Server side EVP_PKEY DH support

Reviewed-by: Matt Caswell <matt@openssl.org>

Rename some BUF_xxx to OPENSSL_xxx

Rename BUF_{strdup,strlcat,strlcpy,memdup,strndup,strnlen}
to OPENSSL_{strdup,strlcat,strlcpy,memdup,strndup,strnlen}
Add #define's for the old nam

Rename some BUF_xxx to OPENSSL_xxx

Rename BUF_{strdup,strlcat,strlcpy,memdup,strndup,strnlen}
to OPENSSL_{strdup,strlcat,strlcpy,memdup,strndup,strnlen}
Add #define's for the old names.
Add CRYPTO_{memdup,strndup}, called by OPENSSL_{memdup,strndup} macros.

Reviewed-by: Tim Hudson <tjh@openssl.org>

show more ...

Remove support for all 40 and 56 bit ciphers.

Reviewed-by: Rich Salz <rsalz@openssl.org>

MR: #364

Remove SSL_{CTX_}set_ecdh_auto() and always enable ECDH

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

Make SSL_{CTX}_set_tmp_ecdh() call SSL_{CTX_}set1_curves()

SSL_{CTX}_set_tmp_ecdh() allows to set 1 EC curve and then tries to use it. On
the other hand SSL_{CTX_}set1_curves() allows y

Make SSL_{CTX}_set_tmp_ecdh() call SSL_{CTX_}set1_curves()

SSL_{CTX}_set_tmp_ecdh() allows to set 1 EC curve and then tries to use it. On
the other hand SSL_{CTX_}set1_curves() allows you to set a list of curves, but
only when SSL_{CTX_}set_ecdh_auto() was called to turn it on.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

show more ...

Remove support for SSL_{CTX_}set_tmp_ecdh_callback().

This only gets used to set a specific curve without actually checking that the
peer supports it or not and can therefor result in ha

Remove support for SSL_{CTX_}set_tmp_ecdh_callback().

This only gets used to set a specific curve without actually checking that the
peer supports it or not and can therefor result in handshake failures that can
be avoided by selecting a different cipher.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

show more ...

Add comment explaining why we don't check a return value

A call to X509_verify_cert() is used to build a chain of certs for the
server to send back to the client. It isn't *actually* use

Add comment explaining why we don't check a return value

A call to X509_verify_cert() is used to build a chain of certs for the
server to send back to the client. It isn't *actually* used for verifying
the cert at all - just building the chain. Therefore the return value is
ignored.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>

show more ...

Standardise our style for checking malloc failures

if we have a malloc |x = OPENSSL_malloc(...)| sometimes we check |x|
for NULL and sometimes we treat it as a boolean |if(!x) ...|. Stan

Standardise our style for checking malloc failures

if we have a malloc |x = OPENSSL_malloc(...)| sometimes we check |x|
for NULL and sometimes we treat it as a boolean |if(!x) ...|. Standardise
the approach in libssl.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>

show more ...

Remove the type variable

The SSL structure contained a "type" variable that was set to either
SSL_ST_ACCEPT or SSL_ST_CONNECT depending on whether we are the server or
the client. Th

Remove the type variable

The SSL structure contained a "type" variable that was set to either
SSL_ST_ACCEPT or SSL_ST_CONNECT depending on whether we are the server or
the client. This duplicates the capability of the "server" variable and was
actually rarely used.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>

show more ...

Make no-psk compile without warnings.

PR#4035

Reviewed-by: Matt Caswell <matt@openssl.org>

Remove BIO_s_file_internal macro.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Fix no-stdio build

Much related/similar work also done by
Ivan Nestlerode <ivan.nestlerode@sonos.com>

+Replace FILE BIO's with dummy ops that fail.
+Include <stdio.h>

Fix no-stdio build

Much related/similar work also done by
Ivan Nestlerode <ivan.nestlerode@sonos.com>

+Replace FILE BIO's with dummy ops that fail.
+Include <stdio.h> for sscanf() even with no-stdio (since the declaration
is there). We rely on sscanf() to parse the OPENSSL_ia32cap environment
variable, since it can be larger than a 'long'. And we don't rely on the
availability of strtoull().
+Remove OPENSSL_stderr(); not used.
+Make OPENSSL_showfatal() do nothing (currently without stdio there's
nothing we can do).
+Remove file-based functionality from ssl/. The function
prototypes were already gone, but not the functions themselves.
+Remove unviable conf functionality via SYS_UEFI
+Add fallback definition of BUFSIZ.
+Remove functions taking FILE * from header files.
+Add missing DECLARE_PEM_write_fp_const
+Disable X509_LOOKUP_hash_dir(). X509_LOOKUP_file() was already compiled out,
so remove its prototype.
+Use OPENSSL_showfatal() in CRYPTO_destroy_dynlockid().
+Eliminate SRP_VBASE_init() and supporting functions. Users will need to
build the verifier manually instead.
+Eliminate compiler warning for unused do_pk8pkey_fp().
+Disable TEST_ENG_OPENSSL_PKEY.
+Disable GOST engine as is uses [f]printf all over the place.
+Eliminate compiler warning for unused send_fp_chars().

Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>

show more ...

RT4047: Set reference count earlier

Make sure it's valid very early.

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>

Fix PSK identity hint handling.

For server use a PSK identity hint value in the CERT structure which
is inherited when SSL_new is called and which allows applications to
set hints on

Fix PSK identity hint handling.

For server use a PSK identity hint value in the CERT structure which
is inherited when SSL_new is called and which allows applications to
set hints on a per-SSL basis. The previous version of
SSL_use_psk_identity_hint tried (wrongly) to use the SSL_SESSION structure.

PR#4039

Reviewed-by: Matt Caswell <matt@openssl.org>

show more ...

Avoid direct X509 structure access

Reviewed-by: Tim Hudson <tjh@openssl.org>

Add and use OPENSSL_zalloc

There are many places (nearly 50) where we malloc and then memset.
Add an OPENSSL_zalloc routine to encapsulate that.
(Missed one conversion; thanks Richar

Add and use OPENSSL_zalloc

There are many places (nearly 50) where we malloc and then memset.
Add an OPENSSL_zalloc routine to encapsulate that.
(Missed one conversion; thanks Richard)
Also fixes GH328

Reviewed-by: Richard Levitte <levitte@openssl.org>

show more ...

Add X509_up_ref function.

Reviewed-by: Rich Salz <rsalz@openssl.org>

Remove SESS_CERT entirely.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Move peer chain to SSL_SESSION structure.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Remove certificates from sess_cert

As numerous comments indicate the certificate and key array is not an
appopriate structure to store the peers certificate: so remove it and
just th

Remove certificates from sess_cert

As numerous comments indicate the certificate and key array is not an
appopriate structure to store the peers certificate: so remove it and
just the s->session->peer instead.

Reviewed-by: Richard Levitte <levitte@openssl.org>

show more ...

Remove peer temp keys from SESS_CERT

Reviewed-by: Richard Levitte <levitte@openssl.org>

Add CHANGES entry for OPENSSL_NO_TLSEXT removal

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>

Remove support for OPENSSL_NO_TLSEXT

Given the pervasive nature of TLS extensions it is inadvisable to run
OpenSSL without support for them. It also means that maintaining
the OPENSS

Remove support for OPENSSL_NO_TLSEXT

Given the pervasive nature of TLS extensions it is inadvisable to run
OpenSSL without support for them. It also means that maintaining
the OPENSSL_NO_TLSEXT option within the code is very invasive (and probably
not well tested). Therefore it is being removed.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>

show more ...

move masks out of CERT structure

Reviewed-by: Rich Salz <rsalz@openssl.org>

Move certificate validity flags out of CERT.

Reviewed-by: Rich Salz <rsalz@openssl.org>