Error checking and memory leak fixes in NISTZ256.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Fix Wmaybe-uninitialized: initialize variable

Reviewed-by: Richard Levitte <levitte@openssl.org>

Fix the check of test apps in util/mk1mf.pl

The previous check assumed that the variables for each test app, ending
with TEST would be indication enough.  Experience showed that this isn't
the best way.  Instead, simply look for the EXE variable in test/Makefile.

Reviewed-by: Rich Salz <rsalz@openssl.org>

Small fixes after the Big apps cleanup

This fixes util/mk1mf.pl, which was looking for old variable names from
apps/Makefile.

Reviewed-by: Rich Salz <rsalz@openssl.org>

Add readline (etc) support

Compile with -DREADLINE and the appropriate library.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Simplify parse_yesno; remove local variable

Reviewed-by: Tim Hudson <tjh@openssl.org>

Fix typo in help & comment formatting

Reviewed-by: Tim Hudson <tjh@openssl.org>

Fix error message

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

Fix main build breakage.

A variable declaration got dropped during a merge.
And if a compiler inlines strcmp() and you put a strcmp in an
assert message, the resultant stringification exceeds ANSI string
limits.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

Remove the special list-xxxx commands

There's a new "list" command, which takes a flag to say what
to list.  Removing the old hacky commands.  Re-ordered some
functions to remove some needless declarations.

Reviewed-by: Richard Levitte <levitte@openssl.org>

RT2962: add -keytab and -krb5svc flags.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Free malloc data on encoding errors.

Reviewed-by: Richard Levitte <levitte@openssl.org>

apps-cleanup: the doc fixes

Reviewed-by: Richard Levitte <levitte@openssl.org>

Quote HTML entities in s_server output

Reviewed-by: Richard Levitte <levitte@openssl.org>

RT2206: Add -issuer flag to ocsp command

Reviewed-by: Richard Levitte <levitte@openssl.org>

Remove EFENCE support.

Reviewed-by: Richard Levitte <levitte@openssl.org>

RT2451: Add telnet to s_client -starttls

Also add -xmpphost and -smtphost flags.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Add -nocommands to s_client.

Add flag to disable the 'command letters' from s_client.

Reviewed-by: Richard Levitte <levitte@openssl.org>

fewer NO_ENGINE #ifdef's

Make setup_engine be a dummy if NO_ENGINE is enabled.
The option is not enabled if NO_ENGINE is enabled, so the one "wasted"
variable just sits there. Removes some variables and code.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Add missing BIO_flush() calls

Reviewed-by: Richard Levitte <levitte@openssl.org>

Big apps cleanup (option-parsing, etc)

This is merges the old "rsalz-monolith" branch over to master.  The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt.  Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that.  There have been many other changes and code-cleanup, see
bullet list below.

Special thanks to Matt for the long and detailed code review.

TEMPORARY:
        For now, comment out CRYPTO_mem_leaks() at end of main

Tickets closed:
        RT3515: Use 3DES in pkcs12 if built with no-rc2
        RT1766: s_client -reconnect and -starttls broke
        RT2932: Catch write errors
        RT2604: port should be 'unsigned short'
        RT2983: total_bytes undeclared #ifdef RENEG
        RT1523: Add -nocert to fix output in x509 app
        RT3508: Remove unused variable introduced by b09eb24
        RT3511: doc fix; req default serial is random
        RT1325,2973: Add more extensions to c_rehash
        RT2119,3407: Updated to dgst.pod
        RT2379: Additional typo fix
        RT2693: Extra include of string.h
        RT2880: HFS is case-insensitive filenames
        RT3246: req command prints version number wrong

Other changes; incompatibilities marked with *:
        Add SCSV support
        Add -misalign to speed command
        Make dhparam, dsaparam, ecparam, x509 output C in proper style
        Make some internal ocsp.c functions void
        Only display cert usages with -help in verify
        Use global bio_err, remove "BIO*err" parameter from functions
        For filenames, - always means stdin (or stdout as appropriate)
        Add aliases for -des/aes "wrap" ciphers.
        *Remove support for IISSGC (server gated crypto)
        *The undocumented OCSP -header flag is now "-header name=value"
        *Documented the OCSP -header flag

Reviewed-by: Matt Caswell <matt@openssl.org>

Fix error checking and memory leaks in NISTZ256 precomputation.

Thanks to Brian Smith for reporting these issues.

Reviewed-by: Rich Salz <rsalz@openssl.org>

Correctly set Z_is_one on the return value in the NISTZ256 implementation.

Also add a few comments about constant-timeness.

Thanks to Brian Smith for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>

Fix CRYPTO_strdup

The function CRYPTO_strdup (aka OPENSSL_strdup) fails to check the return
value from CRYPTO_malloc to see if it is NULL before attempting to use it.
This patch adds a NULL check.

RT3786

Signed-off-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 37b0cf936744d9edb99b5dd82cae78a7eac6ad60)

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 20d21389c8b6f5b754573ffb6a4dc4f3986f2ca4)

SSL_CIPHER lookup functions.

Add tables to convert between SSL_CIPHER fields and indices for ciphers
and MACs.

Reorganise ssl_ciph.c to use tables to lookup values and load them.

New functions SSL_CIPHER_get_cipher_nid and SSL_CIPHER_get_digest_nid.

Add documentation.

Reviewed-by: Rich Salz <rsalz@openssl.org>

Avoid "no config file" warning message

Set config to /dev/null when doing make rehash.

Reviewed-by: Richard Levitte <levitte@openssl.org>

ssltest output cleanup

Make only errors go to stderr.
Print count and size before the loop, so you can see it's an 838K
message that will take a few moments.

Reviewed-by: Richard Levitte <levitte@openssl.org>

test/Makefile dclean cleans out a few files too many.

The files removed are the ones that were symbolic links before, but
aren't now, so we should not remove them any more.

Reviewed-by: Stephen Henson <steve@openssl.org>

Repair EAP-FAST session resumption

EAP-FAST session resumption relies on handshake message lookahead
to determine server intentions. Commits
980bc1ec6114f5511b20c2e6ca741e61a39b99d6
and
7b3ba508af5c86afe43e28174aa3c53a0a24f4d9
removed the lookahead so broke session resumption.

This change partially reverts the commits and brings the lookahead back
in reduced capacity for TLS + EAP-FAST only. Since EAP-FAST does not
support regular session tickets, the lookahead now only checks for a
Finished message.

Regular handshakes are unaffected by this change.

Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Matt Caswell <matt@openssl.org>

Engage ec/asm/ecp_nistz256-sparcv9 module.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

Add ec/asm/ecp_nistz256-sparcv9.pl.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

modes/asm/ghashv8-armx.pl: additional performance data.

Reviewed-by: Rich Salz <rsalz@openssl.org>

aes/asm/aesni-x86.pl: fix typo affecting Windows build.

Reviewed-by: Matt Caswell <matt@openssl.org>

aes/asm/aesni-x86[_64].pl update.

This addresses

- request for improvement for faster key setup in RT#3576;
- clearing registers and stack in RT#3554 (this is more of a gesture to
see if there will be some traction from compiler side);
- more commentary around input parameters handling and stack layout
(desired when RT#3553 was reviewed);
- minor size and single block performance optimization (was lying around);

Reviewed-by: Matt Caswell <matt@openssl.org>

Add assembly support for 32-bit iOS.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>

Configure: Engage ecp_nistz256-armv8 module.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Add ecp_nistz256-armv8 module.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Configure: add initial support for 64-bit Android.

Reviewed-by: Richard Levitte <levitte@openssl.org>

crypto/ec/ecp_nistp[224|521].c: fix formatting.

Reviewed-by: Rich Salz <rsalz@openssl.org>

ec/ecp_nistp*.c: fix SEGVs.

Reviewed-by: Rich Salz <rsalz@openssl.org>

Configure: engage ARMv8 Montgomery multiplication module.

Reviewed-by: Rich Salz <rsalz@openssl.org>

Add ARMv8 Montgomery multiplication module.

Reviewed-by: Rich Salz <rsalz@openssl.org>

aes/asm/vpaes-armv8.pl: make it compile on iOS.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Remove SET oid config file and SET certs

Reviewed-by: Andy Polyakov <appro@openssl.org>

Use 2K RSA and SHA256 in tests

Reviewed-by: Andy Polyakov <appro@openssl.org>

Fix encoding bug in i2c_ASN1_INTEGER

Fix bug where i2c_ASN1_INTEGER mishandles zero if it is marked as
negative.

Thanks to Huzaifa Sidhpurwala <huzaifas@redhat.com> and
Hanno Böck <hanno@hboeck.de> for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>

Error out immediately on empty ciphers list.

A 0-length ciphers list is never permitted. The old code only used to
reject an empty ciphers list for connections with a session ID. It
would later error out on a NULL structure, so this change just moves
the alert closer to the problem source.

Reviewed-by: Rich Salz <rsalz@openssl.org>

Use -Wall -Wextra with clang

The disabled set of -Weverything is hard to maintain across versions.
Use -Wall -Wextra but also document other useful warnings that currently trigger.

Reviewed-by: Rich Salz <rsalz@openssl.org>

SunOS non-posix shells do not grok export name=value

Reviewed-by: Richard Levitte <levitte@openssl.org>

Code style: space after 'if'

Reviewed-by: Matt Caswell <matt@openssl.org>

Remove code for deleted function from ssl.h

ssl_cert_inst was removed in 2c3823491d8812560922a58677e3ad2db4b2ec8d

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

Reject empty generation strings.

Reported by Hanno Böck <hanno@hboeck.de>

Reviewed-by: Rich Salz <rsalz@openssl.org>

Limit depth of nested sequences when generating ASN.1

Reported by Hanno Böck <hanno@hboeck.de>
PR#3800

Reviewed-by: Rich Salz <rsalz@openssl.org>

Remove obsolete options for debug-steve*

Reviewed-by: Rich Salz <rsalz@openssl.org>

Add -Wtype-limits to strict warnings.

Reviewed-by: Rich Salz <rsalz@openssl.org>

Initialize variable

newsig may be used (freed) uninitialized on a malloc error.

Reviewed-by: Rich Salz <rsalz@openssl.org>

Fix ssl_get_prev_session overrun

If OpenSSL is configured with no-tlsext then ssl_get_prev_session can read
past the end of the ClientHello message if the session_id length in the
ClientHello is invalid. This should not cause any security issues since the
underlying buffer is 16k in size. It should never be possible to overrun by
that many bytes.

This is probably made redundant by the previous commit - but you can never be
too careful.

With thanks to Qinghao Tang for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>

Check for ClientHello message overruns

The ClientHello processing is insufficiently rigorous in its checks to make
sure that we don't read past the end of the message. This does not have
security implications due to the size of the underlying buffer - but still
needs to be fixed.

With thanks to Qinghao Tang for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>

free NULL cleanup 9

Ongoing work to skip NULL check before calling free routine.  This gets:
    ecp_nistz256_pre_comp_free nistp224_pre_comp_free nistp256_pre_comp_free
    nistp521_pre_comp_free PKCS7_free PKCS7_RECIP_INFO_free
    PKCS7_SIGNER_INFO_free sk_PKCS7_pop_free PKCS8_PRIV_KEY_INFO_free
    PKCS12_free PKCS12_SAFEBAG_free PKCS12_free sk_PKCS12_SAFEBAG_pop_free
    SSL_CONF_CTX_free SSL_CTX_free SSL_SESSION_free SSL_free ssl_cert_free
    ssl_sess_cert_free

Reviewed-by: Kurt Roeckx <kurt@openssl.org>

Fix memory leak

It should have freed them when != NULL, not when == NULL.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Viktor Dukhovni <openssl-users@dukhovni.org>

do_dirname: Don't change gen on failures

It would set gen->d.dirn to a freed pointer in case X509V3_NAME_from_section
failed.

Reviewed-by: Rich Salz <rsalz@openssl.org>

X509_VERIFY_PARAM_free: Check param for NULL

Reviewed-by: Viktor Dukhovni <openssl-users@dukhovni.org>

free NULL cleanup 10

Avoid checking for NULL before calling free functions.  This gets
ssl.*free:
    ssl_sess_cert_free ssl_free ssl_excert_free ssl_cert_free
    SSL_free SSL_SRP_CTX_free SSL_SESSION_free SSL_CTX_free
    SSL_CTX_SRP_CTX_free SSL_CONF_CTX_free

Reviewed-by: Kurt Roeckx <kurt@openssl.org>

The wrong ifdef is used to guard usage of PSK code

PR#3790

Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

Don't set *pval to NULL in ASN1_item_ex_new.

While *pval is usually a pointer in rare circumstances it can be a long
value. One some platforms (e.g. WIN64) where
sizeof(long) < sizeof(ASN1_VALUE *) this will write past the field.

*pval is initialised correctly in the rest of ASN1_item_ex_new so setting it
to NULL is unecessary anyway.

Thanks to Julien Kauffmann for reporting this issue.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Fix ECDH detection, add ECDH keyid test.

Reviewed-by: Rich Salz <rsalz@openssl.org>

Fix ECDH key identifier support.

PR#3789

Reviewed-by: Rich Salz <rsalz@openssl.org>

Polish shell script to avoid needless complexity.

No need for here documents, just use "yes" or </dev/null.
No need for "|| exit 1" clauses, just use "set -e".

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>

fix to "test script cleanup"

Fix commit 30f54ad295d58ff8c6d28c1fd612d23c2c343d19 which used
non-portable syntax for checking exit status.

Reviewed-by: Matt Caswell <matt@openssl.org>

Fix read_ahead issue

Fix a "&" that should have been "!" when processing read_ahead.

RT#3793

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>

test script cleanup

Removed commented-out tests

Standardize on doing
        cmd ... || exit 1
instead of
        cmd ...
        if [ $? != 0] ; then
           exit 1
        fi
where that if statement has ben one, three, or four lines, variously.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Have mkerr.pl treat already existing multiline string defs properly

Since source reformat, we ended up with some error reason string
definitions that spanned two lines.  That in itself is fine, but we
sometimes edited them to provide better strings than what could be
automatically determined from the reason macro, for example:

    {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER),
     "Peer haven't sent GOST certificate, required for selected ciphersuite"},

However, mkerr.pl didn't treat those two-line definitions right, and
they ended up being retranslated to whatever the macro name would
indicate, for example:

    {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER),
     "No gost certificate sent by peer"},

Clearly not what we wanted.  This change fixes this problem.

Reviewed-by: Matt Caswell <matt@openssl.org>

Drop CA.sh for CA.pl

Remove CA.sh script and use CA.pl for testing, etc.

Reviewed-by: Richard Levitte <levitte@openssl.org>

consistent test-start logging

Output a consistent "start" marker for each test.
Remove "2>/dev/null" from Makefile command lines.
Add OPENSSL_CONFIG=/dev/null for places where it's needed, in
order to suppress a warning message from the openssl CLI.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Ignore the non-dll windows specific build directories

Reviewed-by: Rich Salz <rsalz@openssl.org>

Appease clang -Wshadow

The macros BSWAP4 and BSWAP8 have statetemnt expressions
implementations that use local variable names that shadow variables
outside the macro call, generating warnings like this

e_aes_cbc_hmac_sha1.c:263:14: warning: declaration shadows a local variable
      [-Wshadow]
    seqnum = BSWAP8(blocks[0].q[0]);
             ^
../modes/modes_lcl.h:41:29: note: expanded from macro 'BSWAP8'
                            ^
e_aes_cbc_hmac_sha1.c:223:12: note: previous declaration is here
    size_t ret = 0;
           ^

Have clang be quiet by modifying the macro variable names slightly
(suffixing them with an underscore).

Reviewed-by: Rich Salz <rsalz@openssl.org>

Appease clang -Wgnu-statement-expression

We use GNU statement expressions in crypto/md32_common.h, surrounded
by checks that GNU C is indeed used to compile.  It seems that clang,
at least on Linux, pretends to be GNU C, therefore finds the statement
expressions and then warns about them.

The solution is to have clang be quiet about it.

Reviewed-by: Rich Salz <rsalz@openssl.org>

Appease clang -Wempty-translation-unit

ebcdic.c:284:7: warning: ISO C requires a translation unit to contain at least one
      declaration [-Wempty-translation-unit]
      ^
1 warning generated.

Reviewed-by: Rich Salz <rsalz@openssl.org>

update ordinals

Reviewed-by: Rich Salz <rsalz@openssl.org>

make depend

Reviewed-by: Rich Salz <rsalz@openssl.org>

remove asn1_mac.h

Reviewed-by: Rich Salz <rsalz@openssl.org>

Remove old ASN.1 functions.

Reviewed-by: Rich Salz <rsalz@openssl.org>

Remove unnecessary use of ASN1_const_CTX

Reviewed-by: Rich Salz <rsalz@openssl.org>

Rewrite ssl_asn1.c using new ASN.1 code.

Complete reimplementation of d2i_SSL_SESSION and i2d_SSL_SESSION using
new ASN.1 code and eliminating use of old ASN.1 macros.

Reviewed-by: Rich Salz <rsalz@openssl.org>

Add macro to implement static encode functions.

Reviewed-by: Rich Salz <rsalz@openssl.org>

Fewer newlines in comp method output

Print "supported compression methods" all on one line.

Reviewed-by: Andy Polyakov <appro@openssl.org>

modes/asm/ghashv8-armx.pl: up to 90% performance improvement.

Reviewed-by: Matt Caswell <matt@openssl.org>

sha/asm/sha*-armv8.pl: add Denver and X-Gene esults.

Reviewed-by: Richard Levitte <levitte@openssl.org>

aes/asm/aesv8-armx.pl: optimize for Cortex-A5x.

ARM has optimized Cortex-A5x pipeline to favour pairs of complementary
AES instructions. While modified code improves performance of post-r0p0
Cortex-A53 performance by >40% (for CBC decrypt and CTR), it hurts
original r0p0. We favour later revisions, because one can't prevent
future from coming. Improvement on post-r0p0 Cortex-A57 exceeds 50%,
while new code is not slower on r0p0, or Apple A7 for that matter.

[Update even SHA results for latest Cortex-A53.]

Reviewed-by: Richard Levitte <levitte@openssl.org>

perlasm/arm-xlate.pl update (fix end-less loop and prepare for 32-bit iOS).

Reviewed-by: Rich Salz <rsalz@openssl.org>

Configure: android-arm facelift.

Reviewed-by: Rich Salz <rsalz@openssl.org>

make update

Reviewed-by: Matt Caswell <matt@openssl.org>

Remove SSL_TASK, the DECnet Based SSL Engine - addendum

A bit of cleanup was forgotten.

Reviewed-by: Tim Hudson <tjh@openssl.org>

Remove SSL_TASK, the DECnet Based SSL Engine

This engine is for VMS only, and isn't really part of the core OpenSSL
but rather a side project of its own that just happens to have tagged
along for a long time.  The reasons why it has remained within the
OpenSSL source are long lost in history, and there not being any real
reason for it to remain here, it's time for it to move out.

This side project will appear as a project in its own right, the
location of which will be announced later on.

Reviewed-by: Tim Hudson <tjh@openssl.org>

Remove old ASN.1 code from evp_asn1.c

Rewrite ASN1_TYPE_set_int_octetstring and ASN1_TYPE_get_int_octetstring
to use the new ASN.1 code instead of the old macros.

Reviewed-by: Rich Salz <rsalz@openssl.org>

Now that we've removed the need for symlinks, we can safely remove util/mklinks.pl

Reviewed-by: Rich Salz <rsalz@openssl.org>

Remove remaining variables for symlinked/copied headers and tests

GitConfigure:   no more 'no-symlinks'

util/bat.sh, util/mk1mf.pl, util/pl/VC-32.pl, util/pl/unix.pl:
- Remove all uses of EXHEADER.
  That includes removing the use if INC_D and INCO_D.
- Replace the check for TEST with a check for [A-Z0-9_]*TEST.

Reviewed-by: Rich Salz <rsalz@openssl.org>

Remove EXHEADER, TEST, APPS, links:, install: and uninstall: where relevant

With no more symlinks, there's no need for those variables, or the links
target.  This also goes for all install: and uninstall: targets that do
nothing but copy $(EXHEADER) files, since that's now taken care of by the
top Makefile.

Also, removed METHTEST from test/Makefile.  It looks like an old test that's
forgotten...

Reviewed-by: Rich Salz <rsalz@openssl.org>

Stop symlinking, move files to intended directory

Rather than making include/openssl/foo.h a symlink to
crypto/foo/foo.h, this change moves the file to include/openssl/foo.h
once and for all.

Likewise, move crypto/foo/footest.c to test/footest.c, instead of
symlinking it there.

Originally-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

Ensure EC private keys retain leading zeros

RFC5915 requires the use of the I2OSP primitive as defined in RFC3447
for storing an EC Private Key. This converts the private key into an
OCTETSTRING and retains any leading zeros. This commit ensures that those
leading zeros are present if required.

Reviewed-by: Andy Polyakov <appro@openssl.org>