Hide public symbols in x509.h

This picks up most of the remaining public symbols in
x509.h

ok tb@

Move the EVP_PKEY_asn1_* API that will stay to evp/p_lib.c

Most of these functions are only called from this file internally apart
from the pem_str lookups from pem/. In the next major bump we can then
remove asn/ameth_lib.c. Also move EVP_PKEY_ASN1_METHOD to evp_local.h.
While this is used to dispatch to various ASN.1 decoding routines, it
doesn't fit into asn1/ at all.

Unbreak the namespace build after a broken mk.conf and tool misfire had
me aliasing symbols not in the headers I was procesing.

This unbreaks the namespace build so it will pass again

ok tb@

Hide symbols in asn1 and bio

ok jsing@

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook

Remove unused variable

X509_NAME_print() is documented to print things at a given indentation
level. Unfortunately, this never worked since someone got some logic
wrong. Part of the wrong logic was removed in a dead code removal in
OpenSSL commit 92ada7cc, but the variable l was left behind, which leads
to compiler warnings on some platforms. End its sad life pointlessly
and incorrectly measuring column width and remove it.

ok jsing

Avoid signed integer overflow due to unary negation

The current X509_print_ex() tries too hard pretty printing negative
serialNumbers (which shouldn't occur in the first place). In particular,
negating LONG_MAX leads to signed overflow. Ditch the code dealing with
negative serialNumbers representable as long and fall back to the long
form printing. This simplifies the code and fixes

oss-fuzz #49944

with/ok jsing

Only print versions we know about

The version field of an X.509 Certificate is an enum

Version ::= INTEGER { v1(0), v2(1), v3(2) }

Printing the version as l + 1 only really makes sense with 0 <= l <= 2.
Otherwise print a naked l while also indicating that it is an unknown
version.

ok jsing

Indent goto labels for diffability.

Whitespace change only.

Move more ASN1_STRING_* functions to a_string.c.

No functional change.

Move the now internal X.509-related structs into x509_lcl.h.
Garbage collect the now unused LIBRESSL_CRYPTO_INTERNAL and
LIBRESSL_OPAQUE_X509. Include "x509_lcl.h" where needed and
fix a couple of unnecessary reacharounds.

ok jsing

Add error checks for i2d_X509_NAME()

This avoids potential malloc(-1) and malloc(0), spotted by schwarze
while documenting X509_ocspid_print().

ok schwarze

Fix a bug in X509_print_ex(3).
If the user set nmflags == X509_FLAG_COMPAT and X509_NAME_print_ex(3)
failed, the error return value of 0 was misinterpreted as an indicator
of success, causing X509_print_ex(3) to ignore the error, continue
printing, and potentially return successfully even though not all
the content of the certificate was printed.

The X509_NAME_print_ex(3) manual page explains that this function
indicates failure by returning 0 if nmflags == X509_FLAG_COMPAT
and by returning -1 if nmflags != X509_FLAG_COMPAT.
That's definitely atrocious API design (witnessed by the
complexity of the code needed for correct error checking),
but changing the API contract and becoming incompatible
with OpenSSL would make matters even worse.

Note that just checking for <= 0 in all cases would not be correct
either because X509_NAME_print_ex(3) returns 0 to indicate that it
successfully printed zero bytes in some cases, for example when all
three of the following conditions hold:
1. nmflags != X509_FLAG_COMPAT
2. indent == 0 (which X509_print_ex(3) does use in some cases)
3. the name object is NULL or empty

I found the bug by code inspection and proposed an incomplete patch,
then jsing@ proposed this improved version of the patch.
OK jsing@.

When printing the serialNumber, fall back to the colon separated hex
bytes in case ASN1_INTEGER_get() failed. This happens more often since
asn1/a_int.c -r1.34. Matches OpenSSL behavior.

Issue in openssl x509 -text output reported by sthen

ok jsing sthen

Add a const qualifier to the 'X509_NAME *' argument of
X509_NAME_print{,_ex{,_fp}}(3).

tested in a bulk build by sthen
ok jsing

Convert a handful of X509_*() functions to take const as in OpenSSL.

tested in a bulk by sthen
ok jsing

Put function name on a separate line and zap stray whitespace.

Fix silly code that printfs NULL when there are no fractional seconds
on a GENREALIZEDTIME (which there should really never be for anything
remotely standards compliant)
ok jsing@

Send the function codes from the error functions to the bit bucket,
as was done earlier in libssl. Thanks inoguchi@ for noticing
libssl had more reacharounds into this.
ok jsing@ inoguchi@

Delete a lot of #if 0 code in libressl.

There are a few instances where #if 1 is removed but the code remains.

Based on the following OpenSSL commits. Some of the commits weren't
strictly deletions so they are going to be split up into separate commits.

6f91b017bbb7140f816721141ac156d1b828a6b3
3d47c1d331fdc7574d2275cda1a630ccdb624b08
dfb56425b68314b2b57e17c82c1df42e7a015132
c8fa2356a00cbaada8963f739e5570298311a060
f16a64d11f55c01f56baa62ebf1dec7f8fe718cb
9ccc00ef6ea65567622e40c49aca43f2c6d79cdb
02a938c953b3e1ced71d9a832de1618f907eb96d
75d0ebef2aef7a2c77b27575b8da898e22f3ccd5
d6fbb194095312f4722c81c9362dbd0de66cb656
6f1a93ad111c7dfe36a09a976c4c009079b19ea1
1a5adcfb5edfe23908b350f8757df405b0f5f71f
8de24b792743d11e1d5a0dcd336a49368750c577
a2b18e657ea1a932d125154f4e13ab2258796d90
8e964419603d2478dfb391c66e7ccb2dcc9776b4
32dfde107636ac9bc62a5b3233fe2a54dbc27008

input + ok jsing@, miod@, tedu@

Make sure the return value of X509_NAME_oneline(, NULL,) is checked against
NULL.
ok deraadt@ guenther@ jsing@

Only import cryptlib.h in the four source files that actually need it.
Remove the openssl public includes from cryptlib.h and add a small number
of includes into the source files that actually need them. While here,
also sort/group/tidy the includes.

ok beck@ miod@

Explicitly include <openssl/opensslconf.h> in every file that references
an OPENSSL_NO_* define. This avoids relying on something else pulling it
in for us, plus it fixes several cases where the #ifndef OPENSSL_NO_XYZ is
never going to do anything, since OPENSSL_NO_XYZ will never defined, due
to the fact that opensslconf.h has not been included.

This also includes some miscellaneous sorting/tidying of headers.

tags as requested by miod and tedu

more: no need for null check before free
ok tedu guenther

Everything sane has stdio, and FILE *. we don't need ifdefs for this.
ok to firebomb from tedu@

improve realloc/calloc/malloc patterns; ok guenther

More KNF.

lob a few more knf grenades in here to soften things up.

putting most of the braces in the right column is the very least we can do.

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_relloc->realloc
OPENSSL_freeFunc->free

Send the rotIBM stream cipher (ebcdic) to Valhalla to party for eternity
with the bearded ones...
some API's that nobody should be using will dissapear with this commit.

resolve conflicts

resolve conflicts, fix local changes

resolve conflicts

update to openssl-0.9.8i; tested by several, especially krw@

resolve conflicts

Remove some double semicolons (hmm, do two semis equal a maxi?).
I've skipped the GNU stuff for now. From Patrick Latifi.

merge 0.9.7b with local changes; crank majors for libssl/libcrypto

OpenSSL 0.9.7 stable 2002 05 08 merge

merge openssl 0.9.6b-engine

Note that this is a maintenence release, API's appear *not* to have changed.
As such, I have only increased the minor number on these libraries

openssl-engine-0.9.6 merge

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs

OpenSSL 0.9.4 merge

branches: 1.1.1;
Initial revision

Move the EVP_PKEY_asn1_* API that will stay to evp/p_lib.c

Most of these functions are only called from this file internally apart
from the pem_str lookups from pem/. In the next major bump we can then
remove asn/ameth_lib.c. Also move EVP_PKEY_ASN1_METHOD to evp_local.h.
While this is used to dispatch to various ASN.1 decoding routines, it
doesn't fit into asn1/ at all.

Unbreak the namespace build after a broken mk.conf and tool misfire had
me aliasing symbols not in the headers I was procesing.

This unbreaks the namespace build so it will pass again

ok tb@

Hide symbols in asn1 and bio

ok jsing@

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook

Remove unused variable

X509_NAME_print() is documented to print things at a given indentation
level. Unfortunately, this never worked since someone got some logic
wrong. Part of the wrong logic was removed in a dead code removal in
OpenSSL commit 92ada7cc, but the variable l was left behind, which leads
to compiler warnings on some platforms. End its sad life pointlessly
and incorrectly measuring column width and remove it.

ok jsing

Avoid signed integer overflow due to unary negation

The current X509_print_ex() tries too hard pretty printing negative
serialNumbers (which shouldn't occur in the first place). In particular,
negating LONG_MAX leads to signed overflow. Ditch the code dealing with
negative serialNumbers representable as long and fall back to the long
form printing. This simplifies the code and fixes

oss-fuzz #49944

with/ok jsing

Only print versions we know about

The version field of an X.509 Certificate is an enum

Version ::= INTEGER { v1(0), v2(1), v3(2) }

Printing the version as l + 1 only really makes sense with 0 <= l <= 2.
Otherwise print a naked l while also indicating that it is an unknown
version.

ok jsing

Indent goto labels for diffability.

Whitespace change only.

Move more ASN1_STRING_* functions to a_string.c.

No functional change.

Move the now internal X.509-related structs into x509_lcl.h.
Garbage collect the now unused LIBRESSL_CRYPTO_INTERNAL and
LIBRESSL_OPAQUE_X509. Include "x509_lcl.h" where needed and
fix a couple of unnecessary reacharounds.

ok jsing

Add error checks for i2d_X509_NAME()

This avoids potential malloc(-1) and malloc(0), spotted by schwarze
while documenting X509_ocspid_print().

ok schwarze

Fix a bug in X509_print_ex(3).
If the user set nmflags == X509_FLAG_COMPAT and X509_NAME_print_ex(3)
failed, the error return value of 0 was misinterpreted as an indicator
of success, causing X509_print_ex(3) to ignore the error, continue
printing, and potentially return successfully even though not all
the content of the certificate was printed.

The X509_NAME_print_ex(3) manual page explains that this function
indicates failure by returning 0 if nmflags == X509_FLAG_COMPAT
and by returning -1 if nmflags != X509_FLAG_COMPAT.
That's definitely atrocious API design (witnessed by the
complexity of the code needed for correct error checking),
but changing the API contract and becoming incompatible
with OpenSSL would make matters even worse.

Note that just checking for <= 0 in all cases would not be correct
either because X509_NAME_print_ex(3) returns 0 to indicate that it
successfully printed zero bytes in some cases, for example when all
three of the following conditions hold:
1. nmflags != X509_FLAG_COMPAT
2. indent == 0 (which X509_print_ex(3) does use in some cases)
3. the name object is NULL or empty

I found the bug by code inspection and proposed an incomplete patch,
then jsing@ proposed this improved version of the patch.
OK jsing@.

When printing the serialNumber, fall back to the colon separated hex
bytes in case ASN1_INTEGER_get() failed. This happens more often since
asn1/a_int.c -r1.34. Matches OpenSSL behavior.

Issue in openssl x509 -text output reported by sthen

ok jsing sthen

Add a const qualifier to the 'X509_NAME *' argument of
X509_NAME_print{,_ex{,_fp}}(3).

tested in a bulk build by sthen
ok jsing

Convert a handful of X509_*() functions to take const as in OpenSSL.

tested in a bulk by sthen
ok jsing

Put function name on a separate line and zap stray whitespace.

Fix silly code that printfs NULL when there are no fractional seconds
on a GENREALIZEDTIME (which there should really never be for anything
remotely standards compliant)
ok jsing@

Send the function codes from the error functions to the bit bucket,
as was done earlier in libssl. Thanks inoguchi@ for noticing
libssl had more reacharounds into this.
ok jsing@ inoguchi@

Delete a lot of #if 0 code in libressl.

There are a few instances where #if 1 is removed but the code remains.

Based on the following OpenSSL commits. Some of the commits weren't
strictly deletions so they are going to be split up into separate commits.

6f91b017bbb7140f816721141ac156d1b828a6b3
3d47c1d331fdc7574d2275cda1a630ccdb624b08
dfb56425b68314b2b57e17c82c1df42e7a015132
c8fa2356a00cbaada8963f739e5570298311a060
f16a64d11f55c01f56baa62ebf1dec7f8fe718cb
9ccc00ef6ea65567622e40c49aca43f2c6d79cdb
02a938c953b3e1ced71d9a832de1618f907eb96d
75d0ebef2aef7a2c77b27575b8da898e22f3ccd5
d6fbb194095312f4722c81c9362dbd0de66cb656
6f1a93ad111c7dfe36a09a976c4c009079b19ea1
1a5adcfb5edfe23908b350f8757df405b0f5f71f
8de24b792743d11e1d5a0dcd336a49368750c577
a2b18e657ea1a932d125154f4e13ab2258796d90
8e964419603d2478dfb391c66e7ccb2dcc9776b4
32dfde107636ac9bc62a5b3233fe2a54dbc27008

input + ok jsing@, miod@, tedu@

Make sure the return value of X509_NAME_oneline(, NULL,) is checked against
NULL.
ok deraadt@ guenther@ jsing@

Only import cryptlib.h in the four source files that actually need it.
Remove the openssl public includes from cryptlib.h and add a small number
of includes into the source files that actually need them. While here,
also sort/group/tidy the includes.

ok beck@ miod@

Explicitly include <openssl/opensslconf.h> in every file that references
an OPENSSL_NO_* define. This avoids relying on something else pulling it
in for us, plus it fixes several cases where the #ifndef OPENSSL_NO_XYZ is
never going to do anything, since OPENSSL_NO_XYZ will never defined, due
to the fact that opensslconf.h has not been included.

This also includes some miscellaneous sorting/tidying of headers.

tags as requested by miod and tedu

more: no need for null check before free
ok tedu guenther

Everything sane has stdio, and FILE *. we don't need ifdefs for this.
ok to firebomb from tedu@

improve realloc/calloc/malloc patterns; ok guenther

More KNF.

lob a few more knf grenades in here to soften things up.

putting most of the braces in the right column is the very least we can do.

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_relloc->realloc
OPENSSL_freeFunc->free

Send the rotIBM stream cipher (ebcdic) to Valhalla to party for eternity
with the bearded ones...
some API's that nobody should be using will dissapear with this commit.

resolve conflicts

resolve conflicts, fix local changes

resolve conflicts

update to openssl-0.9.8i; tested by several, especially krw@

resolve conflicts

Remove some double semicolons (hmm, do two semis equal a maxi?).
I've skipped the GNU stuff for now. From Patrick Latifi.

merge 0.9.7b with local changes; crank majors for libssl/libcrypto

OpenSSL 0.9.7 stable 2002 05 08 merge

merge openssl 0.9.6b-engine

Note that this is a maintenence release, API's appear *not* to have changed.
As such, I have only increased the minor number on these libraries

openssl-engine-0.9.6 merge

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs

OpenSSL 0.9.4 merge

branches: 1.1.1;
Initial revision

Unbreak the namespace build after a broken mk.conf and tool misfire had
me aliasing symbols not in the headers I was procesing.

This unbreaks the namespace build so it will pass again

ok tb@

Hide symbols in asn1 and bio

ok jsing@

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook

Remove unused variable

X509_NAME_print() is documented to print things at a given indentation
level. Unfortunately, this never worked since someone got some logic
wrong. Part of the wrong logic was removed in a dead code removal in
OpenSSL commit 92ada7cc, but the variable l was left behind, which leads
to compiler warnings on some platforms. End its sad life pointlessly
and incorrectly measuring column width and remove it.

ok jsing

Avoid signed integer overflow due to unary negation

The current X509_print_ex() tries too hard pretty printing negative
serialNumbers (which shouldn't occur in the first place). In particular,
negating LONG_MAX leads to signed overflow. Ditch the code dealing with
negative serialNumbers representable as long and fall back to the long
form printing. This simplifies the code and fixes

oss-fuzz #49944

with/ok jsing

Only print versions we know about

The version field of an X.509 Certificate is an enum

Version ::= INTEGER { v1(0), v2(1), v3(2) }

Printing the version as l + 1 only really makes sense with 0 <= l <= 2.
Otherwise print a naked l while also indicating that it is an unknown
version.

ok jsing

Indent goto labels for diffability.

Whitespace change only.

Move more ASN1_STRING_* functions to a_string.c.

No functional change.

Move the now internal X.509-related structs into x509_lcl.h.
Garbage collect the now unused LIBRESSL_CRYPTO_INTERNAL and
LIBRESSL_OPAQUE_X509. Include "x509_lcl.h" where needed and
fix a couple of unnecessary reacharounds.

ok jsing

Add error checks for i2d_X509_NAME()

This avoids potential malloc(-1) and malloc(0), spotted by schwarze
while documenting X509_ocspid_print().

ok schwarze

Fix a bug in X509_print_ex(3).
If the user set nmflags == X509_FLAG_COMPAT and X509_NAME_print_ex(3)
failed, the error return value of 0 was misinterpreted as an indicator
of success, causing X509_print_ex(3) to ignore the error, continue
printing, and potentially return successfully even though not all
the content of the certificate was printed.

The X509_NAME_print_ex(3) manual page explains that this function
indicates failure by returning 0 if nmflags == X509_FLAG_COMPAT
and by returning -1 if nmflags != X509_FLAG_COMPAT.
That's definitely atrocious API design (witnessed by the
complexity of the code needed for correct error checking),
but changing the API contract and becoming incompatible
with OpenSSL would make matters even worse.

Note that just checking for <= 0 in all cases would not be correct
either because X509_NAME_print_ex(3) returns 0 to indicate that it
successfully printed zero bytes in some cases, for example when all
three of the following conditions hold:
1. nmflags != X509_FLAG_COMPAT
2. indent == 0 (which X509_print_ex(3) does use in some cases)
3. the name object is NULL or empty

I found the bug by code inspection and proposed an incomplete patch,
then jsing@ proposed this improved version of the patch.
OK jsing@.

When printing the serialNumber, fall back to the colon separated hex
bytes in case ASN1_INTEGER_get() failed. This happens more often since
asn1/a_int.c -r1.34. Matches OpenSSL behavior.

Issue in openssl x509 -text output reported by sthen

ok jsing sthen

Add a const qualifier to the 'X509_NAME *' argument of
X509_NAME_print{,_ex{,_fp}}(3).

tested in a bulk build by sthen
ok jsing

Convert a handful of X509_*() functions to take const as in OpenSSL.

tested in a bulk by sthen
ok jsing

Put function name on a separate line and zap stray whitespace.

Fix silly code that printfs NULL when there are no fractional seconds
on a GENREALIZEDTIME (which there should really never be for anything
remotely standards compliant)
ok jsing@

Send the function codes from the error functions to the bit bucket,
as was done earlier in libssl. Thanks inoguchi@ for noticing
libssl had more reacharounds into this.
ok jsing@ inoguchi@

Delete a lot of #if 0 code in libressl.

There are a few instances where #if 1 is removed but the code remains.

Based on the following OpenSSL commits. Some of the commits weren't
strictly deletions so they are going to be split up into separate commits.

6f91b017bbb7140f816721141ac156d1b828a6b3
3d47c1d331fdc7574d2275cda1a630ccdb624b08
dfb56425b68314b2b57e17c82c1df42e7a015132
c8fa2356a00cbaada8963f739e5570298311a060
f16a64d11f55c01f56baa62ebf1dec7f8fe718cb
9ccc00ef6ea65567622e40c49aca43f2c6d79cdb
02a938c953b3e1ced71d9a832de1618f907eb96d
75d0ebef2aef7a2c77b27575b8da898e22f3ccd5
d6fbb194095312f4722c81c9362dbd0de66cb656
6f1a93ad111c7dfe36a09a976c4c009079b19ea1
1a5adcfb5edfe23908b350f8757df405b0f5f71f
8de24b792743d11e1d5a0dcd336a49368750c577
a2b18e657ea1a932d125154f4e13ab2258796d90
8e964419603d2478dfb391c66e7ccb2dcc9776b4
32dfde107636ac9bc62a5b3233fe2a54dbc27008

input + ok jsing@, miod@, tedu@

Make sure the return value of X509_NAME_oneline(, NULL,) is checked against
NULL.
ok deraadt@ guenther@ jsing@

Only import cryptlib.h in the four source files that actually need it.
Remove the openssl public includes from cryptlib.h and add a small number
of includes into the source files that actually need them. While here,
also sort/group/tidy the includes.

ok beck@ miod@

Explicitly include <openssl/opensslconf.h> in every file that references
an OPENSSL_NO_* define. This avoids relying on something else pulling it
in for us, plus it fixes several cases where the #ifndef OPENSSL_NO_XYZ is
never going to do anything, since OPENSSL_NO_XYZ will never defined, due
to the fact that opensslconf.h has not been included.

This also includes some miscellaneous sorting/tidying of headers.

tags as requested by miod and tedu

more: no need for null check before free
ok tedu guenther

Everything sane has stdio, and FILE *. we don't need ifdefs for this.
ok to firebomb from tedu@

improve realloc/calloc/malloc patterns; ok guenther

More KNF.

lob a few more knf grenades in here to soften things up.

putting most of the braces in the right column is the very least we can do.

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_relloc->realloc
OPENSSL_freeFunc->free

Send the rotIBM stream cipher (ebcdic) to Valhalla to party for eternity
with the bearded ones...
some API's that nobody should be using will dissapear with this commit.

resolve conflicts

resolve conflicts, fix local changes

resolve conflicts

update to openssl-0.9.8i; tested by several, especially krw@

resolve conflicts

Remove some double semicolons (hmm, do two semis equal a maxi?).
I've skipped the GNU stuff for now. From Patrick Latifi.

merge 0.9.7b with local changes; crank majors for libssl/libcrypto

OpenSSL 0.9.7 stable 2002 05 08 merge

merge openssl 0.9.6b-engine

Note that this is a maintenence release, API's appear *not* to have changed.
As such, I have only increased the minor number on these libraries

openssl-engine-0.9.6 merge

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs

OpenSSL 0.9.4 merge

branches: 1.1.1;
Initial revision

Hide symbols in asn1 and bio

ok jsing@

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook

Remove unused variable

X509_NAME_print() is documented to print things at a given indentation
level. Unfortunately, this never worked since someone got some logic
wrong. Part of the wrong logic was removed in a dead code removal in
OpenSSL commit 92ada7cc, but the variable l was left behind, which leads
to compiler warnings on some platforms. End its sad life pointlessly
and incorrectly measuring column width and remove it.

ok jsing

Avoid signed integer overflow due to unary negation

The current X509_print_ex() tries too hard pretty printing negative
serialNumbers (which shouldn't occur in the first place). In particular,
negating LONG_MAX leads to signed overflow. Ditch the code dealing with
negative serialNumbers representable as long and fall back to the long
form printing. This simplifies the code and fixes

oss-fuzz #49944

with/ok jsing

Only print versions we know about

The version field of an X.509 Certificate is an enum

Version ::= INTEGER { v1(0), v2(1), v3(2) }

Printing the version as l + 1 only really makes sense with 0 <= l <= 2.
Otherwise print a naked l while also indicating that it is an unknown
version.

ok jsing

Indent goto labels for diffability.

Whitespace change only.

Move more ASN1_STRING_* functions to a_string.c.

No functional change.

Move the now internal X.509-related structs into x509_lcl.h.
Garbage collect the now unused LIBRESSL_CRYPTO_INTERNAL and
LIBRESSL_OPAQUE_X509. Include "x509_lcl.h" where needed and
fix a couple of unnecessary reacharounds.

ok jsing

Add error checks for i2d_X509_NAME()

This avoids potential malloc(-1) and malloc(0), spotted by schwarze
while documenting X509_ocspid_print().

ok schwarze

Fix a bug in X509_print_ex(3).
If the user set nmflags == X509_FLAG_COMPAT and X509_NAME_print_ex(3)
failed, the error return value of 0 was misinterpreted as an indicator
of success, causing X509_print_ex(3) to ignore the error, continue
printing, and potentially return successfully even though not all
the content of the certificate was printed.

The X509_NAME_print_ex(3) manual page explains that this function
indicates failure by returning 0 if nmflags == X509_FLAG_COMPAT
and by returning -1 if nmflags != X509_FLAG_COMPAT.
That's definitely atrocious API design (witnessed by the
complexity of the code needed for correct error checking),
but changing the API contract and becoming incompatible
with OpenSSL would make matters even worse.

Note that just checking for <= 0 in all cases would not be correct
either because X509_NAME_print_ex(3) returns 0 to indicate that it
successfully printed zero bytes in some cases, for example when all
three of the following conditions hold:
1. nmflags != X509_FLAG_COMPAT
2. indent == 0 (which X509_print_ex(3) does use in some cases)
3. the name object is NULL or empty

I found the bug by code inspection and proposed an incomplete patch,
then jsing@ proposed this improved version of the patch.
OK jsing@.

When printing the serialNumber, fall back to the colon separated hex
bytes in case ASN1_INTEGER_get() failed. This happens more often since
asn1/a_int.c -r1.34. Matches OpenSSL behavior.

Issue in openssl x509 -text output reported by sthen

ok jsing sthen

Add a const qualifier to the 'X509_NAME *' argument of
X509_NAME_print{,_ex{,_fp}}(3).

tested in a bulk build by sthen
ok jsing

Convert a handful of X509_*() functions to take const as in OpenSSL.

tested in a bulk by sthen
ok jsing

Put function name on a separate line and zap stray whitespace.

Fix silly code that printfs NULL when there are no fractional seconds
on a GENREALIZEDTIME (which there should really never be for anything
remotely standards compliant)
ok jsing@

Send the function codes from the error functions to the bit bucket,
as was done earlier in libssl. Thanks inoguchi@ for noticing
libssl had more reacharounds into this.
ok jsing@ inoguchi@

Delete a lot of #if 0 code in libressl.

There are a few instances where #if 1 is removed but the code remains.

Based on the following OpenSSL commits. Some of the commits weren't
strictly deletions so they are going to be split up into separate commits.

6f91b017bbb7140f816721141ac156d1b828a6b3
3d47c1d331fdc7574d2275cda1a630ccdb624b08
dfb56425b68314b2b57e17c82c1df42e7a015132
c8fa2356a00cbaada8963f739e5570298311a060
f16a64d11f55c01f56baa62ebf1dec7f8fe718cb
9ccc00ef6ea65567622e40c49aca43f2c6d79cdb
02a938c953b3e1ced71d9a832de1618f907eb96d
75d0ebef2aef7a2c77b27575b8da898e22f3ccd5
d6fbb194095312f4722c81c9362dbd0de66cb656
6f1a93ad111c7dfe36a09a976c4c009079b19ea1
1a5adcfb5edfe23908b350f8757df405b0f5f71f
8de24b792743d11e1d5a0dcd336a49368750c577
a2b18e657ea1a932d125154f4e13ab2258796d90
8e964419603d2478dfb391c66e7ccb2dcc9776b4
32dfde107636ac9bc62a5b3233fe2a54dbc27008

input + ok jsing@, miod@, tedu@

Make sure the return value of X509_NAME_oneline(, NULL,) is checked against
NULL.
ok deraadt@ guenther@ jsing@

Only import cryptlib.h in the four source files that actually need it.
Remove the openssl public includes from cryptlib.h and add a small number
of includes into the source files that actually need them. While here,
also sort/group/tidy the includes.

ok beck@ miod@

Explicitly include <openssl/opensslconf.h> in every file that references
an OPENSSL_NO_* define. This avoids relying on something else pulling it
in for us, plus it fixes several cases where the #ifndef OPENSSL_NO_XYZ is
never going to do anything, since OPENSSL_NO_XYZ will never defined, due
to the fact that opensslconf.h has not been included.

This also includes some miscellaneous sorting/tidying of headers.

tags as requested by miod and tedu

more: no need for null check before free
ok tedu guenther

Everything sane has stdio, and FILE *. we don't need ifdefs for this.
ok to firebomb from tedu@

improve realloc/calloc/malloc patterns; ok guenther

More KNF.

lob a few more knf grenades in here to soften things up.

putting most of the braces in the right column is the very least we can do.

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_relloc->realloc
OPENSSL_freeFunc->free

Send the rotIBM stream cipher (ebcdic) to Valhalla to party for eternity
with the bearded ones...
some API's that nobody should be using will dissapear with this commit.

resolve conflicts

resolve conflicts, fix local changes

resolve conflicts

update to openssl-0.9.8i; tested by several, especially krw@

resolve conflicts

Remove some double semicolons (hmm, do two semis equal a maxi?).
I've skipped the GNU stuff for now. From Patrick Latifi.

merge 0.9.7b with local changes; crank majors for libssl/libcrypto

OpenSSL 0.9.7 stable 2002 05 08 merge

merge openssl 0.9.6b-engine

Note that this is a maintenence release, API's appear *not* to have changed.
As such, I have only increased the minor number on these libraries

openssl-engine-0.9.6 merge

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs

OpenSSL 0.9.4 merge

branches: 1.1.1;
Initial revision

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook

Remove unused variable

X509_NAME_print() is documented to print things at a given indentation
level. Unfortunately, this never worked since someone got some logic
wrong. Part of the wrong logic was removed in a dead code removal in
OpenSSL commit 92ada7cc, but the variable l was left behind, which leads
to compiler warnings on some platforms. End its sad life pointlessly
and incorrectly measuring column width and remove it.

ok jsing

Avoid signed integer overflow due to unary negation

The current X509_print_ex() tries too hard pretty printing negative
serialNumbers (which shouldn't occur in the first place). In particular,
negating LONG_MAX leads to signed overflow. Ditch the code dealing with
negative serialNumbers representable as long and fall back to the long
form printing. This simplifies the code and fixes

oss-fuzz #49944

with/ok jsing

Only print versions we know about

The version field of an X.509 Certificate is an enum

Version ::= INTEGER { v1(0), v2(1), v3(2) }

Printing the version as l + 1 only really makes sense with 0 <= l <= 2.
Otherwise print a naked l while also indicating that it is an unknown
version.

ok jsing

Indent goto labels for diffability.

Whitespace change only.

Move more ASN1_STRING_* functions to a_string.c.

No functional change.

Move the now internal X.509-related structs into x509_lcl.h.
Garbage collect the now unused LIBRESSL_CRYPTO_INTERNAL and
LIBRESSL_OPAQUE_X509. Include "x509_lcl.h" where needed and
fix a couple of unnecessary reacharounds.

ok jsing

Add error checks for i2d_X509_NAME()

This avoids potential malloc(-1) and malloc(0), spotted by schwarze
while documenting X509_ocspid_print().

ok schwarze

Fix a bug in X509_print_ex(3).
If the user set nmflags == X509_FLAG_COMPAT and X509_NAME_print_ex(3)
failed, the error return value of 0 was misinterpreted as an indicator
of success, causing X509_print_ex(3) to ignore the error, continue
printing, and potentially return successfully even though not all
the content of the certificate was printed.

The X509_NAME_print_ex(3) manual page explains that this function
indicates failure by returning 0 if nmflags == X509_FLAG_COMPAT
and by returning -1 if nmflags != X509_FLAG_COMPAT.
That's definitely atrocious API design (witnessed by the
complexity of the code needed for correct error checking),
but changing the API contract and becoming incompatible
with OpenSSL would make matters even worse.

Note that just checking for <= 0 in all cases would not be correct
either because X509_NAME_print_ex(3) returns 0 to indicate that it
successfully printed zero bytes in some cases, for example when all
three of the following conditions hold:
1. nmflags != X509_FLAG_COMPAT
2. indent == 0 (which X509_print_ex(3) does use in some cases)
3. the name object is NULL or empty

I found the bug by code inspection and proposed an incomplete patch,
then jsing@ proposed this improved version of the patch.
OK jsing@.

When printing the serialNumber, fall back to the colon separated hex
bytes in case ASN1_INTEGER_get() failed. This happens more often since
asn1/a_int.c -r1.34. Matches OpenSSL behavior.

Issue in openssl x509 -text output reported by sthen

ok jsing sthen

Add a const qualifier to the 'X509_NAME *' argument of
X509_NAME_print{,_ex{,_fp}}(3).

tested in a bulk build by sthen
ok jsing

Convert a handful of X509_*() functions to take const as in OpenSSL.

tested in a bulk by sthen
ok jsing

Put function name on a separate line and zap stray whitespace.

Fix silly code that printfs NULL when there are no fractional seconds
on a GENREALIZEDTIME (which there should really never be for anything
remotely standards compliant)
ok jsing@

Send the function codes from the error functions to the bit bucket,
as was done earlier in libssl. Thanks inoguchi@ for noticing
libssl had more reacharounds into this.
ok jsing@ inoguchi@

Delete a lot of #if 0 code in libressl.

There are a few instances where #if 1 is removed but the code remains.

Based on the following OpenSSL commits. Some of the commits weren't
strictly deletions so they are going to be split up into separate commits.

6f91b017bbb7140f816721141ac156d1b828a6b3
3d47c1d331fdc7574d2275cda1a630ccdb624b08
dfb56425b68314b2b57e17c82c1df42e7a015132
c8fa2356a00cbaada8963f739e5570298311a060
f16a64d11f55c01f56baa62ebf1dec7f8fe718cb
9ccc00ef6ea65567622e40c49aca43f2c6d79cdb
02a938c953b3e1ced71d9a832de1618f907eb96d
75d0ebef2aef7a2c77b27575b8da898e22f3ccd5
d6fbb194095312f4722c81c9362dbd0de66cb656
6f1a93ad111c7dfe36a09a976c4c009079b19ea1
1a5adcfb5edfe23908b350f8757df405b0f5f71f
8de24b792743d11e1d5a0dcd336a49368750c577
a2b18e657ea1a932d125154f4e13ab2258796d90
8e964419603d2478dfb391c66e7ccb2dcc9776b4
32dfde107636ac9bc62a5b3233fe2a54dbc27008

input + ok jsing@, miod@, tedu@

Make sure the return value of X509_NAME_oneline(, NULL,) is checked against
NULL.
ok deraadt@ guenther@ jsing@

Only import cryptlib.h in the four source files that actually need it.
Remove the openssl public includes from cryptlib.h and add a small number
of includes into the source files that actually need them. While here,
also sort/group/tidy the includes.

ok beck@ miod@

Explicitly include <openssl/opensslconf.h> in every file that references
an OPENSSL_NO_* define. This avoids relying on something else pulling it
in for us, plus it fixes several cases where the #ifndef OPENSSL_NO_XYZ is
never going to do anything, since OPENSSL_NO_XYZ will never defined, due
to the fact that opensslconf.h has not been included.

This also includes some miscellaneous sorting/tidying of headers.

tags as requested by miod and tedu

more: no need for null check before free
ok tedu guenther

Everything sane has stdio, and FILE *. we don't need ifdefs for this.
ok to firebomb from tedu@

improve realloc/calloc/malloc patterns; ok guenther

More KNF.

lob a few more knf grenades in here to soften things up.

putting most of the braces in the right column is the very least we can do.

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_relloc->realloc
OPENSSL_freeFunc->free

Send the rotIBM stream cipher (ebcdic) to Valhalla to party for eternity
with the bearded ones...
some API's that nobody should be using will dissapear with this commit.

resolve conflicts

resolve conflicts, fix local changes

resolve conflicts

update to openssl-0.9.8i; tested by several, especially krw@

resolve conflicts

Remove some double semicolons (hmm, do two semis equal a maxi?).
I've skipped the GNU stuff for now. From Patrick Latifi.

merge 0.9.7b with local changes; crank majors for libssl/libcrypto

OpenSSL 0.9.7 stable 2002 05 08 merge

merge openssl 0.9.6b-engine

Note that this is a maintenence release, API's appear *not* to have changed.
As such, I have only increased the minor number on these libraries

openssl-engine-0.9.6 merge

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs

OpenSSL 0.9.4 merge

branches: 1.1.1;
Initial revision

Remove unused variable

X509_NAME_print() is documented to print things at a given indentation
level. Unfortunately, this never worked since someone got some logic
wrong. Part of the wrong logic was removed in a dead code removal in
OpenSSL commit 92ada7cc, but the variable l was left behind, which leads
to compiler warnings on some platforms. End its sad life pointlessly
and incorrectly measuring column width and remove it.

ok jsing

Avoid signed integer overflow due to unary negation

The current X509_print_ex() tries too hard pretty printing negative
serialNumbers (which shouldn't occur in the first place). In particular,
negating LONG_MAX leads to signed overflow. Ditch the code dealing with
negative serialNumbers representable as long and fall back to the long
form printing. This simplifies the code and fixes

oss-fuzz #49944

with/ok jsing

Only print versions we know about

The version field of an X.509 Certificate is an enum

Version ::= INTEGER { v1(0), v2(1), v3(2) }

Printing the version as l + 1 only really makes sense with 0 <= l <= 2.
Otherwise print a naked l while also indicating that it is an unknown
version.

ok jsing

Indent goto labels for diffability.

Whitespace change only.

Move more ASN1_STRING_* functions to a_string.c.

No functional change.

Move the now internal X.509-related structs into x509_lcl.h.
Garbage collect the now unused LIBRESSL_CRYPTO_INTERNAL and
LIBRESSL_OPAQUE_X509. Include "x509_lcl.h" where needed and
fix a couple of unnecessary reacharounds.

ok jsing

Add error checks for i2d_X509_NAME()

This avoids potential malloc(-1) and malloc(0), spotted by schwarze
while documenting X509_ocspid_print().

ok schwarze

Fix a bug in X509_print_ex(3).
If the user set nmflags == X509_FLAG_COMPAT and X509_NAME_print_ex(3)
failed, the error return value of 0 was misinterpreted as an indicator
of success, causing X509_print_ex(3) to ignore the error, continue
printing, and potentially return successfully even though not all
the content of the certificate was printed.

The X509_NAME_print_ex(3) manual page explains that this function
indicates failure by returning 0 if nmflags == X509_FLAG_COMPAT
and by returning -1 if nmflags != X509_FLAG_COMPAT.
That's definitely atrocious API design (witnessed by the
complexity of the code needed for correct error checking),
but changing the API contract and becoming incompatible
with OpenSSL would make matters even worse.

Note that just checking for <= 0 in all cases would not be correct
either because X509_NAME_print_ex(3) returns 0 to indicate that it
successfully printed zero bytes in some cases, for example when all
three of the following conditions hold:
1. nmflags != X509_FLAG_COMPAT
2. indent == 0 (which X509_print_ex(3) does use in some cases)
3. the name object is NULL or empty

I found the bug by code inspection and proposed an incomplete patch,
then jsing@ proposed this improved version of the patch.
OK jsing@.

When printing the serialNumber, fall back to the colon separated hex
bytes in case ASN1_INTEGER_get() failed. This happens more often since
asn1/a_int.c -r1.34. Matches OpenSSL behavior.

Issue in openssl x509 -text output reported by sthen

ok jsing sthen

Add a const qualifier to the 'X509_NAME *' argument of
X509_NAME_print{,_ex{,_fp}}(3).

tested in a bulk build by sthen
ok jsing

Convert a handful of X509_*() functions to take const as in OpenSSL.

tested in a bulk by sthen
ok jsing

Put function name on a separate line and zap stray whitespace.

Fix silly code that printfs NULL when there are no fractional seconds
on a GENREALIZEDTIME (which there should really never be for anything
remotely standards compliant)
ok jsing@

Send the function codes from the error functions to the bit bucket,
as was done earlier in libssl. Thanks inoguchi@ for noticing
libssl had more reacharounds into this.
ok jsing@ inoguchi@

Delete a lot of #if 0 code in libressl.

There are a few instances where #if 1 is removed but the code remains.

Based on the following OpenSSL commits. Some of the commits weren't
strictly deletions so they are going to be split up into separate commits.

6f91b017bbb7140f816721141ac156d1b828a6b3
3d47c1d331fdc7574d2275cda1a630ccdb624b08
dfb56425b68314b2b57e17c82c1df42e7a015132
c8fa2356a00cbaada8963f739e5570298311a060
f16a64d11f55c01f56baa62ebf1dec7f8fe718cb
9ccc00ef6ea65567622e40c49aca43f2c6d79cdb
02a938c953b3e1ced71d9a832de1618f907eb96d
75d0ebef2aef7a2c77b27575b8da898e22f3ccd5
d6fbb194095312f4722c81c9362dbd0de66cb656
6f1a93ad111c7dfe36a09a976c4c009079b19ea1
1a5adcfb5edfe23908b350f8757df405b0f5f71f
8de24b792743d11e1d5a0dcd336a49368750c577
a2b18e657ea1a932d125154f4e13ab2258796d90
8e964419603d2478dfb391c66e7ccb2dcc9776b4
32dfde107636ac9bc62a5b3233fe2a54dbc27008

input + ok jsing@, miod@, tedu@

Make sure the return value of X509_NAME_oneline(, NULL,) is checked against
NULL.
ok deraadt@ guenther@ jsing@

Only import cryptlib.h in the four source files that actually need it.
Remove the openssl public includes from cryptlib.h and add a small number
of includes into the source files that actually need them. While here,
also sort/group/tidy the includes.

ok beck@ miod@

Explicitly include <openssl/opensslconf.h> in every file that references
an OPENSSL_NO_* define. This avoids relying on something else pulling it
in for us, plus it fixes several cases where the #ifndef OPENSSL_NO_XYZ is
never going to do anything, since OPENSSL_NO_XYZ will never defined, due
to the fact that opensslconf.h has not been included.

This also includes some miscellaneous sorting/tidying of headers.

tags as requested by miod and tedu

more: no need for null check before free
ok tedu guenther

Everything sane has stdio, and FILE *. we don't need ifdefs for this.
ok to firebomb from tedu@

improve realloc/calloc/malloc patterns; ok guenther

More KNF.

lob a few more knf grenades in here to soften things up.

putting most of the braces in the right column is the very least we can do.

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_relloc->realloc
OPENSSL_freeFunc->free

Send the rotIBM stream cipher (ebcdic) to Valhalla to party for eternity
with the bearded ones...
some API's that nobody should be using will dissapear with this commit.

resolve conflicts

resolve conflicts, fix local changes

resolve conflicts

update to openssl-0.9.8i; tested by several, especially krw@

resolve conflicts

Remove some double semicolons (hmm, do two semis equal a maxi?).
I've skipped the GNU stuff for now. From Patrick Latifi.

merge 0.9.7b with local changes; crank majors for libssl/libcrypto

OpenSSL 0.9.7 stable 2002 05 08 merge

merge openssl 0.9.6b-engine

Note that this is a maintenence release, API's appear *not* to have changed.
As such, I have only increased the minor number on these libraries

openssl-engine-0.9.6 merge

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs

OpenSSL 0.9.4 merge

branches: 1.1.1;
Initial revision

Indent goto labels for diffability.

Whitespace change only.

Move more ASN1_STRING_* functions to a_string.c.

No functional change.

Move the now internal X.509-related structs into x509_lcl.h.
Garbage collect the now unused LIBRESSL_CRYPTO_INTERNAL and
LIBRESSL_OPAQUE_X509. Include "x509_lcl.h" where needed and
fix a couple of unnecessary reacharounds.

ok jsing

Add error checks for i2d_X509_NAME()

This avoids potential malloc(-1) and malloc(0), spotted by schwarze
while documenting X509_ocspid_print().

ok schwarze

Fix a bug in X509_print_ex(3).
If the user set nmflags == X509_FLAG_COMPAT and X509_NAME_print_ex(3)
failed, the error return value of 0 was misinterpreted as an indicator
of success, causing X509_print_ex(3) to ignore the error, continue
printing, and potentially return successfully even though not all
the content of the certificate was printed.

The X509_NAME_print_ex(3) manual page explains that this function
indicates failure by returning 0 if nmflags == X509_FLAG_COMPAT
and by returning -1 if nmflags != X509_FLAG_COMPAT.
That's definitely atrocious API design (witnessed by the
complexity of the code needed for correct error checking),
but changing the API contract and becoming incompatible
with OpenSSL would make matters even worse.

Note that just checking for <= 0 in all cases would not be correct
either because X509_NAME_print_ex(3) returns 0 to indicate that it
successfully printed zero bytes in some cases, for example when all
three of the following conditions hold:
1. nmflags != X509_FLAG_COMPAT
2. indent == 0 (which X509_print_ex(3) does use in some cases)
3. the name object is NULL or empty

I found the bug by code inspection and proposed an incomplete patch,
then jsing@ proposed this improved version of the patch.
OK jsing@.

When printing the serialNumber, fall back to the colon separated hex
bytes in case ASN1_INTEGER_get() failed. This happens more often since
asn1/a_int.c -r1.34. Matches OpenSSL behavior.

Issue in openssl x509 -text output reported by sthen

ok jsing sthen

Add a const qualifier to the 'X509_NAME *' argument of
X509_NAME_print{,_ex{,_fp}}(3).

tested in a bulk build by sthen
ok jsing

Convert a handful of X509_*() functions to take const as in OpenSSL.

tested in a bulk by sthen
ok jsing

Put function name on a separate line and zap stray whitespace.

Fix silly code that printfs NULL when there are no fractional seconds
on a GENREALIZEDTIME (which there should really never be for anything
remotely standards compliant)
ok jsing@

Send the function codes from the error functions to the bit bucket,
as was done earlier in libssl. Thanks inoguchi@ for noticing
libssl had more reacharounds into this.
ok jsing@ inoguchi@

Delete a lot of #if 0 code in libressl.

There are a few instances where #if 1 is removed but the code remains.

Based on the following OpenSSL commits. Some of the commits weren't
strictly deletions so they are going to be split up into separate commits.

6f91b017bbb7140f816721141ac156d1b828a6b3
3d47c1d331fdc7574d2275cda1a630ccdb624b08
dfb56425b68314b2b57e17c82c1df42e7a015132
c8fa2356a00cbaada8963f739e5570298311a060
f16a64d11f55c01f56baa62ebf1dec7f8fe718cb
9ccc00ef6ea65567622e40c49aca43f2c6d79cdb
02a938c953b3e1ced71d9a832de1618f907eb96d
75d0ebef2aef7a2c77b27575b8da898e22f3ccd5
d6fbb194095312f4722c81c9362dbd0de66cb656
6f1a93ad111c7dfe36a09a976c4c009079b19ea1
1a5adcfb5edfe23908b350f8757df405b0f5f71f
8de24b792743d11e1d5a0dcd336a49368750c577
a2b18e657ea1a932d125154f4e13ab2258796d90
8e964419603d2478dfb391c66e7ccb2dcc9776b4
32dfde107636ac9bc62a5b3233fe2a54dbc27008

input + ok jsing@, miod@, tedu@

Make sure the return value of X509_NAME_oneline(, NULL,) is checked against
NULL.
ok deraadt@ guenther@ jsing@

Only import cryptlib.h in the four source files that actually need it.
Remove the openssl public includes from cryptlib.h and add a small number
of includes into the source files that actually need them. While here,
also sort/group/tidy the includes.

ok beck@ miod@

Explicitly include <openssl/opensslconf.h> in every file that references
an OPENSSL_NO_* define. This avoids relying on something else pulling it
in for us, plus it fixes several cases where the #ifndef OPENSSL_NO_XYZ is
never going to do anything, since OPENSSL_NO_XYZ will never defined, due
to the fact that opensslconf.h has not been included.

This also includes some miscellaneous sorting/tidying of headers.

tags as requested by miod and tedu

more: no need for null check before free
ok tedu guenther

Everything sane has stdio, and FILE *. we don't need ifdefs for this.
ok to firebomb from tedu@

improve realloc/calloc/malloc patterns; ok guenther

More KNF.

lob a few more knf grenades in here to soften things up.

putting most of the braces in the right column is the very least we can do.

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_relloc->realloc
OPENSSL_freeFunc->free

Send the rotIBM stream cipher (ebcdic) to Valhalla to party for eternity
with the bearded ones...
some API's that nobody should be using will dissapear with this commit.

resolve conflicts

resolve conflicts, fix local changes

resolve conflicts

update to openssl-0.9.8i; tested by several, especially krw@

resolve conflicts

Remove some double semicolons (hmm, do two semis equal a maxi?).
I've skipped the GNU stuff for now. From Patrick Latifi.

merge 0.9.7b with local changes; crank majors for libssl/libcrypto

OpenSSL 0.9.7 stable 2002 05 08 merge

merge openssl 0.9.6b-engine

Note that this is a maintenence release, API's appear *not* to have changed.
As such, I have only increased the minor number on these libraries

openssl-engine-0.9.6 merge

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs

OpenSSL 0.9.4 merge

branches: 1.1.1;
Initial revision

Move the now internal X.509-related structs into x509_lcl.h.
Garbage collect the now unused LIBRESSL_CRYPTO_INTERNAL and
LIBRESSL_OPAQUE_X509. Include "x509_lcl.h" where needed and
fix a couple of unnecessary reacharounds.

ok jsing

Add error checks for i2d_X509_NAME()

This avoids potential malloc(-1) and malloc(0), spotted by schwarze
while documenting X509_ocspid_print().

ok schwarze

Fix a bug in X509_print_ex(3).
If the user set nmflags == X509_FLAG_COMPAT and X509_NAME_print_ex(3)
failed, the error return value of 0 was misinterpreted as an indicator
of success, causing X509_print_ex(3) to ignore the error, continue
printing, and potentially return successfully even though not all
the content of the certificate was printed.

The X509_NAME_print_ex(3) manual page explains that this function
indicates failure by returning 0 if nmflags == X509_FLAG_COMPAT
and by returning -1 if nmflags != X509_FLAG_COMPAT.
That's definitely atrocious API design (witnessed by the
complexity of the code needed for correct error checking),
but changing the API contract and becoming incompatible
with OpenSSL would make matters even worse.

Note that just checking for <= 0 in all cases would not be correct
either because X509_NAME_print_ex(3) returns 0 to indicate that it
successfully printed zero bytes in some cases, for example when all
three of the following conditions hold:
1. nmflags != X509_FLAG_COMPAT
2. indent == 0 (which X509_print_ex(3) does use in some cases)
3. the name object is NULL or empty

I found the bug by code inspection and proposed an incomplete patch,
then jsing@ proposed this improved version of the patch.
OK jsing@.

When printing the serialNumber, fall back to the colon separated hex
bytes in case ASN1_INTEGER_get() failed. This happens more often since
asn1/a_int.c -r1.34. Matches OpenSSL behavior.

Issue in openssl x509 -text output reported by sthen

ok jsing sthen

Add a const qualifier to the 'X509_NAME *' argument of
X509_NAME_print{,_ex{,_fp}}(3).

tested in a bulk build by sthen
ok jsing

Convert a handful of X509_*() functions to take const as in OpenSSL.

tested in a bulk by sthen
ok jsing

Put function name on a separate line and zap stray whitespace.

Fix silly code that printfs NULL when there are no fractional seconds
on a GENREALIZEDTIME (which there should really never be for anything
remotely standards compliant)
ok jsing@

Send the function codes from the error functions to the bit bucket,
as was done earlier in libssl. Thanks inoguchi@ for noticing
libssl had more reacharounds into this.
ok jsing@ inoguchi@

Delete a lot of #if 0 code in libressl.

There are a few instances where #if 1 is removed but the code remains.

Based on the following OpenSSL commits. Some of the commits weren't
strictly deletions so they are going to be split up into separate commits.

6f91b017bbb7140f816721141ac156d1b828a6b3
3d47c1d331fdc7574d2275cda1a630ccdb624b08
dfb56425b68314b2b57e17c82c1df42e7a015132
c8fa2356a00cbaada8963f739e5570298311a060
f16a64d11f55c01f56baa62ebf1dec7f8fe718cb
9ccc00ef6ea65567622e40c49aca43f2c6d79cdb
02a938c953b3e1ced71d9a832de1618f907eb96d
75d0ebef2aef7a2c77b27575b8da898e22f3ccd5
d6fbb194095312f4722c81c9362dbd0de66cb656
6f1a93ad111c7dfe36a09a976c4c009079b19ea1
1a5adcfb5edfe23908b350f8757df405b0f5f71f
8de24b792743d11e1d5a0dcd336a49368750c577
a2b18e657ea1a932d125154f4e13ab2258796d90
8e964419603d2478dfb391c66e7ccb2dcc9776b4
32dfde107636ac9bc62a5b3233fe2a54dbc27008

input + ok jsing@, miod@, tedu@

Make sure the return value of X509_NAME_oneline(, NULL,) is checked against
NULL.
ok deraadt@ guenther@ jsing@

Only import cryptlib.h in the four source files that actually need it.
Remove the openssl public includes from cryptlib.h and add a small number
of includes into the source files that actually need them. While here,
also sort/group/tidy the includes.

ok beck@ miod@

Explicitly include <openssl/opensslconf.h> in every file that references
an OPENSSL_NO_* define. This avoids relying on something else pulling it
in for us, plus it fixes several cases where the #ifndef OPENSSL_NO_XYZ is
never going to do anything, since OPENSSL_NO_XYZ will never defined, due
to the fact that opensslconf.h has not been included.

This also includes some miscellaneous sorting/tidying of headers.

tags as requested by miod and tedu

more: no need for null check before free
ok tedu guenther

Everything sane has stdio, and FILE *. we don't need ifdefs for this.
ok to firebomb from tedu@

improve realloc/calloc/malloc patterns; ok guenther

More KNF.

lob a few more knf grenades in here to soften things up.

putting most of the braces in the right column is the very least we can do.

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_relloc->realloc
OPENSSL_freeFunc->free

Send the rotIBM stream cipher (ebcdic) to Valhalla to party for eternity
with the bearded ones...
some API's that nobody should be using will dissapear with this commit.

resolve conflicts

resolve conflicts, fix local changes

resolve conflicts

update to openssl-0.9.8i; tested by several, especially krw@

resolve conflicts

Remove some double semicolons (hmm, do two semis equal a maxi?).
I've skipped the GNU stuff for now. From Patrick Latifi.

merge 0.9.7b with local changes; crank majors for libssl/libcrypto

OpenSSL 0.9.7 stable 2002 05 08 merge

merge openssl 0.9.6b-engine

Note that this is a maintenence release, API's appear *not* to have changed.
As such, I have only increased the minor number on these libraries

openssl-engine-0.9.6 merge

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs

OpenSSL 0.9.4 merge

branches: 1.1.1;
Initial revision

Add error checks for i2d_X509_NAME()

This avoids potential malloc(-1) and malloc(0), spotted by schwarze
while documenting X509_ocspid_print().

ok schwarze

Fix a bug in X509_print_ex(3).
If the user set nmflags == X509_FLAG_COMPAT and X509_NAME_print_ex(3)
failed, the error return value of 0 was misinterpreted as an indicator
of success, causing X509_print_ex(3) to ignore the error, continue
printing, and potentially return successfully even though not all
the content of the certificate was printed.

The X509_NAME_print_ex(3) manual page explains that this function
indicates failure by returning 0 if nmflags == X509_FLAG_COMPAT
and by returning -1 if nmflags != X509_FLAG_COMPAT.
That's definitely atrocious API design (witnessed by the
complexity of the code needed for correct error checking),
but changing the API contract and becoming incompatible
with OpenSSL would make matters even worse.

Note that just checking for <= 0 in all cases would not be correct
either because X509_NAME_print_ex(3) returns 0 to indicate that it
successfully printed zero bytes in some cases, for example when all
three of the following conditions hold:
1. nmflags != X509_FLAG_COMPAT
2. indent == 0 (which X509_print_ex(3) does use in some cases)
3. the name object is NULL or empty

I found the bug by code inspection and proposed an incomplete patch,
then jsing@ proposed this improved version of the patch.
OK jsing@.

When printing the serialNumber, fall back to the colon separated hex
bytes in case ASN1_INTEGER_get() failed. This happens more often since
asn1/a_int.c -r1.34. Matches OpenSSL behavior.

Issue in openssl x509 -text output reported by sthen

ok jsing sthen

Add a const qualifier to the 'X509_NAME *' argument of
X509_NAME_print{,_ex{,_fp}}(3).

tested in a bulk build by sthen
ok jsing

Convert a handful of X509_*() functions to take const as in OpenSSL.

tested in a bulk by sthen
ok jsing

Put function name on a separate line and zap stray whitespace.

Fix silly code that printfs NULL when there are no fractional seconds
on a GENREALIZEDTIME (which there should really never be for anything
remotely standards compliant)
ok jsing@

Send the function codes from the error functions to the bit bucket,
as was done earlier in libssl. Thanks inoguchi@ for noticing
libssl had more reacharounds into this.
ok jsing@ inoguchi@

Delete a lot of #if 0 code in libressl.

There are a few instances where #if 1 is removed but the code remains.

Based on the following OpenSSL commits. Some of the commits weren't
strictly deletions so they are going to be split up into separate commits.

6f91b017bbb7140f816721141ac156d1b828a6b3
3d47c1d331fdc7574d2275cda1a630ccdb624b08
dfb56425b68314b2b57e17c82c1df42e7a015132
c8fa2356a00cbaada8963f739e5570298311a060
f16a64d11f55c01f56baa62ebf1dec7f8fe718cb
9ccc00ef6ea65567622e40c49aca43f2c6d79cdb
02a938c953b3e1ced71d9a832de1618f907eb96d
75d0ebef2aef7a2c77b27575b8da898e22f3ccd5
d6fbb194095312f4722c81c9362dbd0de66cb656
6f1a93ad111c7dfe36a09a976c4c009079b19ea1
1a5adcfb5edfe23908b350f8757df405b0f5f71f
8de24b792743d11e1d5a0dcd336a49368750c577
a2b18e657ea1a932d125154f4e13ab2258796d90
8e964419603d2478dfb391c66e7ccb2dcc9776b4
32dfde107636ac9bc62a5b3233fe2a54dbc27008

input + ok jsing@, miod@, tedu@

Make sure the return value of X509_NAME_oneline(, NULL,) is checked against
NULL.
ok deraadt@ guenther@ jsing@

Only import cryptlib.h in the four source files that actually need it.
Remove the openssl public includes from cryptlib.h and add a small number
of includes into the source files that actually need them. While here,
also sort/group/tidy the includes.

ok beck@ miod@

Explicitly include <openssl/opensslconf.h> in every file that references
an OPENSSL_NO_* define. This avoids relying on something else pulling it
in for us, plus it fixes several cases where the #ifndef OPENSSL_NO_XYZ is
never going to do anything, since OPENSSL_NO_XYZ will never defined, due
to the fact that opensslconf.h has not been included.

This also includes some miscellaneous sorting/tidying of headers.

tags as requested by miod and tedu

more: no need for null check before free
ok tedu guenther

Everything sane has stdio, and FILE *. we don't need ifdefs for this.
ok to firebomb from tedu@

improve realloc/calloc/malloc patterns; ok guenther

More KNF.

lob a few more knf grenades in here to soften things up.

putting most of the braces in the right column is the very least we can do.

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_relloc->realloc
OPENSSL_freeFunc->free

Send the rotIBM stream cipher (ebcdic) to Valhalla to party for eternity
with the bearded ones...
some API's that nobody should be using will dissapear with this commit.

resolve conflicts

resolve conflicts, fix local changes

resolve conflicts

update to openssl-0.9.8i; tested by several, especially krw@

resolve conflicts

Remove some double semicolons (hmm, do two semis equal a maxi?).
I've skipped the GNU stuff for now. From Patrick Latifi.

merge 0.9.7b with local changes; crank majors for libssl/libcrypto

OpenSSL 0.9.7 stable 2002 05 08 merge

merge openssl 0.9.6b-engine

Note that this is a maintenence release, API's appear *not* to have changed.
As such, I have only increased the minor number on these libraries

openssl-engine-0.9.6 merge

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs

OpenSSL 0.9.4 merge

branches: 1.1.1;
Initial revision

Fix a bug in X509_print_ex(3).
If the user set nmflags == X509_FLAG_COMPAT and X509_NAME_print_ex(3)
failed, the error return value of 0 was misinterpreted as an indicator
of success, causing X509_print_ex(3) to ignore the error, continue
printing, and potentially return successfully even though not all
the content of the certificate was printed.

The X509_NAME_print_ex(3) manual page explains that this function
indicates failure by returning 0 if nmflags == X509_FLAG_COMPAT
and by returning -1 if nmflags != X509_FLAG_COMPAT.
That's definitely atrocious API design (witnessed by the
complexity of the code needed for correct error checking),
but changing the API contract and becoming incompatible
with OpenSSL would make matters even worse.

Note that just checking for <= 0 in all cases would not be correct
either because X509_NAME_print_ex(3) returns 0 to indicate that it
successfully printed zero bytes in some cases, for example when all
three of the following conditions hold:
1. nmflags != X509_FLAG_COMPAT
2. indent == 0 (which X509_print_ex(3) does use in some cases)
3. the name object is NULL or empty

I found the bug by code inspection and proposed an incomplete patch,
then jsing@ proposed this improved version of the patch.
OK jsing@.

When printing the serialNumber, fall back to the colon separated hex
bytes in case ASN1_INTEGER_get() failed. This happens more often since
asn1/a_int.c -r1.34. Matches OpenSSL behavior.

Issue in openssl x509 -text output reported by sthen

ok jsing sthen

Add a const qualifier to the 'X509_NAME *' argument of
X509_NAME_print{,_ex{,_fp}}(3).

tested in a bulk build by sthen
ok jsing

Convert a handful of X509_*() functions to take const as in OpenSSL.

tested in a bulk by sthen
ok jsing

Put function name on a separate line and zap stray whitespace.

Fix silly code that printfs NULL when there are no fractional seconds
on a GENREALIZEDTIME (which there should really never be for anything
remotely standards compliant)
ok jsing@

Send the function codes from the error functions to the bit bucket,
as was done earlier in libssl. Thanks inoguchi@ for noticing
libssl had more reacharounds into this.
ok jsing@ inoguchi@

Delete a lot of #if 0 code in libressl.

There are a few instances where #if 1 is removed but the code remains.

Based on the following OpenSSL commits. Some of the commits weren't
strictly deletions so they are going to be split up into separate commits.

6f91b017bbb7140f816721141ac156d1b828a6b3
3d47c1d331fdc7574d2275cda1a630ccdb624b08
dfb56425b68314b2b57e17c82c1df42e7a015132
c8fa2356a00cbaada8963f739e5570298311a060
f16a64d11f55c01f56baa62ebf1dec7f8fe718cb
9ccc00ef6ea65567622e40c49aca43f2c6d79cdb
02a938c953b3e1ced71d9a832de1618f907eb96d
75d0ebef2aef7a2c77b27575b8da898e22f3ccd5
d6fbb194095312f4722c81c9362dbd0de66cb656
6f1a93ad111c7dfe36a09a976c4c009079b19ea1
1a5adcfb5edfe23908b350f8757df405b0f5f71f
8de24b792743d11e1d5a0dcd336a49368750c577
a2b18e657ea1a932d125154f4e13ab2258796d90
8e964419603d2478dfb391c66e7ccb2dcc9776b4
32dfde107636ac9bc62a5b3233fe2a54dbc27008

input + ok jsing@, miod@, tedu@

Make sure the return value of X509_NAME_oneline(, NULL,) is checked against
NULL.
ok deraadt@ guenther@ jsing@

Only import cryptlib.h in the four source files that actually need it.
Remove the openssl public includes from cryptlib.h and add a small number
of includes into the source files that actually need them. While here,
also sort/group/tidy the includes.

ok beck@ miod@

Explicitly include <openssl/opensslconf.h> in every file that references
an OPENSSL_NO_* define. This avoids relying on something else pulling it
in for us, plus it fixes several cases where the #ifndef OPENSSL_NO_XYZ is
never going to do anything, since OPENSSL_NO_XYZ will never defined, due
to the fact that opensslconf.h has not been included.

This also includes some miscellaneous sorting/tidying of headers.

tags as requested by miod and tedu

more: no need for null check before free
ok tedu guenther

Everything sane has stdio, and FILE *. we don't need ifdefs for this.
ok to firebomb from tedu@

improve realloc/calloc/malloc patterns; ok guenther

More KNF.

lob a few more knf grenades in here to soften things up.

putting most of the braces in the right column is the very least we can do.

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_relloc->realloc
OPENSSL_freeFunc->free

Send the rotIBM stream cipher (ebcdic) to Valhalla to party for eternity
with the bearded ones...
some API's that nobody should be using will dissapear with this commit.

resolve conflicts

resolve conflicts, fix local changes

resolve conflicts

update to openssl-0.9.8i; tested by several, especially krw@

resolve conflicts

Remove some double semicolons (hmm, do two semis equal a maxi?).
I've skipped the GNU stuff for now. From Patrick Latifi.

merge 0.9.7b with local changes; crank majors for libssl/libcrypto

OpenSSL 0.9.7 stable 2002 05 08 merge

merge openssl 0.9.6b-engine

Note that this is a maintenence release, API's appear *not* to have changed.
As such, I have only increased the minor number on these libraries

openssl-engine-0.9.6 merge

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs

OpenSSL 0.9.4 merge

branches: 1.1.1;
Initial revision

When printing the serialNumber, fall back to the colon separated hex
bytes in case ASN1_INTEGER_get() failed. This happens more often since
asn1/a_int.c -r1.34. Matches OpenSSL behavior.

Issue in openssl x509 -text output reported by sthen

ok jsing sthen

Add a const qualifier to the 'X509_NAME *' argument of
X509_NAME_print{,_ex{,_fp}}(3).

tested in a bulk build by sthen
ok jsing

Convert a handful of X509_*() functions to take const as in OpenSSL.

tested in a bulk by sthen
ok jsing

Put function name on a separate line and zap stray whitespace.

Fix silly code that printfs NULL when there are no fractional seconds
on a GENREALIZEDTIME (which there should really never be for anything
remotely standards compliant)
ok jsing@

Send the function codes from the error functions to the bit bucket,
as was done earlier in libssl. Thanks inoguchi@ for noticing
libssl had more reacharounds into this.
ok jsing@ inoguchi@

Delete a lot of #if 0 code in libressl.

There are a few instances where #if 1 is removed but the code remains.

Based on the following OpenSSL commits. Some of the commits weren't
strictly deletions so they are going to be split up into separate commits.

6f91b017bbb7140f816721141ac156d1b828a6b3
3d47c1d331fdc7574d2275cda1a630ccdb624b08
dfb56425b68314b2b57e17c82c1df42e7a015132
c8fa2356a00cbaada8963f739e5570298311a060
f16a64d11f55c01f56baa62ebf1dec7f8fe718cb
9ccc00ef6ea65567622e40c49aca43f2c6d79cdb
02a938c953b3e1ced71d9a832de1618f907eb96d
75d0ebef2aef7a2c77b27575b8da898e22f3ccd5
d6fbb194095312f4722c81c9362dbd0de66cb656
6f1a93ad111c7dfe36a09a976c4c009079b19ea1
1a5adcfb5edfe23908b350f8757df405b0f5f71f
8de24b792743d11e1d5a0dcd336a49368750c577
a2b18e657ea1a932d125154f4e13ab2258796d90
8e964419603d2478dfb391c66e7ccb2dcc9776b4
32dfde107636ac9bc62a5b3233fe2a54dbc27008

input + ok jsing@, miod@, tedu@

Make sure the return value of X509_NAME_oneline(, NULL,) is checked against
NULL.
ok deraadt@ guenther@ jsing@

Only import cryptlib.h in the four source files that actually need it.
Remove the openssl public includes from cryptlib.h and add a small number
of includes into the source files that actually need them. While here,
also sort/group/tidy the includes.

ok beck@ miod@

Explicitly include <openssl/opensslconf.h> in every file that references
an OPENSSL_NO_* define. This avoids relying on something else pulling it
in for us, plus it fixes several cases where the #ifndef OPENSSL_NO_XYZ is
never going to do anything, since OPENSSL_NO_XYZ will never defined, due
to the fact that opensslconf.h has not been included.

This also includes some miscellaneous sorting/tidying of headers.

tags as requested by miod and tedu

more: no need for null check before free
ok tedu guenther

Everything sane has stdio, and FILE *. we don't need ifdefs for this.
ok to firebomb from tedu@

improve realloc/calloc/malloc patterns; ok guenther

More KNF.

lob a few more knf grenades in here to soften things up.

putting most of the braces in the right column is the very least we can do.

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_relloc->realloc
OPENSSL_freeFunc->free

Send the rotIBM stream cipher (ebcdic) to Valhalla to party for eternity
with the bearded ones...
some API's that nobody should be using will dissapear with this commit.

resolve conflicts

resolve conflicts, fix local changes