openssl.git
17 months ago: Remove redundant assignment in felem_mul_ref in p521
Rohan McLure [Fri, 25 Nov 2022 03:41:08 +0000 (14:41 +1100)]
Remove redundant assignment in felem_mul_ref in p521

ftmp4 is assigned immediately before receiving the reduced output of the
multiplication of ftmp and ftmp3, without being read in between these
assignments. Remove the redundant assignment.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19766)

(cherry picked from commit 3d4dfeb28a5cb944b8300b4cf807e19ab97d04f5)

17 months ago: doc: fix location of AES-SIV ciphers
Pauli [Mon, 28 Nov 2022 01:25:47 +0000 (12:25 +1100)]
doc: fix location of AES-SIV ciphers

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/19776)

(cherry picked from commit d1aa7d11363ebb0dff080966f842fade91135eaa)

17 months ago: Update pyca-cryptography submodule to 38.0.4
Nicola Tuveri [Sun, 27 Nov 2022 21:43:16 +0000 (23:43 +0200)]
Update pyca-cryptography submodule to 38.0.4

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19681)

17 months ago: Honor OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT as set and default to UNCOMPRESSED
Nicola Tuveri [Sat, 18 Sep 2021 15:17:39 +0000 (18:17 +0300)]
Honor OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT as set and default to UNCOMPRESSED

Originally the code to im/export the EC pubkey was meant to be consumed
only by the im/export functions when crossing the provider boundary.
Having our providers exporting to a COMPRESSED format octet string made
sense to avoid memory waste, as it wasn't exposed outside the provider
API, and providers had all tools available to convert across the three
formats.

Later on, with #13139 deprecating the `EC_KEY_*` functions, more state
was added among the params imported/exported on an EC provider-native
key (including `OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT`, although it
did not affect the format used to export `OSSL_PKEY_PARAM_PUB_KEY`).

Finally, in #14800, `EVP_PKEY_todata()` was introduced and prominently
exposed directly to users outside the provider API, and the choice of
COMPRESSED over UNCOMPRESSED as the default became less sensible in
light of usability, given the latter is more often needed by
applications and protocols.

This commit fixes it, by using `EC_KEY_get_conv_form()` to get the
point format from the internal state (an `EC_KEY` under the hood) of the
provider-side object, and using it on
`EVP_PKEY_export()`/`EVP_PKEY_todata()` to format
`OSSL_PKEY_PARAM_PUB_KEY`.
The default for an `EC_KEY` was already UNCOMPRESSED, and it is altered
if the user sets `OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT` via
`EVP_PKEY_fromdata()`, `EVP_PKEY_set_params()`, or one of the
more specialized methods.

For symmetry, this commit also alters `ec_pkey_export_to()` in
`crypto/ec/ec_ameth.c`, part of the `EVP_PKEY_ASN1_METHOD` for legacy EC
keys: it exclusively used COMPRESSED format, and now it honors the
conversion format specified in the EC_KEY object being exported to a
provider when this function is called.

Expand documentation about `OSSL_PKEY_PARAM_PUB_KEY` and mention the
3.1 change in behavior for our providers.

Fixes #16595

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19681)

17 months ago: Fix occasional assertion failure when storing properties
Tomas Mraz [Thu, 24 Nov 2022 17:48:10 +0000 (18:48 +0100)]
Fix occasional assertion failure when storing properties

Fixes #18631

The store lock does not prevent concurrent access to the
property cache, because there are multiple stores.

We drop the newly created entry and use the existing one
if there is one already.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19762)

(cherry picked from commit 92a25e24e6ec9735dea9ec645502cb075a5f8d24)

17 months ago: Drop incorrect skipping of some evp_test testcases with no-gost
Tomas Mraz [Wed, 23 Nov 2022 08:09:24 +0000 (09:09 +0100)]
Drop incorrect skipping of some evp_test testcases with no-gost

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19739)

(cherry picked from commit d5e1fe9c04c7eb28e21070e3dfe0d2242504a9bc)

17 months ago: Add test for EVP_PKEY_Q_keygen
Tomas Mraz [Thu, 24 Nov 2022 15:46:38 +0000 (16:46 +0100)]
Add test for EVP_PKEY_Q_keygen

Test for #19736

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19761)

(cherry picked from commit 667a8501f0b6e5705fd611d5bb3ca24848b07154)

18 months ago: Fix typos in doc/man3/EVP_EncryptInit.pod
Marco Abbadini [Thu, 24 Nov 2022 01:11:25 +0000 (02:11 +0100)]
Fix typos in doc/man3/EVP_EncryptInit.pod

Fixes #19728

CLA: trivial

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19753)

(cherry picked from commit 0dbd3a81e46dd7ea9f7832307fdd0b2ac207a5bf)

18 months ago: When using PEM_read_bio_PrivateKey_ex() the public key is optional
Tomas Mraz [Wed, 26 Oct 2022 09:29:49 +0000 (11:29 +0200)]
When using PEM_read_bio_PrivateKey_ex() the public key is optional

Fixes #19498

However, the private key part is not optional, which was
mishandled by the legacy routine.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19505)

(cherry picked from commit adb408dc791e83f59f3a86bd90d8e804c814ac30)

18 months ago: add missing OSSL_CMP_CTX_reset_geninfo_ITAVs() function
Dr. David von Oheimb [Mon, 19 Sep 2022 11:15:04 +0000 (13:15 +0200)]
add missing OSSL_CMP_CTX_reset_geninfo_ITAVs() function

Fixup for glitch while handling merge conflict in OSSL_CMP_CTX_new.pod

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19216)

(cherry picked from commit a2ede0396addd13f7fe9a629b450a14892152a83)

18 months ago: add missing OSSL_CMP_CTX_reset_geninfo_ITAVs() function
Dr. David von Oheimb [Mon, 19 Sep 2022 11:15:04 +0000 (13:15 +0200)]
add missing OSSL_CMP_CTX_reset_geninfo_ITAVs() function

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19216)

(cherry picked from commit a2ede0396addd13f7fe9a629b450a14892152a83)

18 months ago: OSSL_CMP_CTX_reinit(): fix missing reset of ctx->genm_ITAVs
Dr. David von Oheimb [Wed, 14 Sep 2022 15:37:27 +0000 (17:37 +0200)]
OSSL_CMP_CTX_reinit(): fix missing reset of ctx->genm_ITAVs

Otherwise, further OSSL_CMP_exec_GENM_ses() calls will go wrong.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19216)

(cherry picked from commit 1c04866c671db4a6db0a1784399b351ea061bc16)

18 months ago: CMP: fix gen_new() in cmp_msg.c checking wrong ITAVs
Dr. David von Oheimb [Sat, 17 Sep 2022 18:58:16 +0000 (20:58 +0200)]
CMP: fix gen_new() in cmp_msg.c checking wrong ITAVs

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19216)

(cherry picked from commit 7e3034939b40ee15013bdba9ff6178de6bcc26d4)

18 months ago: Fix typo in openssl-x509.pod.in
Jan [Wed, 23 Nov 2022 15:14:07 +0000 (16:14 +0100)]
Fix typo in openssl-x509.pod.in

CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19746)

(cherry picked from commit 0b7ad5d928f9ee749cfc670ad08067a961217fea)

18 months ago: test/timing_load_creds.c: use OPENSSL_SYS_ macros
Richard Levitte [Sat, 19 Nov 2022 12:05:19 +0000 (13:05 +0100)]
test/timing_load_creds.c: use OPENSSL_SYS_ macros

A previous change was only half done. To avoid such mistakes again, we
switch to using the OPENSSL_SYS_ macros, as they are clearer than having
to check a pile of very platform- and compiler-specific macros.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/19720)

(cherry picked from commit 83c1220ad137bb4b651478444c3666c66ec9d640)

18 months ago: Disable test/timing_load_creds.c on VMS
Richard Levitte [Fri, 18 Nov 2022 12:28:35 +0000 (13:28 +0100)]
Disable test/timing_load_creds.c on VMS

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/19713)

(cherry picked from commit 81929ac49aa583b2347348953d8399ad775c6fd1)

18 months ago: Add SM2 support for EVP_PKEY_Q_keygen
Jiaxun Yang [Tue, 22 Nov 2022 19:53:38 +0000 (19:53 +0000)]
Add SM2 support for EVP_PKEY_Q_keygen

There is no reason preventing this API from supporting SM2,
which gives us a simple method to do SM2 key gen.

CLA: trivial

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19736)

(cherry picked from commit 3f32d29ad464591ed968a1e430111e1525280f4c)

18 months ago: CMP: fix handling of unset or missing failInfo PKI status information
Dr. David von Oheimb [Tue, 13 Sep 2022 20:22:48 +0000 (22:22 +0200)]
CMP: fix handling of unset or missing failInfo PKI status information

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19205)

(cherry picked from commit cba0e2afd6a222aa041e05f8455e83c9e959d05b)

18 months ago: CMP: fix status held in OSSL_CMP_CTX, in particular for genp messages
Dr. David von Oheimb [Tue, 13 Sep 2022 13:43:59 +0000 (15:43 +0200)]
CMP: fix status held in OSSL_CMP_CTX, in particular for genp messages

On this occasion, replace magic constants by mnemonic ones; update doc

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19205)

(cherry picked from commit 19ddcc4cbb43464493a4b82332a1ab96da823451)

18 months ago: Add two new build targets to enable the possibility of using clang-cl as
Everton Constantino [Thu, 27 Oct 2022 18:07:48 +0000 (15:07 -0300)]
Add two new build targets to enable the possibility of using clang-cl as
an assembler for Windows on Arm builds and also clang-cl as the compiler
as well. Make appropriate changes to armcap source and perlasm scripts.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19523)

(cherry picked from commit b863e1e4c69068e4166bdfbbf9f04bb07991dd40)

18 months ago: OSSL_trace_enabled.pod and OSSL_trace_set_channel.pod: improve doc
Dr. David von Oheimb [Tue, 24 May 2022 18:33:32 +0000 (20:33 +0200)]
OSSL_trace_enabled.pod and OSSL_trace_set_channel.pod: improve doc

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18386)

(cherry picked from commit 3b7398843c1cfd170494a03a4be54042fb821172)

18 months ago: http_client.c: Dump response on error when tracing is enabled
Dr. David von Oheimb [Mon, 23 May 2022 17:43:56 +0000 (19:43 +0200)]
http_client.c: Dump response on error when tracing is enabled

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18386)

(cherry picked from commit e8fdb0603572bf051dad6abc56291cdf1313a905)

18 months ago: c_rehash: Fix file extension matching
Tobias Girstmair [Tue, 18 Oct 2022 11:23:21 +0000 (13:23 +0200)]
c_rehash: Fix file extension matching

For some reason, parentheses were added 8 years ago in commit
a787c2590e468585a1a19738e0c7f481ec91b762. This essentially removed the
\. and $ constructs from the middle branches. Hence a file called e.g.
cert.key would accidentally match the (cer) rule.

CLA: trivial

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19427)

(cherry picked from commit 706fc5f6ebd63e1fcd18d4764248206ab3c18a0a)

18 months ago: Coverity 1515953: negative loop bound
Pauli [Fri, 14 Oct 2022 01:53:02 +0000 (12:53 +1100)]
Coverity 1515953: negative loop bound

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/19413)

(cherry picked from commit 9ab57f29c78d8d69b6ba9c579521594d7170ca44)

18 months ago: Improve performance of the encoder collection
slontis [Tue, 4 Oct 2022 23:57:51 +0000 (09:57 +1000)]
Improve performance of the encoder collection

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19344)

(cherry picked from commit c3b46409559c18f103ebb2221c6f8af3cd7db00d)

18 months ago: optimize ossl_sm4_set_key speed
zhangzhilei [Sat, 24 Sep 2022 02:32:36 +0000 (10:32 +0800)]
optimize ossl_sm4_set_key speed

This optimization comes from libgcrypt and increases speed by about 48%.

Benchmark on my AMD Ryzen Threadripper 3990X

before:
Did 5752000 SM4 setup operations in 1000151us (5751131.6 ops/sec)
after:
Did 8506000 SM4 setup operations in 1000023us (8505804.4 ops/sec)

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19270)

(cherry picked from commit 704e8090b4a789f52af07de9a3ebbe11db8e19f8)

18 months ago: Add vpaes-loongarch64.pl module.
zhuchen [Thu, 29 Sep 2022 12:14:00 +0000 (20:14 +0800)]
Add vpaes-loongarch64.pl module.

Add 128-bit LSX vector extension optimization code for the LoongArch64 architecture
to AES. The test result on the 3A5000 shows a performance improvement of about 40%~50%.

Signed-off-by: zhuchen <zhuchen@loongson.cn>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19364)

(cherry picked from commit ef917549f5867d269d359155ff67b8ccb5e66a76)

18 months ago: Add LoongArch64 cpuid and OPENSSL_loongarchcap_P
zhuchen [Thu, 29 Sep 2022 11:50:52 +0000 (19:50 +0800)]
Add LoongArch64 cpuid and OPENSSL_loongarchcap_P

The LoongArch64 architecture defines the 128-bit vector extension LSX and the 256-bit
vector extension LASX. The cpucfg instruction can be used to determine whether
the CPU has a corresponding extension. This code is added to prepare
for the subsequent addition of corresponding vector instruction optimizations.

Signed-off-by: zhuchen <zhuchen@loongson.cn>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19364)

(cherry picked from commit 7f2d6188c7b16ef7a4deeeedb56f42014156b9f8)

18 months ago: nit: fix some pointer comparisons
FdaSilvaYY [Tue, 23 Aug 2022 18:53:31 +0000 (20:53 +0200)]
nit: fix some pointer comparisons

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19059)

(cherry picked from commit e1e93f7a07dfc7a8dddd4ddbb79d1d9bc9760d32)

18 months ago: apps & al : Fix various typos, repeated words, align some spelling to LDP.
FdaSilvaYY [Tue, 23 Aug 2022 18:45:13 +0000 (20:45 +0200)]
apps & al : Fix various typos, repeated words, align some spelling to LDP.

Mostly revamped from #16712
- fall thru -> fall through
- time stamp -> timestamp
- host name -> hostname
- ipv6 -> IPv6

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19059)

(cherry picked from commit 9929c81702381bff54f833d6fe0a3304f4e2b635)

18 months ago: Fix various typos, repeated words, align some spelling to LDP.
FdaSilvaYY [Tue, 23 Aug 2022 18:40:44 +0000 (20:40 +0200)]
Fix various typos, repeated words, align some spelling to LDP.

Partially revamped from #16712
- fall thru -> fall through
- time stamp -> timestamp
- host name -> hostname
- ipv6 -> IPv6

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19059)

(cherry picked from commit d7f3a2cc8691c062ef5bdeef28b66f80c8f7d5c3)

18 months ago: crypto/*: Fix various typos, repeated words, align some spelling to LDP.
FdaSilvaYY [Tue, 23 Aug 2022 18:37:03 +0000 (20:37 +0200)]
crypto/*: Fix various typos, repeated words, align some spelling to LDP.

partially revamped from #16712
- fall thru -> fall through
- time stamp -> timestamp
- host name -> hostname
- ipv6 -> IPv6

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19059)

(cherry picked from commit c7340583097a80a4fe42bacea745b2bbaa6d16db)

18 months ago: crypto: Fix various typos, repeated words, align some spelling to LDP.
FdaSilvaYY [Tue, 23 Aug 2022 18:33:58 +0000 (20:33 +0200)]
crypto: Fix various typos, repeated words, align some spelling to LDP.

partially revamped from #16712
- fall thru -> fall through
- time stamp -> timestamp
- file name -> filename
- host name -> hostname

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19059)

(cherry picked from commit 1567a821a4616f59748fa8982724f88e542867d6)

18 months ago: Fixed some grammar and spelling
Thiago Suchorski [Thu, 22 Sep 2022 11:27:27 +0000 (08:27 -0300)]
Fixed some grammar and spelling

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/19262)

(cherry picked from commit af33b200da8040c78dbfd8405878190980727171)

18 months ago: ERR: replace remnant ECerr() and EVPerr() calls in crypto/
Dr. David von Oheimb [Fri, 26 Aug 2022 08:04:01 +0000 (10:04 +0200)]
ERR: replace remnant ECerr() and EVPerr() calls in crypto/

except those throwing ERR_R_MALLOC_FAILURE

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19302)

(cherry picked from commit bd07cc1c7e3ca38689e59868b5945dc223235a49)

18 months ago: apps/speed.c: Lock buffer in memory
Juergen Christ [Mon, 29 Aug 2022 15:05:41 +0000 (17:05 +0200)]
apps/speed.c: Lock buffer in memory

Lock the buffers used for throughput measurements into memory.  This removes
some side effects of paging.

Errors from the memory locking functions are ignored since they are not
critical to the application.

This feature is limited to Linux and Windows.

Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19091)

(cherry picked from commit 9710d72b95f4fc218ed613f42dc90ad0d263b14f)

18 months ago: Add config option for speed command
Kan [Tue, 21 Jun 2022 06:55:55 +0000 (14:55 +0800)]
Add config option for speed command

Fixed #16986

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18616)

(cherry picked from commit 8403c7350fd836ea44baf69c0b7dc3af1189253f)

18 months ago: test/trace_api_test.c: fix gcc error on -Werror=strict-prototypes
Dr. David von Oheimb [Sat, 24 Sep 2022 21:57:19 +0000 (23:57 +0200)]
test/trace_api_test.c: fix gcc error on -Werror=strict-prototypes

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19277)

(cherry picked from commit 1fcd84c7017416a3c9461914d7a943591ad87a82)

18 months ago: Add tests for trace_api.
Daniel Fiala [Fri, 5 Aug 2022 02:44:51 +0000 (04:44 +0200)]
Add tests for trace_api.

Fixes openssl#17422

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19096)

(cherry picked from commit fcff5bd43c85418cc4aa8052e3dc3dba344d763e)

18 months ago: Fix AES-GCM on Power 8 CPUs
Tomas Mraz [Fri, 9 Sep 2022 12:46:24 +0000 (14:46 +0200)]
Fix AES-GCM on Power 8 CPUs

Properly fall back to the default implementation on CPUs
missing the necessary instructions.

Fixes #19163

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19182)

(cherry picked from commit 9ab6b64ac856157a31a54c0d12207c2338bfa8e2)

18 months ago: OSSL_CRYPTO_ALLOC attribute introduction proposal.
David Carlier [Thu, 8 Sep 2022 21:16:31 +0000 (22:16 +0100)]
OSSL_CRYPTO_ALLOC attribute introduction proposal.

Give the compiler a hint that the returned pointer is not aliased
(so realloc-like APIs are de facto excluded).

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19180)

(cherry picked from commit e1035957eba1e6ebdefd0e18dcbad5cbfa7a969a)

18 months ago: Fix PROV_RC5_CTX's original structure name
Paul Yang [Fri, 9 Sep 2022 07:48:24 +0000 (15:48 +0800)]
Fix PROV_RC5_CTX's original structure name

It looks like a typo made when copying & pasting the structure from blowfish.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19186)

(cherry picked from commit 53ef02baf80130a81d019e85c528fdc13af9db33)

18 months ago: openssl.cnf: split option value and comment and remove leading space
a1346054 [Thu, 8 Sep 2022 08:11:53 +0000 (08:11 +0000)]
openssl.cnf: split option value and comment and remove leading space

CLA: trivial

Signed-off-by: a1346054 <36859588+a1346054@users.noreply.github.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19173)

(cherry picked from commit fd24de9f93049b05a54c48da5316f42882489230)

18 months ago: Cleanup EBCDIC string definitions
Todd Short [Thu, 1 Sep 2022 19:31:21 +0000 (15:31 -0400)]
Cleanup EBCDIC string definitions

Use a single definition for protocol string definitions.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19122)

(cherry picked from commit 44e47328178328198018c23e6918884af5e8ce4b)

18 months ago: Add some API tests for TLSv1.3 record padding
Matt Caswell [Wed, 31 Aug 2022 11:31:24 +0000 (12:31 +0100)]
Add some API tests for TLSv1.3 record padding

We have some ssl_test_new tests for record padding. But these only use
the block padding approach set via a config file on the SSL_CTX. We add
tests for all the various API calls.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19103)

(cherry picked from commit f3f8e53c852f07d38c124e45f7c678e854be4a54)

18 months ago: Add a test for read_ahead data crossing a key change
Matt Caswell [Tue, 17 May 2022 13:36:39 +0000 (14:36 +0100)]
Add a test for read_ahead data crossing a key change

If read_ahead is switched on, it should still work even if the data that
is read crosses epochs.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18132)

(cherry picked from commit f7565348c22785f69239883feb1f3c91d1cfd675)

18 months ago: provider: cipher: aes: add riscv32 zkn (zbkb) support
Hongren (Zenithal) Zheng [Fri, 13 May 2022 16:01:11 +0000 (00:01 +0800)]
provider: cipher: aes: add riscv32 zkn (zbkb) support

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18308)

(cherry picked from commit 5ccee69b1384fa9377986a6f7730e0d9a372b42b)

18 months ago: aes_platform: add riscv32 zkn asm support
Hongren (Zenithal) Zheng [Fri, 13 May 2022 15:44:31 +0000 (23:44 +0800)]
aes_platform: add riscv32 zkn asm support

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18308)

(cherry picked from commit cbb15b31b98f47276cf9e87453831d96274baf66)

18 months ago: add build support for riscv32 aes zkn
Hongren (Zenithal) Zheng [Fri, 13 May 2022 15:29:34 +0000 (23:29 +0800)]
add build support for riscv32 aes zkn

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18308)

(cherry picked from commit b733ce73a423b99c0354b42e268216e0656e556b)

18 months ago: Add RISC-V 32 cpuid support
Hongren (Zenithal) Zheng [Fri, 13 May 2022 16:02:44 +0000 (00:02 +0800)]
Add RISC-V 32 cpuid support

Mainly from #17640

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18308)

(cherry picked from commit 61170642b1ad084ae4f52e43d39c5c1e471b323a)

18 months ago: Add linux32-riscv32/BSD-riscv32 target
Hongren (Zenithal) Zheng [Fri, 13 May 2022 15:23:29 +0000 (23:23 +0800)]
Add linux32-riscv32/BSD-riscv32 target

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18308)

(cherry picked from commit 42ee6e7be43c57136d71e5612fed22a06f7f5d0e)

18 months ago: Add AES implementation in riscv32 zkn asm
Hongren (Zenithal) Zheng [Fri, 13 May 2022 14:24:43 +0000 (22:24 +0800)]
Add AES implementation in riscv32 zkn asm

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18308)

(cherry picked from commit b1b889d1b3fc92a56ead5536bee06f3415b78482)

18 months ago: Add BSD-armv4 target based on linux-armv4
Piotr Kubaj [Fri, 29 Jul 2022 10:47:29 +0000 (12:47 +0200)]
Add BSD-armv4 target based on linux-armv4

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18910)

(cherry picked from commit a9389c0b75e69ebaf74fdc8fee0c983809e45931)

18 months ago: Improve chacha20 performance on aarch64 by interleaving scalar with SVE/SVE2
Daniel Hu [Tue, 19 Jul 2022 17:43:28 +0000 (18:43 +0100)]
Improve chacha20 performance on aarch64 by interleaving scalar with SVE/SVE2

The patch will process one extra block by scalar in addition to
blocks by SVE/SVE2 in parallel. This is especially helpful in the
scenario where we only have a 128-bit vector length.

The actual uplift to performance is complicated, depending on the
vector length and input data size. The SVE/SVE2 implementation doesn't
always perform better than Neon, but it should prevail in most
cases.

On a CPU with 256-bit SVE/SVE2, interleaved processing can
handle 9 blocks in parallel (8 blocks by SVE and 1 by scalar).
On 128-bit SVE/SVE2 it is 5 blocks. Input sizes that are a multiple
of 9/5 blocks on the respective CPU can typically be handled at
maximum speed.

Here are test data for 256-bit and 128-bit SVE/SVE2 obtained by running
"openssl speed -evp chacha20 -bytes 576" (and other sizes):

----------------------------------+---------------------------------
                256-bit SVE       |        128-bit SVE2
----------------------------------|---------------------------------
Input  576 bytes     512 bytes    |  320 bytes        256 bytes
----------------------------------|---------------------------------
SVE    1716361.91k   1556699.18k  |  1615789.06k      1302864.40k
----------------------------------|---------------------------------
Neon   1262643.44k   1509044.05k  |  680075.67k       1060532.31k
----------------------------------+---------------------------------

If the input size gets very large, the advantage of SVE/SVE2 over
Neon will fade out.

Signed-off-by: Daniel Hu <Daniel.Hu@arm.com>
Change-Id: Ieedfcb767b9c08280d7c8c9a8648919c69728fab

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18901)

(cherry picked from commit 3f42f41ad19c631287386fd8d58f9e02466c5e3f)

18 months ago: Drop the optimisation level for ppc64le cross-compile
Matt Caswell [Wed, 24 Aug 2022 14:10:56 +0000 (15:10 +0100)]
Drop the optimisation level for ppc64le cross-compile

The default cross compiler (gcc 9.4.0) for ppc64le on Ubuntu 20.04 seems
buggy and causes a segfault in sslapitest. This doesn't impact any other
CI cross-compile platforms and does not seem to impact the gcc 10.3.0 cross
compiler.

We just drop the optimisation level on that platform.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19056)

(cherry picked from commit 200d9521a0d406a7d02778d1c6c5a5230caeecf5)

18 months ago: Add CODE-OF-CONDUCT.md
Dr. Matthias St. Pierre [Mon, 15 Aug 2022 13:01:11 +0000 (15:01 +0200)]
Add CODE-OF-CONDUCT.md

Fixes #18820

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19002)

(cherry picked from commit 63df86b041aaafba3e4998b2e3872fa8695a2377)

18 months ago: Fix unrolled montgomery multiplication for POWER9
Rohan McLure [Thu, 30 Jun 2022 06:21:06 +0000 (16:21 +1000)]
Fix unrolled montgomery multiplication for POWER9

In the reference C implementation in bn_asm.c, tp[num + 1] contains the
carry bit for accumulations into tp[num]. tp[num + 1] is only ever
assigned, never itself incremented.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18883)

(cherry picked from commit 2f1112b22a826dc8854b41b60a422c987f8ddafb)

18 months ago: Revert "Revert "bn: Add fixed length (n=6), unrolled PPC Montgomery Multiplication""
Rohan McLure [Mon, 27 Jun 2022 02:14:55 +0000 (12:14 +1000)]
Revert "Revert "bn: Add fixed length (n=6), unrolled PPC Montgomery Multiplication""

This reverts commit 712d9cc90e355b2c98a959d4e9398610d2269c9e.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18883)

(cherry picked from commit eae70100fadbc94f18ba7a729bf065cb524a9fc9)

18 months ago: test/timing_load_creds.c: fix coding style and other (mostly minor) issues
Dr. David von Oheimb [Mon, 25 Jul 2022 07:19:40 +0000 (09:19 +0200)]
test/timing_load_creds.c: fix coding style and other (mostly minor) issues

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18821)

(cherry picked from commit 45479dcee1672661e4f5b6d8b6c9a50453581e65)

18 months ago: Rename the "timing" program to "timing_load_creds" and integrate it with test/build...
Dr. David von Oheimb [Mon, 18 Jul 2022 18:26:57 +0000 (20:26 +0200)]
Rename the "timing" program to "timing_load_creds" and integrate it with test/build.info

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18821)

(cherry picked from commit c02036e1ad759fca228a2201f1c4752670ad59bd)

18 months ago: Add a stand-alone "timing" program
Rich Salz [Thu, 29 Apr 2021 17:48:45 +0000 (13:48 -0400)]
Add a stand-alone "timing" program

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18821)

(cherry picked from commit 6212fc6814e8a8968bb35239cd454afd22b6a083)

18 months ago: Add ROTATE inline RISC-V zbb/zbkb asm for DES
Hongren (Zenithal) Zheng [Wed, 11 May 2022 10:32:13 +0000 (18:32 +0800)]
Add ROTATE inline RISC-V zbb/zbkb asm for DES

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18290)

(cherry picked from commit 6136408e6abf10672e399bf95be064868f2f7ca6)

18 months ago: Fix GHASH-ASM implementation on s390x
Juergen Christ [Tue, 2 Aug 2022 12:41:00 +0000 (14:41 +0200)]
Fix GHASH-ASM implementation on s390x

s390x GHASH assembler implementation assumed it was called from a
gcm128_context structure where the Xi parameter to the ghash function was
embedded in that structure.  Since the structure layout resembles the parameter
block required for kimd-GHASH, the assembler code simply assumed the 128 bytes
after Xi are the hash subkey.

This assumption was broken with the introduction of AES-GCM-SIV which uses the
GHASH implementation without a gcm128_context structure.  Furthermore, the
bytes following the Xi input parameter to the GHASH function do not contain
the hash subkey.  To fix this, we remove the assumption about the calling
context and build the parameter block on the stack.  This requires some
copying of data to and from the stack.  While this introduces a performance
degradation, new systems anyway use kma for GHASH/AES-GCM.

Finally fixes #18693 for s390x.

Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18939)

(cherry picked from commit cd854f225bbef9561fad680e2628dfd55be1b141)
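
The layout assumption the message describes, as an added example in C that is not OpenSSL's s390x code: a portable GHASH whose parameter block (running state Xi followed by the subkey H) is a local built from explicit arguments, so the function gives the same answer whether Xi lives inside a gcm128-style context with H directly behind it or in a stand-alone buffer as an AES-GCM-SIV style caller provides. The struct layout and the names ghash_param, gf128_mul, ghash_update, ghash_gcm_test_case_2 and ghash_layout_independent are this example's own (the field order is not the s390x kimd layout); the input in ghash_layout_independent is constructed, and the known-answer check uses the GCM specification's test case 2 (zero key, one zero plaintext block, no AAD).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Parameter block in the shape a GHASH engine consumes: running state Xi
 * followed by the subkey H. It is a local built from explicit arguments, not
 * an assumption that H sits in memory right behind the caller's Xi.
 * (The field order is this example's own, not the s390x kimd layout.)
 */
typedef struct {
    uint8_t Xi[16];
    uint8_t H[16];
} ghash_param;

/* out = x * y in GF(2^128) with GCM bit ordering (SP 800-38D, Algorithm 1).
 * out may alias x or y: both inputs are consumed before out is written. */
void gf128_mul(const uint8_t x[16], const uint8_t y[16], uint8_t out[16])
{
    uint8_t z[16] = { 0 }, v[16];
    int i, j;

    memcpy(v, y, 16);
    for (i = 0; i < 128; i++) {
        int lsb = v[15] & 1;
        if (x[i / 8] & (0x80 >> (i % 8)))        /* bit 0 is the MSB of byte 0 */
            for (j = 0; j < 16; j++)
                z[j] ^= v[j];
        for (j = 15; j > 0; j--)                 /* V = V >> 1 */
            v[j] = (uint8_t)((v[j] >> 1) | (v[j - 1] << 7));
        v[0] >>= 1;
        if (lsb)
            v[0] ^= 0xe1;                        /* reduce modulo x^128 + x^7 + x^2 + x + 1 */
    }
    memcpy(out, z, 16);
}

/* Xi = GHASH update over len bytes (a multiple of 16): Xi = (Xi ^ block) * H per
 * block. H comes from the argument only; nothing is read from beyond Xi. */
void ghash_update(uint8_t Xi[16], const uint8_t H[16], const uint8_t *inp, size_t len)
{
    ghash_param pb;
    int j;

    memcpy(pb.Xi, Xi, 16);
    memcpy(pb.H, H, 16);                         /* explicit copy into the local block */
    for (; len >= 16; inp += 16, len -= 16) {
        for (j = 0; j < 16; j++)
            pb.Xi[j] ^= inp[j];
        gf128_mul(pb.Xi, pb.H, pb.Xi);
    }
    memcpy(Xi, pb.Xi, 16);
}

/* Known answer: GCM spec test case 2 (zero key, one zero plaintext block, no AAD),
 * GHASH(H, {}, C) = f38cbb1ad69223dcc3457ae5b6b0f885. Returns 1 on a match. */
int ghash_gcm_test_case_2(void)
{
    static const uint8_t H[16] = { 0x66,0xe9,0x4b,0xd4,0xef,0x8a,0x2c,0x3b,
                                   0x88,0x4c,0xfa,0x59,0xca,0x34,0x2b,0x2e };
    static const uint8_t data[32] = {
        0x03,0x88,0xda,0xce,0x60,0xb6,0xa3,0x92,0xf3,0x28,0xc2,0xb9,0x71,0xb2,0xfe,0x78, /* C */
        0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0x80 };           /* len(A) || len(C), in bits */
    static const uint8_t want[16] = { 0xf3,0x8c,0xbb,0x1a,0xd6,0x92,0x23,0xdc,
                                      0xc3,0x45,0x7a,0xe5,0xb6,0xb0,0xf8,0x85 };
    uint8_t Xi[16] = { 0 };

    ghash_update(Xi, H, data, sizeof(data));
    return memcmp(Xi, want, 16) == 0;
}

/* The same constructed input hashed with Xi inside a context that has H directly
 * behind it, and with a stand-alone Xi whose neighbours are junk (the AES-GCM-SIV
 * style call). Returns 1 if both produce the same Xi. */
int ghash_layout_independent(void)
{
    struct { uint8_t Xi[16]; uint8_t H[16]; } ctx;
    struct { uint8_t Xi[16]; uint8_t not_H[16]; } alone;
    uint8_t H[16], data[48];
    int i;

    for (i = 0; i < 16; i++) H[i] = (uint8_t)(0xa5 ^ (i * 37));  /* constructed subkey */
    for (i = 0; i < 48; i++) data[i] = (uint8_t)(i * 11 + 3);    /* constructed input */
    memset(ctx.Xi, 0, 16);   memcpy(ctx.H, H, 16);
    memset(alone.Xi, 0, 16); memset(alone.not_H, 0xff, 16);

    ghash_update(ctx.Xi, ctx.H, data, sizeof(data));
    ghash_update(alone.Xi, H, data, sizeof(data));
    return memcmp(ctx.Xi, alone.Xi, 16) == 0;
}

int main(void)
{
    printf("GCM test case 2: %s\n", ghash_gcm_test_case_2() ? "PASS" : "FAIL");
    printf("layout independent: %s\n", ghash_layout_independent() ? "PASS" : "FAIL");
    return 0;
}
```

The bit-serial multiply is there for clarity, not speed; the point is the copy into a local parameter block, which is the same trade the commit makes on s390x when it rebuilds the kimd block on the stack instead of trusting what follows Xi.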

18 months ago: Change name of parameter in documentation from sigret to sig
Kurt Roeckx [Tue, 2 Aug 2022 16:49:40 +0000 (18:49 +0200)]
Change name of parameter in documentation from sigret to sig

The rest of the documentation talks about sig, not sigret

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18943)

(cherry picked from commit 2bd8190aace8109a06aff495a3e20c863ef48653)

18 months ago: gcm_get_funcs(): Add missing fallback for ghash on x86_64
Tomas Mraz [Mon, 14 Nov 2022 18:31:17 +0000 (19:31 +0100)]
gcm_get_funcs(): Add missing fallback for ghash on x86_64

Fixes #19673

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19674)

(cherry picked from commit be0161ff100bf10c9549fc09ce4513681011da1c)

18 months ago: Fix regression from GCM mode refactoring
Tomas Mraz [Thu, 28 Jul 2022 14:23:51 +0000 (16:23 +0200)]
Fix regression from GCM mode refactoring

Fixes #18896

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18903)

(cherry picked from commit 186be8ed26f5561faf91d6da3ed14cd9cb6617dd)

18 months ago: s390x: Optimize kmac
Juergen Christ [Mon, 25 Jul 2022 09:31:20 +0000 (11:31 +0200)]
s390x: Optimize kmac

Use hardware acceleration for kmac on s390x.  Since klmd does not support
kmac, perform padding of the last block by hand and use kimd.  Yields a
performance improvement of between 2x and 3x.

Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18863)

(cherry picked from commit affc070aabc930aeaba50f0dd6b3e0b7a2ddc399)

18 months ago: s390x: Fix GCM setup
Juergen Christ [Mon, 25 Jul 2022 08:34:26 +0000 (10:34 +0200)]
s390x: Fix GCM setup

The rework of the GCM code did not include s390x, causing NULL pointer dereferences
on GCM operations other than AES-GCM on platforms that support kma.  Fix this by
a proper setup of the function pointers.

Fixes: 92c9086e5c2b ("Use separate function to get GCM functions")
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18862)

(cherry picked from commit 48e35b99bd0071207cfe39da22eb2502db5c09dc)

18 months ago: Clean up GCM_MUL and remove GCM_FUNCREF_4BIT
Todd Short [Wed, 20 Jul 2022 15:11:41 +0000 (11:11 -0400)]
Clean up GCM_MUL and remove GCM_FUNCREF_4BIT

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18835)

(cherry picked from commit d50e0934e5b1537db0ea43986464b8f8f8b4e9fd)

18 months ago: Clean up use of GHASH macro
Todd Short [Wed, 20 Jul 2022 15:06:59 +0000 (11:06 -0400)]
Clean up use of GHASH macro

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18835)

(cherry picked from commit 95201ef45711220455e8abf1cc6b334393384af2)

18 months ago: Use separate function to get GCM functions
Todd Short [Wed, 20 Jul 2022 14:54:24 +0000 (10:54 -0400)]
Use separate function to get GCM functions

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18835)

(cherry picked from commit 92c9086e5c2b63606cd28a7f13f09b9ff35a0de3)

18 months ago: Remove some unused 4bit GCM code
Todd Short [Wed, 20 Jul 2022 14:04:34 +0000 (10:04 -0400)]
Remove some unused 4bit GCM code

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18835)

(cherry picked from commit 7da952bcc54604141ea8ed40ec5ed1fd2f74cc25)

18 months ago: Remove unused 1bit GCM implementation
Todd Short [Wed, 20 Jul 2022 13:48:21 +0000 (09:48 -0400)]
Remove unused 1bit GCM implementation

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18835)

(cherry picked from commit 7b6e19fc4e6cc1a7000f71789ef50636dacdbb85)

18 months ago: Remove unused 8bit GCM implementation
Todd Short [Wed, 20 Jul 2022 13:38:07 +0000 (09:38 -0400)]
Remove unused 8bit GCM implementation

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18835)

(cherry picked from commit a8b5128fd724bc23f7454d64e401d15129634a01)

18 months ago: Emit rev8 on __riscv_zbkb as on __riscv_zbb
marcfedorow [Tue, 19 Jul 2022 16:15:44 +0000 (19:15 +0300)]
Emit rev8 on __riscv_zbkb as on __riscv_zbb

Also add early clobber for two-insn bswap.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18827)

(cherry picked from commit 48b6776678d794406c625dcb5767102b73081962)

18 months ago: Cleanup: directly include `internal/nelem.h` when required.
FdaSilvaYY [Sat, 20 Feb 2021 22:39:30 +0000 (23:39 +0100)]
Cleanup: directly include `internal/nelem.h` when required.

And so clean up a few useless includes.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19721)

(cherry picked from commit f2a6f83862be3e20260b708288a8f7d0928e9018)

18 months ago: Improve FIPS RSA keygen performance.
slontis [Wed, 2 Nov 2022 03:20:55 +0000 (13:20 +1000)]
Improve FIPS RSA keygen performance.

Reduce the Miller-Rabin counts to the values specified by FIPS 186-5.
The old code was using a fixed value of 64.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19579)

(cherry picked from commit d2f6e66d2837bff1f5f7636bb2118e3a45c9df61)

18 months ago: params_api_test.c: Fix mistake in backported test fix
Tomas Mraz [Mon, 14 Nov 2022 19:02:13 +0000 (20:02 +0100)]
params_api_test.c: Fix mistake in backported test fix

Fixup for e8f1d76b50204d87a0ef7f6879eb1dd507a54368.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/19675)

18 months ago: Release the drbg in the global default context before engines
Tomas Mraz [Tue, 11 Oct 2022 15:26:23 +0000 (17:26 +0200)]
Release the drbg in the global default context before engines

Fixes #17995
Fixes #18578

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/19386)

(cherry picked from commit a88e97fcace01ecf557b207f04328a72df5110df)

18 months ago: Add a test case for the engine crash with AES-256-CTR
Bernd Edlinger [Sat, 2 Apr 2022 11:41:12 +0000 (13:41 +0200)]
Add a test case for the engine crash with AES-256-CTR

Implement the AES-256-CTR cipher in the dasync engine.

Use that to reproduce the reported problems with the
devcrypto engine in our normal test environment.

See #17995 and #17532 for details.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19386)

(cherry picked from commit bd363ef32403d58a8b41553b5abd602b30073b10)

18 months ago: Add an EVP signature demo using DSA
Daniel Fiala [Fri, 21 Oct 2022 04:28:12 +0000 (06:28 +0200)]
Add an EVP signature demo using DSA

Fixes openssl#14114

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19492)

(cherry picked from commit 858b5d12b85b0639519d21206c9da7e1bb976a00)

18 months ago: test/recipes/80-test_cms.t: Fix the "CAdES ko" test
Richard Levitte [Tue, 22 Nov 2022 14:05:45 +0000 (15:05 +0100)]
test/recipes/80-test_cms.t: Fix the "CAdES ko" test

This test had commands that assume that runner_loop() is used to perform
the tests.  These tests still run fine because Unix accepts braces in file
names, but other operating systems might not.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19731)

18 months ago: Fix coverity issues in X509v3_addr
slontis [Thu, 17 Nov 2022 01:58:36 +0000 (11:58 +1000)]
Fix coverity issues in X509v3_addr

CID 1516955 : Null pointer deref (REVERSE_INULL)
CID 1516954 : Null pointer deref (REVERSE_INULL)
CID 1516953 : RESOURCE_LEAK of child

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19700)

(cherry picked from commit 26cfa4cd85f6b26dd7a48c2ff06bfa4a2cea4764)

18 months ago: Add missing HISTORY sections for OpenSSL 3.0 related documents.
slontis [Wed, 16 Nov 2022 21:26:06 +0000 (07:26 +1000)]
Add missing HISTORY sections for OpenSSL 3.0 related documents.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19690)

(cherry picked from commit 4741c80c0556653c74252ec91425dcb74066b2ec)

18 months ago: Improve FIPS RSA keygen performance.
slontis [Wed, 2 Nov 2022 02:01:34 +0000 (12:01 +1000)]
Improve FIPS RSA keygen performance.

FIPS 186-4 has 5 different algorithms for key generation,
and all of them rely on testing GCD(a,n) == 1 many times.

Cachegrind was showing that during an RSA keygen operation,
the function BN_gcd() was taking a considerable percentage
of the total cycles.

The default provider uses multiprime keygen, which seemed to
be much faster. This is because it uses BN_mod_inverse()
instead.

For a 4096 bit key, the entropy of a key that was taking a
long time to generate was recorded and fed back into subsequent
runs. Roughly 40% of the cycle time was BN_gcd() with most of the
remainder in the prime testing. Changing to use the inverse
resulted in the cycle count being 96% in the prime testing.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19578)

(cherry picked from commit dd1d7bcb69994d81662e709b0ad838880b943870)

18 months ago: Fix no-dtls1_2
Matt Caswell [Fri, 22 Jul 2022 10:12:52 +0000 (11:12 +0100)]
Fix no-dtls1_2

dtlstest.c needs some adjusting to handle no-dtls1_2 since commit
7bf2e4d7f0c banned DTLSv1 at the default security level - causing the
test to fail.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18848)

(cherry picked from commit a6843e6ae8ae0551aae8555783f06dab7951f112)

18 months ago: dhparam: Correct the documentation of -dsaparam
Tomas Mraz [Tue, 12 Jul 2022 10:32:44 +0000 (12:32 +0200)]
dhparam: Correct the documentation of -dsaparam

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18480)

(cherry picked from commit 2885b2ca4eee5586baa50208e41a1ca54532eb3a)

18 months ago: dhparam_test: Test that we add private key length on generation and print it
Tomas Mraz [Fri, 10 Jun 2022 08:06:24 +0000 (10:06 +0200)]
dhparam_test: Test that we add private key length on generation and print it

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18480)

(cherry picked from commit 2b11a8ecc8ed1355b99a6d88b8e7e7a75a67bd0a)

18 months ago: Use as small dh key size as possible to support the security
Tomas Mraz [Mon, 6 Jun 2022 08:22:00 +0000 (10:22 +0200)]
Use as small dh key size as possible to support the security

Longer private key sizes unnecessarily raise the cycles needed to
compute the shared secret without any increase of the real security.

We use minimum key sizes as defined in RFC7919.

For arbitrary parameters we cannot know whether they are safe
primes (we could test, but that would be too inefficient), so we have
to keep generating large keys.

However we now set a small dh->length when we are generating safe prime
parameters because we know it is safe to use small keys with them.

That means users need to regenerate the parameters if they
want to take the performance advantage of a small private key.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18480)

(cherry picked from commit ddb13b283be84d771deba1e964610b1670641f03)

18 months ago: Add ROTATE inline RISC-V zbb/zbkb asm for chacha
Hongren (Zenithal) Zheng [Wed, 11 May 2022 10:09:46 +0000 (18:09 +0800)]
Add ROTATE inline RISC-V zbb/zbkb asm for chacha

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18289)

(cherry picked from commit ca6286c382a7eb527fac9aba2a018354acb27b16)

18 months ago: Add config option OPENSSL_NO_UNIX_SOCK
Max Bachmann [Thu, 5 May 2022 16:46:03 +0000 (18:46 +0200)]
Add config option OPENSSL_NO_UNIX_SOCK

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18256)

(cherry picked from commit 081f3484593cdd3be2b7fdd8818c3f928ce729bc)

18 months ago: Add a DTLS next epoch test
Matt Caswell [Fri, 17 Jun 2022 15:37:24 +0000 (16:37 +0100)]
Add a DTLS next epoch test

Test that if we receive a packet from the next epoch, we can buffer it
and still use it.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18601)

(cherry picked from commit e1c153d31d4f913ebe2202a4bc20305919274d1f)

18 months ago: VMS: For executables, process the use of /INCLUDE=main a bit differently
Richard Levitte [Wed, 5 Oct 2022 10:47:32 +0000 (12:47 +0200)]
VMS: For executables, process the use of /INCLUDE=main a bit differently

The way it was implemented didn't play well with perl's join(), so it's
reimplemented a bit differently.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19347)

(cherry picked from commit 1ec0acf264652bd981e95842723e5414d634cd93)

18 months ago: VMS: use selective search when linking with shareable images
Richard Levitte [Sat, 1 Oct 2022 09:18:57 +0000 (11:18 +0200)]
VMS: use selective search when linking with shareable images

VMS linking complains a lot about multiply defined symbols unless told
otherwise, especially when shareable images are involved.  For example, this
involves the legacy provider, where there are overriding implementations of
certain ERR functions.

To quiet the linker down, we need to say that symbols should be searched
selectively in shareable images.

However, that's not quite enough.  The order in which the VMS linker
processes files isn't necessarily top to bottom as given on the command line
or the option file(s), which may result in some symbols appearing undefined,
even though they are.  To remedy that, it's necessary to explicitly include
all object files and object libraries into a cluster, thus ensuring that
they will be processed first.  This allows the search for remaining symbol
references to be done as desired in the shareable images that follow.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19327)

(cherry picked from commit c62a9cd720eccdbb388890ee4a36801d01315be4)

18 months ago: Add ROTATE inline asm support for SM3
Hongren (Zenithal) Zheng [Wed, 11 May 2022 09:18:27 +0000 (17:18 +0800)]
Add ROTATE inline asm support for SM3

And move ROTATE inline asm to header.

Now this benefits SM3, SHA (with Zbb only and no Zknh)
and other hash functions.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18287)

(cherry picked from commit eea820f3e239a4c11d618741fd5d00a6bc877347)

18 months ago: Add SM3 implementation in RISC-V Zksh asm
Hongren (Zenithal) Zheng [Wed, 11 May 2022 08:11:18 +0000 (16:11 +0800)]
Add SM3 implementation in RISC-V Zksh asm

This works for both RV32 and RV64

Signed-off-by: Hongren (Zenithal) Zheng <i@zenithal.me>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18287)

(cherry picked from commit 7ae2bc9df6e0916a8f16183f07dfa1815dd4b66d)

18 months ago: Add deprecation macro for 3.1 and deprecate OPENSSL_LH_stats
Hugo Landau [Tue, 22 Mar 2022 11:52:27 +0000 (11:52 +0000)]
Add deprecation macro for 3.1 and deprecate OPENSSL_LH_stats

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17937)

(cherry picked from commit 5317b6ee1fc3db20de5976fbb46cc49a45c0768a)

18 months ago: Optimize chacha20 on aarch64 by SVE2
Daniel Hu [Wed, 25 May 2022 09:23:40 +0000 (10:23 +0100)]
Optimize chacha20 on aarch64 by SVE2

This patch improves existing chacha20 SVE patch by using SVE2,
which is an optional architecture feature of aarch64, with XAR
instruction that can improve the performance of chacha20.

Signed-off-by: Daniel Hu <Daniel.Hu@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18522)

(cherry picked from commit bcb52bcc9f9c36a85d037976676fd5ca52f307cd)

18 months ago: Add test cases for verification of time stamping certificates
Lutz Jaenicke [Fri, 17 Jun 2022 11:11:31 +0000 (13:11 +0200)]
Add test cases for verification of time stamping certificates

The test makes sure that both time stamping certificates according to RFC 3161 (no
requirements for the keyUsage extension) and according to the CAB forum (keyUsage
extension must be digitalSignature and be set critical) are accepted. Misuse
cases as stated by the CAB forum are rejected; the only exception is a missing
"critical" flag on keyUsage.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18597)

(cherry picked from commit 386ab7f1fefdd77521e670d9593e9894e2774be0)

18 months ago: Remove debug and other outdated build targets.
Daniel Fiala [Wed, 15 Jun 2022 06:54:39 +0000 (08:54 +0200)]
Remove debug and other outdated build targets.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18571)

(cherry picked from commit 909d590fe7a0935e7856ec618afd652ae03a9260)