Previous commit 7bb196a7 attempted to "fix" a problem with the way
SSL_shutdown() behaved whilst in mid-handshake. The original behaviour had
SSL_shutdown() return immediately having taken no action if called mid-
handshake with a return value of 1 (meaning everything was shutdown
successfully). In fact the shutdown has not been successful.

Commit 7bb196a7 changed that to send a close_notify anyway and then
return. This seems to be causing some problems for some applications so
perhaps a better (much simpler) approach is revert to the previous
behaviour (no attempt at a shutdown), but return -1 (meaning the shutdown
was not successful).

This also fixes a bug where SSL_shutdown always returns 0 when shutdown
*very* early in the handshake (i.e. we are still using SSLv23_method).
Reviewed-by: NViktor Dukhovni <viktor@openssl.org>

Reviewed-by: NViktor Dukhovni <viktor@openssl.org>

Adds a new function BIO_ADDR_clear to reset a BIO_ADDR back to an
unitialised state, and to set the family to AF_UNSPEC.
Reviewed-by: NViktor Dukhovni <viktor@openssl.org>

Signed-off-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>

The DTLSv1_listen function exposed details of the underlying BIO
abstraction and did not properly allow for IPv6. This commit changes the
"peer" argument to be a BIO_ADDR and makes it a first class function
(rather than a ctrl) to ensure proper type checking.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Replace all magic numbers with #defined constants except in boolean
functions that return 0 for failure and 1 for success.  Avoid a
couple memory leaks in error recovery code paths.  Code style
improvements.
Reviewed-by: NDr. Stephen Henson <steve@openssl.org>

Add new function EC_KEY_priv2buf() to allocated and encode private
key octet in one call. Update and simplify ASN.1 and print routines.
Reviewed-by: NViktor Dukhovni <viktor@openssl.org>

Update EC ASN.1 and print routines to use EC_KEY_oct2priv and
EC_KEY_priv2oct.
Reviewed-by: NViktor Dukhovni <viktor@openssl.org>

New functions EC_KEY_oct2priv and EC_KEY_priv2oct. These are private key
equivalents of EC_POINT_oct2point and EC_POINT_point2oct which convert
between the private key octet format and EC_KEY.
Reviewed-by: NViktor Dukhovni <viktor@openssl.org>

Reviewed-by: NViktor Dukhovni <viktor@openssl.org>

Reviewed-by: NKurt Roeckx <kurt@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>

Windows doesn't have h_error or hstrerror()
Reviewed-by: NRichard Levitte <levitte@openssl.org>

MR: #1848

Reviewed-by: NMatt Caswell <matt@openssl.org>

And some others found in the Internet.
Reviewed-by: NViktor Dukhovni <viktor@openssl.org>

Reviewed-by: NRichard Levitte <levitte@openssl.org>

Reviewed-by: NKurt Roeckx <kurt@openssl.org>

Reviewed-by: NKurt Roeckx <kurt@openssl.org>

Reviewed-by: NKurt Roeckx <kurt@openssl.org>

Reviewed-by: NKurt Roeckx <kurt@openssl.org>

Added functions:

BIO_socket
BIO_connect
BIO_listen
BIO_accept_ex
BIO_closesocket
BIO_sock_info

These get deprecated:

BIO_gethostbyname
BIO_get_port
BIO_get_host_ip
BIO_get_accept_socket
BIO_accept
Reviewed-by: NKurt Roeckx <kurt@openssl.org>

Reviewed-by: NKurt Roeckx <kurt@openssl.org>

Because different platforms have different levels of support for IPv6,
different kinds of sockaddr variants, and some have getaddrinfo et al
while others don't, we could end up with a mess if ifdefs, duplicate
code and other maintainance nightmares.

Instead, we're introducing wrappers around the common form for socket
communication:
BIO_ADDR, closely related to struct sockaddr and some of its variants.
BIO_ADDRINFO, closely related to struct addrinfo.

With that comes support routines, both convenient creators and
accessors, plus a few utility functions:

BIO_parse_hostserv, takes a string of the form host:service and
splits it into host and service.  It checks for * in both parts, and
converts any [ipv6-address] syntax to ust the IPv6 address.

BIO_lookup, looks up information on a host.

All routines handle IPv4 (AF_INET) and IPv6 (AF_INET6) addresses, and
there is support for local sockets (AF_UNIX) as well.
Reviewed-by: NKurt Roeckx <kurt@openssl.org>

Reviewed-by: NDr. Stephen Henson <steve@openssl.org>

Add new function BN_bn2binpad() which checks the length of the output
buffer and pads the result with zeroes if necessary.

New functions BN_bn2lebinpad() and BN_lebin2bn() which use little endian
format.
Reviewed-by: NRich Salz <rsalz@openssl.org>

PACKET contents should be read-only. To achieve this, also
- constify two user callbacks
- constify BUF_reverse.
Reviewed-by: NRich Salz <rsalz@openssl.org>

When auxiliary data contains only reject entries, continue to trust
self-signed objects just as when no auxiliary data is present.

This makes it possible to reject specific uses without changing
what's accepted (and thus overring the underlying EKU).

Added new supported certs and doubled test count from 38 to 76.
Reviewed-by: NDr. Stephen Henson <steve@openssl.org>

This includes basic constraints, key usages, issuer EKUs and auxiliary
trust OIDs (given a trust suitably related to the intended purpose).

Added tests and updated documentation.
Reviewed-by: NDr. Stephen Henson <steve@openssl.org>

New functions to return internal pointer for order and cofactor. This
avoids the need to allocate a new BIGNUM which to copy the value to.
Simplify code to use new functions.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Signed-off-by: NRich Salz <rsalz@akamai.com>
Reviewed-by: NDr. Stephen Henson <steve@openssl.org>

Reviewed-by: NKurt Roeckx <kurt@openssl.org>

Remove OPENSSL_IMPORT as its only purpose is to define OPENSSL_EXTERN.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

There was an unused macro in ssl_locl.h that used an internal
type, so I removed it.
Move bio_st from bio.h to ossl_type.h
Reviewed-by: NAndy Polyakov <appro@openssl.org>

Can't hurt and seems to prevent problems from some over-aggressive
(LTO?) compilers.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

PR#4280
Reviewed-by: NTim Hudson <tjh@openssl.org>

By default X509_check_trust() trusts self-signed certificates from
the trust store that have no explicit local trust/reject oids
encapsulated as a "TRUSTED CERTIFICATE" object.  (See the -addtrust
and -trustout options of x509(1)).

This commit adds a flag that makes it possible to distinguish between
that implicit trust, and explicit auxiliary settings.

With flags |= X509_TRUST_NO_SS_COMPAT, a certificate is only trusted
via explicit trust settings.
Reviewed-by: NDr. Stephen Henson <steve@openssl.org>

A new return value for DH_check_pub_key was recently added:
DH_CHECK_PUBKEY_INVALID. As this is a flag which can be ORed with other
return values it should have been set to the value 4 not 3.

RT#4278
Reviewed-by: NAndy Polyakov <appro@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

Historically OpenSSL only ever generated DH parameters based on "safe"
primes. More recently (in version 1.0.2) support was provided for
generating X9.42 style parameter files such as those required for RFC
5114 support. The primes used in such files may not be "safe". Where an
application is using DH configured with parameters based on primes that
are not "safe" then an attacker could use this fact to find a peer's
private DH exponent. This attack requires that the attacker complete
multiple handshakes in which the peer uses the same DH exponent.

A simple mitigation is to ensure that y^q (mod p) == 1

CVE-2016-0701

Issue reported by Antonio Sanso.
Reviewed-by: NViktor Dukhovni <viktor@openssl.org>

Reviewed-by: NMatt Caswell <matt@openssl.org>

Also turn B<foo> into foo() in the pod page.
Reviewed-by: NViktor Dukhovni <viktor@openssl.org>