git.openssl.org Git - openssl.git/log

APPS/cmp: prevent HTTP client failure on -rspin option with too few filenames

The logic for handling inconsistent use of -rspin etc., -port, -server,
and -use_mock_srv options proved faulty. This is fixed here, updating and
correcting also the documentation and diagnostics of the involved options.

In particular, the case that -rspin (or -rspout. reqin, -reqout) does not
provide enough message file names was not properly described and handled.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20295)

(cherry picked from commit 1f757df1f3de0c18cc22a4992d66e9a7b113f61d)

Correct the CHANGES entry for CVE-2023-1255

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/20798)

(cherry picked from commit e6990079c2413625d2039ebed49ea17a5b8cf935)

Fix regression of no-posix-io builds

Instead of using stat() to check if a file is a directory
we just skip . and .. as a workaround.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/20786)

(cherry picked from commit 3155b5a90e6ad9c7369d09e70e81686f4b321a73)

Fix calling pthread_key_delete on uninitialized data

default_context_do_init may be never called and CRYPTO_THREAD_init_local
inside it may be never called too. But corresponding
CRYPTO_THREAD_cleanup_local is always called at cleanup stage. This lead
to undefined behavior.

So, add flag to check that default_context_do_init will be called
successfully or not.

Fix: #20697

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20801)

(cherry picked from commit 31295ca02c0a2d7209a33047c7f6dd1dabc12c93)

fips: setup the FIPS provider in pendantic mode for testing

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20762)

(cherry picked from commit c04e78f0c69201226430fed14c291c281da47f2d)

test: update ssl_new tests in line with pedantic FIPS policy

Add a new option to the `test' section of SSL test data structure.
This contains a space separated list of version checks, all of which must
pass.

Note that the version checks are as they as because:

- 3.1.0 doesn't have mandatory EMS support, so it can run the old tests.
- 3.1.1 (& later) will have mandatory EMS support, so they can't run them.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20762)

(cherry picked from commit 4454c20f026bb47f158ea05c207f143c81d674d8)

test: update TLS PDF tests in line with pedantic FIPS policy

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20762)

(cherry picked from commit e07999369a13a29243f34cbd5d24281783984299)

test: update evprand tests in line with pedantic FIPS policy

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20762)

(cherry picked from commit cf3d5c2fbaf734731b1ccbd3a84e21eeb6d0f30d)

sslapi: use correct fipsmodule.cnf

The SSL API tests copies fipsmodule.cnf and modifies it. Unfortunately, it
grabbed the wrong instance of this file.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20762)

(cherry picked from commit bc5d9502c5f3c726e42ef72263a4076fd48300d6)

Bump actions/setup-python from 4.5.0 to 4.6.0

Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.5.0 to 4.6.0.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](https://github.com/actions/setup-python/compare/v4.5.0...v4.6.0)

---
updated-dependencies:
- dependency-name: actions/setup-python
dependency-type: direct:production
update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
CLA: trivial

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20792)

(cherry picked from commit 3ac96c8f715672ff77025d48b5773f5de4f84215)

Fix checking return code of EVP_PKEY_get_int_param at check_curve

According to docs, EVP_PKEY_get_int_param should return 1 on Success, and
0 on Failure. So, fix checking of this return value at check_curve

CLA: trivial

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20770)

(cherry picked from commit 4e5f3d691343a691ddae739c51f7ae71e9893c98)

aesv8-armx.pl: Avoid buffer overrread in AES-XTS decryption

Original author: Nevine Ebeid (Amazon)
Fixes: CVE-2023-1255
The buffer overread happens on decrypts of 4 mod 5 sizes.
Unless the memory just after the buffer is unmapped this is harmless.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/20759)

(cherry picked from commit 72dfe46550ee1f1bbfacd49f071419365bc23304)

test: test -pedantic option in fipsinstall

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20752)

(cherry picked from commit c8093347f736c7991350d26048b680d0e64974a0)

doc: document the -pedantic option to fipsinstall.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20752)

(cherry picked from commit d30fec6ff438f73f4e255b0b9c6af3ea57ec122a)

fipsinstall: add -pedantic option

This adds a -pedantic option to fipsinstall that adjusts the various
settings to ensure strict FIPS compliance rather than backwards
compatibility.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20752)

(cherry picked from commit bc2a4225a4a03f70bb0154a72c2889aa80c1b0f6)

Configurations/descrip.mms.tmpl: Fix a few typos

These typos caused failed propagation of the 'cflags' attribute from
Configurations/10-main.conf.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20737)

(cherry picked from commit 04e0abc8bb1c24534d16cc930b611ac1d03bc9bf)

Fix broken links in crypto manpage

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20741)

(cherry picked from commit d79b6104ae947b8749623d3152c309f398387a54)

CMP cert_response(): add missing rejection status on client rejecting new cert

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20257)

(cherry picked from commit 44e816bd540c8687c1b4995febbde2626a655338)

cmp_client_test.c: add tests for errors reported by server on subsequent requests in a transaction

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20257)

(cherry picked from commit 154625e1090b18c8c306a6b7a6970dbab185c49d)

ossl_cmp_mock_srv_new.pod: correct/update names of internal test support functions

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20257)

(cherry picked from commit 7439661627b8009f69b13c57b7372286e85a2805)

OSSL_CMP_SRV_process_request(): fix recipNonce on error in subsequent request of a transaction

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20257)

(cherry picked from commit 7cd91d221f630f18eb2cc5c01c4204e31c0a15aa)

cmp_ctx.c: fix wrong comments on OSSL_CMP_CTX_set1_{recipient,issuer}

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20257)

(cherry picked from commit 56d5c55de779f35d4e66ae4b791ef1488ab1f57a)

CMP check_transactionID_or_nonce(): fix reason code on unmatched recipNonce

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20257)

(cherry picked from commit 40eea44884dff96ffd753bfe66c025145a69191b)

ossl_cmp_msg_check_update(): fix two wrong error return values (-1 instead of 0)

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20257)

(cherry picked from commit 2eb7a11035144b5556b81aa7e8233927165a5880)

test_get_libctx(): prevent crash when called with NULL provider arg

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20257)

(cherry picked from commit 40f3a606b1671d417b63a902dab205e7906dbccd)

crypto/cmp: fix CertReqId to use in p10cr transactions acc. to RFC 4210

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20298)

(cherry picked from commit 25b18e629d5cab40f88b33fd9ecf0d69e08c7707)

bn_local: remove unused `PTR_SIZE_INT` definition

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20748)

(cherry picked from commit dcfeb617477dd957f69e713cbc61fd4dca0f2db4)

bn_nist: remove unused type-punning union `u`

We no longer need to cast function pointers to PTR_SIZE_INT.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20748)

(cherry picked from commit f659f7a1c70709caa1727bb0b7f836d170d35bb5)

bn_nist: replace pointer bit-fiddling with ternary

Bit-fiddling pointers is technically implementation defined behavior
in the C specification so the following code is not supported in all
platforms:

    PTR_SIZE_INT mask;
    void * a, b, c;
    int boolean_flag;

    mask = 0 - boolean_flag;
    /* Not guaranteed to be a valid ptr to a or b on all platforms  */
    a = (void *)
        ((((PTR_SIZE_INT) b & ~mask) | (((PTR_SIZE_INT)) c & mask)));

Using a ternary conditional operator is supported on all platforms
(i.e. `a = boolean_flag ? b : c;`).

On most modern compilers/CPUs, this will be faster, since it will
get converted to a CMOV instruction.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20748)

(cherry picked from commit 326af4ad171b849ba1e76fd425d8f337718c4108)

adding provider_unload functions for cmp_ tests

CLA: trivial

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20731)

(cherry picked from commit 8835940db58229fc467cdea1eebf3f064352a086)

List also non-fetchable hashes in openssl dgst -list

CLA: trivial

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20651)

(cherry picked from commit 7eab7680ee61c64b2ae7acd9dd199ab6734f3d1f)

Fix the LCM computation in the RSA multiprime key check

Fixes #20693

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/20708)

(cherry picked from commit efbff4de3e259cee71a4e1bbd86b30ebd86bbdae)

doc: Fix incorrect pairing of functions

CLA: trivial

The functions that should be implemented together are `OSSL_FUNC_signature_verify_recover_init` and `OSSL_FUNC_signature_verify_recover` and not `OSSL_FUNC_signature_verify_recover_init` with ` OSSL_FUNC_signature_verify_init`

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20704)

(cherry picked from commit 51b941ac290864103d00a3d6a3018372b58b01f4)

doc: Fix misleading stucture info

CLA: trivial

The thing created by `OSSL_FUNC_signature_newctx()` and `OSSL_FUNC_signature_dupctx()` is a signature context, not a signature. It's in the name of the function and surrounding documentation.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20705)

(cherry picked from commit b2023d5dfc957cf5a3cfca16961f97e79842b941)

Fixes #19580 ECX keygen

Signed-off-by: Yuan, Shuai <shuai.yuan@intel.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20680)

(cherry picked from commit 40f4884990a1717755df366e2aa06d01a1affd63)

Updated return value of PEM_write_TYPE() and PEM_write_bio_TYPE() in man-pages.

Fixes #20218

CLA: trivial

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20673)

(cherry picked from commit dfb8e185134df90fd3f21fb6ec625e7c295fdcea)

Alternative fix for CVE-2022-4304

This is about a timing leak in the topmost limb
of the internal result of RSA_private_decrypt,
before the padding check.

There are in fact at least three bugs together that
caused the timing leak:

First and probably most important is the fact that
the blinding did not use the constant time code path
at all when the RSA object was used for a private
decrypt, due to the fact that the Montgomery context
rsa->_method_mod_n was not set up early enough in
rsa_ossl_private_decrypt, when BN_BLINDING_create_param
needed it, and that was persisted as blinding->m_ctx,
although the RSA object creates the Montgomery context
just a bit later.

Then the infamous bn_correct_top was used on the
secret value right after the blinding was removed.

And finally the function BN_bn2binpad did not use
the constant-time code path since the BN_FLG_CONSTTIME
was not set on the secret value.

In order to address the first problem, this patch
makes sure that the rsa->_method_mod_n is initialized
right before the blinding context.

And to fix the second problem, we add a new utility
function bn_correct_top_consttime, a const-time
variant of bn_correct_top.

Together with the fact, that BN_bn2binpad is already
constant time if the flag BN_FLG_CONSTTIME is set,
this should eliminate the timing oracle completely.

In addition the no-asm variant may also have
branches that depend on secret values, because the last
invocation of bn_sub_words in bn_from_montgomery_word
had branches when the function is compiled by certain
gcc compiler versions, due to the clumsy coding style.

So additionally this patch stream-lined the no-asm
C-code in order to avoid branches where possible and
improve the resulting code quality.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20282)

Revert "Fix Timing Oracle in RSA decryption"

This reverts commit 8022a4799fe884b3bf8d538e2b4c4ec323663118.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20282)

Erase temporary buffer in EVP_PKEY_get_bn_param()

Function EVP_PKEY_get_bn_param() uses temporary buffer (on stack or
heap allocated) to store serialized bignum, but after deserializing it
into BIGNUM*, the buffer is not erased and may contain sensitive data.

This change makes sure the buffer is erased if it was successfully
filled before. Unfortunately, it does not distinguish between public and
private key components, and will always erase the buffer.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20639)

(cherry picked from commit 34e4a962bca998cc2d6eb4be721153fbde2f4c35)

Don't call OPENSSL_init_crypto from inside a RUN_ONCE

Calling OPENSSL_init_crypto from inside a RUN_ONCE seems like a bad idea.
This is especially bad if OPENSSL_init_crypto can recursively end up
attempting to call the RUN_ONCE that we're already inside.

The initialisation in OPENSSL_init_crypto is already "run once" protected.
There is no need to protect it "twice".

Fixes #20653

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20662)

Avoid calling into provider with the same iv_len or key_len

Fixes #20625

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20664)

(cherry picked from commit eb52450f5151e8e78743ab05de21a344823316f5)

Make DSA_sign() test for negative p,q,g values.

Related to #20268

DSA_sign() assumes that the signature passed in is related to DSA_size().
If q is negative then DSA_size() actually fails and returns 0.

A test that tries to allocate the signature buffer using DSA_size() and then
pass it to DSA_sign() will then either.

(1) Have a signature buffer of NULL. In this case it was leaking data
returned via i2d_DSA_SIG.

(2) Cause a seg fault because we created a buffer that was not large
enough to hold the signature. As it already checked zero we also now
check for negative values also.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20553)

(cherry picked from commit 9559ad0e8d433a2a212b63cc848fa2ac82a9b048)

Incorrect null pointer check

CLA: trivial
There is an incorrect null pointer check and this ccommit resolves it.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20646)

(cherry picked from commit 6469043bbabc9728aed61d7708c32e2ae319be1d)

Fix mem leak in ECDSA_sign().

Similiar to the issue found in PR #20553 for DSA_sign().
ECDSA_sign() leaked memory if the signature was NULL
when i2d_ECDSA_SIG was called.

Note that this does not affect the higher level EVP
functions as they correctly handle NULL.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20554)

(cherry picked from commit 4befe81a99b89c52b749a87eece82c1cba4fab12)

doc: Fix typo in EVP_EncryptInit.pod

CLA: trivial

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20645)

(cherry picked from commit 027226eb229c41d7066366a8b9ef8241da7500bd)

Add a test for an app data record appearing before epoch change in DTLS

We had a test for a handshake record appearing before epoch change, and
a test for an app data record appearing before Finished - but not one for
the app data record appearing before epoch change.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20637)

Handle app data records from the next epoch

It is possible that DTLS records are received out of order such that
records from the next epoch arrive before we have finished processing the
current epoch. We are supposed to buffer such records but for some reason
we only did that for handshake and alert records. This is incorrect since
it is perfectly possible for app data records to arrive early too.

Fixes #20597

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20637)

SM4 check should be for __aarch64__, not __ARM_MAX_ARCH__ >= 8

(And then __arm__ and __arm tests are redundant)

Fixes #20604 for 3.1 branch

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20624)

Fix: some patches related to error exiting

Fixes #20613

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20615)

Declare FIPS option functions in their own header

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20521)

(cherry picked from commit 30ab774770a7e8547b0d6363b63a73cc80f33a7b)

test: test -drbg_allow_truncated_digests option

Verify that the option produces the correct output in the FIPS configuration
file and that the default is as expected.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20521)

(cherry picked from commit 78bcbc1ea440feac3e9a3292dba4b055b81ca29e)

Let fipsinstall know about DRBG digiest limiting

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20521)

(cherry picked from commit b345dbed28701f8aab06b0271603186127499928)

changes: note the banning of truncated hashes with DRBGs

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20521)

(cherry picked from commit 808b30f6b60da3e92283e315f2e6f0e574a62080)

doc: note the restriction on digests used by DRBGs in FIPS mode.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20521)

(cherry picked from commit e14fc22c90ce5a9e6d66d8658fc6bb37f95019da)

DRBG: restrict the digests that can be used with HMAC and Hash DRBGs.

According to FIP 140-3 IG D.R: https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf

Outside of FIPS, there remains no restriction other than not allowing
XOF digests.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20521)

(cherry picked from commit f553c0f0dd24f037f31d971a99a1ffe7a11f64e6)

fips: rework the option handling code

Add option for restricting digests available to DRBGs.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20521)

(cherry picked from commit 83ccf81b1dd8886d54c570354ef8c532af4c514f)

Fix documentation of X509_VERIFY_PARAM_add0_policy()

The function was incorrectly documented as enabling policy checking.

Fixes: CVE-2023-0466
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20562)

Updated CHANGES.md and NEWS.md for CVE-2023-0465

Also updated the entries for CVE-2023-0464

Related-to: CVE-2023-0465
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20586)

Add a Certificate Policies Test

Test that a valid certificate policy is accepted and that an invalid
certificate policy is rejected. Specifically we are checking that a
leaf certificate with an invalid policy is detected.

Related-to: CVE-2023-0465
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20586)

Ensure that EXFLAG_INVALID_POLICY is checked even in leaf certs

Even though we check the leaf cert to confirm it is valid, we
later ignored the invalid flag and did not notice that the leaf
cert was bad.

Fixes: CVE-2023-0465
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20586)

Generate some certificates with the certificatePolicies extension

Related-to: CVE-2023-0465
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20586)

`EVP_PKEY_CTX_dup` segmentation fault fix

CLA: trivial
The the provider, context duplication method for signature, key
exchange, asymmetric cipher, and key encapsulation is optional. But if
they are missing, we will get a segmentation fault in `EVP_PKEY_CTX_dup`
because they are called without null pointer checking.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20581)

(cherry picked from commit 864c70e43ea5f1d7fe20bfea457e53e79fd46b6e)

CMP add: fix -reqin option, which requires adding OSSL_CMP_MSG_update_recipNonce()

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20204)

(cherry picked from commit b75d56dee09ac6f1fdb75169da891668cf181066)

apps/cmp.c: make sure that last -reqin argument is actually used

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20204)

(cherry picked from commit d27f73ad31691d81715b4affe01264fa10f5da9e)

CMP app: improve doc and help output on -{req,rsp}{in,out} options

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20204)

(cherry picked from commit 44190234e4f65038f5b093306779a04e79fbd8cd)

Update the EVP_PKEY_get_id documentation

The documentation didn't mention the development where EVP_PKEY_get_id()
returns a negative value for provider-only implementations, and the
migration guide didn't mention how to cope with that.

Fixes #20497

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20501)

(cherry picked from commit a2a543e0e3ec277d136772b4b0e0bb3d1181d337)

CMP app and doc: improve texts on (un-)trusted certs, srvCert, etc.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20277)

(cherry picked from commit d5e50bdf87053d99e8fce50ac57d94bbed571b56)

tls1_set_groups_list: freeing *pext before overwriting

calling SSL_CTX_set1_groups_list() twice on one SSL_CTX* caused a memory
leak visible in valgrind:
  4 bytes in 1 blocks are definitely lost in loss record 1 of 1
     at 0x4841888: malloc (vg_replace_malloc.c:381)
     by 0x4B1EE96: CRYPTO_memdup (in libcrypto.so.3)
     by 0x48993A0: tls1_set_groups_list (in libssl.so.3)
     by 0x487AA7E: ssl3_ctx_ctrl (in libssl.so.3)
     by 0x1091EA: main (mem_leak.c:10)

  LEAK SUMMARY:
     definitely lost: 4 bytes in 1 blocks

Freeing *pext to fix it.

CLA: trivial

Signed-off-by: Peter Kaestle <peter.kaestle@nokia.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20317)

(cherry picked from commit fcf3a9f7c6a10acb2d92f03aec5e45df7dd712d5)

OBJ_nid2obj(): Return UNDEF object instead of NULL for NID_undef

Fixes a regression from 3.0 from the obj creation refactoring.

Fixes #20555

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20556)

(cherry picked from commit 908ba3ed9adbb3df90f7684a3111ca916a45202d)

Disable the policy tree exponential growth test conditionally

If there is no EC specified, the test won't pass.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20572)

(cherry picked from commit f5935fcf8e4bc2191ac4a32e5b7ec32817642f1e)

VC++ 2010 x86 compilers do not have InterlockedOr64

The changes from the following commit should also apply to
Visual Studio 2010
https://github.com/openssl/openssl/commit/2d46a44ff24173d2cf5ea2196360cb79470d49c7#r104867505

Fixes build errors: undefined symbol InterlockedOr64
on Windows 2003, Visual Studio 2010 for x86 target.

CLA: trivial

Signed-off-by: Georgi Valkov <gvalkov@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20557)

(cherry picked from commit 8bdc3708964814ea0b7002df020fbd459e3a813f)

Do not build P10-specific AES-GCM assembler on macOS

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20543)

(cherry picked from commit 175645a1a695017a312155a2c1d864ad8bff4eaa)

changes: note about policy tree size limits and circumvention

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20570)

test: add test cases for the policy resource overuse

These trees have pathological properties with respect to building. The small
tree stays within the imposed limit, the large tree doesn't.

The large tree would consume over 150Gb of RAM to process.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20570)

x509: excessive resource use verifying policy constraints

A security vulnerability has been identified in all supported versions
of OpenSSL related to the verification of X.509 certificate chains
that include policy constraints. Attackers may be able to exploit this
vulnerability by creating a malicious certificate chain that triggers
exponential use of computational resources, leading to a denial-of-service
(DoS) attack on affected systems.

Fixes CVE-2023-0464

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20570)

cmp: fix --strict-warnings windows builds

remove unneeded const qualifier to keep method declaration
and definition in sync.

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/20436)

(cherry picked from commit 6f792f4d27b47213166e0fa9c9b10a3eab85b8f6)

nit: tidy-up code, and fix a typo.

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/20436)

(cherry picked from commit f42d6b7ae62a2b2914b144153af56096f9b4a6d5)

cmp_msg.c: free memory of certStatus before goto err

CLA: trivial

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20406)

(cherry picked from commit c9c99018a887bfac1fe5a5ae6dcd8a5647494504)

Fix Configure test for -mips in CFLAGS

We want to add -mips2 or -mips3 only if the user hasn't already
specified a mips version in CFLAGS. The existing test was a
double-negative.

CLA: trivial

Fixes: https://github.com/openssl/openssl/issues/20214
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20273)

(cherry picked from commit 8b399c5e51b4d010650cb344a67a696daf096a05)

doc: note the default iteration count for PBKDF2 in the enc command

Fixes #20466

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20471)

(cherry picked from commit 6678b0868b7660177f8b5af299894e2e99330a21)

Include the default iteration count in the help for the enc command

The only way to discover this otherwise is looking at the code.

Fixes #20466

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20471)

(cherry picked from commit dc43f080c5d60ef76df4087c1cf53a4bbaad93bd)

rsaz-*k-avx512.pl: fix wrong name of avx512 flag variable

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20519)

aes-gcm-avx512.pl: Fix the clang version detection on Apple Oses

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20519)

Fix version detection on Apple clang

Added missing fix from the master branch.

Fixes #20518

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20519)

Fix copyright disclaimer.

The mention of the GPL shouldn't have been there.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20517)

(cherry picked from commit c879f8ac56170a5cf929fab8067beb2a5902be2b)

Fix documented function return types

The documented return type of the (incorrectly named; see below) OSSL_FUNC_decoder_export_object function signature is wrong; the correct type is int, due to the following line in core_dispatch.h:
OSSL_CORE_MAKE_FUNC(int, decoder_export_object,

Fixes #19543

Per the Github conversation with levitte and t8m for pull request #19964, the following issues are not addressed by this patch:

The macro OSSL_CORE_MAKE_FUNC in core_dispatch.h generates a function, and a corresponding function signature typedef with name ending in "_fn". The typedefed signature is unrelated to the signature of the function.
However, provider-decoder.pod describes typedefed signatures generated by the macro, but uses the names of the functions (lacking "_fn") instead of the typedefed signatures, which is a mismatch.

Also, the documented claim about OSSL_FUNC_decoder_export_object, etc that "None of these are actual functions" is contradicted by the fact that the code actually calls those functions, and calls them specifically by those names. E.g. in decoder_meth.c:
decoder->export_object = OSSL_FUNC_decoder_export_object(fns);

The functions are generated by OSSL_CORE_MAKE_FUNC.

The paragraph "None of these are actual functions"... should be replaced by something more like "These function signatures, generated by the OSSL_CORE_MAKE_FUNC macro, are for functions that are offered via function pointers in OSSL_DISPATCH arrays."

CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19964)

(cherry picked from commit 04af51c276e7d785a194eb9ed199abf250c5b3b6)

cms_ec.c: Fix broken backport of size_t fix in ecdh_cms_encrypt

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20516)

demo: Fix makefile target

The makefile target was incorrect and wouldn't build the rsa_encrypt demo.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20503)

(cherry picked from commit 67bfdfa17bc4ca8e2b819316299bb82748394c45)

Test that there are no errors on the stack for rejected early data

If we reject early data then it is normal for decryption operations to
fail. We should ensure there are no spurious errors on the stack in that
case. This adds a test for that scenario.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/20442)

Remove spurious error queue entries on early data

Early data decryption is expected to fail sometimes. If it does we should
not leave spurious error entries on the queue.

Fixes #20377

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/20442)

Improve the performance of d2i_AutoPrivateKey and friends

Probe first to see if we have a PKCS8 file to improve decoder performance.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/20416)

(cherry picked from commit dba97d4c7142621fb279ef2074cd5c0a04eca7d3)

Document remaining obsolete SSL_OP_NETSCAPE_*_BUG

SSL_OP_NETSCAPE_CA_DN_BUG became obsolete in 3c33c6f6b1086435 and
support for SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG was removed by
7a4dadc3a6a487db. The definitions are still listed under "OBSOLETE
OPTIONS retained for compatibility" in ssl.h.in, so this commit adds
them to the list of obsolete options in doc/man3.

Refs: https://github.com/nodejs/node/pull/46954

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20443)

(cherry picked from commit fe52208c560fb4d16fc40cfe395032544b82271e)

Add missing assignment to EVP_get_digestbynid()

The assignment of the result of EVP_get_digestbynid() did not happen
which made the fallback not actually perform the fallback.

CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20447)

(cherry picked from commit c09c202e9bc66f0300ee598ca94f2b3fa5a5899d)

doc/man3/X509_STORE_CTX_get_error.pod: make order consistent, add some missing entries

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20450)

(cherry picked from commit 1caa4835eb140682ba091bf328758fc6535e70bc)

Segmentation fault in parent rng cleanup

CLA: trivial
When `cleanup_entropy()` is called to cleanup parent by calling
provided `OSSL_FUNC_rand_clear_seed_fn` method, incorrect random
context is passed to the method. So accessing that context creates
a segmentation fault. Parent context should be passed rather than
DRBG's own context.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20454)

(cherry picked from commit 6d45fd47f4849c8dc55b8dd5fa1e1b8a158774a0)

Updated `rsa_has()` for correct validation

CLA: trivial
In RSA, `(n,e)` and `(n,d)` identify public key and private key.
Modulus `n` is the common part. So I updated `rsa_has()` to validate
these pairs correctly. `OSSL_KEYMGMT_SELECT_KEYPAIR` is common part
for both public and private key, so I changed it to check `n` of
RSA and for `OSSL_KEYMGMT_SELECT_PUBLIC_KEY`, `e` is checked. Before
this change, if `selection` was `OSSL_KEYMGMT_SELECT_PRIVATE_KEY` and
only `e` and `d` was in the RSA structure, the function returns 1
while it was incorrect.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20455)

(cherry picked from commit a3207163ef3d30658a41a9c9e3750ca4c5b16677)

Fix size_t/int mismatch in cms_ec.c and rsa_sig.c

Fixes #20435

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20457)

(cherry picked from commit 559e078d94f1213318105b03f4e88b848fc28314)

aes/asm/bsaes-armv7.pl: Replace adrl with add

"adrl" is a pseudo-instruction used to calculate an address relative
to PC. It's not recognized by clang resulting in a compilation error.
I've stumbled upon it when trying to integrate the bsaes-armv7 assmebly
logic into FreeBSD kernel, which uses clang as it's default compiler.
Note that this affect the build only if BSAES_ASM_EXTENDED_KEY is
defined, which is not the default option in OpenSSL.

The solution here is to replace it with an add instruction.
This mimics what has already been done in !BSAES_ASM_EXTENDED_KEY logic.
Because of that I've marked this as trivial CLA.

CLA: trivial
Signed-off-by: Kornel Dulęba <mindal@semihalf.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20458)

(cherry picked from commit 27093ba73372935fe4ef91d0a45ce6ea90a1ac8e)

Add missing copyright header

This file was only recently introduced and the missing header slipped through
the review process.

Fixes #20461

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20470)

(cherry picked from commit 93b0a1ea614f9ce3931373fd3d1d1af04795e6d7)

doc: document that prediction resistance comes with a hidden cost

In the default setup, using prediction resistance cascades to a reseeding
of all DRBGs. The cost for this will be excessive for highly threaded
applications.

Fixes #20414

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/20452)

(cherry picked from commit d90bd3468a9a8d2af6b821be50c1034e21d782ca)