Emit PERLASM_SCHEME to fix GitMake on OS X

This fixes the errors when trying to assemble .s files using GitMake on OS X.

Change-Id: I2221f558619302d22e0c57d7203173d634155678
Signed-off-by: Mike Bland <mbland@acm.org>
Signed-off-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>

Add cscope.out and .d files to .gitignore

cscope.out is generated by cscope as described in:
http://wiki.openssl.org/index.php/Testing_and_Development_Tools_and_Tips

.d files are compiler-generated Makefile dependency files (e.g. using
'gcc -MMD -MP foo.c').

Change-Id: I2338858a6b6ee0527837d10a8b55cff1689023fd
Signed-off-by: Mike Bland <mbland@acm.org>
Signed-off-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>

Additional output for ssltest.

Print out more details of the conection in ssltest specifically:
server certificate curve name for EC, server temporary key (if any)
and peer signing digest.
Reviewed-by: Matt Caswell <matt@openssl.org>

Add SSL_CONF support to ssltest.

Add command line support for SSL_CONF: server side arguments are
prefixed by -s_ (e.g. -s_no_ssl3) and client side with -c_.
Reviewed-by: Matt Caswell <matt@openssl.org>

Fix cross reference table generator.

If the hash or public key algorithm is "undef" the signature type
will receive special handling and shouldn't be included in the
cross reference table.
Reviewed-by: Tim Hudson <tjh@openssl.org>

Fixes a minor typo in the EVP docs.

Out is the buffer which needs to contain at least inl + cipher_block_size - 1 bytes. Outl
is just an int*.

Reviewed-by: Emilia Käsper <emilia@openssl.org>

Correct timestamp output when clock_precision_digits > 0

PR#3535

Reviewed-by: Stephen Henson <steve@openssl.org>

Fix free of garbage pointer. PR#3595

Reviewed-by: Emilia Käsper <emilia@openssl.org>

Fix warning about negative unsigned intergers

Reviewed-by: Richard Levitte <levitte@openssl.org>

Fix datarace reported by valgrind/helgrind

This doesn't really fix the datarace but changes it so it can only happens
once. This isn't really a problem since we always just set it to the same
value. We now just stop writing it after the first time.

PR3584, https://bugs.debian.org/534534

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>

Fix spelling of EECDH

Reviewed-by: Matt Caswell <matt@openssl.org>

armv4cpuid.S: fix compilation error in pre-ARMv7 build.

PR: 3474
Reviewed-by: Kurt Roeckx <kurt@openssl.org>

Fix WIN32 build by disabling bn* calls.

The trial division and probable prime with coprime tests are disabled
on WIN32 builds because they use internal functions not exported from
the WIN32 DLLs.
Reviewed-by: Emilia Käsper <emilia@openssl.org>

ec/asm/ecp_nistz256-x86_64.pl: fix inconsistency in path handling.

Reviewed-by: Tim Hudson <tjh@openssl.org>

md32_common.h: address compiler warning in HOST_c2l.

Reviewed-by: Stephen Henson <steve@openssl.org>

Use only unsigned arithmetic in constant-time operations

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Emilia Käsper <emilia@openssl.org>

Tighten session ticket handling

Tighten client-side session ticket handling during renegotiation:
ensure that the client only accepts a session ticket if the server sends
the extension anew in the ServerHello. Previously, a TLS client would
reuse the old extension state and thus accept a session ticket if one was
announced in the initial ServerHello.

Reviewed-by: Bodo Moeller <bodo@openssl.org>

Add missing CHANGES interval [1.0.1h, 1.0.1i]

Reviewed-by: Rich Salz <rsalz@openssl.org>

Sync CHANGES

Reviewed-by: Rich Salz <rsalz@openssl.org>

Fix ssltest logic when some protocols are compiled out.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Geoff Thorpe <geoff@openssl.org>

Copy negotiated parameters in SSL_set_SSL_CTX.

SSL_set_SSL_CTX is used to change the SSL_CTX for SNI, keep the
supported signature algorithms and raw cipherlist.
Reviewed-by: Tim Hudson <tjh@openssl.org>

Process signature algorithms in ClientHello late.

Reviewed-by: Tim Hudson <tjh@openssl.org>

ecp_nistz256 update.

Facilitate switch to custom scatter-gather routines. This modification
does not change algorithms, only makes it possible to implement
alternative. This is achieved by a) moving precompute table to assembly
(perlasm parses ecp_nistz256_table.c and is free to rearrange data to
match gathering algorithm); b) adhering to explicit scatter subroutine
(which for now is simply a memcpy). First implementations that will use
this option are 32-bit assembly implementations, ARMv4 and x86, where
equivalent of current read-whole-table-select-single-value algorithm
is too time-consuming. [On side note, switching to scatter-gather on
x86_64 would allow to improve server-side ECDSA performance by ~5%].

Reviewed-by: Bodo Moeller <bodo@openssl.org>

Configure: add ios64 target.

Reviewed-by: Steve Marquess <marquess@openssl.org>

Add missing credit.

Reviewed-by: Rich Salz <rsalz@openssl.org>

Fix and improve SSL_MODE_SEND_FALLBACK_SCSV documentation.

Reviewed-by: Rich Salz <rsalz@openssl.org>

When processing ClientHello.cipher_suites, don't ignore cipher suites
listed after TLS_FALLBACK_SCSV.

RT: 3575
Reviewed-by: Emilia Kasper <emilia@openssl.org>

Keep old method in case of an unsupported protocol

When we're configured with no-ssl3 and we receive an SSL v3 Client Hello, we set
the method to NULL.  We didn't used to do that, and it breaks things.  This is a
regression introduced in 62f45cc27d07187b59551e4fad3db4e52ea73f2c.  Keep the old
method since the code is not able to deal with a NULL method at this time.

CVE-2014-3569, PR#3571

Reviewed-by: Emilia Käsper <emilia@openssl.org>

no-ssl2 with no-ssl3 does not mean drop the ssl lib

Reviewed-by: Geoff Thorpe <geoff@openssl.org>

RT3547: Add missing static qualifier

Reviewed-by: Ben Laurie <ben@openssl.org>

Add constant_time_locl.h to HEADERS,
so the Win32 compile picks it up correctly.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Conflicts:
crypto/Makefile

Include "constant_time_locl.h" rather than "../constant_time_locl.h".
The different -I compiler parameters will take care of the rest...

Reviewed-by: Tim Hudson <tjh@openssl.org>
Conflicts:
crypto/evp/evp_enc.c
crypto/rsa/rsa_oaep.c
crypto/rsa/rsa_pk1.c

Updates to NEWS file

Reviewed-by: Dr Stephen Henson <steve@openssl.org>

Updates CHANGES file

Reviewed-by: Bodo Möller <bodo@openssl.org>

Fix no-ssl3 configuration option

CVE-2014-3568

Reviewed-by: Emilia Kasper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

Fix for session tickets memory leak.

CVE-2014-3567

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>

Fix SRTP compile issues for windows

Related to CVE-2014-3513

This fix was developed by the OpenSSL Team

Reviewed-by: Tim Hudson <tjh@openssl.org>
Conflicts:
util/mkdef.pl
util/ssleay.num

Fix for SRTP Memory Leak

CVE-2014-3513

This issue was reported to OpenSSL on 26th September 2014, based on an original
issue and patch developed by the LibreSSL project. Further analysis of the issue
was performed by the OpenSSL team.

The fix was developed by the OpenSSL team.

Reviewed-by: Tim Hudson <tjh@openssl.org>

Fix SSL_R naming inconsistency.

Reviewed-by: Tim Hudson <tjh@openssl.org>

aesni-x86_64.pl: make ECB subroutine Windows ABI compliant.

RT: 3553
Reviewed-by: Emilia Kasper <emilia@openssl.org>

Add TLS_FALLBACK_SCSV documentation, and move s_client -fallback_scsv
handling out of #ifndef OPENSSL_NO_DTLS1 section.

Reviewed-by: Rich Salz <rsalz@openssl.org>

Support TLS_FALLBACK_SCSV.

Reviewed-by: Stephen Henson <steve@openssl.org>

Remove reference to deleted md4.c

Reviewed-by: Kurt Roeckx <kurt@openssl.org>

Disable encrypt them mac for SSL 3.0 and stream ciphers (RC4 only).

Reviewed-by: Tim Hudson <tjh@openssl.org>

Removed duplicate definition of PKCS7_type_is_encrypted

Patch supplied by Matthieu Patou <mat@matws.net>, and modified to also
remove duplicate definition of PKCS7_type_is_digest.

PR#3551

Reviewed-by: Rich Salz <rsalz@openssl.org>

Fix single makefile.

Reviewed-by: Geoffrey Thorpe <geoff@geoffthorpe.net>

RT3462: Document actions when data==NULL

If data is NULL, return the size needed to hold the
derived key.  No other API to do this, so document
the behavior.

Reviewed-by: Richard Levitte <levitte@openssl.org>

DTLS 1.2 support has been added to 1.0.2.

Reviewed-by: Rich Salz <rsalz@openssl.org>

crypto/cast/asm/cast-586.pl: +5% on PIII and remove obsolete readme.

Reviewed-by: Rich Salz <rsalz@openssl.org>

RT3549: Remove obsolete files in crypto

Reviewed-by: Andy Polyakov <appro@openssl.org>

RT2910: Remove des.c and its Makefile target

Reviewed-by: Andy Polyakov <appro@openssl.org>

RT2309: Fix podpage MMNNFFPPS->MNNFFPPS

Reviewed-by: Matt Caswell <matt@openssl.org>

Parse custom extensions after internal extensions.

Reviewed-by: Rich Salz <rsalz@openssl.org>

e_os.h: refine inline override logic (to address warnings in debug build).

Reviewed-by: Dr Stephen Henson <steve@openssl.org>

crypto/bn/bn_nist.c: bring original failing code back for reference.

RT: 3541
Reviewed-by: Emilia Kasper <emilia@openssl.org>

Add additional explanation to CHANGES entry.

Reviewed-by: Tim Hudson <tjh@openssl.org>

Add additional DigestInfo checks.

Reencode DigestInto in DER and check against the original: this
will reject any improperly encoded DigestInfo structures.

Note: this is a precautionary measure, there is no known attack
which can exploit this.

Thanks to Brian Smith for reporting this issue.
Reviewed-by: Tim Hudson <tjh@openssl.org>

Remove #ifdef's for IRIX_CC_BUG

Reviewed-by: Andy Polyakov <appro@openssl.org>

RT3544: Must update TABLE after Configure change

Also add comment to Configure reminding people to do that.

Reviewed-by: Andy Polyakov <appro@openssl.org>

Add missing tests

Accidentally omitted from commit 455b65dfab0de51c9f67b3c909311770f2b3f801

Reviewed-by: Kurt Roeckx <kurt@openssl.org>

Use correct function name: CMS_add1_signer()

Reviewed-by: Matt Caswell <matt@openssl.org>

crypto/bn/bn_nist.c: work around MSC ARM compiler bug.

RT: 3541
Reviewed-by: Emilia Kasper <emilia@openssl.org>

e_os.h: allow inline functions to be compiled by legacy compilers.

Reviewed-by: Matt Caswell <matt@openssl.org>

RT3544: Remove MWERKS support

The following #ifdef tests were all removed:
__MWERKS__
MAC_OS_pre_X
MAC_OS_GUSI_SOURCE
MAC_OS_pre_X
OPENSSL_SYS_MACINTOSH_CLASSIC
OPENSSL_SYS_MACOSX_RHAPSODY

Reviewed-by: Andy Polyakov <appro@openssl.org>

RT3425: constant-time evp_enc

Do the final padding check in EVP_DecryptFinal_ex in constant time to
avoid a timing leak from padding failure.

Reviewed-by: Rich Salz <rsalz@openssl.org>

RT3067: simplify patch

(Original commit adb46dbc6dd7347750df2468c93e8c34bcb93a4b)

Use the new constant-time methods consistently in s3_srvr.c

Reviewed-by: Kurt Roeckx <kurt@openssl.org>

RT3066: rewrite RSA padding checks to be slightly more constant time.

Also tweak s3_cbc.c to use new constant-time methods.
Also fix memory leaks from internal errors in RSA_padding_check_PKCS1_OAEP_mgf1

This patch is based on the original RT submission by Adam Langley <agl@chromium.org>,
as well as code from BoringSSL and OpenSSL.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>

make update

Sync libeay.num from 1.0.2

Reviewed-by: Dr Stephen Henson <steve@openssl.org>

Note i2d_re_X509_tbs and related changes in CHANGES

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit e9128d9401ad617e17c5eb3772512c24b038b967)

CHANGES: mention ECP_NISTZ256.

Reviewed-by: Bodo Moeller <bodo@openssl.org>

crypto/rsa/rsa_chk.c: harmonize error codes.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

crypto/ecp_nistz256.c: harmonize error codes.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

Fixed error introduced in commit f2be92b94dad3c6cbdf79d99a324804094cf1617
that fixed PR#3450 where an existing cast masked an issue when i was changed
from int to long in that commit

Picked up on z/linux (s390) where sizeof(int)!=sizeof(long)

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>

Harmonize Tru64 and Linux make rules.

RT: 3333,3165
Reviewed-by: Rich Salz <rsalz@openssl.org>

Fix warning.

Reviewed-by: Tim Hudson <tjh@openssl.org>

RT3291: Add -crl and -revoke options to CA.pl

Document the new features

Reviewed-by: Tim Hudson <tjh@openssl.org>

RT2301: GetDIBits, not GetBitmapBits in rand_win

GetDIBits has been around since Windows2000 and
BitBitmapBits is an old Win16 compatibility function
that is much slower.

Reviewed-by: Tim Hudson <tjh@openssl.org>

crypto/bn/asm/x86_64-mont*.pl: add missing clang detection.

Reviewed-by: Rich Salz <rsalz@openssl.org>

Configure: engage ECP_NISTZ256.

RT: 3149

Reviewed-by: Rich Salz <rsalz@openssl.org>

Add ECP_NISTZ256 by Shay Gueron, Intel Corp.

RT: 3149

Reviewed-by: Rich Salz <rsalz@openssl.org>

Reserve option to use BN_mod_exp_mont_consttime in ECDSA.

Submitted by Shay Gueron, Intel Corp.
RT: 3149

Reviewed-by: Rich Salz <rsalz@openssl.org>

perlasm/x86_64-xlate.pl: handle inter-bank movd.

Reviewed-by: Rich Salz <rsalz@openssl.org>

RT2772 update: c_rehash was broken

Move the readdir() lines out of the if statement, so
that flist is available globally.

Reviewed-by: Tim Hudson <tjh@openssl.org>

RT3271 update; extra; semi-colon; confuses; some;

Reviewed-by: Kurt Roeckx <kurt@openssl.org>

RT2560: missing NULL check in ocsp_req_find_signer

If we don't find a signer in the internal list, then fall
through and look at the internal list; don't just return NULL.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

RT2196: Clear up some README wording

Say where to email bug reports.
Mention general RT tracker info in a separate paragraph.

Reviewed-by: Tim Hudson <tjh@openssl.org>

RT3192: spurious error in DSA verify

This is funny; Ben commented in the source, Matt opend a ticket,
and Rich is doing the submit.  Need more code-review? :)

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

Merge branch 'master' of git.openssl.org:openssl

Previous commit was reviewed by Geoff, not Stephen:
Reviewed-by: Geoff Thorpe <geoff@openssl.org>

RT3271: Don't use "if !" in shell lines

For portability don't use "if ! expr"

Reviewed-by: Geoff Thorpe <geoff@openssl.org>

RT3271: Don't use "if !" in shell lines

For portability don't use "if ! expr"

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

RT1909: Omit version for v1 certificates

When calling X509_set_version to set v1 certificate, that
should mean that the version number field is omitted.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

RT3506: typo's in ssltest

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

RT2841: Extra return in check_issued

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

RT2626: Change default_bits from 1K to 2K

This is a more comprehensive fix.  It changes all
keygen apps to use 2K keys. It also changes the
default to use SHA256 not SHA1.  This is from
Kurt's upstream Debian changes.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>

RT2600: Change Win line-endings to Unix.

For consistency.

Reviewed-by: Bodo Moeller <bodo@openssl.org>

RT2272: Add old-style hash to c_rehash

In addition to Matthias's change, I also added -n to
not remove links. And updated the manpage.

Reviewed-by: Tim Hudson <tjh@openssl.org>

RT671: export(i2s|s2i|i2v|v2i)_ASN1_(IA5|BIT)STRING

The EXT_BITSTRING and EXT_IA5STRING are defined in x509v3.h, but
the low-level functions are not public. They are useful, no need
to make them static. Note that BITSTRING already was exposed since
this RT was created, so now we just export IA5STRING functions.

Reviewed-by: Tim Hudson <tjh@openssl.org>

RT468: SSL_CTX_sess_set_cache_size wrong

The documentation is wrong about what happens when the
session cache fills up.

Reviewed-by: Tim Hudson <tjh@openssl.org>

RT3301: Discard too-long heartbeat requests

Reviewed-by: Tim Hudson <tjh@openssl.org>

RT3291: Add -crl and -revoke options to CA.pl

I added some error-checking while integrating this patch.

Reviewed-by: Tim Hudson <tjh@openssl.org>