git.ipfire.org Git - thirdparty/openssl.git/log
7 days ago: util/other.syms: sort OPENSSL_*cap lexicographically, add missing variables
Eugene Syromiatnikov [Fri, 11 Jul 2025 12:46:24 +0000 (14:46 +0200)] 
util/other.syms: sort OPENSSL_*cap lexicographically, add missing variables

The list includes OPENSSL_ia32cap, OPENSSL_riscvcap, and OPENSSL_s390xcap,
but not OPENSSL_armcap, OPENSSL_ppccap, or OPENSSL_sparcv9cap;  fix that.

Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28025)

7 days ago: apps/lib/apps.c: remove HARNESS_OSSL_PREFIX envvar handling
Eugene Syromiatnikov [Mon, 21 Jul 2025 11:37:16 +0000 (13:37 +0200)] 
apps/lib/apps.c: remove HARNESS_OSSL_PREFIX envvar handling

As the environment variable is no longer used by the test harness,
its support can be removed from the openssl command, along
with the possible unintended consequences of prefixing the standard
output of the openssl command with an arbitrary string set
in the environment.

Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28025)

7 days ago: Remove HARNESS_OSSL_PREFIX manipulation in the test harness
Eugene Syromiatnikov [Mon, 21 Jul 2025 11:32:24 +0000 (13:32 +0200)] 
Remove HARNESS_OSSL_PREFIX manipulation in the test harness

The aim of the HARNESS_OSSL_PREFIX environment variable is to avoid contaminating
the TAP producer's output with stanzas that can be interpreted by a TAP producer
by prefixing them with a comment;  this can be achieved by processing
the output within the runner instead, as it already does for non-standard
prefixes;  it also has the added benefit of alleviating the need
to reset it for the external tests in order to avoid messing
with their output checks.

Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28025)

7 days ago: Pairwise check for DH keys import as part of FIPS
Nikola Pajkovsky [Thu, 17 Jul 2025 10:45:49 +0000 (12:45 +0200)] 
Pairwise check for DH keys import as part of FIPS

For DH key import, it appears the PCT and assurances are implemented in
the source but are not performed by default.

Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28058)

7 days ago: Update dh_pub to be pairwise consistent with dh_priv
Nikola Pajkovsky [Wed, 16 Jul 2025 12:37:58 +0000 (14:37 +0200)] 
Update dh_pub to be pairwise consistent with dh_priv

Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28058)

8 days ago: Exchange no-sm2 and no-ssl-trace between PR and daily jobs
Tomas Mraz [Mon, 28 Jul 2025 09:15:52 +0000 (11:15 +0200)] 
Exchange no-sm2 and no-ssl-trace between PR and daily jobs

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28106)

8 days ago: test-ec: Skip SM2 key import test if SM2 is disabled
Tomas Mraz [Mon, 28 Jul 2025 09:13:06 +0000 (11:13 +0200)] 
test-ec: Skip SM2 key import test if SM2 is disabled

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28106)

9 days ago: Fixed #27506, now the behavior with an empty IDN is the same as with
Igor Ustinov [Wed, 23 Jul 2025 17:48:50 +0000 (20:48 +0300)] 
Fixed #27506, now the behavior with an empty IDN is the same as with
an incorrect IDN.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28080)

10 days ago: - adding a missing file
Alexandr Nedvedicky [Tue, 22 Jul 2025 21:31:57 +0000 (23:31 +0200)] 
- adding a missing file

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28023)

10 days ago: - changes suggested by @t8m
Alexandr Nedvedicky [Tue, 22 Jul 2025 20:59:28 +0000 (22:59 +0200)] 
- changes suggested by @t8m

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28023)

10 days ago: - fix RFC reference and indentation
sashan [Mon, 21 Jul 2025 06:57:41 +0000 (08:57 +0200)] 
- fix RFC reference and indentation

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28023)

10 days ago: Update ssl/quic/quic_ackm.c
Sashan [Mon, 21 Jul 2025 06:44:17 +0000 (08:44 +0200)] 
Update ssl/quic/quic_ackm.c

Co-authored-by: Andrew Dinh <andrewd@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28023)

10 days ago: Update ssl/quic/quic_ackm.c
Sashan [Mon, 21 Jul 2025 06:43:49 +0000 (08:43 +0200)] 
Update ssl/quic/quic_ackm.c

Co-authored-by: Andrew Dinh <andrewd@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28023)

10 days ago: ACK manager must avoid infinite probe time when waiting handshake confirmation
sashan [Tue, 15 Jul 2025 13:09:40 +0000 (15:09 +0200)] 
ACK manager must avoid infinite probe time when waiting handshake confirmation

According to RFC 9002, section 6.2.2.1, the client must keep the PTO (probe
timeout) armed if it has not seen a HANDSHAKE_DONE QUIC message from the server.
Not following the RFC here may cause the QUIC session to stall during the TLS handshake.

Fixes openssl/project#1266

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28023)

10 days ago: Add a test of 'openssl storeutl' with a BER-encoded PKCS#12 file
Richard Levitte [Wed, 16 Jul 2025 13:08:48 +0000 (15:08 +0200)] 
Add a test of 'openssl storeutl' with a BER-encoded PKCS#12 file

The test file (test-BER.p12) was given to us by David von Oheimb

Co-Authored-By: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/28016)

10 days ago: Fix OSSL_STORE to consider cached info in the EOF check.
Richard Levitte [Thu, 10 Jul 2025 15:55:50 +0000 (17:55 +0200)] 
Fix OSSL_STORE to consider cached info in the EOF check.

OSSL_STORE_load() called OSSL_STORE_eof() before checking if there is
cached OSSL_STORE_INFO to consider.  To fix this issue, the cached info
check is moved to OSSL_STORE_eof(), as that seems to make most common
sense.

This solves an issue with PKCS#12 files, where the cached info was never
considered because the underlying file IO layer signaled that EOF is
reached.

Fixes #28010

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/28016)

11 days ago: Update workflows to test msquic with OpenSSL
Andrew Dinh [Wed, 16 Jul 2025 14:24:28 +0000 (21:24 +0700)] 
Update workflows to test msquic with OpenSSL

Update GitHub Workflows to build msquic with OpenSSL with TLS backend, push to Quay.io, and test with current QUIC interop workflow

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28045)

11 days ago: Add support for TLS 1.3 OCSP multi-stapling for server certs
martin [Fri, 7 Feb 2025 13:22:41 +0000 (14:22 +0100)] 
Add support for TLS 1.3 OCSP multi-stapling for server certs

Co-authored-by: Michael Krueger
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20945)

11 days ago: sm2: sm2_sign.c: check EC_KEY_get0_private_key() for NULL in sm2_sig_gen()
AntonMoryakov [Mon, 2 Jun 2025 10:14:28 +0000 (13:14 +0300)] 
sm2: sm2_sign.c: check EC_KEY_get0_private_key() for NULL in sm2_sig_gen()

Static analysis revealed that sm2_sig_gen() dereferences the return value
of EC_KEY_get0_private_key() without checking for NULL. This could lead to
a crash if the private key is unset.

This patch adds a NULL check and raises ERR_R_PASSED_NULL_PARAMETER if the
key is missing.

Issue found by static analyzer:
> Return value of EC_KEY_get0_private_key() is dereferenced without checking for NULL (11/12 checked)

CLA: trivial
Signed-off-by: Anton Moryakov <ant.v.moryakov@gmail.com>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27741)

12 days ago: fix SM2 private key decode (PEM format, ECPrivateKey).
Alen Yan [Wed, 9 Jul 2025 01:23:00 +0000 (09:23 +0800)] 
fix SM2 private key decode (PEM format, ECPrivateKey).

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27963)

12 days ago: openssl rand command should use the loaded library context
Daniel Van Geest [Wed, 23 Jul 2025 08:30:57 +0000 (10:30 +0200)] 
openssl rand command should use the loaded library context

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28075)

12 days ago: test/timing_load_creds.c: Add fclose() if error occurs
Jiasheng Jiang [Wed, 9 Jul 2025 21:10:51 +0000 (21:10 +0000)] 
test/timing_load_creds.c: Add fclose() if error occurs

Add fclose() if error occurs to release fp.

Fixes: 6212fc6814 ("Add a stand-alone "timing" program")
Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28007)

13 days ago: LoongArch: Add SHA-512 assembly implementation for better performance on small-size... [feature/quic-0-rtt]
Julian Zhu [Thu, 26 Jun 2025 06:14:45 +0000 (14:14 +0800)] 
LoongArch: Add SHA-512 assembly implementation for better performance on small-size data

Signed-off-by: Julian Zhu <jz531210@gmail.com>
Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27904)

13 days ago: LoongArch: Add SHA-256 assembly implementation for better performance
Julian Zhu [Fri, 20 Jun 2025 07:59:08 +0000 (15:59 +0800)] 
LoongArch: Add SHA-256 assembly implementation for better performance

It can get about 25% better performance than compiler-generated code (gcc version 15.1.1).

Signed-off-by: Julian Zhu <jz531210@gmail.com>
Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27904)

13 days ago: --amend
Dmitry Misharov [Tue, 22 Jul 2025 06:58:27 +0000 (08:58 +0200)] 
--amend

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27467)

13 days ago: replace GitHub Actions in Windows jobs
Dmitry Misharov [Tue, 22 Apr 2025 06:37:45 +0000 (08:37 +0200)] 
replace GitHub Actions in Windows jobs

Most of the GitHub Actions can be replaced with a couple of commands.
This will reduce dependency bloat and some attack surface.
This commit replaces all GitHub Actions which are not from GitHub
and Cygwin for Windows jobs with plain commands.

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27467)

13 days ago: Fix perl warnings on various scripts
Norbert Pocs [Tue, 15 Jul 2025 09:54:23 +0000 (11:54 +0200)] 
Fix perl warnings on various scripts

Resolves: https://github.com/openssl/project/issues/1273

Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28046)

2 weeks ago: sm2: add some signing tests.
Pauli [Wed, 9 Jul 2025 02:54:21 +0000 (12:54 +1000)] 
sm2: add some signing tests.

Because SM2 uses entropy as part of its signing process, there were no
signing tests under evp_test.  This corrects the shortcoming.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27997)

2 weeks ago: evp_test: add a new global "Test-Entropy" line to allow deterministic `random` input.
Pauli [Wed, 9 Jul 2025 02:50:02 +0000 (12:50 +1000)] 
evp_test: add a new global "Test-Entropy" line to allow deterministic `random` input.

When specified, this directive replaces the public and private DRBGs
with a generator that returns the specified bytes.  If more bytes are
requested than are specified, the generator loops around the supplied
bytes to satisfy the request.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27997)

2 weeks ago: sm2 test: remove unnecessary available in lines
Pauli [Tue, 8 Jul 2025 23:40:16 +0000 (09:40 +1000)] 
sm2 test: remove unnecessary available in lines

This test is only run against the default provider so no need to double
check this.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27997)

2 weeks ago: ECX/ED keymanager param getter fixes.
slontis [Tue, 15 Jul 2025 02:54:04 +0000 (12:54 +1000)] 
ECX/ED keymanager param getter fixes.

Fixes #28034

ECX and ED were sharing the same code for the getter, whilst also
maintaining separate gettable tables.

The code has been reworked so that common code is shared, and algorithm
specific code is separated out to make this clearer.

This fixes:
(1) The security category not being in the gettable table for ED
(2) The fips indicator for ED, i.e. there is no fips indicator for ED
(previously there was no gettable, but the get() still tried to return
unapproved).

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28039)

2 weeks ago: Raise PROV_R_NULL_OUTPUT_BUFFER if shsec is NULL in ml_kem_encapsulate()
lanming [Thu, 10 Jul 2025 02:20:05 +0000 (10:20 +0800)] 
Raise PROV_R_NULL_OUTPUT_BUFFER if shsec is NULL in ml_kem_encapsulate()

Signed-off-by: lanming <lanming@huawei.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28009)

2 weeks ago: Add CODEOWNERS file
Dmitry Misharov [Fri, 18 Jul 2025 06:12:56 +0000 (08:12 +0200)] 
Add CODEOWNERS file

quarckster is the owner of the /.github/workflows/ directory.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28060)

2 weeks ago: pin GitHub Actions revisions from untrusted vendors
Dmitry Misharov [Thu, 27 Mar 2025 15:49:20 +0000 (16:49 +0100)] 
pin GitHub Actions revisions from untrusted vendors

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27181)

2 weeks ago: Update container images in OS Zoo CI workflow
Dmitry Misharov [Wed, 16 Jul 2025 09:05:27 +0000 (11:05 +0200)] 
Update container images in OS Zoo CI workflow

Replace outdated and unsupported distro versions with up-to-date ones.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28049)

2 weeks ago: evp_pkey_type: Make base_id_conversion table static
Norbert Pocs [Fri, 18 Jul 2025 06:55:18 +0000 (08:55 +0200)] 
evp_pkey_type: Make base_id_conversion table static

This commit fixes CI failures (when configured with --strict-warnings)

Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28061)

2 weeks ago: Add AES-CFB128 optimizations with Intel AVX-512 and VAES
Stanciu, Adrian [Fri, 30 May 2025 16:17:26 +0000 (19:17 +0300)] 
Add AES-CFB128 optimizations with Intel AVX-512 and VAES

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/26902)

2 weeks ago: Extract AES CFB implementation to cipher_aes_cfb*
Adrian Stanciu [Thu, 27 Feb 2025 08:59:36 +0000 (10:59 +0200)] 
Extract AES CFB implementation to cipher_aes_cfb*

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/26902)

2 weeks ago: Add workflow to check perl core modules for 5.10.1
Norbert Pocs [Thu, 10 Jul 2025 18:23:00 +0000 (20:23 +0200)] 
Add workflow to check perl core modules for 5.10.1

The motivation is to notice if we would add a module which is not a core
module in the minimal supported perl version.

This does not fail on other errors or warnings by perl, but we should
clear out those also.

Resolves: https://github.com/openssl/project/issues/1269

Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28024)

2 weeks ago: Deprecate ASN1_METH related tests
Norbert Pocs [Tue, 17 Jun 2025 10:43:12 +0000 (12:43 +0200)] 
Deprecate ASN1_METH related tests

ASN1 tests had to be turned off, but the biggest change is the
ssl_test_ctx, where the NID resolution does not equal the old one and
a little hack had to be used to make the test work.

Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27727)

2 weeks ago: Deprecate ASN1_METH internal usage
Norbert Pocs [Tue, 17 Jun 2025 10:47:54 +0000 (12:47 +0200)] 
Deprecate ASN1_METH internal usage

Some of them are needed and were kept by adding `#include
"internal/deprecated"` and some had to be turned off.

Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27727)

2 weeks ago: libcrypto.num: Deprecate EVP_PKEY_ASN1_METHOD related functions
Norbert Pocs [Fri, 23 May 2025 10:08:39 +0000 (12:08 +0200)] 
libcrypto.num: Deprecate EVP_PKEY_ASN1_METHOD related functions

Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27727)

2 weeks ago: Update documentation on EVP_PKEY_ASN1_METHOD deprecation
Norbert Pocs [Thu, 22 May 2025 10:23:56 +0000 (12:23 +0200)] 
Update documentation on EVP_PKEY_ASN1_METHOD deprecation

Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27727)

2 weeks ago: Deprecate EVP_PKEY_ASN1_METHOD related function declarations and definitions
Norbert Pocs [Thu, 22 May 2025 10:01:19 +0000 (12:01 +0200)] 
Deprecate EVP_PKEY_ASN1_METHOD related function declarations and definitions

Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27727)

2 weeks ago: Add deprecation macros for 3.6.0
Norbert Pocs [Thu, 22 May 2025 09:45:49 +0000 (11:45 +0200)] 
Add deprecation macros for 3.6.0

Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27727)

2 weeks ago: providers/implementations/digests/sha3_prov.c optimize ossl_(un)likely
Norbert Pocs [Thu, 3 Jul 2025 14:31:42 +0000 (16:31 +0200)] 
providers/implementations/digests/sha3_prov.c optimize ossl_(un)likely

Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27961)

2 weeks ago: crypto/params.c optimize ossl_(un)likely
Norbert Pocs [Thu, 3 Jul 2025 14:21:49 +0000 (16:21 +0200)] 
crypto/params.c optimize ossl_(un)likely

Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27961)

2 weeks ago: crypto/init.c optimize ossl_(un)likely
Norbert Pocs [Thu, 3 Jul 2025 14:16:34 +0000 (16:16 +0200)] 
crypto/init.c optimize ossl_(un)likely

Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27961)

2 weeks ago: crypto/threads_pthread.c optimize ossl_(un)likely
Norbert Pocs [Thu, 3 Jul 2025 14:11:39 +0000 (16:11 +0200)] 
crypto/threads_pthread.c optimize ossl_(un)likely

Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27961)

2 weeks ago: crypto/mem.c optimize ossl_(un)likely
Norbert Pocs [Thu, 3 Jul 2025 13:58:52 +0000 (15:58 +0200)] 
crypto/mem.c optimize ossl_(un)likely

Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27961)

2 weeks ago: crypto/bn/bn_gf2m.c: optimize ossl_(un)likely
Norbert Pocs [Thu, 3 Jul 2025 13:53:31 +0000 (15:53 +0200)] 
crypto/bn/bn_gf2m.c: optimize ossl_(un)likely

Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27961)

2 weeks ago: include/crypto/md32_common.h: optimize ossl_(un)likely
Norbert Pocs [Thu, 3 Jul 2025 13:44:04 +0000 (15:44 +0200)] 
include/crypto/md32_common.h: optimize ossl_(un)likely

Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27961)

2 weeks ago: crypto/bn/bn_lib.c: optimize - seems to bring not much benefit
Norbert Pocs [Thu, 3 Jul 2025 13:36:21 +0000 (15:36 +0200)] 
crypto/bn/bn_lib.c: optimize - seems to bring not much benefit

Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27961)

2 weeks ago: crypto/evp/digest.c: optimize ossl_(un)likely
Norbert Pocs [Thu, 3 Jul 2025 10:04:52 +0000 (12:04 +0200)] 
crypto/evp/digest.c: optimize ossl_(un)likely

Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27961)

2 weeks ago: Update doc on CRYPTO_MEM_SEC(_MINSIZE)
Norbert Pocs [Mon, 14 Jul 2025 13:59:07 +0000 (15:59 +0200)] 
Update doc on CRYPTO_MEM_SEC(_MINSIZE)

Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28036)

2 weeks ago: openssl: Add option to init sec mem at startup
Norbert Pocs [Mon, 14 Jul 2025 13:01:24 +0000 (15:01 +0200)] 
openssl: Add option to init sec mem at startup

Adding env variables OPENSSL_SEC_MEM and OPENSSL_SEC_MEM_MINSIZE, which
initialize the secure memory at the beginning of the openssl app.

Resolves: https://github.com/openssl/project/issues/786

Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28036)

3 weeks ago: LMS: Coverity Fix 1659010 (Unused Value)
slontis [Mon, 14 Jul 2025 01:06:10 +0000 (11:06 +1000)] 
LMS: Coverity Fix 1659010 (Unused Value)

This was a false positive in a test.
The code has been reordered to make the flow clearer.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28030)

3 weeks ago: LMS Coverity fix 1659009
slontis [Mon, 14 Jul 2025 01:01:41 +0000 (11:01 +1000)] 
LMS Coverity fix 1659009

Fix deref after free.

If ctx->key is already set and the passed in key is NULL then ctx->key
should not be set to NULL.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28030)

3 weeks ago: const up ERR_str_libraries
Caolán McNamara [Sun, 13 Jul 2025 19:21:19 +0000 (20:21 +0100)] 
const up ERR_str_libraries

CLA: trivial

move this symbol out of the .data section

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28029)

3 weeks ago: sec_mem: add note about the perf implications
Nikola Pajkovsky [Thu, 10 Jul 2025 07:03:38 +0000 (09:03 +0200)] 
sec_mem: add note about the perf implications

Testing secure storage for ml-kem/dsa [1] shows a performance penalty
when secure storage is enabled.

| Threads | baseline usec/handshake | secmem usec/handshake |
|---------+-------------------------+-----------------------|
|       1 |              586.784756 |            588.306131 |
|       2 |              599.537648 |            601.007393 |
|       4 |              610.663361 |            613.600663 |
|       8 |              649.347376 |            869.693358 |
|      16 |             1176.402781 |           2487.335286 |
|      32 |             2345.594618 |           5155.747515 |
|      64 |             4697.556045 |          11170.627031 |

The test shows that sec mem is ok-ish up to the number of available cores,
and when the sec mem lock gets contended, performance goes down rapidly.
Tested on Apple M4 Pro.

[1] https://github.com/openssl/openssl/pull/27625

Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28011)

3 weeks ago: ci: enable lms only on master
Nikola Pajkovsky [Fri, 11 Jul 2025 07:18:12 +0000 (09:18 +0200)] 
ci: enable lms only on master

A new config option cannot be enabled globally because the option
was not backported to the older versions.

Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28019)

3 weeks ago: Add lock contention checking to our pthreads implementation
Neil Horman [Tue, 24 Jun 2025 17:50:09 +0000 (13:50 -0400)] 
Add lock contention checking to our pthreads implementation

Something we're missing in our ability to do performance monitoring
and diagnosis in openssl is the ability to check for lock contention.
While some tools exist for this (valgrind's drd tool for example), they
really only measure the time spent in critical sections, not the
instances in which they are contended.  For that we need something more
specific.

This patch introduces the REPORT_RWLOCK_CONTENTION macro.  When openssl
is built with:
./Configure -rdynamic -fno-omit-frame-pointer -DREPORT_RWLOCK_CONTENTION

We can now get output sent to a log file that looks like the following:

===============
lock blocked on WRITE for 1001 usec
/lib64/libasan.so.8(+0x525e7) [0x7fc5ef4525e7]
../../test/quic_radix_test(CRYPTO_THREAD_write_lock+0x151) [0x79d976]
../../test/quic_radix_test() [0x61e6fb]
../../test/quic_radix_test(test_vprintf_stderr+0x15) [0x61e78d]
../../test/quic_radix_test(test_printf_stderr+0x10f) [0x623ba4]
../../test/quic_radix_test(test_fail_message_prefix+0xf7) [0x62436b]
../../test/quic_radix_test() [0x6243b9]
../../test/quic_radix_test(test_info+0x133) [0x624842]
../../test/quic_radix_test() [0x415aad]
../../test/quic_radix_test() [0x417bad]
../../test/quic_radix_test() [0x41b1a9]
../../test/quic_radix_test() [0x41b2eb]
../../test/quic_radix_test() [0x8071fc]
/lib64/libasan.so.8(+0x28ee6) [0x7fc5ef428ee6]
/lib64/libc.so.6(+0x711d4) [0x7fc5ef27f1d4]
/lib64/libc.so.6(+0xf3cec) [0x7fc5ef301cec]
==============

Which tells us when a thread blocked because someone else was already
holding the lock, how long it was blocked for, and where the blocking
call originated from via its backtrace.

I think this should enable us to better determine where our contended
locking paths are for a given application, and give us some insight on
how to fix them.

Currently it's Linux only (as the backtrace functionality only exists
there), and there are a few warts (like the need to use a file pointer
rather than a bio to record the log, see comments), but I think it's
enough to give us a useful diagnostic tool to help drive some
performance improvements.

Fixes openssl/project#1237

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27884)

3 weeks ago: Make the lock in CRYPTO_secure_actual_size a read lock
Nikola Pajkovsky [Thu, 10 Jul 2025 07:48:15 +0000 (09:48 +0200)] 
Make the lock in CRYPTO_secure_actual_size a read lock

There are no operations within the critical section that would
require a write lock.

Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28014)

3 weeks ago: Add note about use of EVP_PKEY in different libctxs
Michael Baentsch [Mon, 30 Jun 2025 07:33:46 +0000 (09:33 +0200)] 
Add note about use of EVP_PKEY in different libctxs

Co-authored-by: Shane Lontis <slontis@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26309)

3 weeks agoPEM_read_CMS.pod: Correct the deprecation notice
Tomas Mraz [Fri, 20 Jun 2025 15:07:19 +0000 (17:07 +0200)] 
PEM_read_CMS.pod: Correct the deprecation notice

Fixes #27863

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27865)

3 weeks agoProvide X509_CRL_get0_tbs_sigalg()
Theo Buehler [Sun, 6 Jul 2025 11:55:52 +0000 (13:55 +0200)] 
Provide X509_CRL_get0_tbs_sigalg()

X509_CRL_get0_tbs_sigalg() corresponds to X509_get0_tbs_sigalg() and
retrieves the AlgorithmIdentifier inside the TBSCertList which is not
currently accessible in any sane way from public API.

This PR adds X509_get0_tbs_sigalg() to the public API, documents it,
adds a simple regress check so there is coverage and mentions the
addition in CHANGES.md.

On top of that, fix a typo in .gitignore and clean up some order
inconsistencies in X509_get0_signature.pod.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27971)

3 weeks agotest/quic-openssl-docker/hq-interop/quic-hq-interop.c: Move BIO_free() to err label...
Jiasheng Jiang [Tue, 8 Jul 2025 23:18:43 +0000 (23:18 +0000)] 
test/quic-openssl-docker/hq-interop/quic-hq-interop.c: Move BIO_free() to err label to avoid memory leak

Relocate the BIO_free() call to the 'err' label to ensure the memory is properly freed in case of an error.

Fixes: ec6200bf0f ("Move hq-interop code to test/quic-openssl-docker")
Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27995)

3 weeks agoQUIC receiver may accidentally ACK packet it fails to process
Alexandr Nedvedicky [Wed, 9 Jul 2025 09:24:38 +0000 (11:24 +0200)] 
QUIC receiver may accidentally ACK packet it fails to process

We set ok to -1 as we enter ossl_quic_handle_frames().  If we
set ok to 0 here, we effectively assume successful processing
of all frames found in the packet. We do this just before
we return from the function:

```
  1479
  1480     /* Now that special cases are out of the way, parse frames */
  1481     if (!PACKET_buf_init(&pkt, qpacket->hdr->data, qpacket->hdr->len)
  1482         || !depack_process_frames(ch, &pkt, qpacket,
  1483                                   enc_level,
  1484                                   qpacket->time,
  1485                                   &ackm_data))
  1486         goto end;
  1487
  1488     ok = 1;
  1489  end:
  1490     /*
  1491      * ASSUMPTION: If this function is called at all, |qpacket| is
  1492      * a legitimate packet, even if its contents aren't.
  1493      * Therefore, we call ossl_ackm_on_rx_packet() unconditionally, as long as
  1494      * |ackm_data| has at least been initialized.
  1495      */
  1496     if (ok >= 0)
  1497         ossl_ackm_on_rx_packet(ch->ackm, &ackm_data);
  1498
  1499     return ok > 0;
```

If the call to `depack_process_frames()` at line 1492 fails, because
a particular frame in the packet is corrupted/invalid, we take a branch
to the `end:` goto target. In this case we must avoid the call to
`ossl_ackm_on_rx_packet()`. A packet with a malformed/invalid frame
must not be accepted. See RFC 9000 section 13.1:

    Once the packet has been fully processed, a receiver acknowledges
    receipt by sending one or more ACK frames containing the packet
    number of the received packet.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28002)
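The tri-state `ok` flow described in that commit message, modelled as an added C example (not OpenSSL's code): the frame encoding, the `depack_frames()` stand-in and the `hardened` switch are constructed for illustration, and the toy packets are constructed inputs. With `hardened == 0` the ACK manager is told about a packet whose frames failed to parse; with `hardened == 1` only a fully processed packet is reported, as RFC 9000 section 13.1 requires.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed toy frame encoding: [type][len][payload...]; only frame
 * types 0x01 and 0x02 are valid. This is not the real QUIC frame format. */
const uint8_t good_pkt[] = { 0x01, 0x00, 0x02, 0x02, 0xaa, 0xbb };
const uint8_t bad_pkt[] = { 0x01, 0x00, 0x7f, 0x01, 0xcc }; /* 0x7f: unknown */

/* Stand-in for depack_process_frames(): 1 if every frame parses, else 0. */
static int depack_frames(const uint8_t *buf, size_t len)
{
    size_t off = 0;

    while (off < len) {
        if (buf[off] != 0x01 && buf[off] != 0x02)
            return 0;                   /* unknown frame type */
        if (off + 1 >= len)
            return 0;                   /* length byte missing */
        if (off + 2 + buf[off + 1] > len)
            return 0;                   /* truncated payload */
        off += 2 + buf[off + 1];
    }
    return 1;
}

/*
 * Model of the tri-state |ok| in ossl_quic_handle_frames():
 *   -1: |ackm_data| not initialised, never report the packet
 *    0: header accepted and |ackm_data| initialised
 *    1: every frame processed
 * Returns ok > 0; *acked records whether the ACK manager was notified.
 * hardened == 0 reproduces the behaviour the commit message describes,
 * hardened == 1 notifies only for fully processed packets (RFC 9000 s13.1).
 */
int handle_packet(const uint8_t *frames, size_t len, int hardened, int *acked)
{
    int ok = -1, ackm_data_ready = 0;

    *acked = 0;
    ackm_data_ready = 1;
    ok = 0;                     /* from here on the old code always notified */
    if (!depack_frames(frames, len))
        goto end;               /* malformed frame: must not be ACKed */
    ok = 1;
 end:
    if (ackm_data_ready && (hardened ? ok > 0 : ok >= 0))
        *acked = 1;             /* stands in for ossl_ackm_on_rx_packet() */
    return ok > 0;
}
```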

3 weeks agoDOC: Fixup FIPS provider documentation.
slontis [Mon, 7 Jul 2025 07:04:09 +0000 (17:04 +1000)] 
DOC: Fixup FIPS provider documentation.

SHAKE3 was missing from the list.
Also clarified that KECCAK-KMAC is internal.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27885)

3 weeks agoLMS code review fixups
slontis [Mon, 7 Jul 2025 02:11:52 +0000 (12:11 +1000)] 
LMS code review fixups

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27885)

3 weeks agoAdd LMS evp_test using NIST ACVP test data.
slontis [Wed, 2 Jul 2025 08:21:39 +0000 (18:21 +1000)] 
Add LMS evp_test using NIST ACVP test data.

This covers all LMS algorithm parameter sets.

The following changes were done to handle the tests:
 (1) Changed LMS to use OSSL_PKEY_PARAM_PUB_KEY instead of
     OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY for import/export.
     (There is no reason to have the encoded form for verify operations.)
 (2) Fixed a bug for W=1 with truncated digests. The checksum was using
     a value of 8-w, which was off by 1 for this case. A value was added to
     the ots parameters that represents this value.
 (3) A check in evp_test for a NID was removed since LMS does not have
     OIDs (HSS does).
 (4) The unused PROPERTIES param was removed from the LMS keymanager.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27885)

3 weeks agotest: get the LMS test recipe to run non-FIPS tests
Richard Levitte [Sun, 29 Jun 2025 08:41:33 +0000 (10:41 +0200)] 
test: get the LMS test recipe to run non-FIPS tests

This places the FIPS specific tests in a skippable block.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27885)

3 weeks agoci: enable LMS in a number of different builds
Pauli [Mon, 30 Jun 2025 22:43:54 +0000 (08:43 +1000)] 
ci: enable LMS in a number of different builds

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27885)

3 weeks agoMake LMS disabled by default
Pauli [Mon, 30 Jun 2025 22:20:54 +0000 (08:20 +1000)] 
Make LMS disabled by default

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27885)

3 weeks agolms_test: add key gen negative test
Pauli [Thu, 26 Jun 2025 21:17:12 +0000 (07:17 +1000)] 
lms_test: add key gen negative test

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27885)

3 weeks agolms: add negative tests
Pauli [Thu, 26 Jun 2025 08:44:56 +0000 (18:44 +1000)] 
lms: add negative tests

For EVP_PKEY_sign_message_init and EVP_PKEY_paramgen_init.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27885)

3 weeks agolms: add signing negative test
Pauli [Thu, 26 Jun 2025 08:36:37 +0000 (18:36 +1000)] 
lms: add signing negative test

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27885)

3 weeks agopacket: add new utility function PACKET_get_4_len()
Pauli [Wed, 25 Jun 2025 23:03:38 +0000 (09:03 +1000)] 
packet: add new utility function PACKET_get_4_len()

Get 4 bytes in network order from |pkt| and store the value in |*data|.
Similar to PACKET_get_net_4() except the data is uint32_t.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27885)

3 weeks agotest: get provider compatibility tests working
Pauli [Mon, 3 Feb 2025 23:47:24 +0000 (10:47 +1100)] 
test: get provider compatibility tests working

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27885)

3 weeks agoAdd changes entry for LMS verification
Pauli [Thu, 23 Jan 2025 20:55:48 +0000 (07:55 +1100)] 
Add changes entry for LMS verification

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27885)

3 weeks agodoc: document the additional LMS self test description
Pauli [Mon, 13 Jan 2025 01:43:10 +0000 (12:43 +1100)] 
doc: document the additional LMS self test description

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27885)

3 weeks agofips: add self test CAST for LMS verify
Pauli [Mon, 13 Jan 2025 01:41:49 +0000 (12:41 +1100)] 
fips: add self test CAST for LMS verify

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27885)

3 weeks agofips: add LMS description
Pauli [Mon, 13 Jan 2025 01:41:04 +0000 (12:41 +1100)] 
fips: add LMS description

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27885)

3 weeks agoFix indentation
Pauli [Sun, 12 Jan 2025 23:23:50 +0000 (10:23 +1100)] 
Fix indentation

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27885)

3 weeks agoAdd LMS documentation
slontis [Thu, 3 Oct 2024 07:52:49 +0000 (17:52 +1000)] 
Add LMS documentation

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27885)

3 weeks agoAdd LMS to the fips provider.
slontis [Tue, 1 Oct 2024 06:17:05 +0000 (16:17 +1000)] 
Add LMS to the fips provider.

This required the LMS keymanager to have an export function.
The self test will be provided by HSS, which covers the LMS case.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27885)

3 weeks agoAllow SHA256-192 to be used internally in the FIPS provider.
slontis [Mon, 30 Sep 2024 05:37:57 +0000 (15:37 +1000)] 
Allow SHA256-192 to be used internally in the FIPS provider.

Created an internal digest table that contains sha256_192.
Also moved the KECCAK_KMAC_128/256 entries to this internal table
since they are only used by KMAC.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27885)

3 weeks agoAdd LMS Signature verification.
slontis [Tue, 1 Oct 2024 02:35:43 +0000 (12:35 +1000)] 
Add LMS Signature verification.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27885)

3 weeks agoAdd LMS public key decoder.
slontis [Mon, 30 Sep 2024 16:38:58 +0000 (02:38 +1000)] 
Add LMS public key decoder.

This uses OSSL_DECODER_CTX_new_for_pkey().
"XDR" can be specified for the input type, and the key type is "LMS".

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27885)

3 weeks agoAdd base code to load a LMS public key.
slontis [Thu, 3 Oct 2024 01:16:15 +0000 (11:16 +1000)] 
Add base code to load a LMS public key.

This loads an XDR-encoded LMS public key.
It adds a simple LMS keymanager to import this key.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27885)

3 weeks agoAdd Configurable "lms" option
slontis [Thu, 3 Oct 2024 01:10:01 +0000 (11:10 +1000)] 
Add Configurable "lms" option

This option will be used by the base code for enabling
Leighton-Micali Signatures (LMS).

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27885)

3 weeks agoHKDF updates
Daniel Van Geest [Mon, 7 Apr 2025 11:21:47 +0000 (12:21 +0100)] 
HKDF updates

- prevent fixed-digest HKDF from having its digest changed
- implement gettable params in HKDF
- update fixed-digest HKDF tests

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27247)

3 weeks agoAdd fixed-digest HKDF documentation
Daniel Van Geest [Fri, 4 Apr 2025 09:25:48 +0000 (10:25 +0100)] 
Add fixed-digest HKDF documentation

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27247)

3 weeks agoAdd HKDF algorithms with fixed digests.
Daniel Van Geest [Thu, 3 Apr 2025 09:45:20 +0000 (10:45 +0100)] 
Add HKDF algorithms with fixed digests.

Add HKDF-SHA256, HKDF-SHA384 and HKDF-SHA512 which are versions
of HKDF that have the digest pre-set. The digest cannot be changed
for contexts of these types.

RFC 8619 defines algorithm identifiers for these combinations.
These algorithm identifiers will be used in future features, e.g.
KEMRecipientInfo.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27247)

3 weeks agoAddress coverity issue 1655295
Norbert Pocs [Tue, 8 Jul 2025 08:10:32 +0000 (10:10 +0200)] 
Address coverity issue 1655295

Fixes: https://github.com/openssl/project/issues/1267
Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27989)

3 weeks agoAddress coverity issue 1655294
Norbert Pocs [Tue, 8 Jul 2025 08:05:00 +0000 (10:05 +0200)] 
Address coverity issue 1655294

Fixes: https://github.com/openssl/project/issues/1267
Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27989)

3 weeks agoIntroduce SSL_OP_SERVER_PREFERENCE to replace SSL_OP_CIPHER_SERVER_PREFERENCE misnomer
Michael Baentsch [Mon, 7 Jul 2025 13:00:01 +0000 (15:00 +0200)] 
Introduce SSL_OP_SERVER_PREFERENCE to replace SSL_OP_CIPHER_SERVER_PREFERENCE misnomer

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27981)

3 weeks agoFixup non-optional use of IO::Socket::IP
Neil Horman [Tue, 1 Jul 2025 18:19:17 +0000 (14:19 -0400)] 
Fixup non-optional use of IO::Socket::IP

IO::Socket::IP is an optionally used package in our perl scripts, and a
recent change of mine used it unilaterally, causing breakage on older
perl installations.  Fix it up to use it optionally again, falling back
to IO::Socket::INET when needed.

Fixes #27940

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27941)

3 weeks agoUpdate rpki-client-portable to fix build
Theo Buehler [Wed, 9 Jul 2025 09:33:57 +0000 (11:33 +0200)] 
Update rpki-client-portable to fix build

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28004)

4 weeks agocrypto/slh_dsa/slh_hash.c: Add check for EVP_MD_get_size()
Jiasheng Jiang [Thu, 26 Jun 2025 00:58:51 +0000 (00:58 +0000)] 
crypto/slh_dsa/slh_hash.c: Add check for EVP_MD_get_size()

Add the check for the return value of EVP_MD_get_size() to avoid invalid size.

Fixes: 2f9e152d86 ("Add SLH_DSA signature verification.")
Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27900)