Prepare for release of 3.1.5

Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes

make update

Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes

Copyright year updates

Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes

Update CHANGES.md and NEWS.md for new release

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes
(Merged from https://github.com/openssl/openssl/pull/23423)

Have OSSL_PARAM_allocate_from_text() fail on odd number of hex digits

The failure would be caught later on, so this went unnoticed, until someone
tried with just one hex digit, which was simply ignored.

Fixes #23373

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23374)

(cherry picked from commit ea6268cfceaba24328d66bd14bfc97c4fac14a58)

Add some tests for various PKCS12 files with NULL ContentInfo

PKCS7 ContentInfo fields held within a PKCS12 file can be NULL, even if the
type has been set to a valid value. CVE-2024-0727 is a result of OpenSSL
attempting to dereference the NULL pointer as a result of this.

We add test for various instances of this problem.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23362)

Add NULL checks where ContentInfo data can be NULL

PKCS12 structures contain PKCS7 ContentInfo fields. These fields are
optional and can be NULL even if the "type" is a valid value. OpenSSL
was not properly accounting for this and a NULL dereference can occur
causing a crash.

CVE-2024-0727

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23362)

Fix a possible memory leak in req_main

if the private key is output to stdout using the HARNESS_OSSL_PREFIX,
out is a stack of BIOs and must therefore free'd using BIO_free_all.

Steps to reproduce:

$ HARNESS_OSSL_PREFIX=x OPENSSL_CONF=apps/openssl.cnf util/shlib_wrap.sh apps/openssl req -new -keyout - -passout pass: </dev/null
[...]
Direct leak of 128 byte(s) in 1 object(s) allocated from:
    #0 0x7f6f692b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x7f6f686eda00 in CRYPTO_malloc crypto/mem.c:202
    #2 0x7f6f686edba0 in CRYPTO_zalloc crypto/mem.c:222
    #3 0x7f6f68471bdf in BIO_new_ex crypto/bio/bio_lib.c:83
    #4 0x7f6f68491a8f in BIO_new_fp crypto/bio/bss_file.c:95
    #5 0x555c5f58b378 in dup_bio_out apps/lib/apps.c:3014
    #6 0x555c5f58f9ac in bio_open_default_ apps/lib/apps.c:3175
    #7 0x555c5f58f9ac in bio_open_default apps/lib/apps.c:3203
    #8 0x555c5f528537 in req_main apps/req.c:683
    #9 0x555c5f50e315 in do_cmd apps/openssl.c:426
    #10 0x555c5f4c5575 in main apps/openssl.c:307
    #11 0x7f6f680461c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: 128 byte(s) leaked in 1 allocation(s).

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23365)

(cherry picked from commit ff78d94b131d7bb3b761509d3ce0dd864b1420e3)

ci.yml: Replace actions-rs/toolchain@v1 with dtolnay/rust-toolchain

actions-rs/toolchain is unmaintained and generates warnings

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23232)

(cherry picked from commit cd5911a6b300453eefb4b6d9d797c9d1cdefb956)

tlsfuzzer.sh: Use python3

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23342)

(cherry picked from commit 15f479e25f9591a2749fabb436dcdfb9304c5c7b)

tlsfuzzer.sh: Make it more informative on errors

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23342)

(cherry picked from commit 825b7cb16e0624d81421441949e843e9876c81f9)

tlsfuzzer.sh: Run openssl version on the built app and not system one

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23342)

(cherry picked from commit 150b3b18dfde317621a6bf26acfe0d06193e52fd)

gost_engine.sh: Set OPENSSL_ENGINES_DIR

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23342)

(cherry picked from commit 017c7cf2bb5f5461071d9e992eb3206c34a69c2c)

Uninitialized array variable

array"key" is uninitialized and it is being read directly in function SipHash_Init() as per the below statements making a way for the garbage values :
uint64_t k0 = U8TO64_LE(k);
uint64_t k1 = U8TO64_LE(k + 8);

CLA: trivial

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23298)

(cherry picked from commit a0826b184eed2dccc56cdf80e3e0bc061cc89ddc)

Document SSL_R_UNEXPECTED_EOF_WHILE_READING

Also document that it is ok to use this for control flow decisions.

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23327)

X509_dup.pod: add caveat that extra data is not copied and hints, e.g., to use X509_up_ref() instead

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23043)

(cherry picked from commit 66adaf2b31bb51e00ffad784f60bdf195e5dd736)

Add a deprecation warning for a function in docs

The function in question is SSL_get_peer_certificate()

CLA: trivial

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23315)

(cherry picked from commit 3e938453be47751d50917e25b8f7334b482844b3)

Check whether the pubkey exists in ossl_ecx_key_dup

Signed-off-by: lan1120 <lanming@huawei.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22984)

(cherry picked from commit aac531e5daa2edec5d47e702a7f115cf77fe07f9)

Error in s_server when -rev option is used with dtls.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23278)

(cherry picked from commit 575117efe1e0eb8073c2d26ae3dff8926be00591)

Add CHANGES.md and NEWS.md entries for CVE-2023-6237

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23243)

(cherry picked from commit 38b2508f638787842750aec9a75745e1d8786743)

Limit the execution time of RSA public key check

Fixes CVE-2023-6237

If a large and incorrect RSA public key is checked with
EVP_PKEY_public_check() the computation could take very long time
due to no limit being applied to the RSA public key size and
unnecessarily high number of Miller-Rabin algorithm rounds
used for non-primality check of the modulus.

Now the keys larger than 16384 bits (OPENSSL_RSA_MAX_MODULUS_BITS)
will fail the check with RSA_R_MODULUS_TOO_LARGE error reason.
Also the number of Miller-Rabin rounds was set to 5.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23243)

(cherry picked from commit e09fc1d746a4fd15bb5c3d7bbbab950aadd005db)

Fix arithmetic expression overflow

If the value of a->length is large (>= 2^12), then an integer overflow will
occur for the signed type, which according to the C standard is UB.

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23274)

(cherry picked from commit 486ab0fb003d05f89620662260486d31bd3faa8c)

Add test/recipes/15-test_gensm2.t, to test SM2 key generation results

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22529)

(cherry picked from commit d4d9b57530b2ecdca6b4263b5841b42c820e5275)

Fix the encoding of SM2 keys

OpenSSL's encoding of SM2 keys used the SM2 OID for the algorithm OID
where an AlgorithmIdentifier is encoded (for encoding into the structures
PrivateKeyInfo and SubjectPublicKeyInfo).

Such keys should be encoded as ECC keys.

Fixes #22184

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22529)

(cherry picked from commit 1d490694dfa790d8e47f8f2ea62ea1d9b1251179)

Fix NULL pointer deref when parsing the stable section

When parsing the stable section of a config such as this:
openssl_conf = openssl_init
[openssl_init]
stbl_section = mstbl
[mstbl]
id-tc26 = min

Can lead to a SIGSEGV, as the parsing code doesnt recognize min as a
proper section name without a trailing colon to associate it with a
value.  As a result the stack of configuration values has an entry with
a null value in it, which leads to the SIGSEGV in do_tcreate when we
attempt to pass NULL to strtoul.

Fix it by skipping any entry in the config name/value list that has a
null value, prior to passing it to stroul

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22988)

(cherry picked from commit 0981c20f8efa68bf9d68d7715280f83812c19a7e)

Add tests for re-using cipher contexts

Add test case for re-using a cipher context with the same key, iv and
cipher. It detects, if the hardware-specific cipher context is reset
correctly, like reported in issue #23175.

This test has encrypt and decrypt iterations for cfb128 and
ofb128. All iteations use the same key, iv and plaintext.

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23201)

(cherry picked from commit 3cb1b51dddf4deaf5e3886b827f3245d81670bc7)

Fix partial block encryption in cfb and ofb for s390x (legacy)

Use the number of processed bytes information (num) from the generic
cipher context for the partial block handling in cfb and ofb also in
s390x-legacy code. For more details see 4df92c1a14 ("Fix partial block
encryption in cfb and ofb for s390x").

Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23201)

(cherry picked from commit f9ccd209c3d121668c51a992613c698f2a774cb3)

Fix partial block encryption in cfb and ofb for s390x

Use the number of processed bytes information (num) from the generic
cipher context for the partial block handling in cfb and ofb, instead
of keep this information in the s390x-specific part of the cipher
context. The information in the generic context is reset properly,
even if the context is re-initialized without resetting the key or iv.

Fixes: #23175
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23201)

(cherry picked from commit 576a3572bebf6115df1c03527114cbf74d06f861)

Update Docs for EVP_MAC

For GMAC/CMAC, its not possible to re-init the algorithm without
explicitly passing an OSSL_MAC_PARAM_IV to each init call, as it is
not possible to extract the IV value from the prior init call (be it
explicitly passed or auto generated).  As such, document the fact that
re-initalization requires passing an IV parameter

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23235)

(cherry picked from commit 7c1d533a512181b13de3bc0b7fa2fd8c481032d3)

evp_fetch.c: Check meth_id instead of name_id

Fixes #23226

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23238)

(cherry picked from commit da840c3775f52fc9766c654b5ad6ee031ffc9fd9)

Fix a similar memory leak in SXNET_add_id_INTEGER

Even in the good case there was memory leak here.
Add a simple test case to have at least some test coverage.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23234)

(cherry picked from commit 398011848468c7e8e481b295f7904afc30934217)

Fix a possible memory leak in sxnet_v2i

When a subsequent call to SXNET_add_id_asc fails
e.g. because user is a string larger than 64 char
or the zone is a duplicate zone id,
or the zone is not an integer,
a memory leak may be the result.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23234)

(cherry picked from commit 0151e772195fc03cce0f12e5e266e51dc15243a0)

Add CHANGES.md and NEWS.md entries for CVE-2023-6129

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23200)

(cherry picked from commit 858c7bc210a406cc7f891ac2aed78692d2e02937)

poly1305-ppc.pl: Fix vector register clobbering

Fixes CVE-2023-6129

The POLY1305 MAC (message authentication code) implementation in OpenSSL for
PowerPC CPUs saves the the contents of vector registers in different order
than they are restored. Thus the contents of some of these vector registers
is corrupted when returning to the caller. The vulnerable code is used only
on newer PowerPC processors supporting the PowerISA 2.07 instructions.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23200)

(cherry picked from commit 8d847a3ffd4f0b17ee33962cf69c36224925b34f)

Avoid memory leak if SXNET_add_id_INTEGER() fails

Fixes Coverity 1560046

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23211)

(cherry picked from commit 7054fc1ca3945342777f588fba43b77f669509ad)

Add missing sm4_ccm_dupctx() and sm4_gcm_dupctx()

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23217)

VMS: Add the missing -p32 and -p64 variants for x86_64

The pointer size support is already in the code, and is present for
all other supported hardwares.

Fixes #22899

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23081)

(cherry picked from commit a43f253d586279b5d96fffcaf1b26c7a2b0dd938)

Fix VMS installation - update vmsconfig.pm for consistency

An effort was made to update the VMS installation data to align with
configuration data.  This touched the script templates in VMS/, but
didn't update the generation of vmsconfig.pm to match...  and also
missed a spot.

This change adds the missing updates

Ref:
https://github.com/openssl/openssl/pull/16842

Fixes #22899

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23081)

(cherry picked from commit 4058e121cbc6818235b0dcb618e636ce3c4d1f2f)

cleanse stack variable in kdf_pbkdf1_do_derive

kdf_pbkdf1_do_derive stores key derivation information in a stack
variable, which is left uncleansed prior to returning.  Ensure that the
stack information is zeroed prior to return to avoid potential leaks of
key information

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23194)

(cherry picked from commit 5963aa8c196d7c5a940a979299a07418527932af)

Validate config options during x509 extension creation

There are several points during x509 extension creation which rely on
configuration options which may have been incorrectly parsed due to
invalid settings.  Preform a value check for null in those locations to
avoid various crashes/undefined behaviors

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23183)

(cherry picked from commit bac7e687d71b124b09ad6ad3e15be9b38c08a1ba)

fixup! Adding interop tests

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22726)

(cherry picked from commit b062a3c552bf283319dede3437598f1747730053)

Adding interop tests

Fedora has some fairly nice interoperability tests that we can leverage
to build a PR and test it against gnutls and nss libraries.  This commit
adds the interop-tests.yml ci job to do that work, and run the interop
tests from beaker.

Fixes #20685

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22726)

(cherry picked from commit 83783dd16e767483020e5b2dc3b1c0ac26520917)

Update workflow to use GITHUB_WORKSPACE

It was pointed out the GITHUB_WORKSPACE points to the container path of
the workspace, so we can use it instead of hardcoding the
__w/openssl/openssl path

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22726)

(cherry picked from commit 638ad52ae53ece2e870984430493e454f75d048a)

Adding interop tests

Fedora has some fairly nice interoperability tests that we can leverage
to build a PR and test it against gnutls and nss libraries.  This commit
adds the interop-tests.yml ci job to do that work, and run the interop
tests from beaker.

Fixes #20685

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22726)

(cherry picked from commit 337eb99c8474ed380f3aa6fbd6b2a4ab5d39aa26)

Fix a key repointing in various ciphers

In the dupctx fixups I missed a pointer that needed to be repointed to
the surrounding structures AES_KEY structure for the sm4/aes/aria
ccm/gcm variants.  This caused a colliding use of the key and possible
use after free issues.

Fixes #22076

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23102)

(cherry picked from commit 0398bc20080de037a8433fe81cfdef3ba0ec9d4c)

Add dupctx support to rc4_hmac_md5 algo

Pretty straightforward, just clone the requested context, no pointers to
fixup

Fixes #21887

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23102)

(cherry picked from commit f9163efe96e218adeae2a0dc6a4cbef568f395ee)

implement dupctx for chacha20_poly1305

Same as chacha20 in the last commit, just clone the ctx and its
underlying tlsmac array if its allocated

Fixes #21887

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23102)

(cherry picked from commit e7ef50c3e3b670a476aa0e864da5b5cc874b3528)

implement dupctx for aes_WRAP methods

create a dupctx method for aes_WRAP implementations of all sizes

Fixes #21887

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23102)

(cherry picked from commit a5bea0a8d423c7e52052d903b99f75034e78cecf)

Add dupctx support to aead ciphers

Add dupctx method support to to ciphers implemented with IMPLEMENT_aead_cipher
This includes:
aes-<kbits>-gcm
aria-<kbits>-ccm
aria-<kbits>-gcm

Fixes #21887

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23102)

(cherry picked from commit 879a853a1dc968fb010e5bf17d2e8888acc70742)

make inability to dup/clone ciphers an error

There should be no reason that a cipher can't be duplicated

Fixes #21887

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23102)

(cherry picked from commit 58a6aa0c9fe6abad996f45c6b452983035db7105)

fix buildtest job runner

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23203)

add missing doc of X509_REQ_get_extensions() and X509_REQ_add_extensions{,_nid}()

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(cherry picked from commit 47dc828c6b652feb9cef5b0e4186d010986f197c)

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23190)

Clarify the PKCS12 docs

Issue #23151 asks a question about the meaning of the PKCS12
documentation. This PR attempts to clarify how friendlyName and localKeyID
are added to the PKCS12 structure.

Fixes #23151

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23188)

(cherry picked from commit 3348713ad390372ba5a0a0f98b46b2f637475e47)

cleanse stack variable in blake2[b|s] finalization

If the output of a blake2[b|s] digest isn't a multipl of 8, then a stack
buffer is used to compute the final output, which is left un-zeroed
prior to return, allowing the potential leak of key data.  Ensure that,
if the stack variable is used, it gets cleared prior to return.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23173)

(cherry picked from commit 8b9cf1bc2c3085b6e9493a057209ffd0bddf48a6)

validate requested key length in kdf_pbkdf1_do_derive

When using pbkdf1 key deriviation, it is possible to request a key
length larger than the maximum digest size a given digest can produce,
leading to a read of random stack memory.

fix it by returning an error if the requested key size n is larger than
the EVP_MD_size of the digest

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23174)

(cherry picked from commit 8d89050f0f676b429043fd5445e5a570d54ad225)

provider-keymgmt.pod: fix typo

Fix a typo from asymmmetric to asymmetric

CLA: trivial

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23164)

(cherry picked from commit cf8fea86f73c4606f132133cb34c07f8dad42482)

Add missing documentation for X509_ATTRIBUTE related functions.

Partial fix for #8026

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22656)

(cherry picked from commit f1f0731ddf6cb31d62a2c0f406b009ae9817ed7f)

Allow duplicate CMS attributes

Fixes regression introduced with https://github.com/openssl/openssl/pull/21505

Fixes #22266

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23029)

(cherry picked from commit d7e707cb4983a35b1a265c6042da410d829f3b19)

gate calling of evp_method_id on having a non-zero name id

If a name is passed to EVP_<OBJ>_fetch of the form:
name1:name2:name3

The names are parsed on the separator ':' and added to the store, but
during the lookup in inner_evp_generic_fetch, the subsequent search of
the store uses the full name1:name2:name3 string, which fails lookup,
and causes subsequent assertion failures in evp_method_id.

instead catch the failure in inner_evp_generic_fetch and return an error
code if the name_id against a colon separated list of names fails.  This
provides a graceful error return path without asserts, and leaves room
for a future feature in which such formatted names can be parsed and
searched for iteratively

Add a simple test to verify that providing a colon separated name
results in an error indicating an invalid lookup.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/23110)

(cherry picked from commit 94be985cbcc1f0a5cf4f172d4a8d06c5c623122b)

doc: fix "the a" typos (and other things nearby)

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/23068)

(cherry picked from commit aa3347ba9d670a747b46974ce46f2ed9ecb38662)

Add missing settable entry OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST_PROPS for RSA asym

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20319)

(cherry picked from commit 26183614ed1dc03f509f26839b8a465684ca0f84)

Limit RSA-OAEP related functions to RSA keys only

Make EVP_PKEY_CTX_set_rsa_oaep_md() and
EVP_PKEY_CTX_get_rsa_oaep_md_name() only work for RSA keys.

Since these calls use "digest" as a OSSL_PARAM, they should not
work for other key types.

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20319)

(cherry picked from commit 0c3eb31b55d3c1544e4e044c2e3c939655bac93d)

Fix memleak in rsa_cms_decrypt

If a call to EVP_PKEY_CTX_set_rsa_mgf1_md() fails then the caller
needs to free the label.

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20319)

(cherry picked from commit d32dd65053431ee744d213b336b9a03a035807e6)

Fixed windows compilation issue

Fixed - Windows compilation issue - unbale to find correct definitions of _InterlockedExchangeAdd.
Issue number - https://github.com/openssl/openssl/issues/21080

CLA: trivial

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23087)

(cherry picked from commit aa50768bf6d0a987028175c4a3cac8a142b15941)

Fix a possible memory leak in dh_cms_encrypt

Add a missing check of the return code of X509_ALGOR_set0,
otherwise the ASN1_STRING object wrap_str may be leaked.

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22998)

AES: Document that the XTS, SIV, WRAP modes do not support streaming

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23028)

(cherry picked from commit 8f0f814d791e0825b96c30494594de619da3e5a5)

Detect and prevent recursive config parsing

If a malformed config file is provided such as the following:

openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
 = provider_sect

The config parsing library will crash overflowing the stack, as it
recursively parses the same provider_sect ad nauseum.

Prevent this by maintaing a list of visited nodes as we recurse through
referenced sections, and erroring out in the event we visit any given
section node more than once.

Note, adding the test for this revealed that our diagnostic code
inadvertently pops recorded errors off the error stack because
provider_conf_load returns success even in the event that a
configuration parse failed. The call path to provider_conf_load has been
updated in this commit to address that shortcoming, allowing recorded
errors to be visibile to calling applications.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22898)

(cherry picked from commit 682fd21afb5428b5716e62eaefb09a7419f9cfd7)

Bump actions/setup-python from 4.7.1 to 5.0.0

Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.7.1 to 5.0.0.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](https://github.com/actions/setup-python/compare/v4.7.1...v5.0.0)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
CLA: trivial

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22963)

(cherry picked from commit 51c85496dc227f277adbe0748d596e07d9a34bc2)

Fix a possible memory leak in ossl_x509_algor_md_to_mgf1

Add a missing check of the return code of X509_ALGOR_set0.
otherwise a memory leak may occur.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22999)

Fix provider compatibility check crash in evp_test

EVP_MAC_CTX_get_mac_size() cannot be called on older
unfixed versions before EVP_MAC_init().

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/23008)

Fix no-des failure in test_cms

The newly introduced test case do not work
when configured with no-des, fix that by
choosing -aes128 as cipher.

Fixes ffed597882ba ("cms: avoid intermittent test failure")

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23086)

(cherry picked from commit 5b4f4474b2562c4422193e1719461a0ef5cbc3e5)

ci.yml: Fix bad conflict fix in backported patch

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23090)

Consolidate raising errors in SSL_CONF_cmd()

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/23048)

(cherry picked from commit 430dcbd0463573fece704263648cc15e891c3d49)

Test that incorrect entry in the ssl section is not fatal

The following entries should be still applied.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/23048)

(cherry picked from commit 17b4277d9ac6665e9b53a6270949418154cab2dc)

Always apply all configuration settings from the ssl section

Even if some configuration entry is incorrect, do not
skip the remaining ones.

Fixes #20789

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/23048)

(cherry picked from commit 69c067ffbc2c02295e20c90e557b6fcb2f7da69c)

run Windows GitHub CI workflow on self-hosted runners

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23042)

(cherry picked from commit ce42b72cb1ca2ba8669bc28a70ed9dca28b7a551)

run GitHub CI workflow on self-hosted runners

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23042)

(cherry picked from commit 834a2d7088a042a4f8f95fa2b8327fd388556151)

run Cross Compiles workflow on self-hosted runner

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23042)

(cherry picked from commit 625287bc80129deedab7484ee4c0ac112ae874a0)

cms: avoid intermittent test failure

If you decrypt a random input using RSAES-PKCS-v1_5, then there is a
non-negligible chance that the result will look like a valid plaintext
(that is why RSAES-PKCS-v1_5 shouldn't be used anymore).  This was the
cause of an intermittent failure in a test that did a cms-encrypt
operation targetting multiple recipients.

The failure happened during key-only decrypt.  The recipient decrypts
every RSA ciphertext -- only one is supposed to decrypt successfully,
which would reveal the right content-key.  Occassionally, more than
one decrypted successfully.

Update the test by specifying the recipient cert in the decrypt op
(this avoids looping over all RSA ciphertexts).

Add a new test to get coverage for key-only decrypt, but use RSA-OAEP
during the encrypt op.

Fixes https://github.com/openssl/project/issues/380

Testing:

  $ make TESTS='test_cms' test

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23055)

(cherry picked from commit ffed597882baf2f07274e7eaa8f3c4fa9fa74ac1)

Define L_ENDIAN for linux64-loongarch64

In commit d7c0fc5b1a7b5cb2219f8d89a861f3879582fc16 we removed L_ENDIAN
definition for guessed linux64-loongarch64 as it had caused an
inconsistency between configurations with and without explicit
specifying linux64-loongarch64.  Now add it back to the proper location.

Unlike MIPS or RISC-V, LoongArch is always little-endian [1].

By the way, change "LOONGARCH" to "LoongArch" in a comment as LOONGARCH
should only appear in the identifiers of macros, constants, etc.

[1]:https://loongson.github.io/LoongArch-Documentation/LoongArch-Vol1-EN.html#endian

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23064)

(cherry picked from commit e1002c84725a64b6a097f3155dc6851b57f7ba8e)

Bump actions/upload-artifact from 3 to 4

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3 to 4.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
CLA: trivial

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23053)

(cherry picked from commit 1ee0560f43a38d3a2de6c2cd2cacb0879c75cf46)

Fix instructions for running tests on Windows

In the command `nmake TEST='foo' test`, on Windows the runner
will look for test `'foo'` and complain about the test not being found
(due to the extraneous single quotes), whereas with `nmake TEST="foo" test`,
the test `foo` will be correctly found.

CLA: trivial

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23059)

(cherry picked from commit cf424d1da05b3cd928c97596af08e260429b308c)

LHASH: Document down_load functions

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23032)

(cherry picked from commit f8c75e053569cdcbf0d39620e28b4044f1be04f1)

LHASH: Fix documentation for doall-delete hazards

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23032)

(cherry picked from commit e91f21193c1b11de775e65b4e209a9fed67a41c1)

Harden asn1 oid loader to invalid inputs

In the event that a config file contains this sequence:
=======
openssl_conf = openssl_init

config_diagnostics = 1

[openssl_init]
oid_section = oids

[oids]
testoid1 = 1.2.3.4.1
testoid2 = A Very Long OID Name, 1.2.3.4.2
testoid3 = ,1.2.3.4.3
======

The leading comma in testoid3 can cause a heap buffer overflow, as the
parsing code will move the string pointer back 1 character, thereby
pointing to an invalid memory space

correct the parser to detect this condition and handle it by treating it
as if the comma doesn't exist (i.e. an empty long oid name)

(cherry picked from commit a552c23c6502592c1b3c67d93dd7e5ffbe958aa4)

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23034)

(cherry picked from commit d802bfbf80bab00123a4a6209f255852b3a10207)

CONTRIBUTING.md: add reference to util/check-format.pl and fix several nits

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22911)

(cherry picked from commit 260d97229c467d17934ca3e2e0455b1b5c0994a6)

doc: fix list display in man page

"=over 1" is too small.  Use "=over 2" so that list items are
displayed correctly in the generated man-page.

You can check the man-page using the following command:

  cd doc && pod2man man3/OSSL_PARAM_int.pod | man /dev/stdin

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/22974)

(cherry picked from commit 7f4bf1857321d2a2ebcbbb2742946a965e463b79)

Enable BTI feature for md5 on aarch64

Fixes: #22959
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22971)

(cherry picked from commit ad347c9ff0fd93bdd2fa2085611c65b88e94829f)

ossl-params: check length returned by strlen()

In param_build.c, the functions OSSL_PARAM_BLD_push_utf8_string() and
OSSL_PARAM_BLD_push_utf8_ptr() use strlen() to compute the length of
the string when bsize is zero.  However, the size_t returned by
strlen() might be too large (it is stored in an intermediate "int"),
so check for that.

There are analogous functions in params.c, but they do not use an
intermediate "int" to store the size_t returned by strlen().  So there
is some inconsistency between the implementations.

Credit to Viktor D and Tomas M for spotting these missing checks.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22967)

(cherry picked from commit d4d6694aa710c9970410a6836070daa6486a0ac0)

provider-storemgmt.pod: fix nits (unclosed '<' around name)

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22942)

(cherry picked from commit a149e8e108263718daede1858d2855d68dde5652)

Fix a possible memleak in opt_verify

The ASN1_OBJECT otmp was leaked if X509_VERIFY_PARAM_add0_policy fails.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22922)

(cherry picked from commit d6688e45fa2f987f3ffd324e19922468beee5ddc)

Fix a possible memleak in apps/rehash.c

The OPENSSL_DIR_end was missing in case of error.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22920)

(cherry picked from commit 01709fcb8b609cfc47e277d20492c333bafb113e)

Fix a possible memleak in smime_main

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22919)

(cherry picked from commit ba4d833f6e24a83bc3e74ba55f52d8916b70fb59)

Fix a possible memleak in cms_main

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22918)

(cherry picked from commit 3457a550c64ab8009c7cd0175675ac140cab33c2)

Don't attempt to set provider params on an ENGINE based cipher

If an ENGINE has been loaded after the SSL_CTX has been created then
the cipher we have cached might be provider based, but the cipher we
actually end up using might not be. Don't try to set provider params on
a cipher that is actually ENGINE based.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/22865)

Add a test for late loading of an ENGINE in TLS

Confirm that using an ENGINE works as expected with TLS even if it is
loaded late (after construction of the SSL_CTX).

(cherry picked from commit a9c97da4910648790387d035afb12963158778fb)

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/22865)

Add a test case for OSSL_HTTP_parse_url

Ensure we test the case where the port value is empty in the URL.

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/22961)

(cherry picked from commit a36d10dfb7e77614c8d3da602ff3800a2e9f4989)

Fix some invalid use of sscanf

sscanf can return -1 on an empty input string. We need to appropriately
handle such an invalid case.

The instance in OSSL_HTTP_parse_url could cause an uninitialised read of
sizeof(unsigned int) bytes (typically 4). In many cases this uninit read
will immediately fail on the following check (i.e. if the read value
>65535).

If the top 2 bytes of a 4 byte unsigned int are zero then the value will
be <=65535 and the uninitialised value will be returned to the caller and
could represent arbitrary data on the application stack.

The OpenSSL security team has assessed this issue and consider it to be
a bug only (i.e. not a CVE).

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/22961)

(cherry picked from commit 322517d817ecb5c1a3a8b0e7e038fa146857b4d4)

Extend the test of BN_GF2m_mod_inv

Test that input value of 1 for p is treated as an error

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/22960)

(cherry picked from commit b83c719ecb884f609ade7ad7f52bd5e09737585b)

Avoid an infinite loop in BN_GF2m_mod_inv

If p is set to 1 when calling BN_GF2m_mod_inv then an infinite loop will
result. Calling this function set 1 when applications call this directly
is a non-sensical value - so this would be considered a bug in the caller.

It does not seem possible to cause OpenSSL internal callers of
BN_GF2m_mod_inv to call it with a value of 1.

So, for the above reasons, this is not considered a security issue.
Reported by Bing Shi.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/22960)

(cherry picked from commit 9c1b8f17ce2471ca37ee3936d07aed29aab10975)