Can't hurt and seems to prevent problems from some over-aggressive
(LTO?) compilers.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

top_dir() are used to create directory names, top_file() should be
used for files.  In a Unixly environment, that doesn't matter, but...
Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NViktor Dukhovni <viktor@openssl.org>

Reviewed-by: NViktor Dukhovni <viktor@openssl.org>

Reviewed-by: NViktor Dukhovni <viktor@openssl.org>

Reviewed-by: NViktor Dukhovni <viktor@openssl.org>

PR#4280
Reviewed-by: NTim Hudson <tjh@openssl.org>

Not all architectures have a time_t defined the same way.  To make
sure we get the same result, we need to cast &checkoffset to (intmax_t *)
and make sure that intmax_t is defined somehow.

To make really sure we don't pass a variable with the wrong size down
to opt_imax(), we use a temporary intmax_t.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NViktor Dukhovni <viktor@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

Also remove $Makefile variable :)
Reviewed-by: NAndy Polyakov <appro@openssl.org>

As a side-effect of opaque x509, ex_flags were looked up too early,
before additional policy cache updates.
Reviewed-by: NDr. Stephen Henson <steve@openssl.org>

Reviewed-by: NRichard Levitte <levitte@openssl.org>

This is a time_t and can be zero or negative.  So use 'M' (maximal
signed int) not 'p' (positive int).
Reviewed-by: NRich Salz <rsalz@openssl.org>

Some last lflags to convert to ex_libs or a combo of lflags and ex_libs
Reviewed-by: NRich Salz <rsalz@openssl.org>

The lflags configuration had a weird syntax with a % as separator.  If
it was present, whatever came before ended up as PEX_LIBS in Makefile
(usually, this is LDFLAGS), while whatever came after ended up as
EX_LIBS.

This change splits that item into lflags and ex_libs, making their use
more explicit.

Also, PEX_LIBS in all the Makefiles are renamed to LDFLAGS.
Reviewed-by: NRich Salz <rsalz@openssl.org>

A few more sub-joins could be replaced with calls to add() and add_before()
Reviewed-by: NRich Salz <rsalz@openssl.org>

This reverts commit a450326e.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NRichard Levitte <levitte@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

Remove depend hacks from demos/engines.
Remove clean-depend; just call makedepend (or $CC -M) and use that.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

By default X509_check_trust() trusts self-signed certificates from
the trust store that have no explicit local trust/reject oids
encapsulated as a "TRUSTED CERTIFICATE" object.  (See the -addtrust
and -trustout options of x509(1)).

This commit adds a flag that makes it possible to distinguish between
that implicit trust, and explicit auxiliary settings.

With flags |= X509_TRUST_NO_SS_COMPAT, a certificate is only trusted
via explicit trust settings.
Reviewed-by: NDr. Stephen Henson <steve@openssl.org>

The use of the uninitialized buffer in the RNG has no real security
benefits and is only a nuisance when using memory sanitizers.
Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NViktor Dukhovni <viktor@openssl.org>

This is a followin from !1738, we no longer need those variables.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Add tests for have_precompute_mult for the optimised curves (nistp224,
nistp256 and nistp521) if present
Reviewed-by: NRichard Levitte <levitte@openssl.org>

During precomputation if the group given is well known then we memcpy a
well known precomputation. However we go the wrong label in the code and
don't store the data properly. Consequently if we call have_precompute_mult
the data isn't there and we return 0.

RT#3600
Reviewed-by: NRichard Levitte <levitte@openssl.org>

The function DH_check_pub_key() was missing some return value checks in
some calls to BN functions.

RT#4278
Reviewed-by: NAndy Polyakov <appro@openssl.org>

A new return value for DH_check_pub_key was recently added:
DH_CHECK_PUBKEY_INVALID. As this is a flag which can be ORed with other
return values it should have been set to the value 4 not 3.

RT#4278
Reviewed-by: NAndy Polyakov <appro@openssl.org>

This extends the existing async functionality to SSL_shutdown(), i.e.
SSL_shutdown() can now casuse an SSL_ERROR_WANT_ASYNC error to be returned
from SSL_get_error() if async mode has been enabled.
Reviewed-by: NViktor Dukhovni <viktor@openssl.org>

Reviewed-by: NRichard Levitte <levitte@openssl.org>

PR#4277
Reviewed-by: NTim Hudson <tjh@openssl.org>

Reviewed-by: NRichard Levitte <levitte@openssl.org>

These tests are not built, and only usable as hand-tests so not
worth moving into our test framework.
This closes https://github.com/openssl/openssl/pull/561 and RT 4252
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Add enable-crypto-mdebug enable-rc5 enable-md2 to any target that was
--strict-warnings.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Reviewed-by: NAndy Polyakov <appro@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

Add details about the latest issues fixed in the forthcoming release.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Following on from the previous commit, add a test to ensure that
DH_compute_key correctly fails if passed a bad y such that:

y^q (mod p) != 1
Reviewed-by: NViktor Dukhovni <viktor@openssl.org>

Historically OpenSSL only ever generated DH parameters based on "safe"
primes. More recently (in version 1.0.2) support was provided for
generating X9.42 style parameter files such as those required for RFC
5114 support. The primes used in such files may not be "safe". Where an
application is using DH configured with parameters based on primes that
are not "safe" then an attacker could use this fact to find a peer's
private DH exponent. This attack requires that the attacker complete
multiple handshakes in which the peer uses the same DH exponent.

A simple mitigation is to ensure that y^q (mod p) == 1

CVE-2016-0701

Issue reported by Antonio Sanso.
Reviewed-by: NViktor Dukhovni <viktor@openssl.org>