Fix EVP_Digest{Sign,Verify}Final() and EVP_Digest{Sign,Verify}() for provider only keys

For provider only keys where the initialization didn't catch, we may
end up crashing because the legacy code path didn't check that it had
support carefully enough.  This only happens if the caller didn't
check if initialization worked or not.

For the one-shot case, it's very simply handling the case where the
key has no legacy implementation an fall back to the standard
init+update+final mechanism.

While at it, EVP_DigestSignFinal() and EVP_DigestVerifyFinal() got a
slight code cleanup.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10806)

The MD2 test uses the EVP APIs not the low level ones.
The test can be moved into the EVP tests and the separate executable removed.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10821)

Remove duplicates

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/10134)

Better documentation of -www,-WWW,-HTTP flags

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/10134)

Refactor the tls/dlts version options

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/10134)

Add a test for HMAC via EVP_DigestSign*

We test with both an implicitly fetched digest and an explicitly fetched
digest.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10796)

Always go the legacy route if EVP_MD_CTX_FLAG_NO_INIT is set

If we're using an explicitly fetched digest in an EVP_DigestUpdate
operation, then we should still go the legacy route if
EVP_MD_CTX_FLAG_NO_INIT has been set because we are being used in the
context of a legacy signature algorithm and EVP_DigestInit has not been
called.

This fixes a seg fault in EVP_DigestSignUpdate()

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10796)

Deprecate the Low Level CAST APIs

Applications should instead use the higher level EVP APIs, e.g.
EVP_Encrypt*() and EVP_Decrypt*().

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10742)

Deprecate Low Level Camellia APIs

Applications should instead use the higher level EVP APIs, e.g.
EVP_Encrypt*() and EVP_Decrypt*().

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10741)

handle new findings of find-doc-nits on fn typedefs w/ extra space

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10673)

make find-doc-nits report function typedef w/ space before arg list

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10673)

handle new findings of find-doc-nits for certain typedefs

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10673)

improve 'typedef' patterns of find-doc-nits

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10673)

Configure: use $list_separator_re only for defines and includes

This regexp was used a bit too uncontrolled, which had it split flag
values where it should not have.

Fixes #10792

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10793)

When deprecated symbols are removed, ensure liblegacy has WHIRLPOOL

The legacy module implements WHIRLPOOL, so we must ensure it has the
full functionality, even when libcrypto stops exporting the symbols.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10779)

Deprecate the low level Whirlpool functions.

Use of the low level Whirlpool functions has been informally discouraged for a
long time.  We now formally deprecate them.

Applications should instead use the EVP APIs, e.g. EVP_Digest,
EVP_DigestInit_ex, EVP_DigestUpdate and EVP_DigestFinal_ex.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10779)

whirlpool: fix preprocessor indentation

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10779)

Deprecate the low level MDC2 functions.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10790)

mdc2: fix preprocessor indentation

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10790)

Deprecate the low level MD4 functions.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10790)

md4: fix preprocessor indentation

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10790)

Deprecate the low level MD2 functions.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10790)

md2: fix preprocessor indentation

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10790)

Deprecate the low level RIPEMD160 functions.

Use of the low level RIPEMD160 functions has been informally discouraged for a
long time. We now formally deprecate them.

Applications should instead use the EVP APIs, e.g. EVP_Digest,
EVP_DigestInit_ex, EVP_DigestUpdate and EVP_DigestFinal_ex.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10789)

ripemd: fix preprocessor indentation

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10789)

Add dsa signature alg to fips provider

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10615)

Tweak option error messages

Better messages for unknown option, unknown cipher, unknown digest.

Fixes #10773

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10774)

testutil_init.c: fix compilation error with enable-trace

In commit e79ae962fbed the tests were adapted to use the
new BIO_f_prefix() API which was introduced in 319cee9e2fc6.
This location was missed, because it is compiled only when
tracing is enabled.

Fixes #10731

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10732)

Add GCM support for EVP_CTRL_GCM_IV_GEN and EVP_CTRL_GCM_SET_IV_INV to providers

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10173)

Add test/bio_prefix_text to .gitignore

A new test binary was added as part of
51a7c4b5f2a0b2d0f6bc0c87ec2ee44b9697dc78
(from https://github.com/openssl/openssl/pull/10531 ).

This commit adds said binary to .gitignore to avoid cluttering of the
worktree.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10768)

PROV: Adjust the KEYMGMT name specs to include all names

This is very simply to allow the common case, where the KEYMGMT is
fetched first, and all names are needed at that time to secure that
they are found.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10647)

EVP: Adapt KEYEXCH, SIGNATURE and ASYM_CIPHER to handle key types better

The adaptation is to handle the case when key types and operations
that use these keys have different names.  For example, EC keys can be
used for ECDSA and ECDH.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10647)

CORE & EVP: Specify OP_query_operation_name() for KEYMGMT

This will allow keymgmt implementation for key types that need it to
specify the names of the diverse operation algorithms it can be used
with.  Currently, only one name per key type and operation is allowed.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10647)

DOCS: The interpretation of OPENSSL_API_COMPAT has changed, update docs

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
(Merged from https://github.com/openssl/openssl/pull/10765)

add missing load_pkimsg() in test/cmp_testlib.c

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10633)

fix obsolete error codes in test/cmp_msg_test.c

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10633)

fix dependencies of cmp_{msg,protect}_test.c in test/build.info

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10633)

Add the DSA serializers to the default provider tools

The DSA serializers are implemented, but didn't get added to the
default provider's serializer algorithm table.

Fixes #10645

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10772)

EVP: If a key can't be exported to provider, fallback to legacy

Currently, the operations that do try to export a legacy key to
providers will fail if the export failed.  It makes more sense to
simply use the legacy method instead, as a fallback for things not
being implemented (yet) in a provider.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10771)

nmake: fix install_html_docs target

The nmake rule contains actually two errors:

1. The $< target[1] does not work for regular rules and is
expanded to an empty string after issuing the warning

    NMAKE : warning U4006: special macro undefined : '$<"'

Solution: replace $< by $?

2. The substitution regex is not quoted correctly, which leads
to the following error message by cmd.exe:

    'href' is not recognized as an internal or external command,
    operable program or batch file.

Solution: Quoting arguments for cmd.exe is really a nightmare,
but with the help of the excellent description [2] I was able to
properly quote the regex. Things were complicated by the fact that
a lot of levels of unquoting needed to be considered:

 * perl (windows-makefile.tmpl -> makefile)
 * make (reading the makefile)
 * cmd.exe (executed by make)
 * perl (scanning command line using CommandLineToArgvW())

The fix works, but the regex has become unmaintainable. It would actually
be better to wrap the entire command (including the regex) into a little
perl script which can be called by make directly.

[1] https://docs.microsoft.com/en-us/cpp/build/reference/filename-macros
[2] https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/

Fixes #10648
Fixes #10749

[extended tests]

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10719)

Deprecate Low Level Blowfish APIs

Applications should instead use the higher level EVP APIs, e.g.
EVP_Encrypt*() and EVP_Decrypt*().

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10740)

Make generated copyright year be "now"

Always use the current year in generating output files, rather than
trying to base is on the modtime of the script or input, as that can
vary depending on the ability of the local OS to keep those accurate.

Fixes #10744

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10776)

Refactor -engine documentation

Common wording courtesy Richard Levitte.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10128)

Modify the add_seeds_stringlist() macro to fix a preprocessor error

When OpenSSL is configured using `--with-rand-seed=devrandom`, the preprocessor
reports the following error

    crypto/info.c:104:66: error:
            macro "add_seeds_stringlist" passed 3 arguments, but takes just 2
            add_seeds_stringlist("random-device", { DEVRANDOM, NULL });

The reason why the preprocessor complains about three arguments being passed
is that according to [1], balanced braces in macro arguments don't prevent the
comma from acting as an argument separator:

    3.3 Macro Arguments
    ...
    Parentheses within each argument must balance;
    a comma within such parentheses does not end the argument.
    However, there is no requirement for square brackets or braces to balance,
    and they do not prevent a comma from separating arguments.

Also introduced an iteration pointer `p`, because `dev` is not an lvalue:

    crypto/info.c:78:41: error:
            lvalue required as increment operand
            for (; *dev != NULL; dev++) {

[1] https://gcc.gnu.org/onlinedocs/cpp/Macro-Arguments.html

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10762)

Move random-related defines to "crypto/rand.h"

This fixes commit 01036e2afbe116d608be048ed15930fc885ab2a8, which moved the
DEVRANDOM and DEVRANDOM_EGD defines into rand_unix.c. That change introduced
the regression that the compiler complains about missing declarations in
crypto/info.c when OpenSSL is configured using `--with-rand-seed=devrandom`
(resp. `--with-rand-seed=egd`)

Fixes #10759

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10762)

Configuration: synchronise the variables on the build file templates

For some reason, we didn't use some of the possible target attributes
in the Unix Makefile template, and there was a similar but much
smaller lack of use in the Windows makefile template as well.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10753)

Make ECDSA_size() use consistent asn1 encoder.

ECDSA signature lengths are calculated using i2d_ECDSA_SIG().
i2d_ECDSA_SIG() was changed in a previous PR to use a custom ASN1 encoder (using WPACKET)
so that the normal ASN1 encoder does not need to be pulled into the provider boundary.
For consistency ECDSA_size() has been changed to also use i2d_ECDSA_SIG() - this can now
be used directly inside the FIPS provider.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/10577)

coverity 1201462: check error returns

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10760)

coverity 1201478: check BIO_indent returns

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10760)

Fix KMAC docs

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9970)

Add missing inclusion of "internal/deprecated.h"

A few provider implementations need this to build correctly with a
'no-deprecated' configuration.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10766)

Add `-passin` arg to `ocsp`
Fix #10682

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10718)

Deprecate the low level AES functions

Use of the low level AES functions has been informally discouraged for a
long time. We now formally deprecate them.

Applications should instead use the EVP APIs, e.g. EVP_EncryptInit_ex,
EVP_EncryptUpdate, EVP_EncryptFinal_ex, and the equivalently named decrypt
functions.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10580)

Don't use the low level AES key wrap APIs in CMS

We should not be using the low level AES APIs in CMS. Instead we should
be using EVP. There was a small amount of use of the low level key
wrap APIs - so we convert that to EVP.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10580)

Don't store an HMAC key for longer than we need

The HMAC_CTX structure stores the original key in case the ctx is reused
without changing the key.

However, HMAC_Init_ex() checks its parameters such that the only code path
where the stored key is ever used is in the case where HMAC_Init_ex is
called with a NULL key and an explicit md is provided which is the same as
the md that was provided previously. But in that case we can actually reuse
the pre-digested key that we calculated last time, so we can refactor the
code not to use the stored key at all.

With that refactor done it is no longer necessary to store the key in the
ctx at all. This means that long running ctx's will not keep the key in
memory for any longer than required. Note though that the digested key
*is* still kept in memory for the duration of the life of the ctx.

Fixes #10743

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10747)

EVP: Fix method to determine if a PKEY is legacy or not

For the implementation of EVP_PKEY_CTX_new(), we determined if an
EVP_PKEY wass legacy or not by looking at 'pkey->pkey.ptr'.  It turns
out that this code could get an unassigned EVP_PKEY, with that pointer
being NULL, and the determination proven incorrect.

The check now looks at 'pkey->ameth' instead.

Fixes #10704

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/10758)

Move -nameopt to openssl.pod

Also clarify the description of the options.

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10259)

Add AES_CBC_HMAC_SHA ciphers to providers.

Also Add ability for providers to dynamically exclude cipher algorithms.
Cipher algorithms are only returned from providers if their capable() method is either NULL,
or the method returns 1.
This is mainly required for ciphers that only have hardware implementations.
If there is no hardware support, then the algorithm needs to be not available.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10146)

Fix incorrect return code on ECDSA key verification

ECDSA_do_verify() is a function that verifies a ECDSA signature given a hash and a public EC key. The function is supposed to return 1 on valid signature, 0 on invalid signature and -1 on error. Previously, we returned 0 if the key did not have a verify_sig method. This is actually an error case and not an invalid signature. Consequently, this patch updates the return code to -1.

Fixes #8766

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10693)

Fix disabled ecdsa in apps/speed

This came from f3fdfbf78c6b. run = 1 should be done in pkey_print_message
as well, otherwise other tests printed with pkey_print_message won't run.

Change-Id: I0ba0b05256ad6509ada4735b26d10f8a73fd89ec

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/10710)

Fix side channel in ecp_nistz256-armv8.pl

This change addresses a potential side-channel vulnerability in
the internals of nistz256 low level operations for armv8.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9239)

Fix side channel in the ecp_nistz256.c reference implementation

This is only used if configured with
./config -DECP_NISTZ256_REFERENCE_IMPLEMENTATION

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9239)

Improve side channel fix in ecp_nistz256-x86_64.pl

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9239)

Fix side channel in ecp_nistz256-armv4.pl

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9239)

Fix side channel in ecp_nistz256-x86.pl

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9239)

Avoid leaking intermediate states in point doubling special case.

Cherry picked from
https://github.com/google/boringssl/commit/12d9ed670da3edd64ce8175cfe0e091982989c18

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9239)

Fix potential SCA vulnerability in some EC_METHODs

This commit addresses a potential side-channel vulnerability in the
internals of some elliptic curve low level operations.
The side-channel leakage appears to be tiny, so the severity of this
issue is rather low.

The issue was reported by David Schrammel and Samuel Weiser.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9239)

coverity 1456638: fix null check

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10748)

coverity 1456639: fix NULL dereference

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10748)

coverity 1456640: fix null check

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10748)

coverity 1456642: fix null check

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10748)

Add -iter option to pkcs12 command

Fixes #8194

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10130)

Run make update

The New Year has caused various files to appear out of date to "make
update". This causes Travis to fail. Therefore we update those file.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10738)

Update tls13_enc.c

Fix double + in hkdflabel declaration (FIXES #10675)
CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10700)

Temporarily disable the explicit enable-asan build

The explicit enable-asan build fails in the memleak test for unknown
reasons. Therefore we disable it temporarily to get a green Travis.

Other builds that use -fsanitize=address in Travis seem to pass.

[extended tests]

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10689)

Temporarily disable some Travis external tests

The pyca-cryptography external test has been failing for a long time.
It looks like upstream needs to make some changes to adapt to 3.0.

[extended tests]

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10689)

Don't run test_conf in cross compiled builds

test_conf was failing in travis for mingw builds. We run these on linux
via wine. However due to line break differences the tests were failing.
We just skip these in a cross compiled build.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10689)

Fix a race condition in the speed command

The timer alarm sets run = 0, while the benchmark
does run = 1 in the initialization code.  That is
a race condition, if the timer goes off too early
the benchmark runs forever.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10680)

Configurations/windows-makefile.tmpl: HTMLDOCS are files, not directories

Remove them using "del", not "rmdir"

Fixes #10553

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10555)

Removed now documented stuff from util/missing*.txt

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10683)

util/find-doc-nits: when loading "missing" files, check if documented

It may be that some "missing" manuals have been written since their
insertion in the "missing" files.  Make sure to alert when such manual
references are found.

This works, because we collect all existing manual references into
%name_map first.

Fixes #10681

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10683)

Update the krb5 submodule

Bring us up to date with upstream's 1.17.1 release.  Among other
things, it includes commit c2497d46b4bad473e164943d67b58cd1ae261c3a
which fixes several issues that affect running the test suite under
Travis CI.  Hopefully those will work transitively for us as well.

[extended tests]

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10690)

Add some missing cfi frame info in rc4-md5-x86_64.pl

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/10679)

Add some missing cfi frame info in poly1305-x86_64.pl

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/10678)

Add some missing cfi frame info in aesni-gcm-x86_64.pl

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/10677)

Add some missing cfi frame info in x25519-x86_64.pl

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/10676)

Fix aesni_cbc_sha256_enc_avx2 backtrace info

We store a secondary frame pointer info for the debugger
in the red zone.  This fixes a crash in the unwinder when
this function is interrupted.

Additionally the missing cfi function annotation is added
to aesni_cbc_sha256_enc_shaext.

[extended tests]

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10674)

Add some missing cfi frame info in ecp_nistz256-x86_64.pl

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/10672)

Fix no-dsa builds

Add a guard in a build.info file for no-dsa builds

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/10644)

Fix no-dh

The new serializer code broke no-dh builds so we add some more guards to fix it.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/10644)

Fix evp_extra_test with no-dh

The new DH test in evp_extra_test.c broke the no-dh build so we add some
guards to fix it.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/10644)

Add fips self test DEP for solaris and hpux

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10640)

Remove asn1 module dependency from RSASSA-PKCS1-v1_5 implementation.

Replace use of the asn1 module (X509_SIG, X509_ALGOR, ASN1_TYPE,
ASN1_OCTET_STRING, i2d_X509_SIG(), etc.) as well as OID lookups using
OBJ_nid2obj() with pre-generated DigestInfo encodings for MD2, MD5, MDC-2,
SHA-1, SHA-2 and SHA-3; the encoding is selected based on the NID. This is
similar to the approach used by the old FOM.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9138)

Rename doc/man7/provider-asymcipher.pod

The correct name is doc/man7/provider-asym_cipher.pod, to match the
name in the NAME section.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10621)

doc/man1/openssl-cmds.pod: Add invisble name 'openssl-cmds'

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10621)

OpenSSL::Util::extract_pod_info(): Allow invisible names

This should be very unusual, but we do have a case of a name we don't
want to display.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10621)

OpenSSL::Util::extract_pod_info(): Read the POD one paragraph at a time

POD files should always be treated this way

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10621)

Adjust all util/missing*.txt to include the section number

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10621)

util/find-doc-nits: Better checking of missing documentation

The names collected in util/missing*.txt are not file names, but
symbol names, and to compare properly with script data, the section
name must be included.

All symbols found in util/lib*.num are library functions, so we know
that they are in manual section 3 and can simply add that info.  The
same goes for all macros found in C headers.

Finally, we get rid of getdocced() and its associated hash table
%docced.  We already have the appropriate information in %name_map.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10621)

perl: OpenSSL::Util::Pod::extract_pod_info() now saves the file contents

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10621)