openssl.git
Improve RFC 8446 PSK key exchange mode compliance
Benjamin Kaduk [Tue, 30 Mar 2021 06:03:49 +0000 (23:03 -0700)]

It's a MUST-level requirement that if the client sends a pre_shared_key
extension not accompanied by a psk_key_exchange_modes extension, the
server must abort the handshake.  Prior to this commit the server
would continue on.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14749)
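To make the server-side rule behind this commit concrete, here is an added Python checker (example code, not OpenSSL's own TLS implementation). It parses a ClientHello extensions vector and applies the RFC 8446 section 4.2.9 requirement the commit enforces, plus two neighbouring rules from the same RFC that a server is expected to check at the same point: no duplicate extension types (section 4.2) and pre_shared_key being the last extension (section 4.2.11). The codepoints 41 and 45 are the registered values; the sample extension payloads in the main block are constructed, not real PSK identities.

```python
"""Server-side PSK extension checks from RFC 8446 (added example, not OpenSSL code)."""
import struct

# Extension type codepoints from the RFC 8446 IANA registry.
EXT_PRE_SHARED_KEY = 41
EXT_PSK_KEY_EXCHANGE_MODES = 45


def parse_extensions(block):
    """Parse a ClientHello extensions vector into a list of (type, data) pairs.

    Layout: a 2-byte total length, then entries of 2-byte type, 2-byte
    length and data.  Truncation, length mismatches and duplicate types
    (RFC 8446 section 4.2) raise ValueError.
    """
    if len(block) < 2:
        raise ValueError("truncated extensions vector")
    (total,) = struct.unpack("!H", block[:2])
    if total != len(block) - 2:
        raise ValueError("extensions length does not match data")
    body, pos, out, seen = block[2:], 0, [], set()
    while pos < len(body):
        if pos + 4 > len(body):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if pos + ext_len > len(body):
            raise ValueError("truncated extension data")
        if ext_type in seen:
            raise ValueError("duplicate extension type %d" % ext_type)
        seen.add(ext_type)
        out.append((ext_type, body[pos:pos + ext_len]))
        pos += ext_len
    return out


def check_psk_extensions(extensions):
    """Return None if the PSK rules hold, otherwise the reason the server must abort.

    Section 4.2.9: a client offering pre_shared_key MUST also send
    psk_key_exchange_modes.  Section 4.2.11: pre_shared_key MUST be the
    last extension in the ClientHello.
    """
    types = [t for t, _ in extensions]
    if EXT_PRE_SHARED_KEY not in types:
        return None  # no PSK offered, nothing to check here
    if EXT_PSK_KEY_EXCHANGE_MODES not in types:
        return "pre_shared_key without psk_key_exchange_modes"
    if types[-1] != EXT_PRE_SHARED_KEY:
        return "pre_shared_key is not the last extension"
    return None


def validate_client_hello_extensions(block):
    """Parse and check a raw extensions vector; returns None or an abort reason."""
    try:
        return check_psk_extensions(parse_extensions(block))
    except ValueError as err:
        return "malformed extensions: %s" % err


def build_extensions(entries):
    """Serialise (type, data) pairs into an extensions vector (builds constructed test input)."""
    body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in entries)
    return struct.pack("!H", len(body)) + body


if __name__ == "__main__":
    psk = b"\x00\x00"       # constructed placeholder payload, not a real PSK extension
    modes = b"\x01\x01"     # psk_ke_modes vector containing psk_dhe_ke (1)
    for name, entries in [
        ("psk without modes", [(43, b"\x02\x03\x04"), (EXT_PRE_SHARED_KEY, psk)]),
        ("psk with modes", [(43, b"\x02\x03\x04"), (EXT_PSK_KEY_EXCHANGE_MODES, modes),
                            (EXT_PRE_SHARED_KEY, psk)]),
    ]:
        print(name, "->", validate_client_hello_extensions(build_extensions(entries)))
```

The abort reason is returned rather than raised so the caller can map it onto the alert it wants to send; before this commit, the first case above would have been accepted instead of ending the handshake.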

HTTP client: Minimal changes that include the improved API
Dr. David von Oheimb [Tue, 4 May 2021 22:09:43 +0000 (00:09 +0200)]

This is a minimal version of pull request #15053 including all the
proposed improvements to the HTTP client API and its documentation
but only those code adaptations strictly needed for it.

The proposed new features include
* support for persistent connections (keep-alive),
* generalization to arbitrary request and response types, and
* support for streaming BIOs for request and response data.

The related API changes include:
* Split the monolithic OSSL_HTTP_transfer() into OSSL_HTTP_open(),
  OSSL_HTTP_set_request(), a lean OSSL_HTTP_transfer(), and OSSL_HTTP_close().
* Split the timeout functionality accordingly and improve default behavior.
* Extract part of OSSL_HTTP_REQ_CTX_new() to OSSL_HTTP_REQ_CTX_set_expected().

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15147)

Add ASN1_item_i2d_mem_bio(); document and improve also ASN1_item_d2i_bio()
Dr. David von Oheimb [Fri, 7 May 2021 15:16:48 +0000 (17:16 +0200)]

ASN1_item_d2i_bio(): Do not report errors in queue on BIO input being NULL

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15147)

A few cleanups of the provider build.infos
Tomas Mraz [Wed, 5 May 2021 17:01:44 +0000 (19:01 +0200)]

Remove a TODO that is no longer relevant and
drop some more non-fips sources from the fips checksums.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15191)

Allow arbitrary digests with ECDSA and DSA
Tomas Mraz [Mon, 10 May 2021 14:51:39 +0000 (16:51 +0200)]

Unless the FIPS security check is enabled we allow arbitrary digests
with ECDSA and DSA.

Fixes #14696

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15220)

apps: make list -help not continue with listing
Pauli [Mon, 10 May 2021 05:55:13 +0000 (15:55 +1000)]

All the commands return after printing their help.  List doesn't.
This brings them in line.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15211)

apps: change list command to only list fetchable algorithms.
Pauli [Mon, 10 May 2021 02:12:38 +0000 (12:12 +1000)]

The -propquery option will work with this change.  By default the output will
be the same.

Also address some inconsistencies in the code with respect to error checking.

Fixes #15196

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15211)

encoder: add a _name() function for encoders and decoders
Pauli [Mon, 10 May 2021 03:05:08 +0000 (13:05 +1000)]

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15211)

doc: document the encoder and decoder name functions
Pauli [Mon, 10 May 2021 02:57:33 +0000 (12:57 +1000)]

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15211)

Checksum update
Pauli [Wed, 12 May 2021 08:20:55 +0000 (18:20 +1000)]

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>

property: add test case for setting default user properties before fetching
Matt Caswell [Tue, 11 May 2021 07:45:10 +0000 (17:45 +1000)]

Shamelessly culled from #15218.

Co-authored-by: Dr Paul Dale <pauli@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15222)

property: create property names more eagerly.
Pauli [Mon, 10 May 2021 23:48:22 +0000 (09:48 +1000)]

User defined property names were not created before the first fetch.  The
rationale for this was to only maintain the user names defined by providers.
This was intended to prevent malicious memory use attacks.

Not being able to specify a default query before the first fetch is wrong.  This
changes the behaviour of the property query parsing to always create property
names.

Fixes #15218

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15222)

Run-checker converted to GitHub Actions
Pauli [Mon, 3 May 2021 22:59:01 +0000 (08:59 +1000)]

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15129)

coveralls: fix comment to indicate daily not weekly
Pauli [Fri, 7 May 2021 03:26:44 +0000 (13:26 +1000)]

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15129)

Add OID for RPKI id-ct-signedChecklist
Job Snijders [Sun, 9 May 2021 20:24:29 +0000 (20:24 +0000)]

References: draft-ietf-sidrops-rpki-rsc - Resource Public Key Infrastructure
(RPKI) object profile for Signed Checklist (RSC)

OID listed under 'SMI Security for S/MIME CMS Content Type (1.2.840.113549.1.9.16.1)'
https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#security-smime-1

CLA: Trivial

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15207)

find-doc-nits fix courtesy Rich Salz
EasySec [Wed, 5 May 2021 15:59:29 +0000 (17:59 +0200)]

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11481)

use LHASH_OF(TYPE) macro to make the example consistent with the declaration in ssl.h
EasySec [Tue, 7 Apr 2020 14:59:47 +0000 (16:59 +0200)]

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11481)

Checksum update
Pauli [Wed, 12 May 2021 01:14:02 +0000 (11:14 +1000)]

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>

evp: fix return code check.
Pauli [Mon, 10 May 2021 04:13:30 +0000 (14:13 +1000)]

The return from evp_do_md_getparams() is 0 for failure and -1 for not being
a provided algorithm.  The code in evp_md_cache_constants() failed to check
the return code properly.  In this case it was harmless but better to fix it.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/15208)

coverity: fix 1484542 dereference after null check
Pauli [Mon, 10 May 2021 00:24:13 +0000 (10:24 +1000)]

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/15208)

coverity: fix 1484540 resource leak
Pauli [Mon, 10 May 2021 00:18:07 +0000 (10:18 +1000)]

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/15208)

coverity: fix 1484539 resource leak
Pauli [Mon, 10 May 2021 00:17:38 +0000 (10:17 +1000)]

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/15208)

80-test_cmp_http.t: Improve fuzzing exclusion pattern - fixup!
Dr. David von Oheimb [Mon, 10 May 2021 14:27:13 +0000 (16:27 +0200)]

This now correctly fixes #14966.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15217)

Fix missing $CPUIDDEF in libdefault.a
Xiaofei Bai [Mon, 10 May 2021 09:12:22 +0000 (09:12 +0000)]

This fixes a build error caused by a missing $CPUIDDEF when
compiling libdefault.a, which left some functions (like armv8_aes_gcm_encrypt)
undefined.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15215)

Update FIPS checksums
Matt Caswell [Fri, 7 May 2021 10:18:57 +0000 (11:18 +0100)]

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14991)

Exclude child provider code from the FIPS module
Matt Caswell [Fri, 7 May 2021 10:03:59 +0000 (11:03 +0100)]

We don't need the child provider code in the FIPS module so we exclude
it.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14991)

Update documentation following addition of OSSL_LIB_CTX_new_child()
Matt Caswell [Wed, 5 May 2021 13:43:19 +0000 (14:43 +0100)]

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14991)

Add additional testing of child libctx/providers
Matt Caswell [Tue, 4 May 2021 16:38:10 +0000 (17:38 +0100)]

Add a case where a provider explicitly loads a provider into a child
libctx where it does not already exist.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14991)

Don't convert pre-existing providers into children
Matt Caswell [Tue, 4 May 2021 15:23:31 +0000 (16:23 +0100)]

If a provider explicitly loads another provider into a child libctx where
it wasn't previously loaded then we don't start treating it like a child
if the parent libctx subsequently loads the same provider.

Fixes #14925

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14991)

Add support for child provider to up_ref/free their parent
Matt Caswell [Thu, 29 Apr 2021 15:37:42 +0000 (16:37 +0100)]

If the ref counts on a child provider change, then this needs to be
reflected in the parent so we add callbacks to do this.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14991)

Add a test to check that child provider callbacks are working
Matt Caswell [Mon, 26 Apr 2021 15:00:04 +0000 (16:00 +0100)]

Write a test to confirm that if a provider is unloaded/loaded into a
libctx then it is similarly unloaded/loaded from any child libctxs.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14991)

Register callbacks with core for child provider creation/deletion
Matt Caswell [Fri, 23 Apr 2021 11:08:27 +0000 (12:08 +0100)]

By adding callbacks to the core this will enable (in future commits) the
ability to add/remove child providers as the providers are added/removed
from the parent libctx.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14991)

Add a test for OSSL_LIB_CTX_new_child()
Matt Caswell [Thu, 22 Apr 2021 14:58:50 +0000 (15:58 +0100)]

Check that we can create such a libctx and usable providers are loaded
into it.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14991)

Modify the legacy provider to use OSSL_LIB_CTX_new_child()
Matt Caswell [Thu, 22 Apr 2021 07:31:08 +0000 (08:31 +0100)]

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14991)

Add the concept of a child OSSL_LIB_CTX
Matt Caswell [Wed, 21 Apr 2021 15:51:41 +0000 (16:51 +0100)]

Add a child OSSL_LIB_CTX that will mirror the providers loaded into the
parent libctx. This is useful for providers that want to use algorithms
from other providers and just need to inherit the providers used by the
application.

Fixes #14925

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14991)

Add the ability for ex_data to have a priority
Matt Caswell [Mon, 26 Apr 2021 10:35:17 +0000 (11:35 +0100)]

Where an object has multiple ex_data associated with it, then we free that
ex_data in order of priority (high priority first).

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14991)

Only load the config file into the default libctx if necessary
Matt Caswell [Thu, 22 Apr 2021 08:43:22 +0000 (09:43 +0100)]

There is no need to load providers from the config file into the default
libctx, if the current libctx that we are using isn't the default libctx.
This avoids some deadlock situations.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14991)

Constify EVP_PKEY_CTX_set_params(), EVP_PKEY_CTX_{set,get}table_params(), etc.
Dr. David von Oheimb [Wed, 14 Apr 2021 16:29:22 +0000 (18:29 +0200)]

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14695)

Add convenience functions and macros for asymmetric key generation
Dr. David von Oheimb [Sat, 20 Mar 2021 12:49:08 +0000 (13:49 +0100)]

Add EVP_PKEY_gen(), EVP_PKEY_Q_gen(), EVP_RSA_gen(), and EVP_EC_gen().
Also export auxiliary function OSSL_EC_curve_nid2name()
and improve deprecation info on RSA and EC key generation/management functions.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14695)

Tests for creating req from PKCS8 keys with extra attrs
Dmitry Belyavskiy [Tue, 4 May 2021 18:47:42 +0000 (20:47 +0200)]

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15142)

reduce surprise in choice of CASE/String/STRING by allowing all inputs to be in any case
Michael Richardson [Wed, 14 Apr 2021 15:44:41 +0000 (11:44 -0400)]

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14877)

Reduce the runtime/output from the gmdiff test
Pauli [Sat, 8 May 2021 12:05:45 +0000 (22:05 +1000)]

Reduce from 1e6 iterations to 1e3.  Add additional cases to cover the same
range although most intermediate values will be skipped.

Fixes #15185

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15202)

armcap: fix Mac M1 SHA512 support.
David CARLIER [Mon, 19 Apr 2021 20:26:50 +0000 (21:26 +0100)]

The SIGILL catch/trap works, but it is purposely disabled for Darwin,
which thus relies on the native API instead.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14935)

Fix i2d_PKCS8PrivateKey_nid_bio() regression.
Shane Lontis [Wed, 5 May 2021 06:58:37 +0000 (16:58 +1000)]

This method ignores the nid and could end up saving out the private key unencrypted.

In earlier alpha releases OSSL_num_encoders() returned 0 for this test
case, which then meant that the legacy path was run, and the key was
then correctly encrypted.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15152)

checksum fix
Pauli [Mon, 10 May 2021 00:47:37 +0000 (10:47 +1000)]

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15209)

Mark pop/clear error stack in der2key_decode_p8
Daniel Bevenius [Wed, 28 Apr 2021 08:30:13 +0000 (10:30 +0200)]

This commit sets the error mark before calling d2i_X509_SIG
and clears it if that function call is successful.

The motivation for this is that if d2i_X509_SIG returns NULL then the
else clause will be entered and d2i_PKCS8_PRIV_KEY_INFO will be
called. If d2i_X509_SIG raised any errors, those errors will be on the
error stack when d2i_PKCS8_PRIV_KEY_INFO gets called, and even if it
returns successfully those errors will still be on the error stack.

We ran into this issue when upgrading Node.js to 3.0.0-alpha15.
More details can be found in the ref links below.

Refs: https://github.com/nodejs/node/issues/38373
Refs: https://github.com/danbev/learning-libcrypto/blob/master/notes/wrong-tag-issue2.md

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/15067)

BIO_listen: disable setting ipv6_v6only on OpenBSD as it is a read only data and true
David Carlier [Sat, 24 Apr 2021 15:13:26 +0000 (16:13 +0100)]

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/15015)

Optimize RSA on armv8
fangming.fang [Fri, 19 Mar 2021 06:45:57 +0000 (06:45 +0000)]

Add a Neon path for RSA on armv8. This optimisation targets A72
and N1, which are among the important infrastructure cores. Other
platforms are not impacted.

A72
                          old        new    improved
rsa   512 sign         9828.6     9738.7      -1%
rsa   512 verify     121497.2   122367.7       1%
rsa  1024 sign           1818     1816.9       0%
rsa  1024 verify      37175.6    37161.3       0%
rsa  2048 sign          267.3      267.4       0%
rsa  2048 verify      10127.6    10119.6       0%
rsa  3072 sign           86.8         87       0%
rsa  3072 verify       4604.2     4956.2       8%
rsa  4096 sign           38.3       38.5       1%
rsa  4096 verify       2619.8     2972.1      13%
rsa  7680 sign              5          7      40%
rsa  7680 verify          756      929.4      23%
rsa 15360 sign            0.8          1      25%
rsa 15360 verify        190.4        246      29%

N1
                          old        new    improved
rsa   512 sign        12599.2    12596.7       0%
rsa   512 verify     148636.1   148656.2       0%
rsa  1024 sign         2150.6     2148.9       0%
rsa  1024 verify      42353.5    42265.2       0%
rsa  2048 sign          305.5      305.3       0%
rsa  2048 verify      11209.7    11205.2       0%
rsa  3072 sign           97.8       98.2       0%
rsa  3072 verify       5061.3     5990.7      18%
rsa  4096 sign           42.8         43       0%
rsa  4096 verify       2867.6     3509.8      22%
rsa  7680 sign            5.5        8.4      53%
rsa  7680 verify        823.5     1058.3      29%
rsa 15360 sign            0.9        1.1      22%
rsa 15360 verify          207      273.9      32%

CustomizedGitHooks: yes
Change-Id: I01c732cc429d793c4eb5ffd27ccd30ff9cebf8af
Jira: SECLIB-540

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14761)

FIPS checksums update
Nicola Tuveri [Sun, 9 May 2021 11:57:14 +0000 (14:57 +0300)]

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15108)

Test oct2point for hybrid point encoding of (0, y)
Theo Buehler [Sat, 1 May 2021 11:09:10 +0000 (13:09 +0200)]

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15108)

Avoid division by zero in hybrid point encoding
Theo Buehler [Sat, 1 May 2021 10:25:50 +0000 (12:25 +0200)]

In hybrid and compressed point encodings, the form octet contains a bit
of information allowing y to be calculated from x.  For a point on a binary
curve, this bit is zero if x is zero, otherwise it must match the
rightmost bit of the field element y / x.  The existing code only
considers the second possibility. It could thus incorrectly fail with a
division by zero error as found by Guido Vranken's cryptofuzz.

This commit adds a few explanatory comments to oct2point. The only
actual code change is in the last hunk which adds a BN_is_zero(x)
check to avoid the division by zero.

Fixes #15021

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15108)
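To show the rule this commit fixes in isolation, here is an added Python example (not OpenSSL's oct2point code). It works over the tiny field GF(2^8) with the reduction polynomial x^8 + x^4 + x^3 + x + 1 (value 0x11B), which is small enough to brute-force points on a binary curve y^2 + xy = x^3 + ax^2 + b. The curve parameters a = 1 and b = 0x5B, and the points found on it, are constructed for the demo; the form-octet values 0x06/0x07 and the "zero if x is zero, else rightmost bit of y / x" rule are the SEC 1 / X9.62 definitions the commit message refers to. Like BN_GF2m_mod_div, the field division below treats a zero divisor as an error, so the x == 0 point only survives because y_bit() checks x first.

```python
"""Hybrid-form y bit for points on a binary curve (added example, not OpenSSL code)."""

M = 8              # field degree for GF(2^8)
POLY = 0x11B       # reduction polynomial x^8 + x^4 + x^3 + x + 1
ORDER = 1 << M     # number of field elements


def gf_mul(a, b):
    """Carry-less multiply of two GF(2^8) elements, reduced modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & ORDER:
            a ^= POLY
    return r


def gf_pow(a, e):
    """Square-and-multiply exponentiation in GF(2^8)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def gf_div(num, den):
    """num / den in GF(2^8); a zero divisor is an error, as in BN_GF2m_mod_div."""
    if den == 0:
        raise ZeroDivisionError("division by zero in GF(2^m)")
    return gf_mul(num, gf_pow(den, ORDER - 2))   # den^(2^m - 2) is den^-1


def gf_sqrt(a):
    """Square root in characteristic 2 is the Frobenius inverse: a^(2^(m-1))."""
    return gf_pow(a, ORDER >> 1)


def on_curve(x, y, a, b):
    """True when y^2 + x*y == x^3 + a*x^2 + b over GF(2^8)."""
    lhs = gf_mul(y, y) ^ gf_mul(x, y)
    x2 = gf_mul(x, x)
    rhs = gf_mul(x2, x) ^ gf_mul(a, x2) ^ b
    return lhs == rhs


def y_bit(x, y):
    """The bit a compressed/hybrid encoding stores in its form octet.

    For binary curves it is 0 when x == 0 and otherwise the rightmost bit
    of y / x.  Testing x first is exactly the BN_is_zero(x) guard the commit
    adds; dividing unconditionally raises on every (0, y) point.
    """
    if x == 0:
        return 0
    return gf_div(y, x) & 1


def hybrid_form_ok(form, x, y):
    """Validate the form octet (0x06 or 0x07) of a hybrid encoding against (x, y)."""
    if form not in (0x06, 0x07):
        return False
    return (form & 1) == y_bit(x, y)


def find_point(a, b):
    """Brute-force a curve point with x != 0 (cheap in a 256-element field)."""
    for x in range(1, ORDER):
        for y in range(ORDER):
            if on_curve(x, y, a, b):
                return x, y
    return None


if __name__ == "__main__":
    A, B = 1, 0x5B                  # constructed curve parameters
    x0, y0 = 0, gf_sqrt(B)          # the x == 0 point: y^2 = b
    print("x == 0 point", (x0, y0), "on curve:", on_curve(x0, y0, A, B),
          "form 0x06 ok:", hybrid_form_ok(0x06, x0, y0))
    x1, y1 = find_point(A, B)
    print("x != 0 point", (x1, y1), "y bit:", y_bit(x1, y1))
```

The same y_bit() result is what an encoder writes into the form octet and what a decoder compares against it, so the zero-x special case has to agree on both sides; a decoder that divides first either errors out or, worse, disagrees with a standards-conforming encoder on a valid point.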

tasn_dec: use do/while around statement macros
Benjamin Kaduk [Tue, 4 May 2021 19:33:28 +0000 (12:33 -0700)]

Use the do {} while (0) construct around macros whose bodies are complete
statements (including one that has internal control flow!).  This is
safer and avoids any risk of misinterpretation if the macro is used in
an unexpected context.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15143)

80-test_cmp_http.t: Improve fuzzing exclusion pattern
Dr. David von Oheimb [Wed, 5 May 2021 10:32:18 +0000 (12:32 +0200)]

Fixes #14966

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15158)

ssl.h.in: Fix deprecation exclusion for SRP-related declarations
Dr. David von Oheimb [Sat, 20 Mar 2021 12:57:08 +0000 (13:57 +0100)]

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15176)

Crypto: Add deprecation compatibility declarations for SHA* message digest functions
Dr. David von Oheimb [Mon, 29 Mar 2021 17:32:48 +0000 (19:32 +0200)]

Also add hints to SHA256_Init.pod and CHANGES.md how to replace SHA256() etc.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14741)

Add quick one-shot EVP_Q_mac() and deprecation compensation decls for MAC functions
Dr. David von Oheimb [Mon, 29 Mar 2021 17:42:33 +0000 (19:42 +0200)]

This helps compensate for deprecated functions such as HMAC()
and reduces clutter in the crypto lib, apps, and tests.
Also fixes memory leaks in generate_cookie_callback() of apps/lib/s_cb.c
and replaces 'B<...>' by 'I<...>' where appropriate in HMAC.pod.

Partially fixes #14628.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14664)

DOC: Fix all wrong occurrences of '<propq>' to 'I<propq>'
Dr. David von Oheimb [Wed, 24 Mar 2021 08:11:13 +0000 (09:11 +0100)]

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14664)

apps/mac: Add digest and cipher command line options
Pauli [Fri, 7 May 2021 05:48:27 +0000 (15:48 +1000)]

Add -cipher and -digest as short forms of -macopt cipher: and -macopt digest:
respectively.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15189)

apps/mac: avoid need for two ^D when using stdin from a terminal
Pauli [Fri, 7 May 2021 04:19:06 +0000 (14:19 +1000)]

Fixes #13246

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15189)

apps: remove initial newline from mac output
Pauli [Fri, 7 May 2021 04:12:38 +0000 (14:12 +1000)]

Fixes #13247

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15189)

apps: add mac, cipher and digest arguments to the kdf applet.
Pauli [Fri, 7 May 2021 06:58:16 +0000 (16:58 +1000)]

This adds -digest, -mac and -cipher which correspond to -kdfopt digest: and
-kdfopt mac: and -kdfopt cipher: respectively.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15190)

Remove unused code from the fips module
Shane Lontis [Thu, 6 May 2021 04:03:20 +0000 (14:03 +1000)]

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15167)

bn: Add fixed length (n=6), unrolled PPC Montgomery Multiplication
Martin Schwenke [Wed, 14 Apr 2021 04:31:58 +0000 (14:31 +1000)]

Overall improvement for p384 of ~18% on Power 9, compared to the existing
Power assembly code.  See the comment in the code for more details.

Multiple unrolled versions could be generated for values other than
6.  However, for TLS 1.3 the only other ECC algorithms that might use
Montgomery Multiplication are p256 and p521, but these have custom
algorithms that don't use Montgomery Multiplication.  Non-ECC
algorithms are likely to use larger key lengths that won't fit into
the n <= 10 length limitation of this code.

Signed-off-by: Amitay Isaacs <amitay@ozlabs.org>
Signed-off-by: Alastair D'Silva <alastair@d-silva.org>
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15175)

BIO_printf.pod: Clarify that output is always null terminated.
Scott McPeak [Fri, 23 Apr 2021 10:31:54 +0000 (03:31 -0700)]

The original text was ambiguous about termination for errors other
than insufficient space.  See issue #14772.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15000)

FIPS checksum update
Pauli [Fri, 7 May 2021 13:51:27 +0000 (23:51 +1000)]

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15042)

provider: use a read lock when looking for a provider
Pauli [Wed, 5 May 2021 10:47:02 +0000 (20:47 +1000)]

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15042)

doc: document the new ossl_provider_clear_all_operation_bits() function
Pauli [Wed, 5 May 2021 01:22:08 +0000 (11:22 +1000)]

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15042)

test: add a provider load/unload cache flush test.
Pauli [Tue, 27 Apr 2021 05:29:16 +0000 (15:29 +1000)]

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15042)

provider: flush the store cache when providers are loaded/unloaded.
Pauli [Tue, 27 Apr 2021 05:17:25 +0000 (15:17 +1000)]

When the providers change, the method cache needs to be flushed.  This also
impacts the cache-is-full partial flushes and the algorithm flushing by ID.

A new function is introduced to clear all of the operation bits in all
providers in a library context.

Fixes #15032

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15042)

Updated gost-engine to latest commit from master branch
Tomas Mraz [Thu, 6 May 2021 12:05:59 +0000 (14:05 +0200)]

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/15180)

Unify parameter types in documentation
Tomas Mraz [Thu, 6 May 2021 11:28:13 +0000 (13:28 +0200)]

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15178)

Fixes #14662. Return all EC parameters even for named curves
Jon Spillett [Wed, 28 Apr 2021 03:01:48 +0000 (13:01 +1000)]

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15060)

Fixes #15070. Allow custom algorithm ID ASN.1 encoding for provided ciphers
Jon Spillett [Tue, 4 May 2021 05:19:42 +0000 (15:19 +1000)]

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15130)

make update
Richard Levitte [Thu, 6 May 2021 07:03:23 +0000 (09:03 +0200)]

The impact on the FIPS checksum files is pretty significant

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15171)

Drop libimplementations.a
Richard Levitte [Thu, 6 May 2021 06:48:15 +0000 (08:48 +0200)]

libimplementations.a was a nice idea, but had a few flaws:

1.  The idea to have common code in libimplementations.a and FIPS
    sensitive helper functions in libfips.a / libnonfips.a didn't
    catch on, and we saw full implementations ending up in them instead
    and not appearing in libimplementations.a at all.

2.  Because more or less ALL algorithm implementations were included
    in libimplementations.a (the idea being that the appropriate
    objects from it would be selected automatically by the linker when
    building the shared libraries), it's very hard to find only the
    implementation source that should go into the FIPS module, with
    the result that the FIPS checksum mechanism includes source files
    that it shouldn't.

To mitigate, we drop libimplementations.a, but retain the idea of
collecting implementations in static libraries.  With that, we now
have:

libfips.a

    Includes all implementations that should become part of the FIPS
    provider.

liblegacy.a

    Includes all implementations that should become part of the legacy
    provider.

libdefault.a

    Includes all implementations that should become part of the
    default and base providers.

With this, libnonfips.a becomes irrelevant and is dropped.
libcommon.a is retained to include common provider code that can be
used uniformly by all providers.

Fixes #15157

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15171)

2 years ago  Rename files in providers/implementations/signatures
Richard Levitte [Thu, 6 May 2021 06:40:18 +0000 (08:40 +0200)]
Rename files in providers/implementations/signatures

It was discovered that eddsa.c exists in two places, here and in
crypto/ec/curve448/, which would result in a file name clash if they
ever end up in the same library.

To mitigate, we rename the copy in providers/implementations/signatures
to have '_sig' in the file name, and do the same with all other source
files in this directory, for consistency.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15171)

2 years ago  changes: add note about application output formatting differences.
Pauli [Thu, 6 May 2021 05:22:38 +0000 (15:22 +1000)]
changes: add note about application output formatting differences.

Fixes #13220

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15168)

2 years ago  Avoid sending alerts after shutdown
Dmitry Belyavskiy [Wed, 5 May 2021 12:29:28 +0000 (14:29 +0200)]
Avoid sending alerts after shutdown

Fixes #11388

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15159)

2 years ago  Fix NULL dereference when ENCODER does not implement IMPORT_OBJECT
Petr Gotthard [Sun, 18 Apr 2021 16:28:25 +0000 (18:28 +0200)]
Fix NULL dereference when ENCODER does not implement IMPORT_OBJECT

External ENCODER may not implement OSSL_FUNC_ENCODER_IMPORT_OBJECT,
so a check for NULL is needed.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14919)

2 years ago  evp_extra_test: Avoid potential double free of params
Tomas Mraz [Tue, 4 May 2021 13:38:48 +0000 (15:38 +0200)]
evp_extra_test: Avoid potential double free of params

Fixes #14916

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15135)

2 years ago  Clarify where dispatch functions/ids are defined
Daniel Bevenius [Wed, 5 May 2021 06:56:36 +0000 (08:56 +0200)]
Clarify where dispatch functions/ids are defined

When reading the comment for ossl_dispatch_st, it seems to indicate that
the function_id numbers are defined further down in the same file. But I
was not able to find them there; instead they are in core_dispatch.h.

This commit suggests updating the comment to point to core_dispatch.h.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15156)

2 years ago  Clarify two comments (typos) in fipsprov.c
Daniel Bevenius [Wed, 5 May 2021 03:39:56 +0000 (05:39 +0200)]
Clarify two comments (typos) in fipsprov.c

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15150)

2 years ago  Prepare for 3.0 alpha 17
Matt Caswell [Thu, 6 May 2021 12:15:11 +0000 (13:15 +0100)]
Prepare for 3.0 alpha 17

Reviewed-by: Tomas Mraz <tomas@openssl.org>

2 years ago  Prepare for release of 3.0 alpha 16  openssl-3.0.0-alpha16
Matt Caswell [Thu, 6 May 2021 12:15:03 +0000 (13:15 +0100)]
Prepare for release of 3.0 alpha 16

Reviewed-by: Tomas Mraz <tomas@openssl.org>

2 years ago  Update copyright year
Matt Caswell [Thu, 6 May 2021 12:03:23 +0000 (13:03 +0100)]
Update copyright year

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15181)

2 years ago  Update the FIPS checksums
Matt Caswell [Thu, 6 May 2021 11:04:38 +0000 (12:04 +0100)]
Update the FIPS checksums

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15177)

2 years ago  Add some tests for -inform/keyform enforcement
Tomas Mraz [Mon, 3 May 2021 12:40:06 +0000 (14:40 +0200)]
Add some tests for -inform/keyform enforcement

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15100)

2 years ago  Document the behavior of the -inform and related options
Tomas Mraz [Mon, 3 May 2021 12:15:26 +0000 (14:15 +0200)]
Document the behavior of the -inform and related options

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15100)

2 years ago  provider-storemgmt: Document the input-type and properties parameters.
Tomas Mraz [Mon, 3 May 2021 12:14:54 +0000 (14:14 +0200)]
provider-storemgmt: Document the input-type and properties parameters.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15100)

2 years ago  Update gost-engine to make it compatible with the added params
Tomas Mraz [Mon, 3 May 2021 06:45:52 +0000 (08:45 +0200)]
Update gost-engine to make it compatible with the added params

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15100)

2 years ago  Make the -inform option to be respected if possible
Tomas Mraz [Fri, 30 Apr 2021 14:57:53 +0000 (16:57 +0200)]
Make the -inform option to be respected if possible

Add OSSL_STORE_PARAM_INPUT_TYPE and make it possible to set it
when OSSL_STORE_open_ex() or OSSL_STORE_attach() is called.

The input type format is enforced only in case the file
type file store is used.

By default we use FORMAT_UNDEF meaning the input type
is not enforced.

Fixes #14569

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15100)

2 years ago  try to document changes in salt handling for the 'enc' command
EasySec [Mon, 3 May 2021 22:24:24 +0000 (00:24 +0200)]
try to document changes in salt handling for the 'enc' command

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4486)

2 years ago  change salt handling, way 1
EasySec [Sat, 30 Dec 2017 15:19:47 +0000 (16:19 +0100)]
change salt handling, way 1

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4486)

2 years ago  coverity: fix 1478169: dereference after NULL check
Pauli [Mon, 3 May 2021 22:23:10 +0000 (08:23 +1000)]
coverity: fix 1478169: dereference after NULL check

The code path shouldn't occur in our code but could in an application.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15128)

2 years ago  Remove all trace of FIPS_mode functions
Rich Salz [Tue, 4 May 2021 16:05:54 +0000 (12:05 -0400)]
Remove all trace of FIPS_mode functions

Removed error codes, and the mention of the functions.
This removal is already documented in the CHANGES doc.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15140)

2 years ago  Deprecate X509{,_CRL}_http_nbio() and simplify their definition
Dr. David von Oheimb [Tue, 4 May 2021 06:05:44 +0000 (08:05 +0200)]
Deprecate X509{,_CRL}_http_nbio() and simplify their definition

This is done by making use of OCSP_REQ_CTX_nbio_d2i().

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15131)

2 years ago  APPS: Replace 'OPT_ERR = -1, OPT_EOF = 0, OPT_HELP' by OPT_COMMON macro
Dr. David von Oheimb [Sat, 1 May 2021 13:29:00 +0000 (15:29 +0200)]
APPS: Replace 'OPT_ERR = -1, OPT_EOF = 0, OPT_HELP' by OPT_COMMON macro

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15111)

2 years ago  APPS: Slightly extend and improve documentation of the opt_ API
Dr. David von Oheimb [Sat, 1 May 2021 12:35:21 +0000 (14:35 +0200)]
APPS: Slightly extend and improve documentation of the opt_ API

Also remove redundant opt_name() and make names of opt_{i,u}ntmax() consistent.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15111)

2 years ago  adapt tests to SSL_OP_LEGACY_SERVER_CONNECT change
Benjamin Kaduk [Mon, 3 May 2021 20:23:53 +0000 (13:23 -0700)]
adapt tests to SSL_OP_LEGACY_SERVER_CONNECT change

The "bad DTLS" tests run into trouble due to the special behavior
for that "bad" version, and the SSL record tests need to set the
-legacy_server_connect flag to allow an SSLv2 ClientHello to work
against any TLS server (since SSLv2 ClientHello messages cannot
carry extensions as would be needed in order to negotiate the use
of the renegotiation_info extension).

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15127)

2 years ago  Correct ssl_conf logic for "legacy_server_connect"
Benjamin Kaduk [Mon, 3 May 2021 20:43:55 +0000 (13:43 -0700)]
Correct ssl_conf logic for "legacy_server_connect"

This option is only useful for the client, but it was previously
marked as only being applicable for servers.

Correct the entry to properly mark it as client-only, and update the
s_server/s_client manuals accordingly.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15127)