Note: some shells do not like the command verb to be quoted, so we avoid
it unless it's actually necessary.

RT#4665
Reviewed-by: NRich Salz <rsalz@openssl.org>

Remove NULL check on parameter, and use NULL not ! on buffer.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

The previous commit revealed a long standing problem where CertStatus
processing was broken in DTLS. This would have been revealed by better
testing - so add some!
Reviewed-by: NRich Salz <rsalz@openssl.org>

The function tls_construct_cert_status() is called by both TLS and DTLS
code. However it only ever constructed a TLS message header for the message
which obviously failed in DTLS.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

Build file templates would be looked up like this if the user gave us
an additional directory to look for configuration files and build file
templates:

    $OPENSSL_LOCAL_CONFIG_DIR/$OSTYPE-Makefile.tmpl
    $SOURCEDIR/Configurations/$OSTYPE-Makefile.tmpl
    $OPENSSL_LOCAL_CONFIG_DIR/Makefile.tmpl
    $SOURCEDIR/Configurations/Makefile.tmpl

So for example, if the user created his own Makefile.tmpl and tried to
use it with a unixly config, it would never be user because we have a
unix-Makefile.tmpl in our Configurations directory.  This is clearly
wrong, and this change makes it look in this order instead:

    $OPENSSL_LOCAL_CONFIG_DIR/$OSTYPE-Makefile.tmpl
    $OPENSSL_LOCAL_CONFIG_DIR/Makefile.tmpl
    $SOURCEDIR/Configurations/$OSTYPE-Makefile.tmpl
    $SOURCEDIR/Configurations/Makefile.tmpl
Reviewed-by: NRich Salz <rsalz@openssl.org>

We've done away with Makefile as source of information and now use
configdata.pm exclusively.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Make sure the information is kept for reconfiguration too.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NRichard Levitte <levitte@openssl.org>

Reviewed-by: NRichard Levitte <levitte@openssl.org>

Because of a perl operator priority mixup, the --openssldir argument
wasn't honored.
Reviewed-by: NTim Hudson <tjh@openssl.org>

Reviewed-by: NAndy Polyakov <appro@openssl.org>

The definition of STITCHED_CALL relies on OPENSSL_NO_ASM.  However,
when a configuration simply lacks the assembler implementation for RC4
(which is where we have implemented the stitched call), OPENSSL_NO_ASM
isn't implemented.  Better, then, to rely on specific macros that
indicated that RC4 (and MD5) are implemented in assembler.

For this to work properly, we must also make sure Configure adds the
definition of RC4_ASM among the C flags.
Reviewed-by: NAndy Polyakov <appro@openssl.org>

EC DRBG support was added in 7fdcb457 in 2011 and then later removed.
However the CHANGES entry for its original addition was left behind.
This just removes the spurious CHANGES entry.
Reviewed-by: NStephen Henson <steve@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

msan detected an uninit read.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Reviewed-by: NRichard Levitte <levitte@openssl.org>

User can make Windows openssl.exe to treat command-line arguments
and console input as UTF-8 By setting OPENSSL_WIN32_UTF8 environment
variable (to any value). This is likely to be required for data
interchangeability with other OSes and PKCS#12 containers generated
with Windows CryptoAPI.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

OpenSSL versions before 1.1.0 didn't convert non-ASCII
UTF8 PKCS#12 passwords to Unicode correctly.

To correctly decrypt older files, if MAC verification fails
with the supplied password attempt to use the broken format
which is compatible with earlier versions of OpenSSL.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

To avoid possible race conditions don't switch password format using
global state in crypto/pkcs12
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Found by Coverity.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Reviewed-by: NMatt Caswell <matt@openssl.org>

It should not have been removed.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NRichard Levitte <levitte@openssl.org>

Reviewed-by: NRichard Levitte <levitte@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>

Ensure it is clear to the user why there has been an error.
Reviewed-by: NRich Salz <rsalz@openssl.org>

The new curves test did not take into account no-ec2m
Reviewed-by: NRichard Levitte <levitte@openssl.org>

If not, fall back to our own code, using the given mutex
Reviewed-by: NAndy Polyakov <appro@openssl.org>

For increments, the relaxed model is fine.  For decrements, it's
recommended to use the acquire release model.  We therefore go for the
latter.
Reviewed-by: NAndy Polyakov <appro@openssl.org>

Note: we trust any other compiler that fully implements GNU extension
to define __GNUC__

RT#4642
Reviewed-by: NAndy Polyakov <appro@openssl.org>

In apps/rsa.c, we were second guessing RSA_check_key() to leave error
codes lying around without returning -1 properly.  However, this also
catches other errors that are lying around and that we should not care
about.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Thanks to Shi Lei for reporting this issue.

CVE-2016-6303
Reviewed-by: NMatt Caswell <matt@openssl.org>

Add CVE to CHANGES
Reviewed-by: NEmilia Käsper <emilia@openssl.org>

Reviewed-by: NViktor Dukhovni <viktor@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>

Ownership semantics and function names have changed.
Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>