Explorar el Código

OpenSSL 3.1.4

Source commit: b17dc3b811472e27709a965f523c0ea60eb5edf8
Martin Prikryl hace 2 años
padre
commit
d2e3df7f98
Se han modificado 100 ficheros con 1131 adiciones y 421 borrados
  1. 9 0
      libs/openssl/CHANGES.md
  2. 147 147
      libs/openssl/Configurations/unix-Makefile.tmpl
  3. 2 2
      libs/openssl/INSTALL.md
  4. 6 0
      libs/openssl/NEWS.md
  5. 2 2
      libs/openssl/VERSION.dat
  6. 2 0
      libs/openssl/apps/dgst.c
  7. 3 1
      libs/openssl/apps/dhparam.c
  8. 3 1
      libs/openssl/apps/dsaparam.c
  9. 4 1
      libs/openssl/apps/enc.c
  10. 3 1
      libs/openssl/apps/gendsa.c
  11. 3 1
      libs/openssl/apps/genpkey.c
  12. 3 1
      libs/openssl/apps/genrsa.c
  13. 10 6
      libs/openssl/apps/lib/apps.c
  14. 2 0
      libs/openssl/apps/req.c
  15. 2 1
      libs/openssl/apps/speed.c
  16. 4 4
      libs/openssl/crypto/bn/bn_gcd.c
  17. 0 2
      libs/openssl/crypto/build.info
  18. 3 2
      libs/openssl/crypto/cms/cms_enc.c
  19. 3 1
      libs/openssl/crypto/cms/cms_err.c
  20. 11 3
      libs/openssl/crypto/cms/cms_sd.c
  21. 2 1
      libs/openssl/crypto/dh/dh_check.c
  22. 1 2
      libs/openssl/crypto/dh/dh_key.c
  23. 3 1
      libs/openssl/crypto/dh/dh_lib.c
  24. 5 3
      libs/openssl/crypto/dsa/dsa_check.c
  25. 3 1
      libs/openssl/crypto/dsa/dsa_lib.c
  26. 0 1
      libs/openssl/crypto/dsa/dsa_ossl.c
  27. 43 1
      libs/openssl/crypto/engine/eng_pkey.c
  28. 1 0
      libs/openssl/crypto/engine/eng_table.c
  29. 2 0
      libs/openssl/crypto/err/openssl.txt
  30. 42 1
      libs/openssl/crypto/evp/evp_enc.c
  31. 69 1
      libs/openssl/crypto/evp/evp_rand.c
  32. 6 2
      libs/openssl/crypto/evp/legacy_sha.c
  33. 1 1
      libs/openssl/crypto/evp/p_lib.c
  34. 3 2
      libs/openssl/crypto/evp/pmeth_lib.c
  35. 2 0
      libs/openssl/crypto/ex_data.c
  36. 5 11
      libs/openssl/crypto/ffc/ffc_key_validate.c
  37. 22 4
      libs/openssl/crypto/initthread.c
  38. 3 3
      libs/openssl/crypto/lhash/lhash.c
  39. 9 3
      libs/openssl/crypto/mem.c
  40. 32 10
      libs/openssl/crypto/objects/obj_dat.c
  41. 7 6
      libs/openssl/crypto/param_build_set.c
  42. 30 4
      libs/openssl/crypto/property/property_parse.c
  43. 78 8
      libs/openssl/crypto/provider_core.c
  44. 62 6
      libs/openssl/crypto/rand/prov_seed.c
  45. 3 1
      libs/openssl/crypto/rand/rand_err.c
  46. 97 9
      libs/openssl/crypto/rand/rand_lib.c
  47. 6 2
      libs/openssl/crypto/rand/rand_pool.c
  48. 1 13
      libs/openssl/crypto/rsa/rsa_backend.c
  49. 23 9
      libs/openssl/crypto/rsa/rsa_lib.c
  50. 48 10
      libs/openssl/doc/internal/man3/ossl_rand_get_entropy.pod
  51. 5 3
      libs/openssl/doc/man3/CMS_add1_signer.pod
  52. 5 1
      libs/openssl/doc/man3/DH_generate_parameters.pod
  53. 2 2
      libs/openssl/doc/man3/DSA_generate_parameters.pod
  54. 1 7
      libs/openssl/doc/man3/EVP_aes_128_gcm.pod
  55. 1 1
      libs/openssl/doc/man3/EVP_aria_128_gcm.pod
  56. 1 1
      libs/openssl/doc/man3/EVP_bf_cbc.pod
  57. 1 1
      libs/openssl/doc/man3/EVP_blake2b512.pod
  58. 1 1
      libs/openssl/doc/man3/EVP_camellia_128_ecb.pod
  59. 1 1
      libs/openssl/doc/man3/EVP_cast5_cbc.pod
  60. 1 1
      libs/openssl/doc/man3/EVP_chacha20.pod
  61. 1 1
      libs/openssl/doc/man3/EVP_des_cbc.pod
  62. 1 1
      libs/openssl/doc/man3/EVP_desx_cbc.pod
  63. 1 1
      libs/openssl/doc/man3/EVP_idea_cbc.pod
  64. 1 1
      libs/openssl/doc/man3/EVP_md2.pod
  65. 1 1
      libs/openssl/doc/man3/EVP_md4.pod
  66. 1 1
      libs/openssl/doc/man3/EVP_md5.pod
  67. 1 1
      libs/openssl/doc/man3/EVP_mdc2.pod
  68. 1 1
      libs/openssl/doc/man3/EVP_rc2_cbc.pod
  69. 1 1
      libs/openssl/doc/man3/EVP_rc4.pod
  70. 1 1
      libs/openssl/doc/man3/EVP_rc5_32_12_16_cbc.pod
  71. 1 1
      libs/openssl/doc/man3/EVP_ripemd160.pod
  72. 1 1
      libs/openssl/doc/man3/EVP_seed_cbc.pod
  73. 1 1
      libs/openssl/doc/man3/EVP_sha1.pod
  74. 1 1
      libs/openssl/doc/man3/EVP_sha224.pod
  75. 1 1
      libs/openssl/doc/man3/EVP_sha3_224.pod
  76. 1 1
      libs/openssl/doc/man3/EVP_sm3.pod
  77. 1 1
      libs/openssl/doc/man3/EVP_sm4_cbc.pod
  78. 1 1
      libs/openssl/doc/man3/EVP_whirlpool.pod
  79. 10 10
      libs/openssl/doc/man3/OPENSSL_LH_stats.pod
  80. 3 2
      libs/openssl/doc/man3/PKCS5_PBKDF2_HMAC.pod
  81. 9 1
      libs/openssl/doc/man3/SSL_CONF_CTX_set_ssl_ctx.pod
  82. 10 6
      libs/openssl/doc/man3/SSL_CTX_set_info_callback.pod
  83. 2 2
      libs/openssl/doc/man3/d2i_PKCS8PrivateKey_bio.pod
  84. 22 4
      libs/openssl/doc/man3/d2i_X509.pod
  85. 8 1
      libs/openssl/doc/man7/EVP_RAND-TEST-RAND.pod
  86. 34 4
      libs/openssl/doc/man7/provider-base.pod
  87. 2 1
      libs/openssl/include/crypto/context.h
  88. 9 1
      libs/openssl/include/crypto/evp.h
  89. 20 5
      libs/openssl/include/crypto/rand.h
  90. 1 1
      libs/openssl/include/crypto/randerr.h
  91. 2 1
      libs/openssl/include/openssl/cmserr.h
  92. 18 1
      libs/openssl/include/openssl/core_dispatch.h
  93. 1 0
      libs/openssl/include/openssl/core_names.h
  94. 3 1
      libs/openssl/include/openssl/evp.h
  95. 3 3
      libs/openssl/include/openssl/pkcs7.h.in
  96. 2 1
      libs/openssl/include/openssl/randerr.h
  97. 9 1
      libs/openssl/providers/baseprov.c
  98. 62 13
      libs/openssl/providers/common/provider_seeding.c
  99. 32 32
      libs/openssl/providers/fips-sources.checksums
  100. 1 1
      libs/openssl/providers/fips.checksum

+ 9 - 0
libs/openssl/CHANGES.md

@@ -22,6 +22,14 @@ OpenSSL Releases
 OpenSSL 3.1
 -----------
 
+### Changes between 3.1.3 and 3.1.4 [24 Oct 2023]
+
+ * Fix incorrect key and IV resizing issues when calling EVP_EncryptInit_ex2(),
+   EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() with OSSL_PARAM parameters
+   that alter the key or IV length ([CVE-2023-5363]).
+
+   *Paul Dale*
+
 ### Changes between 3.1.2 and 3.1.3 [19 Sep 2023]
 
  * Fix POLY1305 MAC implementation corrupting XMM registers on Windows.
@@ -19856,6 +19864,7 @@ ndif
 
 <!-- Links -->
 
+[CVE-2023-5363]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5363
 [CVE-2023-4807]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-4807
 [CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817
 [CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446

+ 147 - 147
libs/openssl/Configurations/unix-Makefile.tmpl

@@ -614,28 +614,28 @@ uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_de
 install_docs: install_man_docs install_html_docs
 
 uninstall_docs: uninstall_man_docs uninstall_html_docs
-	$(RM) -r $(DESTDIR)$(DOCDIR)
+	$(RM) -r "$(DESTDIR)$(DOCDIR)"
 
 {- output_off() if $disabled{fips}; "" -}
 install_fips: build_sw $(INSTALL_FIPSMODULECONF)
 	@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
-	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(MODULESDIR)
-	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(OPENSSLDIR)
+	@$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(MODULESDIR)"
+	@$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(OPENSSLDIR)"
 	@$(ECHO) "*** Installing FIPS module"
 	@$(ECHO) "install $(INSTALL_FIPSMODULE) -> $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME)"
-	@cp "$(INSTALL_FIPSMODULE)" $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME).new
-	@chmod 755 $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME).new
-	@mv -f $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME).new \
-	       $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME)
+	@cp "$(INSTALL_FIPSMODULE)" "$(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME).new"
+	@chmod 755 "$(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME).new"
+	@mv -f "$(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME).new" \
+	       "$(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME)"
 	@$(ECHO) "*** Installing FIPS module configuration"
 	@$(ECHO) "install $(INSTALL_FIPSMODULECONF) -> $(DESTDIR)$(OPENSSLDIR)/fipsmodule.cnf"
-	@cp $(INSTALL_FIPSMODULECONF) $(DESTDIR)$(OPENSSLDIR)/fipsmodule.cnf
+	@cp $(INSTALL_FIPSMODULECONF) "$(DESTDIR)$(OPENSSLDIR)/fipsmodule.cnf"
 
 uninstall_fips:
 	@$(ECHO) "*** Uninstalling FIPS module configuration"
-	$(RM) $(DESTDIR)$(OPENSSLDIR)/fipsmodule.cnf
+	$(RM) "$(DESTDIR)$(OPENSSLDIR)/fipsmodule.cnf"
 	@$(ECHO) "*** Uninstalling FIPS module"
-	$(RM) $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME)
+	$(RM) "$(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME)"
 {- if ($disabled{fips}) { output_on(); } else { output_off(); } "" -}
 install_fips:
 	@$(ECHO) "The 'install_fips' target requires the 'enable-fips' option"
@@ -646,75 +646,75 @@ uninstall_fips:
 
 
 install_ssldirs:
-	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(OPENSSLDIR)/certs
-	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(OPENSSLDIR)/private
-	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(OPENSSLDIR)/misc
+	@$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(OPENSSLDIR)/certs"
+	@$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(OPENSSLDIR)/private"
+	@$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(OPENSSLDIR)/misc"
 	@set -e; for x in dummy $(MISC_SCRIPTS); do \
 		if [ "$$x" = "dummy" ]; then continue; fi; \
 		x1=`echo "$$x" | cut -f1 -d:`; \
 		x2=`echo "$$x" | cut -f2 -d:`; \
 		fn=`basename $$x1`; \
 		$(ECHO) "install $$x1 -> $(DESTDIR)$(OPENSSLDIR)/misc/$$fn"; \
-		cp $$x1 $(DESTDIR)$(OPENSSLDIR)/misc/$$fn.new; \
-		chmod 755 $(DESTDIR)$(OPENSSLDIR)/misc/$$fn.new; \
-		mv -f $(DESTDIR)$(OPENSSLDIR)/misc/$$fn.new \
-		      $(DESTDIR)$(OPENSSLDIR)/misc/$$fn; \
+		cp $$x1 "$(DESTDIR)$(OPENSSLDIR)/misc/$$fn.new"; \
+		chmod 755 "$(DESTDIR)$(OPENSSLDIR)/misc/$$fn.new"; \
+		mv -f "$(DESTDIR)$(OPENSSLDIR)/misc/$$fn.new" \
+		      "$(DESTDIR)$(OPENSSLDIR)/misc/$$fn"; \
 		if [ "$$x1" != "$$x2" ]; then \
 			ln=`basename "$$x2"`; \
 			: {- output_off() unless windowsdll(); "" -}; \
 			$(ECHO) "copy $(DESTDIR)$(OPENSSLDIR)/misc/$$ln -> $(DESTDIR)$(OPENSSLDIR)/misc/$$fn"; \
-			cp $(DESTDIR)$(OPENSSLDIR)/misc/$$fn $(DESTDIR)$(OPENSSLDIR)/misc/$$ln; \
+			cp "$(DESTDIR)$(OPENSSLDIR)/misc/$$fn" "$(DESTDIR)$(OPENSSLDIR)/misc/$$ln"; \
 			: {- output_on() unless windowsdll();
 			     output_off() if windowsdll(); "" -}; \
 			$(ECHO) "link $(DESTDIR)$(OPENSSLDIR)/misc/$$ln -> $(DESTDIR)$(OPENSSLDIR)/misc/$$fn"; \
-			ln -sf $$fn $(DESTDIR)$(OPENSSLDIR)/misc/$$ln; \
+			ln -sf $$fn "$(DESTDIR)$(OPENSSLDIR)/misc/$$ln"; \
 			: {- output_on() if windowsdll(); "" -}; \
 		fi; \
 	done
 	@$(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.dist"
-	@cp $(SRCDIR)/apps/openssl.cnf $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new
-	@chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new
-	@mv -f  $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.dist
+	@cp $(SRCDIR)/apps/openssl.cnf "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new"
+	@chmod 644 "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new"
+	@mv -f  "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new" "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf.dist"
 	@if [ ! -f "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf" ]; then \
 		$(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl.cnf"; \
-		cp $(SRCDIR)/apps/openssl.cnf $(DESTDIR)$(OPENSSLDIR)/openssl.cnf; \
-		chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl.cnf; \
+		cp $(SRCDIR)/apps/openssl.cnf "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf"; \
+		chmod 644 "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf"; \
 	fi
 	@$(ECHO) "install $(SRCDIR)/apps/ct_log_list.cnf -> $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.dist"
-	@cp $(SRCDIR)/apps/ct_log_list.cnf $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.new
-	@chmod 644 $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.new
-	@mv -f  $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.new $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.dist
+	@cp $(SRCDIR)/apps/ct_log_list.cnf "$(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.new"
+	@chmod 644 "$(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.new"
+	@mv -f  "$(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.new" "$(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.dist"
 	@if [ ! -f "$(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf" ]; then \
 		$(ECHO) "install $(SRCDIR)/apps/ct_log_list.cnf -> $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf"; \
-		cp $(SRCDIR)/apps/ct_log_list.cnf $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf; \
-		chmod 644 $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf; \
+		cp $(SRCDIR)/apps/ct_log_list.cnf "$(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf"; \
+		chmod 644 "$(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf"; \
 	fi
 
 install_dev: install_runtime_libs
 	@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
 	@$(ECHO) "*** Installing development files"
-	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/include/openssl
+	@$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(INSTALLTOP)/include/openssl"
 	@ : {- output_off() if $disabled{uplink}; "" -}
 	@$(ECHO) "install $(SRCDIR)/ms/applink.c -> $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c"
-	@cp $(SRCDIR)/ms/applink.c $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c
-	@chmod 644 $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c
+	@cp $(SRCDIR)/ms/applink.c "$(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c"
+	@chmod 644 "$(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c"
 	@ : {- output_on() if $disabled{uplink}; "" -}
 	@set -e; for i in $(SRCDIR)/include/openssl/*.h \
 			  $(BLDDIR)/include/openssl/*.h; do \
 		fn=`basename $$i`; \
 		$(ECHO) "install $$i -> $(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn"; \
-		cp $$i $(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn; \
-		chmod 644 $(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn; \
+		cp $$i "$(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn"; \
+		chmod 644 "$(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn"; \
 	done
-	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(libdir)
+	@$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(libdir)"
 	@set -e; for l in $(INSTALL_LIBS); do \
 		fn=`basename $$l`; \
 		$(ECHO) "install $$l -> $(DESTDIR)$(libdir)/$$fn"; \
-		cp $$l $(DESTDIR)$(libdir)/$$fn.new; \
-		$(RANLIB) $(DESTDIR)$(libdir)/$$fn.new; \
-		chmod 644 $(DESTDIR)$(libdir)/$$fn.new; \
-		mv -f $(DESTDIR)$(libdir)/$$fn.new \
-		      $(DESTDIR)$(libdir)/$$fn; \
+		cp $$l "$(DESTDIR)$(libdir)/$$fn.new"; \
+		$(RANLIB) "$(DESTDIR)$(libdir)/$$fn.new"; \
+		chmod 644 "$(DESTDIR)$(libdir)/$$fn.new"; \
+		mv -f "$(DESTDIR)$(libdir)/$$fn.new" \
+		      "$(DESTDIR)$(libdir)/$$fn"; \
 	done
 	@ : {- output_off() if $disabled{shared}; "" -}
 	@set -e; for s in $(INSTALL_SHLIB_INFO); do \
@@ -727,18 +727,18 @@ install_dev: install_runtime_libs
 		: {- output_off(); output_on() unless windowsdll() or sharedaix(); "" -}; \
 		if [ "$$fn2" != "" ]; then \
 			$(ECHO) "link $(DESTDIR)$(libdir)/$$fn2 -> $(DESTDIR)$(libdir)/$$fn1"; \
-			ln -sf $$fn1 $(DESTDIR)$(libdir)/$$fn2; \
+			ln -sf $$fn1 "$(DESTDIR)$(libdir)/$$fn2"; \
 		fi; \
 		: {- output_off() unless windowsdll() or sharedaix(); output_on() if windowsdll(); "" -}; \
 		if [ "$$fn3" != "" ]; then \
 			$(ECHO) "install $$s3 -> $(DESTDIR)$(libdir)/$$fn3"; \
-			cp $$s3 $(DESTDIR)$(libdir)/$$fn3.new; \
-			chmod 755 $(DESTDIR)$(libdir)/$$fn3.new; \
-			mv -f $(DESTDIR)$(libdir)/$$fn3.new \
-			      $(DESTDIR)$(libdir)/$$fn3; \
+			cp $$s3 "$(DESTDIR)$(libdir)/$$fn3.new"; \
+			chmod 755 "$(DESTDIR)$(libdir)/$$fn3.new"; \
+			mv -f "$(DESTDIR)$(libdir)/$$fn3.new" \
+			      "$(DESTDIR)$(libdir)/$$fn3"; \
 		fi; \
 		: {- output_off() if windowsdll(); output_on() if sharedaix(); "" -}; \
-		a=$(DESTDIR)$(libdir)/$$fn2; \
+		a="$(DESTDIR)$(libdir)/$$fn2"; \
 		$(ECHO) "install $$s1 -> $$a"; \
 		if [ -f $$a ]; then ( trap "rm -rf /tmp/ar.$$$$" INT 0; \
 			mkdir /tmp/ar.$$$$; ( cd /tmp/ar.$$$$; \
@@ -755,35 +755,35 @@ install_dev: install_runtime_libs
 		: {- output_off() if sharedaix(); output_on(); "" -}; \
 	done
 	@ : {- output_on() if $disabled{shared}; "" -}
-	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(libdir)/pkgconfig
+	@$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(libdir)/pkgconfig"
 	@$(ECHO) "install libcrypto.pc -> $(DESTDIR)$(libdir)/pkgconfig/libcrypto.pc"
-	@cp libcrypto.pc $(DESTDIR)$(libdir)/pkgconfig
-	@chmod 644 $(DESTDIR)$(libdir)/pkgconfig/libcrypto.pc
+	@cp libcrypto.pc "$(DESTDIR)$(libdir)/pkgconfig"
+	@chmod 644 "$(DESTDIR)$(libdir)/pkgconfig/libcrypto.pc"
 	@$(ECHO) "install libssl.pc -> $(DESTDIR)$(libdir)/pkgconfig/libssl.pc"
-	@cp libssl.pc $(DESTDIR)$(libdir)/pkgconfig
-	@chmod 644 $(DESTDIR)$(libdir)/pkgconfig/libssl.pc
+	@cp libssl.pc "$(DESTDIR)$(libdir)/pkgconfig"
+	@chmod 644 "$(DESTDIR)$(libdir)/pkgconfig/libssl.pc"
 	@$(ECHO) "install openssl.pc -> $(DESTDIR)$(libdir)/pkgconfig/openssl.pc"
-	@cp openssl.pc $(DESTDIR)$(libdir)/pkgconfig
-	@chmod 644 $(DESTDIR)$(libdir)/pkgconfig/openssl.pc
+	@cp openssl.pc "$(DESTDIR)$(libdir)/pkgconfig"
+	@chmod 644 "$(DESTDIR)$(libdir)/pkgconfig/openssl.pc"
 
 uninstall_dev: uninstall_runtime_libs
 	@$(ECHO) "*** Uninstalling development files"
 	@ : {- output_off() if $disabled{uplink}; "" -}
 	@$(ECHO) "$(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c"
-	@$(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c
+	@$(RM) "$(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c"
 	@ : {- output_on() if $disabled{uplink}; "" -}
 	@set -e; for i in $(SRCDIR)/include/openssl/*.h \
 			  $(BLDDIR)/include/openssl/*.h; do \
 		fn=`basename $$i`; \
 		$(ECHO) "$(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn"; \
-		$(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn; \
+		$(RM) "$(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn"; \
 	done
-	-$(RMDIR) $(DESTDIR)$(INSTALLTOP)/include/openssl
-	-$(RMDIR) $(DESTDIR)$(INSTALLTOP)/include
+	-$(RMDIR) "$(DESTDIR)$(INSTALLTOP)/include/openssl"
+	-$(RMDIR) "$(DESTDIR)$(INSTALLTOP)/include"
 	@set -e; for l in $(INSTALL_LIBS); do \
 		fn=`basename $$l`; \
 		$(ECHO) "$(RM) $(DESTDIR)$(libdir)/$$fn"; \
-		$(RM) $(DESTDIR)$(libdir)/$$fn; \
+		$(RM) "$(DESTDIR)$(libdir)/$$fn"; \
 	done
 	@ : {- output_off() if $disabled{shared}; "" -}
 	@set -e; for s in $(INSTALL_SHLIB_INFO); do \
@@ -795,39 +795,39 @@ uninstall_dev: uninstall_runtime_libs
 		fn3=`basename "$$s3"`; \
 		: {- output_off() if windowsdll(); "" -}; \
 		$(ECHO) "$(RM) $(DESTDIR)$(libdir)/$$fn1"; \
-		$(RM) $(DESTDIR)$(libdir)/$$fn1; \
+		$(RM) "$(DESTDIR)$(libdir)/$$fn1"; \
 		if [ -n "$$fn2" ]; then \
 			$(ECHO) "$(RM) $(DESTDIR)$(libdir)/$$fn2"; \
-			$(RM) $(DESTDIR)$(libdir)/$$fn2; \
+			$(RM) "$(DESTDIR)$(libdir)/$$fn2"; \
 		fi; \
 		: {- output_on() if windowsdll(); "" -}{- output_off() unless windowsdll(); "" -}; \
 		if [ -n "$$fn3" ]; then \
 			$(ECHO) "$(RM) $(DESTDIR)$(libdir)/$$fn3"; \
-			$(RM) $(DESTDIR)$(libdir)/$$fn3; \
+			$(RM) "$(DESTDIR)$(libdir)/$$fn3"; \
 		fi; \
 		: {- output_on() unless windowsdll(); "" -}; \
 	done
 	@ : {- output_on() if $disabled{shared}; "" -}
-	$(RM) $(DESTDIR)$(libdir)/pkgconfig/libcrypto.pc
-	$(RM) $(DESTDIR)$(libdir)/pkgconfig/libssl.pc
-	$(RM) $(DESTDIR)$(libdir)/pkgconfig/openssl.pc
-	-$(RMDIR) $(DESTDIR)$(libdir)/pkgconfig
-	-$(RMDIR) $(DESTDIR)$(libdir)
+	$(RM) "$(DESTDIR)$(libdir)/pkgconfig/libcrypto.pc"
+	$(RM) "$(DESTDIR)$(libdir)/pkgconfig/libssl.pc"
+	$(RM) "$(DESTDIR)$(libdir)/pkgconfig/openssl.pc"
+	-$(RMDIR) "$(DESTDIR)$(libdir)/pkgconfig"
+	-$(RMDIR) "$(DESTDIR)$(libdir)"
 
 _install_modules_deps: install_runtime_libs build_modules
 
 install_engines: _install_modules_deps
 	@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
-	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(ENGINESDIR)/
+	@$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(ENGINESDIR)/"
 	@$(ECHO) "*** Installing engines"
 	@set -e; for e in dummy $(INSTALL_ENGINES); do \
 		if [ "$$e" = "dummy" ]; then continue; fi; \
 		fn=`basename $$e`; \
 		$(ECHO) "install $$e -> $(DESTDIR)$(ENGINESDIR)/$$fn"; \
-		cp $$e $(DESTDIR)$(ENGINESDIR)/$$fn.new; \
-		chmod 755 $(DESTDIR)$(ENGINESDIR)/$$fn.new; \
-		mv -f $(DESTDIR)$(ENGINESDIR)/$$fn.new \
-		      $(DESTDIR)$(ENGINESDIR)/$$fn; \
+		cp $$e "$(DESTDIR)$(ENGINESDIR)/$$fn.new"; \
+		chmod 755 "$(DESTDIR)$(ENGINESDIR)/$$fn.new"; \
+		mv -f "$(DESTDIR)$(ENGINESDIR)/$$fn.new" \
+		      "$(DESTDIR)$(ENGINESDIR)/$$fn"; \
 	done
 
 uninstall_engines:
@@ -836,22 +836,22 @@ uninstall_engines:
 		if [ "$$e" = "dummy" ]; then continue; fi; \
 		fn=`basename $$e`; \
 		$(ECHO) "$(RM) $(DESTDIR)$(ENGINESDIR)/$$fn"; \
-		$(RM) $(DESTDIR)$(ENGINESDIR)/$$fn; \
+		$(RM) "$(DESTDIR)$(ENGINESDIR)/$$fn"; \
 	done
-	-$(RMDIR) $(DESTDIR)$(ENGINESDIR)
+	-$(RMDIR) "$(DESTDIR)$(ENGINESDIR)"
 
 install_modules: _install_modules_deps
 	@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
-	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(MODULESDIR)/
+	@$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(MODULESDIR)/"
 	@$(ECHO) "*** Installing modules"
 	@set -e; for e in dummy $(INSTALL_MODULES); do \
 		if [ "$$e" = "dummy" ]; then continue; fi; \
 		fn=`basename $$e`; \
 		$(ECHO) "install $$e -> $(DESTDIR)$(MODULESDIR)/$$fn"; \
-		cp $$e $(DESTDIR)$(MODULESDIR)/$$fn.new; \
-		chmod 755 $(DESTDIR)$(MODULESDIR)/$$fn.new; \
-		mv -f $(DESTDIR)$(MODULESDIR)/$$fn.new \
-		      $(DESTDIR)$(MODULESDIR)/$$fn; \
+		cp $$e "$(DESTDIR)$(MODULESDIR)/$$fn.new"; \
+		chmod 755 "$(DESTDIR)$(MODULESDIR)/$$fn.new"; \
+		mv -f "$(DESTDIR)$(MODULESDIR)/$$fn.new" \
+		      "$(DESTDIR)$(MODULESDIR)/$$fn"; \
 	done
 
 uninstall_modules:
@@ -860,18 +860,18 @@ uninstall_modules:
 		if [ "$$e" = "dummy" ]; then continue; fi; \
 		fn=`basename $$e`; \
 		$(ECHO) "$(RM) $(DESTDIR)$(MODULESDIR)/$$fn"; \
-		$(RM) $(DESTDIR)$(MODULESDIR)/$$fn; \
+		$(RM) "$(DESTDIR)$(MODULESDIR)/$$fn"; \
 	done
-	-$(RMDIR) $(DESTDIR)$(MODULESDIR)
+	-$(RMDIR) "$(DESTDIR)$(MODULESDIR)"
 
 install_runtime: install_programs
 
 install_runtime_libs: build_libs
 	@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
 	@ : {- output_off() if windowsdll(); "" -}
-	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(libdir)
+	@$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(libdir)"
 	@ : {- output_on() if windowsdll(); output_off() unless windowsdll(); "" -}
-	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/bin
+	@$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(INSTALLTOP)/bin"
 	@ : {- output_on() unless windowsdll(); "" -}
 	@$(ECHO) "*** Installing runtime libraries"
 	@set -e; for s in dummy $(INSTALL_SHLIBS); do \
@@ -879,40 +879,40 @@ install_runtime_libs: build_libs
 		fn=`basename $$s`; \
 		: {- output_off() unless windowsdll(); "" -}; \
 		$(ECHO) "install $$s -> $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
-		cp $$s $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new; \
-		chmod 755 $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new; \
-		mv -f $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new \
-		      $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
+		cp $$s "$(DESTDIR)$(INSTALLTOP)/bin/$$fn.new"; \
+		chmod 755 "$(DESTDIR)$(INSTALLTOP)/bin/$$fn.new"; \
+		mv -f "$(DESTDIR)$(INSTALLTOP)/bin/$$fn.new" \
+		      "$(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
 		: {- output_on() unless windowsdll(); "" -}{- output_off() if windowsdll(); "" -}; \
 		$(ECHO) "install $$s -> $(DESTDIR)$(libdir)/$$fn"; \
-		cp $$s $(DESTDIR)$(libdir)/$$fn.new; \
-		chmod 755 $(DESTDIR)$(libdir)/$$fn.new; \
-		mv -f $(DESTDIR)$(libdir)/$$fn.new \
-		      $(DESTDIR)$(libdir)/$$fn; \
+		cp $$s "$(DESTDIR)$(libdir)/$$fn.new"; \
+		chmod 755 "$(DESTDIR)$(libdir)/$$fn.new"; \
+		mv -f "$(DESTDIR)$(libdir)/$$fn.new" \
+		      "$(DESTDIR)$(libdir)/$$fn"; \
 		: {- output_on() if windowsdll(); "" -}; \
 	done
 
 install_programs: install_runtime_libs build_programs
 	@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
-	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/bin
+	@$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(INSTALLTOP)/bin"
 	@$(ECHO) "*** Installing runtime programs"
 	@set -e; for x in dummy $(INSTALL_PROGRAMS); do \
 		if [ "$$x" = "dummy" ]; then continue; fi; \
 		fn=`basename $$x`; \
 		$(ECHO) "install $$x -> $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
-		cp $$x $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new; \
-		chmod 755 $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new; \
-		mv -f $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new \
-		      $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
+		cp $$x "$(DESTDIR)$(INSTALLTOP)/bin/$$fn.new"; \
+		chmod 755 "$(DESTDIR)$(INSTALLTOP)/bin/$$fn.new"; \
+		mv -f "$(DESTDIR)$(INSTALLTOP)/bin/$$fn.new" \
+		      "$(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
 	done
 	@set -e; for x in dummy $(BIN_SCRIPTS); do \
 		if [ "$$x" = "dummy" ]; then continue; fi; \
 		fn=`basename $$x`; \
 		$(ECHO) "install $$x -> $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
-		cp $$x $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new; \
-		chmod 755 $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new; \
-		mv -f $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new \
-		      $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
+		cp $$x "$(DESTDIR)$(INSTALLTOP)/bin/$$fn.new"; \
+		chmod 755 "$(DESTDIR)$(INSTALLTOP)/bin/$$fn.new"; \
+		mv -f "$(DESTDIR)$(INSTALLTOP)/bin/$$fn.new" \
+		      "$(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
 	done
 
 uninstall_runtime: uninstall_programs uninstall_runtime_libs
@@ -924,16 +924,16 @@ uninstall_programs:
 		if [ "$$x" = "dummy" ]; then continue; fi; \
 		fn=`basename $$x`; \
 		$(ECHO) "$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
-		$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
+		$(RM) "$(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
 	done;
 	@set -e; for x in dummy $(BIN_SCRIPTS); \
 	do  \
 		if [ "$$x" = "dummy" ]; then continue; fi; \
 		fn=`basename $$x`; \
 		$(ECHO) "$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
-		$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
+		$(RM) "$(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
 	done
-	-$(RMDIR) $(DESTDIR)$(INSTALLTOP)/bin
+	-$(RMDIR) "$(DESTDIR)$(INSTALLTOP)/bin"
 
 uninstall_runtime_libs:
 	@$(ECHO) "*** Uninstalling runtime libraries"
@@ -942,49 +942,49 @@ uninstall_runtime_libs:
 		if [ "$$s" = "dummy" ]; then continue; fi; \
 		fn=`basename $$s`; \
 		$(ECHO) "$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
-		$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
+		$(RM) "$(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
 	done
 	@ : {- output_on() unless windowsdll(); "" -}
 
 
 install_man_docs: build_man_docs
 	@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
-	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(MANDIR)/man1
-	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(MANDIR)/man3
-	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(MANDIR)/man5
-	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(MANDIR)/man7
+	@$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(MANDIR)/man1"
+	@$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(MANDIR)/man3"
+	@$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(MANDIR)/man5"
+	@$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(MANDIR)/man7"
 	@$(ECHO) "*** Installing manpages"
 	@set -e; for x in dummy $(MANDOCS1); do \
 		if [ "$$x" = "dummy" ]; then continue; fi; \
 		fn=`basename $$x`; \
 		$(ECHO) "install $$x -> $(DESTDIR)$(MANDIR)/man1/$${fn}$(MANSUFFIX)"; \
-		cp $$x $(DESTDIR)$(MANDIR)/man1/$${fn}$(MANSUFFIX); \
-		chmod 644 $(DESTDIR)$(MANDIR)/man1/$${fn}$(MANSUFFIX); \
-		$(PERL) $(SRCDIR)/util/write-man-symlinks install $(SRCDIR)/doc/man1 $(BLDDIR)/doc/man1 $${fn}$(MANSUFFIX) $(DESTDIR)$(MANDIR)/man1; \
+		cp $$x "$(DESTDIR)$(MANDIR)/man1/$${fn}$(MANSUFFIX)"; \
+		chmod 644 "$(DESTDIR)$(MANDIR)/man1/$${fn}$(MANSUFFIX)"; \
+		$(PERL) $(SRCDIR)/util/write-man-symlinks install $(SRCDIR)/doc/man1 $(BLDDIR)/doc/man1 $${fn}$(MANSUFFIX) "$(DESTDIR)$(MANDIR)/man1"; \
 	done
 	@set -e; for x in dummy $(MANDOCS3); do \
 		if [ "$$x" = "dummy" ]; then continue; fi; \
 		fn=`basename $$x`; \
 		$(ECHO) "install $$x -> $(DESTDIR)$(MANDIR)/man3/$${fn}$(MANSUFFIX)"; \
-		cp $$x $(DESTDIR)$(MANDIR)/man3/$${fn}$(MANSUFFIX); \
-		chmod 644 $(DESTDIR)$(MANDIR)/man3/$${fn}$(MANSUFFIX); \
-		$(PERL) $(SRCDIR)/util/write-man-symlinks install $(SRCDIR)/doc/man3 $(BLDDIR)/doc/man3 $${fn}$(MANSUFFIX) $(DESTDIR)$(MANDIR)/man3; \
+		cp $$x "$(DESTDIR)$(MANDIR)/man3/$${fn}$(MANSUFFIX)"; \
+		chmod 644 "$(DESTDIR)$(MANDIR)/man3/$${fn}$(MANSUFFIX)"; \
+		$(PERL) $(SRCDIR)/util/write-man-symlinks install $(SRCDIR)/doc/man3 $(BLDDIR)/doc/man3 $${fn}$(MANSUFFIX) "$(DESTDIR)$(MANDIR)/man3"; \
 	done
 	@set -e; for x in dummy $(MANDOCS5); do \
 		if [ "$$x" = "dummy" ]; then continue; fi; \
 		fn=`basename $$x`; \
 		$(ECHO) "install $$x -> $(DESTDIR)$(MANDIR)/man5/$${fn}$(MANSUFFIX)"; \
-		cp $$x $(DESTDIR)$(MANDIR)/man5/$${fn}$(MANSUFFIX); \
-		chmod 644 $(DESTDIR)$(MANDIR)/man5/$${fn}$(MANSUFFIX); \
-		$(PERL) $(SRCDIR)/util/write-man-symlinks install $(SRCDIR)/doc/man5 $(BLDDIR)/doc/man5 $${fn}$(MANSUFFIX) $(DESTDIR)$(MANDIR)/man5; \
+		cp $$x "$(DESTDIR)$(MANDIR)/man5/$${fn}$(MANSUFFIX)"; \
+		chmod 644 "$(DESTDIR)$(MANDIR)/man5/$${fn}$(MANSUFFIX)"; \
+		$(PERL) $(SRCDIR)/util/write-man-symlinks install $(SRCDIR)/doc/man5 $(BLDDIR)/doc/man5 $${fn}$(MANSUFFIX) "$(DESTDIR)$(MANDIR)/man5"; \
 	done
 	@set -e; for x in dummy $(MANDOCS7); do \
 		if [ "$$x" = "dummy" ]; then continue; fi; \
 		fn=`basename $$x`; \
 		$(ECHO) "install $$x -> $(DESTDIR)$(MANDIR)/man7/$${fn}$(MANSUFFIX)"; \
-		cp $$x $(DESTDIR)$(MANDIR)/man7/$${fn}$(MANSUFFIX); \
-		chmod 644 $(DESTDIR)$(MANDIR)/man7/$${fn}$(MANSUFFIX); \
-		$(PERL) $(SRCDIR)/util/write-man-symlinks install $(SRCDIR)/doc/man7 $(BLDDIR)/doc/man7 $${fn}$(MANSUFFIX) $(DESTDIR)$(MANDIR)/man7; \
+		cp $$x "$(DESTDIR)$(MANDIR)/man7/$${fn}$(MANSUFFIX)"; \
+		chmod 644 "$(DESTDIR)$(MANDIR)/man7/$${fn}$(MANSUFFIX)"; \
+		$(PERL) $(SRCDIR)/util/write-man-symlinks install $(SRCDIR)/doc/man7 $(BLDDIR)/doc/man7 $${fn}$(MANSUFFIX) "$(DESTDIR)$(MANDIR)/man7"; \
 	done
 
 uninstall_man_docs: build_man_docs
@@ -993,65 +993,65 @@ uninstall_man_docs: build_man_docs
 		if [ "$$x" = "dummy" ]; then continue; fi; \
 		fn=`basename $$x`; \
 		$(ECHO) "$(RM) $(DESTDIR)$(MANDIR)/man1/$${fn}$(MANSUFFIX)"; \
-		$(RM) $(DESTDIR)$(MANDIR)/man1/$${fn}$(MANSUFFIX); \
-		$(PERL) $(SRCDIR)/util/write-man-symlinks uninstall $(SRCDIR)/doc/man1 $(BLDDIR)/doc/man1 $${fn}$(MANSUFFIX) $(DESTDIR)$(MANDIR)/man1; \
+		$(RM) "$(DESTDIR)$(MANDIR)/man1/$${fn}$(MANSUFFIX)"; \
+		$(PERL) $(SRCDIR)/util/write-man-symlinks uninstall $(SRCDIR)/doc/man1 $(BLDDIR)/doc/man1 $${fn}$(MANSUFFIX) "$(DESTDIR)$(MANDIR)/man1"; \
 	done
 	@set -e; for x in dummy $(MANDOCS3); do \
 		if [ "$$x" = "dummy" ]; then continue; fi; \
 		fn=`basename $$x`; \
 		$(ECHO) "$(RM) $(DESTDIR)$(MANDIR)/man3/$${fn}$(MANSUFFIX)"; \
-		$(RM) $(DESTDIR)$(MANDIR)/man3/$${fn}$(MANSUFFIX); \
-		$(PERL) $(SRCDIR)/util/write-man-symlinks uninstall $(SRCDIR)/doc/man3 $(BLDDIR)/doc/man3 $${fn}$(MANSUFFIX) $(DESTDIR)$(MANDIR)/man3; \
+		$(RM) "$(DESTDIR)$(MANDIR)/man3/$${fn}$(MANSUFFIX)"; \
+		$(PERL) $(SRCDIR)/util/write-man-symlinks uninstall $(SRCDIR)/doc/man3 $(BLDDIR)/doc/man3 $${fn}$(MANSUFFIX) "$(DESTDIR)$(MANDIR)/man3"; \
 	done
 	@set -e; for x in dummy $(MANDOCS5); do \
 		if [ "$$x" = "dummy" ]; then continue; fi; \
 		fn=`basename $$x`; \
 		$(ECHO) "$(RM) $(DESTDIR)$(MANDIR)/man5/$${fn}$(MANSUFFIX)"; \
-		$(RM) $(DESTDIR)$(MANDIR)/man5/$${fn}$(MANSUFFIX); \
-		$(PERL) $(SRCDIR)/util/write-man-symlinks uninstall $(SRCDIR)/doc/man5 $(BLDDIR)/doc/man5 $${fn}$(MANSUFFIX) $(DESTDIR)$(MANDIR)/man5; \
+		$(RM) "$(DESTDIR)$(MANDIR)/man5/$${fn}$(MANSUFFIX)"; \
+		$(PERL) $(SRCDIR)/util/write-man-symlinks uninstall $(SRCDIR)/doc/man5 $(BLDDIR)/doc/man5 $${fn}$(MANSUFFIX) "$(DESTDIR)$(MANDIR)/man5"; \
 	done
 	@set -e; for x in dummy $(MANDOCS7); do \
 		if [ "$$x" = "dummy" ]; then continue; fi; \
 		fn=`basename $$x`; \
 		$(ECHO) "$(RM) $(DESTDIR)$(MANDIR)/man7/$${fn}$(MANSUFFIX)"; \
-		$(RM) $(DESTDIR)$(MANDIR)/man7/$${fn}$(MANSUFFIX); \
-		$(PERL) $(SRCDIR)/util/write-man-symlinks uninstall $(SRCDIR)/doc/man7 $(BLDDIR)/doc/man7 $${fn}$(MANSUFFIX) $(DESTDIR)$(MANDIR)/man7; \
+		$(RM) "$(DESTDIR)$(MANDIR)/man7/$${fn}$(MANSUFFIX)"; \
+		$(PERL) $(SRCDIR)/util/write-man-symlinks uninstall $(SRCDIR)/doc/man7 $(BLDDIR)/doc/man7 $${fn}$(MANSUFFIX) "$(DESTDIR)$(MANDIR)/man7"; \
 	done
 
 install_html_docs: install_image_docs build_html_docs
 	@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
-	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(HTMLDIR)/man1
-	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(HTMLDIR)/man3
-	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(HTMLDIR)/man5
-	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(HTMLDIR)/man7
+	@$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(HTMLDIR)/man1"
+	@$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(HTMLDIR)/man3"
+	@$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(HTMLDIR)/man5"
+	@$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(HTMLDIR)/man7"
 	@$(ECHO) "*** Installing HTML manpages"
 	@set -e; for x in dummy $(HTMLDOCS1); do \
 		if [ "$$x" = "dummy" ]; then continue; fi; \
 		fn=`basename $$x`; \
 		$(ECHO) "install $$x -> $(DESTDIR)$(HTMLDIR)/man1/$$fn"; \
-		cp $$x $(DESTDIR)$(HTMLDIR)/man1/$$fn; \
-		chmod 644 $(DESTDIR)$(HTMLDIR)/man1/$$fn; \
+		cp $$x "$(DESTDIR)$(HTMLDIR)/man1/$$fn"; \
+		chmod 644 "$(DESTDIR)$(HTMLDIR)/man1/$$fn"; \
 	done
 	@set -e; for x in dummy $(HTMLDOCS3); do \
 		if [ "$$x" = "dummy" ]; then continue; fi; \
 		fn=`basename $$x`; \
 		$(ECHO) "install $$x -> $(DESTDIR)$(HTMLDIR)/man3/$$fn"; \
-		cp $$x $(DESTDIR)$(HTMLDIR)/man3/$$fn; \
-		chmod 644 $(DESTDIR)$(HTMLDIR)/man3/$$fn; \
+		cp $$x "$(DESTDIR)$(HTMLDIR)/man3/$$fn"; \
+		chmod 644 "$(DESTDIR)$(HTMLDIR)/man3/$$fn"; \
 	done
 	@set -e; for x in dummy $(HTMLDOCS5); do \
 		if [ "$$x" = "dummy" ]; then continue; fi; \
 		fn=`basename $$x`; \
 		$(ECHO) "install $$x -> $(DESTDIR)$(HTMLDIR)/man5/$$fn"; \
-		cp $$x $(DESTDIR)$(HTMLDIR)/man5/$$fn; \
-		chmod 644 $(DESTDIR)$(HTMLDIR)/man5/$$fn; \
+		cp $$x "$(DESTDIR)$(HTMLDIR)/man5/$$fn"; \
+		chmod 644 "$(DESTDIR)$(HTMLDIR)/man5/$$fn"; \
 	done
 	@set -e; for x in dummy $(HTMLDOCS7); do \
 		if [ "$$x" = "dummy" ]; then continue; fi; \
 		fn=`basename $$x`; \
 		$(ECHO) "install $$x -> $(DESTDIR)$(HTMLDIR)/man7/$$fn"; \
-		cp $$x $(DESTDIR)$(HTMLDIR)/man7/$$fn; \
-		chmod 644 $(DESTDIR)$(HTMLDIR)/man7/$$fn; \
+		cp $$x "$(DESTDIR)$(HTMLDIR)/man7/$$fn"; \
+		chmod 644 "$(DESTDIR)$(HTMLDIR)/man7/$$fn"; \
 	done
 
 uninstall_html_docs: uninstall_image_docs
@@ -1060,35 +1060,35 @@ uninstall_html_docs: uninstall_image_docs
 		if [ "$$x" = "dummy" ]; then continue; fi; \
 		fn=`basename $$x`; \
 		$(ECHO) "$(RM) $(DESTDIR)$(HTMLDIR)/man1/$$fn"; \
-		$(RM) $(DESTDIR)$(HTMLDIR)/man1/$$fn; \
+		$(RM) "$(DESTDIR)$(HTMLDIR)/man1/$$fn"; \
 	done
 	@set -e; for x in dummy $(HTMLDOCS3); do \
 		if [ "$$x" = "dummy" ]; then continue; fi; \
 		fn=`basename $$x`; \
 		$(ECHO) "$(RM) $(DESTDIR)$(HTMLDIR)/man3/$$fn"; \
-		$(RM) $(DESTDIR)$(HTMLDIR)/man3/$$fn; \
+		$(RM) "$(DESTDIR)$(HTMLDIR)/man3/$$fn"; \
 	done
 	@set -e; for x in dummy $(HTMLDOCS5); do \
 		if [ "$$x" = "dummy" ]; then continue; fi; \
 		fn=`basename $$x`; \
 		$(ECHO) "$(RM) $(DESTDIR)$(HTMLDIR)/man5/$$fn"; \
-		$(RM) $(DESTDIR)$(HTMLDIR)/man5/$$fn; \
+		$(RM) "$(DESTDIR)$(HTMLDIR)/man5/$$fn"; \
 	done
 	@set -e; for x in dummy $(HTMLDOCS7); do \
 		if [ "$$x" = "dummy" ]; then continue; fi; \
 		fn=`basename $$x`; \
 		$(ECHO) "$(RM) $(DESTDIR)$(HTMLDIR)/man7/$$fn"; \
-		$(RM) $(DESTDIR)$(HTMLDIR)/man7/$$fn; \
+		$(RM) "$(DESTDIR)$(HTMLDIR)/man7/$$fn"; \
 	done
 
 install_image_docs:
-	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(HTMLDIR)/man7/img
+	@$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(HTMLDIR)/man7/img"
 	@set -e; for x in dummy $(IMAGEDOCS7); do \
 		if [ "$$x" = "dummy" ]; then continue; fi; \
 		fn=`basename $$x`; \
 		$(ECHO) "install $$x -> $(DESTDIR)$(HTMLDIR)/man7/img/$$fn"; \
-		cp $(SRCDIR)/$$x $(DESTDIR)$(HTMLDIR)/man7/img/$$fn; \
-		chmod 644 $(DESTDIR)$(HTMLDIR)/man7/img/$$fn; \
+		cp $(SRCDIR)/$$x "$(DESTDIR)$(HTMLDIR)/man7/img/$$fn"; \
+		chmod 644 "$(DESTDIR)$(HTMLDIR)/man7/img/$$fn"; \
 	done
 
 uninstall_image_docs:
@@ -1096,7 +1096,7 @@ uninstall_image_docs:
 		if [ "$$x" = "dummy" ]; then continue; fi; \
 		fn=`basename $$x`; \
 		$(ECHO) "$(RM) $(DESTDIR)$(HTMLDIR)/man7/img/$$fn"; \
-		$(RM) $(DESTDIR)$(HTMLDIR)/man7/img/$$fn; \
+		$(RM) "$(DESTDIR)$(HTMLDIR)/man7/img/$$fn"; \
 	done
 
 # Developer targets (note: these are only available on Unix) #########

+ 2 - 2
libs/openssl/INSTALL.md

@@ -2,8 +2,8 @@ Build and Install
 =================
 
 This document describes installation on all supported operating
-systems (the Unix/Linux family, including macOS), OpenVMS,
-and Windows).
+systems: the Unix/Linux family (including macOS), OpenVMS,
+and Windows.
 
 Table of Contents
 =================

+ 6 - 0
libs/openssl/NEWS.md

@@ -19,6 +19,11 @@ OpenSSL Releases
 OpenSSL 3.1
 -----------
 
+### Major changes between OpenSSL 3.1.3 and OpenSSL 3.1.4 [24 Oct 2023]
+
+  * Mitigate incorrect resize handling for symmetric cipher keys and IVs.
+    ([CVE-2023-5363])
+
 ### Major changes between OpenSSL 3.1.2 and OpenSSL 3.1.3 [19 Sep 2023]
 
   * Fix POLY1305 MAC implementation corrupting XMM registers on Windows
@@ -1469,6 +1474,7 @@ OpenSSL 0.9.x
 
 <!-- Links -->
 
+[CVE-2023-5363]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5363
 [CVE-2023-4807]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-4807
 [CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817
 [CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446

+ 2 - 2
libs/openssl/VERSION.dat

@@ -1,7 +1,7 @@
 MAJOR=3
 MINOR=1
-PATCH=3
+PATCH=4
 PRE_RELEASE_TAG=
 BUILD_METADATA=
-RELEASE_DATE="19 Sep 2023"
+RELEASE_DATE="24 Oct 2023"
 SHLIB_VERSION=3

+ 2 - 0
libs/openssl/apps/dgst.c

@@ -320,6 +320,8 @@ int dgst_main(int argc, char **argv)
         sigkey = app_keygen(mac_ctx, mac_name, 0, 0 /* not verbose */);
         /* Verbose output would make external-tests gost-engine fail */
         EVP_PKEY_CTX_free(mac_ctx);
+        if (sigkey == NULL)
+            goto end;
     }
 
     if (hmac_key != NULL) {

+ 3 - 1
libs/openssl/apps/dhparam.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -222,6 +222,8 @@ int dhparam_main(int argc, char **argv)
         }
 
         tmppkey = app_paramgen(ctx, alg);
+        if (tmppkey == NULL)
+            goto end;
         EVP_PKEY_CTX_free(ctx);
         ctx = NULL;
         if (dsaparam) {

+ 3 - 1
libs/openssl/apps/dsaparam.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -218,6 +218,8 @@ int dsaparam_main(int argc, char **argv)
             goto end;
         }
         pkey = app_keygen(ctx, "DSA", numbits, verbose);
+        if (pkey == NULL)
+            goto end;
         assert(private);
         if (outformat == FORMAT_ASN1)
             i = i2d_PrivateKey_bio(out, pkey);

+ 4 - 1
libs/openssl/apps/enc.c

@@ -624,7 +624,10 @@ int enc_main(int argc, char **argv)
         }
     }
     if (!BIO_flush(wbio)) {
-        BIO_printf(bio_err, "bad decrypt\n");
+        if (enc)
+            BIO_printf(bio_err, "bad encrypt\n");
+        else
+            BIO_printf(bio_err, "bad decrypt\n");
         goto end;
     }
 

+ 3 - 1
libs/openssl/apps/gendsa.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -146,6 +146,8 @@ int gendsa_main(int argc, char **argv)
         goto end;
     }
     pkey = app_keygen(ctx, "DSA", nbits, verbose);
+    if (pkey == NULL)
+        goto end;
 
     assert(private);
     if (!PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, passout)) {

+ 3 - 1
libs/openssl/apps/genpkey.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -183,6 +183,8 @@ int genpkey_main(int argc, char **argv)
 
     pkey = do_param ? app_paramgen(ctx, algname)
                     : app_keygen(ctx, algname, 0, 0 /* not verbose */);
+    if (pkey == NULL)
+        goto end;
 
     if (do_param) {
         rv = PEM_write_bio_Parameters(out, pkey);

+ 3 - 1
libs/openssl/apps/genrsa.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -203,6 +203,8 @@ opthelp:
         goto end;
     }
     pkey = app_keygen(ctx, "RSA", num, verbose);
+    if (pkey == NULL)
+        goto end;
 
     if (verbose) {
         BIGNUM *e = NULL;

+ 10 - 6
libs/openssl/apps/lib/apps.c

@@ -956,10 +956,14 @@ int load_key_certs_crls(const char *uri, int format, int maybe_stdin,
         ctx = OSSL_STORE_open_ex(uri, libctx, propq, get_ui_method(), &uidata,
                                  params, NULL, NULL);
     }
-    if (ctx == NULL)
+    if (ctx == NULL) {
+        BIO_printf(bio_err, "Could not open file or uri for loading");
         goto end;
-    if (expect > 0 && !OSSL_STORE_expect(ctx, expect))
+    }
+    if (expect > 0 && !OSSL_STORE_expect(ctx, expect)) {
+        BIO_printf(bio_err, "Internal error trying to load");
         goto end;
+    }
 
     failed = NULL;
     while (cnt_expectations > 0 && !OSSL_STORE_eof(ctx)) {
@@ -3351,8 +3355,8 @@ EVP_PKEY *app_keygen(EVP_PKEY_CTX *ctx, const char *alg, int bits, int verbose)
         BIO_printf(bio_err, "Warning: generating random key material may take a long time\n"
                    "if the system has a poor entropy source\n");
     if (EVP_PKEY_keygen(ctx, &res) <= 0)
-        app_bail_out("%s: Error generating %s key\n", opt_getprog(),
-                     alg != NULL ? alg : "asymmetric");
+        BIO_printf(bio_err, "%s: Error generating %s key\n", opt_getprog(),
+                   alg != NULL ? alg : "asymmetric");
     return res;
 }
 
@@ -3364,8 +3368,8 @@ EVP_PKEY *app_paramgen(EVP_PKEY_CTX *ctx, const char *alg)
         BIO_printf(bio_err, "Warning: generating random key parameters may take a long time\n"
                    "if the system has a poor entropy source\n");
     if (EVP_PKEY_paramgen(ctx, &res) <= 0)
-        app_bail_out("%s: Generating %s key parameters failed\n",
-                     opt_getprog(), alg != NULL ? alg : "asymmetric");
+        BIO_printf(bio_err, "%s: Generating %s key parameters failed\n",
+                   opt_getprog(), alg != NULL ? alg : "asymmetric");
     return res;
 }
 

+ 2 - 0
libs/openssl/apps/req.c

@@ -685,6 +685,8 @@ int req_main(int argc, char **argv)
         EVP_PKEY_CTX_set_app_data(genctx, bio_err);
 
         pkey = app_keygen(genctx, keyalgstr, newkey_len, verbose);
+        if (pkey == NULL)
+            goto end;
 
         EVP_PKEY_CTX_free(genctx);
         genctx = NULL;

+ 2 - 1
libs/openssl/apps/speed.c

@@ -3747,7 +3747,8 @@ static void multiblock_speed(const EVP_CIPHER *evp_cipher, int lengths_single,
             } else {
                 int pad;
 
-                RAND_bytes(out, 16);
+                if (RAND_bytes(inp, 16) <= 0)
+                    app_bail_out("error setting random bytes\n");
                 len += 16;
                 aad[11] = (unsigned char)(len >> 8);
                 aad[12] = (unsigned char)(len);

+ 4 - 4
libs/openssl/crypto/bn/bn_gcd.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -642,9 +642,9 @@ int BN_gcd(BIGNUM *r, const BIGNUM *in_a, const BIGNUM *in_b, BN_CTX *ctx)
 
     for (i = 0; i < m; i++) {
         /* conditionally flip signs if delta is positive and g is odd */
-        cond = (-delta >> (8 * sizeof(delta) - 1)) & g->d[0] & 1
+        cond = ((unsigned int)-delta >> (8 * sizeof(delta) - 1)) & g->d[0] & 1
             /* make sure g->top > 0 (i.e. if top == 0 then g == 0 always) */
-            & (~((g->top - 1) >> (sizeof(g->top) * 8 - 1)));
+            & (~((unsigned int)(g->top - 1) >> (sizeof(g->top) * 8 - 1)));
         delta = (-cond & -delta) | ((cond - 1) & delta);
         r->neg ^= cond;
         /* swap */
@@ -656,7 +656,7 @@ int BN_gcd(BIGNUM *r, const BIGNUM *in_a, const BIGNUM *in_b, BN_CTX *ctx)
             goto err;
         BN_consttime_swap(g->d[0] & 1 /* g is odd */
                 /* make sure g->top > 0 (i.e. if top == 0 then g == 0 always) */
-                & (~((g->top - 1) >> (sizeof(g->top) * 8 - 1))),
+                & (~((unsigned int)(g->top - 1) >> (sizeof(g->top) * 8 - 1))),
                 g, temp, top);
         if (!BN_rshift1(g, g))
             goto err;

+ 0 - 2
libs/openssl/crypto/build.info

@@ -101,8 +101,6 @@ $UTIL_COMMON=\
         context.c sparse_array.c asn1_dsa.c packet.c param_build.c \
         param_build_set.c der_writer.c threads_lib.c params_dup.c
 
-SHARED_SOURCE[../libssl]=sparse_array.c
-
 SOURCE[../libcrypto]=$UTIL_COMMON \
         mem.c mem_sec.c \
         cversion.c info.c cpt_err.c ebcdic.c uid.c o_time.c o_dir.c \

+ 3 - 2
libs/openssl/crypto/cms/cms_enc.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2008-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -15,6 +15,7 @@
 #include <openssl/cms.h>
 #include <openssl/rand.h>
 #include "crypto/evp.h"
+#include "crypto/asn1.h"
 #include "cms_local.h"
 
 /* CMS EncryptedData Utilities */
@@ -81,7 +82,7 @@ BIO *ossl_cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec,
 
     if (enc) {
         calg->algorithm = OBJ_nid2obj(EVP_CIPHER_CTX_get_type(ctx));
-        if (calg->algorithm == NULL) {
+        if (calg->algorithm == NULL || calg->algorithm->nid == NID_undef) {
             ERR_raise(ERR_LIB_CMS, CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM);
             goto err;
         }

+ 3 - 1
libs/openssl/crypto/cms/cms_err.c

@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -154,6 +154,8 @@ static const ERR_STRING_DATA CMS_str_reasons[] = {
     "unsupported recipientinfo type"},
     {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_RECIPIENT_TYPE),
     "unsupported recipient type"},
+    {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_SIGNATURE_ALGORITHM),
+    "unsupported signature algorithm"},
     {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_TYPE), "unsupported type"},
     {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNWRAP_ERROR), "unwrap error"},
     {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNWRAP_FAILURE), "unwrap failure"},

+ 11 - 3
libs/openssl/crypto/cms/cms_sd.c

@@ -385,11 +385,16 @@ CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms,
 
     if (md == NULL) {
         int def_nid;
-        if (EVP_PKEY_get_default_digest_nid(pk, &def_nid) <= 0)
+
+        if (EVP_PKEY_get_default_digest_nid(pk, &def_nid) <= 0) {
+            ERR_raise_data(ERR_LIB_CMS, CMS_R_NO_DEFAULT_DIGEST,
+                           "pkey nid=%d", EVP_PKEY_get_id(pk));
             goto err;
+        }
         md = EVP_get_digestbynid(def_nid);
         if (md == NULL) {
-            ERR_raise(ERR_LIB_CMS, CMS_R_NO_DEFAULT_DIGEST);
+            ERR_raise_data(ERR_LIB_CMS, CMS_R_NO_DEFAULT_DIGEST,
+                           "default md nid=%d", def_nid);
             goto err;
         }
     }
@@ -429,8 +434,11 @@ CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms,
         }
     }
 
-    if (!(flags & CMS_KEY_PARAM) && !cms_sd_asn1_ctrl(si, 0))
+    if (!(flags & CMS_KEY_PARAM) && !cms_sd_asn1_ctrl(si, 0)) {
+        ERR_raise_data(ERR_LIB_CMS, CMS_R_UNSUPPORTED_SIGNATURE_ALGORITHM,
+                       "pkey nid=%d", EVP_PKEY_get_id(pk));
         goto err;
+    }
     if (!(flags & CMS_NOATTR)) {
         /*
          * Initialize signed attributes structure so other attributes

+ 2 - 1
libs/openssl/crypto/dh/dh_check.c

@@ -259,7 +259,8 @@ int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
  */
 int ossl_dh_check_pub_key_partial(const DH *dh, const BIGNUM *pub_key, int *ret)
 {
-    return ossl_ffc_validate_public_key_partial(&dh->params, pub_key, ret);
+    return ossl_ffc_validate_public_key_partial(&dh->params, pub_key, ret)
+           && *ret == 0;
 }
 
 int ossl_dh_check_priv_key(const DH *dh, const BIGNUM *priv_key, int *ret)

+ 1 - 2
libs/openssl/crypto/dh/dh_key.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -190,7 +190,6 @@ static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
 static int dh_init(DH *dh)
 {
     dh->flags |= DH_FLAG_CACHE_MONT_P;
-    ossl_ffc_params_init(&dh->params);
     dh->dirty_cnt++;
     return 1;
 }

+ 3 - 1
libs/openssl/crypto/dh/dh_lib.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -116,6 +116,8 @@ static DH *dh_new_intern(ENGINE *engine, OSSL_LIB_CTX *libctx)
         goto err;
 #endif /* FIPS_MODULE */
 
+    ossl_ffc_params_init(&ret->params);
+
     if ((ret->meth->init != NULL) && !ret->meth->init(ret)) {
         ERR_raise(ERR_LIB_DH, ERR_R_INIT_FAIL);
         goto err;

+ 5 - 3
libs/openssl/crypto/dsa/dsa_check.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -39,7 +39,8 @@ int ossl_dsa_check_params(const DSA *dsa, int checktype, int *ret)
  */
 int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret)
 {
-    return ossl_ffc_validate_public_key(&dsa->params, pub_key, ret);
+    return ossl_ffc_validate_public_key(&dsa->params, pub_key, ret)
+           && *ret == 0;
 }
 
 /*
@@ -49,7 +50,8 @@ int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret)
  */
 int ossl_dsa_check_pub_key_partial(const DSA *dsa, const BIGNUM *pub_key, int *ret)
 {
-    return ossl_ffc_validate_public_key_partial(&dsa->params, pub_key, ret);
+    return ossl_ffc_validate_public_key_partial(&dsa->params, pub_key, ret)
+           && *ret == 0;
 }
 
 int ossl_dsa_check_priv_key(const DSA *dsa, const BIGNUM *priv_key, int *ret)

+ 3 - 1
libs/openssl/crypto/dsa/dsa_lib.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -176,6 +176,8 @@ static DSA *dsa_new_intern(ENGINE *engine, OSSL_LIB_CTX *libctx)
         goto err;
 #endif
 
+    ossl_ffc_params_init(&ret->params);
+
     if ((ret->meth->init != NULL) && !ret->meth->init(ret)) {
         ERR_raise(ERR_LIB_DSA, ERR_R_INIT_FAIL);
         goto err;

+ 0 - 1
libs/openssl/crypto/dsa/dsa_ossl.c

@@ -441,7 +441,6 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len,
 static int dsa_init(DSA *dsa)
 {
     dsa->flags |= DSA_FLAG_CACHE_MONT_P;
-    ossl_ffc_params_init(&dsa->params);
     dsa->dirty_cnt++;
     return 1;
 }

+ 43 - 1
libs/openssl/crypto/engine/eng_pkey.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -79,6 +79,48 @@ EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
         ERR_raise(ERR_LIB_ENGINE, ENGINE_R_FAILED_LOADING_PRIVATE_KEY);
         return NULL;
     }
+    /* We enforce check for legacy key */
+    switch (EVP_PKEY_get_id(pkey)) {
+    case EVP_PKEY_RSA:
+        {
+        RSA *rsa = EVP_PKEY_get1_RSA(pkey);
+        EVP_PKEY_set1_RSA(pkey, rsa);
+        RSA_free(rsa);
+        }
+        break;
+#  ifndef OPENSSL_NO_EC
+    case EVP_PKEY_SM2:
+    case EVP_PKEY_EC:
+        {
+        EC_KEY *ec = EVP_PKEY_get1_EC_KEY(pkey);
+        EVP_PKEY_set1_EC_KEY(pkey, ec);
+        EC_KEY_free(ec);
+        }
+        break;
+#  endif
+#  ifndef OPENSSL_NO_DSA
+    case EVP_PKEY_DSA:
+        {
+        DSA *dsa = EVP_PKEY_get1_DSA(pkey);
+        EVP_PKEY_set1_DSA(pkey, dsa);
+        DSA_free(dsa);
+        }
+        break;
+#endif
+#  ifndef OPENSSL_NO_DH
+    case EVP_PKEY_DH:
+        {
+        DH *dh = EVP_PKEY_get1_DH(pkey);
+        EVP_PKEY_set1_DH(pkey, dh);
+        DH_free(dh);
+        }
+        break;
+#endif
+    default:
+        /*Do nothing */
+        break;
+    }
+
     return pkey;
 }
 

+ 1 - 0
libs/openssl/crypto/engine/eng_table.c

@@ -97,6 +97,7 @@ int engine_table_register(ENGINE_TABLE **table, ENGINE_CLEANUP_CB *cleanup,
     if (added && !engine_cleanup_add_first(cleanup)) {
         lh_ENGINE_PILE_free(&(*table)->piles);
         *table = NULL;
+        goto end;
     }
     while (num_nids--) {
         tmplate.nid = *nids;

+ 2 - 0
libs/openssl/crypto/err/openssl.txt

@@ -375,6 +375,7 @@ CMS_R_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM:179:\
 CMS_R_UNSUPPORTED_LABEL_SOURCE:193:unsupported label source
 CMS_R_UNSUPPORTED_RECIPIENTINFO_TYPE:155:unsupported recipientinfo type
 CMS_R_UNSUPPORTED_RECIPIENT_TYPE:154:unsupported recipient type
+CMS_R_UNSUPPORTED_SIGNATURE_ALGORITHM:195:unsupported signature algorithm
 CMS_R_UNSUPPORTED_TYPE:156:unsupported type
 CMS_R_UNWRAP_ERROR:157:unwrap error
 CMS_R_UNWRAP_FAILURE:180:unwrap failure
@@ -1127,6 +1128,7 @@ RAND_R_FWRITE_ERROR:123:Error writing file
 RAND_R_GENERATE_ERROR:112:generate error
 RAND_R_INSUFFICIENT_DRBG_STRENGTH:139:insufficient drbg strength
 RAND_R_INTERNAL_ERROR:113:internal error
+RAND_R_INVALID_PROPERTY_QUERY:137:invalid property query
 RAND_R_IN_ERROR_STATE:114:in error state
 RAND_R_NOT_A_REGULAR_FILE:122:Not a regular file
 RAND_R_NOT_INSTANTIATED:115:not instantiated

+ 42 - 1
libs/openssl/crypto/evp/evp_enc.c

@@ -197,7 +197,12 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx,
 #endif
     }
 
-    if (cipher->prov != NULL) {
+    if (!ossl_assert(cipher->prov != NULL)) {
+        ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
+        return 0;
+    }
+
+    if (cipher != ctx->fetched_cipher) {
         if (!EVP_CIPHER_up_ref((EVP_CIPHER *)cipher)) {
             ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
             return 0;
@@ -223,6 +228,42 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx,
             return 0;
     }
 
+#ifndef FIPS_MODULE
+    /*
+     * Fix for CVE-2023-5363
+     * Passing in a size as part of the init call takes effect late
+     * so, force such to occur before the initialisation.
+     *
+     * The FIPS provider's internal library context is used in a manner
+     * such that this is not an issue.
+     */
+    if (params != NULL) {
+        OSSL_PARAM param_lens[3] = { OSSL_PARAM_END, OSSL_PARAM_END,
+                                     OSSL_PARAM_END };
+        OSSL_PARAM *q = param_lens;
+        const OSSL_PARAM *p;
+
+        p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN); 
+        if (p != NULL)
+            memcpy(q++, p, sizeof(*q));
+
+        /*
+         * Note that OSSL_CIPHER_PARAM_AEAD_IVLEN is a synomym for
+         * OSSL_CIPHER_PARAM_IVLEN so both are covered here.
+         */
+        p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_IVLEN);
+        if (p != NULL)
+            memcpy(q++, p, sizeof(*q));
+
+        if (q != param_lens) {
+            if (!EVP_CIPHER_CTX_set_params(ctx, param_lens)) {
+                ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_LENGTH);
+                return 0;
+            }
+        }
+    }
+#endif
+
     if (enc) {
         if (ctx->cipher->einit == NULL) {
             ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);

+ 69 - 1
libs/openssl/crypto/evp/evp_rand.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -47,6 +47,8 @@ struct evp_rand_st {
     OSSL_FUNC_rand_get_ctx_params_fn *get_ctx_params;
     OSSL_FUNC_rand_set_ctx_params_fn *set_ctx_params;
     OSSL_FUNC_rand_verify_zeroization_fn *verify_zeroization;
+    OSSL_FUNC_rand_get_seed_fn *get_seed;
+    OSSL_FUNC_rand_clear_seed_fn *clear_seed;
 } /* EVP_RAND */ ;
 
 static int evp_rand_up_ref(void *vrand)
@@ -236,6 +238,16 @@ static void *evp_rand_from_algorithm(int name_id,
             fnzeroizecnt++;
 #endif
             break;
+        case OSSL_FUNC_RAND_GET_SEED:
+            if (rand->get_seed != NULL)
+                break;
+            rand->get_seed = OSSL_FUNC_rand_get_seed(fns);
+            break;
+        case OSSL_FUNC_RAND_CLEAR_SEED:
+            if (rand->clear_seed != NULL)
+                break;
+            rand->clear_seed = OSSL_FUNC_rand_clear_seed(fns);
+            break;
         }
     }
     /*
@@ -680,3 +692,59 @@ int EVP_RAND_verify_zeroization(EVP_RAND_CTX *ctx)
     evp_rand_unlock(ctx);
     return res;
 }
+
+int evp_rand_can_seed(EVP_RAND_CTX *ctx)
+{
+    return ctx->meth->get_seed != NULL;
+}
+
+static size_t evp_rand_get_seed_locked(EVP_RAND_CTX *ctx,
+                                       unsigned char **buffer,
+                                       int entropy,
+                                       size_t min_len, size_t max_len,
+                                       int prediction_resistance,
+                                       const unsigned char *adin,
+                                       size_t adin_len)
+{
+    if (ctx->meth->get_seed != NULL)
+        return ctx->meth->get_seed(ctx->algctx, buffer,
+                                   entropy, min_len, max_len,
+                                   prediction_resistance,
+                                   adin, adin_len);
+    return 0;
+}
+
+size_t evp_rand_get_seed(EVP_RAND_CTX *ctx,
+                         unsigned char **buffer,
+                         int entropy, size_t min_len, size_t max_len,
+                         int prediction_resistance,
+                         const unsigned char *adin, size_t adin_len)
+{
+    int res;
+
+    if (!evp_rand_lock(ctx))
+        return 0;
+    res = evp_rand_get_seed_locked(ctx,
+                                   buffer,
+                                   entropy, min_len, max_len,
+                                   prediction_resistance,
+                                   adin, adin_len);
+    evp_rand_unlock(ctx);
+    return res;
+}
+
+static void evp_rand_clear_seed_locked(EVP_RAND_CTX *ctx,
+                                       unsigned char *buffer, size_t b_len)
+{
+    if (ctx->meth->clear_seed != NULL)
+        ctx->meth->clear_seed(ctx->algctx, buffer, b_len);
+}
+
+void evp_rand_clear_seed(EVP_RAND_CTX *ctx,
+                         unsigned char *buffer, size_t b_len)
+{
+    if (!evp_rand_lock(ctx))
+        return;
+    evp_rand_clear_seed_locked(ctx, buffer, b_len);
+    evp_rand_unlock(ctx);
+}

+ 6 - 2
libs/openssl/crypto/evp/legacy_sha.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -71,7 +71,11 @@ static int sha1_int_ctrl(EVP_MD_CTX *ctx, int cmd, int p1, void *p2)
 
 static int shake_ctrl(EVP_MD_CTX *evp_ctx, int cmd, int p1, void *p2)
 {
-    KECCAK1600_CTX *ctx = evp_ctx->md_data;
+    KECCAK1600_CTX *ctx;
+
+    if (evp_ctx == NULL)
+        return 0;
+    ctx = evp_ctx->md_data;
 
     switch (cmd) {
     case EVP_MD_CTRL_XOF_LEN:

+ 1 - 1
libs/openssl/crypto/evp/p_lib.c

@@ -1201,7 +1201,7 @@ int EVP_PKEY_print_public(BIO *out, const EVP_PKEY *pkey,
 int EVP_PKEY_print_private(BIO *out, const EVP_PKEY *pkey,
                            int indent, ASN1_PCTX *pctx)
 {
-    return print_pkey(pkey, out, indent, EVP_PKEY_KEYPAIR, NULL,
+    return print_pkey(pkey, out, indent, EVP_PKEY_PRIVATE_KEY, NULL,
                       (pkey->ameth != NULL ? pkey->ameth->priv_print : NULL),
                       pctx);
 }

+ 3 - 2
libs/openssl/crypto/evp/pmeth_lib.c

@@ -251,10 +251,11 @@ static EVP_PKEY_CTX *int_ctx_new(OSSL_LIB_CTX *libctx,
      */
     if (e != NULL)
         pmeth = ENGINE_get_pkey_meth(e, id);
-    else if (pkey != NULL && pkey->foreign)
+    else
+# endif /* OPENSSL_NO_ENGINE */
+    if (pkey != NULL && pkey->foreign)
         pmeth = EVP_PKEY_meth_find(id);
     else
-# endif
         app_pmeth = pmeth = evp_pkey_meth_find_added_by_application(id);
 
     /* END legacy */

+ 2 - 0
libs/openssl/crypto/ex_data.c

@@ -171,6 +171,8 @@ int ossl_crypto_get_ex_new_index_ex(OSSL_LIB_CTX *ctx, int class_index,
          * "app_data" routines use ex_data index zero.  See RT 3710. */
         if (ip->meth == NULL
             || !sk_EX_CALLBACK_push(ip->meth, NULL)) {
+            sk_EX_CALLBACK_free(ip->meth);
+            ip->meth = NULL;
             ERR_raise(ERR_LIB_CRYPTO, ERR_R_MALLOC_FAILURE);
             goto err;
         }

+ 5 - 11
libs/openssl/crypto/ffc/ffc_key_validate.c

@@ -26,7 +26,7 @@ int ossl_ffc_validate_public_key_partial(const FFC_PARAMS *params,
     *ret = 0;
     if (params == NULL || pub_key == NULL || params->p == NULL) {
         *ret = FFC_ERROR_PASSED_NULL_PARAM;
-        return 0;
+        return 1;
     }
 
     ctx = BN_CTX_new_ex(NULL);
@@ -39,18 +39,14 @@ int ossl_ffc_validate_public_key_partial(const FFC_PARAMS *params,
     if (tmp == NULL
         || !BN_set_word(tmp, 1))
         goto err;
-    if (BN_cmp(pub_key, tmp) <= 0) {
+    if (BN_cmp(pub_key, tmp) <= 0)
         *ret |= FFC_ERROR_PUBKEY_TOO_SMALL;
-        goto err;
-    }
     /* Step(1): Verify pub_key <=  p-2 */
     if (BN_copy(tmp, params->p) == NULL
         || !BN_sub_word(tmp, 1))
         goto err;
-    if (BN_cmp(pub_key, tmp) >= 0) {
+    if (BN_cmp(pub_key, tmp) >= 0)
         *ret |= FFC_ERROR_PUBKEY_TOO_LARGE;
-        goto err;
-    }
     ok = 1;
  err:
     if (ctx != NULL) {
@@ -73,7 +69,7 @@ int ossl_ffc_validate_public_key(const FFC_PARAMS *params,
     if (!ossl_ffc_validate_public_key_partial(params, pub_key, ret))
         return 0;
 
-    if (params->q != NULL) {
+    if (*ret == 0 && params->q != NULL) {
         ctx = BN_CTX_new_ex(NULL);
         if (ctx == NULL)
             goto err;
@@ -84,10 +80,8 @@ int ossl_ffc_validate_public_key(const FFC_PARAMS *params,
         if (tmp == NULL
             || !BN_mod_exp(tmp, pub_key, params->q, params->p, ctx))
             goto err;
-        if (!BN_is_one(tmp)) {
+        if (!BN_is_one(tmp))
             *ret |= FFC_ERROR_PUBKEY_INVALID;
-            goto err;
-        }
     }
 
     ok = 1;

+ 22 - 4
libs/openssl/crypto/initthread.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -249,6 +249,15 @@ void ossl_ctx_thread_stop(OSSL_LIB_CTX *ctx)
 
 #else
 
+static void ossl_arg_thread_stop(void *arg);
+
+/* Register the current thread so that we are informed if it gets stopped */
+int ossl_thread_register_fips(OSSL_LIB_CTX *libctx)
+{
+    return c_thread_start(FIPS_get_core_handle(libctx), ossl_arg_thread_stop,
+                          libctx);
+}
+
 void *ossl_thread_event_ctx_new(OSSL_LIB_CTX *libctx)
 {
     THREAD_EVENT_HANDLER **hands = NULL;
@@ -257,7 +266,7 @@ void *ossl_thread_event_ctx_new(OSSL_LIB_CTX *libctx)
     if (tlocal == NULL)
         return NULL;
 
-    if (!CRYPTO_THREAD_init_local(tlocal,  NULL)) {
+    if (!CRYPTO_THREAD_init_local(tlocal, NULL)) {
         goto err;
     }
 
@@ -268,6 +277,16 @@ void *ossl_thread_event_ctx_new(OSSL_LIB_CTX *libctx)
     if (!CRYPTO_THREAD_set_local(tlocal, hands))
         goto err;
 
+    /*
+     * We should ideally call ossl_thread_register_fips() here. This function
+     * is called during the startup of the FIPS provider and we need to ensure
+     * that the main thread is registered to receive thread callbacks in order
+     * to free |hands| that we allocated above. However we are too early in
+     * the FIPS provider initialisation that FIPS_get_core_handle() doesn't work
+     * yet. So we defer this to the main provider OSSL_provider_init_int()
+     * function.
+     */
+
     return tlocal;
  err:
     OPENSSL_free(hands);
@@ -379,8 +398,7 @@ int ossl_init_thread_start(const void *index, void *arg,
          * libcrypto to tell us about later thread stop events. c_thread_start
          * is a callback to libcrypto defined in fipsprov.c
          */
-        if (!c_thread_start(FIPS_get_core_handle(ctx), ossl_arg_thread_stop,
-                            ctx))
+        if (!ossl_thread_register_fips(ctx))
             return 0;
     }
 #endif

+ 3 - 3
libs/openssl/crypto/lhash/lhash.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -266,12 +266,12 @@ static void contract(OPENSSL_LHASH *lh)
         if (n == NULL) {
             /* fputs("realloc error in lhash",stderr); */
             lh->error++;
-            return;
+        } else {
+            lh->b = n;
         }
         lh->num_alloc_nodes /= 2;
         lh->pmax /= 2;
         lh->p = lh->pmax - 1;
-        lh->b = n;
     } else
         lh->p--;
 

+ 9 - 3
libs/openssl/crypto/mem.c

@@ -100,6 +100,9 @@ void CRYPTO_get_alloc_counts(int *mcount, int *rcount, int *fcount)
  *    or    100;100@25;0
  * This means 100 mallocs succeed, then next 100 fail 25% of the time, and
  * all remaining (count is zero) succeed.
+ * The failure percentge can have 2 digits after the comma.  For example:
+ *          [email protected]
+ * This means 0.01% of all allocations will fail.
  */
 static void parseit(void)
 {
@@ -112,26 +115,27 @@ static void parseit(void)
     /* Get the count (atol will stop at the @ if there), and percentage */
     md_count = atol(md_failstring);
     atsign = strchr(md_failstring, '@');
-    md_fail_percent = atsign == NULL ? 0 : atoi(atsign + 1);
+    md_fail_percent = atsign == NULL ? 0 : (int)(atof(atsign + 1) * 100 + 0.5);
 
     if (semi != NULL)
         md_failstring = semi;
 }
 
 /*
- * Windows doesn't have random(), but it has rand()
+ * Windows doesn't have random() and srandom(), but it has rand() and srand().
  * Some rand() implementations aren't good, but we're not
  * dealing with secure randomness here.
  */
 # ifdef _WIN32
 #  define random() rand()
+#  define srandom(seed) srand(seed)
 # endif
 /*
  * See if the current malloc should fail.
  */
 static int shouldfail(void)
 {
-    int roll = (int)(random() % 100);
+    int roll = (int)(random() % 10000);
     int shoulditfail = roll < md_fail_percent;
 # ifndef _WIN32
 /* suppressed on Windows as POSIX-like file descriptors are non-inheritable */
@@ -165,6 +169,8 @@ void ossl_malloc_setup_failures(void)
         parseit();
     if ((cp = getenv("OPENSSL_MALLOC_FD")) != NULL)
         md_tracefd = atoi(cp);
+    if ((cp = getenv("OPENSSL_MALLOC_SEED")) != NULL)
+        srandom(atoi(cp));
 }
 #endif
 

+ 32 - 10
libs/openssl/crypto/objects/obj_dat.c

@@ -229,19 +229,19 @@ void ossl_obj_cleanup_int(void)
     objs_free_locks();
 }
 
-int OBJ_new_nid(int num)
+/*
+ * Requires that the ossl_obj_lock be held
+ * if TSAN_REQUIRES_LOCKING defined
+ */
+static int obj_new_nid_unlocked(int num)
 {
 #ifdef OBJ_USE_LOCK_FOR_NEW_NID
     static int new_nid = NUM_NID;
     int i;
 
-    if (!CRYPTO_THREAD_write_lock(ossl_obj_nid_lock)) {
-        ERR_raise(ERR_LIB_OBJ, ERR_R_UNABLE_TO_GET_WRITE_LOCK);
-        return NID_undef;
-    }
     i = new_nid;
     new_nid += num;
-    CRYPTO_THREAD_unlock(ossl_obj_nid_lock);
+
     return i;
 #else
     static TSAN_QUALIFIER int new_nid = NUM_NID;
@@ -250,6 +250,26 @@ int OBJ_new_nid(int num)
 #endif
 }
 
+int OBJ_new_nid(int num)
+{
+#ifdef TSAN_REQUIRES_LOCKING
+    int i;
+
+    if (!ossl_obj_write_lock(1)) {
+        ERR_raise(ERR_LIB_OBJ, ERR_R_UNABLE_TO_GET_WRITE_LOCK);
+        return NID_undef;
+    }
+
+    i = obj_new_nid_unlocked(num);
+
+    ossl_obj_unlock(1);
+
+    return i;
+#else
+    return obj_new_nid_unlocked(num);
+#endif
+}
+
 static int ossl_obj_add_object(const ASN1_OBJECT *obj, int lock)
 {
     ASN1_OBJECT *o = NULL;
@@ -687,13 +707,14 @@ const void *OBJ_bsearch_ex_(const void *key, const void *base, int num,
     if (p == NULL) {
         const char *base_ = base;
         int l, h, i = 0, c = 0;
+        char *p1;
 
         for (i = 0; i < num; ++i) {
-            p = &(base_[i * size]);
-            c = (*cmp) (key, p);
+            p1 = &(base_[i * size]);
+            c = (*cmp) (key, p1);
             if (c == 0
                 || (c < 0 && (flags & OBJ_BSEARCH_VALUE_ON_NOMATCH)))
-                return p;
+                return p1;
         }
     }
 #endif
@@ -782,7 +803,8 @@ int OBJ_create(const char *oid, const char *sn, const char *ln)
         goto err;
     }
 
-    tmpoid->nid = OBJ_new_nid(1);
+    tmpoid->nid = obj_new_nid_unlocked(1);
+
     if (tmpoid->nid == NID_undef)
         goto err;
 

+ 7 - 6
libs/openssl/crypto/param_build_set.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -101,21 +101,22 @@ int ossl_param_build_set_multi_key_bn(OSSL_PARAM_BLD *bld, OSSL_PARAM *params,
 {
     int i, sz = sk_BIGNUM_const_num(stk);
     OSSL_PARAM *p;
-
+    const BIGNUM *bn;
 
     if (bld != NULL) {
         for (i = 0; i < sz && names[i] != NULL; ++i) {
-            if (!OSSL_PARAM_BLD_push_BN(bld, names[i],
-                                        sk_BIGNUM_const_value(stk, i)))
+            bn = sk_BIGNUM_const_value(stk, i);
+            if (bn != NULL && !OSSL_PARAM_BLD_push_BN(bld, names[i], bn))
                 return 0;
         }
         return 1;
     }
 
     for (i = 0; i < sz && names[i] != NULL; ++i) {
+        bn = sk_BIGNUM_const_value(stk, i);
         p = OSSL_PARAM_locate(params, names[i]);
-        if (p != NULL) {
-            if (!OSSL_PARAM_set_BN(p, sk_BIGNUM_const_value(stk, i)))
+        if (p != NULL && bn != NULL) {
+            if (!OSSL_PARAM_set_BN(p, bn))
                 return 0;
         }
     }

+ 30 - 4
libs/openssl/crypto/property/property_parse.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2019, Oracle and/or its affiliates.  All rights reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -588,15 +588,38 @@ static void put_char(char ch, char **buf, size_t *remain, size_t *needed)
 
 static void put_str(const char *str, char **buf, size_t *remain, size_t *needed)
 {
-    size_t olen, len;
+    size_t olen, len, i;
+    char quote = '\0';
+    int quotes;
 
     len = olen = strlen(str);
     *needed += len;
 
-    if (*remain == 0)
+    /*
+     * Check to see if we need quotes or not.
+     * Characters that are legal in a PropertyName don't need quoting.
+     * We simply assume all others require quotes.
+     */
+    for (i = 0; i < len; i++)
+        if (!ossl_isalnum(str[i]) && str[i] != '.' && str[i] != '_') {
+            /* Default to single quotes ... */
+            if (quote == '\0')
+                quote = '\'';
+            /* ... but use double quotes if a single is present */
+            if (str[i] == '\'')
+                quote = '"';
+        }
+
+    quotes = quote != '\0';
+    if (*remain == 0) {
+        *needed += 2 * quotes;
         return;
+    }
 
-    if (*remain < len + 1)
+    if (quotes)
+        put_char(quote, buf, remain, needed);
+
+    if (*remain < len + 1 + quotes)
         len = *remain - 1;
 
     if (len > 0) {
@@ -605,6 +628,9 @@ static void put_str(const char *str, char **buf, size_t *remain, size_t *needed)
         *remain -= len;
     }
 
+    if (quotes)
+        put_char(quote, buf, remain, needed);
+
     if (len < olen && *remain == 1) {
         **buf = '\0';
         ++*buf;

+ 78 - 8
libs/openssl/crypto/provider_core.c

@@ -1854,10 +1854,14 @@ OSSL_FUNC_BIO_free_fn ossl_core_bio_free;
 OSSL_FUNC_BIO_vprintf_fn ossl_core_bio_vprintf;
 OSSL_FUNC_BIO_vsnprintf_fn BIO_vsnprintf;
 static OSSL_FUNC_self_test_cb_fn core_self_test_get_callback;
-OSSL_FUNC_get_entropy_fn ossl_rand_get_entropy;
-OSSL_FUNC_cleanup_entropy_fn ossl_rand_cleanup_entropy;
-OSSL_FUNC_get_nonce_fn ossl_rand_get_nonce;
-OSSL_FUNC_cleanup_nonce_fn ossl_rand_cleanup_nonce;
+static OSSL_FUNC_get_entropy_fn rand_get_entropy;
+static OSSL_FUNC_get_user_entropy_fn rand_get_user_entropy;
+static OSSL_FUNC_cleanup_entropy_fn rand_cleanup_entropy;
+static OSSL_FUNC_cleanup_user_entropy_fn rand_cleanup_user_entropy;
+static OSSL_FUNC_get_nonce_fn rand_get_nonce;
+static OSSL_FUNC_get_user_nonce_fn rand_get_user_nonce;
+static OSSL_FUNC_cleanup_nonce_fn rand_cleanup_nonce;
+static OSSL_FUNC_cleanup_user_nonce_fn rand_cleanup_user_nonce;
 #endif
 OSSL_FUNC_CRYPTO_malloc_fn CRYPTO_malloc;
 OSSL_FUNC_CRYPTO_zalloc_fn CRYPTO_zalloc;
@@ -2018,6 +2022,68 @@ static void core_self_test_get_callback(OPENSSL_CORE_CTX *libctx,
     OSSL_SELF_TEST_get_callback((OSSL_LIB_CTX *)libctx, cb, cbarg);
 }
 
+static size_t rand_get_entropy(const OSSL_CORE_HANDLE *handle,
+                               unsigned char **pout, int entropy,
+                               size_t min_len, size_t max_len)
+{
+    return ossl_rand_get_entropy((OSSL_LIB_CTX *)core_get_libctx(handle),
+                                 pout, entropy, min_len, max_len);
+}
+
+static size_t rand_get_user_entropy(const OSSL_CORE_HANDLE *handle,
+                                    unsigned char **pout, int entropy,
+                                    size_t min_len, size_t max_len)
+{
+    return ossl_rand_get_user_entropy((OSSL_LIB_CTX *)core_get_libctx(handle),
+                                      pout, entropy, min_len, max_len);
+}
+
+static void rand_cleanup_entropy(const OSSL_CORE_HANDLE *handle,
+                                 unsigned char *buf, size_t len)
+{
+    ossl_rand_cleanup_entropy((OSSL_LIB_CTX *)core_get_libctx(handle),
+                              buf, len);
+}
+
+static void rand_cleanup_user_entropy(const OSSL_CORE_HANDLE *handle,
+                                      unsigned char *buf, size_t len)
+{
+    ossl_rand_cleanup_user_entropy((OSSL_LIB_CTX *)core_get_libctx(handle),
+                                   buf, len);
+}
+
+static size_t rand_get_nonce(const OSSL_CORE_HANDLE *handle,
+                             unsigned char **pout,
+                             size_t min_len, size_t max_len,
+                             const void *salt, size_t salt_len)
+{
+    return ossl_rand_get_nonce((OSSL_LIB_CTX *)core_get_libctx(handle),
+                               pout, min_len, max_len, salt, salt_len);
+}
+
+static size_t rand_get_user_nonce(const OSSL_CORE_HANDLE *handle,
+                                  unsigned char **pout,
+                                  size_t min_len, size_t max_len,
+                                  const void *salt, size_t salt_len)
+{
+    return ossl_rand_get_user_nonce((OSSL_LIB_CTX *)core_get_libctx(handle),
+                                    pout, min_len, max_len, salt, salt_len);
+}
+
+static void rand_cleanup_nonce(const OSSL_CORE_HANDLE *handle,
+                               unsigned char *buf, size_t len)
+{
+    ossl_rand_cleanup_nonce((OSSL_LIB_CTX *)core_get_libctx(handle),
+                            buf, len);
+}
+
+static void rand_cleanup_user_nonce(const OSSL_CORE_HANDLE *handle,
+                               unsigned char *buf, size_t len)
+{
+    ossl_rand_cleanup_user_nonce((OSSL_LIB_CTX *)core_get_libctx(handle),
+                                 buf, len);
+}
+
 static const char *core_provider_get0_name(const OSSL_CORE_HANDLE *prov)
 {
     return OSSL_PROVIDER_get0_name((const OSSL_PROVIDER *)prov);
@@ -2111,10 +2177,14 @@ static const OSSL_DISPATCH core_dispatch_[] = {
     { OSSL_FUNC_BIO_VPRINTF, (void (*)(void))ossl_core_bio_vprintf },
     { OSSL_FUNC_BIO_VSNPRINTF, (void (*)(void))BIO_vsnprintf },
     { OSSL_FUNC_SELF_TEST_CB, (void (*)(void))core_self_test_get_callback },
-    { OSSL_FUNC_GET_ENTROPY, (void (*)(void))ossl_rand_get_entropy },
-    { OSSL_FUNC_CLEANUP_ENTROPY, (void (*)(void))ossl_rand_cleanup_entropy },
-    { OSSL_FUNC_GET_NONCE, (void (*)(void))ossl_rand_get_nonce },
-    { OSSL_FUNC_CLEANUP_NONCE, (void (*)(void))ossl_rand_cleanup_nonce },
+    { OSSL_FUNC_GET_ENTROPY, (void (*)(void))rand_get_entropy },
+    { OSSL_FUNC_GET_USER_ENTROPY, (void (*)(void))rand_get_user_entropy },
+    { OSSL_FUNC_CLEANUP_ENTROPY, (void (*)(void))rand_cleanup_entropy },
+    { OSSL_FUNC_CLEANUP_USER_ENTROPY, (void (*)(void))rand_cleanup_user_entropy },
+    { OSSL_FUNC_GET_NONCE, (void (*)(void))rand_get_nonce },
+    { OSSL_FUNC_GET_USER_NONCE, (void (*)(void))rand_get_user_nonce },
+    { OSSL_FUNC_CLEANUP_NONCE, (void (*)(void))rand_cleanup_nonce },
+    { OSSL_FUNC_CLEANUP_USER_NONCE, (void (*)(void))rand_cleanup_user_nonce },
 #endif
     { OSSL_FUNC_CRYPTO_MALLOC, (void (*)(void))CRYPTO_malloc },
     { OSSL_FUNC_CRYPTO_ZALLOC, (void (*)(void))CRYPTO_zalloc },

+ 62 - 6
libs/openssl/crypto/rand/prov_seed.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -7,12 +7,15 @@
  * https://www.openssl.org/source/license.html
  */
 
+#include "rand_local.h"
+#include "crypto/evp.h"
 #include "crypto/rand.h"
 #include "crypto/rand_pool.h"
+#include "internal/core.h"
 #include <openssl/core_dispatch.h>
 #include <openssl/err.h>
 
-size_t ossl_rand_get_entropy(ossl_unused const OSSL_CORE_HANDLE *handle,
+size_t ossl_rand_get_entropy(ossl_unused OSSL_LIB_CTX *ctx,
                              unsigned char **pout, int entropy,
                              size_t min_len, size_t max_len)
 {
@@ -38,14 +41,39 @@ size_t ossl_rand_get_entropy(ossl_unused const OSSL_CORE_HANDLE *handle,
     return ret;
 }
 
-void ossl_rand_cleanup_entropy(ossl_unused const OSSL_CORE_HANDLE *handle,
+size_t ossl_rand_get_user_entropy(OSSL_LIB_CTX *ctx,
+                                  unsigned char **pout, int entropy,
+                                  size_t min_len, size_t max_len)
+{
+    EVP_RAND_CTX *rng = ossl_rand_get0_seed_noncreating(ctx);
+
+    if (rng != NULL && evp_rand_can_seed(rng))
+        return evp_rand_get_seed(rng, pout, entropy, min_len, max_len,
+                                 0, NULL, 0);
+    else
+        return ossl_rand_get_entropy(ctx, pout, entropy, min_len, max_len);
+}
+
+void ossl_rand_cleanup_entropy(ossl_unused OSSL_LIB_CTX *ctx,
                                unsigned char *buf, size_t len)
 {
     OPENSSL_secure_clear_free(buf, len);
 }
 
-size_t ossl_rand_get_nonce(ossl_unused const OSSL_CORE_HANDLE *handle,
-                           unsigned char **pout, size_t min_len, size_t max_len,
+void ossl_rand_cleanup_user_entropy(OSSL_LIB_CTX *ctx,
+                                    unsigned char *buf, size_t len)
+{
+    EVP_RAND_CTX *rng = ossl_rand_get0_seed_noncreating(ctx);
+
+    if (rng != NULL && evp_rand_can_seed(rng))
+        evp_rand_clear_seed(rng, buf, len);
+    else
+        OPENSSL_secure_clear_free(buf, len);
+}
+
+size_t ossl_rand_get_nonce(ossl_unused OSSL_LIB_CTX *ctx,
+                           unsigned char **pout,
+                           size_t min_len, ossl_unused size_t max_len,
                            const void *salt, size_t salt_len)
 {
     size_t ret = 0;
@@ -69,8 +97,36 @@ size_t ossl_rand_get_nonce(ossl_unused const OSSL_CORE_HANDLE *handle,
     return ret;
 }
 
-void ossl_rand_cleanup_nonce(ossl_unused const OSSL_CORE_HANDLE *handle,
+size_t ossl_rand_get_user_nonce(OSSL_LIB_CTX *ctx,
+                                unsigned char **pout,
+                                size_t min_len, size_t max_len,
+                                const void *salt, size_t salt_len)
+{
+    unsigned char *buf;
+    EVP_RAND_CTX *rng = ossl_rand_get0_seed_noncreating(ctx);
+
+    if (rng == NULL)
+        return ossl_rand_get_nonce(ctx, pout, min_len, max_len, salt, salt_len);
+
+    if ((buf = OPENSSL_malloc(min_len)) == NULL)
+        return 0;
+
+    if (!EVP_RAND_generate(rng, buf, min_len, 0, 0, salt, salt_len)) {
+        OPENSSL_free(buf);
+        return 0;
+    }
+    *pout = buf;
+    return min_len;
+}
+
+void ossl_rand_cleanup_nonce(ossl_unused OSSL_LIB_CTX *ctx,
                              unsigned char *buf, size_t len)
 {
     OPENSSL_clear_free(buf, len);
 }
+
+void ossl_rand_cleanup_user_nonce(ossl_unused OSSL_LIB_CTX *ctx,
+                                  unsigned char *buf, size_t len)
+{
+    OPENSSL_clear_free(buf, len);
+}

+ 3 - 1
libs/openssl/crypto/rand/rand_err.c

@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -51,6 +51,8 @@ static const ERR_STRING_DATA RAND_str_reasons[] = {
     {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_INSUFFICIENT_DRBG_STRENGTH),
     "insufficient drbg strength"},
     {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_INTERNAL_ERROR), "internal error"},
+    {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_INVALID_PROPERTY_QUERY),
+    "invalid property query"},
     {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_IN_ERROR_STATE), "in error state"},
     {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_NOT_A_REGULAR_FILE),
     "Not a regular file"},

+ 97 - 9
libs/openssl/crypto/rand/rand_lib.c

@@ -30,6 +30,7 @@
 # include "crypto/rand_pool.h"
 # include "prov/seeding.h"
 # include "internal/e_os.h"
+# include "internal/property.h"
 
 # ifndef OPENSSL_NO_ENGINE
 /* non-NULL if default_RAND_meth is ENGINE-provided */
@@ -527,29 +528,104 @@ static EVP_RAND_CTX *rand_new_seed(OSSL_LIB_CTX *libctx)
 {
     EVP_RAND *rand;
     RAND_GLOBAL *dgbl = rand_get_global(libctx);
-    EVP_RAND_CTX *ctx;
-    char *name;
+    EVP_RAND_CTX *ctx = NULL;
+    const char *propq;
+    char *name, *props = NULL;
+    size_t props_len;
+    OSSL_PROPERTY_LIST *pl1, *pl2, *pl3 = NULL;
 
     if (dgbl == NULL)
         return NULL;
-    name = dgbl->seed_name != NULL ? dgbl->seed_name : "SEED-SRC";
-    rand = EVP_RAND_fetch(libctx, name, dgbl->seed_propq);
+    propq = dgbl->seed_propq;
+    if (dgbl->seed_name != NULL) {
+        name = dgbl->seed_name;
+    } else {
+        /*
+         * Default to our internal seed source.  This isn't part of the FIPS
+         * provider so we need to override any FIPS properties.
+         */
+        if (propq == NULL || *propq == '\0') {
+            propq = "-fips";
+        } else {
+            pl1 = ossl_parse_query(libctx, propq, 1);
+            if (pl1 == NULL) {
+                ERR_raise(ERR_LIB_RAND, RAND_R_INVALID_PROPERTY_QUERY);
+                return NULL;
+            }
+            pl2 = ossl_parse_query(libctx, "-fips", 1);
+            if (pl2 == NULL) {
+                ossl_property_free(pl1);
+                ERR_raise(ERR_LIB_RAND, ERR_R_INTERNAL_ERROR);
+                return NULL;
+            }
+            pl3 = ossl_property_merge(pl2, pl1);
+            ossl_property_free(pl1);
+            ossl_property_free(pl2);
+            if (pl3 == NULL) {
+                ERR_raise(ERR_LIB_RAND, ERR_R_INTERNAL_ERROR);
+                return NULL;
+            }
+            props_len = ossl_property_list_to_string(libctx, pl3, NULL, 0);
+            if (props_len == 0) {
+                /* Shouldn't happen since we added a query element */
+                ERR_raise(ERR_LIB_RAND, ERR_R_INTERNAL_ERROR);
+                goto err;
+            } else {
+                props = OPENSSL_malloc(props_len);
+                if (props == NULL) {
+                    ERR_raise(ERR_LIB_RAND, ERR_R_MALLOC_FAILURE);
+                    goto err;
+                }
+                if (ossl_property_list_to_string(libctx, pl3,
+                                                 props, props_len) == 0) {
+                    ERR_raise(ERR_LIB_RAND, ERR_R_INTERNAL_ERROR);
+                    goto err;
+                }
+                ossl_property_free(pl3);
+                pl3 = NULL;
+                propq = props;
+            }
+        }
+        name = "SEED-SRC";
+    }
+
+    rand = EVP_RAND_fetch(libctx, name, propq);
     if (rand == NULL) {
         ERR_raise(ERR_LIB_RAND, RAND_R_UNABLE_TO_FETCH_DRBG);
-        return NULL;
+        goto err;
     }
     ctx = EVP_RAND_CTX_new(rand, NULL);
     EVP_RAND_free(rand);
     if (ctx == NULL) {
         ERR_raise(ERR_LIB_RAND, RAND_R_UNABLE_TO_CREATE_DRBG);
-        return NULL;
+        goto err;
     }
     if (!EVP_RAND_instantiate(ctx, 0, 0, NULL, 0, NULL)) {
         ERR_raise(ERR_LIB_RAND, RAND_R_ERROR_INSTANTIATING_DRBG);
-        EVP_RAND_CTX_free(ctx);
-        return NULL;
+        goto err;
     }
+    OPENSSL_free(props);
     return ctx;
+ err:
+    EVP_RAND_CTX_free(ctx);
+    ossl_property_free(pl3);
+    OPENSSL_free(props);
+    return NULL;
+}
+
+EVP_RAND_CTX *ossl_rand_get0_seed_noncreating(OSSL_LIB_CTX *ctx)
+{
+    RAND_GLOBAL *dgbl = rand_get_global(ctx);
+    EVP_RAND_CTX *ret;
+
+    if (dgbl == NULL)
+        return NULL;
+
+    if (!CRYPTO_THREAD_read_lock(dgbl->lock))
+        return NULL;
+    ret = dgbl->seed;
+    CRYPTO_THREAD_unlock(dgbl->lock);
+    return ret;
 }
 #endif
 
@@ -727,6 +803,18 @@ EVP_RAND_CTX *RAND_get0_private(OSSL_LIB_CTX *ctx)
     return rand;
 }
 
+#ifdef FIPS_MODULE
+EVP_RAND_CTX *ossl_rand_get0_private_noncreating(OSSL_LIB_CTX *ctx)
+{
+    RAND_GLOBAL *dgbl = rand_get_global(ctx);
+
+    if (dgbl == NULL)
+        return NULL;
+
+    return CRYPTO_THREAD_get_local(&dgbl->private);
+}
+#endif
+
 int RAND_set0_public(OSSL_LIB_CTX *ctx, EVP_RAND_CTX *rand)
 {
     RAND_GLOBAL *dgbl = rand_get_global(ctx);
@@ -861,7 +949,7 @@ int RAND_set_seed_source_type(OSSL_LIB_CTX *ctx, const char *seed,
 
     if (dgbl == NULL)
         return 0;
-    if (dgbl->primary != NULL) {
+    if (dgbl->seed != NULL) {
         ERR_raise(ERR_LIB_CRYPTO, RAND_R_ALREADY_INSTANTIATED);
         return 0;
     }

+ 6 - 2
libs/openssl/crypto/rand/rand_pool.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -257,7 +257,11 @@ size_t ossl_rand_pool_bytes_needed(RAND_POOL *pool, unsigned int entropy_factor)
 
     if (bytes_needed > pool->max_len - pool->len) {
         /* not enough space left */
-        ERR_raise(ERR_LIB_RAND, RAND_R_RANDOM_POOL_OVERFLOW);
+        ERR_raise_data(ERR_LIB_RAND, RAND_R_RANDOM_POOL_OVERFLOW,
+                       "entropy_factor=%u, entropy_needed=%zu, bytes_needed=%zu,"
+                       "pool->max_len=%zu, pool->len=%zu",
+                       entropy_factor, entropy_needed, bytes_needed,
+                       pool->max_len, pool->len);
         return 0;
     }
 

+ 1 - 13
libs/openssl/crypto/rsa/rsa_backend.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -141,18 +141,6 @@ int ossl_rsa_todata(RSA *rsa, OSSL_PARAM_BLD *bld, OSSL_PARAM params[],
 
     /* Check private key data integrity */
     if (include_private && rsa_d != NULL) {
-        int numprimes = sk_BIGNUM_const_num(factors);
-        int numexps = sk_BIGNUM_const_num(exps);
-        int numcoeffs = sk_BIGNUM_const_num(coeffs);
-
-        /*
-         * It's permissible to have zero primes, i.e. no CRT params.
-         * Otherwise, there must be at least two, as many exponents,
-         * and one coefficient less.
-         */
-        if (numprimes != 0
-            && (numprimes < 2 || numexps < 2 || numcoeffs < 1))
-            goto err;
 
         if (!ossl_param_build_set_bn(bld, params, OSSL_PKEY_PARAM_RSA_D,
                                      rsa_d)

+ 23 - 9
libs/openssl/crypto/rsa/rsa_lib.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -753,18 +753,22 @@ int ossl_rsa_set0_all_params(RSA *r, const STACK_OF(BIGNUM) *primes,
         return 0;
 
     pnum = sk_BIGNUM_num(primes);
-    if (pnum < 2
-        || pnum != sk_BIGNUM_num(exps)
-        || pnum != sk_BIGNUM_num(coeffs) + 1)
+    if (pnum < 2)
         return 0;
 
     if (!RSA_set0_factors(r, sk_BIGNUM_value(primes, 0),
-                          sk_BIGNUM_value(primes, 1))
-        || !RSA_set0_crt_params(r, sk_BIGNUM_value(exps, 0),
-                                sk_BIGNUM_value(exps, 1),
-                                sk_BIGNUM_value(coeffs, 0)))
+                          sk_BIGNUM_value(primes, 1)))
         return 0;
 
+    if (pnum == sk_BIGNUM_num(exps)
+        && pnum == sk_BIGNUM_num(coeffs) + 1) {
+
+        if (!RSA_set0_crt_params(r, sk_BIGNUM_value(exps, 0),
+                                 sk_BIGNUM_value(exps, 1),
+                                 sk_BIGNUM_value(coeffs, 0)))
+        return 0;
+    }
+
 #ifndef FIPS_MODULE
     old_infos = r->prime_infos;
 #endif
@@ -1084,6 +1088,12 @@ int EVP_PKEY_CTX_get_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD **md)
 int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, void *label, int llen)
 {
     OSSL_PARAM rsa_params[2], *p = rsa_params;
+    const char *empty = "";
+    /*
+     * Needed as we swap label with empty if it is NULL, and label is
+     * freed at the end of this function.
+     */
+    void *plabel = label;
     int ret;
 
     if (ctx == NULL || !EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)) {
@@ -1096,9 +1106,13 @@ int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, void *label, int llen)
     if (!EVP_PKEY_CTX_is_a(ctx, "RSA"))
         return -1;
 
+    /* Accept NULL for backward compatibility */
+    if (label == NULL && llen == 0)
+        plabel = (void *)empty;
+
     /* Cast away the const. This is read only so should be safe */
     *p++ = OSSL_PARAM_construct_octet_string(OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL,
-                                             (void *)label, (size_t)llen);
+                                             (void *)plabel, (size_t)llen);
     *p++ = OSSL_PARAM_construct_end();
 
     ret = evp_pkey_ctx_set_params_strict(ctx, rsa_params);

+ 48 - 10
libs/openssl/doc/internal/man3/ossl_rand_get_entropy.pod

@@ -2,8 +2,10 @@
 
 =head1 NAME
 
-ossl_rand_get_entropy, ossl_rand_cleanup_entropy,
-ossl_rand_get_nonce, ossl_rand_cleanup_nonce
+ossl_rand_get_entropy, ossl_rand_get_user_entropy,
+ossl_rand_cleanup_entropy, ossl_rand_cleanup_user_entropy,
+ossl_rand_get_nonce, ossl_rand_get_user_nonce,
+ossl_rand_cleanup_nonce, ossl_rand_cleanup_user_nonce
 - get seed material from the operating system
 
 =head1 SYNOPSIS
@@ -13,13 +15,23 @@ ossl_rand_get_nonce, ossl_rand_cleanup_nonce
  size_t ossl_rand_get_entropy(OSSL_CORE_HANDLE *handle,
                               unsigned char **pout, int entropy,
                               size_t min_len, size_t max_len);
+ size_t ossl_rand_get_user_entropy(OSSL_CORE_HANDLE *handle,
+                                   unsigned char **pout, int entropy,
+                                   size_t min_len, size_t max_len);
  void ossl_rand_cleanup_entropy(OSSL_CORE_HANDLE *handle,
                                 unsigned char *buf, size_t len);
+ void ossl_rand_cleanup_user_entropy(OSSL_CORE_HANDLE *handle,
+                                     unsigned char *buf, size_t len);
  size_t ossl_rand_get_nonce(OSSL_CORE_HANDLE *handle,
                             unsigned char **pout, size_t min_len,
                             size_t max_len, const void *salt, size_t salt_len);
+ size_t ossl_rand_get_user_nonce(OSSL_CORE_HANDLE *handle, unsigned char **pout,
+                                 size_t min_len, size_t max_len,
+                                 const void *salt, size_t salt_len);
  void ossl_rand_cleanup_nonce(OSSL_CORE_HANDLE *handle,
                               unsigned char *buf, size_t len);
+ void ossl_rand_cleanup_user_nonce(OSSL_CORE_HANDLE *handle,
+                                   unsigned char *buf, size_t len);
 
 =head1 DESCRIPTION
 
@@ -29,9 +41,18 @@ stored in a buffer which contains at least I<min_len> and at most I<max_len>
 bytes.  The buffer address is stored in I<*pout> and the buffer length is
 returned to the caller.
 
+ossl_rand_get_user_entropy() is the same as ossl_rand_get_entropy()
+except that it retrieves the seeding material from the library context's
+DRBG seed source.  By default this is the operating system but it can
+be changed by calling L<RAND_set_seed_source_type(3)>.
+
 ossl_rand_cleanup_entropy() cleanses and frees any storage allocated by
-ossl_rand_get_entropy().  The seeding buffer is pointed to by I<buf> and is
-of length I<len> bytes.
+ossl_rand_get_entropy().  The entropy buffer is pointed to by I<buf>
+and is of length I<len> bytes.
+
+ossl_rand_cleanup_user_entropy() cleanses and frees any storage allocated by
+ossl_rand_get_user_entropy().  The entropy buffer is pointed to by I<buf>
+and is of length I<len> bytes.
 
 ossl_rand_get_nonce() retrieves a nonce using the passed I<salt> parameter
 of length I<salt_len> and operating system specific information.
@@ -41,22 +62,39 @@ The output is stored in a buffer which contains at least I<min_len> and at
 most I<max_len> bytes.  The buffer address is stored in I<*pout> and the
 buffer length returned to the caller.
 
+ossl_rand_get_user_nonce() is the same as ossl_rand_get_nonce() except
+that it retrieves the seeding material from the library context's DRBG
+seed source.  By default this is the operating system but it can be
+changed by calling L<RAND_set_seed_source_type(3)>.
+
 ossl_rand_cleanup_nonce() cleanses and frees any storage allocated by
-ossl_rand_get_nonce().  The nonce buffer is pointed to by I<buf> and is
-of length I<len> bytes.
+ossl_rand_get_nonce() or ossl_rand_get_user_nonce().  The nonce buffer
+is pointed to by I<buf> and is of length I<len> bytes.
+
+=head1 NOTES
+
+FIPS providers 3.0.0, 3.0.8 and 3.0.9 incorrectly pass a provider
+internal pointer to ossl_rand_get_entropy(), ossl_rand_cleanup_entropy(),
+ossl_rand_get_nonce() and ossl_rand_cleanup_nonce().  This pointer cannot
+be safely dereferenced.
 
 =head1 RETURN VALUES
 
-ossl_rand_get_entropy() and ossl_rand_get_nonce() return the number of bytes
-in I<*pout> or 0 on error.
+ossl_rand_get_entropy(), ossl_rand_get_user_entropy(),
+ossl_rand_get_nonce() and ossl_rand_get_user_nonce() return the number
+of bytes in I<*pout> or 0 on error.
 
 =head1 HISTORY
 
-The functions described here were all added in OpenSSL 3.0.
+The functions ossl_rand_get_user_entropy(), ossl_rand_get_user_nonce(),
+ossl_rand_cleanup_user_entropy(), and ossl_rand_cleanup_user_nonce()
+were added in OpenSSL 3.1.4 and 3.2.0.
+
+The remaining functions described here were all added in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

+ 5 - 3
libs/openssl/doc/man3/CMS_add1_signer.pod

@@ -31,8 +31,8 @@ Unless the B<CMS_REUSE_DIGEST> flag is set the returned CMS_ContentInfo
 structure is not complete and must be finalized either by streaming (if
 applicable) or a call to CMS_final().
 
-The CMS_SignerInfo_sign() function will explicitly sign a CMS_SignerInfo
-structure, its main use is when B<CMS_REUSE_DIGEST> and B<CMS_PARTIAL> flags
+The CMS_SignerInfo_sign() function explicitly signs a CMS_SignerInfo
+structure, its main use is when the B<CMS_REUSE_DIGEST> and B<CMS_PARTIAL> flags
 are both set.
 
 =head1 NOTES
@@ -90,6 +90,8 @@ before it is finalized.
 CMS_add1_signer() returns an internal pointer to the CMS_SignerInfo
 structure just added or NULL if an error occurs.
 
+CMS_SignerInfo_sign() returns 1 on success, 0 on failure.
+
 =head1 SEE ALSO
 
 L<ERR_get_error(3)>, L<CMS_sign(3)>,
@@ -97,7 +99,7 @@ L<CMS_final(3)>,
 
 =head1 COPYRIGHT
 
-Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2014-2023 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

+ 5 - 1
libs/openssl/doc/man3/DH_generate_parameters.pod

@@ -128,6 +128,10 @@ The parameter B<j> is invalid.
 
 =back
 
+If 0 is returned or B<*codes> is set to a nonzero value the supplied
+parameters should not be used for Diffie-Hellman operations otherwise
+the security properties of the key exchange are not guaranteed.
+
 DH_check_ex(), DH_check_params() and DH_check_pub_key_ex() are similar to
 DH_check() and DH_check_params() respectively, but the error reasons are added
 to the thread's error queue instead of provided as return values from the
@@ -160,7 +164,7 @@ DH_generate_parameters_ex() instead.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

+ 2 - 2
libs/openssl/doc/man3/DSA_generate_parameters.pod

@@ -51,7 +51,7 @@ called as shown below. For information on the BN_GENCB structure and the
 BN_GENCB_call function discussed below, refer to
 L<BN_generate_prime(3)>.
 
-DSA_generate_prime() is similar to DSA_generate_prime_ex() but
+DSA_generate_parameters() is similar to DSA_generate_parameters_ex() but
 expects an old-style callback function; see
 L<BN_generate_prime(3)> for information on the old-style callback.
 
@@ -126,7 +126,7 @@ DSA_generate_parameters_ex() instead.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

+ 1 - 7
libs/openssl/doc/man3/EVP_aes_128_gcm.pod

@@ -134,13 +134,7 @@ section for details.
 EVP_aes_192_wrap(),
 EVP_aes_256_wrap(),
 EVP_aes_128_wrap_pad(),
-EVP_aes_128_wrap(),
-EVP_aes_192_wrap(),
-EVP_aes_256_wrap(),
 EVP_aes_192_wrap_pad(),
-EVP_aes_128_wrap(),
-EVP_aes_192_wrap(),
-EVP_aes_256_wrap(),
 EVP_aes_256_wrap_pad()
 
 AES key wrap with 128, 192 and 256 bit keys, as according to RFC 3394 section
@@ -173,7 +167,7 @@ the XTS "tweak" value.
 
 Developers should be aware of the negative performance implications of
 calling these functions multiple times and should consider using
-L<EVP_CIPHER_fetch(3)> instead.
+L<EVP_CIPHER_fetch(3)> with L<EVP_CIPHER-AES(7)> instead.
 See L<crypto(7)/Performance> for further information.
 
 =head1 RETURN VALUES

+ 1 - 1
libs/openssl/doc/man3/EVP_aria_128_gcm.pod

@@ -96,7 +96,7 @@ correctly, see the L<EVP_EncryptInit(3)/AEAD Interface> section for details.
 
 Developers should be aware of the negative performance implications of
 calling these functions multiple times and should consider using
-L<EVP_CIPHER_fetch(3)> instead.
+L<EVP_CIPHER_fetch(3)> with L<EVP_CIPHER-ARIA(7)> instead.
 See L<crypto(7)/Performance> for further information.
 
 =head1 RETURN VALUES

+ 1 - 1
libs/openssl/doc/man3/EVP_bf_cbc.pod

@@ -41,7 +41,7 @@ Blowfish encryption algorithm in CBC, CFB, ECB and OFB modes respectively.
 
 Developers should be aware of the negative performance implications of
 calling these functions multiple times and should consider using
-L<EVP_CIPHER_fetch(3)> instead.
+L<EVP_CIPHER_fetch(3)> with L<EVP_CIPHER-BLOWFISH(7)> instead.
 See L<crypto(7)/Performance> for further information.
 
 =head1 RETURN VALUES

+ 1 - 1
libs/openssl/doc/man3/EVP_blake2b512.pod

@@ -35,7 +35,7 @@ The BLAKE2b algorithm that produces a 512-bit output from a given input.
 
 Developers should be aware of the negative performance implications of
 calling these functions multiple times and should consider using
-L<EVP_MD_fetch(3)> instead.
+L<EVP_MD_fetch(3)> with L<EVP_MD-BLAKE2(7)> instead.
 See L<crypto(7)/Performance> for further information.
 
 While the BLAKE2b and BLAKE2s algorithms supports a variable length digest,

+ 1 - 1
libs/openssl/doc/man3/EVP_camellia_128_ecb.pod

@@ -79,7 +79,7 @@ Camellia for 128, 192 and 256 bit keys in the following modes: CBC, CFB with
 
 Developers should be aware of the negative performance implications of
 calling these functions multiple times and should consider using
-L<EVP_CIPHER_fetch(3)> instead.
+L<EVP_CIPHER_fetch(3)> with L<EVP_CIPHER-CAMELLIA(7)> instead.
 See L<crypto(7)/Performance> for further information.
 
 =head1 RETURN VALUES

+ 1 - 1
libs/openssl/doc/man3/EVP_cast5_cbc.pod

@@ -41,7 +41,7 @@ CAST encryption algorithm in CBC, ECB, CFB and OFB modes respectively.
 
 Developers should be aware of the negative performance implications of
 calling these functions multiple times and should consider using
-L<EVP_CIPHER_fetch(3)> instead.
+L<EVP_CIPHER_fetch(3)> with L<EVP_CIPHER-CAST(7)> instead.
 See L<crypto(7)/Performance> for further information.
 
 =head1 RETURN VALUES

+ 1 - 1
libs/openssl/doc/man3/EVP_chacha20.pod

@@ -44,7 +44,7 @@ L<EVP_EncryptInit(3)/AEAD Interface> section for more information.
 
 Developers should be aware of the negative performance implications of
 calling these functions multiple times and should consider using
-L<EVP_CIPHER_fetch(3)> instead.
+L<EVP_CIPHER_fetch(3)> with L<EVP_CIPHER-CHACHA(7)> instead.
 See L<crypto(7)/Performance> for further information.
 
 L<RFC 7539|https://www.rfc-editor.org/rfc/rfc7539.html#section-2.4>

+ 1 - 1
libs/openssl/doc/man3/EVP_des_cbc.pod

@@ -89,7 +89,7 @@ Triple-DES key wrap according to RFC 3217 Section 3.
 
 Developers should be aware of the negative performance implications of
 calling these functions multiple times and should consider using
-L<EVP_CIPHER_fetch(3)> instead.
+L<EVP_CIPHER_fetch(3)> with L<EVP_CIPHER-DES(7)> instead.
 See L<crypto(7)/Performance> for further information.
 
 =head1 RETURN VALUES

+ 1 - 1
libs/openssl/doc/man3/EVP_desx_cbc.pod

@@ -31,7 +31,7 @@ implementation.
 
 Developers should be aware of the negative performance implications of
 calling this function multiple times and should consider using
-L<EVP_CIPHER_fetch(3)> instead.
+L<EVP_CIPHER_fetch(3)> with L<EVP_CIPHER-DES(7)> instead.
 See L<crypto(7)/Performance> for further information.
 
 =head1 RETURN VALUES

+ 1 - 1
libs/openssl/doc/man3/EVP_idea_cbc.pod

@@ -39,7 +39,7 @@ The IDEA encryption algorithm in CBC, CFB, ECB and OFB modes respectively.
 
 Developers should be aware of the negative performance implications of
 calling these functions multiple times and should consider using
-L<EVP_CIPHER_fetch(3)> instead.
+L<EVP_CIPHER_fetch(3)> with L<EVP_CIPHER-IDEA(7)> instead.
 See L<crypto(7)/Performance> for further information.
 
 =head1 RETURN VALUES

+ 1 - 1
libs/openssl/doc/man3/EVP_md2.pod

@@ -28,7 +28,7 @@ The MD2 algorithm which produces a 128-bit output from a given input.
 
 Developers should be aware of the negative performance implications of
 calling this function multiple times and should consider using
-L<EVP_MD_fetch(3)> instead.
+L<EVP_MD_fetch(3)> with L<EVP_MD-MD2(7)> instead.
 See L<crypto(7)/Performance> for further information.
 
 =head1 RETURN VALUES

+ 1 - 1
libs/openssl/doc/man3/EVP_md4.pod

@@ -29,7 +29,7 @@ The MD4 algorithm which produces a 128-bit output from a given input.
 
 Developers should be aware of the negative performance implications of
 calling this function multiple times and should consider using
-L<EVP_MD_fetch(3)> instead.
+L<EVP_MD_fetch(3)> with L<EVP_MD-MD4(7)> instead.
 See L<crypto(7)/Performance> for further information.
 
 =head1 RETURN VALUES

+ 1 - 1
libs/openssl/doc/man3/EVP_md5.pod

@@ -40,7 +40,7 @@ WARNING: this algorithm is not intended for non-SSL usage.
 
 Developers should be aware of the negative performance implications of
 calling these functions multiple times and should consider using
-L<EVP_MD_fetch(3)> instead.
+L<EVP_MD_fetch(3)> with L<EVP_MD-MD5(7)> or L<EVP_MD-MD5-SHA1(7)> instead.
 See L<crypto(7)/Performance> for further information.
 
 =head1 RETURN VALUES

+ 1 - 1
libs/openssl/doc/man3/EVP_mdc2.pod

@@ -30,7 +30,7 @@ The MDC-2DES algorithm of using MDC-2 with the DES block cipher. It produces a
 
 Developers should be aware of the negative performance implications of
 calling this function multiple times and should consider using
-L<EVP_MD_fetch(3)> instead.
+L<EVP_MD_fetch(3)> with L<EVP_MD-MDC2(7)> instead.
 See L<crypto(7)/Performance> for further information.
 
 =head1 RETURN VALUES

+ 1 - 1
libs/openssl/doc/man3/EVP_rc2_cbc.pod

@@ -55,7 +55,7 @@ functions to set the key length and effective key length.
 
 Developers should be aware of the negative performance implications of
 calling these functions multiple times and should consider using
-L<EVP_CIPHER_fetch(3)> instead.
+L<EVP_CIPHER_fetch(3)> with L<EVP_CIPHER-RC2(7)> instead.
 See L<crypto(7)/Performance> for further information.
 
 =head1 RETURN VALUES

+ 1 - 1
libs/openssl/doc/man3/EVP_rc4.pod

@@ -47,7 +47,7 @@ interface.
 
 Developers should be aware of the negative performance implications of
 calling these functions multiple times and should consider using
-L<EVP_CIPHER_fetch(3)> instead.
+L<EVP_CIPHER_fetch(3)> with L<EVP_CIPHER-RC4(7)> instead.
 See L<crypto(7)/Performance> for further information.
 
 =head1 RETURN VALUES

+ 1 - 1
libs/openssl/doc/man3/EVP_rc5_32_12_16_cbc.pod

@@ -60,7 +60,7 @@ is an int.
 
 Developers should be aware of the negative performance implications of
 calling these functions multiple times and should consider using
-L<EVP_CIPHER_fetch(3)> instead.
+L<EVP_CIPHER_fetch(3)> with L<EVP_CIPHER-RC5(7)> instead.
 See L<crypto(7)/Performance> for further information.
 
 =head1 RETURN VALUES

+ 1 - 1
libs/openssl/doc/man3/EVP_ripemd160.pod

@@ -29,7 +29,7 @@ The RIPEMD-160 algorithm which produces a 160-bit output from a given input.
 
 Developers should be aware of the negative performance implications of
 calling this function multiple times and should consider using
-L<EVP_MD_fetch(3)> instead.
+L<EVP_MD_fetch(3)> with L<EVP_MD-RIPEMD160(7)> instead.
 See L<crypto(7)/Performance> for further information.
 
 =head1 RETURN VALUES

+ 1 - 1
libs/openssl/doc/man3/EVP_seed_cbc.pod

@@ -41,7 +41,7 @@ The SEED encryption algorithm in CBC, CFB, ECB and OFB modes respectively.
 
 Developers should be aware of the negative performance implications of
 calling these functions multiple times and should consider using
-L<EVP_CIPHER_fetch(3)> instead.
+L<EVP_CIPHER_fetch(3)> with L<EVP_CIPHER-SEED(7)> instead.
 See L<crypto(7)/Performance> for further information.
 
 =head1 RETURN VALUES

+ 1 - 1
libs/openssl/doc/man3/EVP_sha1.pod

@@ -29,7 +29,7 @@ The SHA-1 algorithm which produces a 160-bit output from a given input.
 
 Developers should be aware of the negative performance implications of
 calling this function multiple times and should consider using
-L<EVP_MD_fetch(3)> instead.
+L<EVP_MD_fetch(3)> with L<EVP_MD-SHA1(7)> instead.
 See L<crypto(7)/Performance> for further information.
 
 =head1 RETURN VALUES

+ 1 - 1
libs/openssl/doc/man3/EVP_sha224.pod

@@ -49,7 +49,7 @@ their outputs are of the same size.
 
 Developers should be aware of the negative performance implications of
 calling these functions multiple times and should consider using
-L<EVP_MD_fetch(3)> instead.
+L<EVP_MD_fetch(3)> with L<EVP_MD-SHA2(7)>instead.
 See L<crypto(7)/Performance> for further information.
 
 =head1 RETURN VALUES

+ 1 - 1
libs/openssl/doc/man3/EVP_sha3_224.pod

@@ -54,7 +54,7 @@ B<EVP_shake256> provides that of 256 bits.
 
 Developers should be aware of the negative performance implications of
 calling these functions multiple times and should consider using
-L<EVP_MD_fetch(3)> instead.
+L<EVP_MD_fetch(3)> with L<EVP_MD-SHA3(7)> or L<EVP_MD-SHAKE(7)> instead.
 See L<crypto(7)/Performance> for further information.
 
 =head1 RETURN VALUES

+ 1 - 1
libs/openssl/doc/man3/EVP_sm3.pod

@@ -28,7 +28,7 @@ The SM3 hash function.
 
 Developers should be aware of the negative performance implications of
 calling this function multiple times and should consider using
-L<EVP_MD_fetch(3)> instead.
+L<EVP_MD_fetch(3)> with L<EVP_MD-SM3(7)> instead.
 See L<crypto(7)/Performance> for further information.
 
 =head1 RETURN VALUES

+ 1 - 1
libs/openssl/doc/man3/EVP_sm4_cbc.pod

@@ -45,7 +45,7 @@ respectively.
 
 Developers should be aware of the negative performance implications of
 calling these functions multiple times and should consider using
-L<EVP_CIPHER_fetch(3)> instead.
+L<EVP_CIPHER_fetch(3)> with L<EVP_CIPHER-SM4(7)> instead.
 See L<crypto(7)/Performance> for further information.
 
 =head1 RETURN VALUES

+ 1 - 1
libs/openssl/doc/man3/EVP_whirlpool.pod

@@ -30,7 +30,7 @@ input.
 
 Developers should be aware of the negative performance implications of
 calling this function multiple times and should consider using
-L<EVP_MD_fetch(3)> instead.
+L<EVP_MD_fetch(3)> with L<EVP_MD-WHIRLPOOL(7)> instead.
 See L<crypto(7)/Performance> for further information.
 
 =head1 RETURN VALUES

+ 10 - 10
libs/openssl/doc/man3/OPENSSL_LH_stats.pod

@@ -10,16 +10,16 @@ OPENSSL_LH_node_stats_bio, OPENSSL_LH_node_usage_stats_bio - LHASH statistics
 
  #include <openssl/lhash.h>
 
+The following functions have been deprecated since OpenSSL 3.1, and can be
+hidden entirely by defining B<OPENSSL_API_COMPAT> with a suitable version value,
+see L<openssl_user_macros(7)>:
+
  void OPENSSL_LH_node_stats(LHASH *table, FILE *out);
  void OPENSSL_LH_node_usage_stats(LHASH *table, FILE *out);
 
  void OPENSSL_LH_node_stats_bio(LHASH *table, BIO *out);
  void OPENSSL_LH_node_usage_stats_bio(LHASH *table, BIO *out);
 
-The following functions have been deprecated since OpenSSL 3.1, and can be
-hidden entirely by defining B<OPENSSL_API_COMPAT> with a suitable version value,
-see L<openssl_user_macros(7)>:
-
  void OPENSSL_LH_stats(LHASH *table, FILE *out);
  void OPENSSL_LH_stats_bio(LHASH *table, BIO *out);
 
@@ -48,8 +48,7 @@ record a miss.
 OPENSSL_LH_stats_bio(), OPENSSL_LH_node_stats_bio() and OPENSSL_LH_node_usage_stats_bio()
 are the same as the above, except that the output goes to a B<BIO>.
 
-OPENSSH_LH_stats() and OPENSSH_LH_stats_bio() are deprecated and should no
-longer be used.
+These functions are deprecated and should no longer be used.
 
 =head1 RETURN VALUES
 
@@ -61,16 +60,17 @@ These calls should be made under a read lock. Refer to
 L<OPENSSL_LH_COMPFUNC(3)/NOTE> for more details about the locks required
 when using the LHASH data structure.
 
-The functions OPENSSH_LH_stats() and OPENSSH_LH_stats_bio() were deprecated in
-version 3.1.
-
 =head1 SEE ALSO
 
 L<bio(7)>, L<OPENSSL_LH_COMPFUNC(3)>
 
+=head1 HISTORY
+
+These functions were deprecated in version 3.1.
+
 =head1 COPYRIGHT
 
-Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

+ 3 - 2
libs/openssl/doc/man3/PKCS5_PBKDF2_HMAC.pod

@@ -33,7 +33,8 @@ be NULL terminated.
 
 B<iter> is the iteration count and its value should be greater than or
 equal to 1. RFC 2898 suggests an iteration count of at least 1000. Any
-B<iter> less than 1 is treated as a single iteration.
+B<iter> value less than 1 is invalid; such values will result in failure
+and raise the PROV_R_INVALID_ITERATION_COUNT error.
 
 B<digest> is the message digest function used in the derivation.
 PKCS5_PBKDF2_HMAC_SHA1() calls PKCS5_PBKDF2_HMAC() with EVP_sha1().
@@ -66,7 +67,7 @@ L<passphrase-encoding(7)>
 
 =head1 COPYRIGHT
 
-Copyright 2014-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2014-2023 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

+ 9 - 1
libs/openssl/doc/man3/SSL_CONF_CTX_set_ssl_ctx.pod

@@ -2,6 +2,7 @@
 
 =head1 NAME
 
+SSL_CONF_CTX_finish,
 SSL_CONF_CTX_set_ssl_ctx, SSL_CONF_CTX_set_ssl - set context to configure
 
 =head1 SYNOPSIS
@@ -10,6 +11,7 @@ SSL_CONF_CTX_set_ssl_ctx, SSL_CONF_CTX_set_ssl - set context to configure
 
  void SSL_CONF_CTX_set_ssl_ctx(SSL_CONF_CTX *cctx, SSL_CTX *ctx);
  void SSL_CONF_CTX_set_ssl(SSL_CONF_CTX *cctx, SSL *ssl);
+ int SSL_CONF_CTX_finish(SSL_CONF_CTX *cctx);
 
 =head1 DESCRIPTION
 
@@ -23,6 +25,10 @@ B<SSL> structure B<ssl>. Any previous B<SSL> or B<SSL_CTX> associated with
 B<cctx> is cleared. Subsequent calls to SSL_CONF_cmd() will be sent to
 B<ssl>.
 
+The function SSL_CONF_CTX_finish() must be called after all configuration
+operations have been completed. It is used to finalise any operations
+or to process defaults.
+
 =head1 NOTES
 
 The context need not be set or it can be set to B<NULL> in which case only
@@ -32,6 +38,8 @@ syntax checking of commands is performed, where possible.
 
 SSL_CONF_CTX_set_ssl_ctx() and SSL_CTX_set_ssl() do not return a value.
 
+SSL_CONF_CTX_finish() returns 1 for success and 0 for failure.
+
 =head1 SEE ALSO
 
 L<ssl(7)>,
@@ -47,7 +55,7 @@ These functions were added in OpenSSL 1.0.2.
 
 =head1 COPYRIGHT
 
-Copyright 2012-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2012-2023 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

+ 10 - 6
libs/openssl/doc/man3/SSL_CTX_set_info_callback.pod

@@ -12,11 +12,15 @@ SSL_get_info_callback
 
  #include <openssl/ssl.h>
 
- void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*callback)());
- void (*SSL_CTX_get_info_callback(const SSL_CTX *ctx))();
+ void SSL_CTX_set_info_callback(SSL_CTX *ctx,
+                                void (*callback) (const SSL *ssl, int type, int val));
 
- void SSL_set_info_callback(SSL *ssl, void (*callback)());
- void (*SSL_get_info_callback(const SSL *ssl))();
+ void (*SSL_CTX_get_info_callback(SSL_CTX *ctx)) (const SSL *ssl, int type, int val);
+
+ void SSL_set_info_callback(SSL *ssl,
+                            void (*callback) (const SSL *ssl, int type, int val));
+
+ void (*SSL_get_info_callback(const SSL *ssl)) (const SSL *ssl, int type, int val);
 
 =head1 DESCRIPTION
 
@@ -119,7 +123,7 @@ SSL_get_info_callback() returns the current setting.
 The following example callback function prints state strings, information
 about alerts being handled and error messages to the B<bio_err> BIO.
 
- void apps_ssl_info_callback(SSL *s, int where, int ret)
+ void apps_ssl_info_callback(const SSL *s, int where, int ret)
  {
      const char *str;
      int w = where & ~SSL_ST_MASK;
@@ -156,7 +160,7 @@ L<SSL_alert_type_string(3)>
 
 =head1 COPYRIGHT
 
-Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

+ 2 - 2
libs/openssl/doc/man3/d2i_PKCS8PrivateKey_bio.pod

@@ -8,7 +8,7 @@ i2d_PKCS8PrivateKey_nid_bio, i2d_PKCS8PrivateKey_nid_fp - PKCS#8 format private
 
 =head1 SYNOPSIS
 
- #include <openssl/evp.h>
+ #include <openssl/pem.h>
 
  EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, void *u);
  EVP_PKEY *d2i_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY **x, pem_password_cb *cb, void *u);
@@ -64,7 +64,7 @@ L<passphrase-encoding(7)>
 
 =head1 COPYRIGHT
 
-Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

+ 22 - 4
libs/openssl/doc/man3/d2i_X509.pod

@@ -390,10 +390,12 @@ to the returned structure is also written to I<*a>.  If an error occurred
 then NULL is returned.
 
 On a successful return, if I<*a> is not NULL then it is assumed that I<*a>
-contains a valid B<I<TYPE>> structure and an attempt is made to reuse it. This
-"reuse" capability is present for historical compatibility but its use is
-B<strongly discouraged> (see BUGS below, and the discussion in the RETURN
-VALUES section).
+contains a valid B<I<TYPE>> structure and an attempt is made to reuse it.
+For B<I<TYPE>> structures where it matters it is possible to set up a library
+context on the decoded structure this way (see the B<EXAMPLES> section).
+However using the "reuse" capability for other purposes is B<strongly
+discouraged> (see B<BUGS> below, and the discussion in the B<RETURN VALUES>
+section).
 
 B<d2i_I<TYPE>_bio>() is similar to B<d2i_I<TYPE>>() except it attempts
 to parse data from BIO I<bp>.
@@ -538,6 +540,22 @@ Alternative technique:
  if (d2i_X509(&x, &p, len) == NULL)
      /* error */
 
+Setting up a library context and property query:
+
+ X509 *x;
+ unsigned char *buf;
+ const unsigned char *p;
+ int len;
+ OSSL_LIB_CTX *libctx = ....;
+ const char *propq = ....;
+
+ /* Set up buf and len to point to the input buffer. */
+ p = buf;
+ x = X509_new_ex(libctx, propq);
+
+ if (d2i_X509(&x, &p, len) == NULL)
+     /* error, x was freed and NULL assigned to it (see RETURN VALUES) */
+
 =head1 WARNINGS
 
 Using a temporary variable is mandatory. A common

+ 8 - 1
libs/openssl/doc/man7/EVP_RAND-TEST-RAND.pod

@@ -60,6 +60,13 @@ If there are insufficient data present to satisfy a call, an error is returned.
 Sets the bytes returned when the test generator is sent a nonce request.
 Each nonce request will return all of the bytes.
 
+=item "generate" (B<OSSL_RAND_PARAM_GENERATE>) <integer>
+
+If this parameter is zero, it will only emit the nonce and entropy data
+supplied via the aforementioned parameters.  Otherwise, low quality
+non-cryptographic pseudorandom output is produced.  This parameter defaults
+to zero.
+
 =back
 
 =head1 NOTES
@@ -106,7 +113,7 @@ This functionality was added in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

+ 34 - 4
libs/openssl/doc/man7/provider-base.pod

@@ -76,13 +76,23 @@ provider-base
  size_t get_entropy(const OSSL_CORE_HANDLE *handle,
                     unsigned char **pout, int entropy,
                     size_t min_len, size_t max_len);
+ size_t get_user_entropy(const OSSL_CORE_HANDLE *handle,
+                         unsigned char **pout, int entropy,
+                         size_t min_len, size_t max_len);
  void cleanup_entropy(const OSSL_CORE_HANDLE *handle,
                       unsigned char *buf, size_t len);
+ void cleanup_user_entropy(const OSSL_CORE_HANDLE *handle,
+                           unsigned char *buf, size_t len);
  size_t get_nonce(const OSSL_CORE_HANDLE *handle,
                   unsigned char **pout, size_t min_len, size_t max_len,
                   const void *salt, size_t salt_len);
+ size_t get_user_nonce(const OSSL_CORE_HANDLE *handle,
+                       unsigned char **pout, size_t min_len, size_t max_len,
+                       const void *salt, size_t salt_len);
  void cleanup_nonce(const OSSL_CORE_HANDLE *handle,
                     unsigned char *buf, size_t len);
+ void cleanup_user_nonce(const OSSL_CORE_HANDLE *handle,
+                         unsigned char *buf, size_t len);
 
  /* Functions for querying the providers in the application library context */
  int provider_register_child_cb(const OSSL_CORE_HANDLE *handle,
@@ -171,9 +181,13 @@ provider):
  OPENSSL_cleanse                OSSL_FUNC_OPENSSL_CLEANSE
  OSSL_SELF_TEST_set_callback    OSSL_FUNC_SELF_TEST_CB
  ossl_rand_get_entropy          OSSL_FUNC_GET_ENTROPY
+ ossl_rand_get_user_entropy     OSSL_FUNC_GET_USER_ENTROPY
  ossl_rand_cleanup_entropy      OSSL_FUNC_CLEANUP_ENTROPY
+ ossl_rand_cleanup_user_entropy OSSL_FUNC_CLEANUP_USER_ENTROPY
  ossl_rand_get_nonce            OSSL_FUNC_GET_NONCE
+ ossl_rand_get_user_nonce       OSSL_FUNC_GET_USER_NONCE
  ossl_rand_cleanup_nonce        OSSL_FUNC_CLEANUP_NONCE
+ ossl_rand_cleanup_user_nonce   OSSL_FUNC_CLEANUP_USER_NONCE
  provider_register_child_cb     OSSL_FUNC_PROVIDER_REGISTER_CHILD_CB
  provider_deregister_child_cb   OSSL_FUNC_PROVIDER_DEREGISTER_CHILD_CB
  provider_name                  OSSL_FUNC_PROVIDER_NAME
@@ -302,9 +316,17 @@ output will have at least I<min_len> and at most I<max_len> bytes.
 The buffer address is stored in I<*pout> and the buffer length is
 returned to the caller.  On error, zero is returned.
 
+get_user_entropy() is the same as get_entropy() except that it will
+attempt to gather seed material via the seed source specified by a call to
+L<RAND_set_seed_source_type(3)> or via L<config(5)/Random Configuration>.
+
 cleanup_entropy() is used to clean up and free the buffer returned by
-get_entropy().  The entropy pointer returned by get_entropy() is passed in
-B<buf> and its length in B<len>.
+get_entropy().  The entropy pointer returned by get_entropy()
+is passed in B<buf> and its length in B<len>.
+
+cleanup_user_entropy() is used to clean up and free the buffer returned by
+get_user_entropy().  The entropy pointer returned by get_user_entropy()
+is passed in B<buf> and its length in B<len>.
 
 get_nonce() retrieves a nonce using the passed I<salt> parameter
 of length I<salt_len> and operating system specific information.
@@ -314,9 +336,17 @@ The output is stored in a buffer which contains at least I<min_len> and at
 most I<max_len> bytes.  The buffer address is stored in I<*pout> and the
 buffer length returned to the caller.  On error, zero is returned.
 
+get_user_nonce() is the same as get_nonce() except that it will attempt
+to gather seed material via the seed source specified by a call to
+L<RAND_set_seed_source_type(3)> or via L<config(5)/Random Configuration>.
+
 cleanup_nonce() is used to clean up and free the buffer returned by
-get_nonce().  The nonce pointer returned by get_nonce() is passed in
-B<buf> and its length in B<len>.
+get_nonce().  The nonce pointer returned by get_nonce()
+is passed in B<buf> and its length in B<len>.
+
+cleanup_user_nonce() is used to clean up and free the buffer returned by
+get_user_nonce().  The nonce pointer returned by get_user_nonce()
+is passed in B<buf> and its length in B<len>.
 
 provider_register_child_cb() registers callbacks for being informed about the
 loading and unloading of providers in the application's library context.

+ 2 - 1
libs/openssl/include/crypto/context.h

@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -21,6 +21,7 @@ void *ossl_child_prov_ctx_new(OSSL_LIB_CTX *);
 void *ossl_prov_drbg_nonce_ctx_new(OSSL_LIB_CTX *);
 void *ossl_self_test_set_callback_new(OSSL_LIB_CTX *);
 void *ossl_rand_crng_ctx_new(OSSL_LIB_CTX *);
+int ossl_thread_register_fips(OSSL_LIB_CTX *);
 void *ossl_thread_event_ctx_new(OSSL_LIB_CTX *);
 void *ossl_fips_prov_ossl_ctx_new(OSSL_LIB_CTX *);
 

+ 9 - 1
libs/openssl/include/crypto/evp.h

@@ -1,5 +1,5 @@
 /*
- * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -949,6 +949,14 @@ int evp_keymgmt_get_number(const EVP_KEYMGMT *keymgmt);
 int evp_mac_get_number(const EVP_MAC *mac);
 int evp_md_get_number(const EVP_MD *md);
 int evp_rand_get_number(const EVP_RAND *rand);
+int evp_rand_can_seed(EVP_RAND_CTX *ctx);
+size_t evp_rand_get_seed(EVP_RAND_CTX *ctx,
+                         unsigned char **buffer,
+                         int entropy, size_t min_len, size_t max_len,
+                         int prediction_resistance,
+                         const unsigned char *adin, size_t adin_len);
+void evp_rand_clear_seed(EVP_RAND_CTX *ctx,
+                         unsigned char *buffer, size_t b_len);
 int evp_signature_get_number(const EVP_SIGNATURE *signature);
 
 #endif /* OSSL_CRYPTO_EVP_H */

+ 20 - 5
libs/openssl/include/crypto/rand.h

@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -108,16 +108,26 @@ void ossl_random_add_conf_module(void);
 /*
  * Get and cleanup random seed material.
  */
-size_t ossl_rand_get_entropy(ossl_unused const OSSL_CORE_HANDLE *handle,
+size_t ossl_rand_get_entropy(OSSL_LIB_CTX *ctx,
                              unsigned char **pout, int entropy,
                              size_t min_len, size_t max_len);
-void ossl_rand_cleanup_entropy(ossl_unused const OSSL_CORE_HANDLE *handle,
+size_t ossl_rand_get_user_entropy(OSSL_LIB_CTX *ctx,
+                                  unsigned char **pout, int entropy,
+                                  size_t min_len, size_t max_len);
+void ossl_rand_cleanup_entropy(OSSL_LIB_CTX *ctx,
                                unsigned char *buf, size_t len);
-size_t ossl_rand_get_nonce(ossl_unused const OSSL_CORE_HANDLE *handle,
+void ossl_rand_cleanup_user_entropy(OSSL_LIB_CTX *ctx,
+                                    unsigned char *buf, size_t len);
+size_t ossl_rand_get_nonce(OSSL_LIB_CTX *ctx,
                            unsigned char **pout, size_t min_len, size_t max_len,
                            const void *salt, size_t salt_len);
-void ossl_rand_cleanup_nonce(ossl_unused const OSSL_CORE_HANDLE *handle,
+size_t ossl_rand_get_user_nonce(OSSL_LIB_CTX *ctx, unsigned char **pout,
+                                size_t min_len, size_t max_len,
+                                const void *salt, size_t salt_len);
+void ossl_rand_cleanup_nonce(OSSL_LIB_CTX *ctx,
                              unsigned char *buf, size_t len);
+void ossl_rand_cleanup_user_nonce(OSSL_LIB_CTX *ctx,
+                                  unsigned char *buf, size_t len);
 
 /*
  * Get seeding material from the operating system sources.
@@ -125,4 +135,9 @@ void ossl_rand_cleanup_nonce(ossl_unused const OSSL_CORE_HANDLE *handle,
 size_t ossl_pool_acquire_entropy(RAND_POOL *pool);
 int ossl_pool_add_nonce_data(RAND_POOL *pool);
 
+# ifdef FIPS_MODULE
+EVP_RAND_CTX *ossl_rand_get0_private_noncreating(OSSL_LIB_CTX *ctx);
+# else
+EVP_RAND_CTX *ossl_rand_get0_seed_noncreating(OSSL_LIB_CTX *ctx);
+# endif
 #endif

+ 1 - 1
libs/openssl/include/crypto/randerr.h

@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy

+ 2 - 1
libs/openssl/include/openssl/cmserr.h

@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -113,6 +113,7 @@
 #  define CMS_R_UNSUPPORTED_LABEL_SOURCE                   193
 #  define CMS_R_UNSUPPORTED_RECIPIENTINFO_TYPE             155
 #  define CMS_R_UNSUPPORTED_RECIPIENT_TYPE                 154
+#  define CMS_R_UNSUPPORTED_SIGNATURE_ALGORITHM            195
 #  define CMS_R_UNSUPPORTED_TYPE                           156
 #  define CMS_R_UNWRAP_ERROR                               157
 #  define CMS_R_UNWRAP_FAILURE                             180

+ 18 - 1
libs/openssl/include/openssl/core_dispatch.h

@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -176,6 +176,12 @@ OSSL_CORE_MAKE_FUNC(int, BIO_vsnprintf,
 OSSL_CORE_MAKE_FUNC(int, BIO_ctrl, (OSSL_CORE_BIO *bio,
                                     int cmd, long num, void *ptr))
 
+/* New seeding functions prototypes with the 101-104 series */
+#define OSSL_FUNC_CLEANUP_USER_ENTROPY        96
+#define OSSL_FUNC_CLEANUP_USER_NONCE          97
+#define OSSL_FUNC_GET_USER_ENTROPY            98
+#define OSSL_FUNC_GET_USER_NONCE              99
+
 #define OSSL_FUNC_SELF_TEST_CB               100
 OSSL_CORE_MAKE_FUNC(void, self_test_cb, (OPENSSL_CORE_CTX *ctx, OSSL_CALLBACK **cb,
                                          void **cbarg))
@@ -188,14 +194,25 @@ OSSL_CORE_MAKE_FUNC(void, self_test_cb, (OPENSSL_CORE_CTX *ctx, OSSL_CALLBACK **
 OSSL_CORE_MAKE_FUNC(size_t, get_entropy, (const OSSL_CORE_HANDLE *handle,
                                           unsigned char **pout, int entropy,
                                           size_t min_len, size_t max_len))
+OSSL_CORE_MAKE_FUNC(size_t, get_user_entropy, (const OSSL_CORE_HANDLE *handle,
+                                               unsigned char **pout, int entropy,
+                                               size_t min_len, size_t max_len))
 OSSL_CORE_MAKE_FUNC(void, cleanup_entropy, (const OSSL_CORE_HANDLE *handle,
                                             unsigned char *buf, size_t len))
+OSSL_CORE_MAKE_FUNC(void, cleanup_user_entropy, (const OSSL_CORE_HANDLE *handle,
+                                                 unsigned char *buf, size_t len))
 OSSL_CORE_MAKE_FUNC(size_t, get_nonce, (const OSSL_CORE_HANDLE *handle,
                                         unsigned char **pout, size_t min_len,
                                         size_t max_len, const void *salt,
                                         size_t salt_len))
+OSSL_CORE_MAKE_FUNC(size_t, get_user_nonce, (const OSSL_CORE_HANDLE *handle,
+                                             unsigned char **pout, size_t min_len,
+                                             size_t max_len, const void *salt,
+                                             size_t salt_len))
 OSSL_CORE_MAKE_FUNC(void, cleanup_nonce, (const OSSL_CORE_HANDLE *handle,
                                           unsigned char *buf, size_t len))
+OSSL_CORE_MAKE_FUNC(void, cleanup_user_nonce, (const OSSL_CORE_HANDLE *handle,
+                                               unsigned char *buf, size_t len))
 
 /* Functions to access the core's providers */
 #define OSSL_FUNC_PROVIDER_REGISTER_CHILD_CB   105

+ 1 - 0
libs/openssl/include/openssl/core_names.h

@@ -248,6 +248,7 @@ extern "C" {
 #define OSSL_RAND_PARAM_MAX_REQUEST             "max_request"
 #define OSSL_RAND_PARAM_TEST_ENTROPY            "test_entropy"
 #define OSSL_RAND_PARAM_TEST_NONCE              "test_nonce"
+#define OSSL_RAND_PARAM_GENERATE                "generate"
 
 /* RAND/DRBG names */
 #define OSSL_DRBG_PARAM_RESEED_REQUESTS         "reseed_requests"

+ 3 - 1
libs/openssl/include/openssl/evp.h

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -85,6 +85,8 @@
 /* Easy to use macros for EVP_PKEY related selections */
 # define EVP_PKEY_KEY_PARAMETERS                                            \
     ( OSSL_KEYMGMT_SELECT_ALL_PARAMETERS )
+# define EVP_PKEY_PRIVATE_KEY                                               \
+    ( EVP_PKEY_KEY_PARAMETERS | OSSL_KEYMGMT_SELECT_PRIVATE_KEY )
 # define EVP_PKEY_PUBLIC_KEY                                                \
     ( EVP_PKEY_KEY_PARAMETERS | OSSL_KEYMGMT_SELECT_PUBLIC_KEY )
 # define EVP_PKEY_KEYPAIR                                                   \

+ 3 - 3
libs/openssl/include/openssl/pkcs7.h.in

@@ -1,7 +1,7 @@
 /*
  * {- join("\n * ", @autowarntext) -}
  *
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -60,8 +60,8 @@ typedef struct pkcs7_signer_info_st {
     PKCS7_ISSUER_AND_SERIAL *issuer_and_serial;
     X509_ALGOR *digest_alg;
     STACK_OF(X509_ATTRIBUTE) *auth_attr; /* [ 0 ] */
-    X509_ALGOR *digest_enc_alg;
-    ASN1_OCTET_STRING *enc_digest;
+    X509_ALGOR *digest_enc_alg; /* confusing name, actually used for signing */
+    ASN1_OCTET_STRING *enc_digest; /* confusing name, actually signature */
     STACK_OF(X509_ATTRIBUTE) *unauth_attr; /* [ 1 ] */
     /* The private key to sign with */
     EVP_PKEY *pkey;

+ 2 - 1
libs/openssl/include/openssl/randerr.h

@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -41,6 +41,7 @@
 # define RAND_R_GENERATE_ERROR                            112
 # define RAND_R_INSUFFICIENT_DRBG_STRENGTH                139
 # define RAND_R_INTERNAL_ERROR                            113
+# define RAND_R_INVALID_PROPERTY_QUERY                    137
 # define RAND_R_IN_ERROR_STATE                            114
 # define RAND_R_NOT_A_REGULAR_FILE                        122
 # define RAND_R_NOT_INSTANTIATED                          115

+ 9 - 1
libs/openssl/providers/baseprov.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -19,6 +19,7 @@
 #include "prov/providercommon.h"
 #include "prov/implementations.h"
 #include "prov/provider_util.h"
+#include "prov/names.h"
 
 /*
  * Forward declarations to ensure that interface functions are correctly
@@ -90,6 +91,11 @@ static const OSSL_ALGORITHM base_store[] = {
 #undef STORE
 };
 
+static const OSSL_ALGORITHM base_rands[] = {
+    { PROV_NAMES_SEED_SRC, "provider=base", ossl_seed_src_functions },
+    { NULL, NULL, NULL }
+};
+
 static const OSSL_ALGORITHM *base_query(void *provctx, int operation_id,
                                          int *no_cache)
 {
@@ -101,6 +107,8 @@ static const OSSL_ALGORITHM *base_query(void *provctx, int operation_id,
         return base_decoder;
     case OSSL_OP_STORE:
         return base_store;
+    case OSSL_OP_RAND:
+        return base_rands;
     }
     return NULL;
 }

+ 62 - 13
libs/openssl/providers/common/provider_seeding.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -9,11 +9,34 @@
 
 #include <openssl/core_dispatch.h>
 #include "prov/seeding.h"
+#include "prov/providercommon.h"
 
 static OSSL_FUNC_get_entropy_fn *c_get_entropy = NULL;
+static OSSL_FUNC_get_user_entropy_fn *c_get_user_entropy = NULL;
 static OSSL_FUNC_cleanup_entropy_fn *c_cleanup_entropy = NULL;
+static OSSL_FUNC_cleanup_user_entropy_fn *c_cleanup_user_entropy = NULL;
 static OSSL_FUNC_get_nonce_fn *c_get_nonce = NULL;
+static OSSL_FUNC_get_user_nonce_fn *c_get_user_nonce = NULL;
 static OSSL_FUNC_cleanup_nonce_fn *c_cleanup_nonce = NULL;
+static OSSL_FUNC_cleanup_user_nonce_fn *c_cleanup_user_nonce = NULL;
+
+#ifdef FIPS_MODULE
+/*
+ * The FIPS provider uses an internal library context which is what the
+ * passed provider context references.  Since the seed source is external
+ * to the FIPS provider, this is the wrong one.  We need to convert this
+ * to the correct core handle before up-calling libcrypto.
+ */
+# define CORE_HANDLE(provctx) \
+    FIPS_get_core_handle(ossl_prov_ctx_get0_libctx(provctx))
+#else
+/*
+ * The non-FIPS path *should* be unused because the full DRBG chain including
+ * seed source is instantiated.  However, that might not apply for third
+ * party providers, so this is retained for compatibility.
+ */
+# define CORE_HANDLE(provctx) ossl_prov_ctx_get0_handle(provctx)
+#endif
 
 int ossl_prov_seeding_from_dispatch(const OSSL_DISPATCH *fns)
 {
@@ -29,15 +52,27 @@ int ossl_prov_seeding_from_dispatch(const OSSL_DISPATCH *fns)
         case OSSL_FUNC_GET_ENTROPY:
             set_func(c_get_entropy, OSSL_FUNC_get_entropy(fns));
             break;
+        case OSSL_FUNC_GET_USER_ENTROPY:
+            set_func(c_get_user_entropy, OSSL_FUNC_get_user_entropy(fns));
+            break;
         case OSSL_FUNC_CLEANUP_ENTROPY:
             set_func(c_cleanup_entropy, OSSL_FUNC_cleanup_entropy(fns));
             break;
+        case OSSL_FUNC_CLEANUP_USER_ENTROPY:
+            set_func(c_cleanup_user_entropy, OSSL_FUNC_cleanup_user_entropy(fns));
+            break;
         case OSSL_FUNC_GET_NONCE:
             set_func(c_get_nonce, OSSL_FUNC_get_nonce(fns));
             break;
+        case OSSL_FUNC_GET_USER_NONCE:
+            set_func(c_get_user_nonce, OSSL_FUNC_get_user_nonce(fns));
+            break;
         case OSSL_FUNC_CLEANUP_NONCE:
             set_func(c_cleanup_nonce, OSSL_FUNC_cleanup_nonce(fns));
             break;
+        case OSSL_FUNC_CLEANUP_USER_NONCE:
+            set_func(c_cleanup_user_nonce, OSSL_FUNC_cleanup_user_nonce(fns));
+            break;
         }
 #undef set_func
     }
@@ -47,31 +82,45 @@ int ossl_prov_seeding_from_dispatch(const OSSL_DISPATCH *fns)
 size_t ossl_prov_get_entropy(PROV_CTX *prov_ctx, unsigned char **pout,
                              int entropy, size_t min_len, size_t max_len)
 {
-    if (c_get_entropy == NULL)
-        return 0;
-    return c_get_entropy(ossl_prov_ctx_get0_handle(prov_ctx),
-                         pout, entropy, min_len, max_len);
+    const OSSL_CORE_HANDLE *handle = CORE_HANDLE(prov_ctx);
+
+    if (c_get_user_entropy != NULL)
+        return c_get_user_entropy(handle, pout, entropy, min_len, max_len);
+    if (c_get_entropy != NULL)
+        return c_get_entropy(handle, pout, entropy, min_len, max_len);
+    return 0;
 }
 
 void ossl_prov_cleanup_entropy(PROV_CTX *prov_ctx, unsigned char *buf,
                                size_t len)
 {
-    if (c_cleanup_entropy != NULL)
-        c_cleanup_entropy(ossl_prov_ctx_get0_handle(prov_ctx), buf, len);
+    const OSSL_CORE_HANDLE *handle = CORE_HANDLE(prov_ctx);
+
+    if (c_cleanup_user_entropy != NULL)
+        c_cleanup_user_entropy(handle, buf, len);
+    else if (c_cleanup_entropy != NULL)
+        c_cleanup_entropy(handle, buf, len);
 }
 
 size_t ossl_prov_get_nonce(PROV_CTX *prov_ctx, unsigned char **pout,
                            size_t min_len, size_t max_len,
                            const void *salt,size_t salt_len)
 {
-    if (c_get_nonce == NULL)
-        return 0;
-    return c_get_nonce(ossl_prov_ctx_get0_handle(prov_ctx), pout,
-                       min_len, max_len, salt, salt_len);
+    const OSSL_CORE_HANDLE *handle = CORE_HANDLE(prov_ctx);
+
+    if (c_get_user_nonce != NULL)
+        return c_get_user_nonce(handle, pout, min_len, max_len, salt, salt_len);
+    if (c_get_nonce != NULL)
+        return c_get_nonce(handle, pout, min_len, max_len, salt, salt_len);
+    return 0;
 }
 
 void ossl_prov_cleanup_nonce(PROV_CTX *prov_ctx, unsigned char *buf, size_t len)
 {
-    if (c_cleanup_nonce != NULL)
-        c_cleanup_nonce(ossl_prov_ctx_get0_handle(prov_ctx), buf, len);
+    const OSSL_CORE_HANDLE *handle = CORE_HANDLE(prov_ctx);
+
+    if (c_cleanup_user_nonce != NULL)
+        c_cleanup_user_nonce(handle, buf, len);
+    else if (c_cleanup_nonce != NULL)
+        c_cleanup_nonce(handle, buf, len);
 }

+ 32 - 32
libs/openssl/providers/fips-sources.checksums

@@ -86,7 +86,7 @@ d94295953ab91469fe2b9da2a542b8ea11ac38551ecde8f8202b7f645c2dea16  crypto/bn/bn_d
 74b63a4515894592b7241fb30b91b21510beaa3d397809e3d74bc9a73e879d18  crypto/bn/bn_div.c
 98f5d5ac4bb7cc9ba4326ff48eca6830763c72efe13c97f523714aed082be860  crypto/bn/bn_exp.c
 ec2b6e3af6df473a23e7f1a8522f2554cb0eb5d34e3282458c4a66d242278434  crypto/bn/bn_exp2.c
-79d9999d197e2c797fdece0a6467d04aaca549abf80dd874859f8f4308ddf3c7  crypto/bn/bn_gcd.c
+5d7ece58f63fbf2f3e685b815e6c71c380ec3b09a78d97863b0687bec5010433  crypto/bn/bn_gcd.c
 4d6cc7ed36978247a191df1eea0120f8ee97b639ba228793dabe5a8355a1a609  crypto/bn/bn_gf2m.c
 081e8a6abc23599307dab3b1a92113a65e0bf8717cbc40c970c7469350bc4581  crypto/bn/bn_intern.c
 602ed46fbfe12c899dfb7d9d99ff0dbfff96b454fce3cd02817f3e2488dd9192  crypto/bn/bn_kron.c
@@ -129,20 +129,20 @@ eeef5722ad56bf1af2ff71681bcc8b8525bc7077e973c98cee920ce9bcc66c81  crypto/des/ecb
 61926e30dd940616e80936d1c94c5f522daf0d475fb3a40a9e589e78f322901e  crypto/des/set_key.c
 8344811b14d151f6cd40a7bc45c8f4a1106252b119c1d5e6a589a023f39b107d  crypto/des/spr.h
 816472a54c273906d0a2b58650e0b9d28cc2c8023d120f0d77160f1fe34c4ca3  crypto/dh/dh_backend.c
-d2d0569bea2598bd405f23b60e5283a6ce353f1145a25ff8f28cf15711743156  crypto/dh/dh_check.c
+fcbfe5acb73e1b4094efec56a754b803d2c1a53644c78cf6a73ae868e3f3886d  crypto/dh/dh_check.c
 c117ac4fd24369c7813ac9dc9685640700a82bb32b0f7e038e85afd6c8db75c7  crypto/dh/dh_gen.c
 6b17861887b2535159b9e6ca4f927767dad3e71b6e8be50055bc784f78e92d64  crypto/dh/dh_group_params.c
 a539a8930035fee3b723d74a1d13e931ff69a2b523c83d4a2d0d9db6c78ba902  crypto/dh/dh_kdf.c
-0afa7dd237f9b21b0cfb0de10505facd57eb07ded905d888d43a1de2356d4002  crypto/dh/dh_key.c
-b0046b2c4e1d74ff4e93f2486a00f63728909b8a75cbdd29b9100e607f97995c  crypto/dh/dh_lib.c
+9e61a0b5017d835b348b15e93760c42d8d899ffae4251455c7b3085cfd25294c  crypto/dh/dh_key.c
+92345c259ea2a8c09e6d6b069d0942bd6ca4642231580f3e8148ae7a832a1115  crypto/dh/dh_lib.c
 8300775d88db0a1aa26a77eb49d6c4f7252e7fee69e1440de4c40edadc9da044  crypto/dh/dh_local.h
 bbcf4fc3067ac462a27d7277973180b7dc140df9262a686c7fbe4318ca01f7b8  crypto/dsa/dsa_backend.c
-b9c5992089203123c3fae46e39bb4d05e19854087bca7a30ad1f82a3505deec7  crypto/dsa/dsa_check.c
+d7e0d87494e3b3f0898a56785a219e87a2ce14416393ec32d8c0b5f539c7bdbf  crypto/dsa/dsa_check.c
 ae727bf6319eb57e682de35d75ea357921987953b3688365c710e7fba51c7c58  crypto/dsa/dsa_gen.c
 100889e879ffba26b3f2cf0a118943e7cf04076e632d76cfacf96c133949791a  crypto/dsa/dsa_key.c
-9e436a2e0867920c3a5ac58bc14300cad4ab2c4c8fe5e40b355dfd21bfdfe146  crypto/dsa/dsa_lib.c
+9f4837c5abe53613a2dc1c5db81d073d4f42bd28b6a2d1e93a2b350d8e25d52a  crypto/dsa/dsa_lib.c
 f4d52d3897219786c6046bf76abb2f174655c584caa50272bf5d281720df5022  crypto/dsa/dsa_local.h
-38062c6eebdb2f88fa0c6592837a96a49de2ae520d3ad483a3e02921c8adb094  crypto/dsa/dsa_ossl.c
+c5c252f205482a71efeabe226d51a1c541a6ba2dfa9b8b8a70901087a9dc1667  crypto/dsa/dsa_ossl.c
 d612fd05ff98816ba6cf37f84c0e31443ad9d840ed587a7ab2066027da390325  crypto/dsa/dsa_sign.c
 53fa10cc87ac63e35df661882852dc46ae68e6fee83b842f1aeefe00b8900ee1  crypto/dsa/dsa_vrf.c
 d9722ad8c6b6e209865a921f3cda831d09bf54a55cacd1edd9802edb6559190a  crypto/ec/asm/ecp_nistp521-ppc64.pl
@@ -200,11 +200,11 @@ f288c23b6f83740956886b2303c64d5a3098c98b530859c3bb4b698c01c1643b  crypto/ec/ecp_
 0e75a058dcbbb62cfe39fec6c4a85385dc1a8fce794e4278ce6cebb29763b82b  crypto/evp/dh_support.c
 f83e7c6bcc4d0e868eabc9e746c875c40e6df58e839a483449f81e92df314b7c  crypto/evp/digest.c
 838277f228cd3025cf95a9cd435e5606ad1fb5d207bbb057aa29892e6a657c55  crypto/evp/ec_support.c
-3852aee37acb3ccbb774dafd2e4d571ccd05ff928473202d5154199a9a8d62c0  crypto/evp/evp_enc.c
+5cc8225a5a4df7a0feeeb5a7fd07bd826072f1c212772094c02ca26024d33b62  crypto/evp/evp_enc.c
 4b15287d3ce9cb75cb5ac68003c0deddc2688ffd4abb065eaa04d0998efcbcf9  crypto/evp/evp_fetch.c
 ce982249442688249f7c53d0824ae6affb1cf89281f35fbd68c1e0c4c57217d3  crypto/evp/evp_lib.c
 5afebfcf415079974ab3b8b70eac93b618fd264135cd68fee5834edffc60ce22  crypto/evp/evp_local.h
-8dcb59a4222335424349f2af4ba8501d4904f80770774ecc4a5201b9350de0eb  crypto/evp/evp_rand.c
+958c32605960fff7a56ddbf2708a9b74f0e30d00c9e415e1fd111fefd3feb0b5  crypto/evp/evp_rand.c
 2a128617ec0178e9eeacbe41d75a5530755f41ea524cd124607543cf73456a0c  crypto/evp/evp_utils.c
 ca8c6cfd30efd53f2e5d1f19bcf09a3a3d0dff6d8947c3943d07a3f4b354aa86  crypto/evp/exchange.c
 9e25042581b73e295c059c6217f3ecf809134d518eb79b1b67f34e3ca9145677  crypto/evp/kdf_lib.c
@@ -220,19 +220,19 @@ e7e8eb5683cd3fbd409df888020dc353b65ac291361829cc4131d5bc86c9fcb3  crypto/evp/mac
 1f0e9e94e9b0ad322956521b438b78d44cfcd8eb974e8921d05f9e21ba1c05cf  crypto/evp/pmeth_gn.c
 76511fba789089a50ef87774817a5482c33633a76a94ecf7b6e8eb915585575d  crypto/evp/pmeth_lib.c
 4b2dbddf0f9ceed34c3822347138be754fb194febca1c21c46bcc3a5cce33674  crypto/evp/signature.c
-862051944c4f86a6da1be40f4481feb26eee276981f92fd48813cc2c60bee048  crypto/ex_data.c
+600a90728cea180e3c9f6ac5269fa86fef82494f9cde3d8914df3387c80afbfd  crypto/ex_data.c
 1c8389c5d49616d491978f0f2b2a54ba82d805ec41c8f75c67853216953cf46a  crypto/ffc/ffc_backend.c
 a12af33e605315cdddd6d759e70cd9632f0f33682b9aa7103ed1ecd354fc7e55  crypto/ffc/ffc_dh.c
 854378f57707e31ad02cca6eec94369f91f327288d3665713e249c12f7b13211  crypto/ffc/ffc_key_generate.c
-2695c9c8ad9193a8c1ab53d5d09712d50d12c91eb8d62e8a15cbc78f327afe84  crypto/ffc/ffc_key_validate.c
+4e973d956d4ec2087994de8e963be1a512da1441f22e6e7b9cd7ee536e3ff834  crypto/ffc/ffc_key_validate.c
 8b72d5a7452b2c15aec6d20027053a83f7df89d49a3b6cfedd77e2b1a29e9fc1  crypto/ffc/ffc_params.c
 1a1d227f9a0f427d2ec93bc646c726c9cd49a84a343b4aff0c9c744fa6df05a9  crypto/ffc/ffc_params_generate.c
 73dac805abab36cd9df53a421221c71d06a366a4ce479fa788be777f11b47159  crypto/ffc/ffc_params_validate.c
 0a4fc92e408b0562cf95c480df93a9907a318a2c92356642903a5d50ed04fd88  crypto/hmac/hmac.c
 0395c1b0834f2f4a0ca1756385f4dc1a4ef6fb925b2db3743df7f57256c5166f  crypto/hmac/hmac_local.h
 0e2d6129504d15ffaf5baa63158ccec0e4b6193a8275333956d8f868ef35127e  crypto/ia64cpuid.S
-5b38180a8ed150ab1be44a86cacd0c6668d2e6ba3de6b0c3420c8056543af54d  crypto/initthread.c
-29c58cd3875ee6eb84efe9c2a5085e434a1172f4183dff300634ff0c680d58ce  crypto/lhash/lhash.c
+3f123f7de496711fa60c47aeaef96640571dbcb1657b23901307e04c3d712579  crypto/initthread.c
+f91d8ca9ac5e7f6ba3282ab53700acf7dc477972d2effd239518043eb1a59a96  crypto/lhash/lhash.c
 5d49ce00fc06df1b64cbc139ef45c71e0faf08a33f966bc608c82d574521a49e  crypto/lhash/lhash_local.h
 a4f8f200ca749db91da97735c107836dfb2b623424b15c020ec6e48d874f4564  crypto/loongarch64cpuid.pl
 460a7af09cde89a820b091522ada1310cfcec99c60aee505f94c48c35e9a29e8  crypto/loongarchcap.c
@@ -265,7 +265,7 @@ e55a816c356b2d526bc6e40c8b81afa02576e4d44c7d7b6bbe444fb8b01aad41  crypto/modes/w
 dc2a6064c95ec84e8f73181123cad0721ca3931b922e2872d77bde1704f0cea4  crypto/o_str.c
 8ddbbdf43131c10dcd4428aef0eff2b1e98b0410accada0fad41a4925868beef  crypto/packet.c
 f86fbec8357ef5bbc6442d11717db88a57a7f453fac4b082282b1370abace9e2  crypto/param_build.c
-fa2062acdb901c9b15904b5c8f805247bba8b0eaa935c35fdfbe8d53ff463a7a  crypto/param_build_set.c
+cae7bd4973d36edbdc3bdd8d2c8d157f2c4fcfae00fdf821b67aebb789bc8aa6  crypto/param_build_set.c
 ce0e3fb4f466947b58d19a6fbc6c909ba0767b752ec8f563bfa7a8497b9a67d7  crypto/params.c
 5aed5133eac67516866a8187ec875ff2f8abac4272f80264b52fa225b732dc4a  crypto/params_dup.c
 a0097ff2da8955fe15ba204cb54f3fd48a06f846e2b9826f507b26acf65715c3  crypto/params_from_text.c
@@ -274,23 +274,23 @@ a0097ff2da8955fe15ba204cb54f3fd48a06f846e2b9826f507b26acf65715c3  crypto/params_
 467c416422ecf61e3b713c5eb259fdbcb4aa73ae8dee61804d0b85cfd3fff4f7  crypto/property/defn_cache.c
 0d6df2dfb9896ed00c27e97f190ccd9d581e54e16fb1cbaba587ad1b34c5f1b2  crypto/property/property.c
 66da4f28d408133fb544b14aeb9ad4913e7c5c67e2826e53f0dc5bf4d8fada26  crypto/property/property_local.h
-988e14f794b50729aa9e809e1160d7c52cc77bc891df037ac19cefa946df20cc  crypto/property/property_parse.c
+79011789ce1c74d41cbd611d11eecccb0355b9318a53917f362bb8ccec67e417  crypto/property/property_parse.c
 a7cefda6a117550e2c76e0f307565ce1e11640b11ba10c80e469a837fd1212a3  crypto/property/property_query.c
 20e69b9d594dfc443075eddbb0e6bcc0ed36ca51993cd50cc5a4f86eb31127f8  crypto/property/property_string.c
 8bf2a635dbd2977f8e52506fc23392c9be78d1928114c1754c8d577916645082  crypto/provider_core.c
 d0af10d4091b2032aac1b7db80f8c2e14fa7176592716b25b9437ab6b53c0a89  crypto/provider_local.h
 5ba2e1c74ddcd0453d02e32612299d1eef18eff8493a7606c15d0dc3738ad1d9  crypto/provider_predefined.c
-470406e440ed0f117743fb645e4c9ac5319df03a06863675f88ebfd3be820a64  crypto/rand/rand_lib.c
+aec47f5e7ec054226692df055a90305fd0dbaf0fbf20b56df353c04a2c2725e0  crypto/rand/rand_lib.c
 fd03b9bb2c23470fa40880ed3bf9847bb17d50592101a78c0ad7a0f121209788  crypto/rand/rand_local.h
 f67fcf8351b046a00cf1baea29aefab3b4fc9521e0ba508abdd1a9ca44de40c3  crypto/riscv32cpuid.pl
 c0ff6a8ca7f52f759a945c4d475d00168b12386324e8177f301127b405ca793e  crypto/riscv64cpuid.pl
 a0870a2d4189788a4500227e7142f2fd9805357ecf083699273ef94b1f455ae3  crypto/riscvcap.c
 f0c8792a99132e0b9c027cfa7370f45594a115934cdc9e8f23bdd64abecaf7fd  crypto/rsa/rsa_acvp_test_params.c
-9e7dd6fc91d3266d4aa4f0f41b7986381122b7d98114e63ebf04c5ee298b5fda  crypto/rsa/rsa_backend.c
+5834d7c518ad53ea0dd3db811c0e51568c81cc6c117012030101d29003d0725c  crypto/rsa/rsa_backend.c
 38a102cd1da1f6ca5a46e6a22f018237964336274385f5c70cbedcaa6997647e  crypto/rsa/rsa_chk.c
 e32cfa04221a2a3ea33f7bcb93ee51b84cbeba97e94c1fbf6e420b24f97fc9ce  crypto/rsa/rsa_crpt.c
 e995da1c2e5007bd7f5907f369fe45ed15f4e657143a85078c755bd5e6863d0b  crypto/rsa/rsa_gen.c
-74ed75d1d8e0844800504a137bfd81c3dbcb6c4bd58b5d5fe9d0a362092b6e88  crypto/rsa/rsa_lib.c
+f2222f270e57559537d3da8abbeb1390bc5376b73dae59d536af6e73eb48bba0  crypto/rsa/rsa_lib.c
 a65e85be5269d8cb88e86b3413c978fa8994419a671092cbf104ff1a08fda23b  crypto/rsa/rsa_local.h
 cf0b75cd54b61b9b9a290ef18d0ddce9fb26a029a54eb3f720d9b25188440f00  crypto/rsa/rsa_mp_names.c
 5c60f6e05db82e13178d805deb1947b8eee4a905e6e77523d3b288da70a46bb5  crypto/rsa/rsa_none.c
@@ -369,7 +369,7 @@ bbec287bb9bf35379885f8f8998b7fd9e8fc22efee9e1b299109af0f33a7ee16  crypto/x86cpui
 feec318e3875def5c5b6cf9ade636e1bc2f3f200d2390f39152eb9ef7d8e7ce7  include/crypto/bn.h
 1c46818354d42bd1b1c4e5fdae9e019814936e775fd8c918ca49959c2a6416df  include/crypto/bn_conf.h.in
 7a43a4898fcc8446065e6c99249bcc14e475716e8c1d40d50408c0ab179520e6  include/crypto/bn_dh.h
-9f1fa7b67a1664dd0fdc60aa65b153467398aeb07d8bc82c16a6341b2d96dc2f  include/crypto/context.h
+04efb7f98705423b2a63a697a174d37c66d12edf349770e8433b2da5301be390  include/crypto/context.h
 e69b2b20fb415e24b970941c84a62b752b5d0175bc68126e467f7cc970495504  include/crypto/cryptlib.h
 6c72cfa9e59d276c1debcfd36a0aff277539b43d2272267147fad4165d72747c  include/crypto/ctype.h
 89693e0a7528a9574e1d2f80644b29e3b895d3684111dd07c18cc5bed28b45b7  include/crypto/des_platform.h
@@ -377,11 +377,11 @@ daf508bb7ed5783f1c8c622f0c230e179244dd3f584e1223a19ab95930fbcb4f  include/crypto
 20d99c9a740e4d7d67e23fa4ae4c6a39d114e486c66ad41b65d91a8244cd1dea  include/crypto/dsa.h
 2ea47c059e84ce9d14cc31f4faf45f64d631de9e2937aa1d7a83de5571c63574  include/crypto/ec.h
 edbfae8720502a4708983b60eac72aa04f031059f197ada31627cb5e72812858  include/crypto/ecx.h
-952d5ec260fd49065e1d95f27cc1f492f9539083efcac469f35803f5a259c6ba  include/crypto/evp.h
+596d8efb42a05d3d11fa81d38193828b46e812f7b2553f2bfaf398b35b7b1da8  include/crypto/evp.h
 bbe5e52d84e65449a13e42cd2d6adce59b8ed6e73d6950917aa77dc1f3f5dff6  include/crypto/lhash.h
 9190c0b67ead73be80c0b9e53a492bbbc7f22641e6abed82e105fd80198595c4  include/crypto/md32_common.h
 cf90ee889f93092e260ae6d7a01bbefbf3ad8651153729206e45db671bac3dab  include/crypto/modes.h
-8aa4f71ebd9753baceed428e323d5f550d74aff43ab9a55eda7c096d838b8f49  include/crypto/rand.h
+b194efe362380fe989e1f6cbd96c0899496949f17676f3a1ee541731511ce672  include/crypto/rand.h
 90930fc8788d6e04e57829346e0405293ac7a678c3cef23d0692c742e9586d09  include/crypto/rand_pool.h
 306abf9d327a9e63fff2cdef730275abc4d2781254a032b1f370f3428eb5a2ef  include/crypto/rsa.h
 32f0149ab1d82fddbdfbbc44e3078b4a4cc6936d35187e0f8d02cc0bc19f2401  include/crypto/security_bits.h
@@ -430,8 +430,8 @@ f20c3c845129a129f5e0b1dae970d86a5c96ab49f2e3f6f364734521e9e1abe3  include/openss
 02a1baff7b71a298419c6c5dcb43eaa9cc13e9beeb88c03fb14854b4e84e8862  include/openssl/configuration.h.in
 6b3810dac6c9d6f5ee36a10ad6d895a5e4553afdfb9641ce9b7dc5db7eef30b7  include/openssl/conftypes.h
 df5e60af861665675e4a00d40d15e36884f940e3379c7b45c9f717eaf1942697  include/openssl/core.h
-00110e80b9b4f621c604ea99f05e7a75d3db4721fc2779224e6fa7e52f06e345  include/openssl/core_dispatch.h
-85db1348b0a925404a06e323aa587a2b5f9468ff9c2d9284e6a78998f9532ae9  include/openssl/core_names.h
+c5e821b6e8191fa6a8377df741f746dbdad84803a111e3675e945662fe3d5cd5  include/openssl/core_dispatch.h
+206559e1af84fd1ff4144cf63133559ee814ad6684656a5d69346f395eddc995  include/openssl/core_names.h
 80e6806ba08aaafb45fefc6fec015f93bf3b717ff61f83f33dfd54f5ff3bd00e  include/openssl/crypto.h.in
 2f9570c2514b4d1b2a86fbdf30ced879e5c52e62f1d3691cb3da37ce4f6a98dd  include/openssl/cryptoerr.h
 bbc82260cbcadd406091f39b9e3b5ea63146d9a4822623ead16fa12c43ab9fc6  include/openssl/cryptoerr_legacy.h
@@ -447,7 +447,7 @@ b6a11924ed95072f4af0a895ee6b93d17aa06104619fb79c9cd0a7bfd5c9164c  include/openss
 61c76ee3f12ed0e42503a56421ca00f1cb9a0f4caa5f9c4421c374bcd45917d7  include/openssl/encoder.h
 69dd983f45b8ccd551f084796519446552963a18c52b70470d978b597c81b2dc  include/openssl/encodererr.h
 c6ee8f17d7252bdd0807a124dc6d50a95c32c04e17688b7c2e061998570b7028  include/openssl/err.h.in
-f55d107d6b31ba1e0b4a2f27480aa9b2e044240c3acbb7eb589eeb9d87a1d273  include/openssl/evp.h
+87451ed43c9cacf86e76bc974e0832cc9600001cef7d4b8a6acd6ddc6ab3d565  include/openssl/evp.h
 5bd1b5dcd14067a1fe490d49df911002793c0b4f0bd4492cd8f71cfed7bf9f2a  include/openssl/evperr.h
 3085bc5a77ea3776619bf9c748632a3a23f1d8dcad5239ba0f48939f375fb0e8  include/openssl/fips_names.h
 b1d41beba560a41383f899a361b786e04f889106fb5960ec831b0af7996c9783  include/openssl/fipskey.h.in
@@ -467,7 +467,7 @@ fe6acd42c3e90db31aaafc2236a7d30ebfa53c4c07ea4d8265064c7fcb951970  include/openss
 033c0dd117bbd44af2af9ab2eddb16552bd46ce1ce7435736a187ef82357ee92  include/openssl/proverr.h
 b97e8ad49b38683817387596aefec0abd5f4d572643beef48be4f7acba26768d  include/openssl/provider.h
 e512ab2e492d968a9bf8b2b048f79ac5dfe11bddf3c00f2eec6e9c6ecc57d330  include/openssl/rand.h
-108966f56c82fedff53df76a4aa7861c82be4db1fd1ddafb59dc086ea155831c  include/openssl/randerr.h
+5be9d723cf368b48ab35bda5db1a3e83bda6e9e38218dd0b020be1a5427e7488  include/openssl/randerr.h
 140340d4735a8bac1be0a07f5446ce316619ebacde0f8a8a942ab03ddc4f3da3  include/openssl/rsa.h
 2f339ba2f22b8faa406692289a6e51fdbbb04b03f85cf3ca849835e58211ad23  include/openssl/rsaerr.h
 6586f2187991731835353de0ffad0b6b57609b495e53d0f32644491ece629eb2  include/openssl/safestack.h.in
@@ -508,16 +508,16 @@ e1ef8b2be828a54312d6561b37751a5b6e9d5ebdb6c3e63589728c3d8adca7dc  providers/comm
 c2b4301a9f835c0b3776ad3afba7121d00cd7ae6387fe11c96269a37da08027c  providers/common/include/prov/securitycheck.h
 737cc1228106e555e9bab24e3c2438982e04e05b0d5b9ee6995d71df16c49143  providers/common/provider_ctx.c
 34d0b6d119167d18770ac47e6cee0ad169ec9318e9a33747341a1a75beb20175  providers/common/provider_err.c
-9eae3e2cac89c7b63d091fdca1b6d80c5c5d52aa79c8ba4ce0158c5437ad62f3  providers/common/provider_seeding.c
+18fe559e6634615caaee95c70c6fdcbc0327df8f787290d1a2272904f41bd8ab  providers/common/provider_seeding.c
 8008cc352afcc74177ae3c61dd997097395bddcec4461871c0f52ffed6b7e50c  providers/common/provider_util.c
 5b94312727ca33e4f5c038f4caaae8417bf584cfde22df83d91f3c55c30c81ee  providers/common/securitycheck.c
 bc4370324c4c8791ea6de8641d255073c6745ee984e18912d535e155d9815244  providers/common/securitycheck_fips.c
 abd5997bc33b681a4ab275978b92aebca0806a4a3f0c2f41dacf11b3b6f4e101  providers/fips/fips_entry.c
-d8f2941b87d45ca9db666f2d5a93c15a26a49c24274b3ac54c2185d2948b1feb  providers/fips/fipsprov.c
-bf247e11ce05e274ab668e80e6e86ed3747b2848570e20b993e68b54559334a3  providers/fips/self_test.c
+503691dec27f35f02348a4144632c5a9d80400140c2386096e47ac4d708e13bb  providers/fips/fipsprov.c
+029fad3c27617c725e516621c2f6c3a0e1dca0fa22f4e89a1a6b9a977c8d935d  providers/fips/self_test.c
 f822a03138e8b83ccaa910b89d72f31691da6778bf6638181f993ec7ae1167e3  providers/fips/self_test.h
 551631b909f8d173eafcccac782a44c8aed92bb8463bfccdb936b7f3aee2a48b  providers/fips/self_test_data.inc
-ed6dc106e223a422b133f774f94079fcd404899d7fad624179dd152354dbb500  providers/fips/self_test_kats.c
+5b6d8dbc1365974eb9a5d417b2276d40fa7b9e733bb224200d20a61b4b025973  providers/fips/self_test_kats.c
 cd784a44a01a8a30a6be63381344a7f5432e74d40b02ea471c5b0dc943a7ac9d  providers/implementations/asymciphers/rsa_enc.c
 4db1826ecce8b60cb641bcd7a61430ec8cef73d2fe3cbc06aa33526afe1c954a  providers/implementations/ciphers/cipher_aes.c
 f9d4b30e7110c90064b990c07430bb79061f4436b06ccaa981b25c306cfbfaa2  providers/implementations/ciphers/cipher_aes.h
@@ -586,7 +586,7 @@ abe2b0f3711eaa34846e155cffc9242e4051c45de896f747afd5ac9d87f637dc  providers/impl
 a66987548504bbe5bb81b80e7c1e190ab68abd852fb04f59ae40fd4e93160841  providers/implementations/kdfs/tls1_prf.c
 1e5aaa6dc3bb52b0b5a07e662386b71e0e3ee7c83b9f15a4144ab24264c7431c  providers/implementations/kdfs/x942kdf.c
 8e8b9094c757c78638f60d7bde822a035adeecde11f9565cbd24c1322ec7e06b  providers/implementations/kem/rsa_kem.c
-9d5eb7e056e790b1b4292ec7af03fbf0b26e34625c70eb36643451965bcfc696  providers/implementations/keymgmt/dh_kmgmt.c
+11a0d0fb88ed88e965f10b3a0ef6c880f60341df995128f57ad943053aaf15b2  providers/implementations/keymgmt/dh_kmgmt.c
 a329f57cb041cd03907e9d996fbc2f378ee116c7f8d7fbf1ea08b7a5df7e0304  providers/implementations/keymgmt/dsa_kmgmt.c
 9bc88451d3ae110c7a108ee73d3b3b6bda801ec3494d2dfb9c9970b85c2d34fe  providers/implementations/keymgmt/ec_kmgmt.c
 258ae17bb2dd87ed1511a8eb3fe99eed9b77f5c2f757215ff6b3d0e8791fc251  providers/implementations/keymgmt/ec_kmgmt_imexport.inc
@@ -597,14 +597,14 @@ a329f57cb041cd03907e9d996fbc2f378ee116c7f8d7fbf1ea08b7a5df7e0304  providers/impl
 d0eff68c72e177c3fe0c77bc8c38eded7e3ce41f72042e2c034c706a12284dd5  providers/implementations/macs/cmac_prov.c
 e69aa06f8f3c6f5a26702b9f44a844b8589b99dc0ee590953a29e8b9ef10acbe  providers/implementations/macs/gmac_prov.c
 895c8dc7235b9ad5ff893be0293cbc245a5455e8850195ac7d446646e4ea71d0  providers/implementations/macs/hmac_prov.c
-f75fbfe5348f93ad610da7d310f4e8fecf18c0549f27605da25d393c33e0edc2  providers/implementations/macs/kmac_prov.c
+8640b63fd8325aaf8f7128d6cc448d9af448a65bf51a8978075467d33a67944e  providers/implementations/macs/kmac_prov.c
 3034074f99b02db045f2ccecc8782322e876dad07a3c169bdb24168b6b1f8cbd  providers/implementations/rands/crngt.c
 4430964416b0d7b77fdb6c0c2e5707b6ed775d956f991d703a5566183e53f6f8  providers/implementations/rands/drbg.c
 bb5f8161a80d0d1a7ee919af2b167972b00afd62e326252ca6aa93101f315f19  providers/implementations/rands/drbg_ctr.c
 56bf1ac85ed6d593e2360f30daf3b6a6a0067eb069db24bbbee07e37fcb75eba  providers/implementations/rands/drbg_hash.c
 8ed3b26de4186cc7ef883e20125ffa729275a9d4ae06ddc6294af74f170e3e43  providers/implementations/rands/drbg_hmac.c
 e1c1c2554adb92d29b035015c1114512e6b8a6781ed31861d812a8a5bb9b34ec  providers/implementations/rands/drbg_local.h
-04339b66c10017229ef368cb48077f58a252ebfda9ab12b9f919e4149b1036ed  providers/implementations/rands/test_rng.c
+a3072e7516b603f3ab9586a5bc4dce18d23b6300108e6e3514a2da09d73b8021  providers/implementations/rands/test_rng.c
 6bb8ae1a0608746d42c7162a51e8245c5b9868be4c6e51bef30ae39ef06b60f3  providers/implementations/signature/dsa_sig.c
 a30dc6308de0ca33406e7ce909f3bcf7580fb84d863b0976b275839f866258df  providers/implementations/signature/ecdsa_sig.c
 9a752462904fc50748c15cdab54262b0bf5e2a8220fbd718d93ccb60aa551fee  providers/implementations/signature/eddsa_sig.c

+ 1 - 1
libs/openssl/providers/fips.checksum

@@ -1 +1 @@
-21be74107ee92b5ab2e205c5cd5f34303808b27bfd9fe17c17650e7c2c0aad38  providers/fips-sources.checksums
+99cfe3d94b8231ef68881031b05156f7e52b2b595211248f09775610bb2b2480  providers/fips-sources.checksums

Algunos archivos no se mostraron porque demasiados archivos cambiaron en este cambio