aesni-x86_64.pl: make ECB subroutine Windows ABI compliant.

RT: 3553
Reviewed-by: Emilia Kasper <emilia@openssl.org>

Add TLS_FALLBACK_SCSV documentation, and move s_client -fallback_scsv
handling out of #ifndef OPENSSL_NO_DTLS1 section.

Reviewed-by: Rich Salz <rsalz@openssl.org>

Support TLS_FALLBACK_SCSV.

Reviewed-by: Stephen Henson <steve@openssl.org>

Remove reference to deleted md4.c

Reviewed-by: Kurt Roeckx <kurt@openssl.org>

Disable encrypt them mac for SSL 3.0 and stream ciphers (RC4 only).

Reviewed-by: Tim Hudson <tjh@openssl.org>

Removed duplicate definition of PKCS7_type_is_encrypted

Patch supplied by Matthieu Patou <mat@matws.net>, and modified to also
remove duplicate definition of PKCS7_type_is_digest.

PR#3551

Reviewed-by: Rich Salz <rsalz@openssl.org>

Fix single makefile.

Reviewed-by: Geoffrey Thorpe <geoff@geoffthorpe.net>

RT3462: Document actions when data==NULL

If data is NULL, return the size needed to hold the
derived key.  No other API to do this, so document
the behavior.

Reviewed-by: Richard Levitte <levitte@openssl.org>

DTLS 1.2 support has been added to 1.0.2.

Reviewed-by: Rich Salz <rsalz@openssl.org>

crypto/cast/asm/cast-586.pl: +5% on PIII and remove obsolete readme.

Reviewed-by: Rich Salz <rsalz@openssl.org>

RT3549: Remove obsolete files in crypto

Reviewed-by: Andy Polyakov <appro@openssl.org>

RT2910: Remove des.c and its Makefile target

Reviewed-by: Andy Polyakov <appro@openssl.org>

RT2309: Fix podpage MMNNFFPPS->MNNFFPPS

Reviewed-by: Matt Caswell <matt@openssl.org>

Parse custom extensions after internal extensions.

Reviewed-by: Rich Salz <rsalz@openssl.org>

e_os.h: refine inline override logic (to address warnings in debug build).

Reviewed-by: Dr Stephen Henson <steve@openssl.org>

crypto/bn/bn_nist.c: bring original failing code back for reference.

RT: 3541
Reviewed-by: Emilia Kasper <emilia@openssl.org>

Add additional explanation to CHANGES entry.

Reviewed-by: Tim Hudson <tjh@openssl.org>

Add additional DigestInfo checks.

Reencode DigestInto in DER and check against the original: this
will reject any improperly encoded DigestInfo structures.

Note: this is a precautionary measure, there is no known attack
which can exploit this.

Thanks to Brian Smith for reporting this issue.
Reviewed-by: Tim Hudson <tjh@openssl.org>

Remove #ifdef's for IRIX_CC_BUG

Reviewed-by: Andy Polyakov <appro@openssl.org>

RT3544: Must update TABLE after Configure change

Also add comment to Configure reminding people to do that.

Reviewed-by: Andy Polyakov <appro@openssl.org>

Add missing tests

Accidentally omitted from commit 455b65dfab0de51c9f67b3c909311770f2b3f801

Reviewed-by: Kurt Roeckx <kurt@openssl.org>

Use correct function name: CMS_add1_signer()

Reviewed-by: Matt Caswell <matt@openssl.org>

crypto/bn/bn_nist.c: work around MSC ARM compiler bug.

RT: 3541
Reviewed-by: Emilia Kasper <emilia@openssl.org>

e_os.h: allow inline functions to be compiled by legacy compilers.

Reviewed-by: Matt Caswell <matt@openssl.org>

RT3544: Remove MWERKS support

The following #ifdef tests were all removed:
__MWERKS__
MAC_OS_pre_X
MAC_OS_GUSI_SOURCE
MAC_OS_pre_X
OPENSSL_SYS_MACINTOSH_CLASSIC
OPENSSL_SYS_MACOSX_RHAPSODY

Reviewed-by: Andy Polyakov <appro@openssl.org>

RT3425: constant-time evp_enc

Do the final padding check in EVP_DecryptFinal_ex in constant time to
avoid a timing leak from padding failure.

Reviewed-by: Rich Salz <rsalz@openssl.org>

RT3067: simplify patch

(Original commit adb46dbc6dd7347750df2468c93e8c34bcb93a4b)

Use the new constant-time methods consistently in s3_srvr.c

Reviewed-by: Kurt Roeckx <kurt@openssl.org>

RT3066: rewrite RSA padding checks to be slightly more constant time.

Also tweak s3_cbc.c to use new constant-time methods.
Also fix memory leaks from internal errors in RSA_padding_check_PKCS1_OAEP_mgf1

This patch is based on the original RT submission by Adam Langley <agl@chromium.org>,
as well as code from BoringSSL and OpenSSL.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>

make update

Sync libeay.num from 1.0.2

Reviewed-by: Dr Stephen Henson <steve@openssl.org>

Note i2d_re_X509_tbs and related changes in CHANGES

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit e9128d9401ad617e17c5eb3772512c24b038b967)

CHANGES: mention ECP_NISTZ256.

Reviewed-by: Bodo Moeller <bodo@openssl.org>

crypto/rsa/rsa_chk.c: harmonize error codes.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

crypto/ecp_nistz256.c: harmonize error codes.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

Fixed error introduced in commit f2be92b94dad3c6cbdf79d99a324804094cf1617
that fixed PR#3450 where an existing cast masked an issue when i was changed
from int to long in that commit

Picked up on z/linux (s390) where sizeof(int)!=sizeof(long)

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>

Harmonize Tru64 and Linux make rules.

RT: 3333,3165
Reviewed-by: Rich Salz <rsalz@openssl.org>

Fix warning.

Reviewed-by: Tim Hudson <tjh@openssl.org>

RT3291: Add -crl and -revoke options to CA.pl

Document the new features

Reviewed-by: Tim Hudson <tjh@openssl.org>

RT2301: GetDIBits, not GetBitmapBits in rand_win

GetDIBits has been around since Windows2000 and
BitBitmapBits is an old Win16 compatibility function
that is much slower.

Reviewed-by: Tim Hudson <tjh@openssl.org>

crypto/bn/asm/x86_64-mont*.pl: add missing clang detection.

Reviewed-by: Rich Salz <rsalz@openssl.org>

Configure: engage ECP_NISTZ256.

RT: 3149

Reviewed-by: Rich Salz <rsalz@openssl.org>

Add ECP_NISTZ256 by Shay Gueron, Intel Corp.

RT: 3149

Reviewed-by: Rich Salz <rsalz@openssl.org>

Reserve option to use BN_mod_exp_mont_consttime in ECDSA.

Submitted by Shay Gueron, Intel Corp.
RT: 3149

Reviewed-by: Rich Salz <rsalz@openssl.org>

perlasm/x86_64-xlate.pl: handle inter-bank movd.

Reviewed-by: Rich Salz <rsalz@openssl.org>

RT2772 update: c_rehash was broken

Move the readdir() lines out of the if statement, so
that flist is available globally.

Reviewed-by: Tim Hudson <tjh@openssl.org>

RT3271 update; extra; semi-colon; confuses; some;

Reviewed-by: Kurt Roeckx <kurt@openssl.org>

RT2560: missing NULL check in ocsp_req_find_signer

If we don't find a signer in the internal list, then fall
through and look at the internal list; don't just return NULL.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

RT2196: Clear up some README wording

Say where to email bug reports.
Mention general RT tracker info in a separate paragraph.

Reviewed-by: Tim Hudson <tjh@openssl.org>

RT3192: spurious error in DSA verify

This is funny; Ben commented in the source, Matt opend a ticket,
and Rich is doing the submit.  Need more code-review? :)

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

Merge branch 'master' of git.openssl.org:openssl

Previous commit was reviewed by Geoff, not Stephen:
Reviewed-by: Geoff Thorpe <geoff@openssl.org>

RT3271: Don't use "if !" in shell lines

For portability don't use "if ! expr"

Reviewed-by: Geoff Thorpe <geoff@openssl.org>

RT3271: Don't use "if !" in shell lines

For portability don't use "if ! expr"

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

RT1909: Omit version for v1 certificates

When calling X509_set_version to set v1 certificate, that
should mean that the version number field is omitted.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

RT3506: typo's in ssltest

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

RT2841: Extra return in check_issued

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

RT2626: Change default_bits from 1K to 2K

This is a more comprehensive fix.  It changes all
keygen apps to use 2K keys. It also changes the
default to use SHA256 not SHA1.  This is from
Kurt's upstream Debian changes.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>

RT2600: Change Win line-endings to Unix.

For consistency.

Reviewed-by: Bodo Moeller <bodo@openssl.org>

RT2272: Add old-style hash to c_rehash

In addition to Matthias's change, I also added -n to
not remove links. And updated the manpage.

Reviewed-by: Tim Hudson <tjh@openssl.org>

RT671: export(i2s|s2i|i2v|v2i)_ASN1_(IA5|BIT)STRING

The EXT_BITSTRING and EXT_IA5STRING are defined in x509v3.h, but
the low-level functions are not public. They are useful, no need
to make them static. Note that BITSTRING already was exposed since
this RT was created, so now we just export IA5STRING functions.

Reviewed-by: Tim Hudson <tjh@openssl.org>

RT468: SSL_CTX_sess_set_cache_size wrong

The documentation is wrong about what happens when the
session cache fills up.

Reviewed-by: Tim Hudson <tjh@openssl.org>

RT3301: Discard too-long heartbeat requests

Reviewed-by: Tim Hudson <tjh@openssl.org>

RT3291: Add -crl and -revoke options to CA.pl

I added some error-checking while integrating this patch.

Reviewed-by: Tim Hudson <tjh@openssl.org>

RT2518: fix pod2man errors

pod2man now complains when item tags are not sequential.
Also complains about missing =back and other tags.
Silence the warnings; most were already done.

Reviewed-by: Tim Hudson <tjh@openssl.org>

RT992: RSA_check_key should have a callback arg

The original RT request included a patch.  By the time
we got around to doing it, however, the callback scheme
had changed. So I wrote a new function RSA_check_key_ex()
that uses the BN_GENCB callback.  But thanks very much
to Vinet Sharma <vineet.sharma@gmail.com> for the
initial implementation.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

RT3108: OPENSSL_NO_SOCK should imply OPENSSL_NO_DGRAM

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

RT3031: Need to #undef some names for win32

Copy the ifdef/undef stanza from x509.h to x509v3.h

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

RT2849: Redundant check of "dsa" variable.

In the current code, the check isn't redundant.
And in fact the REAL check was missing.
This avoids a NULL-deref crash.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

RT2843: Remove another spurious close-comment token

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

RT2842: Remove spurious close-comment marker.

Also, I (rsalz) changed "#ifdef undef" to "#if 0"

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

Merge branch 'master' of git.openssl.org:openssl

empty merge; script hiccup.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

RT1834: Fix PKCS7_verify return value

The function returns 0 or 1, only.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

RT1832: Fix PKCS7_verify return value

The function returns 0 or 1, only.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

RT1771: Add string.h include.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

RT1325,2973: Add more extensions to c_rehash

Regexp was bracketed wrong.

Reviewed-by: Tim Hudson <tjh@openssl.org>

make update

Reviewed-by: Dr Stephen Henson <steve@openssl.org>

Add i2d_re_X509_tbs

i2d_re_X509_tbs re-encodes the TBS portion of the certificate.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Dr Stephen Henson <steve@openssl.org>

Add CHANGES entry for SCT viewer code.

Reviewed-by: Emilia Käsper <emilia@openssl.org>

sync ordinals with 1.0.2

Reviewed-by: Tim Hudson <tjh@openssl.org>

psk_client_callback, 128-byte id bug.

Fix a bug in handling of 128 byte long PSK identity in
psk_client_callback.

OpenSSL supports PSK identities of up to (and including) 128 bytes in
length. PSK identity is obtained via the psk_client_callback,
implementors of which are expected to provide a NULL-terminated
identity. However, the callback is invoked with only 128 bytes of
storage thus making it impossible to return a 128 byte long identity and
the required additional NULL byte.

This CL fixes the issue by passing in a 129 byte long buffer into the
psk_client_callback. As a safety precaution, this CL also zeroes out the
buffer before passing it into the callback, uses strnlen for obtaining
the length of the identity returned by the callback, and aborts the
handshake if the identity (without the NULL terminator) is longer than
128 bytes.

(Original patch amended to achieve strnlen in a different way.)

Reviewed-by: Rich Salz <rsalz@openssl.org>

Followup on RT3334 fix: make sure that a directory that's the empty
string returns 0 with errno = ENOENT.

Reviewed-by: Andy Polyakov <appro@openssl.org>

RT3334: Fix crypto/LPdir_win.c

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>

RT3140: Possibly-unit variable in pem_lib.c

Can't really happen, but the flow of control isn't obvious.
Add an initializer.

Reviewed-by: Matt Caswell <matt@openssl.org>

Make the inline const-time functions static.

"inline" without static is not correct as the compiler may choose to ignore it
and will then either emit an external definition, or expect one.

Reviewed-by: Geoff Thorpe <geoff@openssl.org>

RT3508: Remove unused variable introduced by b09eb24

Reviewed-by: Tim Hudson <tjh@openssl.org>

RT3511: doc fix; req default serial is random

RT842, closed back in 2004, changed the default serial number
to be a random number rather than zero.  Finally time to update
the doc

Reviewed-by: Tim Hudson <tjh@openssl.org>

Add explanatory note to crypto/store/README

Reviewed-by: Richard Levitte <levitte@openssl.org>

RT1325,2973: Add more extensions to c_rehash

Add .crt/.cer/.crl to the filenames parsed.

I also updated the podpage (since it didn't exist when
this ticket was first created, nor when it was re-created
seven years later).

Reviewed-by: Tim Hudson <tjh@openssl.org>

Configure: add configuration for crypto/ec/asm extensions.

Reviewed-by: Rich Salz <rsalz@openssl.org>

md5-x86_64.pl: work around warning.

Reviewed-by: Rich Salz <rsalz@openssl.org>

x86[_64] assembly pack: add Silvermont performance data.

Reviewed-by: Rich Salz <rsalz@openssl.org>

Remove some outdated README files, to avoid confusing people.

Reviewed-by: Andy Polyakov <appro@openssl.org>

RT2820: case-insensitive filenames on Darwin

Andy pointed out there is also darwin64, so tweak the pattern.

Reviewed-by: Andy Polyakov <appro@openssl.org>

RT2119,3407: Updated to dgst.pod

Re-order algorithm list.
Be consistent in command synopsis.
Add content about signing.
Add EXAMPLE section
Add some missing options: -r, -fips-fingerprint -non-fips-allow
Various other fixes.

Reviewed-by: Andy Polyakov <appro@openssl.org>

RT2379: Additional typo fix

Andy found an additional typo "can be can be".
Now I have that silly "Que sera sera" song stuck in my head.

Reviewed-by: Andy Polyakov <appro@openssl.org>

RT1941: c_rehash.pod is missing

Add the file written by James Westby, graciously contributed
under the terms of the OpenSSL license.

Reviewed-by: Andy Polyakov <appro@openssl.org>

apps/speed.c: add -misalign command-line argument.

New option allows to perform benchmarks on misaligned data.

Reviewed-by: Rich Salz <rsalz@openssl.org>

RT2379: Bug in BIO_set_accept_port.pod

The doc says that port can be "*" to mean any port.
That's wrong.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

Fixed double inclusion of string.h

PR2693

Reviewed-by: Tim Hudson <tjh@openssl.org>

RT2880: HFS is case-insensitive filenames

Add Darwin to list of case-insensitive filenames when
installing manapges.  When doing this, I noticed that
we weren't setting "filecase" for the HTML doc install.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

RT3246: req command prints version number wrong

Make X509_REQ_print_ex do the same thing that
X509_REQ_print does.

Reviewed-by: Matt Caswell <matt@openssl.org>

RT1665,2300: Crypto doc cleanups

RT1665: aes documentation.

Paul Green wrote a nice aes.pod file.
But we now encourage the EVP interface.
So I took his RT item and used it as impetus to add
the AES modes to EVP_EncryptInit.pod
I also noticed that rc4.pod has spurious references to some other
cipher pages, so I removed them.

RT2300: Clean up MD history (merged into RT1665)

Put HISTORY section only in EVP_DigestInit.pod. Also add words
to discourage use of older cipher-specific API, and remove SEE ALSO
links that point to them.

Make sure digest pages have a NOTE that says use EVP_DigestInit.

Review feedback:
More cleanup in EVP_EncryptInit.pod
Fixed SEE ALSO links in ripemd160.pod, sha.pod, mdc2.pod, blowfish.pod,
rc4.d, and des.pod.  Re-order sections in des.pod for consistency

Reviewed-by: Matt Caswell <matt@openssl.org>