openssl.git

Hugo Landau [Tue, 17 Jan 2023 17:45:42 +0000 (17:45 +0000)]
CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address (3.0)

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>

Tomas Mraz [Fri, 13 Jan 2023 17:46:15 +0000 (18:46 +0100)]
Add test for DSA pubkey without param import and check

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>

Tomas Mraz [Fri, 13 Jan 2023 16:59:52 +0000 (17:59 +0100)]
Do not create DSA keys without parameters by decoder

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>

Tomas Mraz [Fri, 13 Jan 2023 16:57:59 +0000 (17:57 +0100)]
Prevent creating DSA and DH keys without parameters through import

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>

slontis [Wed, 11 Jan 2023 01:05:04 +0000 (11:05 +1000)]
Fix NULL dereference when validating FFC public key.

Fixes CVE-2023-0217

When attempting to do a BN_Copy of params->p there was no NULL check.
Since BN_copy does not check for NULL this is a NULL reference.

As an aside BN_cmp() does do a NULL check, so there are other checks
that fail because a NULL is passed. A more general check for NULL params
has been added for both FFC public and private key validation instead.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>

Tomas Mraz [Mon, 16 Jan 2023 18:56:20 +0000 (19:56 +0100)]
Add test for d2i_PKCS7 NULL dereference

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>

Tomas Mraz [Mon, 16 Jan 2023 18:45:23 +0000 (19:45 +0100)]
Do not dereference PKCS7 object data if not set

Fixes CVE-2023-0216

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>

Matt Caswell [Wed, 14 Dec 2022 17:15:18 +0000 (17:15 +0000)]
Check CMS failure during BIO setup with -stream is handled correctly

Test for the issue fixed in the previous commit

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>

Matt Caswell [Wed, 14 Dec 2022 16:18:14 +0000 (16:18 +0000)]
Fix a UAF resulting from a bug in BIO_new_NDEF

If the aux->asn1_cb() call fails in BIO_new_NDEF then the "out" BIO will
be part of an invalid BIO chain. This causes a "use after free" when the
BIO is eventually freed.

Based on an original patch by Viktor Dukhovni and an idea from Theo
Buehler.

Thanks to Octavio Galland for reporting this issue.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>

Matt Caswell [Tue, 13 Dec 2022 15:02:26 +0000 (15:02 +0000)]
Add a test for CVE-2022-4450

Call PEM_read_bio_ex() and expect a failure. There should be no dangling
ptrs and therefore there should be no double free if we free the ptrs on
error.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>

Matt Caswell [Tue, 13 Dec 2022 14:54:55 +0000 (14:54 +0000)]
Avoid dangling ptrs in header and data params for PEM_read_bio_ex

In the event of a failure in PEM_read_bio_ex() we free the buffers we
allocated for the header and data buffers. However we were not clearing
the ptrs stored in *header and *data. Since, on success, the caller is
responsible for freeing these ptrs this can potentially lead to a double
free if the caller frees them even on failure.

Thanks to Dawei Wang for reporting this issue.

Based on a proposed patch by Kurt Roeckx.

CVE-2022-4450

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
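
The ownership rule this fix restores is worth seeing end to end. What follows is an added example, not OpenSSL's code: a hypothetical `pem_read_ex()` modelled on `PEM_read_bio_ex()` that parses a PEM block into name, header and decoded data, and on any failure returns 0 with all three out-pointers NULL, so a caller that frees them on every path cannot double free. `GOOD_PEM` and `BAD_PEM` are constructed inputs (a base64 "hello", not key material).

```c
#include <stdlib.h>
#include <string.h>

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Decode base64 text, skipping line breaks; returns decoded length or -1 on a bad byte. */
static long b64_decode(const char *s, size_t n, unsigned char *out)
{
    unsigned int acc = 0;
    int bits = 0;
    long w = 0;
    const char *q;
    size_t i;
    for (i = 0; i < n; i++) {
        if (s[i] == '\n' || s[i] == '\r')
            continue;
        if (s[i] == '=')
            break;
        if (s[i] == '\0' || (q = strchr(B64, s[i])) == NULL)
            return -1;
        acc = (acc << 6) | (unsigned int)(q - B64);
        if ((bits += 6) >= 8) {
            bits -= 8;
            out[w++] = (unsigned char)(acc >> bits);
            acc &= (1u << bits) - 1u;
        }
    }
    return w;
}

static char *dup_range(const char *s, size_t n)
{
    char *r = malloc(n + 1);
    if (r != NULL) {
        memcpy(r, s, n);
        r[n] = '\0';
    }
    return r;
}

/*
 * Model of the PEM_read_bio_ex() ownership contract (hypothetical, not
 * OpenSSL's code): returns 1 with the caller owning *name, *header and *data,
 * or 0 with all three NULL, so freeing them on every path cannot double free.
 */
int pem_read_ex(const char *in, char **name, char **header,
                unsigned char **data, size_t *len)
{
    char *nm = NULL, *hdr = NULL;
    unsigned char *buf = NULL;
    const char *p, *e, *body, *end, *blank;
    long n;

    *name = *header = NULL;
    *data = NULL, *len = 0;
    if ((p = strstr(in, "-----BEGIN ")) == NULL)
        return 0;
    p += strlen("-----BEGIN ");
    if ((e = strstr(p, "-----")) == NULL || (nm = dup_range(p, (size_t)(e - p))) == NULL)
        goto err;
    if ((body = strchr(e, '\n')) == NULL)
        goto err;
    end = strchr(++body, '\n');
    if (end != NULL && memchr(body, ':', (size_t)(end - body)) != NULL) {
        /* "Key: value" header lines run up to the first empty line */
        if ((blank = strstr(body, "\n\n")) == NULL
            || (hdr = dup_range(body, (size_t)(blank + 1 - body))) == NULL)
            goto err;
        body = blank + 2;
    } else if ((hdr = dup_range("", 0)) == NULL) { /* no headers: empty, caller-owned string */
        goto err;
    }
    if ((end = strstr(body, "-----END ")) == NULL)
        goto err;
    if ((buf = malloc((size_t)(end - body) * 3 / 4 + 1)) == NULL)
        goto err;
    if ((n = b64_decode(body, (size_t)(end - body), buf)) < 0) /* corrupt base64 */
        goto err;
    *name = nm;
    *header = hdr;
    *data = buf;
    *len = (size_t)n;
    return 1;
 err:
    /* Free the locals only: *header and *data were never assigned, so nothing dangles.
     * The pre-fix code freed the buffers but left the caller's pointers in place. */
    free(nm);
    free(hdr);
    free(buf);
    return 0;
}

/* Constructed sample inputs; "aGVsbG8=" is base64 for "hello", not key material. */
static const char GOOD_PEM[] =
    "-----BEGIN TEST-----\nProc-Type: 4,PLAIN\n\naGVsbG8=\n-----END TEST-----\n";
static const char BAD_PEM[] = /* '!' is not a base64 byte, so decoding fails midway */
    "-----BEGIN TEST-----\naGVs!G8=\n-----END TEST-----\n";
```

`BAD_PEM` fails midway through base64 decoding, after the name and header strings have already been allocated: exactly the error path on which the old code freed the buffers but left `*header` and `*data` pointing at them. The out-pointers are cleared on entry and assigned only on success, and the error label frees locals only, so no dangling pointer can escape whatever the failure point; a caller's unconditional `free(header); free(data);` then hits `free(NULL)`, which is a no-op.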

Dmitry Belyavskiy [Fri, 20 Jan 2023 15:03:40 +0000 (15:03 +0000)]
Fix Timing Oracle in RSA decryption

A timing based side channel exists in the OpenSSL RSA Decryption
implementation which could be sufficient to recover a plaintext across
a network in a Bleichenbacher style attack. To achieve a successful
decryption an attacker would have to be able to send a very large number
of trial messages for decryption. The vulnerability affects all RSA
padding modes: PKCS#1 v1.5, RSA-OAEP and RSASVE.

Patch written by Dmitry Belyavskiy and Hubert Kario

CVE-2022-4304

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>

Tomas Mraz [Tue, 13 Dec 2022 18:45:09 +0000 (19:45 +0100)]
Add testcase for nc_match_single type confusion

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>

Viktor Dukhovni [Tue, 13 Dec 2022 07:49:13 +0000 (08:49 +0100)]
Fix type confusion in nc_match_single()

This function assumes that if the "gen" is an OtherName, then the "base"
is a rfc822Name constraint. This assumption is not true in all cases.
If the end-entity certificate contains an OtherName SAN of any type besides
SmtpUtf8Mailbox and the CA certificate contains a name constraint of
OtherName (of any type), then "nc_email_eai" will be invoked, with the
OTHERNAME "base" being incorrectly interpreted as an ASN1_IA5STRING.

Reported by Corey Bonnell from Digicert.

CVE-2022-4203

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>

Dr. David von Oheimb [Tue, 31 Jan 2023 10:42:30 +0000 (11:42 +0100)]
doc/man1/{storeutl,gendsa}: point out that extra options/arguments are ignored

... and therefore all options must be given before the final file/URI arg.

This is essentially a backport of the doc portion of #20156 to 3.0 and 3.1,
where the missing error checking/reporting likely will not be added.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20179)

ndossche [Tue, 31 Jan 2023 12:20:17 +0000 (13:20 +0100)]
Fix incomplete check on EVP_CIPHER_param_to_asn1()

That function is a wrapper around evp_cipher_param_to_asn1_ex() which
can return 0 as an error value via its ret <= 0 check [1].
Furthermore, all other callers of this function check against <= 0
instead of < 0 and this is also in line with what the documentation
tells us. Fix the incomplete check by changing it to <= 0 as well.

CLA: trivial

[1] https://github.com/openssl/openssl/blob/114d99b46bfb212ffc510865df317ca2c1542623/crypto/evp/evp_lib.c#L164-L165

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20180)

(cherry picked from commit e3663717fc16bd140f54ee7f1600bdced7f9ea66)

Richard Levitte [Mon, 30 Jan 2023 12:54:01 +0000 (13:54 +0100)]
Use $config{build_file} instead of $target{build_file}

If the user specifies an alternative build file than the default, this
alternative is recorded in $config{build_file}, not $target{build_file}.
Therefore, the former should be used, leaving the latter as a mere default.

This is a bug.  While fixing it, document it better too.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20173)

(cherry picked from commit aa2d7e0ee15d1b7015479c38f370a25ceec690fc)

Ruili Fang [Sun, 29 Jan 2023 04:48:24 +0000 (23:48 -0500)]
Fix a potential memory leak in crypto/provider_child.c

Fix issue #20063.
CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20163)

(cherry picked from commit e788c772b12eea5ced4ce46619e13acf0e0eb6ba)

Andrea Pappacoda [Mon, 30 Jan 2023 09:28:49 +0000 (10:28 +0100)]
BIO_read.pod: fix small typo

Add missing `I` to `<b>`

CLA: trivial

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20169)

(cherry picked from commit 0414899887b98f973067f286ac126d8b529873e3)

Tomas Mraz [Fri, 27 Jan 2023 09:25:10 +0000 (10:25 +0100)]
Do not include sparse_array.o in libssl with no-shared

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20137)

(cherry picked from commit aea9b0e4b6c35c7f90b2e5a3475084500488775d)
(cherry picked from commit 984d28b9fe191ac9dfcd214b3a421d915b77ebf8)

Tomas Mraz [Wed, 25 Jan 2023 15:32:02 +0000 (16:32 +0100)]
Avoid duplicating symbols in legacy.a with some build options

If no-module or no-shared is used, the symbols from
libcrypto should not be duplicated in legacy.a

Also the BIGNUM functions are currently not needed
in legacy.a at all.

Fixes #20124

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20137)

(cherry picked from commit f6a6f7b6aa84dab44384780cb77050d15c5f575e)
(cherry picked from commit 58e8162e73d9061bd056f041bf07a1573d202d7a)

ndossche [Fri, 27 Jan 2023 14:43:42 +0000 (15:43 +0100)]
Fix incomplete check on X509V3_add1_i2d()

X509V3_add1_i2d() can return both -1 and 0 as an error code. This check
only checked for 0. Change it into <= 0 to also catch the -1 error code.

CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20157)

(cherry picked from commit ecd445464a73bb3f125327a604dd13ad16303ebc)

slontis [Fri, 27 Jan 2023 03:18:17 +0000 (13:18 +1000)]
ChaCha20-Poly1305 no longer supports truncated IVs.

Fixes #20084

In the 3.0 provider implementation the generic code that handles IVs
only allows a 12 byte IV. Older code intentionally added the ability for
the IV to be truncated.
As this truncation is unsafe, the documentation has been updated to
state that this is no longer allowed. The code has been updated to
produce an error when the iv length is set to any value other than 12.

NOTE: It appears that this additional padding may have originated from the code
which uses a 12 byte IV, that is then passed to CHACHA which zero pads it to 16 bytes.

Note that legacy behaviour in e_chacha20_poly1305.c has not been
updated.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20151)

(cherry picked from commit a01152370676e7e11fb461cff8628eb50fa41b81)

Pauli [Wed, 25 Jan 2023 01:06:23 +0000 (12:06 +1100)]
coverity 1520506: error handling

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20132)

(cherry picked from commit a4347a9a57dcb985283bba03dd3b16294b55945b)

Pauli [Wed, 25 Jan 2023 01:06:09 +0000 (12:06 +1100)]
coverity 1520505: error handling

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20132)

(cherry picked from commit 00407fbf0b25d65f5e6d99defdb081432e810449)

Tomas Mraz [Wed, 25 Jan 2023 09:15:05 +0000 (10:15 +0100)]
Add notes about ignoring initialization failures on contexts

Fixes #20130

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/20136)

(cherry picked from commit d4c5d8ff483d99f94d649fb67f1f26fce9694c92)

slontis [Wed, 25 Jan 2023 01:06:34 +0000 (11:06 +1000)]
Document that the RSA e value is mandatory when importing.

The lab tried doing an RSA decryption primitive using just n (using p, q) and d.

This failed for 2 reasons:
(1) e is required when importing
(2) Internally e is used for blinding.

Note n and e can be calculated using:
n = pq
e = (1/d) mod (p-1)(q-1)

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20133)

(cherry picked from commit 6e3b1c81736b1829584e3f40c2d00040fe1aa881)
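
The relation in the message above, carried through on toy parameters as an added example (hypothetical 64-bit helpers, not OpenSSL's API; the two primes are constructed test values, far too small for real keys):

```c
#include <stdint.h>
#include <stdio.h>

/* (a * b) mod m by double-and-add; needs m < 2^63 so that a + a cannot overflow. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
    uint64_t r = 0;

    a %= m;
    for (b %= m; b != 0; b >>= 1) {
        if (b & 1) {
            r += a;
            if (r >= m)
                r -= m;
        }
        a += a;
        if (a >= m)
            a -= m;
    }
    return r;
}

/* b^e mod m by square-and-multiply (demo arithmetic only, not constant time). */
static uint64_t powmod(uint64_t b, uint64_t e, uint64_t m)
{
    uint64_t r = 1 % m;

    for (b %= m; e != 0; e >>= 1) {
        if (e & 1)
            r = mulmod(r, b, m);
        b = mulmod(b, b, m);
    }
    return r;
}

/* a^-1 mod m by the extended Euclidean algorithm; 0 when gcd(a, m) != 1. */
static uint64_t invmod(uint64_t a, uint64_t m)
{
    int64_t t = 0, newt = 1;
    uint64_t r = m, newr = a % m;

    while (newr != 0) {
        uint64_t q = r / newr, tmpr = r - q * newr;
        int64_t tmpt = t - (int64_t)q * newt;

        r = newr, newr = tmpr;
        t = newt, newt = tmpt;
    }
    if (r != 1)
        return 0;
    return (uint64_t)(t < 0 ? t + (int64_t)m : t);
}

/*
 * Rebuild the public half of an RSA key from (p, q, d) exactly as the message
 * states: n = p*q and e = d^-1 mod (p-1)(q-1). Returns 1, or 0 if d has no
 * inverse (then (p, q, d) was never a consistent private key). Hypothetical
 * helper on 64-bit toy parameters, not an OpenSSL API.
 */
int rsa_recover_public(uint64_t p, uint64_t q, uint64_t d, uint64_t *n, uint64_t *e)
{
    uint64_t phi = (p - 1) * (q - 1);

    *n = p * q;
    *e = invmod(d, phi);
    return *e != 0;
}

/* Check the recovered pair actually works: (m^e)^d mod n must give m back. */
int rsa_roundtrip_ok(uint64_t p, uint64_t q, uint64_t d, uint64_t m)
{
    uint64_t n, e;

    if (!rsa_recover_public(p, q, d, &n, &e))
        return 0;
    return powmod(powmod(m, e, n), d, n) == m;
}

/* Constructed toy parameters: two well-known 30-bit primes, far too small for real keys. */
#define TOY_P UINT64_C(1000000007)
#define TOY_Q UINT64_C(998244353)

int main(void)
{
    uint64_t phi = (TOY_P - 1) * (TOY_Q - 1);
    uint64_t d = invmod(65537, phi); /* key made with e = 65537; now pretend e was lost */
    uint64_t n, e;

    if (rsa_recover_public(TOY_P, TOY_Q, d, &n, &e))
        printf("n = %llu, recovered e = %llu, roundtrip %s\n",
               (unsigned long long)n, (unsigned long long)e,
               rsa_roundtrip_ok(TOY_P, TOY_Q, d, 123456789) ? "ok" : "FAILED");
    return 0;
}
```

One caveat on the formula: the recovered e is the inverse of d modulo (p-1)(q-1). If the key was generated with d = e^-1 mod lcm(p-1, q-1), as FIPS 186-4 specifies, d still has an inverse modulo (p-1)(q-1) (every prime factor of (p-1)(q-1) also divides the lcm, so gcd(d, (p-1)(q-1)) = 1), but that inverse can differ from the original e. It is still a valid public exponent, because e*d = 1 mod (p-1)(q-1) implies e*d = 1 mod lcm(p-1, q-1). The example derives d from e = 65537 modulo (p-1)(q-1), so the original e comes back exactly.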

Pauli [Tue, 24 Jan 2023 01:23:37 +0000 (12:23 +1100)]
Fix Coverity 1520485: logically dead code

The check is unnecessary as the condition is already checked
before the switch statement.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20121)

(cherry picked from commit 01a17b24f6649fc192ba6bb9ea34e28ce9678e6c)

Viktor Dukhovni [Tue, 24 Jan 2023 13:40:57 +0000 (14:40 +0100)]
Clarify the change of enc -S behavior in 3.0

Fixes #19730

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19732)

(cherry picked from commit a4aa977d3a8049d5386dc583e16c17727c712eaa)

Niels Dossche [Mon, 23 Jan 2023 16:16:34 +0000 (17:16 +0100)]
Fix incomplete checks for EVP_CIPHER_asn1_to_param

EVP_CIPHER_asn1_to_param() returns a value <= 0 in case of an error, and
a value greater than 0 in case of success. Two callsites only check for
< 0 instead of <= 0. The other callsites perform this check correctly.
Change the two callsites to <= 0. Additionally correctly handle a zero
return value from EVP_CIPHER_get_asn1_iv as success.

Fixes: #20116
CLA: trivial

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/201213)

(cherry picked from commit 114d99b46bfb212ffc510865df317ca2c1542623)

Dr. David von Oheimb [Thu, 22 Dec 2022 10:47:41 +0000 (11:47 +0100)]
OSSL_trace_set_channel(): add important statement that it takes BIO ownership

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19959)

(cherry picked from commit bfd5680e6be789fd554acf2ad34428816a644eec)

Dr. David von Oheimb [Thu, 22 Dec 2022 10:42:14 +0000 (11:42 +0100)]
set_trace_data(): prevent double free on OPENSSL_strdup() failure

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19959)

(cherry picked from commit 0fec2121c0c40d8b098896c9bdf629a48fbafa63)

Hugo Landau [Wed, 18 Jan 2023 15:43:56 +0000 (15:43 +0000)]
Fix corruption when searching for CRLs in hashed directories

The by_dir certificate/CRL lookup code uses an OPENSSL_STACK to track
how many sequentially numbered CRL files have been loaded for a given
X509_NAME hash which is being requested. This avoids loading already
loaded CRL files and repeated stat() calls.

This OPENSSL_STACK is searched using sk_find, however this mutates
the OPENSSL_STACK unless it is known to be sorted. This operation
therefore requires a write lock, which was not taken.

Fix this issue by sorting the OPENSSL_STACK whenever it is mutated. This
guarantees no mutation will occur during sk_find. This is chosen over
taking a write lock during sk_find as retrieving a CRL by X509_NAME is
assumed to be a hotter path than the case where a new CRL is installed.

Also optimise the code by avoiding creating the structure to track the
last CRL file sequence number in the circumstance where it would match
the initial value, namely where no CRL with the given hash is installed.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20076)

(cherry picked from commit 3147785eb23bb27080a0b7accbbff46ac471e86c)
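
The design the message describes, as an added example in C (hypothetical `by_dir_*` functions, not OpenSSL's `by_dir.c`; `SAMPLE_DIR` is a constructed directory listing in the `<hash>.r<N>` layout that `openssl rehash` produces): lookups are a plain `bsearch()` over an array that every writer keeps sorted, so a read never mutates shared state, and no entry is created for a hash that has no CRL on disk.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of by_dir's per-hash bookkeeping (added example, not OpenSSL's
 * code): one entry per X509_NAME hash records the highest "<hash>.r<N>" CRL file
 * already loaded from the directory. */
typedef struct {
    unsigned long hash;
    int last_suffix;
} by_dir_entry;

typedef struct {
    by_dir_entry *v;
    size_t n, cap;
} by_dir_hashes;

static int cmp_entry(const void *a, const void *b)
{
    const by_dir_entry *x = a, *y = b;

    return x->hash < y->hash ? -1 : x->hash > y->hash;
}

/* Pure read, safe under a shared lock: every writer keeps the array sorted,
 * so lookup is a bsearch() that never reorders anything. */
const by_dir_entry *by_dir_find(const by_dir_hashes *h, unsigned long hash)
{
    by_dir_entry key = { hash, 0 };
    if (h->n == 0)
        return NULL;
    return bsearch(&key, h->v, h->n, sizeof(*h->v), cmp_entry);
}

/* Writer (needs the exclusive lock): update the entry or insert it at its
 * sorted position, so readers never sort. Returns 1, or 0 on allocation failure. */
int by_dir_record(by_dir_hashes *h, unsigned long hash, int last_suffix)
{
    by_dir_entry *ent = (by_dir_entry *)by_dir_find(h, hash);
    size_t i;

    if (ent != NULL) {
        ent->last_suffix = last_suffix;
        return 1;
    }
    if (h->n == h->cap) {
        size_t cap = h->cap != 0 ? 2 * h->cap : 8;
        by_dir_entry *nv = realloc(h->v, cap * sizeof(*nv));

        if (nv == NULL)
            return 0;
        h->v = nv;
        h->cap = cap;
    }
    for (i = h->n; i > 0 && h->v[i - 1].hash > hash; i--)
        h->v[i] = h->v[i - 1];
    h->v[i].hash = hash;
    h->v[i].last_suffix = last_suffix;
    h->n++;
    return 1;
}

/* Stand-in for stat(): is "<hash as 8 hex digits>.r<k>" in the directory listing? */
static int file_exists(const char *const *dir, size_t ndir, unsigned long hash, int k)
{
    char want[32];
    size_t i;
    snprintf(want, sizeof(want), "%08lx.r%d", hash, k);
    for (i = 0; i < ndir; i++)
        if (strcmp(dir[i], want) == 0)
            return 1;
    return 0;
}

/* Load the CRL files for one hash that have not been seen yet, as by_dir does after
 * the fix: resume after the last loaded suffix, and only create an entry once a file
 * was actually found (no bookkeeping for hashes with no CRL). Returns the number of
 * newly "loaded" files, or -1 on allocation failure. */
int by_dir_load_crls(by_dir_hashes *h, const char *const *dir, size_t ndir,
                     unsigned long hash)
{
    const by_dir_entry *ent = by_dir_find(h, hash);
    int k = ent != NULL ? ent->last_suffix + 1 : 0, loaded = 0;

    while (file_exists(dir, ndir, hash, k)) {
        k++; /* a real implementation would parse and cache the CRL here */
        loaded++;
    }
    if (loaded > 0 && !by_dir_record(h, hash, k - 1))
        return -1;
    return loaded;
}

/* Constructed directory listing in the layout `openssl rehash` produces. */
static const char *const SAMPLE_DIR[] = {
    "1a2b3c4d.r0", "1a2b3c4d.r1", "deadbeef.r0", "0badf00d.0" /* a cert, not a CRL */
};
#define SAMPLE_DIR_LEN (sizeof(SAMPLE_DIR) / sizeof(SAMPLE_DIR[0]))
```

The contrast with the pre-fix code is the lookup itself: a container whose find operation sorts on demand turns every read into a write and is only safe under the write lock, which is the race the message describes. Here `by_dir_find()` has nothing to lock against, so the hot path of fetching a CRL by `X509_NAME` can run under a shared lock while the rare new-CRL path takes the exclusive one; the locking calls are left out to keep the data-structure point visible.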

Matt Caswell [Fri, 20 Jan 2023 14:08:42 +0000 (14:08 +0000)]
Add DTLS support to the large app data test

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20086)

(cherry picked from commit d36a9d66dc72fb2262f6e7491f658fb1da8242d7)

Matt Caswell [Thu, 19 Jan 2023 11:59:44 +0000 (11:59 +0000)]
Ensure our buffer allocation allows for the Explicit IV

Some ciphers/protocol versions have an explicit IV. We need to make sure we
have sufficient room for it in the underlying buffer.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20086)

(cherry picked from commit 3be93f1b264d35ad93ceb71affacdef1b930c3c6)

Matt Caswell [Thu, 19 Jan 2023 10:52:45 +0000 (10:52 +0000)]
Add a test for large app data

Test that sending large app data records works correctly.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20086)

(cherry picked from commit 5e73bf03d78da6a635a0a48e1e584f5b9ead45e2)

Tomas Mraz [Fri, 20 Jan 2023 10:40:45 +0000 (11:40 +0100)]
MD5.pod: Recommend SHA-2 or SHA-3 family hashes instead of legacy ones

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20095)

(cherry picked from commit 61222b95ff20f6a7bb20668e43b657561efdb922)

Dr. David von Oheimb [Mon, 16 Jan 2023 07:38:01 +0000 (08:38 +0100)]
X509_V_ERR_INVALID_PURPOSE: fix misleading text; Fix omission in X509_VERIFY_PARAM_clear_flags doc

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20052)

(cherry picked from commit ec6cbda0f2e435ae0efaec308dc5569c75bb759b)

Dr. David von Oheimb [Tue, 11 Oct 2022 14:21:20 +0000 (16:21 +0200)]
cmp_client.c: fix handling of total_timeout for RR and GENM transactions

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19391)

(cherry picked from commit d7d1d0928af2f14e7e187fa8c78115d0d1aa28eb)

Dr. David von Oheimb [Fri, 25 Nov 2022 09:43:12 +0000 (10:43 +0100)]
cmp_client_test.c: add tests for end_time being initialized for RR/GENM

To this end, tweak the internal handling of ctx->total_timeout.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19391)

(cherry picked from commit b908ec0f217da0a23f9d81442f81d44c94c98f23)

Dr. David von Oheimb [Fri, 25 Nov 2022 11:08:42 +0000 (12:08 +0100)]
CMP docs: clarify behavior on message/total timeout values given

Clarify behavior of OSSL_CMP_CTX_set_option() when given (negative)
values for OSSL_CMP_OPT_MSG_TIMEOUT or OSSL_CMP_OPT_TOTAL_TIMEOUT.
Fix doc of -msg_timeout and -total_timeout in openssl-cmp.pod.in

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19391)

(cherry picked from commit 5acd4007a0646ef1f9d0015ce438b891d1b24a62)

Thib [Fri, 20 Jan 2023 13:07:15 +0000 (14:07 +0100)]
Fixes wrong return type in BIO_do_connect man page.

Current man page indicates the function returns an int while it returns
a long.

Fixes #20096.

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20097)

(cherry picked from commit 2bde260ac0e30da39f4453e972c461cd9d1342e0)

Niels Dossche [Sat, 21 Jan 2023 12:34:34 +0000 (13:34 +0100)]
Fix incorrect check on RAND_bytes_ex() in generate_q_fips186_4()

RAND_bytes_ex() can also return 0 on failure. Other callers do check
this correctly. Change the check from <0 to <=0.

Fixes: #20100
CLA: trivial

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20106)

(cherry picked from commit a2b01ae1c84ccc250d5d5cb5f2f8714573e3f11b)

ValdikSS [Wed, 18 Jan 2023 17:14:48 +0000 (20:14 +0300)]
Padlock: fix byte swapping assembly for AES-192 and 256

Byte swapping code incorrectly uses the number of AES rounds to swap expanded
AES key, while swapping only a single dword in a loop, resulting in swapped
key and partially swapped expanded keys, breaking AES encryption and
decryption on VIA Padlock hardware.

This commit correctly sets the number of swapping loops to be done.

Fixes #20073

CLA: trivial

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20077)

(cherry picked from commit 7331e7ef79fe4499d81cc92249e9c97e9ff9291a)

Pauli [Wed, 18 Jan 2023 07:03:33 +0000 (18:03 +1100)]
Add link to EBNF definition

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20023)

(cherry picked from commit 69d6ecb7c320bafe0d30a88949eb22e19704221a)

Pauli [Sun, 15 Jan 2023 23:04:11 +0000 (10:04 +1100)]
Add negative test for unquoted property string

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20023)

(cherry picked from commit 543ac2f0191f10d8a3774727fa691543de8b15bb)

Pauli [Wed, 11 Jan 2023 00:39:02 +0000 (11:39 +1100)]
Correct property EBNF for unquoted strings

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20023)

(cherry picked from commit 9866200bbe8eb65628f3f3e6eb290c48efb5a8ac)

Niels Dossche [Tue, 17 Jan 2023 19:27:49 +0000 (20:27 +0100)]
Fix incorrect error return value in i2r_ADMISSION_SYNTAX()

The other implementations of i2r return 0 in case of an error, but
i2r_ADMISSION_SYNTAX() returns -1. That means the check on i2r does not
catch the error. Change it to return 0 like the others do.

Fixes: #20066
CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20068)

(cherry picked from commit 53b5d6c30f3b8eaf7a582da2265c0d1cfe14d54f)

Juergen Christ [Mon, 16 Jan 2023 10:37:15 +0000 (11:37 +0100)]
Fix potential NULL pointer dereference

In EC key generation, if allocation of struct ec_gen_ctx fails, values
provided by parameters are copied into the context represented by a NULL
pointer.  To fix this, prevent copy if allocation fails.

Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20055)

(cherry picked from commit 235ef96049dbe337a3c3c5d419dacbb5a81df1b3)

north-16 [Fri, 13 Jan 2023 01:33:46 +0000 (17:33 -0800)]
Clarify documentation of X509_STORE_CTX_get_current_cert()

CLA: trivial

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20038)

(cherry picked from commit ed77c14d91ec008d4d78d7293f37bd4aa60071f0)

Tomas Mraz [Fri, 13 Jan 2023 13:48:52 +0000 (14:48 +0100)]
pkey: Imply public check if -pubin is specified

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20044)

(cherry picked from commit 3b1c0c8f3cd66e80f81a9b7c9810bdada39363f2)

dependabot[bot] [Mon, 16 Jan 2023 15:24:25 +0000 (15:24 +0000)]
Bump actions/setup-python from 4.4.0 to 4.5.0

Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.4.0 to 4.5.0.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](https://github.com/actions/setup-python/compare/v4.4.0...v4.5.0)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

CLA: trivial
Signed-off-by: dependabot[bot] <support@github.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20046)

(cherry picked from commit c4edfa220e6d3705a0c6299463c83e61fd5f9d2c)

Dmitry Belyavskiy [Tue, 10 Jan 2023 17:54:51 +0000 (18:54 +0100)]
Documenting lack of error codes stability

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20019)

(cherry picked from commit ae61bd34e676036f22e44e8184d1ba649a990619)

Bernd Edlinger [Tue, 8 Nov 2022 16:43:22 +0000 (17:43 +0100)]
Limit size of modulus for bn_mul_mont and BN_mod_exp_mont_consttime

Otherwise the alloca can cause an exception.

Issue reported by Jiayi Lin.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20005)

(cherry picked from commit 30667f5c306dbc11ac0e6fddc7d26fd984d546ab)

Bernd Edlinger [Sat, 7 Jan 2023 06:58:21 +0000 (07:58 +0100)]
Revert "Limit size of modulus for BN_mod_exp_mont_consttime()"

This reverts commit 4378e3cd2a4d73a97a2349efaa143059d8ed05e8.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20005)

(cherry picked from commit 92d306b32b63dd502531a89fb96c4172be0ddb49)

slontis [Tue, 20 Dec 2022 03:44:18 +0000 (13:44 +1000)]
SSKDF with KMAC should return SIZE_MAX when EVP_KDF_CTX_get_kdf_size() is used.

Fixes #19934

The existing code was looking for the digest size, and then returned
zero.

The example code in EVP_KDF-SS.pod has been corrected to not use a
digest.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19935)

(cherry picked from commit e8add4d379075a6daef2591edd830297d469b9f4)

Nobuhiro IMAI [Tue, 10 Jan 2023 09:44:44 +0000 (18:44 +0900)]
fix manpage of `d2i_X509(3)`

* capitalize `X509_NAME`
* add missing suffixes to `i2d_TYPE`

CLA: trivial

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20016)

(cherry picked from commit 5adca946c3b6f779eb593bff6dbefe0a85238d84)

Tomas Mraz [Tue, 10 Jan 2023 17:00:59 +0000 (18:00 +0100)]
Do not check definition of a macro and use it in a single condition

The condition evaluation in #if conditions does not tolerate this
if the macro is not defined.

Fixes #19628

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20018)

(cherry picked from commit a509b97d2c4efd96e231913d49544ac7cb36b51b)

Richard Levitte [Tue, 10 Jan 2023 07:27:44 +0000 (08:27 +0100)]
OSSL_PARAM_BLD and BIGNUM; ensure at least one byte is allocated

A zero BIGNUM contains zero bytes, while OSSL_PARAMs with an INTEGER (or
UNSIGNED INTEGER) data type are expected to have at least one data byte
allocated, containing a zero.  This wasn't handled correctly.

Fixes #20011

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20013)

(cherry picked from commit c455f87aebf245814ba58d6a398b45ca4e80d1d7)
(cherry picked from commit e33c37aead7e7dd5647d949db7be875c8fa8c137)

Richard Levitte [Tue, 10 Jan 2023 11:22:39 +0000 (12:22 +0100)]
In OSSL_PARAM_set_BN(), make sure that the data_size field is at least 1

This way, we guarantee that a zero is represented with one byte of data
that's set to zero.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20013)

(cherry picked from commit c2ae89148343750e420b72ef1b709ebbc16e47b8)
(cherry picked from commit fcc224a3c5c868ee4c0f5ab71d2f47e7f620bc98)

15 months ago: test/param_build_test.c: test zero BIGNUM
Richard Levitte [Tue, 10 Jan 2023 06:50:24 +0000 (07:50 +0100)]
test/param_build_test.c: test zero BIGNUM

We also add tests where the zero bignum is the only parameter, to test what
that does with the allocated blocks that the OSSL_PARAM_BLD functionality
handles.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20013)

(cherry picked from commit b49cf273883c8d3f47542941fe5cc6cb51aec9c9)
(cherry picked from commit 2b7b7eebf9b7d01f8abab88b9ae0685f33c74b54)

15 months ago: Add testcase for OSSL_trace_set_callback()
Tomas Mraz [Thu, 15 Dec 2022 14:54:54 +0000 (15:54 +0100)]
Add testcase for OSSL_trace_set_callback()

Also test the OSSL_TRACE_CATEGORY_TRACE tracing - this fails
on address sanitizer runs without the fix for #19915

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(cherry picked from commit e64a169fc678b5e57db28d06c25020d69bc61e4c)

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19958)

15 months ago: Avoid ifdefs in trace categories
Tomas Mraz [Thu, 15 Dec 2022 10:45:48 +0000 (11:45 +0100)]
Avoid ifdefs in trace categories

The trace code assumes all categories are present and
the category numbers are equal to the index in the table.

Fixes #19915

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(cherry picked from commit 78bd646b2f6a18cf8515e05a5f3efadff03b3920)

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19958)

15 months ago: test/trace_api_test.c: fix gcc error on -Werror=strict-prototypes
Dr. David von Oheimb [Sat, 24 Sep 2022 21:57:19 +0000 (23:57 +0200)]
test/trace_api_test.c: fix gcc error on -Werror=strict-prototypes

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(cherry picked from commit 1fcd84c7017416a3c9461914d7a943591ad87a82)

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19958)

15 months ago: Add tests for trace_api.
Daniel Fiala [Fri, 5 Aug 2022 02:44:51 +0000 (04:44 +0200)]
Add tests for trace_api.

Fixes openssl#17422

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(cherry picked from commit fcff5bd43c85418cc4aa8052e3dc3dba344d763e)

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19958)

15 months ago: Doc: Update history section of EC_GROUP API's.
slontis [Thu, 22 Dec 2022 08:52:17 +0000 (18:52 +1000)]
Doc: Update history section of EC_GROUP API's.

Fixes #8630

The remaining functions are at least as old as 0.9.8 so it is
not worth documenting this.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19956)

(cherry picked from commit 8d927e55b751ba1af6c08cd4e37d565a43c56157)

15 months ago: Documentation for EVP_PKEY_CTX_get0_pkey() and EVP_PKEY_CTX_get0_peerkey().
Nikhil Bisht [Thu, 22 Dec 2022 20:56:28 +0000 (02:26 +0530)]
Documentation for EVP_PKEY_CTX_get0_pkey() and EVP_PKEY_CTX_get0_peerkey().

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19962)

(cherry picked from commit 3be76745e55eab9ea976f7a23e6c8ecd3bb8136c)

15 months ago: info.c: Fix typos in seed macro name and description string
Greg McLearn [Fri, 6 Jan 2023 08:40:04 +0000 (03:40 -0500)]
info.c: Fix typos in seed macro name and description string

Fixes: #19996
CLA: trivial

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20001)

(cherry picked from commit 9c3de015121fb4ebbecccfbbda9eed8d4a3cb2d5)

15 months ago: rsaz_exp_x2.c: Remove leftover from broken cherry-pick
Tomas Mraz [Mon, 9 Jan 2023 07:57:33 +0000 (08:57 +0100)]
rsaz_exp_x2.c: Remove leftover from broken cherry-pick

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20010)

15 months ago: Revert "rsaz_exp_x2.c: Remove unused ALIGN64 macro"
Tomas Mraz [Mon, 9 Jan 2023 07:55:37 +0000 (08:55 +0100)]
Revert "rsaz_exp_x2.c: Remove unused ALIGN64 macro"

This reverts commit 2a57a117a2e5b433a93ae6c15686d9751b9dc527.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20010)

15 months ago: rsaz_exp_x2.c: Remove unused ALIGN64 macro
Tomas Mraz [Thu, 3 Nov 2022 13:01:56 +0000 (14:01 +0100)]
rsaz_exp_x2.c: Remove unused ALIGN64 macro

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19597)

(cherry picked from commit 4b65d79d7132d6e46bfb385a76082f6502ef617b)

15 months ago: rsaz_exp_x2.c: Avoid potential undefined behavior with strict aliasing
Tomas Mraz [Thu, 3 Nov 2022 12:48:55 +0000 (13:48 +0100)]
rsaz_exp_x2.c: Avoid potential undefined behavior with strict aliasing

Fixes #19584

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19597)

(cherry picked from commit 9506a2e274c643b94a2c265019ea9288f99a521a)

15 months ago: Revert "Fix an occasional CI failure due to unaligned access"
Tomas Mraz [Thu, 3 Nov 2022 12:26:22 +0000 (13:26 +0100)]
Revert "Fix an occasional CI failure due to unaligned access"

This reverts commit 8511520842b744d1794ea794c032ce5f78cd874b.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19597)

(cherry picked from commit f83490fb9ce4dd1c09d4f94526fbcad14bd2fd85)

15 months ago: BIO_s_dgram: add documentation and hazard warnings
Hugo Landau [Thu, 15 Dec 2022 07:23:53 +0000 (07:23 +0000)]
BIO_s_dgram: add documentation and hazard warnings

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19913)

(cherry picked from commit 69e18a4d93ee5f50bcbf62268b4a59df29d67a02)

15 months ago: Avoid possible divide by zero
Tomas Mraz [Tue, 27 Dec 2022 10:22:05 +0000 (11:22 +0100)]
Avoid possible divide by zero

Backport of commit 624efd2

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19967)

(cherry picked from commit 8c29e5ebfd5f19442422ba43fea4c95816417e34)

15 months ago: 80-test_cms.t: Fix rsapssSaltlen check on MinGW
Tomas Mraz [Thu, 22 Dec 2022 10:25:16 +0000 (11:25 +0100)]
80-test_cms.t: Fix rsapssSaltlen check on MinGW

Fixes #19907

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19957)

(cherry picked from commit 55e2dd8c3162d7313d9408cb20fca8a4fe6e6f5a)

15 months ago: Cleanse internal BN_generate_dsa_nonce() buffers used to generate k.
slontis [Thu, 22 Dec 2022 02:01:02 +0000 (12:01 +1000)]
Cleanse internal BN_generate_dsa_nonce() buffers used to generate k.

Fixes #9205

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19954)

(cherry picked from commit 177d433bda2ffd287d676bc53b549b6c246973e6)

15 months ago: Bump actions/setup-python from 4.3.1 to 4.4.0
dependabot[bot] [Thu, 22 Dec 2022 17:10:52 +0000 (17:10 +0000)]
Bump actions/setup-python from 4.3.1 to 4.4.0

Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.3.1 to 4.4.0.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](https://github.com/actions/setup-python/compare/v4.3.1...v4.4.0)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
CLA: trivial

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19961)

(cherry picked from commit 43a9e682d80d0abe4ffd0c76d18c43cf059a2bcc)

16 months ago: INSTALL.md: Remove trailing space
Tomas Mraz [Thu, 22 Dec 2022 14:24:24 +0000 (15:24 +0100)]
INSTALL.md: Remove trailing space

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/19960)

(cherry picked from commit 98663afce7a909be1518921a9995540308a52462)

16 months ago: Docs: Move deprecated ECDSA_ functions into a separate file.
slontis [Tue, 20 Dec 2022 05:54:34 +0000 (15:54 +1000)]
Docs: Move deprecated ECDSA_ functions into a separate file.

Fixes #19829

Examples added for setting/getting ECDSA SIG related r and s values

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19936)

(cherry picked from commit c99209264de98da94937b073a42219bada9ff7f5)

16 months ago: Change HKDF to alloc the info buffer.
slontis [Fri, 16 Dec 2022 02:26:44 +0000 (12:26 +1000)]
Change HKDF to alloc the info buffer.

Fixes #19909

I have enforced a maximum bound still but it is much higher.
Note also that TLS13 still uses the 2048 buffer size.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19923)

(cherry picked from commit e8115bd1654d5cd7718109679b2047ca573083a8)

16 months ago: ec_kmgmt.c: check the return of BN_CTX_get() in time.
xkernel [Wed, 14 Dec 2022 16:22:40 +0000 (00:22 +0800)]
ec_kmgmt.c: check the return of BN_CTX_get() in time.

If x and y are both NULL, then it is unnecessary to do subsequent operations.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19905)

(cherry picked from commit 467b0492c1e597857b30b91ed72605387aa9825b)

16 months ago: INSTALL.md: Fix typo
Matheus Cunha [Sun, 11 Dec 2022 05:02:48 +0000 (02:02 -0300)]
INSTALL.md: Fix typo

CLA: trivial

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19882)

(cherry picked from commit 0e4e03c8528ab54a5b125582afdf2cdadfb6c9bb)

16 months ago: Add Demos for DSA params/DSA keygen.
slontis [Wed, 7 Dec 2022 20:03:26 +0000 (06:03 +1000)]
Add Demos for DSA params/DSA keygen.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19853)

(cherry picked from commit de1164102083730298e4f53eb465c9324aa6a0c0)

16 months ago: Fix possible UB in init_info_strings
Bernd Edlinger [Sun, 13 Nov 2022 20:34:16 +0000 (21:34 +0100)]
Fix possible UB in init_info_strings

"openssl version -c" may create undefined behavior in the shift:

crypto/info.c:42:50: runtime error: left shift of 4275712515
by 32 places cannot be represented in type 'long long int'

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19668)

(cherry picked from commit ee17dcc7ffbd6621f82838c75792f19aa97bd5d7)

16 months ago: Add a CMS test for a bad encryption algorithm
Matt Caswell [Tue, 6 Dec 2022 15:12:59 +0000 (15:12 +0000)]
Add a CMS test for a bad encryption algorithm

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19919)

(cherry picked from commit 0c5fe6e4e740e7150ecb9f0a1954ef085f1fcf10)

16 months ago: Ensure ossl_cms_EncryptedContent_init_bio() reports an error on no OID
Matt Caswell [Tue, 6 Dec 2022 14:51:54 +0000 (14:51 +0000)]
Ensure ossl_cms_EncryptedContent_init_bio() reports an error on no OID

If the cipher being used in ossl_cms_EncryptedContent_init_bio() has no
associated OID then we should report an error rather than continuing on
regardless. Continuing on still ends up failing - but later on and with a
more cryptic error message.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19919)

(cherry picked from commit cc122995d1fa12fb8f93562e0aca4a62cd83fc5b)

16 months ago: Fix BIO_f_asn1() to properly report some errors
Matt Caswell [Tue, 6 Dec 2022 14:35:53 +0000 (14:35 +0000)]
Fix BIO_f_asn1() to properly report some errors

Some things that may go wrong in asn1_bio_write() are serious errors
that should be reported as -1, rather than 0 (which just means "we wrote
no data").

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19919)

(cherry picked from commit 903e96599b53639d6a72f9b05514f93136eaf03b)

16 months ago: Fix SMIME_crlf_copy() to properly report an error
Matt Caswell [Tue, 6 Dec 2022 14:21:23 +0000 (14:21 +0000)]
Fix SMIME_crlf_copy() to properly report an error

If the BIO unexpectedly fails to flush then SMIME_crlf_copy() was not
correctly reporting the error. We modify it to properly propagate the
error condition.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19919)

(cherry picked from commit 6259cf34eab1abdcfde12b7b3892b4780844091b)

16 months ago: Fix BIO_f_cipher() flushing
Matt Caswell [Tue, 6 Dec 2022 14:18:53 +0000 (14:18 +0000)]
Fix BIO_f_cipher() flushing

If an error occurs during a flush on a BIO_f_cipher() then in some cases
we could get into an infinite loop. We add a check to make sure we are
making progress during flush and exit if not.

This issue was reported by Octavio Galland who also demonstrated an
infinite loop in CMS encryption as a result of this bug.

The security team has assessed this issue as not a CVE. This occurs on
*encryption* only which is typically processing trusted data. We are not
aware of a way to trigger this with untrusted data.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19919)

(cherry picked from commit 54b5aeb94c34cc78166dec7cf756c12ee858eb29)

16 months ago: Update pyca-cryptography submodule to 38.0.4
Nicola Tuveri [Sun, 27 Nov 2022 21:43:16 +0000 (23:43 +0200)]
Update pyca-cryptography submodule to 38.0.4

(cherry picked from commit d656efb9eb7692c0b1cba843d7787751e388cc8a)

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19901)

16 months ago: Honor OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT as set and default to UNCOMPRESSED
Nicola Tuveri [Sat, 18 Sep 2021 15:17:39 +0000 (18:17 +0300)]
Honor OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT as set and default to UNCOMPRESSED

Originally the code to im/export the EC pubkey was meant to be consumed
only by the im/export functions when crossing the provider boundary.
Having our providers exporting to a COMPRESSED format octet string made
sense to avoid memory waste, as it wasn't exposed outside the provider
API, and providers had all tools available to convert across the three
formats.

Later on, with #13139 deprecating the `EC_KEY_*` functions, more state
was added among the params imported/exported on an EC provider-native
key (including `OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT`, although it
did not affect the format used to export `OSSL_PKEY_PARAM_PUB_KEY`).

Finally, in #14800, `EVP_PKEY_todata()` was introduced and prominently
exposed directly to users outside the provider API, and the choice of
COMPRESSED over UNCOMPRESSED as the default became less sensible in
light of usability, given the latter is more often needed by
applications and protocols.

This commit fixes it, by using `EC_KEY_get_conv_form()` to get the
point format from the internal state (an `EC_KEY` under the hood) of the
provider-side object, and using it on
`EVP_PKEY_export()`/`EVP_PKEY_todata()` to format
`OSSL_PKEY_PARAM_PUB_KEY`.
The default for an `EC_KEY` was already UNCOMPRESSED, and it is altered
if the user sets `OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT` via
`EVP_PKEY_fromdata()`, `EVP_PKEY_set_params()`, or one of the
more specialized methods.

For symmetry, this commit also alters `ec_pkey_export_to()` in
`crypto/ec/ec_ameth.c`, part of the `EVP_PKEY_ASN1_METHOD` for legacy EC
keys: it exclusively used COMPRESSED format, and now it honors the
conversion format specified in the EC_KEY object being exported to a
provider when this function is called.

Expand documentation about `OSSL_PKEY_PARAM_PUB_KEY` and mention the
change in behavior for our providers.

Fixes #16595

(cherry picked from commit 926db476bc669fdcc4c4d2f1cb547060bdbfa153)

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19901)

16 months ago: Fix a logic flaw in test_mod_exp_zero
Bernd Edlinger [Fri, 16 Dec 2022 18:30:29 +0000 (19:30 +0100)]
Fix a logic flaw in test_mod_exp_zero

Due to the logic flaw, possible test failures
in this test case might be ignored.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19929)

(cherry picked from commit 42061268ee8f9ae0555d522870740fc91b744f4f)

16 months ago: Raise the KMAC limits for key and custom size to 512 bytes
Tomas Mraz [Tue, 20 Dec 2022 08:24:51 +0000 (09:24 +0100)]
Raise the KMAC limits for key and custom size to 512 bytes

This is necessary to pass new ACVP tests and to
fix the CI failure in FIPS provider compat CI

Partial cherry pick of 211c47ca1b1ac129dcee59d383cae44e36532bb9

Original-author: Shane Lontis <shane.lontis@oracle.com>

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/19937)

16 months ago: Update FIPS related build instructions.
slontis [Mon, 7 Nov 2022 05:32:07 +0000 (15:32 +1000)]
Update FIPS related build instructions.

This also links back to the new location that lists the cert and
security policy.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19617)

(cherry picked from commit e8241fb6fe4e73bb337c9068e5a2421948ee40ad)

16 months ago: Refine the documents of several APIs
Peiwei Hu [Fri, 2 Dec 2022 07:43:01 +0000 (15:43 +0800)]
Refine the documents of several APIs

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19816)

(cherry picked from commit dd1f28427b375931fda45180619c8f5971cd6bca)

16 months ago: Update HMAC() documentation.
slontis [Wed, 7 Dec 2022 22:16:03 +0000 (08:16 +1000)]
Update HMAC() documentation.

Fixes #19782

Clarify that EVP_Q_MAC() can be used as an alternative that allows
setting of the libctx.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19855)

(cherry picked from commit d1ebd99397e18de367918c201c25c389f1f07005)

16 months ago: Fix FIPS Provider compat CI of 3.0 libcrypto with 3.2 FIPS provider
Tomas Mraz [Wed, 14 Dec 2022 15:44:48 +0000 (16:44 +0100)]
Fix FIPS Provider compat CI of 3.0 libcrypto with 3.2 FIPS provider

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19904)

16 months ago: Coverity: fix 272011 resource leak
Pauli [Tue, 13 Dec 2022 22:21:39 +0000 (09:21 +1100)]
Coverity: fix 272011 resource leak

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/19900)

(cherry picked from commit a167e048a40151f9884014680c9a765ef79c3b44)

16 months ago: Fix openssl storeutl to allow serial + issuer
Simo Sorce [Wed, 7 Dec 2022 23:50:51 +0000 (18:50 -0500)]
Fix openssl storeutl to allow serial + issuer

storeutl wants to enforce the use of issuer and serial together,
however the current code prevents using them together and returns an
error if only one of them is specified.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19856)

(cherry picked from commit abdf35158e4398deedcf160c28bd07c7080edf47)