Initial ML-KEM documentation

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26037)

Add ML-KEM-768 KATs from BoringSSL

Add KATs for ML-KEM-768 under CCLA from https://boringssl.googlesource.com/boringssl/

These KATs test key generation, encapsulation, and decapsulation for the
ML-KEM-768 algorithm.

Relevant notes:
- Added functionality to the ML-KEM key management to export/import. These may not
  be fully implemented yet (see openssl/openssl#25885)
- Exposed some more low-level ML-KEM API's to the provider implementation to
  allow for deterministic encapsulation/key generation
- Actually run 'mlkem_internal_test' with `make test`

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25938)

Add ML-KEM-768 implementation

Based on code from BoringSSL covered under Google CCLA
Original code at https://boringssl.googlesource.com/boringssl/+/HEAD/crypto/mlkem

- VSCode automatic formatting (andrewd@openssl.org)
- Just do some basic formatting to make diffs easier to read later: convert
  from 2 to 4 spaces, add newlines after function declarations, and move
  function open curly brace to new line (andrewd@openssl.org)
- Move variable init to beginning of each function (andrewd@openssl.org)
- Replace CBB API
- Fixing up constants and parameter lists
- Replace BORINGSSL_keccak calls with EVP calls
- Added library symbols and low-level test case
- Switch boringssl constant time routines for OpenSSL ones
- Data type assertion and negative test added
- Moved mlkem.h to include/crypto
- Changed function naming to be in line with ossl convention
- Remove Google license terms based on CCLA
- Add constant_time_lt_32
- Convert asserts to ossl_asserts where possible
- Add bssl keccak, pubK recreation, formatting
- Add provider interface to utilize mlkem768 code enabling TLS1.3 use
- Revert to OpenSSL DigestXOF
- Use EVP_MD_xof() to determine digest finalisation (pauli@openssl.org)
- Change APIs to return error codes; reference new IANA number; move static asserts
  to one place
- Remove boringssl keccak for good
- Fix coding style and return value checks
- ANSI C compatibility changes
- Remove static cache objects
- All internal retval functions used leading to some new retval functions

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25848)

Post-merge make update

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26715)

Ensure we accept the IANA name for sigalgs

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26654)

ML-DSA: Add TLS certificate test

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26654)

MLDSA: Fix no-ml-dsa configure option.

Added to 'bulk' group and CI

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26654)

Drop the session and PSK test from the clienthellotest

This test doesn't really give us much that the other tests don't already
achieve. Added to that the ClientHello is nearly too long for it to work
reliably. Small changes in the ClientHello length make this test break.
So this test is too brittle with little value - so we drop it.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26654)

Teach SSL_trace() about ML-DSA

Ensure the ML-DSA based sigalgs are recognised by SSL_trace()
Also ensure the test_ssl_trace test passes correctly.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26654)

ML-DSA: Add TLS-SIGALG capability to support ML-DSA signatures

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26654)

ml-dsa test: update ML-DSA key generation tests

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26637)

ml-dsa test: update ML-DSA signature verification tests to cover μ inputs

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26637)

ml-dsa test: update ML-DSA signature generation tests to cover μ inputs

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26637)

test: update the ACVP test data parser to include tests that use μ

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26637)

ml-dsa: allow signature operations to be provided a μ value

The μ value replaces the message and avoids some of the preliminary
processes.  This is part of FIPS 204.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26637)

params: add OSSL_SIGNATURE_PARAM_MU to param names

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26637)

doc: document OSSL_SIGNATURE_PARAM_MU for ML-DSA

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26637)

Fix docs/comments with ASN.1 private key syntax

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/26674)

Reject private keys with an incorrect pk hash

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/26674)

Make the ML-DSA seed gettable as documented

- Also fix the get_params keymgmt function to always return what's
  available.  Requested, but unavailable, parameters are simply left
  unmodified.  It is not an error to request more than is present.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/26674)

Flexible encoders for ML-DSA

- Same UX as ML-KEM.  The main ASN.1 private key syntax is the one from
  Russ Housley's post on the LAMPS list, subsequently amended to tag the
  seed instead of the key (each of the three parameter sets will have a
  fixed size for the `expandedKey`):

    ML-DSA-PrivateKey ::= CHOICE {
      seed [0] IMPLICIT OCTET STRING SIZE (32),
      expandedKey OCTET STRING SIZE (2560 | 4032 | 4896)
      both SEQUENCE {
        seed OCTET STRING SIZE (32),
        expandedKey OCTET STRING SIZE (2560 | 4032 | 4896) } }

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26638)

 ML_DSA: Make apps.c do_X509_REQ_verify() call work correctly.

- Added sigid_algs for ML_DSA such that OBJ_find_sigid_algs() works.
- OBJ_sn2nid() was also being called, so the SN form of ML_DSA
  algorithms needed to be added to the provider dispatch tables.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26636)

endecoders: make ML-KEM endecoders have fips=yes property

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26548)

doc: ML-DSA is in the FIPS provider too, so update docs

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26548)

test: update endecode test in light of ML-DSA being in the FIPS provider

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26548)

ml-dsa(fips): add ML-DSA key generation self test

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26548)

ml-dsa(fips): add power up signature self tests for ML-DSA-65

This added self tests for ML-DSA.  IG 10.3.A.15 requires known answer
tests for both signing and verify.  This adds them.

The signature generation is constructed to encounter all three of the rejection
loop tests that are relevant for ML-DSA-65.  The message has been generated
so that:

    * it fails the z_max rejection test on iteration one
    * it fails the r0_max rejection test on iteration two
    * it fails the h_ones rejection test on iteration three
    * it successfully generates the signature on iteration four

It is thus an optimal self test in terms of iterations and coverage.

Key generation self tests will be dealt with separately.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26548)

ml-dsa: document self test names

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26548)

ml-dsa: add FIPS self test macro

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26548)

test: run ML-DSA tests on FIPS provider

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26548)

ml-dsa: add PCT for FIPS provider

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26548)

ml-dsa: add to FIPS provider

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26548)

ml-dsa: add more to internal header

The ossl_ml_dsa_key_get0_libctx() and the various size macros are better in the intneral header

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26548)

fips: build ML-DSA for FIPS provider

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26548)

fips: build ML-DSA for FIPS provider

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26548)

build: fix copy/paste mistake

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26548)

Add ML-DSA to the FIPS provider

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26548)

ML-DSA Add digestsign tests - The digest must be NULL

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26575)

ML_DSA Add support for generation of X509 certificates using the openssl
commandline.

In order to support this gettables are required in both the key and
signature.:

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26575)

ML-DSA Updates to encoders required because of changes on the master
branch.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26575)

Add ML_DSA encoders

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26575)

ml-dsa: avoid param builder

Using param builder consumes more resources and it is only beneficial
when dealing with bignums.  Directly using the param helpers is a better
alternative.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26529)

ML-DSA: coverage testing fixups

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26505)

ML-DSA Add coverage tests

Also remove some ACVP test data from ml_dsa.inc since this is now
also done using evp_test.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26505)

Add ML-DSA design document.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26400)

Add ML-DSA documentation

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26400)

ML-DSA encoder fixups

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26483)

ML-DSA: Add python utility used to parse ACVP test data.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26451)

ML-DSA: Fix endian issue in ossl_ml_dsa_poly_sample_in_ball().

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26451)

ML-DSA: Add evp_test support for ML-DSA ACVP test vectors.

The evp_test line buffer was increased to 32K to deal with the large
lines required for PQ messages and signatures.
The test data files were generated by parsing AVCP test files using
a python script.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26451)

ML-DSA: Add support for dup.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26451)

ML_DSA: Fix partially uninitialised hint buffer.
The encoded hint data consists of omega + k bytes.
The bytes at the end of omega section of the buffer may be 0,
so the buffer must be cleared initially.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26451)

Add ML_DSA encoders

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26451)

ML-DSA fixups

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26127)

Add ML-DSA-44 and ML-DSA-87, fix endian issues & add fixups

- Make data encoding work on big-endian systems.

- Fix some ML-DSA-44 specific bugs related to w1-vector bits
  per-coefficient, overall size and high-bits rounding.

- Use "do { ... } while (pointer < end)" style consistently.

- Drop redundant reference counting of provided keys.

- Add parameter blocks for ML-DSA-44 and ML-DSA-87 and turn on
  associated provider glue.  These now pass both keygen and
  siggen tests (to be added separately).

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26127)

Add ML-DSA sign/verify

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26127)

ML_DSA: Use pointers instead of arrays for polynomials in Vectors and Matrix.

A DSA_KEY when created will alloc enough space to hold its k & l
vectors and then just set the vectors to point to the allocated blob.

Local Vectors and Matricies can then be initialised in a similar way by
passing them an array of Polnomials that are on the local stack.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26127)

Add ML-DSA Keygen support

The key generation algorithm requires a significant portion of the many
algorithms present in FIPS 204.

This work is derived from the BoringSSL code located at
https://boringssl.googlesource.com/boringssl/+/refs/heads/master/crypto/mldsa/mldsa.cc

Instead of c++ templates it uses an ML_DSA_PARAMS object to store constants such as k & l.
To perform hash operations a temporary EVP_MD_CTX object is used, which is supplied with a
prefetched EVP_MD shake128 or shake256 object that reside in the ML_DSA_KEY object.

The ML_DSA_KEY object stores the encoded public and/or private key
whenever a key is loaded or generated. A public  key is always present
if the private key component exists.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26127)

Rework and simplify RCU code

Use __ATOMIC_RELAXED where possible.
Dont store additional values in the users field.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26690)

Revert "rcu: Ensure that updates to the ID field of a qp don't lose refs"

This reverts commit fbd34c03e3ca94d3805e97a01defdf8b6037f61c.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26690)

Test openssl ecparam -list_curves

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26525)

ecparam: process -list_curves before reading input

Fixes #26519

This is a regression from commit 1dbb67c4

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26525)

Fix arithmetic in a comment

CLA: trivial

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26707)

[vpsm4_ex][aarch64] Move constant to .rodata section

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26509)

[vpsm4][aarch64] Move constant to .rodata section

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26509)

[sm3][aarch64] Move constant to .rodata section

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26509)

[poly1305][aarch64] Extend address range by adrp + add

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26509)

[bsaes][aarch64] Move constant to .rodata section

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26509)

[chacha_sve][aarch64] Move constant to .rodata section

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26509)

[sm4][aarch64] Move constant to .rodata section

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26509)

Address coverity reports

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26703)

ossl_rand_ctx_new(): Use OPENSSL_strdup instead of strdup

Fixes Coverity 1642620

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26641)

X509_STORE_CTX_get1_issuer(): make happy path quicker again

Fixes #26588

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26600)

x509_vfy.c: refactor parameter of get0_best_issuer_sk() and adapt its use by build_chain()

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26600)

http_client.c: fix error and default case handling in OSSL_HTTP_REQ_CTX_nbio() state machine

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25541)

http_client.c: fix OSSL_HTTP_REQ_CTX_nbio() to return content on non-fatal HTTP status code >=400

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25541)

http_client.c: fix redirection in OSSL_HTTP_REQ_CTX_nbio() when non-ASN.1 content is expected

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25541)

http_test.c: small beautifications

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25541)

http_client.c: distinguish better between request/response header and body, in particular when tracing

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25541)

http_client.c,OSSL_HTTP_REQ_CTX.pod,http.h: fixups for PR #23781 on max_response_hdr_lines

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25541)

remove parts of OSSL_HTTP_transfer.pod that are better described in OSSL_HTTP_transfer.pod

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25541)

Add documentation to explain DRBG changes

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26542)

Change also other DRBG's algorithm fetching

- DRBG_HASH
- DRBG_HMAC

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26542)

Filter provider should return proper provctx

...instead of the default one
Signed-off-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26542)

Prefer DRBG ciphers from the same provider

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26542)

test/quicapitest.c: Increase timeout of test_fin_only_blocking to 40ms

Running this test on heavily loaded systems may cause the SSL_read_ex() to
take more than 20ms, due to concurrent workload.

Increase the timeout to 40ms to allow a little bit more time.

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26693)

Add a test for configuring provider certs via config

A bug existed where provider added cert algorithms caused a crash when
they were configured via a config file. We add a test for this scenario.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26663)

Fix configuring provider certificate algs via config file

A crash could occur when attempting to configure a certificate via a
config file, where the algorithm for the certificate key was added
dynamically via a provider.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26663)

Enable the quic-tls API to work, even in the case of no-quic

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26683)

Add a test for the quic-tls API

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26683)

Add a CHANGES.md entry

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26683)

Add documentation for the new third party QUIC stack API

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26683)

Add an API for other QUIC stacks to use our TLS implementation

We provide some callbacks for third party QUIC stacks to use in order
to be able to reuse the OpenSSL TLS implementation in that stack. This is
essentially a thin wrapper around the same API that OpenSSL's own QUIC
stack uses in order to integrate TLS.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26683)

Avoid calling ssl_load_sigalgs in tls1_set_sigalgs_list

- The signature algorithms are already loaded in SSL_CTX_new()

- Calling ssl_load_sigalgs() again is non-productive, and does
  not look thread safe.

- And of course avoiding the call is cheaper.

- Also fix broken loop test in ssl_cert_lookup_by_pkey()

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26671)

Update CHANGES and NEWS for security release

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>

Use ERR marks also when verifying server X.509 certs

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>

With SSL_VERIFY_PEER client RPK should abort on X509 error

While RPK performs X.509 checks correctly, at the SSL layer the
SSL_VERIFY_PEER flag was not honoured and connections were allowed to
complete even when the server was not verified.  The client can of
course determine this by calling SSL_get_verify_result(), but some
may not know to do this.

Added tests to make sure this does not regress.

Fixes CVE-2024-12797

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>

Add support for multiple key shares

This PR is the implementation of concluded discussion that occurred in a
draft PR #25605. This changes were mainly authored by @martinschmatz
with some contribution from myself.

It addresses issue #21633

This extends the group list definition to support a more complex
definition while still retaining backward compatibility with the simple
form of colon separated groups.

Details of the agreed format and expected behaviour can be found in
#25605 and in the documentation changes.

Signed-off-by: Dave Kelsey <d_kelsey@uk.ibm.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26445)

Revise CHANGES.md

The performance impact on Intel Sierra Forest is documented.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25751)

Remove unnecessary flag clearance in crypto/x86_64cpuid.pl

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25751)