Enable PKEY MAC bridge signature algs to take ctx params

The underlying MAC implementations may take ctx params. Therefore we allow
the bridge to pass these through.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12732)

Make ssl3_cbc_digest_record() use the real data_size

Previously we passed it the data plus mac size. Now we just pass it the
data size. We already know the mac size.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12732)

Start using the provider side TLS HMAC implementation

This commit just moves the TLS1 and above implementation to use the TLS
HMAC implementation in the providers.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12732)

Add an HMAC implementation that is TLS aware

The TLS HMAC implementation should take care to calculate the MAC in
constant time in the case of MAC-Then-Encrypt where we have a variable
amount of padding.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12732)

Avoid AIX compiler issue by making the macro argument names not match any substring

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12767)

Fix typo in FIPS_MODULE endif macro comment

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12755)

Fix post-condition in algorithm_do_this

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/12760)

Fix use of OPENSSL_realloc in provider

Fix OPENSSL_realloc failure case; `provider->operation_bits` memory
is lost when `OPENSSL_realloc()` returns NULL.

`operation_bits_sz` is never set to the length of the allocated array.
This means that operation_bits is always reallocated in
`ossl_provider_set_operation_bit()`, possibly shrinking the array.
In addition, it means that the `memset()` always zeros out the
whole reallocated array, not just the new part. Also, because
`operation_bits_sz` is always zero, the value of `*result` in
`ossl_provider_test_operation_bit()` will always be zero.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/12760)

apps/cmp.c: Clean up loading of certificates and CRLs

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12751)

Avoid uninitialised variable warning for jobs

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12762)

Add -verbosity option to apps/cmp.c and add log output also in crypto/cmp

* In the cmp app so far the -verbosity option had been missing.
* Extend log output helpful for debugging CMP applications
  in setup_ssl_ctx() of the cmp app, ossl_cmp_msg_add_extraCerts(),
  OSSL_CMP_validate_msg(), and OSSL_CMP_MSG_http_perform().
* Correct suppression of log output with insufficient severity.
* Add logging/severity level OSSL_CMP_LOG_TRACE = OSSL_CMP_LOG_MAX.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12739)

also zero pad DHE public key in ClientKeyExchange message for interop

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12331)

Use global 'libctx' with RAND_bytes_ex to generate sendfile temp data.

While here, check for failure from RAND_bytes_ex as well.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12111)

Fix two issues with AES-CCM KTLS tests.

- Apply the cipher list to the server context as well as the client
  context.  The tests still worked for AES-GCM cipher suites as those
  are in the default list of ciphers.  AES-CCM cipher suites are not
  in the default list and require the cipher list to be set.

- Use the correct cipher name for AES-CCM.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12111)

Skip tests using KTLS RX for TLS 1.3.

KTLS RX is not yet supported for TLS 1.3.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12111)

Skip tests using KTLS RX if KTLS RX is not supported.

This skips tests using KTLS RX when run on systems that only support
KTLS TX.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12111)

Refactor the KTLS tests to minimize code duplication.

Use the low 4 bits of the test number directly as flags for which of
the connection sides should use KTLS or not for each test instead of
having 16 nearly identical functions to do the same thing.

This makes it easier to skip tests that aren't supported (e.g. KTLS RX
on TLS 1.3).

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12111)

Move KTLS inline functions only used by libssl into ssl/ktls.c.

These functions are a bit large to inline and are not usable outside
of libssl.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12111)

Support for KTLS TX on FreeBSD for TLS 1.3.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12111)

Don't check errno if ktls_read_record() returned 0.

errno is only valid if ktls_read_record() fails with a negative return
value.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12111)

Add support for KTLS receive for TLS 1.1-1.2 on FreeBSD.

Similar to KTLS receive for Linux, KTLS receive for FreeBSD is enabled
by passing a session key to the kernel via a new socket option.  Once
KTLS receive is enabled on a socket, the socket returns records via
recvmsg().  A control message attached to each record supplies the
original TLS header, and the decrypted plaintext is returned in the
data buffer passed to recvmsg().

To support the case that the userland buffer may already contain
pending encrypted records (which is already handled by Linux's KTLS
receive), the socket option structure for FreeBSD has been extended to
include the initial sequence number.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12111)

Add helper functions for FreeBSD KTLS.

These are similar to the helpers added in 95badfeb60.  I've adjusted
the arguments passed to ktls_check_supported_cipher and
ktls_configure_crypto so that FreeBSD and Linux can both use the same
signature to avoid OS-specific #ifdef's in libssl.  This also required
moving the check on valid TLS versions into
ktls_check_supported_cipher for Linux.  This has largely removed
OS-specific code and OS-specific #ifdef's for KTLS outside of
<internal/ktls.h>.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12111)

Add a ktls_crypto_info_t typedef.

This type is defined to hold the OS-specific structure passed to
BIO_set_ktls.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12111)

Update test data for DSA public key text

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12688)

Add the correct enum value for DSA public key serialization

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12688)

Fix ECX serializer import calls to use correct selection flags.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12698)

Fix RSA serializer import calls to use correct selection flags.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12698)

Fix DSA serializer import calls to use correct selection flags.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12698)

Fix DH serializer import calls to use correct selection flags.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12698)

Fix PKCS#7 so that it still works with non fetchable cipher algorithms.

Fixes #12697

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12740)

Fix PKCS#7 so that it still works with non fetchable digest algorithms.

Fixes #12684
Partially fixes #12697

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12740)

Check whether we have MD5-SHA1 and whether we need it

If we don't have MD5-SHA1 then we must be use (D)TLSv1.2 or above. We
check that this is consistent with the way we've been configured. We also
ensure that we never attempt to negotiate <(D)TLSv1.2 if MD5-SHA1 is not
available.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12733)

Improve some error messages if a digest is not available

If a digest is not available we just get an "internal error" error
message - which isn't very helpful for diagnosing problems. Instead we
explicitly state that we couldn't find a suitable digest.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12733)

Include "legacy" in the name of the various MAC bridge functions

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12637)

Add some documentation about the EVP_PKEY MAC interface

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12637)

Improve code reuse in the provider MAC bridge

We reuse concepts such as PROV_CIPHER, and make use of some common code
in provider_util.c

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12637)

Document the EVP_PKEY_new_CMAC_key_with_libctx() function

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12637)

Extend test_CMAC_keygen in evp_extra_test

The test only setup the generation of a key. It did not complete that
generation. We extend the test to complete the generation and to use the
generated key. We also compare the result with a key generated in a
different way.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12637)

Delete unused PKEY MAC files

Now that the all the legacy PKEY MAC bridge code has been moved to the
providers we no longer need the old bridge and it can be removed.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12637)

Extend the provider MAC bridge for CMAC

The previous commits added support for HMAC, SIPHASH and Poly1305 into
the provider MAC bridge. We now extend that for CMAC too.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12637)

Extend the provider MAC bridge for Poly1305

The previous commits added support for HMAC and SIPHASH into the provider
MAC bridge. We now extend that for Poly1305 too.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12637)

Don't require a default digest from signature algorithms

Some signature algorithms don't need a default digest, so don't fail if
we don't have one.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12637)

Extend the provider MAC bridge for SIPHASH

The previous commits added support for HMAC into the provider MAC bridge.
We now extend that for SIPHASH too.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12637)

Ensure libssl creates libctx aware MAC keys

Convert various mac key creation function calls to use the _with_libctx
variants.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12637)

Fix some EVP_MD_CTX_* functions

Fixes some issues with EVP_MD_CTX_* functions when doing EVP_DigestSign*
and EVP_DigestVerify* functions.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12637)

Convert EVP_PKEY_CTX_set_mac_key() into a function

Previously it was a macro. We now make it into a function that is params
aware.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12637)

Fix evp_extra_test to not assume that HMAC is legacy

evp_extra_test had a test that checks whether an EVP_PKEY_CTX can still
be created for HMAC even though there are no providers loaded because it
is a legacy algorithm. However after the earlier commits this is no longer
the case. We swap the check to a different legacy algorithm (SM2).
Hopefully before too long there will be no legacy algorithms left and the
test can be deleted.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12637)

Make the provider side EVP PKEY MAC bridge available in default and fips

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12637)

Implement signature functions for EVP_PKEY MAC to EVP_MAC provider bridge

Some MAC implementations were available before the current EVP_MAC API. They
were used via EVP_DigestSign*. There exists a bridge between the oldAPI and
the EVP_MAC API however this bridge itself uses a legacy EVP_PKEY_METHOD.
This commit implements the signature functions for the provider side bridge
without having to use any legacy code.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12637)

Implement key management for the EVP_PKEY MAC to EVP_MAC provider bridge

Some MAC implementations were available before the current EVP_MAC API. They
were used via EVP_DigestSign*. There exists a bridge between the old API and
the EVP_MAC API however this bridge itself uses a legacy EVP_PKEY_METHOD.
This commit implements the key management for provider side bridge without
having to useany legacy code.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12637)

TEST: Adapt some tests for a stricter PEM_write_bio_PrivateKey_traditional()

- test/endecode_test.c

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12728)

Fix PEM_write_bio_PrivateKey_traditional() to not output PKCS#8

PEM_write_bio_PrivateKey_traditional() uses i2d_PrivateKey() to do the
actual encoding to DER.  However, i2d_PrivateKey() is a generic
function that will do what it can to produce output according to what
the associated EVP_PKEY_ASN1_METHOD offers.  If that method offers a
function 'old_priv_encode', which is expected to produce the
"traditional" encoded form, then i2d_PrivateKey() uses that.  If not,
i2d_PrivateKey() will go on and used more modern methods, which are
all expected to produce PKCS#8.

To ensure that PEM_write_bio_PrivateKey_traditional() never produces
more modern encoded forms, an extra check that 'old_priv_encode' is
non-NULL is added.  If it is NULL, an error is returned.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12728)

Correct description of BN_mask_bits

CLA: trivial

Correct right shift to left shift.
Pseudo code `a&=~((~0)>>n)` means "get higher n-bits of a", but actually crypto lib gives lower n-bits.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12727)

conf: add diagnostic option

Add an option to configuration files "config_diagnostics" that when set to a
non-zero value, overrides the error ignoring flags.  The outcome is that
diagnostic option is produced when e.g. sections are missing.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12663)

provider_conf: report missing section on error

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12663)

Ignore vendor name in Clang version number.

For example, FreeBSD prepends "FreeBSD" to version string, e.g.,

FreeBSD clang version 11.0.0 (git@github.com:llvm/llvm-project.git llvmorg-11.0.0-rc2-0-g414f32a9e86)
Target: x86_64-unknown-freebsd13.0
Thread model: posix
InstalledDir: /usr/bin

This prevented us from properly detecting AVX support, etc.

CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/12725)

rand: instantiate the DRBGs upon first use.

Fixes #12714

[skip ci]

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/12717)

rand: add a note about a potentially misleading code analyzer warning.

When seeding from a parent DRBG, the pointer to the child is used as
additional data.  This triggers static code analysers.  Rearrange and
expand the comments to make this more obvious.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/12724)

apps/pkcs12.c: Add -untrusted option

Also improve EE cert selection, user guidance, and documentation.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12643)

X509_add_certs(): Add to doc some warning notes on memory management

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12643)

Add OCSP_PARTIAL_CHAIN to OCSP_basic_verify()

This adds a flag, OCSP_PARTIAL_CHAIN, to the OCSP_basic_verify()
function.  This is equivlent to X509_V_FLAG_PARTIAL_CHAIN, in that
if any certificate in the OCSP response is in the trust store, then
trust it.

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12666)

apps: -msg flag enhancement 2/2

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12310)

apps: -msg flag enhancement 1/2

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12310)

EVP: NULL pctx pointer after free.

Not doing so can result in a double free.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12718)

Replace hierogliphs with stub to pass tests

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9654)

Documentation for internal PUNYCODE-related functions

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9654)

EAI test script and data

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9654)

RFC 8398: documentation

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9654)

Add NID_id_on_SmtpUTF8Mailbox to table of X.509 attributes

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9654)

RFC 8398: EAI comparison

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9654)

RFC 8398: Name constraints validation

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9654)

Punycode decoding implementation

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9654)

crypto/x509/v3_utl.c: Fix IPv6 output in ipaddr_to_asc()

Fixes #12695

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/12696)

TEST: Fix CMP tests so they load keys in the current library context

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/12705)

Add CLI tests in FIPS configuration

Add positive and negative tests of CLI apps using configuration files
via environment variables to force FIPS mode.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12291)

STORE: Change all error recording to use ERR_raise() / ERR_raise_data()

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12512)

STORE: Modify to support loading with provider based loaders

This adds the needed code to make the OSSL_STORE API functions handle
provided STORE implementations.

This also modifies OSSL_STORE_attach() for have the URI, the
library context and the properties in the same order as
OSSL_STORE_open_with_libctx().

The most notable change, though, is how this creates a division of
labor between libcrypto and any storemgmt implementation that wants to
pass X.509, X.509 CRL, etc structures back to libcrypto.  Since those
structures aren't directly supported in the libcrypto <-> provider
interface (asymmetric keys being the only exception so far), we resort
to a libcrypto object callback that can handle passed data in DER form
and does its part of figuring out what the DER content actually is.

This also adds the internal x509_crl_set0_libctx(), which works just
like x509_set0_libctx(), but for X509_CRL.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12512)

DECODER: Add function to set an OSSL_PASSPHRASE_CALLBACK type callback

This makes it possible to use OSSL_DECODER in functions that are passed
a OSSL_PASSPHRASE_CALLBACK already.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12512)

OSSL_PARAM: Add string pointer getters

When some function receives an OSSL_PARAM array to pilfer for data,
and there is a string of some sort, and all the code needs is to get
the pointer to the data, rather than a copy, there is currently no
other way than to use |param->data| directly.  This is of course a
valid method, but lacks any safety check (is |param->data_type|
correct, for example?).

OSSL_PARAM_get_utf8_string_ptr() and OSSL_PARAM_get_octet_string_ptr()
helps the programmer with such things, by setting the argument pointer
to |param->data|.
Additionally, the handle the data types OSSL_PARAM_UTF8_PTR and
OSSL_PARAM_OCTET_PTR as well.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12512)

STORE: Add the base functions to support provider based loaders

This includes fixing a bug that could only be discovered when no
loaders were registered.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12512)

STORE for providers: define libcrypto <-> provider interface

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12512)

STORE: Add missing function OSSL_STORE_LOADER_set_open_with_libctx()

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12512)

CORE: Generalise internal pass phrase prompter

The pass phrase prompter that's part of OSSL_ENCODER and OSSL_DECODER
is really a passphrase callback bridge between the diverse forms of
prompters that exist within OpenSSL: pem_password_cb, ui_method and
OSSL_PASSPHRASE_CALLBACK.

This can be generalised, to be re-used by other parts of OpenSSL, and
to thereby allow the users to specify whatever form of pass phrase
callback they need, while being able to pass that on to other APIs
that are called internally, in the form that those APIs demand.

Additionally, we throw in the possibility to cache pass phrases during
a "session" (we leave it to each API to define what a "session" is).
This is useful for any API that implements discovery and therefore may
need to get the same password more than once, such as OSSL_DECODER and
OSSL_STORE.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12512)

CORE: Define provider-native abstract objects

This is placed as CORE because the core of libcrypto is the authority
for what is possible to do and what's required to make these abstract
objects work.

In essence, an abstract object is an OSSL_PARAM array with well
defined parameter keys and values:

-   an object type, which is a number indicating what kind of
    libcrypto structure the object in question can be used with.  The
    currently possible numbers are defined in <openssl/core_object.h>.
-   an object data type, which is a string that indicates more closely
    what the contents of the object are.
-   the object data, an octet string.  The exact encoding used depends
    on the context in which it's used.  For example, the decoder
    sub-system accepts any encoding, as long as there is a decoder
    implementation that takes that as input.  If central code is to
    handle the data directly, DER encoding is assumed. (*)
-   an object reference, also an octet string.  This octet string is
    not the object contents, just a mere reference to a provider-native
    object. (**)
-   an object description, which is a human readable text string that
    can be displayed if some software desires to do so.

The intent is that certain provider-native operations (called X
here) are able to return any sort of object that belong with other
operations, or an object that has no provider support otherwise.

(*) A future extension might be to be able to specify encoding.

(**) The possible mechanisms for dealing with object references are:

-   An object loading function in the target operation.  The exact
    target operation is determined by the object type (for example,
    OSSL_OBJECT_PKEY implies that the target operation is a KEYMGMT)
    and the implementation to be fetched by its object data type (for
    an OSSL_OBJECT_PKEY, that's the KEYMGMT keytype to be fetched).
    This loading function is only useful for this if the implementations
    that are involved (X and KEYMGMT, for example) are from the same
    provider.

-   An object exporter function in the operation X implementation.
    That exporter function can be used to export the object data in
    OSSL_PARAM form that can be imported by a target operation's
    import function.  This can be used when it's not possible to fetch
    the target operation implementation from the same provider.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12512)

Fix coverity CID #1452770 - Dereference before NULL check in CRYPTO_siv128_init()

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12628)

Fix coverity CID #1452773 - Dereference before NULL check in EVP_DigestFinal_ex()

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12628)

Fix coverity CID #1452775 & #1452772- Dereference before NULL check in evp_lib.c

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12628)

Fix coverity CID #1454638 - Dereference after NULL check in EVP_MD_CTX_gettable_params()

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12628)

Fix coverity CID #1455335 - Dereference after NULL check in fromdata_init()

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12628)

Fix coverity CID #1458641 - Dereference before NULL check when setting ctx->flag_allow_md in rsa.c

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12628)

Fix coverity CID #1458644 - Negative return passed to function taking size_t in ecdh_cms_set_shared_info()

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12628)

Fix coverity CID #1458645 - Dereference before NULL check in rsa_digest_verify_final()

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12628)

Fix coverity CID #1458647 - Use after free in clean_tbuf() which uses ctx->rsa

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12628)

Fix coverity CID #1458648 - Wrong sizeof() arg in rsa_freectx()

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12628)

Fix coverity CID #1465525 - NULL pointer dereference in OSSL_DECODER_CTX_new_by_EVP_PKEY()

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12628)

Fix coverity CID #1465531 - Negative return passed to a function param using size_t in asn1_item_digest_with_libctx()

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12628)

Fix coverity CID #1465790 - Dereference after NULL check in evp_test.c

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12628)

Fix coverity CID #1465794 - Uninitialized pointer read in x942_encode_otherinfo()

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12628)

Fix coverity CID #1465795 - Incorrect free deallocator used in SSL_add1_host()

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12628)

Fix coverity CID #1465797 - Negative loop bound in collect_deserializer

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12628)