Fix integer overflow in IGMP protocol. [SA-15:04]

Fix vt(4) crash with improper ioctl parameters. [EN-15:01]

Updated base system OpenSSL to 1.0.1l. [EN-15:02]

Fix freebsd-update libraries update ordering issue. [EN-15:03]

Approved by: so

Fix multiple vulnerabilities in OpenSSL. [SA-15:01]

Approved by: so

Fix rtsold(8) remote buffer overflow vulnerability. [SA-14:20]

Fix routed(8) remote denial of service vulnerability. [SA-14:21]

Fix memory leak in sandboxed namei lookup. [SA-14:22]

Fix OpenSSL multiple vulnerabilities. [SA-14:23]

Approved by: so

Fix multiple OpenSSL vulnerabilities:

The receipt of a specifically crafted DTLS handshake message may cause OpenSSL
to consume large amounts of memory. [CVE-2014-3506]

The receipt of a specifically crafted DTLS packet could cause OpenSSL to leak
memory. [CVE-2014-3507]

A flaw in OBJ_obj2txt may cause pretty printing functions such as
X509_name_oneline, X509_name_print_ex et al. to leak some information from
the stack. [CVE-2014-3508]

OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject to
a denial of service attack. [CVE-2014-3510]

If a multithreaded client connects to a malicious server using a resumed
session and the server sends an ec point format extension it could write
up to 255 bytes to freed memory. [CVE-2014-3509]

A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
TLS 1.0 instead of higher protocol versions when the ClientHello message
is badly fragmented. [CVE-2014-3511]

A malicious client or server can send invalid SRP parameters and overrun
an internal buffer. [CVE-2014-3512]

A malicious server can crash the client with a NULL pointer dereference by
specifying a SRP ciphersuite even though it was not properly negotiated
with the client. [CVE-2014-5139]

Security: CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3510,
CVE-2014-3509, CVE-2014-3511, CVE-2014-3512, CVE-2014-5139
Security: FreeBSD-SA-14:18.openssl
Approved by: so

Fix OpenSSL multiple vulnerabilities.

Security: CVE-2014-0195, CVE-2014-0221, CVE-2014-0224,
CVE-2014-3470
Security: SA-14:14.openssl
Approved by: so

Fix OpenSSL NULL pointer deference vulnerability. [SA-14:09]

Security: FreeBSD-SA-14:09.openssl
Security: CVE-2014-0198

Fix data corruption with ciss(4). [EN-14:05]

Errata: FreeBSD-EN-14:05.ciss

Approved by: so

Fix devfs rules not applied by default for jails.

Fix OpenSSL use-after-free vulnerability.

Fix TCP reassembly vulnerability.

Security: FreeBSD-SA-14:07.devfs
Security: CVE-2014-3001
Security: FreeBSD-SA-14:08.tcp
Security: CVE-2014-3000
Security: FreeBSD-SA-14:09.openssl
Security: CVE-2010-5298
Approved by: so

Fix NFS deadlock vulnerability. [SA-14:05]

Fix "Heartbleed" vulnerability and ECDSA Cache Side-channel
Attack in OpenSSL. [SA-14:06]

Approved by: so

MFS r260404 (MFC r260403 (MFV r260399)):

Apply vendor commits:

197e0ea Fix for TLS record tampering bug. (CVE-2013-4353).
3462896 For DTLS we might need to retransmit messages from the
previous session so keep a copy of write context in DTLS
retransmission buffers instead of replacing it after
sending CCS. (CVE-2013-6450).
ca98926 When deciding whether to use TLS 1.2 PRF and record hash
algorithms use the version number in the corresponding
SSL_METHOD structure instead of the SSL structure. The
SSL structure version is sometimes inaccurate.
Note: OpenSSL 1.0.2 and later effectively do this already.
(CVE-2013-6449).

Security: CVE-2013-4353
Security: CVE-2013-6449
Security: CVE-2013-6450
Approved by: re (gjb)

Remove svn:mergeinfo from the releng/10.0 branch.

After branch creation from stable/10, the stable/10 branch mergeinfo
was moved to the root of the branch.

Since there have not been any merges from stable/10 to releng/10.0
yet, we do not need to track any of the existing mergeinfo here.

Merges to releng/10.0 should now be done to the root of the branch.

For future branches during the release cycle, unless otherwise noted,
this change will be done as part of the stable/ and releng/ branch
creation.

Discussed with: peter
Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

- Copy stable/10 (r259064) to releng/10.0 as part of the
10.0-RELEASE cycle.
- Update __FreeBSD_version [1]
- Set branch name to -RC1

[1] 10.0-CURRENT __FreeBSD_version value ended at '55', so
start releng/10.0 at '100' so the branch is started with
a value ending in zero.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

MFV r254106 (OpenSSL bugfix for RT #2984):

Check DTLS_BAD_VER for version number.

The version check for DTLS1_VERSION was redundant as
DTLS1_VERSION > TLS1_1_VERSION, however we do need to
check for DTLS1_BAD_VER for compatibility.

Requested by: zi
Approved by: benl

Merge OpenSSL 1.0.1e.

Approved by: secteam (simon), benl (silence)

Change "the the" to "the". It is a continuation of r226436 and missed in
r237658.

Approved by: benl (maintainer, implicit)

Clean some 'svn:executable' properties in the tree.

Submitted by: Christoph Mallon
MFC after: 3 days

Indicate that we are using OpenSSL with some local modifications.

X-MFC after: with r244974

MFV r244973:

Integrate OpenSSL changeset 22950 (appro):

bn_word.c: fix overflow bug in BN_add_word.

MFC after: 2 weeks

Clean up hardcoded ar(1) flags in the tree to use the global ARFLAGS in
share/mk/sys.mk instead.

This is part of a medium term project to permit deterministic builds of
FreeBSD.

Submitted by: Erik Cederstrand <erik@cederstrand.dk>
Reviewed by: imp, toolchain@
Approved by: cperciva
MFC after: 2 weeks

Allow OpenSSL to use arc4random(3) on FreeBSD. arc4random(3) was modified
some time ago to use sysctl instead of /dev/random to get random data,
so is now much better choice, especially for sandboxed processes that have
no direct access to /dev/random.

Approved by: benl
MFC after: 2 weeks

openssl: change SHLIB_VERSION_NUMBER to reflect the reality

Note: I timed out waiting for an exp-run for this change but I survived
having it locally for quite a long time.

MFC after: 1 month
X-MFC note: SHLIB_MAJOR is 6 in stable/8 and stable/9

Merge OpenSSL 1.0.1c.

Approved by: benl (maintainer)

Partially redo r226436, i. e., change "the the" to "the". ca(1), dgst(1),
and engine(3) are generated from these pod files during merge process and
we do not want to re-apply these changes over and over again.

Approved by: benl (maintainer, implicit)

Merge OpenSSL 0.9.8x.

Reviewed by: stas
Approved by: benl (maintainer)
MFC after: 3 days

Update the previous openssl fix. [12:01]

Fix a bug in crypt(3) ignoring characters of a passphrase. [12:02]

Security: FreeBSD-SA-12:01.openssl (revised)
Security: FreeBSD-SA-12:02.crypt
Approved by: so (bz, simon)

Fix multiple OpenSSL vulnerabilities.

Security: CVE-2011-4576, CVE-2011-4619, CVE-2011-4109
Security: CVE-2012-0884, CVE-2012-2110
Security: FreeBSD-SA-12:01.openssl
Approved by: so (bz,simon)

Fix SSL memory handlig for (EC)DH cipher suites, in particular for
multi-threaded use of ECDH.

Security: CVE-2011-3210
Reviewed by: stas
Obtained from: OpenSSL CVS
Approved by: re (kib)

With retirement of cpumask_t and usage of cpuset_t for representing a
mask of CPUs, pc_other_cpus and pc_cpumask become highly inefficient.

Remove them and replace their usage with custom pc_cpuid magic (as,
atm, pc_cpumask can be easilly represented by (1 << pc_cpuid) and
pc_other_cpus by (all_cpus & ~(1 << pc_cpuid))).

This change is not targeted for MFC because of struct pcpu members
removal and dependency by cpumask_t retirement.

MD review by: marcel, marius, alc
Tested by: pluknet
MD testing by: marcel, marius, gonzo, andreast

etire the cpumask_t type and replace it with cpuset_t usage.

This is intended to fix the bug where cpu mask objects are
capped to 32. MAXCPU, then, can now arbitrarely bumped to whatever
value. Anyway, as long as several structures in the kernel are
statically allocated and sized as MAXCPU, it is suggested to keep it
as low as possible for the time being.

Technical notes on this commit itself:
- More functions to handle with cpuset_t objects are introduced.
The most notable are cpusetobj_ffs() (which calculates a ffs(3)
for a cpuset_t object), cpusetobj_strprint() (which prepares a string
representing a cpuset_t object) and cpusetobj_strscan() (which
creates a valid cpuset_t starting from a string representation).
- pc_cpumask and pc_other_cpus are target to be removed soon.
With the moving from cpumask_t to cpuset_t they are now inefficient
and not really useful. Anyway, for the time being, please note that
access to pcpu datas is protected by sched_pin() in order to avoid
migrating the CPU while reading more than one (possible) word
- Please note that size of cpuset_t objects may differ between kernel
and userland. While this is not directly related to the patch itself,
it is good to understand that concept and possibly use the patch
as a reference on how to deal with cpuset_t objects in userland, when
accessing kernland members.
- KTR_CPUMASK is changed and now is represented through a string, to be
set as the example reported in NOTES.

Please additively note that no MAXCPU is bumped in this patch, but
private testing has been done until to MAXCPU=128 on a real 8x8x2(htt)
machine (amd64).

Please note that the FreeBSD version is not yet bumped because of
the upcoming pcpu changes. However, note that this patch is not
targeted for MFC.

People to thank for the time spent on this patch:
- sbruno, pluknet and Nicholas Esborn (nick AT desert DOT net) tested
several revision of the patches and really helped in improving
stability of this work.
- marius fixed several bugs in the sparc64 implementation and reviewed
patches related to ktr.
- jeff and jhb discussed the basic approach followed.
- kib and marcel made targeted review on some specific part of the
patch.
- marius, art, nwhitehorn and andreast reviewed MD specific part of
the patch.
- marius, andreast, gonzo, nwhitehorn and jceel tested MD specific
implementations of the patch.
- Other people have made contributions on other patches that have been
already committed and have been listed separately.

Companies that should be mentioned for having participated at several
degrees:
- Yahoo! for having offered the machines used for testing on big
count of CPUs.
- The FreeBSD Foundation for having sponsored my devsummit attendance,
which has been instrumental.
- Sandvine for having offered offices and infrastructure during
development.

(I really hope I didn't forget anyone, if it happened I apologize in
advance).

Fix Incorrectly formatted ClientHello SSL/TLS handshake messages could
cause OpenSSL to parse past the end of the message.

Note: Applications are only affected if they act as a server and call
SSL_CTX_set_tlsext_status_cb on the server's SSL_CTX. This includes
Apache httpd >= 2.3.3, if configured with "SSLUseStapling On".

Security: http://www.openssl.org/news/secadv_20110208.txt
Security: CVE-2011-0014
Obtained from: OpenSSL CVS

Merge OpenSSL 0.9.8q into head.

Security: CVE-2010-4180
Security: http://www.openssl.org/news/secadv_20101202.txt
MFC after: 3 days

Merge OpenSSL 0.9.8p into head.

Security: CVE-2010-3864
Security: http://www.openssl.org/news/secadv_20101116.txt

Fix double-free in OpenSSL's SSL ECDH code.

It has yet to be determined if this warrants a FreeBSD Security
Advisory, but we might as well get it fixed in the normal branches.

Obtained from: OpenSSL CVS
Security: CVE-2010-2939
X-MFC after: Not long...

Bring in OpenSSL checkin 19821:

Make inline assembler clang-friendly [from HEAD].

openssl/crypto/md32_common.h 1.45.2.1 -> 1.45.2.2
openssl/crypto/rc5/rc5_locl.h 1.8 -> 1.8.8.1

Approved by: simon

Merger of the quota64 project into head.

This joint work of Dag-Erling Smørgrav and myself updates the
FFS quota system to support both traditional 32-bit and new 64-bit
quotas (for those of you who want to put 2+Tb quotas on your users).

By default quotas are not compiled into the kernel. To include them
in your kernel configuration you need to specify:

options QUOTA # Enable FFS quotas

If you are already running with the current 32-bit quotas, they
should continue to work just as they have in the past. If you
wish to convert to using 64-bit quotas, use `quotacheck -c 64';
if you wish to revert from 64-bit quotas back to 32-bit quotas,
use `quotacheck -c 32'.

There is a new library of functions to simplify the use of the
quota system, do `man quotafile' for details. If your application
is currently using the quotactl(2), it is highly recommended that
you convert your application to use the quotafile interface.
Note that existing binaries will continue to work.

Special thanks to John Kozubik of rsync.net for getting me
interested in pursuing 64-bit quota support and for funding
part of my development time on this project.

Merge OpenSSL 0.9.8n into head.

This fixes CVE-2010-0740 which only affected -CURRENT (OpenSSL 0.9.8m)
but not -STABLE branches.

I have not yet been able to find out if CVE-2010-0433 impacts FreeBSD.
This will be investigated further.

Security: CVE-2010-0433, CVE-2010-0740
Security: http://www.openssl.org/news/secadv_20100324.txt

Prune empty directories.

Readd $FreeBSD$ to the OpenSSL config file as that's useful for
mergemaster.

Suggested by: dougb

Merge OpenSSL 0.9.8m into head.

This also "reverts" some FreeBSD local changes so we should now
be back to using entirely stock OpenSSL. The local changes were
simple $FreeBSD$ lines additions, which were required in the CVS
days, and the patch for FreeBSD-SA-09:15.ssl which has been
superseded with OpenSSL 0.9.8m's RFC5746 'TLS renegotiation
extension' support.

MFC after: 3 weeks

Disable SSL renegotiation in order to protect against a serious
protocol flaw. [09:15]

Correctly handle failures from unsetenv resulting from a corrupt
environment in rtld-elf. [09:16]

Fix permissions in freebsd-update in order to prevent leakage of
sensitive files. [09:17]

Approved by: so (cperciva)
Security: FreeBSD-SA-09:15.ssl
Security: FreeBSD-SA-09:16.rtld
Security: FreeBSD-SA-09:17.freebsd-udpate

Merge DTLS fixes from vendor-crypto/openssl/dist:

- Fix memory consumption bug with "future epoch" DTLS records.
- Fix fragment handling memory leak.
- Do not access freed data structure.
- Fix DTLS fragment bug - out-of-sequence message handling which could
result in NULL pointer dereference in
dtls1_process_out_of_seq_message().

Note that this will not get FreeBSD Security Advisory as DTLS is
experimental in OpenSSL.

MFC after: 1 week
Security: CVE-2009-1377 CVE-2009-1378 CVE-2009-1379 CVE-2009-1387

Remove symlinks in OpenSSL's testing framework. These are not required
for normal build, and doesn't export well to CVS.

If they are needed later a script will be added to recreate the symlinks
when needed at build time.

Approved by: re (rwatson)

Merge OpenSSL 0.9.8k into head.

Approved by: re

Remove empty directories from the HEAD.

Discussed with: developers, imp

Don't leak information via uninitialized space in db(3) records. [09:07]

Sanity-check string lengths in order to stop OpenSSL crashing
when printing corrupt BMPString or UniversalString objects. [09:08]

Security: FreeBSD-SA-09:07.libc
Security: FreeBSD-SA-09:08.openssl
Security: CVE-2009-0590
Approved by: re (kensmith)
Approved by: so (cperciva)

Prevent cross-site forgery attacks on lukemftpd(8) due to splitting
long commands into multiple requests. [09:01]

Fix incorrect OpenSSL checks for malformed signatures due to invalid
check of return value from EVP_VerifyFinal(), DSA_verify, and
DSA_do_verify. [09:02]

Security: FreeBSD-SA-09:01.lukemftpd
Security: FreeBSD-SA-09:02.openssl
Obtained from: NetBSD [SA-09:01]
Obtained from: OpenSSL Project [SA-09:02]
Approved by: so (simon)

The vendor area is the proper home for these files now.

Bootstrapping merge history from vendor-crypto/openssl/dist/@182044.

cvs2svn did not delete this, even though it is empty.

Unbreak detection of cryptodev support for FreeBSD which was broken
with OpenSSL 0.9.8 import.

Note that this does not enable cryptodev by default, as it was the
case with OpenSSL 0.9.7 in FreeBSD base, but this change makes it
possible to enable cryptodev at all.

This has been submitted upstream as:
http://rt.openssl.org/Ticket/Display.html?id=1624

Submitted by: nork

This commit was generated by cvs2svn to compensate for changes in r172767,
which included commits to RCS files with non-trunk default branches.

Correct a buffer overflow in OpenSSL SSL_get_shared_ciphers().

Security: FreeBSD-SA-07:08.openssl
Approved by: re (security blanket)

Fix runtime crash in OpenSSL with "Illegal instruction" by making some
casts a bit less evil.

This was e.g. seen when using portsnap as:

Fetching snapshot tag from portsnap3.FreeBSD.org... Illegal instruction

Note the patch is slightly different from kan's original patch to
match style in the OpenSSL source files a bit better.

Submitted by: kan
Tested by: many

- Bring upgrade produce up-to-date for OpenSSL 0.9.8e.
- Add reminder to bump version numer in Makefile.inc.

This commit was generated by cvs2svn to compensate for changes in r167617,
which included commits to RCS files with non-trunk default branches.

Resolve conflicts after import of OpenSSL 0.9.8e.

This commit was generated by cvs2svn to compensate for changes in r167612,
which included commits to RCS files with non-trunk default branches.

This commit was generated by cvs2svn to compensate for changes in r162916,
which included commits to RCS files with non-trunk default branches.

Resolve conflicts after import of OpenSSL 0.9.8d.

This commit was generated by cvs2svn to compensate for changes in r162911,
which included commits to RCS files with non-trunk default branches.

Correct incorrect PKCS#1 v1.5 padding validation in crypto(3).

Obtained from: OpenSSL project
Security: FreeBSD-SA-06:19.openssl

Resolve conflicts after import of OpenSSL 0.9.8b.

This was missed the first time around since eng_padlock.c was not part
of OpenSSL 0.9.7e and therefor did not have the v0_9_7e CVS tag used
during original resolve of conflicts.

Noticed by: Antoine Brodin <antoine.brodin@laposte.net>

Sync FREEBSD-Xlist with what was actually excluded from OpenSSL 0.9.8b
import.

Add some rough notes on how to import a new OpenSSL version into the
FreeBSD base system. Parts are inspired by the OpenSSH upgrade notes.

Resolve conflicts after import of OpenSSL 0.9.8b.

This commit was generated by cvs2svn to compensate for changes in r160814,
which included commits to RCS files with non-trunk default branches.

Correct a man-in-the-middle SSL version rollback vulnerability.

Security: FreeBSD-SA-05:21.openssl

File removed in update from OpenSSL 0.9.7d -> 0.9.7e.

This commit was generated by cvs2svn to compensate for changes in r142430,
which included commits to RCS files with non-trunk default branches.

Resolve conflicts after import of OpenSSL 0.9.7e.

This commit was generated by cvs2svn to compensate for changes in r142425,
which included commits to RCS files with non-trunk default branches.

Update list of files to remove prior to import of OpenSSL 0.9.7e.

This commit was generated by cvs2svn to compensate for changes in r142421,
which included commits to RCS files with non-trunk default branches.

Add support for C3 Nehemiah ACE ("Padlock") AES crypto. This comes
from OpenSSL 0.9.5 (yet to be released), and is pretty complete.

This commit was generated by cvs2svn to compensate for changes in r133665,
which included commits to RCS files with non-trunk default branches.

This commit was generated by cvs2svn to compensate for changes in r127904,
which included commits to RCS files with non-trunk default branches.

Resolve conflicts after import of OpenSSL 0.9.7d.

This commit was generated by cvs2svn to compensate for changes in r127128,
which included commits to RCS files with non-trunk default branches.

This commit was generated by cvs2svn to compensate for changes in r127114,
which included commits to RCS files with non-trunk default branches.

Re-add the FreeBSD RCS keyword for the benefit of mergemaster.

PR: conf/50040
Requested by: Dimitry Andric <dim@xs4all.nl>

Remove files no longer included with OpenSSL as of version 0.9.7c.

Merge conflicts after import of OpenSSL 0.9.7c.

This commit was generated by cvs2svn to compensate for changes in r120631,
which included commits to RCS files with non-trunk default branches.

Update list of files to remove prior to import of OpenSSL 0.9.7c.

Merge conflicts

This commit was generated by cvs2svn to compensate for changes in r112439,
which included commits to RCS files with non-trunk default branches.

Resolve conflicts after import of OpenSSL 0.9.7a.

This commit was generated by cvs2svn to compensate for changes in r111147,
which included commits to RCS files with non-trunk default branches.

Background:
When libdes was replaced with OpenSSL's libcrypto, there were a few
interfaces that the former implemented but the latter did not. Because
some software in the base system still depended upon these interfaces,
we simply included them in our libcrypto (rnd_keys.c).

Now, finally get around to removing the dependencies on these
interfaces. There were basically two cases:

des_new_random_key -- This is just a wrapper for des_random_key, and
these calls were replaced.

des_init_random_number_generator et. al. -- A few functions were used
by the application to seed libdes's PRNG. These are not necessary
when using libcrypto, as OpenSSL internally seeds the PRNG from
/dev/random. These calls were simply removed.

Again, some of the Kerberos 4 files have been taken off the vendor
branch. I do not expect there to be future imports of KTH Kerberos 4.

This commit was generated by cvs2svn to compensate for changes in r110018,
which included commits to RCS files with non-trunk default branches.

Merge conflicts.
This is cunning doublespeak for "use vendor code".

Remove files no longer on OpenSSL 0.9.7. crypto/des/rnd_keys.c is
retained as it is still used.

This commit was generated by cvs2svn to compensate for changes in r109998,
which included commits to RCS files with non-trunk default branches.

Resolve conflicts.

This commit was generated by cvs2svn to compensate for changes in r101618,
which included commits to RCS files with non-trunk default branches.

This commit was generated by cvs2svn to compensate for changes in r101615,
which included commits to RCS files with non-trunk default branches.

This commit was generated by cvs2svn to compensate for changes in r101613,
which included commits to RCS files with non-trunk default branches.

This commit was generated by cvs2svn to compensate for changes in r101386,
which included commits to RCS files with non-trunk default branches.

Resolve conflicts after import of OpenSSL 0.9.6e.

This commit was generated by cvs2svn to compensate for changes in r100936,
which included commits to RCS files with non-trunk default branches.

This man page has not been referenced by anything for a while,
and is not part of the OpenSSL distribution. Remove it.

Remove many obsolete files. The majority of these are simply no
longer included as part of the OpenSSL distribution. However, a few
we just don't need and are explicitly excluded in FREEBSD-Xlist.

Resolve conflicts after import of OpenSSL 0.9.6d.

This commit was generated by cvs2svn to compensate for changes in r100928,
which included commits to RCS files with non-trunk default branches.

Update list of files to remove prior to import of OpenSSL 0.9.6d

Resolve conflicts.

This commit was generated by cvs2svn to compensate for changes in r89837,
which included commits to RCS files with non-trunk default branches.

Protect names that are used elsewhere. This fixes WARNS=2 breakage
in crypto telnet.

Resolve conflicts

This commit was generated by cvs2svn to compensate for changes in r79998,
which included commits to RCS files with non-trunk default branches.

Resolve conflicts

This commit was generated by cvs2svn to compensate for changes in r76866,
which included commits to RCS files with non-trunk default branches.

Resolve conflicts

This commit was generated by cvs2svn to compensate for changes in r72613,
which included commits to RCS files with non-trunk default branches.

Update list of files to remove prior to import

Resolve conflicts, and garbage collect some local changes that are no
longer required

This commit was generated by cvs2svn to compensate for changes in r68651,
which included commits to RCS files with non-trunk default branches.

Add a CVS Id tag

Nuke RSAREF support from orbit.

It's the only way to be sure.

MFI. This is a documentation-only, diffreducing patch, that if
invoked will cause breakage. US Users - DO NOT try to turn on
IDEA - the sources are not included.

Grrr. I hate CVS. These were supposed to be committed when I did the
IDEA fix earlier today.

Bring back IDEA from the dead (but not compiled by default).

Re-add IDEA. This is not actually built unless asked for by the user.
(To avoid patent hassles).

MFF: catch up with FreeFall

If stderr is closed, report the error message about missing libraries
via syslog instead.

Reviewed by: jkh

Internat diff reducer.

This commit was generated by cvs2svn to compensate for changes in r59281,
which included commits to RCS files with non-trunk default branches.

Resolve conflicts.

This commit was generated by cvs2svn to compensate for changes in r59191,
which included commits to RCS files with non-trunk default branches.

Correct a typo and interchanged library names

Submitted by: Ben Rosengart <ben@narcissus.net>
Matthew D. Fuller <fullermd@futuresouth.com>

Don't refer to the openssl handbook chapter by name - the doc guys keep
jamming new chapters in front of it :)

Add a new function stub to libcrypto() which resolves to a symbol in
the librsa* library and reports which version of the library (OpenSSL/RSAREF)
is being used.

This is then used in openssh to detect the failure case of RSAREF and a RSA key
>1024 bits, to print a more helpful error message than 'rsa_public_encrypt() fai
led.'

This is a 4.0-RELEASE candidate.

Update the wording on the error message when libcrypto.so can't find an
RSA library.

Reviewed by: peter, jkh

Sync with internat.freebsd.org; weak symbols vs static libs == trouble

Merge from internat.freebsd.org; move VERBOSE_STUBS to a better spot.

Merge from internat.freebsd.org repo, minus change to rsa_eay.c (missing)

Reorganize and unify libcrypto's interface so that the RSA implementation
is chosen at runtime via dlopen().

This is a checkpoint and may require more tweaks still.

Merge from internat.freebsd.org repo, minus change to rsa_eay.c (missing)

Reorganize and unify libcrypto's interface so that the RSA implementation
is chosen at runtime via dlopen().

This is a checkpoint and may require more tweaks still.

At great personal risk (to my already fragile sanity), reorganize
the rsa stubs for libcrypto. libcrypto.so now uses dlopen() to
implement the backends for either the native or rsaref implemented
RSA code.
This involves:
- unifying the libcrypto and openssl(1) source so there is no
#ifdef RSAref variations.
- using weak symbols and dlopen()/dlsym() routines to access the
rsa method vectors.

Releases will enable the user to choose International, US (rsaref) or
no RSA code at install time.
'make world' will DTRT depending on whether you have the international
or US source. For US users, you must either install rsaref (the port
or package) or (if you don't fear RSA Inc) use the (superior)
International rsa_eay.c code.

This has been discussed at great length by the affected folks and even
we have a great deal of confusion. This is a checkpoint so we can tune
the results. This works for me in all permutations I can think of and
should result in a CD/ftp 'release' just about doing the right thing now.

Don't use the dlopen() stubs if comiling with PIC. This still
needs some more thought for the static case. Should we provide weak
error-generating stubs for static binaries if -lrsaref was forgotten?

Oops; forgot to add this.

Get this to the same level of functionality as old libdes.

Add call stubs for dynamic rsaref loading. This isn't enabled for now
but simply lets us sync up on the solution as it's evolved.

This commit was generated by cvs2svn to compensate for changes in r56083,
which included commits to RCS files with non-trunk default branches.

Fix for missing symbol in -DRSAref case.

Fix breakage when NO_RSA specified.

Reviewed by: Ben Laurie <ben@openssl.org>

Zap NO_IDEA

List of files to nuke prior to import.

This commit was generated by cvs2svn to compensate for changes in r55714,
which included commits to RCS files with non-trunk default branches.

Zap the IDEA stuff - it's patented internationally (at least in some
places), and we don't want people to get in trouble just for having it.

This commit was generated by cvs2svn to compensate for changes in r55099,
which included commits to RCS files with non-trunk default branches.