[openssl] OpenSSL_1_1_1-stable update

2022-02-09 Thread bernd . edlinger
The branch OpenSSL_1_1_1-stable has been updated
   via  0418e993c717a6863f206feaa40673a261de7395 (commit)
   via  38ac4415a9cc4cca307c866e5fc548b889fe2bb6 (commit)
  from  8aa353679f0ad72f478a4800c22ad30f6b972370 (commit)


- Log -
commit 0418e993c717a6863f206feaa40673a261de7395
Author: Bernd Edlinger 
Date:   Sun Jan 16 17:59:17 2022 +0100

Check for presence of 3.x openssl runtime

If the newly loaded engine contains the symbol
EVP_PKEY_get_base_id, we know it is linked to 3.x openssl.
Abort loading this engine, as it will definitely crash.

Reviewed-by: Richard Levitte 
Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/17541)

commit 38ac4415a9cc4cca307c866e5fc548b889fe2bb6
Author: Bernd Edlinger 
Date:   Mon Nov 22 21:50:04 2021 +0100

Prevent crash with engine using different openssl runtime

This problem happens usually because an application
links libcrypto and/or libssl statically which
installs an atexit handler, but later an engine using
a shared instance of libcrypto is installed.
The problem is in simple words that both instances
of libcrypto have an atexit handler installed,
but both are unable to coordinate with each other,
which causes a crash, typically a use-after-free
in the engine's destroy function.

Work around that by preventing the engine's
libcrypto from installing the atexit handler.
This may result in a small memory leak, but that
memory is still reachable.

Fixes #15898

Reviewed-by: Richard Levitte 
Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/17541)

---

Summary of changes:
 crypto/engine/eng_dyn.c  | 11 ++-
 include/openssl/engine.h |  1 +
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/crypto/engine/eng_dyn.c b/crypto/engine/eng_dyn.c
index 87c762edb8..b2c34b8da4 100644
--- a/crypto/engine/eng_dyn.c
+++ b/crypto/engine/eng_dyn.c
@@ -443,8 +443,17 @@ static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx)
  * We fail if the version checker veto'd the load *or* if it is
  * deferring to us (by returning its version) and we think it is too
  * old.
+ * Unfortunately the version checker does not distinguish between
+ * engines built for openssl 1.1.x and openssl 3.x, but loading
+ * an engine that is built for openssl 3.x will cause a fatal
+ * error.  Detect such engines, since EVP_PKEY_get_base_id is exported
+ * as a function in openssl 3.x, while it is named EVP_PKEY_base_id
+ * in openssl 1.1.x.  Therefore we take the presence of that symbol
+ * as an indication that the engine will be incompatible.
  */
-if (vcheck_res < OSSL_DYNAMIC_OLDEST) {
+if (vcheck_res < OSSL_DYNAMIC_OLDEST
+|| DSO_bind_func(ctx->dynamic_dso,
+ "EVP_PKEY_get_base_id") != NULL) {
 /* Fail */
 ctx->bind_engine = NULL;
 ctx->v_check = NULL;
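Review bot: the new `||` arm sends an engine rejected for exporting EVP_PKEY_get_base_id through the same /* Fail */ branch as one whose vcheck_res is below OSSL_DYNAMIC_OLDEST, so whoever reads the resulting error cannot tell an OpenSSL 3.x engine from one that is simply too old. Consider testing the symbol in its own branch and attaching error data that names the 3.x mismatch. The comment should also say that the probe is a heuristic: it only works when the engine's DSO makes that symbol resolvable through ctx->dynamic_dso.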
diff --git a/include/openssl/engine.h b/include/openssl/engine.h
index 0780f0fb5f..756751c6d3 100644
--- a/include/openssl/engine.h
+++ b/include/openssl/engine.h
@@ -722,6 +722,7 @@ typedef int (*dynamic_bind_engine) (ENGINE *e, const char 
*id,
 CRYPTO_set_mem_functions(fns->mem_fns.malloc_fn, \
  fns->mem_fns.realloc_fn, \
  fns->mem_fns.free_fn); \
+OPENSSL_init_crypto(OPENSSL_INIT_NO_ATEXIT, NULL); \
 skip_cbs: \
 if (!fn(e, id)) return 0; \
 return 1; }
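Review bot: the added OPENSSL_init_crypto(OPENSSL_INIT_NO_ATEXIT, NULL) line has no comment and its return value is discarded, so a reader of the macro cannot tell why the engine's libcrypto is initialised here or what happens if that call fails. A one-line comment saying that this keeps the engine's own libcrypto from registering an atexit handler would make the intent visible. It is also worth noting in that comment that the call sits before the skip_cbs label, so any path that jumps to the label bypasses it.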


[openssl] OpenSSL_1_1_1-stable update

2022-02-09 Thread Dr . Paul Dale
The branch OpenSSL_1_1_1-stable has been updated
   via  8aa353679f0ad72f478a4800c22ad30f6b972370 (commit)
  from  191c9e6c242b85184b72ccd52d2d9af5e1122637 (commit)


- Log -
commit 8aa353679f0ad72f478a4800c22ad30f6b972370
Author: Pauli 
Date:   Tue Feb 1 12:37:25 2022 +1100

scrypt: increase memory usage beyond limit

This brings these tests in line with 3.0 and master and makes them
fail correctly.

Fixes #17612

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/17619)

---

Summary of changes:
 test/recipes/30-test_evp_data/evpkdf.txt | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/test/recipes/30-test_evp_data/evpkdf.txt 
b/test/recipes/30-test_evp_data/evpkdf.txt
index 34c7e6ae65..2824cb2f16 100644
--- a/test/recipes/30-test_evp_data/evpkdf.txt
+++ b/test/recipes/30-test_evp_data/evpkdf.txt
@@ -294,12 +294,12 @@ Ctrl.r = r:8
 Ctrl.p = p:1
 Output = 
7023bdcb3afd7348461c06cd81fd38ebfda8fbba904f8e3ea9b543f6545da1f2d5432955613f0fcf62d49705242a9af9e61e85dc0d651e40dfcf017b45575887
 
-# Out of memory
+# Out of memory - request > 2 GB of memory
 KDF = scrypt
 Ctrl.pass = pass:pleaseletmein
 Ctrl.salt = salt:SodiumChloride
-Ctrl.N = N:1048576
+Ctrl.N = N:2097152
 Ctrl.r = r:8
 Ctrl.p = p:1
-Result = KDF_MISMATCH
+Result = KDF_DERIVE_ERROR
 
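Review bot: the new comment says the request exceeds 2 GB, but with N:2097152 and r:8 the main scrypt array is 128 * r * N = 2 GiB exactly, so the request is over 2 GB only by the smaller working buffers. The stanza also does not set or name the memory limit that KDF_DERIVE_ERROR depends on. Say in the comment which limit is expected to reject the request, so the test does not silently change meaning if that limit moves.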


[openssl] OpenSSL_1_1_1-stable update

2022-02-06 Thread Dr . Paul Dale
The branch OpenSSL_1_1_1-stable has been updated
   via  191c9e6c242b85184b72ccd52d2d9af5e1122637 (commit)
  from  624f858c82a05c41c3185785a3a4a396a7e23161 (commit)


- Log -
commit 191c9e6c242b85184b72ccd52d2d9af5e1122637
Author: Thomas1664 <46387399+thomas1...@users.noreply.github.com>
Date:   Thu Jan 20 10:02:59 2022 +0100

Correct return type for BIO_ptr_ctrl

Fixes #17549
CLA: trivial

Reviewed-by: Tomas Mraz 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/17636)

(cherry picked from commit 984cc9a0284ee4800862aa305f9f178827baf459)

---

Summary of changes:
 doc/man3/BIO_ctrl.pod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/man3/BIO_ctrl.pod b/doc/man3/BIO_ctrl.pod
index 2e438c3ce9..a87abc7994 100644
--- a/doc/man3/BIO_ctrl.pod
+++ b/doc/man3/BIO_ctrl.pod
@@ -16,7 +16,7 @@ BIO_get_info_callback, BIO_set_info_callback, BIO_info_cb
 
  long BIO_ctrl(BIO *bp, int cmd, long larg, void *parg);
  long BIO_callback_ctrl(BIO *b, int cmd, BIO_info_cb *cb);
- char *BIO_ptr_ctrl(BIO *bp, int cmd, long larg);
+ void *BIO_ptr_ctrl(BIO *bp, int cmd, long larg);
  long BIO_int_ctrl(BIO *bp, int cmd, long larg, int iarg);
 
  int BIO_reset(BIO *b);


[openssl] OpenSSL_1_1_1-stable update

2022-02-06 Thread Richard Levitte
The branch OpenSSL_1_1_1-stable has been updated
   via  624f858c82a05c41c3185785a3a4a396a7e23161 (commit)
  from  b728ac98f23d7b32959ca26f1a40e843b7b969a3 (commit)


- Log -
commit 624f858c82a05c41c3185785a3a4a396a7e23161
Author: Richard Levitte 
Date:   Fri Feb 4 14:43:18 2022 +0100

Don't link test/ec_internal_test with libapps.a

It's not at all necessary, and on some platforms, it's disruptive
(leads to unresolved symbols because of object files that get included
in the link that depend on libssl).

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/17637)

---

Summary of changes:
 test/build.info | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/build.info b/test/build.info
index 726bd22127..6357a7f2fe 100644
--- a/test/build.info
+++ b/test/build.info
@@ -519,7 +519,7 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN
  {- rebase_files("../apps",
   split(/\s+/, $target{apps_init_src})) -}
 INCLUDE[ec_internal_test]=../include ../crypto/ec
-DEPEND[ec_internal_test]=../apps/libapps.a ../libcrypto.a libtestutil.a
+DEPEND[ec_internal_test]=../libcrypto.a libtestutil.a
 
 SOURCE[curve448_internal_test]=curve448_internal_test.c
 INCLUDE[curve448_internal_test]=.. ../include ../crypto/ec/curve448


[openssl] OpenSSL_1_1_1-stable update

2022-02-03 Thread tomas
The branch OpenSSL_1_1_1-stable has been updated
   via  b728ac98f23d7b32959ca26f1a40e843b7b969a3 (commit)
  from  7349bf14be158ed8190d7d94dad5c6dec22e4908 (commit)


- Log -
commit b728ac98f23d7b32959ca26f1a40e843b7b969a3
Author: Juan Manuel Guerrero 
Date:   Wed Feb 2 00:41:02 2022 +0100

Fix builds with DJGPP

CLA: trivial

To get the master branch compiled with DJGPP some minor
adjustments are required. They will have no impact on any other ports.
The DJGPP port uses the Watt-32 library to provide the required network
functionality and some of its headers need to be included.

Neither DJGPP nor the Watt-32 library provide in_addr_t thus it must be
provided as it is done for OPENSSL_SYS_WINDOWS in crypto/bio/b_addr.c.

In the DJGPP section of include/internal/sockets.h the following Watt-32
headers must be added:

  -  arpa/inet.h: to provide declaration of inet_ntoa required in 
crypto/bio/b_addr.c
  -  netinet/tcp.h: to provide definition of TCP_NODELAY required in 
crypto/bio/b_sock2.c

Reviewed-by: Matt Caswell 
Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/17623)

(cherry picked from commit b9b211fcb6b9068ef1d8729a4971fbe693fd2cde)

---

Summary of changes:
 crypto/bio/b_addr.c| 2 +-
 include/internal/sockets.h | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/crypto/bio/b_addr.c b/crypto/bio/b_addr.c
index 8ea32bce40..2e0c9d77ac 100644
--- a/crypto/bio/b_addr.c
+++ b/crypto/bio/b_addr.c
@@ -744,7 +744,7 @@ int BIO_lookup_ex(const char *host, const char *service, 
int lookup_type,
 # pragma pointer_size 32
 #endif
 /* Windows doesn't seem to have in_addr_t */
-#ifdef OPENSSL_SYS_WINDOWS
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
 static uint32_t he_fallback_address;
 static const char *he_fallback_addresses[] =
 { (char *)_fallback_address, NULL };
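Review bot: the comment above the changed #if still reads "Windows doesn't seem to have in_addr_t" although the condition now also covers OPENSSL_SYS_MSDOS. Update the comment to name both platforms so the stated reason for the fallback stays accurate.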
diff --git a/include/internal/sockets.h b/include/internal/sockets.h
index 39186efef2..7f3b8ea85d 100644
--- a/include/internal/sockets.h
+++ b/include/internal/sockets.h
@@ -30,6 +30,8 @@
 #   include 
 #   include 
 #   include 
+#   include 
+#   include 
 #  elif defined(_WIN32_WCE) && _WIN32_WCE<410
 #   define getservbyname _masked_declaration_getservbyname
 #  endif


[openssl] OpenSSL_1_1_1-stable update

2022-02-02 Thread Matt Caswell
The branch OpenSSL_1_1_1-stable has been updated
   via  7349bf14be158ed8190d7d94dad5c6dec22e4908 (commit)
   via  aaa583758ff42a5443ac853b19b6158791bbb8e1 (commit)
   via  588702d59995d29be00d4f3e2d9573ae4f3f11f9 (commit)
  from  0b13bd04d66d48490e7b27167b27b0086143 (commit)


- Log -
commit 7349bf14be158ed8190d7d94dad5c6dec22e4908
Author: Matt Caswell 
Date:   Thu Jan 13 15:16:39 2022 +

Document purpose and trust setting functions

In particular:
X509_STORE_CTX_set_purpose()
X509_STORE_CTX_set_trust();
X509_STORE_CTX_purpose_inherit();

Reviewed-by: Shane Lontis 
(Merged from https://github.com/openssl/openssl/pull/17604)

commit aaa583758ff42a5443ac853b19b6158791bbb8e1
Author: Matt Caswell 
Date:   Thu Dec 30 16:38:28 2021 +

Add a test for X509_STORE_CTX_set_purpose()

This function was previously incorrectly failing if it is called with
X509_PURPOSE_ANY. Add a test to catch this.

Reviewed-by: Shane Lontis 
(Merged from https://github.com/openssl/openssl/pull/17604)

commit 588702d59995d29be00d4f3e2d9573ae4f3f11f9
Author: Matt Caswell 
Date:   Thu Dec 30 16:37:06 2021 +

Ensure X509_STORE_CTX_purpose_inherit handles a 0 default purpose

The function X509_STORE_CTX_purpose_inherit() can be called with a 0
default purpose. If the main purpose was set to X509_PURPOSE_ANY this
would cause the function to incorrectly return an error response.

Fixes #17367

Reviewed-by: Shane Lontis 
(Merged from https://github.com/openssl/openssl/pull/17604)

---

Summary of changes:
 crypto/x509/x509_vfy.c  |  11 ++--
 doc/man3/X509_STORE_CTX_new.pod |  69 +-
 test/recipes/70-test_verify_extra.t |   7 +--
 test/verify_extra_test.c| 114 +---
 4 files changed, 181 insertions(+), 20 deletions(-)

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index e404fcc602..c084aea7a7 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -2201,6 +2201,12 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, 
int def_purpose,
 /* If purpose not set use default */
 if (!purpose)
 purpose = def_purpose;
+/*
+ * If purpose is set but we don't have a default then set the default to
+ * the current purpose
+ */
+else if (def_purpose == 0)
+def_purpose = purpose;
 /* If we have a purpose then check it is valid */
 if (purpose) {
 X509_PURPOSE *ptmp;
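Review bot: the new else if (def_purpose == 0) is attached to the unbraced if (!purpose), with a block comment sitting between the if body and the else, which makes the pairing easy to misread. Bracing both arms, or moving the comment inside the else arm, would make it clear that def_purpose is only overwritten when purpose was already set.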
@@ -2213,11 +2219,6 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, 
int def_purpose,
 ptmp = X509_PURPOSE_get0(idx);
 if (ptmp->trust == X509_TRUST_DEFAULT) {
 idx = X509_PURPOSE_get_by_id(def_purpose);
-/*
- * XXX: In the two callers above def_purpose is always 0, which is
- * not a known value, so idx will always be -1.  How is the
- * X509_TRUST_DEFAULT case actually supposed to be handled?
- */
 if (idx == -1) {
 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
 X509_R_UNKNOWN_PURPOSE_ID);
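Review bot: deleting the XXX comment leaves the idx == -1 check without any explanation of when it can still fire. Since the earlier hunk now copies purpose into def_purpose when no default is given, a short replacement comment saying that the lookup falls back to the current purpose in that case would keep the reasoning next to the code it applies to.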
diff --git a/doc/man3/X509_STORE_CTX_new.pod b/doc/man3/X509_STORE_CTX_new.pod
index aba7fff781..bd179e6274 100644
--- a/doc/man3/X509_STORE_CTX_new.pod
+++ b/doc/man3/X509_STORE_CTX_new.pod
@@ -11,7 +11,10 @@ X509_STORE_CTX_get0_untrusted, X509_STORE_CTX_set0_untrusted,
 X509_STORE_CTX_get_num_untrusted,
 X509_STORE_CTX_set_default,
 X509_STORE_CTX_set_verify,
-X509_STORE_CTX_verify_fn
+X509_STORE_CTX_verify_fn,
+X509_STORE_CTX_set_purpose,
+X509_STORE_CTX_set_trust,
+X509_STORE_CTX_purpose_inherit
 - X509_STORE_CTX initialisation
 
 =head1 SYNOPSIS
@@ -44,6 +47,11 @@ X509_STORE_CTX_verify_fn
  typedef int (*X509_STORE_CTX_verify_fn)(X509_STORE_CTX *);
  void X509_STORE_CTX_set_verify(X509_STORE_CTX *ctx, X509_STORE_CTX_verify_fn 
verify);
 
+ int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose);
+ int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust);
+ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
+int purpose, int trust);
+
 =head1 DESCRIPTION
 
 These functions initialise an B structure for subsequent use
@@ -120,6 +128,65 @@ following signature:
 This function should receive the current X509_STORE_CTX as a parameter and
 return 1 on success or 0 on failure.
 
+X509 certificates may contain information about what purposes keys contained
+within them can be used for. For example "TLS WWW Server Authentication" or
+"Email Protection". This "key usage" information is held internally to the
+certificate itself. In addition the trust store containing trusted certificates
+can declare what purposes we trust different certificates for. This "trust"
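Review bot: the added paragraph labels "TLS WWW Server Authentication" and "Email Protection" as "key usage" information, but those are extended key usage values, and X.509 has a separate keyUsage extension. Wording this as extended key usage, or simply as the certificate's purposes, would avoid sending readers to the wrong extension.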

[openssl] OpenSSL_1_1_1-stable update

2022-01-27 Thread tomas
The branch OpenSSL_1_1_1-stable has been updated
   via  0b13bd04d66d48490e7b27167b27b0086143 (commit)
  from  4c5c2a5efbc315d7926cafbd5a19044ee3e087fa (commit)


- Log -
commit 0b13bd04d66d48490e7b27167b27b0086143
Author: Tomas Mraz 
Date:   Tue Jan 25 17:14:52 2022 +0100

lhash: Avoid 32 bit right shift of a 32 bit value

Fixes #17583

Reviewed-by: Matt Caswell 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/17589)

(cherry picked from commit 2ce0a3d19005271e7e3c351b562d9da93e2d4c80)

---

Summary of changes:
 crypto/lhash/lhash.c | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/crypto/lhash/lhash.c b/crypto/lhash/lhash.c
index 9dc887d91e..7918a74eed 100644
--- a/crypto/lhash/lhash.c
+++ b/crypto/lhash/lhash.c
@@ -343,7 +343,8 @@ unsigned long OPENSSL_LH_strhash(const char *c)
 v = n | (*c);
 n += 0x100;
 r = (int)((v >> 2) ^ v) & 0x0f;
-ret = (ret << r) | (ret >> (32 - r));
+/* cast to uint64_t to avoid 32 bit shift of 32 bit value */
+ret = (ret << r) | (unsigned long)((uint64_t)ret >> (32 - r));
 ret &= 0xL;
 ret ^= v * v;
 c++;
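Review bot: the new comment says what the cast avoids but not when it happens. The right shift is by 32 - r, so it reaches 32 only when r is 0, which is undefined where unsigned long is 32 bits wide. Stating that in the comment would show why the cast is needed and that the result for r == 0 is intended.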
@@ -364,7 +365,8 @@ unsigned long openssl_lh_strcasehash(const char *c)
 for (n = 0x100; *c != '\0'; n += 0x100) {
 v = n | ossl_tolower(*c);
 r = (int)((v >> 2) ^ v) & 0x0f;
-ret = (ret << r) | (ret >> (32 - r));
+/* cast to uint64_t to avoid 32 bit shift of 32 bit value */
+ret = (ret << r) | (unsigned long)((uint64_t)ret >> (32 - r));
 ret &= 0xL;
 ret ^= v * v;
 c++;
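Review bot: this is the same two-line rotate fix as in OPENSSL_LH_strhash, comment included. A small static helper shared by both functions would keep the two hash loops from drifting apart if the rotate is touched again.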


[openssl] OpenSSL_1_1_1-stable update

2022-01-13 Thread Matt Caswell
The branch OpenSSL_1_1_1-stable has been updated
   via  4c5c2a5efbc315d7926cafbd5a19044ee3e087fa (commit)
   via  93dd7ab35f6ccfb8bde7a7a6e38ea5817c5b54e2 (commit)
  from  5e7098e11581b6b3a4083a1c17889ed817e8ac22 (commit)


- Log -
commit 4c5c2a5efbc315d7926cafbd5a19044ee3e087fa
Author: Matt Caswell 
Date:   Wed Dec 29 16:39:11 2021 +

Add a test for a custom digest created via EVP_MD_meth_new()

We check that the init and cleanup functions for the custom method are
called as expected.

Based on an original reproducer by Dmitry Belyavsky from issue #17149.

Reviewed-by: Paul Dale 
Reviewed-by: Bernd Edlinger 
(Merged from https://github.com/openssl/openssl/pull/17472)

commit 93dd7ab35f6ccfb8bde7a7a6e38ea5817c5b54e2
Author: Matt Caswell 
Date:   Fri Dec 10 17:17:27 2021 +

Fix a leak in EVP_DigestInit_ex()

If an EVP_MD_CTX is reused then memory allocated and stored in md_data
can be leaked unless the EVP_MD's cleanup function is called.

Fixes #17149

Reviewed-by: Paul Dale 
Reviewed-by: Bernd Edlinger 
(Merged from https://github.com/openssl/openssl/pull/17472)

---

Summary of changes:
 crypto/evp/digest.c   | 32 +
 test/evp_extra_test.c | 78 +++
 2 files changed, 99 insertions(+), 11 deletions(-)

diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
index d1bfa274ca..41ecdd8e5a 100644
--- a/crypto/evp/digest.c
+++ b/crypto/evp/digest.c
@@ -15,6 +15,22 @@
 #include "crypto/evp.h"
 #include "evp_local.h"
 
+
+static void cleanup_old_md_data(EVP_MD_CTX *ctx, int force)
+{
+if (ctx->digest != NULL) {
+if (ctx->digest->cleanup != NULL
+&& !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_CLEANED))
+ctx->digest->cleanup(ctx);
+if (ctx->md_data != NULL && ctx->digest->ctx_size > 0
+&& (!EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_REUSE)
+|| force)) {
+OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size);
+ctx->md_data = NULL;
+}
+}
+}
+
 /* This call frees resources associated with the context */
 int EVP_MD_CTX_reset(EVP_MD_CTX *ctx)
 {
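Review bot: the new cleanup_old_md_data() takes a force argument with no comment saying what it overrides. From the body it only bypasses the EVP_MD_CTX_FLAG_REUSE test for freeing md_data, while the cleanup callback runs regardless of it; a short header comment stating that would help. The helper also calls ctx->digest->cleanup without setting EVP_MD_CTX_FLAG_CLEANED afterwards, so it is worth confirming that a second call on the same context cannot run the callback twice.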
@@ -25,13 +41,8 @@ int EVP_MD_CTX_reset(EVP_MD_CTX *ctx)
  * Don't assume ctx->md_data was cleaned in EVP_Digest_Final, because
  * sometimes only copies of the context are ever finalised.
  */
-if (ctx->digest && ctx->digest->cleanup
-&& !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_CLEANED))
-ctx->digest->cleanup(ctx);
-if (ctx->digest && ctx->digest->ctx_size && ctx->md_data
-&& !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_REUSE)) {
-OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size);
-}
+cleanup_old_md_data(ctx, 0);
+
 /*
  * pctx should be freed by the user of EVP_MD_CTX
  * if EVP_MD_CTX_FLAG_KEEP_PKEY_CTX is set
@@ -76,6 +87,7 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, 
ENGINE *impl)
 if (ctx->engine && ctx->digest &&
 (type == NULL || (type->type == ctx->digest->type)))
 goto skip_to_init;
+
 if (type) {
 /*
  * Ensure an ENGINE left lying around from last time is cleared (the
@@ -119,10 +131,8 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, 
ENGINE *impl)
 }
 #endif
 if (ctx->digest != type) {
-if (ctx->digest && ctx->digest->ctx_size) {
-OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size);
-ctx->md_data = NULL;
-}
+cleanup_old_md_data(ctx, 1);
+
 ctx->digest = type;
 if (!(ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) && type->ctx_size) {
 ctx->update = type->update;
diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
index e4a0b180d7..538bff4659 100644
--- a/test/evp_extra_test.c
+++ b/test/evp_extra_test.c
@@ -1762,6 +1762,83 @@ static int test_EVP_PKEY_set1_DH(void)
 }
 #endif /* OPENSSL_NO_DH */
 
+typedef struct {
+int data;
+} custom_dgst_ctx;
+
+static int custom_md_init_called = 0;
+static int custom_md_cleanup_called = 0;
+
+static int custom_md_init(EVP_MD_CTX *ctx)
+{
+custom_dgst_ctx *p = EVP_MD_CTX_md_data(ctx);
+
+if (p == NULL)
+return 0;
+
+custom_md_init_called++;
+return 1;
+}
+
+static int custom_md_cleanup(EVP_MD_CTX *ctx)
+{
+custom_dgst_ctx *p = EVP_MD_CTX_md_data(ctx);
+
+if (p == NULL)
+/* Nothing to do */
+return 1;
+
+custom_md_cleanup_called++;
+return 1;
+}
+
+static int test_custom_md_meth(void)
+{
+EVP_MD_CTX *mdctx = NULL;
+EVP_MD *tmp = NULL;
+char mess[] = "Test Message\n";
+unsigned char md_value[EVP_MAX_MD_SIZE];
+unsigned int md_len;
+int testresult = 0;
+int nid;
+
+custom_md_init_called = 

[openssl] OpenSSL_1_1_1-stable update

2022-01-12 Thread bernd . edlinger
The branch OpenSSL_1_1_1-stable has been updated
   via  5e7098e11581b6b3a4083a1c17889ed817e8ac22 (commit)
  from  f4942134815f95845706993c15ca7e4fd6e44627 (commit)


- Log -
commit 5e7098e11581b6b3a4083a1c17889ed817e8ac22
Author: Bernd Edlinger 
Date:   Tue Jan 11 12:10:35 2022 +0100

Remove unsafe call to OPENSSL_cpuid_setup

This function is inherently thread-unsafe,
and moreover it is unnecessary here, because
OPENSSL_init_crypto always calls it in a thread-safe way.

Reviewed-by: Matt Caswell 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/17468)

---

Summary of changes:
 crypto/engine/eng_all.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/crypto/engine/eng_all.c b/crypto/engine/eng_all.c
index b675ed7892..c570aeda3d 100644
--- a/crypto/engine/eng_all.c
+++ b/crypto/engine/eng_all.c
@@ -12,9 +12,6 @@
 
 void ENGINE_load_builtin_engines(void)
 {
-/* Some ENGINEs need this */
-OPENSSL_cpuid_setup();
-
 OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL);
 }
 
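Review bot: with the OPENSSL_cpuid_setup() call and its "Some ENGINEs need this" comment removed, nothing in the function records that the engines' requirement is now met by OPENSSL_init_crypto(). A one-line comment to that effect would stop the direct call from being reintroduced later.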


[openssl] OpenSSL_1_1_1-stable update

2022-01-08 Thread bernd . edlinger
The branch OpenSSL_1_1_1-stable has been updated
   via  f4942134815f95845706993c15ca7e4fd6e44627 (commit)
  from  52d9a1d0448432182a5fab0753c236b29819a2a5 (commit)


- Log -
commit f4942134815f95845706993c15ca7e4fd6e44627
Author: Bernd Edlinger 
Date:   Fri Jan 7 10:18:58 2022 +0100

Fix password_callback to handle short passwords

Fixes #17426

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/17439)

---

Summary of changes:
 apps/apps.c   | 8 ++--
 test/recipes/15-test_genrsa.t | 7 ++-
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/apps/apps.c b/apps/apps.c
index c06241abb9..531fbec551 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -300,9 +300,13 @@ int password_callback(char *buf, int bufsiz, int verify, 
PW_CB_DATA *cb_tmp)
 int ui_flags = 0;
 const char *prompt_info = NULL;
 char *prompt;
+int pw_min_len = PW_MIN_LENGTH;
 
 if (cb_data != NULL && cb_data->prompt_info != NULL)
 prompt_info = cb_data->prompt_info;
+if (cb_data != NULL && cb_data->password != NULL
+&& *(const char*)cb_data->password != '\0')
+pw_min_len = 1;
 prompt = UI_construct_prompt(ui, "pass phrase", prompt_info);
 if (!prompt) {
 BIO_printf(bio_err, "Out of memory\n");
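Review bot: the block that sets pw_min_len = 1 has no comment explaining why a password already supplied in cb_data lifts PW_MIN_LENGTH, which is the whole point of the fix. Add one, and write the cast as (const char *) with a space before the asterisk to match the surrounding declarations such as const char *prompt_info.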
@@ -317,12 +321,12 @@ int password_callback(char *buf, int bufsiz, int verify, 
PW_CB_DATA *cb_tmp)
 (void)UI_add_user_data(ui, cb_data);
 
 ok = UI_add_input_string(ui, prompt, ui_flags, buf,
- PW_MIN_LENGTH, bufsiz - 1);
+ pw_min_len, bufsiz - 1);
 
 if (ok >= 0 && verify) {
 buff = app_malloc(bufsiz, "password buffer");
 ok = UI_add_verify_string(ui, prompt, ui_flags, buff,
-  PW_MIN_LENGTH, bufsiz - 1, buf);
+  pw_min_len, bufsiz - 1, buf);
 }
 if (ok >= 0)
 do {
diff --git a/test/recipes/15-test_genrsa.t b/test/recipes/15-test_genrsa.t
index e16a9a4042..c9bc6bdc8a 100644
--- a/test/recipes/15-test_genrsa.t
+++ b/test/recipes/15-test_genrsa.t
@@ -16,7 +16,7 @@ use OpenSSL::Test::Utils;
 
 setup("test_genrsa");
 
-plan tests => 5;
+plan tests => 7;
 
 # We want to know that an absurdly small number of bits isn't support
 is(run(app([ 'openssl', 'genrsa', '-3', '-out', 'genrsatest.pem', '8'])), 0, 
"genrsa -3 8");
@@ -52,3 +52,8 @@ ok(run(app([ 'openssl', 'genrsa', '-f4', '-out', 
'genrsatest.pem', $good ])),
"genrsa -f4 $good");
 ok(run(app([ 'openssl', 'rsa', '-check', '-in', 'genrsatest.pem', '-noout' ])),
"rsa -check");
+ok(run(app([ 'openssl', 'rsa', '-in', 'genrsatest.pem', '-out', 
'genrsatest-enc.pem',
+   '-aes256', '-passout', 'pass:x' ])),
+   "rsa encrypt");
+ok(run(app([ 'openssl', 'rsa', '-in', 'genrsatest-enc.pem', '-passin', 
'pass:x' ])),
+   "rsa decrypt");
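Review bot: the new "rsa decrypt" test runs openssl rsa with -passin but without -out or -noout, so the decrypted private key is written to the test's standard output. The "rsa -check" test just above passes -noout; doing the same here keeps key material out of the test log while still exercising the one-character pass:x password.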


[openssl] OpenSSL_1_1_1-stable update

2022-01-05 Thread tomas
The branch OpenSSL_1_1_1-stable has been updated
   via  52d9a1d0448432182a5fab0753c236b29819a2a5 (commit)
  from  dd05385e36582f34e691b1350dd7daf74df5cc90 (commit)


- Log -
commit 52d9a1d0448432182a5fab0753c236b29819a2a5
Author: Tomas Mraz 
Date:   Tue Dec 28 13:32:57 2021 +0100

close_console: Always unlock as the lock is always held

Fixes #17364

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/17395)

---

Summary of changes:
 crypto/ui/ui_openssl.c | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/crypto/ui/ui_openssl.c b/crypto/ui/ui_openssl.c
index 9526c16536..eab29e288d 100644
--- a/crypto/ui/ui_openssl.c
+++ b/crypto/ui/ui_openssl.c
@@ -572,6 +572,8 @@ static int echo_console(UI *ui)
 
 static int close_console(UI *ui)
 {
+int ret = 1;
+
 if (tty_in != stdin)
 fclose(tty_in);
 if (tty_out != stderr)
@@ -584,12 +586,12 @@ static int close_console(UI *ui)
 BIO_snprintf(tmp_num, sizeof(tmp_num) - 1, "%%X%08X", status);
 UIerr(UI_F_CLOSE_CONSOLE, UI_R_SYSDASSGN_ERROR);
 ERR_add_error_data(2, "status=", tmp_num);
-return 0;
+ret = 0;
 }
 # endif
 CRYPTO_THREAD_unlock(ui->lock);
 
-return 1;
+return ret;
 }
 
 # if !defined(OPENSSL_SYS_WINCE)


[openssl] OpenSSL_1_1_1-stable update

2022-01-05 Thread tomas
The branch OpenSSL_1_1_1-stable has been updated
   via  dd05385e36582f34e691b1350dd7daf74df5cc90 (commit)
  from  692520a1fede55001dbce23618f992b4042ebbae (commit)


- Log -
commit dd05385e36582f34e691b1350dd7daf74df5cc90
Author: Peiwei Hu 
Date:   Tue Jan 4 09:10:32 2022 +0800

apps/passwd.c: free before error exiting

use goto instead of returning directly while error handling

Signed-off-by: Peiwei Hu 

Reviewed-by: Ben Kaduk 
Reviewed-by: Paul Dale 
Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/17404)

(cherry picked from commit ea4d16bc60dee53feb71997c1e78379eeb69b7ac)

---

Summary of changes:
 apps/passwd.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/apps/passwd.c b/apps/passwd.c
index d741d05335..2a4199d080 100644
--- a/apps/passwd.c
+++ b/apps/passwd.c
@@ -407,7 +407,7 @@ static char *md5crypt(const char *passwd, const char 
*magic, const char *salt)
 n >>= 1;
 }
 if (!EVP_DigestFinal_ex(md, buf, NULL))
-return NULL;
+goto err;
 
 for (i = 0; i < 1000; i++) {
 if (!EVP_DigestInit_ex(md2, EVP_md5(), NULL))
@@ -633,7 +633,7 @@ static char *shacrypt(const char *passwd, const char 
*magic, const char *salt)
 n >>= 1;
 }
 if (!EVP_DigestFinal_ex(md, buf, NULL))
-return NULL;
+goto err;
 
 /* P sequence */
 if (!EVP_DigestInit_ex(md2, sha, NULL))
@@ -644,7 +644,7 @@ static char *shacrypt(const char *passwd, const char 
*magic, const char *salt)
 goto err;
 
 if (!EVP_DigestFinal_ex(md2, temp_buf, NULL))
-return NULL;
+goto err;
 
 if ((p_bytes = OPENSSL_zalloc(passwd_len)) == NULL)
 goto err;
@@ -661,7 +661,7 @@ static char *shacrypt(const char *passwd, const char 
*magic, const char *salt)
 goto err;
 
 if (!EVP_DigestFinal_ex(md2, temp_buf, NULL))
-return NULL;
+goto err;
 
 if ((s_bytes = OPENSSL_zalloc(salt_len)) == NULL)
 goto err;


[openssl] OpenSSL_1_1_1-stable update

2022-01-04 Thread dev
The branch OpenSSL_1_1_1-stable has been updated
   via  692520a1fede55001dbce23618f992b4042ebbae (commit)
  from  4623700d4eaaa250b49032768be2e97a147f3a1e (commit)


- Log -
commit 692520a1fede55001dbce23618f992b4042ebbae
Author: Dr. David von Oheimb 
Date:   Mon Jan 3 13:40:55 2022 +0100

Update troublesome copyright years of auto-generated files to 2022

Reviewed-by: Tomas Mraz 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/17401)

---

Summary of changes:
 crypto/asn1/charmap.h | 2 +-
 crypto/bn/bn_prime.h  | 2 +-
 crypto/conf/conf_def.h| 2 +-
 crypto/objects/obj_dat.h  | 2 +-
 crypto/objects/obj_xref.h | 2 +-
 include/openssl/obj_mac.h | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/crypto/asn1/charmap.h b/crypto/asn1/charmap.h
index e234c9e615..5630291bd5 100644
--- a/crypto/asn1/charmap.h
+++ b/crypto/asn1/charmap.h
@@ -2,7 +2,7 @@
  * WARNING: do not edit!
  * Generated by crypto/asn1/charmap.pl
  *
- * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/crypto/bn/bn_prime.h b/crypto/bn/bn_prime.h
index 1a25c28577..8f2d7e995a 100644
--- a/crypto/bn/bn_prime.h
+++ b/crypto/bn/bn_prime.h
@@ -2,7 +2,7 @@
  * WARNING: do not edit!
  * Generated by crypto/bn/bn_prime.pl
  *
- * Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1998-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/crypto/conf/conf_def.h b/crypto/conf/conf_def.h
index 1e4a03e10b..0490236287 100644
--- a/crypto/conf/conf_def.h
+++ b/crypto/conf/conf_def.h
@@ -2,7 +2,7 @@
  * WARNING: do not edit!
  * Generated by crypto/conf/keysets.pl
  *
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
  * in the file LICENSE in the source distribution or at
diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h
index 24b49a2df2..63bf69e443 100644
--- a/crypto/objects/obj_dat.h
+++ b/crypto/objects/obj_dat.h
@@ -2,7 +2,7 @@
  * WARNING: do not edit!
  * Generated by crypto/objects/obj_dat.pl
  *
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
  * in the file LICENSE in the source distribution or at
diff --git a/crypto/objects/obj_xref.h b/crypto/objects/obj_xref.h
index 5c3561ab7d..5ef094bbfd 100644
--- a/crypto/objects/obj_xref.h
+++ b/crypto/objects/obj_xref.h
@@ -2,7 +2,7 @@
  * WARNING: do not edit!
  * Generated by objxref.pl
  *
- * Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1998-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/include/openssl/obj_mac.h b/include/openssl/obj_mac.h
index eb812ed18d..53516a06c6 100644
--- a/include/openssl/obj_mac.h
+++ b/include/openssl/obj_mac.h
@@ -2,7 +2,7 @@
  * WARNING: do not edit!
  * Generated by crypto/objects/objects.pl
  *
- * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
  * in the file LICENSE in the source distribution or at


[openssl] OpenSSL_1_1_1-stable update

2022-01-03 Thread dev
The branch OpenSSL_1_1_1-stable has been updated
   via  4623700d4eaaa250b49032768be2e97a147f3a1e (commit)
  from  e5050aa1bbce84e359bfd35de60dd745627e8d41 (commit)


- Log -
commit 4623700d4eaaa250b49032768be2e97a147f3a1e
Author: Dr. David von Oheimb 
Date:   Fri Dec 3 15:18:07 2021 +0100

OBJ_obj2txt(): fix off-by-one documentation of the result

This backports the doc improvements of #17188.

Reviewed-by: Tomas Mraz 

(cherry picked from commit e36d10925396b6519e1abd338e1ef62cd5b1c9e6)

---

Summary of changes:
 doc/man3/OBJ_nid2obj.pod | 32 
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/doc/man3/OBJ_nid2obj.pod b/doc/man3/OBJ_nid2obj.pod
index 74379ad817..81e57154f1 100644
--- a/doc/man3/OBJ_nid2obj.pod
+++ b/doc/man3/OBJ_nid2obj.pod
@@ -68,13 +68,15 @@ If I is 0 then long names and short names will be 
interpreted
 as well as numerical forms. If I is 1 only the numerical form
 is acceptable.
 
-OBJ_obj2txt() converts the B B into a textual representation.
-The representation is written as a null terminated string to B
-at most B bytes are written, truncating the result if necessary.
-The total amount of space required is returned. If B is 0 then
-if the object has a long or short name then that will be used, otherwise
-the numerical form will be used. If B is 1 then the numerical
-form will always be used.
+OBJ_obj2txt() converts the B I into a textual representation.
+Unless I is NULL,
+the representation is written as a NUL-terminated string to I, where
+at most I bytes are written, truncating the result if necessary.
+In any case it returns the total string length, excluding the NUL character,
+required for non-truncated representation, or -1 on error.
+If I is 0 then if the object has a long or short name
+then that will be used, otherwise the numerical form will be used.
+If I is 1 then the numerical form will always be used.
 
 i2t_ASN1_OBJECT() is the same as OBJ_obj2txt() with the I set to zero.
 
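Review bot: The new return-value sentence in the OBJ_obj2txt() paragraph ("it returns the total string length, excluding the NUL character, required for non-truncated representation") leaves the truncation test implicit. Because at most the given number of bytes is written, terminator included, a result greater than or equal to the buffer length means the output was cut short; add a sentence saying so, so that callers compare the return value against the buffer size instead of assuming the string is complete.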
@@ -141,6 +143,13 @@ on error.
 OBJ_obj2nid(), OBJ_ln2nid(), OBJ_sn2nid() and OBJ_txt2nid() return
 a NID or B on error.
 
+OBJ_add_sigid() returns 1 on success or 0 on error.
+
+i2t_ASN1_OBJECT() an OBJ_obj2txt() return -1 on error.
+On success, they return the length of the string written to I if I is
+not NULL and I is big enough, otherwise the total string length.
+Note that this does not count the trailing NUL character.
+
 =head1 EXAMPLES
 
 Create an object for B:
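Review bot: Typo in the added RETURN VALUES text: "i2t_ASN1_OBJECT() an OBJ_obj2txt() return -1 on error" should read "and". The following sentence ("the length of the string written ... if ... big enough, otherwise the total string length") also describes the same number as the DESCRIPTION hunk's "in any case it returns the total string length" in different words; use one wording in both places so readers do not infer two different behaviours.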
@@ -161,15 +170,6 @@ Create a new object directly:
 
  obj = OBJ_txt2obj("1.2.3.4", 1);
 
-=head1 BUGS
-
-OBJ_obj2txt() is awkward and messy to use: it doesn't follow the
-convention of other OpenSSL functions where the buffer can be set
-to B to determine the amount of data that should be written.
-Instead B must point to a valid buffer and B should
-be set to a positive value. A buffer length of 80 should be more
-than enough to handle any OID encountered in practice.
-
 =head1 SEE ALSO
 
 L
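Review bot: Deleting the BUGS section withdraws the warning that the buffer "must point to a valid buffer", and the DESCRIPTION hunk now says the buffer may be NULL. The summary lists only doc/man3/OBJ_nid2obj.pod as changed, so the commit message should state that the 1.1.1 implementation already accepts a NULL buffer; if that is not the case on this branch, the old warning needs to stay.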


[openssl] OpenSSL_1_1_1-stable update

2022-01-01 Thread kaduk
The branch OpenSSL_1_1_1-stable has been updated
   via  e5050aa1bbce84e359bfd35de60dd745627e8d41 (commit)
  from  c680b3f9c1ed6f70d68c3c597ee4e99b4ce0fa55 (commit)


- Log -
commit e5050aa1bbce84e359bfd35de60dd745627e8d41
Author: Piotr Kubaj 
Date:   Sat Dec 18 15:21:51 2021 +0100

Add support for BSD-riscv64 target

Reviewed-by: Tomas Mraz 
Reviewed-by: Ben Kaduk 
Reviewed-by: Paul Dale 

(cherry picked from commit c2d1ad0e048dd3bfa60e6aa0b5ee343cc6d97a15)
(cherry picked from commit fb72a093f88f7332069659994b67f6b19aceb865)

(Merged from https://github.com/openssl/openssl/pull/17341)

---

Summary of changes:
 Configurations/10-main.conf | 7 +++
 config  | 1 +
 2 files changed, 8 insertions(+)

diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
index 61c6689a0c..38c8eb3158 100644
--- a/Configurations/10-main.conf
+++ b/Configurations/10-main.conf
@@ -988,6 +988,13 @@ my %targets = (
 perlasm_scheme   => "elf",
 },
 
+# riscv64 below refers to contemporary RISCV Architecture
+# specifications,
+"BSD-riscv64" => {
+inherit_from => [ "BSD-generic64"],
+perlasm_scheme   => "linux64",
+},
+
 "bsdi-elf-gcc" => {
 inherit_from => [ "BASE_unix", asm("x86_elf_asm") ],
 CC   => "gcc",
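Review bot: The comment above the new "BSD-riscv64" entry ends in a comma ("specifications,") and reads as a truncated sentence; finish it or drop the comma. The entry also sets perlasm_scheme => "linux64" while inherit_from names only "BSD-generic64" with no asm(...) template, unlike the "bsdi-elf-gcc" entry just below; add a word on what the perlasm scheme is for on this target.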
diff --git a/config b/config
index 26225ca2a9..49422981ae 100755
--- a/config
+++ b/config
@@ -704,6 +704,7 @@ case "$GUESSOS" in
__CNF_CPPFLAGS="$__CNF_CPPFLAGS -DL_ENDIAN" ;;
   powerpc64-*-*bsd*)   OUT="BSD-generic64";
__CNF_CPPFLAGS="$__CNF_CPPFLAGS -DB_ENDIAN" ;;
+  riscv64-*-*bsd*) OUT="BSD-riscv64" ;;
   sparc64-*-*bsd*) OUT="BSD-sparc64" ;;
   ia64-*-*bsd*)OUT="BSD-ia64" ;;
   x86_64-*-dragonfly*)  OUT="BSD-x86_64" ;;


[openssl] OpenSSL_1_1_1-stable update

2021-12-29 Thread Matt Caswell
The branch OpenSSL_1_1_1-stable has been updated
   via  c680b3f9c1ed6f70d68c3c597ee4e99b4ce0fa55 (commit)
  from  5da141ff6c617505777bee174bab8d58f8b7cae5 (commit)


- Log -
commit c680b3f9c1ed6f70d68c3c597ee4e99b4ce0fa55
Author: Matt Caswell 
Date:   Thu Dec 9 16:27:47 2021 +

Ensure s_client sends SNI data when used with -proxy

The use of -proxy prevented s_client from correctly sending the target
hostname as SNI data.

Fixes #17232

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/17249)

---

Summary of changes:
 apps/s_client.c | 11 +++
 1 file changed, 11 insertions(+)

diff --git a/apps/s_client.c b/apps/s_client.c
index 121cd1444f..00effc8037 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -938,6 +938,7 @@ int s_client_main(int argc, char **argv)
 struct timeval tv;
 #endif
 const char *servername = NULL;
+char *sname_alloc = NULL;
 int noservername = 0;
 const char *alpn_in = NULL;
 tlsextctx tlsextcbp = { NULL, 0 };
@@ -1588,6 +1589,15 @@ int s_client_main(int argc, char **argv)
"%s: -proxy argument malformed or ambiguous\n", prog);
 goto end;
 }
+if (servername == NULL && !noservername) {
+res = BIO_parse_hostserv(connectstr, _alloc, NULL, 
BIO_PARSE_PRIO_HOST);
+if (!res) {
+BIO_printf(bio_err,
+"%s: -connect argument malformed or ambiguous\n", 
prog);
+goto end;
+}
+servername = sname_alloc;
+}
 } else {
 int res = 1;
 char *tmp_host = host, *tmp_port = port;
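Review bot: In the added -proxy block, servername is set to whatever host BIO_parse_hostserv() extracts from connectstr, with no check in the visible lines that it is a DNS name. If -connect is given an address literal, that literal would be sent as SNI, and RFC 6066 does not permit literal IPv4 or IPv6 addresses in the host_name field. Either skip the assignment when the parsed host is an address, or note in the commit message that this matches what the non-proxy path already does.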
@@ -3149,6 +3159,7 @@ int s_client_main(int argc, char **argv)
 #ifndef OPENSSL_NO_SRP
 OPENSSL_free(srp_arg.srppassin);
 #endif
+OPENSSL_free(sname_alloc);
 OPENSSL_free(connectstr);
 OPENSSL_free(bindstr);
 OPENSSL_free(bindhost);


[openssl] OpenSSL_1_1_1-stable update

2021-12-29 Thread tomas
The branch OpenSSL_1_1_1-stable has been updated
   via  5da141ff6c617505777bee174bab8d58f8b7cae5 (commit)
  from  8a5dbc182d85eeb5778dcfd17cab945f7061c5ef (commit)


- Log -
commit 5da141ff6c617505777bee174bab8d58f8b7cae5
Author: Michael Baentsch 
Date:   Fri Dec 24 08:32:05 2021 +0100

document additional stack push error code

Reviewed-by: Paul Dale 
Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/17351)

---

Summary of changes:
 doc/man3/DEFINE_STACK_OF.pod | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/doc/man3/DEFINE_STACK_OF.pod b/doc/man3/DEFINE_STACK_OF.pod
index 43a3214d58..6f4ac7ec0e 100644
--- a/doc/man3/DEFINE_STACK_OF.pod
+++ b/doc/man3/DEFINE_STACK_OF.pod
@@ -238,7 +238,8 @@ sk_TYPE_pop(), sk_TYPE_shift(), sk_TYPE_delete() and 
sk_TYPE_delete_ptr()
 return a pointer to the deleted element or B on error.
 
 sk_TYPE_insert(), sk_TYPE_push() and sk_TYPE_unshift() return the total
-number of elements in the stack and 0 if an error occurred.
+number of elements in the stack and 0 if an error occurred. sk_TYPE_push()
+further returns -1 if B is B.
 
 sk_TYPE_set() returns a pointer to the replacement element or B on
 error.
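Review bot: The added sentence gives sk_TYPE_push() two distinct failure values, 0 and -1, but does not tell callers how to test for them. Code written against the old text as "if (!sk_TYPE_push(...))" treats -1 as success; state explicitly that a result less than or equal to 0 indicates failure, and say whether sk_TYPE_insert() and sk_TYPE_unshift() can return -1 in the same situation.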


[openssl] OpenSSL_1_1_1-stable update

2021-12-22 Thread Dr . Paul Dale
The branch OpenSSL_1_1_1-stable has been updated
   via  8a5dbc182d85eeb5778dcfd17cab945f7061c5ef (commit)
  from  f2f7cff20377f7402b132a19d953a9d998be26aa (commit)


- Log -
commit 8a5dbc182d85eeb5778dcfd17cab945f7061c5ef
Author: Alexandros Roussos 
Date:   Mon Dec 20 19:14:57 2021 +0100

Fix Configure variable spill

* Evaluating code-refs in Configure can sometimes set the default
variable `$_`
* Prevent spillage influencing the target property by using named
variable in loop

CLA: trivial

Fixes gh-17321

Reviewed-by: Tomas Mraz 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/17322)

(cherry picked from commit a595e3286ae9f033c56452967b3add2145f9085f)

---

Summary of changes:
 Configure | 22 +++---
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/Configure b/Configure
index faf57b155a..4bea49d7da 100755
--- a/Configure
+++ b/Configure
@@ -3161,25 +3161,25 @@ sub resolve_config {
 }
 }
 
-foreach (sort keys %all_keys) {
-my $previous = $combined_inheritance{$_};
+foreach my $key (sort keys %all_keys) {
+my $previous = $combined_inheritance{$key};
 
 # Current target doesn't have a value for the current key?
 # Assign it the default combiner, the rest of this loop body
 # will handle it just like any other coderef.
-if (!exists $table{$target}->{$_}) {
-$table{$target}->{$_} = $default_combiner;
+if (!exists $table{$target}->{$key}) {
+$table{$target}->{$key} = $default_combiner;
 }
 
-$table{$target}->{$_} = process_values($table{$target}->{$_},
-   $combined_inheritance{$_},
-   $target, $_);
-unless(defined($table{$target}->{$_})) {
-delete $table{$target}->{$_};
+$table{$target}->{$key} = process_values($table{$target}->{$key},
+   $combined_inheritance{$key},
+   $target, $key);
+unless(defined($table{$target}->{$key})) {
+delete $table{$target}->{$key};
 }
 #if ($extra_checks &&
-#$previous && !($add_called ||  $previous ~~ 
$table{$target}->{$_})) {
-#warn "$_ got replaced in $target\n";
+#$previous && !($add_called ||  $previous ~~ 
$table{$target}->{$key})) {
+#warn "$key got replaced in $target\n";
 #}
 }
 


[openssl] OpenSSL_1_1_1-stable update

2021-12-19 Thread Dr . Paul Dale
The branch OpenSSL_1_1_1-stable has been updated
   via  f2f7cff20377f7402b132a19d953a9d998be26aa (commit)
  from  e9dc49c009a34b429d6dddcbb1813efa561481c7 (commit)


- Log -
commit f2f7cff20377f7402b132a19d953a9d998be26aa
Author: Kan 
Date:   Fri Dec 17 10:56:26 2021 +0800

Fix the null pointer dereference

Fixed #17296

Reviewed-by: Tomas Mraz 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/17302)

---

Summary of changes:
 crypto/bn/bn_print.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/bn/bn_print.c b/crypto/bn/bn_print.c
index 69749a9fa7..17ac6e7cac 100644
--- a/crypto/bn/bn_print.c
+++ b/crypto/bn/bn_print.c
@@ -142,7 +142,7 @@ int BN_hex2bn(BIGNUM **bn, const char *a)
 continue;
 
 if (i == 0 || i > INT_MAX / 4)
-goto err;
+return 0;
 
 num = i + neg;
 if (bn == NULL)
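Review bot: The commit message says only "Fix the null pointer dereference" and the hunk replaces "goto err" with "return 0" without a comment, so the reason is not recoverable from the code. The "if (bn == NULL)" test two lines further down shows that callers may pass a NULL bn, which suggests the err path is what touched it; add a short comment at the early return saying that nothing has been allocated yet and that the err label must not be reached here, and add a regression test that calls BN_hex2bn() with a NULL bn on this rejected-length path.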


[openssl] OpenSSL_1_1_1-stable update

2021-12-14 Thread Matt Caswell
The branch OpenSSL_1_1_1-stable has been updated
   via  e9dc49c009a34b429d6dddcbb1813efa561481c7 (commit)
   via  ac3cef223a4c61d6bee34527b6d4c8c6432494a7 (commit)
  from  b82cf49c6c3b5fae12bd21885e02eda6430a601f (commit)


- Log -
commit e9dc49c009a34b429d6dddcbb1813efa561481c7
Author: Matt Caswell 
Date:   Tue Dec 14 15:45:09 2021 +

Prepare for 1.1.1n-dev

Reviewed-by: Richard Levitte 

commit ac3cef223a4c61d6bee34527b6d4c8c6432494a7
Author: Matt Caswell 
Date:   Tue Dec 14 15:45:01 2021 +

Prepare for 1.1.1m release

Reviewed-by: Richard Levitte 

---

Summary of changes:
 CHANGES| 6 +-
 NEWS   | 6 +-
 README | 2 +-
 include/openssl/opensslv.h | 4 ++--
 4 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/CHANGES b/CHANGES
index 21f63950d1..8a33c22774 100644
--- a/CHANGES
+++ b/CHANGES
@@ -7,7 +7,11 @@
  https://github.com/openssl/openssl/commits/ and pick the appropriate
  release branch.
 
- Changes between 1.1.1l and 1.1.1m [xx XXX ]
+ Changes between 1.1.1m and 1.1.1n [xx XXX ]
+
+  *)
+
+ Changes between 1.1.1l and 1.1.1m [14 Dec 2021]
 
   *) Avoid loading of a dynamic engine twice.
 
diff --git a/NEWS b/NEWS
index ecbe5c2b21..a10c981491 100644
--- a/NEWS
+++ b/NEWS
@@ -5,7 +5,11 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
-  Major changes between OpenSSL 1.1.1l and OpenSSL 1.1.1m [under development]
+  Major changes between OpenSSL 1.1.1m and OpenSSL 1.1.1n [under development]
+
+  o
+
+  Major changes between OpenSSL 1.1.1l and OpenSSL 1.1.1m [14 Dec 2021]
 
   o None
 
diff --git a/README b/README
index 0ac818f779..faf32e4cc9 100644
--- a/README
+++ b/README
@@ -1,5 +1,5 @@
 
- OpenSSL 1.1.1m-dev
+ OpenSSL 1.1.1n-dev
 
  Copyright (c) 1998-2021 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
index 2a5fb9f46f..094082bd99 100644
--- a/include/openssl/opensslv.h
+++ b/include/openssl/opensslv.h
@@ -39,8 +39,8 @@ extern "C" {
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-# define OPENSSL_VERSION_NUMBER  0x101010d0L
-# define OPENSSL_VERSION_TEXT"OpenSSL 1.1.1m-dev  xx XXX "
+# define OPENSSL_VERSION_NUMBER  0x101010e0L
+# define OPENSSL_VERSION_TEXT"OpenSSL 1.1.1n-dev  xx XXX "
 
 /*-
  * The macros below are to be used for shared library (.so, .dll, ...)


[openssl] OpenSSL_1_1_1-stable update

2021-12-14 Thread Matt Caswell
The branch OpenSSL_1_1_1-stable has been updated
   via  b82cf49c6c3b5fae12bd21885e02eda6430a601f (commit)
  from  defe51c178e3dc9f07514c179121021fd78691b4 (commit)


- Log -
commit b82cf49c6c3b5fae12bd21885e02eda6430a601f
Author: Richard Levitte 
Date:   Tue Dec 14 16:12:56 2021 +0100

Update NEWS for 1.1.1m

Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/17273)

---

Summary of changes:
 NEWS | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index eb0f63c960..ecbe5c2b21 100644
--- a/NEWS
+++ b/NEWS
@@ -7,7 +7,7 @@
 
   Major changes between OpenSSL 1.1.1l and OpenSSL 1.1.1m [under development]
 
-  o
+  o None
 
   Major changes between OpenSSL 1.1.1k and OpenSSL 1.1.1l [24 Aug 2021]
 


[openssl] OpenSSL_1_1_1-stable update

2021-12-14 Thread Matt Caswell
The branch OpenSSL_1_1_1-stable has been updated
   via  defe51c178e3dc9f07514c179121021fd78691b4 (commit)
  from  4f281f000cb8b130c92cc6d67d82270e1715ed66 (commit)


- Log -
commit defe51c178e3dc9f07514c179121021fd78691b4
Author: Matt Caswell 
Date:   Tue Dec 14 14:44:33 2021 +

Update copyright year

Reviewed-by: Richard Levitte 
(Merged from https://github.com/openssl/openssl/pull/17271)

---

Summary of changes:
 apps/ciphers.c| 2 +-
 apps/dgst.c   | 2 +-
 apps/s_client.c   | 2 +-
 apps/speed.c  | 2 +-
 crypto/asn1/a_print.c | 2 +-
 crypto/bio/bss_dgram.c| 2 +-
 crypto/bio/bss_mem.c  | 2 +-
 crypto/bn/asm/mips.pl | 2 +-
 crypto/cms/cms_env.c  | 2 +-
 crypto/dh/dh_ameth.c  | 2 +-
 crypto/ec/curve448/field.h| 2 +-
 crypto/ec/ec_curve.c  | 2 +-
 crypto/engine/eng_dyn.c   | 2 +-
 crypto/engine/eng_lib.c   | 2 +-
 crypto/engine/eng_list.c  | 2 +-
 crypto/engine/eng_local.h | 2 +-
 crypto/err/err.c  | 2 +-
 crypto/evp/p_lib.c| 2 +-
 crypto/objects/o_names.c  | 2 +-
 crypto/pem/pem_lib.c  | 2 +-
 crypto/rand/rand_vms.c| 2 +-
 crypto/x509/x_name.c  | 2 +-
 doc/man1/passwd.pod   | 2 +-
 doc/man3/BN_rand.pod  | 2 +-
 doc/man3/ENGINE_add.pod   | 2 +-
 doc/man3/ERR_load_strings.pod | 2 +-
 doc/man3/EVP_EncryptInit.pod  | 2 +-
 doc/man3/OBJ_nid2obj.pod  | 2 +-
 doc/man3/SSL_CTX_set_num_tickets.pod  | 2 +-
 doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod | 2 +-
 doc/man3/SSL_get_session.pod  | 2 +-
 doc/man3/SSL_set_fd.pod   | 2 +-
 doc/man3/d2i_X509.pod | 2 +-
 doc/man7/ossl_store.pod   | 2 +-
 engines/e_afalg.c | 2 +-
 engines/e_dasync.c| 2 +-
 include/crypto/rand.h | 2 +-
 include/openssl/ec.h  | 2 +-
 ssl/s3_cbc.c  | 2 +-
 ssl/ssl_asn1.c| 2 +-
 ssl/ssl_ciph.c| 2 +-
 ssl/statem/extensions_cust.c  | 2 +-
 ssl/statem/statem_lib.c   | 2 +-
 test/afalgtest.c  | 2 +-
 test/danetest.c   | 2 +-
 test/ec_internal_test.c   | 2 +-
 test/evp_test.c   | 2 +-
 test/packettest.c | 2 +-
 test/recipes/01-test_symbol_presence.t| 2 +-
 test/recipes/20-test_dgst.t   | 2 +-
 test/recipes/30-test_evp_data/evpkdf.txt  | 2 +-
 test/recipes/80-test_dane.t   | 2 +-
 test/ssltest_old.c| 2 +-
 test/testutil/format_output.c | 2 +-
 test/testutil/tests.c | 2 +-
 55 files changed, 55 insertions(+), 55 deletions(-)

diff --git a/apps/ciphers.c b/apps/ciphers.c
index e403130eeb..aade3fbf56 100644
--- a/apps/ciphers.c
+++ b/apps/ciphers.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/apps/dgst.c b/apps/dgst.c
index b07fff3fb3..f9b184be4c 100644
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/apps/s_client.c b/apps/s_client.c
index fe34487787..121cd1444f 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright 2005 Nokia. All rights reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
diff --git a/apps/speed.c b/apps/speed.c
index 9eafb2c448..89bf18480f 100644
--- a/apps/speed.c
+++ 

[openssl] OpenSSL_1_1_1-stable update

2021-12-14 Thread Matt Caswell
The branch OpenSSL_1_1_1-stable has been updated
   via  4f281f000cb8b130c92cc6d67d82270e1715ed66 (commit)
  from  e9e726506cd2a3fd9c0f12daf8cc1fe934c7dddb (commit)


- Log -
commit 4f281f000cb8b130c92cc6d67d82270e1715ed66
Author: Richard Levitte 
Date:   Tue Dec 14 14:52:53 2021 +0100

Add some CHANGES entries for 1.1.1m

Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/17269)

---

Summary of changes:
 CHANGES | 18 +-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index 75a61905ac..21f63950d1 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,7 +9,23 @@
 
  Changes between 1.1.1l and 1.1.1m [xx XXX ]
 
-  *)
+  *) Avoid loading of a dynamic engine twice.
+
+ [Bernd Edlinger]
+
+  *) Fixed building on Debian with kfreebsd kernels
+
+ [Mattias Ellert]
+
+  *) Prioritise DANE TLSA issuer certs over peer certs
+
+ [Viktor Dukhovni]
+
+  *) Fixed random API for MacOS prior to 10.12
+
+ These MacOS versions don't support the CommonCrypto APIs
+
+ [Lenny Primak]
 
  Changes between 1.1.1k and 1.1.1l [24 Aug 2021]
 


[openssl] OpenSSL_1_1_1-stable update

2021-12-13 Thread bernd . edlinger
The branch OpenSSL_1_1_1-stable has been updated
   via  e9e726506cd2a3fd9c0f12daf8cc1fe934c7dddb (commit)
  from  8b35838b44e83f323eaa5d7aeecc45c8e2321cf8 (commit)


- Log -
commit e9e726506cd2a3fd9c0f12daf8cc1fe934c7dddb
Author: Bernd Edlinger 
Date:   Sat Dec 11 20:28:11 2021 +0100

Fix a carry overflow bug in bn_sqr_comba4/8 for mips 32-bit targets

bn_sqr_comba8 does for instance compute a wrong result for the value:
a=0x4aaac919 62056c84 fba7334e 1a6be678 022181ba fd3aa878 899b2346 ee210f45

The correct result is:
r=0x15c72e32 605a3061 d11b1012 3c187483 6df96999 bd0c22ba d3e7d437 4724a82f
912c5e61 6a187efe 8f7c47fc f6945fe5 75be8e3d 97ed17d4 7950b465 3cb32899

but the actual result was:
r=0x15c72e32 605a3061 d11b1012 3c187483 6df96999 bd0c22ba d3e7d437 4724a82f
912c5e61 6a187efe 8f7c47fc f6945fe5 75be8e3c 97ed17d4 7950b465 3cb32899

so the fourth word of the result was 0x75be8e3c but should have been
0x75be8e3d instead.

Likewise bn_sqr_comba4 has an identical bug for the same value as well:
a=0x022181ba fd3aa878 899b2346 ee210f45

correct result:
r=0x00048a69 9fe82f8b 62bd2ed1 88781335 75be8e3d 97ed17d4 7950b465 3cb32899

wrong result:
r=0x00048a69 9fe82f8b 62bd2ed1 88781335 75be8e3c 97ed17d4 7950b465 3cb32899

Fortunately the bn_mul_comba4/8 code paths are not affected.

Also the mips64 target does in fact not handle the carry propagation
correctly.

Example:
a=0x4aaac919 62056c84 fba7334e 1a6be678
022181ba fd3aa878 899b234635dad283 ee210f450001

correct result:
r=0x15c72e32272c4471 392debf018c679c8 b85496496bf8254c d0204f36611e2be1
0cdb3db8f3c081d8 c94ba0e1bacc5061 191b83d47ff929f6 5be0aebfc13ae68d
3eea7a7fdf2f5758 42f7ec656cab3cb5 6a28095be34756f2 64f24687bf37de06
2822309cd1d292f9 6fa698c972372f09 771e97d3a868cda0 dc421e8a0001

wrong result:
r=0x15c72e32272c4471 392debf018c679c8 b85496496bf8254c d0204f36611e2be1
0cdb3db8f3c081d8 c94ba0e1bacc5061 191b83d47ff929f6 5be0aebfc13ae68d
3eea7a7fdf2f5758 42f7ec656cab3cb5 6a28095be34756f2 64f24687bf37de06
2822309cd1d292f8 6fa698c972372f09 771e97d3a868cda0 dc421e8a0001

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/17258)

(cherry picked from commit 336923c0c8d705cb8af5216b29a205662db0d590)

---

Summary of changes:
 crypto/bn/asm/mips.pl |  4 
 test/bntest.c | 45 +
 2 files changed, 49 insertions(+)

diff --git a/crypto/bn/asm/mips.pl b/crypto/bn/asm/mips.pl
index 8ad715bda4..74101030f2 100644
--- a/crypto/bn/asm/mips.pl
+++ b/crypto/bn/asm/mips.pl
@@ -1984,6 +1984,8 @@ $code.=<<___;
sltu$at,$c_2,$t_1
$ADDU   $c_3,$t_2,$at
$ST $c_2,$BNSZ($a0)
+   sltu$at,$c_3,$t_2
+   $ADDU   $c_1,$at
mflo($t_1,$a_2,$a_0)
mfhi($t_2,$a_2,$a_0)
 ___
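Review bot: The two instructions added after "$ST $c_2,$BNSZ($a0)" carry no comment, and in hand-scheduled comba code that is how a carry gets lost again on the next edit. Add a one-line comment saying that "sltu $at,$c_3,$t_2" detects a wrap in the preceding "$ADDU $c_3,$t_2,$at" and that the result is folded into $c_1. The same pair is added verbatim at the second site (the hunk at line 2194), so the comment should appear at both or refer from one to the other.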
@@ -2194,6 +2196,8 @@ $code.=<<___;
sltu$at,$c_2,$t_1
$ADDU   $c_3,$t_2,$at
$ST $c_2,$BNSZ($a0)
+   sltu$at,$c_3,$t_2
+   $ADDU   $c_1,$at
mflo($t_1,$a_2,$a_0)
mfhi($t_2,$a_2,$a_0)
 ___
diff --git a/test/bntest.c b/test/bntest.c
index b58028a301..bab34ba54b 100644
--- a/test/bntest.c
+++ b/test/bntest.c
@@ -627,6 +627,51 @@ static int test_modexp_mont5(void)
 if (!TEST_BN_eq(c, d))
 goto err;
 
+/*
+ * Regression test for overflow bug in bn_sqr_comba4/8 for
+ * mips-linux-gnu and mipsel-linux-gnu 32bit targets.
+ */
+{
+static const char *ehex[] = {
+"95564994a96c45954227b845a1e99cb939d5a1da99ee91acc962396ae999a9ee",
+"38603790448f2f7694c242a875f0cad0aae658eba085f312d2febbbd128dd2b5",
+"8f7d1149f03724215d704344d0d62c587ae3c5939cba4b9b5f3dc5e8e911ef9a",
+"5ce1a5a749a4989d0d8368f6e1f8cdf3a362a6c97fb02047ff152b480a4ad985",
+"2d45efdf0770542992afca6a0590d52930434bba96017afbc9f99e112950a8b1",
+"a359473ec376f329bdae6a19f503be6d4be7393c4e43468831234e27e3838680",
+"b949390d2e416a3f9759e5349ab4c253f6f29f819a6fe4cbfd27ada34903300e",
+"da021f62839f5878a36f1bc3085375b00fd5fa3e68d316c0fdace87a97558465",
+NULL};
+static const char *phex[] = {
+"f95dc0f980fbd22e90caa5a387cc4a369f3f830d50dd321c40db8c09a7e1a241",
+"a536e096622d3280c0c1ba849c1f4a79bf490f60006d081e8cf69960189f0d31",
+"2cd9e17073a3fba7881b21474a13b334116cb2f5dbf3189a6de3515d0840f053",
+"c776d3982d391b6d04d642dda5cc6d1640174c09875addb70595658f89efb439",
+"dc6fbd55f903aadd307982d3f659207f265e1ec6271b274521b7a5e28e8fd7a5",
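Review bot: The test comment names only the "mips-linux-gnu and mipsel-linux-gnu 32bit targets", while the commit message states that the mips64 target mishandles the carry propagation as well. Say in the comment whether these vectors also exercise the 64-bit path, and if they do not, add a vector that does, since the commit message gives a failing mips64 input.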
+

[openssl] OpenSSL_1_1_1-stable update

2021-12-11 Thread Richard Levitte
The branch OpenSSL_1_1_1-stable has been updated
   via  8b35838b44e83f323eaa5d7aeecc45c8e2321cf8 (commit)
  from  f560b4cda1d3d8f8d7f5355a1f797699241a3ae8 (commit)


- Log -
commit 8b35838b44e83f323eaa5d7aeecc45c8e2321cf8
Author: Richard Levitte 
Date:   Thu Nov 25 08:58:21 2021 +0100

Fix faulty detail in BN_rand() manual

Reviewed-by: Paul Dale 
Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/17131)

---

Summary of changes:
 doc/man3/BN_rand.pod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/man3/BN_rand.pod b/doc/man3/BN_rand.pod
index d57348e62b..a183ff7db1 100644
--- a/doc/man3/BN_rand.pod
+++ b/doc/man3/BN_rand.pod
@@ -38,7 +38,7 @@ the number will be set to 1, so that the product of two such 
random
 numbers will always have 2*B length.
 If B is B, the number will be odd; if it
 is B it can be odd or even.
-If B is 1 then B cannot also be B.
+If B is 1 then B cannot also be B.
 
 BN_rand_range() generates a cryptographically strong pseudo-random
 number B in the range 0 E= B E B.


[openssl] OpenSSL_1_1_1-stable update

2021-12-09 Thread tomas
The branch OpenSSL_1_1_1-stable has been updated
   via  f560b4cda1d3d8f8d7f5355a1f797699241a3ae8 (commit)
  from  ca607d6e94e11f5332abcc8fa4a4ccb967347efa (commit)


- Log -
commit f560b4cda1d3d8f8d7f5355a1f797699241a3ae8
Author: Tomas Mraz 
Date:   Mon Dec 6 12:38:48 2021 +0100

CI: Replace windows-2016 with windows-2022

Windows 2016 environment is going to be discontinued.

We also replace windows-latest with windows-2019 so
there aren't two identical builds done once windows-latest
is switched to mean windows-2022.

Fixes #17177

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/17211)

---

Summary of changes:
 .github/workflows/windows.yml | 15 +--
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
index c11242a56f..6f1b50552e 100644
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -9,8 +9,8 @@ jobs:
 strategy:
   matrix:
 os:
-- windows-latest
-- windows-2016
+- windows-2019
+- windows-2022
 platform:
 - arch: win64
   config: VC-WIN64A
@@ -25,6 +25,7 @@ jobs:
 - uses: ilammy/setup-nasm@v1
   with:
 platform: ${{ matrix.platform.arch }}
+- uses: shogo82148/actions-setup-perl@v1
 - name: prepare the build directory
   run: mkdir _build
 - name: config
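Review bot: The added step "uses: shogo82148/actions-setup-perl@v1" brings a new third-party action into the build, referenced by a mutable tag, and the commit message (which covers only the windows-2016 to windows-2022 switch) does not mention it. Explain in the message why the Perl setup step is needed on the new images, and consider pinning the action to a full commit SHA so that a retagged v1 cannot change what runs in CI.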
@@ -49,12 +50,13 @@ jobs:
 strategy:
   matrix:
 os:
-- windows-latest
-- windows-2016
+- windows-2019
+- windows-2022
 runs-on: ${{matrix.os}}
 steps:
 - uses: actions/checkout@v2
 - uses: ilammy/msvc-dev-cmd@v1
+- uses: shogo82148/actions-setup-perl@v1
 - name: prepare the build directory
   run: mkdir _build
 - name: config
@@ -72,12 +74,13 @@ jobs:
 strategy:
   matrix:
 os:
-- windows-latest
-- windows-2016
+- windows-2019
+- windows-2022
 runs-on: ${{matrix.os}}
 steps:
 - uses: actions/checkout@v2
 - uses: ilammy/msvc-dev-cmd@v1
+- uses: shogo82148/actions-setup-perl@v1
 - name: prepare the build directory
   run: mkdir _build
 - name: config


[openssl] OpenSSL_1_1_1-stable update

2021-12-09 Thread bernd . edlinger
The branch OpenSSL_1_1_1-stable has been updated
   via  ca607d6e94e11f5332abcc8fa4a4ccb967347efa (commit)
  from  7a045a4e5ad97f7e123ea33f1f188d2f1a03974b (commit)


- Log -
commit ca607d6e94e11f5332abcc8fa4a4ccb967347efa
Author: Bernd Edlinger 
Date:   Wed Dec 8 14:14:48 2021 +0100

Fix a deadlock in OBJ_NAME_add

This happened after an out of memory error:
CRYPTO_THREAD_write_lock may hang in OBJ_NAME_add.

Reviewed-by: Tomas Mraz 
Reviewed-by: Matt Caswell 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/17236)

---

Summary of changes:
 crypto/objects/o_names.c | 14 +-
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/crypto/objects/o_names.c b/crypto/objects/o_names.c
index 979d83577c..15639d6778 100644
--- a/crypto/objects/o_names.c
+++ b/crypto/objects/o_names.c
@@ -67,8 +67,14 @@ static CRYPTO_ONCE init = CRYPTO_ONCE_STATIC_INIT;
 DEFINE_RUN_ONCE_STATIC(o_names_init)
 {
 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE);
-names_lh = lh_OBJ_NAME_new(obj_name_hash, obj_name_cmp);
+names_lh = NULL;
 obj_lock = CRYPTO_THREAD_lock_new();
+if (obj_lock != NULL)
+names_lh = lh_OBJ_NAME_new(obj_name_hash, obj_name_cmp);
+if (names_lh == NULL) {
+CRYPTO_THREAD_lock_free(obj_lock);
+obj_lock = NULL;
+}
 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE);
 return names_lh != NULL && obj_lock != NULL;
 }
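Review bot: After this change names_lh can be non-NULL only when obj_lock is non-NULL, so the unchanged "return names_lh != NULL && obj_lock != NULL;" tests the same condition twice; "return names_lh != NULL;" says what the new code guarantees. The cleanup branch also calls CRYPTO_THREAD_lock_free(obj_lock) on the path where obj_lock is already NULL; a short comment that the call is a no-op for NULL would save the next reader from checking.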
@@ -217,10 +223,8 @@ int OBJ_NAME_add(const char *name, int type, const char 
*data)
 type &= ~OBJ_NAME_ALIAS;
 
 onp = OPENSSL_malloc(sizeof(*onp));
-if (onp == NULL) {
-/* ERROR */
-goto unlock;
-}
+if (onp == NULL)
+return 0;
 
 onp->name = name;
 onp->alias = alias;
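Review bot: Replacing "goto unlock" with "return 0" at the failed OPENSSL_malloc() is correct only if the write lock has not been taken at this point, and the lock acquisition is not visible in this hunk. State in the commit message or in a comment that the allocation precedes CRYPTO_THREAD_write_lock(), so the ordering is not reversed later. The removed "/* ERROR */" marker is also not replaced by any error report, so an out-of-memory failure here remains silent to the caller apart from the 0 return.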


[openssl] OpenSSL_1_1_1-stable update

2021-12-09 Thread dev
The branch OpenSSL_1_1_1-stable has been updated
   via  7a045a4e5ad97f7e123ea33f1f188d2f1a03974b (commit)
  from  b1553c89285cb05a28d185423bc3df9b505db92a (commit)


- Log -
commit 7a045a4e5ad97f7e123ea33f1f188d2f1a03974b
Author: Dr. David von Oheimb 
Date:   Tue Dec 7 14:01:32 2021 +0100

OBJ_nid2obj.pod: Replace remaining 'B<' by 'I<' where appropriate

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/17221)

---

Summary of changes:
 doc/man3/OBJ_nid2obj.pod | 28 ++--
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/doc/man3/OBJ_nid2obj.pod b/doc/man3/OBJ_nid2obj.pod
index f84d5b1eb3..7705b6c763 100644
--- a/doc/man3/OBJ_nid2obj.pod
+++ b/doc/man3/OBJ_nid2obj.pod
@@ -46,26 +46,26 @@ Deprecated:
 The ASN1 object utility functions process ASN1_OBJECT structures which are
 a representation of the ASN1 OBJECT IDENTIFIER (OID) type.
 For convenience, OIDs are usually represented in source code as numeric
-identifiers, or Bs.  OpenSSL has an internal table of OIDs that
+identifiers, or Is.  OpenSSL has an internal table of OIDs that
 are generated when the library is built, and their corresponding NIDs
 are available as defined constants.  For the functions below, application
 code should treat all returned values -- OIDs, NIDs, or names -- as
 constants.
 
-OBJ_nid2obj(), OBJ_nid2ln() and OBJ_nid2sn() convert the NID B to
+OBJ_nid2obj(), OBJ_nid2ln() and OBJ_nid2sn() convert the NID I to
 an ASN1_OBJECT structure, its long name and its short name respectively,
 or B if an error occurred.
 
 OBJ_obj2nid(), OBJ_ln2nid(), OBJ_sn2nid() return the corresponding NID
-for the object B, the long name  or the short name  respectively
+for the object I, the long name  or the short name  respectively
 or NID_undef if an error occurred.
 
-OBJ_txt2nid() returns NID corresponding to text string . B can be
+OBJ_txt2nid() returns NID corresponding to text string I. I can be
 a long name, a short name or the numerical representation of an object.
 
-OBJ_txt2obj() converts the text string B into an ASN1_OBJECT structure.
-If B is 0 then long names and short names will be interpreted
-as well as numerical forms. If B is 1 only the numerical form
+OBJ_txt2obj() converts the text string I into an ASN1_OBJECT structure.
+If I is 0 then long names and short names will be interpreted
+as well as numerical forms. If I is 1 only the numerical form
 is acceptable.
 
 OBJ_obj2txt() converts the B B into a textual representation.
@@ -76,20 +76,20 @@ if the object has a long or short name then that will be 
used, otherwise
 the numerical form will be used. If B is 1 then the numerical
 form will always be used.
 
-i2t_ASN1_OBJECT() is the same as OBJ_obj2txt() with the B set to zero.
+i2t_ASN1_OBJECT() is the same as OBJ_obj2txt() with the I set to zero.
 
-OBJ_cmp() compares B to B. If the two are identical 0 is returned.
+OBJ_cmp() compares I to I. If the two are identical 0 is returned.
 
-OBJ_dup() returns a copy of B.
+OBJ_dup() returns a copy of I.
 
-OBJ_create() adds a new object to the internal table. B is the
-numerical form of the object, B the short name and B the
+OBJ_create() adds a new object to the internal table. I is the
+numerical form of the object, I the short name and I the
 long name. A new NID is returned for the created object in case of
 success and NID_undef in case of failure.
 
-OBJ_length() returns the size of the content octets of B.
+OBJ_length() returns the size of the content octets of I.
 
-OBJ_get0_data() returns a pointer to the content octets of B.
+OBJ_get0_data() returns a pointer to the content octets of I.
 The returned pointer is an internal pointer which B be freed.
 
 OBJ_cleanup() releases any resources allocated by creating new objects.


[openssl] OpenSSL_1_1_1-stable update

2021-12-07 Thread Matt Caswell
The branch OpenSSL_1_1_1-stable has been updated
   via  b1553c89285cb05a28d185423bc3df9b505db92a (commit)
  from  54c358382e917a6adc912ee0958989609c8ee136 (commit)


- Log -
commit b1553c89285cb05a28d185423bc3df9b505db92a
Author: Matt Caswell 
Date:   Mon Dec 6 11:37:26 2021 +

Fix documentation for tlsext_ticket_key

The tlsext_ticket_key functions are documented as returning 0 on success.
In fact they return 1 on success.

Reviewed-by: Tomas Mraz 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/17210)

(cherry picked from commit b0be101326f369f0dd547556d2f3eb3ef5ed0e33)

---

Summary of changes:
 doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod 
b/doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod
index b2637efc1a..d7563d27e2 100644
--- a/doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod
+++ b/doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod
@@ -123,7 +123,7 @@ enable an attacker to obtain the session keys.
 
 =head1 RETURN VALUES
 
-returns 0 to indicate the callback function was set.
+Returns 1 to indicate the callback function was set and 0 otherwise.
 
 =head1 EXAMPLES
 
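
Review bot: the corrected sentence under RETURN VALUES still has no subject, so the reader cannot tell which function returns 1. Name it, for example "SSL_CTX_set_tlsext_ticket_key_cb() returns 1 to indicate the callback function was set and 0 otherwise." Because the old text documented 0 as success, any caller written against it has its check inverted; a short note in the page's history section would help such callers find the change.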


[openssl] OpenSSL_1_1_1-stable update

2021-12-03 Thread dev
The branch OpenSSL_1_1_1-stable has been updated
   via  54c358382e917a6adc912ee0958989609c8ee136 (commit)
   via  f623a68efad0b00c698b3e10963f51971f55ffba (commit)
  from  76eb12aa278cb30a495bcee3fdc176d0a6c35052 (commit)


- Log -
commit 54c358382e917a6adc912ee0958989609c8ee136
Author: Dr. David von Oheimb 
Date:   Thu Sep 30 11:12:49 2021 +0200

BIO_f_ssl.pod: Make clear where an SSL BIO is expected as an argument

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/17135)

commit f623a68efad0b00c698b3e10963f51971f55ffba
Author: Dr. David von Oheimb 
Date:   Mon Sep 27 14:22:40 2021 +0200

Fix ssl_free() and thus BIO_free() to respect BIO_NOCLOSE

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/17135)

---

Summary of changes:
 doc/man3/BIO_f_ssl.pod | 17 -
 ssl/bio_ssl.c  |  7 +++
 2 files changed, 11 insertions(+), 13 deletions(-)

diff --git a/doc/man3/BIO_f_ssl.pod b/doc/man3/BIO_f_ssl.pod
index 641ee2329e..8866785cfe 100644
--- a/doc/man3/BIO_f_ssl.pod
+++ b/doc/man3/BIO_f_ssl.pod
@@ -54,26 +54,26 @@ The SSL BIO is then reset to the initial accept or connect 
state.
 If the close flag is set when an SSL BIO is freed then the internal
 SSL structure is also freed using SSL_free().
 
-BIO_set_ssl() sets the internal SSL pointer of BIO B to B using
+BIO_set_ssl() sets the internal SSL pointer of SSL BIO B to B using
 the close flag B.
 
-BIO_get_ssl() retrieves the SSL pointer of BIO B, it can then be
+BIO_get_ssl() retrieves the SSL pointer of SSL BIO B, it can then be
 manipulated using the standard SSL library functions.
 
 BIO_set_ssl_mode() sets the SSL BIO mode to B. If B
 is 1 client mode is set. If B is 0 server mode is set.
 
-BIO_set_ssl_renegotiate_bytes() sets the renegotiate byte count
+BIO_set_ssl_renegotiate_bytes() sets the renegotiate byte count of SSL BIO B
 to B. When set after every B bytes of I/O (read and write)
 the SSL session is automatically renegotiated. B must be at
 least 512 bytes.
 
-BIO_set_ssl_renegotiate_timeout() sets the renegotiate timeout to
-B. When the renegotiate timeout elapses the session is
-automatically renegotiated.
+BIO_set_ssl_renegotiate_timeout() sets the renegotiate timeout of SSL BIO B
+to B.
+When the renegotiate timeout elapses the session is automatically renegotiated.
 
 BIO_get_num_renegotiates() returns the total number of session
-renegotiations due to I/O or timeout.
+renegotiations due to I/O or timeout of SSL BIO B.
 
 BIO_new_ssl() allocates an SSL BIO using SSL_CTX B and using
 client mode if B is non zero.
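
Review bot: in the BIO_get_num_renegotiates() paragraph the new tail "due to I/O or timeout of SSL BIO B" attaches the BIO to "timeout" rather than to the renegotiation count. Put the object next to what it qualifies, for example "returns the total number of session renegotiations of SSL BIO B due to I/O or timeout". The BIO_get_ssl() sentence in the same hunk keeps its comma splice ("..., it can then be manipulated") and could be split while the line is being touched anyway.
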
@@ -82,8 +82,7 @@ BIO_new_ssl_connect() creates a new BIO chain consisting of an
 SSL BIO (using B) followed by a connect BIO.
 
 BIO_new_buffer_ssl_connect() creates a new BIO chain consisting
-of a buffering BIO, an SSL BIO (using B) and a connect
-BIO.
+of a buffering BIO, an SSL BIO (using B), and a connect BIO.
 
 BIO_ssl_copy_session_id() copies an SSL session id between
 BIO chains B and B. It does this by locating the
diff --git a/ssl/bio_ssl.c b/ssl/bio_ssl.c
index c4239345b6..67097d5cca 100644
--- a/ssl/bio_ssl.c
+++ b/ssl/bio_ssl.c
@@ -76,13 +76,12 @@ static int ssl_free(BIO *a)
 if (a == NULL)
 return 0;
 bs = BIO_get_data(a);
-if (bs->ssl != NULL)
-SSL_shutdown(bs->ssl);
 if (BIO_get_shutdown(a)) {
+if (bs->ssl != NULL)
+SSL_shutdown(bs->ssl);
 if (BIO_get_init(a))
 SSL_free(bs->ssl);
-/* Clear all flags */
-BIO_clear_flags(a, ~0);
+BIO_clear_flags(a, ~0); /* Clear all flags */
 BIO_set_init(a, 0);
 }
 OPENSSL_free(bs);
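
Review bot: moving SSL_shutdown() inside the BIO_get_shutdown(a) branch changes what a caller sees on the wire: an SSL BIO freed with BIO_NOCLOSE no longer sends close_notify, so the owner of the SSL object now has to call SSL_shutdown() itself before tearing the connection down. The paragraph kept in BIO_f_ssl.pod only says that with the close flag set the SSL structure "is also freed using SSL_free()"; it should state that the shutdown is tied to the close flag as well. A regression test that frees an SSL BIO with BIO_NOCLOSE and then continues to use the SSL would keep this from drifting back.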


[openssl] OpenSSL_1_1_1-stable update

2021-12-01 Thread beldmit
The branch OpenSSL_1_1_1-stable has been updated
   via  76eb12aa278cb30a495bcee3fdc176d0a6c35052 (commit)
  from  162bd56e99b2e73cfdc6777acb3f1b3dafccc9ba (commit)


- Log -
commit 76eb12aa278cb30a495bcee3fdc176d0a6c35052
Author: Dmitry Belyavskiy 
Date:   Mon Nov 29 16:37:32 2021 +0100

No EtM for GOST ciphers

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/17158)

---

Summary of changes:
 ssl/statem/extensions_clnt.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index 621fcfa561..9d38ac23b5 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -1741,7 +1741,9 @@ int tls_parse_stoc_etm(SSL *s, PACKET *pkt, unsigned int 
context, X509 *x,
 /* Ignore if inappropriate ciphersuite */
 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
 && s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
-&& s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
+&& s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4
+&& s->s3->tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT
+&& s->s3->tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT12)
 s->ext.use_etm = 1;
 
 return 1;
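
Review bot: the two new algorithm_enc exclusions come with no rationale; the only comment is "Ignore if inappropriate ciphersuite" and the commit message is just its subject line. Add a comment saying why the SSL_eGOST2814789CNT and SSL_eGOST2814789CNT12 suites must not use encrypt-then-MAC. Since only extensions_clnt.c is touched, also confirm that the server side applies the same exclusion when it decides to send the extension; if it does not, the two peers can disagree on whether EtM is in effect for the connection. A test that negotiates one of these suites would pin the behaviour down.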


[openssl] OpenSSL_1_1_1-stable update

2021-11-30 Thread Richard Levitte
The branch OpenSSL_1_1_1-stable has been updated
   via  162bd56e99b2e73cfdc6777acb3f1b3dafccc9ba (commit)
  from  37dc4f9530d131b4f581582c34c08074abbc9923 (commit)


- Log -
commit 162bd56e99b2e73cfdc6777acb3f1b3dafccc9ba
Author: Richard Levitte 
Date:   Thu Nov 25 09:55:09 2021 +0100

TEST: Enable and fix test_bn2padded() in test/bntest.c

This looks like old code, written when the padded variety of BN_bn2bin()
was developed, and disabled by default...  and forgotten.

A few simple changes to update it to the current API is all that was
needed to enable it.

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/17133)

(cherry picked from commit 23750f677ef61b6bea4e81f23f335ad08fc49b51)

---

Summary of changes:
 test/bntest.c | 34 +++---
 1 file changed, 15 insertions(+), 19 deletions(-)

diff --git a/test/bntest.c b/test/bntest.c
index 236501e679..b58028a301 100644
--- a/test/bntest.c
+++ b/test/bntest.c
@@ -27,7 +27,6 @@
 /*
  * Things in boring, not in openssl.  TODO we should add them.
  */
-#define HAVE_BN_PADDED 0
 #define HAVE_BN_SQRT 0
 
 typedef struct filetest_st {
@@ -1731,52 +1730,52 @@ static int file_gcd(STANZA *s)
 
 static int test_bn2padded(void)
 {
-#if HAVE_BN_PADDED
 uint8_t zeros[256], out[256], reference[128];
-BIGNUM *n = BN_new();
+size_t bytes;
+BIGNUM *n;
 int st = 0;
 
 /* Test edge case at 0. */
-if (n == NULL)
+if (!TEST_ptr((n = BN_new(
 goto err;
-if (!TEST_true(BN_bn2bin_padded(NULL, 0, n)))
+if (!TEST_int_eq(BN_bn2binpad(n, NULL, 0), 0))
 goto err;
 memset(out, -1, sizeof(out));
-if (!TEST_true(BN_bn2bin_padded(out, sizeof(out)), n))
+if (!TEST_int_eq(BN_bn2binpad(n, out, sizeof(out)), sizeof(out)))
 goto err;
 memset(zeros, 0, sizeof(zeros));
 if (!TEST_mem_eq(zeros, sizeof(zeros), out, sizeof(out)))
 goto err;
 
 /* Test a random numbers at various byte lengths. */
-for (size_t bytes = 128 - 7; bytes <= 128; bytes++) {
+for (bytes = 128 - 7; bytes <= 128; bytes++) {
 # define TOP_BIT_ON 0
 # define BOTTOM_BIT_NOTOUCH 0
 if (!TEST_true(BN_rand(n, bytes * 8, TOP_BIT_ON, BOTTOM_BIT_NOTOUCH)))
 goto err;
-if (!TEST_int_eq(BN_num_bytes(n),A) bytes
-|| TEST_int_eq(BN_bn2bin(n, reference), bytes))
+if (!TEST_int_eq(BN_num_bytes(n), bytes)
+|| !TEST_int_eq(BN_bn2bin(n, reference), bytes))
 goto err;
 /* Empty buffer should fail. */
-if (!TEST_int_eq(BN_bn2bin_padded(NULL, 0, n)), 0)
+if (!TEST_int_eq(BN_bn2binpad(n, NULL, 0), -1))
 goto err;
 /* One byte short should fail. */
-if (BN_bn2bin_padded(out, bytes - 1, n))
+if (!TEST_int_eq(BN_bn2binpad(n, out, bytes - 1), -1))
 goto err;
 /* Exactly right size should encode. */
-if (!TEST_true(BN_bn2bin_padded(out, bytes, n))
-|| TEST_mem_eq(out, bytes, reference, bytes))
+if (!TEST_int_eq(BN_bn2binpad(n, out, bytes), bytes)
+|| !TEST_mem_eq(out, bytes, reference, bytes))
 goto err;
 /* Pad up one byte extra. */
-if (!TEST_true(BN_bn2bin_padded(out, bytes + 1, n))
+if (!TEST_int_eq(BN_bn2binpad(n, out, bytes + 1), bytes + 1)
 || !TEST_mem_eq(out + 1, bytes, reference, bytes)
 || !TEST_mem_eq(out, 1, zeros, 1))
 goto err;
 /* Pad up to 256. */
-if (!TEST_true(BN_bn2bin_padded(out, sizeof(out)), n)
+if (!TEST_int_eq(BN_bn2binpad(n, out, sizeof(out)), sizeof(out))
 || !TEST_mem_eq(out + sizeof(out) - bytes, bytes,
 reference, bytes)
-|| !TEST_mem_eq(out, sizseof(out) - bytes,
+|| !TEST_mem_eq(out, sizeof(out) - bytes,
 zeros, sizeof(out) - bytes))
 goto err;
 }
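
Review bot: the new assertions mix signedness. `bytes` is declared size_t and is passed both as the length argument of BN_bn2binpad() and as the expected value of TEST_int_eq(), as are `sizeof(out)` and `bytes + 1`, while the function under test returns int and the failure cases compare against -1. Declare `bytes` as int, or cast at the comparison, so the test does not rely on implicit narrowing. The `# define TOP_BIT_ON 0` and `# define BOTTOM_BIT_NOTOUCH 0` lines still sit inside the loop body; hoisting them above the function would read better now that the code is compiled unconditionally.
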
@@ -1785,9 +1784,6 @@ static int test_bn2padded(void)
  err:
 BN_free(n);
 return st;
-#else
-return ctx != NULL;
-#endif
 }
 
 static int test_dec2bn(void)


[openssl] OpenSSL_1_1_1-stable update

2021-11-26 Thread Dr . Paul Dale
The branch OpenSSL_1_1_1-stable has been updated
   via  37dc4f9530d131b4f581582c34c08074abbc9923 (commit)
  from  791bfd91bcb02ee51bf16b195293daeeccc3d84c (commit)


- Log -
commit 37dc4f9530d131b4f581582c34c08074abbc9923
Author: Chenglong Zhang 
Date:   Thu Nov 25 16:21:06 2021 +0800

Fix speed, use OPENSSL_free instead of free

Reviewed-by: Tomas Mraz 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/17132)

---

Summary of changes:
 apps/speed.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/apps/speed.c b/apps/speed.c
index 7f2d3165f9..9eafb2c448 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -3494,7 +3494,7 @@ static int do_multi(int multi, int size_num)
 close(fd[1]);
 mr = 1;
 usertime = 0;
-free(fds);
+OPENSSL_free(fds);
 return 0;
 }
 printf("Forked child %d\n", n);
@@ -3607,7 +3607,7 @@ static int do_multi(int multi, int size_num)
 
 fclose(f);
 }
-free(fds);
+OPENSSL_free(fds);
 return 1;
 }
 #endif
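
Review bot: both releases of `fds` in do_multi() now go through OPENSSL_free(), but the allocation is outside the hunk context, so the patch cannot be checked on its own; please confirm it comes from an OpenSSL allocator. The pairing matters when the application has installed custom memory functions, because a block obtained from one allocator and released to another corrupts the heap. It is also worth checking whether any other return path between the two hunks leaves `fds` unreleased.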


[openssl] OpenSSL_1_1_1-stable update

2021-11-26 Thread dev
The branch OpenSSL_1_1_1-stable has been updated
   via  791bfd91bcb02ee51bf16b195293daeeccc3d84c (commit)
  from  5f422920c171077d8e8d49ad69632711f1ac7e5a (commit)


- Log -
commit 791bfd91bcb02ee51bf16b195293daeeccc3d84c
Author: Dr. David von Oheimb 
Date:   Fri Nov 19 20:38:27 2021 +0100

BIO_push.pod: fix confusing text and add details on corner cases

Reviewed-by: Paul Dale 
Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/17086)

(cherry picked from commit 7a37fd09a8f3607ed8acf55e03479861595be069)

---

Summary of changes:
 doc/man3/BIO_push.pod | 53 ++-
 1 file changed, 31 insertions(+), 22 deletions(-)

diff --git a/doc/man3/BIO_push.pod b/doc/man3/BIO_push.pod
index 8b98bee498..e16daafe88 100644
--- a/doc/man3/BIO_push.pod
+++ b/doc/man3/BIO_push.pod
@@ -8,22 +8,27 @@ BIO_push, BIO_pop, BIO_set_next - add and remove BIOs from a 
chain
 
  #include 
 
- BIO *BIO_push(BIO *b, BIO *append);
+ BIO *BIO_push(BIO *b, BIO *next);
  BIO *BIO_pop(BIO *b);
  void BIO_set_next(BIO *b, BIO *next);
 
 =head1 DESCRIPTION
 
-The BIO_push() function appends the BIO B to B, it returns
-B.
+BIO_push() pushes I on I.
+If I is NULL the function does nothing and returns I.
+Otherwise it prepends I, which may be a single BIO or a chain of BIOs,
+to I (unless I is NULL).
+It then makes a control call on I and returns I.
 
-BIO_pop() removes the BIO B from a chain and returns the next BIO
-in the chain, or NULL if there is no next BIO. The removed BIO then
-becomes a single BIO with no association with the original chain,
-it can thus be freed or attached to a different chain.
+BIO_pop() removes the BIO I from any chain is is part of.
+If I is NULL the function does nothing and returns NULL.
+Otherwise it makes a control call on I and
+returns the next BIO in the chain, or NULL if there is no next BIO.
+The removed BIO becomes a single BIO with no association with
+the original chain, it can thus be freed or be made part of a different chain.
 
 BIO_set_next() replaces the existing next BIO in a chain with the BIO pointed 
to
-by B. The new chain may include some of the same BIOs from the old chain
+by I. The new chain may include some of the same BIOs from the old chain
 or it may be completely different.
 
 =head1 NOTES
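
Review bot: typo in the added BIO_pop() description, "removes the BIO I from any chain is is part of" should read "it is part of". The last added sentence of that paragraph also keeps the comma splice of the text it replaces ("..., it can thus be freed or be made part of a different chain"); a full stop or "so" would fix it.
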
@@ -33,41 +38,45 @@ joins two BIO chains whereas BIO_pop() deletes a single BIO 
from a chain,
 the deleted BIO does not need to be at the end of a chain.
 
 The process of calling BIO_push() and BIO_pop() on a BIO may have additional
-consequences (a control call is made to the affected BIOs) any effects will
-be noted in the descriptions of individual BIOs.
+consequences (a control call is made to the affected BIOs).
+Any effects will be noted in the descriptions of individual BIOs.
 
 =head1 RETURN VALUES
 
-BIO_push() returns the end of the chain, B.
+BIO_push() returns the head of the chain,
+which usually is I, or I if I is NULL.
 
-BIO_pop() returns the next BIO in the chain, or NULL if there is no next
-BIO.
+BIO_pop() returns the next BIO in the chain,
+or NULL if there is no next BIO.
 
 =head1 EXAMPLES
 
-For these examples suppose B and B are digest BIOs, B is
-a base64 BIO and B is a file BIO.
+For these examples suppose I and I are digest BIOs,
+I is a base64 BIO and I is a file BIO.
 
 If the call:
 
  BIO_push(b64, f);
 
-is made then the new chain will be B. After making the calls
+is made then the new chain will be I. After making the calls
 
  BIO_push(md2, b64);
  BIO_push(md1, md2);
 
-the new chain is B. Data written to B will be digested
-by B and B, B encoded and written to B.
+the new chain is I. Data written to I will be digested
+by I and I, base64 encoded, and finally written to I.
 
 It should be noted that reading causes data to pass in the reverse
-direction, that is data is read from B, B decoded and digested
-by B and B. If the call:
+direction, that is data is read from I, base64 decoded,
+and digested by I and then I.
+
+The call:
 
  BIO_pop(md2);
 
-The call will return B and the new chain will be B data can
-be written to B as before.
+will return I and the new chain will be I.
+Data can be written to and read from I as before,
+except that I will no more be applied.
 
 =head1 SEE ALSO
 
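
Review bot: in the final example the added wording "except that I will no more be applied" is unidiomatic; "will no longer be applied" is the usual form. The RETURN VALUES text now correctly says BIO_push() returns the head of the chain, so it would help if the EXAMPLES section showed one call that uses the return value, since the old text told readers the function returned the appended BIO.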


[openssl] OpenSSL_1_1_1-stable update

2021-11-24 Thread Dr . Paul Dale
The branch OpenSSL_1_1_1-stable has been updated
   via  5f422920c171077d8e8d49ad69632711f1ac7e5a (commit)
  from  fd0fd729bb6c75e266b881580d69d679af044cad (commit)


- Log -
commit 5f422920c171077d8e8d49ad69632711f1ac7e5a
Author: Pauli 
Date:   Wed Nov 24 13:32:47 2021 +1000

doc: fix macro name

OSSL_STORE_INFO_X509 doesn't exist.  It should be OSSL_STORE_INFO_CERT.

Fixes #17121

Reviewed-by: Richard Levitte 
(Merged from https://github.com/openssl/openssl/pull/17125)

(cherry picked from commit 01fde90eec721b64bc0e1c01cd94a9fd431adcc6)

---

Summary of changes:
 doc/man7/ossl_store.pod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/man7/ossl_store.pod b/doc/man7/ossl_store.pod
index b706196851..dd23d76fa5 100644
--- a/doc/man7/ossl_store.pod
+++ b/doc/man7/ossl_store.pod
@@ -58,7 +58,7 @@ other encoding is undefined.
   * here just one example
   */
  switch (OSSL_STORE_INFO_get_type(info)) {
- case OSSL_STORE_INFO_X509:
+ case OSSL_STORE_INFO_CERT:
  /* Print the X.509 certificate text */
  X509_print_fp(stdout, OSSL_STORE_INFO_get0_CERT(info));
  /* Print the X.509 certificate PEM output */


[openssl] OpenSSL_1_1_1-stable update

2021-11-24 Thread Matt Caswell
The branch OpenSSL_1_1_1-stable has been updated
   via  fd0fd729bb6c75e266b881580d69d679af044cad (commit)
  from  19706a3ddf72de9c7d11d28e4d2e86ac80d75896 (commit)


- Log -
commit fd0fd729bb6c75e266b881580d69d679af044cad
Author: Matt Caswell 
Date:   Tue Nov 23 12:24:39 2021 +

Clarify and correct the EVP_CTRL_AEAD_SET_TAG docs

The restriction about setting a tag length prior to setting the IV only
applies to OCB mode. We clarify when in the process EVP_CTRL_AEAD_SET_TAG
can be called.

Reviewed-by: Tomas Mraz 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/17111)

(cherry picked from commit 3607b8ad8ee1980a079e985333a196e0c79f8f00)

---

Summary of changes:
 doc/man3/EVP_EncryptInit.pod | 14 --
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod
index 0d8a780bb7..ffd1aab2b3 100644
--- a/doc/man3/EVP_EncryptInit.pod
+++ b/doc/man3/EVP_EncryptInit.pod
@@ -380,18 +380,20 @@ B.
 
 =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, tag)
 
-Sets the expected tag to C bytes from C.
-The tag length can only be set before specifying an IV.
+When decrypting, this call sets the expected tag to C bytes from 
C.
 C must be between 1 and 16 inclusive.
+The tag must be set prior to any call to EVP_DecryptFinal() or
+EVP_DecryptFinal_ex().
 
 For GCM, this call is only valid when decrypting data.
 
 For OCB, this call is valid when decrypting data to set the expected tag,
-and before encryption to set the desired tag length.
+and when encrypting to set the desired tag length.
 
-In OCB mode, calling this before encryption with C set to C sets the
-tag length.  If this is not called prior to encryption, a default tag length is
-used.
+In OCB mode, calling this when encrypting with C set to C sets the
+tag length. The tag length can only be set before specifying an IV. If this is
+not called prior to setting the IV during encryption, then a default tag length
+is used.
 
 For OCB AES, the default tag length is 16 (i.e. 128 bits).  It is also the
 maximum tag length for OCB.
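
Review bot: the relocated sentence "The tag length can only be set before specifying an IV" now sits in the paragraph about OCB encryption, and the following sentence limits it further with "during encryption". The commit message says the restriction applies to OCB mode as such, so the text should say explicitly whether OCB decryption with a non-default tag length also needs the length set before the IV, and how that combines with the new rule that the tag itself only has to be set before EVP_DecryptFinal() or EVP_DecryptFinal_ex(). As written, a reader decrypting OCB with a short tag cannot tell which ordering is required.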


[openssl] OpenSSL_1_1_1-stable update

2021-11-24 Thread tomas
The branch OpenSSL_1_1_1-stable has been updated
   via  19706a3ddf72de9c7d11d28e4d2e86ac80d75896 (commit)
  from  6052078d410cb00b58ebd5eb44e8f746a4850321 (commit)


- Log -
commit 19706a3ddf72de9c7d11d28e4d2e86ac80d75896
Author: Allan Jude 
Date:   Fri Nov 19 15:14:30 2021 +

Fix detection of ARMv7 and ARM64 CPU features on FreeBSD

OpenSSL assumes AT_HWCAP = 16 (as on Linux), but on FreeBSD AT_HWCAP = 25.
Switch to using AT_HWCAP, and setting it to 16 if it is not defined.

OpenSSL calls elf_auxv_info() with AT_CANARY which returns ENOENT
resulting in all ARM acceleration features being disabled.

CLA: trivial

Reviewed-by: Ben Kaduk 
Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/17082)

(cherry picked from commit c1dabe26e3e96cdce0ffc929e9677840ad089ba5)

---

Summary of changes:
 crypto/armcap.c | 15 +--
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/crypto/armcap.c b/crypto/armcap.c
index c5685bde58..48c5d4d64e 100644
--- a/crypto/armcap.c
+++ b/crypto/armcap.c
@@ -106,20 +106,23 @@ static unsigned long getauxval(unsigned long key)
  * ARM puts the feature bits for Crypto Extensions in AT_HWCAP2, whereas
  * AArch64 used AT_HWCAP.
  */
+# ifndef AT_HWCAP
+#  define AT_HWCAP   16
+# endif
+# ifndef AT_HWCAP2
+#  define AT_HWCAP2  26
+# endif
 # if defined(__arm__) || defined (__arm)
-#  define HWCAP  16
-  /* AT_HWCAP */
+#  define HWCAP  AT_HWCAP
 #  define HWCAP_NEON (1 << 12)
 
-#  define HWCAP_CE   26
-  /* AT_HWCAP2 */
+#  define HWCAP_CE   AT_HWCAP2
 #  define HWCAP_CE_AES   (1 << 0)
 #  define HWCAP_CE_PMULL (1 << 1)
 #  define HWCAP_CE_SHA1  (1 << 2)
 #  define HWCAP_CE_SHA256(1 << 3)
 # elif defined(__aarch64__)
-#  define HWCAP  16
-  /* AT_HWCAP */
+#  define HWCAP  AT_HWCAP
 #  define HWCAP_NEON (1 << 1)
 
 #  define HWCAP_CE   HWCAP
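
Review bot: the `#ifndef AT_HWCAP` and `#ifndef AT_HWCAP2` fallbacks hard-code the Linux numbers 16 and 26 for every platform. The commit message itself shows why that is fragile: on FreeBSD the value 16 selects a different auxv entry and the lookup fails, which disables all ARM acceleration. If the system header that defines these macros is not included before this point on some target, the fallback silently reintroduces that behaviour. Either include the defining header explicitly above the fallbacks or restrict them to Linux, and add a comment that the literals are the Linux values.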


[openssl] OpenSSL_1_1_1-stable update

2021-11-23 Thread Richard Levitte
The branch OpenSSL_1_1_1-stable has been updated
   via  6052078d410cb00b58ebd5eb44e8f746a4850321 (commit)
  from  6d022b04748c2a89b7f032a41965df19c584e0cf (commit)


- Log -
commit 6052078d410cb00b58ebd5eb44e8f746a4850321
Author: Richard Levitte 
Date:   Sun Nov 21 10:36:18 2021 +0100

DOC: Add a few previously documented functions

d2i_X509_bio(), d2i_X509_fp(), i2d_X509_bio(), and i2d_X509_fp()
were documented in OpenSSL 1.0.2.  In a grand unification of the
documentation of (almost) all d2i and i2d functions, these were
dropped, most likely by mistake.

This simply adds them back.

Fixes #17091

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/17093)

---

Summary of changes:
 doc/man3/d2i_X509.pod | 4 
 1 file changed, 4 insertions(+)

diff --git a/doc/man3/d2i_X509.pod b/doc/man3/d2i_X509.pod
index e42049d2ba..704f6b9eaf 100644
--- a/doc/man3/d2i_X509.pod
+++ b/doc/man3/d2i_X509.pod
@@ -158,6 +158,8 @@ d2i_TS_TST_INFO_bio,
 d2i_TS_TST_INFO_fp,
 d2i_USERNOTICE,
 d2i_X509,
+d2i_X509_bio,
+d2i_X509_fp,
 d2i_X509_ALGOR,
 d2i_X509_ALGORS,
 d2i_X509_ATTRIBUTE,
@@ -338,6 +340,8 @@ i2d_TS_TST_INFO_bio,
 i2d_TS_TST_INFO_fp,
 i2d_USERNOTICE,
 i2d_X509,
+i2d_X509_bio,
+i2d_X509_fp,
 i2d_X509_ALGOR,
 i2d_X509_ALGORS,
 i2d_X509_ATTRIBUTE,


[openssl] OpenSSL_1_1_1-stable update

2021-11-23 Thread bernd . edlinger
The branch OpenSSL_1_1_1-stable has been updated
   via  6d022b04748c2a89b7f032a41965df19c584e0cf (commit)
  from  79ef18759a4f89af0b1e015766a73fa289095673 (commit)


- Log -
commit 6d022b04748c2a89b7f032a41965df19c584e0cf
Author: Bernd Edlinger 
Date:   Fri Nov 19 16:38:55 2021 +0100

Add a test case for duplicate engine loading

Reviewed-by: Tomas Mraz 
Reviewed-by: Dmitry Belyavskiy 
(Merged from https://github.com/openssl/openssl/pull/17083)

---

Summary of changes:
 test/data.bin   |  4 
 test/recipes/20-test_dgst.t | 23 +--
 2 files changed, 25 insertions(+), 2 deletions(-)
 create mode 100644 test/data.bin

diff --git a/test/data.bin b/test/data.bin
new file mode 100644
index 00..3442255280
--- /dev/null
+++ b/test/data.bin
@@ -0,0 +1,4 @@
+TEST DATA
+
+Please note that if a test involves a new testing executable,
+you will need to do some additions in test/build.info.
diff --git a/test/recipes/20-test_dgst.t b/test/recipes/20-test_dgst.t
index 13c2b3af4b..d1cbabe290 100644
--- a/test/recipes/20-test_dgst.t
+++ b/test/recipes/20-test_dgst.t
@@ -11,12 +11,12 @@ use strict;
 use warnings;
 
 use File::Spec;
-use OpenSSL::Test qw/:DEFAULT with srctop_file/;
+use OpenSSL::Test qw/:DEFAULT with srctop_file bldtop_file/;
 use OpenSSL::Test::Utils;
 
 setup("test_dgst");
 
-plan tests => 5;
+plan tests => 6;
 
 sub tsignverify {
 my $testtext = shift;
@@ -102,3 +102,22 @@ SKIP: {
 srctop_file("test","tested448pub.pem"));
 };
 }
+
+SKIP: {
+skip "dgst with engine is not supported by this OpenSSL build", 1
+if disabled("engine") || disabled("dynamic-engine");
+
+subtest "SHA1 generation by engine with `dgst` CLI" => sub {
+plan tests => 1;
+
+my $testdata = srctop_file('test', 'data.bin');
+# intentionally using -engine twice, please do not remove the 
duplicate line
+my @macdata = run(app(['openssl', 'dgst', '-sha1',
+   '-engine', $^O eq 'linux' ? 
bldtop_file("engines", "ossltest.so") : "ossltest",
+   '-engine', $^O eq 'linux' ? 
bldtop_file("engines", "ossltest.so") : "ossltest",
+   $testdata]), capture => 1);
+chomp(@macdata);
+my $expected = qr/SHA1\(\Q$testdata\E\)= 
000102030405060708090a0b0c0d0e0f10111213/;
+ok($macdata[0] =~ $expected, "SHA1: Check HASH value is as expected 
($macdata[0]) vs ($expected)");
+}
+}
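
Review bot: the `$^O eq 'linux' ? bldtop_file("engines", "ossltest.so") : "ossltest"` expression means the load-by-path case is exercised on Linux only; on every other platform both -engine arguments are the bare id, so the duplicate-load regression this test is named for may not be covered there. Consider building the path from the platform's shared-library extension instead of testing `$^O`. The expression is also written out twice; assigning it to a variable once and passing that variable twice keeps the intentional duplication visible without repeating the ternary. Minor: `@macdata` holds a SHA1 digest line, not MAC data, so a name such as `@dgstdata` would be clearer.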


[openssl] OpenSSL_1_1_1-stable update

2021-11-23 Thread dev
The branch OpenSSL_1_1_1-stable has been updated
   via  79ef18759a4f89af0b1e015766a73fa289095673 (commit)
  from  9b06ebb1edfddffea083ba36090af7eb7cad207b (commit)


- Log -
commit 79ef18759a4f89af0b1e015766a73fa289095673
Author: Richard Levitte 
Date:   Fri Nov 19 07:37:29 2021 +0100

ERR: Add a missing common reason string

There was no string present for ERR_R_PASSED_INVALID_ARGUMENT

Reviewed-by: David von Oheimb 
(Merged from https://github.com/openssl/openssl/pull/17069)

---

Summary of changes:
 crypto/err/err.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/crypto/err/err.c b/crypto/err/err.c
index 1372d52f80..70a4cd402c 100644
--- a/crypto/err/err.c
+++ b/crypto/err/err.c
@@ -129,6 +129,7 @@ static ERR_STRING_DATA ERR_str_reasons[] = {
 {ERR_R_INTERNAL_ERROR, "internal error"},
 {ERR_R_DISABLED, "called a function that was disabled at compile-time"},
 {ERR_R_INIT_FAIL, "init fail"},
+{ERR_R_PASSED_INVALID_ARGUMENT, "passed invalid argument"},
 {ERR_R_OPERATION_FAIL, "operation fail"},
 
 {0, NULL},


[openssl] OpenSSL_1_1_1-stable update

2021-11-22 Thread bernd . edlinger
The branch OpenSSL_1_1_1-stable has been updated
   via  9b06ebb1edfddffea083ba36090af7eb7cad207b (commit)
  from  c28bcc507be1b03523789218128383c3f2be (commit)


- Log -
commit 9b06ebb1edfddffea083ba36090af7eb7cad207b
Author: Bernd Edlinger 
Date:   Fri Nov 19 11:33:34 2021 +0100

Avoid loading of a dynamic engine twice

Use the address of the bind function as a DYNAMIC_ID,
since the true name of the engine is not known
before the bind function returns,
but invoking the bind function before the engine
is unloaded results in memory corruption.

Fixes #17023

Reviewed-by: Tomas Mraz 
Reviewed-by: Dmitry Belyavskiy 
(Merged from https://github.com/openssl/openssl/pull/17073)

(cherry picked from commit e2571e02d2b0cd83ed1c79d384fe941f27e603c0)

---

Summary of changes:
 crypto/engine/eng_dyn.c   |  4 ++-
 crypto/engine/eng_lib.c   |  2 ++
 crypto/engine/eng_list.c  | 87 +++
 crypto/engine/eng_local.h |  9 +
 4 files changed, 101 insertions(+), 1 deletion(-)

diff --git a/crypto/engine/eng_dyn.c b/crypto/engine/eng_dyn.c
index 06e677290a..cb1a30799e 100644
--- a/crypto/engine/eng_dyn.c
+++ b/crypto/engine/eng_dyn.c
@@ -477,7 +477,9 @@ static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx)
 engine_set_all_null(e);
 
 /* Try to bind the ENGINE onto our own ENGINE structure */
-if (!ctx->bind_engine(e, ctx->engine_id, )) {
+if (!engine_add_dynamic_id(e, (ENGINE_DYNAMIC_ID)ctx->bind_engine, 1)
+|| !ctx->bind_engine(e, ctx->engine_id, )) {
+engine_remove_dynamic_id(e, 1);
 ctx->bind_engine = NULL;
 ctx->v_check = NULL;
 DSO_free(ctx->dynamic_dso);
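
Review bot: the combined condition sends two different failures down the same error path: engine_add_dynamic_id() refusing a bind function that is already registered, and bind_engine() itself failing. A caller cannot tell "this engine is already loaded" from "this engine failed to initialise". Raise a distinct reason code for the duplicate case before falling into the shared cleanup. It is also worth a comment that engine_remove_dynamic_id(e, 1) is harmless when the add was rejected, since it returns early while e->dynamic_id is still NULL.
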
diff --git a/crypto/engine/eng_lib.c b/crypto/engine/eng_lib.c
index 5bd584c599..29da4a1699 100644
--- a/crypto/engine/eng_lib.c
+++ b/crypto/engine/eng_lib.c
@@ -67,6 +67,7 @@ void engine_set_all_null(ENGINE *e)
 e->load_pubkey = NULL;
 e->cmd_defns = NULL;
 e->flags = 0;
+e->dynamic_id = NULL;
 }
 
 int engine_free_util(ENGINE *e, int not_locked)
@@ -92,6 +93,7 @@ int engine_free_util(ENGINE *e, int not_locked)
  */
 if (e->destroy)
 e->destroy(e);
+engine_remove_dynamic_id(e, not_locked);
 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_ENGINE, e, >ex_data);
 OPENSSL_free(e);
 return 1;
diff --git a/crypto/engine/eng_list.c b/crypto/engine/eng_list.c
index 1352fb7c96..4f9eb99d15 100644
--- a/crypto/engine/eng_list.c
+++ b/crypto/engine/eng_list.c
@@ -24,6 +24,12 @@
 static ENGINE *engine_list_head = NULL;
 static ENGINE *engine_list_tail = NULL;
 
+/*
+ * The linked list of currently loaded dynamic engines.
+ */
+static ENGINE *engine_dyn_list_head = NULL;
+static ENGINE *engine_dyn_list_tail = NULL;
+
 /*
  * This cleanup function is only needed internally. If it should be called,
  * we register it with the "engine_cleanup_int()" stack to be called during
@@ -126,6 +132,85 @@ static int engine_list_remove(ENGINE *e)
 return 1;
 }
 
+/* Add engine to dynamic engine list. */
+int engine_add_dynamic_id(ENGINE *e, ENGINE_DYNAMIC_ID dynamic_id,
+  int not_locked)
+{
+int result = 0;
+ENGINE *iterator = NULL;
+
+if (e == NULL)
+return 0;
+
+if (e->dynamic_id == NULL && dynamic_id == NULL)
+return 0;
+
+if (not_locked && !CRYPTO_THREAD_write_lock(global_engine_lock))
+return 0;
+
+if (dynamic_id != NULL) {
+iterator = engine_dyn_list_head;
+while (iterator != NULL) {
+if (iterator->dynamic_id == dynamic_id)
+goto err;
+iterator = iterator->next;
+}
+if (e->dynamic_id != NULL)
+goto err;
+e->dynamic_id = dynamic_id;
+}
+
+if (engine_dyn_list_head == NULL) {
+/* We are adding to an empty list. */
+if (engine_dyn_list_tail != NULL)
+goto err;
+engine_dyn_list_head = e;
+e->prev_dyn = NULL;
+} else {
+/* We are adding to the tail of an existing list. */
+if (engine_dyn_list_tail == NULL
+|| engine_dyn_list_tail->next_dyn != NULL)
+goto err;
+engine_dyn_list_tail->next_dyn = e;
+e->prev_dyn = engine_dyn_list_tail;
+}
+
+engine_dyn_list_tail = e;
+e->next_dyn = NULL;
+result = 1;
+
+ err:
+if (not_locked)
+CRYPTO_THREAD_unlock(global_engine_lock);
+return result;
+}
+
+/* Remove engine from dynamic engine list. */
+void engine_remove_dynamic_id(ENGINE *e, int not_locked)
+{
+if (e == NULL || e->dynamic_id == NULL)
+return;
+
+if (not_locked && !CRYPTO_THREAD_write_lock(global_engine_lock))
+return;
+
+e->dynamic_id = NULL;
+
+/* un-link e from the chain. */
+if (e->next_dyn != NULL)
+
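
Review bot: the duplicate scan in engine_add_dynamic_id() starts at engine_dyn_list_head but advances with `iterator = iterator->next;`. The dynamic list is linked through next_dyn and prev_dyn everywhere else in this function, so the loop follows the links of the main engine list instead and can miss an entry that is already registered, or visit engines that are not in the dynamic list at all. It should read `iterator = iterator->next_dyn;`. The not_locked parameter is also named the opposite way round from how it reads at the call sites (a value of 1 means "take the lock"); a short comment on the prototype would prevent misuse.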

[openssl] OpenSSL_1_1_1-stable update

2021-11-16 Thread Dr . Paul Dale
The branch OpenSSL_1_1_1-stable has been updated
   via  c28bcc507be1b03523789218128383c3f2be (commit)
  from  4204cd6429b8d25e2d96b38b264ef7fa1b67d7be (commit)


- Log -
commit c28bcc507be1b03523789218128383c3f2be
Author: zhaozg 
Date:   Fri Nov 12 23:12:46 2021 +0800

evp: fix EVP_PKEY_get0_EC_KEY when EC_KEY is SM2

EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2) will change pkey->type to 
EVP_PKEY_SM2

CLA: trivial

Reviewed-by: Tomas Mraz 
Reviewed-by: Matt Caswell 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/17015)

---

Summary of changes:
 crypto/evp/p_lib.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c
index 7e262c573b..eb3e117b52 100644
--- a/crypto/evp/p_lib.c
+++ b/crypto/evp/p_lib.c
@@ -525,7 +525,7 @@ int EVP_PKEY_set1_EC_KEY(EVP_PKEY *pkey, EC_KEY *key)
 
 EC_KEY *EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey)
 {
-if (pkey->type != EVP_PKEY_EC) {
+if (EVP_PKEY_base_id(pkey) != EVP_PKEY_EC) {
 EVPerr(EVP_F_EVP_PKEY_GET0_EC_KEY, EVP_R_EXPECTING_A_EC_KEY);
 return NULL;
 }
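
Review bot: the switch from `pkey->type` to EVP_PKEY_base_id(pkey) in EVP_PKEY_get0_EC_KEY() arrives without a test; the summary lists crypto/evp/p_lib.c only. Add a case that calls EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2) on an EC key and then checks that EVP_PKEY_get0_EC_KEY() still returns the key, so the alias handling does not regress. Please also check whether other accessors in this file still compare `pkey->type` directly and need the same treatment.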


[openssl] OpenSSL_1_1_1-stable update

2021-11-16 Thread Matt Caswell
The branch OpenSSL_1_1_1-stable has been updated
   via  4204cd6429b8d25e2d96b38b264ef7fa1b67d7be (commit)
  from  ce287b72e49a2b064550508631d638124f85e693 (commit)


- Log -
commit 4204cd6429b8d25e2d96b38b264ef7fa1b67d7be
Author: x2018 
Date:   Wed Oct 27 17:26:48 2021 +0800

free the Post-Handshake Auth digest when there is an error saving the digest

Reviewed-by: Tomas Mraz 
Reviewed-by: Bernd Edlinger 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/16924)

---

Summary of changes:
 ssl/statem/statem_lib.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index c3b6f8f456..c218992e46 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -2410,6 +2410,8 @@ int tls13_save_handshake_digest_for_pha(SSL *s)
 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  SSL_F_TLS13_SAVE_HANDSHAKE_DIGEST_FOR_PHA,
  ERR_R_INTERNAL_ERROR);
+EVP_MD_CTX_free(s->pha_dgst);
+s->pha_dgst = NULL;
 return 0;
 }
 }


[openssl] OpenSSL_1_1_1-stable update

2021-11-15 Thread Matt Caswell
The branch OpenSSL_1_1_1-stable has been updated
   via  ce287b72e49a2b064550508631d638124f85e693 (commit)
  from  45838e536c08c74e68536501d6dc2ef9f4d499da (commit)


- Log -
commit ce287b72e49a2b064550508631d638124f85e693
Author: Matt Caswell 
Date:   Thu Nov 11 16:59:43 2021 +

Reset the rwstate before calling ASYNC_start_job()

If an async job pauses while processing a TLS connection then the
rwstate gets set to SSL_ASYNC_PAUSED. When resuming the job we should
reset the rwstate back to SSL_NOTHING. In fact we can do this
unconditionally since if we're about to call ASYNC_start_job() then either
we are about to start the async job for the first time (in which case the
rwstate should already be SSL_NOTHING), or we are restarting it after a
pause (in which case resetting it to SSL_NOTHING is the correct action).

Fixes #16809

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/17013)

(cherry picked from commit 07f620e3acf0dd76a3a03ada9911c544aa483aa7)

---

Summary of changes:
 ssl/ssl_lib.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index ffd0a0bc6d..9c411a3293 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1684,6 +1684,8 @@ static int ssl_start_async_job(SSL *s, struct 
ssl_async_args *args,
 if (s->waitctx == NULL)
 return -1;
 }
+
+s->rwstate = SSL_NOTHING;
 switch (ASYNC_start_job(>job, s->waitctx, , func, args,
 sizeof(struct ssl_async_args))) {
 case ASYNC_ERR:
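Review bot: The unconditional s->rwstate = SSL_NOTHING just before the ASYNC_start_job() switch has no comment, and the reasoning for why it is safe lives only in the commit message. A short comment at the assignment (first start: already SSL_NOTHING; restart after a pause: clears SSL_ASYNC_PAUSED) would stop a later reader from making it conditional again.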


[openssl] OpenSSL_1_1_1-stable update

2021-11-08 Thread Dr . Paul Dale
The branch OpenSSL_1_1_1-stable has been updated
   via  45838e536c08c74e68536501d6dc2ef9f4d499da (commit)
  from  80e52bb852673cf6f1908549ff9960d02a644d51 (commit)


- Log -
commit 45838e536c08c74e68536501d6dc2ef9f4d499da
Author: PW Hu 
Date:   Fri Nov 5 17:16:03 2021 +0800

Fix: invoking x509_name_canon improperly

Reviewed-by: Tomas Mraz 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/16974)

(cherry picked from commit 09235289c377ff998964bb6b074bb2a3ad768fd2)

---

Summary of changes:
 crypto/x509/x_name.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/crypto/x509/x_name.c b/crypto/x509/x_name.c
index aa7f4722b6..2214e580c8 100644
--- a/crypto/x509/x_name.c
+++ b/crypto/x509/x_name.c
@@ -217,8 +217,8 @@ static int x509_name_ex_i2d(ASN1_VALUE **val, unsigned char 
**out,
 if (ret < 0)
 return ret;
 ret = x509_name_canon(a);
-if (ret < 0)
-return ret;
+if (!ret)
+return -1;
 }
 ret = a->bytes->length;
 if (out != NULL) {
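Review bot: After this change the same variable ret is tested with two different failure conventions a few lines apart: ret < 0 for the preceding call and !ret for x509_name_canon(). That is easy to "tidy up" incorrectly later, so add a comment at the new check stating that x509_name_canon() reports failure as 0, and that it is mapped to -1 here because this function signals errors with a negative value.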


[openssl] OpenSSL_1_1_1-stable update

2021-11-04 Thread bernd . edlinger
The branch OpenSSL_1_1_1-stable has been updated
   via  80e52bb852673cf6f1908549ff9960d02a644d51 (commit)
  from  bdaf55d0850056fcf3362e5dc1c868f2c8324f25 (commit)


- Log -
commit 80e52bb852673cf6f1908549ff9960d02a644d51
Author: Bernd Edlinger 
Date:   Wed Nov 3 09:19:39 2021 +0100

Fix a memory leak in ssl_create_cipher_list

Reviewed-by: Paul Dale 
Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/16955)

---

Summary of changes:
 ssl/ssl_ciph.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 735a483c64..0820f2cd0c 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1601,6 +1601,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const 
SSL_METHOD *ssl_method,
 for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
 if (!sk_SSL_CIPHER_push(cipherstack,
 sk_SSL_CIPHER_value(tls13_ciphersuites, i))) {
+OPENSSL_free(co_list);
 sk_SSL_CIPHER_free(cipherstack);
 return NULL;
 }
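Review bot: The push-failure branch now releases co_list and cipherstack by hand before return NULL, which fixes this exit but keeps the cleanup duplicated per branch. The hunk shows only this one return, so the other early exits between the allocation of co_list and its normal release should be checked for the same omission; a single cleanup label would make the next missed free less likely.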


[openssl] OpenSSL_1_1_1-stable update

2021-11-04 Thread bernd . edlinger
The branch OpenSSL_1_1_1-stable has been updated
   via  bdaf55d0850056fcf3362e5dc1c868f2c8324f25 (commit)
  from  afbea17ded816aba6d7106671b405de82da5c6f3 (commit)


- Log -
commit bdaf55d0850056fcf3362e5dc1c868f2c8324f25
Author: Bernd Edlinger 
Date:   Wed Nov 3 09:40:59 2021 +0100

Fix a memory leak in tls_parse_stoc_key_share

Reviewed-by: Paul Dale 
Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/16957)

---

Summary of changes:
 ssl/statem/extensions_clnt.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index ce8a75794c..621fcfa561 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -1872,6 +1872,7 @@ int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, 
unsigned int context, X509 *x,
 if (skey == NULL || EVP_PKEY_copy_parameters(skey, ckey) <= 0) {
 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
  ERR_R_MALLOC_FAILURE);
+EVP_PKEY_free(skey);
 return 0;
 }
 if (!EVP_PKEY_set1_tls_encodedpoint(skey, PACKET_data(_pt),
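Review bot: In the branch guarded by skey == NULL || EVP_PKEY_copy_parameters(skey, ckey) <= 0 the added EVP_PKEY_free(skey) covers the copy failure, but both cases are still reported as ERR_R_MALLOC_FAILURE, which is misleading when the copy is what failed. The EVP_PKEY_set1_tls_encodedpoint() check that starts on the last context line is a further failure exit for the same skey; its body is outside this hunk and should be confirmed to free the key as well.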


[openssl] OpenSSL_1_1_1-stable update

2021-11-03 Thread tomas
The branch OpenSSL_1_1_1-stable has been updated
   via  afbea17ded816aba6d7106671b405de82da5c6f3 (commit)
  from  886e6855c3fd5ea977b36afea5a2aa31b7cdd01c (commit)


- Log -
commit afbea17ded816aba6d7106671b405de82da5c6f3
Author: x2018 
Date:   Mon Nov 1 20:36:54 2021 +0800

check the return value of BN_new() and BN_dup()

Reviewed-by: Paul Dale 
Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/16948)

(cherry picked from commit d99004fe5de934120765d342586f08d22131b8ed)

---

Summary of changes:
 test/testutil/tests.c | 12 ++--
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/test/testutil/tests.c b/test/testutil/tests.c
index a60af0764f..bd05f34250 100644
--- a/test/testutil/tests.c
+++ b/test/testutil/tests.c
@@ -393,8 +393,8 @@ int test_BN_eq_word(const char *file, int line, const char 
*bns, const char *ws,
 
 if (a != NULL && BN_is_word(a, w))
 return 1;
-bw = BN_new();
-BN_set_word(bw, w);
+if ((bw = BN_new()) != NULL)
+BN_set_word(bw, w);
 test_fail_bignum_message(NULL, file, line, "BIGNUM", bns, ws, "==", a, bw);
 BN_free(bw);
 return 0;
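Review bot: In test_BN_eq_word the new guard only protects BN_set_word() from a NULL bw; the return value of BN_set_word() is still ignored, and a NULL bw is then passed straight to test_fail_bignum_message(). If that reporting function is expected to cope with a NULL operand, say so in a comment here; otherwise the failure message can show a misleading right-hand value when allocation fails.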
@@ -407,10 +407,10 @@ int test_BN_abs_eq_word(const char *file, int line, const 
char *bns,
 
 if (a != NULL && BN_abs_is_word(a, w))
 return 1;
-bw = BN_new();
-aa = BN_dup(a);
-BN_set_negative(aa, 0);
-BN_set_word(bw, w);
+if ((aa = BN_dup(a)) != NULL)
+BN_set_negative(aa, 0);
+if ((bw = BN_new()) != NULL)
+BN_set_word(bw, w);
 test_fail_bignum_message(NULL, file, line, "BIGNUM", bns, ws, "abs==",
  aa, bw);
 BN_free(bw);
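Review bot: In test_BN_abs_eq_word the guard on aa = BN_dup(a) matters for more than allocation failure: the preceding test a != NULL && BN_abs_is_word(a, w) shows that a may be NULL when execution reaches this point, and the removed code called BN_set_negative(aa, 0) unconditionally. The commit message mentions only return-value checking, so a comment noting that a NULL input is a supported case would help. The return value of BN_set_word() is still unchecked here too.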


[openssl] OpenSSL_1_1_1-stable update

2021-10-28 Thread Dr . Paul Dale
The branch OpenSSL_1_1_1-stable has been updated
   via  886e6855c3fd5ea977b36afea5a2aa31b7cdd01c (commit)
  from  c03fa13e4ab4c27ef22284e56e6ddb43798e5874 (commit)


- Log -
commit 886e6855c3fd5ea977b36afea5a2aa31b7cdd01c
Author: Pauli 
Date:   Wed Oct 27 08:30:51 2021 +1000

speed: range check the argument given to -multi for 1.1.1

Fixes #16899 for 1.1.1 branch.

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/16922)

---

Summary of changes:
 apps/speed.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/apps/speed.c b/apps/speed.c
index d4ae7ab7bf..7f2d3165f9 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -1590,6 +1590,10 @@ int speed_main(int argc, char **argv)
 case OPT_MULTI:
 #ifndef NO_FORK
 multi = atoi(opt_arg());
+if (multi >= INT_MAX / (int)sizeof(int)) {
+BIO_printf(bio_err, "%s: multi argument too large\n", prog);
+return 0;
+}
 #endif
 break;
 case OPT_ASYNCJOBS:
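Review bot: The new range check on multi only bounds the value from above: multi comes from atoi(opt_arg()), so a negative or non-numeric argument still passes multi >= INT_MAX / (int)sizeof(int) unchallenged. The error branch also prints to bio_err and then does return 0 directly from speed_main, which reads as a success status and bypasses whatever common exit path the function has; consider rejecting multi < 0 as well and leaving through the same error exit the other option failures use.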


[openssl] OpenSSL_1_1_1-stable update

2021-10-27 Thread Matt Caswell
The branch OpenSSL_1_1_1-stable has been updated
   via  c03fa13e4ab4c27ef22284e56e6ddb43798e5874 (commit)
  from  95fd012db5827d4e29f33213b0ba178a4628c40d (commit)


- Log -
commit c03fa13e4ab4c27ef22284e56e6ddb43798e5874
Author: Matt Caswell 
Date:   Fri Oct 22 10:17:14 2021 +0100

Fix a gcc 11.2.0 warning

gcc 11.2.0 is the default on Ubuntu 21.10. It emits a (spurious) warning
when compiling test/packettest.c, which causes --strict-warnings builds
to fail. A simple fix avoids the warning.

Reviewed-by: Paul Dale 
Reviewed-by: Dmitry Belyavskiy 
(Merged from https://github.com/openssl/openssl/pull/16887)

(cherry picked from commit 37467b2752f75ce80437120f704452982b7c1998)

---

Summary of changes:
 test/packettest.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/packettest.c b/test/packettest.c
index 6c82d04414..83168c0261 100644
--- a/test/packettest.c
+++ b/test/packettest.c
@@ -302,7 +302,7 @@ static int test_PACKET_forward(void)
 
 static int test_PACKET_buf_init(void)
 {
-unsigned char buf1[BUF_LEN];
+unsigned char buf1[BUF_LEN] = { 0 };
 PACKET pkt;
 
 /* Also tests PACKET_remaining() */
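Review bot: The initializer added to buf1 in test_PACKET_buf_init has no comment, and per the commit message it exists only to silence a spurious gcc 11.2.0 warning. Without a note next to the declaration it looks like a redundant initialization and is likely to be removed in a later cleanup, bringing the --strict-warnings failure back.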


[openssl] OpenSSL_1_1_1-stable update

2021-10-25 Thread Matt Caswell
The branch OpenSSL_1_1_1-stable has been updated
   via  95fd012db5827d4e29f33213b0ba178a4628c40d (commit)
  from  0ad7578822b188447b1946e65a0ec4b5b07ead3f (commit)


- Log -
commit 95fd012db5827d4e29f33213b0ba178a4628c40d
Author: Matt Caswell 
Date:   Fri Oct 22 16:09:44 2021 +0100

Fix no-cmac

Reviewed-by: Bernd Edlinger 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/16894)

(cherry picked from commit ef2fb64f9dfde1965cb0b8a5f8765c4f467c1604)

---

Summary of changes:
 test/evp_extra_test.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
index 74b7e0bcb8..e4a0b180d7 100644
--- a/test/evp_extra_test.c
+++ b/test/evp_extra_test.c
@@ -1786,6 +1786,12 @@ static int test_signatures_with_engine(int tst)
 size_t maclen = 0;
 int ret;
 
+#  ifdef OPENSSL_NO_CMAC
+/* Skip CMAC tests in a no-cmac build */
+if (tst <= 1)
+return 1;
+#  endif
+
 if (!TEST_ptr(e = ENGINE_by_id(engine_id)))
 return 0;
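Review bot: The OPENSSL_NO_CMAC guard in test_signatures_with_engine hard-codes tst <= 1 as "the CMAC cases", which silently depends on the ordering of the switch further down in the function. If a test index is inserted or reordered, this skips the wrong cases. It also returns 1, so a no-cmac build reports these cases as passed rather than skipped; a named constant for the last CMAC index, or a skip result if the test framework offers one, would make both points visible.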
 


[openssl] OpenSSL_1_1_1-stable update

2021-10-22 Thread Matt Caswell
The branch OpenSSL_1_1_1-stable has been updated
   via  0ad7578822b188447b1946e65a0ec4b5b07ead3f (commit)
  from  b28d41afbfebd8c668ee039d10d1a0edbed09dba (commit)


- Log -
commit 0ad7578822b188447b1946e65a0ec4b5b07ead3f
Author: Matt Caswell 
Date:   Thu Oct 14 17:31:36 2021 +0100

Fix the s_server psk_server_cb for use in DTLS

Commit 0007ff257c added a protocol version check to psk_server_cb but
failed to take account of DTLS causing DTLS based psk connections to
fail.

Fixes #16707

Reviewed-by: Ben Kaduk 
(Merged from https://github.com/openssl/openssl/pull/16838)

(cherry picked from commit 8b09a9c76d873f62c2507fa9628a9c96c1d66d5c)

---

Summary of changes:
 apps/s_server.c | 10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/apps/s_server.c b/apps/s_server.c
index 938e244222..64d53e68d0 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -134,12 +134,12 @@ static unsigned int psk_server_cb(SSL *ssl, const char 
*identity,
 if (s_debug)
 BIO_printf(bio_s_out, "psk_server_cb\n");
 
-if (SSL_version(ssl) >= TLS1_3_VERSION) {
+if (!SSL_is_dtls(ssl) && SSL_version(ssl) >= TLS1_3_VERSION) {
 /*
- * This callback is designed for use in TLSv1.2. It is possible to use
- * a single callback for all protocol versions - but it is preferred to
- * use a dedicated callback for TLSv1.3. For TLSv1.3 we have
- * psk_find_session_cb.
+ * This callback is designed for use in (D)TLSv1.2 (or below). It is
+ * possible to use a single callback for all protocol versions - but it
+ * is preferred to use a dedicated callback for TLSv1.3. For TLSv1.3 we
+ * have psk_find_session_cb.
  */
 return 0;
 }
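Review bot: The new !SSL_is_dtls(ssl) guard in psk_server_cb is correct, but the updated comment still does not say why the bare version comparison is wrong for DTLS: DTLS version constants are numerically larger than TLS1_3_VERSION (DTLS1_2_VERSION is 0xFEFD, TLS1_3_VERSION is 0x0304), so SSL_version(ssl) >= TLS1_3_VERSION is true for every DTLS connection. One sentence to that effect in the comment would keep the guard from being dropped as redundant.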


[openssl] OpenSSL_1_1_1-stable update

2021-10-22 Thread tomas
The branch OpenSSL_1_1_1-stable has been updated
   via  b28d41afbfebd8c668ee039d10d1a0edbed09dba (commit)
  from  851abe78b4ea7b8f238a652cd911420cd0950ff6 (commit)


- Log -
commit b28d41afbfebd8c668ee039d10d1a0edbed09dba
Author: Peiwei Hu 
Date:   Sat Oct 9 09:25:27 2021 +0800

Fix BIO_get_md_ctx return value check

Reviewed-by: Shane Lontis 
Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/16792)

---

Summary of changes:
 apps/dgst.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/apps/dgst.c b/apps/dgst.c
index e595f7d818..b07fff3fb3 100644
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -316,7 +316,7 @@ int dgst_main(int argc, char **argv)
 EVP_MD_CTX *mctx = NULL;
 EVP_PKEY_CTX *pctx = NULL;
 int r;
-if (!BIO_get_md_ctx(bmd, )) {
+if (BIO_get_md_ctx(bmd, ) <= 0) {
 BIO_printf(bio_err, "Error getting context\n");
 ERR_print_errors(bio_err);
 goto end;
@@ -345,7 +345,7 @@ int dgst_main(int argc, char **argv)
 /* we use md as a filter, reading from 'in' */
 else {
 EVP_MD_CTX *mctx = NULL;
-if (!BIO_get_md_ctx(bmd, )) {
+if (BIO_get_md_ctx(bmd, ) <= 0) {
 BIO_printf(bio_err, "Error getting context\n");
 ERR_print_errors(bio_err);
 goto end;
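Review bot: Both BIO_get_md_ctx() call sites in dgst_main now test <= 0 instead of !, with identical error handling copied in each branch. The commit message does not say which non-positive values the call can return, so a reader cannot tell from the patch why ! was insufficient; state in the message or a comment that a negative return was previously treated as success, and consider a small local helper so the two checks cannot drift apart again.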


[openssl] OpenSSL_1_1_1-stable update

2021-10-22 Thread tomas
The branch OpenSSL_1_1_1-stable has been updated
   via  851abe78b4ea7b8f238a652cd911420cd0950ff6 (commit)
  from  69211b0fce408537bdfec7dd4cc5814b3c4eda8c (commit)


- Log -
commit 851abe78b4ea7b8f238a652cd911420cd0950ff6
Author: PW Hu 
Date:   Sat Oct 9 15:21:00 2021 +0800

Fix some documentation errors related to return values

Reviewed-by: Shane Lontis 
Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/16794)

(cherry picked from commit f1d077f1108b1bc2334350a4d53a46e29e082910)

---

Summary of changes:
 doc/man3/ENGINE_add.pod   | 5 ++---
 doc/man3/ERR_load_strings.pod | 4 ++--
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/doc/man3/ENGINE_add.pod b/doc/man3/ENGINE_add.pod
index 369900c248..74589538b2 100644
--- a/doc/man3/ENGINE_add.pod
+++ b/doc/man3/ENGINE_add.pod
@@ -597,8 +597,7 @@ B implementations.
 
 All ENGINE_register_TYPE() functions return 1 on success or 0 on error.
 
-ENGINE_register_complete() and ENGINE_register_all_complete() return 1 on 
success
-or 0 on error.
+ENGINE_register_complete() and ENGINE_register_all_complete() always return 1.
 
 ENGINE_ctrl() returns a positive value on success or others on error.
 
@@ -609,7 +608,7 @@ ENGINE_ctrl_cmd() and ENGINE_ctrl_cmd_string() return 1 on 
success or 0 on error
 ENGINE_new() returns a valid B structure on success or NULL if an error
 occurred.
 
-ENGINE_free() returns 1 on success or 0 on error.
+ENGINE_free() always returns 1.
 
 ENGINE_up_ref() returns 1 on success or 0 on error.
 
diff --git a/doc/man3/ERR_load_strings.pod b/doc/man3/ERR_load_strings.pod
index 3167f27150..8c708584c0 100644
--- a/doc/man3/ERR_load_strings.pod
+++ b/doc/man3/ERR_load_strings.pod
@@ -9,7 +9,7 @@ arbitrary error strings
 
  #include 
 
- void ERR_load_strings(int lib, ERR_STRING_DATA str[]);
+ int ERR_load_strings(int lib, ERR_STRING_DATA *str);
 
  int ERR_get_next_error_library(void);
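Review bot: The SYNOPSIS line for ERR_load_strings changes two things at once, the return type (void to int) and the parameter spelling (str[] to *str), while the change summary lists only the two .pod files. Please confirm both match the declaration in the public header exactly, since a synopsis that disagrees with the header is worse than the old text; the RETURN VALUES paragraph in the next hunk then depends on that same declaration.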
 
@@ -38,7 +38,7 @@ to user libraries at runtime.
 
 =head1 RETURN VALUES
 
-ERR_load_strings() returns no value. ERR_PACK() return the error code.
+ERR_load_strings() returns 1 for success and 0 for failure. ERR_PACK() returns 
the error code.
 ERR_get_next_error_library() returns zero on failure, otherwise a new
 library number.
 


[openssl] OpenSSL_1_1_1-stable update

2021-10-21 Thread Matt Caswell
The branch OpenSSL_1_1_1-stable has been updated
   via  69211b0fce408537bdfec7dd4cc5814b3c4eda8c (commit)
   via  3ce10cc8037bb8cdd1b1f383110d76f922b35808 (commit)
  from  2f8b8045e6b9a7780873c28c569a8a6388e11306 (commit)


- Log -
commit 69211b0fce408537bdfec7dd4cc5814b3c4eda8c
Author: Matt Caswell 
Date:   Fri Oct 15 16:30:45 2021 +0100

Add tests for ENGINE problems

Add some tests which would have caught the issues fixed in the previous
commit related to engine handling.

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/16860)

commit 3ce10cc8037bb8cdd1b1f383110d76f922b35808
Author: Matt Caswell 
Date:   Fri Oct 15 16:23:31 2021 +0100

Ensure pkey_set_type handles ENGINE references correctly

pkey_set_type should not consume the ENGINE references that may be
passed to it.

Fixes #16757

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/16860)

---

Summary of changes:
 crypto/evp/p_lib.c|   9 ++-
 test/evp_extra_test.c | 169 +-
 2 files changed, 175 insertions(+), 3 deletions(-)

diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c
index 9f1a485a5b..7e262c573b 100644
--- a/crypto/evp/p_lib.c
+++ b/crypto/evp/p_lib.c
@@ -212,10 +212,15 @@ static int pkey_set_type(EVP_PKEY *pkey, ENGINE *e, int 
type, const char *str,
 }
 if (pkey) {
 pkey->ameth = ameth;
-pkey->engine = e;
-
 pkey->type = pkey->ameth->pkey_id;
 pkey->save_type = type;
+# ifndef OPENSSL_NO_ENGINE
+if (eptr == NULL && e != NULL && !ENGINE_init(e)) {
+EVPerr(EVP_F_PKEY_SET_TYPE, EVP_R_INITIALIZATION_ERROR);
+return 0;
+}
+# endif
+pkey->engine = e;
 }
 return 1;
 }
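Review bot: In the if (pkey) block the new ENGINE_init(e) failure branch returns 0 after pkey->ameth, pkey->type and pkey->save_type have already been assigned, so a failed call leaves the key half-updated with the new method but no engine. Moving the ENGINE_init() check ahead of the three assignments would make the failure atomic. The eptr == NULL condition also deserves a comment explaining which caller already holds an initialised reference, because the ownership rule is the whole point of the fix.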
diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
index 3eea4b0fba..74b7e0bcb8 100644
--- a/test/evp_extra_test.c
+++ b/test/evp_extra_test.c
@@ -10,6 +10,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -19,6 +20,7 @@
 #include 
 #include 
 #include 
+#include 
 #include "testutil.h"
 #include "internal/nelem.h"
 #include "crypto/evp.h"
@@ -1758,10 +1760,166 @@ static int test_EVP_PKEY_set1_DH(void)
 
 return ret;
 }
-#endif
+#endif /* OPENSSL_NO_DH */
+
+#if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
+/* Test we can create a signature keys with an associated ENGINE */
+static int test_signatures_with_engine(int tst)
+{
+ENGINE *e;
+const char *engine_id = "dasync";
+EVP_PKEY *pkey = NULL;
+const unsigned char badcmackey[] = { 0x00, 0x01 };
+const unsigned char cmackey[] = {
+0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
+0x0c, 0x0d, 0x0e, 0x0f
+};
+const unsigned char ed25519key[] = {
+0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
+0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
+};
+const unsigned char msg[] = { 0x00, 0x01, 0x02, 0x03 };
+int testresult = 0;
+EVP_MD_CTX *ctx = NULL;
+unsigned char *mac = NULL;
+size_t maclen = 0;
+int ret;
+
+if (!TEST_ptr(e = ENGINE_by_id(engine_id)))
+return 0;
+
+if (!TEST_true(ENGINE_init(e))) {
+ENGINE_free(e);
+return 0;
+}
+
+switch (tst) {
+case 0:
+pkey = EVP_PKEY_new_CMAC_key(e, cmackey, sizeof(cmackey),
+ EVP_aes_128_cbc());
+break;
+case 1:
+pkey = EVP_PKEY_new_CMAC_key(e, badcmackey, sizeof(badcmackey),
+ EVP_aes_128_cbc());
+break;
+case 2:
+pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_ED25519, e, ed25519key,
+sizeof(ed25519key));
+break;
+default:
+TEST_error("Invalid test case");
+goto err;
+}
+if (tst == 1) {
+/*
+ * In 1.1.1 CMAC keys will fail to during EVP_PKEY_new_CMAC_key() if 
the
+ * key is bad. In later versions this isn't detected until later.
+ */
+if (!TEST_ptr_null(pkey))
+goto err;
+} else {
+if (!TEST_ptr(pkey))
+goto err;
+}
+
+if (tst == 0 || tst == 1) {
+/*
+ * We stop the test here for tests 0 and 1. The dasync engine doesn't
+ * actually support CMAC in 1.1.1.
+ */
+testresult = 1;
+goto err;
+}
+
+if (!TEST_ptr(ctx = EVP_MD_CTX_new()))
+goto err;
+
+ret = EVP_DigestSignInit(ctx, NULL, tst == 2 ? NULL : EVP_sha256(), NULL,
+ pkey);
+if (tst == 0) {
+if (!TEST_true(ret))
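Review bot: In test_signatures_with_engine the branch if (tst == 0) after EVP_DigestSignInit() is unreachable: the earlier block if (tst == 0 || tst == 1) sets testresult and jumps to err, so only tst == 2 ever gets this far. The same applies to the tst == 2 ? NULL : EVP_sha256() selector. Either drop the dead branches in this backport or mark them as intentionally kept for parity with the newer branch, otherwise the test appears to cover CMAC signing when it does not. The comment typos ("a signature keys", "will fail to during") are worth fixing in the same pass.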
+

[openssl] OpenSSL_1_1_1-stable update

2021-10-15 Thread tomas
The branch OpenSSL_1_1_1-stable has been updated
   via  2f8b8045e6b9a7780873c28c569a8a6388e11306 (commit)
  from  bf07844312caf4ac251f5303993230c254e7c771 (commit)


- Log -
commit 2f8b8045e6b9a7780873c28c569a8a6388e11306
Author: Peiwei Hu 
Date:   Tue Oct 12 10:50:12 2021 +0800

test/ssl_old_test.c: Fix potential leak

Reviewed-by: Kurt Roeckx 
Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/16806)

(cherry picked from commit 34563be5368fb8e6ade7d06d8376522ba83cd6ac)

---

Summary of changes:
 test/ssltest_old.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/test/ssltest_old.c b/test/ssltest_old.c
index cc98e4f866..b6e21e4e18 100644
--- a/test/ssltest_old.c
+++ b/test/ssltest_old.c
@@ -841,12 +841,14 @@ static SSL_SESSION *read_session(const char *filename)
 
 static int write_session(const char *filename, SSL_SESSION *sess)
 {
-BIO *f = BIO_new_file(filename, "w");
+BIO *f;
 
 if (sess == NULL) {
 BIO_printf(bio_err, "No session information\n");
 return 0;
 }
+
+f = BIO_new_file(filename, "w");
 if (f == NULL) {
 BIO_printf(bio_err, "Can't open session file %s\n", filename);
 ERR_print_errors(bio_err);


[openssl] OpenSSL_1_1_1-stable update

2021-10-14 Thread Richard Levitte
The branch OpenSSL_1_1_1-stable has been updated
   via  bf07844312caf4ac251f5303993230c254e7c771 (commit)
  from  6b0f7a67f71e03b90b654ed20786acca54d20fae (commit)


- Log -
commit bf07844312caf4ac251f5303993230c254e7c771
Author: Richard Levitte 
Date:   Thu Oct 14 18:49:11 2021 +0200

Fix test/recipes/01-test_symbol_presence.t to disregard version info

The output of 'nm -DPg' contains version info attached to the symbols,
which makes the test fail.  Simply dropping the version info makes the
test work again.

Fixes #16810 (followup)

Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/16840)

(cherry picked from commit 73970cb91fdf8e7b4b434d479b875a47a0aa0dbc)

---

Summary of changes:
 test/recipes/01-test_symbol_presence.t | 12 +++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/test/recipes/01-test_symbol_presence.t 
b/test/recipes/01-test_symbol_presence.t
index 39ed4d447b..e75d2c3e72 100644
--- a/test/recipes/01-test_symbol_presence.t
+++ b/test/recipes/01-test_symbol_presence.t
@@ -57,7 +57,17 @@ foreach my $libname (@libnames) {
 note "Number of lines in \@def_lines before massaging: ", scalar 
@def_lines;
 
 # Massage the nm output to only contain defined symbols
-@nm_lines = sort map { s| .*||; $_ } grep(m|.* [BCDST] .*|, @nm_lines);
+@nm_lines =
+sort
+map {
+# Drop the first space and everything following it
+s| .*||;
+# Drop OpenSSL dynamic version information if there is any
+s|\@\@OPENSSL_[0-9._]+[a-z]?$||;
+# Return the result
+$_
+}
+grep(m|.* [BCDST] .*|, @nm_lines);
 
 # Massage the mkdef.pl output to only contain global symbols
 # The output we got is in Unix .map format, which has a global


[openssl] OpenSSL_1_1_1-stable update

2021-10-14 Thread Richard Levitte
The branch OpenSSL_1_1_1-stable has been updated
   via  6b0f7a67f71e03b90b654ed20786acca54d20fae (commit)
  from  993ae6d207be1ae8c1901ea70a34adf0414e3e71 (commit)


- Log -
commit 6b0f7a67f71e03b90b654ed20786acca54d20fae
Author: Richard Levitte 
Date:   Wed Oct 13 09:09:05 2021 +0200

Fix test/recipes/01-test_symbol_presence.t to allow for stripped libraries

It's a small change to the 'nm' call, to have it look at dynamic symbols
rather than the normal ones.

Fixes #16810

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/16822)

(cherry picked from commit a85b4de6a6cbe03c46219d4b1c3b2828ca3fd51c)

---

Summary of changes:
 test/recipes/01-test_symbol_presence.t | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/test/recipes/01-test_symbol_presence.t 
b/test/recipes/01-test_symbol_presence.t
index 7f2a2d75b8..39ed4d447b 100644
--- a/test/recipes/01-test_symbol_presence.t
+++ b/test/recipes/01-test_symbol_presence.t
@@ -37,12 +37,12 @@ foreach my $libname (@libnames) {
 *OSTDOUT = *STDOUT;
 open STDERR, ">", devnull();
 open STDOUT, ">", devnull();
-my @nm_lines = map { s|\R$||; $_ } `nm -Pg $shlibpath 2> /dev/null`;
+my @nm_lines = map { s|\R$||; $_ } `nm -DPg $shlibpath 2> /dev/null`;
 close STDERR;
 close STDOUT;
 *STDERR = *OSTDERR;
 *STDOUT = *OSTDOUT;
-skip "Can't run 'nm -Pg $shlibpath' => $?...  ignoring", 2
+skip "Can't run 'nm -DPg $shlibpath' => $?...  ignoring", 2
 unless $? == 0;
 
 my $bldtop = bldtop_dir();
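Review bot: Switching the backtick command to nm -DPg makes the test depend on an nm that accepts -D, and the skip ... unless $? == 0 line below turns any failure of that command into a skipped test with the output already redirected to devnull. On a platform whose nm rejects -D the symbol-presence check therefore disappears without a visible reason. Consider falling back to nm -Pg when the -D invocation fails, or at least including the reason in the skip message.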


[openssl] OpenSSL_1_1_1-stable update

2021-10-11 Thread Matt Caswell
The branch OpenSSL_1_1_1-stable has been updated
   via  993ae6d207be1ae8c1901ea70a34adf0414e3e71 (commit)
   via  f5ed4f0bbe31617b6df897ac6a28af9b3c8fd18e (commit)
  from  a653e037ef0236ea9cd84ec4c94f0bb94aca56ab (commit)


- Log -
commit 993ae6d207be1ae8c1901ea70a34adf0414e3e71
Author: Matt Caswell 
Date:   Mon Sep 20 14:36:42 2021 +0100

Extend custom extension testing

Test the scenario where we add a custom extension to a certificate
request and expect a response in the client's certificate message.

Reviewed-by: Paul Dale 
Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/16634)

(cherry picked from commit 0db3a9904fa00569905be130854a31dab7b8f49d)

commit f5ed4f0bbe31617b6df897ac6a28af9b3c8fd18e
Author: Matt Caswell 
Date:   Mon Sep 20 14:15:18 2021 +0100

New extensions can be sent in a certificate request

Normally we expect a client to send new extensions in the ClientHello,
which may be echoed back by the server in subsequent messages. However the
server can also send a new extension in the certificate request message to
be echoed back in a certificate message.

Fixes #16632

Reviewed-by: Paul Dale 
Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/16634)

(cherry picked from commit cbb862fbaaa1ec5a3e33836bc92a6dbea97ceba0)

---

Summary of changes:
 ssl/statem/extensions_cust.c | 11 ++-
 test/sslapitest.c| 37 -
 2 files changed, 34 insertions(+), 14 deletions(-)

diff --git a/ssl/statem/extensions_cust.c b/ssl/statem/extensions_cust.c
index a0ba18efa7..fa24344db7 100644
--- a/ssl/statem/extensions_cust.c
+++ b/ssl/statem/extensions_cust.c
@@ -146,11 +146,12 @@ int custom_ext_parse(SSL *s, unsigned int context, 
unsigned int ext_type,
 }
 
 /*
- * Extensions received in the ClientHello are marked with the
- * SSL_EXT_FLAG_RECEIVED. This is so we know to add the equivalent
- * extensions in the ServerHello/EncryptedExtensions message
+ * Extensions received in the ClientHello or CertificateRequest are marked
+ * with the SSL_EXT_FLAG_RECEIVED. This is so we know to add the equivalent
+ * extensions in the response messages
  */
-if ((context & SSL_EXT_CLIENT_HELLO) != 0)
+if ((context & (SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST))
+!= 0)
 meth->ext_flags |= SSL_EXT_FLAG_RECEIVED;
 
 /* If no parse function set return success */
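Review bot: In custom_ext_parse the single SSL_EXT_FLAG_RECEIVED bit on meth->ext_flags is now set for two different messages, ClientHello and the TLSv1.3 CertificateRequest, so the flag no longer records which message the extension arrived in. custom_ext_add in the next hunk uses that flag as its only gate for ServerHello, EncryptedExtensions, Certificate and HelloRetryRequest contexts. Please document why mixing the two is safe (the two directions are parsed on opposite endpoints) or track the origin separately, so that an extension seen only in a CertificateRequest cannot be treated as having been offered in a ClientHello.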
@@ -192,7 +193,7 @@ int custom_ext_add(SSL *s, int context, WPACKET *pkt, X509 
*x, size_t chainidx,
 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
 | SSL_EXT_TLS1_3_CERTIFICATE
 | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST)) != 0) {
-/* Only send extensions present in ClientHello. */
+/* Only send extensions present in ClientHello/CertificateRequest 
*/
 if (!(meth->ext_flags & SSL_EXT_FLAG_RECEIVED))
 continue;
 }
diff --git a/test/sslapitest.c b/test/sslapitest.c
index d311bb2ad3..21322ceec5 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -4110,6 +4110,11 @@ static int sni_cb(SSL *s, int *al, void *arg)
 return SSL_TLSEXT_ERR_OK;
 }
 
+static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
+{
+return 1;
+}
+
 /*
  * Custom call back tests.
  * Test 0: Old style callbacks in TLSv1.2
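Review bot: The new verify_cb in test/sslapitest.c returns 1 unconditionally and ignores both preverify_ok and x509_ctx, which accepts any peer certificate. That is fine for Test 5, where the point is the extension round trip, but it needs a comment saying it deliberately disables verification for this test only, so it is not copied into code that expects real chain checking.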
@@ -4117,6 +4122,7 @@ static int sni_cb(SSL *s, int *al, void *arg)
  * Test 2: New style callbacks in TLSv1.2 with SNI
  * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
  * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
+ * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
  */
 static int test_custom_exts(int tst)
 {
@@ -4158,7 +4164,19 @@ static int test_custom_exts(int tst)
 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
 }
 
-if (tst == 4) {
+if (tst == 5) {
+context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
+  | SSL_EXT_TLS1_3_CERTIFICATE;
+SSL_CTX_set_verify(sctx,
+   SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+   verify_cb);
+if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
+  SSL_FILETYPE_PEM), 1)
+|| !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
+SSL_FILETYPE_PEM), 
1)
+|| !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
+goto end;
+} else if (tst == 4) {
 context = SSL_EXT_CLIENT_HELLO
   | SSL_EXT_TLS1_2_SERVER_HELLO

[openssl] OpenSSL_1_1_1-stable update

2021-10-09 Thread beldmit
The branch OpenSSL_1_1_1-stable has been updated
   via  a653e037ef0236ea9cd84ec4c94f0bb94aca56ab (commit)
  from  14357a51130510d87fe5f31e45baaf70bd5c9027 (commit)


- Log -
commit a653e037ef0236ea9cd84ec4c94f0bb94aca56ab
Author: Dmitry Belyavskiy 
Date:   Thu Oct 7 19:14:50 2021 +0200

Bindhost/bindport should be freed

Reviewed-by: Matt Caswell 
Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/16775)

(cherry picked from commit 0ce0c455862ed29bd7f2acdbddbe8d0b1783c1c9)

---

Summary of changes:
 apps/s_client.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/apps/s_client.c b/apps/s_client.c
index 83b3fc9c7f..fe34487787 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -3151,6 +3151,8 @@ int s_client_main(int argc, char **argv)
 #endif
 OPENSSL_free(connectstr);
 OPENSSL_free(bindstr);
+OPENSSL_free(bindhost);
+OPENSSL_free(bindport);
 OPENSSL_free(host);
 OPENSSL_free(port);
 X509_VERIFY_PARAM_free(vpm);


[openssl] OpenSSL_1_1_1-stable update

2021-10-07 Thread bernd . edlinger
The branch OpenSSL_1_1_1-stable has been updated
   via  14357a51130510d87fe5f31e45baaf70bd5c9027 (commit)
  from  503eb0e108ca5819dacd5ae171aedd37268654d9 (commit)


- Log -
commit 14357a51130510d87fe5f31e45baaf70bd5c9027
Author: Bernd Edlinger 
Date:   Tue Oct 5 21:38:55 2021 +0200

Fix double-free in e_dasync.c

When the cipher is copied, the inner_cipher_data
needs to be copied as well, using the EVP_CTRL_COPY method.
The EVP_CIPH_CUSTOM_COPY bit needs to be set as well.

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/16751)

---

Summary of changes:
 engines/e_dasync.c | 21 +++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/engines/e_dasync.c b/engines/e_dasync.c
index 07793037df..1f5d4117f2 100644
--- a/engines/e_dasync.c
+++ b/engines/e_dasync.c
@@ -244,7 +244,8 @@ static int bind_dasync(ENGINE *e)
 || !EVP_CIPHER_meth_set_flags(_hidden_aes_128_cbc,
   EVP_CIPH_FLAG_DEFAULT_ASN1
   | EVP_CIPH_CBC_MODE
-  | EVP_CIPH_FLAG_PIPELINE)
+  | EVP_CIPH_FLAG_PIPELINE
+  | EVP_CIPH_CUSTOM_COPY)
 || !EVP_CIPHER_meth_set_init(_hidden_aes_128_cbc,
  dasync_aes128_init_key)
 || !EVP_CIPHER_meth_set_do_cipher(_hidden_aes_128_cbc,
@@ -270,7 +271,8 @@ static int bind_dasync(ENGINE *e)
 EVP_CIPH_CBC_MODE
   | EVP_CIPH_FLAG_DEFAULT_ASN1
   | EVP_CIPH_FLAG_AEAD_CIPHER
-  | EVP_CIPH_FLAG_PIPELINE)
+  | EVP_CIPH_FLAG_PIPELINE
+  | EVP_CIPH_CUSTOM_COPY)
 || !EVP_CIPHER_meth_set_init(_hidden_aes_128_cbc_hmac_sha1,
  dasync_aes128_cbc_hmac_sha1_init_key)
 || !EVP_CIPHER_meth_set_do_cipher(_hidden_aes_128_cbc_hmac_sha1,
@@ -629,6 +631,21 @@ static int dasync_cipher_ctrl_helper(EVP_CIPHER_CTX *ctx, 
int type, int arg,
 }
 }
 
+case EVP_CTRL_COPY:
+{
+const EVP_CIPHER *cipher = aeadcapable
+   ? EVP_aes_128_cbc_hmac_sha1()
+   : EVP_aes_128_cbc();
+size_t data_size = EVP_CIPHER_impl_ctx_size(cipher);
+void *cipher_data = OPENSSL_malloc(data_size);
+
+if (cipher_data == NULL)
+return 0;
+memcpy(cipher_data, pipe_ctx->inner_cipher_data, data_size);
+pipe_ctx->inner_cipher_data = cipher_data;
+return 1;
+}
+
 default:
 return 0;
 }
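Review bot: In the new EVP_CTRL_COPY case the allocation-failure branch, if (cipher_data == NULL) return 0, leaves pipe_ctx->inner_cipher_data pointing at the very buffer it was about to copy from. If the caller's error handling then cleans up both contexts, the shared pointer is still there and the double free this commit targets can recur on that path. Setting pipe_ctx->inner_cipher_data = NULL before returning 0 would make the failed copy safe to destroy. A comment naming which context pipe_ctx belongs to at this point (source or destination of the copy) would also help review.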


[openssl] OpenSSL_1_1_1-stable update

2021-10-07 Thread bernd . edlinger
The branch OpenSSL_1_1_1-stable has been updated
   via  503eb0e108ca5819dacd5ae171aedd37268654d9 (commit)
  from  2fd9c433712a08474af071cef538ffcd94dc4b57 (commit)


- Log -
commit 503eb0e108ca5819dacd5ae171aedd37268654d9
Author: Bernd Edlinger 
Date:   Wed Oct 6 09:23:17 2021 +0200

Fix some possible memory leaks in EVP_CipherInit_ex

An EVP_CONTEXT with zero cipher but non-zero engine,
and/or cipher_data is possible if an error happens
in EVP_CTRL_INIT or in EVP_CTRL_COPY, the error handling
will just clear the cipher in that case.

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/16756)

---

Summary of changes:
 crypto/evp/evp_enc.c | 12 ++--
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
index e3c165d48e..d835968f25 100644
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
@@ -85,7 +85,11 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER 
*cipher,
  * previous check attempted to avoid this if the same ENGINE and
  * EVP_CIPHER could be used).
  */
-if (ctx->cipher) {
+if (ctx->cipher
+#ifndef OPENSSL_NO_ENGINE
+|| ctx->engine
+#endif
+|| ctx->cipher_data) {
 unsigned long flags = ctx->flags;
 EVP_CIPHER_CTX_reset(ctx);
 /* Restore encrypt and flags */
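Review bot: The widened condition in EVP_CipherInit_ex (ctx->cipher, ctx->engine under OPENSSL_NO_ENGINE, ctx->cipher_data) is not reflected in the comment above it, which still talks only about a previously used cipher. The commit message explains the case (a context left with an engine or cipher_data but no cipher after a failed EVP_CTRL_INIT or EVP_CTRL_COPY); that explanation belongs in the comment, because the preprocessor block inside the if expression is otherwise hard to justify on reading.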
@@ -105,11 +109,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const 
EVP_CIPHER *cipher,
 /* There's an ENGINE for this job ... (apparently) */
 const EVP_CIPHER *c = ENGINE_get_cipher(impl, cipher->nid);
 if (!c) {
-/*
- * One positive side-effect of US's export control history,
- * is that we should at least be able to avoid using US
- * misspellings of "initialisation"?
- */
+ENGINE_finish(impl);
 EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_INITIALIZATION_ERROR);
 return 0;
 }


[openssl] OpenSSL_1_1_1-stable update

2021-10-06 Thread bernd . edlinger
The branch OpenSSL_1_1_1-stable has been updated
   via  2fd9c433712a08474af071cef538ffcd94dc4b57 (commit)
  from  1be120ac5bf613a7277250b6e73f3c60adad4517 (commit)


- Log -
commit 2fd9c433712a08474af071cef538ffcd94dc4b57
Author: Bernd Edlinger 
Date:   Mon Oct 4 19:45:19 2021 +0200

Fix a memory leak in the afalg engine

Fixes: #16743

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/16744)

(cherry picked from commit 6f6a5e0c7c41b6b3639e51f435cd98bb3ae061bc)

---

Summary of changes:
 engines/e_afalg.c |  7 ++-
 test/afalgtest.c  | 42 +++---
 2 files changed, 21 insertions(+), 28 deletions(-)

diff --git a/engines/e_afalg.c b/engines/e_afalg.c
index 4b17228461..ccf838a9ea 100644
--- a/engines/e_afalg.c
+++ b/engines/e_afalg.c
@@ -624,11 +624,8 @@ static int afalg_cipher_cleanup(EVP_CIPHER_CTX *ctx)
 }
 
 actx = (afalg_ctx *) EVP_CIPHER_CTX_get_cipher_data(ctx);
-if (actx == NULL || actx->init_done != MAGIC_INIT_NUM) {
-ALG_WARN("%s afalg ctx passed\n",
- ctx == NULL ? "NULL" : "Uninitialised");
-return 0;
-}
+if (actx == NULL || actx->init_done != MAGIC_INIT_NUM)
+return 1;
 
 close(actx->sfd);
 close(actx->bfd);
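
Review bot: in afalg_cipher_cleanup the early `return 1` for a NULL or uninitialised actx now reports success silently, and nothing in the code says why. A one-line comment that cleanup can be reached for a context whose init never completed would document that this is expected rather than an error being swallowed. The ALG_WARN is gone entirely, so a caller passing a genuinely wrong context no longer gets any diagnostic; say in the comment that this is accepted.
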
diff --git a/test/afalgtest.c b/test/afalgtest.c
index adb2977f30..0bd5653dba 100644
--- a/test/afalgtest.c
+++ b/test/afalgtest.c
@@ -21,26 +21,7 @@
 
 #ifndef OPENSSL_NO_ENGINE
 static ENGINE *e;
-#endif
-
 
-#ifndef OPENSSL_NO_AFALGENG
-# include 
-# define K_MAJ   4
-# define K_MIN1  1
-# define K_MIN2  0
-# if LINUX_VERSION_CODE < KERNEL_VERSION(K_MAJ, K_MIN1, K_MIN2)
-/*
- * If we get here then it looks like there is a mismatch between the linux
- * headers and the actual kernel version, so we have tried to compile with
- * afalg support, but then skipped it in e_afalg.c. As far as this test is
- * concerned we behave as if we had been configured without support
- */
-#  define OPENSSL_NO_AFALGENG
-# endif
-#endif
-
-#ifndef OPENSSL_NO_AFALGENG
 static int test_afalg_aes_cbc(int keysize_idx)
 {
 EVP_CIPHER_CTX *ctx;
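
Review bot: with the LINUX_VERSION_CODE / OPENSSL_NO_AFALGENG block removed at the top of the file, nothing at compile time keeps these tests out of a build whose kernel headers are too old. The only remaining guard visible in this patch is the runtime "Can't load AFALG engine" branch in setup_tests; a short comment there stating that it now also covers the header/kernel mismatch case the removed comment described would make that intent explicit.
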
@@ -112,9 +93,25 @@ static int test_afalg_aes_cbc(int keysize_idx)
 EVP_CIPHER_CTX_free(ctx);
 return ret;
 }
-#endif
 
-#ifndef OPENSSL_NO_ENGINE
+static int test_pr16743(void)
+{
+int ret = 0;
+const EVP_CIPHER * cipher;
+EVP_CIPHER_CTX *ctx;
+
+if (!TEST_true(ENGINE_init(e)))
+return 0;
+cipher = ENGINE_get_cipher(e, NID_aes_128_cbc);
+ctx = EVP_CIPHER_CTX_new();
+if (cipher != NULL && ctx != NULL)
+ret = EVP_EncryptInit_ex(ctx, cipher, e, NULL, NULL);
+TEST_true(ret);
+EVP_CIPHER_CTX_free(ctx);
+ENGINE_finish(e);
+return ret;
+}
+
 int global_init(void)
 {
 ENGINE_load_builtin_engines();
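
Review bot: test_pr16743 carries no comment saying what it guards against, and its name only points at a number. One line stating that it initialises a cipher context through the engine with a NULL key and then frees it, to check that cleanup of such a context succeeds, would make the test self-explanatory. `const EVP_CIPHER * cipher;` also has a stray space after the `*`, unlike `EVP_CIPHER_CTX *ctx;` on the next line, and the value of `TEST_true(ret)` is discarded, so the function's result rests on `ret` alone.
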
@@ -132,9 +129,8 @@ int setup_tests(void)
 /* Probably a platform env issue, not a test failure. */
 TEST_info("Can't load AFALG engine");
 } else {
-# ifndef OPENSSL_NO_AFALGENG
 ADD_ALL_TESTS(test_afalg_aes_cbc, 3);
-# endif
+ADD_TEST(test_pr16743);
 }
 #endif
 


[openssl] OpenSSL_1_1_1-stable update

2021-10-01 Thread bernd . edlinger
The branch OpenSSL_1_1_1-stable has been updated
   via  1be120ac5bf613a7277250b6e73f3c60adad4517 (commit)
  from  c23abef43ef482e129f440d40c98eb6d3a094e2b (commit)


- Log -
commit 1be120ac5bf613a7277250b6e73f3c60adad4517
Author: Bernd Edlinger 
Date:   Thu Sep 30 17:18:44 2021 +0200

Fix a NPD bug in engines/e_dasync.c

The dasync_aes_128_cbc_hmac_sha1 cipher depends on
EVP_aes_128_cbc_hmac_sha1() returning a NON-NULL value.
We should simply not advertise this cipher otherwise.

Fixes: #7950

Reviewed-by: Tomas Mraz 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/16722)

---

Summary of changes:
 engines/e_dasync.c | 7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/engines/e_dasync.c b/engines/e_dasync.c
index 5cdacb66a0..07793037df 100644
--- a/engines/e_dasync.c
+++ b/engines/e_dasync.c
@@ -182,8 +182,8 @@ static int dasync_ciphers(ENGINE *e, const EVP_CIPHER 
**cipher,
const int **nids, int nid);
 
 static int dasync_cipher_nids[] = {
-NID_aes_128_cbc,
 NID_aes_128_cbc_hmac_sha1,
+NID_aes_128_cbc,
 0
 };
 
@@ -264,6 +264,7 @@ static int bind_dasync(ENGINE *e)
 16 /* block size */,
 16 /* key len */);
 if (_hidden_aes_128_cbc_hmac_sha1 == NULL
+|| EVP_aes_128_cbc_hmac_sha1() == NULL
 || !EVP_CIPHER_meth_set_iv_length(_hidden_aes_128_cbc_hmac_sha1,16)
 || !EVP_CIPHER_meth_set_flags(_hidden_aes_128_cbc_hmac_sha1,
 EVP_CIPH_CBC_MODE
@@ -371,6 +372,10 @@ static int dasync_ciphers(ENGINE *e, const EVP_CIPHER 
**cipher,
 int ok = 1;
 if (cipher == NULL) {
 /* We are returning a list of supported nids */
+if (dasync_aes_128_cbc_hmac_sha1() == NULL) {
+*nids = dasync_cipher_nids + 1;
+return 1;
+}
 *nids = dasync_cipher_nids;
 return (sizeof(dasync_cipher_nids) -
 1) / sizeof(dasync_cipher_nids[0]);
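
Review bot: `*nids = dasync_cipher_nids + 1; return 1;` in dasync_ciphers depends on NID_aes_128_cbc_hmac_sha1 being the first array element and on exactly one other NID following it, and neither assumption is stated anywhere. The reorder in the first hunk makes the array order load-bearing, so add a comment at dasync_cipher_nids, or derive the returned count from the array size minus the skipped entry, so that a later addition to the list does not silently advertise the wrong set.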


[openssl] OpenSSL_1_1_1-stable update

2021-09-30 Thread matthias . st . pierre
The branch OpenSSL_1_1_1-stable has been updated
   via  c23abef43ef482e129f440d40c98eb6d3a094e2b (commit)
  from  b9b45aa45873c63b8207eb527249f430288c17a0 (commit)


- Log -
commit c23abef43ef482e129f440d40c98eb6d3a094e2b
Author: Dr. Matthias St. Pierre 
Date:   Tue Sep 28 16:12:32 2021 +0200

doc/man3/SSL_set_fd.pod: add note about Windows compiler warning

According to an old stackoverflow thread [1], citing an even older comment by
Andy Polyakov (1875e6db29, Pull up Win64 support from 0.9.8., 2005-07-05),
a cast of 'SOCKET' (UINT_PTR) to 'int' does not create a problem, because although
the documentation [2] claims that the upper limit is INVALID_SOCKET-1 (2^64 - 2),
in practice the socket() implementation on Windows returns an index into the kernel
handle table, the size of which is limited to 2^24 [3].

Add this note to the manual page to avoid unnecessary roundtrips to StackOverflow.

[1] https://stackoverflow.com/questions/1953639/is-it-safe-to-cast-socket-to-int-under-win64
[2] https://docs.microsoft.com/en-us/windows/win32/winsock/socket-data-type-2
[3] https://docs.microsoft.com/en-us/windows/win32/sysinfo/kernel-objects

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/16699)

(cherry picked from commit f8dd5869bca047a23599ac925aace70efcf487ad)

---

Summary of changes:
 doc/man3/SSL_set_fd.pod | 11 +++
 1 file changed, 11 insertions(+)

diff --git a/doc/man3/SSL_set_fd.pod b/doc/man3/SSL_set_fd.pod
index 6780d515f9..1e1496cfee 100644
--- a/doc/man3/SSL_set_fd.pod
+++ b/doc/man3/SSL_set_fd.pod
@@ -45,6 +45,17 @@ The operation succeeded.
 
 =back
 
+=head1 NOTES
+
+On Windows, a socket handle is a 64-bit data type (UINT_PTR), which leads to a
+compiler warning (conversion from 'SOCKET' to 'int', possible loss of data) 
when
+passing the socket handle to SSL_set_*fd(). For the time being, this warning 
can
+safely be ignored, because although the Microsoft documentation claims that the
+upper limit is INVALID_SOCKET-1 (2^64 - 2), in practice the current socket()
+implementation returns an index into the kernel handle table, the size of which
+is limited to 2^24.
+
+
 =head1 SEE ALSO
 
 L, L,
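
Review bot: the new NOTES text tells readers the truncation warning "can safely be ignored" on the strength of current Windows behaviour, but unlike the commit message it cites no source for the 2^24 handle-table limit. Adding the Microsoft links from the commit message, and saying explicitly that this is observed behaviour of the current socket() implementation rather than a documented guarantee, would let readers re-check the claim later. There are also two added blank lines before `=head1 SEE ALSO` where one is enough.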


[openssl] OpenSSL_1_1_1-stable update

2021-09-29 Thread nic . tuv
The branch OpenSSL_1_1_1-stable has been updated
   via  b9b45aa45873c63b8207eb527249f430288c17a0 (commit)
  from  5cd84a9db8446eacb688bab318c5476a45c41ec4 (commit)


- Log -
commit b9b45aa45873c63b8207eb527249f430288c17a0
Author: Mingjun.Yang 
Date:   Mon Sep 6 15:30:19 2021 +0800

Add sm2 encryption test case from GM/T 0003.5-2012

Reviewed-by: Nicola Tuveri 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/16511)

(cherry picked from commit 8ba65c35ea3af347c3b2adc8e665066b541a1c35)

---

Summary of changes:
 test/sm2_internal_test.c | 41 +
 1 file changed, 41 insertions(+)

diff --git a/test/sm2_internal_test.c b/test/sm2_internal_test.c
index 18b1407c97..4951cd3e30 100644
--- a/test/sm2_internal_test.c
+++ b/test/sm2_internal_test.c
@@ -210,6 +210,7 @@ static int test_sm2_crypt(const EC_GROUP *group,
 static int sm2_crypt_test(void)
 {
 int testresult = 0;
+EC_GROUP *gm_group = NULL;
 EC_GROUP *test_group =
 create_EC_group
 ("8542D69E4C044F18E8B92435BF6FF7DE457283915C45517D722EDB8B08F1DFC3",
@@ -252,9 +253,49 @@ static int sm2_crypt_test(void)
 "88E3C5AAFC0413229E6C9AEE2BB92CAD649FE2C035689785DA33"))
 goto done;
 
+/* From Annex C in both GM/T0003.5-2012 and GB/T 32918.5-2016.*/
+gm_group = create_EC_group(
+ "fffe",
+ "fffefffc",
+ "28e9fa9e9d9f5e344d5a9e4bcf6509a7f39789f515ab8f92ddbcbd414d940e93",
+ "32c4ae2c1f1981195f9904466a39c9948fe30bbff2660be1715a4589334c74c7",
+ "bc3736a2f4f6779c59bdcee36b692153d0a9877cc62a474002df32e52139f0a0",
+ "fffe7203df6b21c6052b53bbf40939d54123",
+ "1");
+
+if (!TEST_ptr(gm_group))
+goto done;
+
+if (!test_sm2_crypt(
+gm_group,
+EVP_sm3(),
+/* privkey (from which the encrypting public key is derived) */
+"3945208F7B2144B13F36E38AC6D39F95889393692860B51A42FB81EF4DF7C5B8",
+/* plaintext message */
+"encryption standard",
+/* ephemeral nonce k */
+"59276E27D506861A16680F3AD9C02DCCEF3CC1FA3CDBE4CE6D54B80DEAC1BC21",
+/*
+ * expected ciphertext, the field values are from GM/T 0003.5-2012
+ * (Annex C), but serialized following the ASN.1 format specified
+ * in GM/T 0009-2012 (Sec. 7.2).
+ */
+"307C" /* SEQUENCE, 0x7c bytes */
+  "0220" /* INTEGER, 0x20 bytes */
+
"04EBFC718E8D1798620432268E77FEB6415E2EDE0E073C0F4F640ECD2E149A73"
+  "0221" /* INTEGER, 0x21 bytes */
+"00" /* leading 00 due to DER for pos. int with topmost bit 
set */
+
"E858F9D81E5430A57B36DAAB8F950A3C64E6EE6A63094D99283AFF767E124DF0"
+  "0420" /* OCTET STRING, 0x20 bytes */
+
"59983C18F809E262923C53AEC295D30383B54E39D609D160AFCB1908D0BD8766"
+  "0413" /* OCTET STRING, 0x13 bytes */
+"21886CA989CA9C7D58087307CA93092D651EFA"))
+goto done;
+
 testresult = 1;
  done:
 EC_GROUP_free(test_group);
+EC_GROUP_free(gm_group);
 
 return testresult;
 }
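
Review bot: the comment introducing the new vector writes the standard as "GM/T0003.5-2012" and closes with "2016.*/", while the ciphertext comment further down in the same hunk uses "GM/T 0003.5-2012". Use one spelling of the standard's name and put a space before the closing `*/`.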


[openssl] OpenSSL_1_1_1-stable update

2021-09-26 Thread Dr . Paul Dale
The branch OpenSSL_1_1_1-stable has been updated
   via  5cd84a9db8446eacb688bab318c5476a45c41ec4 (commit)
  from  5402f96aba9dd3d0b3006b8b2651bd27d3cbf326 (commit)


- Log -
commit 5cd84a9db8446eacb688bab318c5476a45c41ec4
Author: Tianjia Zhang 
Date:   Mon Sep 27 09:44:29 2021 +1000

ssl: Correct filename in README

Reviewed-by: Matt Caswell 
Reviewed-by: Richard Levitte 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/16671)

---

Summary of changes:
 ssl/statem/README | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ssl/statem/README b/ssl/statem/README
index 86cc066372..bafe33060c 100644
--- a/ssl/statem/README
+++ b/ssl/statem/README
@@ -55,7 +55,7 @@ Conceptually the state machine component is designed as 
follows:
|   |   |  |
V___V   V__V___
   | | |   |
-  | statem_both.c   | | statem_dtls.c |
+  | statem_lib.c| | statem_dtls.c |
   | | |   |
   | Non core functions common   | | Non core functions common to  |
   | to both servers and clients | | both DTLS servers and clients |


[openssl] OpenSSL_1_1_1-stable update

2021-09-17 Thread tomas
The branch OpenSSL_1_1_1-stable has been updated
   via  5402f96aba9dd3d0b3006b8b2651bd27d3cbf326 (commit)
  from  97a1fb5106fdb2b3dc3bbe84d0892db40e50c45f (commit)


- Log -
commit 5402f96aba9dd3d0b3006b8b2651bd27d3cbf326
Author: Matt Caswell 
Date:   Sat Sep 11 09:58:52 2021 +0100

Correct the documentation for SSL_set_num_tickets()

The behaviour for what happens in a resumption connection was not quite
described correctly.

Reviewed-by: Paul Dale 
Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/16582)

(cherry picked from commit 4603b782e6dbed493d2f38db111abc05df66fb99)

---

Summary of changes:
 doc/man3/SSL_CTX_set_num_tickets.pod | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/doc/man3/SSL_CTX_set_num_tickets.pod 
b/doc/man3/SSL_CTX_set_num_tickets.pod
index ad13ed15f4..2224b35c30 100644
--- a/doc/man3/SSL_CTX_set_num_tickets.pod
+++ b/doc/man3/SSL_CTX_set_num_tickets.pod
@@ -25,10 +25,10 @@ the client after a full handshake. Set the desired value 
(which could be 0) in
 the B argument. Typically these functions should be called before
 the start of the handshake.
 
-The default number of tickets is 2; the default number of tickets sent 
following
-a resumption handshake is 1 but this cannot be changed using these functions.
-The number of tickets following a resumption handshake can be reduced to 0 
using
-custom session ticket callbacks (see L).
+The default number of tickets is 2. Following a resumption the number of 
tickets
+issued will never be more than 1 regardless of the value set via
+SSL_set_num_tickets() or SSL_CTX_set_num_tickets(). If B is set to
+0 then no tickets will be issued for either a normal connection or a 
resumption.
 
 Tickets are also issued on receipt of a post-handshake certificate from the
 client following a request by the server using
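
Review bot: the rewritten paragraph no longer mentions that the number of tickets after a resumption can be reduced to 0 with custom session ticket callbacks, which the removed text did. If that is still possible, keep the cross-reference; if the new rule (a value of 0 disables tickets for both normal and resumed connections) replaces it, the commit message should say so, since it only states that the old description was not quite correct.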


[openssl] OpenSSL_1_1_1-stable update

2021-09-17 Thread tomas
The branch OpenSSL_1_1_1-stable has been updated
   via  97a1fb5106fdb2b3dc3bbe84d0892db40e50c45f (commit)
  from  2f3b120401533db82e99ed28de5fc8aab1b76b33 (commit)


- Log -
commit 97a1fb5106fdb2b3dc3bbe84d0892db40e50c45f
Author: Matt Caswell 
Date:   Sat Sep 11 10:02:21 2021 +0100

Clarify what SSL_get_session() does on the server side in TLSv1.3

Reviewed-by: Paul Dale 
Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/16582)

(cherry picked from commit 9e51f877930dbd4216438a5da3c9612bf4d0a918)

---

Summary of changes:
 doc/man3/SSL_get_session.pod | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/doc/man3/SSL_get_session.pod b/doc/man3/SSL_get_session.pod
index 7c04570635..4d8527aecf 100644
--- a/doc/man3/SSL_get_session.pod
+++ b/doc/man3/SSL_get_session.pod
@@ -37,8 +37,11 @@ L for information on how to 
determine whether an
 SSL_SESSION object can be used for resumption or not.
 
 Additionally, in TLSv1.3, a server can send multiple messages that establish a
-session for a single connection. In that case the above functions will only
-return information on the last session that was received.
+session for a single connection. In that case, on the client side, the above
+functions will only return information on the last session that was received. 
On
+the server side they will only return information on the last session that was
+sent, or if no session tickets were sent then the session for the current
+connection.
 
 The preferred way for applications to obtain a resumable SSL_SESSION object is
 to use a new session callback as described in L.


[openssl] OpenSSL_1_1_1-stable update

2021-09-14 Thread tomas
The branch OpenSSL_1_1_1-stable has been updated
   via  2f3b120401533db82e99ed28de5fc8aab1b76b33 (commit)
  from  9e44ffc281326330937eee0e94b6fd4bfcaa98eb (commit)


- Log -
commit 2f3b120401533db82e99ed28de5fc8aab1b76b33
Author: Lenny Primak 
Date:   Sat Sep 11 18:53:45 2021 -0500

MacOS prior to 10.12 does not support random API correctly

Fixes #16517

Reviewed-by: Paul Dale 
Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/16587)

---

Summary of changes:
 include/crypto/rand.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/crypto/rand.h b/include/crypto/rand.h
index 674f840fd1..8247d16c55 100644
--- a/include/crypto/rand.h
+++ b/include/crypto/rand.h
@@ -22,7 +22,7 @@
 
 # if defined(__APPLE__) && !defined(OPENSSL_NO_APPLE_CRYPTO_RANDOM)
 #  include 
-#  if (defined(__MAC_OS_X_VERSION_MIN_REQUIRED) && 
__MAC_OS_X_VERSION_MIN_REQUIRED >= 101000) || \
+#  if (defined(__MAC_OS_X_VERSION_MIN_REQUIRED) && 
__MAC_OS_X_VERSION_MIN_REQUIRED >= 101200) || \
  (defined(__IPHONE_OS_VERSION_MIN_REQUIRED) && 
__IPHONE_OS_VERSION_MIN_REQUIRED >= 8)
 #   define OPENSSL_APPLE_CRYPTO_RANDOM 1
 #   include 
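
Review bot: the macOS threshold moves from 101000 to 101200 with no comment saying that it encodes 10.12, and the iOS half of the same condition, `__IPHONE_OS_VERSION_MIN_REQUIRED >= 8`, compares against a bare 8. Apple's availability macros encode versions as numbers such as 80000, so that comparison holds for any defined deployment target; worth confirming the intended iOS minimum while this line is being touched.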


[openssl] OpenSSL_1_1_1-stable update

2021-09-13 Thread Dr . Paul Dale
The branch OpenSSL_1_1_1-stable has been updated
   via  9e44ffc281326330937eee0e94b6fd4bfcaa98eb (commit)
  from  2753b6ff7f0b91c7ddeb72a6a08948ca28d12a91 (commit)


- Log -
commit 9e44ffc281326330937eee0e94b6fd4bfcaa98eb
Author: Nikita Ivanov 
Date:   Tue Sep 7 11:31:17 2021 +0300

Fix nc_email to check ASN1 strings with NULL byte in the middle

Reviewed-by: Tomas Mraz 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/16524)

(cherry picked from commit 485d0790ac1a29a0d4e7391d804810d485890376)

---

Summary of changes:
 crypto/x509v3/v3_ncons.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/crypto/x509v3/v3_ncons.c b/crypto/x509v3/v3_ncons.c
index d985aa91da..60cb4ceaa8 100644
--- a/crypto/x509v3/v3_ncons.c
+++ b/crypto/x509v3/v3_ncons.c
@@ -602,6 +602,9 @@ static int nc_email(ASN1_IA5STRING *eml, ASN1_IA5STRING 
*base)
 if (baseat != baseptr) {
 if ((baseat - baseptr) != (emlat - emlptr))
 return X509_V_ERR_PERMITTED_VIOLATION;
+if (memchr(baseptr, 0, baseat - baseptr) ||
+memchr(emlptr, 0, emlat - emlptr))
+return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
 /* Case sensitive match of local part */
 if (strncmp(baseptr, emlptr, emlat - emlptr))
 return X509_V_ERR_PERMITTED_VIOLATION;
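
Review bot: the new memchr check in nc_email has no regression test; the summary shows crypto/x509v3/v3_ncons.c as the only file changed. A name-constraints test with an embedded NUL in the local part, once on the constraint side and once on the certificate side, would pin the X509_V_ERR_UNSUPPORTED_NAME_SYNTAX result. The check also sits after the length comparison, so a NUL-bearing local part of a different length is rejected as X509_V_ERR_PERMITTED_VIOLATION instead; both outcomes reject, but a comment would show the ordering is deliberate.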


[openssl] OpenSSL_1_1_1-stable update

2021-09-09 Thread Richard Levitte
The branch OpenSSL_1_1_1-stable has been updated
   via  2753b6ff7f0b91c7ddeb72a6a08948ca28d12a91 (commit)
  from  61ac53426e7873ead414b9259eb4446e2608209b (commit)


- Log -
commit 2753b6ff7f0b91c7ddeb72a6a08948ca28d12a91
Author: Richard Levitte 
Date:   Wed Sep 8 10:49:27 2021 +0200

VMS: Fix misspelt type

'__int64', not 'int64_t'

Ref: commit 2e5cdbc18a1a26bfc817070a52689886fa0669c2

Reviewed-by: Tomas Mraz 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/16557)

---

Summary of changes:
 crypto/rand/rand_vms.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/crypto/rand/rand_vms.c b/crypto/rand/rand_vms.c
index fe516c3ca5..4afc101295 100644
--- a/crypto/rand/rand_vms.c
+++ b/crypto/rand/rand_vms.c
@@ -484,7 +484,7 @@ int rand_pool_add_nonce_data(RAND_POOL *pool)
 struct {
 pid_t pid;
 CRYPTO_THREAD_ID tid;
-unsigned __int64_t time;
+unsigned __int64 time;
 } data = { 0 };
 
 /*
@@ -582,7 +582,7 @@ int rand_pool_add_additional_data(RAND_POOL *pool)
 {
 struct {
 CRYPTO_THREAD_ID tid;
-unsigned __int64_t time;
+unsigned __int64 time;
 } data = { 0 };
 
 /*


[openssl] OpenSSL_1_1_1-stable update

2021-09-08 Thread Richard Levitte
The branch OpenSSL_1_1_1-stable has been updated
   via  61ac53426e7873ead414b9259eb4446e2608209b (commit)
  from  2e5cdbc18a1a26bfc817070a52689886fa0669c2 (commit)


- Log -
commit 61ac53426e7873ead414b9259eb4446e2608209b
Author: Richard Levitte 
Date:   Tue Sep 7 11:48:07 2021 +0200

DOCS: Update the page for 'openssl passwd' to not duplicate some info

The options -1 and -apr1 were mentioned in DESCRIPTION, not mentioning
any other options or even mentioning that there are more algorithms.
The simple fix is to remove that sentence and let the OPTIONS section
speak for itself.

Fixes #16529

Reviewed-by: Tomas Mraz 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/16531)

(cherry picked from commit 116799ff6a8fc803ec4685fc432c7329d0511e23)

---

Summary of changes:
 doc/man1/passwd.pod | 2 --
 1 file changed, 2 deletions(-)

diff --git a/doc/man1/passwd.pod b/doc/man1/passwd.pod
index c5760fe76e..c651f65544 100644
--- a/doc/man1/passwd.pod
+++ b/doc/man1/passwd.pod
@@ -31,8 +31,6 @@ The B command computes the hash of a password typed at
 run-time or the hash of each password in a list.  The password list is
 taken from the named file for option B<-in file>, from stdin for
 option B<-stdin>, or from the command line, or from the terminal otherwise.
-The Unix standard algorithm B and the MD5-based BSD password
-algorithm B<1>, its Apache variant B, and its AIX variant are available.
 
 =head1 OPTIONS
 


[openssl] OpenSSL_1_1_1-stable update

2021-09-07 Thread Richard Levitte
The branch OpenSSL_1_1_1-stable has been updated
   via  2e5cdbc18a1a26bfc817070a52689886fa0669c2 (commit)
  from  ed96022218e71efcf50c69cd6997ed85a2c37ffe (commit)


- Log -
commit 2e5cdbc18a1a26bfc817070a52689886fa0669c2
Author: Richard Levitte 
Date:   Mon Sep 6 13:40:43 2021 +0200

VMS: Compensate for compiler type incompatibility

The compiler says that 'unsigned long long' isn't the same as
'unsigned __int64'.  Sure, and considering that crypto/rand/rand_vms.c
is specific VMS only code, it's easy to just change the type to the
exact same as what's specified in the system headers.

Reviewed-by: Tomas Mraz 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/15613)

---

Summary of changes:
 crypto/rand/rand_vms.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/crypto/rand/rand_vms.c b/crypto/rand/rand_vms.c
index 61c2f10299..fe516c3ca5 100644
--- a/crypto/rand/rand_vms.c
+++ b/crypto/rand/rand_vms.c
@@ -484,7 +484,7 @@ int rand_pool_add_nonce_data(RAND_POOL *pool)
 struct {
 pid_t pid;
 CRYPTO_THREAD_ID tid;
-uint64_t time;
+unsigned __int64_t time;
 } data = { 0 };
 
 /*
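
Review bot: the added line is `unsigned __int64_t time;`, but the commit message says the type in the system headers is 'unsigned __int64'. `__int64_t` is a different identifier, and the same spelling is repeated in the rand_pool_add_additional_data hunk; both should read `unsigned __int64 time;`.
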
@@ -582,7 +582,7 @@ int rand_pool_add_additional_data(RAND_POOL *pool)
 {
 struct {
 CRYPTO_THREAD_ID tid;
-uint64_t time;
+unsigned __int64_t time;
 } data = { 0 };
 
 /*


[openssl] OpenSSL_1_1_1-stable update

2021-09-07 Thread Richard Levitte
The branch OpenSSL_1_1_1-stable has been updated
   via  ed96022218e71efcf50c69cd6997ed85a2c37ffe (commit)
  from  09126044f0120b0039b13365b30465d4b6d0f8f0 (commit)


- Log -
commit ed96022218e71efcf50c69cd6997ed85a2c37ffe
Author: Richard Levitte 
Date:   Mon Sep 6 11:26:56 2021 +0200

test/ec_internal_test: link with libapps.a too

Whenever the source from $target{apps_init_src} is added to the source
of a test program, it needs to be linked with libapps.a as well.  Some
init sources depend on that.

Without this, builds break on VMS because of the unresolved symbol
'app_malloc'.

On platforms that do not need anything from libapps.a, adding it is a
no-op.

This is for OpenSSL 1.1.1 only.  OpenSSL 3.0 and beyond have a
different solution.

Reviewed-by: Tomas Mraz 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/16512)

---

Summary of changes:
 test/build.info | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/build.info b/test/build.info
index 6357a7f2fe..726bd22127 100644
--- a/test/build.info
+++ b/test/build.info
@@ -519,7 +519,7 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN
  {- rebase_files("../apps",
   split(/\s+/, $target{apps_init_src})) -}
 INCLUDE[ec_internal_test]=../include ../crypto/ec
-DEPEND[ec_internal_test]=../libcrypto.a libtestutil.a
+DEPEND[ec_internal_test]=../apps/libapps.a ../libcrypto.a libtestutil.a
 
 SOURCE[curve448_internal_test]=curve448_internal_test.c
 INCLUDE[curve448_internal_test]=.. ../include ../crypto/ec/curve448


[openssl] OpenSSL_1_1_1-stable update

2021-09-02 Thread Viktor Dukhovni
The branch OpenSSL_1_1_1-stable has been updated
   via  09126044f0120b0039b13365b30465d4b6d0f8f0 (commit)
   via  5d9be38211fdb8b6a1d4c9257715e8c28832a317 (commit)
  from  9e72d1a3145a0585b96fa9b4e9ab31ce35a43aba (commit)


- Log -
commit 09126044f0120b0039b13365b30465d4b6d0f8f0
Author: Viktor Dukhovni 
Date:   Mon Aug 30 15:09:43 2021 -0400

Test for DANE cross cert fix

Reviewed-by: Tomáš Mráz 

commit 5d9be38211fdb8b6a1d4c9257715e8c28832a317
Author: Viktor Dukhovni 
Date:   Mon Aug 30 14:17:16 2021 -0400

Prioritise DANE TLSA issuer certs over peer certs

When building the certificate chain, prioritise any Cert(0) Full(0)
certificates from TLSA records over certificates received from the peer.

This is important when the server sends a cross cert, but TLSA records include
the underlying root CA cert.  We want to construct a chain with the issuer from
the TLSA record, which can then match the TLSA records (while the associated
cross cert may not).

Reviewed-by: Tomáš Mráz 

---

Summary of changes:
 crypto/x509/x509_vfy.c |  62 --
 test/certs/cross-key.pem   |  28 ++
 test/certs/cross-root.pem  |  18 +++
 test/certs/root-cross-cert.pem |  18 +++
 test/certs/setup.sh|   2 +
 test/dane-cross.in | 113 +
 test/danetest.c|   2 +-
 test/recipes/80-test_dane.t|   6 ++-
 8 files changed, 221 insertions(+), 28 deletions(-)
 create mode 100644 test/certs/cross-key.pem
 create mode 100644 test/certs/cross-root.pem
 create mode 100644 test/certs/root-cross-cert.pem
 create mode 100644 test/dane-cross.in

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 20a36e763c..e404fcc602 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -2924,6 +2924,26 @@ static int get_issuer(X509 **issuer, X509_STORE_CTX 
*ctx, X509 *cert)
 return ok;
 }
 
+static int augment_stack(STACK_OF(X509) *src, STACK_OF(X509) **dstPtr)
+{
+if (src) {
+STACK_OF(X509) *dst;
+int i;
+
+if (*dstPtr == NULL)
+return ((*dstPtr = sk_X509_dup(src)) != NULL);
+
+for (dst = *dstPtr, i = 0; i < sk_X509_num(src); ++i) {
+if (!sk_X509_push(dst, sk_X509_value(src, i))) {
+sk_X509_free(dst);
+*dstPtr = NULL;
+return 0;
+}
+}
+}
+return 1;
+}
+
 static int build_chain(X509_STORE_CTX *ctx)
 {
 SSL_DANE *dane = ctx->dane;
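
Review bot: augment_stack() has no comment describing its ownership rules: on a failed sk_X509_push it frees the caller's existing stack and sets `*dstPtr` to NULL, and with a NULL `src` it returns 1 without touching `*dstPtr`. State that contract above the function, since build_chain relies on it for cleanup. `dstPtr` is also camelCase, unlike the other identifiers visible in this file (`sktmp`, `build_chain`, `get_issuer`).
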
@@ -2967,18 +2987,7 @@ static int build_chain(X509_STORE_CTX *ctx)
 }
 
 /*
- * Shallow-copy the stack of untrusted certificates (with TLS, this is
- * typically the content of the peer's certificate message) so can make
- * multiple passes over it, while free to remove elements as we go.
- */
-if (ctx->untrusted && (sktmp = sk_X509_dup(ctx->untrusted)) == NULL) {
-X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE);
-ctx->error = X509_V_ERR_OUT_OF_MEM;
-return 0;
-}
-
-/*
- * If we got any "DANE-TA(2) Cert(0) Full(0)" trust-anchors from DNS, add
+ * If we got any "Cert(0) Full(0)" issuer certificates from DNS, *prepend*
  * them to our working copy of the untrusted certificate stack.  Since the
  * caller of X509_STORE_CTX_init() may have provided only a leaf cert with
  * no corresponding stack of untrusted certificates, we may need to create
@@ -2987,20 +2996,21 @@ static int build_chain(X509_STORE_CTX *ctx)
  * containing at least the leaf certificate, but we must be prepared for
  * this to change. ]
  */
-if (DANETLS_ENABLED(dane) && dane->certs != NULL) {
-if (sktmp == NULL && (sktmp = sk_X509_new_null()) == NULL) {
-X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE);
-ctx->error = X509_V_ERR_OUT_OF_MEM;
-return 0;
-}
-for (i = 0; i < sk_X509_num(dane->certs); ++i) {
-if (!sk_X509_push(sktmp, sk_X509_value(dane->certs, i))) {
-sk_X509_free(sktmp);
-X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE);
-ctx->error = X509_V_ERR_OUT_OF_MEM;
-return 0;
-}
-}
+if (DANETLS_ENABLED(dane) && !augment_stack(dane->certs, )) {
+X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE);
+ctx->error = X509_V_ERR_OUT_OF_MEM;
+return 0;
+}
+
+/*
+ * Shallow-copy the stack of untrusted certificates (with TLS, this is
+ * typically the content of the peer's certificate message) so can make
+ * multiple passes over it, while free to remove elements as we go.
+ */
+if (!augment_stack(ctx->untrusted, )) {
+X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE);
+ 

[openssl] OpenSSL_1_1_1-stable update

2021-09-01 Thread Dr . Paul Dale
The branch OpenSSL_1_1_1-stable has been updated
   via  9e72d1a3145a0585b96fa9b4e9ab31ce35a43aba (commit)
  from  1f8e36720fff9bdc9f08fe24a38cc91b1b78ddb0 (commit)


- Log -
commit 9e72d1a3145a0585b96fa9b4e9ab31ce35a43aba
Author: Pauli 
Date:   Wed Sep 1 09:52:03 2021 +1000

doc: document the rsa_oaep_md: pkeyopt

This was missing but essential for using non-SHA1 digests with OAEP.

Fixes #15998

Manual backport of #16410

Reviewed-by: Tomas Mraz 
Reviewed-by: Tim Hudson 
(Merged from https://github.com/openssl/openssl/pull/16488)

---

Summary of changes:
 doc/man1/pkeyutl.pod | 10 ++
 1 file changed, 10 insertions(+)

diff --git a/doc/man1/pkeyutl.pod b/doc/man1/pkeyutl.pod
index 3b350efadd..f6fd48d5b5 100644
--- a/doc/man1/pkeyutl.pod
+++ b/doc/man1/pkeyutl.pod
@@ -246,6 +246,11 @@ B block structure.
 For PSS and OAEP padding sets the MGF1 digest. If the MGF1 digest is not
 explicitly set in PSS mode then the signing digest is used.
 
+=item BI
+
+Sets the digest used for the OAEP hash function. If not explicitly set then
+SHA1 is used.
+
 =back
 
 =head1 RSA-PSS ALGORITHM
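
Review bot: the new rsa_oaep_md item says SHA1 is the default but not how it interacts with the MGF1 digest. The preceding item only states the fallback for PSS ("the signing digest is used"), so a reader setting `rsa_oaep_md:sha256` cannot tell from this page which digest MGF1 uses in OAEP mode when it is not set explicitly; add a sentence covering that case.
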
@@ -319,6 +324,11 @@ seed consisting of the single byte 0xFF:
  openssl pkeyutl -kdf TLS1-PRF -kdflen 48 -pkeyopt md:SHA256 \
 -pkeyopt hexsecret:ff -pkeyopt hexseed:ff -hexdump
 
+Decrypt some data using a private key with OAEP padding using SHA256:
+
+ openssl pkeyutl -decrypt -in file -inkey key.pem -out secret \
+-pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
+
 =head1 SEE ALSO
 
 L, L, L


[openssl] OpenSSL_1_1_1-stable update

2021-09-01 Thread Dr . Paul Dale
The branch OpenSSL_1_1_1-stable has been updated
   via  1f8e36720fff9bdc9f08fe24a38cc91b1b78ddb0 (commit)
  from  35cefdcab0f474deafcd769a2eb93f2c0f07051e (commit)


- Log -
commit 1f8e36720fff9bdc9f08fe24a38cc91b1b78ddb0
Author: Mattias Ellert 
Date:   Tue Aug 31 08:26:06 2021 +0200

Openssl fails to compile on Debian with kfreebsd kernels
(kfreebsd-amd64, kfreebsd-i386). The error reported by the compiler
is:

../crypto/uid.c: In function 'OPENSSL_issetugid':
../crypto/uid.c:50:22: error: 'AT_SECURE' undeclared (first use in this function)
   50 | return getauxval(AT_SECURE) != 0;
  |  ^

This commit changes the code to use the freebsd code in this case.
This fixes the compilation.

CLA: trivial

Reviewed-by: Ben Kaduk 
Reviewed-by: Tomas Mraz 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/16477)

(cherry picked from commit 3a1fa0116a92235ba200228e4bb60d6a3a7f4113)

---

Summary of changes:
 crypto/uid.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/uid.c b/crypto/uid.c
index 5e3315eeb2..a9eae36818 100644
--- a/crypto/uid.c
+++ b/crypto/uid.c
@@ -17,7 +17,7 @@ int OPENSSL_issetugid(void)
 return 0;
 }
 
-#elif defined(__OpenBSD__) || (defined(__FreeBSD__) && __FreeBSD__ > 2) || 
defined(__DragonFly__)
+#elif defined(__OpenBSD__) || (defined(__FreeBSD__) && __FreeBSD__ > 2) || 
defined(__DragonFly__) || (defined(__GLIBC__) && defined(__FreeBSD_kernel__))
 
 # include OPENSSL_UNISTD
 


[openssl] OpenSSL_1_1_1-stable update

2021-08-31 Thread Dr . Paul Dale
The branch OpenSSL_1_1_1-stable has been updated
   via  35cefdcab0f474deafcd769a2eb93f2c0f07051e (commit)
   via  5f9c384a1cd54ff28707d8c652343d2bf636c245 (commit)
  from  a9972440d26e482cec9d7a8c4c0063baa20d9eac (commit)


- Log -
commit 35cefdcab0f474deafcd769a2eb93f2c0f07051e
Author: Tomas Mraz 
Date:   Fri Aug 27 11:41:04 2021 +0200

ci: Add -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION to asan build

Reviewed-by: Bernd Edlinger 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/16441)

commit 5f9c384a1cd54ff28707d8c652343d2bf636c245
Author: Tomas Mraz 
Date:   Fri Aug 27 11:37:10 2021 +0200

Make the -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION pass tests

Fixes #16428

Reviewed-by: Bernd Edlinger 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/16441)

---

Summary of changes:
 .github/workflows/ci.yml |  2 +-
 crypto/asn1/a_print.c|  7 ---
 crypto/asn1/asn1_lib.c   | 11 ---
 ssl/ssl_asn1.c   |  2 +-
 4 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6b61af9c03..367b8cf41f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -113,7 +113,7 @@ jobs:
 steps:
 - uses: actions/checkout@v2
 - name: config
-  run: ./config --debug enable-asan enable-ubsan enable-rc5 enable-md2 
enable-ec_nistp_64_gcc_128 && perl configdata.pm --dump
+  run: ./config --debug enable-asan enable-ubsan enable-rc5 enable-md2 
enable-ec_nistp_64_gcc_128 -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION && perl 
configdata.pm --dump
 - name: make
   run: make -s -j4
 - name: make test
diff --git a/crypto/asn1/a_print.c b/crypto/asn1/a_print.c
index 85a631a27a..f86623fdfa 100644
--- a/crypto/asn1/a_print.c
+++ b/crypto/asn1/a_print.c
@@ -18,12 +18,13 @@ int ASN1_PRINTABLE_type(const unsigned char *s, int len)
 int ia5 = 0;
 int t61 = 0;
 
-if (len <= 0)
-len = -1;
 if (s == NULL)
 return V_ASN1_PRINTABLESTRING;
 
-while ((*s) && (len-- != 0)) {
+if (len < 0)
+len = strlen((const char *)s);
+
+while (len-- > 0) {
 c = *(s++);
 if (!ossl_isasn1print(c))
 ia5 = 1;
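
Review bot: The length handling at the top of ASN1_PRINTABLE_type changes what `len == 0` means: the removed lines mapped `len <= 0` to "scan until NUL", while `if (len < 0) len = strlen((const char *)s);` leaves 0 as an empty input, so the loop body never runs. The new condition `while (len-- > 0)` also no longer stops at an embedded NUL when a positive length is passed. Both fit buffers that are not NUL-terminated, but the contract change should be written into the function's documentation, and the `strlen` result (a `size_t`) is assigned to an `int` without a range check.
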
diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c
index 3d99d1383d..b9b7ad8e9e 100644
--- a/crypto/asn1/asn1_lib.c
+++ b/crypto/asn1/asn1_lib.c
@@ -294,7 +294,7 @@ int ASN1_STRING_set(ASN1_STRING *str, const void *_data, 
int len_in)
 c = str->data;
 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
 /* No NUL terminator in fuzzing builds */
-str->data = OPENSSL_realloc(c, len);
+str->data = OPENSSL_realloc(c, len != 0 ? len : 1);
 #else
 str->data = OPENSSL_realloc(c, len + 1);
 #endif
@@ -307,7 +307,11 @@ int ASN1_STRING_set(ASN1_STRING *str, const void *_data, 
int len_in)
 str->length = len;
 if (data != NULL) {
 memcpy(str->data, data, len);
-#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+/* Set the unused byte to something non NUL and printable. */
+if (len == 0)
+str->data[len] = '~';
+#else
 /*
  * Add a NUL terminator. This should not be necessary - but we add it 
as
  * a safety precaution
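
Review bot: The write `str->data[len] = '~';` in the fuzzing branch relies on the previous hunk allocating `len != 0 ? len : 1` bytes, and nothing at this site says so. A short comment tying the two together, or indexing with a literal 0 since `len == 0` here, would keep a later change to the allocation size from turning this into a one-byte out-of-bounds write in fuzzing builds.
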
@@ -375,7 +379,8 @@ int ASN1_STRING_cmp(const ASN1_STRING *a, const ASN1_STRING 
*b)
 
 i = (a->length - b->length);
 if (i == 0) {
-i = memcmp(a->data, b->data, a->length);
+if (a->length != 0)
+i = memcmp(a->data, b->data, a->length);
 if (i == 0)
 return a->type - b->type;
 else
diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c
index 799fee771b..dd4a2e3203 100644
--- a/ssl/ssl_asn1.c
+++ b/ssl/ssl_asn1.c
@@ -225,7 +225,7 @@ static int ssl_session_strndup(char **pdst, 
ASN1_OCTET_STRING *src)
 static int ssl_session_memcpy(unsigned char *dst, size_t *pdstlen,
   ASN1_OCTET_STRING *src, size_t maxlen)
 {
-if (src == NULL) {
+if (src == NULL || src->length == 0) {
 *pdstlen = 0;
 return 1;
 }


[openssl] OpenSSL_1_1_1-stable update

2021-08-31 Thread nic . tuv
The branch OpenSSL_1_1_1-stable has been updated
   via  a9972440d26e482cec9d7a8c4c0063baa20d9eac (commit)
   via  f397efb0b999af6a54bc192ce8551e76c79ff245 (commit)
   via  45487dba0fb8c36fe390fa8131204403c00c01fc (commit)
   via  3d97638062595efb23b32f9150c38d60db89de7f (commit)
  from  f661c76a9e27a87f4bbbed135faf89a3fccac75f (commit)


- Log -
commit a9972440d26e482cec9d7a8c4c0063baa20d9eac
Author: Bernd Edlinger 
Date:   Fri Aug 20 20:42:55 2021 +0200

Use applink to fix windows tests

(cherry picked from commit 
)

Reviewed-by: Tomas Mraz 
Reviewed-by: Nicola Tuveri 
(Merged from https://github.com/openssl/openssl/pull/12457)

commit f397efb0b999af6a54bc192ce8551e76c79ff245
Author: Nicola Tuveri 
Date:   Thu Jul 16 03:23:26 2020 +0300

[ec] Do not default to OPENSSL_EC_NAMED_CURVE for curves without OID

Some curves don't have an associated OID: for those we should not
default to `OPENSSL_EC_NAMED_CURVE` encoding of parameters and instead
set the ASN1 flag to `OPENSSL_EC_EXPLICIT_CURVE`.

This is a follow-up to https://github.com/openssl/openssl/pull/12312

(cherry picked from commit 7aa3dfc42104588f65301d20324388ac2c9a6b11)

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/12457)

commit 45487dba0fb8c36fe390fa8131204403c00c01fc
Author: Nicola Tuveri 
Date:   Thu Jul 16 02:02:16 2020 +0300

Fix d2i_ECPKParameters_fp and i2d_ECPKParameters_fp macros

These functions are part of the public API but we don't have tests
covering their usage.
They are actually implemented as macros and the absence of tests has
caused them to fall out-of-sync with the latest changes to ASN1 related
functions and cause compilation warnings.

This commit fixes the public headers to reflect these changes.

Fixes #12443

(cherry picked from commit cca8a4cedaafe63b0b5729b72133661ece24ff08)

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/12457)

commit 3d97638062595efb23b32f9150c38d60db89de7f
Author: Nicola Tuveri 
Date:   Thu Jul 16 01:57:09 2020 +0300

Add tests for i2d_TYPE_fp and d2i_TYPE_fp

These functions are part of the public API but we don't have tests
covering their usage.
They are actually implemented as macros and the absence of tests has
caused them to fall out-of-sync with the latest changes to ASN1 related
functions and cause compilation warnings.

@@ Note: This commit limits to ECPKParameters as a type.

(cherry picked from commit ea1128e94e36fa9fa25278dc6b3f5b42d8735782)

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/12457)

---

Summary of changes:
 crypto/ec/ec_asn1.c |  2 +-
 crypto/ec/ec_curve.c| 27 +++
 include/openssl/ec.h| 15 +--
 test/build.info |  4 +++-
 test/ec_internal_test.c | 43 +++
 5 files changed, 83 insertions(+), 8 deletions(-)

diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
index c8ee1e6f17..4335b3da1a 100644
--- a/crypto/ec/ec_asn1.c
+++ b/crypto/ec/ec_asn1.c
@@ -548,7 +548,7 @@ ECPKPARAMETERS *EC_GROUP_get_ecpkparameters(const EC_GROUP 
*group,
 ECPARAMETERS_free(ret->value.parameters);
 }
 
-if (EC_GROUP_get_asn1_flag(group)) {
+if (EC_GROUP_get_asn1_flag(group) == OPENSSL_EC_NAMED_CURVE) {
 /*
  * use the asn1 OID to describe the elliptic curve parameters
  */
diff --git a/crypto/ec/ec_curve.c b/crypto/ec/ec_curve.c
index 8de486cbd7..dfe5263f59 100644
--- a/crypto/ec/ec_curve.c
+++ b/crypto/ec/ec_curve.c
@@ -12,6 +12,7 @@
 #include "ec_local.h"
 #include 
 #include 
+#include 
 #include 
 #include "internal/nelem.h"
 
@@ -3097,6 +3098,32 @@ static EC_GROUP *ec_group_new_from_data(const 
ec_list_element curve)
 goto err;
 }
 }
+
+if (EC_GROUP_get_asn1_flag(group) == OPENSSL_EC_NAMED_CURVE) {
+/*
+ * Some curves don't have an associated OID: for those we should not
+ * default to `OPENSSL_EC_NAMED_CURVE` encoding of parameters and
+ * instead set the ASN1 flag to `OPENSSL_EC_EXPLICIT_CURVE`.
+ *
+ * Note that `OPENSSL_EC_NAMED_CURVE` is set as the default ASN1 flag 
on
+ * `EC_GROUP_new()`, when we don't have enough elements to determine if
+ * an OID for the curve name actually exists.
+ * We could implement this check on `EC_GROUP_set_curve_name()` but
+ * overloading the simple setter with this lookup could have a negative
+ * performance impact and unexpected consequences.
+ */
+

[openssl] OpenSSL_1_1_1-stable update

2021-08-30 Thread tomas
The branch OpenSSL_1_1_1-stable has been updated
   via  f661c76a9e27a87f4bbbed135faf89a3fccac75f (commit)
  from  0888183816636f994a3384cde211c88e0d4d1f6a (commit)


- Log -
commit f661c76a9e27a87f4bbbed135faf89a3fccac75f
Author: Bernd Edlinger 
Date:   Fri Aug 27 21:34:37 2021 +0200

Fix no-tls1_3 tests

This recently added test needs DH2048 to work without tls1_3.

Fixes: #16335

Reviewed-by: Paul Dale 
Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/16453)

---

Summary of changes:
 .github/workflows/run-checker-ci.yml|  3 +--
 .github/workflows/run-checker-daily.yml |  3 +--
 test/recipes/80-test_ssl_old.t  |  2 +-
 test/ssltest_old.c  | 41 +
 4 files changed, 44 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/run-checker-ci.yml 
b/.github/workflows/run-checker-ci.yml
index 7a171bff9d..a999492207 100644
--- a/.github/workflows/run-checker-ci.yml
+++ b/.github/workflows/run-checker-ci.yml
@@ -20,8 +20,7 @@ jobs:
   no-tests,
   no-threads,
   no-tls,
-# no-tls1_3 temporarily disabled due to failures to be investigated separately
-#  no-tls1_3,
+  no-tls1_3,
   no-ts,
   no-ui,
 ]
diff --git a/.github/workflows/run-checker-daily.yml 
b/.github/workflows/run-checker-daily.yml
index c1b0327ae3..e335b87b31 100644
--- a/.github/workflows/run-checker-daily.yml
+++ b/.github/workflows/run-checker-daily.yml
@@ -50,8 +50,7 @@ jobs:
   no-egd,
   no-engine,
   no-external-tests,
-# no-tls1_3 temporarily disabled due to failures to be investigated separately
-#  no-tls1_3,
+  no-tls1_3,
   no-fuzz-afl,
   no-fuzz-libfuzzer,
   no-gost,
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
index 6f5fdb7669..9800de0fc8 100644
--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
@@ -519,7 +519,7 @@ sub testssl {
skip "skipping auto PSK tests", 1
if ($no_dh || $no_psk || $no_ec);
 
-   ok(run(test(['ssltest_old', '-psk', '0102030405', '-cipher', 
'@SECLEVEL=2:DHE-PSK-AES128-CCM'])),
+   ok(run(test(['ssltest_old', '-dhe2048', '-psk', '0102030405', 
'-cipher', '@SECLEVEL=2:DHE-PSK-AES128-CCM'])),
   'test auto DH meets security strength');
  }
}
diff --git a/test/ssltest_old.c b/test/ssltest_old.c
index 36e6031f3a..cc98e4f866 100644
--- a/test/ssltest_old.c
+++ b/test/ssltest_old.c
@@ -95,6 +95,7 @@ struct app_verify_arg {
 static DH *get_dh512(void);
 static DH *get_dh1024(void);
 static DH *get_dh1024dsa(void);
+static DH *get_dh2048(void);
 #endif
 
 static char *psk_key = NULL;/* by default PSK is not used */
@@ -641,6 +642,8 @@ static void sv_usage(void)
 " -dhe1024  - use 1024 bit key (safe prime) for DHE (default, 
no-op)\n");
 fprintf(stderr,
 " -dhe1024dsa   - use 1024 bit key (with 160-bit subprime) for 
DHE\n");
+fprintf(stderr,
+" -dhe2048  - use 2048 bit key (rfc3526 pime) for DHE\n");
 fprintf(stderr, " -no_dhe   - disable DHE\n");
 #endif
 #ifndef OPENSSL_NO_EC
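
Review bot: Typo in the added usage string: `(rfc3526 pime)` should read `(rfc3526 prime)`.
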
@@ -895,6 +898,7 @@ int main(int argc, char *argv[])
 #ifndef OPENSSL_NO_DH
 DH *dh;
 int dhe512 = 0, dhe1024dsa = 0;
+int dhe2048 = 0;
 #endif
 int no_dhe = 0;
 int no_psk = 0;
@@ -989,6 +993,13 @@ int main(int argc, char *argv[])
 #else
 fprintf(stderr,
 "ignoring -dhe512, since I'm compiled without DH\n");
+#endif
+} else if (strcmp(*argv, "-dhe2048") == 0) {
+#ifndef OPENSSL_NO_DH
+dhe2048 = 1;
+#else
+fprintf(stderr,
+"ignoring -dhe2048, since I'm compiled without DH\n");
 #endif
 } else if (strcmp(*argv, "-dhe1024dsa") == 0) {
 #ifndef OPENSSL_NO_DH
@@ -1482,6 +1493,8 @@ int main(int argc, char *argv[])
 dh = get_dh1024dsa();
 } else if (dhe512)
 dh = get_dh512();
+else if (dhe2048)
+dh = get_dh2048();
 else
 dh = get_dh1024();
 SSL_CTX_set_tmp_dh(s_ctx, dh);
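
Review bot: `get_dh2048()` can return NULL (see its `err:` path in the last hunk of this file), yet the result of `dh = get_dh2048();` is passed straight to `SSL_CTX_set_tmp_dh(s_ctx, dh);` with no check. A NULL test with an error message before that call would make a failed setup fail the test explicitly instead of depending on how `SSL_CTX_set_tmp_dh` treats a NULL argument. The `else if` order also means `-dhe512` silently wins when both `-dhe512` and `-dhe2048` are given.
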
@@ -3019,6 +3032,34 @@ static DH *get_dh1024dsa(void)
 DH_set_length(dh, 160);
 return dh;
 }
+
+static DH *get_dh2048(void)
+{
+BIGNUM *p = NULL, *g = NULL;
+DH *dh = NULL;
+
+if ((dh = DH_new()) == NULL)
+return NULL;
+
+g = BN_new();
+if (g == NULL || !BN_set_word(g, 2))
+goto err;
+
+p = BN_get_rfc3526_prime_2048(NULL);
+if (p == NULL)
+goto err;
+
+if (!DH_set0_pqg(dh, p, NULL, g))
+goto err;
+
+return dh;
+
+ err:
+DH_free(dh);
+BN_free(p);
+BN_free(g);
+return NULL;
+}
 #endif
 
 #ifndef OPENSSL_NO_PSK


[openssl] OpenSSL_1_1_1-stable update

2021-08-29 Thread beldmit
The branch OpenSSL_1_1_1-stable has been updated
   via  0888183816636f994a3384cde211c88e0d4d1f6a (commit)
  from  dc3520b1ad3e1d70b899210bacc002318ebe276a (commit)


- Log -
commit 0888183816636f994a3384cde211c88e0d4d1f6a
Author: Daniel Krügler 
Date:   Fri Aug 27 18:32:20 2021 +0200

Ensure that _GNU_SOURCE is defined for bss_dgram.c

This fixes the following error with gcc10 under strict ANSI conditions:

.../crypto/bio/bss_dgram.c:373:20: error: 'const struct in6_addr' has no 
member named 's6_addr32'

CLA: trivial
Fixes #16449

Reviewed-by: Bernd Edlinger 
Reviewed-by: Paul Dale 
Reviewed-by: Dmitry Belyavskiy 
(Merged from https://github.com/openssl/openssl/pull/16451)

(cherry picked from commit e8e1f6d1a9e599d575431f559200018b8f822e0f)

---

Summary of changes:
 crypto/bio/bss_dgram.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/crypto/bio/bss_dgram.c b/crypto/bio/bss_dgram.c
index 942fd8b514..2b2e4d5f88 100644
--- a/crypto/bio/bss_dgram.c
+++ b/crypto/bio/bss_dgram.c
@@ -7,6 +7,10 @@
  * https://www.openssl.org/source/license.html
  */
 
+#ifndef _GNU_SOURCE
+# define _GNU_SOURCE
+#endif
+
 #include 
 #include 
 


[openssl] OpenSSL_1_1_1-stable update

2021-08-28 Thread bernd . edlinger
The branch OpenSSL_1_1_1-stable has been updated
   via  dc3520b1ad3e1d70b899210bacc002318ebe276a (commit)
  from  876b7e97b848ba179c1dbe4a4a265dfffae0eba6 (commit)


- Log -
commit dc3520b1ad3e1d70b899210bacc002318ebe276a
Author: Bernd Edlinger 
Date:   Fri Aug 27 13:11:39 2021 +0200

Fix the "Out of memory" EVP KDF scrypt test

This test did not really execute, since usually
the OPENSSL_malloc(0) will fail and prevent the
execution of the KDF.

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/16446)

---

Summary of changes:
 test/evp_test.c  | 2 +-
 test/recipes/30-test_evp_data/evpkdf.txt | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/test/evp_test.c b/test/evp_test.c
index abb51384e8..d4cca6dbcb 100644
--- a/test/evp_test.c
+++ b/test/evp_test.c
@@ -1777,7 +1777,7 @@ static int kdf_test_run(EVP_TEST *t)
 unsigned char *got = NULL;
 size_t got_len = expected->output_len;
 
-if (!TEST_ptr(got = OPENSSL_malloc(got_len))) {
+if (!TEST_ptr(got = OPENSSL_malloc(got_len == 0 ? 1 : got_len))) {
 t->err = "INTERNAL_ERROR";
 goto err;
 }
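
Review bot: The one-byte fallback in `OPENSSL_malloc(got_len == 0 ? 1 : got_len)` has no comment explaining it. The commit message gives the reason (the zero-size allocation usually fails, so the KDF never ran); a one-line comment at this call would keep the expression from being simplified away later.
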
diff --git a/test/recipes/30-test_evp_data/evpkdf.txt 
b/test/recipes/30-test_evp_data/evpkdf.txt
index 9a6cc28385..8fe0df3972 100644
--- a/test/recipes/30-test_evp_data/evpkdf.txt
+++ b/test/recipes/30-test_evp_data/evpkdf.txt
@@ -301,5 +301,5 @@ Ctrl.salt = salt:SodiumChloride
 Ctrl.N = N:1048576
 Ctrl.r = r:8
 Ctrl.p = p:1
-Result = INTERNAL_ERROR
+Result = KDF_MISMATCH
 


[openssl] OpenSSL_1_1_1-stable update

2021-08-27 Thread bernd . edlinger
The branch OpenSSL_1_1_1-stable has been updated
   via  876b7e97b848ba179c1dbe4a4a265dfffae0eba6 (commit)
  from  e93a82da60f52e6fc799323b99499ee51e8c7215 (commit)


- Log -
commit 876b7e97b848ba179c1dbe4a4a265dfffae0eba6
Author: Bernd Edlinger 
Date:   Thu Aug 26 20:10:16 2021 +0200

Fix enable-asan with C++ buildtest

the following config:

./config no-shared enable-asan enable-buildtest-c++ enable-external-tests

fails to build with unresolved asan symbols when linking
test/ossl_shim/ossl_shim

Fixed by passing all sanitizer-flags to cxxflags.

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/16434)

---

Summary of changes:
 Configure | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/Configure b/Configure
index b286dd0678..faf57b155a 100755
--- a/Configure
+++ b/Configure
@@ -1304,16 +1304,19 @@ if ($disabled{"dynamic-engine"}) {
 
 unless ($disabled{asan}) {
 push @{$config{cflags}}, "-fsanitize=address";
+push @{$config{cxxflags}}, "-fsanitize=address" if $config{CXX};
 }
 
 unless ($disabled{ubsan}) {
 # -DPEDANTIC or -fnosanitize=alignment may also be required on some
 # platforms.
 push @{$config{cflags}}, "-fsanitize=undefined", 
"-fno-sanitize-recover=all";
+push @{$config{cxxflags}}, "-fsanitize=undefined", 
"-fno-sanitize-recover=all" if $config{CXX};
 }
 
 unless ($disabled{msan}) {
   push @{$config{cflags}}, "-fsanitize=memory";
+  push @{$config{cxxflags}}, "-fsanitize=memory" if $config{CXX};
 }
 
 unless ($disabled{"fuzz-libfuzzer"} && $disabled{"fuzz-afl"}
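
Review bot: Each sanitizer block now spells out its flags twice, once for `cflags` and once for `cxxflags` (for ubsan both `"-fsanitize=undefined"` and `"-fno-sanitize-recover=all"` appear on each line), so a future flag change has to be made in two places. Holding the flags in a local list and pushing that list onto both arrays would avoid drift. The context comment in the ubsan block also spells the option `-fnosanitize=alignment`; it should read `-fno-sanitize=alignment`.
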


[openssl] OpenSSL_1_1_1-stable update

2021-08-27 Thread nic . tuv
The branch OpenSSL_1_1_1-stable has been updated
   via  e93a82da60f52e6fc799323b99499ee51e8c7215 (commit)
  from  58e1e397c6774be11b903c0f88e85bd2b8c4206f (commit)


- Log -
commit e93a82da60f52e6fc799323b99499ee51e8c7215
Author: Bernd Edlinger 
Date:   Wed Aug 25 14:30:12 2021 +0200

Fix instances of pointer addition with the NULL pointer

ubsan found undefined pointer additions in
crypto/bio/bss_mem.c (mem_ctrl),
crypto/pem/pem_lib.c (PEM_read_bio_ex),
test/testutil/format_output.c (test_fail_string_common,
test_fail_memory_common).

Mostly a straight back-port-of: a07dc81

Additionally enable the ubsan run-checker, to prevent regressions.

Reviewed-by: Tomas Mraz 
Reviewed-by: Nicola Tuveri 
(Merged from https://github.com/openssl/openssl/pull/16423)

---

Summary of changes:
 .github/workflows/run-checker-merge.yml |  3 +--
 crypto/bio/bss_mem.c|  2 +-
 crypto/pem/pem_lib.c| 23 +--
 test/testutil/format_output.c   | 12 
 4 files changed, 23 insertions(+), 17 deletions(-)

diff --git a/.github/workflows/run-checker-merge.yml 
b/.github/workflows/run-checker-merge.yml
index 29419a2396..ff2d666b6d 100644
--- a/.github/workflows/run-checker-merge.yml
+++ b/.github/workflows/run-checker-merge.yml
@@ -16,8 +16,7 @@ jobs:
   no-engine no-shared,
   no-err,
   no-filenames,
-# ubsan build is temporarily disabled, due to failures to be investigated 
separately
-#  enable-ubsan no-asm -DPEDANTIC -DOPENSSL_SMALL_FOOTPRINT 
-fno-sanitize=alignment,
+  enable-ubsan no-asm -DPEDANTIC -DOPENSSL_SMALL_FOOTPRINT 
-fno-sanitize=alignment,
   no-unit-test,
   enable-weak-ssl-ciphers,
   enable-zlib,
diff --git a/crypto/bio/bss_mem.c b/crypto/bio/bss_mem.c
index 7cb4a57813..14bfd00173 100644
--- a/crypto/bio/bss_mem.c
+++ b/crypto/bio/bss_mem.c
@@ -280,7 +280,7 @@ static long mem_ctrl(BIO *b, int cmd, long num, void *ptr)
 ret = (long)bm->length;
 if (ptr != NULL) {
 pptr = (char **)ptr;
-*pptr = (char *)&(bm->data[0]);
+*pptr = (char *)bm->data;
 }
 break;
 case BIO_C_SET_BUF_MEM:
diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
index a26322119a..92dcd90a7f 100644
--- a/crypto/pem/pem_lib.c
+++ b/crypto/pem/pem_lib.c
@@ -899,18 +899,13 @@ err:
 int PEM_read_bio_ex(BIO *bp, char **name_out, char **header,
 unsigned char **data, long *len_out, unsigned int flags)
 {
-EVP_ENCODE_CTX *ctx = EVP_ENCODE_CTX_new();
+EVP_ENCODE_CTX *ctx = NULL;
 const BIO_METHOD *bmeth;
 BIO *headerB = NULL, *dataB = NULL;
 char *name = NULL;
 int len, taillen, headerlen, ret = 0;
 BUF_MEM * buf_mem;
 
-if (ctx == NULL) {
-PEMerr(PEM_F_PEM_READ_BIO_EX, ERR_R_MALLOC_FAILURE);
-return 0;
-}
-
 *len_out = 0;
 *name_out = *header = NULL;
 *data = NULL;
@@ -933,9 +928,20 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char 
**header,
 if (!get_header_and_data(bp, , , name, flags))
 goto end;
 
-EVP_DecodeInit(ctx);
 BIO_get_mem_ptr(dataB, _mem);
 len = buf_mem->length;
+
+/* There was no data in the PEM file */
+if (len == 0)
+goto end;
+
+ctx = EVP_ENCODE_CTX_new();
+if (ctx == NULL) {
+PEMerr(PEM_F_PEM_READ_BIO_EX, ERR_R_MALLOC_FAILURE);
+goto end;
+}
+
+EVP_DecodeInit(ctx);
 if (EVP_DecodeUpdate(ctx, (unsigned char*)buf_mem->data, ,
  (unsigned char*)buf_mem->data, len) < 0
 || EVP_DecodeFinal(ctx, (unsigned char*)&(buf_mem->data[len]),
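
Review bot: With `ctx` now created only after the `len == 0` check, the new `goto end` for empty data and the earlier `goto end` paths all reach the cleanup label with `ctx == NULL`. The cleanup code is outside this diff, so please confirm it releases `ctx` with a NULL-safe call. As far as these lines show, the empty-data exit also returns without a `PEMerr`, so the caller gets a failure with nothing on the error queue; if that is intended, a comment next to `if (len == 0)` would help.
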
@@ -946,9 +952,6 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header,
 len += taillen;
 buf_mem->length = len;
 
-/* There was no data in the PEM file; avoid malloc(0). */
-if (len == 0)
-goto end;
 headerlen = BIO_get_mem_data(headerB, NULL);
 *header = pem_malloc(headerlen + 1, flags);
 *data = pem_malloc(len, flags);
diff --git a/test/testutil/format_output.c b/test/testutil/format_output.c
index 6ee2a1d266..f42141fd8d 100644
--- a/test/testutil/format_output.c
+++ b/test/testutil/format_output.c
@@ -107,8 +107,10 @@ static void test_fail_string_common(const char *prefix, 
const char *file,
 if (diff && i > 0)
 test_printf_stderr("% 4s%s\n", "", bdiff);
 }
-m1 += n1;
-m2 += n2;
+if (m1 != NULL)
+m1 += n1;
+if (m2 != NULL)
+m2 += n2;
 l1 -= n1;
 l2 -= n2;
 cnt += width;
@@ -495,8 +497,10 @@ static void test_fail_memory_common(const char *prefix, 
const char *file,
 if (diff && i > 0)
 test_printf_stderr("% 4s  

[openssl] OpenSSL_1_1_1-stable update

2021-08-27 Thread tomas
The branch OpenSSL_1_1_1-stable has been updated
   via  58e1e397c6774be11b903c0f88e85bd2b8c4206f (commit)
  from  96ac8f13f4d0ee96baf5724d9f96c44c34b8606c (commit)


- Log -
commit 58e1e397c6774be11b903c0f88e85bd2b8c4206f
Author: zhaozg 
Date:   Tue Aug 24 22:43:18 2021 +0800

cms: fix memleaks in cms_env.c

CLA: trivial

Reviewed-by: Paul Dale 
Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/16403)

---

Summary of changes:
 crypto/cms/cms_env.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c
index 04940146fd..fe078f1a7f 100644
--- a/crypto/cms/cms_env.c
+++ b/crypto/cms/cms_env.c
@@ -737,6 +737,7 @@ static int cms_RecipientInfo_kekri_decrypt(CMS_ContentInfo 
*cms,
 goto err;
 }
 
+OPENSSL_clear_free(ec->key, ec->keylen);
 ec->key = ukey;
 ec->keylen = ukeylen;
 


[openssl] OpenSSL_1_1_1-stable update

2021-08-27 Thread tomas
The branch OpenSSL_1_1_1-stable has been updated
   via  96ac8f13f4d0ee96baf5724d9f96c44c34b8606c (commit)
  from  15d1ddde5de9d28b671d3f6fe8757f4b87e67821 (commit)


- Log -
commit 96ac8f13f4d0ee96baf5724d9f96c44c34b8606c
Author: David Carlier 
Date:   Tue Aug 24 22:40:14 2021 +0100

Darwin platform allows to build on releases before Yosemite/ios 8.

issue #16407 #16408

Reviewed-by: Paul Dale 
Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/16409)

---

Summary of changes:
 crypto/rand/rand_unix.c |  5 +
 include/crypto/rand.h   | 10 ++
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/crypto/rand/rand_unix.c b/crypto/rand/rand_unix.c
index 43f1069d15..0f4525106a 100644
--- a/crypto/rand/rand_unix.c
+++ b/crypto/rand/rand_unix.c
@@ -34,9 +34,6 @@
 #if defined(__OpenBSD__)
 # include 
 #endif
-#if defined(__APPLE__)
-# include 
-#endif
 
 #if defined(OPENSSL_SYS_UNIX) || defined(__DJGPP__)
 # include 
@@ -381,7 +378,7 @@ static ssize_t syscall_random(void *buf, size_t buflen)
 if (errno != ENOSYS)
 return -1;
 }
-#  elif defined(__APPLE__)
+#  elif defined(OPENSSL_APPLE_CRYPTO_RANDOM)
 if (CCRandomGenerateBytes(buf, buflen) == kCCSuccess)
return (ssize_t)buflen;
 
diff --git a/include/crypto/rand.h b/include/crypto/rand.h
index 5350d3a931..674f840fd1 100644
--- a/include/crypto/rand.h
+++ b/include/crypto/rand.h
@@ -20,6 +20,16 @@
 
 # include 
 
+# if defined(__APPLE__) && !defined(OPENSSL_NO_APPLE_CRYPTO_RANDOM)
+#  include 
+#  if (defined(__MAC_OS_X_VERSION_MIN_REQUIRED) && 
__MAC_OS_X_VERSION_MIN_REQUIRED >= 101000) || \
+ (defined(__IPHONE_OS_VERSION_MIN_REQUIRED) && 
__IPHONE_OS_VERSION_MIN_REQUIRED >= 8)
+#   define OPENSSL_APPLE_CRYPTO_RANDOM 1
+#   include 
+#   include 
+#  endif
+# endif
+
 /* forward declaration */
 typedef struct rand_pool_st RAND_POOL;
 
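Review bot: `OPENSSL_NO_APPLE_CRYPTO_RANDOM` is introduced in the `# if defined(__APPLE__) && ...` line as an opt-out, but nothing in this patch documents it. A note in the build documentation would let users find it. It is also worth confirming, outside these hunks, which entropy source `syscall_random()` uses on Apple targets below the version thresholds, since the `#  elif defined(OPENSSL_APPLE_CRYPTO_RANDOM)` branch is now skipped there.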


[openssl] OpenSSL_1_1_1-stable update

2021-08-26 Thread tomas
The branch OpenSSL_1_1_1-stable has been updated
   via  15d1ddde5de9d28b671d3f6fe8757f4b87e67821 (commit)
  from  5d91c74fa3fcd8c17184ab8f51745de8354f7362 (commit)


- Log -
commit 15d1ddde5de9d28b671d3f6fe8757f4b87e67821
Author: zhaozg 
Date:   Wed Aug 18 15:40:22 2021 +0800

ts: fix memleaks caused by TS_VERIFY_CTX_set_imprint

CLA: trivial

Reviewed-by: Paul Dale 
Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/16347)

(cherry picked from commit 62bae84d4587ec9a56d0ce830e36e4a5b2fa8a33)

---

Summary of changes:
 crypto/ts/ts_verify_ctx.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/crypto/ts/ts_verify_ctx.c b/crypto/ts/ts_verify_ctx.c
index 32cd2f542b..b504649a41 100644
--- a/crypto/ts/ts_verify_ctx.c
+++ b/crypto/ts/ts_verify_ctx.c
@@ -70,6 +70,7 @@ STACK_OF(X509) *TS_VERIFY_CTS_set_certs(TS_VERIFY_CTX *ctx,
 unsigned char *TS_VERIFY_CTX_set_imprint(TS_VERIFY_CTX *ctx,
  unsigned char *hexstr, long len)
 {
+OPENSSL_free(ctx->imprint);
 ctx->imprint = hexstr;
 ctx->imprint_len = len;
 return ctx->imprint;
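
Review bot: The added `OPENSSL_free(ctx->imprint);` runs before `ctx->imprint = hexstr;` with no check that the two pointers differ, so a caller that passes the pointer already stored in the context ends up with a freed pointer in `ctx->imprint`. Guarding the free with `if (ctx->imprint != hexstr)` covers that case. The setter now also takes over freeing the previous buffer, which changes behaviour for callers that released it themselves; that ownership rule belongs in the function's documentation.
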


[openssl] OpenSSL_1_1_1-stable update

2021-08-26 Thread bernd . edlinger
The branch OpenSSL_1_1_1-stable has been updated
   via  5d91c74fa3fcd8c17184ab8f51745de8354f7362 (commit)
  from  7a1a91556cc271d38944410b133a2ab5e2cf8ca8 (commit)


- Log -
commit 5d91c74fa3fcd8c17184ab8f51745de8354f7362
Author: Bernd Edlinger 
Date:   Mon Aug 23 11:13:26 2021 +0200

Check for null-pointer dereference in dh_cms_set_peerkey

Reviewed-by: Paul Dale 
Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/16382)

---

Summary of changes:
 crypto/dh/dh_ameth.c | 11 +++
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/crypto/dh/dh_ameth.c b/crypto/dh/dh_ameth.c
index d53004080d..0d4026c206 100644
--- a/crypto/dh/dh_ameth.c
+++ b/crypto/dh/dh_ameth.c
@@ -629,16 +629,18 @@ static int dh_cms_set_peerkey(EVP_PKEY_CTX *pctx,
 goto err;
 
 pk = EVP_PKEY_CTX_get0_pkey(pctx);
-if (!pk)
-goto err;
-if (pk->type != EVP_PKEY_DHX)
+if (pk == NULL || pk->type != EVP_PKEY_DHX)
 goto err;
+
 /* Get parameters from parent key */
 dhpeer = DHparams_dup(pk->pkey.dh);
+if (dhpeer == NULL)
+goto err;
+
 /* We have parameters now set public key */
 plen = ASN1_STRING_length(pubkey);
 p = ASN1_STRING_get0_data(pubkey);
-if (!p || !plen)
+if (p == NULL || plen == 0)
 goto err;
 
 if ((public_key = d2i_ASN1_INTEGER(NULL, , plen)) == NULL) {
@@ -655,6 +657,7 @@ static int dh_cms_set_peerkey(EVP_PKEY_CTX *pctx,
 pkpeer = EVP_PKEY_new();
 if (pkpeer == NULL)
 goto err;
+
 EVP_PKEY_assign(pkpeer, pk->ameth->pkey_id, dhpeer);
 dhpeer = NULL;
 if (EVP_PKEY_derive_set_peer(pctx, pkpeer) > 0)
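
Review bot: The return value of `EVP_PKEY_assign(pkpeer, pk->ameth->pkey_id, dhpeer);` is still ignored in the lines around the added blank line, and `dhpeer = NULL;` follows unconditionally, so a failed assign would drop the only reference to `dhpeer`. Since this patch tightens the NULL handling in the same function, checking that call in the same change would be consistent.
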


[openssl] OpenSSL_1_1_1-stable update

2021-08-25 Thread Dr . Paul Dale
The branch OpenSSL_1_1_1-stable has been updated
   via  7a1a91556cc271d38944410b133a2ab5e2cf8ca8 (commit)
  from  18622c7625436d7f99c0f51895c4d3cea233c62e (commit)


- Log -
commit 7a1a91556cc271d38944410b133a2ab5e2cf8ca8
Author: Tianjia Zhang 
Date:   Mon Aug 23 17:40:22 2021 +0800

apps/ciphers: Fix wrong return value when using -convert parameter

Command 'openssl ciphers -convert ' always returns failure,
this patch sets the correct return value.

Signed-off-by: Tianjia Zhang 

Reviewed-by: Paul Yang 
Reviewed-by: Paul Dale 
Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/16383)

(cherry picked from commit 8b4e9c5265ffd3457ad37133502a9d8a4e8daccd)

---

Summary of changes:
 apps/ciphers.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/apps/ciphers.c b/apps/ciphers.c
index 0bb33a4aca..e403130eeb 100644
--- a/apps/ciphers.c
+++ b/apps/ciphers.c
@@ -172,6 +172,7 @@ int ciphers_main(int argc, char **argv)
 if (convert != NULL) {
 BIO_printf(bio_out, "OpenSSL cipher name: %s\n",
OPENSSL_cipher_name(convert));
+ret = 0;
 goto end;
 }
 
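Review bot: `ret = 0;` is set unconditionally after the `BIO_printf`, so the exit status is success whatever `OPENSSL_cipher_name(convert)` returned. If an unrecognised name is meant to be reported as a failure, the result has to be inspected before `ret` is cleared; either way, a test that checks the exit status of `openssl ciphers -convert` would keep this from regressing.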


[openssl] OpenSSL_1_1_1-stable update

2021-08-25 Thread tomas
The branch OpenSSL_1_1_1-stable has been updated
   via  18622c7625436d7f99c0f51895c4d3cea233c62e (commit)
  from  cf2b1d6f11aa7ec4aa909ff1ecb9bee6892285d9 (commit)


- Log -
commit 18622c7625436d7f99c0f51895c4d3cea233c62e
Author: Bernd Edlinger 
Date:   Sun Aug 22 21:28:51 2021 +0200

Fix some strict gcc-12 warnings

Reviewed-by: Paul Dale 
Reviewed-by: Richard Levitte 
Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/16375)

---

Summary of changes:
 crypto/ec/curve448/field.h | 2 +-
 ssl/s3_cbc.c   | 2 +-
 ssl/ssl_local.h| 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/crypto/ec/curve448/field.h b/crypto/ec/curve448/field.h
index ccd04482d2..4ce263d436 100644
--- a/crypto/ec/curve448/field.h
+++ b/crypto/ec/curve448/field.h
@@ -62,7 +62,7 @@ mask_t gf_eq(const gf x, const gf y);
 mask_t gf_lobit(const gf x);
 mask_t gf_hibit(const gf x);
 
-void gf_serialize(uint8_t *serial, const gf x, int with_highbit);
+void gf_serialize(uint8_t serial[SER_BYTES], const gf x, int with_highbit);
 mask_t gf_deserialize(gf x, const uint8_t serial[SER_BYTES], int with_hibit,
   uint8_t hi_nmask);
 
diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
index aa7d63f84a..ae2a330ba5 100644
--- a/ssl/s3_cbc.c
+++ b/ssl/s3_cbc.c
@@ -128,7 +128,7 @@ char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
 int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
unsigned char *md_out,
size_t *md_out_size,
-   const unsigned char header[13],
+   const unsigned char *header,
const unsigned char *data,
size_t data_plus_mac_size,
size_t data_plus_mac_plus_padding_size,
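
Review bot: Changing `const unsigned char header[13]` to `const unsigned char *header` removes the only place in the signature that states the header is 13 bytes long, while the field.h hunk in the same commit goes the other way and adds `[SER_BYTES]` to `gf_serialize`. A comment on the parameter giving the required length would keep that information, and the commit message could say why the two warnings were resolved in opposite directions.
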
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index f92472117a..9f346e30e8 100644
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@@ -2622,7 +2622,7 @@ __owur char ssl3_cbc_record_digest_supported(const 
EVP_MD_CTX *ctx);
 __owur int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
   unsigned char *md_out,
   size_t *md_out_size,
-  const unsigned char header[13],
+  const unsigned char *header,
   const unsigned char *data,
   size_t data_plus_mac_size,
   size_t data_plus_mac_plus_padding_size,


[openssl] OpenSSL_1_1_1-stable update

2021-08-25 Thread tomas
The branch OpenSSL_1_1_1-stable has been updated
   via  cf2b1d6f11aa7ec4aa909ff1ecb9bee6892285d9 (commit)
  from  801abbe01ebd380a9b66f08d59fcc5e8738134a5 (commit)


- Log -
commit cf2b1d6f11aa7ec4aa909ff1ecb9bee6892285d9
Author: Bernd Edlinger 
Date:   Mon Aug 23 11:11:29 2021 +0200

Avoid using undefined value in generate_stateless_cookie_callback

Reviewed-by: Paul Yang 
Reviewed-by: Paul Dale 
Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/16381)

---

Summary of changes:
 apps/s_cb.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/apps/s_cb.c b/apps/s_cb.c
index dee1b2e5b4..d066a423de 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -819,7 +819,9 @@ int generate_stateless_cookie_callback(SSL *ssl, unsigned 
char *cookie,
 {
 unsigned int temp;
 int res = generate_cookie_callback(ssl, cookie, );
-*cookie_len = temp;
+
+if (res != 0)
+*cookie_len = temp;
 return res;
 }
 
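Review bot: With the new `if (res != 0)` guard, `*cookie_len` is left unmodified when `generate_cookie_callback` fails, so a caller that reads it after a failed call sees whatever it held before. Writing `*cookie_len = 0;` in the failure case would give callers a defined value.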


[openssl] OpenSSL_1_1_1-stable update

2021-08-25 Thread tomas
The branch OpenSSL_1_1_1-stable has been updated
   via  801abbe01ebd380a9b66f08d59fcc5e8738134a5 (commit)
  from  a2056b09fbef58bcb79b0fe8b88b592c560eb32f (commit)


- Log -
commit 801abbe01ebd380a9b66f08d59fcc5e8738134a5
Author: Bernd Edlinger 
Date:   Mon Aug 23 14:03:20 2021 +0200

Fix the array size of dtlsseq in tls1_enc

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/16385)

(cherry picked from commit 562d4cd3c35b32f2bc6ac0770b80ce394f8d76a4)

---

Summary of changes:
 ssl/record/ssl3_record.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c
index e6a8bbd710..f158544789 100644
--- a/ssl/record/ssl3_record.c
+++ b/ssl/record/ssl3_record.c
@@ -1039,7 +1039,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, 
int sending)
 
 if (SSL_IS_DTLS(s)) {
 /* DTLS does not support pipelining */
-unsigned char dtlsseq[9], *p = dtlsseq;
+unsigned char dtlsseq[8], *p = dtlsseq;
 
 s2n(sending ? DTLS_RECORD_LAYER_get_w_epoch(>rlayer) :
 DTLS_RECORD_LAYER_get_r_epoch(>rlayer), p);
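
Review bot: The corrected size in `unsigned char dtlsseq[8]` is still a bare number with no link to the code that fills the array; the visible `s2n(...)` call writes the 2-byte epoch and the rest is filled outside this diff. Sizing the array from a named constant and bounding the later copy with `sizeof(dtlsseq)` would stop the declaration and the writes from drifting apart again.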


[openssl] OpenSSL_1_1_1-stable update

2021-08-24 Thread Matt Caswell
The branch OpenSSL_1_1_1-stable has been updated
   via  a2056b09fbef58bcb79b0fe8b88b592c560eb32f (commit)
   via  fb047ebc87b18bdc4cf9ddee9ee1f5ed93e56aff (commit)
   via  4e5d5077096c7bff1bfe2ae835957f827334e9c6 (commit)
   via  6f2a7abe22de08bdaacf0025349b30d46826108a (commit)
   via  4f8ce5b7cf4a4342a5f7c028077411fed59189ba (commit)
   via  515ac8b5e544dd713a2b4cabfc54b722d122c218 (commit)
   via  733fa41c3fc4bcac37f94aa917f7242420f8a5a6 (commit)
   via  59f5e75f3bced8fc0e130d72a3f582cf7b480b46 (commit)
   via  8c74c9d1ade0fbdab5b815ddb747351b8b839641 (commit)
   via  d9bfd68295146b6afad288ef4145aeb5eb0e6c66 (commit)
   via  94d23fcff9b2a7a8368dfe52214d5c2569882c11 (commit)
   via  2d0e5d4a4a5d4332325b5e5cea492fad2be633e1 (commit)
   via  bb4d2ed4091408404e18b3326e3df67848ef63d0 (commit)
   via  4de66925203ca99189c842136ec4a623137ea447 (commit)
   via  8393de42498f8be75cf0353f5c9f906a43a748d2 (commit)
   via  23446958685a593d4d9434475734b99138902ed2 (commit)
   via  5f54e57406ca17731b9ade3afd561d3c652e07f2 (commit)
   via  174ba8048a7f2f5e1fca31cfb93b1730d9db8300 (commit)
  from  4f850d7221ef6d9010053434d8ae43da13ad8fde (commit)


- Log -
commit a2056b09fbef58bcb79b0fe8b88b592c560eb32f
Author: Matt Caswell 
Date:   Tue Aug 24 14:39:03 2021 +0100

Prepare for 1.1.1m-dev

Reviewed-by: Richard Levitte 

commit fb047ebc87b18bdc4cf9ddee9ee1f5ed93e56aff
Author: Matt Caswell 
Date:   Tue Aug 24 14:38:47 2021 +0100

Prepare for 1.1.1l release

Reviewed-by: Richard Levitte 

commit 4e5d5077096c7bff1bfe2ae835957f827334e9c6
Author: Matt Caswell 
Date:   Tue Aug 24 14:32:25 2021 +0100

Run make update

Reviewed-by: Richard Levitte 

commit 6f2a7abe22de08bdaacf0025349b30d46826108a
Author: Matt Caswell 
Date:   Tue Aug 24 14:14:34 2021 +0100

Update copyright year

Reviewed-by: Richard Levitte 

commit 4f8ce5b7cf4a4342a5f7c028077411fed59189ba
Author: Matt Caswell 
Date:   Tue Aug 24 13:41:40 2021 +0100

Updates to CHANGES and NEWS for the new release

Reviewed-by: Richard Levitte 

commit 515ac8b5e544dd713a2b4cabfc54b722d122c218
Author: Matt Caswell 
Date:   Fri Aug 13 16:58:21 2021 +0100

Check the plaintext buffer is large enough when decrypting SM2

Previously there was no check that the supplied buffer was large enough.
It was just assumed to be sufficient. Instead we should check and fail if
not.

Reviewed-by: Paul Dale 
Reviewed-by: Nicola Tuveri 

commit 733fa41c3fc4bcac37f94aa917f7242420f8a5a6
Author: Matt Caswell 
Date:   Fri Aug 13 14:49:47 2021 +0100

Extend tests for SM2 decryption

Check the case where C1y < 32 bytes in length (i.e. short overhead), and
also the case with longer plaintext and C1x and C1y > 32 bytes in length
(i.e. long overhead)

Reviewed-by: Paul Dale 
Reviewed-by: Nicola Tuveri 

commit 59f5e75f3bced8fc0e130d72a3f582cf7b480b46
Author: Matt Caswell 
Date:   Fri Aug 13 14:14:51 2021 +0100

Correctly calculate the length of SM2 plaintext given the ciphertext

Previously the length of the SM2 plaintext could be incorrectly calculated.
The plaintext length was calculated by taking the ciphertext length and
taking off an "overhead" value.

The overhead value was assumed to have a "fixed" element of 10 bytes.
This is incorrect since in some circumstances it can be more than 10 bytes.
Additionally the overhead included the length of two integers C1x and C1y,
which were assumed to be the same length as the field size (32 bytes for
the SM2 curve). However in some cases these integers can have an additional
padding byte when the msb is set, to disambiguate them from negative
integers. Additionally the integers can also be less than 32 bytes in
length in some cases.

If the calculated overhead is incorrect and larger than the actual value
this can result in the calculated plaintext length being too small.
Applications are likely to allocate buffer sizes based on this and therefore
a buffer overrun can occur.

CVE-2021-3711

Issue reported by John Ouyang.

Reviewed-by: Paul Dale 
Reviewed-by: Nicola Tuveri 

commit 8c74c9d1ade0fbdab5b815ddb747351b8b839641
Author: Matt Caswell 
Date:   Fri Aug 20 15:23:32 2021 +0100

Fix the error handling in i2v_AUTHORITY_KEYID

Previously if an error path is entered a leak could result.

Reviewed-by: Viktor Dukhovni 
Reviewed-by: Paul Dale 

commit d9bfd68295146b6afad288ef4145aeb5eb0e6c66
Author: Matt Caswell 
Date:   Thu Aug 19 15:25:04 2021 +0100

Allow fuzz builds to detect string overruns

If FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION is defined then we don't NUL
terminate ASN1_STRING datatypes. This shouldn't be necessary but we add it
any for safety in 
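
The length arithmetic described in the CVE-2021-3711 commit message above, as an added example (not OpenSSL's code): a stand-alone C model of the DER size of an SM2 ciphertext compared with the fixed-overhead estimate. It assumes the layout SEQUENCE { INTEGER C1x, INTEGER C1y, OCTET STRING C3, OCTET STRING C2 } with a 32-byte C3 digest counted in the overhead; all function names and coordinate values are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define FIELD_SIZE 32   /* SM2 curve field size in bytes, as stated in the commit message */
#define DIGEST_SIZE 32  /* assumption: C3 is a 32-byte digest */
/* Fixed model: 10 bytes of framing + two field-sized integers + C3 (assumed). */
#define FIXED_OVERHEAD ((size_t)(10 + 2 * FIELD_SIZE + DIGEST_SIZE))

/* Constructed sample coordinates (big-endian, zero-filled after the bytes shown). */
static const unsigned char COORD_PLAIN[FIELD_SIZE] = { 0x7f };       /* 32 bytes, msb clear */
static const unsigned char COORD_MSB[FIELD_SIZE]   = { 0x80 };       /* msb set: needs a pad byte */
static const unsigned char COORD_SHORT[FIELD_SIZE] = { 0x00, 0x12 }; /* leading zero: 31 bytes */

/* Size of a DER tag-length-value element with `content` bytes of content. */
static size_t der_tlv_size(size_t content)
{
    size_t len_octets = 1;              /* short form: one length byte */
    size_t n = content;

    if (content >= 128)                 /* long form: 0x80|k, then k length bytes */
        for (len_octets = 2; n > 0xff; n >>= 8)
            len_octets++;
    return 1 + len_octets + content;
}

/* Content bytes of a DER INTEGER for a non-negative big-endian value. */
static size_t der_uint_content(const unsigned char *be, size_t len)
{
    while (len > 0 && *be == 0) {       /* minimal encoding drops leading zeros */
        be++;
        len--;
    }
    if (len == 0)
        return 1;                       /* the value 0 is encoded as a single 0x00 */
    return len + ((be[0] & 0x80) ? 1 : 0); /* 0x00 pad keeps a set msb non-negative */
}

/* DER size of SEQUENCE { INTEGER C1x, INTEGER C1y, OCTET STRING C3, OCTET STRING C2 }. */
static size_t sm2_ciphertext_size(const unsigned char *x, const unsigned char *y, size_t pt_len)
{
    size_t body = der_tlv_size(der_uint_content(x, FIELD_SIZE))
                + der_tlv_size(der_uint_content(y, FIELD_SIZE))
                + der_tlv_size(DIGEST_SIZE)
                + der_tlv_size(pt_len);
    return der_tlv_size(body);
}

/* Plaintext length the fixed-overhead model derives from a ciphertext length. */
static size_t fixed_model_plaintext_len(size_t ct_len)
{
    return ct_len > FIXED_OVERHEAD ? ct_len - FIXED_OVERHEAD : 0;
}

/* Bytes by which a buffer sized from the fixed model falls short (0 if it fits). */
static size_t buffer_shortfall(const unsigned char *x, const unsigned char *y, size_t pt_len)
{
    size_t est = fixed_model_plaintext_len(sm2_ciphertext_size(x, y, pt_len));
    return est < pt_len ? pt_len - est : 0;
}

int main(void)
{
    const struct { const char *name; const unsigned char *x, *y; size_t pt; } cases[] = {
        { "both 32 bytes, msb clear", COORD_PLAIN, COORD_PLAIN, 16 },
        { "both msb set (33 bytes)",  COORD_MSB,   COORD_MSB,   16 },
        { "C1y short (31 bytes)",     COORD_PLAIN, COORD_SHORT, 16 },
        { "long plaintext",           COORD_PLAIN, COORD_PLAIN, 200 },
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        size_t ct = sm2_ciphertext_size(cases[i].x, cases[i].y, cases[i].pt);
        printf("%-26s ct=%3zu actual_pt=%3zu fixed_model_pt=%3zu shortfall=%zu\n",
               cases[i].name, ct, cases[i].pt, fixed_model_plaintext_len(ct),
               buffer_shortfall(cases[i].x, cases[i].y, cases[i].pt));
    }
    return 0;
}
```

In this model only the short-coordinate case under-sizes the buffer; the msb-set and long-plaintext cases make the real overhead larger than the fixed value, so the estimate errs on the large side.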

[openssl] OpenSSL_1_1_1-stable update

2021-08-18 Thread nic . tuv
The branch OpenSSL_1_1_1-stable has been updated
   via  4f850d7221ef6d9010053434d8ae43da13ad8fde (commit)
   via  e22819f1c811b7741b4db408ce18860fa77bc97f (commit)
  from  a7ce0c00a2eb8fe88786c4eb28e9ed385581eab7 (commit)


- Log -
commit 4f850d7221ef6d9010053434d8ae43da13ad8fde
Author: Pauli 
Date:   Mon May 31 15:33:22 2021 +1000

sparc: fix cross compile build

(cherry picked from commit 64fac96de81d3dc19cc0c9045c341f0dec818075)

Reviewed-by: Nicola Tuveri 
(Merged from https://github.com/openssl/openssl/pull/16336)

commit e22819f1c811b7741b4db408ce18860fa77bc97f
Author: Nicola Tuveri 
Date:   Thu Aug 19 01:16:10 2021 +0300

Revert "[github-ci][cross-compiles.yml] Disable sparcv9"

This reverts commit aa23aa759cf33b4f481fc719d42cb7bae8b2eaf0.

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/16336)

---

Summary of changes:
 .github/workflows/cross-compiles.yml | 15 +++
 crypto/evp/e_aes.c   | 12 ++--
 crypto/evp/e_camellia.c  |  8 
 crypto/sparcv9cap.c  |  1 +
 4 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/.github/workflows/cross-compiles.yml 
b/.github/workflows/cross-compiles.yml
index dfc6b15b90..e40bcf5852 100644
--- a/.github/workflows/cross-compiles.yml
+++ b/.github/workflows/cross-compiles.yml
@@ -106,14 +106,13 @@ jobs:
 tests: none
   },
 
-  # sparcv9 is temporarily disabled due to failures during compilation
-  # # This build doesn't execute either with or without shared 
libraries.
-  # {
-  #   arch: sparc64-linux-gnu,
-  #   libs: libc6-dev-sparc64-cross,
-  #   target: linux64-sparcv9,
-  #   tests: none
-  # }
+  # This build doesn't execute either with or without shared libraries.
+  {
+arch: sparc64-linux-gnu,
+libs: libc6-dev-sparc64-cross,
+target: linux64-sparcv9,
+tests: none
+  }
 ]
 runs-on: ubuntu-latest
 steps:
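Review bot: the re-enabled sparc64 entry keeps `tests: none` and the comment says the build does not execute, so this job only shows that the tree compiles for `linux64-sparcv9`. It would help to say in the comment that the job is compile-only coverage, so a green run is not read as evidence that the sparc-specific code was exercised.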
diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c
index 73cadbf593..a7c6b3cca3 100644
--- a/crypto/evp/e_aes.c
+++ b/crypto/evp/e_aes.c
@@ -611,22 +611,22 @@ void aes_t4_decrypt(const unsigned char *in, unsigned 
char *out,
  */
 void aes128_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
size_t len, const AES_KEY *key,
-   unsigned char *ivec);
+   unsigned char *ivec, int /*unused*/);
 void aes128_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
size_t len, const AES_KEY *key,
-   unsigned char *ivec);
+   unsigned char *ivec, int /*unused*/);
 void aes192_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
size_t len, const AES_KEY *key,
-   unsigned char *ivec);
+   unsigned char *ivec, int /*unused*/);
 void aes192_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
size_t len, const AES_KEY *key,
-   unsigned char *ivec);
+   unsigned char *ivec, int /*unused*/);
 void aes256_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
size_t len, const AES_KEY *key,
-   unsigned char *ivec);
+   unsigned char *ivec, int /*unused*/);
 void aes256_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
size_t len, const AES_KEY *key,
-   unsigned char *ivec);
+   unsigned char *ivec, int /*unused*/);
 void aes128_t4_ctr32_encrypt(const unsigned char *in, unsigned char *out,
  size_t blocks, const AES_KEY *key,
  unsigned char *ivec);
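Review bot: the six `*_t4_cbc_*` prototypes gain a trailing `int /*unused*/` with no explanation, while the `aes128_t4_ctr32_encrypt` prototype directly below keeps its five-argument form. Add a comment above the block saying which caller or function-pointer type requires the extra argument, otherwise the next reader will take the unnamed parameter for a mistake and remove it.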
diff --git a/crypto/evp/e_camellia.c b/crypto/evp/e_camellia.c
index 502d6936cc..87580cd39b 100644
--- a/crypto/evp/e_camellia.c
+++ b/crypto/evp/e_camellia.c
@@ -55,16 +55,16 @@ void cmll_t4_decrypt(const unsigned char *in, unsigned char 
*out,
 
 void cmll128_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
 size_t len, const CAMELLIA_KEY *key,
-unsigned char *ivec);
+unsigned char *ivec, int /*unused*/);
 void cmll128_t4_cbc_decrypt(const unsigned char *in, unsigned char *out,
 size_t len, const CAMELLIA_KEY *key,
-unsigned char *ivec);
+unsigned char *ivec, int /*unused*/);
 void cmll256_t4_cbc_encrypt(const unsigned char *in, 

[openssl] OpenSSL_1_1_1-stable update

2021-08-18 Thread nic . tuv
The branch OpenSSL_1_1_1-stable has been updated
   via  a7ce0c00a2eb8fe88786c4eb28e9ed385581eab7 (commit)
   via  9e12ea3ae5d546f2be11a7c9864c80e7a1adfd73 (commit)
   via  854b6fa89afcd4a683b3e91d701a4a045db60ad7 (commit)
   via  ce5b8f101db2b96bf893ddcc4c5a16a07fc41751 (commit)
   via  6398f974e9cb26a8508584e732b9683797125652 (commit)
   via  7952f04ddf8065ba4df7887f91fd5199d34a9d11 (commit)
   via  aa23aa759cf33b4f481fc719d42cb7bae8b2eaf0 (commit)
   via  4c7b49d37dd7957d534da9cb1ff9b15886e34cda (commit)
   via  4c038f59a3d962715344168412e60be7e9785f0a (commit)
   via  048c06124d19f82ddefd2aa270327def6e1be917 (commit)
   via  d9fdb3a69e4192266f71d579143b9d504ebfb014 (commit)
   via  c10d86c9fdbbbf615c98a8679cf0fddab29b0265 (commit)
  from  9d868840b821fddf895e3bf6b589ecf6be7b1b13 (commit)


- Log -
commit a7ce0c00a2eb8fe88786c4eb28e9ed385581eab7
Author: Pauli 
Date:   Tue Aug 17 23:34:52 2021 +1000

[github-ci] Add comment about our approach to GitHub Actions CI

Reviewed-by: Nicola Tuveri 
(Merged from https://github.com/openssl/openssl/pull/16252)

commit 9e12ea3ae5d546f2be11a7c9864c80e7a1adfd73
Author: Nicola Tuveri 
Date:   Sat Aug 7 09:54:08 2021 +0300

[github-ci][run-checker-merge.yml] Disable ubsan build

This commit temporarily disables the ubsan build,
due to failures to be investigated in a dedicated PR.

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/16252)

commit 854b6fa89afcd4a683b3e91d701a4a045db60ad7
Author: Nicola Tuveri 
Date:   Sat Aug 7 13:49:03 2021 +0300

[github-ci][ci.yml] Disable memory sanitizer build

In 1.1.1 currently we do not support running multiple tests in parallel,
and the `--debug -O1` msan build required more than 3h to run the tests.

This commit temporarily disables this build configuration.

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/16252)

commit ce5b8f101db2b96bf893ddcc4c5a16a07fc41751
Author: Nicola Tuveri 
Date:   Sat Aug 7 10:15:16 2021 +0300

[github-ci][run-checker-ci.yml] Disable no-tls1_3 tests

This commit temporarily disables tests for no-tls1_3,
due to failures to be investigated in a dedicated PR.

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/16252)

commit 6398f974e9cb26a8508584e732b9683797125652
Author: Nicola Tuveri 
Date:   Sat Aug 7 09:54:08 2021 +0300

[github-ci][ci.yml] Disable pyca external tests

This commit temporarily disables pyca external tests,
due to failures to be investigated in a dedicated PR.

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/16252)

commit 7952f04ddf8065ba4df7887f91fd5199d34a9d11
Author: Nicola Tuveri 
Date:   Sat Aug 7 09:53:08 2021 +0300

[github-ci][ci.yml] Disable krb5 external tests

This commit temporarily disables krb5 external tests,
due to failures to be investigated in a dedicated PR.

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/16252)

commit aa23aa759cf33b4f481fc719d42cb7bae8b2eaf0
Author: Nicola Tuveri 
Date:   Sat Aug 7 09:46:19 2021 +0300

[github-ci][cross-compiles.yml] Disable sparcv9

This commit temporarily disables cross-compiling tests for sparcv9, due
to failures to be investigated in a dedicated PR.

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/16252)

commit 4c7b49d37dd7957d534da9cb1ff9b15886e34cda
Author: Nicola Tuveri 
Date:   Fri Aug 6 18:37:02 2021 +0300

[github-ci] Import run-checker daily workflow from master

The daily run-checker is scheduled to start at 6:42, instead of the
start of the hour.

The official GitHub documentation remarks the following regarding
scheduled workflows:

> Note: The schedule event can be delayed during periods of high loads
> of GitHub Actions workflow runs. High load times include the start of
> every hour. To decrease the chance of delay, schedule your workflow to
> run at a different time of the hour.

42, obviously, has been picked because it is the answer to the ultimate
question of life, the universe, and everything.

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/16252)

commit 4c038f59a3d962715344168412e60be7e9785f0a
Author: Nicola Tuveri 
Date:   Fri Aug 6 18:37:02 2021 +0300

[github-ci] Import run-checker workflows from master

This commit does not include the daily run-checker workflow.

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/16252)

commit 048c06124d19f82ddefd2aa270327def6e1be917
Author: Nicola Tuveri 
Date:   Fri Aug 6 18:26:11 2021 +0300

[github-ci] Import cross-compiles.yml workflow 

[openssl] OpenSSL_1_1_1-stable update

2021-08-18 Thread Dr . Paul Dale
The branch OpenSSL_1_1_1-stable has been updated
   via  9d868840b821fddf895e3bf6b589ecf6be7b1b13 (commit)
  from  bc8c36272067f8443f875164831ce3a5a739df3f (commit)


- Log -
commit 9d868840b821fddf895e3bf6b589ecf6be7b1b13
Author: Pauli 
Date:   Tue Aug 17 13:19:32 2021 +1000

pkcs12: check for zero length digest to avoid division by zero

Fixes #16331

Reviewed-by: Dmitry Belyavskiy 
Reviewed-by: Kurt Roeckx 
(Merged from https://github.com/openssl/openssl/pull/16333)

---

Summary of changes:
 crypto/pkcs12/p12_key.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/pkcs12/p12_key.c b/crypto/pkcs12/p12_key.c
index ab31a61295..b814f79216 100644
--- a/crypto/pkcs12/p12_key.c
+++ b/crypto/pkcs12/p12_key.c
@@ -101,7 +101,7 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, 
unsigned char *salt,
 #endif
 v = EVP_MD_block_size(md_type);
 u = EVP_MD_size(md_type);
-if (u < 0 || v <= 0)
+if (u <= 0 || v <= 0)
 goto err;
 D = OPENSSL_malloc(v);
 Ai = OPENSSL_malloc(u);
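Review bot: the tightened test `if (u <= 0 || v <= 0)` carries no comment, and the summary shows one changed line with no test. Since the commit message says a zero-length digest leads to a division by zero, add a one-line comment that `u` must be non-zero for that reason, and a regression test that calls this function with a digest reporting size 0.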


[openssl] OpenSSL_1_1_1-stable update

2021-08-16 Thread tomas
The branch OpenSSL_1_1_1-stable has been updated
   via  bc8c36272067f8443f875164831ce3a5a739df3f (commit)
   via  32f7f60ccae59c7027010ec0b54c118ade087a41 (commit)
  from  75a4f263ba9d3ec1e9d55ca5024aee62aec70475 (commit)


- Log -
commit bc8c36272067f8443f875164831ce3a5a739df3f
Author: Ingo Franzki 
Date:   Wed Aug 11 12:53:09 2021 +0200

Test EVP Cipher updating the context's IV

Ensure that an EVP_CipherUpdate operation updates the context's
IV for AES CBC, CFB, OFB, and CTR. An application can get the
updated IV via EVP_CIPHER_CTX_iv().

The s390x implementation of the CFB and OFB ciphers did not
update the IV in the context, but only within its s390x specific
context data.

Signed-off-by: Ingo Franzki 

Reviewed-by: Patrick Steuer 
Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/16292)

commit 32f7f60ccae59c7027010ec0b54c118ade087a41
Author: Ingo Franzki 
Date:   Wed Aug 11 09:39:46 2021 +0200

s390x: AES OFB/CFB: Maintain running IV from cipher context

Copy the current IV from the cipher context into the kmo/kmf param before
the operation, and copy the modified IV back to the context afterwards.
Without this, an application that obtains the running IV from the context
would still get the original IV, but not the updated one.

Signed-off-by: Ingo Franzki 

Reviewed-by: Patrick Steuer 
Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/16292)

---

Summary of changes:
 crypto/evp/e_aes.c|  12 ++
 test/evp_extra_test.c | 110 ++
 2 files changed, 122 insertions(+)

diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c
index b5ea4032fd..73cadbf593 100644
--- a/crypto/evp/e_aes.c
+++ b/crypto/evp/e_aes.c
@@ -1240,9 +1240,12 @@ static int s390x_aes_ofb_cipher(EVP_CIPHER_CTX *ctx, 
unsigned char *out,
 const unsigned char *in, size_t len)
 {
 S390X_AES_OFB_CTX *cctx = EVP_C_DATA(S390X_AES_OFB_CTX, ctx);
+const int ivlen = EVP_CIPHER_CTX_iv_length(ctx);
+unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
 int n = cctx->res;
 int rem;
 
+memcpy(cctx->kmo.param.cv, iv, ivlen);
 while (n && len) {
 *out = *in ^ cctx->kmo.param.cv[n];
 n = (n + 1) & 0xf;
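Review bot: `memcpy(cctx->kmo.param.cv, iv, ivlen)` takes its length from `EVP_CIPHER_CTX_iv_length(ctx)` without checking it against the size of `cv`, and the loop below indexes `cv[n]` with `n` masked to `0xf`, so the code assumes 16 bytes. Either copy `sizeof(cctx->kmo.param.cv)` or assert that `ivlen` matches it, and note that `ivlen` is an `int` passed where `memcpy` expects a `size_t`.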
@@ -1271,6 +1274,7 @@ static int s390x_aes_ofb_cipher(EVP_CIPHER_CTX *ctx, 
unsigned char *out,
 }
 }
 
+memcpy(iv, cctx->kmo.param.cv, ivlen);
 cctx->res = n;
 return 1;
 }
@@ -1311,10 +1315,13 @@ static int s390x_aes_cfb_cipher(EVP_CIPHER_CTX *ctx, 
unsigned char *out,
 S390X_AES_CFB_CTX *cctx = EVP_C_DATA(S390X_AES_CFB_CTX, ctx);
 const int keylen = EVP_CIPHER_CTX_key_length(ctx);
 const int enc = EVP_CIPHER_CTX_encrypting(ctx);
+const int ivlen = EVP_CIPHER_CTX_iv_length(ctx);
+unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
 int n = cctx->res;
 int rem;
 unsigned char tmp;
 
+memcpy(cctx->kmf.param.cv, iv, ivlen);
 while (n && len) {
 tmp = *in;
 *out = cctx->kmf.param.cv[n] ^ tmp;
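Review bot: this is the second function in the patch to open with the same `ivlen`/`iv` declarations and a copy into `param.cv`, with the mirror copy back to `iv` at the end. A pair of small static helpers for the copy-in and copy-out would keep the OFB, CFB and CFB8 paths from drifting apart, and would give one place to validate `ivlen`.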
@@ -1347,6 +1354,7 @@ static int s390x_aes_cfb_cipher(EVP_CIPHER_CTX *ctx, 
unsigned char *out,
 }
 }
 
+memcpy(iv, cctx->kmf.param.cv, ivlen);
 cctx->res = n;
 return 1;
 }
@@ -1382,8 +1390,12 @@ static int s390x_aes_cfb8_cipher(EVP_CIPHER_CTX *ctx, 
unsigned char *out,
  const unsigned char *in, size_t len)
 {
 S390X_AES_CFB_CTX *cctx = EVP_C_DATA(S390X_AES_CFB_CTX, ctx);
+const int ivlen = EVP_CIPHER_CTX_iv_length(ctx);
+unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
 
+memcpy(cctx->kmf.param.cv, iv, ivlen);
 s390x_kmf(in, len, out, cctx->fc, >kmf.param);
+memcpy(iv, cctx->kmf.param.cv, ivlen);
 return 1;
 }
 
diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
index 754b2d1bf1..16b3542efa 100644
--- a/test/evp_extra_test.c
+++ b/test/evp_extra_test.c
@@ -797,7 +797,116 @@ static int test_gcm_reinit(int idx)
 return testresult;
 }
 
+typedef struct {
+const char *cipher;
+int enc;
+} EVP_UPDATED_IV_TEST_st;
+
+static const EVP_UPDATED_IV_TEST_st evp_updated_iv_tests[] = {
+{
+"aes-128-cfb", 1
+},
+{
+"aes-128-cfb", 0
+},
+{
+"aes-128-cfb1", 1
+},
+{
+"aes-128-cfb1", 0
+},
+{
+"aes-128-cfb128", 1
+},
+{
+"aes-128-cfb128", 0
+},
+{
+"aes-128-cfb8", 1
+},
+{
+"aes-128-cfb8", 0
+},
+{
+"aes-128-ofb", 1
+},
+{
+"aes-128-ofb", 0
+},
+{
+"aes-128-ctr", 1
+},
+{
+"aes-128-ctr", 0
+},
+{
+"aes-128-cbc", 1
+},
+{
+"aes-128-cbc", 0
+}
+};
 
+/*
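Review bot: every entry in `evp_updated_iv_tests` is an `aes-128-*` cipher, so the 192- and 256-bit variants of the modes being fixed are never run through this test. Either add them to the table or state in a comment why the 128-bit cases are sufficient; naming the `enc` values (1 and 0) in a comment on the struct would also make the table easier to read.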

[openssl] OpenSSL_1_1_1-stable update

2021-08-16 Thread tomas
The branch OpenSSL_1_1_1-stable has been updated
   via  33e8f03e98acdf3c505b2ee82dd7e595d11e3b6f (commit)
   via  331c4b59077603c88d27f9ab663d86843339d034 (commit)
   via  d84596449df6b572332fd6a107c242f308bd81ec (commit)
   via  eacd2fefa0f9fa0be98cb19a920e01a6ae439022 (commit)
   via  8b169d433c026188219f3b4ca0b92d08e3012e58 (commit)
  from  5b31b9df7f89d2c2cb935c5e50a912cd048c07c9 (commit)


- Log -
commit 33e8f03e98acdf3c505b2ee82dd7e595d11e3b6f
Author: Tomas Mraz 
Date:   Fri Aug 13 13:01:38 2021 +0200

Revert "TEST: Check that i2d refuses to encode non-optional items with no 
content"

This reverts commit 12e9b74c513a8ed3c1c260cf25221a465ae14b84.

Reviewed-by: Dmitry Belyavskiy 
(Merged from https://github.com/openssl/openssl/pull/16308)

commit 331c4b59077603c88d27f9ab663d86843339d034
Author: Tomas Mraz 
Date:   Fri Aug 13 13:01:37 2021 +0200

Revert "ASN.1: Refuse to encode to DER if non-optional items are missing"

This reverts commit 006906cddda37e24a66443199444ef4476697477.

Reviewed-by: Dmitry Belyavskiy 
(Merged from https://github.com/openssl/openssl/pull/16308)

commit d84596449df6b572332fd6a107c242f308bd81ec
Author: Tomas Mraz 
Date:   Fri Aug 13 13:01:35 2021 +0200

Revert "Fix test/asn1_encode_test.c to not use ASN1_FBOOLEAN"

This reverts commit 5434acb6c4d56507d761b28f7e142ccab808a8fa.

Reviewed-by: Dmitry Belyavskiy 
(Merged from https://github.com/openssl/openssl/pull/16308)

commit eacd2fefa0f9fa0be98cb19a920e01a6ae439022
Author: Tomas Mraz 
Date:   Fri Aug 13 13:01:34 2021 +0200

Revert "Fix test/asn1_encode_test.c to handle encoding/decoding failure"

This reverts commit f1d97905bbd8679b7647c992b97f526791069040.

Reviewed-by: Dmitry Belyavskiy 
(Merged from https://github.com/openssl/openssl/pull/16308)

commit 8b169d433c026188219f3b4ca0b92d08e3012e58
Author: Tomas Mraz 
Date:   Fri Aug 13 13:01:29 2021 +0200

Revert "make update (adds a new function code)"

This reverts commit ea26844c4f624ef515d9228d3b623761a369b049.

Reviewed-by: Dmitry Belyavskiy 
(Merged from https://github.com/openssl/openssl/pull/16308)

---

Summary of changes:
 crypto/asn1/asn1_err.c|  4 +---
 crypto/asn1/tasn_enc.c| 30 
 crypto/err/openssl.txt|  1 -
 include/openssl/asn1err.h |  3 +--
 test/asn1_encode_test.c   | 59 ++-
 test/asn1_internal_test.c | 38 --
 6 files changed, 38 insertions(+), 97 deletions(-)

diff --git a/crypto/asn1/asn1_err.c b/crypto/asn1/asn1_err.c
index 50003a8531..cc0a59ca4c 100644
--- a/crypto/asn1/asn1_err.c
+++ b/crypto/asn1/asn1_err.c
@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
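Review bot: the copyright line moves backwards, from `1995-2021` to `1995-2020`, in a file marked `Generated by util/mkerr.pl DO NOT EDIT`. That is what a mechanical revert produces, but it is worth confirming the file matches what the generator emits for the reverted tree, rather than leaving a hand-restored header.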
@@ -82,8 +82,6 @@ static const ERR_STRING_DATA ASN1_str_functs[] = {
  "ASN1_STRING_type_new"},
 {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_TEMPLATE_EX_D2I, 0),
  "asn1_template_ex_d2i"},
-{ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_TEMPLATE_EX_I2D, 0),
- "asn1_template_ex_i2d"},
 {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_TEMPLATE_NEW, 0), "asn1_template_new"},
 {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, 0),
  "asn1_template_noexp_d2i"},
diff --git a/crypto/asn1/tasn_enc.c b/crypto/asn1/tasn_enc.c
index 6eb300a21e..bcc96337bc 100644
--- a/crypto/asn1/tasn_enc.c
+++ b/crypto/asn1/tasn_enc.c
@@ -213,7 +213,7 @@ int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out,
 static int asn1_template_ex_i2d(ASN1_VALUE **pval, unsigned char **out,
 const ASN1_TEMPLATE *tt, int tag, int iclass)
 {
-int i, ret, flags, ttag, tclass, ndef, len;
+int i, ret, flags, ttag, tclass, ndef;
 ASN1_VALUE *tval;
 flags = tt->flags;
 
@@ -300,17 +300,13 @@ static int asn1_template_ex_i2d(ASN1_VALUE **pval, 
unsigned char **out,
 /* Determine total length of items */
 skcontlen = 0;
 for (i = 0; i < sk_ASN1_VALUE_num(sk); i++) {
+int tmplen;
 skitem = sk_ASN1_VALUE_value(sk, i);
-len = ASN1_item_ex_i2d(, NULL, ASN1_ITEM_ptr(tt->item),
-   -1, iclass);
-if (len == -1 || (skcontlen > INT_MAX - len))
-return -1;
-if (len == 0 && (tt->flags & ASN1_TFLG_OPTIONAL) == 0) {
-ASN1err(ASN1_F_ASN1_TEMPLATE_EX_I2D,
-ASN1_R_ILLEGAL_ZERO_CONTENT);
+tmplen = ASN1_item_ex_i2d(, NULL, 
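Review bot: the removed lines include `if (len == -1 || (skcontlen > INT_MAX - len))`, an overflow guard on the running `skcontlen` total that is independent of the zero-content rule this revert is meant to undo. The restored `tmplen` code is cut off here, so check that it still rejects a total that would exceed `INT_MAX` before accumulating.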

[openssl] OpenSSL_1_1_1-stable update

2021-08-16 Thread tomas
The branch OpenSSL_1_1_1-stable has been updated
   via  75a4f263ba9d3ec1e9d55ca5024aee62aec70475 (commit)
  from  33e8f03e98acdf3c505b2ee82dd7e595d11e3b6f (commit)


- Log -
commit 75a4f263ba9d3ec1e9d55ca5024aee62aec70475
Author: Todd Short 
Date:   Fri Aug 13 09:59:59 2021 -0400

Fix potential double-free

The `sk` variable is assigned to `s->session->peer_chain`.
If `ssl3_digest_cached_records()` were to fail, then `sk` would still be
non-NULL, and subsequently freed on the error return. When the session
is freed, it will then attempt to free `s->session->peer_chain`,
resulting in a double-free (of `sk`).

Reviewed-by: Matt Caswell 
Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/16309)

(cherry picked from commit 0449702abc95a3af24c049cb02c01ca6a8015cef)

---

Summary of changes:
 ssl/statem/statem_srvr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 30d20f1297..d701c46b43 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -3753,6 +3753,7 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, 
PACKET *pkt)
 
 sk_X509_pop_free(s->session->peer_chain, X509_free);
 s->session->peer_chain = sk;
+sk = NULL;
 
 /*
  * Freeze the handshake buffer. For 
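Review bot: `sk = NULL;` is correct but unexplained. A short comment that ownership of the chain has passed to `s->session->peer_chain`, so the error path must not free `sk` again, would stop a later cleanup from removing the assignment as dead code.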
