git.openssl.org Git - openssl.git/log

implement dupctx for aes_WRAP methods

create a dupctx method for aes_WRAP implementations of all sizes

Fixes #21887

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23102)

(cherry picked from commit a5bea0a8d423c7e52052d903b99f75034e78cecf)

Add dupctx support to aead ciphers

Add dupctx method support to to ciphers implemented with IMPLEMENT_aead_cipher
This includes:
aes-<kbits>-gcm
aria-<kbits>-ccm
aria-<kbits>-gcm

Fixes #21887

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23102)

(cherry picked from commit 879a853a1dc968fb010e5bf17d2e8888acc70742)

make inability to dup/clone ciphers an error

There should be no reason that a cipher can't be duplicated

Fixes #21887

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23102)

(cherry picked from commit 58a6aa0c9fe6abad996f45c6b452983035db7105)

fix buildtest job runner

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23203)

add missing doc of X509_REQ_get_extensions() and X509_REQ_add_extensions{,_nid}()

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(cherry picked from commit 47dc828c6b652feb9cef5b0e4186d010986f197c)

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23190)

Clarify the PKCS12 docs

Issue #23151 asks a question about the meaning of the PKCS12
documentation. This PR attempts to clarify how friendlyName and localKeyID
are added to the PKCS12 structure.

Fixes #23151

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23188)

(cherry picked from commit 3348713ad390372ba5a0a0f98b46b2f637475e47)

cleanse stack variable in blake2[b|s] finalization

If the output of a blake2[b|s] digest isn't a multipl of 8, then a stack
buffer is used to compute the final output, which is left un-zeroed
prior to return, allowing the potential leak of key data. Ensure that,
if the stack variable is used, it gets cleared prior to return.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23173)

(cherry picked from commit 8b9cf1bc2c3085b6e9493a057209ffd0bddf48a6)

validate requested key length in kdf_pbkdf1_do_derive

When using pbkdf1 key deriviation, it is possible to request a key
length larger than the maximum digest size a given digest can produce,
leading to a read of random stack memory.

fix it by returning an error if the requested key size n is larger than
the EVP_MD_size of the digest

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23174)

(cherry picked from commit 8d89050f0f676b429043fd5445e5a570d54ad225)

provider-keymgmt.pod: fix typo

Fix a typo from asymmmetric to asymmetric

CLA: trivial

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23164)

(cherry picked from commit cf8fea86f73c4606f132133cb34c07f8dad42482)

Add missing documentation for X509_ATTRIBUTE related functions.

Partial fix for #8026

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22656)

(cherry picked from commit f1f0731ddf6cb31d62a2c0f406b009ae9817ed7f)

Allow duplicate CMS attributes

Fixes regression introduced with https://github.com/openssl/openssl/pull/21505

Fixes #22266

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23029)

(cherry picked from commit d7e707cb4983a35b1a265c6042da410d829f3b19)

gate calling of evp_method_id on having a non-zero name id

If a name is passed to EVP_<OBJ>_fetch of the form:
name1:name2:name3

The names are parsed on the separator ':' and added to the store, but
during the lookup in inner_evp_generic_fetch, the subsequent search of
the store uses the full name1:name2:name3 string, which fails lookup,
and causes subsequent assertion failures in evp_method_id.

instead catch the failure in inner_evp_generic_fetch and return an error
code if the name_id against a colon separated list of names fails. This
provides a graceful error return path without asserts, and leaves room
for a future feature in which such formatted names can be parsed and
searched for iteratively

Add a simple test to verify that providing a colon separated name
results in an error indicating an invalid lookup.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/23110)

(cherry picked from commit 94be985cbcc1f0a5cf4f172d4a8d06c5c623122b)

doc: fix "the a" typos (and other things nearby)

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/23068)

(cherry picked from commit aa3347ba9d670a747b46974ce46f2ed9ecb38662)

Add missing settable entry OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST_PROPS for RSA asym

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20319)

(cherry picked from commit 26183614ed1dc03f509f26839b8a465684ca0f84)

Limit RSA-OAEP related functions to RSA keys only

Make EVP_PKEY_CTX_set_rsa_oaep_md() and
EVP_PKEY_CTX_get_rsa_oaep_md_name() only work for RSA keys.

Since these calls use "digest" as a OSSL_PARAM, they should not
work for other key types.

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20319)

(cherry picked from commit 0c3eb31b55d3c1544e4e044c2e3c939655bac93d)

Fix memleak in rsa_cms_decrypt

If a call to EVP_PKEY_CTX_set_rsa_mgf1_md() fails then the caller
needs to free the label.

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20319)

(cherry picked from commit d32dd65053431ee744d213b336b9a03a035807e6)

Fixed windows compilation issue

Fixed - Windows compilation issue - unbale to find correct definitions of _InterlockedExchangeAdd.
Issue number - https://github.com/openssl/openssl/issues/21080

CLA: trivial

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23087)

(cherry picked from commit aa50768bf6d0a987028175c4a3cac8a142b15941)

Fix a possible memory leak in dh_cms_encrypt

Add a missing check of the return code of X509_ALGOR_set0,
otherwise the ASN1_STRING object wrap_str may be leaked.

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22998)

AES: Document that the XTS, SIV, WRAP modes do not support streaming

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23028)

(cherry picked from commit 8f0f814d791e0825b96c30494594de619da3e5a5)

Detect and prevent recursive config parsing

If a malformed config file is provided such as the following:

openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
= provider_sect

The config parsing library will crash overflowing the stack, as it
recursively parses the same provider_sect ad nauseum.

Prevent this by maintaing a list of visited nodes as we recurse through
referenced sections, and erroring out in the event we visit any given
section node more than once.

Note, adding the test for this revealed that our diagnostic code
inadvertently pops recorded errors off the error stack because
provider_conf_load returns success even in the event that a
configuration parse failed. The call path to provider_conf_load has been
updated in this commit to address that shortcoming, allowing recorded
errors to be visibile to calling applications.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22898)

(cherry picked from commit 682fd21afb5428b5716e62eaefb09a7419f9cfd7)

Bump actions/setup-python from 4.7.1 to 5.0.0

Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.7.1 to 5.0.0.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](https://github.com/actions/setup-python/compare/v4.7.1...v5.0.0)

---
updated-dependencies:
- dependency-name: actions/setup-python
dependency-type: direct:production
update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
CLA: trivial

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22963)

(cherry picked from commit 51c85496dc227f277adbe0748d596e07d9a34bc2)

Fix a possible memory leak in ossl_x509_algor_md_to_mgf1

Add a missing check of the return code of X509_ALGOR_set0.
otherwise a memory leak may occur.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22999)

Fix provider compatibility check crash in evp_test

EVP_MAC_CTX_get_mac_size() cannot be called on older
unfixed versions before EVP_MAC_init().

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/23008)

Fix no-des failure in test_cms

The newly introduced test case do not work
when configured with no-des, fix that by
choosing -aes128 as cipher.

Fixes ffed597882ba ("cms: avoid intermittent test failure")

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23086)

(cherry picked from commit 5b4f4474b2562c4422193e1719461a0ef5cbc3e5)

ci.yml: Fix bad conflict fix in backported patch

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23090)

Consolidate raising errors in SSL_CONF_cmd()

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/23048)

(cherry picked from commit 430dcbd0463573fece704263648cc15e891c3d49)

Test that incorrect entry in the ssl section is not fatal

The following entries should be still applied.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/23048)

(cherry picked from commit 17b4277d9ac6665e9b53a6270949418154cab2dc)

Always apply all configuration settings from the ssl section

Even if some configuration entry is incorrect, do not
skip the remaining ones.

Fixes #20789

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/23048)

(cherry picked from commit 69c067ffbc2c02295e20c90e557b6fcb2f7da69c)

run Windows GitHub CI workflow on self-hosted runners

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23042)

(cherry picked from commit ce42b72cb1ca2ba8669bc28a70ed9dca28b7a551)

run GitHub CI workflow on self-hosted runners

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23042)

(cherry picked from commit 834a2d7088a042a4f8f95fa2b8327fd388556151)

run Cross Compiles workflow on self-hosted runner

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23042)

(cherry picked from commit 625287bc80129deedab7484ee4c0ac112ae874a0)

cms: avoid intermittent test failure

If you decrypt a random input using RSAES-PKCS-v1_5, then there is a
non-negligible chance that the result will look like a valid plaintext
(that is why RSAES-PKCS-v1_5 shouldn't be used anymore).  This was the
cause of an intermittent failure in a test that did a cms-encrypt
operation targetting multiple recipients.

The failure happened during key-only decrypt.  The recipient decrypts
every RSA ciphertext -- only one is supposed to decrypt successfully,
which would reveal the right content-key.  Occassionally, more than
one decrypted successfully.

Update the test by specifying the recipient cert in the decrypt op
(this avoids looping over all RSA ciphertexts).

Add a new test to get coverage for key-only decrypt, but use RSA-OAEP
during the encrypt op.

Fixes https://github.com/openssl/project/issues/380

Testing:

  $ make TESTS='test_cms' test

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23055)

(cherry picked from commit ffed597882baf2f07274e7eaa8f3c4fa9fa74ac1)

Define L_ENDIAN for linux64-loongarch64

In commit d7c0fc5b1a7b5cb2219f8d89a861f3879582fc16 we removed L_ENDIAN
definition for guessed linux64-loongarch64 as it had caused an
inconsistency between configurations with and without explicit
specifying linux64-loongarch64. Now add it back to the proper location.

Unlike MIPS or RISC-V, LoongArch is always little-endian [1].

By the way, change "LOONGARCH" to "LoongArch" in a comment as LOONGARCH
should only appear in the identifiers of macros, constants, etc.

[1]:https://loongson.github.io/LoongArch-Documentation/LoongArch-Vol1-EN.html#endian

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23064)

(cherry picked from commit e1002c84725a64b6a097f3155dc6851b57f7ba8e)

Bump actions/upload-artifact from 3 to 4

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3 to 4.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
dependency-type: direct:production
update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
CLA: trivial

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23053)

(cherry picked from commit 1ee0560f43a38d3a2de6c2cd2cacb0879c75cf46)

Fix instructions for running tests on Windows

In the command `nmake TEST='foo' test`, on Windows the runner
will look for test `'foo'` and complain about the test not being found
(due to the extraneous single quotes), whereas with `nmake TEST="foo" test`,
the test `foo` will be correctly found.

CLA: trivial

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23059)

(cherry picked from commit cf424d1da05b3cd928c97596af08e260429b308c)

LHASH: Document down_load functions

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23032)

(cherry picked from commit f8c75e053569cdcbf0d39620e28b4044f1be04f1)

LHASH: Fix documentation for doall-delete hazards

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23032)

(cherry picked from commit e91f21193c1b11de775e65b4e209a9fed67a41c1)

Harden asn1 oid loader to invalid inputs

In the event that a config file contains this sequence:
=======
openssl_conf = openssl_init

config_diagnostics = 1

[openssl_init]
oid_section = oids

[oids]
testoid1 = 1.2.3.4.1
testoid2 = A Very Long OID Name, 1.2.3.4.2
testoid3 = ,1.2.3.4.3
======

The leading comma in testoid3 can cause a heap buffer overflow, as the
parsing code will move the string pointer back 1 character, thereby
pointing to an invalid memory space

correct the parser to detect this condition and handle it by treating it
as if the comma doesn't exist (i.e. an empty long oid name)

(cherry picked from commit a552c23c6502592c1b3c67d93dd7e5ffbe958aa4)

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23034)

(cherry picked from commit d802bfbf80bab00123a4a6209f255852b3a10207)

CONTRIBUTING.md: add reference to util/check-format.pl and fix several nits

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22911)

(cherry picked from commit 260d97229c467d17934ca3e2e0455b1b5c0994a6)

doc: fix list display in man page

"=over 1" is too small. Use "=over 2" so that list items are
displayed correctly in the generated man-page.

You can check the man-page using the following command:

cd doc && pod2man man3/OSSL_PARAM_int.pod | man /dev/stdin

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/22974)

(cherry picked from commit 7f4bf1857321d2a2ebcbbb2742946a965e463b79)

Enable BTI feature for md5 on aarch64

Fixes: #22959
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22971)

(cherry picked from commit ad347c9ff0fd93bdd2fa2085611c65b88e94829f)

ossl-params: check length returned by strlen()

In param_build.c, the functions OSSL_PARAM_BLD_push_utf8_string() and
OSSL_PARAM_BLD_push_utf8_ptr() use strlen() to compute the length of
the string when bsize is zero. However, the size_t returned by
strlen() might be too large (it is stored in an intermediate "int"),
so check for that.

There are analogous functions in params.c, but they do not use an
intermediate "int" to store the size_t returned by strlen(). So there
is some inconsistency between the implementations.

Credit to Viktor D and Tomas M for spotting these missing checks.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22967)

(cherry picked from commit d4d6694aa710c9970410a6836070daa6486a0ac0)

provider-storemgmt.pod: fix nits (unclosed '<' around name)

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22942)

(cherry picked from commit a149e8e108263718daede1858d2855d68dde5652)

Fix a possible memleak in opt_verify

The ASN1_OBJECT otmp was leaked if X509_VERIFY_PARAM_add0_policy fails.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22922)

(cherry picked from commit d6688e45fa2f987f3ffd324e19922468beee5ddc)

Fix a possible memleak in apps/rehash.c

The OPENSSL_DIR_end was missing in case of error.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22920)

(cherry picked from commit 01709fcb8b609cfc47e277d20492c333bafb113e)

Fix a possible memleak in smime_main

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22919)

(cherry picked from commit ba4d833f6e24a83bc3e74ba55f52d8916b70fb59)

Fix a possible memleak in cms_main

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22918)

(cherry picked from commit 3457a550c64ab8009c7cd0175675ac140cab33c2)

Don't attempt to set provider params on an ENGINE based cipher

If an ENGINE has been loaded after the SSL_CTX has been created then
the cipher we have cached might be provider based, but the cipher we
actually end up using might not be. Don't try to set provider params on
a cipher that is actually ENGINE based.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/22865)

Add a test for late loading of an ENGINE in TLS

Confirm that using an ENGINE works as expected with TLS even if it is
loaded late (after construction of the SSL_CTX).

(cherry picked from commit a9c97da4910648790387d035afb12963158778fb)

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/22865)

Add a test case for OSSL_HTTP_parse_url

Ensure we test the case where the port value is empty in the URL.

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/22961)

(cherry picked from commit a36d10dfb7e77614c8d3da602ff3800a2e9f4989)

Fix some invalid use of sscanf

sscanf can return -1 on an empty input string. We need to appropriately
handle such an invalid case.

The instance in OSSL_HTTP_parse_url could cause an uninitialised read of
sizeof(unsigned int) bytes (typically 4). In many cases this uninit read
will immediately fail on the following check (i.e. if the read value
>65535).

If the top 2 bytes of a 4 byte unsigned int are zero then the value will
be <=65535 and the uninitialised value will be returned to the caller and
could represent arbitrary data on the application stack.

The OpenSSL security team has assessed this issue and consider it to be
a bug only (i.e. not a CVE).

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/22961)

(cherry picked from commit 322517d817ecb5c1a3a8b0e7e038fa146857b4d4)

Extend the test of BN_GF2m_mod_inv

Test that input value of 1 for p is treated as an error

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/22960)

(cherry picked from commit b83c719ecb884f609ade7ad7f52bd5e09737585b)

Avoid an infinite loop in BN_GF2m_mod_inv

If p is set to 1 when calling BN_GF2m_mod_inv then an infinite loop will
result. Calling this function set 1 when applications call this directly
is a non-sensical value - so this would be considered a bug in the caller.

It does not seem possible to cause OpenSSL internal callers of
BN_GF2m_mod_inv to call it with a value of 1.

So, for the above reasons, this is not considered a security issue.
Reported by Bing Shi.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/22960)

(cherry picked from commit 9c1b8f17ce2471ca37ee3936d07aed29aab10975)

Fix a possible memory leak in do_othername

Since the gen->type will not be set in a2i_GENERAL_NAME
the gen->d.otherName will not be automatically
cleaned up by GENERAL_NAME_free.
Also fixed a similar leak in a2i_GENERAL_NAME,
where ASN1_STRING_set may fail but gen->d.ia5
will not be automatically cleaned up.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22996)

(cherry picked from commit 1c078212f1548d7f647a1f0f12ed6df257c85cc3)

doc: improve documentation of EVP in-place encryption

The EVP interface explicitly allows in-place encryption/decryption,
but this fact is just 'partially' documented in `EVP_EncryptUpdate(3)`
(pun intended): the manual page mentions only operation failure in
case of 'partial' overlaps. This is not even correct, because
the check for partially overlapping buffers is only implemented
in legacy code paths.

Currently, in-place encryption/decryption is only documented for
RSA (`RSA_public_encrypt(3)`) and DES (`DES_ecb_encrypt(3)`), as
well as in the provider interface (`provider-cipher(7)`).

This commit amends `EVP_EncryptUpdate(3)` and `provider-cipher(7)`
to make the front-end and back-end documentation consistent.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/22875)

(cherry picked from commit 6ebdbba76a45294e22006ede1442847cdee24f03)

test/recipes/01-test_symbol_presence.t: Treat common symbols specially

Common symbols (type 'C' in the 'nm' output) are allowed to be defined more
than once. This makes test/recipes/01-test_symbol_presence.t reflect that.

(backport of commit 4ff5137ff5fb896e0273d274110517e3c7adb8cf)

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22929)

test/recipes/01-test_symbol_presence.t: Ignore symbols starting with '__'

On some platforms, the compiler may add symbols that aren't ours and that we
should ignore.

They are generally expected to start with a double underscore, and thereby
easy to detect.

(backport of commit 6c63b7e861819db439551b52ea5594faec04b65c)

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22929)

Add the 'run_tests' target to the Windows build file template as well

For some reason, it was added to the Unix and VMS build templates, but
Windows was forgotten.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22948)

Make sure that the test / tests build target run 'run_tests' last

Fixes #22943

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22948)

Configure: Refuse to make directories in the source tree

Fixes #22907

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22934)

Modify 'out-of-source-and-install' to work with a read-only source tree

Fixes #22907

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22934)

Add overflow checks to parse_number/parse_hex/parse_oct

Test the next arithmetic operation to safely determine if adding the
next digit in the passed property string will overflow

Also, noted a bug in the parse_hex code. When parsing non-digit
characters (i.e. a-f and A-F), we do a tolower conversion (which is
fine), and then subtract 'a' to get the hex value from the ascii (which
is definately wrong). We should subtract 'W' to convert tolower
converted hex digits in the range a-f to their hex value counterparts

Add tests to test_property_parse_error to ensure overflow checks work

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/22874)

(cherry picked from commit 986c48c4eb26861f25bc68ea252d8f2aad592735)

Statically link legacy provider to evp_extra_test

Like in #17345, evp_extra_test links libcrypto statically, but also has
a dynamic/shared load via the legacy provider, which leads to ambiguous
behavior in evp_extra_test on some platforms, usually a crash (SIGSEGV)
on exit via the atexit handlers. Statically link the legacy provider to
avoid this.

Fixes #22819

Helped-by: Neil Horman <nhorman@openssl.org>
Helped-by: Tomas Mraz <tomas@openssl.org>
Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22904)

(cherry picked from commit 426d34fc1302eb0d2f5a6152621c105ea2d198b6)

rehash.c: Do not use NAME_MAX limit

On some systems it is too small although the system allows longer
filenames.

Fixes #22886

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22889)

(cherry picked from commit de8e0851a1c0d22533801f081781a9f0be56c2c2)

Make 'openssl list' less sensitive for providers without params

When a provider can't return parameters, make that a warning instead of an
error, and continue to list further providers.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/22866)

(cherry picked from commit 7ebaab7689f66ede1f960c42be3446922e3f5e21)

Add a minimal test provider

We test its validity by trying to load it.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/22866)

(cherry picked from commit 31c2c12f2dada75c334f6a9aa60c8424cf4fd040)

After initializing a provider, check if its output dispatch table is NULL

If the provider's output dispatch table is NULL, trying to parse it causes a
crash. Let's not do that.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/22866)

(cherry picked from commit 8fa65a6648554087a67102372e5e6c8b0fae0158)

Fix a possible memory leak in CMS_add_simple_smimecap

The return code of X509_ALGOR_set0 was not checked,
and if it fails the key will be leaked.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/22741)

Fix detection on HP-UX (IA64)

HPE has a weird preference to prefix letters and zero-padding. Properly trim
them before processing.

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22891)

(cherry picked from commit 253c5667a92efbbd1498b2f5b883da23c11b8930)

doc: improve display of KECCAK-KMAC128, KECCAK-KMAC256 defs

Do not allow mid-expression line breaks.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22814)

(cherry picked from commit 8da20b30da42fa8ceb070c6d293fe85e70e68428)

Don't free aliased pointers in ctx cmp_ctx tests

Coverity recorded issues 1551739 and 1551737, a potential double free in the
tests. It occurs when the DUP operation fails in such a way val3_read is
returned as the same pointer as val2_read. Ideally it should never
happen, but resetting val3_read to 0 should satisfy coverity that there
is no issue here

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/22800)

(cherry picked from commit c8ca810da9c47d8cb6988fd14e1cb4e20b0877e8)

Add locking to CRYPTO_secure_used

Coverity issue 1551719 noted CRYPTO_secure_used referenced a shared
variable without taking the appropriate read lock. Add that.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/22802)

(cherry picked from commit 7eae6ee0e503b0961d4f2e75baac981f2766b892)

evp-cmac: do not seg-fault when getting mac-size before init

Add null check to cmac_size(). This avoids a seg-fault encountered
with cmac when EVP_MAC_CTX_get_mac_size() is called before init.

Extend mac testing in evp_test.c to check that the sizes returned by
EVP_MAC_CTX_get_mac_size() before and after init make sense (this also
ensures that we no longer seg-fault).

Fixes #22842

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22858)

(cherry picked from commit ff181969e28c1503b077b47a9ded3683524b3fd8)

Fix a possible memory leak in make_receipt_request

When the CMS_ReceiptRequest cannot be created,
the rct_to and rct_from may be leaked.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22742)

(cherry picked from commit bed7a878107818c297301c6602013d364b266c67)

Fix a possible use after free in X509v3_asid_add_id_or_range

And clean up partially created choice objects, which have
still the default type = -1 from ASIdentifierChoice_new().

Fixes #22700

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22745)

(cherry picked from commit 49e9436af3d85963fd6156b7d6f33e0734bf5ba9)

rsa-doc: fix typo

"d_i in RFC8017" -> "d_i" in RFC8017

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22868)

(cherry picked from commit c89b553bdc2587b483f38aa1ab2b142cc078343d)

doc: Minor typo in SSL_CTX_set_tmp_dh_callback docs.

well know -> well known

CLA: trivial

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22778)

(cherry picked from commit db04cf25f3e0dda77a3b054ae12ae1874b1ae977)

Initialize dstctx->mgf1_md to NULL in rsa_dupctx function

Signed-off-by: lan1120 <lanming@huawei.com>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22795)

(cherry picked from commit f95e3a09173b13dcfae668be6103e64c02222f08)

bn_nist: Fix strict-aliasing violations in little-endian optimizations

The little-endian optimization is doing some type-punning in a way
violating the C standard aliasing rule by loading or storing through a
lvalue with type "unsigned int" but the memory location has effective
type "unsigned long" or "unsigned long long" (BN_ULONG). Convert these
accesses to use memcpy instead, as memcpy is defined as-is "accessing
through the lvalues with type char" and char is aliasing with all types.

GCC does a good job to optimize away the temporary copies introduced
with the change. Ideally copying to a temporary unsigned int array,
doing the calculation, and then copying back to `r_d` will make the code
look better, but unfortunately GCC would fail to optimize away this
temporary array then.

I've not touched the LE optimization in BN_nist_mod_224 because it's
guarded by BN_BITS2!=64, then BN_BITS2 must be 32 and BN_ULONG must be
unsigned int, thus there is no aliasing issue in BN_nist_mod_224.

Fixes #12247.

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22816)

(cherry picked from commit 990d9ff508070757912c000f0c4132dbb5a0bb0a)

Fix EVP_RAND-SEED-SRC documentation example

Fixes #22810

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22857)

(cherry picked from commit 58d926213f00ba7046d0868de8b37929aa067a1f)

Add self-hosted runners

Added self-hosted runners for freebsd-x86_64 and ubuntu-aarch64.

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Anton Arapov <anton@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22804)

(cherry picked from commit 6b7a11d8aa7abe50e6ebdd09a238e0a0df8cd228)

Add last missing TLSA usage/selector/mtype test case

There were no PKIX-TA(0) SPKI(1) Full(0) (i.e. "0 1 0") test cases in
"danetest.in".

There is now at least a success case, which will exercise freeing the public
key after it is sanity checked, since with PKIX-TA(0) there's nothing we can do
with just the raw public key, a full chain to a local trust anchor is in any
case required.

The failure (to match) code path is already well oiled, but failure to decode
while adding malfored TLSA records could still use some additional tests...

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22821)

(cherry picked from commit c8fe4b5948486e792016208f7c8ccea9c380f354)

Fix freshly introduced double-free.

We don't need the decoded X.509 Full(0) certificate for the EE usages 1 and 3,
because the leaf certificate is always part of the presented chain, so the
certificate is only validated as well-formed, and then discarded, but the
TLSA record is of course still used after the validation step.

Added DANE test cases for: 3 0 0, 3 1 0, 1 0 0, and 1 1 0

Reported by Claus Assmann.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22821)

(cherry picked from commit f636e7e6bd8e06c6d84e42729b4131b4f5df488f)

Fix a possible memory leak in ct_move_scts

Instead of trying to move the doomed sct back
to the src stack, which may fail as well, simply
free the sct object, as the src list will be
deleted anyway.

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22762)

(cherry picked from commit a435d786046fabc85acdb89cbf47f154a09796e1)

x86_64-xlate.pl: Fix build with icx and nvc compilers

Fixes #22594

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22714)

(cherry picked from commit 1da7c09f7987a227701b6324e56003a89e9febf2)

Move freeing of an old enc_write_ctx/write_hash to dtls1_clear_sent_buffer

When we are clearing the sent messages queue we should ensure we free any
old enc_write_ctx/write_hash that are no longer in use. Previously this
logic was in dtls1_hm_fragment_free() - but this can end up freeing the
current enc_write_ctx/write_hash under certain error conditions.

Fixes #22664

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2261)

zero data in hm_fragment on alloc

if we allocate a new hm_frament in dtls1_buffer_message with
dtls1_hm_fragment_new, the returned fragment contains uninitalized data in the
msg_header field. If an error then occurs, and we free the fragment,
dtls_hm_fragment_free interrogates the msg_header field (which is garbage), and
potentially references undefined values, or worse, accidentally references
available memory that is not owned, leading to various corruptions.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2261)

Add negative test for key length change

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 1aa08644ecd4005c0f55276b2e8dabd8a2a758f0)

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/22613)

Add negative test for iv length change

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 82750a0826cd4728f40df9ef31b3294d83aaafe0)

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/22613)

update/final: Return error if key is not set

Also make sure the key is not set if the key
length is changed on the context after the key was
set previously.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 3a95d1e41abf2e8eb0f6f07003bac844950bfaae)

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/22613)

When changing IV length invalidate previously set IV

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit eddbb78f4e5196eee33b2fd3d6adeabb69d52eb7)

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/22613)

Cross Compiles CI: Run evp tests on pull requests

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22750)

(cherry picked from commit 0414f89d5c5187260cca63c2066580ba90c44426)

contributing-doc: give example commit message with "CLA: trivial"

The text "CLA: trivial" should go at the bottom of the commit message.
Also, update the force-push command to include the repository and
branch, which can avoid unexpected force-push results.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22775)

(cherry picked from commit cad48c5b0f7180c5fab8db70feb07e0846d80d67)

Adapt C compiler detection for VSI C on x86_64

VSI C on OpenVMS for x86_64 has a bit more information than on other
hardware.  This is no doubt because it's based on LLVM which leaves an
opening for cross compilation.

VSI C on Itanium:

    $ CC/VERSION
    VSI C V7.4-001 on OpenVMS IA64 V8.4-2L3

VSI C on x86_64:

    $ CC/VERSION
    VSI C x86-64 X7.4-843 (GEM 50XB9) on OpenVMS x86_64 V9.2-1

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22792)

(cherry picked from commit df5e72d220d9c8b9316b1ce8e8c8bdf23c7201f0)

Fix a possible memory leak in SM2 provider

ctx->propq that strdup from input parameter propq in sm2sig_newctx,
is not released. It should be released in sm2sig_freectx and copied
to dstctx in sm2sig_dupctx. And dstctx->id and dstctx->propq should
be set NULL to avoid releasing id/propq of srcctx when err occurs.

Signed-off-by: Huiyue Xu <xuhuiyue@huawei.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22796)

(cherry picked from commit e7d34d7ae32f16abbd79a49072cff580bee32269)

doc: fix description of mac "block-size" parameter

The macro for "block-size" is OSSL_MAC_PARAM_BLOCK_SIZE, and this
parameter is not settable. Refer to the "customization string" rather
than the "custom value" (in the Blake2 spec, this is called the
personalization string).

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22763)

(cherry picked from commit 1750689767cc922bdbe73358f7256475f0838c67)

doc: better description of KECCAK-KMAC XOF

KECCAK-KMAC-128 and KECCAK-KMAC-256 are extendable output functions
that have been defined because they are convenient for implementing
KMAC. Give definitions for them so that users aren't left to figure
that out themselves. KECCAK-KMAC-128 is very similar to SHAKE-128,
and KECCAK-KMAC-256 is very similar to SHAKE-256.

Related to #22619.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22755)

(cherry picked from commit f1bea887ef17802a2d83e9289e812c00fd0f0523)

Update OpenSSL logos

Add two new files

  doc/images/openssl-square.svg
  doc/images/openssl-square-nontransparent.png

and update the existing file

  doc/images/openssl.svg

The "square" versions of the logo write "Open" and "SSL" on separate
lines, so that less horizontal space is used.

The png file (nontransparent, white background) can be used to update
the profile picture for the OpenSSL organization on GitHub.

For the existing logo, openssl.svg, the subtitle "Cryptography and
SSL/TLS Toolkit" has been dropped and the text-elements have been
converted to paths (so they are no longer dependent on what fonts the
renderer provides).

The svg files were provided by Anton A.

Part of https://github.com/openssl/project/issues/262

Reviewed-by: Anton Arapov <anton@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22626)

(cherry picked from commit 339e5cb0be8e57372548401a998d2e5145cfc7eb)

Fix possible memleak in PKCS7_add0_attrib_signing_time

When PKCS7_add_signed_attribute fails, the ASN1_TIME
object may be leaked when it was not passed in as
input parameter.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22772)

(cherry picked from commit 7d52539f00144cb410c4e9d8da0b9574c0badb19)

Fix a possible use-after-free in custom_exts_free

This may happen when ssl_cert_dup calls custom_exts_copy, where
a possible memory allocation error causes custom_exts_free
to be called twice: once in the error handling of custom_exts_copy
and a second time in the error handling of ssl_cert_dup.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22772)

(cherry picked from commit bc0773bbbd4d3ace6957385f1f22a5cda25dc94f)