Added an explicit yield (OP_SLEEP) to QUIC testing for cooperative threading.

Fixes: #24442
Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24443)

(cherry picked from commit b9e084f139c53ce133e66aba2f523c680141c0e6)

[Docs] Default value for verification flags is 'SSL_VERIFY_NONE'

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24435)

(cherry picked from commit a73e07dbb7df4795c4ec537f19516b541fb8dd3c)

fips provider: explicitly setup cpuid when initializing

Fixes: #23979
Previously fips module relied on OPENSSL_cpuid_setup
being used as constructor by the linker to correctly
setup the capability vector, either via .section .init
(for x86_64) or via __attribute__((constructor)).

This would make ld.so call OPENSSL_cpuid_setup before
the init function for fips module. However, this early
constructing behavior has several disadvantages:

1. Not all platform/toolchain supports such behavior

2. Initialisation sequence is not well defined, and
some function might not be initialized when cpuid_setup
is called

3. Implicit path is hard to maintain and debug

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24419)

(cherry picked from commit a192b2439c0207ce1b04ba6137329b68f9e23680)

Fix mem leak in threadpool_test.c

Fixes #24104

Added a goto label for cleanup.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24412)

(cherry picked from commit 4dbd4925dfc61d93df678df607504f62b0ac3dcc)

Fix typo in CONTRIBUTING.md

CLA: trivial

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24413)

(cherry picked from commit 45f5d51b72a262bf85c4461fbded91485ce6b9da)

Check DSA parameters for excessive sizes before validating

This avoids overly long computation of various validation
checks.

Fixes CVE-2024-4603

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/24346)

(cherry picked from commit 85ccbab216da245cf9a6503dd327072f21950d9b)

Update openssl-smime.pod.in

Remove duplicate entries for -nocerts and -noattr

CLA:trivial

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24052)

(cherry picked from commit 5a0c92cf093b4f0aa65f4fdbff88d7bdc83491f3)

[Docs] 'SSL_CTX_set_cert_store' ownership of 'store'

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24375)

(cherry picked from commit 987baef4fa54d268d7eaa93837a56398409698a1)

fix sm2 encryption implementation bug.

According to the "GB/T 32918.4-2016"
section 6.1 encryption, step A5:
If result of the "KDF" is all zeros, we should go back to
the begin(step A1).

section 7.1 decryption, step B4:
If result of the "KDF" is all zeros, we should raise error and exit.

Signed-off-by: Liu-Ermeng <liuermeng2@huawei.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23210)

(cherry picked from commit 170620675dfd74f34bdcf8aba71dffeb07f3d533)

sslapitest.c: With fips skip tests depending on X25519 and X448

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24347)

(cherry picked from commit f6e469808501f52c7e8f8679d6c3290cf1c258b3)

90-test_sslapi.t: Fix execution of sslapitest with fips provider

Default configuration of the fips provider for tests is pedantic
which means that sslapitest was not fully executed with fips provider.

The ems check must be switched off for full execution.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24347)

(cherry picked from commit d2af5e4c946afb59d3512b440642f0da775d198f)

test/ssl-tests: Avoid depending on X25519 and X448 being fips approved

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24348)

quicapitest.c: Make test_ssl_trace to be insensitive to fips changes

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24348)

Release pkey_ctx on initialization failure

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24366)

(cherry picked from commit 3e9d933882407a0792dc3466ba9a0d53d40677a7)

apps/pkcs12: Not writing the private key file until the import password is verified

Fixes #904

CLA: trivial

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23729)

(cherry picked from commit f5462572a1873482ce38646cbf00dfc483f02068)

Add reason codes with the correct offset for two alerts

Fixes #24300. The current values of SSL_R_NO_APPLICATION_PROTOCOL and
SSL_R_PSK_IDENTITY_NOT_FOUND don't allow for a correct lookup of the
corresponding reason strings.

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24351)

(cherry picked from commit a401aaf9ed6eb34842cdedfcc35448bdc4174df3)

threads_win: fix build error with VS2010

VC 2010 or earlier compilers do not support static inline.
To work around this problem, we can use the ossl_inline macro.

Fixes:
crypto\threads_win.c(171) : error C2054: expected '(' to follow 'inline'
crypto\threads_win.c(172) : error C2085: 'get_hold_current_qp' : not in formal parameter list
crypto\threads_win.c(172) : error C2143: syntax error : missing ';' before '{'
crypto\threads_win.c(228) : warning C4013: 'get_hold_current_qp' undefined; assuming extern returning int
crypto\threads_win.c(228) : warning C4047: '=' : 'rcu_qp *' differs in levels of indirection from 'int'

Signed-off-by: Georgi Valkov <gvalkov@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24370)

(cherry picked from commit d8dd1dfdf5cf2343f6afd43dad4ce37045218624)

doc: Fix description of EVP_CIPHER_CTX_dup

This fixes a couple of copy and paste error from EVP_MD_CTX_dup,
where: EVP_CIPHER_CTX_dup is useful to avoid multiple
EVP_CIPHER_fetch (instead of EVP_MD_fetch) and returns
EVP_CIPHER_CTX (instead of EVP_MD_CTX).

Signed-off-by: Daiki Ueno <dueno@redhat.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24376)

(cherry picked from commit 7860bca22c404cfd763ae2648d708d5cc4df6c2f)

quic_multistream_test: fix undefined symbol snprintf with VS2010

As snprintf is not available everywhere, use BIO_snprintf instead.

Fixes:
        IF EXIST test\quic_multistream_test.exe.manifest DEL /F /Q test\quic_multistream_test.exe.manifest
        "link" /nologo /debug setargv.obj /subsystem:console /opt:ref  /nologo /debug @V:\_tmp\nm4.tmp
quic_multistream_test-bin-quic_multistream_test.obj : error LNK2019: unresolved external symbol _snprintf referenced in function _helper_init
test\quic_multistream_test.exe : fatal error LNK1120: 1 unresolved externals
NMAKE : fatal error U1077: '"E:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\BIN\link.EXE"' : return code '0x460'

Signed-off-by: Georgi Valkov <gvalkov@gmail.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24369)

(cherry picked from commit c02f952b48927af9fc4e991d7ead89a4cd1636bc)

Implement riscv_vlen_asm for riscv32

riscvcap.c: undefined reference to 'riscv_vlen_asm'

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24270)

(cherry picked from commit 87314d24c4f025df1ebf47dc527cc8a96bef354a)

tls_provider_init(): Rename prov_ctx to xor_prov_ctx to clarify

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24103)

(cherry picked from commit 3de3d481b269e9831d0b9abd3598b262647ae050)

tls_provider_init(): Fix leaks in error cases

Fixes #24101

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24103)

(cherry picked from commit 2a5d733e64f009f758163da852f1e7fee6aea0a2)

Dependabot update: Bump coverallsapp/github-action

CLA: trivial

(deps): Bump coverallsapp/github-action

Bumps [coverallsapp/github-action](https://github.com/coverallsapp/github-action) from 2.2.3 to 2.3.0.
- [Release notes](https://github.com/coverallsapp/github-action/releases)
- [Commits](https://github.com/coverallsapp/github-action/compare/v2.2.3...v2.3.0)

---
updated-dependencies:
- dependency-name: coverallsapp/github-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24350)

(cherry picked from commit 13d37d8f7557ee7935032ea832eab3e3c5540158)

Avoid memory leak in x509_test error path

Fixes #23897

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23991)

(cherry picked from commit 7cbca5a6d6e792c75c414e1f3fb22e2afae67988)

Add linux-arm64ilp32-clang target

While clang 15 config target by '--target', not cannot support
'-mabi=ilp32', so add the linux-arm64ilp32-clang target.

Signed-off-by: Huiyue Xu <xuhuiyue@huawei.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22666)

(cherry picked from commit 69bd5e4fff8ac9bf4dc3ed6fd87b5a5858edbb01)

Fix potential divide by zero error

Coverity caught the following issues:
1591477
1591475
1591473
1591470

all of which are simmilar, in that they catch potential divide by zero
in double values.  It can't actually happen since the the threads which
increment these counters don't exit until they reach non-zero values,
but its easy to add the checks, so lets do that to ensure that we don't
change something in the future that causes it.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24337)

Coverity found the following issues:

1591471
1591474
1591476

which pertain to memory leaks in the conf_mod code

If an error is encountered after the module STACK_OF is duplicated or
created in the new_modules variable, we need to remember to free it in
the error path

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24337)

Fix undefined behaviour in the event of a zero length session id

Don't attempt to memcpy a NULL pointer if the length is 0.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24309)

(cherry picked from commit 97c6489b39c966c6e5169b9b92ec5fa9a35c7ba3)

Document the SSL_set_session_secret_cb() function

This function is only useful for EAP-FAST, but was previously undocumented.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24309)

(cherry picked from commit aecaaccaf93c4b36dd830accf08f2175059c5782)

Set the server sig algs before calling the session_secret_cb

Setting the server sig algs sets up the certificate "s3->tmp.valid_flags".
These are needed when calling ssl3_choose_cipher() which can happen
immediately after calling the session_secret_cb

Fixes #24213

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24309)

(cherry picked from commit 91c7ab27cebe4e6f6a6376e0a691736a2534fdd0)

Add a test for the session_secret_cb

Ensure that if a session_secret_cb is being used that a connection can
be successfully made

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24309)

(cherry picked from commit c8dddc61d49f84d1667de97e9548f07ccc92dddf)

test/threadstest.c: Add checks for CRYPTO_THREAD_lock_new()

Add checks for the return value of CRYPTO_THREAD_lock_new() in order to avoid Null pointer dereference.

Fixes: 5f8b812931 ("Add locking to atomic operations in rw/rcu tests")
Fixes: d0e1a0ae70 ("RCU lock implementation")
Fixes: 71a04cfca0 ("Implement new multi-threading API")
Signed-off-by: Jiasheng Jiang <jiasheng@purdue.edu>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24313)

(cherry picked from commit 327261c076b8468382e1effea14d79446cc22b4d)

Fix error handling in CMS_EncryptedData_encrypt

That caused several memory leaks in case of error.
Also when the CMS object that is created by CMS_EncryptedData_encrypt
is not used in the normal way, but instead just deleted
by CMS_ContentInfo_free some memory was lost.

Fixes #21985

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22031)

(cherry picked from commit 6d2a01cdfb56fdb8ea5d5dd417724e6906c8b8e2)

Correct top for EC/DSA nonces if BN_DEBUG is on

Otherwise following operations would bail out in bn_check_top().

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24265)

(cherry picked from commit a380ae85be287045b1eaa64d23942101a426c080)

Adjust FIPS EC/DSA self test data for different nonce generation

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24265)

(cherry picked from commit 8a1f65468064e39f65ef4918c62db73a9eef80e4)

Rename BN_generate_dsa_nonce() to ossl_bn_gen_dsa_nonce_fixed_top()

And create a new BN_generate_dsa_nonce() that corrects the BIGNUM top.
We do this to avoid leaking fixed top numbers via the public API.

Also add a slight optimization in ossl_bn_gen_dsa_nonce_fixed_top()
and make it LE/BE agnostic.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24265)

(cherry picked from commit 9c85f6cd2d6debe5ef6ef475ff4bf17e0985f7a2)

Add ossl_bn_priv_rand_range_fixed_top() and use it for EC/DSA

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24265)

(cherry picked from commit 13b3ca5c998e6db4f7251a56c43541cb1a422bd0)

Make ossl_gen_deterministic_nonce_rfc6979() constant time

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24265)

(cherry picked from commit 2d285fa873028f6cff9484a0cdf690fe05d7fb16)

Make BN_generate_dsa_nonce() constant time and non-biased

Co-authored-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24265)

(cherry picked from commit d7d1bdcb6aa3d5000bf7f5ebc5518be5c91fd5a5)

Fixed typos in EVP_PKEY_decrypt.pod and RSA_public_encrypt.pod

CLA: trivial

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24304)

(cherry picked from commit f4601b6de709a89120c86ad825b70f65b332deed)

Fix intermittent sslapitest early data related failures

Early data is time sensitive. We have an approx 8 second allowance between
writing the early data and reading it. If we exceed that time tests will
fail. This can sometimes (rarely) occur in normal CI operation. We can try
and detect this and just ignore the result of such test failures if the test
has taken too long. We assume anything over 7 seconds is too long.

This is a partial fix for #22605

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23966)

(cherry picked from commit 1848c561ec39a9ea91ff1bf740a554be274f98b0)

Use OSSL_TIME instead of using arithmetic directly on time_t

We have functions for adding/subtracting time. We should use them.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23966)

(cherry picked from commit afb6ce0d0f5b8e88f8b4f420aba0a8e59f58934f)

Fix race for X509 store found by thread sanitizer

The following issue was found in automatic tests with thread sanitizer
builds in ClickHouse (which uses OpenSSL 3.2.1) [0].

The first stack [1] does proper locking (function 'x509_store_add',
x509_lu.c) but in the second stack [2], function 'get_cert_by_subject_ex'
(by_dir.b) forgets to lock when calling 'sk_X509_OBJECT_is_sorted'.

[0] https://github.com/ClickHouse/ClickHouse/issues/63049

[1] WARNING: ThreadSanitizer: data race (pid=1870)
  Write of size 4 at 0x7b08003d6810 by thread T552 (mutexes: write M0, write M1, write M2, write M3):
    #0 OPENSSL_sk_insert build_docker/./contrib/openssl/crypto/stack/stack.c:280:16 (clickhouse+0x203ad7e4) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b)
    #1 OPENSSL_sk_push build_docker/./contrib/openssl/crypto/stack/stack.c:401:12 (clickhouse+0x203ad7e4)
    #2 x509_store_add build_docker/./contrib/openssl/crypto/x509/x509_lu.c:419:17 (clickhouse+0x203d4a52) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b)
    #3 X509_STORE_add_cert build_docker/./contrib/openssl/crypto/x509/x509_lu.c:432:10 (clickhouse+0x203d48a2) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b)
    #4 X509_load_cert_file_ex build_docker/./contrib/openssl/crypto/x509/by_file.c:127:18 (clickhouse+0x203b74e6) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b)
    #5 get_cert_by_subject_ex build_docker/./contrib/openssl/crypto/x509/by_dir.c:333:22 (clickhouse+0x203b684c) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b)
    #6 X509_LOOKUP_by_subject_ex build_docker/./contrib/openssl/crypto/x509/x509_lu.c:105:16 (clickhouse+0x203d46ec) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b)
    #7 ossl_x509_store_ctx_get_by_subject build_docker/./contrib/openssl/crypto/x509/x509_lu.c:360:17 (clickhouse+0x203d46ec)
    #8 X509_STORE_CTX_get1_issuer build_docker/./contrib/openssl/crypto/x509/x509_lu.c:782:10 (clickhouse+0x203d56cb) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b)
    #9 get1_trusted_issuer build_docker/./contrib/openssl/crypto/x509/x509_vfy.c:3194:10 (clickhouse+0x203db4a9) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b)
    #10 build_chain build_docker/./contrib/openssl/crypto/x509/x509_vfy.c:3324:40 (clickhouse+0x203db4a9)
    #11 verify_chain build_docker/./contrib/openssl/crypto/x509/x509_vfy.c:240:15 (clickhouse+0x203dbe27) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b)
    #12 x509_verify_x509 build_docker/./contrib/openssl/crypto/x509/x509_vfy.c:358 (clickhouse+0x203d7fd8) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b)
    #13 X509_verify_cert build_docker/./contrib/openssl/crypto/x509/x509_vfy.c:293:56 (clickhouse+0x203d8215) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b)
    #14 ssl_verify_internal build_docker/./contrib/openssl/ssl/ssl_cert.c:496:13 (clickhouse+0x2019a2a4) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b)
    #15 ssl_verify_cert_chain build_docker/./contrib/openssl/ssl/ssl_cert.c:543:12 (clickhouse+0x2019a402) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b)
    #16 tls_post_process_server_certificate build_docker/./contrib/openssl/ssl/statem/statem_clnt.c:2072:9 (clickhouse+0x20227658) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b)
    #17 ossl_statem_client_post_process_message build_docker/./contrib/openssl/ssl/statem/statem_clnt.c:1159:16 (clickhouse+0x202272ee) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b)
    #18 read_state_machine build_docker/./contrib/openssl/ssl/statem/statem.c:712:35 (clickhouse+0x2021e96d) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b)
    #19 state_machine build_docker/./contrib/openssl/ssl/statem/statem.c:478:21 (clickhouse+0x2021e96d)
    #20 ossl_statem_connect build_docker/./contrib/openssl/ssl/statem/statem.c:297:12 (clickhouse+0x2021ddce) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b)
    #21 SSL_do_handshake build_docker/./contrib/openssl/ssl/ssl_lib.c:4746:19 (clickhouse+0x201a5781) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b)
    #22 SSL_connect build_docker/./contrib/openssl/ssl/ssl_lib.c:2208:12 (clickhouse+0x201a5893) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b)
    #23 Poco::Net::SecureSocketImpl::connectSSL(bool) build_docker/./base/poco/NetSSL_OpenSSL/src/SecureSocketImpl.cpp:206:11 (clickhouse+0x1d179567) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b)

[2] Previous read of size 4 at 0x7b08003d6810 by thread T553 (mutexes: write M4, write M5, write M6):
    #0 OPENSSL_sk_is_sorted build_docker/./contrib/openssl/crypto/stack/stack.c:490:33 (clickhouse+0x203adcff) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b)
    #1 get_cert_by_subject_ex build_docker/./contrib/openssl/crypto/x509/by_dir.c:423:10 (clickhouse+0x203b6d8f) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b)
    #2 X509_LOOKUP_by_subject_ex build_docker/./contrib/openssl/crypto/x509/x509_lu.c:105:16 (clickhouse+0x203d46ec) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b)
    #3 ossl_x509_store_ctx_get_by_subject build_docker/./contrib/openssl/crypto/x509/x509_lu.c:360:17 (clickhouse+0x203d46ec)
    #4 X509_STORE_CTX_get1_issuer build_docker/./contrib/openssl/crypto/x509/x509_lu.c:782:10 (clickhouse+0x203d56cb) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b)
    #5 get1_trusted_issuer build_docker/./contrib/openssl/crypto/x509/x509_vfy.c:3194:10 (clickhouse+0x203db4a9) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b)
    #6 build_chain build_docker/./contrib/openssl/crypto/x509/x509_vfy.c:3324:40 (clickhouse+0x203db4a9)
    #7 verify_chain build_docker/./contrib/openssl/crypto/x509/x509_vfy.c:240:15 (clickhouse+0x203dbe27) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b)
    #8 x509_verify_x509 build_docker/./contrib/openssl/crypto/x509/x509_vfy.c:358 (clickhouse+0x203d7fd8) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b)
    #9 X509_verify_cert build_docker/./contrib/openssl/crypto/x509/x509_vfy.c:293:56 (clickhouse+0x203d8215) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b)
    #10 ssl_verify_internal build_docker/./contrib/openssl/ssl/ssl_cert.c:496:13 (clickhouse+0x2019a2a4) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b)
    #11 ssl_verify_cert_chain build_docker/./contrib/openssl/ssl/ssl_cert.c:543:12 (clickhouse+0x2019a402) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b)
    #12 tls_post_process_server_certificate build_docker/./contrib/openssl/ssl/statem/statem_clnt.c:2072:9 (clickhouse+0x20227658) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b)
    #13 ossl_statem_client_post_process_message build_docker/./contrib/openssl/ssl/statem/statem_clnt.c:1159:16 (clickhouse+0x202272ee) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b)
    #14 read_state_machine build_docker/./contrib/openssl/ssl/statem/statem.c:712:35 (clickhouse+0x2021e96d) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b)
    #15 state_machine build_docker/./contrib/openssl/ssl/statem/statem.c:478:21 (clickhouse+0x2021e96d)
    #16 ossl_statem_connect build_docker/./contrib/openssl/ssl/statem/statem.c:297:12 (clickhouse+0x2021ddce) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b)
    #17 SSL_do_handshake build_docker/./contrib/openssl/ssl/ssl_lib.c:4746:19 (clickhouse+0x201a5781) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b)
    #18 SSL_connect build_docker/./contrib/openssl/ssl/ssl_lib.c:2208:12 (clickhouse+0x201a5893) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b)
    #19 Poco::Net::SecureSocketImpl::connectSSL(bool) build_docker/./base/poco/NetSSL_OpenSSL/src/SecureSocketImpl.cpp:206:11 (clickhouse+0x1d179567) (BuildId: 3ceefd39df36d762f06bf9aab19cfc3467e4558b)

CLA: trivial

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24295)

(cherry picked from commit af75373eeab6040aba243dd7629fb6f8244f2f5d)

ess_lib.c: Changed ERR_LIB_CMS to ERR_LIB_ESS

This fixes an incorrect error message.

Fixes #24224
CLA: trivial

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24290)

(cherry picked from commit 2d29a8a7e8ef42050d2b08ca8cec9e4d9f0a0bb7)

doc: clarify SSL_CIPHER_description allocation

Previously the documentation for `SSL_CIPHER_description` said:
> If buf is provided, it must be at least 128 bytes, otherwise a buffer
> will be allocated using OPENSSL_malloc().

In reality, `OPENSSL_malloc` is only invoked if the provided `buf`
argument is `NULL`. If the `buf` arg is not `NULL`, but smaller than
128 bytes, the function returns `NULL` without attempting to allocate
a new buffer for the description.

This commit adjusts the documentation to better describe the implemented
behaviour.

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23921)

(cherry picked from commit 6a4a714045415be6720f4165c4d70a0ff229a26a)

archive artifacts before upload

Some CI jobs produce a significant amount artifacts and it takes a lot
of time to upload them into GitHub artifacts storage. It will be much
faster to upload only one archive with artifacts.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24264)

(cherry picked from commit 58ffcbbdc3302a35cea317aeee6b76987907ee60)

updated to oqs-provider 0.6.0

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24261)

(cherry picked from commit 7b1829fa37922a37ef9259fc1bc4038829e4fd73)

82-test_ocsp_cert_chain.t: kill -HUP the server after client quits

This ensures even if the connection for some reason
fails, the server will terminate and the test won't get
stuck.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23857)

(cherry picked from commit f4fcc21fdccfde90bda6f8a94d7f4e07f947e38f)

82-test_ocsp_cert_chain.t: Terminate the server after 1 connection

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23857)

(cherry picked from commit 7054412ea8bb49d9522c3dd99982e41bf08c3ef7)

Add an Apple privacy info file for OpenSSL

Added PrivacyInfo.xcprivacy to os-dep/Apple/ dir.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24260)

(cherry picked from commit bde66e828dd2869d02225e4aab01d0983f242ae3)

Update perl-actions/install-with-cpanm version in CI

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/23613)

(cherry picked from commit 599bc929baa3c5496342641e028e4c482aed7449)

Remove all references to FLOSS for NonStop Builds.

FLOSS is no longer a dependency for NonStop as of the deprecation of the SPT
thread model builds.

Fixes: #24214
Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24217)

(cherry picked from commit 0339382abad578ccb3989799ea2fb99dfb2d099b)

Invoke tear_down when exiting test_encode_tls_sct() prematurely

Fixes #24121

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24222)

(cherry picked from commit 264ff64b9443e60c7c93af0ced2b22fdf622d179)

Be more explicit about RSAES-PKCS#1v1.5 error handling

And add a note how to perform side-channel free error stack handling.

Signed-off-by: Hubert Kario <hkario@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24159)

(cherry picked from commit 98161274636dca12e3bfafab7d2d2ac28f4d7c30)

Fix missing NULL check in prov_config_test

coverity-1596500 caught a missing null check.  We should never hit it as
the test harness always sets the environment variable, but lets add the
check for safety

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24208)

(cherry picked from commit 6ee369cd6ec751c03879da56178e75e2691e08cb)

fix sending error when no root CA cert update available

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24169)

(cherry picked from commit fc9649f61a8ac5f980da6807214fcbbbae1c45aa)

Fix migration guide mappings for i2o/o2i_ECPublicKey

Fixes #23854

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24041)

(cherry picked from commit 6594baf6457c64f6fce3ec60cb2617f75d98d159)

OSSL_STORE: Add reference docs for the built-in Windows store implementation

Fixes openssl/project#422

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24170)

(cherry picked from commit faa4a10ebe5095765262c0e3c711fca08026c3d4)

Fix up path generation to use OPENSSL_MODULES

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24025)

(cherry picked from commit 4e3c1e6206251c59855362d6d2edab4621c31dec)

Update modulepath test for provider config to skip if not present

If the p_test.so library isn't present, don't run the test

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24025)

(cherry picked from commit b80fed3f27ebe156b17246f7c12c5178cbe6834e)

Add test for OSSL_PROVIDER_load with module path set

Ensure that, with the modulepath setting set in a config field, that we
are able to load a provider from the path relative to OPENSSL_MODULES

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24025)

(cherry picked from commit 91a77cbf66c575345cf1eab31717e8edafcd1633)

set module path from template

Modules that aren't activated at conf load time don't seem to set the
module path from the template leading to load failures.  Make sure to
set that

Fixes #24020

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24025)

(cherry picked from commit bc9595963a45e28e6a8b2de45a6719c252bd3a3d)

QUIC TXP: Fix reserve calculations for PING frames

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24122)

(cherry picked from commit c3542b22fa3f14d7b6c970d4b2c38a737d6ed8a4)

.ctags.d is previous, include it in our tarballs

This is a simple change of .gitattributes, so our tarballs continue to
be a reproducible output of a util/mktar.sh (i.e. git archive with no
other funny business).

Fixes #24090

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24156)

(cherry picked from commit e1fd043ad7fa865a8ef9160c892b49a098d23c71)

Use scalar ALU and vector ALU together for chacha20 stream cipher

Fixes #24070

Use scalar ALU for 1 chacha block with rvv ALU simultaneously.
The tail elements(non-multiple of block length) will be handled by
the scalar logic.

Use rvv path if the input length > chacha_block_size.

And we have about 1.2x improvement comparing with the original code.

Reviewed-by: Hongren Zheng <i@zenithal.me>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24097)

(cherry picked from commit da8b6308bd7ad5b7c779aa2d9123bf5faacaec7f)

fuzz/decoder.c: Limit the EVP_PKEY_param_check on DHX keys as well

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24126)

(cherry picked from commit 8d8a0144303374f69f73fc944dd55c68600d15e5)

Handle empty param in EVP_PKEY_CTX_add1_hkdf_info

Fixes #24130
The regression was introduced in PR #23456.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24141)

(cherry picked from commit 299996fb1fcd76eeadfd547958de2a1b822f37f5)

OpenSSL 3.2.0, QUIC, macOS, error 56 on connected UDP socket

current `translate_msg()` function attempts to set `->msg_name`
(and `->msg_namelen`) with `BIO`'s peer name (connection destination)
regardless if underlying socket is connected or not. Such implementation
uncovers differences in socket implementation between various OSes.

As we have learned hard way `sendmsg()` and `sendmmsg()` on `OpenBSD`
and (`MacOS` too) fail to send messages with `->msg_name` being
set on connected socket. In such case the caller receives
`EISCON` errro.

I think `translate_msg()` caller should provide a hint to indicate
whether we deal with connected (or un-connected) socket. For
connected sockets the peer's name should not be set/filled
by `translate_msg()`. On the other hand if socket is un-connected,
then `translate_msg()` must populate `->msg_name` and `->msg_namelen`
members.

The caller can use `getpeername(2)` to see if socket is
connected. If `getpeername()` succeeds then we must be dealing
with connected socket and `translate_msg()` must not set
`->msg_name` and `->msg_namelen` members. If `getpeername(2)`
fails, then `translate_msg()` must provide peer's name (destination
address) in `->msg_name` and set `->msg_namelen` accordingly.

The propposed fix introduces `is_connected()` function,
which applies `getpeername()` to socket bound to `BIO` instance.
The `dgram_sendmmsg()` uses `is_connected()` as a hint
for `translate_msg()` function, so msghdr gets initialized
with respect to socket state.

The change also modifies existing `test/quic_client_test.c`
so it also covers the case of connected socket. To keep
things simple we can introduce optional argument `connect_first`
to `./quic_client_test` function. Without `connect_first`
the test run as usual. With `connect_first` the test creates
and connects socket first. Then it passes such socket to
`BIO` sub-system to perform `QUIC` connect test as usual.

Fixes #23251

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23396)

(cherry picked from commit c062403abd71550057b3647b01cc8af4cc2fc18c)

doc/fingerprints.txt: Add the future OpenSSL release key

This will be used for future releases

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24063)

(cherry picked from commit 4ffef97d3755a0425d5d72680daebfa07383b05c)

crypto/threads_pthread.c: refactor all atomics fallbacks for type safety

The atomics fallbacks were using 'void *' as a generic transport for all
possible scalar and pointer types, with the hypothesis that a pointer is
as large as the largest possible scalar type that we would use.

Then enters the use of uint64_t, which is larger than a pointer on any
32-bit system (or any system that has 32-bit pointer configurations).

We could of course choose a larger type as a generic transport.  However,
that only pushes the problem forward in time...  and it's still a hack.
It's therefore safer to reimplement the fallbacks per type that atomics
are used for, and deal with missing per type fallbacks when the need
arrises in the future.

For test build purposes, the macro USE_ATOMIC_FALLBACKS is introduced.
If OpenSSL is configured with '-DUSE_ATOMIC_FALLBACKS', the fallbacks
will be used, unconditionally.

Fixes #24096

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24123)

(cherry picked from commit a02077d4d7aeb0c99cc88cdfc7c131e48f98c4de)

crypto/threads_pthread.c: Cleanup misaligned preprocessor directives

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24123)

(cherry picked from commit 81f393498b333534111e320a33e3b244db06bbe9)

Adding missing NULL pointer check

CLA: trivial
In the provider store API, it is not necessary to provide both open and
attach method at the same time and providing at least one of them is
enough. Adding some null pointer checks to prevent exceptions in case
of not providing both methods at the same time.

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23703)

(cherry picked from commit bd73e1e62c4103e0faffb79cb3d34a2a92a95439)

list_provider_info(): Fix leak on error

Fixes #24110

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24117)

(cherry picked from commit 993c2407d04956ffdf9b32cf0a7e4938ace816dc)

ossl_provider_new(): Fix memory leak on error

Fixes #24095

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24100)

(cherry picked from commit 875db35ac63beb0e5a3d520743fa55ad2e5ccd1d)

make_addressPrefix(): Fix a memory leak in error case

Fixes #24098

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24102)

(cherry picked from commit 682ed1b86ebe97036ab37897d528343d0e4def69)

Fix duplicate mutex allocation in threads_win.c

Creating an rcu lock does a double allocation of the underlying mutex.
Not sure how asan didn't catch this, but we clearly have a duplicate
line here

Fixes #24085

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24086)

(cherry picked from commit 8e5918fb8eb90289a0c89f6a4c6d623ecf49cf43)

VMS: Move defining _XOPEN_SOURCE and  _XOPEN_SOURCE_EXTENDED to config target

For all other platforms that need these macros defined, that's how it's
done, so we have VMS follow suit.  That avoids a crash between in source
definitions and command line definitions on some other platforms.

Fixes #24075

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24083)

Add locking to atomic operations in rw/rcu tests

I neglected to add locks to the calls to CRYPTO_atomic_add in these
test, which on newer compilers is fine, as atomic operations are
defined.  However on older compilers the __ATOMIC_ACQ_REL definition is
missing causing these function to be implemented using an rwlock, which
when NULL causes the locks to fail.

Fix this my creating the lock and using them appropriately

Fixes #24000

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24001)

(cherry picked from commit 5f8b812931e5da24df08913c05ff8e4f4494f014)

crypto/provider_core.c: Allocate activatecnt_lock

CRYPTO_atomic_add has a lock as a parameter, which is often ignored, but in
some cases (for example, when BROKEN_CLANG_ATOMICS is defined) it is required.

There is no easy way to determine if the lock is needed or not. The current
logic looks like this:

    if defined(OPENSSL_THREADS) && !defined(CRYPTO_TDEBUG) && !defined(OPENSSL_SYS_WINDOWS)
      if defined(__GNUC__) && defined(__ATOMIC_ACQ_REL) && !defined(BROKEN_CLANG_ATOMICS)
        - It works without the lock, but in general the need for the
          lock depends on __atomic_is_lock_free results
      elif defined(__sun) && (defined(__SunOS_5_10) || defined(__SunOS_5_11))
        - The lock is not needed (unless ret is NULL, which should never
          happen?)
      else
        - The lock is required
      endif
    else
      - The lock is not needed
    endif

Adding such conditions outside of crypto.h is error-prone, so it is better to
always allocate the lock, otherwise CRYPTO_atomic_add may silently fail.

Fixes #23376.

CLA: trivial
Fixes: fc570b2605 ("Avoid taking a write lock in ossl_provider_doall_activated()")
Signed-off-by: Oleg Bulatov <oleg@bulatov.me>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24081)

(cherry picked from commit 2fd6c12e85ec7558cbdee08033f822c42ee0f5d4)

Change approach to SSL_pending API

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24040)

QUIC APL: Fix default stream creation on server side

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24040)

QUIC APL: Revise SSL_pending and SSL_has_pending handling for s_client compat

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24040)

QUIC QSM: Add function to determine if data is waiting

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24040)

Fix typos found by codespell in openssl-3.3 doc

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24014)

Document that private and pairwise checks are not bounded by key size

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/24049)

(cherry picked from commit 27005cecc75ec7a22a673d57fc35a11dea30ac0a)

fuzz/decoder.c: Limit the key sizes on which checks are run

In particular the DH safe prime check will be limited to 8192 bits
and the private and pairwise checks are limited to 16384 bits on
any key types.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/24049)

(cherry picked from commit 9fc61ba0a74dfd910c4e96e711291555ac64b2b4)

Fix socket descriptor checks on Windows

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24035)

(cherry picked from commit c89baf871030c811ba316ccbdcea26c294f605ae)

man EVP_PKEY_CTX_set_params: document params is a list

Signed-off-by: Hubert Kario <hkario@redhat.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23986)

(cherry picked from commit 9b87c5a3ffa1ca233be96dd0bce812c04bad53fe)

aarch64: fix BTI in bsaes assembly code

Change-Id: I63f0fb2af5eb9cea515dec96485325f8efd50511

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/23982)

(cherry picked from commit 88c74fe05bb4ea21aaba648a5cabd6665e40e3a5)

Ensure proper memory barriers around ossl_rcu_deref/ossl_rcu_assign_ptr

Since the addition of macos14 M1 runners in our CI jobs we've been
seeing periodic random failures in the test_threads CI job.
Specifically we've seen instances in which the shared pointer in the
test (which points to a monotonically incrementing uint64_t went
backwards.

From taking a look at the disassembled code in the failing case, we see
that __atomic_load_n when emitted in clang 15 looks like this
0000000100120488 <_ossl_rcu_uptr_deref>:
100120488: f8bfc000     ldapr   x0, [x0]
10012048c: d65f03c0     ret

Notably, when compiling with gcc on the same system we get this output
instead:
0000000100120488 <_ossl_rcu_uptr_deref>:
100120488: f8bfc000     ldar   x0, [x0]
10012048c: d65f03c0     ret

Checking the arm docs for the difference between ldar and ldapr:
https://developer.arm.com/documentation/ddi0602/2023-09/Base-Instructions/LDAPR--Load-Acquire-RCpc-Register-
https://developer.arm.com/documentation/dui0802/b/A64-Data-Transfer-Instructions/LDAR

It seems that the ldar instruction provides a global cpu fence, not
completing until all writes in a given cpus writeback queue have
completed

Conversely, the ldapr instruction attmpts to achieve performance
improvements by honoring the Local Ordering register available in the
system coprocessor, only flushing writes in the same address region as
other cpus on the system.

I believe that on M1 virtualized cpus the ldapr is not properly ordering
writes, leading to an out of order read, despite the needed fencing.
I've opened an issue with apple on this here:
https://developer.apple.com/forums/thread/749530

I believe that it is not safe to issue an ldapr instruction unless the
programmer knows that the Local order registers are properly configured
for use on the system.

So to fix it I'm proposing with this patch that we, in the event that:
1) __APPLE__ is defined
AND
2) __clang__ is defined
AND
3) __aarch64__ is defined

during the build, that we override the ATOMIC_LOAD_N macro in the rcu
code such that it uses a custom function with inline assembly to emit
the ldar instruction rather than the ldapr instruction.  The above
conditions should get us to where this is only used on more recent MAC
cpus, and only in the case where the affected clang compiler emits the
offending instruction.

I've run this patch 10 times in our CI and failed to reproduce the
issue, whereas previously I could trigger it within 5 runs routinely.

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23974)

(cherry picked from commit f5b5a35c84626823364b0c8535b968c106690a56)

Downgrade also the download-artifact action

It has to have the same version as upload-artifact.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24065)

(cherry picked from commit 65fe3e846f7c34f68ce82c6e9501d7309d196e06)

Add docs noting requirements for SM2 signing

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23887)

(cherry picked from commit 4feb4a2b2cb7c45c0392e03453a658f29bd70bd2)

Add check for public key presence on sm2 signing

SM2 requires that the public EC_POINT be present in a key when signing.
If its not there we crash on a NULL pointer.  Add a check to ensure that
its present, and raise an error if its not

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23887)

(cherry picked from commit d6a8adeccdb8188517c5a84d35b79ef826176472)

APPS: Add missing OPENSSL_free() and combine the error handler

Add the OPENSSL_free() in the error handler to release the "*md_value"
allocated by app_malloc(). To make the code clear and avoid possible
future errors, combine the error handler in the "err" tag.
Then, we only need to use "goto err" instead of releasing the memory
separately.

Since the EVP_MD_get_size() may return negative numbers when an error occurs,
create_query() may fail to catch the error since it only considers 0 as an
error code.

Therefore, unifying the error codes of create_digest() from non-positive
numbers to 0 is better, which also benefits future programming.

Fixes: c7235be ("RFC 3161 compliant time stamp request creation, response generation and response verification.")
Signed-off-by: Jiasheng Jiang <jiasheng@purdue.edu>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/23873)

(cherry picked from commit beb82177ddcd4b536544ceec92bb53f4d85d8e91)

Fix "Error finalizing cipher loop" when running openssl speed -evp -decrypt

When using CCM, openssl speed uses the loop function EVP_Update_loop_ccm() which
sets a (fake) tag when decrypting. When using -aead (which benchmarks a different
sequence than normal, to be comparable to TLS operation), the loop function
EVP_Update_loop_aead() is used, which also sets a tag when decrypting.

However, when using defaults, the loop function EVP_Update_loop() is used, which
does not set a tag on decryption, leading to "Error finalizing cipher loop".

To fix this, set a fake tag value if we're doing decryption on an AEAD cipher in
EVP_Update_loop(). We don't check the return value: this shouldn't really be able
to fail, and if it does, the following EVP_DecryptUpdate() is almost certain to
fail, so that can catch it.

The decryption is certain to fail (well, almost certain, but with a very low
probability of success), but this is no worse than at present. This minimal
change means that future benchmarking data should be comparable to previous
benchmarking data.

(This is benchmarking code: don't write real apps like this!)

Fixes #23657

Change-Id: Id581cf30503c1eb766464e315b1f33914040dcf7

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23757)

(cherry picked from commit b3be6cc89e4dcfafe8f8be97e9519c26af2d19f5)

Fix EVP_PKEY_CTX_add1_hkdf_info() behavior

Fix #23448

`EVP_PKEY_CTX_add1_hkdf_info()` behaves like a `set1` function.

Fix the setting of the parameter in the params code.
Update the TLS_PRF code to also use the params code.
Add tests.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23456)

(cherry picked from commit 6b566687b58fde08b28e3331377f050768fad89b)

Add demo for ECDH key exchange

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22916)

(cherry picked from commit 56e4d112ae226d5fa0210cd1f0dd96e6857805fd)

Prepare for 3.3.1

Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes

Prepare for release of 3.3.0

Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes

make update

Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes