Matt's note: I added a call to X509V3err to Kurt's original patch.

RT#3840
Signed-off-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NRich Salz <rsalz@openssl.org>

This would cause memory corruption in opt_init() because it relies on the
terminating NULL.

RT#3842
Reviewed-by: NRich Salz <rsalz@openssl.org>

clang says: "s_cb.c:958:9: error: implicitly declaring library function
'memcpy'"
Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NRichard Levitte <levitte@openssl.org>

If sk_SSL_CIPHER_new_null() returns NULL then ssl_bytes_to_cipher_list()
should also return NULL.

Based on an original patch by mrpre <mrpre@163.com>.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Add SSL_use_certiicate_chain file functions: this is works the same
way as SSL_CTX_use_certificate_chain_file but for an SSL structure.

Update SSL_CONF code to use the new function.
Update docs.
Update ordinals.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NRich Salz <rsalz@akamai.com>

For the various string-compare routines (strcmp, strcasecmp, str.*cmp)
use "strcmp()==0" instead of "!strcmp()"
Reviewed-by: NTim Hudson <tjh@openssl.org>

If server requests a certificate, but the client doesn't send one, cache
digested records. This is an optimisation and ensures the correct finished
mac is used when extended master secret is used with client authentication.
Reviewed-by: NTim Hudson <tjh@openssl.org>

Reviewed-by: NTim Hudson <tjh@openssl.org>

The file name given to -CAserial might not exist yet.  The
-CAcreateserial option decides if this is ok or not.

Previous to this change, -CAserial was a type '<' option, and in that
case, the existence of the file given as argument is tested quite
early, and is a failure if it doesn't.  With the type 's' option, the
argument is just a string that the application can do whatever it
wants with.
Reviewed-by: NRich Salz <rsalz@openssl.org>

This is just to make sure that option is tested on a Unix build.  This
option is already present in ms/testss.bat, so it's an easy steal.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Add command line switch entries to table and return SSL_CONF_TYPE_NONE for
them in SSL_CONF_cmd_value_type.

Update docs.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Compiling OpenSSL code with MSVC and /W4 results in a number of warnings.
One category of warnings is particularly interesting - C4701 (potentially
uninitialized local variable 'name' used). This warning pretty much means
that there's a code path which results in uninitialized variables being used
or returned. Depending on compiler, its options, OS, values in registers
and/or stack, the results can be nondeterministic. Cases like this are very
hard to debug so it's rational to fix these issues.

This patch contains a set of trivial fixes for all the C4701 warnings (just
initializing variables to 0 or NULL or appropriate error code) to make sure
that deterministic values will be returned from all the execution paths.

RT#3835
Signed-off-by: NMatt Caswell <matt@openssl.org>

Matt's note: All of these appear to be bogus warnings, i.e. there isn't
actually a code path where an unitialised variable could be used - its just
that the compiler hasn't been able to figure that out from the logic. So
this commit is just about silencing spurious warnings.
Reviewed-by: NRich Salz <rsalz@openssl.org>

A copy&paste error as a result of the big apps cleanup broke the version
specific methods in s_server.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Just as with the OPENSSL_malloc calls, consistently use sizeof(*ptr)
for memset and memcpy.  Remove needless casts for those functions.
For memset, replace alternative forms of zero with 0.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

What could be better than to refer to the RFC that defines it?
Reviewed-by: NStephen Henson <steve@openssl.org>

Fix error in WIN32_rename() introduced by commit b4faea50.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NMatt Caswell <matt@openssl.org>

Reviewed-by: NMatt Caswell <matt@openssl.org>

Ensure all fatal errors transition into the new error state for DTLS.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Ensure all fatal errors transition into the new error state on the client
side.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Ensure all fatal errors transition into the new error state on the server
side.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Reusing an SSL object when it has encountered a fatal error can
have bad consequences. This is a bug in application code not libssl
but libssl should be more forgiving and not crash.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NMatt Caswell <matt@openssl.org>

Reviewed-by: NRichard Levitte <levitte@openssl.org>

Reviewed-by: NDr. Stephen Henson <steve@openssl.org>

Signed-off-by: Nmancha security <mancha1@zoho.com>
Signed-off-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NDr. Stephen Henson <steve@openssl.org>

Signed-off-by: Nmancha security <mancha1@zoho.com>
Signed-off-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NDr. Stephen Henson <steve@openssl.org>

Remove dependency on ssl_locl.h from v3_scts.c, and incidentally fix a build problem with
kerberos (the dependency meant v3_scts.c was trying to include krb5.h, but without having been
passed the relevanant -I flags to the compiler)
Reviewed-by: NDr. Stephen Henson <steve@openssl.org>

RLE is a no-op only for testing.  Remove it.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

If CA.pl is reading from /dev/null, then "chop $FILE" gives a warning.
Sigh.  Have to add "if $FILE".  This just silences a build warning.
Thanks to GitHub user andrejs-igumenovs for help with this.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

For a local variable:
        TYPE *p;
Allocations like this are "risky":
        p = OPENSSL_malloc(sizeof(TYPE));
if the type of p changes, and the malloc call isn't updated, you
could get memory corruption.  Instead do this:
        p = OPENSSL_malloc(sizeof(*p));
Also fixed a few memset() calls that I noticed while doing this.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

RT2943 only complains about the incorrect check of -K argument size,
we might as well do the same thing with the -iv argument.

Before this, we only checked that the given argument wouldn't give a
bitstring larger than EVP_MAX_KEY_LENGTH.  we can be more precise and
check against the size of the actual cipher used.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

Was memset with wrong sizeof.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Don't do access check on destination directory; it breaks when euid/egid
is different from real uid/gid.
Reviewed-by: NRichard Levitte <levitte@openssl.org>
Signed-off-by: NRich Salz <rsalz@akamai.com>

Thanks to Brian Carpenter for reporting this issue.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Reviewed-by: NTim Hudson <tjh@openssl.org>

Incorrect name used for SSL_AD_INTERNAL_ERROR.
Signed-off-by: Nmancha security <mancha1@zoho.com>
Signed-off-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NRich Salz <rsalz@openssl.org>

This is the last of Alok's PR260
Reviewed-by: NTim Hudson <tjh@openssl.org>