This patch uses warning/fatal constants instead of numbers with comments for
warning/alerts in d1_pkt.c and s3_pkt.c

RT#3725
Reviewed-by: NRich Salz <rsalz@openssl.org>

Miscellaneous unchecked malloc fixes. Also fixed some mem leaks on error
paths as I spotted them along the way.
Reviewed-by: NTim Hudson <tjh@openssl.org>

These ciphers are removed:
    TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5
    TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5
    TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA
    TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
    TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA
    TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA
    TLS1_CK_DHE_DSS_WITH_RC4_128_SHA
They were defined in a long-expired IETF internet-draft:
draft-ietf-tls-56-bit-ciphersuites-01.txt
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Some Cisco appliances use a pre-standard version number for DTLS. We support
this as DTLS1_BAD_VER within the code.

This change fixes d2i_SSL_SESSION for that DTLS version.

Based on an original patch by David Woodhouse <dwmw2@infradead.org>

RT#3704
Reviewed-by: NTim Hudson <tjh@openssl.org>

Added various missing return value checks in tls1_change_cipher_state.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Fixed various missing return value checks in ssl3_send_newsession_ticket.
Also a mem leak on error.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

NETSCAPE_HANG_BUG is a workaround for a browser bug from many years ago
(2000).
It predates DTLS, so certainly has no place in d1_srvr.c.
In s3_srvr.c it forces the ServerDone to appear in the same record as the
CertificateRequest when doing client auth.

BoringSSL have already made the same commit:
79ae85e4f777f94d91b7be19e8a62016cb55b3c5
Reviewed-by: NTim Hudson <tjh@openssl.org>

the "-hack" option from s_server that set this option.
Reviewed-by: NTim Hudson <tjh@openssl.org>

Reviewed-by: NTim Hudson <tjh@openssl.org>

Reviewed-by: NAndy Polyakov <appro@openssl.org>
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Reviewed-by: NTim Hudson <tjh@openssl.org>

When writing out the hint, if the hint > 0, then we write it out otherwise
we skip it.

Previously when reading the hint back in, if were expecting to see one
(because the ticket length > 0), but it wasn't present then we set the hint
to -1, otherwise we set it to 0. This fails to set the hint to the same as
when it was written out.

The hint should never be negative because the RFC states the hint is
unsigned. It is valid for a server to set the hint to 0 (this means the
lifetime is unspecified according to the RFC). If the server set it to 0, it
should still be 0 when we read it back in.
Reviewed-by: NTim Hudson <tjh@openssl.org>

SSL_SESSION_get_ticket_lifetime_hint. The latter has been reported as
required to fix Qt for OpenSSL 1.1.0. I have also added the former in order
to determine whether a ticket is present or not - otherwise it is difficult
to know whether a zero lifetime hint is because the server set it to 0, or
because there is no ticket.
Reviewed-by: NTim Hudson <tjh@openssl.org>

From RFC4507:
"The ticket_lifetime_hint field contains a hint from the server about how
long the ticket should be stored.  The value indicates the lifetime in
seconds as a 32-bit unsigned integer in network byte order."
Reviewed-by: NTim Hudson <tjh@openssl.org>

There is no mechanism to do that at the moment - SSL_set_bio makes changes
to the wbio even if you pass in SSL_get_wbio().

This commit introduces two new API functions SSL_set_rbio() and
SSL_set_wbio(). These do the same job as SSL_set_bio() except they enable
you to manage the rbio and wbio individually.
Reviewed-by: NTim Hudson <tjh@openssl.org>

I left many "#if 0" lines, usually because I thought we would
probably want to revisit them later, or because they provided
some useful internal documentation tips.
Reviewed-by: NAndy Polyakov <appro@openssl.org>

The mkstack.pl script now generates the entire safestack.h file.
It generates output that follows the coding style.
Also, removed all instances of the obsolete IMPLEMENT_STACK_OF
macro.
Reviewed-by: NAndy Polyakov <appro@openssl.org>

This is an ancient bug workaround for Netscape clients. The documentation
talks about versions 3.x and 4.x beta.
Reviewed-by: NTim Hudson <tjh@openssl.org>

Reviewed-by: NRichard Levitte <levitte@openssl.org>

A few minor cleanups to remove pre-processor "#if 1" stuff.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

Document SSL_get_extms_support().

Modify behaviour of SSL_get_extms_support() so it returns -1 if the
master secret support of the peer is not known (e.g. handshake in progress).
Reviewed-by: NTim Hudson <tjh@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>

Reviewed-by: NTim Hudson <tjh@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>

Update master secret calculation to support extended master secret.
TLS 1.2 client authentication adds a complication because we need to
cache the handshake messages. This is simpllified however because
the point at which the handshake hashes are calculated for extended
master secret is identical to that required for TLS 1.2 client
authentication (immediately after client key exchange which is also
immediately before certificate verify).
Reviewed-by: NTim Hudson <tjh@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>

Add and retrieve extended master secret extension, setting the flag
SSL_SESS_FLAG_EXTMS appropriately.

Note: this just sets the flag and doesn't include the changes to
master secret generation.
Reviewed-by: NTim Hudson <tjh@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>

Rewrite ssl3_send_client_key_exchange to retain the premaster secret
instead of using it immediately.

This is needed because the premaster secret is used after the client key
exchange message has been sent to compute the extended master secret.
Reviewed-by: NTim Hudson <tjh@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>

Retrieve handshake hashes in a separate function. This tidies the existing
code and will be used for extended master secret generation.
Reviewed-by: NTim Hudson <tjh@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>

Add a "flags" field to SSL_SESSION. This will contain various flags
such as encrypt-then-mac and extended master secret support.
Reviewed-by: NTim Hudson <tjh@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>

Reviewed-by: NAndy Polyakov <appro@openssl.org>

Reviewed-by: NMatt Caswell <matt@openssl.org>

OPENSSL_NO_SSL_INTERN into internal header files.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

catch up with the Unix build.
A number of new tests, among others test/tocsp.com
Define INTERNAL in ssl/ssl-lib.com to allow for '#include "internal/foo.h"'
Reviewed-by: NAndy Polyakov <appro@openssl.org>

Add new symbols that are longer than 31 chars to symhacks.
VMS doesn't have <sys/un.h>, reflect that in e_os.h.
MS_CALLBACK has been removed, ssl_task.c needs adjustment.
Reviewed-by: NAndy Polyakov <appro@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

An expired IETF Internet-Draft (seven years old) that nobody
implements, and probably just as good as NSA DRBG work.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Not interested in helping the NSA in the slightest.
And anyway, it was never implemented, #if'd out.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Remove all "#if 0" blocks from header files.
Reviewed-by: NTim Hudson <tjh@openssl.org>

Remove OPENSSL_NO_BUF_FREELISTS. This was turned on by default,
so the work here is removing the 'maintain our own freelist' code.
Also removed a minor old Windows-multibyte/widechar conversion flag.
Reviewed-by: NAndy Polyakov <appro@openssl.org>

TLS and TLS1 are no longer optional.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Remove support for SHA0 and DSS0 (they were broken), and remove
the ability to attempt to build without SHA (it didn't work).
For simplicity, remove the option of not building various SHA algorithms;
you could argue that SHA_224/256/384/512 should be kept, since they're
like crypto algorithms, but I decided to go the other way.
So these options are gone:
	GENUINE_DSA         OPENSSL_NO_SHA0
	OPENSSL_NO_SHA      OPENSSL_NO_SHA1
	OPENSSL_NO_SHA224   OPENSSL_NO_SHA256
	OPENSSL_NO_SHA384   OPENSSL_NO_SHA512
Reviewed-by: NRichard Levitte <levitte@openssl.org>