Fix miscellaneous NULL pointer derefs in the sureware engine.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

In ssl3_send_new_session_ticket the message to be sent is constructed. We
skip adding the length of the session ticket initially, then call
ssl_set_handshake_header, and finally go back and add in the length of the
ticket. Unfortunately, in DTLS, ssl_set_handshake_header also has the side
effect of buffering the message for subsequent retransmission if required.
By adding the ticket length after the call to ssl_set_handshake_header the
message that is buffered is incomplete, causing an invalid message to be
sent on retransmission.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

In DTLS, immediately prior to epoch change, the write_sequence is supposed
to be stored in s->d1->last_write_sequence. The write_sequence is then reset
back to 00000000. In the event of retransmits of records from the previous
epoch, the last_write_sequence is restored. This commit fixes a bug in
DTLS1.2 where the write_sequence was being reset before last_write_sequence
was saved, and therefore retransmits are sent with incorrect sequence
numbers.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Start ensuring all OpenSSL "free" routines allow NULL, and remove
any if check before calling them.
This gets DH_free, DSA_free, RSA_free
Reviewed-by: NMatt Caswell <matt@openssl.org>

Reviewed-by: NRichard Levitte <levitte@openssl.org>

Thanks to the change of mkdef.pl, a few more deprecated functions were
properly defined in util/libeay.num.
Reviewed-by: NMatt Caswell <matt@openssl.org>

For the moment, this is specially crafted for DECLARE_DEPRECATED because
that's where we found the problem, but it can easily be expanded to other
types of special delarations when needed.
Reviewed-by: NMatt Caswell <matt@openssl.org>

Disable loop checking when we retry verification with an alternative path.
This fixes the case where an intermediate CA is explicitly trusted and part
of the untrusted certificate list. By disabling loop checking for this case
the untrusted CA can be replaced by the explicitly trusted case and
verification will succeed.
Reviewed-by: NMatt Caswell <matt@openssl.org>

Reviewed-by: NMatt Caswell <matt@openssl.org>

Reviewed-by: NMatt Caswell <matt@openssl.org>

If a set of certificates is supplied to OCSP_basic_verify use those in
addition to any present in the OCSP response as untrusted CAs when
verifying a certificate chain.

PR#3668
Reviewed-by: NMatt Caswell <matt@openssl.org>

Reviewed-by: NMatt Caswell <matt@openssl.org>

Move EVP internals to evp_int.h, remove -Ievp hack from crypto/Makefile
Reviewed-by: NMatt Caswell <matt@openssl.org>

Move ASN.1 internals used across multiple directories into new internal
header file asn1_int.h remove crypto/Makefile hack which allowed other
directories to include "asn1_locl.h"
Reviewed-by: NMatt Caswell <matt@openssl.org>

Start ensuring all OpenSSL "free" routines allow NULL, and remove
any if check before calling them.
This gets ASN1_OBJECT_free and ASN1_STRING_free.
Reviewed-by: NMatt Caswell <matt@openssl.org>

Fix compilation failure when SCTP is compiled due to incorrect define.
Reported-by: NConrad Kostecki <ck+gentoobugzilla@bl4ckb0x.de>
URL: https://bugs.gentoo.org/543828

RT#3758
Signed-off-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NTim Hudson <tjh@openssl.org>

Reviewed-by: NMatt Caswell <matt@openssl.org>

Reviewed-by: NMatt Caswell <matt@openssl.org>

Thanks to a -I.., the path does work, at least on unix.  However, this
doesn't work so well on VMS.  Correcting the path to not rely on given
-I does work on both.
Reviewed-by: NMatt Caswell <matt@openssl.org>

Reviewed-by: NMatt Caswell <matt@openssl.org>

Remove old ASN.1 COMPAT type. This was meant as a temporary measure
so older ASN.1 code (from OpenSSL 0.9.6) still worked. It's a hack
which breaks constification and hopefully nothing uses it now, if
it ever did.
Reviewed-by: NMatt Caswell <matt@openssl.org>

It was saying that it was an illegal parameter / unsupported cipher
Reviewed-by: NMatt Caswell <matt@openssl.org>

The certificate already contains the DH parameters in that case.
ssl3_send_server_key_exchange() would fail in that case anyway.
Reviewed-by: NMatt Caswell <matt@openssl.org>

Also removes for it being NULL
Reviewed-by: NMatt Caswell <matt@openssl.org>

Remove x_exten.c and x_exten.o from crypto/asn1/Makefile: they've moved now.
Reviewed-by: NMatt Caswell <matt@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

Fix missing return value check in dtls1_listen when calling SSL_clear().
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Change ssl_set_handshake_header from return void to returning int, and
handle error return code appropriately.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Ensure that all libssl functions called from within the apps have their
return values checked where appropriate.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Ensure that all functions have their return values checked where
appropriate. This covers all functions defined and called from within
libssl.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Mark most functions returning a result defined in any libssl header file
with __owur to warn if they are used without checking the return value.
Use -DUNUSED_RETURN compiler flag with gcc to activate these warnings.
Some functions returning a result are skipped if it is common and valid to
use these functions without checking the return value.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

In order to receive warnings on unused function return values the flag
-DDEBUG_UNUSED must be passed to the compiler. This change adds that for the
--strict-warnings Configure option.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Reviewed-by: NMatt Caswell <matt@openssl.org>

Follow up on the earlier "Do not keep TABLE in version control".
Actually removing TABLE from version control was forgotten.
Reviewed-by: NMatt Caswell <matt@openssl.org>

Don't check that the curve appears in the list of acceptable curves for the
peer, if they didn't send us such a list (RFC 4492 does not require that the
extension be sent).
Reviewed-by: NEmilia Käsper <emilia@openssl.org>

Reviewed-by: NMatt Caswell <matt@openssl.org>

Remove {i2d,d2i}_ASN1_BOOLEAN.

Rewrite single occurrence of d2i_ASN1_BOOLEAN in asn1_parse2
Reviewed-by: NRich Salz <rsalz@openssl.org>

Remove old M_ASN1_ macros and replace any occurences with the corresponding
function.

Remove d2i_ASN1_bytes, d2i_ASN1_SET, i2d_ASN1_SET: no longer used internally.
Reviewed-by: NRich Salz <rsalz@openssl.org>

In cooperation with Ard Biesheuvel (Linaro) and Sami Tolvanen (Google).
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Using $t is an artifact from the earlier changes in Configure and was
unfortunately forgotten as is.
Reviewed-by: NStephen Henson <steve@openssl.org>