The easiest way to take care of manifest files is to integrate them
into the associated binary (.exe or .dll).  MT (the Manifest Tool) is
the utility to use for this.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

RT#4605
Reviewed-by: NRich Salz <rsalz@openssl.org>

The set0 setters take ownership of their arguments, so the values should
be set to NULL to avoid a double-free in the cleanup block should
ssl_security(SSL_SECOP_TMP_DH) fail. Found by BoringSSL's WeakDH test.
Reviewed-by: NKurt Roeckx <kurt@openssl.org>
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1299)

Reviewed-by: NRich Salz <rsalz@openssl.org>

In light of potential UKS (unknown key share) attacks on some
applications, primarily browsers, despite RFC761, name checks are
by default applied with DANE-EE(3) TLSA records.  Applications for
which UKS is not a problem can optionally disable DANE-EE(3) name
checks via the new SSL_CTX_dane_set_flags() and friends.
Reviewed-by: NRich Salz <rsalz@openssl.org>

subject alternate names.

Add nameConstraints tests incluing DNS, IP and email tests both in
subject alt name extension and subject name.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Reviewed-by: NRichard Levitte <levitte@openssl.org>

New hostname checking function asn1_valid_host()

Check commonName entries against nameConstraints: any CN components in
EE certificate which look like hostnames are checked against
nameConstraints.

Note that RFC5280 et al only require checking subject alt name against
DNS name constraints.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

With no-deprecated, some nested includes don't happen by default.
Reviewed-by: NRich Salz <rsalz@openssl.org>

With OpenSSL 1.1 and on, the engines are tightly tied to the shared
library they're to be used with.  That makes them depend on the
pointer size as well as the shared library version, and this gets
reflected in the name of the directory they're installed in.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

We're installing architecture dependent (compiled) programs in
architecture specific directories, while architecture independent
programs (scripts) get installed in the general programs directory.
OSSL$EXE: reflects that by having two values.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Since there's been quite some changes, documentation needs updating
Reviewed-by: NRich Salz <rsalz@openssl.org>

This mostly affects 'openssl version -a', which might as well display
what we're actually looking at.
Reviewed-by: NRich Salz <rsalz@openssl.org>

We previously had a number of logical names for the different parts.
There's really no need for that, the default directories are in one
directory tree.  So we only define OSSL$DATAROOT: and make everything
related to that one.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NRichard Levitte <levitte@openssl.org>

Replace nptest with sanity test.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Commit aea145e3 removed some error codes that are generated
algorithmically: mapping alerts to error texts.  Found by
Andreas Karlsson.  This restores them, and adds two missing ones.
Reviewed-by: NMatt Caswell <matt@openssl.org>

Function-like macros are replaced with prototypes and a note
that they are implemented as macros.  Constants are just
referenced in-line in the text.

Tweak BIO_TYPE_... documentation.

Also fix RT4592.
Reviewed-by: NMatt Caswell <matt@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

We shouldn't allow both "-tls1" and "-tls1_2", or "-tls1" and "-no_tls1_2".
The only time multiple flags are allowed is where they are all "-no_<prot>".

This fixes Github Issue #1268
Reviewed-by: NRich Salz <rsalz@openssl.org>

Some Unix variants require shared libraries to have the execute
permissions set, or they won't be loadable or executable when loaded.
Among others, cygwin has this requirement.
Reviewed-by: NMatt Caswell <matt@openssl.org>

It's possible to have a very few rules for some directories and trust
that other patterns further along will take care of whatever is left.
.gitignore should therefore be loosely organised from least generic to
most generic, allowing things like this:

    # Keep any file with extensions, such as foo.c, bar.h, ...
    !/dir/*.*

    # ....

    # Remove all object files
    *.o
    *.obj

With this change, we implement some very generic rules for what will
and will not be ignored in the fuzz subdirectory, and truse that
patterns later on (such as *.o, *.obj, *.exe) will take care of
everything we didn't specifically specify for the fuzz subdirectory.
Reviewed-by: NRich Salz <rsalz@openssl.org>

If application uses any of Windows-specific interfaces, make it
application developer's respondibility to include <windows.h>.
Rationale is that <windows.h> is quite "toxic" and is sensitive
to inclusion order (most notably in relation to <winsock2.h>).
It's only natural to give complete control to the application developer.
Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>

Extended alg_print() in pkcs12 utility to support PBES2 algorithms.

RT#4588
Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

$openssldir and $enginesdir were mistakenly made unavailable to other
perl fragments.  They are still needed in the definition of CFLAGS.
Reviewed-by: NRich Salz <rsalz@openssl.org>

This logical names permits '#include <openssl/foo.h>' to work properly.
Reviewed-by: NRich Salz <rsalz@openssl.org>

OpenSSL engines are tied to the OpenSSL shared library versions,
starting with OpenSSL 1.1.  We therefore need to install them in
directories which have the shared library version in it's name, to
easily allow multiple OpenSSL versions to be installed at the same
time.

For VMS, the change is a bit more involved, primarly because the top
installation directory was already versioned, *as well as* some of the
files inside.  That's a bit too much.  Version numbering in files is
also a bit different on VMS.  The engines for shared library version
1.1 will therefore end up in OSSL$INSTROOT:[ENGINES0101.'arch']

('arch' is the architecture we build for)
Reviewed-by: NRich Salz <rsalz@openssl.org>

OpenSSL engines are tied to the OpenSSL shared library versions,
starting with OpenSSL 1.1.  We therefore need to install them in
directories which have the shared library version in it's name, to
easily allow multiple OpenSSL versions to be installed at the same
time.

For Unix, the default installation directory is changed from
$PREFIX/lib/engines to $PREFIX/lib/engines-${major}_${minor} (mingw)
or $PREFIX/lib/engines-${major}.${minor} (all but mingw)

($PREFIX is the directory given for the configuration option --prefix,
and ${major} and ${minor} are the major and minor shared library
version numbers)
Reviewed-by: NRich Salz <rsalz@openssl.org>

OpenSSL engines are tied to the OpenSSL shared library versions,
starting with OpenSSL 1.1.  We therefore need to install them in
directories which have the shared library version in it's name, to
easily allow multiple OpenSSL versions to be installed at the same
time.

For windows, the default installation directory is changed from
$PREFIX/lib/engines to $PREFIX/lib/engines-${major}_${minor}

($PREFIX is the directory given for the configuration option --prefix,
and ${major} and ${minor} are the major and minor shared library
version numbers)
Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NMatt Caswell <matt@openssl.org>

Reviewed-by: NMatt Caswell <matt@openssl.org>

Reviewed-by: NTim Hudson <tjh@openssl.org>

When creating the library $lib.olb, make sure the extension is there.
Otherwise, a logical name with the same name as the file in question
will redirect the creation elsewhere.
Reviewed-by: NTim Hudson <tjh@openssl.org>

Reviewed-by: NTim Hudson <tjh@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

The calls we made to it were redundant, as the same initialization is
done later in OPENSSL_init_crypto() anyway.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>