Reviewed-by: NRichard Levitte <levitte@openssl.org>

The protocol selection code is now consolidated in a few consecutive
short functions in a single file and is table driven.  Protocol-specific
constraints that influence negotiation are moved into the flags
field of the method structure.  The same protocol version constraints
are now applied in all code paths.  It is now much easier to add
new protocol versions without reworking the protocol selection
logic.

In the presence of "holes" in the list of enabled client protocols
we no longer select client protocols below the hole based on a
subset of the constraints and then fail shortly after when it is
found that these don't meet the remaining constraints (suiteb, FIPS,
security level, ...).  Ideally, with the new min/max controls users
will be less likely to create "holes" in the first place.
Reviewed-by: NKurt Roeckx <kurt@openssl.org>

Reviewed-by: NViktor Dukhovni <viktor@openssl.org>

Reviewed-by: NTim Hudson <tjh@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

Previous versions of OpenSSL had the max size limit for a CertificateRequest
message as |s->max_cert_list|. Previously master had it to be
SSL3_RT_MAX_PLAIN_LENGTH. However these messages can get quite long if a
server is configured with a long list of acceptable CA names. Therefore
the size limit has been increased to be consistent with previous versions.

RT#4198
Reviewed-by: NViktor Dukhovni <viktor@openssl.org>

Move all calls of the OCSP callback into one place, rather than repeating it
in two different places.
Reviewed-by: NViktor Dukhovni <viktor@openssl.org>

If a server sends the status_request extension then it may choose
to send the CertificateStatus message. However this is optional.
We were treating it as mandatory and the connection was failing.

Thanks to BoringSSL for reporting this issue.

RT#4120
Reviewed-by: NViktor Dukhovni <viktor@openssl.org>

Reviewed-by: NMatt Caswell <matt@openssl.org>

Reviewed-by: NMatt Caswell <matt@openssl.org>

Reviewed-by: NMatt Caswell <matt@openssl.org>

Reviewed-by: NMatt Caswell <matt@openssl.org>

Suggested by David Benjamin
Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NViktor Dukhovni <openssl-users@dukhovni.org>

MR: #1520

When EC is disabled, and an error occurs in ssl_generate_master_secret()
or RAND_bytes(), the error path does not free rsa_decrypt.

RT#4197
Reviewed-by: NRichard Levitte <levitte@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>

After the recent change to use ossl_inline, builds were failing on some
platforms due to a missing usage of "inline".
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Remove all fixed DH ciphersuites and associated logic.
Reviewed-by: NMatt Caswell <matt@openssl.org>

Reviewed-by: NMatt Caswell <matt@openssl.org>

Since we don't use the eay style any more, there's no point tryint to
tell emacs to use it.
Reviewed-by: NMatt Caswell <matt@openssl.org>

Rename BUF_{strdup,strlcat,strlcpy,memdup,strndup,strnlen}
to OPENSSL_{strdup,strlcat,strlcpy,memdup,strndup,strnlen}
Add #define's for the old names.
Add CRYPTO_{memdup,strndup}, called by OPENSSL_{memdup,strndup} macros.
Reviewed-by: NTim Hudson <tjh@openssl.org>

Reviewed-by: NRichard Levitte <levitte@openssl.org>

Reviewed-by: NRichard Levitte <levitte@openssl.org>

Reviewed-by: NRichard Levitte <levitte@openssl.org>

Remove incomplete non-functional ECDH client authentication code.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Since auto ecdh is now always used SSL_OP_SINGLE_ECDH_USE is
redundant. Simplify associated code.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Reviewed-by: NRichard Levitte <levitte@openssl.org>

Reviewed-by: NTim Hudson <tjh@openssl.org>

Reviewed-by: NBen Laurie <ben@openssl.org>

Reviewed-by: NMatt Caswell <matt@openssl.org>

GCM and CCM are modes of operation for block ciphers only. ChaCha20-Poly1305
operates in neither of them but it is AEAD. This change also enables future
AEAD ciphers to be available for use with DTLS.
Signed-off-by: NRich Salz <rsalz@akamai.com>
Reviewed-by: NMatt Caswell <matt@openssl.org>

This reverts commit 777f482d.
Author credit missing.  Reverting this and re-committing with
an Author line.
Reviewed-by: NMatt Caswell <matt@openssl.org>

GCM and CCM are modes of operation for block ciphers only. ChaCha20-Poly1305
operates in neither of them but it is AEAD. This change also enables future
AEAD ciphers to be available for use with DTLS.
Signed-off-by: NRich Salz <rsalz@akamai.com>
Reviewed-by: NMatt Caswell <matt@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

A BIO_flush call in the DTLS code was not correctly setting the |rwstate|
variable to SSL_WRITING. This means that SSL_get_error() will not return
SSL_ERROR_WANT_WRITE in the event of an IO retry.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

If using DTLS and NBIO then if a second or subsequent handshake message
fragment hits a retry, then the retry attempt uses the wrong fragment
offset value. This commit restores the fragment offset from the last
attempt.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Reviewed-by: NStephen Henson <steve@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

This change required some special treatment, as HMAC is intertwined
with EVP_MD.  For now, all local HMAC_CTX variables MUST be
initialised with HMAC_CTX_EMPTY, or whatever happens to be on the
stack will be mistaken for actual pointers to EVP_MD_CTX.  This will
change as soon as HMAC_CTX becomes opaque.

Also, since HMAC_CTX_init() can fail now, its return type changes from
void to int, and it will return 0 on failure, 1 on success.
Reviewed-by: NRich Salz <rsalz@openssl.org>