openssl.git
7 months ago: Prepare for release of 3.0.11 (tag: openssl-3.0.11)
Richard Levitte [Tue, 19 Sep 2023 13:02:31 +0000 (15:02 +0200)]
Prepare for release of 3.0.11

Reviewed-by: Matt Caswell <matt@openssl.org>
Release: yes

7 months ago: make update
Richard Levitte [Tue, 19 Sep 2023 13:02:19 +0000 (15:02 +0200)]
make update

Reviewed-by: Matt Caswell <matt@openssl.org>
Release: yes

7 months ago: Copyright year updates
Richard Levitte [Tue, 19 Sep 2023 12:58:35 +0000 (14:58 +0200)]
Copyright year updates

Reviewed-by: Matt Caswell <matt@openssl.org>
Release: yes

7 months ago: CMP app and API doc: add note on critical server auth on receiving trust anchor certs
Dr. David von Oheimb [Sat, 3 Jun 2023 15:17:14 +0000 (17:17 +0200)]
CMP app and API doc: add note on critical server auth on receiving trust anchor certs

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/21138)

7 months ago: CMP doc: various small corrections, mostly on PBM vs. MAC-based protection
Dr. David von Oheimb [Sat, 3 Jun 2023 15:15:06 +0000 (17:15 +0200)]
CMP doc: various small corrections, mostly on PBM vs. MAC-based protection

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/21138)

7 months ago: Enhance code safety and readability in SSL_get_shared_ciphers()
Sumitra Sharma [Tue, 12 Sep 2023 06:30:21 +0000 (12:00 +0530)]
Enhance code safety and readability in SSL_get_shared_ciphers()

This commit introduces two key improvements:

1. Improve code safety by replacing the conditional statement with
`if (n >= size)` and using OPENSSL_strnlen() instead of strlen().
This change ensures proper buffer size handling and adheres to
secure coding practices.

2. Enhance code readability by substituting `strcpy(p, c->name)` with
`memcpy(p, c->name, n)`. This adjustment prioritizes code clarity and
maintenance, even while mitigating a minimal buffer overflow risk.

These enhancements bolster the code's robustness and comprehensibility,
aligning with secure coding principles and best practices.

Fixes #19837

Signed-off-by: Sumitra Sharma <sumitraartsy@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21934)

(cherry picked from commit 2743594d73e65c38375c619e89ec62579e2c24a9)

7 months ago: Fix PKCS#12 creation error when certificate contains auxiliary data
Olga Batyshkina [Mon, 7 Aug 2023 13:14:53 +0000 (15:14 +0200)]
Fix PKCS#12 creation error when certificate contains auxiliary data

Prefer friendly name passed by the caller and calculated local
key id to ones found in certificate auxiliary data when creating
PKCS#12.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21675)

(cherry picked from commit 388a8e731445d190a46ec27b2ff5b4bf334d526b)

7 months ago: Fix a merge mistake in engine_list_add
Bernd Edlinger [Fri, 15 Sep 2023 07:56:01 +0000 (09:56 +0200)]
Fix a merge mistake in engine_list_add

master version increments the struct_ref early
and needs to decrement the struct_ref on error,
while 3.1 and 3.0 increment the struct_ref later.

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22115)

(cherry picked from commit bb67dff95aeb21047b95f92c5119cb63e75cfd2f)

7 months ago: Fix engine cleanup error handling
Bernd Edlinger [Tue, 5 Sep 2023 14:59:45 +0000 (16:59 +0200)]
Fix engine cleanup error handling

Error handling in engine_cleanup_add_first/last was
broken and caused memory leaks.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21971)

(cherry picked from commit 00f2efccf5b9671a7af2b12571068258e9c255a5)

7 months ago: Fix memory leaks in ssl_old_test.c
Bernd Edlinger [Mon, 11 Sep 2023 10:26:46 +0000 (12:26 +0200)]
Fix memory leaks in ssl_old_test.c

This fixes a few memory leaks reported in #22049.

If SSL_CTX_set0_tmp_dh_pkey rejects the temp dh key
due to security restrictions (even when @SECLEVEL=0 is used!)
then the caller has to delete the PKEY object.
That is different to how the deprecated
SSL_CTX_set_tmp_dh_pkey was designed to work.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22060)

(cherry picked from commit 21f0b80cd4b32ba80843b812b01a6056daf14093)

7 months ago: d2i_ECPKParameters and i2d_ECPKParameters are not deprecated
Tomas Mraz [Mon, 11 Sep 2023 15:23:46 +0000 (17:23 +0200)]
d2i_ECPKParameters and i2d_ECPKParameters are not deprecated

So do not document them as such.

Fixes #22068

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22069)

(cherry picked from commit 2508629765403375b3075300a0951705ec26fe27)

7 months ago: Fix typos found by codespell in openssl-3.0
Dimitri Papadopoulos [Mon, 11 Sep 2023 11:32:06 +0000 (13:32 +0200)]
Fix typos found by codespell in openssl-3.0

Only modify doc/man* in the openssl-3.0 branch.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22064)

7 months ago: Fix a memleak in prepare_rsa_params
Bernd Edlinger [Mon, 11 Sep 2023 10:34:02 +0000 (12:34 +0200)]
Fix a memleak in prepare_rsa_params

This affects only RSA-PSS keys with params using
negative salt length, or in case of out of memory.
This fixes a memory leak reported in #22049.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22061)

(cherry picked from commit 46def829afa4d8bed8f53d484bdf842d65f0e176)

7 months ago: augment man pages with information about PKCS12KDF in FIPS mode
Vladimir Kotal [Tue, 5 Sep 2023 09:13:47 +0000 (11:13 +0200)]
augment man pages with information about PKCS12KDF in FIPS mode

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21965)

(cherry picked from commit 4ee8c1fb51687ea811fc2abf87e173c70d018bc2)

7 months ago: Add CVE-2023-4807 fix to CHANGES.md and NEWS.md
Tomas Mraz [Fri, 8 Sep 2023 13:28:45 +0000 (15:28 +0200)]
Add CVE-2023-4807 fix to CHANGES.md and NEWS.md

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22033)

(cherry picked from commit 0be7510f49e498532708fd03628fc3fc62ee7875)

7 months ago: Fix a possible memleak in rsa_pub_encode
Bernd Edlinger [Thu, 7 Sep 2023 17:22:25 +0000 (19:22 +0200)]
Fix a possible memleak in rsa_pub_encode

That seems to be only an issue for RSA-PSS with parameters.
Spotted by code review, so it looks like there is no test coverage for this.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22032)

(cherry picked from commit 285eb1688f05ad477fefc681bf05d0afedc46d40)

7 months ago: remove unused AppVeyor config
Dmitry Misharov [Thu, 7 Sep 2023 11:52:46 +0000 (13:52 +0200)]
remove unused AppVeyor config

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22000)

(cherry picked from commit 8ac32e1e1b1a786366333acf897d332339610e6b)

7 months ago: Fix typographical error in 80-test_cms.t (missing ;)
Randall S. Becker [Sat, 9 Sep 2023 20:18:04 +0000 (21:18 +0100)]
Fix typographical error in 80-test_cms.t (missing ;)

Fixes: #22045
Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/22046)

7 months ago: Fix output corruption in req command
Bernd Edlinger [Fri, 8 Sep 2023 08:33:24 +0000 (10:33 +0200)]
Fix output corruption in req command

when used in conjunction with -out and -modulus options.

Fixes #21403

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22026)

(cherry picked from commit d2873946dfaff5537ea3d1adf3890e33a3f276ff)

8 months ago: Fix a possible memleak in SRP_VBASE_new
Bernd Edlinger [Wed, 6 Sep 2023 12:06:52 +0000 (14:06 +0200)]
Fix a possible memleak in SRP_VBASE_new

In the error handling case the memory in
vb->users_pwd was accidentally not released.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21981)

(cherry picked from commit 68e95f7840d0d8ac4e5e03381cf9d305578dd1c7)

8 months ago: OSSL_STORE: Fix error flag clearing and setting (provider path only)
Richard Levitte [Wed, 6 Sep 2023 05:13:26 +0000 (07:13 +0200)]
OSSL_STORE: Fix error flag clearing and setting (provider path only)

When the provider's load function returned with an error, the libcrypto
error flag was only set if EOF hadn't been reached.  This is troublesome,
as an error can very well occur during the last load before EOF is reached!

Also, the error flag was never reset, even though documentation specifies
that it should indicate an error in the last load (i.e. not the one before
that).

Fixes #21968

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21976)

(cherry picked from commit 17dd9a2c6262c00800301fddd9441a9c590a630e)

8 months ago: Add test case for #21986
Pauli [Thu, 7 Sep 2023 02:35:10 +0000 (12:35 +1000)]
Add test case for #21986

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/21988)

(cherry picked from commit c870a465864259f0bdec0953ad085da31941bc27)

8 months ago: Check error return from cms_sd_asn1_ctrl() correctly.
Pauli [Wed, 6 Sep 2023 23:27:37 +0000 (09:27 +1000)]
Check error return from cms_sd_asn1_ctrl() correctly.

Fixes #21986

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/21988)

(cherry picked from commit 00a413e2483257a17239cef5dde52df14926284c)

8 months ago: Modify the dkeyform type to support engine
wangcheng [Wed, 6 Sep 2023 13:29:38 +0000 (21:29 +0800)]
Modify the dkeyform type to support engine

The valtype value of dkeyform defined in the s_server_options structure is "F", which leads to the judgment that the engine is not supported when processing parameters in the opt_next function.
Thus the valtype value of dkeyform should be changed to "f".

CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21982)

(cherry picked from commit b9a189ce87fde1de4bf691031624538262f005c5)

8 months ago: test/chacha: replace CPUID_OBJ with OPENSSL_CPUID_OBJ
Min Zhou [Wed, 6 Sep 2023 03:52:26 +0000 (11:52 +0800)]
test/chacha: replace CPUID_OBJ with OPENSSL_CPUID_OBJ

Fixes #21977

Signed-off-by: Min Zhou <zhoumin@loongson.cn>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21978)

(cherry picked from commit e6b6b18af3e85a6b5f0d8ea1070f7070557d6357)

8 months ago: apps/cmp.c: fix bug not allowing to reset -csr and -serial option values
Dr. David von Oheimb [Fri, 4 Aug 2023 17:02:28 +0000 (19:02 +0200)]
apps/cmp.c: fix bug not allowing to reset -csr and -serial option values

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21659)

(cherry picked from commit 374945a9aa545d4d6f015de0b48cbed6a90258e0)

8 months ago: apps.c: improve warning texts of parse_name() when skipping RDN input
Dr. David von Oheimb [Fri, 4 Aug 2023 06:23:58 +0000 (08:23 +0200)]
apps.c: improve warning texts of parse_name() when skipping RDN input

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21659)

(cherry picked from commit 49e097344ba51a8b25016794d482813b9c1e137f)

8 months ago: apps.c: fix error messages (newline and needless text) in load_key_certs_crls()
Dr. David von Oheimb [Thu, 3 Aug 2023 14:52:49 +0000 (16:52 +0200)]
apps.c: fix error messages (newline and needless text) in load_key_certs_crls()

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21659)

(cherry picked from commit 81d037b8adb0232c8a4d4654f79c883dafb102bc)

8 months ago: Fix internal memory leaks from OPENSSL_MALLOC_FAILURES
Bernd Edlinger [Mon, 4 Sep 2023 07:40:28 +0000 (09:40 +0200)]
Fix internal memory leaks from OPENSSL_MALLOC_FAILURES

There is a rarely used feature that can be enabled
with `./config enable-crypto-mdebug` when additionally
the environment variable OPENSSL_MALLOC_FAILURES is used.
It turns out to be possible that CRYPTO_zalloc may
create a leak when the memory is allocated and then
the shouldfail happens, then the memory is lost.
Likewise, when OPENSSL_realloc is used with size=0,
the memory is to be freed, but here the shouldfail
check is too early, and the failure may prevent the
memory from being freed, thus creating a bogus memory leak.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21944)

(cherry picked from commit e2cf38d5751d6b48c8625b622c3765d0a39958d7)

8 months ago: Bump actions/checkout from 2 to 4
dependabot[bot] [Tue, 5 Sep 2023 07:56:28 +0000 (07:56 +0000)]
Bump actions/checkout from 2 to 4

Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 4.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2...v4)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
CLA: trivial

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21953)

(cherry picked from commit d4231af60a8d04196b3b873c2fa8638daff36173)

8 months ago: Implement dupctx for chacha20 cipher
Neil Horman [Mon, 28 Aug 2023 16:07:16 +0000 (12:07 -0400)]
Implement dupctx for chacha20 cipher

Implement the dupctx method for the chacha20 cipher, so that
EVP_PKEY_CTX_copy works

It's pretty straightforward, it's basically just a memdup.  Checking the
pointers that might need fixing up:

in PROV_CHACHA20_CTX all members are statically declared, so memduping
should be fine

in PROV_CHACHA20_CTX->base (PROV_CIPHER_CTX):
        Non statically declared members:
                *tlsmac needs to get memduped to avoid double free
                 conditions, but only if base.alloced is set
                *hw pointer is always assigned to the chacha20_hw global
                 variable, so can be left alone
                *libctx can be left alone as provctx is always NULL in
                 chacha20_newctx
                *ks appears unused by chacha20, so can be ignored
Fixes #20978

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21878)

(cherry picked from commit 61cfc22b60e33bc77b1e1944759af48c8e58f0d2)

8 months ago: Avoid clobbering non-volatile XMM registers
Bernd Edlinger [Tue, 22 Aug 2023 14:07:30 +0000 (16:07 +0200)]
Avoid clobbering non-volatile XMM registers

This affects some Poly1305 assembler functions
which are only used for certain CPU types.

Remove those functions for Windows targets,
as a simple interim solution.

Fixes #21522

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21808)

(cherry picked from commit 7b8e27bc2e02238986d89ef0ece067ec1b48e165)

8 months ago: Update X509 fuzzer to verify a chain
Kurt Roeckx [Sun, 18 Dec 2022 19:54:15 +0000 (20:54 +0100)]
Update X509 fuzzer to verify a chain

It adds support for verifying that it's been signed by a CA, and
checks the CRL and OCSP status

Can find CVE-2022-4203 and CVE-2023-0286

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20243)

(cherry picked from commit 399c2da08ab9c6a382f8e9950742a022e847fec0)
(cherry picked from commit 869d95b00e22b68897a541abf3bcee3589d2d519)

8 months ago: OPENSSL_init_crypto load config into initial global default library context
Ingo Franzki [Wed, 30 Aug 2023 06:41:43 +0000 (08:41 +0200)]
OPENSSL_init_crypto load config into initial global default library context

OPENSSL_init_crypto() with OPENSSL_INIT_LOAD_CONFIG must load the configuration
into the initial global default library context, not the currently set default
library context.

OPENSSL_init_crypto() with OPENSSL_INIT_LOAD_CONFIG may be called within other
OpenSSL API functions, e.g. from within EVP_PKEY_CTX_new_xxx() when initializing
a pkey context, to perform implicit initialization, if it has not been
initialized yet. This implicit initialization may happen at a time when an
application has already created its own library context and made it the default
library context. So loading the config into the current default library context
would load it into the application's library context.

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21897)

(cherry picked from commit ecb6cdf02a302af18fe4bc20097a9ea3177f897c)

8 months ago: Set VC win64 perlasm scheme during Configure
Kai Pastor [Sat, 5 Aug 2023 06:34:35 +0000 (08:34 +0200)]
Set VC win64 perlasm scheme during Configure

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21661)

(cherry picked from commit a2608e4bc430d6216bbf36f50a29278e8759103a)

8 months ago: Allow RSA-PSS also in EVP_PKEY_assign() and EVP_PKEY_can_sign()
Ingo Franzki [Wed, 23 Aug 2023 13:08:51 +0000 (15:08 +0200)]
Allow RSA-PSS also in EVP_PKEY_assign() and EVP_PKEY_can_sign()

Treat keys with EVP_PKEY_RSA_PSS the same as EVP_PKEY_RSA in EVP_PKEY_can_sign()
and detect_foreign_key() which is called by EVP_PKEY_assign().

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21819)

(cherry picked from commit e2972982c64f3f1ac10b3ebe1086d99ec67631bd)

8 months ago: ctrl_params_translate: Allow get_rsa_payload_x() also for RSA-PSS
Ingo Franzki [Wed, 23 Aug 2023 07:45:45 +0000 (09:45 +0200)]
ctrl_params_translate: Allow get_rsa_payload_x() also for RSA-PSS

The get_rsa_payload_x() functions should also allow to get the payload
for RSA-PSS keys.

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21818)

(cherry picked from commit cf712830b7b5a20a768a1fc5f78dc48841b7617f)

8 months ago: ctrl_params_translate: Allow RSA controls also for RSA-PSS
Ingo Franzki [Wed, 23 Aug 2023 07:20:52 +0000 (09:20 +0200)]
ctrl_params_translate: Allow RSA controls also for RSA-PSS

Controls 'rsa_keygen_pubexp' and 'rsa_keygen_primes' should also be allowed
for RSA-PSS keys.

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21818)

(cherry picked from commit e2c2cca4b2fd1ad946d93507e9ca4f9ea910a114)

8 months ago: doc: Avoid usage of non-existing constant
Jakub Jelen [Wed, 23 Aug 2023 11:24:57 +0000 (13:24 +0200)]
doc: Avoid usage of non-existing constant

CLA: trivial

Fixes: #21809
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21817)

(cherry picked from commit de4661b23776dde80fe5832eea34c63d5e15a6e4)

8 months ago: Fixed default value of the "ess_cert_id_alg" option in man openssl-ts(1)
olszomal [Tue, 22 Aug 2023 08:20:07 +0000 (10:20 +0200)]
Fixed default value of the "ess_cert_id_alg" option in man openssl-ts(1)

CLA: trivial

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21805)

(cherry picked from commit 5ffad4bad9bd701cc3d14c96304484884ace0831)

8 months ago: Updates documentation of RC4_CHAR and RC4_INT: Should not be used for new configuration targets
Frederik Wedel-Heinen [Fri, 7 Jul 2023 11:17:11 +0000 (13:17 +0200)]
Updates documentation of RC4_CHAR and RC4_INT: Should not be used for new configuration targets

Fixes: #21358
CLA: trivial

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21391)

(cherry picked from commit c2a8226cba2757b251729620aedffeed23d73623)

8 months ago: issue-21718: remove setting of PTHREAD_MUTEX_NORMAL
Neil Horman [Fri, 11 Aug 2023 19:50:59 +0000 (15:50 -0400)]
issue-21718: remove setting of PTHREAD_MUTEX_NORMAL

issue: https://github.com/openssl/openssl/issues/21718

build break reported:
crypto/threads_pthread.c:76:5: warning: implicit declaration of function 'pthread_mutexattr_settype'; did you mean 'pthread_mutexattr_destroy'? [-Wimplicit-function-declaration]
   76 |     pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_NORMAL);
      |     ^~~~~~~~~~~~~~~~~~~~~~~~~
      |     pthread_mutexattr_destroy
crypto/threads_pthread.c:76:38: error: 'PTHREAD_MUTEX_NORMAL' undeclared (first use in this function); did you mean 'PTHREAD_MUTEX_TIMED_NP'?
   76 |     pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_NORMAL);
      |                                      ^~~~~~~~~~~~~~~~~~~~
      |                                      PTHREAD_MUTEX_TIMED_NP

This occurs because PTHREAD_MUTEX_NORMAL is only defined in glibc if
__USE_UNIX98 or __USE_XOPEN2K8 is defined, which is derived from setting
__USE_POSIX_C_SOURCE or __XOPEN_SOURCE is selected in the glibc feature
set for a build.  Since openssl selects no specific feature set from
glibc, the build break occurs

We could select a feature set of course, but that seems like a
significant discussion to have prior to doing so. Instead, the simpler
solution is to just not set the mutex type at all, given that
pthread_mutexattr_init sets the default mutex type, which should be akin
to normal anyway (i.e. no mutex error checking or allowed-recursive
behavior)

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21726)

(cherry picked from commit e4d808652b0a1a19cfe615a6659e65ead0245108)

8 months ago: Improve documentation for BIO_s_mem
Neil Horman [Mon, 14 Aug 2023 16:17:11 +0000 (12:17 -0400)]
Improve documentation for BIO_s_mem

Recent leak discovered by valgrind:
==1007580== at 0x483C815: malloc (vg_replace_malloc.c:431)
==1007580== by 0x2C2689: CRYPTO_zalloc (in /home/vien/microedge-c/test)
==1007580== by 0x295A17: BUF_MEM_new (in /home/vien/microedge-c/test)
==1007580== by 0x295A78: BUF_MEM_new_ex (in /home/vien/microedge-c/test)
==1007580== by 0x28CACE: mem_new (in /home/vien/microedge-c/test)
==1007580== by 0x285EA8: BIO_new_ex (in /home/vien/microedge-c/test)
==1007580== by 0x231894: convert_pubkey_ECC (tpm2_driver.c:221)
==1007580== by 0x232B73: create_ephemeral_key (tpm2_driver.c:641)
==1007580== by 0x232E1F: tpm_gen_keypair (tpm2_driver.c:695)
==1007580== by 0x22D60A: gen_keypair (se_driver_api.c:275)
==1007580== by 0x21FF35: generate_keypair (dhkey.c:142)
==1007580== by 0x24D4C8: __test_dhkey (dhkey_test.c:55)

led me to find that BIO_get_mem_data is informative only; it does not
transfer ownership of a BIO_s_mem's data structure to the caller.
Additionally, treating it as such leads to the above leak, or possibly
data corruption in the event that BIO_set_close(bio, BIO_NOCLOSE) is not
set properly prior to calling BIO_free.

Made an attempt to fix it in a minimally invasive manner in the 3.1
branch, but based on discussion, it's just not safe to do in an API
compatible way, so just document the semantics a little more clearly
here, and fix it properly in a future release

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21724)

(cherry picked from commit 66d1658b4d88c66b27a8a538b2fb365ef1907936)

8 months ago: Check i2d_X509_NAME return in X509_NAME_hash_ex/old
3lswear [Wed, 9 Aug 2023 13:25:51 +0000 (16:25 +0300)]
Check i2d_X509_NAME return in X509_NAME_hash_ex/old

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21697)

(cherry picked from commit 945fde53a3db5011940a059fd1407b81197c9e14)

8 months ago: Fix no-dsa in combination with no-err
Matt Caswell [Fri, 11 Aug 2023 08:42:36 +0000 (09:42 +0100)]
Fix no-dsa in combination with no-err

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21722)

(cherry picked from commit 4efd84fdd648279367683b280c9d9feb2ba54e9e)

8 months ago: Fix no-dtls and no-tls in combination
Matt Caswell [Fri, 11 Aug 2023 08:41:57 +0000 (09:41 +0100)]
Fix no-dtls and no-tls in combination

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21722)

(cherry picked from commit fb32f6ea42e6916ff88cc44cf5de6e63ba596aca)

8 months ago: OSSL_HTTP_{REQ_CTX_set_request_line(),_set1_request()}: backward compat w.r.t. path parameter
Dr. David von Oheimb [Tue, 8 Aug 2023 20:47:50 +0000 (22:47 +0200)]
OSSL_HTTP_{REQ_CTX_set_request_line(),_set1_request()}: backward compat w.r.t. path parameter

Fixes #17923

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21690)

(cherry picked from commit 45c02183c65f0e1abf59909c2900764606334664)

8 months ago: For ASN1_STRING_set() check result and set correct error code
atishkov [Fri, 4 Aug 2023 19:15:01 +0000 (22:15 +0300)]
For ASN1_STRING_set() check result and set correct error code

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21658)

8 months ago: Do not raise CMS_R_CONTENT_TYPE_NOT_ENVELOPED_DATA error in CMS_ContentInfo_free
Olga Batyshkina [Mon, 7 Aug 2023 12:51:53 +0000 (14:51 +0200)]
Do not raise CMS_R_CONTENT_TYPE_NOT_ENVELOPED_DATA error in CMS_ContentInfo_free

This happens if this function is called for signed content.

Added ossl_cms_env_enc_content_free() for cleaning enveloped content.

Fixed indentation in ossl_cms_env_enc_content_free

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21676)

(cherry picked from commit 13342efbb9e16ec8f97b1ac5ab4aa2b3b3490596)

9 months ago: Fix ChaCha assembly code on 32-bit HPUX itanium systems
Bernd Edlinger [Tue, 8 Aug 2023 04:48:33 +0000 (06:48 +0200)]
Fix ChaCha assembly code on 32-bit HPUX itanium systems

This fixes the reported crashes on 32-bit HPUX systems due to
raw out and inp pointer values, and adds one nop instruction
on 64-bit systems, like it is done in other assembly modules
for those systems.

The fix was tested by @johnkohl-hcl see:
https://github.com/openssl/openssl/issues/17067#issuecomment-1668468033

Fixes #17067

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21681)

(cherry picked from commit 6d38ccedb25f31dfab232e2669415fd4db18b20e)

9 months ago: Fix handling of the "0:" label in arm-xlate.pl
Tom Cosgrove [Thu, 3 Aug 2023 18:43:17 +0000 (19:43 +0100)]
Fix handling of the "0:" label in arm-xlate.pl

When $label == "0", $label is not truthy, so `if ($label)` thinks there isn't
a label. Correct this by looking at the result of the s/// command.

Verified that there are no changes in the .S files created during a normal
build, and that the "0:" labels appear in the translation given in the error
report (and they are the only difference in the before and after output).

Fixes #21647

Change-Id: I5f2440100c62360bf4bdb7c7ece8dddd32553c79

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21653)

(cherry picked from commit 9607f5ccf285ac9988a86f95c5ad9f92b556a843)

9 months ago: endecode_test.c: Add tests for decoding with 0 selection
Tomas Mraz [Fri, 21 Jul 2023 15:45:32 +0000 (17:45 +0200)]
endecode_test.c: Add tests for decoding with 0 selection

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/21519)

(cherry picked from commit 4c50610bdadbcf7aa6bbd968df67b8874234677b)
(cherry picked from commit 42f32b460646d8d4ef1e8927ec976716f02a093a)

9 months ago: When exporting/importing decoded keys do not use 0 as selection
Tomas Mraz [Fri, 21 Jul 2023 15:40:31 +0000 (17:40 +0200)]
When exporting/importing decoded keys do not use 0 as selection

When decoding, 0 as the selection means to decode anything
you get.

However, when exporting and then importing the key data, 0 as
selection is not meaningful.
So we set it to OSSL_KEYMGMT_SELECT_ALL to make the export/import
function export/import everything that we have decoded.

Fixes #21493

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/21519)

(cherry picked from commit 2acb0d363c0032b5b97c4f6596609f40bd7d842f)
(cherry picked from commit 137ba0567417441cd8b3d43cf23e27d73f7a7684)

9 months ago - Avoid exporting bogus (empty) data if empty selection is used
Tomas Mraz [Fri, 21 Jul 2023 14:26:12 +0000 (16:26 +0200)]
Avoid exporting bogus (empty) data if empty selection is used

This is already correct in the rsa_kmgmt.c but other
implementations are wrong.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/21519)

(cherry picked from commit 1ae4678cebaa13604c0f31bdf2c64cd28bdaf287)
(cherry picked from commit 8865d7c4e8f9afac969fc927f2b24ee6d03868bd)

9 months ago - New version of gost-engine tests
Dmitry Belyavskiy [Wed, 2 Aug 2023 12:17:30 +0000 (14:17 +0200)]
New version of gost-engine tests

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/21635)

9 months ago - no_autoload: make the no-autoload-config option work again.
Pauli [Wed, 2 Aug 2023 00:44:47 +0000 (10:44 +1000)]
no_autoload: make the no-autoload-config option work again.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/21621)

(cherry picked from commit cb8e64131e7ce230a9268bdd7cc4664868ff0dc9)

9 months ago - test: skip FIPS config auto loading based tests if feature is disabled
Pauli [Wed, 2 Aug 2023 01:36:46 +0000 (11:36 +1000)]
test: skip FIPS config auto loading based tests if feature is disabled

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/21621)

(cherry picked from commit 9a255aa2bda07286d5516a77b269178fc03779b4)

9 months ago - provider test: don't run configuration based tests if configuration isn't loaded
Pauli [Wed, 2 Aug 2023 00:44:37 +0000 (10:44 +1000)]
provider test: don't run configuration based tests if configuration isn't loaded

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/21621)

(cherry picked from commit a9dde749504065e6e66b63cc12c25381465ec721)

9 months ago - PBE test: load providers if auto config load is turned off
Pauli [Wed, 2 Aug 2023 00:41:22 +0000 (10:41 +1000)]
PBE test: load providers if auto config load is turned off

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/21621)

(cherry picked from commit 52ea255d9d560513f69c3f7f3f21513a693c865c)

9 months ago - testutil: allow a failure return from setup_tests that doesn't print help
Pauli [Wed, 2 Aug 2023 00:40:23 +0000 (10:40 +1000)]
testutil: allow a failure return from setup_tests that doesn't print help

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/21621)

(cherry picked from commit badf3c162d2b67635beee3fc948db32f13d274af)

9 months ago - Resolves some magic values that have a hello_retry_request enum type.
Frederik Wedel-Heinen [Wed, 2 Aug 2023 12:49:17 +0000 (14:49 +0200)]
Resolves some magic values that have a hello_retry_request enum type.

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21636)

(cherry picked from commit 5ac7ee4d5a38e4f163ed6a7c9c283d45038625a8)

9 months ago - crypto/cmp: fix clash of OSSL_CMP_CERTREQID_NONE with error result of ossl_cmp_asn1_g...
Dr. David von Oheimb [Thu, 27 Jul 2023 18:03:16 +0000 (20:03 +0200)]
crypto/cmp: fix clash of OSSL_CMP_CERTREQID_NONE with error result of ossl_cmp_asn1_get_int()

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/21579)

(cherry picked from commit 2c8d9f19e351a84d4329fbe2f68a4a8a49cad3ef)

9 months ago - Fix typo in function name
Tianjia Zhang [Tue, 1 Aug 2023 06:21:02 +0000 (14:21 +0800)]
Fix typo in function name

Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21608)

(cherry picked from commit 38c70a161cc6f96682bd77c8a935c5767355438c)

9 months ago - A null pointer dereference occurs when memory allocation fails
yangyangtiantianlonglong [Mon, 31 Jul 2023 14:04:41 +0000 (07:04 -0700)]
A null pointer dereference occurs when memory allocation fails

Fixes #21605

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21606)

(cherry picked from commit a8da305fa3dd6e34ba5aab3978281f652fd12883)

9 months ago - Add a test for PEM_read_bio_Parameters()
Matt Caswell [Mon, 31 Jul 2023 11:56:47 +0000 (12:56 +0100)]
Add a test for PEM_read_bio_Parameters()

We must not ask for a password when attempting to read parameters.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21603)

(cherry picked from commit df3d609030bdb0868d1ccca14227bb6829ad954c)

9 months ago - The PEM_read_bio_Parameters() function should not ask for a password
Matt Caswell [Mon, 31 Jul 2023 11:32:16 +0000 (12:32 +0100)]
The PEM_read_bio_Parameters() function should not ask for a password

The PEM_read_bio_Parameters[_ex] function does not have the capability
of specifying a password callback. We should not use the fallback password
callback in this case because it will attempt to send a prompt for the
password which might not be the correct thing to do. We should just not
use a password in that case.

Fixes #21588

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21603)

(cherry picked from commit 0d0791eedff7f0747503d816184810aa093f523e)

9 months ago - Always add a suitable error if we fail to decode
Matt Caswell [Mon, 31 Jul 2023 11:30:34 +0000 (12:30 +0100)]
Always add a suitable error if we fail to decode

We're always supposed to add the fallback "unsupported" error if we don't
have anything better. However in some cases this wasn't happening because
we were incorrectly setting "flag_construct_called" - even though the
construct function had failed.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21603)

(cherry picked from commit 564e5b754a4680dfad38585dd73bcf025567b448)

9 months ago - Don't add the msblob/pvk decoders if they're not suitable
Matt Caswell [Mon, 31 Jul 2023 11:28:37 +0000 (12:28 +0100)]
Don't add the msblob/pvk decoders if they're not suitable

msblob only decodes public/private keys (not just params).
pvk only decodes private keys.

If the requested selection doesn't intersect with the above then don't
consider those decoders.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21603)

(cherry picked from commit 6207f2b657b5ba1823681b49c7c34c619da0dd00)

9 months ago - Prepare for 3.0.11
Matt Caswell [Tue, 1 Aug 2023 13:47:32 +0000 (14:47 +0100)]
Prepare for 3.0.11

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes

9 months ago - Prepare for release of 3.0.10 openssl-3.0.10
Matt Caswell [Tue, 1 Aug 2023 13:47:24 +0000 (14:47 +0100)]
Prepare for release of 3.0.10

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes

9 months ago - make update
Matt Caswell [Tue, 1 Aug 2023 13:47:24 +0000 (14:47 +0100)]
make update

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes

9 months ago - Copyright year updates
Matt Caswell [Tue, 1 Aug 2023 13:46:02 +0000 (14:46 +0100)]
Copyright year updates

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes

9 months ago - Fix a regression in X509_VERIFY_PARAM_add0_policy()
Matt Caswell [Thu, 27 Jul 2023 11:09:47 +0000 (12:09 +0100)]
Fix a regression in X509_VERIFY_PARAM_add0_policy()

Also fixes a similar regression in X509_VERIFY_PARAM_add0_table().

Commit 38ebfc3 introduced a regression in 3.0.6 that changed the return
value of the two functions above from 1 on success to the number of entries
in the stack. If there is more than one entry then this is a change in
behaviour which should not have been introduced into a stable release.

This reverts the behaviour back to what it was prior to the change. The code
is slightly different to the original code in that we also handle a possible
-1 return value from the stack push function. This should never happen in
reality because we never pass a NULL stack as a parameter - but for the sake
of robustness we handle it anyway.

Note that the changed behaviour exists in all versions of 3.1 (it never had
the original version). But 3.1 should be fully backwards compatible with 3.0
so we should change it there too.

Fixes #21570

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/21576)

(cherry picked from commit e3d897d3fa3b48bb835fab0665a435469beea7ae)

9 months ago - Correct spelling of database
Fatih Arslan Tugay [Mon, 24 Jul 2023 12:34:08 +0000 (15:34 +0300)]
Correct spelling of database

Apply normal sentence case to db update message

CLA: trivial

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/21535)

(cherry picked from commit ccb2f3080d84a271f17458a60e0d7ccd77929e95)
(cherry picked from commit 4c1fc2c3ecb41b024ddafcb34210955d8ddfc684)

9 months ago - Add CHANGES.md and NEWS.md entries for CVE-2023-3817
Tomas Mraz [Tue, 25 Jul 2023 13:35:34 +0000 (15:35 +0200)]
Add CHANGES.md and NEWS.md entries for CVE-2023-3817

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/21550)

(cherry picked from commit 4b29762802c05fa871f0e1efcf804e86db0ddaa2)
(cherry picked from commit fb54f415b9981adebb03997304ac77d4d0cc520a)

9 months ago - dhtest.c: Add test of DH_check() with q = p + 1
Tomas Mraz [Tue, 25 Jul 2023 13:23:43 +0000 (15:23 +0200)]
dhtest.c: Add test of DH_check() with q = p + 1

This must fail with DH_CHECK_INVALID_Q_VALUE and
with DH_CHECK_Q_NOT_PRIME unset.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/21550)

(cherry picked from commit ad5d35572695d7b5748b2bd4fb1afaa189b29e28)
(cherry picked from commit 1478ffad3f123550ec1014642d5c880dfbe270ef)

9 months ago - DH_check(): Do not try checking q properties if it is obviously invalid
Tomas Mraz [Tue, 25 Jul 2023 13:22:48 +0000 (15:22 +0200)]
DH_check(): Do not try checking q properties if it is obviously invalid

If |q| >= |p| then the q value is obviously wrong as q
is supposed to be a prime divisor of p-1.

We check if p is overly large, so this added test implies that
q is not large either when performing subsequent tests using that
q value.

Otherwise, if it is too large, these additional checks of the q value
such as the primality test can trigger DoS by doing overly long
computations.

Fixes CVE-2023-3817

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/21550)

(cherry picked from commit 1c16253f3c3a8d1e25918c3f404aae6a5b0893de)
(cherry picked from commit 6a1eb62c29db6cb5eec707f9338aee00f44e26f5)

9 months ago - Make DH_check set some error bits in recently added error
Bernd Edlinger [Sun, 23 Jul 2023 12:27:54 +0000 (14:27 +0200)]
Make DH_check set some error bits in recently added error

The pre-existing error cases where DH_check returned zero
are not related to the dh params in any way, but are only
triggered by out-of-memory errors, therefore having *ret
set to zero feels right, but since the new error case is
triggered by too large p values, that is something different.
On the other hand some callers of this function might not
be prepared to handle the return value correctly but only
rely on *ret. Therefore we set some error bits in *ret as an
additional safety measure.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21524)

(cherry picked from commit 81d10e61a4b7d5394d08a718bf7d6bae20e818fc)

9 months ago - get_cert_by_subject_ex(): Check result of X509_STORE_lock()
atishkov [Fri, 21 Jul 2023 08:36:37 +0000 (11:36 +0300)]
get_cert_by_subject_ex(): Check result of X509_STORE_lock()

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21515)

(cherry picked from commit bc5d9cc8711e86d5c25b81c58dfae531536e61fc)

9 months ago - x509: add ASN1_STRING_set() check result
atishkov [Thu, 20 Jul 2023 08:02:38 +0000 (11:02 +0300)]
x509: add ASN1_STRING_set() check result

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21497)

(cherry picked from commit 46e95903762f0cc478d8a3c252390fa7312bba6e)

9 months ago - Fix error handling in pipelining test
Bernd Edlinger [Fri, 21 Jul 2023 05:34:39 +0000 (07:34 +0200)]
Fix error handling in pipelining test

When an early error happens in the test_pipelining
function and idx == 5, the error handling would try
to call OPENSSL_free(msg), but msg is at that time
just a string constant in read-only memory, so a
crash would be the result. Fixed that by using
fragsize as an indication of when to free msg.

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21512)

(cherry picked from commit 06a0d40322e96dbba816b35f82226871f635ec5a)

9 months ago - fix: reject adding a duplicate into STACK_OF(X509_ATTRIBUTE)
Adam Šulc [Thu, 20 Jul 2023 19:30:45 +0000 (21:30 +0200)]
fix: reject adding a duplicate into STACK_OF(X509_ATTRIBUTE)

Function `X509at_add1_attr()` (crypto/x509/x509_att.c) refuses to add a duplicate into `*x` but it searches in the wrong stack.

Changed to search in `*x`.

CLA: trivial

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21505)

(cherry picked from commit 7551264186f176ca5801aa84d60c7b91d8fba31f)

9 months ago - speed: Fix execution of EdDSA measurement
Ingo Franzki [Wed, 19 Jul 2023 13:24:49 +0000 (15:24 +0200)]
speed: Fix execution of EdDSA measurement

Running 'openssl speed eddsa' fails with

Doing 253 bits sign Ed25519 ops for 10s: EdDSA sign failure
000003FF9306C7D0:error:030000BC:digital envelope routines:EVP_DigestSign:
                           final error:crypto/evp/m_sigver.c:585:
-1 253 bits Ed25519 sign ops in 0.00s
Doing 253 bits verify Ed25519 ops for 10s: EdDSA verify failure
000003FF9306C7D0:error:030000BC:digital envelope routines:EVP_DigestVerify:
                           final error:crypto/evp/m_sigver.c:694:
-1 253 bits Ed25519 verify ops in 0.00s

The EVP_DigestSign/Verify() calls in the EdDSA_sign/verify_loop()
fail because the context has already been finalized by the previous
EVP_DigestSign/Verify call during the EdDSA signature test done by speed_main().

This happens since commit 3fc2b7d6b8f961144905330dfd4689f5bd515199 where the
EVP_DigestSign/Verify() functions have been changed to set a flag that the
context has been finalized.

Fix this by re-initializing the context using EVP_DigestSign/Verify() in the
EdDSA_sign/verify_loop().

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21491)

(cherry picked from commit 0c85bcbaeabe3a695831bec44ab87964725a51a6)

9 months ago - speed: Fix memory leak
Ingo Franzki [Wed, 19 Jul 2023 12:59:16 +0000 (14:59 +0200)]
speed: Fix memory leak

Free the signature stack after iterating over all found signatures.
Free the kem and signature stacks at the end of speed_main() if not
NULL.

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21491)

(cherry picked from commit cc7e2b20de02959c328f96e464e5fb8b256a00e0)

9 months ago - Fix documentation around AAD and return values in EVP_Cipher*
Samuel Lee [Wed, 19 Jul 2023 18:04:12 +0000 (11:04 -0700)]
Fix documentation around AAD and return values in EVP_Cipher*

Fixes #21485

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21494)

(cherry picked from commit 51a7066e2092b062a502e29166adfcc297803058)

9 months ago - apps/cms.c: Fix unreachable code in cms_main()
atishkov [Mon, 17 Jul 2023 10:10:44 +0000 (13:10 +0300)]
apps/cms.c: Fix unreachable code in cms_main()

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21474)

(cherry picked from commit 8c34367e434c6b9555f21cc4fc77a18d6ef84a85)

9 months ago - Update CHANGES/NEWS for CVE-2023-3446
Matt Caswell [Thu, 13 Jul 2023 15:14:49 +0000 (16:14 +0100)]
Update CHANGES/NEWS for CVE-2023-3446

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21451)

(cherry picked from commit 4ec53ad6e1791daafbe26bdbd539f2ba9172959a)

9 months ago - Add a test for CVE-2023-3446
Matt Caswell [Fri, 7 Jul 2023 13:39:48 +0000 (14:39 +0100)]
Add a test for CVE-2023-3446

Confirm that the only error DH_check() finds with DH parameters that have an
excessively long modulus is that the modulus is too large. We should not
be performing time consuming checks using that modulus.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21451)

(cherry picked from commit ede782b4c8868d1f09c9cd237f82b6f35b7dba8b)

9 months ago - Fix DH_check() excessive time with over sized modulus
Matt Caswell [Thu, 6 Jul 2023 15:36:35 +0000 (16:36 +0100)]
Fix DH_check() excessive time with over sized modulus

The DH_check() function checks numerous aspects of the key or parameters
that have been supplied. Some of those checks use the supplied modulus
value even if it is excessively large.

There is already a maximum DH modulus size (10,000 bits) over which
OpenSSL will not generate or derive keys. DH_check() will however still
perform various tests for validity on such a large modulus. We introduce a
new maximum (32,768) over which DH_check() will just fail.

An application that calls DH_check() and supplies a key or parameters
obtained from an untrusted source could be vulnerable to a Denial of
Service attack.

The function DH_check() is itself called by a number of other OpenSSL
functions. An application calling any of those other functions may
similarly be affected. The other functions affected by this are
DH_check_ex() and EVP_PKEY_param_check().

CVE-2023-3446

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21451)

(cherry picked from commit 9e0094e2aa1b3428a12d5095132f133c078d3c3d)
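The check ordering that this commit and the two CVE-2023-3817 commits above describe (the 32,768-bit cap on the modulus, the q >= p short-circuit that leaves DH_CHECK_Q_NOT_PRIME unset, and an error bit set on the too-large path for callers that only inspect *ret), as an added Python example that is not OpenSSL's code. The flag names follow dh.h, but the numeric values, the toy parameters and the Miller-Rabin helper are this example's own.

```python
"""Added example (not OpenSSL code): a small DH parameter checker that
applies the ordering DH_check() uses after the CVE-2023-3446 and
CVE-2023-3817 fixes.  Cheap size and structure checks run first, and the
expensive primality tests only run on values that have already passed them.
"""
import random

# Flag names follow OpenSSL's dh.h; the numeric values are this example's own.
DH_CHECK_P_NOT_PRIME = 0x01
DH_CHECK_P_NOT_SAFE_PRIME = 0x02
DH_NOT_SUITABLE_GENERATOR = 0x08
DH_CHECK_Q_NOT_PRIME = 0x10
DH_CHECK_INVALID_Q_VALUE = 0x20
DH_MODULUS_TOO_LARGE = 0x100

# The cap the CVE-2023-3446 commit states for DH_check(); above it the
# function fails outright instead of running any check on the modulus.
CHECK_MAX_MODULUS_BITS = 32768


def is_probable_prime(n, rounds=20):
    """Miller-Rabin.  This is the expensive step: its cost grows with the
    size of n, which is why dh_check() only reaches it for values that
    have already passed the cheap size checks."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)  # fixed witnesses keep the example reproducible
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def dh_check(p, g, q=None):
    """Validate DH parameters in the style of DH_check().

    Returns (ok, flags): ok == 0 means the check could not be performed at
    all, while flags carry DH_CHECK_* bits describing what is wrong.
    """
    # CVE-2023-3446: an oversized modulus is rejected before any work is
    # done on it.  A flag is set as well as ok == 0, for callers that only
    # look at the flags (the point of the "set some error bits" commit).
    if p.bit_length() > CHECK_MAX_MODULUS_BITS:
        return 0, DH_MODULUS_TOO_LARGE

    # CVE-2023-3817: q is supposed to divide p - 1, so q >= p is wrong on
    # its face.  Report that and stop; DH_CHECK_Q_NOT_PRIME stays unset
    # because no primality test was run on such a q.
    if q is not None and q >= p:
        return 1, DH_CHECK_INVALID_Q_VALUE

    flags = 0
    if not is_probable_prime(p):
        flags |= DH_CHECK_P_NOT_PRIME
    if q is not None:
        if not is_probable_prime(q):
            flags |= DH_CHECK_Q_NOT_PRIME
        if (p - 1) % q != 0:
            flags |= DH_CHECK_INVALID_Q_VALUE
    elif not is_probable_prime((p - 1) // 2):
        flags |= DH_CHECK_P_NOT_SAFE_PRIME

    if g <= 1 or g >= p - 1:
        flags |= DH_NOT_SUITABLE_GENERATOR
    elif q is not None and pow(g, q, p) != 1:
        flags |= DH_NOT_SUITABLE_GENERATOR
    return 1, flags


if __name__ == "__main__":
    # Constructed toy parameters; real groups are thousands of bits long.
    print(dh_check(23, 5))                # safe-prime group: (1, 0)
    print(dh_check(23, 4, 24))            # q = p + 1: invalid q, Q_NOT_PRIME unset
    print(dh_check((1 << 40000) | 1, 2))  # oversized modulus: refused at once
```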

9 months ago - openssl-kdf.pod.in: add text on 'salt' and 'info' parameters; small further improvements
Dr. David von Oheimb [Sun, 16 Jul 2023 13:06:18 +0000 (15:06 +0200)]
openssl-kdf.pod.in: add text on 'salt' and 'info' parameters; small further improvements

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21469)

(cherry picked from commit 7b2a3a1e9d5246fb0f2935f152d0daec715f79f9)

9 months ago - EVP_KDF.pod: extend text on 'salt' and 'info' parameters
Dr. David von Oheimb [Sun, 16 Jul 2023 12:55:35 +0000 (14:55 +0200)]
EVP_KDF.pod: extend text on 'salt' and 'info' parameters

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21469)

(cherry picked from commit 61c8146aa36b84afd9d83c87c9a01138979ffd60)

9 months ago - Fix typos found by codespell
Dimitri Papadopoulos [Sun, 16 Jul 2023 05:50:02 +0000 (07:50 +0200)]
Fix typos found by codespell

Only modify doc/man* in the openssl-3.0 branch.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21464)

9 months ago - Fix int_ctx_new() error when using 1.1.1n sm2 key and ec method engine
lan1120 [Sat, 10 Jun 2023 11:36:17 +0000 (19:36 +0800)]
Fix int_ctx_new() error when using 1.1.1n sm2 key and ec method engine

Signed-off-by: lan1120 <lanming@huawei.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21170)

(cherry picked from commit 4c4fefa5c78a49b63113aec35a2bc8d6d9432436)

9 months ago - Remove duplicated values
ljuzwiuk [Tue, 11 Jul 2023 20:43:32 +0000 (20:43 +0000)]
Remove duplicated values

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21401)

(cherry picked from commit f1b7243cda208d8bd74f75c95990f8205e977ae4)

9 months ago - Fix ssl3_do_write() to correctly handle retries
Matt Caswell [Wed, 12 Jul 2023 14:50:25 +0000 (15:50 +0100)]
Fix ssl3_do_write() to correctly handle retries

A BIO is documented to return -1 on write retry - but sometimes it returns
0. ssl3_do_write() was incorrectly handling a 0 response.

Fixes #21422

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21435)

(cherry picked from commit 034ea1d00e5816f35c3e4799d5c122e198e14b59)

9 months ago - Add a test for a retry during the handshake
Matt Caswell [Wed, 12 Jul 2023 13:54:46 +0000 (14:54 +0100)]
Add a test for a retry during the handshake

Test various scenarios for a write retry occurring during a handshake.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21435)

(cherry picked from commit d6179e6d35af663ca41de615f35a1200a35f85e8)

9 months ago - no-module should not imply disabling DSO loading support
Tomas Mraz [Fri, 14 Jul 2023 08:25:42 +0000 (10:25 +0200)]
no-module should not imply disabling DSO loading support

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21459)

(cherry picked from commit 3d2f96e2c867fa3e79a453639304b70ba0508076)

9 months ago - Fix RSA OAEP set/get label for legacy engine
ljuzwiuk [Thu, 13 Jul 2023 09:11:28 +0000 (09:11 +0000)]
Fix RSA OAEP set/get label for legacy engine

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21401)

(cherry picked from commit 64b1d2fb06c9a5233dcabfe130036ff95c3fdaae)

9 months ago - Add CHANGES.md and NEWS.md entries for CVE-2023-2975
Tomas Mraz [Fri, 7 Jul 2023 07:54:18 +0000 (09:54 +0200)]
Add CHANGES.md and NEWS.md entries for CVE-2023-2975

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21384)

(cherry picked from commit 1e398bec538978b9957e69bf9e12b3c626290bea)

9 months ago - Add testcases for empty associated data entries with AES-SIV
Tomas Mraz [Tue, 4 Jul 2023 15:50:37 +0000 (17:50 +0200)]
Add testcases for empty associated data entries with AES-SIV

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21384)

(cherry picked from commit 3993bb0c0c87e3ed0ab4274e4688aa814e164cfc)