OpenSSL 3.3.2

Source commit: 07d6d1e199ebcefe8d6913316b604235bc1d6021

libs/openssl/CHANGES.md

@@ -26,6 +26,30 @@ OpenSSL Releases
 OpenSSL 3.3
 -----------
 
+### Changes between 3.3.1 and 3.3.2 [3 Sep 2024]
+
+ * Fixed possible denial of service in X.509 name checks.
+
+   Applications performing certificate name checks (e.g., TLS clients checking
+   server certificates) may attempt to read an invalid memory address when
+   comparing the expected name with an `otherName` subject alternative name of
+   an X.509 certificate. This may result in an exception that terminates the
+   application program.
+
+   ([CVE-2024-6119])
+
+   *Viktor Dukhovni*
+
+ * Fixed possible buffer overread in SSL_select_next_proto().
+
+   Calling the OpenSSL API function SSL_select_next_proto with an empty
+   supported client protocols buffer may cause a crash or memory contents
+   to be sent to the peer.
+
+   ([CVE-2024-5535])
+
+   *Matt Caswell*
+
 ### Changes between 3.3.0 and 3.3.1 [4 Jun 2024]
 
  * Fixed potential use after free after SSL_free_buffers() is called.
@@ -68,6 +92,14 @@ OpenSSL 3.3
 
    *Tomáš Mráz*
 
+ * Improved EC/DSA nonce generation routines to avoid bias and timing
+   side channel leaks.
+
+   Thanks to Florian Sieck from Universität zu Lübeck and George Pantelakis
+   and Hubert Kario from Red Hat for reporting the issues.
+
+   *Tomáš Mráz and Paul Dale*
+
 ### Changes between 3.2 and 3.3.0 [9 Apr 2024]
 
  * The `-verify` option to the `openssl crl` and `openssl req` will make
@@ -20653,6 +20685,8 @@ ndif
 
 <!-- Links -->
 
+[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
+[CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
 [CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
 [CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
 [CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511

libs/openssl/CONTRIBUTING.md

@@ -3,7 +3,7 @@ HOW TO CONTRIBUTE TO OpenSSL
 
 Please visit our [Getting Started] page for other ideas about how to contribute.
 
-  [Getting Started]: <https://www.openssl.org/community/getting-started.html>
+  [Getting Started]: <https://openssl-library.org/community/getting-started>
 
 Development is done on GitHub in the [openssl/openssl] repository.
 
@@ -77,8 +77,8 @@ guidelines:
     Clean builds via GitHub Actions are required. They are started automatically
     whenever a PR is created or updated by committers.
 
-    [coding style]: https://www.openssl.org/policies/technical/coding-style.html
-    [documentation policy]: https://openssl.org/policies/technical/documentation-policy.html
+    [coding style]: https://openssl-library.org/policies/technical/coding-style/
+    [documentation policy]: https://openssl-library.org/policies/technical/documentation-policy/
 
  5. When at all possible, code contributions should include tests. These can
     either be added to an existing test, or completely new.  Please see

libs/openssl/Configurations/10-main.conf

@@ -1414,6 +1414,25 @@ my %targets = (
         AR               => add("-X32"),
         RANLIB           => add("-X32"),
     },
+    # To enable openxl compiler for aix
+    # If 17.1 openxl runtime is available, -latomic can be used
+    # instead of -DBROKEN_CLANG_ATOMICS
+    "aix-clang" => {
+        inherit_from     => [ "aix-common" ],
+        CC               => "ibm-clang",
+        CFLAGS           => picker(debug   => "-O0 -g",
+                                   release => "-O"),
+        cflags           => combine("-Wno-implicit-function-declaration -mcmodel=large -DBROKEN_CLANG_ATOMICS",
+                            threads("-pthread")),
+        ex_libs          => add(threads("-pthread")),
+        bn_ops           => "BN_LLONG RC4_CHAR",
+        asm_arch         => 'ppc32',
+        perlasm_scheme   => "aix32",
+        shared_cflag     => "-fpic",
+        shared_ldflag    => add("-shared"),
+        AR               => add("-X32"),
+        RANLIB           => add("-X32"),
+    },
     # shared_target of "aix-solib" builds shared libraries packaged
     # without archives.  This improves the behavior of inter-library
     # references (libssl depending on libcrypto) when building with
@@ -1445,6 +1464,23 @@ my %targets = (
         AR               => add("-X64"),
         RANLIB           => add("-X64"),
     },
+    "aix64-clang" => {
+        inherit_from     => [ "aix-common" ],
+        CC               => "ibm-clang",
+        CFLAGS           => picker(debug   => "-O0 -g",
+                                   release => "-O"),
+        cflags           => combine("-maix64 -Wno-implicit-function-declaration -mcmodel=large",
+                            threads("-pthread")),
+        ex_libs          => add(threads("-pthread")),
+        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHAR",
+        asm_arch         => 'ppc64',
+        perlasm_scheme   => "aix64",
+        shared_cflag     => "-fpic",
+        shared_ldflag    => add("-shared"),
+        shared_extension => "64.so.\$(SHLIB_VERSION_NUMBER)",
+        AR               => add("-X64"),
+        RANLIB           => add("-X64"),
+    },
     "aix64-cc-solib" => {
         inherit_from     => [ "aix64-cc" ],
         shared_target    => "aix-solib",

libs/openssl/Configurations/15-ios.conf

@@ -11,7 +11,7 @@ my %targets = (
         template         => 1,
         inherit_from     => [ "darwin-common" ],
         sys_id           => "iOS",
-        disable          => [ "shared", "async" ],
+        disable          => [ "async" ],
     },
     "ios-xcrun" => {
         inherit_from     => [ "ios-common" ],

libs/openssl/Configure

@@ -167,7 +167,6 @@ my @gcc_devteam_warn = qw(
     -Wshadow
     -Wformat
     -Wno-type-limits
-    -Wno-tautological-constant-out-of-range-compare
     -Wundef
     -Werror
     -Wmissing-prototypes
@@ -184,11 +183,11 @@ my @gcc_devteam_warn = qw(
 #       -Wextended-offsetof -- no, needed in CMS ASN1 code
 my @clang_devteam_warn = qw(
     -Wno-unknown-warning-option
-    -Wswitch-default
     -Wno-parentheses-equality
     -Wno-language-extension-token
     -Wno-extended-offsetof
     -Wno-missing-braces
+    -Wno-tautological-constant-out-of-range-compare
     -Wconditional-uninitialized
     -Wincompatible-pointer-types-discards-qualifiers
     -Wmissing-variable-declarations
@@ -1658,7 +1657,7 @@ if (!$disabled{makedepend}) {
     disable('unavailable', 'makedepend') unless $config{makedep_scheme};
 }
 
-if (!$disabled{asm} && !$predefined_C{__MACH__} && $^O ne 'VMS') {
+if (!$disabled{asm} && !$predefined_C{__MACH__} && $^O ne 'VMS' && !$predefined_C{_AIX}) {
     # probe for -Wa,--noexecstack option...
     if ($predefined_C{__clang__}) {
         # clang has builtin assembler, which doesn't recognize --help,
@@ -3507,6 +3506,13 @@ sub absolutedir {
         return rel2abs($dir);
     }
 
+    # realpath() on Windows seems to check if the directory actually exists,
+    # which isn't what is wanted here.  All we want to know is if a directory
+    # spec is absolute, not if it exists.
+    if ($^O eq "MSWin32") {
+        return rel2abs($dir);
+    }
+
     # We use realpath() on Unix, since no other will properly clean out
     # a directory spec.
     use Cwd qw/realpath/;

libs/openssl/INSTALL.md

@@ -1291,7 +1291,7 @@ Configure OpenSSL
 ### Automatic Configuration
 
 In previous version, the `config` script determined the platform type and
-compiler and then called `Configure`. Starting with this release, they are
+compiler and then called `Configure`. Starting with version 3.0, they are
 the same.
 
 #### Unix / Linux / macOS
@@ -1746,7 +1746,7 @@ More about our support resources can be found in the [SUPPORT] file.
 
 ### Configuration Errors
 
-If the `./Configure` or `./Configure` command fails with an error message,
+If the `./config` or `./Configure` command fails with an error message,
 read the error message carefully and try to figure out whether you made
 a mistake (e.g., by providing a wrong option), or whether the script is
 working incorrectly. If you think you encountered a bug, please

libs/openssl/NEWS.md

@@ -21,6 +21,19 @@ OpenSSL Releases
 OpenSSL 3.3
 -----------
 
+### Major changes between OpenSSL 3.3.1 and OpenSSL 3.3.2 [3 Sep 2024]
+
+OpenSSL 3.3.2 is a security patch release. The most severe CVE fixed in this
+release is Moderate.
+
+This release incorporates the following bug fixes and mitigations:
+
+  * Fixed possible denial of service in X.509 name checks
+    ([CVE-2024-6119])
+
+  * Fixed possible buffer overread in SSL_select_next_proto()
+    ([CVE-2024-5535])
+
 ### Major changes between OpenSSL 3.3.0 and OpenSSL 3.3.1 [4 Jun 2024]
 
 OpenSSL 3.3.1 is a security patch release. The most severe CVE fixed in this
@@ -1729,6 +1742,8 @@ OpenSSL 0.9.x
 
 <!-- Links -->
 
+[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
+[CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
 [CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
 [CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
 [CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511

libs/openssl/VERSION.dat

@@ -1,7 +1,7 @@
 MAJOR=3
 MINOR=3
-PATCH=1
+PATCH=2
 PRE_RELEASE_TAG=
 BUILD_METADATA=
-RELEASE_DATE="4 Jun 2024"
+RELEASE_DATE="3 Sep 2024"
 SHLIB_VERSION=3

libs/openssl/apps/cmp.c

@@ -3435,13 +3435,28 @@ int cmp_main(int argc, char **argv)
                             opt_extracertsout, "extra") < 0)
             goto err;
         if (newcert != NULL && (opt_cmd == CMP_IR || opt_cmd == CMP_CR
-                                || opt_cmd == CMP_KUR || opt_cmd == CMP_P10CR))
-            if (!save_cert_or_delete(newcert, opt_certout, "newly enrolled")
-                || save_free_certs(OSSL_CMP_CTX_get1_newChain(cmp_ctx),
-                                   opt_chainout, "chain") < 0
-                || save_free_certs(OSSL_CMP_CTX_get1_caPubs(cmp_ctx),
-                                   opt_cacertsout, "CA") < 0)
+                                || opt_cmd == CMP_KUR || opt_cmd == CMP_P10CR)) {
+            STACK_OF(X509) *newchain = OSSL_CMP_CTX_get1_newChain(cmp_ctx);
+
+            if (newcert != NULL && newchain != NULL /* NULL is on error only */
+                && opt_certout != NULL && opt_chainout != NULL
+                && strcmp(opt_certout, opt_chainout) == 0) {
+                if (!X509_add_cert(newchain, newcert, X509_ADD_FLAG_PREPEND
+                                   | X509_ADD_FLAG_UP_REF)) {
+                    sk_X509_pop_free(newchain, X509_free);
+                    goto err;
+                }
+                if (!save_free_certs(newchain, opt_chainout, "newly enrolled cert and chain"))
+                    goto err;
+            } else {
+                if (save_free_certs(newchain, opt_chainout, "chain") < 0
+                    || !save_cert_or_delete(newcert, opt_certout, "newly enrolled"))
+                    goto err;
+            }
+            if (save_free_certs(OSSL_CMP_CTX_get1_caPubs(cmp_ctx),
+                                opt_cacertsout, "CA") < 0)
                 goto err;
+        }
         if (!OSSL_CMP_CTX_reinit(cmp_ctx))
             goto err;
     }

libs/openssl/apps/cms.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2024 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -133,7 +133,7 @@ const OPTIONS cms_options[] = {
     {"binary", OPT_BINARY, '-',
      "Treat input as binary: do not translate to canonical form"},
     {"crlfeol", OPT_CRLFEOL, '-',
-     "Use CRLF as EOL termination instead of CR only" },
+     "Use CRLF as EOL termination instead of LF only" },
     {"asciicrlf", OPT_ASCIICRLF, '-',
      "Perform CRLF canonicalisation when signing"},
 

libs/openssl/apps/dgst.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -479,7 +479,7 @@ int dgst_main(int argc, char **argv)
 static void show_digests(const OBJ_NAME *name, void *arg)
 {
     struct doall_dgst_digests *dec = (struct doall_dgst_digests *)arg;
-    const EVP_MD *md = NULL;
+    EVP_MD *md = NULL;
 
     /* Filter out signed digests (a.k.a signature algorithms) */
     if (strstr(name->name, "rsa") != NULL || strstr(name->name, "RSA") != NULL)
@@ -491,8 +491,7 @@ static void show_digests(const OBJ_NAME *name, void *arg)
     /* Filter out message digests that we cannot use */
     md = EVP_MD_fetch(app_get0_libctx(), name->name, app_get0_propq());
     if (md == NULL) {
-        md = EVP_get_digestbyname(name->name);
-        if (md == NULL)
+        if (EVP_get_digestbyname(name->name) == NULL)
             return;
     }
 
@@ -503,6 +502,8 @@ static void show_digests(const OBJ_NAME *name, void *arg)
     } else {
         BIO_printf(dec->bio, " ");
     }
+
+    EVP_MD_free(md);
 }
 
 /*

libs/openssl/apps/lib/opt.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -646,7 +646,7 @@ int opt_uintmax(const char *value, ossl_uintmax_t *result)
         opt_number_error(value);
         return 0;
     }
-    *result = (ossl_intmax_t)m;
+    *result = (ossl_uintmax_t)m;
     errno = oerrno;
     return 1;
 }

libs/openssl/apps/lib/s_cb.c

@@ -704,7 +704,7 @@ void msg_cb(int write_p, int version, int content_type, const void *buf,
     (void)BIO_flush(bio);
 }
 
-static STRINT_PAIR tlsext_types[] = {
+static const STRINT_PAIR tlsext_types[] = {
     {"server name", TLSEXT_TYPE_server_name},
     {"max fragment length", TLSEXT_TYPE_max_fragment_length},
     {"client certificate URL", TLSEXT_TYPE_client_certificate_url},
@@ -746,6 +746,7 @@ static STRINT_PAIR tlsext_types[] = {
     {"psk kex modes", TLSEXT_TYPE_psk_kex_modes},
     {"certificate authorities", TLSEXT_TYPE_certificate_authorities},
     {"post handshake auth", TLSEXT_TYPE_post_handshake_auth},
+    {"early_data", TLSEXT_TYPE_early_data},
     {NULL}
 };
 

libs/openssl/apps/lib/s_socket.c

@@ -84,9 +84,6 @@ int init_client(int *sock, const char *host, const char *port,
     int ret;
     int options = 0;
 
-    if (tfo && ba_ret != NULL)
-        *ba_ret = NULL;
-
     if (BIO_sock_init() != 1)
         return 0;
 

libs/openssl/apps/s_client.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright 2005 Nokia. All rights reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -2167,6 +2167,9 @@ int s_client_main(int argc, char **argv)
     if (tfo)
         BIO_printf(bio_c_out, "Connecting via TFO\n");
  re_start:
+    /* peer_addr might be set from previous connections */
+    BIO_ADDR_free(peer_addr);
+    peer_addr = NULL;
     if (init_client(&sock, host, port, bindhost, bindport, socket_family,
                     socket_type, protocol, tfo, !isquic, &peer_addr) == 0) {
         BIO_printf(bio_err, "connect:errno=%d\n", get_last_socket_error());

libs/openssl/apps/smime.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -118,7 +118,7 @@ const OPTIONS smime_options[] = {
      "Do not load certificates from the default certificates store"},
     {"nochain", OPT_NOCHAIN, '-',
      "set PKCS7_NOCHAIN so certificates contained in the message are not used as untrusted CAs" },
-    {"crlfeol", OPT_CRLFEOL, '-', "Use CRLF as EOL termination instead of CR only"},
+    {"crlfeol", OPT_CRLFEOL, '-', "Use CRLF as EOL termination instead of LF only"},
 
     OPT_R_OPTIONS,
     OPT_V_OPTIONS,

libs/openssl/apps/speed.c

@@ -3031,7 +3031,7 @@ int speed_main(int argc, char **argv)
             ERR_print_errors(bio_err);
             op_count = 1;
         } else {
-            pkey_print_message("private", "rsa encrypt",
+            pkey_print_message("public", "rsa encrypt",
                                rsa_keys[testnum].bits, seconds.rsa);
             /* RSA_blinding_on(rsa_key[testnum],NULL); */
             Time_F(START);
@@ -3099,7 +3099,6 @@ int speed_main(int argc, char **argv)
             loopargs[i].sigsize = loopargs[i].buflen;
             if (loopargs[i].dsa_sign_ctx[testnum] == NULL
                 || EVP_PKEY_sign_init(loopargs[i].dsa_sign_ctx[testnum]) <= 0
-
                 || EVP_PKEY_sign(loopargs[i].dsa_sign_ctx[testnum],
                                  loopargs[i].buf2,
                                  &loopargs[i].sigsize,
@@ -3176,7 +3175,6 @@ int speed_main(int argc, char **argv)
             loopargs[i].sigsize = loopargs[i].buflen;
             if (loopargs[i].ecdsa_sign_ctx[testnum] == NULL
                 || EVP_PKEY_sign_init(loopargs[i].ecdsa_sign_ctx[testnum]) <= 0
-
                 || EVP_PKEY_sign(loopargs[i].ecdsa_sign_ctx[testnum],
                                  loopargs[i].buf2,
                                  &loopargs[i].sigsize,

libs/openssl/build.info

@@ -102,6 +102,11 @@ IF[{- $config{target} =~ /^(?:Cygwin|mingw|VC-|BC-)/ -}]
 ENDIF
 
 # This file sets the build directory up for CMake inclusion
+# Note: This generation of OpenSSLConfig[Version].cmake is used
+# for building openssl locally, and so the build variables are 
+# taken from builddata.pm rather than installdata.pm.  For exportable
+# versions of these generated files, you'll find them in the exporters
+# directory
 GENERATE[OpenSSLConfig.cmake]=exporters/cmake/OpenSSLConfig.cmake.in
 DEPEND[OpenSSLConfig.cmake]=builddata.pm
 GENERATE[OpenSSLConfigVersion.cmake]=exporters/cmake/OpenSSLConfigVersion.cmake.in
@@ -119,7 +124,8 @@ DEPEND[openssl.pc]=builddata.pm
 DEPEND[openssl.pc]=libcrypto.pc libssl.pc
 
 GENERATE[builddata.pm]=util/mkinstallvars.pl \
-    PREFIX=. BINDIR=apps LIBDIR= INCLUDEDIR=include APPLINKDIR=ms \
+    PREFIX=. BINDIR=apps APPLINKDIR=ms \
+    LIBDIR= INCLUDEDIR=include "INCLUDEDIR=$(SRCDIR)/include" \
     ENGINESDIR=engines MODULESDIR=providers \
     "VERSION=$(VERSION)" "LDLIBS=$(LIB_EX_LIBS)"
 

libs/openssl/crypto/aes/build.info

@@ -38,7 +38,7 @@ IF[{- !$disabled{asm} -}]
   $AESASM_parisc20_64=$AESASM_parisc11
   $AESDEF_parisc20_64=$AESDEF_parisc11
 
-  IF[{- $target{sys_id} ne "AIX" && $target{sys_id} ne "MACOSX" -}]
+  IF[{- $target{sys_id} ne "MACOSX" -}]
     $AESASM_ppc32=aes_core.c aes_cbc.c aes-ppc.s vpaes-ppc.s aesp8-ppc.s
   ELSE
     $AESASM_ppc32=aes_core.c aes_cbc.c aes-ppc.s vpaes-ppc.s

libs/openssl/crypto/asn1/a_d2i_fp.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -148,6 +148,9 @@ int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
                     goto err;
                 }
                 len += i;
+                if ((size_t)i < want)
+                    continue;
+
             }
         }
         /* else data already loaded */

libs/openssl/crypto/asn1/a_strex.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -10,6 +10,7 @@
 #include <stdio.h>
 #include <string.h>
 #include "internal/cryptlib.h"
+#include "internal/sizes.h"
 #include "crypto/asn1.h"
 #include <openssl/crypto.h>
 #include <openssl/x509.h>
@@ -343,8 +344,10 @@ static int do_print_ex(char_io *io_ch, void *arg, unsigned long lflags,
 
     if (lflags & ASN1_STRFLGS_SHOW_TYPE) {
         const char *tagname;
+
         tagname = ASN1_tag2str(type);
-        outlen += strlen(tagname);
+        /* We can directly cast here as tagname will never be too large. */
+        outlen += (int)strlen(tagname);
         if (!io_ch(arg, tagname, outlen) || !io_ch(arg, ":", 1))
             return -1;
         outlen++;
@@ -370,7 +373,7 @@ static int do_print_ex(char_io *io_ch, void *arg, unsigned long lflags,
 
     if (type == -1) {
         len = do_dump(lflags, io_ch, arg, str);
-        if (len < 0)
+        if (len < 0 || len > INT_MAX - outlen)
             return -1;
         outlen += len;
         return outlen;
@@ -389,7 +392,7 @@ static int do_print_ex(char_io *io_ch, void *arg, unsigned long lflags,
     }
 
     len = do_buf(str->data, str->length, type, flags, &quotes, io_ch, NULL);
-    if (len < 0)
+    if (len < 0 || len > INT_MAX - 2 - outlen)
         return -1;
     outlen += len;
     if (quotes)

libs/openssl/crypto/asn1/a_verify.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -202,10 +202,12 @@ int ASN1_item_verify_ctx(const ASN1_ITEM *it, const X509_ALGOR *alg,
     inl = ASN1_item_i2d(data, &buf_in, it);
     if (inl <= 0) {
         ERR_raise(ERR_LIB_ASN1, ERR_R_INTERNAL_ERROR);
+        ret = -1;
         goto err;
     }
     if (buf_in == NULL) {
         ERR_raise(ERR_LIB_ASN1, ERR_R_ASN1_LIB);
+        ret = -1;
         goto err;
     }
     inll = inl;

libs/openssl/crypto/asn1/tasn_fre.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -85,8 +85,12 @@ void ossl_asn1_item_embed_free(ASN1_VALUE **pval, const ASN1_ITEM *it, int embed
 
     case ASN1_ITYPE_NDEF_SEQUENCE:
     case ASN1_ITYPE_SEQUENCE:
-        if (ossl_asn1_do_lock(pval, -1, it) != 0) /* if error or ref-counter > 0 */
+        if (ossl_asn1_do_lock(pval, -1, it) != 0) {
+            /* if error or ref-counter > 0 */
+            OPENSSL_assert(embed == 0);
+            *pval = NULL;
             return;
+        }
         if (asn1_cb) {
             i = asn1_cb(ASN1_OP_FREE_PRE, pval, it, NULL);
             if (i == 2)

libs/openssl/crypto/bio/bf_readbuff.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -222,10 +222,13 @@ static int readbuffer_gets(BIO *b, char *buf, int size)
     char *p;
     int i, j;
 
-    if (size == 0)
+    if (buf == NULL || size == 0)
         return 0;
     --size; /* the passed in size includes the terminator - so remove it here */
     ctx = (BIO_F_BUFFER_CTX *)b->ptr;
+
+    if (ctx == NULL || b->next_bio == NULL)
+        return 0;
     BIO_clear_retry_flags(b);
 
     /* If data is already buffered then use this first */

libs/openssl/crypto/bio/bio_addr.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -799,14 +799,12 @@ int BIO_lookup_ex(const char *host, const char *service, int lookup_type,
         if (!RUN_ONCE(&bio_lookup_init, do_bio_lookup_init)) {
             /* Should this be raised inside do_bio_lookup_init()? */
             ERR_raise(ERR_LIB_BIO, ERR_R_CRYPTO_LIB);
-            ret = 0;
-            goto err;
+            return 0;
         }
 
-        if (!CRYPTO_THREAD_write_lock(bio_lookup_lock)) {
-            ret = 0;
-            goto err;
-        }
+        if (!CRYPTO_THREAD_write_lock(bio_lookup_lock))
+            return 0;
+        
         he_fallback_address = INADDR_ANY;
         if (host == NULL) {
             he = &he_fallback;

libs/openssl/crypto/cmp/cmp_vfy.c

@@ -632,7 +632,7 @@ int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg)
     default:
         scrt = ctx->srvCert;
         if (scrt == NULL) {
-            if (ctx->trusted == NULL) {
+            if (ctx->trusted == NULL && ctx->secretValue != NULL) {
                 ossl_cmp_info(ctx, "no trust store nor pinned server cert available for verifying signature-based CMP message protection");
                 ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_TRUST_ANCHOR);
                 return 0;

libs/openssl/crypto/conf/conf_def.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -330,7 +330,7 @@ static int def_load_bio(CONF *conf, BIO *in, long *line)
 
         v = NULL;
         /* check for line continuation */
-        if (bufnum >= 1) {
+        if (!again && bufnum >= 1) {
             /*
              * If we have bytes and the last char '\\' and second last char
              * is not '\\'

libs/openssl/crypto/conf/conf_lib.c

@@ -476,6 +476,9 @@ int OPENSSL_INIT_set_config_appname(OPENSSL_INIT_SETTINGS *settings,
 
 void OPENSSL_INIT_free(OPENSSL_INIT_SETTINGS *settings)
 {
+    if (settings == NULL)
+        return;
+
     free(settings->filename);
     free(settings->appname);
     free(settings);

libs/openssl/crypto/conf/conf_mod.c

@@ -99,7 +99,7 @@ static void module_lists_free(void)
 
 DEFINE_RUN_ONCE_STATIC(do_init_module_list_lock)
 {
-    module_list_lock = ossl_rcu_lock_new(1);
+    module_list_lock = ossl_rcu_lock_new(1, NULL);
     if (module_list_lock == NULL) {
         ERR_raise(ERR_LIB_CONF, ERR_R_CRYPTO_LIB);
         return 0;
@@ -518,13 +518,14 @@ void CONF_modules_unload(int all)
 
     old_modules = ossl_rcu_deref(&supported_modules);
     new_modules = sk_CONF_MODULE_dup(old_modules);
-    to_delete = sk_CONF_MODULE_new_null();
 
     if (new_modules == NULL) {
         ossl_rcu_write_unlock(module_list_lock);
         return;
     }
 
+    to_delete = sk_CONF_MODULE_new_null();
+
     /* unload modules in reverse order */
     for (i = sk_CONF_MODULE_num(new_modules) - 1; i >= 0; i--) {
         md = sk_CONF_MODULE_value(new_modules, i);

libs/openssl/crypto/conf/conf_sap.c

@@ -38,6 +38,8 @@ void OPENSSL_config(const char *appname)
         settings.appname = strdup(appname);
     settings.flags = DEFAULT_CONF_MFLAGS;
     OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, &settings);
+
+    free(settings.appname);
 }
 #endif
 

libs/openssl/crypto/context.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -29,6 +29,7 @@ struct ossl_lib_ctx_st {
     void *global_properties;
     void *drbg;
     void *drbg_nonce;
+    CRYPTO_THREAD_LOCAL rcu_local_key;
 #ifndef FIPS_MODULE
     void *provider_conf;
     void *bio_core;
@@ -81,9 +82,12 @@ static int context_init(OSSL_LIB_CTX *ctx)
 {
     int exdata_done = 0;
 
+    if (!CRYPTO_THREAD_init_local(&ctx->rcu_local_key, NULL))
+        return 0;
+
     ctx->lock = CRYPTO_THREAD_lock_new();
     if (ctx->lock == NULL)
-        return 0;
+        goto err;
 
     ctx->rand_crngt_lock = CRYPTO_THREAD_lock_new();
     if (ctx->rand_crngt_lock == NULL)
@@ -209,6 +213,7 @@ static int context_init(OSSL_LIB_CTX *ctx)
 
     CRYPTO_THREAD_lock_free(ctx->rand_crngt_lock);
     CRYPTO_THREAD_lock_free(ctx->lock);
+    CRYPTO_THREAD_cleanup_local(&ctx->rcu_local_key);
     memset(ctx, '\0', sizeof(*ctx));
     return 0;
 }
@@ -355,6 +360,7 @@ static int context_deinit(OSSL_LIB_CTX *ctx)
     CRYPTO_THREAD_lock_free(ctx->lock);
     ctx->rand_crngt_lock = NULL;
     ctx->lock = NULL;
+    CRYPTO_THREAD_cleanup_local(&ctx->rcu_local_key);
     return 1;
 }
 
@@ -471,7 +477,7 @@ int OSSL_LIB_CTX_load_config(OSSL_LIB_CTX *ctx, const char *config_file)
 
 void OSSL_LIB_CTX_free(OSSL_LIB_CTX *ctx)
 {
-    if (ossl_lib_ctx_is_default(ctx))
+    if (ctx == NULL || ossl_lib_ctx_is_default(ctx))
         return;
 
 #ifndef FIPS_MODULE
@@ -652,3 +658,11 @@ const char *ossl_lib_ctx_get_descriptor(OSSL_LIB_CTX *libctx)
     return "Non-default library context";
 #endif
 }
+
+CRYPTO_THREAD_LOCAL *ossl_lib_ctx_get_rcukey(OSSL_LIB_CTX *libctx)
+{
+    libctx = ossl_lib_ctx_get_concrete(libctx);
+    if (libctx == NULL)
+        return NULL;
+    return &libctx->rcu_local_key;
+}

libs/openssl/crypto/ec/ecdsa_ossl.c

@@ -172,7 +172,11 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
         ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
         goto err;
     }
-    order = EC_GROUP_get0_order(group);
+
+    if ((order = EC_GROUP_get0_order(group)) == NULL) {
+        ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
+        goto err;
+    }
 
     /* Preallocate space */
     order_bits = BN_num_bits(order);
@@ -308,7 +312,11 @@ ECDSA_SIG *ossl_ecdsa_simple_sign_sig(const unsigned char *dgst, int dgst_len,
         goto err;
     }
 
-    order = EC_GROUP_get0_order(group);
+    if ((order = EC_GROUP_get0_order(group)) == NULL) {
+        ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
+        goto err;
+    }
+
     i = BN_num_bits(order);
     /*
      * Need to truncate digest if it is too long: first truncate whole bytes.

libs/openssl/crypto/engine/eng_list.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2024 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -243,6 +243,7 @@ ENGINE *ENGINE_get_first(void)
         int ref;
 
         if (!CRYPTO_UP_REF(&ret->struct_ref, &ref)) {
+            CRYPTO_THREAD_unlock(global_engine_lock);
             ERR_raise(ERR_LIB_ENGINE, ERR_R_CRYPTO_LIB);
             return NULL;
         }
@@ -269,6 +270,7 @@ ENGINE *ENGINE_get_last(void)
         int ref;
 
         if (!CRYPTO_UP_REF(&ret->struct_ref, &ref)) {
+            CRYPTO_THREAD_unlock(global_engine_lock);
             ERR_raise(ERR_LIB_ENGINE, ERR_R_CRYPTO_LIB);
             return NULL;
         }
@@ -294,6 +296,7 @@ ENGINE *ENGINE_get_next(ENGINE *e)
 
         /* Return a valid structural reference to the next ENGINE */
         if (!CRYPTO_UP_REF(&ret->struct_ref, &ref)) {
+            CRYPTO_THREAD_unlock(global_engine_lock);
             ERR_raise(ERR_LIB_ENGINE, ERR_R_CRYPTO_LIB);
             return NULL;
         }
@@ -320,6 +323,7 @@ ENGINE *ENGINE_get_prev(ENGINE *e)
 
         /* Return a valid structural reference to the next ENGINE */
         if (!CRYPTO_UP_REF(&ret->struct_ref, &ref)) {
+            CRYPTO_THREAD_unlock(global_engine_lock);
             ERR_raise(ERR_LIB_ENGINE, ERR_R_CRYPTO_LIB);
             return NULL;
         }

libs/openssl/crypto/engine/eng_table.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2024 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -215,9 +215,11 @@ ENGINE *ossl_engine_table_select(ENGINE_TABLE **table, int nid,
                    f, l, nid);
         return NULL;
     }
-    ERR_set_mark();
+
     if (!CRYPTO_THREAD_write_lock(global_engine_lock))
-        goto end;
+        return NULL;
+
+    ERR_set_mark();
     /*
      * Check again inside the lock otherwise we could race against cleanup
      * operations. But don't worry about a debug printout

libs/openssl/crypto/evp/ctrl_params_translate.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -2845,7 +2845,7 @@ static int evp_pkey_ctx_setget_params_to_ctrl(EVP_PKEY_CTX *pctx,
         fixup_args_fn *fixup = default_fixup_args;
         int ret;
 
-        tmpl.action_type = action_type;
+        ctx.action_type = tmpl.action_type = action_type;
         tmpl.keytype1 = tmpl.keytype2 = keytype;
         tmpl.optype = optype;
         tmpl.param_key = params->key;
@@ -2854,7 +2854,6 @@ static int evp_pkey_ctx_setget_params_to_ctrl(EVP_PKEY_CTX *pctx,
         if (translation != NULL) {
             if (translation->fixup_args != NULL)
                 fixup = translation->fixup_args;
-            ctx.action_type = translation->action_type;
             ctx.ctrl_cmd = translation->ctrl_num;
         }
         ctx.pctx = pctx;

libs/openssl/crypto/evp/digest.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -425,7 +425,7 @@ int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count)
 
     /* Code below to be removed when legacy support is dropped. */
  legacy:
-    return ctx->update(ctx, data, count);
+    return ctx->update != NULL ? ctx->update(ctx, data, count) : 0;
 }
 
 /* The caller can assume that this removes any secret data from the context */

libs/openssl/crypto/evp/names.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -78,6 +78,7 @@ const EVP_CIPHER *evp_get_cipherbyname_ex(OSSL_LIB_CTX *libctx,
     const EVP_CIPHER *cp;
     OSSL_NAMEMAP *namemap;
     int id;
+    int do_retry = 1;
 
     if (!OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS, NULL))
         return NULL;
@@ -94,9 +95,21 @@ const EVP_CIPHER *evp_get_cipherbyname_ex(OSSL_LIB_CTX *libctx,
      */
 
     namemap = ossl_namemap_stored(libctx);
+ retry:
     id = ossl_namemap_name2num(namemap, name);
-    if (id == 0)
-        return NULL;
+    if (id == 0) {
+        EVP_CIPHER *fetched_cipher;
+
+        /* Try to fetch it because the name might not be known yet. */
+        if (!do_retry)
+            return NULL;
+        do_retry = 0;
+        ERR_set_mark();
+        fetched_cipher = EVP_CIPHER_fetch(libctx, name, NULL);
+        EVP_CIPHER_free(fetched_cipher);
+        ERR_pop_to_mark();
+        goto retry;
+    }
 
     if (!ossl_namemap_doall_names(namemap, id, cipher_from_name, &cp))
         return NULL;
@@ -124,6 +137,7 @@ const EVP_MD *evp_get_digestbyname_ex(OSSL_LIB_CTX *libctx, const char *name)
     const EVP_MD *dp;
     OSSL_NAMEMAP *namemap;
     int id;
+    int do_retry = 1;
 
     if (!OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_DIGESTS, NULL))
         return NULL;
@@ -140,9 +154,21 @@ const EVP_MD *evp_get_digestbyname_ex(OSSL_LIB_CTX *libctx, const char *name)
      */
 
     namemap = ossl_namemap_stored(libctx);
+ retry:
     id = ossl_namemap_name2num(namemap, name);
-    if (id == 0)
-        return NULL;
+    if (id == 0) {
+        EVP_MD *fetched_md;
+
+        /* Try to fetch it because the name might not be known yet. */
+        if (!do_retry)
+            return NULL;
+        do_retry = 0;
+        ERR_set_mark();
+        fetched_md = EVP_MD_fetch(libctx, name, NULL);
+        EVP_MD_free(fetched_md);
+        ERR_pop_to_mark();
+        goto retry;
+    }
 
     if (!ossl_namemap_doall_names(namemap, id, digest_from_name, &dp))
         return NULL;

libs/openssl/crypto/evp/pmeth_lib.c

@@ -1008,6 +1008,7 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
                                           int datalen)
 {
     OSSL_PARAM os_params[2];
+    const OSSL_PARAM *gettables;
     unsigned char *info = NULL;
     size_t info_len = 0;
     size_t info_alloc = 0;
@@ -1031,6 +1032,12 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
         return 1;
     }
 
+    /* Check for older provider that doesn't support getting this parameter */
+    gettables = EVP_PKEY_CTX_gettable_params(ctx);
+    if (gettables == NULL || OSSL_PARAM_locate_const(gettables, param) == NULL)
+        return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl,
+                                              data, datalen);
+
     /* Get the original value length */
     os_params[0] = OSSL_PARAM_construct_octet_string(param, NULL, 0);
     os_params[1] = OSSL_PARAM_construct_end();
@@ -1038,9 +1045,9 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
     if (!EVP_PKEY_CTX_get_params(ctx, os_params))
         return 0;
 
-    /* Older provider that doesn't support getting this parameter */
+    /* This should not happen but check to be sure. */
     if (os_params[0].return_size == OSSL_PARAM_UNMODIFIED)
-        return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl, data, datalen);
+        return 0;
 
     info_alloc = os_params[0].return_size + datalen;
     if (info_alloc == 0)

libs/openssl/crypto/o_str.c

@@ -225,12 +225,14 @@ static int buf2hexstr_sep(char *str, size_t str_n, size_t *strlength,
     int has_sep = (sep != CH_ZERO);
     size_t len = has_sep ? buflen * 3 : 1 + buflen * 2;
 
+    if (len == 0)
+        ++len;
     if (strlength != NULL)
         *strlength = len;
     if (str == NULL)
         return 1;
 
-    if (str_n < (unsigned long)len) {
+    if (str_n < len) {
         ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_TOO_SMALL_BUFFER);
         return 0;
     }
@@ -242,7 +244,7 @@ static int buf2hexstr_sep(char *str, size_t str_n, size_t *strlength,
         if (has_sep)
             *q++ = sep;
     }
-    if (has_sep)
+    if (has_sep && buflen > 0)
         --q;
     *q = CH_ZERO;
 

libs/openssl/crypto/objects/obj_dat.c

@@ -263,7 +263,7 @@ int OBJ_new_nid(int num)
 static int ossl_obj_add_object(const ASN1_OBJECT *obj, int lock)
 {
     ASN1_OBJECT *o = NULL;
-    ADDED_OBJ *ao[4] = { NULL, NULL, NULL, NULL }, *aop;
+    ADDED_OBJ *ao[4] = { NULL, NULL, NULL, NULL }, *aop[4];
     int i;
 
     if ((o = OBJ_dup(obj)) == NULL)
@@ -294,9 +294,21 @@ static int ossl_obj_add_object(const ASN1_OBJECT *obj, int lock)
         if (ao[i] != NULL) {
             ao[i]->type = i;
             ao[i]->obj = o;
-            aop = lh_ADDED_OBJ_insert(added, ao[i]);
-            /* memory leak, but should not normally matter */
-            OPENSSL_free(aop);
+            aop[i] = lh_ADDED_OBJ_retrieve(added, ao[i]);
+            if (aop[i] != NULL)
+                aop[i]->type = -1;
+            (void)lh_ADDED_OBJ_insert(added, ao[i]);
+            if (lh_ADDED_OBJ_error(added)) {
+                if (aop[i] != NULL)
+                    aop[i]->type = i;
+                while (i-- > ADDED_DATA) {
+                    lh_ADDED_OBJ_delete(added, ao[i]);
+                    if (aop[i] != NULL)
+                        aop[i]->type = i;
+                }
+                ERR_raise(ERR_LIB_OBJ, ERR_R_CRYPTO_LIB);
+                goto err;
+            }
         }
     }
     o->flags &=

libs/openssl/crypto/pkcs12/p12_crt.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -249,16 +249,19 @@ PKCS12_SAFEBAG *PKCS12_add_key_ex(STACK_OF(PKCS12_SAFEBAG) **pbags,
     if (key_usage && !PKCS8_add_keyusage(p8, key_usage))
         goto err;
     if (nid_key != -1) {
+        /* This call does not take ownership of p8 */
         bag = PKCS12_SAFEBAG_create_pkcs8_encrypt_ex(nid_key, pass, -1, NULL, 0,
                                                      iter, p8, ctx, propq);
-        PKCS8_PRIV_KEY_INFO_free(p8);
-    } else
+    } else {
         bag = PKCS12_SAFEBAG_create0_p8inf(p8);
+        if (bag != NULL)
+           p8 = NULL; /* bag takes ownership of p8 */
+    }
+    /* This does not need to be in the error path */
+    if (p8 != NULL)
+        PKCS8_PRIV_KEY_INFO_free(p8);
 
-    if (!bag)
-        goto err;
-
-    if (!pkcs12_add_bag(pbags, bag))
+    if (bag == NULL || !pkcs12_add_bag(pbags, bag))
         goto err;
 
     return bag;

libs/openssl/crypto/pkcs7/pk7_doit.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -1234,36 +1234,29 @@ static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype,
                          void *value)
 {
     X509_ATTRIBUTE *attr = NULL;
+    int i, n;
 
     if (*sk == NULL) {
         if ((*sk = sk_X509_ATTRIBUTE_new_null()) == NULL)
             return 0;
- new_attrib:
-        if ((attr = X509_ATTRIBUTE_create(nid, atrtype, value)) == NULL)
-            return 0;
-        if (!sk_X509_ATTRIBUTE_push(*sk, attr)) {
-            X509_ATTRIBUTE_free(attr);
-            return 0;
-        }
-    } else {
-        int i;
-
-        for (i = 0; i < sk_X509_ATTRIBUTE_num(*sk); i++) {
-            attr = sk_X509_ATTRIBUTE_value(*sk, i);
-            if (OBJ_obj2nid(X509_ATTRIBUTE_get0_object(attr)) == nid) {
-                X509_ATTRIBUTE_free(attr);
-                attr = X509_ATTRIBUTE_create(nid, atrtype, value);
-                if (attr == NULL)
-                    return 0;
-                if (!sk_X509_ATTRIBUTE_set(*sk, i, attr)) {
-                    X509_ATTRIBUTE_free(attr);
-                    return 0;
-                }
-                goto end;
-            }
-        }
-        goto new_attrib;
     }
+    n = sk_X509_ATTRIBUTE_num(*sk);
+    for (i = 0; i < n; i++) {
+        attr = sk_X509_ATTRIBUTE_value(*sk, i);
+        if (OBJ_obj2nid(X509_ATTRIBUTE_get0_object(attr)) == nid)
+            goto end;
+    }
+    if (!sk_X509_ATTRIBUTE_push(*sk, NULL))
+        return 0;
+
  end:
+    attr = X509_ATTRIBUTE_create(nid, atrtype, value);
+    if (attr == NULL) {
+        if (i == n)
+            sk_X509_ATTRIBUTE_pop(*sk);
+        return 0;
+    }
+    X509_ATTRIBUTE_free(sk_X509_ATTRIBUTE_value(*sk, i));
+    (void) sk_X509_ATTRIBUTE_set(*sk, i, attr);
     return 1;
 }

libs/openssl/crypto/property/property.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2019, Oracle and/or its affiliates.  All rights reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -96,6 +96,8 @@ typedef struct {
 
 DEFINE_SPARSE_ARRAY_OF(ALGORITHM);
 
+DEFINE_STACK_OF(ALGORITHM)
+
 typedef struct ossl_global_properties_st {
     OSSL_PROPERTY_LIST *list;
 #ifndef FIPS_MODULE
@@ -461,33 +463,45 @@ static void alg_do_one(ALGORITHM *alg, IMPLEMENTATION *impl,
     fn(alg->nid, impl->method.method, fnarg);
 }
 
-struct alg_do_each_data_st {
-    void (*fn)(int id, void *method, void *fnarg);
-    void *fnarg;
-};
-
-static void alg_do_each(ossl_uintmax_t idx, ALGORITHM *alg, void *arg)
+static void alg_copy(ossl_uintmax_t idx, ALGORITHM *alg, void *arg)
 {
-    struct alg_do_each_data_st *data = arg;
-    int i, end = sk_IMPLEMENTATION_num(alg->impls);
-
-    for (i = 0; i < end; i++) {
-        IMPLEMENTATION *impl = sk_IMPLEMENTATION_value(alg->impls, i);
+    STACK_OF(ALGORITHM) *newalg = arg;
 
-        alg_do_one(alg, impl, data->fn, data->fnarg);
-    }
+    (void)sk_ALGORITHM_push(newalg, alg);
 }
 
 void ossl_method_store_do_all(OSSL_METHOD_STORE *store,
                               void (*fn)(int id, void *method, void *fnarg),
                               void *fnarg)
 {
-    struct alg_do_each_data_st data;
+    int i, j;
+    int numalgs, numimps;
+    STACK_OF(ALGORITHM) *tmpalgs;
+    ALGORITHM *alg;
 
-    data.fn = fn;
-    data.fnarg = fnarg;
-    if (store != NULL)
-        ossl_sa_ALGORITHM_doall_arg(store->algs, alg_do_each, &data);
+    if (store != NULL) {
+
+        if (!ossl_property_read_lock(store))
+            return;
+       
+        tmpalgs = sk_ALGORITHM_new_reserve(NULL,
+                                           ossl_sa_ALGORITHM_num(store->algs));
+        if (tmpalgs == NULL) {
+            ossl_property_unlock(store);
+            return;
+        }
+
+        ossl_sa_ALGORITHM_doall_arg(store->algs, alg_copy, tmpalgs);
+        ossl_property_unlock(store);
+        numalgs = sk_ALGORITHM_num(tmpalgs);
+        for (i = 0; i < numalgs; i++) {
+            alg = sk_ALGORITHM_value(tmpalgs, i);
+            numimps = sk_IMPLEMENTATION_num(alg->impls);
+            for (j = 0; j < numimps; j++)
+                alg_do_one(alg, sk_IMPLEMENTATION_value(alg->impls, j), fn, fnarg);
+        }
+        sk_ALGORITHM_free(tmpalgs);
+    }
 }
 
 int ossl_method_store_fetch(OSSL_METHOD_STORE *store,
@@ -643,10 +657,13 @@ static void impl_cache_flush_one_alg(ossl_uintmax_t idx, ALGORITHM *alg,
                                      void *v)
 {
     IMPL_CACHE_FLUSH *state = (IMPL_CACHE_FLUSH *)v;
+    unsigned long orig_down_load = lh_QUERY_get_down_load(alg->cache);
 
     state->cache = alg->cache;
+    lh_QUERY_set_down_load(alg->cache, 0);
     lh_QUERY_doall_IMPL_CACHE_FLUSH(state->cache, &impl_cache_flush_cache,
                                     state);
+    lh_QUERY_set_down_load(alg->cache, orig_down_load);
 }
 
 static void ossl_method_cache_flush_some(OSSL_METHOD_STORE *store)

libs/openssl/crypto/rand/randfile.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -16,6 +16,7 @@
 # include <sys/stat.h>
 #endif
 
+#include "internal/e_os.h"
 #include "internal/cryptlib.h"
 
 #include <errno.h>
@@ -208,8 +209,16 @@ int RAND_write_file(const char *file)
          * should be restrictive from the start
          */
         int fd = open(file, O_WRONLY | O_CREAT | O_BINARY, 0600);
-        if (fd != -1)
+
+        if (fd != -1) {
             out = fdopen(fd, "wb");
+            if (out == NULL) {
+                close(fd);
+                ERR_raise_data(ERR_LIB_RAND, RAND_R_CANNOT_OPEN_FILE,
+                               "Filename=%s", file);
+                return -1;
+            }
+        }
     }
 #endif
 

libs/openssl/crypto/rsa/rsa_oaep.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -184,7 +184,7 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
 
     mdlen = EVP_MD_get_size(md);
 
-    if (tlen <= 0 || flen <= 0)
+    if (tlen <= 0 || flen <= 0 || mdlen <= 0)
         return -1;
     /*
      * |num| is the length of the modulus; |flen| is the length of the

libs/openssl/crypto/sm3/sm3_local.h

@@ -1,5 +1,5 @@
 /*
- * Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2024 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright 2017 Ribose Inc. All Rights Reserved.
  * Ported from Ribose contributions from Botan.
  *
@@ -39,7 +39,7 @@
 #  define HWSM3_CAPABLE (OPENSSL_armcap_P & ARMV8_SM3)
 void ossl_hwsm3_block_data_order(SM3_CTX *c, const void *p, size_t num);
 # endif
-# if defined(__riscv) && __riscv_xlen == 64
+# if defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 64
 #  include "crypto/riscv_arch.h"
 #  define HWSM3_CAPABLE 1
 void ossl_hwsm3_block_data_order(SM3_CTX *c, const void *p, size_t num);

libs/openssl/crypto/threads_none.c

@@ -23,7 +23,8 @@ struct rcu_lock_st {
     struct rcu_cb_item *cb_items;
 };
 
-CRYPTO_RCU_LOCK *ossl_rcu_lock_new(int num_writers)
+CRYPTO_RCU_LOCK *ossl_rcu_lock_new(int num_writers,
+                                   ossl_unused OSSL_LIB_CTX *ctx)
 {
     struct rcu_lock_st *lock;
 

libs/openssl/crypto/threads_pthread.c

@@ -244,8 +244,6 @@ static ossl_inline uint64_t fallback_atomic_or_fetch(uint64_t *p, uint64_t m)
 #  define ATOMIC_OR_FETCH(p, v, o) fallback_atomic_or_fetch(p, v)
 # endif
 
-static CRYPTO_THREAD_LOCAL rcu_thr_key;
-
 /*
  * users is broken up into 2 parts
  * bits 0-15 current readers
@@ -300,6 +298,9 @@ struct rcu_lock_st {
     /* Callbacks to call for next ossl_synchronize_rcu */
     struct rcu_cb_item *cb_items;
 
+    /* The context we are being created against */
+    OSSL_LIB_CTX *ctx;
+
     /* rcu generation counter for in-order retirement */
     uint32_t id_ctr;
 
@@ -337,24 +338,6 @@ struct rcu_lock_st {
     pthread_cond_t prior_signal;
 };
 
-/*
- * Called on thread exit to free the pthread key
- * associated with this thread, if any
- */
-static void free_rcu_thr_data(void *ptr)
-{
-    struct rcu_thr_data *data =
-                        (struct rcu_thr_data *)CRYPTO_THREAD_get_local(&rcu_thr_key);
-
-    OPENSSL_free(data);
-    CRYPTO_THREAD_set_local(&rcu_thr_key, NULL);
-}
-
-static void ossl_rcu_init(void)
-{
-    CRYPTO_THREAD_init_local(&rcu_thr_key, NULL);
-}
-
 /* Read side acquisition of the current qp */
 static struct rcu_qp *get_hold_current_qp(struct rcu_lock_st *lock)
 {
@@ -403,22 +386,33 @@ static struct rcu_qp *get_hold_current_qp(struct rcu_lock_st *lock)
     return &lock->qp_group[qp_idx];
 }
 
+static void ossl_rcu_free_local_data(void *arg)
+{
+    OSSL_LIB_CTX *ctx = arg;
+    CRYPTO_THREAD_LOCAL *lkey = ossl_lib_ctx_get_rcukey(ctx);
+    struct rcu_thr_data *data = CRYPTO_THREAD_get_local(lkey);
+
+    OPENSSL_free(data);
+    CRYPTO_THREAD_set_local(lkey, NULL);
+}
+
 void ossl_rcu_read_lock(CRYPTO_RCU_LOCK *lock)
 {
     struct rcu_thr_data *data;
     int i, available_qp = -1;
+    CRYPTO_THREAD_LOCAL *lkey = ossl_lib_ctx_get_rcukey(lock->ctx);
 
     /*
      * we're going to access current_qp here so ask the
      * processor to fetch it
      */
-    data = CRYPTO_THREAD_get_local(&rcu_thr_key);
+    data = CRYPTO_THREAD_get_local(lkey);
 
     if (data == NULL) {
         data = OPENSSL_zalloc(sizeof(*data));
         OPENSSL_assert(data != NULL);
-        CRYPTO_THREAD_set_local(&rcu_thr_key, data);
-        ossl_init_thread_start(NULL, NULL, free_rcu_thr_data);
+        CRYPTO_THREAD_set_local(lkey, data);
+        ossl_init_thread_start(NULL, lock->ctx, ossl_rcu_free_local_data);
     }
 
     for (i = 0; i < MAX_QPS; i++) {
@@ -444,7 +438,8 @@ void ossl_rcu_read_lock(CRYPTO_RCU_LOCK *lock)
 void ossl_rcu_read_unlock(CRYPTO_RCU_LOCK *lock)
 {
     int i;
-    struct rcu_thr_data *data = CRYPTO_THREAD_get_local(&rcu_thr_key);
+    CRYPTO_THREAD_LOCAL *lkey = ossl_lib_ctx_get_rcukey(lock->ctx);
+    struct rcu_thr_data *data = CRYPTO_THREAD_get_local(lkey);
     uint64_t ret;
 
     assert(data != NULL);
@@ -637,22 +632,22 @@ void ossl_rcu_assign_uptr(void **p, void **v)
     ATOMIC_STORE(pvoid, p, v, __ATOMIC_RELEASE);
 }
 
-static CRYPTO_ONCE rcu_init_once = CRYPTO_ONCE_STATIC_INIT;
-
-CRYPTO_RCU_LOCK *ossl_rcu_lock_new(int num_writers)
+CRYPTO_RCU_LOCK *ossl_rcu_lock_new(int num_writers, OSSL_LIB_CTX *ctx)
 {
     struct rcu_lock_st *new;
 
-    if (!CRYPTO_THREAD_run_once(&rcu_init_once, ossl_rcu_init))
-        return NULL;
-
     if (num_writers < 1)
         num_writers = 1;
 
+    ctx = ossl_lib_ctx_get_concrete(ctx);
+    if (ctx == NULL)
+        return 0;
+
     new = OPENSSL_zalloc(sizeof(*new));
     if (new == NULL)
         return NULL;
 
+    new->ctx = ctx;
     pthread_mutex_init(&new->write_lock, NULL);
     pthread_mutex_init(&new->prior_lock, NULL);
     pthread_mutex_init(&new->alloc_lock, NULL);

libs/openssl/crypto/threads_win.c

@@ -43,8 +43,6 @@ typedef struct {
 } CRYPTO_win_rwlock;
 # endif
 
-static CRYPTO_THREAD_LOCAL rcu_thr_key;
-
 # define READER_SHIFT 0
 # define ID_SHIFT 32 
 # define READER_SIZE 32 
@@ -92,6 +90,7 @@ struct rcu_thr_data {
  */
 struct rcu_lock_st {
     struct rcu_cb_item *cb_items;
+    OSSL_LIB_CTX *ctx;
     uint32_t id_ctr;
     struct rcu_qp *qp_group;
     size_t group_count;
@@ -106,26 +105,6 @@ struct rcu_lock_st {
     CRYPTO_CONDVAR *prior_signal;
 };
 
-/*
- * Called on thread exit to free the pthread key
- * associated with this thread, if any
- */
-static void free_rcu_thr_data(void *ptr)
-{
-    struct rcu_thr_data *data =
-                        (struct rcu_thr_data *)CRYPTO_THREAD_get_local(&rcu_thr_key);
-
-    OPENSSL_free(data);
-    CRYPTO_THREAD_set_local(&rcu_thr_key, NULL);
-}
-
-
-static void ossl_rcu_init(void)
-{
-    CRYPTO_THREAD_init_local(&rcu_thr_key, NULL);
-    ossl_init_thread_start(NULL, NULL, free_rcu_thr_data);
-}
-
 static struct rcu_qp *allocate_new_qp_group(struct rcu_lock_st *lock,
                                             int count)
 {
@@ -136,23 +115,23 @@ static struct rcu_qp *allocate_new_qp_group(struct rcu_lock_st *lock,
     return new;
 }
 
-static CRYPTO_ONCE rcu_init_once = CRYPTO_ONCE_STATIC_INIT;
-
-CRYPTO_RCU_LOCK *ossl_rcu_lock_new(int num_writers)
+CRYPTO_RCU_LOCK *ossl_rcu_lock_new(int num_writers, OSSL_LIB_CTX *ctx)
 {
     struct rcu_lock_st *new;
 
-    if (!CRYPTO_THREAD_run_once(&rcu_init_once, ossl_rcu_init))
-        return NULL;
-
     if (num_writers < 1)
         num_writers = 1;
 
+    ctx = ossl_lib_ctx_get_concrete(ctx);
+    if (ctx == NULL)
+        return 0;
+
     new = OPENSSL_zalloc(sizeof(*new));
 
     if (new == NULL)
         return NULL;
 
+    new->ctx = ctx;
     new->write_lock = ossl_crypto_mutex_new();
     new->alloc_signal = ossl_crypto_condvar_new();
     new->prior_signal = ossl_crypto_condvar_new();
@@ -205,22 +184,33 @@ static ossl_inline struct rcu_qp *get_hold_current_qp(CRYPTO_RCU_LOCK *lock)
     return &lock->qp_group[qp_idx];
 }
 
+static void ossl_rcu_free_local_data(void *arg)
+{
+    OSSL_LIB_CTX *ctx = arg;
+    CRYPTO_THREAD_LOCAL *lkey = ossl_lib_ctx_get_rcukey(ctx);
+    struct rcu_thr_data *data = CRYPTO_THREAD_get_local(lkey);
+    OPENSSL_free(data);
+    CRYPTO_THREAD_set_local(lkey, NULL);
+}
+
 void ossl_rcu_read_lock(CRYPTO_RCU_LOCK *lock)
 {
     struct rcu_thr_data *data;
     int i;
     int available_qp = -1;
+    CRYPTO_THREAD_LOCAL *lkey = ossl_lib_ctx_get_rcukey(lock->ctx);
 
     /*
      * we're going to access current_qp here so ask the
      * processor to fetch it
      */
-    data = CRYPTO_THREAD_get_local(&rcu_thr_key);
+    data = CRYPTO_THREAD_get_local(lkey);
 
     if (data == NULL) {
         data = OPENSSL_zalloc(sizeof(*data));
         OPENSSL_assert(data != NULL);
-        CRYPTO_THREAD_set_local(&rcu_thr_key, data);
+        CRYPTO_THREAD_set_local(lkey, data);
+        ossl_init_thread_start(NULL, lock->ctx, ossl_rcu_free_local_data);
     }
 
     for (i = 0; i < MAX_QPS; i++) {
@@ -253,7 +243,8 @@ void ossl_rcu_write_unlock(CRYPTO_RCU_LOCK *lock)
 
 void ossl_rcu_read_unlock(CRYPTO_RCU_LOCK *lock)
 {
-    struct rcu_thr_data *data = CRYPTO_THREAD_get_local(&rcu_thr_key);
+    CRYPTO_THREAD_LOCAL *lkey = ossl_lib_ctx_get_rcukey(lock->ctx);
+    struct rcu_thr_data *data = CRYPTO_THREAD_get_local(lkey);
     int i;
     LONG64 ret;
 

libs/openssl/crypto/x509/v3_utl.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -916,36 +916,64 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
             ASN1_STRING *cstr;
 
             gen = sk_GENERAL_NAME_value(gens, i);
-            if ((gen->type == GEN_OTHERNAME) && (check_type == GEN_EMAIL)) {
-                if (OBJ_obj2nid(gen->d.otherName->type_id) ==
-                    NID_id_on_SmtpUTF8Mailbox) {
-                    san_present = 1;
-
-                    /*
-                     * If it is not a UTF8String then that is unexpected and we
-                     * treat it as no match
-                     */
-                    if (gen->d.otherName->value->type == V_ASN1_UTF8STRING) {
-                        cstr = gen->d.otherName->value->value.utf8string;
-
-                        /* Positive on success, negative on error! */
-                        if ((rv = do_check_string(cstr, 0, equal, flags,
-                                                chk, chklen, peername)) != 0)
-                            break;
-                    }
-                } else
+            switch (gen->type) {
+            default:
+                continue;
+            case GEN_OTHERNAME:
+		switch (OBJ_obj2nid(gen->d.otherName->type_id)) {
+                default:
                     continue;
-            } else {
-                if ((gen->type != check_type) && (gen->type != GEN_OTHERNAME))
+                case NID_id_on_SmtpUTF8Mailbox:
+                    /*-
+                     * https://datatracker.ietf.org/doc/html/rfc8398#section-3
+                     *
+                     *   Due to name constraint compatibility reasons described
+                     *   in Section 6, SmtpUTF8Mailbox subjectAltName MUST NOT
+                     *   be used unless the local-part of the email address
+                     *   contains non-ASCII characters. When the local-part is
+                     *   ASCII, rfc822Name subjectAltName MUST be used instead
+                     *   of SmtpUTF8Mailbox. This is compatible with legacy
+                     *   software that supports only rfc822Name (and not
+                     *   SmtpUTF8Mailbox). [...]
+                     *
+                     *   SmtpUTF8Mailbox is encoded as UTF8String.
+                     *
+                     * If it is not a UTF8String then that is unexpected, and
+                     * we ignore the invalid SAN (neither set san_present nor
+                     * consider it a candidate for equality).  This does mean
+                     * that the subject CN may be considered, as would be the
+                     * case when the malformed SmtpUtf8Mailbox SAN is instead
+                     * simply absent.
+                     *
+                     * When CN-ID matching is not desirable, applications can
+                     * choose to turn it off, doing so is at this time a best
+                     * practice.
+                     */
+                    if (check_type != GEN_EMAIL
+                        || gen->d.otherName->value->type != V_ASN1_UTF8STRING)
+                        continue;
+                    alt_type = 0;
+                    cstr = gen->d.otherName->value->value.utf8string;
+                    break;
+                }
+                break;
+            case GEN_EMAIL:
+                if (check_type != GEN_EMAIL)
                     continue;
-            }
-            san_present = 1;
-            if (check_type == GEN_EMAIL)
                 cstr = gen->d.rfc822Name;
-            else if (check_type == GEN_DNS)
+                break;
+            case GEN_DNS:
+                if (check_type != GEN_DNS)
+                    continue;
                 cstr = gen->d.dNSName;
-            else
+                break;
+            case GEN_IPADD:
+                if (check_type != GEN_IPADD)
+                    continue;
                 cstr = gen->d.iPAddress;
+                break;
+            }
+            san_present = 1;
             /* Positive on success, negative on error! */
             if ((rv = do_check_string(cstr, alt_type, equal, flags,
                                       chk, chklen, peername)) != 0)

libs/openssl/crypto/x509/x_name.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -480,8 +480,8 @@ static int i2d_name_canon(const STACK_OF(STACK_OF_X509_NAME_ENTRY) * _intname,
         v = sk_ASN1_VALUE_value(intname, i);
         ltmp = ASN1_item_ex_i2d(&v, in,
                                 ASN1_ITEM_rptr(X509_NAME_ENTRIES), -1, -1);
-        if (ltmp < 0)
-            return ltmp;
+        if (ltmp < 0 || len > INT_MAX - ltmp)
+            return -1;
         len += ltmp;
     }
     return len;

libs/openssl/doc/HOWTO/certificates.txt

@@ -89,7 +89,7 @@ was kind enough, your certificate is a raw DER thing in PEM format.
 Your key most definitely is if you have followed the examples above.
 However, some (most?) certificate authorities will encode them with
 things like PKCS7 or PKCS12, or something else.  Depending on your
-applications, this may be perfectly OK, it all depends on what they
+applications, this may be perfectly OK.  It all depends on what they
 know how to decode.  If not, there are a number of OpenSSL tools to
 convert between some (most?) formats.
 

libs/openssl/doc/fingerprints.txt

@@ -12,9 +12,6 @@ in the file named openssl-1.0.1h.tar.gz.asc.
 The following is the list of fingerprints for the keys that are
 currently in use to sign OpenSSL distributions:
 
-OpenSSL OMC:
-EFC0 A467 D613 CB83 C7ED 6D30 D894 E2CE 8B3D 79F5
-
 OpenSSL:
 BA54 73A2 B058 7B07 FB27 CF2D 2160 94DF D0CB 81EF
 

libs/openssl/doc/internal/man3/ossl_rcu_lock_new.pod

@@ -13,7 +13,7 @@ ossl_rcu_assign_uptr
 
 =head1 SYNOPSIS
 
- CRYPTO_RCU_LOCK *ossl_rcu_lock_new(int num_writers);
+ CRYPTO_RCU_LOCK *ossl_rcu_lock_new(int num_writers, OSSL_LIB_CTX *ctx);
  void ossl_rcu_read_lock(CRYPTO_RCU_LOCK *lock);
  void ossl_rcu_write_lock(CRYPTO_RCU_LOCK *lock);
  void ossl_rcu_write_unlock(CRYPTO_RCU_LOCK *lock);
@@ -65,7 +65,8 @@ ossl_rcu_lock_new() allocates a new RCU lock.  The I<num_writers> param
 indicates the number of write side threads which may execute
 ossl_synchronize_rcu() in parallel.  The value must be at least 1, but may be
 larger to obtain increased write side throughput at the cost of additional
-internal memory usage.  A value of 1 is generally recommended.
+internal memory usage.  A value of 1 is generally recommended. The I<ctx>
+parameter references the library context in which the lock is allocated.
 
 =item *
 

libs/openssl/doc/man1/openssl-ca.pod.in

@@ -177,7 +177,8 @@ See L<openssl-format-options(1)> for details.
 =item B<-sigopt> I<nm>:I<v>
 
 Pass options to the signature algorithm during sign operations.
-Names and values of these options are algorithm-specific.
+Names and values of these options are algorithm-specific and
+documented in L<provider-signature(7)/Signature parameters>.
 
 =item B<-vfyopt> I<nm>:I<v>
 
@@ -852,7 +853,7 @@ L<x509v3_config(5)>
 
 =head1 COPYRIGHT
 
-Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

libs/openssl/doc/man1/openssl-cmp.pod.in

@@ -414,6 +414,12 @@ The file where any newly enrolled certificate should be saved.
 =item B<-chainout> I<filename>
 
 The file where the chain of any newly enrolled certificate should be saved.
+This chain excludes the leaf certificate, i.e., the newly enrolled certificate.
+Also the trust anchor (the root certificate) is not included.
+
+If the B<-certout> option is given, too, with equal I<filename> argument,
+then the file produced contains both outputs concatenated:
+the newly enrolled certificate followed by its chain.
 
 =back
 

libs/openssl/doc/man1/openssl-dgst.pod.in

@@ -126,7 +126,8 @@ See L<openssl-format-options(1)> for details.
 =item B<-sigopt> I<nm>:I<v>
 
 Pass options to the signature algorithm during sign or verify operations.
-Names and values of these options are algorithm-specific.
+Names and values of these options are algorithm-specific and documented
+in L<provider-signature(7)/Signature parameters>.
 
 =item B<-passin> I<arg>
 
@@ -278,7 +279,7 @@ The B<-engine> and B<-engine_impl> options were deprecated in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

libs/openssl/doc/man1/openssl-enc.pod.in

@@ -98,13 +98,19 @@ Base64 process the data. This means that if encryption is taking place
 the data is base64 encoded after encryption. If decryption is set then
 the input data is base64 decoded before being decrypted.
 
+When the B<-A> option not given,
+on encoding a newline is inserted after each 64 characters, and
+on decoding a newline is expected among the first 1024 bytes of input.
+
 =item B<-base64>
 
 Same as B<-a>
 
 =item B<-A>
 
-If the B<-a> option is set then base64 process the data on one line.
+If the B<-a> option is set then base64 encoding produces output without any
+newline character, and base64 decoding does not require any newlines.
+Therefore it can be helpful to use the B<-A> option when decoding unknown input.
 
 =item B<-k> I<password>
 
@@ -463,6 +469,9 @@ or
 =head1 BUGS
 
 The B<-A> option when used with large files doesn't work properly.
+On the other hand, when base64 decoding without the B<-A> option,
+if the first 1024 bytes of input do not include a newline character
+the first two lines of input are ignored.
 
 The B<openssl enc> command only supports a fixed number of algorithms with
 certain parameters. So if, for example, you want to use RC2 with a
@@ -480,7 +489,7 @@ The B<-saltlen> option was added in OpenSSL 3.2.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

libs/openssl/doc/man1/openssl-passphrase-options.pod

@@ -46,26 +46,32 @@ the environment of other processes is visible on certain platforms
 
 =item B<file:>I<pathname>
 
-The first line of I<pathname> is the password. If the same I<pathname>
-argument is supplied to B<-passin> and B<-passout> arguments then the first
-line will be used for the input password and the next line for the output
-password. I<pathname> need not refer to a regular file: it could for example
-refer to a device or named pipe.
+Reads the password from the specified file I<pathname>, which can be a regular
+file, device, or named pipe. Only the first line, up to the newline character,
+is read from the stream.
+
+If the same I<pathname> argument is supplied to both B<-passin> and B<-passout>
+arguments, the first line will be used for the input password, and the next
+line will be used for the output password.
 
 =item B<fd:>I<number>
 
-Read the password from the file descriptor I<number>. This can be used to
-send the data via a pipe for example.
+Reads the password from the file descriptor I<number>. This can be useful for
+sending data via a pipe, for example. The same line handling as described for
+B<file:> applies to passwords read from file descriptors.
+
+B<fd:> is not supported on Windows.
 
 =item B<stdin>
 
-Read the password from standard input.
+Reads the password from standard input. The same line handling as described for
+B<file:> applies to passwords read from standard input.
 
 =back
 
 =head1 COPYRIGHT
 
-Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

libs/openssl/doc/man1/openssl-s_client.pod.in

@@ -656,7 +656,11 @@ For example strings, see L<SSL_CTX_set1_sigalgs(3)>
 =item B<-curves> I<curvelist>
 
 Specifies the list of supported curves to be sent by the client. The curve is
-ultimately selected by the server. For a list of all curves, use:
+ultimately selected by the server.
+
+The list of all supported groups includes named EC parameters as well as X25519
+and X448 or FFDHE groups, and may also include groups implemented in 3rd-party
+providers. For a list of named EC parameters, use:
 
     $ openssl ecparam -list_curves
 
@@ -1044,7 +1048,7 @@ options were added in OpenSSL 3.2.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

libs/openssl/doc/man1/openssl-s_server.pod.in

@@ -671,7 +671,10 @@ Signature algorithms to support for client certificate authentication
 =item B<-named_curve> I<val>
 
 Specifies the elliptic curve to use. NOTE: this is single curve, not a list.
-For a list of all possible curves, use:
+
+The list of all supported groups includes named EC parameters as well as X25519
+and X448 or FFDHE groups, and may also include groups implemented in 3rd-party
+providers. For a list of named EC parameters, use:
 
     $ openssl ecparam -list_curves
 

libs/openssl/doc/man1/openssl-verification-options.pod

@@ -430,7 +430,7 @@ This option may be used multiple times.
 =item B<-policy> I<arg>
 
 Enable policy processing and add I<arg> to the user-initial-policy-set (see
-RFC5280). The policy I<arg> can be an object name an OID in numeric form.
+RFC5280). The policy I<arg> can be an object name or an OID in numeric form.
 This argument can appear more than once.
 
 =item B<-explicit_policy>
@@ -686,7 +686,7 @@ The checks enabled by B<-x509_strict> have been extended in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

libs/openssl/doc/man3/ASN1_INTEGER_new.pod

@@ -18,6 +18,7 @@ ASN1_INTEGER_new, ASN1_INTEGER_free - ASN1_INTEGER allocation functions
 ASN1_INTEGER_new() returns an allocated B<ASN1_INTEGER> structure.
 
 ASN1_INTEGER_free() frees up a single B<ASN1_INTEGER> object.
+If the argument is NULL, nothing is done.
 
 B<ASN1_INTEGER> structure representing the ASN.1 INTEGER type
 
@@ -34,7 +35,7 @@ L<ERR_get_error(3)>
 
 =head1 COPYRIGHT
 
-Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

libs/openssl/doc/man3/ASYNC_WAIT_CTX_new.pod

@@ -178,6 +178,9 @@ operation, normally it is detected by a polling function or an interrupt, as the
 user code set a callback by calling ASYNC_WAIT_CTX_set_callback() previously,
 then the registered callback will be called.
 
+ASYNC_WAIT_CTX_free() frees up a single B<ASYNC_WAIT_CTX> object.
+If the argument is NULL, nothing is done.
+
 =head1 RETURN VALUES
 
 ASYNC_WAIT_CTX_new() returns a pointer to the newly allocated B<ASYNC_WAIT_CTX>
@@ -216,7 +219,7 @@ were added in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

libs/openssl/doc/man3/BIO_ADDR.pod

@@ -18,7 +18,7 @@ BIO_ADDR_path_string - BIO_ADDR routines
  BIO_ADDR *BIO_ADDR_new(void);
  int BIO_ADDR_copy(BIO_ADDR *dst, const BIO_ADDR *src);
  BIO_ADDR *BIO_ADDR_dup(const BIO_ADDR *ap);
- void BIO_ADDR_free(BIO_ADDR *);
+ void BIO_ADDR_free(BIO_ADDR *ap);
  void BIO_ADDR_clear(BIO_ADDR *ap);
  int BIO_ADDR_rawmake(BIO_ADDR *ap, int family,
                       const void *where, size_t wherelen, unsigned short port);
@@ -47,7 +47,7 @@ BIO_ADDR_dup() creates a new B<BIO_ADDR>, with a copy of the
 address data in B<ap>.
 
 BIO_ADDR_free() frees a B<BIO_ADDR> created with BIO_ADDR_new()
-or BIO_ADDR_dup();
+or BIO_ADDR_dup(). If the argument is NULL, nothing is done.
 
 BIO_ADDR_clear() clears any data held within the provided B<BIO_ADDR> and sets
 it back to an uninitialised state.
@@ -131,7 +131,7 @@ BIO_ADDR_copy() and BIO_ADDR_dup() were added in OpenSSL 3.2.
 
 =head1 COPYRIGHT
 
-Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

libs/openssl/doc/man3/BIO_ADDRINFO.pod

@@ -78,7 +78,7 @@ BIO_ADDRINFO_next() returns the next B<BIO_ADDRINFO> in the chain
 from the given one.
 
 BIO_ADDRINFO_free() frees the chain of B<BIO_ADDRINFO> starting
-with the given one.
+with the given one. If the argument is NULL, nothing is done.
 
 =head1 RETURN VALUES
 
@@ -103,7 +103,7 @@ The BIO_lookup_ex() function was added in OpenSSL 1.1.1.
 
 =head1 COPYRIGHT
 
-Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

libs/openssl/doc/man3/BIO_f_base64.pod

@@ -21,25 +21,23 @@ any data read through it.
 
 Base64 BIOs do not support BIO_gets() or BIO_puts().
 
-For writing, output is by default divided to lines of length 64
-characters and there is always a newline at the end of output.
+For writing, by default output is divided to lines of length 64
+characters and there is a newline at the end of output.
+This behavior can be changed with B<BIO_FLAGS_BASE64_NO_NL> flag.
 
-For reading, first line should be at most 1024
-characters long. If it is longer then it is ignored completely.
-Other input lines can be of any length. There must be a newline
-at the end of input.
-
-This behavior can be changed with BIO_FLAGS_BASE64_NO_NL flag.
+For reading, first line should be at most 1024 bytes long including newline
+unless the flag B<BIO_FLAGS_BASE64_NO_NL> is set.
+Further input lines can be of any length (i.e., newlines may appear anywhere
+in the input) and a newline at the end of input is not needed.
 
 BIO_flush() on a base64 BIO that is being written through is
 used to signal that no more data is to be encoded: this is used
 to flush the final block through the BIO.
 
-The flag BIO_FLAGS_BASE64_NO_NL can be set with BIO_set_flags().
+The flag B<BIO_FLAGS_BASE64_NO_NL> can be set with BIO_set_flags().
 For writing, it causes all data to be written on one line without
 newline at the end.
-For reading, it expects the data to be all on one line (with or
-without a trailing newline).
+For reading, it removes all expectations on newlines in the input data.
 
 =head1 NOTES
 
@@ -85,6 +83,10 @@ data to standard output:
 
 =head1 BUGS
 
+On decoding, if the flag B<BIO_FLAGS_BASE64_NO_NL> is not set and
+the first 1024 bytes of input do not include a newline character
+the first two lines of input are ignored.
+
 The ambiguity of EOF in base64 encoded data can cause additional
 data following the base64 encoded block to be misinterpreted.
 
@@ -93,7 +95,7 @@ to reliably determine EOF (for example a MIME boundary).
 
 =head1 COPYRIGHT
 
-Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

libs/openssl/doc/man3/BIO_meth_new.pod

@@ -100,7 +100,7 @@ additionally have the "descriptor" bit set (B<BIO_TYPE_DESCRIPTOR>). See the
 L<BIO_find_type(3)> page for more information.
 
 BIO_meth_free() destroys a B<BIO_METHOD> structure and frees up any memory
-associated with it.
+associated with it. If the argument is NULL, nothing is done.
 
 BIO_meth_get_write_ex() and BIO_meth_set_write_ex() get and set the function
 used for writing arbitrary length data to the BIO respectively. This function

libs/openssl/doc/man3/BN_add.pod

@@ -14,9 +14,9 @@ arithmetic operations on BIGNUMs
 
  int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
 
- int BN_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
+ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
 
- int BN_sqr(BIGNUM *r, BIGNUM *a, BN_CTX *ctx);
+ int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx);
 
  int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *a, const BIGNUM *d,
             BN_CTX *ctx);
@@ -25,25 +25,25 @@ arithmetic operations on BIGNUMs
 
  int BN_nnmod(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
 
- int BN_mod_add(BIGNUM *r, BIGNUM *a, BIGNUM *b, const BIGNUM *m,
+ int BN_mod_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m,
                 BN_CTX *ctx);
 
- int BN_mod_sub(BIGNUM *r, BIGNUM *a, BIGNUM *b, const BIGNUM *m,
+ int BN_mod_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m,
                 BN_CTX *ctx);
 
- int BN_mod_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b, const BIGNUM *m,
+ int BN_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m,
                 BN_CTX *ctx);
 
- int BN_mod_sqr(BIGNUM *r, BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
+ int BN_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
 
- BIGNUM *BN_mod_sqrt(BIGNUM *in, BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
+ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
 
- int BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BN_CTX *ctx);
+ int BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
 
- int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+ int BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
                 const BIGNUM *m, BN_CTX *ctx);
 
- int BN_gcd(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
+ int BN_gcd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
 
 =head1 DESCRIPTION
 
@@ -135,7 +135,7 @@ L<BN_add_word(3)>, L<BN_set_bit(3)>
 
 =head1 COPYRIGHT
 
-Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

libs/openssl/doc/man3/BN_generate_prime.pod

@@ -167,7 +167,8 @@ programs should prefer the "new" style, whilst the "old" style is provided
 for backwards compatibility purposes.
 
 A B<BN_GENCB> structure should be created through a call to BN_GENCB_new(),
-and freed through a call to BN_GENCB_free().
+and freed through a call to BN_GENCB_free(). If the argument is NULL,
+nothing is done.
 
 For "new" style callbacks a BN_GENCB structure should be initialised with a
 call to BN_GENCB_set(), where B<gencb> is a B<BN_GENCB *>, B<callback> is of
@@ -245,7 +246,7 @@ BN_check_prime() was added in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

libs/openssl/doc/man3/BN_set_bit.pod

@@ -33,8 +33,11 @@ error occurs if B<a> is shorter than B<n> bits.
 BN_is_bit_set() tests if bit B<n> in B<a> is set.
 
 BN_mask_bits() truncates B<a> to an B<n> bit number
-(C<a&=~((~0)E<lt>E<lt>n)>).  An error occurs if B<a> already is
-shorter than B<n> bits.
+(C<a&=~((~0)E<lt>E<lt>n)>). An error occurs if B<n> is negative. An error is
+also returned if the internal representation of B<a> is already shorter than
+B<n> bits. The internal representation depends on the platform's word size, and
+this error can be safely ignored. Use L<BN_num_bits(3)> to determine the exact
+number of bits if needed.
 
 BN_lshift() shifts B<a> left by B<n> bits and places the result in
 B<r> (C<r=a*2^n>). Note that B<n> must be nonnegative. BN_lshift1() shifts
@@ -59,7 +62,7 @@ L<BN_num_bytes(3)>, L<BN_add(3)>
 
 =head1 COPYRIGHT
 
-Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

libs/openssl/doc/man3/BUF_MEM_new.pod

@@ -34,6 +34,7 @@ should be allocated on the secure heap; see L<CRYPTO_secure_malloc(3)>.
 
 BUF_MEM_free() frees up an already existing buffer. The data is zeroed
 before freeing up in case the buffer contains sensitive data.
+If the argument is NULL, nothing is done.
 
 BUF_MEM_grow() changes the size of an already existing buffer to
 B<len>. Any data already in the buffer is preserved if it increases in
@@ -65,7 +66,7 @@ The BUF_MEM_new_ex() function was added in OpenSSL 1.1.0.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

libs/openssl/doc/man3/COMP_CTX_new.pod

@@ -54,7 +54,9 @@ These functions provide compression support for OpenSSL. Compression is used wit
 the OpenSSL library to support TLS record and certificate compression.
 
 COMP_CTX_new() is used to create a new B<COMP_CTX> structure used to compress data.
+
 COMP_CTX_free() is used to free the returned B<COMP_CTX>.
+If the argument is NULL, nothing is done.
 
 COMP_CTX_get_method() returns the B<COMP_METHOD> of the given I<ctx>.
 
@@ -172,7 +174,7 @@ Brotli and Zstandard functions were added in OpenSSL 3.2.
 
 =head1 COPYRIGHT
 
-Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2022-2024 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

libs/openssl/doc/man3/CRYPTO_THREAD_run_once.pod

@@ -81,6 +81,7 @@ CRYPTO_THREAD_unlock() unlocks the previously locked I<lock>.
 =item *
 
 CRYPTO_THREAD_lock_free() frees the provided I<lock>.
+If the argument is NULL, nothing is done.
 
 =item *
 
@@ -213,10 +214,13 @@ This example safely initializes and uses a lock.
  {
      int ret = 0;
 
-     if (mylock()) {
-         /* Your code here, do not return without releasing the lock! */
-         ret = ... ;
+     if (!mylock()) {
+        /* Do not unlock unless the lock was successfully acquired. */
+        return 0;
      }
+
+     /* Your code here, do not return without releasing the lock! */
+     ret = ... ;
      myunlock();
      return ret;
  }
@@ -233,7 +237,7 @@ L<crypto(7)>, L<openssl-threads(7)>.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

libs/openssl/doc/man3/CTLOG_STORE_new.pod

@@ -52,7 +52,7 @@ The expected format of the file is:
 
 Once a CTLOG_STORE is no longer required, it should be passed to
 CTLOG_STORE_free(). This will delete all of the CTLOGs stored within, along
-with the CTLOG_STORE itself.
+with the CTLOG_STORE itself. If the argument is NULL, nothing is done.
 
 =head1 NOTES
 
@@ -78,7 +78,7 @@ added in OpenSSL 1.1.0.
 
 =head1 COPYRIGHT
 
-Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

libs/openssl/doc/man3/CTLOG_new.pod

@@ -50,7 +50,7 @@ property query string are used.
 Regardless of whether CTLOG_new() or CTLOG_new_from_base64() is used, it is the
 caller's responsibility to pass the CTLOG to CTLOG_free() once it is no longer
 needed. This will delete it and, if created by CTLOG_new(), the EVP_PKEY that
-was passed to it.
+was passed to it. If the argument to CTLOG_free() is NULL, nothing is done.
 
 CTLOG_get0_name() returns the name of the log, as provided when the CTLOG was
 created. Ownership of the string remains with the CTLOG.
@@ -80,7 +80,7 @@ were added in OpenSSL 3.0. All other functions were added in OpenSSL 1.1.0.
 
 =head1 COPYRIGHT
 
-Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

libs/openssl/doc/man3/CT_POLICY_EVAL_CTX_new.pod

@@ -105,7 +105,8 @@ The time should be in milliseconds since the Unix Epoch.
 Each setter has a matching getter for accessing the current value.
 
 When no longer required, the B<CT_POLICY_EVAL_CTX> should be passed to
-CT_POLICY_EVAL_CTX_free() to delete it.
+CT_POLICY_EVAL_CTX_free() to delete it. If the argument to
+CT_POLICY_EVAL_CTX_free() is NULL, nothing is done.
 
 =head1 NOTES
 
@@ -130,7 +131,7 @@ functions were added in OpenSSL 1.1.0.
 
 =head1 COPYRIGHT
 
-Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

libs/openssl/doc/man3/DH_meth_new.pod

@@ -81,7 +81,7 @@ parameter. This might be useful for creating a new B<DH_METHOD> based on an
 existing one, but with some differences.
 
 DH_meth_free() destroys a B<DH_METHOD> structure and frees up any memory
-associated with it.
+associated with it. If the argument is NULL, nothing is done.
 
 DH_meth_get0_name() will return a pointer to the name of this DH_METHOD. This
 is a pointer to the internal name string and so should not be freed by the
@@ -166,7 +166,7 @@ The functions described here were added in OpenSSL 1.1.0.
 
 =head1 COPYRIGHT
 
-Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

libs/openssl/doc/man3/DSA_SIG_new.pod

@@ -20,6 +20,7 @@ DSA_SIG_new() allocates an empty B<DSA_SIG> structure.
 
 DSA_SIG_free() frees the B<DSA_SIG> structure and its components. The
 values are erased before the memory is returned to the system.
+If the argument is NULL, nothing is done.
 
 DSA_SIG_get0() returns internal pointers to the B<r> and B<s> values contained
 in B<sig>.
@@ -48,7 +49,7 @@ L<ERR_get_error(3)>
 
 =head1 COPYRIGHT
 
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

libs/openssl/doc/man3/DSA_meth_new.pod

@@ -110,7 +110,7 @@ parameter. This might be useful for creating a new B<DSA_METHOD> based on an
 existing one, but with some differences.
 
 DSA_meth_free() destroys a B<DSA_METHOD> structure and frees up any memory
-associated with it.
+associated with it. If the argument is NULL, nothing is done.
 
 DSA_meth_get0_name() will return a pointer to the name of this DSA_METHOD. This
 is a pointer to the internal name string and so should not be freed by the
@@ -214,7 +214,7 @@ The functions described here were added in OpenSSL 1.1.0.
 
 =head1 COPYRIGHT
 
-Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

libs/openssl/doc/man3/ECDSA_SIG_new.pod

@@ -31,6 +31,7 @@ ECDSA_SIG_new() allocates an empty B<ECDSA_SIG> structure.
 Note: before OpenSSL 1.1.0, the I<r> and I<s> components were initialised.
 
 ECDSA_SIG_free() frees the B<ECDSA_SIG> structure I<sig>.
+If the argument is NULL, nothing is done.
 
 ECDSA_SIG_get0() returns internal pointers the I<r> and I<s> values contained
 in I<sig> and stores them in I<*pr> and I<*ps>, respectively.
@@ -136,7 +137,7 @@ L<ECDSA_sign(3)>
 
 =head1 COPYRIGHT
 
-Copyright 2004-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2004-2024 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

libs/openssl/doc/man3/ENGINE_add.pod

@@ -227,7 +227,8 @@ references such as; ENGINE_by_id(), ENGINE_get_first(), ENGINE_get_last(),
 ENGINE_get_next(), ENGINE_get_prev(). All structural references should be
 released by a corresponding to call to the ENGINE_free() function - the
 ENGINE object itself will only actually be cleaned up and deallocated when
-the last structural reference is released.
+the last structural reference is released. If the argument to ENGINE_free()
+is NULL, nothing is done.
 
 It should also be noted that many ENGINE API function calls that accept a
 structural reference will internally obtain another reference - typically
@@ -665,7 +666,7 @@ and should not be used.
 
 =head1 COPYRIGHT
 
-Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2002-2024 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

libs/openssl/doc/man3/EVP_ASYM_CIPHER_free.pod

@@ -45,7 +45,7 @@ The returned value must eventually be freed with EVP_ASYM_CIPHER_free().
 EVP_ASYM_CIPHER_free() decrements the reference count for the B<EVP_ASYM_CIPHER>
 structure. Typically this structure will have been obtained from an earlier call
 to EVP_ASYM_CIPHER_fetch(). If the reference count drops to 0 then the
-structure is freed.
+structure is freed. If the argument is NULL, nothing is done.
 
 EVP_ASYM_CIPHER_up_ref() increments the reference count for an
 B<EVP_ASYM_CIPHER> structure.
@@ -102,7 +102,7 @@ The functions described here were added in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

libs/openssl/doc/man3/EVP_CIPHER_meth_new.pod

@@ -80,6 +80,7 @@ EVP_CIPHER_meth_new() creates a new B<EVP_CIPHER> structure.
 EVP_CIPHER_meth_dup() creates a copy of B<cipher>.
 
 EVP_CIPHER_meth_free() destroys a B<EVP_CIPHER> structure.
+If the argument is NULL, nothing is done.
 
 EVP_CIPHER_meth_set_iv_length() sets the length of the IV.
 This is only needed when the implemented cipher mode requires it.
@@ -249,7 +250,7 @@ counted in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

libs/openssl/doc/man3/EVP_DigestInit.pod

@@ -160,6 +160,7 @@ Increments the reference count for an B<EVP_MD> structure.
 
 Decrements the reference count for the fetched B<EVP_MD> structure.
 If the reference count drops to 0 then the structure is freed.
+If the argument is NULL, nothing is done.
 
 =item EVP_MD_CTX_new()
 
@@ -173,6 +174,7 @@ existing context.
 =item EVP_MD_CTX_free()
 
 Cleans up digest context I<ctx> and frees up the space allocated to it.
+If the argument is NULL, nothing is done.
 
 =item EVP_MD_CTX_ctrl()
 
@@ -548,9 +550,13 @@ can be used the manipulate and test these B<EVP_MD_CTX> flags:
 
 This flag instructs the digest to optimize for one update only, if possible.
 
-=for comment EVP_MD_CTX_FLAG_CLEANED is internal, don't mention it
+=item EVP_MD_CTX_FLAG_CLEANED
 
-=for comment EVP_MD_CTX_FLAG_REUSE is internal, don't mention it
+This flag is for internal use only and I<must not> be used in user code.
+
+=item EVP_MD_CTX_FLAG_REUSE
+
+This flag is for internal use only and I<must not> be used in user code.
 
 =for comment We currently avoid documenting flags that are only bit holder:
 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW, EVP_MD_CTX_FLAGS_PAD_*

libs/openssl/doc/man3/EVP_EncodeInit.pod

@@ -41,7 +41,7 @@ EVP_ENCODE_CTX_new() allocates, initializes and returns a context to be used for
 the encode/decode functions.
 
 EVP_ENCODE_CTX_free() cleans up an encode/decode context B<ctx> and frees up the
-space allocated to it.
+space allocated to it. If the argument is NULL, nothing is done.
 
 Encoding of binary data is performed in blocks of 48 input bytes (or less for
 the final block). For each 48 byte input block encoded 64 bytes of base 64 data
@@ -151,7 +151,7 @@ L<evp(7)>
 
 =head1 COPYRIGHT
 
-Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

libs/openssl/doc/man3/EVP_EncryptInit.pod

@@ -272,6 +272,7 @@ Increments the reference count for an B<EVP_CIPHER> structure.
 
 Decrements the reference count for the fetched B<EVP_CIPHER> structure.
 If the reference count drops to 0 then the structure is freed.
+If the argument is NULL, nothing is done.
 
 =item EVP_CIPHER_CTX_new()
 
@@ -280,9 +281,9 @@ Allocates and returns a cipher context.
 =item EVP_CIPHER_CTX_free()
 
 Clears all information from a cipher context and frees any allocated memory
-associated with it, including I<ctx> itself. This function should be called after
-all operations using a cipher are complete so sensitive information does not
-remain in memory.
+associated with it, including I<ctx> itself. This function should be called
+after all operations using a cipher are complete so sensitive information does
+not remain in memory. If the argument is NULL, nothing is done.
 
 =item EVP_CIPHER_CTX_dup()
 
@@ -374,9 +375,13 @@ exists.
 
 Encrypts I<inl> bytes from the buffer I<in> and writes the encrypted version to
 I<out>. The pointers I<out> and I<in> may point to the same location, in which
-case the encryption will be done in-place. If I<out> and I<in> point to different
-locations, the two buffers must be disjoint, otherwise the operation might fail
-or the outcome might be undefined.
+case the encryption will be done in-place. However, in-place encryption is
+guaranteed to work only if the encryption context (I<ctx>) has processed data in
+multiples of the block size. If the context contains an incomplete data block
+from previous operations, in-place encryption will fail.
+
+If I<out> and I<in> point to different locations, the two buffers must be
+disjoint, otherwise the operation might fail or the outcome might be undefined.
 
 This function can be called multiple times to encrypt successive blocks
 of data. The amount of data written depends on the block alignment of the

libs/openssl/doc/man3/EVP_KEM_free.pod

@@ -41,6 +41,7 @@ The returned value must eventually be freed with EVP_KEM_free().
 EVP_KEM_free() decrements the reference count for the B<EVP_KEM> structure.
 Typically this structure will have been obtained from an earlier call to
 EVP_KEM_fetch(). If the reference count drops to 0 then the structure is freed.
+If the argument is NULL, nothing is done.
 
 EVP_KEM_up_ref() increments the reference count for an B<EVP_KEM> structure.
 
@@ -95,7 +96,7 @@ The functions described here were added in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

libs/openssl/doc/man3/EVP_KEYEXCH_free.pod

@@ -41,7 +41,7 @@ The returned value must eventually be freed with EVP_KEYEXCH_free().
 EVP_KEYEXCH_free() decrements the reference count for the B<EVP_KEYEXCH>
 structure. Typically this structure will have been obtained from an earlier call
 to EVP_KEYEXCH_fetch(). If the reference count drops to 0 then the
-structure is freed.
+structure is freed. If the argument is NULL, nothing is done.
 
 EVP_KEYEXCH_up_ref() increments the reference count for an B<EVP_KEYEXCH>
 structure.
@@ -101,7 +101,7 @@ The functions described here were added in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

libs/openssl/doc/man3/EVP_KEYMGMT.pod

@@ -62,6 +62,7 @@ B<EVP_KEYMGMT> I<keymgmt>.
 
 EVP_KEYMGMT_free() decrements the reference count for the given
 B<EVP_KEYMGMT> I<keymgmt>, and when the count reaches zero, frees it.
+If the argument is NULL, nothing is done.
 
 EVP_KEYMGMT_get0_provider() returns the provider that has this particular
 implementation.
@@ -140,7 +141,7 @@ The functions described here were added in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

libs/openssl/doc/man3/EVP_MD_meth_new.pod

@@ -74,6 +74,7 @@ EVP_MD_meth_dup() creates a copy of B<md>.
 
 EVP_MD_meth_free() decrements the reference count for the B<EVP_MD> structure.
 If the reference count drops to 0 then the structure is freed.
+If the argument is NULL, nothing is done.
 
 EVP_MD_meth_set_input_blocksize() sets the internal input block size
 for the method B<md> to B<blocksize> bytes.
@@ -194,7 +195,7 @@ counted in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

libs/openssl/doc/man3/EVP_PKEY_ASN1_METHOD.pod

@@ -393,7 +393,7 @@ This function is not thread safe, it's recommended to only use this
 when initializing the application.
 
 EVP_PKEY_asn1_free() frees an existing B<EVP_PKEY_ASN1_METHOD> pointed
-by B<ameth>.
+by B<ameth>. If the argument is NULL, nothing is done.
 
 EVP_PKEY_asn1_add0() adds B<ameth> to the user defined stack of
 methods unless another B<EVP_PKEY_ASN1_METHOD> with the same NID is
@@ -439,7 +439,7 @@ parameter is now constified.
 
 =head1 COPYRIGHT
 
-Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2024 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

libs/openssl/doc/man3/EVP_PKEY_meth_new.pod

@@ -407,7 +407,7 @@ of an B<EVP_PKEY_METHOD> is always called by the EVP framework while doing a
 digest signing operation by calling L<EVP_DigestSignFinal(3)>.
 
 EVP_PKEY_meth_free() frees an existing B<EVP_PKEY_METHOD> pointed by
-B<pmeth>.
+B<pmeth>. If the argument is NULL, nothing is done.
 
 EVP_PKEY_meth_copy() copies an B<EVP_PKEY_METHOD> object from B<src>
 to B<dst>.
@@ -456,7 +456,7 @@ has changed in OpenSSL 3.0 so its I<src> parameter is now constified.
 
 =head1 COPYRIGHT
 
-Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2024 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

libs/openssl/doc/man3/EVP_RAND.pod

@@ -285,7 +285,7 @@ associated RAND ctx.
 Reads or set the number of elapsed seconds before reseeding the
 associated RAND ctx.
 
-=item "max_request" (B<OSSL_DRBG_PARAM_RESEED_REQUESTS>) <unsigned integer>
+=item "max_request" (B<OSSL_RAND_PARAM_MAX_REQUEST>) <unsigned integer>
 
 Specifies the maximum number of bytes that can be generated in a single
 call to OSSL_FUNC_rand_generate.
@@ -411,7 +411,7 @@ The remaining functions were added in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

libs/openssl/doc/man3/EVP_SIGNATURE.pod

@@ -49,7 +49,7 @@ The returned value must eventually be freed with EVP_SIGNATURE_free().
 EVP_SIGNATURE_free() decrements the reference count for the B<EVP_SIGNATURE>
 structure. Typically this structure will have been obtained from an earlier call
 to EVP_SIGNATURE_fetch(). If the reference count drops to 0 then the
-structure is freed.
+structure is freed. If the argument is NULL, nothing is done.
 
 EVP_SIGNATURE_up_ref() increments the reference count for an B<EVP_SIGNATURE>
 structure.
@@ -106,7 +106,7 @@ The functions described here were added in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

libs/openssl/doc/man3/HMAC.pod

@@ -87,7 +87,7 @@ created with HMAC_CTX_new().
 
 HMAC_CTX_free() erases the key and other data from the B<HMAC_CTX>,
 releases any associated resources and finally frees the B<HMAC_CTX>
-itself.
+itself. If the argument is NULL, nothing is done.
 
 The following functions may be used if the message is not completely
 stored in memory:
@@ -163,7 +163,7 @@ OpenSSL before version 1.0.0.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

libs/openssl/doc/man3/MD5.pod

@@ -7,12 +7,12 @@ MD4_Final, MD5_Init, MD5_Update, MD5_Final - MD2, MD4, and MD5 hash functions
 
 =head1 SYNOPSIS
 
- #include <openssl/md2.h>
-
 The following functions have been deprecated since OpenSSL 3.0, and can be
 hidden entirely by defining B<OPENSSL_API_COMPAT> with a suitable version value,
 see L<openssl_user_macros(7)>:
 
+ #include <openssl/md2.h>
+
  unsigned char *MD2(const unsigned char *d, unsigned long n, unsigned char *md);
 
  int MD2_Init(MD2_CTX *c);
@@ -20,25 +20,24 @@ see L<openssl_user_macros(7)>:
  int MD2_Final(unsigned char *md, MD2_CTX *c);
 
 
- #include <openssl/md4.h>
-
 The following functions have been deprecated since OpenSSL 3.0, and can be
 hidden entirely by defining B<OPENSSL_API_COMPAT> with a suitable version value,
 see L<openssl_user_macros(7)>:
 
+ #include <openssl/md4.h>
+
  unsigned char *MD4(const unsigned char *d, unsigned long n, unsigned char *md);
 
  int MD4_Init(MD4_CTX *c);
  int MD4_Update(MD4_CTX *c, const void *data, unsigned long len);
  int MD4_Final(unsigned char *md, MD4_CTX *c);
 
-
- #include <openssl/md5.h>
-
 The following functions have been deprecated since OpenSSL 3.0, and can be
 hidden entirely by defining B<OPENSSL_API_COMPAT> with a suitable version value,
 see L<openssl_user_macros(7)>:
 
+ #include <openssl/md5.h>
+
  unsigned char *MD5(const unsigned char *d, unsigned long n, unsigned char *md);
 
  int MD5_Init(MD5_CTX *c);
@@ -105,7 +104,7 @@ All of these functions were deprecated in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

libs/openssl/doc/man3/NCONF_new_ex.pod

@@ -35,7 +35,7 @@ I<meth> is set to NULL then the default value of NCONF_default() is used.
 NCONF_new() is similar to NCONF_new_ex() but sets the I<libctx> to NULL.
 
 NCONF_free() frees the data associated with I<conf> and then frees the I<conf>
-object.
+object. If the argument is NULL, nothing is done.
 
 NCONF_load() parses the file named I<filename> and adds the values found to
 I<conf>. If an error occurs I<file> and I<eline> list the file and line that
@@ -74,7 +74,7 @@ in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

libs/openssl/doc/man3/OCSP_REQUEST_new.pod

@@ -29,6 +29,7 @@ OCSP_request_onereq_get0 - OCSP request functions
 OCSP_REQUEST_new() allocates and returns an empty B<OCSP_REQUEST> structure.
 
 OCSP_REQUEST_free() frees up the request structure B<req>.
+If the argument is NULL, nothing is done.
 
 OCSP_request_add0_id() adds certificate ID B<cid> to B<req>. It returns
 the B<OCSP_ONEREQ> structure added so an application can add additional
@@ -108,7 +109,7 @@ L<OCSP_sendreq_new(3)>
 
 =head1 COPYRIGHT
 
-Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

libs/openssl/doc/man3/OCSP_cert_to_id.pod

@@ -38,6 +38,7 @@ issuer name B<issuerName>, issuer key hash B<issuerKey> and serial number
 B<serialNumber>.
 
 OCSP_CERTID_free() frees up B<id>.
+If the argument is NULL, nothing is done.
 
 OCSP_id_cmp() compares B<OCSP_CERTID> B<a> and B<b>.
 
@@ -79,7 +80,7 @@ L<OCSP_sendreq_new(3)>
 
 =head1 COPYRIGHT
 
-Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy