Calling SSL_shutdown while in init previously gave a "1" response, meaning
everything was successfully closed down (even though it wasn't). Better is
to send our close_notify, but fail when trying to receive one.

The problem with doing a shutdown while in the middle of a handshake is
that once our close_notify is sent we shouldn't really do anything else
(including process handshake/CCS messages) until we've received a
close_notify back from the peer. However the peer might send a CCS before
acting on our close_notify - so we won't be able to read it because we're
not acting on CCS messages!

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

Reviewed-by: Richard Levitte <levitte@openssl.org>

The GOST engine is now out of date and is removed by this commit. An up
to date GOST engine is now being maintained in an external repository.

See:
https://wiki.openssl.org/index.php/Binaries



Reviewed-by: Richard Levitte <levitte@openssl.org>

For BSD systems, Configure adds a shared_ldflags including a reference
to the Makefile variable LIBRPATH, but since it must be passed down to
Makefile.shared, care must be taken so the value of LIBRPATH doesn't
get expanded too early, or it ends up giving an empty string.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

RT#4080

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>

Some users want to disable SSL 3.0/TLS 1.0/TLS 1.1, and enable just
TLS 1.2.  In the future they might want to disable TLS 1.2 and
enable just TLS 1.3, ...

This commit makes it possible to disable any or all of the TLS or
DTLS protocols.  It also considerably simplifies the SSL/TLS tests,
by auto-generating the min/max version tests based on the set of
supported protocols (425 explicitly written out tests got replaced
by two loops that generate all 425 tests if all protocols are
enabled, fewer otherwise).

Reviewed-by: Richard Levitte <levitte@openssl.org>

Reviewed-by: Matt Caswell <matt@openssl.org>

Reviewed-by: Matt Caswell <matt@openssl.org>

Reviewed-by: Matt Caswell <matt@openssl.org>

Modify libssl to use EVP_PKEY TLS PRF.

Reviewed-by: Matt Caswell <matt@openssl.org>

Add EVP_PKEY algorithm for TLS1 PRF.

Reviewed-by: Matt Caswell <matt@openssl.org>

Fix a typo in the definition of the GOST2012-NULL-GOST12 ciphersuite.

RT#4213

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>

It seems risky in the context of cross-signed certificates when the
same certificate might have multiple potential issuers.  Also rarely
used, since chains in OpenSSL typically only employ self-signed
trust-anchors, whose self-signatures are not checked, while untrusted
certificates are generally ephemeral.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>

Cygwin was used for x86 before, so let's keep it around for those who
still use it (it make Configure reconf possible).
Cygwin-i[3456]86 for those that might generate and pass a target name
directly to Configure.

Reviewed-by: Rich Salz <rsalz@openssl.org>

This is to reflect that it's not limited to just i686.

Reviewed-by: Rich Salz <rsalz@openssl.org>

This patch allows to recognize the architectures supported by Cygwin
and to choose the right configuration from there.  Drop -march to
use default architecture on 32 bit x86.

Drop pre-Cygwin-1.3 recognition since it's long gone and there's no
valid configuration for this anymore.

Signed-off-by: Corinna Vinschen <vinschen@redhat.com>

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>

  Building for the Cygwin distro requires to be able to build debuginfo
  files.  This in turn requires to build object files without stripping.
  The stripping is performed by the next step after building which creates
  the debuginfo files.

Signed-off-by: Corinna Vinschen <vinschen@redhat.com>

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>

Signed-off-by: Corinna Vinschen <vinschen@redhat.com>

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>

Reviewed-by: Richard Levitte <levitte@openssl.org>

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

Remove lint, tags, dclean, tests.
This is prep for a new makedepend scheme.
This is temporary pending unified makefile, and might help it.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Author: Remi Gacogne <rgacogne-github@coredump.fr>
GH334: Add an OCSP_SINGLERESP_get0_id() accessor to the OCSP_CERTID of
a OCSP_SINGLERESP. It is possible to do it the other way around using
OCSP_resp_find(), but this is more efficient when you have a tree indexed
by OCSP_CERTID, like haproxy does. (This is also RT4251)

Author: Marek Klein <kleinmrk@gmail.com>
GH556: OCSP_resp_get_produced_at() accessor to the producedAt of a
OCSP_BASICRESP
GH555: TS_STATUS_INFO_get_status(), TS_STATUS_INFO_get_text() and
TS_STATUS_INFO_get_failure_info() accessors for a TS_STATUS_INFO

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

Missed the camellia EVP update.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

Make sure they detect that.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>

This avoids explicit double spaces between sentences.

Reviewed-by: Rich Salz <rsalz@openssl.org>

Also s/s/ssl/ as appropriate in the code example.

Suggested by Claus Assmann.

Reviewed-by: Rich Salz <rsalz@openssl.org>

Also report an SSL_dane_enable error when the basedomain is an
invalid SNI name.  Avoid side-effects when such a name is valid
with X509_VERIFY_PARAM_set1_host(), as e.g. with an empty name, by
setting the SNI name first.

Reviewed-by: Rich Salz <rsalz@openssl.org>

While empty inputs to SSL_set1_host() clear the reference identifier
list.

Reviewed-by: Rich Salz <rsalz@openssl.org>

Via Rainer Jung

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

- bugfix: should not treat '--' as invalid domain substring.
- '-' should not be the first letter of a domain

Signed-off-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

Reviewed-by: Matt Caswell <matt@openssl.org>

The windows installation instructions were very out of date. Substantial
update to the text. Remove a lot of historical stuff that isn't relevant
any more, and merge the win64 and win32 instructions into one file.

Reviewed-by: Richard Levitte <levitte@openssl.org>