Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5139)

The getters for min and max proto version wrongly passed NULL instead of
0 as third argument to SSL_ctrl() and SSL_CTX_ctrl(). The third argument
is not used, but the error results in a compiler warning:

warning: passing argument 3 of ‘SSL_CTX_ctrl’ makes integer from pointer without a cast [-Wint-conversion]
int v = SSL_CTX_get_max_proto_version(self->ctx);

See https://github.com/openssl/openssl/pull/4364Signed-off-by: NChristian Heimes <christian@python.org>
Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NKurt Roeckx <kurt@roeckx.be>
Reviewed-by: NBen Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/5128)

When using the SSL_CTX_get_min_min_version macro while compiling with
-Wall, my compiler rightfully complains about this construction:

warning: passing argument 3 of ‘SSL_CTX_ctrl’ makes integer from
pointer without a cast [-Wint-conversion]

These macro's should use 0, instead of NULL, for the third argument,
like most other SSL_CTX_ctrl 'get' wrappers do.

CLA: trivial
Signed-off-by: NSteffan Karger <steffan.karger@fox-it.com>
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NKurt Roeckx <kurt@roeckx.be>
Reviewed-by: NBen Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/5099)

Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4190)

Correct error return value in OCSP_basic_sign().
Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4190)

Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4190)

Make editorial changes suggested by Rich Salz and add the -rsigopt option to the man page for the ocsp command.
Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4190)

Add a -rsigopt option to the ocsp command that allows signature parameters to be provided for the signing of OCSP responses. The parameters that may be provided to -rsigopt are the same as may be provided to -sigopt in the ca, req, and x509 commands.

This PR also defines a OCSP_basic_sign_ctx() function, which functions in the same way as OCSP_basic_sign(), except that it accepts a EVP_MD_CTX rather than a key and digest. The OCSP_basic_sign_ctx() function is used to implement the -rsigopt option in the ocsp command.
Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4190)

Reviewed-by: NBernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5142)

Reviewed-by: NBen Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4435)

Reviewed-by: NBen Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4435)

Reviewed-by: NBen Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4435)

Probably this is the CCS between the first and second ClientHellos. It
should be ignored.
Reviewed-by: NBen Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4435)

Fixes #4283
Reviewed-by: NBen Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4435)

Fixes some bugs identified during testing.
Reviewed-by: NBen Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4435)

Reviewed-by: NBen Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4435)

Reviewed-by: NBen Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4435)

Reviewed-by: NBen Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4435)

Reviewed-by: NBen Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4435)

This enables sending and receiving of the TLSv1.3 cookie on the server side
as appropriate.
Reviewed-by: NBen Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4435)

Reviewed-by: NBen Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4435)

This just adds the various extension functions. More changes will be
required to actually use them.
Reviewed-by: NBen Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4435)

Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5153)

We incorrectly assumed that explicit dependencies meant that the
source directory would be added for inclusion.  However, if the
dependent file is generated, it's stored in the build directory, and
that should be used for inclusion rather than the source directory.
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5153)

This ensures that only one set of includes is associated with each
object file, reagardless of where it's used.

For example, if apps/build.info has this:

    SOURCE[openssl]=foo.c
    INCLUDE[openssl]=.. ../include

and test/build.info has this:

    SOURCE[footest]=../apps/foo.c
    INCLUDE[footest]=../include

The inclusion directories used for apps/foo.o would differ depending
on which program's dependencies get generated first in the build file.

With this change, all those INCLUDEs get combined into one set of
inclusion directories tied to the object file.
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5153)

Support added for these two digests, available only via the EVP interface.
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5093)

EVP_PKEY_asn1_find_str() would search through standard asn1 methods
first, then those added by the application, which EVP_PKEY_asn1_find()
worked the other way around.  Also, EVP_PKEY_asn1_find_str() didn't
handle aliases.

This change brings EVP_PKEY_asn1_find_str() closer to EVP_PKEY_asn1_find().

Fixes #5086
Reviewed-by: NBernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5137)

This reverts commit d85722d3.
Reviewed-by: NBernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5137)

The 'loop' variable is only used if EC is available.
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5149)

Thanks to Nicolas Schodet for pointing this out.
Reviewed-by: NTim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5141)

Since libssl requires libcrypto and libcrypto.pc already has
Libs.private set exactly the same, there's no reason to repeat it in
libssl.pc.
Reviewed-by: NBernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5134)

Even -pthread gets treated that way.  The reason to do this is so it
ends up in 'Libs.private' in libcrypto.pc.

Fixes #3884
Reviewed-by: NBernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5134)

Fixes #5143
Reviewed-by: NTim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5144)

Thanks to David Vernet for reporting this.
Reviewed-by: NTim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5140)

That inclusion turned out to be completely unnecessary

[extended tests]
Reviewed-by: NBernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5136)

Based on code from Matthias Ballreich, Steve Henson, and Wolf Tobias.
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4724)

This includes unnecessary use of the top as inclusion directory
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NBernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5132)

Fixes #5090
Reviewed-by: NBen Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/5097)

An index.txt entry which has an empty Subject name field will cause ca
to crash. Therefore check it when we load it to make sure its not empty.

Fixes #5109
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5114)

Misconfiguration (e.g. an empty policy section in the config file) can
lead to an empty Subject. Since certificates should have unique Subjects
this should not be allowed.
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5114)