Checking __STDC_VERSION__ rather than __STRICT_ANSI__

`__STRICT_ANSI__` is a gnuish flag macro that indicates if `-ansi`
was given on the command line.  To check the C version, it's better
to check the macro `__STDC_VERSION__`.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/19197)

OSSL_CRYPTO_ALLOC attribute introduction proposal.

Giving hint to the compiler the returned pointer is not aliased
 (so realloc-like api is de facto excluded).

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19180)

update oqsprovider/liboqs to v0.7.2

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19184)

Fix PROV_RC5_CTX's original structure name

It looks like a typo when copy & pasting the structure from blowfish.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19186)

Fix tests when configured with -DOPENSSL_USE_IPV6=0

In include/internal/sockets.h it says that you can disable IPv6, and only
defines OPENSSL_USE_IPV6 (to 0 or 1) if it's not already defined.

The codebase generally then checks `#if OPENSSL_USE_IPV6`.

However, test_bio_dgram uses `#if defined(OPENSSL_USE_IPV6)` which means it tries
to test IPv6 even if it's explicitly configured out with -DOPENSSL_USE_IPV6=0
(`#if defined(OPENSSL_USE_IPV6)` is always true).

This fixes that.

Change-Id: Ie1641c9dd654f27f3bdca186517df5599ad1059b

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19181)

list: add an option to list all available algorithms

Fixes #19145

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/19168)

crypto/x509/{x509_req,x_all}.c: add some NULL parameter checks, improve coding style

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19090)

X509 x_all.c: Set 'modified' flag when ASN1_item_sign{,_ctx} call was successful

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19090)

X509 x509_req.c: Set 'modified' flag when X509_req_info_st member data updated

We need to reencode X509_req_info_st if member data updated.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19090)

openssl.cnf: split option value and comment and remove leading space

CLA: trivial

Signed-off-by: a1346054 <36859588+a1346054@users.noreply.github.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19173)

Cleanup EBCDIC string defintions

Use a single definiton for protocol string defintions.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19122)

Add some API tests for TLSv1.3 record padding

We have some ssl_test_new tests for record padding. But these only use
the block padding approach set via a config file on the SSL_CTX. We add
tests for all the various API calls.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19103)

crypto/conf: gcc build warning fix

Fix the gcc build warning from conf_sap.c:
variable flags set but not used [-Wunused-but-set-variable]
variable appname set but not used [-Wunused-but-set-variable]
variable filename set but not used [-Wunused-but-set-variable]

CLA: trivial

Signed-off-by: Gang Chen <gang.c.chen@intel.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19153)

s390x: fix ecx derive

Derivation via ecx-methods did not properly set the length.  Make the code
more similar to common code and set the length property.

Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19158)

Remove perror() usage in library

The dgram code used perror extensively.

Keep the `perror()` in the allocation code; it's used for debugging only.
Keep the `perror()`s in the demos, tests and apps.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19148)

bio_dgram_test.c: Fix warning from older clang compilers

Older clang compilers warn about the initializer:

test/bio_dgram_test.c:107:29: error: suggest braces around initialization
 of subobject [-Werror,-Wmissing-braces]
    struct in6_addr ina6 = {0};
                            ^
                            {}

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19152)

Add an EVP demo for key encoding using EC

Fixes openssl#14117

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19143)

Fix BIO_sendmmsg/BIO_recvmmsg issues on FreeBSD

Fixes #19156.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19164)

Fix undefined ipi_spec_dst for cygwin build.

The 'struct in_pktinfo' doesn't have a 'ipi_spec_dst' field on windows
OS which break cygwin builds of OpenSSL.

Signed-off-by: Tristan Lelong <tlelong@google.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19134)

apps/lib/http_server.{c,h}: clean up logging and move it to log.{c,h}

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18434)

apps/ocsp.c etc.: rename 'multi' to 'n_responders' for clarity

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18434)

APPS HTTP server: trace requests and responses when enabled

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18434)

OSSL_trace_enabled.pod: add missing synopsis for OSSL_TRACE()

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18434)

Coverity: explicit null dereference

Coverity is being pretty silly here but adding the explicit pointer checks
will stop a crash if something goes badly awry.

Fixes Coverity 1513706 - 1513709

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19136)

Initial congestion control API design

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18018)

Fix build failure on freebsd due to missing data declaration

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19130)

Coverity 1513478: negative return

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19126)

test/pkcs12_api_test.c: fix failure on MinGW

Use binary mode when opening a file.

Partially fixes #18017.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19117)

list: add a doubly linked list type.

These list can be embedded into structures and structures can be members of
multiple lists.  Moreover, this is done without dynamic memory allocation.
That is, this is legal:

    typedef struct item_st ITEM;

    struct item_st {
        ...
        OSSL_LIST_MEMBER(new_items, ITEM);
        OSSL_LIST_MEMBER(failed_items, ITEM);
        ...
    };

    DEFINE_LIST_OF(new_items, TESTL);
    DEFINE_LIST_OF(failed_items, TESTL);

    struct {
        ...
        OSSL_LIST(new_items) new;
        OSSL_LIST(failed_items) failed;
        ...
    } *st;

    ITEM *p;

    for (p = ossl_list_new_items_head(&st->new); p != NULL;
         p = ossl_list_new_items_next(p))
        /* do something */

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19115)

provider: cipher: aes: add riscv32 zkn (zbkb) support

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18308)

aes_platform: add riscv32 zkn asm support

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18308)

add build support for riscv32 aes zkn

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18308)

Add RISC-V 32 cpuid support

Mainly from #17640

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18308)

Add linux32-riscv32/BSD-riscv32 target

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18308)

Add AES implementation in riscv32 zkn asm

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18308)

check-format.pl: improve whitespace reporting on <op>=

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18812)

check-format.pl: further fixes for whitespace reporting within 'for (...)'

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18812)

check-format.pl: report #if and #elif with constant condition; improve checks on '/*'

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18812)

check-format.pl: extend checking into macro bodies; small further improvements

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18812)

check-format.pl: improve preprocessor directive handling; re-order state variables

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18812)

PKCS7: add notes to pkcs7.h.in and minor code cleanup in crypto/{pkcs7,cms}/

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18915)

Fix many inconsistencies in doc of CMS_verify() and PKC7_verify() etc.

Also change B< to I< in {CMS,PKCS7}_verify.pod, PKCS7_sign{,_add_signer}.pod

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18915)

TX key update support, RX time and PN reporting, general refactoring

- Adds an RX time field to the OSSL_QRX_PKT structure.

- Adds a timekeeping argument to ossl_demux_new which is used to determine
  packet reception time.

- Adds a decoded PN field to the OSSL_QRX_PKT structure.
  This has to be decoded by the QRX anyway, and its omission was an oversight.

- Key update support for the TX side.

- Minor refactoring.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18949)

QUIC Record Layer (Refactor and TX Side)

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18949)

QUIC Demuxer and Record Layer (RX Side)

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18949)

Document the return value of OSSL_LIB_CTX_load_config()

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19101)

Fix documented max. length for info buffer in HKDF

This limit was increased with 20c2876f24d0 ("Increase
HKDF_MAXBUF from 1024 to 2048").

CLA: trivial

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19085)

PKCS7_dataVerify(): fix missing use of CRLs in PKCS#7 message

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18913)

Remove unused dtls1_bitmap.c

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19088)

BIO_dgram support for BIO_sendmmsg/BIO_recvmmsg

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18270)

Improve chacha20 perfomance on aarch64 by interleaving scalar with SVE/SVE2

The patch will process one extra block by scalar in addition to
blocks by SVE/SVE2 in parallel. This is esp. helpful in the
scenario where we only have 128-bit vector length.

The actual uplift to performance is complicated, depending on the
vector length and input data size. SVE/SVE2 implementation don't
always perform better than  Neon, but it should prevail in most
cases

On a CPU with 256-bit SVE/SVE2, interleaved processing can
handle 9 blocks in parallel (8 blocks by SVE and 1 by Scalar).
on 128-bit SVE/SVE2 it is 5 blocks. Input size that is a multiple
of 9/5 blocks on respective CPU can be typically handled at
maximum speed.

Here are test data for 256-bit and 128-bit SVE/SVE2 by running
"openssl speed -evp chacha20 -bytes 576" (and other size)

----------------------------------+---------------------------------
                256-bit SVE       |        128-bit SVE2
----------------------------------|---------------------------------
Input  576 bytes     512 bytes    |  320 bytes        256 bytes
----------------------------------|---------------------------------
SVE    1716361.91k   1556699.18k  |  1615789.06k      1302864.40k
----------------------------------|---------------------------------
Neon   1262643.44k   1509044.05k  |  680075.67k       1060532.31k
----------------------------------+---------------------------------

If the input size gets very large, the advantage of SVE/SVE2 over
Neon will fade out.

Signed-off-by: Daniel Hu <Daniel.Hu@arm.com>
Change-Id: Ieedfcb767b9c08280d7c8c9a8648919c69728fab

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18901)

Fix memory leak with TLS1.2 compression

Leak sanitizer reports following leak for ssl-test-new subtest
4-tlsv1_2-both-compress:

==335733==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 17728 byte(s) in 1 object(s) allocated from:
    #0 0x3ff9fbba251 in malloc (/usr/lib64/libasan.so.8+0xba251)
    #1 0x3ff9f71744f in tls_do_uncompress ssl/record/methods/tls_common.c:868
    #2 0x3ff9f7175bd in tls_default_post_process_record ssl/record/methods/tls_common.c:896
    #3 0x3ff9f715ee7 in tls_get_more_records ssl/record/methods/tls_common.c:773
    #4 0x3ff9f712209 in tls_read_record ssl/record/methods/tls_common.c:958
    #5 0x3ff9f6ef73f in ssl3_read_bytes ssl/record/rec_layer_s3.c:1235
    #6 0x3ff9f776165 in tls_get_message_header ssl/statem/statem_lib.c:1198
    #7 0x3ff9f74709b in read_state_machine ssl/statem/statem.c:624
    #8 0x3ff9f74709b in state_machine ssl/statem/statem.c:478
    #9 0x3ff9f662e61 in SSL_do_handshake ssl/ssl_lib.c:4430
    #10 0x100c55d in do_handshake_step test/helpers/handshake.c:775
    #11 0x100c55d in do_connect_step test/helpers/handshake.c:1134
    #12 0x100e85b in do_handshake_internal test/helpers/handshake.c:1544
    #13 0x1011715 in do_handshake test/helpers/handshake.c:1738
    #14 0x101d1a7 in test_handshake test/ssl_test.c:543
    #15 0x1027875 in run_tests test/testutil/driver.c:370
    #16 0x1008393 in main test/testutil/main.c:30
    #17 0x3ff9cc2b871 in __libc_start_call_main (/usr/lib64/libc.so.6+0x2b871)
    #18 0x3ff9cc2b94f in __libc_start_main_alias_2 (/usr/lib64/libc.so.6+0x2b94f)
    #19 0x100864f  (/code/openssl/test/ssl_test+0x100864f)
Direct leak of 17728 byte(s) in 1 object(s) allocated from:
    #0 0x3ff9fbba251 in malloc (/usr/lib64/libasan.so.8+0xba251)
    #1 0x3ff9f71744f in tls_do_uncompress ssl/record/methods/tls_common.c:868
    #2 0x3ff9f7175bd in tls_default_post_process_record ssl/record/methods/tls_common.c:896
    #3 0x3ff9f715ee7 in tls_get_more_records ssl/record/methods/tls_common.c:773
    #4 0x3ff9f712209 in tls_read_record ssl/record/methods/tls_common.c:958
    #5 0x3ff9f6ef73f in ssl3_read_bytes ssl/record/rec_layer_s3.c:1235
    #6 0x3ff9f776165 in tls_get_message_header ssl/statem/statem_lib.c:1198
    #7 0x3ff9f74709b in read_state_machine ssl/statem/statem.c:624
    #8 0x3ff9f74709b in state_machine ssl/statem/statem.c:478
    #9 0x3ff9f662e61 in SSL_do_handshake ssl/ssl_lib.c:4430
    #10 0x100c55d in do_handshake_step test/helpers/handshake.c:775
    #11 0x100c55d in do_connect_step test/helpers/handshake.c:1134
    #12 0x1010b09 in do_handshake_internal test/helpers/handshake.c:1550
    #13 0x1011715 in do_handshake test/helpers/handshake.c:1738
    #14 0x101d1a7 in test_handshake test/ssl_test.c:543
    #15 0x1027875 in run_tests test/testutil/driver.c:370
    #16 0x1008393 in main test/testutil/main.c:30
    #17 0x3ff9cc2b871 in __libc_start_call_main (/usr/lib64/libc.so.6+0x2b871)
    #18 0x3ff9cc2b94f in __libc_start_main_alias_2 (/usr/lib64/libc.so.6+0x2b94f)
    #19 0x100864f  (/code/openssl/test/ssl_test+0x100864f)
SUMMARY: AddressSanitizer: 35456 byte(s) leaked in 2 allocation(s).

Fix this by freeing the SSL3_RECORD structure inside the OSSL_RECORD_LAYER.

Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19030)

apps/speed.c: Wait for generated children

In multi-mode, speed fork()s off several children but does not wait for them.
On Linux, this leads to wrong accounting information of getrusage used by
tools to extract running time and page faults.

Wait for every children and check the return code and termination signal.

Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19093)

Fix man page to indicate SHA256 MAC for PKCS12

CLA: trivial

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19079)

Test that we ignore a bad record version in a plaintext TLSv1.3 record

The RFC requires us to ignore this field in plaintext records - so even
if it is set incorrectly we should tolerate it.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19058)

Tolerate a bad record version in TLSv1.3 plaintext records

When a server responds to a second TLSv1.3 ClientHello it is required to
set the legacy_record_version to 0x0303 (TLSv1.2). The client is required
to ignore that field even if it is wrong. The recent changes to the read
record layer in PR #18132 made the record layer stricter and it was
checking that the legacy_record_version was the correct value. This
caused connection failures when talking to buggy servers that set the
wrong legacy_record_version value.

We make us more tolerant again.

Fixes #19051

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19058)

Add design requirements for QUIC packet demuxer

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18249)

ERR: Make CRYPTO_malloc() and friends report ERR_R_MALLOC_FAILURE

Fixes #6251

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/14833)

Convert serverinfo in SSL_CTX_use_serverinfo() to v2.

Fixes openssl#18183.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18614)

Add missing ')' to command help

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19049)

Drop the optimisation level for ppc64le cross-compile

The default cross compiler (gcc 9.4.0) for ppc64le on Ubunut 20.04 seems
buggy and causes a seg fault in sslapitest. This doesn't impact any other
CI cross compile platforms and does not seem to impact the gcc 10.3.0 cross
compiler.

We just drop the optimisation level on that platform.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19056)

Updates for OSSL_TIME changes

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18676)

QUIC ACK Manager, Statistics Manager and Congestion Control API

This is the initial implementation of the ACK Manager for OpenSSL's QUIC
support, with supporting design documentation and tests.

Because the ACK Manager also depends on the Statistics Manager, it is
also implemented here. The Statistics Manager is quite simple, so this
does not amount to a large amount of extra code.

Because the ACK Manager depends on a congestion controller, it adds a
no-op congestion controller, which uses the previously workshopped
congestion control API.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18676)

CMP: correct handling of fallback subject in OSSL_CMP_CTX_setup_CRM() and its doc

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18929)

CMP: fix crash in check_transactionID_or_nonce() on 'actual' being NULL

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18929)

CRMF: make create_popo_signature() check that pubkey and pkey match

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18930)

add missing CRMF API function OSSL_CRMF_CERTTEMPLATE_get0_publicKey()

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18930)

X509: clean up doc and implementation of X509{,_REQ}_check_private_key()

Also constify X509_REQ_get0_pubkey() and X509_REQ_check_private_key().

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18930)

x509_att.c: improve error checking and reporting and coding style

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18931)

add missing doc of X509_REQ_get_extensions() and X509_REQ_add_extensions{,_nid}()

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18931)

X509_REQ_get_extensions: add error queue entry on ill-formed extensions attribute

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18931)

util/wrap.pl.in: If the subprocess died with a signal, let's re-signal it

A simple 'kill' of the same signal on our own process should do it.
This will allow the shell that this is running under to catch it
properly, and output something if it usually does that.

Fixes #19041

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19042)

Fix the return type for the rlayer_skip_early_data callback

There was a copy & paste error in the definition of the
rlayer_skip_early_data callback. The return type is supposed to
be "int" but it was defined as a pointer type. This was causing
test failures on some platforms.

Fixes #19037

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/19048)

rl->enc_ctx must be non-NULL and cipher must be set

Otherwise ssl3_cipher() cannot work properly.

Fixes Coverity CID 1509401

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19027)

Do not use RLAYERfatal on NULL RLAYER

or on record layer that is to be freed anyway.

Fixes Coverity CID 1509402, 1509403

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19027)

Coverity 1508532: out of bounds access

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19033)

OSSL_HTTP_REQ_CTX_nbio: add support for partial content-type string matching

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18675)

app_http_tls_cb() and tls_error_hint(): code cleanup

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18675)

Makefile: Generate crypto objects only as far as needed

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/15224)

Makefile: Call mknum.pl on 'make ordinals' only if needed

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/15224)

Support decode SM2 parameters

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18819)

Moving notify check after the no time check

CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19007)

openssl speed fails in FIPS mode

...because it uses md5 for HMAC tests. Skip md5 in case of its
unavailability.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17331)

Fix typo in migration guide

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19032)

Always automatically add -DPEDANTIC with enable-ubsan

To avoid reports like: #19028

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19029)

Fix doc-nits

PR #19031 updated options that that were listed as commands, these
options were already in openssl-list.pod.in, so they are redundant
in openssl.pod.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19044)

evp: Use functions instead of direct structure field references

AES and chacha20poly1305 also have some codes that directly reference
the fields in the EVP_CIPHER_CTX structure, such as 'ctx->buf' and
'ctx->encrypt', in order to make the code style uniform, use the
corresponding interface API instead of direct field references.

Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16465)

evp: Simplify ARIA aead cipher definition

Remove fixed macro variables, only keep the cipher mode name and
key length.

Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16465)

Add BSD-armv4 target based on linux-armv4

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18910)

Clarify dashes are required for openssl list command

Fixes #19013

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19031)

Update gitignore

Add test/timing_load_creds

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19021)

BIO_sendmmsg/BIO_recvmmsg (API only)

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18923)

Limit the size of various MAXCHUNK definitions

The current code has issues when sizeof(long) <> sizeof(size_t).  The two
types are assumed to be interchangeable and them being different will
cause crashes and endless loops.

This fix limits the maximum chunk size for many of the symmetric ciphers
to 2^30 bytes.  This chunk size limits the amount of data that will
be encrypted/decrypted in one lump.  The code internally handles block
of data later than the chunk limit, so this will present no difference
to the caller.  Any loss of efficiency due to limiting the chunking to
1Gbyte rather than more should be insignificant.

Fixes Coverity issues:
    1508498, 1508500 - 1508505, 1508507 - 1508527, 1508529 - 1508533,
    1508535 - 1508537, 1508539, 1508541 - 1508549, 1508551 - 1508569 &
    1508571 - 1508582.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18997)

Coverity: misuses of time_t

Coverity 1508506:

    Fixes a bug in the cookie code which would have caused problems for
    ten minutes before and after the lower 32 bits of time_t rolled over.

Coverity 1508534 & 1508540:

    Avoid problems when the lower 32 bits of time_t roll over by delaying
    the cast to integer until after the time delta has been computed.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19004)

Check record layer callbacks are non-null

The current libssl code always ensures that the callbacks are non-null.
However, the record layer itself wasn't checkthing this. We ensure it does.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18132)

Formatting cleanups

Some minor formatting cleanups and other minor tweaks.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18132)

Remove redefinition of macros

Some macros were redefined in ssl3_cbc.c. We remove the redefinitions

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18132)

Remove redefinition of SSL_AD_NO_ALERT

The SSL_AD_NO_ALERT value was defined in two places. We centralise its
definition.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18132)

Ensure the rrl object is set to NULL after it is freed

Once we free the rrl object we should NULL it to prevent a dangling ref
to it. Otherwise we could get a double free.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18132)

Rename some functions to be more consistent

Some functions in the record layer were called rlayer_*, but most were
called tls_*. We standardise on the latter.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18132)