Upgrading EVP_PKEYs from containing legacy keys to containing provider
side keys proved to be risky, with a number of unpleasant corner
cases, and with functions like EVP_PKEY_get0_DSA() failing
unexpectedly.

We therefore change course, and instead of upgrading legacy internal
keys to provider side internal keys, we downgrade provider side
internal keys to legacy ones.  To be able to do this, we add
|import_from| and make it a callback function designed for
evp_keymgmt_export().

This means that evp_pkey_upgrade_to_provider() is replaced with
evp_pkey_downgrade().

EVP_PKEY_copy_parameters() is the most deeply affected function of
this change.

Fixes #11366
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11375)

This function intialises an EVP_PKEY to contain a provider side internal
key.

We take the opportunity to also document the older EVP_PKEY_set_type()
and EVP_PKEY_set_type_str().
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11375)

EVP_PKEY is rather complex, even before provider side keys entered the
stage.
You could have untyped / unassigned keys (pk->type == EVP_PKEY_NONE),
keys that had been assigned a type but no data (pk->pkey.ptr == NULL),
and fully assigned keys (pk->type != EVP_PKEY_NONE && pk->pkey.ptr != NULL).

For provider side keys, the corresponding states weren't well defined,
and the code didn't quite account for all the possibilities.

We also guard most of the legacy fields in EVP_PKEY with FIPS_MODE, so
they don't exist at all in the FIPS module.

Most of all, code needs to adapt to the case where an EVP_PKEY's
|keymgmt| is non-NULL, but its |keydata| is NULL.
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11375)

We can find no reason why everyone should have to call both
EC_curve_nist2nid() and ec_curve_name2nid() to find the NID for a
name, and it's too easy to forget EC_curve_nist2nid(), so we make life
simpler.

One could argue that FIPS only allows a limited set of names, but that
now gets handled internally, and those who really want to be really
sure to only get the NIST names can still do so with EC_curve_nist2nid()
Reviewed-by: NShane Lontis <shane.lontis@oracle.com>
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11391)

Certificate Management Protocol (CMP, RFC 4210) extension to OpenSSL
Also includes CRMF (RFC 4211) and HTTP transfer (RFC 6712).
Adds the CMP and CRMF API to libcrypto and the "cmp" app to the CLI.
Adds extensive documentation and tests.
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11300)

Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11300)

Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11300)

Issuer Sign Tool (1.2.643.100.112) The name of the tool used to signs the subject (ASN1_SEQUENCE)
This extention is required to obtain the status of a qualified certificate at Russian Federation.
RFC-style description is available here: https://tools.ietf.org/html/draft-deremin-rfc4491-bis-04#section-5
Russian Federal Law 63 "Digital Sign" is available here:  http://www.consultant.ru/document/cons_doc_LAW_112701/Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: NDmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11216)

EVP_PKEY_new_mac_key() was failing if the specified MAC was not available
in the default provider - even though that MAC is never actually needed
to successfully complete the function. The resulting EVP_PKEY can then
be used in some non-default libctx which *does* have the MAC loaded.
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11360)

On Unix, a caught signal that exits the process does so with an exit
code that is 'signal | 128'.  This modifies util/wrap.pl to mimic
that.
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11379)

CLA: trivial
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NBen Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/11372)

We use AES-256-CBC to encrypt stateless session tickets. We should
ensure that the implementation is fetched from the appropriate provider.
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11356)

We use the SHA256 digest of the ticket as a "fake" session id. We should
ensure that the SHA256 implementation is fetched from the appropriate
provider.
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11356)

Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11357)

When constructing an RSA ClientKeyExchange make sure we construct our
EVP_PKEY_CTX using the correct libctx and properties
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11357)

Merge the NOTES section into the relevant parts of the manpage.
Add the $EXTRA parameter in consistent places (the end) to call
commands.  Document that multiple -extra-XXX might be needed.
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: NDmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11338)

Even though an application callS the new EVP_DigestSignInit_ex()
function to pass an mdname by string rather than EVP_MD, we may still end
up in legacy codepaths, and therefore we need to handle either mdname or
EVP_MD, in both legacy and non-legacy codepaths.
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11353)

EVP_DigestSignInit_ex and EVP_DigestVerifyInit_ex did not provide the
capability to specify an explicit OPENSSL_CTX parameter. It is still
possible by explicitly setting an EVP_PKEY_CTX - but in most cases it
would be much simpler to just specify it in the Init call. We add the
capability to do that.
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11353)

The export-to-provider functions for DH, DSA and EC_KEY assumed that a
public key is always present, and would fail if not.  This blocks any
attempt to export a key structure with only domain parameters.

While fixing this, we also modify the selection declaration to
evp_keymgmt_import() to be more adaptive, the diverse selection bits
are now added when the corresponding data is added to the OSSL_PARAM
array.
Reviewed-by: NShane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11374)

in particular X509_NAME*, X509_STORE{,_CTX}*, and ASN1_INTEGER *,
also some result types of new functions, which does not break compatibility
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/10504)

Basically we use EXFLAG_INVALID for all kinds of out of memory and
all kinds of parse errors in x509v3_cache_extensions.

[extended tests]
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10755)

This was always a potential, we just haven't seen this need before now.
Reviewed-by: NPaul Yang <kaishen.yy@antfin.com>
(Merged from https://github.com/openssl/openssl/pull/11343)

Instead of fetching the EVP_KEYMGMT in the init for every different
operation, do it when creating the EVP_PKEY_CTX.

This allows certain control functions to be called between the
creation of the EVP_PKEY_CTX and the call of the operation's init
function.

Use case: EVP_PKEY_CTX_set1_id(), which is allowed to be called very
early with the legacy implementation, this should still be allowed
with provider implementations.
Reviewed-by: NPaul Yang <kaishen.yy@antfin.com>
(Merged from https://github.com/openssl/openssl/pull/11343)

There is NO PSK identity hint in TLSv1.3 so output a warning message
when inconsistent PSK / TLS options are mixed.
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11322)

The self tests for the fips module are triggered on startup and they need to know the
core's libctx in order to function correctly. As the provider can be autoloaded via configuration
it then needs to propagate the callers libctx down to the provider via the config load.

Note that OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, ..) is still called, but will only load the default
configuration if the OPENSSL_CONF environment variable is set.
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11240)

At various points in crypto/rsa we need to get random numbers. We should
ensure that we use the correct libctx when doing so.
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11355)

We were doing an EVP_MAC_fetch without using the correct libctx.
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11354)

EVP_MD_CTX_ctrl assumes that a digest has always been set. However in a
non-legacy EVP_DigestSign* operation this is not the case because the
digest is handled entirely by the underlying signature implementation.

This fixes one of the travis failures on the master branch.

[extended tests]
Reviewed-by: NRichard Levitte <levitte@openssl.org>
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11317)

Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11346)

Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11092)

Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11092)

Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11307)

Reviewed-by: NRichard Levitte <levitte@openssl.org>
Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11285)

Reviewed-by: NRichard Levitte <levitte@openssl.org>
Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11285)

Reviewed-by: NRichard Levitte <levitte@openssl.org>
Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11285)

- Add travis_wait to the build command
- And travis_retry to some apt-get commands.
- Use `make _tests` instead of `make test`
Reviewed-by: NRichard Levitte <levitte@openssl.org>
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: NMatthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11319)

This is largely based on the existing X25519 and X448 serializers - but
a few adjustments were necessary so that we can identify what type of key
we are using. Previously we used the keylen for this but X25519 and
ED25519 have the same keylen.
Reviewed-by: NShane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11272)

We have no need for a new set of SSL_CTXs in test_ccs_change_cipher(), so
just keep using the original ones.  Also, fix a typo in a comment.

[extended tests]
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11336)

On 32 bit operating system,size_t is defined as unsigned int,
this is the return type of strlen(), but it isn't aligned with the %ld,
when compiling, warning will be reported.
Change the type to %zu to avoid the warning.

Change-Id: I2943d0dfba88ef42892f14230242008473d6263b
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11325)

With KTLS, writes to an SSL connection store the application buffer
pointer directly in the 'buf' member instead of allocating a separate
buffer to hold the encrypted data.  As a result,
ssl3_release_write_buffer() has to avoid freeing these 'buf' pointers.

Previously, ssl3_release_write_buffer() checked for KTLS being enabled
on the write BIO to determine if a buffer should be freed.  However, a
buffer can outlive a BIO.  For example, 'openssl s_time' creates new
write BIOs when reusing sessions.  Since the new BIO did not have KTLS
enabled at the start of a connection, ssl3_release_write_buffer()
would incorrectly try to free the 'buf' pointer from the previous KTLS
connection.  To fix, track the state of 'buf' explicitly in
SSL3_BUFFER to determine if the 'buf' should be freed or simply
cleared.
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10489)