History log of /openbsd-current/lib/libcrypto/asn1/x_x509.c
Revision Date Author Comments
# 1.38 09-Apr-2024 beck

Hide public symbols in x509.h

This picks up most of the remaining public symbols in
x509.h

ok tb@


Revision tags: OPENBSD_7_4_BASE OPENBSD_7_5_BASE
# 1.37 07-Jul-2023 beck

Unbreak the namespace build after a broken mk.conf and tool misfire had
me aliasing symbols not in the headers I was processing.

This unbreaks the namespace build so it will pass again

ok tb@


# 1.36 05-Jul-2023 beck

Hide symbols in asn1 and bio

ok jsing@


# 1.35 28-Apr-2023 tb

Unifdef LIBRESSL_HAS_POLICY_DAG and remove it from the Makefile

with beck


# 1.34 26-Apr-2023 beck

Make the new policy code in x509_policy.c to be selectable at compile time.

The old policy code remains the default, with the new policy code
selectable by defining LIBRESSL_HAS_POLICY_DAG.

ok tb@ jsing@


# 1.33 24-Apr-2023 job

Revert 1.32

jsing@ noted that ASN1_OP_D2I_POST might not be the best place to
introduce this check (as it could lead to pushing errors
(ASN1_R_AUX_ERROR) onto the stack). Additionally, without matching
validation on the encoding side brittleness is introduced.


# 1.32 23-Apr-2023 job

Add compliance checks for the X.509 version field

Check whether the X.509 version is in the range of valid version
values, and also check whether the version is consistent with fields
new to those versions (such as X.509 v3 extensions).

X.690 section 11.5 states: "The encoding of a set value or a sequence
value shall not include an encoding for any component value which is
equal to its default value." However, enforcing version 1 (value 0) to
be absent reportedly caused some issues as recently as July 2020, so
accept version 1 even if it is explicitly encoded.

OK tb@ beck@


Revision tags: OPENBSD_7_3_BASE
# 1.31 26-Nov-2022 tb

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook


Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
# 1.30 25-Dec-2021 jsing

Indent goto labels for diffability.

Whitespace change only.


# 1.29 01-Nov-2021 tb

Move the now internal X.509-related structs into x509_lcl.h.
Garbage collect the now unused LIBRESSL_CRYPTO_INTERNAL and
LIBRESSL_OPAQUE_X509. Include "x509_lcl.h" where needed and
fix a couple of unnecessary reacharounds.

ok jsing


# 1.28 23-Oct-2021 tb

Prepare to provide X509_re_X509*_tbs()

ok beck jsing


Revision tags: OPENBSD_7_0_BASE
# 1.27 02-Sep-2021 job

Lay groundwork to support X.509 v3 extensions for IP Addresses and AS Identifiers

These extensions are defined in RFC 3779 and used in the RPKI (RFC 6482, RFC 8360).
Imported from OpenSSL 1.1.1j (aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf)
This changeset is a no-op, as there are 10+ issues and at least 2 security issues.
Work will continue in-tree.

OK tb@, discussed with beck@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE
# 1.26 17-Feb-2018 jsing

Provide X509_get0_extensions() and X509_get0_signature()


# 1.25 14-Feb-2018 jsing

Provide X509_get_signature_nid().


Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
# 1.24 19-Mar-2015 tedu

Fix several crash causing defects from OpenSSL.
These include:
CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
CVE-2015-0287 - ASN.1 structure reuse memory corruption
CVE-2015-0289 - PKCS7 NULL pointer dereferences

Several other issues did not apply or were already fixed.
Refer to https://www.openssl.org/news/secadv_20150319.txt

joint work with beck, doug, guenther, jsing, miod


# 1.23 11-Feb-2015 jsing

branches: 1.23.4;
Remove initialisers with default values from the ASN1 data structures.

Minor changes in generated assembly due to the compiler swapping from
.quad 0/.long 0 to .zero, along with changes due to line numbering.


# 1.22 11-Feb-2015 jsing

Expand most of the ASN1_SEQUENCE* and associated macros, making the data
structures visible and easier to review, without having to wade through
layers and layers of asn1t.h macros.

Change has been scripted and the generated assembly only differs by changes
to line numbers.

Discussed with beck@ miod@ tedu@


# 1.21 10-Feb-2015 jsing

unifdef OPENSSL_NO_RFC3779 - this is currently disabled and unlikely to
be enabled, mostly since people use SANs instead.

ok beck@ guenther@


# 1.20 10-Feb-2015 jsing

Manually expand ASN1_ITEM_rptr macros that should have been expanded with
the IMPLEMENT_ASN1_DUP_FUNCTION macro.


# 1.19 10-Feb-2015 jsing

Expand the IMPLEMENT_ASN1_DUP_FUNCTION macro so that the code is visible
and functions can be readily located.

Change has been scripted and the generated assembly only differs by changes
to line numbers.

Discussed with beck@ miod@ tedu@


# 1.18 09-Feb-2015 jsing

Expand the IMPLEMENT_ASN1_FUNCTIONS macro so that the code is visible and
functions can be readily located.

Change has been scripted and the generated assembly only differs by changes
to line numbers.

Discussed with beck@ miod@ tedu@


# 1.17 11-Jul-2014 jsing

branches: 1.17.4;
Only import cryptlib.h in the four source files that actually need it.
Remove the openssl public includes from cryptlib.h and add a small number
of includes into the source files that actually need them. While here,
also sort/group/tidy the includes.

ok beck@ miod@


# 1.16 10-Jul-2014 jsing

Explicitly include <openssl/opensslconf.h> in every file that references
an OPENSSL_NO_* define. This avoids relying on something else pulling it
in for us, plus it fixes several cases where the #ifndef OPENSSL_NO_XYZ is
never going to do anything, since OPENSSL_NO_XYZ will never be defined, due
to the fact that opensslconf.h has not been included.

This also includes some miscellaneous sorting/tidying of headers.


# 1.15 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.14 30-May-2014 deraadt

more: no need for null check before free
ok tedu guenther


# 1.13 23-Apr-2014 beck

Make sure ret->name is NULL'ed before return when freeing.
from Dirk Engling <erdgeist@erdgeist.org>


# 1.12 18-Apr-2014 jsing

More KNF.


# 1.11 18-Apr-2014 tedu

lob a few more knf grenades in here to soften things up.


# 1.10 18-Apr-2014 tedu

putting most of the braces in the right column is the very least we can do.


# 1.9 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.8 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.7 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.6 06-Sep-2008 djm

resolve conflicts


# 1.5 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.34 26-Apr-2023 beck

Make the new policy code in x509_policy.c to be selectable at compile time.

The old policy codes remains the default, with the new policy code
selectable by defining LIBRESSL_HAS_POLICY_DAG.

ok tb@ jsing@


# 1.33 24-Apr-2023 job

Revert 1.32

jsing@ noted that ASN1_OP_D2I_POST might not be the best place to
introduce this check (as could lead to pushing errors
(ASN1_R_AUX_ERROR) onto the stack). Additionally, without matching
validation on the encoding side brittleness is introduced.


# 1.32 23-Apr-2023 job

Add compliance checks for the X.509 version field

Check whether the X.509 version is in the range of valid version
values, and also checks whether the version is consistent with fields
new to those versions (such as X.509 v3 extensions).

X.690 section 11.5 states: "The encoding of a set value or a sequence
value shall not include an encoding for any component value which is
equal to its default value." However, enforcing version 1 (value 0) to
be absent reportedly caused some issues as recent as July 2020, so
accept version 1 even if it is explicitly encoded.

OK tb@ beck@


Revision tags: OPENBSD_7_3_BASE
# 1.31 26-Nov-2022 tb

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook


Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
# 1.30 25-Dec-2021 jsing

Indent goto labels for diffability.

Whitespace change only.


# 1.29 01-Nov-2021 tb

Move the now internal X.509-related structs into x509_lcl.h.
Garbage collect the now unused LIBRESSL_CRYPTO_INTERNAL and
LIBRESSL_OPAQUE_X509. Include "x509_lcl.h" where needed and
fix a couple of unnecessary reacharounds.

ok jsing


# 1.28 23-Oct-2021 tb

Prepare to provide X509_re_X509*_tbs()

ok beck jsing


Revision tags: OPENBSD_7_0_BASE
# 1.27 02-Sep-2021 job

Lay groundwork to support X.509 v3 extensions for IP Addresses and AS Identifiers

These extensions are defined in RFC 3779 and used in the RPKI (RFC 6482, RFC 8360).
Imported from OpenSSL 1.1.1j (aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf)
This changeset is a no-op, as there are 10+ issues and at least 2 security issues.
Work will continue in-tree.

OK tb@, discussed with beck@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE
# 1.26 17-Feb-2018 jsing

Provide X509_get0_extensions() and X509_get0_signature()


# 1.25 14-Feb-2018 jsing

Provide X509_get_signature_nid().


Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
# 1.24 19-Mar-2015 tedu

Fix several crash-causing defects from OpenSSL.
These include:
CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
CVE-2015-0287 - ASN.1 structure reuse memory corruption
CVE-2015-0289 - PKCS7 NULL pointer dereferences

Several other issues did not apply or were already fixed.
Refer to https://www.openssl.org/news/secadv_20150319.txt

joint work with beck, doug, guenther, jsing, miod


# 1.23 11-Feb-2015 jsing

branches: 1.23.4;
Remove initialisers with default values from the ASN1 data structures.

Minor changes in generated assembly due to the compiler swapping from
.quad 0/.long 0 to .zero, along with changes due to line numbering.


# 1.22 11-Feb-2015 jsing

Expand most of the ASN1_SEQUENCE* and associated macros, making the data
structures visible and easier to review, without having to wade through
layers and layers of asn1t.h macros.

Change has been scripted and the generated assembly only differs by changes
to line numbers.

Discussed with beck@ miod@ tedu@


# 1.21 10-Feb-2015 jsing

unifdef OPENSSL_NO_RFC3779 - this is currently disabled and unlikely to
be enabled, mostly since people use SANs instead.

ok beck@ guenther@


# 1.20 10-Feb-2015 jsing

Manually expand ASN1_ITEM_rptr macros that should have been expanded with
the IMPLEMENT_ASN1_DUP_FUNCTION macro.


# 1.19 10-Feb-2015 jsing

Expand the IMPLEMENT_ASN1_DUP_FUNCTION macro so that the code is visible
and functions can be readily located.

Change has been scripted and the generated assembly only differs by changes
to line numbers.

Discussed with beck@ miod@ tedu@


# 1.18 09-Feb-2015 jsing

Expand the IMPLEMENT_ASN1_FUNCTIONS macro so that the code is visible and
functions can be readily located.

Change has been scripted and the generated assembly only differs by changes
to line numbers.

Discussed with beck@ miod@ tedu@


# 1.17 11-Jul-2014 jsing

branches: 1.17.4;
Only import cryptlib.h in the four source files that actually need it.
Remove the openssl public includes from cryptlib.h and add a small number
of includes into the source files that actually need them. While here,
also sort/group/tidy the includes.

ok beck@ miod@


# 1.16 10-Jul-2014 jsing

Explicitly include <openssl/opensslconf.h> in every file that references
an OPENSSL_NO_* define. This avoids relying on something else pulling it
in for us, plus it fixes several cases where the #ifndef OPENSSL_NO_XYZ is
never going to do anything, since OPENSSL_NO_XYZ will never be defined, due
to the fact that opensslconf.h has not been included.

This also includes some miscellaneous sorting/tidying of headers.


# 1.15 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.14 30-May-2014 deraadt

more: no need for null check before free
ok tedu guenther


# 1.13 23-Apr-2014 beck

Make sure ret->name is NULL'ed before return when freeing.
from Dirk Engling <erdgeist@erdgeist.org>


# 1.12 18-Apr-2014 jsing

More KNF.


# 1.11 18-Apr-2014 tedu

lob a few more knf grenades in here to soften things up.


# 1.10 18-Apr-2014 tedu

putting most of the braces in the right column is the very least we can do.


# 1.9 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.8 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.7 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.6 06-Sep-2008 djm

resolve conflicts


# 1.5 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.28 23-Oct-2021 tb

Prepare to provide X509_re_X509*_tbs()

ok beck jsing


Revision tags: OPENBSD_7_0_BASE
# 1.27 02-Sep-2021 job

Lay groundwork to support X.509 v3 extensions for IP Addresses and AS Identifiers

These extensions are defined in RFC 3779 and used in the RPKI (RFC 6482, RFC 8360).
Imported from OpenSSL 1.1.1j (aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf)
This changeset is a no-op, as there are 10+ issues and at least 2 security issues.
Work will continue in-tree.

OK tb@, discussed with beck@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE
# 1.26 17-Feb-2018 jsing

Provide X509_get0_extensions() and X509_get0_signature()


# 1.25 14-Feb-2018 jsing

Provide X509_get_signature_nid().


Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
# 1.24 19-Mar-2015 tedu

Fix several crash causing defects from OpenSSL.
These include:
CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
CVE-2015-0287 - ASN.1 structure reuse memory corruption
CVE-2015-0289 - PKCS7 NULL pointer dereferences

Several other issues did not apply or were already fixed.
Refer to https://www.openssl.org/news/secadv_20150319.txt

joint work with beck, doug, guenther, jsing, miod


# 1.23 11-Feb-2015 jsing

branches: 1.23.4;
Remove initialisers with default values from the ASN1 data structures.

Minor changes in generated assembly due to the compiler swapping from
.quad 0/.long 0 to .zero, along with changes due to line numbering.


# 1.22 11-Feb-2015 jsing

Expand most of the ASN1_SEQUENCE* and associated macros, making the data
structures visible and easier to review, without having to wade through
layers and layers of asn1t.h macros.

Change has been scripted and the generated assembly only differs by changes
to line numbers.

Discussed with beck@ miod@ tedu@


# 1.21 10-Feb-2015 jsing

unifdef OPENSSL_NO_RFC3779 - this is currently disabled and unlikely to
be enabled, mostly since people use SANs instead.

ok beck@ guenther@


# 1.20 10-Feb-2015 jsing

Manually expand ASN1_ITEM_rptr macros that should have been expanded with
the IMPLEMENT_ASN1_DUP_FUNCTION macro.


# 1.19 10-Feb-2015 jsing

Expand the IMPLEMENT_ASN1_DUP_FUNCTION macro so that the code is visible
and functions can be readily located.

Change has been scripted and the generated assembly only differs by changes
to line numbers.

Discussed with beck@ miod@ tedu@


# 1.18 09-Feb-2015 jsing

Expand the IMPLEMENT_ASN1_FUNCTIONS macro so that the code is visible and
functions can be readily located.

Change has been scripted and the generated assembly only differs by changes
to line numbers.

Discussed with beck@ miod@ tedu@


# 1.17 11-Jul-2014 jsing

branches: 1.17.4;
Only import cryptlib.h in the four source files that actually need it.
Remove the openssl public includes from cryptlib.h and add a small number
of includes into the source files that actually need them. While here,
also sort/group/tidy the includes.

ok beck@ miod@


# 1.16 10-Jul-2014 jsing

Explicitly include <openssl/opensslconf.h> in every file that references
an OPENSSL_NO_* define. This avoids relying on something else pulling it
in for us, plus it fixes several cases where the #ifndef OPENSSL_NO_XYZ is
never going to do anything, since OPENSSL_NO_XYZ will never defined, due
to the fact that opensslconf.h has not been included.

This also includes some miscellaneous sorting/tidying of headers.


# 1.15 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.14 30-May-2014 deraadt

more: no need for null check before free
ok tedu guenther


# 1.13 23-Apr-2014 beck

Make sure ret->name is NULL'ed before return when freeing.
from Dirk Engling <erdgeist@erdgeist.org>


# 1.12 18-Apr-2014 jsing

More KNF.


# 1.11 18-Apr-2014 tedu

lob a few more knf grenades in here to soften things up.


# 1.10 18-Apr-2014 tedu

putting most of the braces in the right column is the very least we can do.


# 1.9 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.8 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.7 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.6 06-Sep-2008 djm

resolve conflicts


# 1.5 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.27 02-Sep-2021 job

Lay groundwork to support X.509 v3 extensions for IP Addresses and AS Identifiers

These extensions are defined in RFC 3779 and used in the RPKI (RFC 6482, RFC 8360).
Imported from OpenSSL 1.1.1j (aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf)
This changeset is a no-op, as there are 10+ issues and at least 2 security issues.
Work will continue in-tree.

OK tb@, discussed with beck@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE
# 1.26 17-Feb-2018 jsing

Provide X509_get0_extensions() and X509_get0_signature()


# 1.25 14-Feb-2018 jsing

Provide X509_get_signature_nid().


Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
# 1.24 19-Mar-2015 tedu

Fix several crash-causing defects from OpenSSL.
These include:
CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
CVE-2015-0287 - ASN.1 structure reuse memory corruption
CVE-2015-0289 - PKCS7 NULL pointer dereferences

Several other issues did not apply or were already fixed.
Refer to https://www.openssl.org/news/secadv_20150319.txt

joint work with beck, doug, guenther, jsing, miod


# 1.23 11-Feb-2015 jsing

branches: 1.23.4;
Remove initialisers with default values from the ASN1 data structures.

Minor changes in generated assembly due to the compiler swapping from
.quad 0/.long 0 to .zero, along with changes due to line numbering.

