exclude_rule 'MD023' # Headers must start at the beginning of the line
exclude_rule 'MD026' # Trailing punctuation in header
Reviewed-by: NTim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12109)

Reviewed-by: NTim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12309)

Reviewed-by: NTim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12309)

Reviewed-by: NTim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12309)

Instead appease coverity by marking 1464986 as a false positive.
Coverity is confused by the engine reference counting.
Reviewed-by: NTim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12309)

Reviewed-by: NTim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12309)

The strength and max_length DRBG parameters were being cached in the EVP_RAND
layer.  This commit removes the caching.
Reviewed-by: NMatthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/12321)

Reviewed-by: NMatthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/12321)

The calls to query the DRBG strength, state and maximum output size all used
nested locks.  This removes the nesting.
Reviewed-by: NMatthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/12321)

CLA: trivial
Reviewed-by: NShane Lontis <shane.lontis@oracle.com>
Reviewed-by: NMatthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/12320)

The shared_target attrribute for Solaris built with gcc wasn't right
and shared libraries couldn't be properly built.

Fixes #12356
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NShane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12360)

This entry added the macro B_ENDIAN when it shouldn't have.

Fixes #12332
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12335)

Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12339)

OpenSSL::config::guess_system() is supposed to return system triplets.
However, for Windows and VMS, it returned the final OpenSSL config
target instead.  We move the entries for them to the table that
OpenSSL::config::map_guess() uses, so it can properly convert the
input triplet to an OpenSSL config target.
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12339)

Thanks to Michael Mueller on the openssl-users list for the suggested
improvement.
Reviewed-by: NNicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12338)

[extended tests]
Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12275)

If an empty password was supplied we ignored it and were trying to use
the fallback method to read the password instead (i.e. read from stdin).
However if that failed (which it always does if the cmp option -batch is
used) then we were reporting that we had successfully read the password
without actually setting one.

Instead, if an empty password is explicitly provided we should use it. If
no password is supplied explicitly and we have no fallback method then we
assume the empty password.

[extended tests]
Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12275)

In HTTP_new_bio(), if the host has a trailing '/' we took a copy of the
hostname but failed to terminate it properly.
Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12275)

Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12280)

Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12280)

Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12279)

Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12279)

Make the improved semantics of VFO replace the previous VF and remove VFO
Add warnings about overriding use of HARNESS_VERBOSE* variables
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12279)

This line wasn't properly handled:

    SCRIPTS{misc,linkname=tsget}=tsget.pl

It generated an attribute "linkname=tsget" with the value 1, instead of
what it should have, an attribute "linkname" with the value "tsget".

Fixes #12341
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12344)

Reviewed-by: NRichard Levitte <levitte@openssl.org>
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12334)

CLA: trivial
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12329)

'absolutedir' does a thorough job ensuring that we have a "real" path
to both source and build directory, unencumbered by symbolic links.
However, that isn't enough on case insensitive file systems on Unix
flavored platforms, where it's possible to stand in, for example,
/PATH/TO/Work/openssl, and then do this:

    perl ../../work/openssl/Configure

... and thereby having it look like the source directory and the build
directory aren't the same.

We solve this by having a closer look at the computed source and build
directories, and making sure they are exactly the same strings if they
are in fact the same directory.

This is especially important when making symbolic links based on this
directories, but may have other ramifications as well.

Fixes #12323
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12337)

Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/12326)

We can run tests in parallel by setting the HARNESS_JOBS environment
variable.
Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/12326)

The environment variable `HARNESS_JOBS` can be used to control how many
jobs to run in parallel.  The default is still to run jobs sequentially.

This commit does not define custom `rules`, and different versions of
`TAP::Harness` come with different strategies regarding the default
`rules` that define which test recipes can be run in parallel.
In recent versions of Perl, unless specified otherwise any task can be
run in parallel.
Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/12326)

Fixes #12303
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12304)

Usually it will be freed in tls_early_post_process_client_hello().
However if a ClientHello callback will be used and will return
SSL_CLIENT_HELLO_RETRY then tls_early_post_process_client_hello()
may never come to the point where pre_proc_exts is freed.

Fixes #12194

CLA: trivial
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
Reviewed-by: NBen Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/12330)

Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12322)

A number of the KDF reset functions were resetting a little too much

Fixes #12225
Reviewed-by: NShane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12229)

Reviewed-by: NViktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10587)

Reviewed-by: NViktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10587)

Reviewed-by: NViktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10587)

Move check that cert signing is allowed from x509v3_cache_extensions() to
where it belongs: internal_verify(), generalize it for proxy cert signing.
Correct and simplify check_issued(), now checking self-issued (not: self-signed).
Add test case to 25-test_verify.t that demonstrates successful fix

Fixes #1418
Reviewed-by: NViktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10587)

candidate issuer cert cannot be the same as the subject cert 'x'
Reviewed-by: NViktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10587)

Reviewed-by: NViktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10587)