History log of /openbsd-current/lib/libssl/s3_cbc.c
Revision Date Author Comments
# 1.26 26-Nov-2022 tb

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook


Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
# 1.25 09-Dec-2021 tb

Convert s3_cbc.c to opaque EVP_MD_CTX.

ok inoguchi jsing


Revision tags: OPENBSD_7_0_BASE
# 1.24 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


Revision tags: OPENBSD_6_9_BASE
# 1.23 03-Oct-2020 jsing

Reimplement the TLSv1.2 record handling for the read side.

This is the next step in replacing the TLSv1.2 record layer.

The existing record handling code does decryption and processing in
place, which is not ideal for various reasons, however it is retained
for now as other code depends on this behaviour. Additionally, CBC
requires special handling to avoid timing oracles - for now the
existing timing safe code is largely retained.

ok beck@ inoguchi@ tb@


Revision tags: OPENBSD_6_8_BASE
# 1.22 19-Jun-2020 tb

We inherited the constant time CBC padding removal from BoringSSL, but
missed a subsequent fix for an off-by-one in that code. If the first
byte of a CBC padding of length 255 is mangled, we don't detect that.

Adam Langley's BoringSSL commit 80842bdb44855dd7f1dde64a3fa9f4e782310fc7

Fixes the failing tlsfuzzer lucky 13 test case.

ok beck inoguchi
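
The off-by-one this commit describes, as an added example that is not code from libssl or BoringSSL: a constant-time CBC padding check in the shape of ssl3_cbc_remove_padding(), with the number of trailing bytes inspected as a parameter so the 255 (off-by-one) and 256 (fixed) variants can be run against the same constructed record. The record layout, the 20-byte dummy MAC and the demo_check() helper are assumptions of this example, not the library's own.

```c
/*
 * Added example, not libssl or BoringSSL code. A decrypted TLS CBC record is
 * laid out as plaintext || MAC || padding || padding_length, where every
 * padding byte must equal the length byte. The check below always inspects
 * the same number of trailing bytes (bounded only by the public record
 * length) so that the padding value does not change the memory accessed.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* All-ones if the top bit of a is set, else zero. */
static unsigned int
constant_time_msb(unsigned int a)
{
	return 0 - (a >> (sizeof(a) * 8 - 1));
}

/* All-ones if a >= b, else zero, with no data-dependent branch. */
static unsigned int
constant_time_ge(unsigned int a, unsigned int b)
{
	return constant_time_msb(~(a - b));
}

static uint8_t
constant_time_ge_8(unsigned int a, unsigned int b)
{
	return (uint8_t)constant_time_ge(a, b);
}

/*
 * Returns 1 if the padding of rec[0..len) is valid, 0 otherwise.
 * to_check_max is the maximum number of trailing bytes inspected:
 * 255 reproduces the off-by-one (the first byte of a 255-byte padding is
 * never compared), 256 covers the length byte plus 255 padding bytes.
 */
int
cbc_padding_ok(const uint8_t *rec, unsigned int len, unsigned int mac_size,
    unsigned int to_check_max)
{
	unsigned int padding_length, to_check, i;
	uint8_t good;

	if (len == 0)
		return 0;
	padding_length = rec[len - 1];

	/* The padding, its length byte and the MAC must fit in the record. */
	good = constant_time_ge_8(len, padding_length + 1 + mac_size);

	to_check = to_check_max;
	if (to_check > len)
		to_check = len;

	for (i = 0; i < to_check; i++) {
		/* mask is 0xff for bytes inside the padding (i <= padding_length). */
		uint8_t mask = constant_time_ge_8(padding_length, i);
		uint8_t b = rec[len - 1 - i];

		/* Masked bytes must equal padding_length, so the XOR must be 0. */
		good &= ~(mask & (padding_length ^ b));
	}

	/* good is exactly 0xff only if every comparison passed. */
	return constant_time_ge_8(good, 0xff) & 1;
}

#define DEMO_MAC_SIZE 20	/* assumed MAC length for the constructed record */

/* Constructed record: "hello", a dummy MAC of 0xaa bytes, pad_len padding
 * bytes of value pad_len and the length byte. Returns the record length. */
static unsigned int
build_record(uint8_t *out, unsigned int pad_len)
{
	unsigned int n = 0;

	memcpy(out, "hello", 5);
	n += 5;
	memset(out + n, 0xaa, DEMO_MAC_SIZE);
	n += DEMO_MAC_SIZE;
	memset(out + n, pad_len, pad_len + 1);
	n += pad_len + 1;
	return n;
}

/*
 * Check a constructed record with pad_len padding bytes. If mangle_from_end
 * is >= 0, the byte that many positions before the end (0 = the length byte,
 * pad_len = the first padding byte) is flipped before the check.
 */
int
demo_check(unsigned int pad_len, int mangle_from_end, unsigned int to_check_max)
{
	uint8_t rec[5 + DEMO_MAC_SIZE + 256];
	unsigned int len = build_record(rec, pad_len);

	if (mangle_from_end >= 0)
		rec[len - 1 - mangle_from_end] ^= 0x01;
	return cbc_padding_ok(rec, len, DEMO_MAC_SIZE, to_check_max);
}

int
main(void)
{
	printf("255-byte padding, first pad byte mangled: to_check=255 -> %d, "
	    "to_check=256 -> %d\n", demo_check(255, 255, 255),
	    demo_check(255, 255, 256));
	return 0;
}
```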


Revision tags: OPENBSD_6_7_BASE
# 1.21 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.20 12-Mar-2020 jsing

Stop overloading the record type for padding length.

Currently the CBC related code stuffs the padding length in the upper bits
of the type field... stop doing that and add a padding_length field to the
record struct instead.

ok inoguchi@ tb@


# 1.19 12-Mar-2020 jsing

Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.

SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in
public headers, even though their usage is internal. This moves to
using _INTERNAL suffixed versions that are in internal headers, which
then allows us to change them without any potential public API fallout.

ok inoguchi@ tb@


# 1.18 21-Feb-2020 jsing

Move l2n/l2n8 into s3_cbc.c, since this is the only code that uses it.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.17 08-Sep-2018 jsing

Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.16 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.15 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.14 08-Nov-2016 miod

When using a union including a type known for having strong alignment
constraints, in order to force the union to have the same constraint,
use the actual type instead of `double'. And add a comment explaining why we
want such an alignment in there.

ok beck@


# 1.13 06-Nov-2016 jsing

Remove unused SSLv3 from ssl3_cbc_record_digest_supported().

From Markus Uhlin <markus.uhlin at bredband dot net>

ok beck@ bcook@


# 1.12 20-Mar-2016 krw

" the the " -> " the ", or in a couple of cases replace the superfluous
"the" with the obviously intended word.

Started with a "the the" spotted by Mihal Mazurek.


# 1.11 11-Sep-2015 jsing

Nuke ssl3_cbc_remove_padding().

ok "flensing knife"


# 1.10 17-Jul-2015 doug

Remove workaround for TLS padding bug from SSLeay days.

OpenSSL doesn't remember which clients were impacted and the
functionality has been broken in their stable releases for 2 years.

Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.

ok jsing@


# 1.9 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.8 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.7 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.6 08-Jun-2014 jsing

Add a define for the SSLv3 sequence size and use it, rather than sprinkling
magic numbers around.

ok deraadt@


# 1.5 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.4 17-Apr-2014 tedu

quick pass at removing ability to disable sha256 and sha512. ok miod


# 1.3 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.2 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.1 14-Feb-2013 markus

branches: 1.1.1;
cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@


# 1.25 09-Dec-2021 tb

Convert s3_cbc.c to opaque EVP_MD_CTX.

ok inoguchi jsing


Revision tags: OPENBSD_7_0_BASE
# 1.24 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


Revision tags: OPENBSD_6_9_BASE
# 1.23 03-Oct-2020 jsing

Reimplement the TLSv1.2 record handling for the read side.

This is the next step in replacing the TLSv1.2 record layer.

The existing record handling code does decryption and processing in
place, which is not ideal for various reasons, however it is retained
for now as other code depends on this behaviour. Additionally, CBC
requires special handling to avoid timing oracles - for now the
existing timing safe code is largely retained.

ok beck@ inoguchi@ tb@


Revision tags: OPENBSD_6_8_BASE
# 1.22 19-Jun-2020 tb

We inherited the constant time CBC padding removal from BoringSSL, but
missed a subsequent fix for an off-by-one in that code. If the first
byte of a CBC padding of length 255 is mangled, we don't detect that.

Adam Langley's BoringSSL commit 80842bdb44855dd7f1dde64a3fa9f4e782310fc7

Fixes the failing tlsfuzzer lucky 13 test case.

ok beck inoguchi


Revision tags: OPENBSD_6_7_BASE
# 1.21 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.20 12-Mar-2020 jsing

Stop overloading the record type for padding length.

Currently the CBC related code stuffs the padding length in the upper bits
of the type field... stop doing that and add a padding_length field to the
record struct instead.

ok inoguchi@ tb@


# 1.19 12-Mar-2020 jsing

Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.

SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in
public headers, even though their usage is internal. This moves to
using _INTERNAL suffixed versions that are in internal headers, which
then allows us to change them without any potential public API fallout.

ok inoguchi@ tb@


# 1.18 21-Feb-2020 jsing

Move l2n/l2n8 into s3_cbc.c, since this is the only code that uses it.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.17 08-Sep-2018 jsing

Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.16 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.15 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.14 08-Nov-2016 miod

When using an union including a type known for having strong alignment
constraints, in order to force the union to have the same constraint,
use the actual type instead of `double'. And add a comment explaining why we
want such an alignment in there.

ok beck@


# 1.13 06-Nov-2016 jsing

Remove unused SSLv3 from ssl3_cbc_record_digest_supported().

From Markus Uhlin <markus.uhlin at bredband dot net>

ok beck@ bcooK@


# 1.12 20-Mar-2016 krw

" the the " -> " the ", or in a couple of cases replace the superfluous
"the" with the obviously intended word.

Started with a "the the" spotted by Mihal Mazurek.


# 1.11 11-Sep-2015 jsing

Nuke ssl3_cbc_remove_padding().

ok "flensing knife"


# 1.10 17-Jul-2015 doug

Remove workaround for TLS padding bug from SSLeay days.

OpenSSL doesn't remember which clients were impacted and the
functionality has been broken in their stable releases for 2 years.

Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.

ok jsing@


# 1.9 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.8 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.7 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.6 08-Jun-2014 jsing

Add a define for the SSLv3 sequence size and use it, rather than sprinkling
magic numbers around.

ok deraadt@


# 1.5 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.4 17-Apr-2014 tedu

quick pass at removing ability to disable sha256 and sha512. ok miod


# 1.3 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.2 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.1 14-Feb-2013 markus

branches: 1.1.1;
cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@


# 1.24 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


Revision tags: OPENBSD_6_9_BASE
# 1.23 03-Oct-2020 jsing

Reimplement the TLSv1.2 record handling for the read side.

This is the next step in replacing the TLSv1.2 record layer.

The existing record handling code does decryption and processing in
place, which is not ideal for various reasons, however it is retained
for now as other code depends on this behaviour. Additionally, CBC
requires special handling to avoid timing oracles - for now the
existing timing safe code is largely retained.

ok beck@ inoguchi@ tb@


Revision tags: OPENBSD_6_8_BASE
# 1.22 19-Jun-2020 tb

We inherited the constant time CBC padding removal from BoringSSL, but
missed a subsequent fix for an off-by-one in that code. If the first
byte of a CBC padding of length 255 is mangled, we don't detect that.

Adam Langley's BoringSSL commit 80842bdb44855dd7f1dde64a3fa9f4e782310fc7

Fixes the failing tlsfuzzer lucky 13 test case.

ok beck inoguchi


Revision tags: OPENBSD_6_7_BASE
# 1.21 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.20 12-Mar-2020 jsing

Stop overloading the record type for padding length.

Currently the CBC related code stuffs the padding length in the upper bits
of the type field... stop doing that and add a padding_length field to the
record struct instead.

ok inoguchi@ tb@


# 1.19 12-Mar-2020 jsing

Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.

SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in
public headers, even though their usage is internal. This moves to
using _INTERNAL suffixed versions that are in internal headers, which
then allows us to change them without any potential public API fallout.

ok inoguchi@ tb@


# 1.18 21-Feb-2020 jsing

Move l2n/l2n8 into s3_cbc.c, since this is the only code that uses it.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.17 08-Sep-2018 jsing

Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.16 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.15 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.14 08-Nov-2016 miod

When using an union including a type known for having strong alignment
constraints, in order to force the union to have the same constraint,
use the actual type instead of `double'. And add a comment explaining why we
want such an alignment in there.

ok beck@


# 1.13 06-Nov-2016 jsing

Remove unused SSLv3 from ssl3_cbc_record_digest_supported().

From Markus Uhlin <markus.uhlin at bredband dot net>

ok beck@ bcooK@


# 1.12 20-Mar-2016 krw

" the the " -> " the ", or in a couple of cases replace the superfluous
"the" with the obviously intended word.

Started with a "the the" spotted by Mihal Mazurek.


# 1.11 11-Sep-2015 jsing

Nuke ssl3_cbc_remove_padding().

ok "flensing knife"


# 1.10 17-Jul-2015 doug

Remove workaround for TLS padding bug from SSLeay days.

OpenSSL doesn't remember which clients were impacted and the
functionality has been broken in their stable releases for 2 years.

Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.

ok jsing@


# 1.9 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.8 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.7 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.6 08-Jun-2014 jsing

Add a define for the SSLv3 sequence size and use it, rather than sprinkling
magic numbers around.

ok deraadt@


# 1.5 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.4 17-Apr-2014 tedu

quick pass at removing ability to disable sha256 and sha512. ok miod


# 1.3 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.2 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.1 14-Feb-2013 markus

branches: 1.1.1;
cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@


# 1.23 03-Oct-2020 jsing

Reimplement the TLSv1.2 record handling for the read side.

This is the next step in replacing the TLSv1.2 record layer.

The existing record handling code does decryption and processing in
place, which is not ideal for various reasons, however it is retained
for now as other code depends on this behaviour. Additionally, CBC
requires special handling to avoid timing oracles - for now the
existing timing safe code is largely retained.

ok beck@ inoguchi@ tb@


Revision tags: OPENBSD_6_8_BASE
# 1.22 19-Jun-2020 tb

We inherited the constant time CBC padding removal from BoringSSL, but
missed a subsequent fix for an off-by-one in that code. If the first
byte of a CBC padding of length 255 is mangled, we don't detect that.

Adam Langley's BoringSSL commit 80842bdb44855dd7f1dde64a3fa9f4e782310fc7

Fixes the failing tlsfuzzer lucky 13 test case.

ok beck inoguchi


Revision tags: OPENBSD_6_7_BASE
# 1.21 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.20 12-Mar-2020 jsing

Stop overloading the record type for padding length.

Currently the CBC related code stuffs the padding length in the upper bits
of the type field... stop doing that and add a padding_length field to the
record struct instead.

ok inoguchi@ tb@


# 1.19 12-Mar-2020 jsing

Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.

SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in
public headers, even though their usage is internal. This moves to
using _INTERNAL suffixed versions that are in internal headers, which
then allows us to change them without any potential public API fallout.

ok inoguchi@ tb@


# 1.18 21-Feb-2020 jsing

Move l2n/l2n8 into s3_cbc.c, since this is the only code that uses it.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.17 08-Sep-2018 jsing

Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.16 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.15 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.14 08-Nov-2016 miod

When using an union including a type known for having strong alignment
constraints, in order to force the union to have the same constraint,
use the actual type instead of `double'. And add a comment explaining why we
want such an alignment in there.

ok beck@


# 1.13 06-Nov-2016 jsing

Remove unused SSLv3 from ssl3_cbc_record_digest_supported().

From Markus Uhlin <markus.uhlin at bredband dot net>

ok beck@ bcooK@


# 1.12 20-Mar-2016 krw

" the the " -> " the ", or in a couple of cases replace the superfluous
"the" with the obviously intended word.

Started with a "the the" spotted by Mihal Mazurek.


# 1.11 11-Sep-2015 jsing

Nuke ssl3_cbc_remove_padding().

ok "flensing knife"


# 1.10 17-Jul-2015 doug

Remove workaround for TLS padding bug from SSLeay days.

OpenSSL doesn't remember which clients were impacted and the
functionality has been broken in their stable releases for 2 years.

Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.

ok jsing@


# 1.9 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.8 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.7 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.6 08-Jun-2014 jsing

Add a define for the SSLv3 sequence size and use it, rather than sprinkling
magic numbers around.

ok deraadt@


# 1.5 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.4 17-Apr-2014 tedu

quick pass at removing ability to disable sha256 and sha512. ok miod


# 1.3 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.2 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.1 14-Feb-2013 markus

branches: 1.1.1;
cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@


# 1.22 19-Jun-2020 tb

We inherited the constant time CBC padding removal from BoringSSL, but
missed a subsequent fix for an off-by-one in that code. If the first
byte of a CBC padding of length 255 is mangled, we don't detect that.

Adam Langley's BoringSSL commit 80842bdb44855dd7f1dde64a3fa9f4e782310fc7

Fixes the failing tlsfuzzer lucky 13 test case.

ok beck inoguchi


Revision tags: OPENBSD_6_7_BASE
# 1.21 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.20 12-Mar-2020 jsing

Stop overloading the record type for padding length.

Currently the CBC related code stuffs the padding length in the upper bits
of the type field... stop doing that and add a padding_length field to the
record struct instead.

ok inoguchi@ tb@


# 1.19 12-Mar-2020 jsing

Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.

SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in
public headers, even though their usage is internal. This moves to
using _INTERNAL suffixed versions that are in internal headers, which
then allows us to change them without any potential public API fallout.

ok inoguchi@ tb@


# 1.18 21-Feb-2020 jsing

Move l2n/l2n8 into s3_cbc.c, since this is the only code that uses it.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.17 08-Sep-2018 jsing

Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.16 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.15 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.14 08-Nov-2016 miod

When using an union including a type known for having strong alignment
constraints, in order to force the union to have the same constraint,
use the actual type instead of `double'. And add a comment explaining why we
want such an alignment in there.

ok beck@


# 1.13 06-Nov-2016 jsing

Remove unused SSLv3 from ssl3_cbc_record_digest_supported().

From Markus Uhlin <markus.uhlin at bredband dot net>

ok beck@ bcooK@


# 1.12 20-Mar-2016 krw

" the the " -> " the ", or in a couple of cases replace the superfluous
"the" with the obviously intended word.

Started with a "the the" spotted by Mihal Mazurek.


# 1.11 11-Sep-2015 jsing

Nuke ssl3_cbc_remove_padding().

ok "flensing knife"


# 1.10 17-Jul-2015 doug

Remove workaround for TLS padding bug from SSLeay days.

OpenSSL doesn't remember which clients were impacted and the
functionality has been broken in their stable releases for 2 years.

Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.

ok jsing@


# 1.9 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.8 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.7 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.6 08-Jun-2014 jsing

Add a define for the SSLv3 sequence size and use it, rather than sprinkling
magic numbers around.

ok deraadt@


# 1.5 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.4 17-Apr-2014 tedu

quick pass at removing ability to disable sha256 and sha512. ok miod


# 1.3 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.2 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.1 14-Feb-2013 markus

branches: 1.1.1;
cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@


# 1.21 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.20 12-Mar-2020 jsing

Stop overloading the record type for padding length.

Currently the CBC related code stuffs the padding length in the upper bits
of the type field... stop doing that and add a padding_length field to the
record struct instead.

ok inoguchi@ tb@


# 1.19 12-Mar-2020 jsing

Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.

SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in
public headers, even though their usage is internal. This moves to
using _INTERNAL suffixed versions that are in internal headers, which
then allows us to change them without any potential public API fallout.

ok inoguchi@ tb@


# 1.18 21-Feb-2020 jsing

Move l2n/l2n8 into s3_cbc.c, since this is the only code that uses it.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.17 08-Sep-2018 jsing

Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.16 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.15 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.14 08-Nov-2016 miod

When using an union including a type known for having strong alignment
constraints, in order to force the union to have the same constraint,
use the actual type instead of `double'. And add a comment explaining why we
want such an alignment in there.

ok beck@


# 1.13 06-Nov-2016 jsing

Remove unused SSLv3 from ssl3_cbc_record_digest_supported().

From Markus Uhlin <markus.uhlin at bredband dot net>

ok beck@ bcooK@


# 1.12 20-Mar-2016 krw

" the the " -> " the ", or in a couple of cases replace the superfluous
"the" with the obviously intended word.

Started with a "the the" spotted by Mihal Mazurek.


# 1.11 11-Sep-2015 jsing

Nuke ssl3_cbc_remove_padding().

ok "flensing knife"


# 1.10 17-Jul-2015 doug

Remove workaround for TLS padding bug from SSLeay days.

OpenSSL doesn't remember which clients were impacted and the
functionality has been broken in their stable releases for 2 years.

Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.

ok jsing@


# 1.9 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.8 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.7 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.6 08-Jun-2014 jsing

Add a define for the SSLv3 sequence size and use it, rather than sprinkling
magic numbers around.

ok deraadt@


# 1.5 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.4 17-Apr-2014 tedu

quick pass at removing ability to disable sha256 and sha512. ok miod


# 1.3 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.2 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.1 14-Feb-2013 markus

branches: 1.1.1;
cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@


# 1.20 12-Mar-2020 jsing

Stop overloading the record type for padding length.

Currently the CBC related code stuffs the padding length in the upper bits
of the type field... stop doing that and add a padding_length field to the
record struct instead.

ok inoguchi@ tb@


# 1.19 12-Mar-2020 jsing

Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.

SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in
public headers, even though their usage is internal. This moves to
using _INTERNAL suffixed versions that are in internal headers, which
then allows us to change them without any potential public API fallout.

ok inoguchi@ tb@


# 1.18 21-Feb-2020 jsing

Move l2n/l2n8 into s3_cbc.c, since this is the only code that uses it.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.17 08-Sep-2018 jsing

Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.16 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.15 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.14 08-Nov-2016 miod

When using a union including a type known for having strong alignment
constraints, in order to force the union to have the same constraint,
use the actual type instead of `double'. And add a comment explaining why we
want such an alignment in there.

ok beck@


# 1.13 06-Nov-2016 jsing

Remove unused SSLv3 from ssl3_cbc_record_digest_supported().

From Markus Uhlin <markus.uhlin at bredband dot net>

ok beck@ bcook@


# 1.12 20-Mar-2016 krw

" the the " -> " the ", or in a couple of cases replace the superfluous
"the" with the obviously intended word.

Started with a "the the" spotted by Mihal Mazurek.


# 1.11 11-Sep-2015 jsing

Nuke ssl3_cbc_remove_padding().

ok "flensing knife"


# 1.10 17-Jul-2015 doug

Remove workaround for TLS padding bug from SSLeay days.

OpenSSL doesn't remember which clients were impacted and the
functionality has been broken in their stable releases for 2 years.

Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.

ok jsing@


# 1.9 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.8 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.7 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.6 08-Jun-2014 jsing

Add a define for the SSLv3 sequence size and use it, rather than sprinkling
magic numbers around.

ok deraadt@

