Reviewed-by: NRichard Levitte <levitte@openssl.org>

If RSA or DSA is disabled we will never use a ciphersuite with
RSA/DSA authentication as it is already filtered out by the cipher
list logic.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

As numerous comments indicate the certificate and key array is not an
appopriate structure to store the peers certificate: so remove it and
just the s->session->peer instead.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Reviewed-by: NRichard Levitte <levitte@openssl.org>

Reviewed-by: NRichard Levitte <levitte@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

Since [sc]_ssl->[rw]bio aren't available, do not try to fiddle with
them.  Surely, a BIO_free on the "main" BIOs should be enough
Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

Construct bio_err and bio_stdout from file handles instead of FILE
pointers, since the latter might not be implemented (when OPENSSL_NO_STDIO
is defined).
Convert all output to use BIO_printf.
Change lh_foo to lh_SSL_SESSION_foo.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

This reverts commit d480e182.

Commit broke TLS handshakes due to fragility of digest caching: that will be
fixed separately.
Reviewed-by: NRich Salz <rsalz@openssl.org>

We always free the handshake buffer when digests are freed so move
it into ssl_free_digest_list()
Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NRichard Levitte <levitte@openssl.org>

Reviewed-by: NKurt Roeckx <kurt@openssl.org>

Reviewed-by: NKurt Roeckx <kurt@openssl.org>

When generating a private key, try to make the output file be readable
only by the owner.  Put it in CHANGES file since it might be noticeable.

Add "int private" flag to apps that write private keys, and check that it's
set whenever we do write a private key.  Checked via assert so that this
bug (security-related) gets fixed.  Thanks to Viktor for help in tracing
the code-paths where private keys are written.
Reviewed-by: NViktor Dukhovni <viktor@openssl.org>

While closing RT3588 (Remove obsolete comment) Kurt and I saw that a
few lines to completely clear the SSL cipher state could be moved into
a common function.
Reviewed-by: NKurt Roeckx <kurt@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

PR#3904
Reviewed-by: NRich Salz <rsalz@openssl.org>

It is valid for an extension block to be present in a ClientHello, but to
be of zero length.
Reviewed-by: NRichard Levitte <levitte@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>

Recent HMAC changes broke ABI compatibility due to a new field in HMAC_CTX.
This backs that change out, and does it a different way.

Thanks to Timo Teras for the concept.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Updates to CHANGES and NEWS to take account of the latest security fixes.
Reviewed-by: NRich Salz <rsalz@openssl.org>

CVE-2015-1788
Reviewed-by: NMatt Caswell <matt@openssl.org>

CVE-2015-1790
Reviewed-by: NRich Salz <rsalz@openssl.org>

Also tighten X509_cmp_time to reject more than three fractional
seconds in the time; and to reject trailing garbage after the offset.

CVE-2015-1789
Reviewed-by: NViktor Dukhovni <viktor@openssl.org>
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Fix error handling in ssl_session_dup, as well as incorrect setting up of
the session ticket. Follow on from CVE-2015-1791.

Thanks to LibreSSL project for reporting these issues.
Reviewed-by: NTim Hudson <tjh@openssl.org>

Reviewed-by: NTim Hudson <tjh@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

Determine disabled algorithm masks when algorithms are loaded instead of
recalculating them each time.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Restore GOST mac setup which was accidentally removed during cipher
refactor.
Reviewed-by: NRich Salz <rsalz@openssl.org>

This is a workaround so old that nobody remembers what buggy clients
it was for. It's also been broken in stable branches for two years and
nobody noticed (see
https://boringssl-review.googlesource.com/#/c/1694/).
Reviewed-by: NTim Hudson <tjh@openssl.org>

It should not be possible for DTLS message fragments to span multiple
packets. However previously if the message header fitted exactly into one
packet, and the fragment body was in the next packet then this would work.
Obviously this would fail if packets get re-ordered mid-flight.
Reviewed-by: NTim Hudson <tjh@openssl.org>

The underlying field returned by RECORD_LAYER_get_rrec_length() is an
unsigned int. The return type of the function should match that.
Reviewed-by: NTim Hudson <tjh@openssl.org>

In the event of an error in the HMAC function, leaks can occur because the
HMAC_CTX does not get cleaned up.

Thanks to the BoringSSL project for reporting this issue.
Reviewed-by: NRichard Levitte <levitte@openssl.org>