Signed-off-by: Nwanghaixiang <wanghaixiang@huawei.com>

Signed-off-by: Nzhao_zhen_zhou <zhaozhenzhou@huawei.com>

Signed-off-by: Nhaixiangw <wanghaixiang@huawei.com>

A timing based side channel exists in the OpenSSL RSA Decryption
implementation which could be sufficient to recover a plaintext across
a network in a Bleichenbacher style attack. To achieve a successful
decryption an attacker would have to be able to send a very large number
of trial messages for decryption. The vulnerability affects all RSA
padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.

Patch written by Dmitry Belyavsky and Hubert Kario

CVE-2022-4304
Reviewed-by: NDmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: NTomas Mraz <tomas@openssl.org>
Signed-off-by: Ncode4lala <fengziteng2@huawei.com>

Signed-off-by: Nwanghao-free <wanghao453@h-partners.com>

If the aux->asn1_cb() call fails in BIO_new_NDEF then the "out" BIO will
be part of an invalid BIO chain. This causes a "use after free" when the
BIO is eventually freed.

Based on an original patch by Viktor Dukhovni and an idea from Theo
Buehler.

Thanks to Octavio Galland for reporting this issue.
Reviewed-by: NPaul Dale <pauli@openssl.org>
Reviewed-by: NTomas Mraz <tomas@openssl.org>
Signed-off-by: Ncode4lala <fengziteng2@huawei.com>

In the event of a failure in PEM_read_bio_ex() we free the buffers we
allocated for the header and data buffers. However we were not clearing
the ptrs stored in *header and *data. Since, on success, the caller is
responsible for freeing these ptrs this can potentially lead to a double
free if the caller frees them even on failure.

Thanks to Dawei Wang for reporting this issue.

Based on a proposed patch by Kurt Roeckx.

CVE-2022-4450
Reviewed-by: NPaul Dale <pauli@openssl.org>
Reviewed-by: NHugo Landau <hlandau@openssl.org>
Signed-off-by: Ncode4lala <fengziteng2@huawei.com>

Description:Openssl bugfix CVE-2019-1551
Team:OTHERS
Feature or Bugfix:Bugfix
Binary Source:No
PrivateCode(Yes/No):No

Change-Id: I73aa3eb8c8f1fcbd49183ddfe3e2ea17a4c12bc5
Reviewed-on: http://mgit-tm.rnd.huawei.com/9089040Tested-by: Npublic jenkins <public_jenkins@notesmail.huawei.com>
Reviewed-by: Ndongjinguang 00268009 <dongjinguang@huawei.com>
Reviewed-by: Nhouyuezhou 00386575 <hou@huawei.com>
Reviewed-by: Nlinyibin 00246405 <linyibin@huawei.com>

Description:use openssl asm mode
Team:OTHERS
Feature or Bugfix:Bugfix
Binary Source:No
PrivateCode(Yes/No):No

Change-Id: Id449bd200b5e2ef817ac329fc6874190bc245ad4
Reviewed-on: http://mgit-tm.rnd.huawei.com/9083098Reviewed-by: Nhouyuezhou 00386575 <hou@huawei.com>
Tested-by: Npublic jenkins <public_jenkins@notesmail.huawei.com>
Reviewed-by: Nlinyibin 00246405 <linyibin@huawei.com>

Description:openssl support to build by arm
Team:OTHERS
Feature or Bugfix:Bugfix
Binary Source:No
PrivateCode(Yes/No):No

Change-Id: Iedde66caa66b2baa5c1a4508240849da0e434efd
Reviewed-on: http://mgit-tm.rnd.huawei.com/8910856Reviewed-by: Ndongjinguang 00268009 <dongjinguang@huawei.com>
Reviewed-by: Nhouyuezhou 00386575 <hou@huawei.com>
Tested-by: Npublic jenkins <public_jenkins@notesmail.huawei.com>
Reviewed-by: Nlinyibin 00246405 <linyibin@huawei.com>

Reviewed-by: NPaul Dale <paul.dale@oracle.com>
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11445)

This partially reverts commit db943f43.
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11400)

Basically we use EXFLAG_INVALID for all kinds of out of memory and
all kinds of parse errors in x509v3_cache_extensions.

[extended tests]
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10756)

Found by Coverity.
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NTim Hudson <tjh@openssl.org>
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8274)

(cherry picked from commit 23dc8feba817560485da00d690d7b7b9e5b15682)

This should avoid half of the trial divisions in probable_prime_dh_safe
and avoid bn_probable_prime_dh generating primes with special properties.
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9387)

Currently probable_prime makes sure that p-1 does not have
any prime factors from 3..17863, which is useful for safe primes,
but not necessarily for the general case.

Issue was initially reported here:
MIRONOV, I. Factoring RSA Moduli II.
https://windowsontheory.org/2012/05/17/factoring-rsa-moduli-part-ii/Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9387)

Reviewed-by: NPaul Yang <kaishen.yy@antfin.com>
(Merged from https://github.com/openssl/openssl/pull/11344)

The server-side ChangeCipherState processing stores the new cipher
in the SSL_SESSION object, so that the new state can be used if
this session gets resumed.  However, writing to the session is only
thread-safe for initial handshakes, as at other times the session
object may be in a shared cache and in use by another thread at the
same time.  Reflect this invariant in the code by only writing to
s->session->cipher when it is currently NULL (we do not cache sessions
with no cipher).  The code prior to this change would never actually
change the (non-NULL) cipher value in a session object, since our
server enforces that (pre-TLS-1.3) resumptions use the exact same
cipher as the initial connection, and non-abbreviated renegotiations
have produced a new session object before we get to this point.
Regardless, include logic to detect such a condition and abort the
handshake if it occurs, to avoid any risk of inadvertently using
the wrong cipher on a connection.
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10943)

(cherry picked from commit 2e3ec2e1578977fca830a47fd7f521e290540e6d)

This reverts commit 68436f0a.

The OMC did not vote in favour of backporting this to 1.1.1, so this
change should be reverted.
Reviewed-by: NTim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11282)

Signed-off-by: NPatrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11229)

(cherry picked from commit af7f656cd91d99d62567e2b20c61f07cb4d81d0b)

Signed-off-by: NPatrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11234)

(cherry picked from commit 7b2ce4a6e817e4385ff77fea0c6e349294c7b756)

It happens when configured with ./config -ftest-coverage

see: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94029Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11246)

CLA: trivial
Reviewed-by: NShane Lontis <shane.lontis@oracle.com>
Reviewed-by: NMatthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11175)

(cherry picked from commit c590be6f12d0b725863961e41bc64a81c8cf30d6)

Description:openssl 1.1.1d used bu libhapverify
Team:OTHERS
Feature or Bugfix:Feature
Binary Source:Yes, it is
PrivateCode(Yes/No):No

Change-Id: I8968f9c0f146b587da17a3e603bd04fb7b4c505b
Reviewed-on: http://mgit-tm.rnd.huawei.com/7842784Tested-by: Npublic jenkins <public_jenkins@notesmail.huawei.com>
Reviewed-by: Nhouyuezhou 00386575 <hou@huawei.com>
Reviewed-by: Nlinyibin 00246405 <linyibin@huawei.com>
Reviewed-by: Nweiping 00548480 <ping.wei@huawei.com>

Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: NDmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/10882)

If we hit an EOF while reading in libssl then we will report an error
back to the application (SSL_ERROR_SYSCALL) but errno will be 0. We add
an error to the stack (which means we instead return SSL_ERROR_SSL) and
therefore give a hint as to what went wrong.

Contains a partial fix for #10880
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: NDmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/10882)

If one of the perlasm xlate drivers crashes, OpenSSL's build will
currently swallow the error and silently truncate the output to however
far the driver got. This will hopefully fail to build, but better to
check such things.

Handle this by checking for errors when closing STDOUT (which is a pipe
to the xlate driver).

This is the OpenSSL 1.1.1 version of
https://github.com/openssl/openssl/pull/10883 and
https://github.com/openssl/openssl/pull/10930.
Reviewed-by: NMark J. Cox <mark@awe.com>
Reviewed-by: NPaul Dale David Benjamin <davidben@google.com>
(Merged from https://github.com/openssl/openssl/pull/10931)

The future style that's coming with OpenSSL 3.0 was used, we need to
revert that back to "traditional" style.
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11088)

Reviewed-by: NShane Lontis <shane.lontis@oracle.com>
Reviewed-by: NDmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11072)

CLA: trivial
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NMatthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10816)

(cherry picked from commit adc9086beb21a91ca59aaf0c619b38b82c223f9b)

Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8888)

(cherry picked from commit a05bf83c7964bb3928b323fe356b9f70f105036d)

Fixes #10998
Reviewed-by: NShane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11000)

Reviewed-by: NViktor Dukhovni <viktor@openssl.org>
GH: #10786
(cherry picked from commit b744f915ca8bb37631909728dd2529289bda8438)

Configure creates an empty crypto/include which
gets not cleaned up with make distclean.
Reviewed-by: NRichard Levitte <levitte@openssl.org>
Reviewed-by: NMatthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10893)

Move .cfi_startproc to the right place for RC4.  Add missing
.cfi_startproc and .cfi_endproc to RC4_options.
Reviewed-by: NRichard Levitte <levitte@openssl.org>
Reviewed-by: NShane Lontis <shane.lontis@oracle.com>
Reviewed-by: NBernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/10872)

(cherry picked from commit 967ef73013becef2aec3439f8c45204b24121018)

Fixes #10853
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10857)

CLA: trivial
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NMatthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10794)

(cherry picked from commit 6a165fab239ec5b00b3cd68169a63b509207177d)

This reverts commit 7b18d1a5, which moved the
DEVRANDOM and DEVRANDOM_EGD defines into rand_unix.c. That change introduced
the regression that the compiler complains about missing declarations in
apps/version.c when OpenSSL is configured using `--with-rand-seed=devrandom`
(resp. `--with-rand-seed=egd`):

apps/version.c:173:42: error: 'DEVRANDOM' undeclared
             static const char *dev[] = { DEVRANDOM, NULL };
                                          ^~~~~~~~~

Fixes #10759
Reviewed-by: NTim Hudson <tjh@openssl.org>
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10764)