Document thread-safe lock creation
Reviewed-by: NRichard Levitte <levitte@openssl.org>

RT#2534
Reviewed-by: NTim Hudson <tjh@openssl.org>

RT#2558
Reviewed-by: NTim Hudson <tjh@openssl.org>

RT#2616
Reviewed-by: NTim Hudson <tjh@openssl.org>

Some setups use links inside .git directory and make clean should not
remove them to avoid breaking git meta-information.
Signed-off-by: NCristian Stoica <cristian.stoica@nxp.com>

CLA: none; trivial
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1078)

Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1063)

Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NTim Hudson <tjh@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NTim Hudson <tjh@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>

The previous commit added SSL_CTX_set_tlsext_status_type(). This one adds
some documentation for it.
Reviewed-by: NRich Salz <rsalz@openssl.org>

To allow OCSP stapling to work with libcurl.

Github PR #200
Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>

Since 50932c4a "PACKETise ServerHello processing",
ssl_next_proto_validate() incorrectly allows empty protocol name.
draft-agl-tls-nextprotoneg-04[1] says "Implementations MUST ensure that
the empty string is not included and that no byte strings are
truncated."
This patch restores the old correct behavior.

[1] https://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04Reviewed-by: NEmilia Käsper <emilia@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>

Add a status return value instead of void.
Add some sanity checks on reference counter value.
Update the docs.
Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>

- "/Ox /O2 /Ob2" get's reduced to "/O2", the reason being:

    /Ox = /Ob2 /Og /Oi /Ot /Oy /Gs
    /O2 = /Ob2 /Og /Oi /Ot /Oy /Gs /GF /Gy

- apps/openssl.cnf gets installed.

- always delete files quietly, as they might not be there.
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1075)

Fix some missing OBJ_dup failure checks.
Merged from
https://boringssl.googlesource.com/boringssl/+/0ce78a757d815c0dde9ed5884229f3a5b2cb3e9c%5E!
Reviewed-by: NKurt Roeckx <kurt@openssl.org>
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1057)

Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NKurt Roeckx <kurt@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1042)

The current limit of 2^14 bytes is too low (e.g. RFC 5246 specifies the
maximum size of just the extensions field to be 2^16-1), and may cause
bogus failures.

RT#4063
Reviewed-by: NKurt Roeckx <kurt@openssl.org>
Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/413)

Currently point to wrong address
Signed-off-by: NKirill Marinushkin <k.marinushkin@gmail.com>
Reviewed-by: NKurt Roeckx <kurt@openssl.org>
Reviewed-by: NRichard Levitte <levitte@openssl.org>

check source's kdf_ukm, not destination's

use != NULL, instead of implicit checking

don't free internal data structure like pkey_rsa_copy()
Reviewed-by: NKurt Roeckx <kurt@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>

In some cases, perl's glob() thinks it needs to return file names with
generation numbers, such as when a file name pattern includes two
periods.  Constructing other file names by simple appending to file
names with generation numbers isn't a good idea, so for the VMS case,
just peal the generation numbers if they are there.
Fortunately, this is easy, as the returned generation number delimiter
will always be a semi-colon.
Reviewed-by: NRich Salz <rsalz@openssl.org>

If the server does not send a session ticket extension, it should not then
send the NewSessionTicket message.

If the server sends the session ticket extension, it MUST then send the
NewSessionTicket message.
Reviewed-by: NEmilia Käsper <emilia@openssl.org>

Per RFC 4507, section 3.3:

   This message [NewSessionTicket] MUST be sent if the
   server included a SessionTicket extension in the ServerHello.  This
   message MUST NOT be sent if the server did not include a
   SessionTicket extension in the ServerHello.

The presence of the NewSessionTicket message should be determined
entirely from the ServerHello without probing.

RT#4389
Reviewed-by: NEmilia Käsper <emilia@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>

RT#4471
Reviewed-by: NMatt Caswell <matt@openssl.org>

RT#4302
Reviewed-by: NViktor Dukhovni <viktor@openssl.org>

Fix -signer option in smime utility to output signer certificates
when verifying.

Add support for format SMIME for -inform and -outform with cms and
smime utilities.

PR#4215
Reviewed-by: NViktor Dukhovni <viktor@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

* Configure: Replaced -DTERMIO by -DTERMIOS in CFLAGS.

* crypto/bio/bss_dgram.c [WATT32]: Remove obsolete redefinition of
  function names: sock_write, sock_read and sock_puts.

* crypto/bio/bss_sock.c [WATT32]: For Watt-32 2.2.11 sock_write,
  sock_read and sock_puts are redefined to their private names so
  their names must be undefined first before they can be redefined
  again.

* crypto/bio/bss_file.c (file_fopen) [__DJGPP__]: Make a copy of the
  passed file name and replace the leading dots in the dirname part
  and the basname part of the file name, unless LFN is supported.

* e_os.h [__DJGPP__]: Undefine macro DEVRANDOM_EGD. Neither MS-DOS nor
  FreeDOS provide 'egd' sockets.
  New macro HAS_LFN_SUPPORT checks if underlying file system supports
  long file names or not.
  Include sys/un.h.
  Define WATT32_NO_OLDIES.

* INSTALL.DJGPP: Update URL of WATT-32 library.

Submitted by Juan Manuel Guerrero <juan.guerrero@gmx.de>

RT#4217
Reviewed-by: NAndy Polyakov <appro@openssl.org>

DJGPP is a 3rd party configuration, we rely entirely on the OpenSSL to
help us fine tune and test.  Therefore, it's moved to its own config.
Reviewed-by: NAndy Polyakov <appro@openssl.org>

Reviewed-by: NDr. Stephen Henson <steve@openssl.org>

The old proxy tests test the implementation of an application proxy
policy callback defined in the test itself, which is not particularly
useful.

It is, however, useful to test cert verify overrides in
general. Therefore, replace these tests with tests for cert verify
callback behaviour.

Also glob the ssl test inputs on the .in files to catch missing
generated files.
Reviewed-by: NRich Salz <rsalz@openssl.org>

ERR_LIB_USER has value 128, and shifting into the sign bit upsets the
shift sanitizer.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Multiple digest options to the ocsp utility are allowed: e.g. to use
different digests for different certificate IDs. A digest option without
a following certificate is however illegal.

RT#4215
Reviewed-by: NRich Salz <rsalz@openssl.org>

While it seemed like a good idea to have this file once upon a time,
this kind of file belongs with the package maintainer rather than in
our source.
Reviewed-by: NRich Salz <rsalz@openssl.org>

RT#4207
Reviewed-by: NTim Hudson <tjh@openssl.org>

RT#4438
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NStephen Henson <steve@openssl.org>

RT#4403
Reviewed-by: NViktor Dukhovni <viktor@openssl.org>

This makes it possible to just run ./config on a x86_64 machine with
no extra fuss.

RT#4356
Reviewed-by: NTim Hudson <tjh@openssl.org>

Reviewed-by: NRichard Levitte <levitte@openssl.org>

Reviewed-by: NRichard Levitte <levitte@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>