The function rsa_ossl_mod_exp uses the function BN_with_flags to create a
temporary copy (local_r1) of a BIGNUM (r1) with modified flags. This
temporary copy shares some state with the original r1. If the state of r1
gets updated then local_r1's state will be stale. This was occurring in the
function so that when local_r1 was freed a call to bn_check_top was made
which failed an assert due to the stale state. To resolve this we must free
local_r1 immediately after we have finished using it and not wait until the
end of the function.

This problem prompted a review of all BN_with_flag usage within the
codebase. All other usage appears to be correct, although often not
obviously so. This commit refactors things to make it much clearer for
these other uses.
Reviewed-by: NEmilia Käsper <emilia@openssl.org>

Reviewed-by: NAndy Polyakov <appro@openssl.org>

Triggered by RT#4144.
Reviewed-by: NKurt Roeckx <kurt@openssl.org>

Follow-up to 070c2332.
Signed-off-by: NKurt Roeckx <kurt@roeckx.be>
Reviewed-by: NRich Salz <rsalz@akamai.com>

GH: #454

Signed-off-by: NKurt Roeckx <kurt@roeckx.be>
Reviewed-by: NRichard Levitte <levitte@openssl.org>

GH: #484

Signed-off-by: NKurt Roeckx <kurt@roeckx.be>
Reviewed-by: NRich Salz <rsalz@akamai.com>

GH: #466

Signed-off-by: NKurt Roeckx <kurt@roeckx.be>
Reviewed-by: NRich Salz <rsalz@akamai.com>

GH: #481

If somewhere in SSL_new() there is a memory allocation failure, ssl3_free() can
get called with s->s3 still being NULL.

Patch also provided by Willy Tarreau <wtarreau@haproxy.com>
Signed-off-by: NKurt Roeckx <kurt@roeckx.be>
Reviewed-by: NViktor Dukhovni <openssl-users@dukhovni.org>

Add SSLv3 ctrl to EVP_sha1() this is only needed if SSLv3 client
authentication is used with DSA/ECDSA.
Reviewed-by: NTim Hudson <tjh@openssl.org>

Reviewed-by: NTim Hudson <tjh@openssl.org>

Reviewed-by: NTim Hudson <tjh@openssl.org>

Reviewed-by: NTim Hudson <tjh@openssl.org>

Reviewed-by: NTim Hudson <tjh@openssl.org>

Add a ctrl to EVP_md5_sha1() to handle the additional operations needed
to handle SSL v3 client authentication and finished message.
Reviewed-by: NTim Hudson <tjh@openssl.org>

Reviewed-by: NTim Hudson <tjh@openssl.org>

Reviewed-by: NTim Hudson <tjh@openssl.org>

Reviewed-by: NTim Hudson <tjh@openssl.org>

Add digest combining MD5 and SHA1. This is used by RSA signatures for
TLS 1.1 and earlier.
Reviewed-by: NTim Hudson <tjh@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

Thanks to Guido Vranken <guidovranken@gmail.com> for reporting this issue.
Reviewed-by: NTim Hudson <tjh@openssl.org>

perlrun(1) leads the way.
Reviewed-by: NMatt Caswell <matt@openssl.org>

Encourages GitHub to perform proper syntax highlighting.
Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Reviewed-by: NDr. Stephen Henson <steve@openssl.org>

And a scalar !x --> x==0 test
Reviewed-by: NKurt Roeckx <kurt@openssl.org>

This patch contains the necessary changes to provide GOST 2012
ciphersuites in TLS. It requires the use of an external GOST 2012 engine.
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NRich Salz <rsalz@openssl.org>

RT#4142
Reviewed-by: NRichard Levitte <levitte@openssl.org>

RT#4138
Reviewed-by: NRichard Levitte <levitte@openssl.org>

RT #4144
Reviewed-by: NViktor Dukhovni <viktor@openssl.org>

During rebasing of the async changes some error codes ended up being
duplicated so that "make errors" fails. This removes the duplication.
Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NStephen Henson <steve@openssl.org>

In the async code for MacOS/X define _XOPEN_SOURCE (if not already
defined) as early as possible.  We must do this before including
any header files, because on MacOS/X <stlib.h> includes <signal.h>
which includes <ucontext.h>.  If we delay defining _XOPEN_SOURCE
and include <ucontext.h> after various system headers are included,
we are very likely to end up with the wrong (truncated) definition
of ucontext_t.

Also, better error handling and some code cleanup in POSIX fibre
construction and destruction.  We make sure that async_fibre_makecontext()
always initializes the fibre to a state that can be freed.

For all implementations, check for error returns from
async_fibre_makecontext().
Reviewed-by: NMatt Caswell <matt@openssl.org>

Strict ISO confirming C compilers only define __sun
Reviewed-by: NViktor Dukhovni <openssl-users@dukhovni.org>

RT #4144, MR #1353

Reviewed-by: NMatt Caswell <matt@openssl.org>

MR #1350

Original patch by Frank Morgner.
Signed-off-by: NKurt Roeckx <kurt@roeckx.be>
Reviewed-by: NRich Salz <rsalz@akamai.com>

GH: #456

For all functions, consistently use asdf() not B<asdf()>
Reviewed-by: NKurt Roeckx <kurt@openssl.org>

Signed-off-by: NKurt Roeckx <kurt@roeckx.be>
Reviewed-by: NRich Salz <rsalz@akamai.com>

GH: #458

Signed-off-by: NKurt Roeckx <kurt@roeckx.be>
Reviewed-by: NRich Salz <rsalz@akamai.com>

Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NRichard Levitte <levitte@openssl.org>