Create new TLS_GROUP_ENTRY values for these groups.
Reviewed-by: NTomas Mraz <tomas@openssl.org>
Reviewed-by: NDmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/19315)

This partially reverts commit 0a10825a in order to reimplement it in a
simpler way in the next commit. The reverted aspects are all related to
the TLSv1.3 brainpool curves in the supported_groups extension. Rather
than special casing the handling of these curves we simply add new entries
to the groups table to represent them. They can then be handled without
any additional special casing. This makes the code simpler to maintain.
Reviewed-by: NTomas Mraz <tomas@openssl.org>
Reviewed-by: NDmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/19315)

In the "Stop raising ERR_R_MALLOC_FAILURE in most places" commit, some
fixes of this file weren't done quite right, leading to a symbol being
undeclared depending on building circumstances.
Reviewed-by: NTim Hudson <tjh@openssl.org>
Reviewed-by: NDmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/19360)

3.1 has been decided to be a FIPS 140-3 release, springing from the branch
openssl-3.0, and the master branch to continue with the development of
OpenSSL 3.2.
Reviewed-by: NMatthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: NTim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19350)

The way it was implemented didn't play well with perl's join(), so it's
reimplemented a bit differently.
Reviewed-by: NTim Hudson <tjh@openssl.org>
Reviewed-by: NTomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19347)

Also, remove inclusions of internal/e_os.h where it seems no longer
necessary.
Reviewed-by: NPaul Dale <pauli@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NTim Hudson <tjh@openssl.org>
Reviewed-by: NDmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/19330)

ossl_sleep() was implemented as a static inline function in internal/e_os.h,
using usleep() on Unix and Sleep() on Windows.  So far well and good.
However, it also has a fallback implementation for systems that do not have
usleep() or Sleep(), and that implementation happens to use ossl_time_now(),
which is a normal function, private to libcrypto, and is judged to be too
complex to sanely make into a static inline function.

This fallback creates a problem, because we do use ossl_sleep() in apps/ and
a few test programs in test/, and when they are linked with libcrypto in
shared library form, ossl_time_now() can't be found, since it's not publicly
exposed.

Something needs to give, and the easiest, and hopefully sanest answer is to
make ossl_sleep() a publicly exposed function, which requires a slight name
change.

Documentation and 'make update' result included.
Reviewed-by: NPaul Dale <pauli@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NTim Hudson <tjh@openssl.org>
Reviewed-by: NDmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/19330)

Reviewed-by: NTomas Mraz <tomas@openssl.org>
Reviewed-by: NHugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19217)

We also convert to passing COMP_METHOD rather than SSL_COMP to the record
layer. The former is a public type while the latter is internal only - and
the only thing we need from SSL_COMP is the method.
Reviewed-by: NTomas Mraz <tomas@openssl.org>
Reviewed-by: NHugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19217)

Reviewed-by: NTomas Mraz <tomas@openssl.org>
Reviewed-by: NHugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19217)

Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NTomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19159)

This fixes regression from commit 8e39049d. There is also no point
in setting the modified flag after just calling i2d.

Fixes #19297
Reviewed-by: NHugo Landau <hlandau@openssl.org>
Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19299)

Engines lacked the possibility to refer to themselves in this form:

    WHATEVERerr(WHATEVER_F_SOMETHING, WHATEVER_R_WHATEVER_LIB);

This little change makes that possible, and gets used in e_capi.
Reviewed-by: NTomas Mraz <tomas@openssl.org>
Reviewed-by: NHugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19301)

Since OPENSSL_malloc() and friends report ERR_R_MALLOC_FAILURE, and
at least handle the file name and line number they are called from,
there's no need to report ERR_R_MALLOC_FAILURE where they are called
directly, or when SSLfatal() and RLAYERfatal() is used, the reason
`ERR_R_MALLOC_FAILURE` is changed to `ERR_R_CRYPTO_LIB`.

There were a number of places where `ERR_R_MALLOC_FAILURE` was reported
even though it was a function from a different sub-system that was
called.  Those places are changed to report ERR_R_{lib}_LIB, where
{lib} is the name of that sub-system.
Some of them are tricky to get right, as we have a lot of functions
that belong in the ASN1 sub-system, and all the `sk_` calls or from
the CRYPTO sub-system.

Some extra adaptation was necessary where there were custom OPENSSL_malloc()
wrappers, and some bugs are fixed alongside these changes.
Reviewed-by: NTomas Mraz <tomas@openssl.org>
Reviewed-by: NHugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19301)

In other words, make it raise ERR_R_MALLOC_FAILURE appropriately.
Reviewed-by: NTomas Mraz <tomas@openssl.org>
Reviewed-by: NHugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19301)

Fixes #19334
Reviewed-by: NRichard Levitte <levitte@openssl.org>
Reviewed-by: NPaul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19335)

Fixes #19331
Reviewed-by: NPaul Dale <pauli@openssl.org>
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19332)

Detection of this feature is unreliable so only use it if requested.
Reviewed-by: NPaul Dale <pauli@openssl.org>
Reviewed-by: NDmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: NHugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18852)

Fixes openssl#19185
Reviewed-by: NRichard Levitte <levitte@openssl.org>
Reviewed-by: NTomas Mraz <tomas@openssl.org>
Reviewed-by: NPaul Dale <pauli@openssl.org>
Reviewed-by: NHugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19292)

VMS linking complains a lot about multiply defined symbols unless told
otherwise, especially when shareable images are involved.  For example, this
involves the legacy provider, where there are overriding implementations of
certain ERR functions.

To quiet the linker down, we need to say that symbols should be searched
selectively in shareable images.

However, that's not quite enough.  The order in which the VMS linker
processes files isn't necessarily top to bottom as given on the command line
or the option file(s), which may result in some symbols appearing undefined,
even though they are.  To remedy that, it's necessary to explicitly include
all object files and object libraries into a cluster, thus ensuring that
they will be processed first.  This allows the search for remaining symbol
references to be done in the as desired in the shareable images that follow.
Reviewed-by: NTomas Mraz <tomas@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NTim Hudson <tjh@openssl.org>
Reviewed-by: NHugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19327)

BN_check_prime() is supposed to return 0 for a composite number and -1
on error. Properly translate the return value of the internal function
ossl_bn_miller_rabin_is_prime(), where 0 means an error.

The confusion prevented BN_GENCB callbacks from aborting the primality
test or key generation routines utilizing this.
Reviewed-by: NTomas Mraz <tomas@openssl.org>
Reviewed-by: NNicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: NPaul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19314)

Fixes openssl#8825
Reviewed-by: NTomas Mraz <tomas@openssl.org>
Reviewed-by: NPaul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19329)

This change adds the 'C' command character to allow a user to drop the
current session and reconnect to the server. It has the same behavior as
the `-reconnect` option except this allows reconnect to be triggered at
an arbitrary point in the session.

The primary use case for this change is to provide a way for the user to
probe a server for TLS1.3 session resumption support. This is not
currently reliably supported by the `-reconnect` option.
Reviewed-by: NDmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: NPaul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18683)

Test that a custom EVP_CIPHER gets used in EVP_CipherInit_ex() calls.
Reviewed-by: NTomas Mraz <tomas@openssl.org>
Reviewed-by: NPaul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19300)

In some circumstances we were not calling the cleanup() function to
remove cipher specific data from an EVP_CIPHER_CTX.
Reviewed-by: NTomas Mraz <tomas@openssl.org>
Reviewed-by: NPaul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19300)

If a custom EVP_CIPHER object has been passed to EVP_CipherInit() then it
should be used in preference to a fetched cipher.

We also fix a possible NULL pointer deref in the same code for digests.

If the custom cipher passed to EVP_CipherInit() happens to use NID_undef
(which should be a discouraged practice), then in the previous
implementation this could result in the NULL cipher being fetched and
hence NULL encryption being unexpectedly used.

CVE-2022-3358

Fixes #18970
Reviewed-by: NTomas Mraz <tomas@openssl.org>
Reviewed-by: NPaul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19300)

References: draft-ietf-sidrops-signed-tal
Title: "RPKI Signed Object for Trust Anchor Key"

OID permanently assigned under 'SMI Security for S/MIME CMS Content Type (1.2.840.113549.1.9.16.1)'
https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#security-smime-1

CLA: trivial
Reviewed-by: NHugo Landau <hlandau@openssl.org>
Reviewed-by: NPaul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19221)

The IRIX mips64-cpu, n32-abi configurations include SIXTY_FOUR_BIT in bn_ops,
but it is missing from mips64*-linux-*abin32 (which OpenSSL calls
"linux-mips64").  This causes heap corruption when verifying TLS certificates
(which tend to be RSA-signed) with openssl 1.1.1q:

```
nix@oak:~$ /nix/store/4k04dh6a1zs6hxiacwcg4a4nvxvgli2j-openssl-mips64el-unknown-linux-gnuabin32-1.1.1q-bin/bin/openssl s_client -host www.google.com -port 443free(): invalid pointer
Aborted
```

and a slightly different failure with current HEAD:

```
nix@oak:~$ /nix/store/9bqxharxajsl9fid0c8ls6fb9wxp8kdc-openssl-mips64el-unknown-linux-gnuabin32-1.1.1q-bin/bin/openssl s_client -host www.google.com -port 443
Connecting to 142.250.180.4
CONNECTED(00000003)
Fatal glibc error: malloc assertion failure in sysmalloc: (old_top == initial_top (av) && old_size == 0) || ((unsigned long) (old_size) >= MINSIZE && prev_inuse (old_top) && ((unsigned long) old_end & (pagesize - 1)) == 0)
Aborted
```

Applying this patch and recompiling produces the expected output instead of a
crash.

Note that Gentoo (and to my knowledge all other other distributions which
support mips64n32) use the `linux-generic32` configuration, which uses only
32-bit arithmetic (rather than full 64-bit arithmetic) and lacks assembler
implementations for the SHA hash functions:

  https://gitweb.gentoo.org/repo/gentoo.git/tree/dev-libs/openssl/files/gentoo.config-1.0.2#n102

For support in nixpkgs we would like to use the full 64-bit integer registers
and perlasm routines, so I'm submitting this upstream as well.

Fixes #19319

CLA: trivial
Reviewed-by: NTomas Mraz <tomas@openssl.org>
Reviewed-by: NBernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: NPaul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19320)

CLA: trivial
Reviewed-by: NTomas Mraz <tomas@openssl.org>
Reviewed-by: NPaul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19310)

Don't add 1 if strchr returns NULL

PR update

Fixes #19279
Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: NHugo Landau <hlandau@openssl.org>
Reviewed-by: NTomas Mraz <tomas@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19282)

except those throwing ERR_R_MALLOC_FAILURE
Reviewed-by: NRichard Levitte <levitte@openssl.org>
Reviewed-by: NTomas Mraz <tomas@openssl.org>
Reviewed-by: NPaul Dale <pauli@openssl.org>
Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19302)

Reviewed-by: NPaul Dale <pauli@openssl.org>
Reviewed-by: NTomas Mraz <tomas@openssl.org>
Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/15913)

Reviewed-by: NPaul Dale <pauli@openssl.org>
Reviewed-by: NTomas Mraz <tomas@openssl.org>
Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/15913)

Reviewed-by: NPaul Dale <pauli@openssl.org>
Reviewed-by: NTomas Mraz <tomas@openssl.org>
Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/15913)

Reviewed-by: NPaul Dale <pauli@openssl.org>
Reviewed-by: NTomas Mraz <tomas@openssl.org>
Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/15913)

Reviewed-by: NPaul Dale <pauli@openssl.org>
Reviewed-by: NTomas Mraz <tomas@openssl.org>
Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/15913)

Reviewed-by: NTomas Mraz <tomas@openssl.org>
Reviewed-by: NPaul Dale <pauli@openssl.org>
Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18895)

Reviewed-by: NHugo Landau <hlandau@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19285)

The MACHINE value from POSIX::uname() isn't trustworthy at all.
MACHINE names like this has been seen:

    _HP__VMM___(1.67GHz/9.0MB)

Perl's `$Config{archname}` is much more trustworthy, especially since
VMS isn't a multiarch operating system, at least yet.
Reviewed-by: NHugo Landau <hlandau@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19285)

Since cl knows what architecture it builds fore, all depending on what
the user set up, it makes sense to ask it, and use that result primarly,
and only use the POSIX::uname() MACHINE value as a fallback.

Also, this does indeed determine if cl is present or not.

We drop the explicit names in .github/workflows/windows.yml as proof
of concept.

Fixes #19281
Reviewed-by: NHugo Landau <hlandau@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19285)