7585ce8e. Instead of adding corresponding
`cleanup_user_{entropy,nonce}` callbacks, the `cleanup_{entropy,nonce}`
callbacks were reused. This can cause a problem in the case where the
seed source is replaced by a provider: the buffer gets allocated by
the provider but cleared by the core.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22423)

Ignore ping deadline when calculating tick deadline if we can't send

If the CC TX allowance is zero then we cannot send a PING frame at the
moment, so do not take into account the ping deadline when calculating the
tick deadline in that case.

This avoids the hang found by the fuzzer mentioned in
https://github.com/openssl/openssl/pull/22368#issuecomment-1765131727

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22410)

Ignore retry packets that arrive too late

RFC 9000 s 17.2.5.2 says

> After the client has received and processed an Initial or Retry packet
> from the server, it MUST discard any subsequent Retry packets that it
> receives.

We were checking for multiple Retry packets, but not if we had already
processed an Initial packet.

Fixes the assertion failure noted in
https://github.com/openssl/openssl/pull/22368#issuecomment-1765618884

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22411)

cms_enc.c: Include crypto/asn1.h for struct asn1_object_st

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22432)

Do not include crypto/asn1.h from internal/cryptlib.h

This is unnecessary and conceptualy wrong as
headers from internal should not include headers from crypto

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22432)

apps.c: Remove a redundant error print-out

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22318)

apps: Print out a proper message when a store cannot be opened

Fixes #22306

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22318)

Fix markdown

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22369)

Add SNI

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22369)

Rename

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22369)

Add link to nghttp3

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22369)

Add copyright headers

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22369)

QUIC: Add comments to HTTP/3 demo

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22369)

QUIC: Add HTTP/3 demo using nghttp3

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22369)

Add a test to confirm that legacy rsa keys work

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22334)

Dont require CRT params on ossl_rsa_set0_all_params

Its not required that crt params be available in an RSA key, so don't
perform an error check on them

Fixes #29135

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22334)

remove sanity check from ossl_rsa_todata

Theres no reason we should gate ossl_rsa_todata on there being a minimum
set of parameters. EVP_PKEY_todata makes no guarantees about the
validity of a key, it only returns the parameters that are set in the
requested key, whatever they may be.  Remove the check.

Fixes #21935

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22334)

ossl_param_build_set_multi_key_bn(): Do not set NULL BIGNUMs

This makes them zeroes otherwise
where NULLs actually mean the values aren't present.

Fixes #21935

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/22334)

ensure that ossl_obj_nid_lock is allocated before use

external calls to OBJ_new_nid will fail on an attempt to lock the
ossl_obj_nid_lock as it won't have been initalized yet.

Bifurcate OBJ_new_nid into an external and internal variant, in which
the former calls ossl_obj_write_lock (ensuring that the nid_lock is
initalized), while OBJ_create (the sole internal caller) uses the latter
to avoid having to drop and re-acquire the lock

Fixes #22337

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22350)

cms encrypt, better OBJ_nid2obj() return check

Fixes #22225

In OBJ_nid2obj(), if the NID does not have an OID, then a pointer to
the special "undefined" ASN1_OBJECT is returned.  Check for the
undefined-ASN1_OBJECT and return an error.  Also, add a test for this
in 80-test_cms.t.

Testing:

  #!/bin/bash -x

  shopt -s expand_aliases

  alias openssl="LD_LIBRARY_PATH=~/git/openssl ~/git/openssl/apps/openssl"

  echo "This is a confidential message.  It should be encrypted." > msg.txt

  ## this should fail b/c there is no OID for aes-256-ctr
  openssl cms -encrypt -in msg.txt -aes-256-ctr -out msg.txt.cms -recip demos/cms/signer.pem
  echo $?

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22392)

fix: LINEAR search doesn't work properly (if CHARSET_EBCDIC is defined)

CLA: trivial

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22108)

rsa: Accept NULL OAEP label for backward compatibility

According to the manual page, EVP_PKEY_CTX_set0_rsa_oaep_label()
should accept NULL as the label argument, though the function
currently rejects it while setting the corresponding octet string
parameter with OSSL_PARAM_construct_octet_string, which expects
non-NULL input.  This adds a workaround to the caller for backward
compatibility.

Signed-off-by: Daiki Ueno <dueno@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22397)

EVP shake_ctrl(): add missing NULL evp_ctx check

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22390)

CMS_add1_signer(): add missing ERR_raise() calls

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22390)

CMS_add1_signer.pod: add missing info on CMS_SignerInfo_sign() return values

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22390)

PKCS7_SIGNER_INFO: point out confusing names of digest_enc_alg and enc_digest fields

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22390)

Avoid another copy of key schedule pointer in PROV_GCM_CTX

This copy would need an update on dupctx but
rather than doing it just remove the copy.

This fixes failures of evp_test on Windows with
new CPUs.

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22384)

QUIC APL: Fix incoming default stream popping

Fixes #22106

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22333)

cmp: add null pointer check in tear_down test function

problem reported by: 2ourc3

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22355)

Fix parenthesis, use a colon

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22356)

Update unix Makefile template to handle paths with spaces

Fixes #4668 (on unix-like platforms)

Testing:

  rm -rf "$HOME/tmp/beforespace afterspace"
  ./Configure -Werror --strict-warnings --prefix="$HOME/tmp/beforespace afterspace"
  make -j6 update
  make -j6
  make install
  make test

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/21821)

trace_api_test.c: Separate tracing statements

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22347)

Windows: use srand() instead of srandom()

This is used for memory allocation failure debugging only

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22347)

Windows CI: Add some non-default options to check they are working

Some of the non-default options that enable more
code to be built need to be enabled in one of the
Windows builds to avoid regressions.

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22347)

DH_check_pub_key() should not fail when setting result code

The semantics of ossl_ffc_validate_public_key() and
ossl_ffc_validate_public_key_partial() needs to be changed
to not return error on non-fatal problems.

Fixes #22287

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22291)

test/recipes/05-test_rand.t: replace 'and' with '&&'

The lower priority 'and' seems to have some "interesting" interactions with
function argument parsing in some perl versions (presumably because 'and' is
lower priority than the comma).

For the lines that are changed here, perl v5.20.1 says this:

    Useless use of string eq in void context at [.test.recipes]05-test_rand.t line 33.
    Useless use of numeric eq (==) in void context at [.test.recipes]05-test_rand.t line 39.

Replacing 'and' with '&&' in these two cases fixes the problem.

Replacing

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22331)

Ensure struct timeval is defined when including ssl.h

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/22323)

Improve Malloc Failure Test

Allow 2 digits after the comma in percentage in OPENSSL_MALLOC_FAILURES.
Add OPENSSL_MALLOC_SEED to allow for some randomization.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22127)

CMP: fix OSSL_CMP_MSG_http_perform() by adding option OSSL_CMP_OPT_USE_TLS

Fixes #21120

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21176)

OSSL_CMP_CTX_new.pod: remove overlap with OSSL_HTTP_transfer.pod; improve the latter

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21176)

apps/cmp.c: -tls_used may be implied by -server https:...; improve related checks and doc

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21176)

Added check for the return value of the RAND_bytes() function

Call app_bail_out if RAND_bytes() fails.

Also changed the output parameter of RAND_bytes() to inp as
writing to encrypted output buffer does not make sense.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21706)

ECDSA with SHA3 verification does not depend on FIPS provider version

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22322)

provider-compatibility.yml: Correct the directory where opensslwrap.sh is being run

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22322)

* Enable extra Arm64 optimization on Windows for GHASH, RAND and AES

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21673)

When calling ossl_crypto_condvar_wait_timeout() we must use real time

Although many of the QUIC tests use fake time, the time we pass to the
ossl_crypto_condvar_wait_timeout() must be a real time.

Passing fake time was causing the QUIC tserver test to hang because
ossl_crypto_convar_wait_timeout() always timed out immediately and never
relinquished the CPU.

If using fake time we adjust the time to real time just before using it.

Fixes #22020

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22301)

Avoid divide-by-zero in kmac_prov.c's bytepad()

This would happen if EVP_MD_get_block_size() returned 0
so we return an error instead.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21698)

Fix the BIO_addr test

The BIO_addr test is failing on non-stop. The length of the data is larger
than the size we have allocated for it. We dynamically allocate instead.

Fixes #22218

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22294)

test_provider_ex(): Add missing call failure checks

Fixes Coverity 1542440

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21913)

Timeout in the tserver test using real time

When running the tserver test we bail out if a timeout expires. We
shouldn't use fake time for that timeout, because fake time might never
actually get incremented.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22284)

Don't wait in the tesrver idle testing every time around the loop

If we wait for 100ms 600 times - then the test takes a minute to complete
which is far too long. The purpose of the wait is to give the assistance
thread a chance to catch up. We only do that if the event timeout has
actually expired - otherwise we are waiting for no reason.

Fixes #22156

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22284)

Windows CI: Continue on error during cpuinfo

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22293)

Always back off on the first packet noise from client to server

The test server cannot really cope with modifications

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22267)

Add testing of bitflips in packet headers

A new type of noise is introduced in the noisy dgram bio
filter.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22267)

avoid sun as variable name

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22281)

d2i_X509.pod: Better document using the reuse capability for libctx setup

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22265)

embed bio_dgram_data inside bio_dgram_sctp_data

the sctp BIO implementation uses the generic BIO dgram implementation
under the covers for some operations.  However, the private data for
each bio is incongruous, leading to segfaults when doing things like
passing a dgram_sctp_ctrl operation to the underlying dgram_ctrl method.

Fix this by removing the common fields between the two strcutres and
embedding a bio_dgram_data as the first member of the
bio_dgram_sctp_data struct.  This allows implicit casting when that call
path is taken, avoiding any memory mis-use

Fixes #20643

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22278)

Fix coverity alert on use of uninitialised data

The function `ossl_blake2b_param_init` should initialise only, and not
read the data it is initialising

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22282)

BN_gcd(): Avoid shifts of negative values

Fixes #22216

Thanks to Leland Mills for investigation and testing.

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22272)

DH_check: Emphasize the importance of return value check

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22262)

[design] Make it possible to use explicitly fetched signature implementation

This design is to allow the use of explicitly fetched EVP_SIGNATURE
implementations.

Ref: openssl/project#171

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22129)

[design] Make it possible to pass AlgorithmIdentifier parameter data

This design is to allow passing AlgorithmIdentifier parameter data to and
from any cryptograpfic operation, with convenience functions for them all,
not just for symmetric ciphers.

This is crucial to support CMS, among others.

Ref: openssl/project#172

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22162)

ossl_property_list_to_string: handle quoted strings

ossl_property_list_to_string() didn't quote strings correctly which
could result in a generated property string being unparsable.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22182)

Bump suisei-cn/actions-download-file from 1.3.0 to 1.4.0

Bumps [suisei-cn/actions-download-file](https://github.com/suisei-cn/actions-download-file) from 1.3.0 to 1.4.0.
- [Release notes](https://github.com/suisei-cn/actions-download-file/releases)
- [Commits](https://github.com/suisei-cn/actions-download-file/compare/v1.3.0...v1.4.0)

---
updated-dependencies:
- dependency-name: suisei-cn/actions-download-file
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
CLA: trivial

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22268)

d2i_PKCS8PrivateKey_bio.pod: evp.h include is unnecessary

It is also not allowed by doc nits check to have
multiple includes.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/22276)

Added info on change to HISTORY of SSL_CTX_set_msg_callback()

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22241)

Update documentation on SSL_CTX_set_msg_callback() to match the actual functionality.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22241)

Print record version for DTLSv1_listen()

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22241)

Pass the dtls record version to the record layer msg_callback function.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22241)

Don't (re-)initialize the FFC_PARAMs in dh_init and dsa_init

The initialization was introduced in commit dc8de3e6f1ee and
changes the behaviour of the `init` method for DSA and DH
between 1.1.1 and 3.0, while the behaviour for RSA and EC_KEY
remains unchanged.

The initialization is not necessary in 3.x and master imho and
breaks the use-case of intercepting the methods of an existing
key.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22185)

test: evp_extra: test signing with legacy app method based keys

This commit adds `test_EVP_PKEY_sign_with_app_method`, a regression
test for the bug fix in commit 1acc3e8cc3c6 (pull request #22163).

It is analogous to `test_EVP_PKEY_sign`, only with a fake app method
based key. (The EC key test case was omitted, because there is no
`EC_KEY_METHOD_dup` method.)

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22185)

test: evp_extra: fix indentation error

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22185)

Correct documentation for PKCS5_PBKDF2_HMAC

In OpenSSL 3.x, the documentation for PKCS5_PBKDF2_HMAC incorrectly states
that an iter value less than 1 is treated as a single iteration. Upon further
investigation in providers/implementations/kdfs/pbkdf2.c, it appears that
invalid iter values will result in failure and raise the
PROV_R_INVALID_ITERATION_COUNT error. This commit corrects the documentation
to accurately reflect the behavior in OpenSSL 3.x.

Closes openssl#22168

Signed-off-by: Sumitra Sharma <sumitraartsy@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22252)

Restore the meaning of EVP_PKEY_print_private()

With pre-3.0 OpenSSL, EVP_PKEY_print_private() calls the EVP_PKEY_ASN1_METHOD
function "priv_print", effectively asking the backend to print whatever it
regards as private key components.

In all backends that were built into libcrypto, this function printed what
was included in the private key structure, which usually includes the
public key components as well.

With OpenSSL 3.0, some of the corresponding key2text encoders got a
slightly different behavior, where the presence of the selector
OSSL_KEYMGMT_SELECT_PRIVATE_KEY without the presence of the selector
OSSL_KEYMGMT_SELECT_PUBLIC_KEY would only get what would intuitively be
regarded as private key components printed.  This isn't entirely consistent,
though, as the RSA key2text encoder will still print the public key
components regardless.

To compensate for the changed backend behavior, EVP_PKEY_print_private()
was made to ask the encoder to print the keypair rather than just the
private key, thereby moving the backend semantics to the application API.
Unfortunately, this causes confusion for providers where the key2text
encoder really should print the private key only.

This change restores the built-in 1.1.1 backend behavior in the encoders
that OpenSSL provides, and renders EVP_PKEY_print_private() more true to its
documented behavior, leaving it to the backend to decide what it regards as
"private key components".

Fixes #22233

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22237)

Improved detection of engine-provided private "classic" keys

Resolves #17092 (?)
Resolves #17286 (?)

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19965)

Remove duplicates of EVP_aes_xxx_wrap() from EVP_aes_128_gcm.pod

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22236)

Call post_process_record for dtls records

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22239)

doc/man3: fix misnamed function name

Rename `DSA_generate_prime[_ex]` to `DSA_generate_parameters[_ex]`,
fixing a copy&paste error from the `BN_generate_prime[_ex]` paragraph
in commit b3696a55a5ed.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22242)

Back off on generating noise in the event of a PING frame

If either endpoint issues a PING frame while we are introducing noise
into the communication then there is a danger that the connection itself
will fail. We detect the PING and then back off on generating noise for a
short while. It should be sufficient to just ensure that the next datagram
does not get dropped for each endpoint.

Fixes #22199

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22243)

CHANGES.md: Mention new features added after 3.2 alpha1

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22251)

Add openssl/pem.h inclusion for d2i_PKCS8PrivateKey

Include the necessary header file openssl/pem.h in the
documentation to ensure that all functions related to
d2i_PKCS8PrivateKey are correctly defined.

Closes openssl#22188

Signed-off-by: Sumitra Sharma <sumitraartsy@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22253)

Occupy the rec_version field of a decoded dtls record

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22238)

macros.h: There are just 3.1 deprecations, no 3.2 deprecations

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22247)

All lh_stats functions were deprecated in 3.1

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22247)

quicapitest: Enable test_ssl_trace with enable-zlib

To improve Coverage mapping in Coveralls make it
possible to run test_ssl_trace() with enable-zlib

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22222)

coveralls: Drop no-shared and -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22222)

GH action workflows: Add cpu report before 'make test'

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22232)