Reviewed-by: NTim Hudson <tjh@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

The -show_chain flag to the verify command line app shows information about
the chain that has been built. This commit adds the text "untrusted" against
those certificates that have been used from the untrusted list.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NMatt Caswell <matt@openssl.org>

Reviewed-by: NMatt Caswell <matt@openssl.org>

Rewrite ssl3_digest_cached_records handling. Only digest cached records
if digest array is NULL: this means it is safe to call
ssl3_digest_cached_records multiple times (subsequent calls are no op).

Remove flag TLS1_FLAGS_KEEP_HANDSHAKE instead only update handshake buffer
if digest array is NULL.

Add additional "keep" parameter to ssl3_digest_cached_records to indicate
if the handshake buffer should be retained after digesting cached records
(needed for TLS 1.2 client authentication).
Reviewed-by: NMatt Caswell <matt@openssl.org>

Add secure heap for storage of private keys (when possible).
Add BIO_s_secmem(), CBIGNUM, etc.
Add BIO_CTX_secure_new so all BIGNUM's in the context are secure.
Contributed by Akamai Technologies under the Corporate CLA.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Reviewed-by: NKurt Roeckx <kurt@openssl.org>

Recent HMAC changes broke ABI compatibility due to a new field in HMAC_CTX.
This backs that change out, and does it a different way.

Thanks to Timo Teras for the concept.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

This is a workaround so old that nobody remembers what buggy clients
it was for. It's also been broken in stable branches for two years and
nobody noticed (see
https://boringssl-review.googlesource.com/#/c/1694/).
Reviewed-by: NTim Hudson <tjh@openssl.org>

The return type of BIO_number_read() and BIO_number_written() as well as
the corresponding num_read and num_write members in the BIO structure has
been changed from unsigned long to uint64_t. On platforms where an unsigned
long is 32 bits (e.g. Windows) these counters could overflow if >4Gb is
transferred.

With thanks to the Open Crypto Audit Project for reporting this issue.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Also removed a source file that isn't built, and moved
another one to test for eventual fixing.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Reviewed-by: NMatt Caswell <matt@openssl.org>
MR #588

Reviewed-by: NRichard Levitte <levitte@openssl.org>

PR#3872
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NStephen Henson <steve@openssl.org>
(cherry picked from commit ad0fb7f4988c8a717fe6bcb035304385fbdaef41)

Conflicts:
	crypto/asn1/ameth_lib.c

This is for consistency.
Additionally, have its presence define OPENSSL_SYS_WINDOWS as well.
Reviewed-by: NMatt Caswell <matt@openssl.org>

If a NewSessionTicket is received by a multi-threaded client when
attempting to reuse a previous ticket then a race condition can occur
potentially leading to a double free of the ticket data.

CVE-2015-1791

This also fixes RT#3808 where a session ID is changed for a session already
in the client session cache. Since the session ID is the key to the cache
this breaks the cache access.

Parts of this patch were inspired by this Akamai change:
https://github.com/akamai/openssl/commit/c0bf69a791239ceec64509f9f19fcafb2461b0d3Reviewed-by: NRich Salz <rsalz@openssl.org>

Using an enum with -Wswitch means all lookup routines handle
all cases.  Remove X509_LU_PKEY which was never used.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

The new accessors SSL_get_client_random, SSL_get_server_random and
SSL_SESSION_get_master_key should return a size_t to match the type of the
|outlen| parameter.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Change the new SSL_get_client_random(), SSL_get_server_random() and
SSL_SESSION_get_master_key() functions to use size_t for |outlen| instead of
int.
Reviewed-by: NTim Hudson <tjh@openssl.org>

Tor uses these values to implement a low-rent clone of RFC 5705 (which,
in our defense, we came up with before RFC 5705 existed).  But now that
ssl_st is opaque, we need another way to get at them.

Includes documentation, with suitable warnings about not actually
using these functions.
Signed-off-by: NNick Mathewson <nickm@torproject.org>
Signed-off-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NTim Hudson <tjh@openssl.org>

On the server side, if you want to know which ciphers the client
offered, you had to use session->ciphers.  But that field is no
longer visible, so we need a method to get at it.
Signed-off-by: NNick Mathewson <nickm@torproject.org>
Signed-off-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NTim Hudson <tjh@openssl.org>

This adds a new function which will encrypt a private key using PKCS#8
based on an X509_ALGOR structure and reimplements PKCS8_encrypt to use it.

Update pkcs8 utlity to use PKCS8_set0_pbe.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Set a specific error if the parameters are otherwise valid but exceed the
memory limit.
Reviewed-by: NRich Salz <rsalz@openssl.org>

The functions BN_rshift and BN_lshift shift their arguments to the right or
left by a specified number of bits. Unpredicatable results (including
crashes) can occur if a negative number is supplied for the shift value.

Thanks to Mateusz Kocielski (LogicalTrust), Marek Kroemeke and Filip Palian
for discovering and reporting this issue.
Reviewed-by: NKurt Roeckx <kurt@openssl.org>

Given the pervasive nature of TLS extensions it is inadvisable to run
OpenSSL without support for them. It also means that maintaining
the OPENSSL_NO_TLSEXT option within the code is very invasive (and probably
not well tested). Therefore it is being removed.
Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NRichard Levitte <levitte@openssl.org>

This adds support for the ASN.1 structures in draft-josefsson-scrypt-kdf-03
Private keys encrypted by scrypt can now be decrypted transparently as long
as they don't exceed the memory limits.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

40 bit ciphers are limited to 512 bit RSA, 56 bit ciphers to 1024 bit.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

Add scrypt algorithm as described in draft-josefsson-scrypt-kdf-03
Reviewed-by: NRich Salz <rsalz@openssl.org>

Rewrite and tidy ASN1_INTEGER and ASN1_ENUMERATED handling.

Remove code duplication.

New functions to convert between int64_t and ASN.1 types without the
quirks of the old long conversion functions.

Add documentation.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Miscellaneous updates following review comments on the version negotiation
rewrite patches.
Reviewed-by: NKurt Roeckx <kurt@openssl.org>

Following the version negotiation rewrite all of the previous code that was
dedicated to version negotiation can now be deleted - all six source files
of it!!
Reviewed-by: NKurt Roeckx <kurt@openssl.org>

Continuing from the previous commit this changes the way we do client side
version negotiation. Similarly all of the s23* "up front" state machine code
has been avoided and again things now work much the same way as they already
did for DTLS, i.e. we just do most of the work in the
ssl3_get_server_hello() function.
Reviewed-by: NKurt Roeckx <kurt@openssl.org>

This commit changes the way that we do server side protocol version
negotiation. Previously we had a whole set of code that had an "up front"
state machine dedicated to the negotiating the protocol version. This adds
significant complexity to the state machine. Historically the justification
for doing this was the support of SSLv2 which works quite differently to
SSLv3+. However, we have now removed support for SSLv2 so there is little
reason to maintain this complexity.

The one slight difficulty is that, although we no longer support SSLv2, we
do still support an SSLv3+ ClientHello in an SSLv2 backward compatible
ClientHello format. This is generally only used by legacy clients. This
commit adds support within the SSLv3 code for these legacy format
ClientHellos.

Server side version negotiation now works in much the same was as DTLS,
i.e. we introduce the concept of TLS_ANY_VERSION. If s->version is set to
that then when a ClientHello is received it will work out the most
appropriate version to respond with. Also, SSLv23_method and
SSLv23_server_method have been replaced with TLS_method and
TLS_server_method respectively. The old SSLv23* names still exist as
macros pointing at the new name, although they are deprecated.

Subsequent commits will look at client side version negotiation, as well of
removal of the old s23* code.
Reviewed-by: NKurt Roeckx <kurt@openssl.org>

And remove a duplicate comment, probably from a merge hiccup.
Reviewed-by: NMatt Caswell <matt@openssl.org>

Follow the same convention the other OPENSSL_NO_xxx header files
do, and use #error instead of making the header file be a no-op.
Reviewed-by: NMatt Caswell <matt@openssl.org>

Reviewed-by: NMatt Caswell <matt@openssl.org>

There are header files in crypto/ that are used by the rest of
OpenSSL.  Move those to include/internal and adapt the affected source
code, Makefiles and scripts.

The header files that got moved are:

crypto/constant_time_locl.h
crypto/o_dir.h
crypto/o_str.h
Reviewed-by: NMatt Caswell <matt@openssl.org>