Hide symbols in cast, idea, and ocsp

ok tb@

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook

X509_GET_PUBKEY(3) return value check in libcrypto

ok beck@ tb@

suggest using X509_get0_pubkey() and remove EVP_PKEY_free() from tb@

Add an essentially empty ocsp_local.h and include it in the files
that will need it in the upcoming bump.

discussed with jsing

Fix OCSP_basic_verify() cert chain construction in case the
OCSP_BASICRESP bs contains no certificates.

From David von Oheimb (OpenSSL 121738d1)

ok beck

Simplify slightly by using X509_get0_pubkey() thus eliminating the
need for EVP_PKEY_free().

ok beck

Move the now internal X.509-related structs into x509_lcl.h.
Garbage collect the now unused LIBRESSL_CRYPTO_INTERNAL and
LIBRESSL_OPAQUE_X509. Include "x509_lcl.h" where needed and
fix a couple of unnecessary reacharounds.

ok jsing

Prepare to provide a bunch of OCSP_resp_* getters.

ok beck jsing

Send the function codes from the error functions to the bit bucket,
as was done earlier in libssl. Thanks inoguchi@ for noticing
libssl had more reacharounds into this.
ok jsing@ inoguchi@

X509_STORE_CTX_set_*() may fail, so check for errors.

ok beck@

Add several fixes from OpenSSL to make OCSP work with intermediate
certificates provided in the response. - makes our newly added
ocsp regress test pass too..
ok bcook@

ocsp_check_ids says "If algoritm mismatch let caller deal with it" before
returning 2. The one and only caller doesn't check for that, so...
Stop returning it.
ok miod

tags as requested by miod and tedu

More KNF.

KNF

Replace all use of ERR_add_error_data with ERR_asprintf_error_data.
This avoids a lot of ugly gymnastics to do snprintfs before sending the
bag of strings to ERR, and eliminates at least one place in dso_dlfctn.c
where it was being called with the incorrect number of arguments and
using random things off the stack as addresses of strings.
ok krw@, jsing@

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.

cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@

resolve conflicts, fix local changes

resolve conflicts

resolve conflicts

merge 0.9.7d

branches: 1.1.1;
OpenSSL 0.9.7 stable 2002 05 08 merge

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook

X509_GET_PUBKEY(3) return value check in libcrypto

ok beck@ tb@

suggest using X509_get0_pubkey() and remove EVP_PKEY_free() from tb@

Add an essentially empty ocsp_local.h and include it in the files
that will need it in the upcoming bump.

discussed with jsing

Fix OCSP_basic_verify() cert chain construction in case the
OCSP_BASICRESP bs contains no certificates.

From David von Oheimb (OpenSSL 121738d1)

ok beck

Simplify slightly by using X509_get0_pubkey() thus eliminating the
need for EVP_PKEY_free().

ok beck

Move the now internal X.509-related structs into x509_lcl.h.
Garbage collect the now unused LIBRESSL_CRYPTO_INTERNAL and
LIBRESSL_OPAQUE_X509. Include "x509_lcl.h" where needed and
fix a couple of unnecessary reacharounds.

ok jsing

Prepare to provide a bunch of OCSP_resp_* getters.

ok beck jsing

Send the function codes from the error functions to the bit bucket,
as was done earlier in libssl. Thanks inoguchi@ for noticing
libssl had more reacharounds into this.
ok jsing@ inoguchi@

X509_STORE_CTX_set_*() may fail, so check for errors.

ok beck@

Add several fixes from OpenSSL to make OCSP work with intermediate
certificates provided in the response. - makes our newly added
ocsp regress test pass too..
ok bcook@

ocsp_check_ids says "If algoritm mismatch let caller deal with it" before
returning 2. The one and only caller doesn't check for that, so...
Stop returning it.
ok miod

tags as requested by miod and tedu

More KNF.

KNF

Replace all use of ERR_add_error_data with ERR_asprintf_error_data.
This avoids a lot of ugly gymnastics to do snprintfs before sending the
bag of strings to ERR, and eliminates at least one place in dso_dlfctn.c
where it was being called with the incorrect number of arguments and
using random things off the stack as addresses of strings.
ok krw@, jsing@

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.

cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@

resolve conflicts, fix local changes

resolve conflicts

resolve conflicts

merge 0.9.7d

branches: 1.1.1;
OpenSSL 0.9.7 stable 2002 05 08 merge

X509_GET_PUBKEY(3) return value check in libcrypto

ok beck@ tb@

suggest using X509_get0_pubkey() and remove EVP_PKEY_free() from tb@

Add an essentially empty ocsp_local.h and include it in the files
that will need it in the upcoming bump.

discussed with jsing

Fix OCSP_basic_verify() cert chain construction in case the
OCSP_BASICRESP bs contains no certificates.

From David von Oheimb (OpenSSL 121738d1)

ok beck

Simplify slightly by using X509_get0_pubkey() thus eliminating the
need for EVP_PKEY_free().

ok beck

Move the now internal X.509-related structs into x509_lcl.h.
Garbage collect the now unused LIBRESSL_CRYPTO_INTERNAL and
LIBRESSL_OPAQUE_X509. Include "x509_lcl.h" where needed and
fix a couple of unnecessary reacharounds.

ok jsing

Prepare to provide a bunch of OCSP_resp_* getters.

ok beck jsing

Send the function codes from the error functions to the bit bucket,
as was done earlier in libssl. Thanks inoguchi@ for noticing
libssl had more reacharounds into this.
ok jsing@ inoguchi@

X509_STORE_CTX_set_*() may fail, so check for errors.

ok beck@

Add several fixes from OpenSSL to make OCSP work with intermediate
certificates provided in the response. - makes our newly added
ocsp regress test pass too..
ok bcook@

ocsp_check_ids says "If algoritm mismatch let caller deal with it" before
returning 2. The one and only caller doesn't check for that, so...
Stop returning it.
ok miod

tags as requested by miod and tedu

More KNF.

KNF

Replace all use of ERR_add_error_data with ERR_asprintf_error_data.
This avoids a lot of ugly gymnastics to do snprintfs before sending the
bag of strings to ERR, and eliminates at least one place in dso_dlfctn.c
where it was being called with the incorrect number of arguments and
using random things off the stack as addresses of strings.
ok krw@, jsing@

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.

cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@

resolve conflicts, fix local changes

resolve conflicts

resolve conflicts

merge 0.9.7d

branches: 1.1.1;
OpenSSL 0.9.7 stable 2002 05 08 merge

Add an essentially empty ocsp_local.h and include it in the files
that will need it in the upcoming bump.

discussed with jsing

Fix OCSP_basic_verify() cert chain construction in case the
OCSP_BASICRESP bs contains no certificates.

From David von Oheimb (OpenSSL 121738d1)

ok beck

Simplify slightly by using X509_get0_pubkey() thus eliminating the
need for EVP_PKEY_free().

ok beck

Move the now internal X.509-related structs into x509_lcl.h.
Garbage collect the now unused LIBRESSL_CRYPTO_INTERNAL and
LIBRESSL_OPAQUE_X509. Include "x509_lcl.h" where needed and
fix a couple of unnecessary reacharounds.

ok jsing

Prepare to provide a bunch of OCSP_resp_* getters.

ok beck jsing

Send the function codes from the error functions to the bit bucket,
as was done earlier in libssl. Thanks inoguchi@ for noticing
libssl had more reacharounds into this.
ok jsing@ inoguchi@

X509_STORE_CTX_set_*() may fail, so check for errors.

ok beck@

Add several fixes from OpenSSL to make OCSP work with intermediate
certificates provided in the response. - makes our newly added
ocsp regress test pass too..
ok bcook@

ocsp_check_ids says "If algoritm mismatch let caller deal with it" before
returning 2. The one and only caller doesn't check for that, so...
Stop returning it.
ok miod

tags as requested by miod and tedu

More KNF.

KNF

Replace all use of ERR_add_error_data with ERR_asprintf_error_data.
This avoids a lot of ugly gymnastics to do snprintfs before sending the
bag of strings to ERR, and eliminates at least one place in dso_dlfctn.c
where it was being called with the incorrect number of arguments and
using random things off the stack as addresses of strings.
ok krw@, jsing@

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.

cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@

resolve conflicts, fix local changes

resolve conflicts

resolve conflicts

merge 0.9.7d

branches: 1.1.1;
OpenSSL 0.9.7 stable 2002 05 08 merge

Fix OCSP_basic_verify() cert chain construction in case the
OCSP_BASICRESP bs contains no certificates.

From David von Oheimb (OpenSSL 121738d1)

ok beck

Simplify slightly by using X509_get0_pubkey() thus eliminating the
need for EVP_PKEY_free().

ok beck

Move the now internal X.509-related structs into x509_lcl.h.
Garbage collect the now unused LIBRESSL_CRYPTO_INTERNAL and
LIBRESSL_OPAQUE_X509. Include "x509_lcl.h" where needed and
fix a couple of unnecessary reacharounds.

ok jsing

Prepare to provide a bunch of OCSP_resp_* getters.

ok beck jsing

Send the function codes from the error functions to the bit bucket,
as was done earlier in libssl. Thanks inoguchi@ for noticing
libssl had more reacharounds into this.
ok jsing@ inoguchi@

X509_STORE_CTX_set_*() may fail, so check for errors.

ok beck@

Add several fixes from OpenSSL to make OCSP work with intermediate
certificates provided in the response. - makes our newly added
ocsp regress test pass too..
ok bcook@

ocsp_check_ids says "If algoritm mismatch let caller deal with it" before
returning 2. The one and only caller doesn't check for that, so...
Stop returning it.
ok miod

tags as requested by miod and tedu

More KNF.

KNF

Replace all use of ERR_add_error_data with ERR_asprintf_error_data.
This avoids a lot of ugly gymnastics to do snprintfs before sending the
bag of strings to ERR, and eliminates at least one place in dso_dlfctn.c
where it was being called with the incorrect number of arguments and
using random things off the stack as addresses of strings.
ok krw@, jsing@

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.

cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@

resolve conflicts, fix local changes

resolve conflicts

resolve conflicts

merge 0.9.7d

branches: 1.1.1;
OpenSSL 0.9.7 stable 2002 05 08 merge

Move the now internal X.509-related structs into x509_lcl.h.
Garbage collect the now unused LIBRESSL_CRYPTO_INTERNAL and
LIBRESSL_OPAQUE_X509. Include "x509_lcl.h" where needed and
fix a couple of unnecessary reacharounds.

ok jsing

Prepare to provide a bunch of OCSP_resp_* getters.

ok beck jsing

Send the function codes from the error functions to the bit bucket,
as was done earlier in libssl. Thanks inoguchi@ for noticing
libssl had more reacharounds into this.
ok jsing@ inoguchi@

X509_STORE_CTX_set_*() may fail, so check for errors.

ok beck@

Add several fixes from OpenSSL to make OCSP work with intermediate
certificates provided in the response. - makes our newly added
ocsp regress test pass too..
ok bcook@

ocsp_check_ids says "If algoritm mismatch let caller deal with it" before
returning 2. The one and only caller doesn't check for that, so...
Stop returning it.
ok miod

tags as requested by miod and tedu

More KNF.

KNF

Replace all use of ERR_add_error_data with ERR_asprintf_error_data.
This avoids a lot of ugly gymnastics to do snprintfs before sending the
bag of strings to ERR, and eliminates at least one place in dso_dlfctn.c
where it was being called with the incorrect number of arguments and
using random things off the stack as addresses of strings.
ok krw@, jsing@

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.

cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@

resolve conflicts, fix local changes

resolve conflicts

resolve conflicts

merge 0.9.7d

branches: 1.1.1;
OpenSSL 0.9.7 stable 2002 05 08 merge

Prepare to provide a bunch of OCSP_resp_* getters.

ok beck jsing

Send the function codes from the error functions to the bit bucket,
as was done earlier in libssl. Thanks inoguchi@ for noticing
libssl had more reacharounds into this.
ok jsing@ inoguchi@

X509_STORE_CTX_set_*() may fail, so check for errors.

ok beck@

Add several fixes from OpenSSL to make OCSP work with intermediate
certificates provided in the response. - makes our newly added
ocsp regress test pass too..
ok bcook@

ocsp_check_ids says "If algoritm mismatch let caller deal with it" before
returning 2. The one and only caller doesn't check for that, so...
Stop returning it.
ok miod

tags as requested by miod and tedu

More KNF.

KNF

Replace all use of ERR_add_error_data with ERR_asprintf_error_data.
This avoids a lot of ugly gymnastics to do snprintfs before sending the
bag of strings to ERR, and eliminates at least one place in dso_dlfctn.c
where it was being called with the incorrect number of arguments and
using random things off the stack as addresses of strings.
ok krw@, jsing@

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.

cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@

resolve conflicts, fix local changes

resolve conflicts

resolve conflicts

merge 0.9.7d

branches: 1.1.1;
OpenSSL 0.9.7 stable 2002 05 08 merge

Send the function codes from the error functions to the bit bucket,
as was done earlier in libssl. Thanks inoguchi@ for noticing
libssl had more reacharounds into this.
ok jsing@ inoguchi@

X509_STORE_CTX_set_*() may fail, so check for errors.

ok beck@

Add several fixes from OpenSSL to make OCSP work with intermediate
certificates provided in the response. - makes our newly added
ocsp regress test pass too..
ok bcook@

ocsp_check_ids says "If algoritm mismatch let caller deal with it" before
returning 2. The one and only caller doesn't check for that, so...
Stop returning it.
ok miod

tags as requested by miod and tedu

More KNF.

KNF

Replace all use of ERR_add_error_data with ERR_asprintf_error_data.
This avoids a lot of ugly gymnastics to do snprintfs before sending the
bag of strings to ERR, and eliminates at least one place in dso_dlfctn.c
where it was being called with the incorrect number of arguments and
using random things off the stack as addresses of strings.
ok krw@, jsing@

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.

cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@

resolve conflicts, fix local changes

resolve conflicts

resolve conflicts

merge 0.9.7d

branches: 1.1.1;
OpenSSL 0.9.7 stable 2002 05 08 merge