The following entry points have been made async aware:
SSL_accept
SSL_read
SSL_write

Also added is a new mode - SSL_MODE_ASYNC. Calling the above functions with
the async mode enabled will initiate a new async job. If an async pause is
encountered whilst executing the job (such as for example if using SHA1/RSA
with the Dummy Async engine), then the above functions return with
SSL_WANT_ASYNC. Calling the functions again (with exactly the same args
as per non-blocking IO), will resume the job where it left off.

Reviewed-by: Rich Salz <rsalz@openssl.org>

This engine is for developers of async aware applications. It simulates
asynchronous activity with external hardware. This initial version supports
SHA1 and RSA. Certain operations using those algorithms have async job
"pauses" in them - using the new libcrypto async capability.

Reviewed-by: Rich Salz <rsalz@openssl.org>

Provides support for running asynchronous jobs. Currently this is completely
stand alone. Future commits will integrate this into libssl and s_server/
s_client. An asynchronous capable engine will be required to see any benefit
from this capability.

Reviewed-by: Rich Salz <rsalz@openssl.org>

The forthcoming async code needs to use pthread thread local variables. This
updates the various Configurations to add the necessary flags. In many cases
this is an educated guess as I don't have access to most of these
environments! There is likely to be some tweaking needed.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>

The al variable could be uninitialised in an error path.

Reviewed-by: Rich Salz <rsalz@openssl.org>

Reviewed-by: Rich Salz <rsalz@akamai.com>

RT #4100, MR #1264

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@akamai.com>

RT #4100, MR #1264

Reviewed-by: Matt Caswell <matt@openssl.org>

There are lots of calls to EVP functions from within libssl There were
various places where we should probably check the return value but don't.
This adds these checks.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Use SHA256 for TSA and setted permitted digests to a sensible value.

Based on PR#4141

Reviewed-by: Matt Caswell <matt@openssl.org>

Based on PR#2145

Reviewed-by: Matt Caswell <matt@openssl.org>

PR#4141

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

Reviewed-by: Richard Levitte <levitte@openssl.org>

Reviewed-by: Richard Levitte <levitte@openssl.org>

Final part of flushing out SSLEay API's.

Reviewed-by: Tim Hudson <tjh@openssl.org>

Reviewed-by: Matt Caswell <matt@openssl.org>

We use the sysconf function to provide details about the page size in the
secure memory code. This function can return -1 on error so we should check
for this before proceeding.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>

A call to X509_verify_cert() is used to build a chain of certs for the
server to send back to the client. It isn't *actually* used for verifying
the cert at all - just building the chain. Therefore the return value is
ignored.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>

The |passwd| variable in the code can be NULL if it goes to the err label.
Therefore we cannot call strlen on it without first checking that it is non
NULL.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>

The problem remained unnoticed so far, because it's never called by default.
You have to craft OPENSSL_ppccap environment variable to trigger the problem.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Reviewed-by: Kurt Roeckx <kurt@openssl.org>

bn/asm/s390x.S: improve performance on z196 and z13 by up to 26%. [even z10 is couple percent faster]. Triggered by RT#4128, but solves the problem by real modulo-scheduling.

Reviewed-by: Rich Salz <rsalz@openssl.org>

It was also found that stich performs suboptimally on AMD Jaguar, hence
execution is limited to XOP-capable and Intel processors.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>

Reviewed-by: Tim Hudson <tjh@openssl.org>

Reviewed-by: Tim Hudson <tjh@openssl.org>

Print certificate details using accessor functions.

Since X509_CERT_AUX_print is only used in one place and can't
be used by applications (it uses an internal X509_CERT_AUX structure)
this has been removed and replaced by a function X509_aux_print which
takes an X509 pointer instead.

Reviewed-by: Tim Hudson <tjh@openssl.org>

Reviewed-by: Tim Hudson <tjh@openssl.org>

Reviewed-by: Matt Caswell <matt@openssl.org>

Reviewed-by: Matt Caswell <matt@openssl.org>

Reviewed-by: Matt Caswell <matt@openssl.org>

This adds a TLSv1.0 cipher alias for ciphersuites requiring
at least TLSv1.0: currently only PSK ciphersuites using SHA256
or SHA384 MAC (SSLv3 only supports SHA1 and MD5 MAC).

Reviewed-by: Matt Caswell <matt@openssl.org>

This disables some ciphersuites which aren't supported in SSL v3:
specifically PSK ciphersuites which use SHA256 or SHA384 for the MAC.

Thanks to the Open Crypto Audit Project for identifying this issue.

Reviewed-by: Matt Caswell <matt@openssl.org>

Reviewed-by: Matt Caswell <matt@openssl.org>

Reviewed-by: Tim Hudson <tjh@openssl.org>

Reviewed-by: Tim Hudson <tjh@openssl.org>
Signed-off-by: Rich Salz <rsalz@openssl.org>

Reviewed-by: Matt Caswell <matt@openssl.org>

Triggered by RT#3989.

Reviewed-by: Matt Caswell <matt@openssl.org>

The new function SSL_use_certificate_chain_file was always crashing in
the internal function use_certificate_chain_file because it would pass a
NULL value for SSL_CTX *, but use_certificate_chain_file would
unconditionally try to dereference it.

Reviewed-by: Stephen Henson <steve@openssl.org>

The function tls1_get_curvelist() has an explicit check to see if s->cert
is NULL or not. However the check appears *after* calling the tls1_suiteb
macro which derefs s->cert. In reality s->cert can never be NULL because
it is created in SSL_new(). If the malloc fails then the SSL_new call fails
and no SSL object is created.

Reviewed-by: Tim Hudson <tjh@openssl.org>

Continuing from previous work standardise use of malloc in the engine code.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>