Fixes: #8737
Reviewed-by: NBernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: NRichard Levitte <levitte@openssl.org>
GH: #8741
(cherry picked from commit 70b0b977f73cd70e17538af3095d18e0cf59132e)

This reverts commit dcb982d792d6064ed3493e79749208d8c257ff04.

This change is causing extended tests to fail.

[extended tests]
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8964)

(cherry picked from commit 2c23689402f1894861519d0c1ad762a3e52f4677)

This function only returns a status and does not modify the parameter.
Since similar function are already taking const parameters, also
change this function to have a const parameter.

Fixes #8934

CLA: trivial
Signed-off-by: NArne Schwabe <arne@rfc2549.org>
Reviewed-by: NKurt Roeckx <kurt@roeckx.be>
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NMatthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8945)

(cherry picked from commit c04b66b18d1a90f0c6326858e4b8367be5444582)

CLA: trivial
Reviewed-by: NRichard Levitte <levitte@openssl.org>
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8905)

(cherry picked from commit 3e4e43e609d6e9c36e5e526246d31802102cad4a)

CLA: trivial
Reviewed-by: NRichard Levitte <levitte@openssl.org>
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8889)

(cherry picked from commit 99592c73e7167990082626a46ea9286c152f85fd)

This change allows to pass the authentication tag after specifying
the AAD in CCM mode. This is already true for the other two supported
AEAD modes (GCM and OCB) and it seems appropriate to match the
behavior.

GCM and OCB also support to set the tag at any point before the call
to `EVP_*Final`, but this won't work for CCM due to a restriction
imposed by section 2.6 of RFC3610: The tag must be set before
actually decrypting data.

This commit also adds a test case for setting the tag after supplying
plaintext length and AAD.
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7243)

(cherry picked from commit 67c81ec311d696464bdbf4c6d6f8a887a3ddf9f8)

Fixes #8875
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8876)

(cherry picked from commit 9acbe07d2300d34a7ea846d9756f33b4595e32fb)

Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8893)

(cherry picked from commit 260a16f33682a819414fcba6161708a5e6bdff50)

If the `openssl cms` command is called without specifying an
operation option, it replies with the following laconic error message:

    cms: Use -help for summary.

This commit adds a helpful error message:

    No operation option (-encrypt|-decrypt|-sign|-verify|...) specified.
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8861)

(cherry picked from commit 42151b8edb112d23d81f6e0d6606d98797771b4b)

Since commit 137096a7 it is possible to specify keywords instead
of negative magic numbers for the salt length. This commit replaces
the remaining occurrences of `rsa_pss_saltlen:-3` in the test recipes
by `rsa_pss_saltlen:max`.
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8860)

(cherry picked from commit 31fc48ddc30c627416edaa62ec1448e66ef92908)

Reviewed-by: NTim Hudson <tjh@openssl.org>
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8803)

(cherry picked from commit 0c4e984de28b1477e002766b2751576f5c6c47d6)

- Allow user-defined RCFLAGS
- Pass RCFLAGS to RC
Reviewed-by: NTim Hudson <tjh@openssl.org>
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8803)

(cherry picked from commit a583172dac8bce37e268943e570968f193e8b64b)

The reason is that the shared-info attributes may depend on %disabled,
so we need to process all enablings/disablings first.
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8846)

(cherry picked from commit 8f0dd6d9eec0e52feb1b19725c7134684bff28bc)

The testutil support for doubles isn't present in 1.1.1.

This reverts commit 4a717667 from #8818.
Reviewed-by: NTim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8829)

Add a Chi^2 goodness of fit test to empirically provide a degree of confidence
in the uniformity of the output of the random range generation function.
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8818)

(cherry picked from commit bb5b3e6dd0575a4fa96f5085228b716062c00502)

Return error if the output tag buffer size doesn't match
the tag size exactly. This prevents the caller from
using that portion of the tag buffer that remains
uninitialized after an otherwise succesfull call to
CRYPTO_ccm128_tag.

Bug found by OSS-Fuzz.

Fix suggested by Kurt Roeckx.
Signed-off-by: NGuido Vranken <guidovranken@gmail.com>
Reviewed-by: NMatthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8810)

(cherry picked from commit 514c9da48b860153079748b0d588cd42191f0b6a)

CLA: trivial
Signed-off-by: NJakub Jelen <jjelen@redhat.com>
Reviewed-by: NPaul Yang <yang.yang@baishancloud.com>
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8786)

(cherry picked from commit 87930507ff1c020d4ba1ca895ef3ef08e17253b3)

Disabling one thing may mean having to disable other things as well.
We already have a process to auto-disable things through cascading,
but that was under-used.

Making the cascading mechanism available through a function to be
called to disable stuff makes it more automatic, and helps us when we
forget how different disabling options affect others.
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8812)

(cherry picked from commit 71ef78d71f638c7de893c635ee9b0fd16247c762)

Fixes #8787
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8812)

(cherry picked from commit 4650d10ff6ad1048785a009349c8b5d6e922fc7a)

This came about with the realisation that upper case CFLAGS, LDFLAGS
and so on aren't treated much after that, and this makes figuring out
user added flags significantly easier, just look in %config.
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8812)

(cherry picked from commit c1a09254e4c763b62811bc412afa1498699fce50)

Check if num is 0 before trying to malloc memory. Otherwise for client hellos without extensions SSL_client_hello_get1_extensions_present will return MALLOC_FAILURE.
Reviewed-by: NPaul Yang <yang.yang@baishancloud.com>
Reviewed-by: NBen Kaduk <kaduk@mit.edu>
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8756)

(cherry picked from commit 6fda11ae5a06e28fd9463e5afb60735d074904b3)

Reviewed-by: NTim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8780)

(cherry picked from commit a595b10d343845eca32cffb35f1d0a2f15ce40a9)

Reviewed-by: NTim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8780)

(cherry picked from commit 6f3aae256d62cfcc48c07cc0ead5080b070f371b)

|str| was used for multiple conflicting purposes.  When using
'-strictpem', it's used to uniquely hold a reference to the loaded
payload.  However, when using '-strparse', |str| was re-used to hold
the position from where to start parsing.

So when '-strparse' and '-strictpem' are were together, |str| ended up
pointing into data pointed at by |at|, and was yet being freed, with
the result that the payload it held a reference to became a memory
leak, and there was a double free conflict when both |str| and |at|
were being freed.

The situation is resolved by always having |buf| hold the pointer to
the file data, and always and only use |str| to hold the position to
start parsing from.  Now, we only need to free |buf| properly and not
|str|.

Fixes #8752
Reviewed-by: NMatthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8753)

(cherry picked from commit 4f29f3a29b8b416a501c7166dbbca5284b198f81)

Reviewed-by: NBernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8649)

(cherry picked from commit 06add280d90de9625e9c18985f376ef8d0419a46)

Reviewed-by: NBernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8649)

(cherry picked from commit 3d42833d389134b7b05b655c264e4dba5a2179e9)

Reviewed-by: NBernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8649)

(cherry picked from commit d34bce03acc53c583df954bbed65d4800751563a)

Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8649)

(cherry picked from commit c9dc22bc3d7f2df670dff66f04935e540e1b931a)

Reviewed-by: NBernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8649)

(cherry picked from commit b238fb79709a180ba9b4d837101c9f75e2978dc0)

A couple of minor tweaks to match the style introduced in #7854:
- BIO_connect: remove line break to make more grep friendly
- SSL_CTX_new: harmoise the format of the HISTORY section
Reviewed-by: NMatthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: NRichard Levitte <levitte@openssl.org>

(cherry picked from commit 938e82f622eb04ebbfe534c79d234d0f6a0df035)
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8736)

SEE ALSO before HISTORY is the more common pattern in OpenSSL manual
pages and seems to be the prevalent order based on sampling my system
manual pages.

Fixes #8631
Reviewed-by: NMatthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: NRichard Levitte <levitte@openssl.org>

(cherry picked from commit b5c4bbbe54e112b976155004b3d702e47ce7d9d9)

 Conflicts:
	doc/man3/RAND_DRBG_generate.pod
	doc/man3/RAND_DRBG_reseed.pod
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8736)

Check that the HISTORY section is located after the SEE ALSO section,
this is a much more frequent order in OpenSSL manual pages (and UNIX
manual pages in general).

Also check that SEE ALSO comes after EXAMPLES, so that the tool can
ensure the correct manual section sequence.
Reviewed-by: NMatthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: NRichard Levitte <levitte@openssl.org>

(cherry picked from commit 573ac8f2228241771f727ecd8ff10f54073536d3)
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8736)

Change to check_section_location(), a generic function to ensure that
section SECTION appears before section BEFORE in the man pages.
Reviewed-by: NMatthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: NRichard Levitte <levitte@openssl.org>

(cherry picked from commit 95f92d57755a9bfc83135a585da69d497f7293d9)
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8736)

This patch checks if the EXAMPLES section in a pod file is placed
before the RETURN VALUES section.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

(cherry picked from commit cc838ee2d66f7295bf7a7e6695aab1080d6791e9)
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NMatthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8736)

Reviewed-by: NRichard Levitte <levitte@openssl.org>

(cherry picked from commit 4564e77ae9dd1866e8a033f03511b6a1792c024e)

 Conflicts:
	doc/internal/man3/openssl_ctx_get_data.pod (non-existant)
	doc/man3/OPENSSL_s390xcap.pod (non-existant)
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NMatthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8736)

This happens in ec_key_simple_check_key and EC_GROUP_check.
Since the the group order is not a secret scalar, it is
unnecessary to use coordinate blinding.

Fixes: #8731
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8734)

(cherry picked from commit 3051bf2afab7ac8b7b9c64e68755d1addd2fb8ff)

Reviewed-by: NRichard Levitte <levitte@openssl.org>
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8697)

(cherry picked from commit 3a86f1db282569c538273cc48462a3fa5fcffa39)

Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8621)

(cherry picked from commit 491360e7ab2f09fdaadfcd9ff84c425c8f4e5b03)

CLA: trivial
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8714)

(cherry picked from commit ee215c7eea91f193d4765127eb31332758753058)

Even with custome ciphers, the combination in == NULL && inl == 0
should not be passed down to the backend cipher function.  The reason
is that these are the values passed by EVP_*Final, and some of the
backend cipher functions do check for these to see if a "final" call
is made.

Fixes #8675
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8676)

(cherry picked from commit dcb982d792d6064ed3493e79749208d8c257ff04)