The DTLSv1_listen function exposed details of the underlying BIO
abstraction and did not properly allow for IPv6. This commit changes the
"peer" argument to be a BIO_ADDR and makes it a first class function
(rather than a ctrl) to ensure proper type checking.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Also remove two mistakenly checked-in files.
Reviewed-by: NDr. Stephen Henson <steve@openssl.org>

Reviewed-by: NViktor Dukhovni <viktor@openssl.org>

Signed-off-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>

Signed-off-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>

RT1556: doc/crypto/threads.pod
RT2024: Missing pages mentioned in crypto.pod
RT2890: Wrong size in ERR_string_error description.
RT3461: Better description of PEM Encryption
        (Jeffrey Walton <noloader@gmail.com>)
        Also, fix up formatting and removed some code examples
        that encourage unsafe patterns, like unencrypted private
        keys (Rich Salz)
RT4240: Document some speed flags (Tomas Mraz <tmraz@redhat.com>)
RT4260: Fix return value doc for X509_REQ_sign and X509_sign
        (Laetitia Baudoin <lbaudoin@google.com>)
Reviewed-by: NEmilia Käsper <emilia@openssl.org>

Reviewed-by: NEmilia Käsper <emilia@openssl.org>

Reviewed-by: NAndy Polyakov <appro@openssl.org>

Reviewed-by: NKurt Roeckx <kurt@openssl.org>

Added functions:

BIO_socket
BIO_connect
BIO_listen
BIO_accept_ex
BIO_closesocket
BIO_sock_info

These get deprecated:

BIO_gethostbyname
BIO_get_port
BIO_get_host_ip
BIO_get_accept_socket
BIO_accept
Reviewed-by: NKurt Roeckx <kurt@openssl.org>

Because different platforms have different levels of support for IPv6,
different kinds of sockaddr variants, and some have getaddrinfo et al
while others don't, we could end up with a mess if ifdefs, duplicate
code and other maintainance nightmares.

Instead, we're introducing wrappers around the common form for socket
communication:
BIO_ADDR, closely related to struct sockaddr and some of its variants.
BIO_ADDRINFO, closely related to struct addrinfo.

With that comes support routines, both convenient creators and
accessors, plus a few utility functions:

BIO_parse_hostserv, takes a string of the form host:service and
splits it into host and service.  It checks for * in both parts, and
converts any [ipv6-address] syntax to ust the IPv6 address.

BIO_lookup, looks up information on a host.

All routines handle IPv4 (AF_INET) and IPv6 (AF_INET6) addresses, and
there is support for local sockets (AF_UNIX) as well.
Reviewed-by: NKurt Roeckx <kurt@openssl.org>

CRIME protection: disable compression by default, even if OpenSSL is
compiled with zlib enabled. Applications can still enable compression by
calling SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION), or by using
the SSL_CONF library to configure compression. SSL_CONF continues to
work as before:

SSL_CONF_cmd(ctx, "Options", "Compression") enables compression.

SSL_CONF_cmd(ctx, "Options", "-Compression") disables compression (now
no-op by default).

The command-line switch has changed from -no_comp to -comp.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Also fix option processing in pkeyutl to allow use of (formerly)
"out-of-order" switches that were needless implementation limitations.

Handle documented "ENGINE" form with -keyform and -peerform.

Better handling of OPENSSL_NO_ENGINE and OPENSSL_NO_RSA.

RT2018
Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NDr. Stephen Henson <steve@openssl.org>

Add new function BN_bn2binpad() which checks the length of the output
buffer and pads the result with zeroes if necessary.

New functions BN_bn2lebinpad() and BN_lebin2bn() which use little endian
format.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Signed-off-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NDr. Stephen Henson <steve@openssl.org>

PACKET contents should be read-only. To achieve this, also
- constify two user callbacks
- constify BUF_reverse.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NAndy Polyakov <appro@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

This includes basic constraints, key usages, issuer EKUs and auxiliary
trust OIDs (given a trust suitably related to the intended purpose).

Added tests and updated documentation.
Reviewed-by: NDr. Stephen Henson <steve@openssl.org>

New functions to return internal pointer for order and cofactor. This
avoids the need to allocate a new BIGNUM which to copy the value to.
Simplify code to use new functions.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Signed-off-by: NRich Salz <rsalz@akamai.com>
Reviewed-by: NDr. Stephen Henson <steve@openssl.org>

PR#4280
Reviewed-by: NTim Hudson <tjh@openssl.org>

Also turn B<foo> into foo() in the pod page.
Reviewed-by: NViktor Dukhovni <viktor@openssl.org>

RT4264, RT4268
Reviewed-by: NTim Hudson <tjh@openssl.org>

The SSL and SSL_CTX structures are reference counted. However since libssl
was made opaque there is no way for users of the library to manipulate the
reference counts. This adds functions to enable that.
Reviewed-by: NStephen Henson <steve@openssl.org>

Signed-off-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NKurt Roeckx <kurt@openssl.org>

It is sometimes useful (especially in automated tests) to supply
multiple trusted or untrusted certificates via separate files rather
than have to prepare a single file containing them all.

To that end, change verify(1) to accept these options zero or more
times.  Also automatically set -no-CAfile and -no-CApath when
-trusted is specified.

Improve verify(1) documentation, which could still use some work.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Reviewed-by: NMatt Caswell <matt@openssl.org>

Reviewed-by: NDr. Stephen Henson <steve@openssl.org>

This avoids explicit double spaces between sentences.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Also s/s/ssl/ as appropriate in the code example.

Suggested by Claus Assmann.
Reviewed-by: NRich Salz <rsalz@openssl.org>

It turns out that -pause calls the undocumented function SSL_set_debug.
That just sets flag inside the SSL structure.  That flag, despite
the command is never used.  So remove the flag, the field, and the
function.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Add CRYPTO_EX_DATA add EndC_KEY_[gs]et_method, From Roumen Petrov.
Had to add various exdata calls to init/copy/free the exdata.
Had to remove const from some EC functions because exdata isn't
const-correct. :(
Also remove EC_EXTRA_DATA and use a union to hold the possible
pre-computed values and an enum to tell which value is in the
union. (Rich Salz)
Reviewed-by: NDr. Stephen Henson <steve@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

Fix the docs, and refactor some common code.
Reviewed-by: NViktor Dukhovni <viktor@openssl.org>

These now take and return unsigned long, and get is constified.
Updated related documentation and util/ssleay.num
Reviewed-by: NMatt Caswell <matt@openssl.org>

Make CRYPTO_mem_leaks() and CRYPTO_mem_leaks_fp() return a status value.
Update documentation. Don't abort() if there are leaks.
Reviewed-by: NViktor Dukhovni <viktor@openssl.org>

Also always abort() on leak failure.
Reviewed-by: NStephen Henson <steve@openssl.org>

Reviewed-by: NDr. Stephen Henson <steve@openssl.org>