Add private/public key conversion tests

Reviewed-by: Matt Caswell <matt@openssl.org>

Remove d2i_X509_PKEY and i2d_X509_PKEY

Remove partially implemented d2i_X509_PKEY and i2d_X509_PKEY: nothing
uses them and they don't work properly. Update ordinals.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>

ec/asm/ecp_nistz256-x86_64.pl: update commentary with before-after performance data.

Reviewed-by: Richard Levitte <levitte@openssl.org>

free NULL cleanup

EVP_.*free; this gets:
        EVP_CIPHER_CTX_free EVP_PKEY_CTX_free EVP_PKEY_asn1_free
        EVP_PKEY_asn1_set_free EVP_PKEY_free EVP_PKEY_free_it
        EVP_PKEY_meth_free; and also EVP_CIPHER_CTX_cleanup

Reviewed-by: Kurt Roeckx <kurt@openssl.org>

Engage vpaes-armv8 module.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Add vpaes-amrv8.pl module.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Configure: remove unused variables.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Make asn1_ex_i2c, asn1_ex_c2i static.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>

Remove combine option from ASN.1 code.

Remove the combine option. This was used for compatibility with some
non standard behaviour in ancient versions of OpenSSL: specifically
the X509_ATTRIBUTE and DSAPublicKey handling. Since these have now
been revised it is no longer needed.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Simplify DSA public key handling.

DSA public keys could exist in two forms: a single Integer type or a
SEQUENCE containing the parameters and public key with a field called
"write_params" deciding which form to use. These forms are non standard
and were only used by functions containing "DSAPublicKey" in the name.

Simplify code to only use the parameter form and encode the public key
component directly in the DSA public key method.

Reviewed-by: Richard Levitte <levitte@openssl.org>

ASN1_TYPE documentation.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Add Record Layer documentation

Add some design documentation on how the record layer works to aid future
maintenance.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Fix formatting oddities

Fix some formatting oddities in rec_layer_d1.c.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Fix record.h formatting

Fix some strange formatting in record.h. This was probably originally
introduced as part of the reformat work.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Define SEQ_NUM_SIZE

Replace the hard coded value 8 (the size of the sequence number) with a
constant defined in a macro.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Fix compilation on windows for record layer

Reviewed-by: Richard Levitte <levitte@openssl.org>

Rename record layer source files

Reviewed-by: Richard Levitte <levitte@openssl.org>

Remove some unneccessary macros

Reviewed-by: Richard Levitte <levitte@openssl.org>

Renamed record layer header files

Reviewed-by: Richard Levitte <levitte@openssl.org>

Reorganise header files

Reviewed-by: Richard Levitte <levitte@openssl.org>

Remove last trace of non-record layer code reading and writing sequence
numbers directly

Reviewed-by: Richard Levitte <levitte@openssl.org>

Move last_write_sequence from s->d1 to s->rlayer.d.
Also push some usage of last_write_sequence out of dtls1_retransmit_message
and into the record layer.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Move ssl3_record_sequence_update into record layer

Reviewed-by: Richard Levitte <levitte@openssl.org>

Move buffered_app_data from s->d1 to s->rlayer.d

Reviewed-by: Richard Levitte <levitte@openssl.org>

Move handshake_fragment, handshake_fragment_len, alert_fragment and
alert_fragment_len from s->d1 to s->rlayer.d

Reviewed-by: Richard Levitte <levitte@openssl.org>

Fix seg fault in dtls1_new

Reviewed-by: Richard Levitte <levitte@openssl.org>

Moved processed_rcds and unprocessed_rcds from s->d1 to s->rlayer.d

Reviewed-by: Richard Levitte <levitte@openssl.org>

Move bitmap and next_bitmap from s->d1 to s->rlayer.d.
Create dtls_bitmap.h and dtls_bitmap.c

Reviewed-by: Richard Levitte <levitte@openssl.org>

Move r_epoch and w_epoch from s->d1 to s->rlayer.d

Reviewed-by: Richard Levitte <levitte@openssl.org>

Introduce a DTLS_RECORD_LAYER type for DTLS record layer state

Reviewed-by: Richard Levitte <levitte@openssl.org>

Move DTLS1_RECORD_DATA into rec_layer.h

Reviewed-by: Richard Levitte <levitte@openssl.org>

Move read_sequence and write_sequence from s->s3 to s->rlayer

Reviewed-by: Richard Levitte <levitte@openssl.org>

Move s->s3->wpend_* to s->rlayer

Reviewed-by: Richard Levitte <levitte@openssl.org>

Move handshake_fragment, handshake_fragment_len, alert_fragment and
alert_fragment_len from s->s3 into s->rlayer

Reviewed-by: Richard Levitte <levitte@openssl.org>

Move s->s3->wnum to s->rlayer.wnum

Reviewed-by: Richard Levitte <levitte@openssl.org>

Move s->rstate to s->rlayer.rstate

Reviewed-by: Richard Levitte <levitte@openssl.org>

Move s->packet and s->packet_length into s->rlayer

Reviewed-by: Richard Levitte <levitte@openssl.org>

Remove unneccessary use of accessor function now code is moved into record
layer

Reviewed-by: Richard Levitte <levitte@openssl.org>

Make rrec, wrec, rbuf and wbuf fully private to the record layer. Also, clean
up some access to them. Now that various functions have been moved into the
record layer they no longer need to use the accessor macros.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Removed dependency on rrec from heartbeat processing

Reviewed-by: Richard Levitte <levitte@openssl.org>

Introduce macro RECORD_LAYER_setup_comp_buffer

Reviewed-by: Richard Levitte <levitte@openssl.org>

Fix bug where rrec was being released...should have been removed by one of
the earlier record layer commits

Reviewed-by: Richard Levitte <levitte@openssl.org>

Move ssl3_pending into the record layer

Reviewed-by: Richard Levitte <levitte@openssl.org>

Remove RECORD_LAYER_set_ssl and introduce RECORD_LAYER_init

Reviewed-by: Richard Levitte <levitte@openssl.org>

Provide RECORD_LAYER_set_data function

Reviewed-by: Richard Levitte <levitte@openssl.org>

Introduce the functions RECORD_LAYER_release, RECORD_LAYER_read_pending, and
RECORD_LAYER_write_pending.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Create RECORD_LAYER_clear function.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Tidy up rec_layer.h. Add some comments regarding which functions should be
being used for what purpose.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Moved s3_pkt.c, s23_pkt.c and d1_pkt.c into the record layer.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Split out non record layer functions out of s3_pkt.c and d1_pkt.c into
the new files s3_msg.c and s1_msg.c respectively.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Move more SSL3_RECORD oriented functions into ssl3_record.c

Reviewed-by: Richard Levitte <levitte@openssl.org>

Move SSL3_RECORD oriented functions into ssl3_record.c

Reviewed-by: Richard Levitte <levitte@openssl.org>

Move SSL3_BUFFER set up and release code into ssl3_buffer.c

Reviewed-by: Richard Levitte <levitte@openssl.org>

Move s->s3->wrec to s>rlayer>wrec

Reviewed-by: Richard Levitte <levitte@openssl.org>

Encapsulate s->s3->wrec

Reviewed-by: Richard Levitte <levitte@openssl.org>

Move s->s3->rrec to s->rlayer->rrec

Reviewed-by: Richard Levitte <levitte@openssl.org>

Encapsulate s->s3->rrec

Reviewed-by: Richard Levitte <levitte@openssl.org>

Move s->s3->wbuf to s->rlayer->wbuf

Reviewed-by: Richard Levitte <levitte@openssl.org>

Encapsulate access to s->s3->wbuf

Reviewed-by: Richard Levitte <levitte@openssl.org>

Move s->s3->rrec into s->rlayer

Reviewed-by: Richard Levitte <levitte@openssl.org>

Encapsulate SSL3_BUFFER and all access to s->s3->rbuf.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Create a RECORD_LAYER structure and move read_ahead into it.

Reviewed-by: Richard Levitte <levitte@openssl.org>

update ordinals

Reviewed-by: Matt Caswell <matt@openssl.org>

Move more internal only functions to asn1_locl.h

Reviewed-by: Matt Caswell <matt@openssl.org>

free NULL cleanup.

This gets EC_GROUP_clear_free EC_GROUP_free, EC_KEY_free,
EC_POINT_clear_free, EC_POINT_free

Reviewed-by: Kurt Roeckx <kurt@openssl.org>

Resolve swallowed returns codes

The recent updates to libssl to enforce stricter return code checking, left
a small number of instances behind where return codes were being swallowed
(typically because the function they were being called from was declared as
void). This commit fixes those instances to handle the return codes more
appropriately.

Reviewed-by: Richard Levitte <levitte@openssl.org>

make update

Reviewed-by: Richard Levitte <levitte@openssl.org>

Move internal only ASN.1 functions to asn1_locl.h

Reviewed-by: Richard Levitte <levitte@openssl.org>

Remove X509_ATTRIBUTE hack.

The X509_ATTRIBUTE structure includes a hack to tolerate malformed
attributes that encode as the type instead of SET OF type. This form
is never created by OpenSSL and shouldn't be needed any more.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>

free NULL cleanup

This commit handles BIO_ACCEPT_free BIO_CB_FREE BIO_CONNECT_free
BIO_free BIO_free_all BIO_vfree

Reviewed-by: Matt Caswell <matt@openssl.org>

Support key loading from certificate file

Support loading of key and certificate from the same file if
SSL_CONF_FLAG_REQUIRE_PRIVATE is set. This is done by remembering the
filename used for each certificate type and attempting to load a private
key from the file when SSL_CONF_CTX_finish is called.

Update docs.

Reviewed-by: Richard Levitte <levitte@openssl.org>

make depend

Reviewed-by: Richard Levitte <levitte@openssl.org>

make X509_NAME opaque

Reviewed-by: Richard Levitte <levitte@openssl.org>

Fix bug in s_client. Previously default verify locations would only be loaded
if CAfile or CApath were also supplied and successfully loaded first.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Fix HMAC to pass invalid key len test

Reviewed-by: Richard Levitte <levitte@openssl.org>

Add HMAC test for invalid key len

Reviewed-by: Richard Levitte <levitte@openssl.org>

Ensure that both the MD and key have been initialised before attempting to
create an HMAC

Inspired by BoringSSL commit 2fe7f2d0d9a6fcc75b4e594eeec306cc55acd594

Reviewed-by: Richard Levitte <levitte@openssl.org>

Add more HMAC tests

Reviewed-by: Richard Levitte <levitte@openssl.org>

SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG was disabled in 0.9.8q and 1.0.0c.
This commit sets the value of SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG to
zero.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Deprecate RAND_pseudo_bytes

The justification for RAND_pseudo_bytes is somewhat dubious, and the reality
is that it is frequently being misused. RAND_bytes and RAND_pseudo_bytes in
the default implementation both end up calling ssleay_rand_bytes. Both may
return -1 in an error condition. If there is insufficient entropy then
both will return 0, but RAND_bytes will additionally add an error to the
error queue. They both return 1 on success.
Therefore the fundamental difference between the two is that one will add an
error to the error queue with insufficient entory whilst the other will not.
Frequently there are constructions of this form:

if(RAND_pseudo_bytes(...) <= 1)
goto err;

In the above form insufficient entropy is treated as an error anyway, so
RAND_bytes is probably the better form to use.

This form is also seen:
if(!RAND_pseudo_bytes(...))
goto err;

This is technically not correct at all since a -1 return value is
incorrectly handled - but this form will also treat insufficient entropy as
an error.

Within libssl it is required that you have correctly seeded your entropy
pool and so there seems little benefit in using RAND_pseudo_bytes.
Similarly in libcrypto many operations also require a correctly seeded
entropy pool and so in most interesting cases you would be better off
using RAND_bytes anyway. There is a significant risk of RAND_pseudo_bytes
being incorrectly used in scenarios where security can be compromised by
insufficient entropy.

If you are not using the default implementation, then most engines use the
same function to implement RAND_bytes and RAND_pseudo_bytes in any case.

Given its misuse, limited benefit, and potential to compromise security,
RAND_pseudo_bytes has been deprecated.

Reviewed-by: Richard Levitte <levitte@openssl.org>

RAND_bytes updates

Ensure RAND_bytes return value is checked correctly, and that we no longer
use RAND_pseudo_bytes.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Fix return checks in GOST engine

Filled in lots of return value checks that were missing the GOST engine, and
added appropriate error handling.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Fix misc NULL derefs in sureware engine

Fix miscellaneous NULL pointer derefs in the sureware engine.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Add ticket length before buffering DTLS message

In ssl3_send_new_session_ticket the message to be sent is constructed. We
skip adding the length of the session ticket initially, then call
ssl_set_handshake_header, and finally go back and add in the length of the
ticket. Unfortunately, in DTLS, ssl_set_handshake_header also has the side
effect of buffering the message for subsequent retransmission if required.
By adding the ticket length after the call to ssl_set_handshake_header the
message that is buffered is incomplete, causing an invalid message to be
sent on retransmission.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Ensure last_write_sequence is saved in DTLS1.2

In DTLS, immediately prior to epoch change, the write_sequence is supposed
to be stored in s->d1->last_write_sequence. The write_sequence is then reset
back to 00000000. In the event of retransmits of records from the previous
epoch, the last_write_sequence is restored. This commit fixes a bug in
DTLS1.2 where the write_sequence was being reset before last_write_sequence
was saved, and therefore retransmits are sent with incorrect sequence
numbers.

Reviewed-by: Richard Levitte <levitte@openssl.org>

free NULL cleanup

Start ensuring all OpenSSL "free" routines allow NULL, and remove
any if check before calling them.
This gets DH_free, DSA_free, RSA_free

Reviewed-by: Matt Caswell <matt@openssl.org>

update ordinals

Reviewed-by: Richard Levitte <levitte@openssl.org>

Update ordinals

Thanks to the change of mkdef.pl, a few more deprecated functions were
properly defined in util/libeay.num.

Reviewed-by: Matt Caswell <matt@openssl.org>

Teach mkdef.pl to handle multiline declarations.

For the moment, this is specially crafted for DECLARE_DEPRECATED because
that's where we found the problem, but it can easily be expanded to other
types of special delarations when needed.

Reviewed-by: Matt Caswell <matt@openssl.org>

Fix verify algorithm.

Disable loop checking when we retry verification with an alternative path.
This fixes the case where an intermediate CA is explicitly trusted and part
of the untrusted certificate list. By disabling loop checking for this case
the untrusted CA can be replaced by the explicitly trusted case and
verification will succeed.

Reviewed-by: Matt Caswell <matt@openssl.org>

make ASN1_OBJECT opaque

Reviewed-by: Matt Caswell <matt@openssl.org>

Configuration file examples.

Reviewed-by: Matt Caswell <matt@openssl.org>

Make OCSP response verification more flexible.

If a set of certificates is supplied to OCSP_basic_verify use those in
addition to any present in the OCSP response as untrusted CAs when
verifying a certificate chain.

PR#3668

Reviewed-by: Matt Caswell <matt@openssl.org>

make depend

Reviewed-by: Matt Caswell <matt@openssl.org>

Move some EVP internals to evp_int.h

Move EVP internals to evp_int.h, remove -Ievp hack from crypto/Makefile

Reviewed-by: Matt Caswell <matt@openssl.org>

Move some ASN.1 internals to asn1_int.h

Move ASN.1 internals used across multiple directories into new internal
header file asn1_int.h remove crypto/Makefile hack which allowed other
directories to include "asn1_locl.h"

Reviewed-by: Matt Caswell <matt@openssl.org>

free NULL cleanup

Start ensuring all OpenSSL "free" routines allow NULL, and remove
any if check before calling them.
This gets ASN1_OBJECT_free and ASN1_STRING_free.

Reviewed-by: Matt Caswell <matt@openssl.org>

Fix malloc define typo

Fix compilation failure when SCTP is compiled due to incorrect define.

Reported-by: Conrad Kostecki <ck+gentoobugzilla@bl4ckb0x.de>
URL: https://bugs.gentoo.org/543828

RT#3758
Signed-off-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>

Use OPENSSL_malloc rather than malloc/calloc

Reviewed-by: Matt Caswell <matt@openssl.org>

Fix eng_cryptodev to not depend on BN internals.

Reviewed-by: Matt Caswell <matt@openssl.org>