git.openssl.org Git - openssl.git/log

test/recipes/*.t: setup() doesn't play well with spaces in the argument

The argument translates into a directory name, and there are platforms
that don't allow spaces (at least not easily), which makes the test fail.
This modifies it to conform a bit better to the usual form for that arg.

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18531)

(cherry picked from commit e3ba938b584275839dda404d846abdb06a88693f)

Fix for OSSL_PARAM sample code referencing OSSL_PARAM_UTF8_PTR

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18490)

(cherry picked from commit 809526a06c1305d67a8f231ca15cd27ec800efce)

Add an extra reduction step to RSAZ mod_exp implementations

Inspired by BoringSSL fix by David Benjamin.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18510)

(cherry picked from commit 6d702cebfce3ffd9d8c0cb2af80a987d3288e7a3)

Always end BN_mod_exp_mont_consttime with normal Montgomery reduction.

This partially fixes a bug where, on x86_64, BN_mod_exp_mont_consttime
would sometimes return m, the modulus, when it should have returned
zero. Thanks to Guido Vranken for reporting it. It is only a partial fix
because the same bug also exists in the "rsaz" codepath.

The bug only affects zero outputs (with non-zero inputs), so we believe
it has no security impact on our cryptographic functions.

The fx is to delete lowercase bn_from_montgomery altogether, and have the
mont5 path use the same BN_from_montgomery ending as the non-mont5 path.
This only impacts the final step of the whole exponentiation and has no
measurable perf impact.

See the original BoringSSL commit
https://boringssl.googlesource.com/boringssl/+/13c9d5c69d04485a7a8840c12185c832026c8315
for further analysis.

Original-author: David Benjamin <davidben@google.com>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18510)

(cherry picked from commit 0ae365e1f80648f4c52aa3ac9bbc279b6192b23e)

test/ssl_old_test.c: Add check for OPENSSL_malloc

As the potential failure of the OPENSSL_malloc(),
it should be better to add the check and return
error if fails.

Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18555)

(cherry picked from commit b2feb9f0e394da6570346598837f1b01eb58c028)

Add sensitive memory clean in priv encode

Fixes #18540

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18541)

(cherry picked from commit 16249341bb64329c2542c3d1e23b97ed3c44fad3)

test/ssl_old_test.c: Add check for OPENSSL_zalloc

As the potential failure of the OPENSSL_zalloc(),
it should be better to add the check and return
error if fails.

Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18552)

(cherry picked from commit 4f4942a133bd57c4940fb1bc6ed7c8b67da4d8f0)

Fix a mem leak in evp_pkey_export_to_provider

If keymgmt is NULL, tmp_keymgmt is allocated and will not be freed.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18499)

(cherry picked from commit 115eb945acd9a27bf81c6c8923f43768f9e487a8)

Fix a crash in X509v3_asid_subset()

If the asnum or rdi fields are NULL and the ASIdentifiers are otherwise
subsets then this will result in a crash. Of note is that rdi will usually
be NULL.

Reported by Theo Buehler (@botovq)

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18514)

(cherry picked from commit 01fc9b6bce82f0534d6673659a0e59a71f57ee82)

providers/implementations/exchange/kdf_exch.c: Fix kdf_derive()

kdf_derive() calls EVP_KDF_derive(), but didn't do enough to adapt its input
buffer length arguments to fit the requirements to call EVP_KDF_derive().

Fixes #18517

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18533)

test/evp_test.c: Check too big output buffer sizes in PKEYKDF tests

EVP_PKEY_derive() should be able to cope with a too big buffer for fixed
size outputs. However, we don't test that.

This change modifies the PKEYKDF tests to ask EVP_PKEY_derive() what the
desired output buffer size is, and as long as the returned value isn't
absurd (indicating that anything goes), the output buffer is made to be
twice as big as what is expected.

Tests #18517

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18533)

Fix the export routines to not return success if param alloc failed

We fix the dsa, dh, ec and rsa export routines so that they are
consistent with each other and do not report success if the allocation
of parameters failed.

This is essentially the same fix as applied in #18483 but applied to all
relevant key types.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18507)

(cherry picked from commit 46c1c2d7fa9153da4eb5e1aefd7b0139dc507c00)

test_pkey_check: Positive testcase for private key with unknown parameters

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18099)

(cherry picked from commit 08e0aad293f1c283dccf7e9065ec28af5e143304)

ossl_dh_check_priv_key: Do not fail on private keys without q

Fixes #18098

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18099)

(cherry picked from commit 0615cedecda7ed18300db48b0bb56cec6d3527bd)

Testcase for regression by PPC64 fixed length montgomery multiplication

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18512)

(cherry picked from commit 14f95126c098358c434d59835834f9f0be7ea498)

Revert "bn: Add fixed length (n=6), unrolled PPC Montgomery Multiplication"

This reverts commit 0d40ca47bd86e74a95c3a2f5fb6c67cdbee93c79.

It was found that the computation produces incorrect results in some
cases.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18512)

(cherry picked from commit 712d9cc90e355b2c98a959d4e9398610d2269c9e)

Avoid reusing the init_lock for a different purpose

Otherwise we might cause a recursive locking.

Fixes #18535

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18545)

(cherry picked from commit e9a806b2c265da3a4ca472acb4a4286d9c1b5c9d)

RSA keygen update: Raise an error if no prime candidate q is found.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18429)

(cherry picked from commit d2399d8cd29f56e6614f0b3db4e7e563a745902a)

RSA Keygen update - When using the default provider fallback to default multiprime keygen if e is < 65537

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18429)

(cherry picked from commit 27c1cfd7653b7204af3301f93ccd2a3decfc309b)

RSA keygen fixes

Fixes #18321

Increase the iteration factor used when 'Computing a Probable Prime Factor Based on Auxiliary Primes' from 5 to 20.
This matches the algorithm update made in FIPS 186-5.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18429)

(cherry picked from commit ad7e0fd550a9eb2946edf38003ebc6d5b988dac7)

Include the modules directory in openssl.pc

Affected file: Configurations/unix-Makefile.tmpl

Fixes #18516

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18520)

sm2_dupctx: Avoid potential use after free of the md

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18494)

(cherry picked from commit 926c698c6f0a197e0322d4617db0ecd0d40f6e06)

Check return of BIO_new() and always free pkey from evp_pkey_copy_downgraded()

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18494)

(cherry picked from commit d8732803c493cba7a863c5c16da62ee9d611c5ca)

add_provider_groups: Clean up algorithm pointer on failure

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18494)

(cherry picked from commit a7863f994955c45fb7ce29e30b81a6206994c3dd)

parse_unquoted: Check returned value from ossl_property_value()

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18494)

(cherry picked from commit f91568eb50e847d0db2441fd9b9c5ffc8c4fe934)

Fix a use after free in error handling of hmac_dup

dst->digest needs to be zeroized in case HMAC_CTX_copy
or ossl_prov_digest_copy return failure.

Fixes #18493

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18502)

(cherry picked from commit cec1699f1f54ba8b87f055776dc77b48dd37d5fa)

Assert that a property definition cache entry is the first

When adding a property definition cache entry for a given property query
string we add an assert that we are not replacing an existing entry. If we
are then that indicates a bug in the caller.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18458)

(cherry picked from commit 5f4b3db624a83b812f23412e698ffd9c4284f87a)

Fix a memory leak in ossl_method_store_add()

If the call to ossl_prop_defn_set() fails then the OSSL_PROPERTY_LIST
we just created will leak.

Found as a result of:
https://github.com/openssl/openssl/pull/18355#issuecomment-1139499881

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18458)

(cherry picked from commit fed8dbea27b7e01ee934951b25c6ffd40ad1d5c3)

Update SIV mode documentation

Fixes #18440

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18485)

(cherry picked from commit 9cef2a70b151b6a92eb1770ceb5fa90331305934)

Don't report success from ec_export if OSSL_PARAM_BLD_to_param failed

If the call to OSSL_PARAM_BLD_to_param() failed then ec_export was
reporting success, even though it has never called the param_cb.

Found due to:
https://github.com/openssl/openssl/pull/18355#issuecomment-1145993650

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18483)

(cherry picked from commit 7d6aad832b4cebb181c53ab80a3f61dc8549be08)

Fix a mem leak in evp_pkey_copy_downgraded()

If we get a failure during evp_pkey_copy_downgraded() and on entry *dest
was NULL then we leak the EVP_PKEY that was automatically allocated and
stored in *dest.

Found due to this comment:
https://github.com/openssl/openssl/pull/18355#issuecomment-1145028315

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18470)

Check return value of ossl_parse_property()

Also check if we have d2i_public_key() function pointer.

Fixes https://github.com/openssl/openssl/pull/18355#issuecomment-1144893289

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18462)

(cherry picked from commit 4fa5ed5ce5c345eaeaec8b86eda265add467f941)

CONF_modules_unload should fail if CONF_modules_finish fails

The module_list_lock is used by CONF_modules_unload(). That function relies
on the RUN_ONCE in CONF_modules_finish() to initialise that lock. However
if the RUN_ONCE fails that failure is not propagated to
CONF_modules_unload() and so it erroneously tries to use the lock anyway.

Found due to:
https://github.com/openssl/openssl/pull/18355#issuecomment-1144734604

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18460)

(cherry picked from commit 697d0b5ba146c232f5b2aa87f4e847a5495c1735)

Fix inadvertent NULL assignments in ternary ops

As identified by both clang with a warning and
$> git grep -P '(?<![!=])= NULL \?'

Signed-off-by: Clemens Lang <cllang@redhat.com>
CLA: trivial

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18469)

(cherry picked from commit 1a01e5c29dfaf09af3960b4c8e6ec0f8171eda80)

Update further expiring certificates that affect tests

Namely the smime certificates used in test_cms and the
SM2 certificates will expire soon and affect tests.

Fixes #15179

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18467)

(cherry picked from commit 5d219937d067a761fb871483369a6020c60a3cb8)

Change the SCT issuer key to RSA 2048

This avoids the need to use SECLEVEL=1 in 12-ct.cnf.in.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18450)

(cherry picked from commit 479b9adb88b9050186c1e9fc94879906f378b14b)

Fix strict client chain check with TLS-1.3

When TLS-1.3 is used and the server does not send any CA names
the ca_dn will be NULL. sk_X509_NAME_num() returns -1 on null
argument.

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17986)

(cherry picked from commit 89dd85430770d39cbfb15eb586c921958ca7687f)

Add VERSIONINFO resource to legacy provider if it is not builtin

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18416)

(cherry picked from commit 9510661400470d357c74c5c4d0ff01c7b813b974)

Add Windows VERSIONINFO resource to fips provider dll.

Fixes #18388

This just looks like an omission, as this is added to libcrypto and libssl

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18416)

(cherry picked from commit 18f0870d39eb055c8c67af8025fd1b9e01ce6a43)

Fix the checks of BIO_get_cipher_status

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18424)

(cherry picked from commit 48b571fe771f283d547ca2a5999ce5dd9a5509d0)

Fix the checks of EVP_PKEY_param_check

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18424)

(cherry picked from commit e85bef981c037a6ebc0ca39f61c11bd79ed89fb3)

Fix the checks of UI_add_input_string

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18424)

(cherry picked from commit 5755c11fd6e50028946e6e17c835afcd56995699)

Fix the checks of EVP_PKEY_private_check

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18424)

(cherry picked from commit babc818c3f669214fa192229003953e3dead1926)

Fix the checks of EVP_PKEY_public_check

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18424)

(cherry picked from commit bba14c6e28e9519b2d40fc5c551893996f2db246)

Fix the checks of EVP_PKEY_pairwise_check

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18424)

(cherry picked from commit d016758706d0a7a104ff09db94448aeec1b38193)

Fix the checks of EVP_PKEY_check

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18424)

(cherry picked from commit 92d0d7ea9be40909ee79fb8861641a61eead2431)

Fix the checks of RAND_bytes

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18424)

(cherry picked from commit c2f7614fb7b93fe3792068077ff01384f42f39bc)

CTLOG_new_ex: Fix copy&paste error when setting propq

Fixes #18431

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18432)

(cherry picked from commit 163bf682fd93971d07e66e3da339c229b86dc849)

Fix possible null pointer dereference of evp_pkey_get_legacy()

evp_pkey_get_legacy() will return NULL on failure, however several
uses of it or its wrappers does not check the return value of
evp_pkey_get_legacy(), which could lead to NULL pointer dereference.

Fix those possible bugs by adding NULL checking.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17967)

(cherry picked from commit b9a86d5dd8b5bd33be42390bcbb5121fe0ae71a1)

Don't call ossl_provider_free() without first setting refcnt

The function ossl_provider_free() decrements the refcnt of the
provider and frees it if it has reached 0. This only works if the
refcnt has already been initialised. We must only call
ossl_provider_free() after this initialisation - otherwise it will fail
to free the provider correctly.

Addresses the issue mentioned here:
https://github.com/openssl/openssl/pull/18355#issuecomment-1138741857

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18417)

(cherry picked from commit c4ed6f6f0ee700e0473def049659061dd52fd3fc)

Fix a memory leak is ossl_provider_doall_activated

If the callback fails then we don't correctly free providers that were
already in our stack and that we up-refed earlier.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18413)

(cherry picked from commit b4be10dfcd370960cecfda9773e1bfcc568a7390)

Fix another decoder mem leak on an error path

If pushing the decoder onto a stack fails then we should free the ref
we just created.

Found due to the error report here:
https://github.com/openssl/openssl/pull/18355#issuecomment-1138205688

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18411)

(cherry picked from commit da3193976380b8bd697a472025ff9f384cbca7af)

Fix a decoder mem leak on an error path

If an error condition occurs then the the decoder that was up-refed in
ossl_decoder_instance_new can be leaked.

Found due to the error report here:
https://github.com/openssl/openssl/pull/18355#issuecomment-1138205688

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/18410)

(cherry picked from commit 9ec9b968f93e4a8e7c90eb1e717f0d7cd4ab722d)

threadstest: Add missing framework for multithread tests

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18451)

Fix the checks of EVP_PKEY_CTX_set/get_* functions

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18399)

(cherry picked from commit 2cba2e160d5b028e4a777e8038744a8bc4280629)

Fix the check of evp_pkey_ctx_set_params_strict

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18399)

(cherry picked from commit 00d5193b688019a85d1bd0196f2837a4476394bb)

Fix the checks of EVP_PKEY_CTX_get/set_rsa_pss_saltlen

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18399)

(cherry picked from commit 7263a7fc3d0c0c17616c2e5309e0fd52ed654ecc)

Fix the erroneous checks of EVP_PKEY_CTX_set_group_name

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18399)

(cherry picked from commit 56876ae952b96b4a83266f6b2ec1393f599015d6)

doc: Fix keymgmt functions parameters

CLA: trivial

Make OSSL_FUNC_keymgmt_import and OSSL_FUNC_keymgmt_export documentation correspond to core_dispatch.h signatures

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18423)

(cherry picked from commit 70ed3046c5f156cab45a2bb2c8e36ab5d29a45ca)

Update expired SCT issuer certificate

Fixes #15179

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18444)

(cherry picked from commit 770aea88c3888cc5cb3ebc94ffcef706c68bc1d2)

Make OSSL_LIB_CTX_load_config thread safe

Fixes #18226.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18331)

(cherry picked from commit ef7a9b44f04ef18b652cb47cd9eb3826301cca9e)

changes: add note saying the locale based strcasecmp has been replaced

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/18390)

Check that UnsafeLegacyServerConnect option exists

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/18296)

(cherry picked from commit abe90105ba0908d5a2f500997f2bf2fceb263acd)

The -no_legacy_server_connect option applies to client

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/18296)

(cherry picked from commit d1b3b6741380a1d7607da671b97f3fe5f54fa657)

Actually implement UnsafeLegacyServerConnect as documented

Fixes #18295

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/18296)

(cherry picked from commit 65b2bb9ca0cff5e65938dc0d9dcd71c251bd67db)

Configurations/gentemplate.pm: Generate generators too, when necessary

A generator in a `GENERATE[generated]=generator` build.info statement may
itself be generated. That needs to be taken into account.

This was always meant to be, but we missed the spot, for lack of use cases.
Now we have one.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18263)

(cherry picked from commit 42b4a8ab961e3d3be4abffe3aea458448b2e47b4)

Generate the preprocessed .s files for chacha and poly 1305 on ia64

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18263)

(cherry picked from commit db24ed54302ed458d41ad85093e4189db4b2120b)

Revert "Use .s extension for ia64 assembler"

This reverts commit 6009997abd2594d5a7c0606176f404190922b74d.

The .s extension is incorrect as the assembler files contain
preprocessor directives.

Fixes #18259

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18263)

(cherry picked from commit debd9210061206be1b5b6e957033c1b85ac540e1)

Don't include sys/select.h on HP-UX as it doesn't exist

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18395)

(cherry picked from commit 737e849fd938a943cad207cde1c711e961f92294)

Fix the check of UI_method_set_ex_data

UI_method_set_ex_data returns 0 and 1 instead of negative numbers.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18397)

(cherry picked from commit 1aef2c10f10e0685298008be596c80e148c71a51)

Fix the incorrect checks of EVP_CIPHER_CTX_rand_key

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18397)

(cherry picked from commit f15e3f3aa95df743f0da793da952f87370efb4ff)

Fix the incorrect checks of EVP_CIPHER_CTX_set_key_length

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18397)

(cherry picked from commit 8d9fec1781751d2106d899c6076eeb3da6930bfe)

Fix the defective check of EVP_PKEY_get_params

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18367)

(cherry picked from commit 7e5e91176b770a68bdaf73a5c647f1fc0d7f2900)

Fix check of dtls1_process_record

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18369)

(cherry picked from commit 639e576023aa2492ca87e1e6503c40d2e8c9a24e)

Remove include/openssl/configuration.h from mandatory dependencies

Since this file is generated by configdata.pm, there's no need to include it
among the mandatory dependencies (which end up in the `GENERATE_MANDATORY`
Makefile variable). In fact, it shouldn't be there any more, as that would
also cause it to be removed by `make clean`.

To compensate, we add an explicit removal of that file in the `distclean`
target on all platform families.

Fixes #18396

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18398)

(cherry picked from commit ef8040bce02758de86fc55412ee4ac9102f9ffab)

Fix a memory leak in crl_set_issuers

This can be reproduced with my error injection patch.

The test vector has been validated on the 1.1.1 branch
but the issue is of course identical in all branches.

$ ERROR_INJECT=1653520461 ../util/shlib_wrap.sh ./cms-test ./corpora/cms/3eff1d2f1232bd66d5635db2c3f9e7f23830dfd1
log file: cms-3eff1d2f1232bd66d5635db2c3f9e7f23830dfd1-32454-test.out
ERROR_INJECT=1653520461
    #0 0x7fd5d8b8eeba in __sanitizer_print_stack_trace ../../../../gcc-trunk/libsanitizer/asan/asan_stack.cpp:87
    #1 0x402fc4 in my_realloc fuzz/test-corpus.c:129
    #2 0x7fd5d8893c49 in sk_reserve crypto/stack/stack.c:198
    #3 0x7fd5d8893c49 in OPENSSL_sk_insert crypto/stack/stack.c:242
    #4 0x7fd5d88d6d7f in sk_GENERAL_NAMES_push include/openssl/x509v3.h:168
    #5 0x7fd5d88d6d7f in crl_set_issuers crypto/x509/x_crl.c:111
    #6 0x7fd5d88d6d7f in crl_cb crypto/x509/x_crl.c:246
    #7 0x7fd5d85dc032 in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:432
    #8 0x7fd5d85dcaf5 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:643
    #9 0x7fd5d85dd288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518
    #10 0x7fd5d85db2b5 in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:259
    #11 0x7fd5d85dc813 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:611
    #12 0x7fd5d85dd288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518
    #13 0x7fd5d85db9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382
    #14 0x7fd5d85dca28 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:633
    #15 0x7fd5d85dd288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518
    #16 0x7fd5d85db9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382
    #17 0x7fd5d85dcaf5 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:643
    #18 0x7fd5d85dd7d3 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:494
    #19 0x7fd5d85db9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382
    #20 0x7fd5d85ddd1f in ASN1_item_ex_d2i crypto/asn1/tasn_dec.c:124
    #21 0x7fd5d85dde35 in ASN1_item_d2i crypto/asn1/tasn_dec.c:114
    #22 0x7fd5d85a77e0 in ASN1_item_d2i_bio crypto/asn1/a_d2i_fp.c:69
    #23 0x402845 in FuzzerTestOneInput fuzz/cms.c:43
    #24 0x402bbb in testfile fuzz/test-corpus.c:182
    #25 0x402626 in main fuzz/test-corpus.c:226
    #26 0x7fd5d7c81f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #27 0x402706  (/home/ed/OPC/openssl/fuzz/cms-test+0x402706)

=================================================================
==29625==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 32 byte(s) in 1 object(s) allocated from:
    #0 0x7fd5d8b8309f in __interceptor_malloc ../../../../gcc-trunk/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x7fd5d87c2430 in CRYPTO_zalloc crypto/mem.c:230
    #2 0x7fd5d889501f in OPENSSL_sk_new_reserve crypto/stack/stack.c:209
    #3 0x7fd5d85dcbc3 in sk_ASN1_VALUE_new_null include/openssl/asn1t.h:928
    #4 0x7fd5d85dcbc3 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:577
    #5 0x7fd5d85dd288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518
    #6 0x7fd5d85db104 in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:178
    #7 0x7fd5d85ddd1f in ASN1_item_ex_d2i crypto/asn1/tasn_dec.c:124
    #8 0x7fd5d85dde35 in ASN1_item_d2i crypto/asn1/tasn_dec.c:114
    #9 0x7fd5d88f86d9 in X509V3_EXT_d2i crypto/x509v3/v3_lib.c:142
    #10 0x7fd5d88d6d3c in crl_set_issuers crypto/x509/x_crl.c:97
    #11 0x7fd5d88d6d3c in crl_cb crypto/x509/x_crl.c:246
    #12 0x7fd5d85dc032 in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:432
    #13 0x7fd5d85dcaf5 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:643
    #14 0x7fd5d85dd288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518
    #15 0x7fd5d85db2b5 in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:259
    #16 0x7fd5d85dc813 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:611
    #17 0x7fd5d85dd288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518
    #18 0x7fd5d85db9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382
    #19 0x7fd5d85dca28 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:633
    #20 0x7fd5d85dd288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518
    #21 0x7fd5d85db9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382
    #22 0x7fd5d85dcaf5 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:643
    #23 0x7fd5d85dd7d3 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:494
    #24 0x7fd5d85db9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382
    #25 0x7fd5d85ddd1f in ASN1_item_ex_d2i crypto/asn1/tasn_dec.c:124
    #26 0x7fd5d85dde35 in ASN1_item_d2i crypto/asn1/tasn_dec.c:114
    #27 0x7fd5d85a77e0 in ASN1_item_d2i_bio crypto/asn1/a_d2i_fp.c:69
    #28 0x402845 in FuzzerTestOneInput fuzz/cms.c:43
    #29 0x402bbb in testfile fuzz/test-corpus.c:182
    #30 0x402626 in main fuzz/test-corpus.c:226
    #31 0x7fd5d7c81f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

SUMMARY: AddressSanitizer: 32 byte(s) leaked in 1 allocation(s).

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18391)

(cherry picked from commit e9007e09792e3735d4973743634ff55d354fc7d8)

Update gost-engine to the last changes

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18381)

(cherry picked from commit 828613c3e44ca1de6407a37d34de64c673ca61e9)

Use safe pattern for buffer size determining in case of GOST key exchange

Related: CVE-2022-29242

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18381)

(cherry picked from commit 2b5e89992e3ada1131beebb2a22722168b9389c2)

Fix a crash in ssl_security_cert_chain

Prior to the crash there is an out of memory error
in X509_verify_cert which makes the chain NULL or
empty.  The error is ignored by ssl_add_cert_chain,
and ssl_security_cert_chain crashes due to the
unchecked null pointer.

This is reproducible with my error injection patch.

The test vector has been validated on the 1.1.1 branch
but the issue is of course identical in all branches.

$ ERROR_INJECT=1652848273 ../util/shlib_wrap.sh ./server-test ./corpora/server/47c8e933c4ec66fa3c309422283dfe0f31aafae8# ./corpora/server/47c8e933c4ec66fa3c309422283dfe0f31aafae8
    #0 0x7f3a8f766eba in __sanitizer_print_stack_trace ../../../../gcc-trunk/libsanitizer/asan/asan_stack.cpp:87
    #1 0x403ba4 in my_malloc fuzz/test-corpus.c:114
    #2 0x7f3a8f39a430 in CRYPTO_zalloc crypto/mem.c:230
    #3 0x7f3a8f46bd3b in sk_reserve crypto/stack/stack.c:180
    #4 0x7f3a8f46bd3b in OPENSSL_sk_insert crypto/stack/stack.c:242
    #5 0x7f3a8f4a4fd8 in sk_X509_push include/openssl/x509.h:99
    #6 0x7f3a8f4a4fd8 in X509_verify_cert crypto/x509/x509_vfy.c:286
    #7 0x7f3a8fed726e in ssl_add_cert_chain ssl/statem/statem_lib.c:959
    #8 0x7f3a8fed726e in ssl3_output_cert_chain ssl/statem/statem_lib.c:1015
    #9 0x7f3a8fee1c50 in tls_construct_server_certificate ssl/statem/statem_srvr.c:3812
    #10 0x7f3a8feb8b0a in write_state_machine ssl/statem/statem.c:843
    #11 0x7f3a8feb8b0a in state_machine ssl/statem/statem.c:443
    #12 0x7f3a8fe84b3f in SSL_do_handshake ssl/ssl_lib.c:3718
    #13 0x403202 in FuzzerTestOneInput fuzz/server.c:740
    #14 0x40371b in testfile fuzz/test-corpus.c:182
    #15 0x402856 in main fuzz/test-corpus.c:226
    #16 0x7f3a8e859f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #17 0x402936  (/home/ed/OPC/openssl/fuzz/server-test+0x402936)

AddressSanitizer:DEADLYSIGNAL
=================================================================
==8400==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000158 (pc 0x7f3a8f4d822f bp 0x7ffc39b76190 sp 0x7ffc39b760a0 T0)
==8400==The signal is caused by a READ memory access.
==8400==Hint: address points to the zero page.
    #0 0x7f3a8f4d822f in x509v3_cache_extensions crypto/x509v3/v3_purp.c:386
    #1 0x7f3a8f4d9d3a in X509_check_purpose crypto/x509v3/v3_purp.c:84
    #2 0x7f3a8f4da02a in X509_get_extension_flags crypto/x509v3/v3_purp.c:921
    #3 0x7f3a8feff7d2 in ssl_security_cert_sig ssl/t1_lib.c:2518
    #4 0x7f3a8feff7d2 in ssl_security_cert ssl/t1_lib.c:2542
    #5 0x7f3a8feffa03 in ssl_security_cert_chain ssl/t1_lib.c:2562
    #6 0x7f3a8fed728d in ssl_add_cert_chain ssl/statem/statem_lib.c:963
    #7 0x7f3a8fed728d in ssl3_output_cert_chain ssl/statem/statem_lib.c:1015
    #8 0x7f3a8fee1c50 in tls_construct_server_certificate ssl/statem/statem_srvr.c:3812
    #9 0x7f3a8feb8b0a in write_state_machine ssl/statem/statem.c:843
    #10 0x7f3a8feb8b0a in state_machine ssl/statem/statem.c:443
    #11 0x7f3a8fe84b3f in SSL_do_handshake ssl/ssl_lib.c:3718
    #12 0x403202 in FuzzerTestOneInput fuzz/server.c:740
    #13 0x40371b in testfile fuzz/test-corpus.c:182
    #14 0x402856 in main fuzz/test-corpus.c:226
    #15 0x7f3a8e859f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #16 0x402936  (/home/ed/OPC/openssl/fuzz/server-test+0x402936)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV crypto/x509v3/v3_purp.c:386 in x509v3_cache_extensions
==8400==ABORTING

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18376)

(cherry picked from commit dc0ef292f7df4ce0c49c64b47726a6768f9ac044)

Fix a memory leak in X509_issuer_and_serial_hash

This is reproducible with my error injection patch.

The test vector has been validated on the 1.1.1 branch
but the issue is of course identical in all branches.

$ ERROR_INJECT=1653267699 ../util/shlib_wrap.sh ./x509-test ./corpora/x509/5f4034ae85d6587dcad4da3e812e80f3d312894d
ERROR_INJECT=1653267699
    #0 0x7fd485a6ad4f in __sanitizer_print_stack_trace ../../../../src/libsanitizer/asan/asan_stack.cc:36
    #1 0x55c12d268724 in my_malloc fuzz/test-corpus.c:114
    #2 0x7fd484f51a75 in CRYPTO_zalloc crypto/mem.c:230
    #3 0x7fd484ed778d in EVP_DigestInit_ex crypto/evp/digest.c:139
    #4 0x7fd4850a9849 in X509_issuer_and_serial_hash crypto/x509/x509_cmp.c:44
    #5 0x55c12d268951 in FuzzerTestOneInput fuzz/x509.c:44
    #6 0x55c12d268239 in testfile fuzz/test-corpus.c:182
    #7 0x55c12d267c7f in main fuzz/test-corpus.c:226
    #8 0x7fd483a42082 in __libc_start_main ../csu/libc-start.c:308
    #9 0x55c12d267e5d in _start (/home/ed/OPCToolboxV5/Source/Core/OpenSSL/openssl/fuzz/x509-test+0x3e5d)

=================================================================
==1058475==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 268 byte(s) in 1 object(s) allocated from:
    #0 0x7fd485a5dc3e in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:163
    #1 0x7fd484d2eb9b in BUF_MEM_grow crypto/buffer/buffer.c:97
    #2 0x7fd4850b2913 in X509_NAME_oneline crypto/x509/x509_obj.c:43
    #3 0x7fd4850a982f in X509_issuer_and_serial_hash crypto/x509/x509_cmp.c:41
    #4 0x55c12d268951 in FuzzerTestOneInput fuzz/x509.c:44
    #5 0x55c12d268239 in testfile fuzz/test-corpus.c:182
    #6 0x55c12d267c7f in main fuzz/test-corpus.c:226
    #7 0x7fd483a42082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: 268 byte(s) leaked in 1 allocation(s).

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18371)

(cherry picked from commit b7e28c0bb1cdc07e36c7dc2467083236b931de31)

Fix undefined behaviour in EC_GROUP_new_from_ecparameters

This happens for instance with
fuzz/corpora/asn1/65cf44e85614c62f10cf3b7a7184c26293a19e4a
and causes the OPENSSL_malloc below to choke on the
zero length allocation request.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18365)

(cherry picked from commit 97de6145851922a33f7afd9c308adfc1b2e5732b)

Fix a memory leak in ec_key_simple_oct2priv

This is reproducible with my error injection patch.

The test vector has been validated on the 1.1.1 branch
but the issue is of course identical in all branches.

$ ERROR_INJECT=1652710284 ../util/shlib_wrap.sh ./server-test ./corpora/server/4e48da8aecce6b9b58e8e4dbbf0523e6d2dd56dc
140587884632000:error:03078041:bignum routines:bn_expand_internal:malloc failure:crypto/bn/bn_lib.c:282:
140587884632000:error:10103003:elliptic curve routines:ec_key_simple_oct2priv:BN lib:crypto/ec/ec_key.c:662:
140587884632000:error:100DE08E:elliptic curve routines:old_ec_priv_decode:decode error:crypto/ec/ec_ameth.c:464:
140587884632000:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1149:
140587884632000:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:309:Type=X509_ALGOR
140587884632000:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:646:Field=pkeyalg, Type=PKCS8_PRIV_KEY_INFO
140587884632000:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:crypto/pem/pem_pkey.c:88:

=================================================================
==19676==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 24 byte(s) in 1 object(s) allocated from:
    #0 0x7fdd2a6bb09f in __interceptor_malloc ../../../../gcc-trunk/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x7fdd2a2fa430 in CRYPTO_zalloc crypto/mem.c:230
    #2 0x7fdd2a15df11 in BN_new crypto/bn/bn_lib.c:246
    #3 0x7fdd2a15df88 in BN_secure_new crypto/bn/bn_lib.c:257
    #4 0x7fdd2a247390 in ec_key_simple_oct2priv crypto/ec/ec_key.c:655
    #5 0x7fdd2a241fc5 in d2i_ECPrivateKey crypto/ec/ec_asn1.c:1030
    #6 0x7fdd2a23dac5 in old_ec_priv_decode crypto/ec/ec_ameth.c:463
    #7 0x7fdd2a109db7 in d2i_PrivateKey crypto/asn1/d2i_pr.c:46
    #8 0x7fdd2a33ab16 in PEM_read_bio_PrivateKey crypto/pem/pem_pkey.c:84
    #9 0x7fdd2a3330b6 in PEM_read_bio_ECPrivateKey crypto/pem/pem_all.c:151
    #10 0x402dba in FuzzerTestOneInput fuzz/server.c:592
    #11 0x40370b in testfile fuzz/test-corpus.c:182
    #12 0x402846 in main fuzz/test-corpus.c:226
    #13 0x7fdd297b9f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

SUMMARY: AddressSanitizer: 24 byte(s) leaked in 1 allocation(s).

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18366)

(cherry picked from commit 22a96c6be41897d11a18455b2ab142422bc57f3f)

Fix check of EVP_CIPHER_CTX_ctrl

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18368)

(cherry picked from commit d649c51a5388912277dffb56d921eb720db54be1)

x86asm: Generate endbr32 based on __CET__.

The VIA Nehemiah CPU is a x86-32 CPU without SSE2 support. It does not
support multi byte nops and considers the endb32 opcode as an invalid
instruction.

Add an ifdef around the endbr32 opcode on x86-32.

Fixes: #18334
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18353)

(cherry picked from commit 272138795ffa63d5811e985f98cac94acf658dbe)

Rename x86-32 assembly files from .s to .S.

Rename x86-32 assembly files from .s to .S. While processing the .S file
gcc will use the pre-processor whic will evaluate macros and ifdef. This
is turn will be used to enable the endbr32 opcode based on the __CET__
define.

Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18353)

(cherry picked from commit 9968c77539d6f7c5b1dcf0162fd4b57c144318c7)

Drop the last ossl_init_casecmp() call

This was missed in an earlier merge that removed it.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18380)

Test the default key length of the Blowfish ciphers

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18362)

(cherry picked from commit 091e60c42c5d2a194936da7f4de3ce82527b27a3)

Fix regression in default key length for Blowfish CFB and OFB ciphers

Fixes #18359

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18362)

(cherry picked from commit 7a9e93dda58118c0fb1bade8fe915306b845325b)

Fix a crash in asn1_item_embed_new

This happens usually if an template object is created
and there is an out of memory error before the ASN1_OP_NEW_POST
method is called, but asn1_item_embed_free calls now the
ASN1_OP_FREE_POST which may crash because the object is not
properly initialized.  Apparently that is only an issue with
the ASN1_OP_FREE_POST handling of crypot/x509/x_crl.c, which
ought to be tolerant to incomplete initialized objects.

The error can be reproduced with the reproducible error injection patch:

$ ERROR_INJECT=1652890550 ../util/shlib_wrap.sh ./asn1-test ./corpora/asn1/0ff17293911f54d1538b9896563a4048d67d9ee4
    #0 0x7faae9dbeeba in __sanitizer_print_stack_trace ../../../../gcc-trunk/libsanitizer/asan/asan_stack.cpp:87
    #1 0x408dc4 in my_malloc fuzz/test-corpus.c:114
    #2 0x7faae99f2430 in CRYPTO_zalloc crypto/mem.c:230
    #3 0x7faae97f09e5 in ASN1_STRING_type_new crypto/asn1/asn1_lib.c:341
    #4 0x7faae98118f7 in asn1_primitive_new crypto/asn1/tasn_new.c:318
    #5 0x7faae9812401 in asn1_item_embed_new crypto/asn1/tasn_new.c:78
    #6 0x7faae9812401 in asn1_template_new crypto/asn1/tasn_new.c:240
    #7 0x7faae9812315 in asn1_item_embed_new crypto/asn1/tasn_new.c:137
    #8 0x7faae9812315 in asn1_template_new crypto/asn1/tasn_new.c:240
    #9 0x7faae9812a54 in asn1_item_embed_new crypto/asn1/tasn_new.c:137
    #10 0x7faae9812a54 in ASN1_item_ex_new crypto/asn1/tasn_new.c:39
    #11 0x7faae980be51 in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:325
    #12 0x7faae980c813 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:611
    #13 0x7faae980d288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518
    #14 0x7faae980b9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382
    #15 0x7faae980caf5 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:643
    #16 0x7faae980d7d3 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:494
    #17 0x7faae980b9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382
    #18 0x7faae980dd1f in ASN1_item_ex_d2i crypto/asn1/tasn_dec.c:124
    #19 0x7faae980de35 in ASN1_item_d2i crypto/asn1/tasn_dec.c:114
    #20 0x40712c in FuzzerTestOneInput fuzz/asn1.c:301
    #21 0x40893b in testfile fuzz/test-corpus.c:182
    #22 0x406b86 in main fuzz/test-corpus.c:226
    #23 0x7faae8eb1f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

AddressSanitizer:DEADLYSIGNAL
=================================================================
==1194==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7faae9b0625f bp 0x7fffffe41a00 sp 0x7fffffe41920 T0)
==1194==The signal is caused by a READ memory access.
==1194==Hint: address points to the zero page.
    #0 0x7faae9b0625f in crl_cb crypto/x509/x_crl.c:258
    #1 0x7faae9811255 in asn1_item_embed_free crypto/asn1/tasn_fre.c:113
    #2 0x7faae9812a65 in asn1_item_embed_new crypto/asn1/tasn_new.c:150
    #3 0x7faae9812a65 in ASN1_item_ex_new crypto/asn1/tasn_new.c:39
    #4 0x7faae980be51 in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:325
    #5 0x7faae980c813 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:611
    #6 0x7faae980d288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518
    #7 0x7faae980b9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382
    #8 0x7faae980caf5 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:643
    #9 0x7faae980d7d3 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:494
    #10 0x7faae980b9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382
    #11 0x7faae980dd1f in ASN1_item_ex_d2i crypto/asn1/tasn_dec.c:124
    #12 0x7faae980de35 in ASN1_item_d2i crypto/asn1/tasn_dec.c:114
    #13 0x40712c in FuzzerTestOneInput fuzz/asn1.c:301
    #14 0x40893b in testfile fuzz/test-corpus.c:182
    #15 0x406b86 in main fuzz/test-corpus.c:226
    #16 0x7faae8eb1f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV crypto/x509/x_crl.c:258 in crl_cb
==1194==ABORTING

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18360)

(cherry picked from commit 557825acd622f98fc21423aba092e374db84f483)

strcasecmp: implement strcasecmp and strncasecmp

Rather than relying on the locale code working, instead implement these
functions directly.

Fixes #18322

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18344)

(cherry picked from commit fb4cdca053fb9d3f0e11eeaf31f4b4ff87f69a95)

tolower: refine the tolower code to avoid a memory access

This improves the performance of this function and the ones that rely on it
(ossl_lh_strcasehash primarily).

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18344)

(cherry picked from commit 286053fc8f78e34828a576830ef879c021640aee)

Building: For the FIPS module checksum, keep track of configuration,h

The FIPS module checksum needs to know that configuration.h is
generated from configuration.h.in, so that information is conserved.
To make this possible, it's now possible to have attributes with the
GENERATE keyword, and the attribute "skip" is added to make a keyword
a no-op, which makes it informative only.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/16378)

(cherry picked from commit 4d02d500aac80c136e3d6582b908e0fab77bbf42)

Configuration: produce include/openssl/configuration.h when configuring

The goal is to avoid having too much of the OpenSSL source rebuilt
because include/openssl/configuration.h, or even because it was a
Makefile target that was called upon (some make implementations
consider the use of a target as an update of that target, even if it
wasn't really updated).

To resolve this, we move the production of include/openssl/configuration.h
to configdata.pm, and only update it if there were any actual changes.

Fixes #16377

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/16378)

(cherry picked from commit 2522889620446f1e56338367d1b6b028ea952bb4)

Configuration: only produce a new configdata.pm if it has changed contents

The goal is to avoid having too much of the OpenSSL source rebuilt
because configdata.pm got a new time stamp.  The conditions for
updating configdata.pm are now:

1.  its time stamp is older than Configure's, or...
2.  its contents has changed.

Fixes #16377

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/16378)

(cherry picked from commit 764cf5b26306a8712e8b3d41599c44dc5ed07a25)

mdl: Don't enforce one space after list markers

Common markdown styles usually show 4-column indents to separate the
list marker and the list item text. That's a common template for
writing new markdown files.

On the other hand, we do have some files (such as CHANGES.md) where we
use a different style.

From a markdown perspective, both are perfectly OK, and there's no
reason to enforce either.

Therefore, the best thing is to exclude this particular rule.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18297)

(cherry picked from commit 2046f80bc84deff5f3b8e3f8ffe54528bc684658)

Documentation: X509_V_ERR_CERT_CHAIN_TOO_LONG is not unused

The Error `X509_V_ERR_CERT_CHAIN_TOO_LONG` is not unused. See e.g. here:

https://github.com/openssl/openssl/blob/598bd7741568a1aae678e5472f18aae1ab991e8d/crypto/x509/x509_vfy.c#L3318-L3319

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18330)

(cherry picked from commit 0db53e9312f9648874b283124655f9772dfa1690)

Missing changes entry about OPENSSL_str[n]casecmp

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18302)

(cherry picked from commit 8b97bfcccc4328c65156bff6886db8733df39fde)

Fix KTLS with BIO_new_connect

When a socket connection is done using BIO_new_connect,
the ktls_enable is done too early, and fails with ENOTCONN.
Therefore the KLTS ioctl will fail later with ENOPROTOOPT.
Fix that by doing the ktls_enable after the connection
succeeded, not when the socket is created as that will
always fail.

One example where this happens is doit_localhost in
test/ssl_old_test.c, and therefore, contrary to the expectation
the -client_ktls option did never enable the client KTLS
connection, but this was not noticed, because there was no
diagnostic output, and it was only visible with strace output.

Also enhanced the ssl_old_test -client_ktls/-server_ktls
options together with -v option to print a summary line
if and how KTLS was negotiated in server and client.

While I am already there adjusted the usage info of
the -s_cert, -s_key commands, and allow -time to print the
timings of ktls connections.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18318)

(cherry picked from commit 598bd7741568a1aae678e5472f18aae1ab991e8d)

Fix BIO_get_ktls_send/recv to return 0 or 1 only

Fixes #18176

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/18178)

(cherry picked from commit 524bac570702a79366b85ff1f66e07d3e002370c)

Add return value check of EVP_PKEY_copy_parameters () in ssl_set_cert_and_key()

It seems the return value of EVP_PKEY_copy_parameters() in
ssl_set_cert_and_key(), and could lead to null pointer dereference in
EVP_PKEY_eq() function.

However those functions are complicated and this fix is suggested by
a static analyzer, so please advise.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18071)

(cherry picked from commit 6646e015a50e5455117c22a27032011689db710f)