History log of /openbsd-current/lib/libssl/t1_enc.c
Revision Date Author Comments
# 1.157 26-Nov-2022 tb

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook


# 1.156 07-Nov-2022 jsing

Rewrite TLSv1.2 key exporter.

Replace the grotty TLSv1.2 key exporter with a cleaner version that uses
CBB and CBS.

ok tb@


# 1.155 02-Oct-2022 jsing

Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL.

These are no longer necessary due to SSL_CTX and SSL now being fully
opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back
into SSL.

Prompted by tb@


Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
# 1.154 05-Feb-2022 jsing

Bye bye S3I.

S3I has served us well, however now that libssl is fully opaque it is time
to say goodbye. Aside from removing the calloc/free/memset, the rest is
mechanical sed.

ok inoguchi@ tb@


# 1.153 09-Dec-2021 tb

Convert t1_enc.c to opaque EVP_MD_CTX.

ok inoguchi jsing


# 1.152 23-Oct-2021 jsing

Mop up enc_read_ctx and read_hash.

These are no longer public, so we can mop them up along with the machinery
needed to set/clear them.

ok beck@ tb@


Revision tags: OPENBSD_7_0_BASE
# 1.151 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.150 13-Jun-2021 jsing

Remove tls1_alert_code().

After running the preprocessor, this function becomes:

switch (code) {
case 0:
return (0);
case 10:
return (10);
case 20:
return (20);
...
}

Its intended purpose was to prevent SSLv3 alerts being sent from TLS code,
however now that we've removed "no_certificate" from LibreSSL's reach, it
no longer does anything useful.

ok tb@


# 1.149 13-Jun-2021 jsing

Remove references to obsolete alerts.

The "no_certificate" alert only existed in SSLv3, while the
"decryption_failed" and "export_restriction" alerts were removed in
TLSv1.1.

ok tb@


# 1.148 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.147 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.146 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.145 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.144 05-May-2021 jsing

Replace DTLS w_epoch with epoch from TLSv1.2 record layer.

ok inoguchi@ tb@


# 1.143 05-May-2021 jsing

Rewrite TLSv1.2 key block handling.

For TLSv1.2 a single key block is generated, then partitioned into
individual secrets for use as IVs and keys. The previous implementation
splits this across two functions tls1_setup_key_block() and
tls1_change_cipher_state(), which means that the IV and key sizes have to
be known in multiple places.

This implementation generates and partitions the key block in a single
step, meaning that the secrets are then simply handed out when requested.

ok inoguchi@ tb@


# 1.142 02-May-2021 jsing

Clean up tls1_change_cipher_state().

Replace flag gymnastics at call sites with separate read and write
functions which call the common code. Condition on s->server instead of
using SSL_ST_ACCEPT, for consistency and more readable code.

ok inoguchi@ tb@


# 1.141 02-May-2021 jsing

Clean up dtls1_reset_seq_numbers().

Rather than doing flag gymnastics, split dtls1_reset_seq_numbers() into
separate read and write functions. Move the calls of these functions into
tls1_change_cipher_state() so they directly follow the change of cipher
state in the record layer, which avoids having to duplicate the calls in
the client and server.

ok inoguchi@ tb@


# 1.140 30-Apr-2021 jsing

Clean up and harden TLSv1.2 master key derivation.

The master key and its length are only stored in one location, so it makes
no sense to handle these outside of the derivation function (the current
'out' argument is unused). This simplifies the various call sites.

If derivation fails for some reason, fail hard rather than continuing on
and hoping that something deals with this correctly later.

ok inoguchi@ tb@


# 1.139 25-Apr-2021 jsing

Clean up derivation of finished/peer finished.

Make this process more readable by having specific client/server functions,
calling the correct one based on s->server. This allows us to remove various
SSL_ST_ACCEPT/SSL_ST_CONNECT checks, along with duplicate code.

ok inoguchi@ tb@


# 1.138 19-Apr-2021 jsing

Remove new_sym_enc and new_aead.

These can be replaced with accessors that allow this information to be
retrieved from the new record layer.

ok inoguchi@ tb@


# 1.137 19-Apr-2021 jsing

Move new_mac_secret_size into the TLSv1.2 handshake struct.

Drop the 'new_' prefix in the process.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_9_BASE
# 1.136 29-Mar-2021 jsing

Move the TLSv1.2 record number increment into the new record layer.

This adds checks (based on the TLSv1.3 implementation) to ensure that the
TLS/DTLS sequence numbers do not wrap, as required by the respective RFCs.

ok inoguchi@ tb@


# 1.135 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.134 24-Mar-2021 jsing

Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.

Move TLSv1.2 specific components over from SSL_HANDSHAKE.

ok inoguchi@ tb@


# 1.133 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.132 03-Feb-2021 tb

Fail early in legacy exporter if master secret is not available

The exporter depends on having a master secret. If the handshake is
not completed, it is neither guaranteed that a shared ciphersuite was
selected (in which case tls1_PRF() will currently NULL deref) nor that
a master secret was set up (in which case the exporter will succeed
with a predictable value). Neither outcome is desirable, so error out
early instead of entering the sausage factory unprepared. This aligns
the legacy exporter with the TLSv1.3 exporter in that regard.

with/ok jsing


# 1.131 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.130 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.129 19-Jan-2021 jsing

Add code to handle change of cipher state in the new TLSv1.2 record layer.

This provides the basic framework for handling change of cipher state in
the new TLSv1.2 record layer, creating new record protection. In the DTLS
case we retain the previous write record protection and can switch back to
it when retransmitting. This will allow the record layer to start owning
sequence numbers and encryption/decryption state.

ok inoguchi@ tb@


# 1.128 07-Jan-2021 jsing

Move the read MAC key into the TLSv1.2 record layer.

ok inoguchi@ tb@


# 1.127 11-Nov-2020 jsing

Use size_t for key_block_len.

This allows us to remove a check and will make future changes simpler. Use
suitable names for tls1_generate_key_block() arguments while here.

ok inoguchi@ tb@


# 1.126 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.125 07-Oct-2020 jsing

Mop up various things that are now unused with the new record layer.

ok inoguchi@ tb@


# 1.124 03-Oct-2020 jsing

Reimplement the TLSv1.2 record handling for the read side.

This is the next step in replacing the TLSv1.2 record layer.

The existing record handling code does decryption and processing in
place, which is not ideal for various reasons, however it is retained
for now as other code depends on this behaviour. Additionally, CBC
requires special handling to avoid timing oracles - for now the
existing timing safe code is largely retained.

ok beck@ inoguchi@ tb@


Revision tags: OPENBSD_6_8_BASE
# 1.123 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_7_BASE
# 1.122 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.121 13-Mar-2020 jsing

Remove dtls1_enc().

Like much of the original DTLS code, dtls1_enc() is effectively a renamed
copy of tls1_enc(). Since then tls1_enc() has been modified, however the
non-AEAD code remains largely the same. As such, remove dtls1_enc() and
instead call tls1_enc() from the DTLS code.

The tls1_enc() AEAD code does not currently work correctly with DTLS,
however this is a non-issue since we do not support AEAD cipher suites with
DTLS currently.

ok tb@


# 1.120 12-Mar-2020 jsing

Stop overloading the record type for padding length.

Currently the CBC related code stuffs the padding length in the upper bits
of the type field... stop doing that and add a padding_length field to the
record struct instead.

ok inoguchi@ tb@


# 1.119 12-Mar-2020 jsing

Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.

SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in
public headers, even though their usage is internal. This moves to
using _INTERNAL suffixed versions that are in internal headers, which
then allows us to change them without any potential public API fallout.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.118 13-May-2019 bcook

Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.

Fixes COV-174858

ok tb@


Revision tags: OPENBSD_6_5_BASE
# 1.117 09-Feb-2019 jsing

Rename tls1_handshake_hash*() to tls1_transcript_hash*().

While handshake hash is correct (in as far as it is a hash of handshake
messages), using tls1_transcript_hash*() aligns them with the naming of the
tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses
Transcript-Hash and "transcript hash", which this matches.

ok inoguchi@ tb@


# 1.116 08-Nov-2018 jsing

Clean up and simplify the handshake transcript code.

This provides a cleaner, simpler and more readable API, with code that uses
a BUF_MEM instead of a BIO.

ok beck@ ("hurry up") and tb@.


# 1.115 24-Oct-2018 jsing

Make more of libssl's record layer state internal.

In January 2017, we changed large amounts of libssl's data structures to
be non-visible/internal, however intentionally left things that the
software ecosystem was needing to use. The four or so applications that
reached into libssl for record layer related state now implement
alternative code. As such, make these data structures internal.

ok tb@


Revision tags: OPENBSD_6_4_BASE
# 1.114 08-Sep-2018 jsing

Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.

ok inoguchi@ tb@


# 1.113 06-Sep-2018 jsing

Drop SSL_CIPHER_ALGORITHM2_AEAD flag.

All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can
condition on that rather than having a separate redundant flag.

ok tb@


# 1.112 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.111 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.110 31-Aug-2018 jsing

Remove unused argument to tls1_change_cipher_state_cipher().


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.109 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.108 10-Apr-2017 jsing

freezero() the key block; simpler code and less of it.


Revision tags: OPENBSD_6_1_BASE
# 1.107 25-Mar-2017 jsing

Check tls1_PRF() return value in tls1_generate_master_secret().


# 1.106 25-Mar-2017 jsing

More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of
tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument
names and change lengths to size_t.

ok inoguchi@


# 1.105 18-Mar-2017 jsing

Fewer magic numbers.


# 1.104 18-Mar-2017 jsing

t1_enc.c


# 1.103 18-Mar-2017 jsing

Currently tls1_PRF() requires that a temporary buffer be provided, that
matches the size of the output buffer. This is used in the case where
there are multiple hashes - tls_P_hash() is called with the temporary
buffer and the result is then xored into the output buffer.

Avoid this by simply using a local buffer in tls_P_hash() and then xoring
the result into the output buffer. Overall this makes the code cleaner
and simplifies all of the tls_PRF() callers.

Similar to BoringSSL.

ok inoguchi@


# 1.102 10-Mar-2017 jsing

Remove the handshake digests and related code, replacing remaining uses
with the handshake hash. For now tls1_digest_cached_records() is retained
to release the handshake buffer.

ok beck@ inoguchi@


# 1.101 10-Mar-2017 jsing

First pass at cleaning up the tls1_P_hash() function - remove a pointless
EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the
code slightly.

ok inoguchi@


# 1.100 10-Mar-2017 jsing

Make tls1_PRF() non-static so it can be regress tested.


# 1.99 07-Mar-2017 jsing

Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned
and each hash processed separately.

Tested by tb@

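The PRF construction that revisions 1.99 and 1.103 above describe (P_hash expansion, the MD5+SHA1 secret partitioning of TLS 1.0/1.1, the XOR of the two P_hash outputs, the single-hash TLS 1.2 variant) and the single-step key block partitioning of revision 1.143, written out as an added example in Python. This is not LibreSSL's code and not the project's API; it follows the definitions in RFC 2246 section 5, RFC 5246 sections 5 and 6.3 and RFC 5705, and all function names, the sample secrets and randoms are constructed for illustration. The exporter helper also shows the fail-closed behaviour revision 1.132 asks for: it refuses to derive anything when no master secret has been established.

```python
# Added example, not LibreSSL's code: TLS PRF, secret partitioning, key block
# partitioning and an RFC 5705 exporter, written from the RFC definitions.
import hmac


def p_hash(hash_name, secret, seed, out_len):
    """P_<hash>(secret, seed) from RFC 2246 section 5, expanded to out_len bytes.

    A(0) = seed, A(i) = HMAC(secret, A(i-1));
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ...
    Every prefix of the stream is itself P_hash with a shorter out_len.
    """
    out = b""
    a = seed
    while len(out) < out_len:
        a = hmac.new(secret, a, hash_name).digest()          # A(i)
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:out_len]


def split_secret(secret):
    """Partition the secret into S1/S2 as TLS 1.0/1.1 require.

    L_S1 = L_S2 = ceil(L_S / 2): for an odd-length secret the middle byte
    belongs to both halves. This is the partitioning revision 1.99 refers to.
    """
    half = (len(secret) + 1) // 2
    return secret[:half], secret[len(secret) - half:]


def tls10_prf(secret, label, seed, out_len):
    """TLS 1.0/1.1 PRF: P_MD5(S1, label + seed) XOR P_SHA1(S2, label + seed)."""
    s1, s2 = split_secret(secret)
    md5_out = p_hash("md5", s1, label + seed, out_len)
    sha1_out = p_hash("sha1", s2, label + seed, out_len)
    return bytes(x ^ y for x, y in zip(md5_out, sha1_out))


def tls12_prf(secret, label, seed, out_len, hash_name="sha256"):
    """TLS 1.2 PRF (RFC 5246 section 5): one P_<hash> over the whole secret."""
    return p_hash(hash_name, secret, label + seed, out_len)


KEY_BLOCK_ORDER = ("client_write_MAC_key", "server_write_MAC_key",
                   "client_write_key", "server_write_key",
                   "client_write_IV", "server_write_IV")


def key_block(prf, master_secret, server_random, client_random,
              mac_len, key_len, iv_len):
    """Generate and partition the key block in a single step (RFC 5246 6.3).

    key_block = PRF(master_secret, "key expansion", server_random + client_random)
    is cut, in order, into the six secrets named in KEY_BLOCK_ORDER; callers
    are then simply handed the secret they ask for, as revision 1.143 describes.
    """
    lens = (mac_len, mac_len, key_len, key_len, iv_len, iv_len)
    kb = prf(master_secret, b"key expansion", server_random + client_random,
             sum(lens))
    secrets = {}
    pos = 0
    for name, n in zip(KEY_BLOCK_ORDER, lens):
        secrets[name] = kb[pos:pos + n]
        pos += n
    return secrets


def export_keying_material(master_secret, client_random, server_random,
                           label, context, out_len, prf=tls12_prf):
    """RFC 5705 exporter that fails closed when no master secret exists.

    Without an established master secret the only possible outputs are a crash
    or a predictable value (revision 1.132), so refuse instead of deriving.
    """
    if master_secret is None:
        raise ValueError("handshake not complete: no master secret to export from")
    seed = client_random + server_random
    if context is not None:
        seed += len(context).to_bytes(2, "big") + context
    return prf(master_secret, label, seed, out_len)


if __name__ == "__main__":
    # Constructed sample values; real ones come from the handshake.
    master = bytes(range(48))
    client_random = b"\x01" * 32
    server_random = b"\x02" * 32
    for name, secret in key_block(tls12_prf, master, server_random,
                                  client_random, 20, 16, 16).items():
        print(name, secret.hex())
    print(export_keying_material(master, client_random, server_random,
                                 b"EXPORTER-demo", b"ctx", 16).hex())
```

The prefix property of P_hash is what makes the single-step key block safe to hand out piecewise, and it is the easiest thing to check on a PRF implementation: a 16-byte derivation must equal the first 16 bytes of a 48-byte derivation with the same inputs.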

# 1.98 06-Mar-2017 jsing

Clean up and simplify the tls1_PRF() implementation now that we have a
single EVP MD for the PRF hash.

ok beck@ inoguchi@


# 1.97 05-Mar-2017 jsing

Provide a rolling handshake hash that commences as soon as the cipher
suite has been selected, and convert the final finish MAC to use this
handshake hash.

This is a first step towards cleaning up the current handshake
buffer/digest code.

ok beck@ inoguchi@


# 1.96 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.95 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.94 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.93 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.92 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.91 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.90 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.89 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.88 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.87 06-Nov-2016 jsing

Remove unused SSLv3 from ssl3_cbc_record_digest_supported().

From Markus Uhlin <markus.uhlin at bredband dot net>

ok beck@ bcook@


# 1.86 03-Nov-2016 jsing

Clean up the TLS handshake digest handling - this refactors some of the
code for improved readability, however it also addresses two issues.

The first of these is a hard-to-hit double free that will occur if
EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure
that tls1_digest_cached_records() either completes successfully and sets
up all of the necessary digests, or it cleans up and frees everything
that was allocated.

The second issue is that EVP_DigestUpdate() can fail - detect and handle
this in tls1_finish_mac() and change the return type to an int so that a
failure can be propagated to the caller (the callers still need to be
fixed to handle this, in a later diff).

The double-free was reported by Matthew Dillon.

ok beck@ doug@ miod@


# 1.85 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replacing the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.84 06-Mar-2016 beck

Make sure stdio functions don't end up in the library, from miod@
ok doug@ bcook@


# 1.83 11-Sep-2015 jsing

Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a
ssl3_ prefix.

ok beck@


# 1.82 11-Sep-2015 jsing

Merge the remnants of s3_enc.c into t1_enc.c.

ok beck@


# 1.81 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.80 27-Aug-2015 jsing

Change AEAD out_len argument to size_t instead of ssize_t - while here,
rename it to out_len so that its purpose is more obvious. Also, drop two
checks that are no longer possible (and have not been for a long time).

Spotted by and ok doug@


# 1.79 17-Jul-2015 doug

Remove workaround for TLS padding bug from SSLeay days.

OpenSSL doesn't remember which clients were impacted and the
functionality has been broken in their stable releases for 2 years.

Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.

ok jsing@


# 1.78 17-Jun-2015 jsing

Keep alerts sorted by alert code.


# 1.77 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.76 07-Feb-2015 doug

Remove useless variables and use the values directly.

From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.

ok miod@, jsing@


# 1.75 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.74 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.73 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.72 16-Nov-2014 jsing

Sort and group includes.


# 1.71 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.70 18-Oct-2014 doug

Typical malloc() with size multiplication to reallocarray().

ok deraadt@


# 1.69 07-Aug-2014 miod

Oops, revert changes committed by mistake. The previous commit was supposed
to only apply to s23_srvr.c.


# 1.68 07-Aug-2014 miod

When you expect a function to return a particular value, don't put a comment
saying that you expect it to return that value and compare it against zero
because it is supposedly faster, for this leads to bugs (especially given the
high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this
library).

Instead, compare for the exact value it ought to return upon success.

ok deraadt@


# 1.67 10-Jul-2014 jsing

Remove more compression related code.


# 1.66 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.65 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.64 08-Jul-2014 beck

pedantic avoidance of division by zero, likely not actually
possible to hit for real.
ok miod@ jsing@


# 1.63 21-Jun-2014 jsing

Pull the code that builds a DTLS sequence number out into its own function
to avoid duplication. Also use fewer magic numbers.

ok miod@


# 1.62 21-Jun-2014 jsing

Pull out the sequence number selection and handle this up front. Also, the
correct record is already known, so avoid reassignment.


# 1.61 21-Jun-2014 jsing

More KNF and clean up.


# 1.60 15-Jun-2014 jsing

Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(),
so that it reflects what it is actually doing. Use this function in a
number of places that still have the hand rolled version.

ok beck@ miod@


# 1.59 13-Jun-2014 jsing

Correctly calculate the key block length when using export ciphers.


# 1.58 13-Jun-2014 jsing

Swap compress/expand around so they are in the correct order - these ended
up in the wrong order when the code was refactored.


# 1.57 13-Jun-2014 jsing

Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and
EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.


# 1.56 13-Jun-2014 jsing

Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are
those that use EVP_AEAD instead of EVP_CIPHER. This means being able to
change cipher state with an EVP_AEAD and being able to encrypt/decrypt
TLS using the EVP_AEAD. This has no change on existing
non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.

Based on Adam Langley's chromium patches.

Rides the recent libssl bump.

Tested by sthen@


# 1.55 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.54 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.53 11-Jun-2014 jsing

Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since
OpenSSL 1.0.0.

ok miod@ (a little while back)


# 1.52 10-Jun-2014 jsing

In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex()
to avoid a possible NULL function call on ctx.final(). None of the callers
currently check the return value of calls to cert_verify_mac(), however
the function already returns 0 in another case and the MAC comparison will
later fail.

Issue reported by David Ramos.


# 1.51 08-Jun-2014 jsing

Add a define for the SSLv3 sequence size and use it, rather than sprinkling
magic numbers around.

ok deraadt@


# 1.50 08-Jun-2014 jsing

Be explicit with types. No binary change.


# 1.49 08-Jun-2014 jsing

Factor out the part of tls1_change_cipher_state() that is specific to
switching cipher states using an EVP_CIPHER. This will facilitate the
addition of cipher state changes for EVP_AEAD. No functional change.

Based on Adam Langley's chromium patches.


# 1.48 08-Jun-2014 jsing

Factor out the sequence number reset code to aid in upcoming changes.


# 1.47 07-Jun-2014 jsing

Add missing NULL check after calling EVP_PKEY_new_mac_key().

Based on Adam Langley's chromium patches.


# 1.46 07-Jun-2014 jsing

Use !is_read to imply SSL3_CC_WRITE.

While this is not strictly correct (since the presence of SSL3_CC_READ does
not guarantee the absence of SSL3_CC_WRITE), in practice only one of these
flags is set at a time and there is existing logic which already relies on
this behaviour.


# 1.45 07-Jun-2014 jsing

Move the export label initialisation into the export handling code, since
this is the only place where these variables are used.


# 1.44 07-Jun-2014 jsing

Remove pointless casts - no binary change.


# 1.43 07-Jun-2014 jsing

Rename variables to make it clear that these are only used in the export
code. Additionally, these need to be cleaned in the export case.

Based on Adam Langley's chromium patches.


# 1.42 07-Jun-2014 jsing

Further clean up of context handling in tls1_change_cipher_state().

Rather than doing a complex dance to figure out if we should reuse the
cipher context and clean it later on, just free it and allocate a new one.
This simplifies the code path, especially in the write case where special
handling is required for DTLS.

Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is
unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention
that it was already missing from the write case).


# 1.41 02-Jun-2014 jsing

Rename more variables for readability and consistency.


# 1.40 01-Jun-2014 jsing

Overhaul the key block handling in tls1_change_cipher_state() - use
meaningful variable names with pointer arithmetic, rather than n, i, j
and p with array indexing.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.39 01-Jun-2014 jsing

In tls1_setup_key_block(), use the correct IV length for GCM mode, which
results in the key block length calculation also being correct. Rename a
number of variables so that their purpose becomes clear and simplify some
of the code.

Inspired by Adam Langley's chromium diffs.

ok miod@


# 1.38 01-Jun-2014 jsing

Clean up the tls1_change_cipher_state() key length handling and use a
single variable with a descriptive name, instead of two poorly named
variables.

Largely based on Adam Langley's chromium patches.

ok miod@


# 1.37 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.36 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.35 29-May-2014 jsing

Fix another two cases where the return value of ssl_replace_hash() is
unchecked.

In the case of tls1_change_cipher_state(), it is fairly pointless to use
ssl_replace_hash(), since it does not initialise the hash and there is
special handling required in the DTLS write case. Instead, just inline
the part of ssl_replace_hash() that is needed and only
ssl_clear_hash_ctx() the write hash in the non-DTLS case.

Also add a detailed comment explaining why there needs to be specialised
handling for DTLS write context and where the contexts are actually freed.

ok miod@


# 1.34 28-May-2014 jsing

More KNF.


# 1.33 28-May-2014 jsing

Refactor tls1_change_cipher_state() and split the compression handling out
from the cipher and message digest handling, allowing for upcoming changes.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.32 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.31 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.30 25-May-2014 jsing

The ssl_cipher_get_evp() function is currently overloaded to also return the
compression associated with the SSL session. Based on one of Adam Langley's
chromium diffs, factor out the compression handling code into a separate
ssl_cipher_get_comp() function.

Rewrite the compression handling code to avoid pointless duplication and so
that failures are actually returned to and detectable by the caller.

ok miod@


# 1.29 24-May-2014 miod

Invoke OPENSSL_cleanse() with the size of the variable you are cleaning.
ok jsing@


# 1.28 20-May-2014 jsing

KSSL is dead... nuke KSSL_DEBUG from orbit.

ok beck@ miod@


# 1.27 28-Apr-2014 tedu

use the correct algorithm mask. reported by satish lvr via
http://marc.info/?l=openssl-dev&m=139779977532459&w=2
ok miod


# 1.26 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.25 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.24 19-Apr-2014 jsing

More KNF.


# 1.23 18-Apr-2014 tedu

now that knf carpet bombing is finished, switch to hand-to-hand combat.
still not sure what to make of mysteries like this:
for (i = 7; i >= 0; i--) { /* increment */
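The loop quoted in the entry above is the increment of the 64-bit TLS/DTLS record sequence number, stored big-endian in an 8-byte array (byte 7 is least significant, so the loop walks from 7 down to 0 propagating the carry). The C below is an added example, not code from t1_enc.c: it performs the same increment and, going one step beyond the quoted loop, refuses to wrap the counter, which the TLS and DTLS RFCs forbid (a later entry in this log adds such a check to the record layer). The helper names and the `tls_seq_next_*` convenience wrappers are assumptions for the example.

```c
#include <stdint.h>
#include <stdio.h>

#define TLS_SEQ_NUM_SIZE 8

/* Read a big-endian sequence number into a host integer (for checks). */
uint64_t
tls_seq_value(const uint8_t seq[TLS_SEQ_NUM_SIZE])
{
	uint64_t v = 0;
	int i;

	for (i = 0; i < TLS_SEQ_NUM_SIZE; i++)
		v = (v << 8) | seq[i];
	return v;
}

/* Store a host integer as a big-endian sequence number. */
void
tls_seq_set(uint8_t seq[TLS_SEQ_NUM_SIZE], uint64_t v)
{
	int i;

	for (i = TLS_SEQ_NUM_SIZE - 1; i >= 0; i--) {
		seq[i] = (uint8_t)(v & 0xff);
		v >>= 8;
	}
}

/*
 * Increment the sequence number in place. Returns 1 on success and 0,
 * leaving the counter untouched, if it is already at its maximum: a
 * wrapped sequence number would reuse nonces/MAC inputs under the same
 * key, so the connection must be torn down or re-keyed instead.
 */
int
tls_seq_increment(uint8_t seq[TLS_SEQ_NUM_SIZE])
{
	int i;

	/* All 0xff bytes is the last usable value. */
	for (i = 0; i < TLS_SEQ_NUM_SIZE; i++)
		if (seq[i] != 0xff)
			break;
	if (i == TLS_SEQ_NUM_SIZE)
		return 0;

	/* The quoted loop: bump the low byte, carry while it rolled to 0. */
	for (i = TLS_SEQ_NUM_SIZE - 1; i >= 0; i--) {
		if (++seq[i] != 0)
			break;
	}
	return 1;
}

/* Convenience wrappers so the behaviour can be checked on plain integers. */
int
tls_seq_next_ok(uint64_t v)
{
	uint8_t seq[TLS_SEQ_NUM_SIZE];

	tls_seq_set(seq, v);
	return tls_seq_increment(seq);
}

uint64_t
tls_seq_next_value(uint64_t v)
{
	uint8_t seq[TLS_SEQ_NUM_SIZE];

	tls_seq_set(seq, v);
	tls_seq_increment(seq);
	return tls_seq_value(seq);
}

int
main(void)
{
	printf("0x%016llx\n", (unsigned long long)tls_seq_next_value(0xffULL));
	printf("wrap allowed: %d\n", tls_seq_next_ok(UINT64_MAX));
	return 0;
}
```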


# 1.22 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.21 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.20 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.19 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.18 27-Feb-2014 jca

SECURITY fixes backported from openssl-1.0.1f. ok mikeb@

CVE-2013-4353 NULL pointer dereference with crafted Next Protocol
Negotiation record in TLS handshake.
Upstream: 197e0ea

CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client.
Upstream: ca98926, 0294b2b

CVE-2013-6450 Fix DTLS retransmission from previous session.
Upstream: 3462896


# 1.17 14-Feb-2013 markus

cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.14 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.13 09-Jan-2009 djm

resolve conflicts


# 1.12 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.11 06-Sep-2008 djm

resolve conflicts


# 1.10 29-Apr-2005 djm

resolve conflicts


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 01-Aug-2001 beck

merge openssl 0.9.6b-engine

Note that this is a maintenance release, APIs appear *not* to have changed.
As such, I have only increased the minor number on these libraries.


# 1.5 22-Jun-2001 beck

openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.156 07-Nov-2022 jsing

Rewrite TLSv1.2 key exporter.

Replace the grotty TLSv1.2 key exporter with a cleaner version that uses
CBB and CBS.

ok tb@


# 1.155 02-Oct-2022 jsing

Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL.

These are no longer necessary due to SSL_CTX and SSL now being fully
opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back
into SSL.

Prompted by tb@


Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
# 1.154 05-Feb-2022 jsing

Bye bye S3I.

S3I has served us well, however now that libssl is fully opaque it is time
to say goodbye. Aside from removing the calloc/free/memset, the rest is
mechanical sed.

ok inoguchi@ tb@


# 1.153 09-Dec-2021 tb

Convert t1_enc.c to opaque EVP_MD_CTX.

ok inoguchi jsing


# 1.152 23-Oct-2021 jsing

Mop up enc_read_ctx and read_hash.

These are no longer public, so we can mop them up along with the machinery
needed to set/clear them.

ok beck@ tb@


Revision tags: OPENBSD_7_0_BASE
# 1.151 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.150 13-Jun-2021 jsing

Remove tls1_alert_code().

After running the preprocessor, this function becomes:

switch (code) {
case 0:
return (0);
case 10:
return (10);
case 20:
return (20);
...
}

Its intended purpose was to prevent SSLv3 alerts being sent from TLS code,
however now that we've removed "no_certificate" from LibreSSL's reach, it
no longer does anything useful.

ok tb@


# 1.149 13-Jun-2021 jsing

Remove references to obsolete alerts.

The "no_certificate" alert only existed in SSLv3, while the
"decryption_failed" and "export_restriction" alerts were removed in
TLSv1.1.

ok tb@


# 1.148 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.147 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.146 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.145 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.144 05-May-2021 jsing

Replace DTLS w_epoch with epoch from TLSv1.2 record layer.

ok inoguchi@ tb@


# 1.143 05-May-2021 jsing

Rewrite TLSv1.2 key block handling.

For TLSv1.2 a single key block is generated, then partitioned into
individual secrets for use as IVs and keys. The previous implementation
splits this across two functions tls1_setup_key_block() and
tls1_change_cipher_state(), which means that the IV and key sizes have to
be known in multiple places.

This implementation generates and partitions the key block in a single
step, meaning that the secrets are then simply handed out when requested.

ok inoguchi@ tb@


# 1.142 02-May-2021 jsing

Clean up tls1_change_cipher_state().

Replace flag gymnastics at call sites with separate read and write,
functions which call the common code. Condition on s->server instead of
using SSL_ST_ACCEPT, for consistency and more readable code.

ok inoguchi@ tb@


# 1.141 02-May-2021 jsing

Clean up dtls1_reset_seq_numbers().

Rather than doing flag gymnastics, split dtls1_reset_seq_numbers() into
separate read and write functions. Move the calls of these functions into
tls1_change_cipher_state() so they directly follow the change of cipher
state in the record layer, which avoids having to duplicate the calls in
the client and server.

ok inoguchi@ tb@


# 1.140 30-Apr-2021 jsing

Clean up and harden TLSv1.2 master key derivation.

The master key and its length are only stored in one location, so it makes
no sense to handle these outside of the derivation function (the current
'out' argument is unused). This simplifies the various call sites.

If derivation fails for some reason, fail hard rather than continuing on
and hoping that something deals with this correctly later.

ok inoguchi@ tb@


# 1.139 25-Apr-2021 jsing

Clean up derivation of finished/peer finished.

Make this process more readable by having specific client/server functions,
calling the correct one based on s->server. This allows to remove various
SSL_ST_ACCEPT/SSL_ST_CONNECT checks, along with duplicate code.

ok inoguchi@ tb@


# 1.138 19-Apr-2021 jsing

Remove new_sym_enc and new_aead.

These can be replaced with accessors that allow this information to be
retrieved from the new record layer.

ok inoguchi@ tb@


# 1.137 19-Apr-2021 jsing

Move new_mac_secret_size into the TLSv1.2 handshake struct.

Drop the 'new_' prefix in the process.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_9_BASE
# 1.136 29-Mar-2021 jsing

Move the TLSv1.2 record number increment into the new record layer.

This adds checks (based on the TLSv1.3 implementation) to ensure that the
TLS/DTLS sequence numbers do not wrap, as required by the respective RFCs.

ok inoguchi@ tb@


# 1.135 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.134 24-Mar-2021 jsing

Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.

Move TLSv1.2 specific components over from SSL_HANDSHAKE.

ok inoguchi@ tb@


# 1.133 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.132 03-Feb-2021 tb

Fail early in legacy exporter if master secret is not available

The exporter depends on having a master secret. If the handshake is
not completed, it is neither guaranteed that a shared ciphersuite was
selected (in which case tls1_PRF() will currently NULL deref) or that
a master secret was set up (in which case the exporter will succeed
with a predictable value). Neither outcome is desirable, so error out
early instead of entering the sausage factory unprepared. This aligns
the legacy exporter with the TLSv1.3 exporter in that regard.

with/ok jsing


# 1.131 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.130 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.129 19-Jan-2021 jsing

Add code to handle change of cipher state in the new TLSv1.2 record layer.

This provides the basic framework for handling change of cipher state in
the new TLSv1.2 record layer, creating new record protection. In the DTLS
case we retain the previous write record protection and can switch back to
it when retransmitting. This will allow the record layer to start owning
sequence numbers and encryption/decryption state.

ok inoguchi@ tb@


# 1.128 07-Jan-2021 jsing

Move the read MAC key into the TLSv1.2 record layer.

ok inoguchi@ tb@


# 1.127 11-Nov-2020 jsing

Use size_t for key_block_len.

This allows us to remove a check and will make future changes simpler. Use
suitable names for tls1_generate_key_block() arguments while here.

ok inoguchi@ tb@


# 1.126 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.125 07-Oct-2020 jsing

Mop up various things that are now unused with the new record layer.

ok inoguchi@ tb@


# 1.124 03-Oct-2020 jsing

Reimplement the TLSv1.2 record handling for the read side.

This is the next step in replacing the TLSv1.2 record layer.

The existing record handling code does decryption and processing in
place, which is not ideal for various reasons, however it is retained
for now as other code depends on this behaviour. Additionally, CBC
requires special handling to avoid timing oracles - for now the
existing timing safe code is largely retained.

ok beck@ inoguchi@ tb@


Revision tags: OPENBSD_6_8_BASE
# 1.123 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_7_BASE
# 1.122 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.121 13-Mar-2020 jsing

Remove dtls1_enc().

Like much of the original DTLS code, dtls1_enc() is effectively a renamed
copy of tls1_enc(). Since then tls1_enc() has been modified, however the
non-AEAD code remains largely the same. As such, remove dtls1_enc() and
instead call tls1_enc() from the DTLS code.

The tls1_enc() AEAD code does not currently work correctly with DTLS,
however this is a non-issue since we do not support AEAD cipher suites with
DTLS currently.

ok tb@


# 1.120 12-Mar-2020 jsing

Stop overloading the record type for padding length.

Currently the CBC related code stuffs the padding length in the upper bits
of the type field... stop doing that and add a padding_length field to the
record struct instead.

ok inoguchi@ tb@


# 1.119 12-Mar-2020 jsing

Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.

SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in
public headers, even though their usage is internal. This moves to
using _INTERNAL suffixed versions that are in internal headers, which
then allows us to change them without any potential public API fallout.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.118 13-May-2019 bcook

Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.

Fixes COV-174858

ok tb@


Revision tags: OPENBSD_6_5_BASE
# 1.117 09-Feb-2019 jsing

Rename tls1_handshake_hash*() to tls1_transcript_hash*().

While handshake hash is correct (in as far as it is a hash of handshake
messages), using tls1_transcript_hash*() aligns them with the naming of the
tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses
Transcript-Hash and "transcript hash", which this matches.

ok inoguchi@ tb@


# 1.116 08-Nov-2018 jsing

Clean up and simplify the handshake transcript code.

This provides a cleaner, simpler and more readable API, with code that uses
a BUF_MEM instead of a BIO.

ok beck@ ("hurry up") and tb@.


# 1.115 24-Oct-2018 jsing

Make more of libssl's record layer state internal.

In January 2017, we changed large amounts of libssl's data structures to
be non-visible/internal, however intentionally left things that the
software ecosystem was needing to use. The four or so applications that
reached into libssl for record layer related state now implement
alternative code. As such, make these data structures internal.

ok tb@


Revision tags: OPENBSD_6_4_BASE
# 1.114 08-Sep-2018 jsing

Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.

ok inoguchi@ tb@


# 1.113 06-Sep-2018 jsing

Drop SSL_CIPHER_ALGORITHM2_AEAD flag.

All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can
condition on that rather than having a separate redundant flag.

ok tb@


# 1.112 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.111 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.110 31-Aug-2018 jsing

Remove unused argument to tls1_change_cipher_state_cipher().


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.109 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.108 10-Apr-2017 jsing

freezero() the key block; simpler code and less of it.


Revision tags: OPENBSD_6_1_BASE
# 1.107 25-Mar-2017 jsing

Check tls1_PRF() return value in tls1_generate_master_secret().


# 1.106 25-Mar-2017 jsing

More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of
tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument
names and change lengths to size_t.

ok inoguchi@


# 1.105 18-Mar-2017 jsing

Fewer magic numbers.


# 1.104 18-Mar-2017 jsing

t1_enc.c


# 1.103 18-Mar-2017 jsing

Currently tls1_PRF() requires that a temporary buffer be provided, that
matches the size of the output buffer. This is used in the case where
there are multiple hashes - tls_P_hash() is called with the temporary
buffer and the result is then xored into the output buffer.

Avoid this by simply using a local buffer in tls_P_hash() and then xoring
the result into the output buffer. Overall this makes the code cleaner
and simplifies all of the tls_PRF() callers.

Similar to BoringSSL.

ok inoguchi@


# 1.102 10-Mar-2017 jsing

Remove the handshake digests and related code, replacing remaining uses
with the handshake hash. For now tls1_digest_cached_records() is retained
to release the handshake buffer.

ok beck@ inoguchi@


# 1.101 10-Mar-2017 jsing

First pass at cleaning up the tls1_P_hash() function - remove a pointless
EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the
code slightly.

ok inoguchi@


# 1.100 10-Mar-2017 jsing

Make tls1_PRF() non-static so it can be regress tested.


# 1.99 07-Mar-2017 jsing

Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned
and each hash processed separately.

Tested by tb@


# 1.98 06-Mar-2017 jsing

Clean up and simplify the tls1_PRF() implementation now that we have a
single EVP MD for the PRF hash.

ok beck@ inoguchi@


# 1.97 05-Mar-2017 jsing

Provide a rolling handshake hash that commences as soon as the cipher
suite has been selected, and convert the final finish MAC to use this
handshake hash.

This is a first step towards cleaning up the current handshake
buffer/digest code.

ok beck@ inoguchi@


# 1.96 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.95 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.94 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single funciton code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.93 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.92 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.91 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.90 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.89 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.88 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.87 06-Nov-2016 jsing

Remove unused SSLv3 from ssl3_cbc_record_digest_supported().

From Markus Uhlin <markus.uhlin at bredband dot net>

ok beck@ bcooK@


# 1.86 03-Nov-2016 jsing

Clean up the TLS handshake digest handling - this refactors some of the
code for improved readability, however it also address two issues.

The first of these is a hard-to-hit double free that will occur if
EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure
that tls1_digest_cached_records() either completes successfully and sets
up all of the necessary digests, or it cleans up and frees everything
that was allocated.

The second issue is that EVP_DigestUpdate() can fail - detect and handle
this in tls1_finish_mac() and change the return type to an int so that a
failure can be propagated to the caller (the callers still need to be
fixed to handle this, in a later diff).

The double-free was reported by Matthew Dillon.

ok beck@ doug@ miod@


# 1.85 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replaces the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.84 06-Mar-2016 beck

Make sure stdio functions don't end up in the library, from miod@
ok doug@ bcook@


# 1.83 11-Sep-2015 jsing

Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a
ssl3_ prefix.

ok beck@


# 1.82 11-Sep-2015 jsing

Merge the remnants of s3_enc.c into t1_enc.c.

ok beck@


# 1.81 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.80 27-Aug-2015 jsing

Change AEAD out_len argument to size_t instead of ssize_t - while here,
rename it to out_len so that its purpose is more obvious. Also, drop two
checks that are no longer possible (and have not been for a long time).

Spotted by and ok doug@


# 1.79 17-Jul-2015 doug

Remove workaround for TLS padding bug from SSLeay days.

OpenSSL doesn't remember which clients were impacted and the
functionality has been broken in their stable releases for 2 years.

Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.

ok jsing@


# 1.78 17-Jun-2015 jsing

Keep alerts sorted by alert code.


# 1.77 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatability with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.76 07-Feb-2015 doug

Remove useless variables and use the values directly.

From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.

ok miod@, jsing@


# 1.75 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.74 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.73 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.72 16-Nov-2014 jsing

Sort and group includes.


# 1.71 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.70 18-Oct-2014 doug

Typical malloc() with size multiplication to reallocarray().

ok deraadt@


# 1.69 07-Aug-2014 miod

Oops, revert changes commited by mistake. The previous commit was supposed
to only apply to s23_srvr.c.


# 1.68 07-Aug-2014 miod

When you expect a function to return a particular value, don't put a comment
saying that you expect it to return that value and compare it against zero
because it is supposedly faster, for this leads to bugs (especially given the
high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this
library).

Instead, compare for the exact value it ought to return upon success.

ok deraadt@


# 1.67 10-Jul-2014 jsing

Remove more compression related code.


# 1.66 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.65 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.64 08-Jul-2014 beck

pedantic avoidance of division by zero, likely not actually
possible to hit for real.
ok miod@ jsing@


# 1.63 21-Jun-2014 jsing

Pull the code that builds a DTLS sequence number out into its own function
to avoid duplication. Also use fewer magic numbers.

ok miod@


# 1.62 21-Jun-2014 jsing

Pull out the sequence number selection and handle this up front. Also, the
correct record is already known, so avoid reassignment.


# 1.61 21-Jun-2014 jsing

More KNF and clean up.


# 1.60 15-Jun-2014 jsing

Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(),
so that it reflects what it is actually doing. Use this function in a
number of places that still have the hand rolled version.

ok beck@ miod@


# 1.59 13-Jun-2014 jsing

Correctly calculate the key block length when using export ciphers.


# 1.58 13-Jun-2014 jsing

Swap compress/expand around so they are in the correct order - these ended
up in the wrong order when the code was refactored.


# 1.57 13-Jun-2014 jsing

Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and
EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.


# 1.56 13-Jun-2014 jsing

Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are
those that use EVP_AEAD instead ov EVP_CIPHER. This means being able to
change cipher state with an EVP_AEAD and being able to encrypt/decrypt
TLS using the EVP_AEAD. This has no change on existing
non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.

Based on Adam Langley's chromium patches.

Rides the recent libssl bump.

Tested by sthen@


# 1.55 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, which draft has expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.54 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.53 11-Jun-2014 jsing

Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since
OpenSSL 1.0.0.

ok miod@ (a little while back)


# 1.52 10-Jun-2014 jsing

In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex()
to avoid a possible NULL function call on ctx.final(). None of the callers
currently check the return value of calls to cert_verify_mac(), however
the function already returns 0 in another case and the MAC comparison will
later fail.

Issue reported by David Ramos.


# 1.51 08-Jun-2014 jsing

Add a define for the SSLv3 sequence size and use it, rather than sprinkling
magic numbers around.

ok deraadt@


# 1.50 08-Jun-2014 jsing

Be explicit with types. No binary change.


# 1.49 08-Jun-2014 jsing

Factor out the part of tls1_change_cipher_state() that is specific to
switching cipher states using an EVP_CIPHER. This will facilitate the
addition of cipher state changes for EVP_AEAD. No functional change.

Based on Adam Langley's chromium patches.


# 1.48 08-Jun-2014 jsing

Factor out the sequence number reset code to aid in upcoming changes.


# 1.47 07-Jun-2014 jsing

Add missing NULL check after calling EVP_PKEY_new_mac_key().

Based on Adam Langley's chromium patches.


# 1.46 07-Jun-2014 jsing

Use !is_read to imply SSL3_CC_WRITE.

While this is not strictly correct (since the presence of SSL3_CC_READ does
not guarantee the absence of SSL3_CC_WRITE), in practice only one of these
flags is set at a time and there is existing logic which already relies on
this behaviour.


# 1.45 07-Jun-2014 jsing

Move the export label initialisation into the export handling code, since
this is the only place where these variables are used.


# 1.44 07-Jun-2014 jsing

Remove pointless casts - no binary change.


# 1.43 07-Jun-2014 jsing

Rename variables to make it clear that these are only used in the export
code. Additionally, these need to be cleaned in the export case.

Based on Adam Langley's chromium patches.


# 1.42 07-Jun-2014 jsing

Further clean up of context handling in tls1_change_cipher_state().

Rather than doing a complex dance to figure out if we should reuse the
cipher context and clean it later on, just free it and allocate a new one.
This simplifies the code path, especially in the write case where special
handling is required for DTLS.

Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is
unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention
that it was already missing from the write case).


# 1.41 02-Jun-2014 jsing

Rename more variables for readability and consistency.


# 1.40 01-Jun-2014 jsing

Overhaul the key block handling in tls1_change_cipher_state() - use
meaningful variable names with pointer arithmitic, rather than n, i, j
and p with array indexing.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.39 01-Jun-2014 jsing

In tls1_setup_key_block(), use the correct IV length for GCM mode, which
results in the key block length calculation also being correct. Rename a
number of variables so that their purpose becomes clear and simplify some
of the code.

Inspired by Adam Langley's chromium diffs.

ok miod@


# 1.38 01-Jun-2014 jsing

Clean up the tls1_change_cipher_state() key length handling and use a
single variable with a descriptive name, instead of two poorly named
variables.

Largely based on Adam Langley's chromium patches.

ok miod@


# 1.37 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.36 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.35 29-May-2014 jsing

Fix another two cases where the return value of ssl_replace_hash() is
unchecked.

In the case of tls1_change_cipher_state(), it is fairly pointless to use
ssl_replace_hash(), since it does not initialise the hash and there is
special handling required in the DTLS write case. Instead, just inline
the part of ssl_replace_hash() that is needed and only
ssl_clear_hash_ctx() the write hash in the non-DTLS case.

Also add a detailed comment explaining why there needs to be specialised
handling for DTLS write context and where the contexts are actually freed.

ok miod@


# 1.34 28-May-2014 jsing

More KNF.


# 1.33 28-May-2014 jsing

Refactor tls1_change_cipher_state() and split the compression handling out
from the cipher and message digest handling, allowing for upcoming changes.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.32 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.31 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.30 25-May-2014 jsing

The ssl_cipher_get_evp() function is currently overloaded to also return the
compression associated with the SSL session. Based on one of Adam Langley's
chromium diffs, factor out the compression handling code into a separate
ssl_cipher_get_comp() function.

Rewrite the compression handling code to avoid pointless duplication and so
that failures are actually returned to and detectable by the caller.

ok miod@


# 1.29 24-May-2014 miod

Invoke OPENSSL_cleanse() with the size of the variable you are cleaning.
ok jsing@


# 1.28 20-May-2014 jsing

KSSL is dead... nuke KSSL_DEBUG from orbit.

ok beck@ miod@


# 1.27 28-Apr-2014 tedu

use the correct algorithm mask. reported by satish lvr via
http://marc.info/?l=openssl-dev&m=139779977532459&w=2
ok miod


# 1.26 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.25 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.24 19-Apr-2014 jsing

More KNF.


# 1.23 18-Apr-2014 tedu

now that knf carpet bombing is finished, switch to hand to hand combat.
still not sure what to make of mysteries like this:
for (i = 7; i >= 0; i--) { /* increment */


# 1.22 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.21 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.20 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.19 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.18 27-Feb-2014 jca

SECURITY fixes backported from openssl-1.0.1f. ok mikeb@

CVE-2013-4353 NULL pointer dereference with crafted Next Protocol
Negotiation record in TLS handshake.
Upstream: 197e0ea

CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client.
Upstream: ca98926, 0294b2b

CVE-2013-6450 Fix DTLS retransmission from previous session.
Upstream: 3462896


# 1.17 14-Feb-2013 markus

cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.14 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.13 09-Jan-2009 djm

resolve conflicts


# 1.12 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.11 06-Sep-2008 djm

resolve conflicts


# 1.10 29-Apr-2005 djm

resolve conflicts


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 01-Aug-2001 beck

merge openssl 0.9.6b-engine

Note that this is a maintenance release, APIs appear *not* to have changed.
As such, I have only increased the minor number on these libraries


# 1.5 22-Jun-2001 beck

openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.155 02-Oct-2022 jsing

Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL.

These are no longer necessary due to SSL_CTX and SSL now being fully
opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back
into SSL.

Prompted by tb@


Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
# 1.154 05-Feb-2022 jsing

Bye bye S3I.

S3I has served us well, however now that libssl is fully opaque it is time
to say goodbye. Aside from removing the calloc/free/memset, the rest is
mechanical sed.

ok inoguchi@ tb@


# 1.153 09-Dec-2021 tb

Convert t1_enc.c to opaque EVP_MD_CTX.

ok inoguchi jsing


# 1.152 23-Oct-2021 jsing

Mop up enc_read_ctx and read_hash.

These are no longer public, so we can mop them up along with the machinery
needed to set/clear them.

ok beck@ tb@


Revision tags: OPENBSD_7_0_BASE
# 1.151 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.150 13-Jun-2021 jsing

Remove tls1_alert_code().

After running the preprocessor, this function becomes:

switch (code) {
case 0:
return (0);
case 10:
return (10);
case 20:
return (20);
...
}

Its intended purpose was to prevent SSLv3 alerts being sent from TLS code,
however now that we've removed "no_certificate" from LibreSSL's reach, it
no longer does anything useful.

ok tb@


# 1.149 13-Jun-2021 jsing

Remove references to obsolete alerts.

The "no_certificate" alert only existed in SSLv3, while the
"decryption_failed" and "export_restriction" alerts were removed in
TLSv1.1.

ok tb@


# 1.148 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.147 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.146 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.145 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.144 05-May-2021 jsing

Replace DTLS w_epoch with epoch from TLSv1.2 record layer.

ok inoguchi@ tb@


# 1.143 05-May-2021 jsing

Rewrite TLSv1.2 key block handling.

For TLSv1.2 a single key block is generated, then partitioned into
individual secrets for use as IVs and keys. The previous implementation
splits this across two functions tls1_setup_key_block() and
tls1_change_cipher_state(), which means that the IV and key sizes have to
be known in multiple places.

This implementation generates and partitions the key block in a single
step, meaning that the secrets are then simply handed out when requested.

ok inoguchi@ tb@


# 1.142 02-May-2021 jsing

Clean up tls1_change_cipher_state().

Replace flag gymnastics at call sites with separate read and write,
functions which call the common code. Condition on s->server instead of
using SSL_ST_ACCEPT, for consistency and more readable code.

ok inoguchi@ tb@


# 1.141 02-May-2021 jsing

Clean up dtls1_reset_seq_numbers().

Rather than doing flag gymnastics, split dtls1_reset_seq_numbers() into
separate read and write functions. Move the calls of these functions into
tls1_change_cipher_state() so they directly follow the change of cipher
state in the record layer, which avoids having to duplicate the calls in
the client and server.

ok inoguchi@ tb@


# 1.140 30-Apr-2021 jsing

Clean up and harden TLSv1.2 master key derivation.

The master key and its length are only stored in one location, so it makes
no sense to handle these outside of the derivation function (the current
'out' argument is unused). This simplifies the various call sites.

If derivation fails for some reason, fail hard rather than continuing on
and hoping that something deals with this correctly later.

ok inoguchi@ tb@


# 1.139 25-Apr-2021 jsing

Clean up derivation of finished/peer finished.

Make this process more readable by having specific client/server functions,
calling the correct one based on s->server. This allows to remove various
SSL_ST_ACCEPT/SSL_ST_CONNECT checks, along with duplicate code.

ok inoguchi@ tb@


# 1.138 19-Apr-2021 jsing

Remove new_sym_enc and new_aead.

These can be replaced with accessors that allow this information to be
retrieved from the new record layer.

ok inoguchi@ tb@


# 1.137 19-Apr-2021 jsing

Move new_mac_secret_size into the TLSv1.2 handshake struct.

Drop the 'new_' prefix in the process.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_9_BASE
# 1.136 29-Mar-2021 jsing

Move the TLSv1.2 record number increment into the new record layer.

This adds checks (based on the TLSv1.3 implementation) to ensure that the
TLS/DTLS sequence numbers do not wrap, as required by the respective RFCs.

ok inoguchi@ tb@


# 1.135 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.134 24-Mar-2021 jsing

Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.

Move TLSv1.2 specific components over from SSL_HANDSHAKE.

ok inoguchi@ tb@


# 1.133 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.132 03-Feb-2021 tb

Fail early in legacy exporter if master secret is not available

The exporter depends on having a master secret. If the handshake is
not completed, it is neither guaranteed that a shared ciphersuite was
selected (in which case tls1_PRF() will currently NULL deref) or that
a master secret was set up (in which case the exporter will succeed
with a predictable value). Neither outcome is desirable, so error out
early instead of entering the sausage factory unprepared. This aligns
the legacy exporter with the TLSv1.3 exporter in that regard.

with/ok jsing


# 1.131 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.130 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.129 19-Jan-2021 jsing

Add code to handle change of cipher state in the new TLSv1.2 record layer.

This provides the basic framework for handling change of cipher state in
the new TLSv1.2 record layer, creating new record protection. In the DTLS
case we retain the previous write record protection and can switch back to
it when retransmitting. This will allow the record layer to start owning
sequence numbers and encryption/decryption state.

ok inoguchi@ tb@


# 1.128 07-Jan-2021 jsing

Move the read MAC key into the TLSv1.2 record layer.

ok inoguchi@ tb@


# 1.127 11-Nov-2020 jsing

Use size_t for key_block_len.

This allows us to remove a check and will make future changes simpler. Use
suitable names for tls1_generate_key_block() arguments while here.

ok inoguchi@ tb@


# 1.126 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.125 07-Oct-2020 jsing

Mop up various things that are now unused with the new record layer.

ok inoguchi@ tb@


# 1.124 03-Oct-2020 jsing

Reimplement the TLSv1.2 record handling for the read side.

This is the next step in replacing the TLSv1.2 record layer.

The existing record handling code does decryption and processing in
place, which is not ideal for various reasons, however it is retained
for now as other code depends on this behaviour. Additionally, CBC
requires special handling to avoid timing oracles - for now the
existing timing safe code is largely retained.

ok beck@ inoguchi@ tb@


Revision tags: OPENBSD_6_8_BASE
# 1.123 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_7_BASE
# 1.122 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.121 13-Mar-2020 jsing

Remove dtls1_enc().

Like much of the original DTLS code, dtls1_enc() is effectively a renamed
copy of tls1_enc(). Since then tls1_enc() has been modified, however the
non-AEAD code remains largely the same. As such, remove dtls1_enc() and
instead call tls1_enc() from the DTLS code.

The tls1_enc() AEAD code does not currently work correctly with DTLS,
however this is a non-issue since we do not support AEAD cipher suites with
DTLS currently.

ok tb@


# 1.120 12-Mar-2020 jsing

Stop overloading the record type for padding length.

Currently the CBC related code stuffs the padding length in the upper bits
of the type field... stop doing that and add a padding_length field to the
record struct instead.

ok inoguchi@ tb@


# 1.119 12-Mar-2020 jsing

Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.

SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in
public headers, even though their usage is internal. This moves to
using _INTERNAL suffixed versions that are in internal headers, which
then allows us to change them without any potential public API fallout.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.118 13-May-2019 bcook

Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.

Fixes COV-174858

ok tb@


Revision tags: OPENBSD_6_5_BASE
# 1.117 09-Feb-2019 jsing

Rename tls1_handshake_hash*() to tls1_transcript_hash*().

While handshake hash is correct (in as far as it is a hash of handshake
messages), using tls1_transcript_hash*() aligns them with the naming of the
tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses
Transcript-Hash and "transcript hash", which this matches.

ok inoguchi@ tb@


# 1.116 08-Nov-2018 jsing

Clean up and simplify the handshake transcript code.

This provides a cleaner, simpler and more readable API, with code that uses
a BUF_MEM instead of a BIO.

ok beck@ ("hurry up") and tb@.


# 1.115 24-Oct-2018 jsing

Make more of libssl's record layer state internal.

In January 2017, we changed large amounts of libssl's data structures to
be non-visible/internal, however intentionally left things that the
software ecosystem was needing to use. The four or so applications that
reached into libssl for record layer related state now implement
alternative code. As such, make these data structures internal.

ok tb@


Revision tags: OPENBSD_6_4_BASE
# 1.114 08-Sep-2018 jsing

Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.

ok inoguchi@ tb@


# 1.113 06-Sep-2018 jsing

Drop SSL_CIPHER_ALGORITHM2_AEAD flag.

All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can
condition on that rather than having a separate redundant flag.

ok tb@


# 1.112 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.111 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.110 31-Aug-2018 jsing

Remove unused argument to tls1_change_cipher_state_cipher().


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.109 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.108 10-Apr-2017 jsing

freezero() the key block; simpler code and less of it.


Revision tags: OPENBSD_6_1_BASE
# 1.107 25-Mar-2017 jsing

Check tls1_PRF() return value in tls1_generate_master_secret().


# 1.106 25-Mar-2017 jsing

More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of
tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument
names and change lengths to size_t.

ok inoguchi@


# 1.105 18-Mar-2017 jsing

Fewer magic numbers.


# 1.104 18-Mar-2017 jsing

t1_enc.c


# 1.103 18-Mar-2017 jsing

Currently tls1_PRF() requires that a temporary buffer be provided, that
matches the size of the output buffer. This is used in the case where
there are multiple hashes - tls_P_hash() is called with the temporary
buffer and the result is then xored into the output buffer.

Avoid this by simply using a local buffer in tls_P_hash() and then xoring
the result into the output buffer. Overall this makes the code cleaner
and simplifies all of the tls_PRF() callers.

Similar to BoringSSL.

ok inoguchi@


# 1.102 10-Mar-2017 jsing

Remove the handshake digests and related code, replacing remaining uses
with the handshake hash. For now tls1_digest_cached_records() is retained
to release the handshake buffer.

ok beck@ inoguchi@


# 1.101 10-Mar-2017 jsing

First pass at cleaning up the tls1_P_hash() function - remove a pointless
EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the
code slightly.

ok inoguchi@


# 1.100 10-Mar-2017 jsing

Make tls1_PRF() non-static so it can be regress tested.


# 1.99 07-Mar-2017 jsing

Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned
and each hash processed separately.

Tested by tb@


# 1.98 06-Mar-2017 jsing

Clean up and simplify the tls1_PRF() implementation now that we have a
single EVP MD for the PRF hash.

ok beck@ inoguchi@


# 1.97 05-Mar-2017 jsing

Provide a rolling handshake hash that commences as soon as the cipher
suite has been selected, and convert the final finish MAC to use this
handshake hash.

This is a first step towards cleaning up the current handshake
buffer/digest code.

ok beck@ inoguchi@


# 1.96 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.95 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.94 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single funciton code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.93 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.92 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.91 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.90 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.89 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.88 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.87 06-Nov-2016 jsing

Remove unused SSLv3 from ssl3_cbc_record_digest_supported().

From Markus Uhlin <markus.uhlin at bredband dot net>

ok beck@ bcooK@


# 1.86 03-Nov-2016 jsing

Clean up the TLS handshake digest handling - this refactors some of the
code for improved readability, however it also address two issues.

The first of these is a hard-to-hit double free that will occur if
EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure
that tls1_digest_cached_records() either completes successfully and sets
up all of the necessary digests, or it cleans up and frees everything
that was allocated.

The second issue is that EVP_DigestUpdate() can fail - detect and handle
this in tls1_finish_mac() and change the return type to an int so that a
failure can be propagated to the caller (the callers still need to be
fixed to handle this, in a later diff).

The double-free was reported by Matthew Dillon.

ok beck@ doug@ miod@


# 1.85 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replaces the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.84 06-Mar-2016 beck

Make sure stdio functions don't end up in the library, from miod@
ok doug@ bcook@


# 1.83 11-Sep-2015 jsing

Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a
ssl3_ prefix.

ok beck@


# 1.82 11-Sep-2015 jsing

Merge the remnants of s3_enc.c into t1_enc.c.

ok beck@


# 1.81 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.80 27-Aug-2015 jsing

Change AEAD out_len argument to size_t instead of ssize_t - while here,
rename it to out_len so that its purpose is more obvious. Also, drop two
checks that are no longer possible (and have not been for a long time).

Spotted by and ok doug@


# 1.79 17-Jul-2015 doug

Remove workaround for TLS padding bug from SSLeay days.

OpenSSL doesn't remember which clients were impacted and the
functionality has been broken in their stable releases for 2 years.

Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.

ok jsing@


# 1.78 17-Jun-2015 jsing

Keep alerts sorted by alert code.


# 1.77 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatability with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.76 07-Feb-2015 doug

Remove useless variables and use the values directly.

From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.

ok miod@, jsing@


# 1.75 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.74 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.73 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.72 16-Nov-2014 jsing

Sort and group includes.


# 1.71 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.70 18-Oct-2014 doug

Typical malloc() with size multiplication to reallocarray().

ok deraadt@


# 1.69 07-Aug-2014 miod

Oops, revert changes commited by mistake. The previous commit was supposed
to only apply to s23_srvr.c.


# 1.68 07-Aug-2014 miod

When you expect a function to return a particular value, don't put a comment
saying that you expect it to return that value and compare it against zero
because it is supposedly faster, for this leads to bugs (especially given the
high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this
library).

Instead, compare for the exact value it ought to return upon success.

ok deraadt@


# 1.67 10-Jul-2014 jsing

Remove more compression related code.


# 1.66 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.65 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.64 08-Jul-2014 beck

pedantic avoidance of division by zero, likely not actually
possible to hit for real.
ok miod@ jsing@


# 1.63 21-Jun-2014 jsing

Pull the code that builds a DTLS sequence number out into its own function
to avoid duplication. Also use fewer magic numbers.

ok miod@


# 1.62 21-Jun-2014 jsing

Pull out the sequence number selection and handle this up front. Also, the
correct record is already known, so avoid reassignment.


# 1.61 21-Jun-2014 jsing

More KNF and clean up.


# 1.60 15-Jun-2014 jsing

Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(),
so that it reflects what it is actually doing. Use this function in a
number of places that still have the hand rolled version.

ok beck@ miod@


# 1.59 13-Jun-2014 jsing

Correctly calculate the key block length when using export ciphers.


# 1.58 13-Jun-2014 jsing

Swap compress/expand around so they are in the correct order - these ended
up in the wrong order when the code was refactored.


# 1.57 13-Jun-2014 jsing

Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and
EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.


# 1.56 13-Jun-2014 jsing

Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are
those that use EVP_AEAD instead ov EVP_CIPHER. This means being able to
change cipher state with an EVP_AEAD and being able to encrypt/decrypt
TLS using the EVP_AEAD. This has no change on existing
non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.

Based on Adam Langley's chromium patches.

Rides the recent libssl bump.

Tested by sthen@


# 1.55 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, which draft has expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.54 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.53 11-Jun-2014 jsing

Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since
OpenSSL 1.0.0.

ok miod@ (a little while back)


# 1.52 10-Jun-2014 jsing

In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex()
to avoid a possible NULL function call on ctx.final(). None of the callers
currently check the return value of calls to cert_verify_mac(), however
the function already returns 0 in another case and the MAC comparison will
later fail.

Issue reported by David Ramos.


# 1.51 08-Jun-2014 jsing

Add a define for the SSLv3 sequence size and use it, rather than sprinkling
magic numbers around.

ok deraadt@


# 1.50 08-Jun-2014 jsing

Be explicit with types. No binary change.


# 1.49 08-Jun-2014 jsing

Factor out the part of tls1_change_cipher_state() that is specific to
switching cipher states using an EVP_CIPHER. This will facilitate the
addition of cipher state changes for EVP_AEAD. No functional change.

Based on Adam Langley's chromium patches.


# 1.48 08-Jun-2014 jsing

Factor out the sequence number reset code to aid in upcoming changes.


# 1.47 07-Jun-2014 jsing

Add missing NULL check after calling EVP_PKEY_new_mac_key().

Based on Adam Langley's chromium patches.


# 1.46 07-Jun-2014 jsing

Use !is_read to imply SSL3_CC_WRITE.

While this is not strictly correct (since the presence of SSL3_CC_READ does
not guarantee the absence of SSL3_CC_WRITE), in practice only one of these
flags is set at a time and there is existing logic which already relies on
this behaviour.


# 1.45 07-Jun-2014 jsing

Move the export label initialisation into the export handling code, since
this is the only place where these variables are used.


# 1.44 07-Jun-2014 jsing

Remove pointless casts - no binary change.


# 1.43 07-Jun-2014 jsing

Rename variables to make it clear that these are only used in the export
code. Additionally, these need to be cleaned in the export case.

Based on Adam Langley's chromium patches.


# 1.42 07-Jun-2014 jsing

Further clean up of context handling in tls1_change_cipher_state().

Rather than doing a complex dance to figure out if we should reuse the
cipher context and clean it later on, just free it and allocate a new one.
This simplifies the code path, especially in the write case where special
handling is required for DTLS.

Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is
unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention
that it was already missing from the write case).


# 1.41 02-Jun-2014 jsing

Rename more variables for readability and consistency.


# 1.40 01-Jun-2014 jsing

Overhaul the key block handling in tls1_change_cipher_state() - use
meaningful variable names with pointer arithmetic, rather than n, i, j
and p with array indexing.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.39 01-Jun-2014 jsing

In tls1_setup_key_block(), use the correct IV length for GCM mode, which
results in the key block length calculation also being correct. Rename a
number of variables so that their purpose becomes clear and simplify some
of the code.

Inspired by Adam Langley's chromium diffs.

ok miod@


# 1.38 01-Jun-2014 jsing

Clean up the tls1_change_cipher_state() key length handling and use a
single variable with a descriptive name, instead of two poorly named
variables.

Largely based on Adam Langley's chromium patches.

ok miod@
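
The key block handling that these three commits rework, as a runnable sketch: an added example in Python, not t1_enc.c code, that derives the key block once with the TLS PRF and partitions it into the MAC keys, cipher keys and IVs, using the 4-byte implicit nonce for GCM as 1.39 describes. Function names are borrowed from t1_enc.c for orientation only; the sample values are constructed.

```python
"""TLS PRF and key block derivation, modelled on t1_enc.c's
tls1_PRF()/tls1_setup_key_block()/tls1_change_cipher_state().
Added example using only the Python standard library; not LibreSSL code."""
import hmac
from dataclasses import dataclass

# Hash selections for the PRF: TLSv1.0/1.1 combine MD5 and SHA-1,
# TLSv1.2 uses the cipher suite's PRF hash (SHA-256 for most suites).
MD5_SHA1 = ("md5", "sha1")
SHA256 = ("sha256",)


def tls1_P_hash(md, secret, seed, out_len):
    """P_<hash> (RFC 5246, section 5): expand seed with an HMAC chain."""
    out = b""
    a = seed                                            # A(0) = seed
    while len(out) < out_len:
        a = hmac.new(secret, a, md).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, md).digest()  # HMAC(secret, A(i) + seed)
    return out[:out_len]


def tls1_PRF(mds, secret, label, seed, out_len):
    """TLS PRF.  One hash (TLSv1.2) is plain P_<hash>.  Two hashes (TLSv1.0/1.1)
    split the secret into S1 and S2, which overlap by one byte when the length
    is odd, run P_MD5 over S1 and P_SHA1 over S2, and XOR the results.  Feeding
    the whole secret to both halves derives keys a conforming peer will not
    agree on."""
    label_seed = label + seed
    if len(mds) == 1:
        return tls1_P_hash(mds[0], secret, label_seed, out_len)
    if len(mds) != 2:
        raise ValueError("the PRF takes one or two hashes")
    half = (len(secret) + 1) // 2          # L_S1 = L_S2 = ceil(L_S / 2)
    s1, s2 = secret[:half], secret[len(secret) - half:]
    p1 = tls1_P_hash(mds[0], s1, label_seed, out_len)
    p2 = tls1_P_hash(mds[1], s2, label_seed, out_len)
    return bytes(x ^ y for x, y in zip(p1, p2))


def tls1_generate_master_secret(mds, pre_master_secret, client_random, server_random):
    """master_secret = PRF(pre_master_secret, "master secret", client_random + server_random)."""
    return tls1_PRF(mds, pre_master_secret, b"master secret",
                    client_random + server_random, 48)


@dataclass(frozen=True)
class KeyBlock:
    """The six secrets cut from the key block, in RFC 5246 section 6.3 order."""
    client_write_mac_key: bytes
    server_write_mac_key: bytes
    client_write_key: bytes
    server_write_key: bytes
    client_write_iv: bytes
    server_write_iv: bytes


def tls1_generate_key_block(mds, master_secret, server_random, client_random,
                            mac_key_len, key_len, iv_len):
    """Derive the key block and partition it in one place, so the MAC, key and
    IV sizes are needed only here (rather than in both tls1_setup_key_block()
    and tls1_change_cipher_state()).  Note the seed order: server_random first.
    For AES-GCM, mac_key_len is 0 and iv_len is the 4-byte implicit nonce, not
    the cipher's 12-byte IV: a wrong iv_len makes the key block the wrong size
    and cuts the server's IV from the wrong offset."""
    key_block_len = 2 * (mac_key_len + key_len + iv_len)
    key_block = tls1_PRF(mds, master_secret, b"key expansion",
                         server_random + client_random, key_block_len)
    parts, offset = [], 0
    for size in (mac_key_len, mac_key_len, key_len, key_len, iv_len, iv_len):
        parts.append(key_block[offset:offset + size])
        offset += size
    return KeyBlock(*parts)


if __name__ == "__main__":
    # Constructed sample values; not taken from any real handshake.
    pre_master = bytes(range(48))
    client_random, server_random = b"\x11" * 32, b"\x22" * 32
    ms = tls1_generate_master_secret(SHA256, pre_master, client_random, server_random)
    cbc = tls1_generate_key_block(SHA256, ms, server_random, client_random,
                                  mac_key_len=32, key_len=16, iv_len=16)   # AES-128-CBC-SHA256
    gcm = tls1_generate_key_block(SHA256, ms, server_random, client_random,
                                  mac_key_len=0, key_len=16, iv_len=4)     # AES-128-GCM
    print("client_write_key:", cbc.client_write_key.hex())
    print("GCM client implicit nonce:", gcm.client_write_iv.hex())
```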


# 1.37 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.36 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.35 29-May-2014 jsing

Fix another two cases where the return value of ssl_replace_hash() is
unchecked.

In the case of tls1_change_cipher_state(), it is fairly pointless to use
ssl_replace_hash(), since it does not initialise the hash and there is
special handling required in the DTLS write case. Instead, just inline
the part of ssl_replace_hash() that is needed and only
ssl_clear_hash_ctx() the write hash in the non-DTLS case.

Also add a detailed comment explaining why there needs to be specialised
handling for DTLS write context and where the contexts are actually freed.

ok miod@


# 1.34 28-May-2014 jsing

More KNF.


# 1.33 28-May-2014 jsing

Refactor tls1_change_cipher_state() and split the compression handling out
from the cipher and message digest handling, allowing for upcoming changes.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.32 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.31 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.30 25-May-2014 jsing

The ssl_ciper_get_evp() function is currently overloaded to also return the
compression associated with the SSL session. Based on one of Adam Langley's
chromium diffs, factor out the compression handling code into a separate
ssl_cipher_get_comp() function.

Rewrite the compression handling code to avoid pointless duplication and so
that failures are actually returned to and detectable by the caller.

ok miod@


# 1.29 24-May-2014 miod

Invoke OPENSSL_cleanse() with the size of the variable you are cleaning.
ok jsing@


# 1.28 20-May-2014 jsing

KSSL is dead... nuke KSSL_DEBUG from orbit.

ok beck@ miod@


# 1.27 28-Apr-2014 tedu

use the correct algorithm mask. reported by satish lvr via
http://marc.info/?l=openssl-dev&m=139779977532459&w=2
ok miod


# 1.26 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.25 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.24 19-Apr-2014 jsing

More KNF.


# 1.23 18-Apr-2014 tedu

now that knf carpet bombing is finished, switch to hand to hand combat.
still not sure what to make of mysteries like this:
for (i = 7; i >= 0; i--) { /* increment */


# 1.22 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_relloc->realloc
OPENSSL_freeFunc->free


# 1.21 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.20 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.19 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.18 27-Feb-2014 jca

SECURITY fixes backported from openssl-1.0.1f. ok mikeb@

CVE-2013-4353 NULL pointer dereference with crafted Next Protocol
Negotiation record in TLS handshake.
Upstream: 197e0ea

CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client.
Upstream: ca98926, 0294b2b

CVE-2013-6450 Fix DTLS retransmission from previous session.
Upstream: 3462896


# 1.17 14-Feb-2013 markus

cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.14 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.13 09-Jan-2009 djm

resolve conflicts


# 1.12 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.11 06-Sep-2008 djm

resolve conflicts


# 1.10 29-Apr-2005 djm

resolve conflicts


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 01-Aug-2001 beck

merge openssl 0.9.6b-engine

Note that this is a maintenance release, APIs appear *not* to have changed.
As such, I have only increased the minor number on these libraries


# 1.5 22-Jun-2001 beck

openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.42 07-Jun-2014 jsing

Further clean up of context handling in tls1_change_cipher_state().

Rather than doing a complex dance to figure out if we should reuse the
cipher context and clean it later on, just free it and allocate a new one.
This simplifies the code path, especially in the write case where special
handling is required for DTLS.

Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is
unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention
that it was already missing from the write case).


# 1.41 02-Jun-2014 jsing

Rename more variables for readability and consistency.


# 1.40 01-Jun-2014 jsing

Overhaul the key block handling in tls1_change_cipher_state() - use
meaningful variable names with pointer arithmetic, rather than n, i, j
and p with array indexing.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.39 01-Jun-2014 jsing

In tls1_setup_key_block(), use the correct IV length for GCM mode, which
results in the key block length calculation also being correct. Rename a
number of variables so that their purpose becomes clear and simplify some
of the code.

Inspired by Adam Langley's chromium diffs.

ok miod@

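Entries 1.40 and 1.39 above concern the key block: it is derived from the master secret with the TLS PRF, its length is the sum of the per-direction MAC key, key and IV sizes, and it is then partitioned in a fixed order. The example below is added here and is not libssl code; it is Python rather than C so it runs without OpenSSL. It implements P_hash and the PRF for both TLSv1.0/1.1 (MD5+SHA1 with a split secret) and TLSv1.2 (single hash), then generates and partitions a key block. CIPHER_PARAMS is a constructed table; the GCM entry shows the point of 1.39: the "IV" portion for GCM is the 4-byte fixed nonce, not the cipher block size, and the wrong value changes the key block length.

```python
"""TLS PRF and key block partitioning (RFC 4346 section 5, RFC 5246 sections 5 and 6.3).

Added example, not libssl code. CIPHER_PARAMS is a constructed table of
(mac_key_len, key_len, iv_len) for a few cipher suites.
"""
import hashlib
import hmac

CIPHER_PARAMS = {
    "AES128-SHA":        (20, 16, 16),  # HMAC-SHA1 key, AES-128-CBC key, 16-byte CBC IV
    "AES256-SHA256":     (32, 32, 16),  # HMAC-SHA256 key, AES-256-CBC key, CBC IV
    "AES128-GCM-SHA256": (0, 16, 4),    # AEAD: no MAC key; 4-byte fixed nonce (RFC 5288)
    "CHACHA20-POLY1305": (0, 32, 12),   # AEAD: no MAC key; 12-byte nonce (RFC 7905)
}


def p_hash(md, secret: bytes, seed: bytes, outlen: int) -> bytes:
    """P_<hash>: HMAC chain A(i) = HMAC(secret, A(i-1)), output HMAC(secret, A(i) + seed)."""
    out = b""
    a = seed                                    # A(0) = seed
    while len(out) < outlen:
        a = hmac.new(secret, a, md).digest()
        out += hmac.new(secret, a + seed, md).digest()
    return out[:outlen]


def split_secret(secret: bytes) -> tuple:
    """TLSv1.0/1.1: S1 is the first ceil(L/2) bytes, S2 the last ceil(L/2);
    for an odd length the middle byte belongs to both halves."""
    half = (len(secret) + 1) // 2
    return secret[:half], secret[len(secret) - half:]


def tls_prf(secret: bytes, label: bytes, seed: bytes, outlen: int, tls12_md=None) -> bytes:
    """PRF(secret, label, seed) producing outlen bytes.

    tls12_md set (e.g. hashlib.sha256): TLSv1.2, a single P_<hash>.
    tls12_md None: TLSv1.0/1.1, P_MD5(S1) XOR P_SHA1(S2) over the split secret.
    """
    if tls12_md is not None:
        return p_hash(tls12_md, secret, label + seed, outlen)
    s1, s2 = split_secret(secret)
    md5_out = p_hash(hashlib.md5, s1, label + seed, outlen)
    sha1_out = p_hash(hashlib.sha1, s2, label + seed, outlen)
    return bytes(x ^ y for x, y in zip(md5_out, sha1_out))


def key_block_len(suite: str) -> int:
    """Two directions each of MAC key, key and IV."""
    mac_len, key_len, iv_len = CIPHER_PARAMS[suite]
    return 2 * (mac_len + key_len + iv_len)


def generate_key_block(suite: str, master_secret: bytes, server_random: bytes,
                       client_random: bytes, tls12_md=None) -> bytes:
    """key_block = PRF(master_secret, "key expansion", server_random + client_random)."""
    return tls_prf(master_secret, b"key expansion", server_random + client_random,
                   key_block_len(suite), tls12_md)


def partition_key_block(suite: str, key_block: bytes) -> dict:
    """Slice the key block in RFC 5246 section 6.3 order."""
    mac_len, key_len, iv_len = CIPHER_PARAMS[suite]
    if len(key_block) != key_block_len(suite):
        raise ValueError("key block is %d bytes, expected %d"
                         % (len(key_block), key_block_len(suite)))
    layout = [("client_write_mac_key", mac_len), ("server_write_mac_key", mac_len),
              ("client_write_key", key_len), ("server_write_key", key_len),
              ("client_write_iv", iv_len), ("server_write_iv", iv_len)]
    secrets, offset = {}, 0
    for name, size in layout:
        secrets[name] = key_block[offset:offset + size]
        offset += size
    return secrets
```

Generating and slicing in one place, as this does, means the IV and key sizes live in a single table; the log entries describe the same change in libssl, where the sizes had previously been needed in both tls1_setup_key_block() and tls1_change_cipher_state().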

# 1.38 01-Jun-2014 jsing

Clean up the tls1_change_cipher_state() key length handling and use a
single variable with a descriptive name, instead of two poorly named
variables.

Largely based on Adam Langley's chromium patches.

ok miod@


# 1.37 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.36 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.35 29-May-2014 jsing

Fix another two cases where the return value of ssl_replace_hash() is
unchecked.

In the case of tls1_change_cipher_state(), it is fairly pointless to use
ssl_replace_hash(), since it does not initialise the hash and there is
special handling required in the DTLS write case. Instead, just inline
the part of ssl_replace_hash() that is needed and only
ssl_clear_hash_ctx() the write hash in the non-DTLS case.

Also add a detailed comment explaining why there needs to be specialised
handling for DTLS write context and where the contexts are actually freed.

ok miod@


# 1.34 28-May-2014 jsing

More KNF.


# 1.33 28-May-2014 jsing

Refactor tls1_change_cipher_state() and split the compression handling out
from the cipher and message digest handling, allowing for upcoming changes.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.32 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.31 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.30 25-May-2014 jsing

The ssl_cipher_get_evp() function is currently overloaded to also return the
compression associated with the SSL session. Based on one of Adam Langley's
chromium diffs, factor out the compression handling code into a separate
ssl_cipher_get_comp() function.

Rewrite the compression handling code to avoid pointless duplication and so
that failures are actually returned to and detectable by the caller.

ok miod@


# 1.29 24-May-2014 miod

Invoke OPENSSL_cleanse() with the size of the variable you are cleaning.
ok jsing@


# 1.28 20-May-2014 jsing

KSSL is dead... nuke KSSL_DEBUG from orbit.

ok beck@ miod@


# 1.27 28-Apr-2014 tedu

use the correct algorithm mask. reported by satish lvr via
http://marc.info/?l=openssl-dev&m=139779977532459&w=2
ok miod


# 1.26 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.25 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.24 19-Apr-2014 jsing

More KNF.


# 1.23 18-Apr-2014 tedu

now that knf carpet bombing is finished, switch to hand to hand combat.
still not sure what to make of mysteries like this:
for (i = 7; i >= 0; i--) { /* increment */


# 1.22 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.21 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.20 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.19 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.18 27-Feb-2014 jca

SECURITY fixes backported from openssl-1.0.1f. ok mikeb@

CVE-2013-4353 NULL pointer dereference with crafted Next Protocol
Negotiation record in TLS handshake.
Upstream: 197e0ea

CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client.
Upstream: ca98926, 0294b2b

CVE-2013-6450 Fix DTLS retransmission from previous session.
Upstream: 3462896


# 1.17 14-Feb-2013 markus

cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.14 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.13 09-Jan-2009 djm

resolve conflicts


# 1.12 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.11 06-Sep-2008 djm

resolve conflicts


# 1.10 29-Apr-2005 djm

resolve conflicts


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 01-Aug-2001 beck

merge openssl 0.9.6b-engine

Note that this is a maintenance release; APIs appear *not* to have changed.
As such, I have only increased the minor number on these libraries.


# 1.5 22-Jun-2001 beck

openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2.
If you are using the ssl26 packages for ssh and other things to work, you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs.


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.153 09-Dec-2021 tb

Convert t1_enc.c to opaque EVP_MD_CTX.

ok inoguchi jsing


# 1.152 23-Oct-2021 jsing

Mop up enc_read_ctx and read_hash.

These are no longer public, so we can mop them up along with the machinery
needed to set/clear them.

ok beck@ tb@


Revision tags: OPENBSD_7_0_BASE
# 1.151 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.150 13-Jun-2021 jsing

Remove tls1_alert_code().

After running the preprocessor, this function becomes:

switch (code) {
case 0:
return (0);
case 10:
return (10);
case 20:
return (20);
...
}

Its intended purpose was to prevent SSLv3 alerts being sent from TLS code,
however now that we've removed "no_certificate" from LibreSSL's reach, it
no longer does anything useful.

ok tb@


# 1.149 13-Jun-2021 jsing

Remove references to obsolete alerts.

The "no_certificate" alert only existed in SSLv3, while the
"decryption_failed" and "export_restriction" alerts were removed in
TLSv1.1.

ok tb@


# 1.148 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.147 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.146 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.145 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.144 05-May-2021 jsing

Replace DTLS w_epoch with epoch from TLSv1.2 record layer.

ok inoguchi@ tb@


# 1.143 05-May-2021 jsing

Rewrite TLSv1.2 key block handling.

For TLSv1.2 a single key block is generated, then partitioned into
individual secrets for use as IVs and keys. The previous implementation
splits this across two functions tls1_setup_key_block() and
tls1_change_cipher_state(), which means that the IV and key sizes have to
be known in multiple places.

This implementation generates and partitions the key block in a single
step, meaning that the secrets are then simply handed out when requested.

ok inoguchi@ tb@


# 1.142 02-May-2021 jsing

Clean up tls1_change_cipher_state().

Replace flag gymnastics at call sites with separate read and write,
functions which call the common code. Condition on s->server instead of
using SSL_ST_ACCEPT, for consistency and more readable code.

ok inoguchi@ tb@


# 1.141 02-May-2021 jsing

Clean up dtls1_reset_seq_numbers().

Rather than doing flag gymnastics, split dtls1_reset_seq_numbers() into
separate read and write functions. Move the calls of these functions into
tls1_change_cipher_state() so they directly follow the change of cipher
state in the record layer, which avoids having to duplicate the calls in
the client and server.

ok inoguchi@ tb@


# 1.140 30-Apr-2021 jsing

Clean up and harden TLSv1.2 master key derivation.

The master key and its length are only stored in one location, so it makes
no sense to handle these outside of the derivation function (the current
'out' argument is unused). This simplifies the various call sites.

If derivation fails for some reason, fail hard rather than continuing on
and hoping that something deals with this correctly later.

ok inoguchi@ tb@


# 1.139 25-Apr-2021 jsing

Clean up derivation of finished/peer finished.

Make this process more readable by having specific client/server functions,
calling the correct one based on s->server. This allows to remove various
SSL_ST_ACCEPT/SSL_ST_CONNECT checks, along with duplicate code.

ok inoguchi@ tb@


# 1.138 19-Apr-2021 jsing

Remove new_sym_enc and new_aead.

These can be replaced with accessors that allow this information to be
retrieved from the new record layer.

ok inoguchi@ tb@


# 1.137 19-Apr-2021 jsing

Move new_mac_secret_size into the TLSv1.2 handshake struct.

Drop the 'new_' prefix in the process.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_9_BASE
# 1.136 29-Mar-2021 jsing

Move the TLSv1.2 record number increment into the new record layer.

This adds checks (based on the TLSv1.3 implementation) to ensure that the
TLS/DTLS sequence numbers do not wrap, as required by the respective RFCs.

ok inoguchi@ tb@


# 1.135 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.134 24-Mar-2021 jsing

Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.

Move TLSv1.2 specific components over from SSL_HANDSHAKE.

ok inoguchi@ tb@


# 1.133 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.132 03-Feb-2021 tb

Fail early in legacy exporter if master secret is not available

The exporter depends on having a master secret. If the handshake is
not completed, it is neither guaranteed that a shared ciphersuite was
selected (in which case tls1_PRF() will currently NULL deref) or that
a master secret was set up (in which case the exporter will succeed
with a predictable value). Neither outcome is desirable, so error out
early instead of entering the sausage factory unprepared. This aligns
the legacy exporter with the TLSv1.3 exporter in that regard.

with/ok jsing


# 1.131 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.130 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.129 19-Jan-2021 jsing

Add code to handle change of cipher state in the new TLSv1.2 record layer.

This provides the basic framework for handling change of cipher state in
the new TLSv1.2 record layer, creating new record protection. In the DTLS
case we retain the previous write record protection and can switch back to
it when retransmitting. This will allow the record layer to start owning
sequence numbers and encryption/decryption state.

ok inoguchi@ tb@


# 1.128 07-Jan-2021 jsing

Move the read MAC key into the TLSv1.2 record layer.

ok inoguchi@ tb@


# 1.127 11-Nov-2020 jsing

Use size_t for key_block_len.

This allows us to remove a check and will make future changes simpler. Use
suitable names for tls1_generate_key_block() arguments while here.

ok inoguchi@ tb@


# 1.126 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.125 07-Oct-2020 jsing

Mop up various things that are now unused with the new record layer.

ok inoguchi@ tb@


# 1.124 03-Oct-2020 jsing

Reimplement the TLSv1.2 record handling for the read side.

This is the next step in replacing the TLSv1.2 record layer.

The existing record handling code does decryption and processing in
place, which is not ideal for various reasons, however it is retained
for now as other code depends on this behaviour. Additionally, CBC
requires special handling to avoid timing oracles - for now the
existing timing safe code is largely retained.

ok beck@ inoguchi@ tb@


Revision tags: OPENBSD_6_8_BASE
# 1.123 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_7_BASE
# 1.122 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.121 13-Mar-2020 jsing

Remove dtls1_enc().

Like much of the original DTLS code, dtls1_enc() is effectively a renamed
copy of tls1_enc(). Since then tls1_enc() has been modified, however the
non-AEAD code remains largely the same. As such, remove dtls1_enc() and
instead call tls1_enc() from the DTLS code.

The tls1_enc() AEAD code does not currently work correctly with DTLS,
however this is a non-issue since we do not support AEAD cipher suites with
DTLS currently.

ok tb@


# 1.120 12-Mar-2020 jsing

Stop overloading the record type for padding length.

Currently the CBC related code stuffs the padding length in the upper bits
of the type field... stop doing that and add a padding_length field to the
record struct instead.

ok inoguchi@ tb@


# 1.119 12-Mar-2020 jsing

Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.

SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in
public headers, even though their usage is internal. This moves to
using _INTERNAL suffixed versions that are in internal headers, which
then allows us to change them without any potential public API fallout.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.118 13-May-2019 bcook

Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.

Fixes COV-174858

ok tb@


Revision tags: OPENBSD_6_5_BASE
# 1.117 09-Feb-2019 jsing

Rename tls1_handshake_hash*() to tls1_transcript_hash*().

While handshake hash is correct (in as far as it is a hash of handshake
messages), using tls1_transcript_hash*() aligns them with the naming of the
tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses
Transcript-Hash and "transcript hash", which this matches.

ok inoguchi@ tb@


# 1.116 08-Nov-2018 jsing

Clean up and simplify the handshake transcript code.

This provides a cleaner, simpler and more readable API, with code that uses
a BUF_MEM instead of a BIO.

ok beck@ ("hurry up") and tb@.


# 1.115 24-Oct-2018 jsing

Make more of libssl's record layer state internal.

In January 2017, we changed large amounts of libssl's data structures to
be non-visible/internal, however intentionally left things that the
software ecosystem was needing to use. The four or so applications that
reached into libssl for record layer related state now implement
alternative code. As such, make these data structures internal.

ok tb@


Revision tags: OPENBSD_6_4_BASE
# 1.114 08-Sep-2018 jsing

Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.

ok inoguchi@ tb@


# 1.113 06-Sep-2018 jsing

Drop SSL_CIPHER_ALGORITHM2_AEAD flag.

All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can
condition on that rather than having a separate redundant flag.

ok tb@


# 1.112 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.111 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.110 31-Aug-2018 jsing

Remove unused argument to tls1_change_cipher_state_cipher().


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.109 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.108 10-Apr-2017 jsing

freezero() the key block; simpler code and less of it.


Revision tags: OPENBSD_6_1_BASE
# 1.107 25-Mar-2017 jsing

Check tls1_PRF() return value in tls1_generate_master_secret().


# 1.106 25-Mar-2017 jsing

More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of
tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument
names and change lengths to size_t.

ok inoguchi@


# 1.105 18-Mar-2017 jsing

Fewer magic numbers.


# 1.104 18-Mar-2017 jsing

t1_enc.c


# 1.103 18-Mar-2017 jsing

Currently tls1_PRF() requires that a temporary buffer be provided, that
matches the size of the output buffer. This is used in the case where
there are multiple hashes - tls_P_hash() is called with the temporary
buffer and the result is then xored into the output buffer.

Avoid this by simply using a local buffer in tls_P_hash() and then xoring
the result into the output buffer. Overall this makes the code cleaner
and simplifies all of the tls_PRF() callers.

Similar to BoringSSL.

ok inoguchi@


# 1.102 10-Mar-2017 jsing

Remove the handshake digests and related code, replacing remaining uses
with the handshake hash. For now tls1_digest_cached_records() is retained
to release the handshake buffer.

ok beck@ inoguchi@


# 1.101 10-Mar-2017 jsing

First pass at cleaning up the tls1_P_hash() function - remove a pointless
EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the
code slightly.

ok inoguchi@


# 1.100 10-Mar-2017 jsing

Make tls1_PRF() non-static so it can be regress tested.


# 1.99 07-Mar-2017 jsing

Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned
and each hash processed separately.

Tested by tb@


# 1.98 06-Mar-2017 jsing

Clean up and simplify the tls1_PRF() implementation now that we have a
single EVP MD for the PRF hash.

ok beck@ inoguchi@


# 1.97 05-Mar-2017 jsing

Provide a rolling handshake hash that commences as soon as the cipher
suite has been selected, and convert the final finish MAC to use this
handshake hash.

This is a first step towards cleaning up the current handshake
buffer/digest code.

ok beck@ inoguchi@


# 1.96 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.95 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.94 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single funciton code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.93 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.92 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.91 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.90 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.89 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.88 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.87 06-Nov-2016 jsing

Remove unused SSLv3 from ssl3_cbc_record_digest_supported().

From Markus Uhlin <markus.uhlin at bredband dot net>

ok beck@ bcooK@


# 1.86 03-Nov-2016 jsing

Clean up the TLS handshake digest handling - this refactors some of the
code for improved readability, however it also address two issues.

The first of these is a hard-to-hit double free that will occur if
EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure
that tls1_digest_cached_records() either completes successfully and sets
up all of the necessary digests, or it cleans up and frees everything
that was allocated.

The second issue is that EVP_DigestUpdate() can fail - detect and handle
this in tls1_finish_mac() and change the return type to an int so that a
failure can be propagated to the caller (the callers still need to be
fixed to handle this, in a later diff).

The double-free was reported by Matthew Dillon.

ok beck@ doug@ miod@


# 1.85 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replaces the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.84 06-Mar-2016 beck

Make sure stdio functions don't end up in the library, from miod@
ok doug@ bcook@


# 1.83 11-Sep-2015 jsing

Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a
ssl3_ prefix.

ok beck@


# 1.82 11-Sep-2015 jsing

Merge the remnants of s3_enc.c into t1_enc.c.

ok beck@


# 1.81 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.80 27-Aug-2015 jsing

Change AEAD out_len argument to size_t instead of ssize_t - while here,
rename it to out_len so that its purpose is more obvious. Also, drop two
checks that are no longer possible (and have not been for a long time).

Spotted by and ok doug@


# 1.79 17-Jul-2015 doug

Remove workaround for TLS padding bug from SSLeay days.

OpenSSL doesn't remember which clients were impacted and the
functionality has been broken in their stable releases for 2 years.

Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.

ok jsing@


# 1.78 17-Jun-2015 jsing

Keep alerts sorted by alert code.


# 1.77 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatability with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.76 07-Feb-2015 doug

Remove useless variables and use the values directly.

From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.

ok miod@, jsing@


# 1.75 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.74 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.73 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.72 16-Nov-2014 jsing

Sort and group includes.


# 1.71 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.70 18-Oct-2014 doug

Typical malloc() with size multiplication to reallocarray().

ok deraadt@


# 1.69 07-Aug-2014 miod

Oops, revert changes commited by mistake. The previous commit was supposed
to only apply to s23_srvr.c.


# 1.68 07-Aug-2014 miod

When you expect a function to return a particular value, don't put a comment
saying that you expect it to return that value and compare it against zero
because it is supposedly faster, for this leads to bugs (especially given the
high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this
library).

Instead, compare for the exact value it ought to return upon success.

ok deraadt@


# 1.67 10-Jul-2014 jsing

Remove more compression related code.


# 1.66 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.65 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.64 08-Jul-2014 beck

pedantic avoidance of division by zero, likely not actually
possible to hit for real.
ok miod@ jsing@


# 1.63 21-Jun-2014 jsing

Pull the code that builds a DTLS sequence number out into its own function
to avoid duplication. Also use fewer magic numbers.

ok miod@


# 1.62 21-Jun-2014 jsing

Pull out the sequence number selection and handle this up front. Also, the
correct record is already known, so avoid reassignment.


# 1.61 21-Jun-2014 jsing

More KNF and clean up.


# 1.60 15-Jun-2014 jsing

Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(),
so that it reflects what it is actually doing. Use this function in a
number of places that still have the hand rolled version.

ok beck@ miod@


# 1.59 13-Jun-2014 jsing

Correctly calculate the key block length when using export ciphers.


# 1.58 13-Jun-2014 jsing

Swap compress/expand around so they are in the correct order - these ended
up in the wrong order when the code was refactored.


# 1.57 13-Jun-2014 jsing

Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and
EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.


# 1.56 13-Jun-2014 jsing

Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are
those that use EVP_AEAD instead of EVP_CIPHER. This means being able to
change cipher state with an EVP_AEAD and being able to encrypt/decrypt
TLS using the EVP_AEAD. This has no change on existing
non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.

Based on Adam Langley's chromium patches.

Rides the recent libssl bump.

Tested by sthen@


# 1.55 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.54 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.53 11-Jun-2014 jsing

Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since
OpenSSL 1.0.0.

ok miod@ (a little while back)


# 1.52 10-Jun-2014 jsing

In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex()
to avoid a possible NULL function call on ctx.final(). None of the callers
currently check the return value of calls to cert_verify_mac(), however
the function already returns 0 in another case and the MAC comparison will
later fail.

Issue reported by David Ramos.


# 1.51 08-Jun-2014 jsing

Add a define for the SSLv3 sequence size and use it, rather than sprinkling
magic numbers around.

ok deraadt@


# 1.50 08-Jun-2014 jsing

Be explicit with types. No binary change.


# 1.49 08-Jun-2014 jsing

Factor out the part of tls1_change_cipher_state() that is specific to
switching cipher states using an EVP_CIPHER. This will facilitate the
addition of cipher state changes for EVP_AEAD. No functional change.

Based on Adam Langley's chromium patches.


# 1.48 08-Jun-2014 jsing

Factor out the sequence number reset code to aid in upcoming changes.


# 1.47 07-Jun-2014 jsing

Add missing NULL check after calling EVP_PKEY_new_mac_key().

Based on Adam Langley's chromium patches.


# 1.46 07-Jun-2014 jsing

Use !is_read to imply SSL3_CC_WRITE.

While this is not strictly correct (since the presence of SSL3_CC_READ does
not guarantee the absence of SSL3_CC_WRITE), in practice only one of these
flags is set at a time and there is existing logic which already relies on
this behaviour.


# 1.45 07-Jun-2014 jsing

Move the export label initialisation into the export handling code, since
this is the only place where these variables are used.


# 1.44 07-Jun-2014 jsing

Remove pointless casts - no binary change.


# 1.43 07-Jun-2014 jsing

Rename variables to make it clear that these are only used in the export
code. Additionally, these need to be cleaned in the export case.

Based on Adam Langley's chromium patches.


# 1.42 07-Jun-2014 jsing

Further clean up of context handling in tls1_change_cipher_state().

Rather than doing a complex dance to figure out if we should reuse the
cipher context and clean it later on, just free it and allocate a new one.
This simplifies the code path, especially in the write case where special
handling is required for DTLS.

Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is
unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention
that it was already missing from the write case).


# 1.41 02-Jun-2014 jsing

Rename more variables for readability and consistency.


# 1.40 01-Jun-2014 jsing

Overhaul the key block handling in tls1_change_cipher_state() - use
meaningful variable names with pointer arithmetic, rather than n, i, j
and p with array indexing.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.39 01-Jun-2014 jsing

In tls1_setup_key_block(), use the correct IV length for GCM mode, which
results in the key block length calculation also being correct. Rename a
number of variables so that their purpose becomes clear and simplify some
of the code.

Inspired by Adam Langley's chromium diffs.

ok miod@


# 1.38 01-Jun-2014 jsing

Clean up the tls1_change_cipher_state() key length handling and use a
single variable with a descriptive name, instead of two poorly named
variables.

Largely based on Adam Langley's chromium patches.

ok miod@


# 1.37 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.36 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.35 29-May-2014 jsing

Fix another two cases where the return value of ssl_replace_hash() is
unchecked.

In the case of tls1_change_cipher_state(), it is fairly pointless to use
ssl_replace_hash(), since it does not initialise the hash and there is
special handling required in the DTLS write case. Instead, just inline
the part of ssl_replace_hash() that is needed and only
ssl_clear_hash_ctx() the write hash in the non-DTLS case.

Also add a detailed comment explaining why there needs to be specialised
handling for DTLS write context and where the contexts are actually freed.

ok miod@


# 1.34 28-May-2014 jsing

More KNF.


# 1.33 28-May-2014 jsing

Refactor tls1_change_cipher_state() and split the compression handling out
from the cipher and message digest handling, allowing for upcoming changes.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.32 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.31 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.30 25-May-2014 jsing

The ssl_ciper_get_evp() function is currently overloaded to also return the
compression associated with the SSL session. Based on one of Adam Langley's
chromium diffs, factor out the compression handling code into a separate
ssl_cipher_get_comp() function.

Rewrite the compression handling code to avoid pointless duplication and so
that failures are actually returned to and detectable by the caller.

ok miod@


# 1.29 24-May-2014 miod

Invoke OPENSSL_cleanse() with the size of the variable you are cleaning.
ok jsing@


# 1.28 20-May-2014 jsing

KSSL is dead... nuke KSSL_DEBUG from orbit.

ok beck@ miod@


# 1.27 28-Apr-2014 tedu

use the correct algorithm mask. reported by satish lvr via
http://marc.info/?l=openssl-dev&m=139779977532459&w=2
ok miod


# 1.26 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.25 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.24 19-Apr-2014 jsing

More KNF.


# 1.23 18-Apr-2014 tedu

now that knf carpet bombing is finished, switch to hand to hand combat.
still not sure what to make of mysteries like this:
for (i = 7; i >= 0; i--) { /* increment */


# 1.22 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_relloc->realloc
OPENSSL_freeFunc->free


# 1.21 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.20 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.19 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.18 27-Feb-2014 jca

SECURITY fixes backported from openssl-1.0.1f. ok mikeb@

CVE-2013-4353 NULL pointer dereference with crafted Next Protocol
Negotiation record in TLS handshake.
Upstream: 197e0ea

CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client.
Upstream: ca98926, 0294b2b

CVE-2013-6450 Fix DTLS retransmission from previous session.
Upstream: 3462896


# 1.17 14-Feb-2013 markus

cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.14 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.13 09-Jan-2009 djm

resolve conflicts


# 1.12 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.11 06-Sep-2008 djm

resolve conflicts


# 1.10 29-Apr-2005 djm

resolve conflicts


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 01-Aug-2001 beck

merge openssl 0.9.6b-engine

Note that this is a maintenance release, APIs appear *not* to have changed.
As such, I have only increased the minor number on these libraries.


# 1.5 22-Jun-2001 beck

openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.152 23-Oct-2021 jsing

Mop up enc_read_ctx and read_hash.

These are no longer public, so we can mop them up along with the machinery
needed to set/clear them.

ok beck@ tb@


Revision tags: OPENBSD_7_0_BASE
# 1.151 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.150 13-Jun-2021 jsing

Remove tls1_alert_code().

After running the preprocessor, this function becomes:

switch (code) {
case 0:
return (0);
case 10:
return (10);
case 20:
return (20);
...
}

Its intended purpose was to prevent SSLv3 alerts being sent from TLS code,
however now that we've removed "no_certificate" from LibreSSL's reach, it
no longer does anything useful.

ok tb@


# 1.149 13-Jun-2021 jsing

Remove references to obsolete alerts.

The "no_certificate" alert only existed in SSLv3, while the
"decryption_failed" and "export_restriction" alerts were removed in
TLSv1.1.

ok tb@


# 1.148 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.147 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.146 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.145 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.144 05-May-2021 jsing

Replace DTLS w_epoch with epoch from TLSv1.2 record layer.

ok inoguchi@ tb@


# 1.143 05-May-2021 jsing

Rewrite TLSv1.2 key block handling.

For TLSv1.2 a single key block is generated, then partitioned into
individual secrets for use as IVs and keys. The previous implementation
splits this across two functions tls1_setup_key_block() and
tls1_change_cipher_state(), which means that the IV and key sizes have to
be known in multiple places.

This implementation generates and partitions the key block in a single
step, meaning that the secrets are then simply handed out when requested.

ok inoguchi@ tb@


# 1.142 02-May-2021 jsing

Clean up tls1_change_cipher_state().

Replace flag gymnastics at call sites with separate read and write,
functions which call the common code. Condition on s->server instead of
using SSL_ST_ACCEPT, for consistency and more readable code.

ok inoguchi@ tb@


# 1.141 02-May-2021 jsing

Clean up dtls1_reset_seq_numbers().

Rather than doing flag gymnastics, split dtls1_reset_seq_numbers() into
separate read and write functions. Move the calls of these functions into
tls1_change_cipher_state() so they directly follow the change of cipher
state in the record layer, which avoids having to duplicate the calls in
the client and server.

ok inoguchi@ tb@


# 1.140 30-Apr-2021 jsing

Clean up and harden TLSv1.2 master key derivation.

The master key and its length are only stored in one location, so it makes
no sense to handle these outside of the derivation function (the current
'out' argument is unused). This simplifies the various call sites.

If derivation fails for some reason, fail hard rather than continuing on
and hoping that something deals with this correctly later.

ok inoguchi@ tb@


# 1.139 25-Apr-2021 jsing

Clean up derivation of finished/peer finished.

Make this process more readable by having specific client/server functions,
calling the correct one based on s->server. This allows to remove various
SSL_ST_ACCEPT/SSL_ST_CONNECT checks, along with duplicate code.

ok inoguchi@ tb@


# 1.138 19-Apr-2021 jsing

Remove new_sym_enc and new_aead.

These can be replaced with accessors that allow this information to be
retrieved from the new record layer.

ok inoguchi@ tb@


# 1.137 19-Apr-2021 jsing

Move new_mac_secret_size into the TLSv1.2 handshake struct.

Drop the 'new_' prefix in the process.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_9_BASE
# 1.136 29-Mar-2021 jsing

Move the TLSv1.2 record number increment into the new record layer.

This adds checks (based on the TLSv1.3 implementation) to ensure that the
TLS/DTLS sequence numbers do not wrap, as required by the respective RFCs.

ok inoguchi@ tb@


# 1.135 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.134 24-Mar-2021 jsing

Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.

Move TLSv1.2 specific components over from SSL_HANDSHAKE.

ok inoguchi@ tb@


# 1.133 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.132 03-Feb-2021 tb

Fail early in legacy exporter if master secret is not available

The exporter depends on having a master secret. If the handshake is
not completed, it is neither guaranteed that a shared ciphersuite was
selected (in which case tls1_PRF() will currently NULL deref) or that
a master secret was set up (in which case the exporter will succeed
with a predictable value). Neither outcome is desirable, so error out
early instead of entering the sausage factory unprepared. This aligns
the legacy exporter with the TLSv1.3 exporter in that regard.

with/ok jsing


# 1.131 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.130 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.129 19-Jan-2021 jsing

Add code to handle change of cipher state in the new TLSv1.2 record layer.

This provides the basic framework for handling change of cipher state in
the new TLSv1.2 record layer, creating new record protection. In the DTLS
case we retain the previous write record protection and can switch back to
it when retransmitting. This will allow the record layer to start owning
sequence numbers and encryption/decryption state.

ok inoguchi@ tb@


# 1.128 07-Jan-2021 jsing

Move the read MAC key into the TLSv1.2 record layer.

ok inoguchi@ tb@


# 1.127 11-Nov-2020 jsing

Use size_t for key_block_len.

This allows us to remove a check and will make future changes simpler. Use
suitable names for tls1_generate_key_block() arguments while here.

ok inoguchi@ tb@


# 1.126 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.125 07-Oct-2020 jsing

Mop up various things that are now unused with the new record layer.

ok inoguchi@ tb@


# 1.124 03-Oct-2020 jsing

Reimplement the TLSv1.2 record handling for the read side.

This is the next step in replacing the TLSv1.2 record layer.

The existing record handling code does decryption and processing in
place, which is not ideal for various reasons, however it is retained
for now as other code depends on this behaviour. Additionally, CBC
requires special handling to avoid timing oracles - for now the
existing timing safe code is largely retained.

ok beck@ inoguchi@ tb@


Revision tags: OPENBSD_6_8_BASE
# 1.123 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_7_BASE
# 1.122 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.121 13-Mar-2020 jsing

Remove dtls1_enc().

Like much of the original DTLS code, dtls1_enc() is effectively a renamed
copy of tls1_enc(). Since then tls1_enc() has been modified, however the
non-AEAD code remains largely the same. As such, remove dtls1_enc() and
instead call tls1_enc() from the DTLS code.

The tls1_enc() AEAD code does not currently work correctly with DTLS,
however this is a non-issue since we do not support AEAD cipher suites with
DTLS currently.

ok tb@


# 1.120 12-Mar-2020 jsing

Stop overloading the record type for padding length.

Currently the CBC related code stuffs the padding length in the upper bits
of the type field... stop doing that and add a padding_length field to the
record struct instead.

ok inoguchi@ tb@


# 1.119 12-Mar-2020 jsing

Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.

SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in
public headers, even though their usage is internal. This moves to
using _INTERNAL suffixed versions that are in internal headers, which
then allows us to change them without any potential public API fallout.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.118 13-May-2019 bcook

Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.

Fixes COV-174858

ok tb@


Revision tags: OPENBSD_6_5_BASE
# 1.117 09-Feb-2019 jsing

Rename tls1_handshake_hash*() to tls1_transcript_hash*().

While handshake hash is correct (in as far as it is a hash of handshake
messages), using tls1_transcript_hash*() aligns them with the naming of the
tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses
Transcript-Hash and "transcript hash", which this matches.

ok inoguchi@ tb@


# 1.116 08-Nov-2018 jsing

Clean up and simplify the handshake transcript code.

This provides a cleaner, simpler and more readable API, with code that uses
a BUF_MEM instead of a BIO.

ok beck@ ("hurry up") and tb@.


# 1.115 24-Oct-2018 jsing

Make more of libssl's record layer state internal.

In January 2017, we changed large amounts of libssl's data structures to
be non-visible/internal, however intentionally left things that the
software ecosystem was needing to use. The four or so applications that
reached into libssl for record layer related state now implement
alternative code. As such, make these data structures internal.

ok tb@


Revision tags: OPENBSD_6_4_BASE
# 1.114 08-Sep-2018 jsing

Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.

ok inoguchi@ tb@


# 1.113 06-Sep-2018 jsing

Drop SSL_CIPHER_ALGORITHM2_AEAD flag.

All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can
condition on that rather than having a separate redundant flag.

ok tb@


# 1.112 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.111 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.110 31-Aug-2018 jsing

Remove unused argument to tls1_change_cipher_state_cipher().


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.109 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.108 10-Apr-2017 jsing

freezero() the key block; simpler code and less of it.


Revision tags: OPENBSD_6_1_BASE
# 1.107 25-Mar-2017 jsing

Check tls1_PRF() return value in tls1_generate_master_secret().


# 1.106 25-Mar-2017 jsing

More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of
tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument
names and change lengths to size_t.

ok inoguchi@


# 1.105 18-Mar-2017 jsing

Fewer magic numbers.


# 1.104 18-Mar-2017 jsing

t1_enc.c


# 1.103 18-Mar-2017 jsing

Currently tls1_PRF() requires that a temporary buffer be provided, that
matches the size of the output buffer. This is used in the case where
there are multiple hashes - tls_P_hash() is called with the temporary
buffer and the result is then xored into the output buffer.

Avoid this by simply using a local buffer in tls_P_hash() and then xoring
the result into the output buffer. Overall this makes the code cleaner
and simplifies all of the tls_PRF() callers.

Similar to BoringSSL.

ok inoguchi@


# 1.102 10-Mar-2017 jsing

Remove the handshake digests and related code, replacing remaining uses
with the handshake hash. For now tls1_digest_cached_records() is retained
to release the handshake buffer.

ok beck@ inoguchi@


# 1.101 10-Mar-2017 jsing

First pass at cleaning up the tls1_P_hash() function - remove a pointless
EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the
code slightly.

ok inoguchi@


# 1.100 10-Mar-2017 jsing

Make tls1_PRF() non-static so it can be regress tested.


# 1.99 07-Mar-2017 jsing

Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned
and each hash processed separately.

Tested by tb@


# 1.98 06-Mar-2017 jsing

Clean up and simplify the tls1_PRF() implementation now that we have a
single EVP MD for the PRF hash.

ok beck@ inoguchi@


# 1.97 05-Mar-2017 jsing

Provide a rolling handshake hash that commences as soon as the cipher
suite has been selected, and convert the final finish MAC to use this
handshake hash.

This is a first step towards cleaning up the current handshake
buffer/digest code.

ok beck@ inoguchi@


# 1.96 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.95 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.94 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single funciton code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.93 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.92 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.91 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.90 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.89 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.88 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.87 06-Nov-2016 jsing

Remove unused SSLv3 from ssl3_cbc_record_digest_supported().

From Markus Uhlin <markus.uhlin at bredband dot net>

ok beck@ bcooK@


# 1.86 03-Nov-2016 jsing

Clean up the TLS handshake digest handling - this refactors some of the
code for improved readability, however it also address two issues.

The first of these is a hard-to-hit double free that will occur if
EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure
that tls1_digest_cached_records() either completes successfully and sets
up all of the necessary digests, or it cleans up and frees everything
that was allocated.

The second issue is that EVP_DigestUpdate() can fail - detect and handle
this in tls1_finish_mac() and change the return type to an int so that a
failure can be propagated to the caller (the callers still need to be
fixed to handle this, in a later diff).

The double-free was reported by Matthew Dillon.

ok beck@ doug@ miod@


# 1.85 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replaces the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.84 06-Mar-2016 beck

Make sure stdio functions don't end up in the library, from miod@
ok doug@ bcook@


# 1.83 11-Sep-2015 jsing

Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a
ssl3_ prefix.

ok beck@


# 1.82 11-Sep-2015 jsing

Merge the remnants of s3_enc.c into t1_enc.c.

ok beck@


# 1.81 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.80 27-Aug-2015 jsing

Change AEAD out_len argument to size_t instead of ssize_t - while here,
rename it to out_len so that its purpose is more obvious. Also, drop two
checks that are no longer possible (and have not been for a long time).

Spotted by and ok doug@


# 1.79 17-Jul-2015 doug

Remove workaround for TLS padding bug from SSLeay days.

OpenSSL doesn't remember which clients were impacted and the
functionality has been broken in their stable releases for 2 years.

Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.

ok jsing@


# 1.78 17-Jun-2015 jsing

Keep alerts sorted by alert code.


# 1.77 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatability with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.76 07-Feb-2015 doug

Remove useless variables and use the values directly.

From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.

ok miod@, jsing@


# 1.75 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.74 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.73 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.72 16-Nov-2014 jsing

Sort and group includes.


# 1.71 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.70 18-Oct-2014 doug

Typical malloc() with size multiplication to reallocarray().

ok deraadt@


# 1.69 07-Aug-2014 miod

Oops, revert changes committed by mistake. The previous commit was supposed
to only apply to s23_srvr.c.


# 1.68 07-Aug-2014 miod

When you expect a function to return a particular value, don't put a comment
saying that you expect it to return that value and compare it against zero
because it is supposedly faster, for this leads to bugs (especially given the
high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this
library).

Instead, compare for the exact value it ought to return upon success.

ok deraadt@


# 1.67 10-Jul-2014 jsing

Remove more compression related code.


# 1.66 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.65 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.64 08-Jul-2014 beck

pedantic avoidance of division by zero, likely not actually
possible to hit for real.
ok miod@ jsing@


# 1.63 21-Jun-2014 jsing

Pull the code that builds a DTLS sequence number out into its own function
to avoid duplication. Also use fewer magic numbers.

ok miod@


# 1.62 21-Jun-2014 jsing

Pull out the sequence number selection and handle this up front. Also, the
correct record is already known, so avoid reassignment.


# 1.61 21-Jun-2014 jsing

More KNF and clean up.


# 1.60 15-Jun-2014 jsing

Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(),
so that it reflects what it is actually doing. Use this function in a
number of places that still have the hand rolled version.

ok beck@ miod@
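The sequence number handling described in the 1.63, 1.62 and 1.60 entries above (build the DTLS epoch/sequence field, increment it without magic numbers), as an added example that is not LibreSSL's own code: the byte layout follows the TLS and DTLS record formats, while the sizes, function names and sample values are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Named sizes instead of magic numbers (constructed example; not LibreSSL). */
#define TLS_SEQ_NUM_SIZE	8
#define DTLS_EPOCH_SIZE		2
#define DTLS_SEQ_NUM_SIZE	(TLS_SEQ_NUM_SIZE - DTLS_EPOCH_SIZE)
#define DTLS_SEQ_NUM_MASK	0xffffffffffffULL

/*
 * Increment a big-endian counter of len bytes in place, carrying upward from
 * the last byte (the "for (i = 7; i >= 0; i--)" loop from the log, with the
 * size named). Returns 1 on success and 0 if the counter wrapped to zero; a
 * wrapped sequence number would reuse a nonce under the same key.
 */
static int
record_sequence_increment(uint8_t *seq, size_t len)
{
	size_t i;

	for (i = len; i > 0; i--) {
		if (++seq[i - 1] != 0)
			return 1;	/* no carry out of this byte */
	}
	return 0;	/* carried out of the most significant byte */
}

/* DTLS: epoch (16 bits) || sequence (48 bits). Only the low six bytes are
 * counted, so a carry can never spill into the epoch. */
static int
dtls_record_sequence_increment(uint8_t seq[TLS_SEQ_NUM_SIZE])
{
	return record_sequence_increment(seq + DTLS_EPOCH_SIZE,
	    DTLS_SEQ_NUM_SIZE);
}

/* Build the 8-byte DTLS sequence number from an epoch and a 48-bit count. */
static void
dtls_record_sequence_build(uint8_t out[TLS_SEQ_NUM_SIZE], uint16_t epoch,
    uint64_t seq)
{
	int i;

	out[0] = epoch >> 8;
	out[1] = epoch & 0xff;
	for (i = 0; i < DTLS_SEQ_NUM_SIZE; i++)
		out[DTLS_EPOCH_SIZE + i] =
		    (seq >> (8 * (DTLS_SEQ_NUM_SIZE - 1 - i))) & 0xff;
}

/* Decode the 8 bytes back to an integer so results can be checked. */
static uint64_t
sequence_to_u64(const uint8_t seq[TLS_SEQ_NUM_SIZE])
{
	uint64_t v = 0;
	int i;

	for (i = 0; i < TLS_SEQ_NUM_SIZE; i++)
		v = (v << 8) | seq[i];
	return v;
}

/* Round trips: encode, increment, decode. A plain TLS 64-bit counter has the
 * same byte layout as epoch || seq, so the DTLS builder encodes it too; the
 * TLS variants then count over all eight bytes. */
static uint64_t
tls_sequence_next(uint64_t v)
{
	uint8_t seq[TLS_SEQ_NUM_SIZE];

	dtls_record_sequence_build(seq, v >> 48, v & DTLS_SEQ_NUM_MASK);
	(void)record_sequence_increment(seq, TLS_SEQ_NUM_SIZE);
	return sequence_to_u64(seq);
}

static int
tls_sequence_wraps(uint64_t v)
{
	uint8_t seq[TLS_SEQ_NUM_SIZE];

	dtls_record_sequence_build(seq, v >> 48, v & DTLS_SEQ_NUM_MASK);
	return record_sequence_increment(seq, TLS_SEQ_NUM_SIZE) == 0;
}

static uint64_t
dtls_sequence_next(uint16_t epoch, uint64_t seq)
{
	uint8_t buf[TLS_SEQ_NUM_SIZE];

	dtls_record_sequence_build(buf, epoch, seq);
	(void)dtls_record_sequence_increment(buf);
	return sequence_to_u64(buf);
}

static int
dtls_sequence_wraps(uint16_t epoch, uint64_t seq)
{
	uint8_t buf[TLS_SEQ_NUM_SIZE];

	dtls_record_sequence_build(buf, epoch, seq);
	return dtls_record_sequence_increment(buf) == 0;
}
```

The DTLS wrap case shows why the counted width matters: a 48-bit rollover leaves the epoch bytes untouched and is reported to the caller instead of silently continuing.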


# 1.59 13-Jun-2014 jsing

Correctly calculate the key block length when using export ciphers.


# 1.58 13-Jun-2014 jsing

Swap compress/expand around so they are in the correct order - these ended
up in the wrong order when the code was refactored.


# 1.57 13-Jun-2014 jsing

Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and
EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.


# 1.56 13-Jun-2014 jsing

Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are
those that use EVP_AEAD instead of EVP_CIPHER. This means being able to
change cipher state with an EVP_AEAD and being able to encrypt/decrypt
TLS using the EVP_AEAD. This has no change on existing
non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.

Based on Adam Langley's chromium patches.

Rides the recent libssl bump.

Tested by sthen@


# 1.55 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.54 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.53 11-Jun-2014 jsing

Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since
OpenSSL 1.0.0.

ok miod@ (a little while back)


# 1.52 10-Jun-2014 jsing

In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex()
to avoid a possible NULL function call on ctx.final(). None of the callers
currently check the return value of calls to cert_verify_mac(), however
the function already returns 0 in another case and the MAC comparison will
later fail.

Issue reported by David Ramos.


# 1.51 08-Jun-2014 jsing

Add a define for the SSLv3 sequence size and use it, rather than sprinkling
magic numbers around.

ok deraadt@


# 1.50 08-Jun-2014 jsing

Be explicit with types. No binary change.


# 1.49 08-Jun-2014 jsing

Factor out the part of tls1_change_cipher_state() that is specific to
switching cipher states using an EVP_CIPHER. This will facilitate the
addition of cipher state changes for EVP_AEAD. No functional change.

Based on Adam Langley's chromium patches.


# 1.48 08-Jun-2014 jsing

Factor out the sequence number reset code to aid in upcoming changes.


# 1.47 07-Jun-2014 jsing

Add missing NULL check after calling EVP_PKEY_new_mac_key().

Based on Adam Langley's chromium patches.


# 1.46 07-Jun-2014 jsing

Use !is_read to imply SSL3_CC_WRITE.

While this is not strictly correct (since the presence of SSL3_CC_READ does
not guarantee the absence of SSL3_CC_WRITE), in practice only one of these
flags is set at a time and there is existing logic which already relies on
this behaviour.


# 1.45 07-Jun-2014 jsing

Move the export label initialisation into the export handling code, since
this is the only place where these variables are used.


# 1.44 07-Jun-2014 jsing

Remove pointless casts - no binary change.


# 1.43 07-Jun-2014 jsing

Rename variables to make it clear that these are only used in the export
code. Additionally, these need to be cleaned in the export case.

Based on Adam Langley's chromium patches.


# 1.42 07-Jun-2014 jsing

Further clean up of context handling in tls1_change_cipher_state().

Rather than doing a complex dance to figure out if we should reuse the
cipher context and clean it later on, just free it and allocate a new one.
This simplifies the code path, especially in the write case where special
handling is required for DTLS.

Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is
unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention
that it was already missing from the write case).


# 1.41 02-Jun-2014 jsing

Rename more variables for readability and consistency.


# 1.40 01-Jun-2014 jsing

Overhaul the key block handling in tls1_change_cipher_state() - use
meaningful variable names with pointer arithmetic, rather than n, i, j
and p with array indexing.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.39 01-Jun-2014 jsing

In tls1_setup_key_block(), use the correct IV length for GCM mode, which
results in the key block length calculation also being correct. Rename a
number of variables so that their purpose becomes clear and simplify some
of the code.

Inspired by Adam Langley's chromium diffs.

ok miod@


# 1.38 01-Jun-2014 jsing

Clean up the tls1_change_cipher_state() key length handling and use a
single variable with a descriptive name, instead of two poorly named
variables.

Largely based on Adam Langley's chromium patches.

ok miod@


# 1.37 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.36 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.35 29-May-2014 jsing

Fix another two cases where the return value of ssl_replace_hash() is
unchecked.

In the case of tls1_change_cipher_state(), it is fairly pointless to use
ssl_replace_hash(), since it does not initialise the hash and there is
special handling required in the DTLS write case. Instead, just inline
the part of ssl_replace_hash() that is needed and only
ssl_clear_hash_ctx() the write hash in the non-DTLS case.

Also add a detailed comment explaining why there needs to be specialised
handling for DTLS write context and where the contexts are actually freed.

ok miod@


# 1.34 28-May-2014 jsing

More KNF.


# 1.33 28-May-2014 jsing

Refactor tls1_change_cipher_state() and split the compression handling out
from the cipher and message digest handling, allowing for upcoming changes.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.32 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.31 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.30 25-May-2014 jsing

The ssl_cipher_get_evp() function is currently overloaded to also return the
compression associated with the SSL session. Based on one of Adam Langley's
chromium diffs, factor out the compression handling code into a separate
ssl_cipher_get_comp() function.

Rewrite the compression handling code to avoid pointless duplication and so
that failures are actually returned to and detectable by the caller.

ok miod@


# 1.29 24-May-2014 miod

Invoke OPENSSL_cleanse() with the size of the variable you are cleaning.
ok jsing@


# 1.28 20-May-2014 jsing

KSSL is dead... nuke KSSL_DEBUG from orbit.

ok beck@ miod@


# 1.27 28-Apr-2014 tedu

use the correct algorithm mask. reported by satish lvr via
http://marc.info/?l=openssl-dev&m=139779977532459&w=2
ok miod


# 1.26 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.25 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.24 19-Apr-2014 jsing

More KNF.


# 1.23 18-Apr-2014 tedu

now that knf carpet bombing is finished, switch to hand to hand combat.
still not sure what to make of mysteries like this:
for (i = 7; i >= 0; i--) { /* increment */


# 1.22 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.21 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.20 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.19 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.18 27-Feb-2014 jca

SECURITY fixes backported from openssl-1.0.1f. ok mikeb@

CVE-2013-4353 NULL pointer dereference with crafted Next Protocol
Negotiation record in TLS handshake.
Upstream: 197e0ea

CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client.
Upstream: ca98926, 0294b2b

CVE-2013-6450 Fix DTLS retransmission from previous session.
Upstream: 3462896


# 1.17 14-Feb-2013 markus

cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.14 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.13 09-Jan-2009 djm

resolve conflicts


# 1.12 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.11 06-Sep-2008 djm

resolve conflicts


# 1.10 29-Apr-2005 djm

resolve conflicts


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 01-Aug-2001 beck

merge openssl 0.9.6b-engine

Note that this is a maintenance release; APIs appear *not* to have changed.
As such, I have only increased the minor number on these libraries.


# 1.5 22-Jun-2001 beck

openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.151 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.150 13-Jun-2021 jsing

Remove tls1_alert_code().

After running the preprocessor, this function becomes:

switch (code) {
case 0:
return (0);
case 10:
return (10);
case 20:
return (20);
...
}

Its intended purpose was to prevent SSLv3 alerts being sent from TLS code,
however now that we've removed "no_certificate" from LibreSSL's reach, it
no longer does anything useful.

ok tb@


# 1.149 13-Jun-2021 jsing

Remove references to obsolete alerts.

The "no_certificate" alert only existed in SSLv3, while the
"decryption_failed" and "export_restriction" alerts were removed in
TLSv1.1.

ok tb@


# 1.148 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.147 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.146 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.145 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.144 05-May-2021 jsing

Replace DTLS w_epoch with epoch from TLSv1.2 record layer.

ok inoguchi@ tb@


# 1.143 05-May-2021 jsing

Rewrite TLSv1.2 key block handling.

For TLSv1.2 a single key block is generated, then partitioned into
individual secrets for use as IVs and keys. The previous implementation
splits this across two functions tls1_setup_key_block() and
tls1_change_cipher_state(), which means that the IV and key sizes have to
be known in multiple places.

This implementation generates and partitions the key block in a single
step, meaning that the secrets are then simply handed out when requested.

ok inoguchi@ tb@


# 1.142 02-May-2021 jsing

Clean up tls1_change_cipher_state().

Replace flag gymnastics at call sites with separate read and write,
functions which call the common code. Condition on s->server instead of
using SSL_ST_ACCEPT, for consistency and more readable code.

ok inoguchi@ tb@


# 1.141 02-May-2021 jsing

Clean up dtls1_reset_seq_numbers().

Rather than doing flag gymnastics, split dtls1_reset_seq_numbers() into
separate read and write functions. Move the calls of these functions into
tls1_change_cipher_state() so they directly follow the change of cipher
state in the record layer, which avoids having to duplicate the calls in
the client and server.

ok inoguchi@ tb@


# 1.140 30-Apr-2021 jsing

Clean up and harden TLSv1.2 master key derivation.

The master key and its length are only stored in one location, so it makes
no sense to handle these outside of the derivation function (the current
'out' argument is unused). This simplifies the various call sites.

If derivation fails for some reason, fail hard rather than continuing on
and hoping that something deals with this correctly later.

ok inoguchi@ tb@


# 1.139 25-Apr-2021 jsing

Clean up derivation of finished/peer finished.

Make this process more readable by having specific client/server functions,
calling the correct one based on s->server. This allows to remove various
SSL_ST_ACCEPT/SSL_ST_CONNECT checks, along with duplicate code.

ok inoguchi@ tb@


# 1.138 19-Apr-2021 jsing

Remove new_sym_enc and new_aead.

These can be replaced with accessors that allow this information to be
retrieved from the new record layer.

ok inoguchi@ tb@


# 1.137 19-Apr-2021 jsing

Move new_mac_secret_size into the TLSv1.2 handshake struct.

Drop the 'new_' prefix in the process.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_9_BASE
# 1.136 29-Mar-2021 jsing

Move the TLSv1.2 record number increment into the new record layer.

This adds checks (based on the TLSv1.3 implementation) to ensure that the
TLS/DTLS sequence numbers do not wrap, as required by the respective RFCs.

ok inoguchi@ tb@


# 1.135 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.134 24-Mar-2021 jsing

Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.

Move TLSv1.2 specific components over from SSL_HANDSHAKE.

ok inoguchi@ tb@


# 1.133 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.132 03-Feb-2021 tb

Fail early in legacy exporter if master secret is not available

The exporter depends on having a master secret. If the handshake is
not completed, it is neither guaranteed that a shared ciphersuite was
selected (in which case tls1_PRF() will currently NULL deref) or that
a master secret was set up (in which case the exporter will succeed
with a predictable value). Neither outcome is desirable, so error out
early instead of entering the sausage factory unprepared. This aligns
the legacy exporter with the TLSv1.3 exporter in that regard.

with/ok jsing


# 1.131 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.130 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.129 19-Jan-2021 jsing

Add code to handle change of cipher state in the new TLSv1.2 record layer.

This provides the basic framework for handling change of cipher state in
the new TLSv1.2 record layer, creating new record protection. In the DTLS
case we retain the previous write record protection and can switch back to
it when retransmitting. This will allow the record layer to start owning
sequence numbers and encryption/decryption state.

ok inoguchi@ tb@


# 1.128 07-Jan-2021 jsing

Move the read MAC key into the TLSv1.2 record layer.

ok inoguchi@ tb@


# 1.127 11-Nov-2020 jsing

Use size_t for key_block_len.

This allows us to remove a check and will make future changes simpler. Use
suitable names for tls1_generate_key_block() arguments while here.

ok inoguchi@ tb@


# 1.126 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.125 07-Oct-2020 jsing

Mop up various things that are now unused with the new record layer.

ok inoguchi@ tb@


# 1.124 03-Oct-2020 jsing

Reimplement the TLSv1.2 record handling for the read side.

This is the next step in replacing the TLSv1.2 record layer.

The existing record handling code does decryption and processing in
place, which is not ideal for various reasons, however it is retained
for now as other code depends on this behaviour. Additionally, CBC
requires special handling to avoid timing oracles - for now the
existing timing safe code is largely retained.

ok beck@ inoguchi@ tb@


Revision tags: OPENBSD_6_8_BASE
# 1.123 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_7_BASE
# 1.122 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.121 13-Mar-2020 jsing

Remove dtls1_enc().

Like much of the original DTLS code, dtls1_enc() is effectively a renamed
copy of tls1_enc(). Since then tls1_enc() has been modified, however the
non-AEAD code remains largely the same. As such, remove dtls1_enc() and
instead call tls1_enc() from the DTLS code.

The tls1_enc() AEAD code does not currently work correctly with DTLS,
however this is a non-issue since we do not support AEAD cipher suites with
DTLS currently.

ok tb@


# 1.120 12-Mar-2020 jsing

Stop overloading the record type for padding length.

Currently the CBC related code stuffs the padding length in the upper bits
of the type field... stop doing that and add a padding_length field to the
record struct instead.

ok inoguchi@ tb@


# 1.119 12-Mar-2020 jsing

Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.

SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in
public headers, even though their usage is internal. This moves to
using _INTERNAL suffixed versions that are in internal headers, which
then allows us to change them without any potential public API fallout.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.118 13-May-2019 bcook

Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.

Fixes COV-174858

ok tb@


Revision tags: OPENBSD_6_5_BASE
# 1.117 09-Feb-2019 jsing

Rename tls1_handshake_hash*() to tls1_transcript_hash*().

While handshake hash is correct (in as far as it is a hash of handshake
messages), using tls1_transcript_hash*() aligns them with the naming of the
tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses
Transcript-Hash and "transcript hash", which this matches.

ok inoguchi@ tb@


# 1.116 08-Nov-2018 jsing

Clean up and simplify the handshake transcript code.

This provides a cleaner, simpler and more readable API, with code that uses
a BUF_MEM instead of a BIO.

ok beck@ ("hurry up") and tb@.


# 1.115 24-Oct-2018 jsing

Make more of libssl's record layer state internal.

In January 2017, we changed large amounts of libssl's data structures to
be non-visible/internal, however intentionally left things that the
software ecosystem was needing to use. The four or so applications that
reached into libssl for record layer related state now implement
alternative code. As such, make these data structures internal.

ok tb@


Revision tags: OPENBSD_6_4_BASE
# 1.114 08-Sep-2018 jsing

Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.

ok inoguchi@ tb@


# 1.113 06-Sep-2018 jsing

Drop SSL_CIPHER_ALGORITHM2_AEAD flag.

All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can
condition on that rather than having a separate redundant flag.

ok tb@


# 1.112 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.111 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.110 31-Aug-2018 jsing

Remove unused argument to tls1_change_cipher_state_cipher().


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.109 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.108 10-Apr-2017 jsing

freezero() the key block; simpler code and less of it.


Revision tags: OPENBSD_6_1_BASE
# 1.107 25-Mar-2017 jsing

Check tls1_PRF() return value in tls1_generate_master_secret().


# 1.106 25-Mar-2017 jsing

More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of
tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument
names and change lengths to size_t.

ok inoguchi@


# 1.105 18-Mar-2017 jsing

Fewer magic numbers.


# 1.104 18-Mar-2017 jsing

t1_enc.c


# 1.103 18-Mar-2017 jsing

Currently tls1_PRF() requires that a temporary buffer be provided, that
matches the size of the output buffer. This is used in the case where
there are multiple hashes - tls_P_hash() is called with the temporary
buffer and the result is then xored into the output buffer.

Avoid this by simply using a local buffer in tls_P_hash() and then xoring
the result into the output buffer. Overall this makes the code cleaner
and simplifies all of the tls_PRF() callers.

Similar to BoringSSL.

ok inoguchi@


# 1.102 10-Mar-2017 jsing

Remove the handshake digests and related code, replacing remaining uses
with the handshake hash. For now tls1_digest_cached_records() is retained
to release the handshake buffer.

ok beck@ inoguchi@


# 1.101 10-Mar-2017 jsing

First pass at cleaning up the tls1_P_hash() function - remove a pointless
EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the
code slightly.

ok inoguchi@


# 1.100 10-Mar-2017 jsing

Make tls1_PRF() non-static so it can be regress tested.


# 1.99 07-Mar-2017 jsing

Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned
and each hash processed separately.

Tested by tb@


# 1.98 06-Mar-2017 jsing

Clean up and simplify the tls1_PRF() implementation now that we have a
single EVP MD for the PRF hash.

ok beck@ inoguchi@


# 1.97 05-Mar-2017 jsing

Provide a rolling handshake hash that commences as soon as the cipher
suite has been selected, and convert the final finish MAC to use this
handshake hash.

This is a first step towards cleaning up the current handshake
buffer/digest code.

ok beck@ inoguchi@


# 1.96 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.95 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.94 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single funciton code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.93 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.92 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.91 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.90 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.89 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.88 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.87 06-Nov-2016 jsing

Remove unused SSLv3 from ssl3_cbc_record_digest_supported().

From Markus Uhlin <markus.uhlin at bredband dot net>

ok beck@ bcooK@


# 1.86 03-Nov-2016 jsing

Clean up the TLS handshake digest handling - this refactors some of the
code for improved readability, however it also address two issues.

The first of these is a hard-to-hit double free that will occur if
EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure
that tls1_digest_cached_records() either completes successfully and sets
up all of the necessary digests, or it cleans up and frees everything
that was allocated.

The second issue is that EVP_DigestUpdate() can fail - detect and handle
this in tls1_finish_mac() and change the return type to an int so that a
failure can be propagated to the caller (the callers still need to be
fixed to handle this, in a later diff).

The double-free was reported by Matthew Dillon.

ok beck@ doug@ miod@


# 1.85 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replaces the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.84 06-Mar-2016 beck

Make sure stdio functions don't end up in the library, from miod@
ok doug@ bcook@


# 1.83 11-Sep-2015 jsing

Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a
ssl3_ prefix.

ok beck@


# 1.82 11-Sep-2015 jsing

Merge the remnants of s3_enc.c into t1_enc.c.

ok beck@


# 1.81 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.80 27-Aug-2015 jsing

Change AEAD out_len argument to size_t instead of ssize_t - while here,
rename it to out_len so that its purpose is more obvious. Also, drop two
checks that are no longer possible (and have not been for a long time).

Spotted by and ok doug@


# 1.79 17-Jul-2015 doug

Remove workaround for TLS padding bug from SSLeay days.

OpenSSL doesn't remember which clients were impacted and the
functionality has been broken in their stable releases for 2 years.

Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.

ok jsing@


# 1.78 17-Jun-2015 jsing

Keep alerts sorted by alert code.


# 1.77 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatability with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.76 07-Feb-2015 doug

Remove useless variables and use the values directly.

From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.

ok miod@, jsing@


# 1.75 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.74 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.73 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.72 16-Nov-2014 jsing

Sort and group includes.


# 1.71 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.70 18-Oct-2014 doug

Typical malloc() with size multiplication to reallocarray().

ok deraadt@


# 1.69 07-Aug-2014 miod

Oops, revert changes committed by mistake. The previous commit was supposed
to only apply to s23_srvr.c.


# 1.68 07-Aug-2014 miod

When you expect a function to return a particular value, don't put a comment
saying that you expect it to return that value and compare it against zero
because it is supposedly faster, for this leads to bugs (especially given the
high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this
library).

Instead, compare for the exact value it ought to return upon success.

ok deraadt@


# 1.67 10-Jul-2014 jsing

Remove more compression related code.


# 1.66 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.65 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.64 08-Jul-2014 beck

pedantic avoidance of division by zero, likely not actually
possible to hit for real.
ok miod@ jsing@


# 1.63 21-Jun-2014 jsing

Pull the code that builds a DTLS sequence number out into its own function
to avoid duplication. Also use fewer magic numbers.

ok miod@


# 1.62 21-Jun-2014 jsing

Pull out the sequence number selection and handle this up front. Also, the
correct record is already known, so avoid reassignment.


# 1.61 21-Jun-2014 jsing

More KNF and clean up.


# 1.60 15-Jun-2014 jsing

Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(),
so that it reflects what it is actually doing. Use this function in a
number of places that still have the hand rolled version.

ok beck@ miod@
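
The sequence-number handling that 1.63 and 1.60 refer to, as an added example rather than the code of either commit. It assumes the 8-byte big-endian record sequence number of RFC 5246 and, for DTLS, the 16-bit epoch plus 48-bit sequence split of RFC 6347; all function names are made up:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SSL3_SEQUENCE_SIZE 8

/*
 * Increment the big-endian bytes seq[lo..7] in place, carrying upwards
 * from the last byte. TLS uses lo = 0 (all 64 bits); DTLS uses lo = 2 so
 * a carry can never spill into the 16-bit epoch in the first two bytes.
 * The RFCs forbid wrapping (it would reuse a nonce), so a carry out of
 * seq[lo] returns 0 and leaves seq untouched; the caller must abort.
 */
int
sequence_increment(uint8_t seq[SSL3_SEQUENCE_SIZE], int lo)
{
	uint8_t tmp[SSL3_SEQUENCE_SIZE];
	int i;

	memcpy(tmp, seq, sizeof(tmp));
	for (i = SSL3_SEQUENCE_SIZE - 1; i >= lo; i--)
		if (++tmp[i] != 0)
			break;
	if (i < lo)
		return 0;
	memcpy(seq, tmp, sizeof(tmp));
	return 1;
}

/*
 * DTLS (RFC 6347) splits the same 8 bytes into a 16-bit epoch and a 48-bit
 * per-epoch sequence number, both big-endian. Returns 0 if seq >= 2^48.
 */
int
dtls_build_sequence(uint8_t out[SSL3_SEQUENCE_SIZE], uint16_t epoch,
    uint64_t seq)
{
	int i;

	if ((seq >> 48) != 0)
		return 0;
	out[0] = (uint8_t)(epoch >> 8);
	out[1] = (uint8_t)epoch;
	for (i = 0; i < 6; i++)
		out[2 + i] = (uint8_t)(seq >> (8 * (5 - i)));
	return 1;
}

uint64_t
sequence_to_u64(const uint8_t seq[SSL3_SEQUENCE_SIZE])
{
	uint64_t v = 0;
	int i;

	for (i = 0; i < SSL3_SEQUENCE_SIZE; i++)
		v = (v << 8) | seq[i];
	return v;
}

/* Walk through the edge cases; returns 1 if every check holds. */
int
sequence_selftest(void)
{
	uint8_t seq[SSL3_SEQUENCE_SIZE];

	/* Carry across every low byte: 0x00ffffffffffffff + 1. */
	memset(seq, 0xff, sizeof(seq));
	seq[0] = 0;
	if (!sequence_increment(seq, 0) ||
	    sequence_to_u64(seq) != 0x0100000000000000ULL)
		return 0;

	/* At 2^64 - 1 the increment is refused and seq is left alone. */
	memset(seq, 0xff, sizeof(seq));
	if (sequence_increment(seq, 0) != 0 || sequence_to_u64(seq) != UINT64_MAX)
		return 0;

	/* DTLS epoch 1, seq 5 encodes as 00 01 00 00 00 00 00 05. */
	if (!dtls_build_sequence(seq, 1, 5) ||
	    sequence_to_u64(seq) != 0x0001000000000005ULL)
		return 0;

	/* At the per-epoch maximum a DTLS increment must not touch the epoch. */
	if (!dtls_build_sequence(seq, 1, 0xffffffffffffULL) ||
	    sequence_increment(seq, 2) != 0 ||
	    sequence_to_u64(seq) != 0x0001ffffffffffffULL)
		return 0;

	/* 2^48 does not fit in the 48-bit field. */
	return dtls_build_sequence(seq, 0, 1ULL << 48) == 0;
}

int
main(void)
{
	printf("sequence checks %s\n", sequence_selftest() ? "passed" : "FAILED");
	return 0;
}
```

The increment works on a copy so that a refused increment cannot leave a half-carried value behind; a record layer that keeps going after the counter is exhausted would reuse a nonce with the same key, which is exactly what the no-wrap rule exists to prevent.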


# 1.59 13-Jun-2014 jsing

Correctly calculate the key block length when using export ciphers.


# 1.58 13-Jun-2014 jsing

Swap compress/expand around so they are in the correct order - these ended
up in the wrong order when the code was refactored.


# 1.57 13-Jun-2014 jsing

Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and
EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.


# 1.56 13-Jun-2014 jsing

Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are
those that use EVP_AEAD instead of EVP_CIPHER. This means being able to
change cipher state with an EVP_AEAD and being able to encrypt/decrypt
TLS using the EVP_AEAD. This has no change on existing
non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.

Based on Adam Langley's chromium patches.

Rides the recent libssl bump.

Tested by sthen@


# 1.55 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.54 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.53 11-Jun-2014 jsing

Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since
OpenSSL 1.0.0.

ok miod@ (a little while back)


# 1.52 10-Jun-2014 jsing

In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex()
to avoid a possible NULL function call on ctx.final(). None of the callers
currently check the return value of calls to cert_verify_mac(), however
the function already returns 0 in another case and the MAC comparison will
later fail.

Issue reported by David Ramos.


# 1.51 08-Jun-2014 jsing

Add a define for the SSLv3 sequence size and use it, rather than sprinkling
magic numbers around.

ok deraadt@


# 1.50 08-Jun-2014 jsing

Be explicit with types. No binary change.


# 1.49 08-Jun-2014 jsing

Factor out the part of tls1_change_cipher_state() that is specific to
switching cipher states using an EVP_CIPHER. This will facilitate the
addition of cipher state changes for EVP_AEAD. No functional change.

Based on Adam Langley's chromium patches.


# 1.48 08-Jun-2014 jsing

Factor out the sequence number reset code to aid in upcoming changes.


# 1.47 07-Jun-2014 jsing

Add missing NULL check after calling EVP_PKEY_new_mac_key().

Based on Adam Langley's chromium patches.


# 1.46 07-Jun-2014 jsing

Use !is_read to imply SSL3_CC_WRITE.

While this is not strictly correct (since the presence of SSL3_CC_READ does
not guarantee the absence of SSL3_CC_WRITE), in practice only one of these
flags is set at a time and there is existing logic which already relies on
this behaviour.


# 1.45 07-Jun-2014 jsing

Move the export label initialisation into the export handling code, since
this is the only place where these variables are used.


# 1.44 07-Jun-2014 jsing

Remove pointless casts - no binary change.


# 1.43 07-Jun-2014 jsing

Rename variables to make it clear that these are only used in the export
code. Additionally, these need to be cleaned in the export case.

Based on Adam Langley's chromium patches.


# 1.42 07-Jun-2014 jsing

Further clean up of context handling in tls1_change_cipher_state().

Rather than doing a complex dance to figure out if we should reuse the
cipher context and clean it later on, just free it and allocate a new one.
This simplifies the code path, especially in the write case where special
handling is required for DTLS.

Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is
unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention
that it was already missing from the write case).


# 1.41 02-Jun-2014 jsing

Rename more variables for readability and consistency.


# 1.40 01-Jun-2014 jsing

Overhaul the key block handling in tls1_change_cipher_state() - use
meaningful variable names with pointer arithmetic, rather than n, i, j
and p with array indexing.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.39 01-Jun-2014 jsing

In tls1_setup_key_block(), use the correct IV length for GCM mode, which
results in the key block length calculation also being correct. Rename a
number of variables so that their purpose becomes clear and simplify some
of the code.

Inspired by Adam Langley's chromium diffs.

ok miod@
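
How the key block that 1.40 and 1.39 rework is sized and partitioned, as an added example; it is not libssl code. The per-suite size struct and every function name are assumptions; the layout and order are those of RFC 5246 section 6.3, including the 4-byte fixed IV that AES-GCM takes from the key block in place of a full cipher IV:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * What a negotiated suite contributes to the key block. Assumed struct: the
 * real code gets these from the EVP_CIPHER, EVP_MD or EVP_AEAD in use.
 */
struct tls12_suite_sizes {
	size_t mac_key_len;	/* MAC secret length; 0 for AEAD suites */
	size_t key_len;		/* symmetric key length */
	size_t iv_len;		/* fixed IV: full cipher IV for CBC, 4 for AES-GCM */
};

/* The six secrets of RFC 5246 section 6.3, as pointers into the block. */
struct tls12_secrets {
	const uint8_t *client_write_mac_key, *server_write_mac_key;
	const uint8_t *client_write_key, *server_write_key;
	const uint8_t *client_write_iv, *server_write_iv;
};

/* Constructed examples: AES128-SHA (CBC, SHA-1 MAC) and AES128-GCM-SHA256. */
const struct tls12_suite_sizes aes128_sha = { 20, 16, 16 };
const struct tls12_suite_sizes aes128_gcm_sha256 = { 0, 16, 4 };

/* Key material the PRF must produce: each size twice, once per direction. */
size_t
tls12_key_block_len(const struct tls12_suite_sizes *s)
{
	return 2 * (s->mac_key_len + s->key_len + s->iv_len);
}

/* Where the server write IV starts; handy for checking the layout. */
size_t
tls12_server_iv_offset(const struct tls12_suite_sizes *s)
{
	return 2 * s->mac_key_len + 2 * s->key_len + s->iv_len;
}

/*
 * Hand out the secrets in the fixed order MAC keys, keys, IVs (client first
 * in each pair). Returns 0 if the block is not exactly the length the suite
 * needs: a miscomputed length would otherwise silently hand out key bytes
 * as IV bytes, or run past the end of the block.
 */
int
tls12_key_block_partition(const struct tls12_suite_sizes *s,
    const uint8_t *key_block, size_t key_block_len, struct tls12_secrets *out)
{
	const uint8_t *p = key_block;

	if (key_block_len != tls12_key_block_len(s))
		return 0;
	out->client_write_mac_key = p;	p += s->mac_key_len;
	out->server_write_mac_key = p;	p += s->mac_key_len;
	out->client_write_key = p;	p += s->key_len;
	out->server_write_key = p;	p += s->key_len;
	out->client_write_iv = p;	p += s->iv_len;
	out->server_write_iv = p;	p += s->iv_len;
	return p == key_block + key_block_len;
}

int
main(void)
{
	/* Constructed key block: byte i holds the value i so offsets show. */
	uint8_t key_block[104];
	struct tls12_secrets sec;
	size_t i;

	for (i = 0; i < sizeof(key_block); i++)
		key_block[i] = (uint8_t)i;

	if (tls12_key_block_partition(&aes128_gcm_sha256, key_block, 40, &sec))
		printf("GCM: server key at %d, server IV at %d\n",
		    sec.server_write_key[0], sec.server_write_iv[0]);	/* 16, 36 */
	if (tls12_key_block_partition(&aes128_sha, key_block, 104, &sec))
		printf("CBC: server key at %d, server IV at %d\n",
		    sec.server_write_key[0], sec.server_write_iv[0]);	/* 56, 88 */
	/* Sizing the block for the wrong suite is rejected, not misread. */
	printf("GCM suite with 104-byte block: %d\n",
	    tls12_key_block_partition(&aes128_gcm_sha256, key_block, 104, &sec));
	return 0;
}
```

Getting iv_len wrong for GCM (16 instead of 4) shifts nothing in this partition, but it makes the PRF produce 24 bytes more than the suite uses; the opposite mistake, an IV length too small, would place the server write IV inside the client write IV, and the length check above is what turns that into an error instead of a silent misuse of key material.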


# 1.38 01-Jun-2014 jsing

Clean up the tls1_change_cipher_state() key length handling and use a
single variable with a descriptive name, instead of two poorly named
variables.

Largely based on Adam Langley's chromium patches.

ok miod@


# 1.37 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.36 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.35 29-May-2014 jsing

Fix another two cases where the return value of ssl_replace_hash() is
unchecked.

In the case of tls1_change_cipher_state(), it is fairly pointless to use
ssl_replace_hash(), since it does not initialise the hash and there is
special handling required in the DTLS write case. Instead, just inline
the part of ssl_replace_hash() that is needed and only
ssl_clear_hash_ctx() the write hash in the non-DTLS case.

Also add a detailed comment explaining why there needs to be specialised
handling for DTLS write context and where the contexts are actually freed.

ok miod@


# 1.34 28-May-2014 jsing

More KNF.


# 1.33 28-May-2014 jsing

Refactor tls1_change_cipher_state() and split the compression handling out
from the cipher and message digest handling, allowing for upcoming changes.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.32 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.31 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.30 25-May-2014 jsing

The ssl_cipher_get_evp() function is currently overloaded to also return the
compression associated with the SSL session. Based on one of Adam Langley's
chromium diffs, factor out the compression handling code into a separate
ssl_cipher_get_comp() function.

Rewrite the compression handling code to avoid pointless duplication and so
that failures are actually returned to and detectable by the caller.

ok miod@


# 1.29 24-May-2014 miod

Invoke OPENSSL_cleanse() with the size of the variable you are cleaning.
ok jsing@


# 1.28 20-May-2014 jsing

KSSL is dead... nuke KSSL_DEBUG from orbit.

ok beck@ miod@


# 1.27 28-Apr-2014 tedu

use the correct algorithm mask. reported by satish lvr via
http://marc.info/?l=openssl-dev&m=139779977532459&w=2
ok miod


# 1.26 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.25 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.24 19-Apr-2014 jsing

More KNF.


# 1.23 18-Apr-2014 tedu

now that knf carpet bombing is finished, switch to hand to hand combat.
still not sure what to make of mysteries like this:
for (i = 7; i >= 0; i--) { /* increment */


# 1.22 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.21 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.20 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.19 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.18 27-Feb-2014 jca

SECURITY fixes backported from openssl-1.0.1f. ok mikeb@

CVE-2013-4353 NULL pointer dereference with crafted Next Protocol
Negotiation record in TLS handshake.
Upstream: 197e0ea

CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client.
Upstream: ca98926, 0294b2b

CVE-2013-6450 Fix DTLS retransmission from previous session.
Upstream: 3462896


# 1.17 14-Feb-2013 markus

cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.14 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.13 09-Jan-2009 djm

resolve conflicts


# 1.12 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.11 06-Sep-2008 djm

resolve conflicts


# 1.10 29-Apr-2005 djm

resolve conflicts


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 01-Aug-2001 beck

merge openssl 0.9.6b-engine

Note that this is a maintenance release, API's appear *not* to have changed.
As such, I have only increased the minor number on these libraries


# 1.5 22-Jun-2001 beck

openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision




# 1.70 18-Oct-2014 doug

Typical malloc() with size multiplication to reallocarray().

ok deraadt@


# 1.69 07-Aug-2014 miod

Oops, revert changes committed by mistake. The previous commit was supposed
to only apply to s23_srvr.c.


# 1.68 07-Aug-2014 miod

When you expect a function to return a particular value, don't put a comment
saying that you expect it to return that value and compare it against zero
because it is supposedly faster, for this leads to bugs (especially given the
high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this
library).

Instead, compare for the exact value it ought to return upon success.

ok deraadt@


# 1.67 10-Jul-2014 jsing

Remove more compression related code.


# 1.66 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.65 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.64 08-Jul-2014 beck

pedantic avoidance of division by zero, likely not actually
possible to hit for real.
ok miod@ jsing@


# 1.63 21-Jun-2014 jsing

Pull the code that builds a DTLS sequence number out into its own function
to avoid duplication. Also use fewer magic numbers.

ok miod@


# 1.62 21-Jun-2014 jsing

Pull out the sequence number selection and handle this up front. Also, the
correct record is already known, so avoid reassignment.


# 1.61 21-Jun-2014 jsing

More KNF and clean up.


# 1.60 15-Jun-2014 jsing

Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(),
so that it reflects what it is actually doing. Use this function in a
number of places that still have the hand rolled version.

ok beck@ miod@


# 1.59 13-Jun-2014 jsing

Correctly calculate the key block length when using export ciphers.


# 1.58 13-Jun-2014 jsing

Swap compress/expand around so they are in the correct order - these ended
up in the wrong order when the code was refactored.


# 1.57 13-Jun-2014 jsing

Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and
EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.


# 1.56 13-Jun-2014 jsing

Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are
those that use EVP_AEAD instead of EVP_CIPHER. This means being able to
change cipher state with an EVP_AEAD and being able to encrypt/decrypt
TLS using the EVP_AEAD. This has no change on existing
non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.

Based on Adam Langley's chromium patches.

Rides the recent libssl bump.

Tested by sthen@


# 1.55 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, which draft has expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.54 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.53 11-Jun-2014 jsing

Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since
OpenSSL 1.0.0.

ok miod@ (a little while back)


# 1.52 10-Jun-2014 jsing

In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex()
to avoid a possible NULL function call on ctx.final(). None of the callers
currently check the return value of calls to cert_verify_mac(), however
the function already returns 0 in another case and the MAC comparison will
later fail.

Issue reported by David Ramos.


# 1.51 08-Jun-2014 jsing

Add a define for the SSLv3 sequence size and use it, rather than sprinkling
magic numbers around.

ok deraadt@


# 1.50 08-Jun-2014 jsing

Be explicit with types. No binary change.


# 1.49 08-Jun-2014 jsing

Factor out the part of tls1_change_cipher_state() that is specific to
switching cipher states using an EVP_CIPHER. This will facilitate the
addition of cipher state changes for EVP_AEAD. No functional change.

Based on Adam Langley's chromium patches.


# 1.48 08-Jun-2014 jsing

Factor out the sequence number reset code to aid in upcoming changes.


# 1.47 07-Jun-2014 jsing

Add missing NULL check after calling EVP_PKEY_new_mac_key().

Based on Adam Langley's chromium patches.


# 1.46 07-Jun-2014 jsing

Use !is_read to imply SSL3_CC_WRITE.

While this is not strictly correct (since the presence of SSL3_CC_READ does
not guarantee the absence of SSL3_CC_WRITE), in practice only one of these
flags is set at a time and there is existing logic which already relies on
this behaviour.


# 1.45 07-Jun-2014 jsing

Move the export label initialisation into the export handling code, since
this is the only place where these variables are used.


# 1.44 07-Jun-2014 jsing

Remove pointless casts - no binary change.


# 1.43 07-Jun-2014 jsing

Rename variables to make it clear that these are only used in the export
code. Additionally, these need to be cleaned in the export case.

Based on Adam Langley's chromium patches.


# 1.42 07-Jun-2014 jsing

Further clean up of context handling in tls1_change_cipher_state().

Rather than doing a complex dance to figure out if we should reuse the
cipher context and clean it later on, just free it and allocate a new one.
This simplifies the code path, especially in the write case where special
handling is required for DTLS.

Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is
unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention
that it was already missing from the write case).


# 1.41 02-Jun-2014 jsing

Rename more variables for readability and consistency.


# 1.40 01-Jun-2014 jsing

Overhaul the key block handling in tls1_change_cipher_state() - use
meaningful variable names with pointer arithmetic, rather than n, i, j
and p with array indexing.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.39 01-Jun-2014 jsing

In tls1_setup_key_block(), use the correct IV length for GCM mode, which
results in the key block length calculation also being correct. Rename a
number of variables so that their purpose becomes clear and simplify some
of the code.

Inspired by Adam Langley's chromium diffs.

ok miod@


# 1.38 01-Jun-2014 jsing

Clean up the tls1_change_cipher_state() key length handling and use a
single variable with a descriptive name, instead of two poorly named
variables.

Largely based on Adam Langley's chromium patches.

ok miod@


# 1.37 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.36 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.35 29-May-2014 jsing

Fix another two cases where the return value of ssl_replace_hash() is
unchecked.

In the case of tls1_change_cipher_state(), it is fairly pointless to use
ssl_replace_hash(), since it does not initialise the hash and there is
special handling required in the DTLS write case. Instead, just inline
the part of ssl_replace_hash() that is needed and only
ssl_clear_hash_ctx() the write hash in the non-DTLS case.

Also add a detailed comment explaining why there needs to be specialised
handling for DTLS write context and where the contexts are actually freed.

ok miod@


# 1.34 28-May-2014 jsing

More KNF.


# 1.33 28-May-2014 jsing

Refactor tls1_change_cipher_state() and split the compression handling out
from the cipher and message digest handling, allowing for upcoming changes.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.32 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.31 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.30 25-May-2014 jsing

The ssl_cipher_get_evp() function is currently overloaded to also return the
compression associated with the SSL session. Based on one of Adam Langley's
chromium diffs, factor out the compression handling code into a separate
ssl_cipher_get_comp() function.

Rewrite the compression handling code to avoid pointless duplication and so
that failures are actually returned to and detectable by the caller.

ok miod@


# 1.29 24-May-2014 miod

Invoke OPENSSL_cleanse() with the size of the variable you are cleaning.
ok jsing@


# 1.28 20-May-2014 jsing

KSSL is dead... nuke KSSL_DEBUG from orbit.

ok beck@ miod@


# 1.27 28-Apr-2014 tedu

use the correct algorithm mask. reported by satish lvr via
http://marc.info/?l=openssl-dev&m=139779977532459&w=2
ok miod


# 1.26 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.25 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.24 19-Apr-2014 jsing

More KNF.


# 1.23 18-Apr-2014 tedu

now that knf carpet bombing is finished, switch to hand to hand combat.
still not sure what to make of mysteries like this:
for (i = 7; i >= 0; i--) { /* increment */


# 1.22 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.21 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.20 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.19 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.18 27-Feb-2014 jca

SECURITY fixes backported from openssl-1.0.1f. ok mikeb@

CVE-2013-4353 NULL pointer dereference with crafted Next Protocol
Negotiation record in TLS handshake.
Upstream: 197e0ea

CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client.
Upstream: ca98926, 0294b2b

CVE-2013-6450 Fix DTLS retransmission from previous session.
Upstream: 3462896


# 1.17 14-Feb-2013 markus

cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.14 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.13 09-Jan-2009 djm

resolve conflicts


# 1.12 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.11 06-Sep-2008 djm

resolve conflicts


# 1.10 29-Apr-2005 djm

resolve conflicts


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 01-Aug-2001 beck

merge openssl 0.9.6b-engine

Note that this is a maintenance release, APIs appear *not* to have changed.
As such, I have only increased the minor number on these libraries.


# 1.5 22-Jun-2001 beck

openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.148 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.147 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.146 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.145 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.144 05-May-2021 jsing

Replace DTLS w_epoch with epoch from TLSv1.2 record layer.

ok inoguchi@ tb@


# 1.143 05-May-2021 jsing

Rewrite TLSv1.2 key block handling.

For TLSv1.2 a single key block is generated, then partitioned into
individual secrets for use as IVs and keys. The previous implementation
splits this across two functions tls1_setup_key_block() and
tls1_change_cipher_state(), which means that the IV and key sizes have to
be known in multiple places.

This implementation generates and partitions the key block in a single
step, meaning that the secrets are then simply handed out when requested.

ok inoguchi@ tb@


# 1.142 02-May-2021 jsing

Clean up tls1_change_cipher_state().

Replace flag gymnastics at call sites with separate read and write
functions which call the common code. Condition on s->server instead of
using SSL_ST_ACCEPT, for consistency and more readable code.

ok inoguchi@ tb@


# 1.141 02-May-2021 jsing

Clean up dtls1_reset_seq_numbers().

Rather than doing flag gymnastics, split dtls1_reset_seq_numbers() into
separate read and write functions. Move the calls of these functions into
tls1_change_cipher_state() so they directly follow the change of cipher
state in the record layer, which avoids having to duplicate the calls in
the client and server.

ok inoguchi@ tb@


# 1.140 30-Apr-2021 jsing

Clean up and harden TLSv1.2 master key derivation.

The master key and its length are only stored in one location, so it makes
no sense to handle these outside of the derivation function (the current
'out' argument is unused). This simplifies the various call sites.

If derivation fails for some reason, fail hard rather than continuing on
and hoping that something deals with this correctly later.

ok inoguchi@ tb@


# 1.139 25-Apr-2021 jsing

Clean up derivation of finished/peer finished.

Make this process more readable by having specific client/server functions,
calling the correct one based on s->server. This allows us to remove various
SSL_ST_ACCEPT/SSL_ST_CONNECT checks, along with duplicate code.

ok inoguchi@ tb@


# 1.138 19-Apr-2021 jsing

Remove new_sym_enc and new_aead.

These can be replaced with accessors that allow this information to be
retrieved from the new record layer.

ok inoguchi@ tb@


# 1.137 19-Apr-2021 jsing

Move new_mac_secret_size into the TLSv1.2 handshake struct.

Drop the 'new_' prefix in the process.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_9_BASE
# 1.136 29-Mar-2021 jsing

Move the TLSv1.2 record number increment into the new record layer.

This adds checks (based on the TLSv1.3 implementation) to ensure that the
TLS/DTLS sequence numbers do not wrap, as required by the respective RFCs.

ok inoguchi@ tb@


# 1.135 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.134 24-Mar-2021 jsing

Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.

Move TLSv1.2 specific components over from SSL_HANDSHAKE.

ok inoguchi@ tb@


# 1.133 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.132 03-Feb-2021 tb

Fail early in legacy exporter if master secret is not available

The exporter depends on having a master secret. If the handshake is
not completed, it is neither guaranteed that a shared ciphersuite was
selected (in which case tls1_PRF() will currently NULL deref) nor that
a master secret was set up (in which case the exporter will succeed
with a predictable value). Neither outcome is desirable, so error out
early instead of entering the sausage factory unprepared. This aligns
the legacy exporter with the TLSv1.3 exporter in that regard.

with/ok jsing


# 1.131 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.130 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.129 19-Jan-2021 jsing

Add code to handle change of cipher state in the new TLSv1.2 record layer.

This provides the basic framework for handling change of cipher state in
the new TLSv1.2 record layer, creating new record protection. In the DTLS
case we retain the previous write record protection and can switch back to
it when retransmitting. This will allow the record layer to start owning
sequence numbers and encryption/decryption state.

ok inoguchi@ tb@


# 1.128 07-Jan-2021 jsing

Move the read MAC key into the TLSv1.2 record layer.

ok inoguchi@ tb@


# 1.127 11-Nov-2020 jsing

Use size_t for key_block_len.

This allows us to remove a check and will make future changes simpler. Use
suitable names for tls1_generate_key_block() arguments while here.

ok inoguchi@ tb@


# 1.126 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.125 07-Oct-2020 jsing

Mop up various things that are now unused with the new record layer.

ok inoguchi@ tb@


# 1.124 03-Oct-2020 jsing

Reimplement the TLSv1.2 record handling for the read side.

This is the next step in replacing the TLSv1.2 record layer.

The existing record handling code does decryption and processing in
place, which is not ideal for various reasons, however it is retained
for now as other code depends on this behaviour. Additionally, CBC
requires special handling to avoid timing oracles - for now the
existing timing safe code is largely retained.

ok beck@ inoguchi@ tb@


Revision tags: OPENBSD_6_8_BASE
# 1.123 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_7_BASE
# 1.122 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.121 13-Mar-2020 jsing

Remove dtls1_enc().

Like much of the original DTLS code, dtls1_enc() is effectively a renamed
copy of tls1_enc(). Since then tls1_enc() has been modified, however the
non-AEAD code remains largely the same. As such, remove dtls1_enc() and
instead call tls1_enc() from the DTLS code.

The tls1_enc() AEAD code does not currently work correctly with DTLS,
however this is a non-issue since we do not support AEAD cipher suites with
DTLS currently.

ok tb@


# 1.120 12-Mar-2020 jsing

Stop overloading the record type for padding length.

Currently the CBC related code stuffs the padding length in the upper bits
of the type field... stop doing that and add a padding_length field to the
record struct instead.

ok inoguchi@ tb@


# 1.119 12-Mar-2020 jsing

Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.

SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in
public headers, even though their usage is internal. This moves to
using _INTERNAL suffixed versions that are in internal headers, which
then allows us to change them without any potential public API fallout.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.118 13-May-2019 bcook

Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.

Fixes COV-174858

ok tb@


Revision tags: OPENBSD_6_5_BASE
# 1.117 09-Feb-2019 jsing

Rename tls1_handshake_hash*() to tls1_transcript_hash*().

While handshake hash is correct (in as far as it is a hash of handshake
messages), using tls1_transcript_hash*() aligns them with the naming of the
tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses
Transcript-Hash and "transcript hash", which this matches.

ok inoguchi@ tb@


# 1.116 08-Nov-2018 jsing

Clean up and simplify the handshake transcript code.

This provides a cleaner, simpler and more readable API, with code that uses
a BUF_MEM instead of a BIO.

ok beck@ ("hurry up") and tb@.


# 1.115 24-Oct-2018 jsing

Make more of libssl's record layer state internal.

In January 2017, we changed large amounts of libssl's data structures to
be non-visible/internal, however intentionally left things that the
software ecosystem was needing to use. The four or so applications that
reached into libssl for record layer related state now implement
alternative code. As such, make these data structures internal.

ok tb@


Revision tags: OPENBSD_6_4_BASE
# 1.114 08-Sep-2018 jsing

Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.

ok inoguchi@ tb@


# 1.113 06-Sep-2018 jsing

Drop SSL_CIPHER_ALGORITHM2_AEAD flag.

All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can
condition on that rather than having a separate redundant flag.

ok tb@


# 1.112 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.111 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.110 31-Aug-2018 jsing

Remove unused argument to tls1_change_cipher_state_cipher().


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.109 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.108 10-Apr-2017 jsing

freezero() the key block; simpler code and less of it.


Revision tags: OPENBSD_6_1_BASE
# 1.107 25-Mar-2017 jsing

Check tls1_PRF() return value in tls1_generate_master_secret().


# 1.106 25-Mar-2017 jsing

More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of
tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument
names and change lengths to size_t.

ok inoguchi@


# 1.105 18-Mar-2017 jsing

Fewer magic numbers.


# 1.104 18-Mar-2017 jsing

t1_enc.c


# 1.103 18-Mar-2017 jsing

Currently tls1_PRF() requires that a temporary buffer be provided, that
matches the size of the output buffer. This is used in the case where
there are multiple hashes - tls1_P_hash() is called with the temporary
buffer and the result is then xored into the output buffer.

Avoid this by simply using a local buffer in tls1_P_hash() and then xoring
the result into the output buffer. Overall this makes the code cleaner
and simplifies all of the tls1_PRF() callers.

Similar to BoringSSL.

ok inoguchi@


# 1.102 10-Mar-2017 jsing

Remove the handshake digests and related code, replacing remaining uses
with the handshake hash. For now tls1_digest_cached_records() is retained
to release the handshake buffer.

ok beck@ inoguchi@


# 1.101 10-Mar-2017 jsing

First pass at cleaning up the tls1_P_hash() function - remove a pointless
EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the
code slightly.

ok inoguchi@


# 1.100 10-Mar-2017 jsing

Make tls1_PRF() non-static so it can be regress tested.


# 1.99 07-Mar-2017 jsing

Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned
and each hash processed separately.

Tested by tb@
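The PRF handling described in 1.99 and 1.103 (the secret partitioned between MD5 and SHA1, each P_hash expansion XORed into one output buffer) together with the single-step key block generation and partitioning described in 1.143, as an added illustration in Python; this is not libssl's code. It relies only on the standard library hmac/hashlib modules, and the field layout, hash names and sample secrets are constructed for the example.

```python
"""TLS PRF and key block expansion, illustrating the t1_enc.c history.

Added example, not libssl's code. Uses only the standard library.
All sample inputs below are constructed and are not real handshake material.
"""
import hmac


def p_hash(hash_name, secret, seed, out_len):
    """RFC 5246 section 5 data expansion P_hash(secret, seed).

    A(0) = seed, A(i) = HMAC(secret, A(i-1)); the output is the
    concatenation of HMAC(secret, A(i) + seed) truncated to out_len bytes.
    """
    out = bytearray()
    a = seed
    while len(out) < out_len:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return bytes(out[:out_len])


def split_secret(secret):
    """Partition the secret for the TLS 1.0/1.1 PRF (RFC 2246 section 5).

    S1 is the first half and S2 the second half; when the length is odd the
    two halves share the middle byte. This is the partitioning that the
    1.99 commit refers to: each half feeds a different hash.
    """
    half = (len(secret) + 1) // 2
    return secret[:half], secret[len(secret) - half:]


def tls10_prf(secret, label, seed, out_len):
    """TLS 1.0/1.1 PRF: P_MD5(S1, label + seed) XOR P_SHA1(S2, label + seed)."""
    s1, s2 = split_secret(secret)
    md5_stream = p_hash("md5", s1, label + seed, out_len)
    sha1_stream = p_hash("sha1", s2, label + seed, out_len)
    # XOR the two expansions into a single output buffer (the step that the
    # 1.103 commit moved from tls1_PRF() into tls1_P_hash()).
    return bytes(x ^ y for x, y in zip(md5_stream, sha1_stream))


def tls12_prf(secret, label, seed, out_len, hash_name="sha256"):
    """TLS 1.2 PRF: one P_hash over the whole secret with the suite's hash."""
    return p_hash(hash_name, secret, label + seed, out_len)


# Order in which RFC 5246 section 6.3 slices the key block.
KEY_BLOCK_FIELDS = (
    "client_write_mac_key", "server_write_mac_key",
    "client_write_key", "server_write_key",
    "client_write_iv", "server_write_iv",
)


def key_block(master_secret, server_random, client_random,
              mac_len, key_len, iv_len, prf=tls12_prf):
    """Generate and partition the key block in a single step.

    key_block = PRF(master_secret, "key expansion",
                    server_random + client_random)
    is sliced, in order, into the six secrets. AEAD suites use mac_len = 0;
    for GCM, iv_len is the 4-byte implicit nonce (as noted in 1.39).
    """
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    block = prf(master_secret, b"key expansion",
                server_random + client_random, sum(sizes))
    secrets = {}
    offset = 0
    for name, size in zip(KEY_BLOCK_FIELDS, sizes):
        secrets[name] = block[offset:offset + size]
        offset += size
    assert offset == len(block)  # every byte handed out, none left over
    return secrets


# Constructed sample values (not real handshake material).
SAMPLE_MASTER = bytes(range(48))
SAMPLE_CLIENT_RANDOM = b"\x11" * 32
SAMPLE_SERVER_RANDOM = b"\x22" * 32

if __name__ == "__main__":
    # AES-128-GCM style layout: no MAC key, 16-byte keys, 4-byte implicit IVs
    secrets = key_block(SAMPLE_MASTER, SAMPLE_SERVER_RANDOM,
                        SAMPLE_CLIENT_RANDOM, 0, 16, 4)
    for name, value in secrets.items():
        print(f"{name:22s} {value.hex()}")
```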


# 1.98 06-Mar-2017 jsing

Clean up and simplify the tls1_PRF() implementation now that we have a
single EVP MD for the PRF hash.

ok beck@ inoguchi@


# 1.97 05-Mar-2017 jsing

Provide a rolling handshake hash that commences as soon as the cipher
suite has been selected, and convert the final finish MAC to use this
handshake hash.

This is a first step towards cleaning up the current handshake
buffer/digest code.

ok beck@ inoguchi@


# 1.96 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.95 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.94 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.93 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.92 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.91 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.90 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.89 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.88 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.87 06-Nov-2016 jsing

Remove unused SSLv3 from ssl3_cbc_record_digest_supported().

From Markus Uhlin <markus.uhlin at bredband dot net>

ok beck@ bcook@


# 1.86 03-Nov-2016 jsing

Clean up the TLS handshake digest handling - this refactors some of the
code for improved readability, however it also addresses two issues.

The first of these is a hard-to-hit double free that will occur if
EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure
that tls1_digest_cached_records() either completes successfully and sets
up all of the necessary digests, or it cleans up and frees everything
that was allocated.

The second issue is that EVP_DigestUpdate() can fail - detect and handle
this in tls1_finish_mac() and change the return type to an int so that a
failure can be propagated to the caller (the callers still need to be
fixed to handle this, in a later diff).

The double-free was reported by Matthew Dillon.

ok beck@ doug@ miod@


# 1.85 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replaces the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.84 06-Mar-2016 beck

Make sure stdio functions don't end up in the library, from miod@
ok doug@ bcook@


# 1.83 11-Sep-2015 jsing

Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a
ssl3_ prefix.

ok beck@


# 1.82 11-Sep-2015 jsing

Merge the remnants of s3_enc.c into t1_enc.c.

ok beck@


# 1.81 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.80 27-Aug-2015 jsing

Change AEAD out_len argument to size_t instead of ssize_t - while here,
rename it to out_len so that its purpose is more obvious. Also, drop two
checks that are no longer possible (and have not been for a long time).

Spotted by and ok doug@


# 1.79 17-Jul-2015 doug

Remove workaround for TLS padding bug from SSLeay days.

OpenSSL doesn't remember which clients were impacted and the
functionality has been broken in their stable releases for 2 years.

Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.

ok jsing@


# 1.78 17-Jun-2015 jsing

Keep alerts sorted by alert code.


# 1.77 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
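The server-side check this entry adds, shown as an added example written against RFC 7507 rather than taken from libssl. The constants, function names and the sample ClientHello bytes are this example's own (constructed), and the client-side helper is included only to show the other half of the mechanism the entry says both ends must implement. It also carries the caveat that DTLS version numbers compare in the opposite direction.

```python
# Added example (not libssl code): TLS_FALLBACK_SCSV per RFC 7507.

TLS_FALLBACK_SCSV = 0x5600          # cipher suite value {0x56, 0x00}
INAPPROPRIATE_FALLBACK = 86         # AlertDescription inappropriate_fallback

TLS1_0, TLS1_1, TLS1_2 = 0x0301, 0x0302, 0x0303
DTLS1_0, DTLS1_2 = 0xFEFF, 0xFEFD   # DTLS numbers run backwards (RFC 6347 4.2.1)


def is_higher(a, b, dtls=False):
    """True if protocol version a is newer than b; DTLS compares inverted."""
    return a < b if dtls else a > b


def parse_cipher_suites(data):
    """Parse the uint16-length-prefixed cipher_suites vector of a ClientHello."""
    if len(data) < 2:
        raise ValueError("truncated cipher_suites length")
    n = int.from_bytes(data[:2], "big")
    body = data[2:2 + n]
    if n % 2 or len(body) != n:
        raise ValueError("malformed cipher_suites vector")
    return [int.from_bytes(body[i:i + 2], "big") for i in range(0, n, 2)]


def server_check_fallback(client_version, cipher_suites, server_max_version,
                          dtls=False):
    """RFC 7507 section 3: if the ClientHello carries the SCSV and this server
    supports a version newer than client_version, abort with a fatal
    inappropriate_fallback alert.  Returns the alert code, or None to
    proceed with the handshake."""
    if TLS_FALLBACK_SCSV not in cipher_suites:
        return None
    if is_higher(server_max_version, client_version, dtls):
        return INAPPROPRIATE_FALLBACK
    return None


def client_hello_suites(real_suites, attempt_version, client_max_version,
                        dtls=False):
    """RFC 7507 section 4: a client adds the SCSV only when it is retrying at
    a version below the highest it supports, i.e. when it is the one doing
    the downgrade.  A first attempt at the client's maximum carries no SCSV."""
    suites = list(real_suites)
    if is_higher(client_max_version, attempt_version, dtls):
        suites.append(TLS_FALLBACK_SCSV)
    return suites


if __name__ == "__main__":
    # Constructed ClientHello cipher_suites field: TLS_RSA_WITH_AES_128_CBC_SHA
    # followed by TLS_FALLBACK_SCSV.
    hello_suites = parse_cipher_suites(b"\x00\x04\x00\x2f\x56\x00")
    # A TLS 1.2 client that fell back to TLS 1.0, talking to a TLS 1.2 server:
    print(server_check_fallback(TLS1_0, hello_suites, TLS1_2))      # 86
    # The same ClientHello against a server that only speaks TLS 1.0:
    print(server_check_fallback(TLS1_0, hello_suites, TLS1_0))      # None
    # A genuine TLS 1.0-only client never sends the SCSV, so it is unaffected:
    print(server_check_fallback(TLS1_0, [0x002F], TLS1_2))          # None
```

Note that the check fires only on the combination of SCSV plus a server that could have done better; a client that sends the SCSV on every connection, or a server whose maximum equals the attempted version, never triggers the alert, which is why the feature is useless unless both ends implement it as the entry says.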


# 1.76 07-Feb-2015 doug

Remove useless variables and use the values directly.

From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.

ok miod@, jsing@


# 1.75 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.74 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.73 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.72 16-Nov-2014 jsing

Sort and group includes.


# 1.71 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.70 18-Oct-2014 doug

Typical malloc() with size multiplication to reallocarray().

ok deraadt@


# 1.69 07-Aug-2014 miod

Oops, revert changes committed by mistake. The previous commit was supposed
to only apply to s23_srvr.c.


# 1.68 07-Aug-2014 miod

When you expect a function to return a particular value, don't put a comment
saying that you expect it to return that value and compare it against zero
because it is supposedly faster, for this leads to bugs (especially given the
high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this
library).

Instead, compare for the exact value it ought to return upon success.

ok deraadt@


# 1.67 10-Jul-2014 jsing

Remove more compression related code.


# 1.66 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.65 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.64 08-Jul-2014 beck

pedantic avoidance of division by zero, likely not actually
possible to hit for real.
ok miod@ jsing@


# 1.63 21-Jun-2014 jsing

Pull the code that builds a DTLS sequence number out into its own function
to avoid duplication. Also use fewer magic numbers.

ok miod@


# 1.62 21-Jun-2014 jsing

Pull out the sequence number selection and handle this up front. Also, the
correct record is already known, so avoid reassignment.


# 1.61 21-Jun-2014 jsing

More KNF and clean up.


# 1.60 15-Jun-2014 jsing

Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(),
so that it reflects what it is actually doing. Use this function in a
number of places that still have the hand rolled version.

ok beck@ miod@


# 1.59 13-Jun-2014 jsing

Correctly calculate the key block length when using export ciphers.


# 1.58 13-Jun-2014 jsing

Swap compress/expand around so they are in the correct order - these ended
up in the wrong order when the code was refactored.


# 1.57 13-Jun-2014 jsing

Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and
EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.


# 1.56 13-Jun-2014 jsing

Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are
those that use EVP_AEAD instead of EVP_CIPHER. This means being able to
change cipher state with an EVP_AEAD and being able to encrypt/decrypt
TLS using the EVP_AEAD. This has no change on existing
non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.

Based on Adam Langley's chromium patches.

Rides the recent libssl bump.

Tested by sthen@


# 1.55 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.54 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.53 11-Jun-2014 jsing

Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since
OpenSSL 1.0.0.

ok miod@ (a little while back)


# 1.52 10-Jun-2014 jsing

In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex()
to avoid a possible NULL function call on ctx.final(). None of the callers
currently check the return value of calls to cert_verify_mac(), however
the function already returns 0 in another case and the MAC comparison will
later fail.

Issue reported by David Ramos.


# 1.51 08-Jun-2014 jsing

Add a define for the SSLv3 sequence size and use it, rather than sprinkling
magic numbers around.

ok deraadt@


# 1.50 08-Jun-2014 jsing

Be explicit with types. No binary change.


# 1.49 08-Jun-2014 jsing

Factor out the part of tls1_change_cipher_state() that is specific to
switching cipher states using an EVP_CIPHER. This will facilitate the
addition of cipher state changes for EVP_AEAD. No functional change.

Based on Adam Langley's chromium patches.


# 1.48 08-Jun-2014 jsing

Factor out the sequence number reset code to aid in upcoming changes.


# 1.47 07-Jun-2014 jsing

Add missing NULL check after calling EVP_PKEY_new_mac_key().

Based on Adam Langley's chromium patches.


# 1.46 07-Jun-2014 jsing

Use !is_read to imply SSL3_CC_WRITE.

While this is not strictly correct (since the presence of SSL3_CC_READ does
not guarantee the absence of SSL3_CC_WRITE), in practice only one of these
flags is set at a time and there is existing logic which already relies on
this behaviour.


# 1.45 07-Jun-2014 jsing

Move the export label initialisation into the export handling code, since
this is the only place where these variables are used.


# 1.44 07-Jun-2014 jsing

Remove pointless casts - no binary change.


# 1.43 07-Jun-2014 jsing

Rename variables to make it clear that these are only used in the export
code. Additionally, these need to be cleaned in the export case.

Based on Adam Langley's chromium patches.


# 1.42 07-Jun-2014 jsing

Further clean up of context handling in tls1_change_cipher_state().

Rather than doing a complex dance to figure out if we should reuse the
cipher context and clean it later on, just free it and allocate a new one.
This simplifies the code path, especially in the write case where special
handling is required for DTLS.

Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is
unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention
that it was already missing from the write case).


# 1.41 02-Jun-2014 jsing

Rename more variables for readability and consistency.


# 1.40 01-Jun-2014 jsing

Overhaul the key block handling in tls1_change_cipher_state() - use
meaningful variable names with pointer arithmetic, rather than n, i, j
and p with array indexing.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.39 01-Jun-2014 jsing

In tls1_setup_key_block(), use the correct IV length for GCM mode, which
results in the key block length calculation also being correct. Rename a
number of variables so that their purpose becomes clear and simplify some
of the code.

Inspired by Adam Langley's chromium diffs.

ok miod@


# 1.38 01-Jun-2014 jsing

Clean up the tls1_change_cipher_state() key length handling and use a
single variable with a descriptive name, instead of two poorly named
variables.

Largely based on Adam Langley's chromium patches.

ok miod@


# 1.37 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.36 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.35 29-May-2014 jsing

Fix another two cases where the return value of ssl_replace_hash() is
unchecked.

In the case of tls1_change_cipher_state(), it is fairly pointless to use
ssl_replace_hash(), since it does not initialise the hash and there is
special handling required in the DTLS write case. Instead, just inline
the part of ssl_replace_hash() that is needed and only
ssl_clear_hash_ctx() the write hash in the non-DTLS case.

Also add a detailed comment explaining why there needs to be specialised
handling for DTLS write context and where the contexts are actually freed.

ok miod@


# 1.34 28-May-2014 jsing

More KNF.


# 1.33 28-May-2014 jsing

Refactor tls1_change_cipher_state() and split the compression handling out
from the cipher and message digest handling, allowing for upcoming changes.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.32 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.31 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.30 25-May-2014 jsing

The ssl_cipher_get_evp() function is currently overloaded to also return the
compression associated with the SSL session. Based on one of Adam Langley's
chromium diffs, factor out the compression handling code into a separate
ssl_cipher_get_comp() function.

Rewrite the compression handling code to avoid pointless duplication and so
that failures are actually returned to and detectable by the caller.

ok miod@


# 1.29 24-May-2014 miod

Invoke OPENSSL_cleanse() with the size of the variable you are cleaning.
ok jsing@


# 1.28 20-May-2014 jsing

KSSL is dead... nuke KSSL_DEBUG from orbit.

ok beck@ miod@


# 1.27 28-Apr-2014 tedu

use the correct algorithm mask. reported by satish lvr via
http://marc.info/?l=openssl-dev&m=139779977532459&w=2
ok miod


# 1.26 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.25 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.24 19-Apr-2014 jsing

More KNF.


# 1.23 18-Apr-2014 tedu

now that knf carpet bombing is finished, switch to hand to hand combat.
still not sure what to make of mysteries like this:
for (i = 7; i >= 0; i--) { /* increment */


# 1.22 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.21 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.20 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.19 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.18 27-Feb-2014 jca

SECURITY fixes backported from openssl-1.0.1f. ok mikeb@

CVE-2013-4353 NULL pointer dereference with crafted Next Protocol
Negotiation record in TLS handshake.
Upstream: 197e0ea

CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client.
Upstream: ca98926, 0294b2b

CVE-2013-6450 Fix DTLS retransmission from previous session.
Upstream: 3462896


# 1.17 14-Feb-2013 markus

cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.14 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.13 09-Jan-2009 djm

resolve conflicts


# 1.12 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.11 06-Sep-2008 djm

resolve conflicts


# 1.10 29-Apr-2005 djm

resolve conflicts


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 01-Aug-2001 beck

merge openssl 0.9.6b-engine

Note that this is a maintenance release, APIs appear *not* to have changed.
As such, I have only increased the minor number on these libraries


# 1.5 22-Jun-2001 beck

openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.147 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.146 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.145 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.144 05-May-2021 jsing

Replace DTLS w_epoch with epoch from TLSv1.2 record layer.

ok inoguchi@ tb@


# 1.143 05-May-2021 jsing

Rewrite TLSv1.2 key block handling.

For TLSv1.2 a single key block is generated, then partitioned into
individual secrets for use as IVs and keys. The previous implementation
splits this across two functions tls1_setup_key_block() and
tls1_change_cipher_state(), which means that the IV and key sizes have to
be known in multiple places.

This implementation generates and partitions the key block in a single
step, meaning that the secrets are then simply handed out when requested.

ok inoguchi@ tb@


# 1.142 02-May-2021 jsing

Clean up tls1_change_cipher_state().

Replace flag gymnastics at call sites with separate read and write
functions, which call the common code. Condition on s->server instead of
using SSL_ST_ACCEPT, for consistency and more readable code.

ok inoguchi@ tb@


# 1.141 02-May-2021 jsing

Clean up dtls1_reset_seq_numbers().

Rather than doing flag gymnastics, split dtls1_reset_seq_numbers() into
separate read and write functions. Move the calls of these functions into
tls1_change_cipher_state() so they directly follow the change of cipher
state in the record layer, which avoids having to duplicate the calls in
the client and server.

ok inoguchi@ tb@


# 1.140 30-Apr-2021 jsing

Clean up and harden TLSv1.2 master key derivation.

The master key and its length are only stored in one location, so it makes
no sense to handle these outside of the derivation function (the current
'out' argument is unused). This simplifies the various call sites.

If derivation fails for some reason, fail hard rather than continuing on
and hoping that something deals with this correctly later.

ok inoguchi@ tb@


# 1.139 25-Apr-2021 jsing

Clean up derivation of finished/peer finished.

Make this process more readable by having specific client/server functions,
calling the correct one based on s->server. This allows us to remove various
SSL_ST_ACCEPT/SSL_ST_CONNECT checks, along with duplicate code.

ok inoguchi@ tb@


# 1.138 19-Apr-2021 jsing

Remove new_sym_enc and new_aead.

These can be replaced with accessors that allow this information to be
retrieved from the new record layer.

ok inoguchi@ tb@


# 1.137 19-Apr-2021 jsing

Move new_mac_secret_size into the TLSv1.2 handshake struct.

Drop the 'new_' prefix in the process.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_9_BASE
# 1.136 29-Mar-2021 jsing

Move the TLSv1.2 record number increment into the new record layer.

This adds checks (based on the TLSv1.3 implementation) to ensure that the
TLS/DTLS sequence numbers do not wrap, as required by the respective RFCs.

ok inoguchi@ tb@


# 1.135 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.134 24-Mar-2021 jsing

Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.

Move TLSv1.2 specific components over from SSL_HANDSHAKE.

ok inoguchi@ tb@


# 1.133 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.132 03-Feb-2021 tb

Fail early in legacy exporter if master secret is not available

The exporter depends on having a master secret. If the handshake is
not completed, it is neither guaranteed that a shared ciphersuite was
selected (in which case tls1_PRF() will currently NULL deref) nor that
a master secret was set up (in which case the exporter will succeed
with a predictable value). Neither outcome is desirable, so error out
early instead of entering the sausage factory unprepared. This aligns
the legacy exporter with the TLSv1.3 exporter in that regard.

with/ok jsing


# 1.131 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.130 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.129 19-Jan-2021 jsing

Add code to handle change of cipher state in the new TLSv1.2 record layer.

This provides the basic framework for handling change of cipher state in
the new TLSv1.2 record layer, creating new record protection. In the DTLS
case we retain the previous write record protection and can switch back to
it when retransmitting. This will allow the record layer to start owning
sequence numbers and encryption/decryption state.

ok inoguchi@ tb@


# 1.128 07-Jan-2021 jsing

Move the read MAC key into the TLSv1.2 record layer.

ok inoguchi@ tb@


# 1.127 11-Nov-2020 jsing

Use size_t for key_block_len.

This allows us to remove a check and will make future changes simpler. Use
suitable names for tls1_generate_key_block() arguments while here.

ok inoguchi@ tb@


# 1.126 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.125 07-Oct-2020 jsing

Mop up various things that are now unused with the new record layer.

ok inoguchi@ tb@


# 1.124 03-Oct-2020 jsing

Reimplement the TLSv1.2 record handling for the read side.

This is the next step in replacing the TLSv1.2 record layer.

The existing record handling code does decryption and processing in
place, which is not ideal for various reasons, however it is retained
for now as other code depends on this behaviour. Additionally, CBC
requires special handling to avoid timing oracles - for now the
existing timing safe code is largely retained.

ok beck@ inoguchi@ tb@


Revision tags: OPENBSD_6_8_BASE
# 1.123 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_7_BASE
# 1.122 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.121 13-Mar-2020 jsing

Remove dtls1_enc().

Like much of the original DTLS code, dtls1_enc() is effectively a renamed
copy of tls1_enc(). Since then tls1_enc() has been modified, however the
non-AEAD code remains largely the same. As such, remove dtls1_enc() and
instead call tls1_enc() from the DTLS code.

The tls1_enc() AEAD code does not currently work correctly with DTLS,
however this is a non-issue since we do not support AEAD cipher suites with
DTLS currently.

ok tb@


# 1.120 12-Mar-2020 jsing

Stop overloading the record type for padding length.

Currently the CBC related code stuffs the padding length in the upper bits
of the type field... stop doing that and add a padding_length field to the
record struct instead.

ok inoguchi@ tb@


# 1.119 12-Mar-2020 jsing

Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.

SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in
public headers, even though their usage is internal. This moves to
using _INTERNAL suffixed versions that are in internal headers, which
then allows us to change them without any potential public API fallout.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.118 13-May-2019 bcook

Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.

Fixes COV-174858

ok tb@


Revision tags: OPENBSD_6_5_BASE
# 1.117 09-Feb-2019 jsing

Rename tls1_handshake_hash*() to tls1_transcript_hash*().

While handshake hash is correct (in as far as it is a hash of handshake
messages), using tls1_transcript_hash*() aligns them with the naming of the
tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses
Transcript-Hash and "transcript hash", which this matches.

ok inoguchi@ tb@


# 1.116 08-Nov-2018 jsing

Clean up and simplify the handshake transcript code.

This provides a cleaner, simpler and more readable API, with code that uses
a BUF_MEM instead of a BIO.

ok beck@ ("hurry up") and tb@.


# 1.115 24-Oct-2018 jsing

Make more of libssl's record layer state internal.

In January 2017, we changed large amounts of libssl's data structures to
be non-visible/internal, however intentionally left things that the
software ecosystem was needing to use. The four or so applications that
reached into libssl for record layer related state now implement
alternative code. As such, make these data structures internal.

ok tb@


Revision tags: OPENBSD_6_4_BASE
# 1.114 08-Sep-2018 jsing

Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.

ok inoguchi@ tb@


# 1.113 06-Sep-2018 jsing

Drop SSL_CIPHER_ALGORITHM2_AEAD flag.

All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can
condition on that rather than having a separate redundant flag.

ok tb@


# 1.112 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.111 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.110 31-Aug-2018 jsing

Remove unused argument to tls1_change_cipher_state_cipher().


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.109 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.108 10-Apr-2017 jsing

freezero() the key block; simpler code and less of it.


Revision tags: OPENBSD_6_1_BASE
# 1.107 25-Mar-2017 jsing

Check tls1_PRF() return value in tls1_generate_master_secret().


# 1.106 25-Mar-2017 jsing

More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of
tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument
names and change lengths to size_t.

ok inoguchi@


# 1.105 18-Mar-2017 jsing

Fewer magic numbers.


# 1.104 18-Mar-2017 jsing

t1_enc.c


# 1.103 18-Mar-2017 jsing

Currently tls1_PRF() requires that a temporary buffer be provided, that
matches the size of the output buffer. This is used in the case where
there are multiple hashes - tls_P_hash() is called with the temporary
buffer and the result is then xored into the output buffer.

Avoid this by simply using a local buffer in tls_P_hash() and then xoring
the result into the output buffer. Overall this makes the code cleaner
and simplifies all of the tls_PRF() callers.

Similar to BoringSSL.

ok inoguchi@


# 1.102 10-Mar-2017 jsing

Remove the handshake digests and related code, replacing remaining uses
with the handshake hash. For now tls1_digest_cached_records() is retained
to release the handshake buffer.

ok beck@ inoguchi@


# 1.101 10-Mar-2017 jsing

First pass at cleaning up the tls1_P_hash() function - remove a pointless
EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the
code slightly.

ok inoguchi@


# 1.100 10-Mar-2017 jsing

Make tls1_PRF() non-static so it can be regress tested.


# 1.99 07-Mar-2017 jsing

Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned
and each hash processed separately.

Tested by tb@
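The PRF and key block handling that entries 1.143, 1.132, 1.103 and 1.99 above describe, as an added example written against RFC 2246 section 5, RFC 5246 sections 5, 6.3 and 8.1, and RFC 5705. It is this page's example, not LibreSSL's tls1_PRF()/tls1_P_hash(): the function names are this example's own and the handshake values in the demo at the bottom are constructed. It shows the MD5+SHA1 secret partitioning (with the shared middle byte for odd-length secrets), the XOR of the two P_hash outputs into one buffer, the single-step generate-and-partition of the TLS 1.2 key block, and an exporter that refuses to run without a master secret.

```python
# Added example (not libssl code): TLS PRFs, key block and exporter.
import hmac


def p_hash(hash_name, secret, seed, out_len):
    """P_<hash>(secret, seed) from RFC 2246 section 5: A(0) = seed,
    A(i) = HMAC(secret, A(i-1)); output = HMAC(secret, A(1) + seed) ||
    HMAC(secret, A(2) + seed) || ..., truncated to out_len bytes."""
    out, a = b"", seed
    while len(out) < out_len:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:out_len]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def split_secret(secret):
    """S1/S2 partition of RFC 2246 section 5: each half is ceil(len/2) bytes,
    so for an odd-length secret the middle byte belongs to both halves."""
    half = (len(secret) + 1) // 2
    return secret[:half], secret[len(secret) - half:]


def tls1_prf(secret, label, seed, out_len):
    """TLS 1.0/1.1 PRF: P_MD5 keyed by S1, XORed with P_SHA1 keyed by S2.
    Each hash runs over its own half of the secret and the two results are
    XORed into the output (what the 1.103 and 1.99 entries describe)."""
    s1, s2 = split_secret(secret)
    return xor_bytes(p_hash("md5", s1, label + seed, out_len),
                     p_hash("sha1", s2, label + seed, out_len))


def tls12_prf(secret, label, seed, out_len, hash_name="sha256"):
    """TLS 1.2 PRF (RFC 5246 section 5): one P_<hash> over the whole secret."""
    return p_hash(hash_name, secret, label + seed, out_len)


def master_secret(prf, pre_master, client_random, server_random):
    """RFC 5246 section 8.1: 48 bytes; seed is client_random || server_random."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(prf, master, client_random, server_random, mac_len, key_len,
              iv_len):
    """RFC 5246 section 6.3: generate the whole key block once, then partition
    it in the fixed order client MAC, server MAC, client key, server key,
    client IV, server IV (the single-step approach of the 1.143 entry).
    Note the seed order here is server_random || client_random."""
    total = 2 * (mac_len + key_len + iv_len)
    block = prf(master, b"key expansion", server_random + client_random, total)
    names = ["client_write_MAC_key", "server_write_MAC_key",
             "client_write_key", "server_write_key",
             "client_write_IV", "server_write_IV"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    secrets, off = {}, 0
    for name, size in zip(names, sizes):
        secrets[name] = block[off:off + size]
        off += size
    return secrets


def export_keying_material(prf, master, label, client_random, server_random,
                           out_len, context=None):
    """RFC 5705 exporter.  Refuses to run without a master secret: before the
    handshake completes there may be no negotiated PRF and the output would
    be a predictable value (the failure mode the 1.132 entry closes)."""
    if master is None:
        raise ValueError("no master secret: handshake not complete")
    seed = client_random + server_random
    if context is not None:
        seed += len(context).to_bytes(2, "big") + context
    return prf(master, label, seed, out_len)


if __name__ == "__main__":
    # Constructed sample handshake values, not from a real connection.
    pre_master = bytes(range(48))
    crand, srand = b"\x11" * 32, b"\x22" * 32
    ms = master_secret(tls12_prf, pre_master, crand, srand)
    # AES-128-GCM: no MAC key, 16-byte key, 4-byte implicit nonce.
    kb = key_block(tls12_prf, ms, crand, srand, mac_len=0, key_len=16, iv_len=4)
    for name, value in kb.items():
        print(name, value.hex())
    print(export_keying_material(tls12_prf, ms, b"EXPORTER-example", crand,
                                 srand, 16, b"ctx").hex())
```

Passing the PRF in as a parameter makes the version difference explicit: the same key_block() and exporter code serves TLS 1.0/1.1 with tls1_prf and TLS 1.2 with tls12_prf, which is why knowing the IV and key sizes in one place, as the 1.143 entry argues, is enough.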


# 1.98 06-Mar-2017 jsing

Clean up and simplify the tls1_PRF() implementation now that we have a
single EVP MD for the PRF hash.

ok beck@ inoguchi@


# 1.97 05-Mar-2017 jsing

Provide a rolling handshake hash that commences as soon as the cipher
suite has been selected, and convert the final finish MAC to use this
handshake hash.

This is a first step towards cleaning up the current handshake
buffer/digest code.

ok beck@ inoguchi@


# 1.96 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.95 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.94 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.93 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.92 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.91 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.90 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.89 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.88 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.87 06-Nov-2016 jsing

Remove unused SSLv3 from ssl3_cbc_record_digest_supported().

From Markus Uhlin <markus.uhlin at bredband dot net>

ok beck@ bcook@


# 1.86 03-Nov-2016 jsing

Clean up the TLS handshake digest handling - this refactors some of the
code for improved readability, however it also addresses two issues.

The first of these is a hard-to-hit double free that will occur if
EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure
that tls1_digest_cached_records() either completes successfully and sets
up all of the necessary digests, or it cleans up and frees everything
that was allocated.

The second issue is that EVP_DigestUpdate() can fail - detect and handle
this in tls1_finish_mac() and change the return type to an int so that a
failure can be propagated to the caller (the callers still need to be
fixed to handle this, in a later diff).

The double-free was reported by Matthew Dillon.

ok beck@ doug@ miod@


# 1.85 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replaces the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.84 06-Mar-2016 beck

Make sure stdio functions don't end up in the library, from miod@
ok doug@ bcook@


# 1.83 11-Sep-2015 jsing

Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a
ssl3_ prefix.

ok beck@


# 1.82 11-Sep-2015 jsing

Merge the remnants of s3_enc.c into t1_enc.c.

ok beck@


# 1.81 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.80 27-Aug-2015 jsing

Change AEAD out_len argument to size_t instead of ssize_t - while here,
rename it to out_len so that its purpose is more obvious. Also, drop two
checks that are no longer possible (and have not been for a long time).

Spotted by and ok doug@


# 1.79 17-Jul-2015 doug

Remove workaround for TLS padding bug from SSLeay days.

OpenSSL doesn't remember which clients were impacted and the
functionality has been broken in their stable releases for 2 years.

Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.

ok jsing@


# 1.78 17-Jun-2015 jsing

Keep alerts sorted by alert code.


# 1.77 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.76 07-Feb-2015 doug

Remove useless variables and use the values directly.

From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.

ok miod@, jsing@


# 1.75 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.74 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.73 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.72 16-Nov-2014 jsing

Sort and group includes.


# 1.71 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.70 18-Oct-2014 doug

Typical malloc() with size multiplication to reallocarray().

ok deraadt@


# 1.69 07-Aug-2014 miod

Oops, revert changes committed by mistake. The previous commit was supposed
to only apply to s23_srvr.c.


# 1.68 07-Aug-2014 miod

When you expect a function to return a particular value, don't put a comment
saying that you expect it to return that value and compare it against zero
because it is supposedly faster, for this leads to bugs (especially given the
high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this
library).

Instead, compare for the exact value it ought to return upon success.

ok deraadt@


# 1.67 10-Jul-2014 jsing

Remove more compression related code.


# 1.66 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.65 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.64 08-Jul-2014 beck

pedantic avoidance of division by zero, likely not actually
possible to hit for real.
ok miod@ jsing@


# 1.63 21-Jun-2014 jsing

Pull the code that builds a DTLS sequence number out into its own function
to avoid duplication. Also use fewer magic numbers.

ok miod@


# 1.62 21-Jun-2014 jsing

Pull out the sequence number selection and handle this up front. Also, the
correct record is already known, so avoid reassignment.


# 1.61 21-Jun-2014 jsing

More KNF and clean up.


# 1.60 15-Jun-2014 jsing

Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(),
so that it reflects what it is actually doing. Use this function in a
number of places that still have the hand rolled version.

ok beck@ miod@


# 1.59 13-Jun-2014 jsing

Correctly calculate the key block length when using export ciphers.


# 1.58 13-Jun-2014 jsing

Swap compress/expand around so they are in the correct order - these ended
up in the wrong order when the code was refactored.


# 1.57 13-Jun-2014 jsing

Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and
EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.


# 1.56 13-Jun-2014 jsing

Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are
those that use EVP_AEAD instead of EVP_CIPHER. This means being able to
change cipher state with an EVP_AEAD and being able to encrypt/decrypt
TLS using the EVP_AEAD. This has no change on existing
non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.

Based on Adam Langley's chromium patches.

Rides the recent libssl bump.

Tested by sthen@


# 1.55 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.54 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.53 11-Jun-2014 jsing

Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since
OpenSSL 1.0.0.

ok miod@ (a little while back)


# 1.52 10-Jun-2014 jsing

In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex()
to avoid a possible NULL function call on ctx.final(). None of the callers
currently check the return value of calls to cert_verify_mac(), however
the function already returns 0 in another case and the MAC comparison will
later fail.

Issue reported by David Ramos.


# 1.51 08-Jun-2014 jsing

Add a define for the SSLv3 sequence size and use it, rather than sprinkling
magic numbers around.

ok deraadt@


# 1.50 08-Jun-2014 jsing

Be explicit with types. No binary change.


# 1.49 08-Jun-2014 jsing

Factor out the part of tls1_change_cipher_state() that is specific to
switching cipher states using an EVP_CIPHER. This will facilitate the
addition of cipher state changes for EVP_AEAD. No functional change.

Based on Adam Langley's chromium patches.


# 1.48 08-Jun-2014 jsing

Factor out the sequence number reset code to aid in upcoming changes.


# 1.47 07-Jun-2014 jsing

Add missing NULL check after calling EVP_PKEY_new_mac_key().

Based on Adam Langley's chromium patches.


# 1.46 07-Jun-2014 jsing

Use !is_read to imply SSL3_CC_WRITE.

While this is not strictly correct (since the presence of SSL3_CC_READ does
not guarantee the absence of SSL3_CC_WRITE), in practice only one of these
flags is set at a time and there is existing logic which already relies on
this behaviour.


# 1.45 07-Jun-2014 jsing

Move the export label initialisation into the export handling code, since
this is the only place where these variables are used.


# 1.44 07-Jun-2014 jsing

Remove pointless casts - no binary change.


# 1.43 07-Jun-2014 jsing

Rename variables to make it clear that these are only used in the export
code. Additionally, these need to be cleaned in the export case.

Based on Adam Langley's chromium patches.


# 1.42 07-Jun-2014 jsing

Further clean up of context handling in tls1_change_cipher_state().

Rather than doing a complex dance to figure out if we should reuse the
cipher context and clean it later on, just free it and allocate a new one.
This simplifies the code path, especially in the write case where special
handling is required for DTLS.

Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is
unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention
that it was already missing from the write case).


# 1.41 02-Jun-2014 jsing

Rename more variables for readability and consistency.


# 1.40 01-Jun-2014 jsing

Overhaul the key block handling in tls1_change_cipher_state() - use
meaningful variable names with pointer arithmetic, rather than n, i, j
and p with array indexing.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.39 01-Jun-2014 jsing

In tls1_setup_key_block(), use the correct IV length for GCM mode, which
results in the key block length calculation also being correct. Rename a
number of variables so that their purpose becomes clear and simplify some
of the code.

Inspired by Adam Langley's chromium diffs.

ok miod@


# 1.38 01-Jun-2014 jsing

Clean up the tls1_change_cipher_state() key length handling and use a
single variable with a descriptive name, instead of two poorly named
variables.

Largely based on Adam Langley's chromium patches.

ok miod@


# 1.37 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.36 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.35 29-May-2014 jsing

Fix another two cases where the return value of ssl_replace_hash() is
unchecked.

In the case of tls1_change_cipher_state(), it is fairly pointless to use
ssl_replace_hash(), since it does not initialise the hash and there is
special handling required in the DTLS write case. Instead, just inline
the part of ssl_replace_hash() that is needed and only
ssl_clear_hash_ctx() the write hash in the non-DTLS case.

Also add a detailed comment explaining why there needs to be specialised
handling for DTLS write context and where the contexts are actually freed.

ok miod@


# 1.34 28-May-2014 jsing

More KNF.


# 1.33 28-May-2014 jsing

Refactor tls1_change_cipher_state() and split the compression handling out
from the cipher and message digest handling, allowing for upcoming changes.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.32 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.31 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.30 25-May-2014 jsing

The ssl_cipher_get_evp() function is currently overloaded to also return the
compression associated with the SSL session. Based on one of Adam Langley's
chromium diffs, factor out the compression handling code into a separate
ssl_cipher_get_comp() function.

Rewrite the compression handling code to avoid pointless duplication and so
that failures are actually returned to and detectable by the caller.

ok miod@


# 1.29 24-May-2014 miod

Invoke OPENSSL_cleanse() with the size of the variable you are cleaning.
ok jsing@


# 1.28 20-May-2014 jsing

KSSL is dead... nuke KSSL_DEBUG from orbit.

ok beck@ miod@


# 1.27 28-Apr-2014 tedu

use the correct algorithm mask. reported by satish lvr via
http://marc.info/?l=openssl-dev&m=139779977532459&w=2
ok miod


# 1.26 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.25 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.24 19-Apr-2014 jsing

More KNF.


# 1.23 18-Apr-2014 tedu

now that knf carpet bombing is finished, switch to hand to hand combat.
still not sure what to make of mysteries like this:
for (i = 7; i >= 0; i--) { /* increment */


# 1.22 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.21 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.20 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.19 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.18 27-Feb-2014 jca

SECURITY fixes backported from openssl-1.0.1f. ok mikeb@

CVE-2013-4353 NULL pointer dereference with crafted Next Protocol
Negotiation record in TLS handshake.
Upstream: 197e0ea

CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client.
Upstream: ca98926, 0294b2b

CVE-2013-6450 Fix DTLS retransmission from previous session.
Upstream: 3462896


# 1.17 14-Feb-2013 markus

cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.14 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.13 09-Jan-2009 djm

resolve conflicts


# 1.12 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.11 06-Sep-2008 djm

resolve conflicts


# 1.10 29-Apr-2005 djm

resolve conflicts


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 01-Aug-2001 beck

merge openssl 0.9.6b-engine

Note that this is a maintenance release, APIs appear *not* to have changed.
As such, I have only increased the minor number on these libraries


# 1.5 22-Jun-2001 beck

openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.147 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.146 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.145 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.144 05-May-2021 jsing

Replace DTLS w_epoch with epoch from TLSv1.2 record layer.

ok inoguchi@ tb@


# 1.143 05-May-2021 jsing

Rewrite TLSv1.2 key block handling.

For TLSv1.2 a single key block is generated, then partitioned into
individual secrets for use as IVs and keys. The previous implementation
splits this across two functions tls1_setup_key_block() and
tls1_change_cipher_state(), which means that the IV and key sizes have to
be known in multiple places.

This implementation generates and partitions the key block in a single
step, meaning that the secrets are then simply handed out when requested.

ok inoguchi@ tb@


# 1.142 02-May-2021 jsing

Clean up tls1_change_cipher_state().

Replace flag gymnastics at call sites with separate read and write
functions, which call the common code. Condition on s->server instead of
using SSL_ST_ACCEPT, for consistency and more readable code.

ok inoguchi@ tb@


# 1.141 02-May-2021 jsing

Clean up dtls1_reset_seq_numbers().

Rather than doing flag gymnastics, split dtls1_reset_seq_numbers() into
separate read and write functions. Move the calls of these functions into
tls1_change_cipher_state() so they directly follow the change of cipher
state in the record layer, which avoids having to duplicate the calls in
the client and server.

ok inoguchi@ tb@


# 1.140 30-Apr-2021 jsing

Clean up and harden TLSv1.2 master key derivation.

The master key and its length are only stored in one location, so it makes
no sense to handle these outside of the derivation function (the current
'out' argument is unused). This simplifies the various call sites.

If derivation fails for some reason, fail hard rather than continuing on
and hoping that something deals with this correctly later.

ok inoguchi@ tb@


# 1.139 25-Apr-2021 jsing

Clean up derivation of finished/peer finished.

Make this process more readable by having specific client/server functions,
calling the correct one based on s->server. This allows us to remove various
SSL_ST_ACCEPT/SSL_ST_CONNECT checks, along with duplicate code.

ok inoguchi@ tb@


# 1.138 19-Apr-2021 jsing

Remove new_sym_enc and new_aead.

These can be replaced with accessors that allow this information to be
retrieved from the new record layer.

ok inoguchi@ tb@


# 1.137 19-Apr-2021 jsing

Move new_mac_secret_size into the TLSv1.2 handshake struct.

Drop the 'new_' prefix in the process.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_9_BASE
# 1.136 29-Mar-2021 jsing

Move the TLSv1.2 record number increment into the new record layer.

This adds checks (based on the TLSv1.3 implementation) to ensure that the
TLS/DTLS sequence numbers do not wrap, as required by the respective RFCs.

ok inoguchi@ tb@


# 1.135 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.134 24-Mar-2021 jsing

Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.

Move TLSv1.2 specific components over from SSL_HANDSHAKE.

ok inoguchi@ tb@


# 1.133 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.132 03-Feb-2021 tb

Fail early in legacy exporter if master secret is not available

The exporter depends on having a master secret. If the handshake is
not completed, it is neither guaranteed that a shared ciphersuite was
selected (in which case tls1_PRF() will currently NULL deref) nor that
a master secret was set up (in which case the exporter will succeed
with a predictable value). Neither outcome is desirable, so error out
early instead of entering the sausage factory unprepared. This aligns
the legacy exporter with the TLSv1.3 exporter in that regard.

with/ok jsing


# 1.131 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.130 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.129 19-Jan-2021 jsing

Add code to handle change of cipher state in the new TLSv1.2 record layer.

This provides the basic framework for handling change of cipher state in
the new TLSv1.2 record layer, creating new record protection. In the DTLS
case we retain the previous write record protection and can switch back to
it when retransmitting. This will allow the record layer to start owning
sequence numbers and encryption/decryption state.

ok inoguchi@ tb@


# 1.128 07-Jan-2021 jsing

Move the read MAC key into the TLSv1.2 record layer.

ok inoguchi@ tb@


# 1.127 11-Nov-2020 jsing

Use size_t for key_block_len.

This allows us to remove a check and will make future changes simpler. Use
suitable names for tls1_generate_key_block() arguments while here.

ok inoguchi@ tb@


# 1.126 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.125 07-Oct-2020 jsing

Mop up various things that are now unused with the new record layer.

ok inoguchi@ tb@


# 1.124 03-Oct-2020 jsing

Reimplement the TLSv1.2 record handling for the read side.

This is the next step in replacing the TLSv1.2 record layer.

The existing record handling code does decryption and processing in
place, which is not ideal for various reasons, however it is retained
for now as other code depends on this behaviour. Additionally, CBC
requires special handling to avoid timing oracles - for now the
existing timing safe code is largely retained.

ok beck@ inoguchi@ tb@


Revision tags: OPENBSD_6_8_BASE
# 1.123 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_7_BASE
# 1.122 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.121 13-Mar-2020 jsing

Remove dtls1_enc().

Like much of the original DTLS code, dtls1_enc() is effectively a renamed
copy of tls1_enc(). Since then tls1_enc() has been modified, however the
non-AEAD code remains largely the same. As such, remove dtls1_enc() and
instead call tls1_enc() from the DTLS code.

The tls1_enc() AEAD code does not currently work correctly with DTLS,
however this is a non-issue since we do not support AEAD cipher suites with
DTLS currently.

ok tb@


# 1.120 12-Mar-2020 jsing

Stop overloading the record type for padding length.

Currently the CBC related code stuffs the padding length in the upper bits
of the type field... stop doing that and add a padding_length field to the
record struct instead.

ok inoguchi@ tb@


# 1.119 12-Mar-2020 jsing

Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.

SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in
public headers, even though their usage is internal. This moves to
using _INTERNAL suffixed versions that are in internal headers, which
then allows us to change them without any potential public API fallout.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.118 13-May-2019 bcook

Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.

Fixes COV-174858

ok tb@


Revision tags: OPENBSD_6_5_BASE
# 1.117 09-Feb-2019 jsing

Rename tls1_handshake_hash*() to tls1_transcript_hash*().

While handshake hash is correct (in as far as it is a hash of handshake
messages), using tls1_transcript_hash*() aligns them with the naming of the
tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses
Transcript-Hash and "transcript hash", which this matches.

ok inoguchi@ tb@


# 1.116 08-Nov-2018 jsing

Clean up and simplify the handshake transcript code.

This provides a cleaner, simpler and more readable API, with code that uses
a BUF_MEM instead of a BIO.

ok beck@ ("hurry up") and tb@.


# 1.115 24-Oct-2018 jsing

Make more of libssl's record layer state internal.

In January 2017, we changed large amounts of libssl's data structures to
be non-visible/internal, however intentionally left things that the
software ecosystem was needing to use. The four or so applications that
reached into libssl for record layer related state now implement
alternative code. As such, make these data structures internal.

ok tb@


Revision tags: OPENBSD_6_4_BASE
# 1.114 08-Sep-2018 jsing

Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.

ok inoguchi@ tb@


# 1.113 06-Sep-2018 jsing

Drop SSL_CIPHER_ALGORITHM2_AEAD flag.

All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can
condition on that rather than having a separate redundant flag.

ok tb@


# 1.112 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.111 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.110 31-Aug-2018 jsing

Remove unused argument to tls1_change_cipher_state_cipher().


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.109 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.108 10-Apr-2017 jsing

freezero() the key block; simpler code and less of it.


Revision tags: OPENBSD_6_1_BASE
# 1.107 25-Mar-2017 jsing

Check tls1_PRF() return value in tls1_generate_master_secret().


# 1.106 25-Mar-2017 jsing

More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of
tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument
names and change lengths to size_t.

ok inoguchi@


# 1.105 18-Mar-2017 jsing

Fewer magic numbers.


# 1.104 18-Mar-2017 jsing

t1_enc.c


# 1.103 18-Mar-2017 jsing

Currently tls1_PRF() requires that a temporary buffer be provided, that
matches the size of the output buffer. This is used in the case where
there are multiple hashes - tls_P_hash() is called with the temporary
buffer and the result is then xored into the output buffer.

Avoid this by simply using a local buffer in tls_P_hash() and then xoring
the result into the output buffer. Overall this makes the code cleaner
and simplifies all of the tls_PRF() callers.

Similar to BoringSSL.

ok inoguchi@


# 1.102 10-Mar-2017 jsing

Remove the handshake digests and related code, replacing remaining uses
with the handshake hash. For now tls1_digest_cached_records() is retained
to release the handshake buffer.

ok beck@ inoguchi@


# 1.101 10-Mar-2017 jsing

First pass at cleaning up the tls1_P_hash() function - remove a pointless
EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the
code slightly.

ok inoguchi@


# 1.100 10-Mar-2017 jsing

Make tls1_PRF() non-static so it can be regress tested.


# 1.99 07-Mar-2017 jsing

Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned
and each hash processed separately.

Tested by tb@

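The PRF construction the 1.103 and 1.99 entries above describe, as an added example that is not libssl code and does not use its tls1_PRF()/tls1_P_hash() interfaces: P_hash output for each hash is xored into the result, and for TLS 1.0/1.1 the secret is partitioned so that P_MD5 and P_SHA1 each get their own half (RFC 2246 section 5), while TLS 1.2 runs a single P_hash over the negotiated hash (RFC 5246 section 5). It goes one step further than those entries and also partitions a key block into the per-direction MAC keys, keys and IVs in the order RFC 5246 section 6.3 gives. The function names (prf_tls10, prf_tls12, derive_key_block), the pre-master secret, the randoms and the AES-128-CBC/HMAC-SHA1 sizes are all constructed for this example.

```python
"""TLS PRF worked example (added here; not libssl code).

Implements P_hash and the PRF from RFC 2246 section 5 (TLS 1.0/1.1: secret
split between P_MD5 and P_SHA1, results xored) and RFC 5246 section 5
(TLS 1.2: a single P_hash over the cipher suite's PRF hash), then partitions
a key block as RFC 5246 section 6.3 describes. All inputs are constructed.
"""
import hashlib
import hmac


def p_hash(digestmod, secret: bytes, seed: bytes, out_len: int) -> bytes:
    """P_hash(secret, seed) expanded to out_len bytes.

    A(0) = seed, A(i) = HMAC(secret, A(i-1));
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ...
    """
    out = b""
    a = seed
    while len(out) < out_len:
        a = hmac.new(secret, a, digestmod).digest()
        out += hmac.new(secret, a + seed, digestmod).digest()
    return out[:out_len]


def split_secret(secret: bytes):
    """Partition the secret into S1 and S2 (RFC 2246 section 5).

    Each half is ceil(len/2) bytes; for an odd length the middle byte
    belongs to both halves.
    """
    half = (len(secret) + 1) // 2
    return secret[:half], secret[len(secret) - half:]


def prf_tls10(secret: bytes, label: bytes, seed: bytes, out_len: int) -> bytes:
    """TLS 1.0/1.1 PRF: P_MD5(S1, label+seed) XOR P_SHA1(S2, label+seed)."""
    s1, s2 = split_secret(secret)
    md5_part = p_hash(hashlib.md5, s1, label + seed, out_len)
    sha1_part = p_hash(hashlib.sha1, s2, label + seed, out_len)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def prf_tls12(secret: bytes, label: bytes, seed: bytes, out_len: int,
              digestmod=hashlib.sha256) -> bytes:
    """TLS 1.2 PRF: a single P_hash over the cipher suite's PRF hash."""
    return p_hash(digestmod, secret, label + seed, out_len)


def derive_master_secret(prf, pre_master_secret: bytes, client_random: bytes,
                         server_random: bytes) -> bytes:
    """master_secret = PRF(pre_master_secret, "master secret",
    ClientHello.random + ServerHello.random), 48 bytes."""
    return prf(pre_master_secret, b"master secret",
               client_random + server_random, 48)


def derive_key_block(prf, master_secret: bytes, client_random: bytes,
                     server_random: bytes, mac_len: int, key_len: int,
                     iv_len: int) -> dict:
    """Generate one key block and hand out the secrets in RFC 5246 6.3 order.

    Note the seed order: "key expansion" uses server_random || client_random,
    the reverse of master secret derivation.
    """
    total = 2 * (mac_len + key_len + iv_len)
    block = prf(master_secret, b"key expansion",
                server_random + client_random, total)
    names = ["client_write_mac_key", "server_write_mac_key",
             "client_write_key", "server_write_key",
             "client_write_iv", "server_write_iv"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    secrets, pos = {}, 0
    for name, size in zip(names, sizes):
        secrets[name] = block[pos:pos + size]
        pos += size
    return secrets


# Constructed inputs (not captured from any real handshake).
PRE_MASTER = bytes(range(48))
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32

if __name__ == "__main__":
    for name, prf in (("TLS 1.0/1.1", prf_tls10), ("TLS 1.2", prf_tls12)):
        ms = derive_master_secret(prf, PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
        # AES-128-CBC with HMAC-SHA1: 20-byte MAC keys, 16-byte keys, 16-byte IVs.
        keys = derive_key_block(prf, ms, CLIENT_RANDOM, SERVER_RANDOM, 20, 16, 16)
        print(name, "master secret:", ms.hex())
        for k, v in keys.items():
            print(f"  {k}: {v.hex()}")
```

The split_secret() helper is where the 1.99 bug class lives: if the whole secret were fed to both P_MD5 and P_SHA1, every derived value would differ from a conforming peer's and the Finished check would fail, which is the symptom that entry fixes. The xor in prf_tls10() is why no temporary buffer of the full output size is needed (the point of 1.103): each hash's expansion can be produced locally and folded into the result.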

# 1.98 06-Mar-2017 jsing

Clean up and simplify the tls1_PRF() implementation now that we have a
single EVP MD for the PRF hash.

ok beck@ inoguchi@


# 1.97 05-Mar-2017 jsing

Provide a rolling handshake hash that commences as soon as the cipher
suite has been selected, and convert the final finish MAC to use this
handshake hash.

This is a first step towards cleaning up the current handshake
buffer/digest code.

ok beck@ inoguchi@


# 1.96 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.95 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.94 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.93 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.92 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.91 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.90 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.89 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.88 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.87 06-Nov-2016 jsing

Remove unused SSLv3 from ssl3_cbc_record_digest_supported().

From Markus Uhlin <markus.uhlin at bredband dot net>

ok beck@ bcook@


# 1.86 03-Nov-2016 jsing

Clean up the TLS handshake digest handling - this refactors some of the
code for improved readability, however it also address two issues.

The first of these is a hard-to-hit double free that will occur if
EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure
that tls1_digest_cached_records() either completes successfully and sets
up all of the necessary digests, or it cleans up and frees everything
that was allocated.

The second issue is that EVP_DigestUpdate() can fail - detect and handle
this in tls1_finish_mac() and change the return type to an int so that a
failure can be propagated to the caller (the callers still need to be
fixed to handle this, in a later diff).

The double-free was reported by Matthew Dillon.

ok beck@ doug@ miod@


# 1.85 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replaces the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.84 06-Mar-2016 beck

Make sure stdio functions don't end up in the library, from miod@
ok doug@ bcook@


# 1.83 11-Sep-2015 jsing

Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a
ssl3_ prefix.

ok beck@


# 1.82 11-Sep-2015 jsing

Merge the remnants of s3_enc.c into t1_enc.c.

ok beck@


# 1.81 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.80 27-Aug-2015 jsing

Change AEAD out_len argument to size_t instead of ssize_t - while here,
rename it to out_len so that its purpose is more obvious. Also, drop two
checks that are no longer possible (and have not been for a long time).

Spotted by and ok doug@


# 1.79 17-Jul-2015 doug

Remove workaround for TLS padding bug from SSLeay days.

OpenSSL doesn't remember which clients were impacted and the
functionality has been broken in their stable releases for 2 years.

Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.

ok jsing@


# 1.78 17-Jun-2015 jsing

Keep alerts sorted by alert code.


# 1.77 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.76 07-Feb-2015 doug

Remove useless variables and use the values directly.

From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.

ok miod@, jsing@


# 1.75 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.74 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.73 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.72 16-Nov-2014 jsing

Sort and group includes.


# 1.71 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.70 18-Oct-2014 doug

Typical malloc() with size multiplication to reallocarray().

ok deraadt@


# 1.69 07-Aug-2014 miod

Oops, revert changes committed by mistake. The previous commit was supposed
to only apply to s23_srvr.c.


# 1.68 07-Aug-2014 miod

When you expect a function to return a particular value, don't put a comment
saying that you expect it to return that value and compare it against zero
because it is supposedly faster, for this leads to bugs (especially given the
high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this
library).

Instead, compare for the exact value it ought to return upon success.

ok deraadt@


# 1.67 10-Jul-2014 jsing

Remove more compression related code.


# 1.66 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.65 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.64 08-Jul-2014 beck

pedantic avoidance of division by zero, likely not actually
possible to hit for real.
ok miod@ jsing@


# 1.63 21-Jun-2014 jsing

Pull the code that builds a DTLS sequence number out into its own function
to avoid duplication. Also use fewer magic numbers.

ok miod@


# 1.62 21-Jun-2014 jsing

Pull out the sequence number selection and handle this up front. Also, the
correct record is already known, so avoid reassignment.


# 1.61 21-Jun-2014 jsing

More KNF and clean up.


# 1.60 15-Jun-2014 jsing

Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(),
so that it reflects what it is actually doing. Use this function in a
number of places that still have the hand rolled version.

ok beck@ miod@


# 1.59 13-Jun-2014 jsing

Correctly calculate the key block length when using export ciphers.


# 1.58 13-Jun-2014 jsing

Swap compress/expand around so they are in the correct order - these ended
up in the wrong order when the code was refactored.


# 1.57 13-Jun-2014 jsing

Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and
EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.


# 1.56 13-Jun-2014 jsing

Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are
those that use EVP_AEAD instead of EVP_CIPHER. This means being able to
change cipher state with an EVP_AEAD and being able to encrypt/decrypt
TLS using the EVP_AEAD. This has no change on existing
non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.

Based on Adam Langley's chromium patches.

Rides the recent libssl bump.

Tested by sthen@


# 1.55 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.54 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.53 11-Jun-2014 jsing

Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since
OpenSSL 1.0.0.

ok miod@ (a little while back)


# 1.52 10-Jun-2014 jsing

In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex()
to avoid a possible NULL function call on ctx.final(). None of the callers
currently check the return value of calls to cert_verify_mac(), however
the function already returns 0 in another case and the MAC comparison will
later fail.

Issue reported by David Ramos.


# 1.51 08-Jun-2014 jsing

Add a define for the SSLv3 sequence size and use it, rather than sprinkling
magic numbers around.

ok deraadt@


# 1.50 08-Jun-2014 jsing

Be explicit with types. No binary change.


# 1.49 08-Jun-2014 jsing

Factor out the part of tls1_change_cipher_state() that is specific to
switching cipher states using an EVP_CIPHER. This will facilitate the
addition of cipher state changes for EVP_AEAD. No functional change.

Based on Adam Langley's chromium patches.


# 1.48 08-Jun-2014 jsing

Factor out the sequence number reset code to aid in upcoming changes.


# 1.47 07-Jun-2014 jsing

Add missing NULL check after calling EVP_PKEY_new_mac_key().

Based on Adam Langley's chromium patches.


# 1.46 07-Jun-2014 jsing

Use !is_read to imply SSL3_CC_WRITE.

While this is not strictly correct (since the presence of SSL3_CC_READ does
not guarantee the absence of SSL3_CC_WRITE), in practice only one of these
flags is set at a time and there is existing logic which already relies on
this behaviour.


# 1.45 07-Jun-2014 jsing

Move the export label initialisation into the export handling code, since
this is the only place where these variables are used.


# 1.44 07-Jun-2014 jsing

Remove pointless casts - no binary change.


# 1.43 07-Jun-2014 jsing

Rename variables to make it clear that these are only used in the export
code. Additionally, these need to be cleaned in the export case.

Based on Adam Langley's chromium patches.


# 1.42 07-Jun-2014 jsing

Further clean up of context handling in tls1_change_cipher_state().

Rather than doing a complex dance to figure out if we should reuse the
cipher context and clean it later on, just free it and allocate a new one.
This simplifies the code path, especially in the write case where special
handling is required for DTLS.

Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is
unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention
that it was already missing from the write case).


# 1.41 02-Jun-2014 jsing

Rename more variables for readability and consistency.


# 1.40 01-Jun-2014 jsing

Overhaul the key block handling in tls1_change_cipher_state() - use
meaningful variable names with pointer arithmetic, rather than n, i, j
and p with array indexing.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.39 01-Jun-2014 jsing

In tls1_setup_key_block(), use the correct IV length for GCM mode, which
results in the key block length calculation also being correct. Rename a
number of variables so that their purpose becomes clear and simplify some
of the code.

Inspired by Adam Langley's chromium diffs.

ok miod@


# 1.38 01-Jun-2014 jsing

Clean up the tls1_change_cipher_state() key length handling and use a
single variable with a descriptive name, instead of two poorly named
variables.

Largely based on Adam Langley's chromium patches.

ok miod@


# 1.37 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.36 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.35 29-May-2014 jsing

Fix another two cases where the return value of ssl_replace_hash() is
unchecked.

In the case of tls1_change_cipher_state(), it is fairly pointless to use
ssl_replace_hash(), since it does not initialise the hash and there is
special handling required in the DTLS write case. Instead, just inline
the part of ssl_replace_hash() that is needed and only
ssl_clear_hash_ctx() the write hash in the non-DTLS case.

Also add a detailed comment explaining why there needs to be specialised
handling for DTLS write context and where the contexts are actually freed.

ok miod@


# 1.34 28-May-2014 jsing

More KNF.


# 1.33 28-May-2014 jsing

Refactor tls1_change_cipher_state() and split the compression handling out
from the cipher and message digest handling, allowing for upcoming changes.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.32 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.31 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.30 25-May-2014 jsing

The ssl_cipher_get_evp() function is currently overloaded to also return the
compression associated with the SSL session. Based on one of Adam Langley's
chromium diffs, factor out the compression handling code into a separate
ssl_cipher_get_comp() function.

Rewrite the compression handling code to avoid pointless duplication and so
that failures are actually returned to and detectable by the caller.

ok miod@


# 1.29 24-May-2014 miod

Invoke OPENSSL_cleanse() with the size of the variable you are cleaning.
ok jsing@


# 1.28 20-May-2014 jsing

KSSL is dead... nuke KSSL_DEBUG from orbit.

ok beck@ miod@


# 1.27 28-Apr-2014 tedu

use the correct algorithm mask. reported by satish lvr via
http://marc.info/?l=openssl-dev&m=139779977532459&w=2
ok miod


# 1.26 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.25 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.24 19-Apr-2014 jsing

More KNF.


# 1.23 18-Apr-2014 tedu

now that knf carpet bombing is finished, switch to hand to hand combat.
still not sure what to make of mysteries like this:
for (i = 7; i >= 0; i--) { /* increment */


# 1.22 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.21 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.20 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.19 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.18 27-Feb-2014 jca

SECURITY fixes backported from openssl-1.0.1f. ok mikeb@

CVE-2013-4353 NULL pointer dereference with crafted Next Protocol
Negotiation record in TLS handshake.
Upstream: 197e0ea

CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client.
Upstream: ca98926, 0294b2b

CVE-2013-6450 Fix DTLS retransmission from previous session.
Upstream: 3462896


# 1.17 14-Feb-2013 markus

cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.14 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.13 09-Jan-2009 djm

resolve conflicts


# 1.12 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.11 06-Sep-2008 djm

resolve conflicts


# 1.10 29-Apr-2005 djm

resolve conflicts


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 01-Aug-2001 beck

merge openssl 0.9.6b-engine

Note that this is a maintenance release, APIs appear *not* to have changed.
As such, I have only increased the minor number on these libraries


# 1.5 22-Jun-2001 beck

openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.144 05-May-2021 jsing

Replace DTLS w_epoch with epoch from TLSv1.2 record layer.

ok inoguchi@ tb@


# 1.143 05-May-2021 jsing

Rewrite TLSv1.2 key block handling.

For TLSv1.2 a single key block is generated, then partitioned into
individual secrets for use as IVs and keys. The previous implementation
splits this across two functions tls1_setup_key_block() and
tls1_change_cipher_state(), which means that the IV and key sizes have to
be known in multiple places.

This implementation generates and partitions the key block in a single
step, meaning that the secrets are then simply handed out when requested.

ok inoguchi@ tb@


# 1.142 02-May-2021 jsing

Clean up tls1_change_cipher_state().

Replace flag gymnastics at call sites with separate read and write
functions, which call the common code. Condition on s->server instead of
using SSL_ST_ACCEPT, for consistency and more readable code.

ok inoguchi@ tb@


# 1.141 02-May-2021 jsing

Clean up dtls1_reset_seq_numbers().

Rather than doing flag gymnastics, split dtls1_reset_seq_numbers() into
separate read and write functions. Move the calls of these functions into
tls1_change_cipher_state() so they directly follow the change of cipher
state in the record layer, which avoids having to duplicate the calls in
the client and server.

ok inoguchi@ tb@


# 1.140 30-Apr-2021 jsing

Clean up and harden TLSv1.2 master key derivation.

The master key and its length are only stored in one location, so it makes
no sense to handle these outside of the derivation function (the current
'out' argument is unused). This simplifies the various call sites.

If derivation fails for some reason, fail hard rather than continuing on
and hoping that something deals with this correctly later.

ok inoguchi@ tb@


# 1.139 25-Apr-2021 jsing

Clean up derivation of finished/peer finished.

Make this process more readable by having specific client/server functions,
calling the correct one based on s->server. This allows us to remove various
SSL_ST_ACCEPT/SSL_ST_CONNECT checks, along with duplicate code.

ok inoguchi@ tb@


# 1.138 19-Apr-2021 jsing

Remove new_sym_enc and new_aead.

These can be replaced with accessors that allow this information to be
retrieved from the new record layer.

ok inoguchi@ tb@


# 1.137 19-Apr-2021 jsing

Move new_mac_secret_size into the TLSv1.2 handshake struct.

Drop the 'new_' prefix in the process.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_9_BASE
# 1.136 29-Mar-2021 jsing

Move the TLSv1.2 record number increment into the new record layer.

This adds checks (based on the TLSv1.3 implementation) to ensure that the
TLS/DTLS sequence numbers do not wrap, as required by the respective RFCs.

ok inoguchi@ tb@


# 1.135 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.134 24-Mar-2021 jsing

Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.

Move TLSv1.2 specific components over from SSL_HANDSHAKE.

ok inoguchi@ tb@


# 1.133 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.132 03-Feb-2021 tb

Fail early in legacy exporter if master secret is not available

The exporter depends on having a master secret. If the handshake is
not completed, it is neither guaranteed that a shared ciphersuite was
selected (in which case tls1_PRF() will currently NULL deref) nor that
a master secret was set up (in which case the exporter will succeed
with a predictable value). Neither outcome is desirable, so error out
early instead of entering the sausage factory unprepared. This aligns
the legacy exporter with the TLSv1.3 exporter in that regard.

with/ok jsing


# 1.131 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.130 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.129 19-Jan-2021 jsing

Add code to handle change of cipher state in the new TLSv1.2 record layer.

This provides the basic framework for handling change of cipher state in
the new TLSv1.2 record layer, creating new record protection. In the DTLS
case we retain the previous write record protection and can switch back to
it when retransmitting. This will allow the record layer to start owning
sequence numbers and encryption/decryption state.

ok inoguchi@ tb@


# 1.128 07-Jan-2021 jsing

Move the read MAC key into the TLSv1.2 record layer.

ok inoguchi@ tb@


# 1.127 11-Nov-2020 jsing

Use size_t for key_block_len.

This allows us to remove a check and will make future changes simpler. Use
suitable names for tls1_generate_key_block() arguments while here.

ok inoguchi@ tb@


# 1.126 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.125 07-Oct-2020 jsing

Mop up various things that are now unused with the new record layer.

ok inoguchi@ tb@


# 1.124 03-Oct-2020 jsing

Reimplement the TLSv1.2 record handling for the read side.

This is the next step in replacing the TLSv1.2 record layer.

The existing record handling code does decryption and processing in
place, which is not ideal for various reasons, however it is retained
for now as other code depends on this behaviour. Additionally, CBC
requires special handling to avoid timing oracles - for now the
existing timing safe code is largely retained.

ok beck@ inoguchi@ tb@


Revision tags: OPENBSD_6_8_BASE
# 1.123 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_7_BASE
# 1.122 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.121 13-Mar-2020 jsing

Remove dtls1_enc().

Like much of the original DTLS code, dtls1_enc() is effectively a renamed
copy of tls1_enc(). Since then tls1_enc() has been modified, however the
non-AEAD code remains largely the same. As such, remove dtls1_enc() and
instead call tls1_enc() from the DTLS code.

The tls1_enc() AEAD code does not currently work correctly with DTLS,
however this is a non-issue since we do not support AEAD cipher suites with
DTLS currently.

ok tb@


# 1.120 12-Mar-2020 jsing

Stop overloading the record type for padding length.

Currently the CBC related code stuffs the padding length in the upper bits
of the type field... stop doing that and add a padding_length field to the
record struct instead.

ok inoguchi@ tb@


# 1.119 12-Mar-2020 jsing

Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.

SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in
public headers, even though their usage is internal. This moves to
using _INTERNAL suffixed versions that are in internal headers, which
then allows us to change them without any potential public API fallout.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.118 13-May-2019 bcook

Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.

Fixes COV-174858

ok tb@


Revision tags: OPENBSD_6_5_BASE
# 1.117 09-Feb-2019 jsing

Rename tls1_handshake_hash*() to tls1_transcript_hash*().

While handshake hash is correct (in as far as it is a hash of handshake
messages), using tls1_transcript_hash*() aligns them with the naming of the
tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses
Transcript-Hash and "transcript hash", which this matches.

ok inoguchi@ tb@


# 1.116 08-Nov-2018 jsing

Clean up and simplify the handshake transcript code.

This provides a cleaner, simpler and more readable API, with code that uses
a BUF_MEM instead of a BIO.

ok beck@ ("hurry up") and tb@.


# 1.115 24-Oct-2018 jsing

Make more of libssl's record layer state internal.

In January 2017, we changed large amounts of libssl's data structures to
be non-visible/internal, however intentionally left things that the
software ecosystem was needing to use. The four or so applications that
reached into libssl for record layer related state now implement
alternative code. As such, make these data structures internal.

ok tb@


Revision tags: OPENBSD_6_4_BASE
# 1.114 08-Sep-2018 jsing

Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.

ok inoguchi@ tb@


# 1.113 06-Sep-2018 jsing

Drop SSL_CIPHER_ALGORITHM2_AEAD flag.

All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can
condition on that rather than having a separate redundant flag.

ok tb@


# 1.112 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.111 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.110 31-Aug-2018 jsing

Remove unused argument to tls1_change_cipher_state_cipher().


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.109 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.108 10-Apr-2017 jsing

freezero() the key block; simpler code and less of it.


Revision tags: OPENBSD_6_1_BASE
# 1.107 25-Mar-2017 jsing

Check tls1_PRF() return value in tls1_generate_master_secret().


# 1.106 25-Mar-2017 jsing

More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of
tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument
names and change lengths to size_t.

ok inoguchi@


# 1.105 18-Mar-2017 jsing

Fewer magic numbers.


# 1.104 18-Mar-2017 jsing

t1_enc.c


# 1.103 18-Mar-2017 jsing

Currently tls1_PRF() requires that a temporary buffer be provided, that
matches the size of the output buffer. This is used in the case where
there are multiple hashes - tls_P_hash() is called with the temporary
buffer and the result is then xored into the output buffer.

Avoid this by simply using a local buffer in tls_P_hash() and then xoring
the result into the output buffer. Overall this makes the code cleaner
and simplifies all of the tls_PRF() callers.

Similar to BoringSSL.

ok inoguchi@


# 1.102 10-Mar-2017 jsing

Remove the handshake digests and related code, replacing remaining uses
with the handshake hash. For now tls1_digest_cached_records() is retained
to release the handshake buffer.

ok beck@ inoguchi@


# 1.101 10-Mar-2017 jsing

First pass at cleaning up the tls1_P_hash() function - remove a pointless
EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the
code slightly.

ok inoguchi@


# 1.100 10-Mar-2017 jsing

Make tls1_PRF() non-static so it can be regress tested.


# 1.99 07-Mar-2017 jsing

Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned
and each hash processed separately.

Tested by tb@


# 1.98 06-Mar-2017 jsing

Clean up and simplify the tls1_PRF() implementation now that we have a
single EVP MD for the PRF hash.

ok beck@ inoguchi@


# 1.97 05-Mar-2017 jsing

Provide a rolling handshake hash that commences as soon as the cipher
suite has been selected, and convert the final finish MAC to use this
handshake hash.

This is a first step towards cleaning up the current handshake
buffer/digest code.

ok beck@ inoguchi@


# 1.96 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.95 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.94 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.93 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.92 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.91 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.90 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.89 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.88 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.87 06-Nov-2016 jsing

Remove unused SSLv3 from ssl3_cbc_record_digest_supported().

From Markus Uhlin <markus.uhlin at bredband dot net>

ok beck@ bcook@


# 1.86 03-Nov-2016 jsing

Clean up the TLS handshake digest handling - this refactors some of the
code for improved readability, however it also addresses two issues.

The first of these is a hard-to-hit double free that will occur if
EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure
that tls1_digest_cached_records() either completes successfully and sets
up all of the necessary digests, or it cleans up and frees everything
that was allocated.

The second issue is that EVP_DigestUpdate() can fail - detect and handle
this in tls1_finish_mac() and change the return type to an int so that a
failure can be propagated to the caller (the callers still need to be
fixed to handle this, in a later diff).

The double-free was reported by Matthew Dillon.

ok beck@ doug@ miod@


# 1.85 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replacing the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.84 06-Mar-2016 beck

Make sure stdio functions don't end up in the library, from miod@
ok doug@ bcook@


# 1.83 11-Sep-2015 jsing

Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a
ssl3_ prefix.

ok beck@


# 1.82 11-Sep-2015 jsing

Merge the remnants of s3_enc.c into t1_enc.c.

ok beck@


# 1.81 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.80 27-Aug-2015 jsing

Change AEAD out_len argument to size_t instead of ssize_t - while here,
rename it to out_len so that its purpose is more obvious. Also, drop two
checks that are no longer possible (and have not been for a long time).

Spotted by and ok doug@


# 1.79 17-Jul-2015 doug

Remove workaround for TLS padding bug from SSLeay days.

OpenSSL doesn't remember which clients were impacted and the
functionality has been broken in their stable releases for 2 years.

Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.

ok jsing@


# 1.78 17-Jun-2015 jsing

Keep alerts sorted by alert code.


# 1.77 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.76 07-Feb-2015 doug

Remove useless variables and use the values directly.

From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.

ok miod@, jsing@


# 1.75 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.74 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.73 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.72 16-Nov-2014 jsing

Sort and group includes.


# 1.71 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.70 18-Oct-2014 doug

Typical malloc() with size multiplication to reallocarray().

ok deraadt@


# 1.69 07-Aug-2014 miod

Oops, revert changes committed by mistake. The previous commit was supposed
to only apply to s23_srvr.c.


# 1.68 07-Aug-2014 miod

When you expect a function to return a particular value, don't put a comment
saying that you expect it to return that value and compare it against zero
because it is supposedly faster, for this leads to bugs (especially given the
high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this
library).

Instead, compare for the exact value it ought to return upon success.

ok deraadt@


# 1.67 10-Jul-2014 jsing

Remove more compression related code.


# 1.66 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.65 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.64 08-Jul-2014 beck

pedantic avoidance of division by zero, likely not actually
possible to hit for real.
ok miod@ jsing@


# 1.63 21-Jun-2014 jsing

Pull the code that builds a DTLS sequence number out into its own function
to avoid duplication. Also use fewer magic numbers.

ok miod@


# 1.62 21-Jun-2014 jsing

Pull out the sequence number selection and handle this up front. Also, the
correct record is already known, so avoid reassignment.


# 1.61 21-Jun-2014 jsing

More KNF and clean up.


# 1.60 15-Jun-2014 jsing

Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(),
so that it reflects what it is actually doing. Use this function in a
number of places that still have the hand rolled version.

ok beck@ miod@


# 1.59 13-Jun-2014 jsing

Correctly calculate the key block length when using export ciphers.


# 1.58 13-Jun-2014 jsing

Swap compress/expand around so they are in the correct order - these ended
up in the wrong order when the code was refactored.


# 1.57 13-Jun-2014 jsing

Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and
EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.


# 1.56 13-Jun-2014 jsing

Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are
those that use EVP_AEAD instead of EVP_CIPHER. This means being able to
change cipher state with an EVP_AEAD and being able to encrypt/decrypt
TLS using the EVP_AEAD. This has no change on existing
non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.

Based on Adam Langley's chromium patches.

Rides the recent libssl bump.

Tested by sthen@


# 1.55 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.54 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.53 11-Jun-2014 jsing

Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since
OpenSSL 1.0.0.

ok miod@ (a little while back)


# 1.52 10-Jun-2014 jsing

In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex()
to avoid a possible NULL function call on ctx.final(). None of the callers
currently check the return value of calls to cert_verify_mac(), however
the function already returns 0 in another case and the MAC comparison will
later fail.

Issue reported by David Ramos.


# 1.51 08-Jun-2014 jsing

Add a define for the SSLv3 sequence size and use it, rather than sprinkling
magic numbers around.

ok deraadt@


# 1.50 08-Jun-2014 jsing

Be explicit with types. No binary change.


# 1.49 08-Jun-2014 jsing

Factor out the part of tls1_change_cipher_state() that is specific to
switching cipher states using an EVP_CIPHER. This will facilitate the
addition of cipher state changes for EVP_AEAD. No functional change.

Based on Adam Langley's chromium patches.


# 1.48 08-Jun-2014 jsing

Factor out the sequence number reset code to aid in upcoming changes.


# 1.47 07-Jun-2014 jsing

Add missing NULL check after calling EVP_PKEY_new_mac_key().

Based on Adam Langley's chromium patches.


# 1.46 07-Jun-2014 jsing

Use !is_read to imply SSL3_CC_WRITE.

While this is not strictly correct (since the presence of SSL3_CC_READ does
not guarantee the absence of SSL3_CC_WRITE), in practice only one of these
flags is set at a time and there is existing logic which already relies on
this behaviour.


# 1.45 07-Jun-2014 jsing

Move the export label initialisation into the export handling code, since
this is the only place where these variables are used.


# 1.44 07-Jun-2014 jsing

Remove pointless casts - no binary change.


# 1.43 07-Jun-2014 jsing

Rename variables to make it clear that these are only used in the export
code. Additionally, these need to be cleaned in the export case.

Based on Adam Langley's chromium patches.


# 1.42 07-Jun-2014 jsing

Further clean up of context handling in tls1_change_cipher_state().

Rather than doing a complex dance to figure out if we should reuse the
cipher context and clean it later on, just free it and allocate a new one.
This simplifies the code path, especially in the write case where special
handling is required for DTLS.

Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is
unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention
that it was already missing from the write case).


# 1.41 02-Jun-2014 jsing

Rename more variables for readability and consistency.


# 1.40 01-Jun-2014 jsing

Overhaul the key block handling in tls1_change_cipher_state() - use
meaningful variable names with pointer arithmetic, rather than n, i, j
and p with array indexing.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.39 01-Jun-2014 jsing

In tls1_setup_key_block(), use the correct IV length for GCM mode, which
results in the key block length calculation also being correct. Rename a
number of variables so that their purpose becomes clear and simplify some
of the code.

Inspired by Adam Langley's chromium diffs.

ok miod@


# 1.38 01-Jun-2014 jsing

Clean up the tls1_change_cipher_state() key length handling and use a
single variable with a descriptive name, instead of two poorly named
variables.

Largely based on Adam Langley's chromium patches.

ok miod@


# 1.37 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.36 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.35 29-May-2014 jsing

Fix another two cases where the return value of ssl_replace_hash() is
unchecked.

In the case of tls1_change_cipher_state(), it is fairly pointless to use
ssl_replace_hash(), since it does not initialise the hash and there is
special handling required in the DTLS write case. Instead, just inline
the part of ssl_replace_hash() that is needed and only
ssl_clear_hash_ctx() the write hash in the non-DTLS case.

Also add a detailed comment explaining why there needs to be specialised
handling for DTLS write context and where the contexts are actually freed.

ok miod@


# 1.34 28-May-2014 jsing

More KNF.


# 1.33 28-May-2014 jsing

Refactor tls1_change_cipher_state() and split the compression handling out
from the cipher and message digest handling, allowing for upcoming changes.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.32 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.31 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.30 25-May-2014 jsing

The ssl_cipher_get_evp() function is currently overloaded to also return the
compression associated with the SSL session. Based on one of Adam Langley's
chromium diffs, factor out the compression handling code into a separate
ssl_cipher_get_comp() function.

Rewrite the compression handling code to avoid pointless duplication and so
that failures are actually returned to and detectable by the caller.

ok miod@


# 1.29 24-May-2014 miod

Invoke OPENSSL_cleanse() with the size of the variable you are cleaning.
ok jsing@


# 1.28 20-May-2014 jsing

KSSL is dead... nuke KSSL_DEBUG from orbit.

ok beck@ miod@


# 1.27 28-Apr-2014 tedu

use the correct algorithm mask. reported by satish lvr via
http://marc.info/?l=openssl-dev&m=139779977532459&w=2
ok miod


# 1.26 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.25 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.24 19-Apr-2014 jsing

More KNF.


# 1.23 18-Apr-2014 tedu

now that knf carpet bombing is finished, switch to hand to hand combat.
still not sure what to make of mysteries like this:
for (i = 7; i >= 0; i--) { /* increment */


# 1.22 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_relloc->realloc
OPENSSL_freeFunc->free


# 1.21 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.20 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.19 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.18 27-Feb-2014 jca

SECURITY fixes backported from openssl-1.0.1f. ok mikeb@

CVE-2013-4353 NULL pointer dereference with crafted Next Protocol
Negotiation record in TLS handshake.
Upstream: 197e0ea

CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client.
Upstream: ca98926, 0294b2b

CVE-2013-6450 Fix DTLS retransmission from previous session.
Upstream: 3462896


# 1.17 14-Feb-2013 markus

cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.14 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.13 09-Jan-2009 djm

resolve conflicts


# 1.12 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.11 06-Sep-2008 djm

resolve conflicts


# 1.10 29-Apr-2005 djm

resolve conflicts


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 01-Aug-2001 beck

merge openssl 0.9.6b-engine

Note that this is a maintenance release, APIs appear *not* to have changed.
As such, I have only increased the minor number on these libraries


# 1.5 22-Jun-2001 beck

openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.143 05-May-2021 jsing

Rewrite TLSv1.2 key block handling.

For TLSv1.2 a single key block is generated, then partitioned into
individual secrets for use as IVs and keys. The previous implementation
splits this across two functions tls1_setup_key_block() and
tls1_change_cipher_state(), which means that the IV and key sizes have to
be known in multiple places.

This implementation generates and partitions the key block in a single
step, meaning that the secrets are then simply handed out when requested.

ok inoguchi@ tb@


# 1.142 02-May-2021 jsing

Clean up tls1_change_cipher_state().

Replace flag gymnastics at call sites with separate read and write
functions which call the common code. Condition on s->server instead of
using SSL_ST_ACCEPT, for consistency and more readable code.

ok inoguchi@ tb@


# 1.141 02-May-2021 jsing

Clean up dtls1_reset_seq_numbers().

Rather than doing flag gymnastics, split dtls1_reset_seq_numbers() into
separate read and write functions. Move the calls of these functions into
tls1_change_cipher_state() so they directly follow the change of cipher
state in the record layer, which avoids having to duplicate the calls in
the client and server.

ok inoguchi@ tb@


# 1.140 30-Apr-2021 jsing

Clean up and harden TLSv1.2 master key derivation.

The master key and its length are only stored in one location, so it makes
no sense to handle these outside of the derivation function (the current
'out' argument is unused). This simplifies the various call sites.

If derivation fails for some reason, fail hard rather than continuing on
and hoping that something deals with this correctly later.

ok inoguchi@ tb@


# 1.139 25-Apr-2021 jsing

Clean up derivation of finished/peer finished.

Make this process more readable by having specific client/server functions,
calling the correct one based on s->server. This allows us to remove various
SSL_ST_ACCEPT/SSL_ST_CONNECT checks, along with duplicate code.

ok inoguchi@ tb@


# 1.138 19-Apr-2021 jsing

Remove new_sym_enc and new_aead.

These can be replaced with accessors that allow this information to be
retrieved from the new record layer.

ok inoguchi@ tb@


# 1.137 19-Apr-2021 jsing

Move new_mac_secret_size into the TLSv1.2 handshake struct.

Drop the 'new_' prefix in the process.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_9_BASE
# 1.136 29-Mar-2021 jsing

Move the TLSv1.2 record number increment into the new record layer.

This adds checks (based on the TLSv1.3 implementation) to ensure that the
TLS/DTLS sequence numbers do not wrap, as required by the respective RFCs.

ok inoguchi@ tb@


# 1.135 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.134 24-Mar-2021 jsing

Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.

Move TLSv1.2 specific components over from SSL_HANDSHAKE.

ok inoguchi@ tb@


# 1.133 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.132 03-Feb-2021 tb

Fail early in legacy exporter if master secret is not available

The exporter depends on having a master secret. If the handshake is
not completed, it is neither guaranteed that a shared ciphersuite was
selected (in which case tls1_PRF() will currently NULL deref) or that
a master secret was set up (in which case the exporter will succeed
with a predictable value). Neither outcome is desirable, so error out
early instead of entering the sausage factory unprepared. This aligns
the legacy exporter with the TLSv1.3 exporter in that regard.

with/ok jsing


# 1.131 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.130 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.129 19-Jan-2021 jsing

Add code to handle change of cipher state in the new TLSv1.2 record layer.

This provides the basic framework for handling change of cipher state in
the new TLSv1.2 record layer, creating new record protection. In the DTLS
case we retain the previous write record protection and can switch back to
it when retransmitting. This will allow the record layer to start owning
sequence numbers and encryption/decryption state.

ok inoguchi@ tb@


# 1.128 07-Jan-2021 jsing

Move the read MAC key into the TLSv1.2 record layer.

ok inoguchi@ tb@


# 1.127 11-Nov-2020 jsing

Use size_t for key_block_len.

This allows us to remove a check and will make future changes simpler. Use
suitable names for tls1_generate_key_block() arguments while here.

ok inoguchi@ tb@


# 1.126 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.125 07-Oct-2020 jsing

Mop up various things that are now unused with the new record layer.

ok inoguchi@ tb@


# 1.124 03-Oct-2020 jsing

Reimplement the TLSv1.2 record handling for the read side.

This is the next step in replacing the TLSv1.2 record layer.

The existing record handling code does decryption and processing in
place, which is not ideal for various reasons, however it is retained
for now as other code depends on this behaviour. Additionally, CBC
requires special handling to avoid timing oracles - for now the
existing timing safe code is largely retained.

ok beck@ inoguchi@ tb@


Revision tags: OPENBSD_6_8_BASE
# 1.123 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_7_BASE
# 1.122 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.121 13-Mar-2020 jsing

Remove dtls1_enc().

Like much of the original DTLS code, dtls1_enc() is effectively a renamed
copy of tls1_enc(). Since then tls1_enc() has been modified, however the
non-AEAD code remains largely the same. As such, remove dtls1_enc() and
instead call tls1_enc() from the DTLS code.

The tls1_enc() AEAD code does not currently work correctly with DTLS,
however this is a non-issue since we do not support AEAD cipher suites with
DTLS currently.

ok tb@


# 1.120 12-Mar-2020 jsing

Stop overloading the record type for padding length.

Currently the CBC related code stuffs the padding length in the upper bits
of the type field... stop doing that and add a padding_length field to the
record struct instead.

ok inoguchi@ tb@


# 1.119 12-Mar-2020 jsing

Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.

SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in
public headers, even though their usage is internal. This moves to
using _INTERNAL suffixed versions that are in internal headers, which
then allows us to change them without any potential public API fallout.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.118 13-May-2019 bcook

Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.

Fixes COV-174858

ok tb@


Revision tags: OPENBSD_6_5_BASE
# 1.117 09-Feb-2019 jsing

Rename tls1_handshake_hash*() to tls1_transcript_hash*().

While handshake hash is correct (in as far as it is a hash of handshake
messages), using tls1_transcript_hash*() aligns them with the naming of the
tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses
Transcript-Hash and "transcript hash", which this matches.

ok inoguchi@ tb@


# 1.116 08-Nov-2018 jsing

Clean up and simplify the handshake transcript code.

This provides a cleaner, simpler and more readable API, with code that uses
a BUF_MEM instead of a BIO.

ok beck@ ("hurry up") and tb@.


# 1.115 24-Oct-2018 jsing

Make more of libssl's record layer state internal.

In January 2017, we changed large amounts of libssl's data structures to
be non-visible/internal, however intentionally left things that the
software ecosystem was needing to use. The four or so applications that
reached into libssl for record layer related state now implement
alternative code. As such, make these data structures internal.

ok tb@


Revision tags: OPENBSD_6_4_BASE
# 1.114 08-Sep-2018 jsing

Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.

ok inoguchi@ tb@


# 1.113 06-Sep-2018 jsing

Drop SSL_CIPHER_ALGORITHM2_AEAD flag.

All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can
condition on that rather than having a separate redundant flag.

ok tb@


# 1.112 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.111 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.110 31-Aug-2018 jsing

Remove unused argument to tls1_change_cipher_state_cipher().


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.109 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.108 10-Apr-2017 jsing

freezero() the key block; simpler code and less of it.


Revision tags: OPENBSD_6_1_BASE
# 1.107 25-Mar-2017 jsing

Check tls1_PRF() return value in tls1_generate_master_secret().


# 1.106 25-Mar-2017 jsing

More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of
tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument
names and change lengths to size_t.

ok inoguchi@


# 1.105 18-Mar-2017 jsing

Fewer magic numbers.


# 1.104 18-Mar-2017 jsing

t1_enc.c


# 1.103 18-Mar-2017 jsing

Currently tls1_PRF() requires that a temporary buffer be provided, that
matches the size of the output buffer. This is used in the case where
there are multiple hashes - tls_P_hash() is called with the temporary
buffer and the result is then xored into the output buffer.

Avoid this by simply using a local buffer in tls_P_hash() and then xoring
the result into the output buffer. Overall this makes the code cleaner
and simplifies all of the tls_PRF() callers.

Similar to BoringSSL.

ok inoguchi@


# 1.102 10-Mar-2017 jsing

Remove the handshake digests and related code, replacing remaining uses
with the handshake hash. For now tls1_digest_cached_records() is retained
to release the handshake buffer.

ok beck@ inoguchi@


# 1.101 10-Mar-2017 jsing

First pass at cleaning up the tls1_P_hash() function - remove a pointless
EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the
code slightly.

ok inoguchi@


# 1.100 10-Mar-2017 jsing

Make tls1_PRF() non-static so it can be regress tested.


# 1.99 07-Mar-2017 jsing

Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned
and each hash processed separately.

Tested by tb@


# 1.98 06-Mar-2017 jsing

Clean up and simplify the tls1_PRF() implementation now that we have a
single EVP MD for the PRF hash.

ok beck@ inoguchi@


# 1.97 05-Mar-2017 jsing

Provide a rolling handshake hash that commences as soon as the cipher
suite has been selected, and convert the final finish MAC to use this
handshake hash.

This is a first step towards cleaning up the current handshake
buffer/digest code.

ok beck@ inoguchi@


# 1.96 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.95 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.94 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.93 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.92 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.91 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.90 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.89 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.88 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.87 06-Nov-2016 jsing

Remove unused SSLv3 from ssl3_cbc_record_digest_supported().

From Markus Uhlin <markus.uhlin at bredband dot net>

ok beck@ bcook@


# 1.86 03-Nov-2016 jsing

Clean up the TLS handshake digest handling - this refactors some of the
code for improved readability, however it also addresses two issues.

The first of these is a hard-to-hit double free that will occur if
EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure
that tls1_digest_cached_records() either completes successfully and sets
up all of the necessary digests, or it cleans up and frees everything
that was allocated.

The second issue is that EVP_DigestUpdate() can fail - detect and handle
this in tls1_finish_mac() and change the return type to an int so that a
failure can be propagated to the caller (the callers still need to be
fixed to handle this, in a later diff).

The double-free was reported by Matthew Dillon.

ok beck@ doug@ miod@


# 1.85 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replaces the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.84 06-Mar-2016 beck

Make sure stdio functions don't end up in the library, from miod@
ok doug@ bcook@


# 1.83 11-Sep-2015 jsing

Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a
ssl3_ prefix.

ok beck@


# 1.82 11-Sep-2015 jsing

Merge the remnants of s3_enc.c into t1_enc.c.

ok beck@


# 1.81 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.80 27-Aug-2015 jsing

Change AEAD out_len argument to size_t instead of ssize_t - while here,
rename it to out_len so that its purpose is more obvious. Also, drop two
checks that are no longer possible (and have not been for a long time).

Spotted by and ok doug@


# 1.79 17-Jul-2015 doug

Remove workaround for TLS padding bug from SSLeay days.

OpenSSL doesn't remember which clients were impacted and the
functionality has been broken in their stable releases for 2 years.

Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.

ok jsing@


# 1.78 17-Jun-2015 jsing

Keep alerts sorted by alert code.


# 1.77 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatability with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.76 07-Feb-2015 doug

Remove useless variables and use the values directly.

From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.

ok miod@, jsing@


# 1.75 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.74 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.73 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.72 16-Nov-2014 jsing

Sort and group includes.


# 1.71 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.70 18-Oct-2014 doug

Typical malloc() with size multiplication to reallocarray().

ok deraadt@


# 1.69 07-Aug-2014 miod

Oops, revert changes committed by mistake. The previous commit was supposed
to only apply to s23_srvr.c.


# 1.68 07-Aug-2014 miod

When you expect a function to return a particular value, don't put a comment
saying that you expect it to return that value and compare it against zero
because it is supposedly faster, for this leads to bugs (especially given the
high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this
library).

Instead, compare for the exact value it ought to return upon success.

ok deraadt@


# 1.67 10-Jul-2014 jsing

Remove more compression related code.


# 1.66 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.65 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.64 08-Jul-2014 beck

pedantic avoidance of division by zero, likely not actually
possible to hit for real.
ok miod@ jsing@


# 1.63 21-Jun-2014 jsing

Pull the code that builds a DTLS sequence number out into its own function
to avoid duplication. Also use fewer magic numbers.

ok miod@


# 1.62 21-Jun-2014 jsing

Pull out the sequence number selection and handle this up front. Also, the
correct record is already known, so avoid reassignment.


# 1.61 21-Jun-2014 jsing

More KNF and clean up.


# 1.60 15-Jun-2014 jsing

Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(),
so that it reflects what it is actually doing. Use this function in a
number of places that still have the hand rolled version.

ok beck@ miod@


# 1.59 13-Jun-2014 jsing

Correctly calculate the key block length when using export ciphers.


# 1.58 13-Jun-2014 jsing

Swap compress/expand around so they are in the correct order - these ended
up in the wrong order when the code was refactored.


# 1.57 13-Jun-2014 jsing

Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and
EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.


# 1.56 13-Jun-2014 jsing

Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are
those that use EVP_AEAD instead of EVP_CIPHER. This means being able to
change cipher state with an EVP_AEAD and being able to encrypt/decrypt
TLS using the EVP_AEAD. This has no change on existing
non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.

Based on Adam Langley's chromium patches.

Rides the recent libssl bump.

Tested by sthen@


# 1.55 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.54 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.53 11-Jun-2014 jsing

Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since
OpenSSL 1.0.0.

ok miod@ (a little while back)


# 1.52 10-Jun-2014 jsing

In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex()
to avoid a possible NULL function call on ctx.final(). None of the callers
currently check the return value of calls to cert_verify_mac(), however
the function already returns 0 in another case and the MAC comparison will
later fail.

Issue reported by David Ramos.


# 1.51 08-Jun-2014 jsing

Add a define for the SSLv3 sequence size and use it, rather than sprinkling
magic numbers around.

ok deraadt@


# 1.50 08-Jun-2014 jsing

Be explicit with types. No binary change.


# 1.49 08-Jun-2014 jsing

Factor out the part of tls1_change_cipher_state() that is specific to
switching cipher states using an EVP_CIPHER. This will facilitate the
addition of cipher state changes for EVP_AEAD. No functional change.

Based on Adam Langley's chromium patches.


# 1.48 08-Jun-2014 jsing

Factor out the sequence number reset code to aid in upcoming changes.


# 1.47 07-Jun-2014 jsing

Add missing NULL check after calling EVP_PKEY_new_mac_key().

Based on Adam Langley's chromium patches.


# 1.46 07-Jun-2014 jsing

Use !is_read to imply SSL3_CC_WRITE.

While this is not strictly correct (since the presence of SSL3_CC_READ does
not guarantee the absence of SSL3_CC_WRITE), in practice only one of these
flags is set at a time and there is existing logic which already relies on
this behaviour.


# 1.45 07-Jun-2014 jsing

Move the export label initialisation into the export handling code, since
this is the only place where these variables are used.


# 1.44 07-Jun-2014 jsing

Remove pointless casts - no binary change.


# 1.43 07-Jun-2014 jsing

Rename variables to make it clear that these are only used in the export
code. Additionally, these need to be cleaned in the export case.

Based on Adam Langley's chromium patches.


# 1.42 07-Jun-2014 jsing

Further clean up of context handling in tls1_change_cipher_state().

Rather than doing a complex dance to figure out if we should reuse the
cipher context and clean it later on, just free it and allocate a new one.
This simplifies the code path, especially in the write case where special
handling is required for DTLS.

Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is
unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention
that it was already missing from the write case).


# 1.41 02-Jun-2014 jsing

Rename more variables for readability and consistency.


# 1.40 01-Jun-2014 jsing

Overhaul the key block handling in tls1_change_cipher_state() - use
meaningful variable names with pointer arithmetic, rather than n, i, j
and p with array indexing.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.39 01-Jun-2014 jsing

In tls1_setup_key_block(), use the correct IV length for GCM mode, which
results in the key block length calculation also being correct. Rename a
number of variables so that their purpose becomes clear and simplify some
of the code.

Inspired by Adam Langley's chromium diffs.

ok miod@


# 1.38 01-Jun-2014 jsing

Clean up the tls1_change_cipher_state() key length handling and use a
single variable with a descriptive name, instead of two poorly named
variables.

Largely based on Adam Langley's chromium patches.

ok miod@


# 1.37 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.36 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.35 29-May-2014 jsing

Fix another two cases where the return value of ssl_replace_hash() is
unchecked.

In the case of tls1_change_cipher_state(), it is fairly pointless to use
ssl_replace_hash(), since it does not initialise the hash and there is
special handling required in the DTLS write case. Instead, just inline
the part of ssl_replace_hash() that is needed and only
ssl_clear_hash_ctx() the write hash in the non-DTLS case.

Also add a detailed comment explaining why there needs to be specialised
handling for DTLS write context and where the contexts are actually freed.

ok miod@


# 1.34 28-May-2014 jsing

More KNF.


# 1.33 28-May-2014 jsing

Refactor tls1_change_cipher_state() and split the compression handling out
from the cipher and message digest handling, allowing for upcoming changes.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.32 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.31 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.30 25-May-2014 jsing

The ssl_cipher_get_evp() function is currently overloaded to also return the
compression associated with the SSL session. Based on one of Adam Langley's
chromium diffs, factor out the compression handling code into a separate
ssl_cipher_get_comp() function.

Rewrite the compression handling code to avoid pointless duplication and so
that failures are actually returned to and detectable by the caller.

ok miod@


# 1.29 24-May-2014 miod

Invoke OPENSSL_cleanse() with the size of the variable you are cleaning.
ok jsing@


# 1.28 20-May-2014 jsing

KSSL is dead... nuke KSSL_DEBUG from orbit.

ok beck@ miod@


# 1.27 28-Apr-2014 tedu

use the correct algorithm mask. reported by satish lvr via
http://marc.info/?l=openssl-dev&m=139779977532459&w=2
ok miod


# 1.26 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.25 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.24 19-Apr-2014 jsing

More KNF.


# 1.23 18-Apr-2014 tedu

now that knf carpet bombing is finished, switch to hand to hand combat.
still not sure what to make of mysteries like this:
for (i = 7; i >= 0; i--) { /* increment */


# 1.22 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.21 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.20 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.19 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.18 27-Feb-2014 jca

SECURITY fixes backported from openssl-1.0.1f. ok mikeb@

CVE-2013-4353 NULL pointer dereference with crafted Next Protocol
Negotiation record in TLS handshake.
Upstream: 197e0ea

CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client.
Upstream: ca98926, 0294b2b

CVE-2013-6450 Fix DTLS retransmission from previous session.
Upstream: 3462896


# 1.17 14-Feb-2013 markus

cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.14 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.13 09-Jan-2009 djm

resolve conflicts


# 1.12 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.11 06-Sep-2008 djm

resolve conflicts


# 1.10 29-Apr-2005 djm

resolve conflicts


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 01-Aug-2001 beck

merge openssl 0.9.6b-engine

Note that this is a maintenance release; APIs appear *not* to have changed.
As such, I have only increased the minor number on these libraries.


# 1.5 22-Jun-2001 beck

openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.142 02-May-2021 jsing

Clean up tls1_change_cipher_state().

Replace flag gymnastics at call sites with separate read and write,
functions which call the common code. Condition on s->server instead of
using SSL_ST_ACCEPT, for consistency and more readable code.

ok inoguchi@ tb@


# 1.141 02-May-2021 jsing

Clean up dtls1_reset_seq_numbers().

Rather than doing flag gymnastics, split dtls1_reset_seq_numbers() into
separate read and write functions. Move the calls of these functions into
tls1_change_cipher_state() so they directly follow the change of cipher
state in the record layer, which avoids having to duplicate the calls in
the client and server.

ok inoguchi@ tb@


# 1.140 30-Apr-2021 jsing

Clean up and harden TLSv1.2 master key derivation.

The master key and its length are only stored in one location, so it makes
no sense to handle these outside of the derivation function (the current
'out' argument is unused). This simplifies the various call sites.

If derivation fails for some reason, fail hard rather than continuing on
and hoping that something deals with this correctly later.

ok inoguchi@ tb@


# 1.139 25-Apr-2021 jsing

Clean up derivation of finished/peer finished.

Make this process more readable by having specific client/server functions,
calling the correct one based on s->server. This allows to remove various
SSL_ST_ACCEPT/SSL_ST_CONNECT checks, along with duplicate code.

ok inoguchi@ tb@


# 1.138 19-Apr-2021 jsing

Remove new_sym_enc and new_aead.

These can be replaced with accessors that allow this information to be
retrieved from the new record layer.

ok inoguchi@ tb@


# 1.137 19-Apr-2021 jsing

Move new_mac_secret_size into the TLSv1.2 handshake struct.

Drop the 'new_' prefix in the process.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_9_BASE
# 1.136 29-Mar-2021 jsing

Move the TLSv1.2 record number increment into the new record layer.

This adds checks (based on the TLSv1.3 implementation) to ensure that the
TLS/DTLS sequence numbers do not wrap, as required by the respective RFCs.

ok inoguchi@ tb@


# 1.135 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.134 24-Mar-2021 jsing

Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.

Move TLSv1.2 specific components over from SSL_HANDSHAKE.

ok inoguchi@ tb@


# 1.133 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.132 03-Feb-2021 tb

Fail early in legacy exporter if master secret is not available

The exporter depends on having a master secret. If the handshake is
not completed, it is neither guaranteed that a shared ciphersuite was
selected (in which case tls1_PRF() will currently NULL deref) or that
a master secret was set up (in which case the exporter will succeed
with a predictable value). Neither outcome is desirable, so error out
early instead of entering the sausage factory unprepared. This aligns
the legacy exporter with the TLSv1.3 exporter in that regard.

with/ok jsing


# 1.131 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.130 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.129 19-Jan-2021 jsing

Add code to handle change of cipher state in the new TLSv1.2 record layer.

This provides the basic framework for handling change of cipher state in
the new TLSv1.2 record layer, creating new record protection. In the DTLS
case we retain the previous write record protection and can switch back to
it when retransmitting. This will allow the record layer to start owning
sequence numbers and encryption/decryption state.

ok inoguchi@ tb@


# 1.128 07-Jan-2021 jsing

Move the read MAC key into the TLSv1.2 record layer.

ok inoguchi@ tb@


# 1.127 11-Nov-2020 jsing

Use size_t for key_block_len.

This allows us to remove a check and will make future changes simpler. Use
suitable names for tls1_generate_key_block() arguments while here.

ok inoguchi@ tb@


# 1.126 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.125 07-Oct-2020 jsing

Mop up various things that are now unused with the new record layer.

ok inoguchi@ tb@


# 1.124 03-Oct-2020 jsing

Reimplement the TLSv1.2 record handling for the read side.

This is the next step in replacing the TLSv1.2 record layer.

The existing record handling code does decryption and processing in
place, which is not ideal for various reasons, however it is retained
for now as other code depends on this behaviour. Additionally, CBC
requires special handling to avoid timing oracles - for now the
existing timing safe code is largely retained.

ok beck@ inoguchi@ tb@


Revision tags: OPENBSD_6_8_BASE
# 1.123 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_7_BASE
# 1.122 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.121 13-Mar-2020 jsing

Remove dtls1_enc().

Like much of the original DTLS code, dtls1_enc() is effectively a renamed
copy of tls1_enc(). Since then tls1_enc() has been modified, however the
non-AEAD code remains largely the same. As such, remove dtls1_enc() and
instead call tls1_enc() from the DTLS code.

The tls1_enc() AEAD code does not currently work correctly with DTLS,
however this is a non-issue since we do not support AEAD cipher suites with
DTLS currently.

ok tb@


# 1.120 12-Mar-2020 jsing

Stop overloading the record type for padding length.

Currently the CBC related code stuffs the padding length in the upper bits
of the type field... stop doing that and add a padding_length field to the
record struct instead.

ok inoguchi@ tb@


# 1.119 12-Mar-2020 jsing

Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.

SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in
public headers, even though their usage is internal. This moves to
using _INTERNAL suffixed versions that are in internal headers, which
then allows us to change them without any potential public API fallout.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.118 13-May-2019 bcook

Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.

Fixes COV-174858

ok tb@


Revision tags: OPENBSD_6_5_BASE
# 1.117 09-Feb-2019 jsing

Rename tls1_handshake_hash*() to tls1_transcript_hash*().

While handshake hash is correct (in as far as it is a hash of handshake
messages), using tls1_transcript_hash*() aligns them with the naming of the
tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses
Transcript-Hash and "transcript hash", which this matches.

ok inoguchi@ tb@


# 1.116 08-Nov-2018 jsing

Clean up and simplify the handshake transcript code.

This provides a cleaner, simpler and more readable API, with code that uses
a BUF_MEM instead of a BIO.

ok beck@ ("hurry up") and tb@.


# 1.115 24-Oct-2018 jsing

Make more of libssl's record layer state internal.

In January 2017, we changed large amounts of libssl's data structures to
be non-visible/internal, however intentionally left things that the
software ecosystem was needing to use. The four or so applications that
reached into libssl for record layer related state now implement
alternative code. As such, make these data structures internal.

ok tb@


Revision tags: OPENBSD_6_4_BASE
# 1.114 08-Sep-2018 jsing

Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.

ok inoguchi@ tb@


# 1.113 06-Sep-2018 jsing

Drop SSL_CIPHER_ALGORITHM2_AEAD flag.

All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can
condition on that rather than having a separate redundant flag.

ok tb@


# 1.112 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.111 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.110 31-Aug-2018 jsing

Remove unused argument to tls1_change_cipher_state_cipher().


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.109 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.108 10-Apr-2017 jsing

freezero() the key block; simpler code and less of it.


Revision tags: OPENBSD_6_1_BASE
# 1.107 25-Mar-2017 jsing

Check tls1_PRF() return value in tls1_generate_master_secret().


# 1.106 25-Mar-2017 jsing

More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of
tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument
names and change lengths to size_t.

ok inoguchi@


# 1.105 18-Mar-2017 jsing

Fewer magic numbers.


# 1.104 18-Mar-2017 jsing

t1_enc.c


# 1.103 18-Mar-2017 jsing

Currently tls1_PRF() requires that a temporary buffer be provided, that
matches the size of the output buffer. This is used in the case where
there are multiple hashes - tls_P_hash() is called with the temporary
buffer and the result is then xored into the output buffer.

Avoid this by simply using a local buffer in tls_P_hash() and then xoring
the result into the output buffer. Overall this makes the code cleaner
and simplifies all of the tls_PRF() callers.

Similar to BoringSSL.

ok inoguchi@


# 1.102 10-Mar-2017 jsing

Remove the handshake digests and related code, replacing remaining uses
with the handshake hash. For now tls1_digest_cached_records() is retained
to release the handshake buffer.

ok beck@ inoguchi@


# 1.101 10-Mar-2017 jsing

First pass at cleaning up the tls1_P_hash() function - remove a pointless
EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the
code slightly.

ok inoguchi@


# 1.100 10-Mar-2017 jsing

Make tls1_PRF() non-static so it can be regress tested.


# 1.99 07-Mar-2017 jsing

Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned
and each hash processed separately.

Tested by tb@


# 1.98 06-Mar-2017 jsing

Clean up and simplify the tls1_PRF() implementation now that we have a
single EVP MD for the PRF hash.

ok beck@ inoguchi@


# 1.97 05-Mar-2017 jsing

Provide a rolling handshake hash that commences as soon as the cipher
suite has been selected, and convert the final finish MAC to use this
handshake hash.

This is a first step towards cleaning up the current handshake
buffer/digest code.

ok beck@ inoguchi@


# 1.96 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.95 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.94 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.93 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.92 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.91 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.90 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.89 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.88 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.87 06-Nov-2016 jsing

Remove unused SSLv3 from ssl3_cbc_record_digest_supported().

From Markus Uhlin <markus.uhlin at bredband dot net>

ok beck@ bcook@


# 1.86 03-Nov-2016 jsing

Clean up the TLS handshake digest handling - this refactors some of the
code for improved readability, however it also address two issues.

The first of these is a hard-to-hit double free that will occur if
EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure
that tls1_digest_cached_records() either completes successfully and sets
up all of the necessary digests, or it cleans up and frees everything
that was allocated.

The second issue is that EVP_DigestUpdate() can fail - detect and handle
this in tls1_finish_mac() and change the return type to an int so that a
failure can be propagated to the caller (the callers still need to be
fixed to handle this, in a later diff).

The double-free was reported by Matthew Dillon.

ok beck@ doug@ miod@


# 1.85 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replaces the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.84 06-Mar-2016 beck

Make sure stdio functions don't end up in the library, from miod@
ok doug@ bcook@


# 1.83 11-Sep-2015 jsing

Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a
ssl3_ prefix.

ok beck@


# 1.82 11-Sep-2015 jsing

Merge the remnants of s3_enc.c into t1_enc.c.

ok beck@


# 1.81 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.80 27-Aug-2015 jsing

Change AEAD out_len argument to size_t instead of ssize_t - while here,
rename it to out_len so that its purpose is more obvious. Also, drop two
checks that are no longer possible (and have not been for a long time).

Spotted by and ok doug@


# 1.79 17-Jul-2015 doug

Remove workaround for TLS padding bug from SSLeay days.

OpenSSL doesn't remember which clients were impacted and the
functionality has been broken in their stable releases for 2 years.

Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.

ok jsing@


# 1.78 17-Jun-2015 jsing

Keep alerts sorted by alert code.


# 1.77 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatability with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.76 07-Feb-2015 doug

Remove useless variables and use the values directly.

From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.

ok miod@, jsing@


# 1.75 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.74 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.73 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.72 16-Nov-2014 jsing

Sort and group includes.


# 1.71 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.70 18-Oct-2014 doug

Typical malloc() with size multiplication to reallocarray().

ok deraadt@


# 1.69 07-Aug-2014 miod

Oops, revert changes committed by mistake. The previous commit was supposed
to only apply to s23_srvr.c.


# 1.68 07-Aug-2014 miod

When you expect a function to return a particular value, don't put a comment
saying that you expect it to return that value and compare it against zero
because it is supposedly faster, for this leads to bugs (especially given the
high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this
library).

Instead, compare for the exact value it ought to return upon success.

ok deraadt@


# 1.67 10-Jul-2014 jsing

Remove more compression related code.


# 1.66 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.65 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.64 08-Jul-2014 beck

pedantic avoidance of division by zero, likely not actually
possible to hit for real.
ok miod@ jsing@


# 1.63 21-Jun-2014 jsing

Pull the code that builds a DTLS sequence number out into its own function
to avoid duplication. Also use fewer magic numbers.

ok miod@


# 1.62 21-Jun-2014 jsing

Pull out the sequence number selection and handle this up front. Also, the
correct record is already known, so avoid reassignment.


# 1.61 21-Jun-2014 jsing

More KNF and clean up.


# 1.60 15-Jun-2014 jsing

Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(),
so that it reflects what it is actually doing. Use this function in a
number of places that still have the hand rolled version.

ok beck@ miod@

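Added worked example, not LibreSSL code, for the sequence number handling that the 1.63, 1.62 and 1.60 entries above are about. The 8-byte big-endian counter and the carry loop running from byte 7 down to byte 0 are how TLS stores its uint64 record sequence number; the increment here refuses to wrap past 2^64 - 1 (RFC 5246 section 6.1 forbids wrapping, and with an AEAD suite a repeated sequence number is a repeated nonce), and the DTLS builder packs the 16-bit epoch and 48-bit per-epoch sequence number into the same 8-byte field. Function names and the value-returning wrappers at the end are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SSL3_SEQUENCE_SIZE	8	/* TLS sequence number: uint64, big-endian */
#define DTLS_EPOCH_SIZE		2	/* DTLS field: 16-bit epoch || 48-bit seq */

/* Big-endian conversions between the wire form and a uint64. */
static uint64_t
seq_load(const uint8_t seq[SSL3_SEQUENCE_SIZE])
{
	uint64_t v = 0;
	int i;

	for (i = 0; i < SSL3_SEQUENCE_SIZE; i++)
		v = (v << 8) | seq[i];
	return v;
}

static void
seq_store(uint64_t v, uint8_t seq[SSL3_SEQUENCE_SIZE])
{
	int i;

	for (i = SSL3_SEQUENCE_SIZE - 1; i >= 0; i--) {
		seq[i] = (uint8_t)(v & 0xff);
		v >>= 8;
	}
}

/*
 * Increment the record sequence number in place. Returns 1 on success and 0,
 * leaving seq untouched, when the counter is already 2^64 - 1: the caller
 * must fail the connection rather than reuse a sequence number.
 */
int
tls_record_sequence_increment(uint8_t seq[SSL3_SEQUENCE_SIZE])
{
	int i;

	for (i = 0; i < SSL3_SEQUENCE_SIZE; i++)
		if (seq[i] != 0xff)
			break;
	if (i == SSL3_SEQUENCE_SIZE)
		return 0;		/* all ones: the next value would wrap */

	for (i = SSL3_SEQUENCE_SIZE - 1; i >= 0; i--)
		if (++seq[i] != 0)	/* stop at the first byte with no carry */
			break;
	return 1;
}

/*
 * Build the 8-byte DTLS sequence field: epoch in the first two bytes, the
 * per-epoch sequence number in the remaining six. Returns 0 if seq does not
 * fit in 48 bits. When out is NULL only the range check is done.
 */
int
dtls_record_sequence_build(uint16_t epoch, uint64_t seq,
    uint8_t out[SSL3_SEQUENCE_SIZE])
{
	int i;

	if (seq > 0xffffffffffffULL)
		return 0;
	if (out == NULL)
		return 1;
	out[0] = (uint8_t)(epoch >> 8);
	out[1] = (uint8_t)(epoch & 0xff);
	for (i = SSL3_SEQUENCE_SIZE - 1; i >= DTLS_EPOCH_SIZE; i--) {
		out[i] = (uint8_t)(seq & 0xff);
		seq >>= 8;
	}
	return 1;
}

/* Value-returning wrappers so the behaviour can be checked without buffers. */
int
sequence_increment_succeeds(uint64_t start)
{
	uint8_t seq[SSL3_SEQUENCE_SIZE];

	seq_store(start, seq);
	return tls_record_sequence_increment(seq);
}

/* start + 1, or start unchanged when the increment was refused. */
uint64_t
sequence_after_increment(uint64_t start)
{
	uint8_t seq[SSL3_SEQUENCE_SIZE];

	seq_store(start, seq);
	(void)tls_record_sequence_increment(seq);
	return seq_load(seq);
}

/* The DTLS field as one 64-bit number (0 if seq is out of range). */
uint64_t
dtls_wire_sequence(uint16_t epoch, uint64_t seq)
{
	uint8_t out[SSL3_SEQUENCE_SIZE];

	if (!dtls_record_sequence_build(epoch, seq, out))
		return 0;
	return seq_load(out);
}

int
main(void)
{
	uint8_t seq[SSL3_SEQUENCE_SIZE];

	seq_store(0xfffffffffffffffeULL, seq);
	printf("from 2^64-2: %s\n", tls_record_sequence_increment(seq) ? "ok" : "refused");
	printf("from 2^64-1: %s\n", tls_record_sequence_increment(seq) ? "ok" : "refused");
	printf("DTLS epoch 1, seq 5: %016llx\n",
	    (unsigned long long)dtls_wire_sequence(1, 5));
	return 0;
}
```

Keeping the all-ones test before the carry loop is what makes the refusal safe to act on: the counter is left as it was, so the caller can tear the connection down without having already produced a record under a reused number.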

# 1.59 13-Jun-2014 jsing

Correctly calculate the key block length when using export ciphers.


# 1.58 13-Jun-2014 jsing

Swap compress/expand around so they are in the correct order - these ended
up in the wrong order when the code was refactored.


# 1.57 13-Jun-2014 jsing

Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and
EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.


# 1.56 13-Jun-2014 jsing

Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are
those that use EVP_AEAD instead of EVP_CIPHER. This means being able to
change cipher state with an EVP_AEAD and being able to encrypt/decrypt
TLS using the EVP_AEAD. This has no change on existing
non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.

Based on Adam Langley's chromium patches.

Rides the recent libssl bump.

Tested by sthen@


# 1.55 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.54 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.53 11-Jun-2014 jsing

Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since
OpenSSL 1.0.0.

ok miod@ (a little while back)


# 1.52 10-Jun-2014 jsing

In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex()
to avoid a possible NULL function call on ctx.final(). None of the callers
currently check the return value of calls to cert_verify_mac(), however
the function already returns 0 in another case and the MAC comparison will
later fail.

Issue reported by David Ramos.


# 1.51 08-Jun-2014 jsing

Add a define for the SSLv3 sequence size and use it, rather than sprinkling
magic numbers around.

ok deraadt@


# 1.50 08-Jun-2014 jsing

Be explicit with types. No binary change.


# 1.49 08-Jun-2014 jsing

Factor out the part of tls1_change_cipher_state() that is specific to
switching cipher states using an EVP_CIPHER. This will facilitate the
addition of cipher state changes for EVP_AEAD. No functional change.

Based on Adam Langley's chromium patches.


# 1.48 08-Jun-2014 jsing

Factor out the sequence number reset code to aid in upcoming changes.


# 1.47 07-Jun-2014 jsing

Add missing NULL check after calling EVP_PKEY_new_mac_key().

Based on Adam Langley's chromium patches.


# 1.46 07-Jun-2014 jsing

Use !is_read to imply SSL3_CC_WRITE.

While this is not strictly correct (since the presence of SSL3_CC_READ does
not guarantee the absence of SSL3_CC_WRITE), in practice only one of these
flags is set at a time and there is existing logic which already relies on
this behaviour.


# 1.45 07-Jun-2014 jsing

Move the export label initialisation into the export handling code, since
this is the only place where these variables are used.


# 1.44 07-Jun-2014 jsing

Remove pointless casts - no binary change.


# 1.43 07-Jun-2014 jsing

Rename variables to make it clear that these are only used in the export
code. Additionally, these need to be cleaned in the export case.

Based on Adam Langley's chromium patches.


# 1.42 07-Jun-2014 jsing

Further clean up of context handling in tls1_change_cipher_state().

Rather than doing a complex dance to figure out if we should reuse the
cipher context and clean it later on, just free it and allocate a new one.
This simplifies the code path, especially in the write case where special
handling is required for DTLS.

Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is
unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention
that it was already missing from the write case).


# 1.41 02-Jun-2014 jsing

Rename more variables for readability and consistency.


# 1.40 01-Jun-2014 jsing

Overhaul the key block handling in tls1_change_cipher_state() - use
meaningful variable names with pointer arithmetic, rather than n, i, j
and p with array indexing.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.39 01-Jun-2014 jsing

In tls1_setup_key_block(), use the correct IV length for GCM mode, which
results in the key block length calculation also being correct. Rename a
number of variables so that their purpose becomes clear and simplify some
of the code.

Inspired by Adam Langley's chromium diffs.

ok miod@


# 1.38 01-Jun-2014 jsing

Clean up the tls1_change_cipher_state() key length handling and use a
single variable with a descriptive name, instead of two poorly named
variables.

Largely based on Adam Langley's chromium patches.

ok miod@


# 1.37 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.36 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.35 29-May-2014 jsing

Fix another two cases where the return value of ssl_replace_hash() is
unchecked.

In the case of tls1_change_cipher_state(), it is fairly pointless to use
ssl_replace_hash(), since it does not initialise the hash and there is
special handling required in the DTLS write case. Instead, just inline
the part of ssl_replace_hash() that is needed and only
ssl_clear_hash_ctx() the write hash in the non-DTLS case.

Also add a detailed comment explaining why there needs to be specialised
handling for DTLS write context and where the contexts are actually freed.

ok miod@


# 1.34 28-May-2014 jsing

More KNF.


# 1.33 28-May-2014 jsing

Refactor tls1_change_cipher_state() and split the compression handling out
from the cipher and message digest handling, allowing for upcoming changes.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.32 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.31 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.30 25-May-2014 jsing

The ssl_cipher_get_evp() function is currently overloaded to also return the
compression associated with the SSL session. Based on one of Adam Langley's
chromium diffs, factor out the compression handling code into a separate
ssl_cipher_get_comp() function.

Rewrite the compression handling code to avoid pointless duplication and so
that failures are actually returned to and detectable by the caller.

ok miod@


# 1.29 24-May-2014 miod

Invoke OPENSSL_cleanse() with the size of the variable you are cleaning.
ok jsing@


# 1.28 20-May-2014 jsing

KSSL is dead... nuke KSSL_DEBUG from orbit.

ok beck@ miod@


# 1.27 28-Apr-2014 tedu

use the correct algorithm mask. reported by satish lvr via
http://marc.info/?l=openssl-dev&m=139779977532459&w=2
ok miod


# 1.26 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.25 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.24 19-Apr-2014 jsing

More KNF.


# 1.23 18-Apr-2014 tedu

now that knf carpet bombing is finished, switch to hand to hand combat.
still not sure what to make of mysteries like this:
for (i = 7; i >= 0; i--) { /* increment */


# 1.22 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.21 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.20 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.19 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.18 27-Feb-2014 jca

SECURITY fixes backported from openssl-1.0.1f. ok mikeb@

CVE-2013-4353 NULL pointer dereference with crafted Next Protocol
Negotiation record in TLS handshake.
Upstream: 197e0ea

CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client.
Upstream: ca98926, 0294b2b

CVE-2013-6450 Fix DTLS retransmission from previous session.
Upstream: 3462896


# 1.17 14-Feb-2013 markus

cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.14 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.13 09-Jan-2009 djm

resolve conflicts


# 1.12 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.11 06-Sep-2008 djm

resolve conflicts


# 1.10 29-Apr-2005 djm

resolve conflicts


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 01-Aug-2001 beck

merge openssl 0.9.6b-engine

Note that this is a maintenance release; APIs appear *not* to have changed.
As such, I have only increased the minor number on these libraries


# 1.5 22-Jun-2001 beck

openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.77 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatability with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.76 07-Feb-2015 doug

Remove useless variables and use the values directly.

From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.

ok miod@, jsing@


# 1.75 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.74 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.73 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.72 16-Nov-2014 jsing

Sort and group includes.


# 1.71 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.70 18-Oct-2014 doug

Typical malloc() with size multiplication to reallocarray().

ok deraadt@


# 1.69 07-Aug-2014 miod

Oops, revert changes commited by mistake. The previous commit was supposed
to only apply to s23_srvr.c.


# 1.68 07-Aug-2014 miod

When you expect a function to return a particular value, don't put a comment
saying that you expect it to return that value and compare it against zero
because it is supposedly faster, for this leads to bugs (especially given the
high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this
library).

Instead, compare for the exact value it ought to return upon success.

ok deraadt@


# 1.67 10-Jul-2014 jsing

Remove more compression related code.


# 1.66 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.65 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.64 08-Jul-2014 beck

pedantic avoidance of division by zero, likely not actually
possible to hit for real.
ok miod@ jsing@


# 1.63 21-Jun-2014 jsing

Pull the code that builds a DTLS sequence number out into its own function
to avoid duplication. Also use fewer magic numbers.

ok miod@


# 1.62 21-Jun-2014 jsing

Pull out the sequence number selection and handle this up front. Also, the
correct record is already known, so avoid reassignment.


# 1.61 21-Jun-2014 jsing

More KNF and clean up.


# 1.60 15-Jun-2014 jsing

Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(),
so that it reflects what it is actually doing. Use this function in a
number of places that still have the hand rolled version.

ok beck@ miod@


# 1.59 13-Jun-2014 jsing

Correctly calculate the key block length when using export ciphers.


# 1.58 13-Jun-2014 jsing

Swap compress/expand around so they are in the correct order - these ended
up in the wrong order when the code was refactored.


# 1.57 13-Jun-2014 jsing

Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and
EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.


# 1.56 13-Jun-2014 jsing

Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are
those that use EVP_AEAD instead of EVP_CIPHER. This means being able to
change cipher state with an EVP_AEAD and being able to encrypt/decrypt
TLS using the EVP_AEAD. This has no change on existing
non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.

Based on Adam Langley's chromium patches.

Rides the recent libssl bump.

Tested by sthen@


# 1.55 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.54 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.53 11-Jun-2014 jsing

Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since
OpenSSL 1.0.0.

ok miod@ (a little while back)


# 1.52 10-Jun-2014 jsing

In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex()
to avoid a possible NULL function call on ctx.final(). None of the callers
currently check the return value of calls to cert_verify_mac(), however
the function already returns 0 in another case and the MAC comparison will
later fail.

Issue reported by David Ramos.


# 1.51 08-Jun-2014 jsing

Add a define for the SSLv3 sequence size and use it, rather than sprinkling
magic numbers around.

ok deraadt@


# 1.50 08-Jun-2014 jsing

Be explicit with types. No binary change.


# 1.49 08-Jun-2014 jsing

Factor out the part of tls1_change_cipher_state() that is specific to
switching cipher states using an EVP_CIPHER. This will facilitate the
addition of cipher state changes for EVP_AEAD. No functional change.

Based on Adam Langley's chromium patches.


# 1.48 08-Jun-2014 jsing

Factor out the sequence number reset code to aid in upcoming changes.


# 1.47 07-Jun-2014 jsing

Add missing NULL check after calling EVP_PKEY_new_mac_key().

Based on Adam Langley's chromium patches.


# 1.46 07-Jun-2014 jsing

Use !is_read to imply SSL3_CC_WRITE.

While this is not strictly correct (since the presence of SSL3_CC_READ does
not guarantee the absence of SSL3_CC_WRITE), in practice only one of these
flags is set at a time and there is existing logic which already relies on
this behaviour.


# 1.45 07-Jun-2014 jsing

Move the export label initialisation into the export handling code, since
this is the only place where these variables are used.


# 1.44 07-Jun-2014 jsing

Remove pointless casts - no binary change.


# 1.43 07-Jun-2014 jsing

Rename variables to make it clear that these are only used in the export
code. Additionally, these need to be cleaned in the export case.

Based on Adam Langley's chromium patches.


# 1.42 07-Jun-2014 jsing

Further clean up of context handling in tls1_change_cipher_state().

Rather than doing a complex dance to figure out if we should reuse the
cipher context and clean it later on, just free it and allocate a new one.
This simplifies the code path, especially in the write case where special
handling is required for DTLS.

Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is
unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention
that it was already missing from the write case).


# 1.41 02-Jun-2014 jsing

Rename more variables for readability and consistency.


# 1.40 01-Jun-2014 jsing

Overhaul the key block handling in tls1_change_cipher_state() - use
meaningful variable names with pointer arithmetic, rather than n, i, j
and p with array indexing.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.39 01-Jun-2014 jsing

In tls1_setup_key_block(), use the correct IV length for GCM mode, which
results in the key block length calculation also being correct. Rename a
number of variables so that their purpose becomes clear and simplify some
of the code.

Inspired by Adam Langley's chromium diffs.

ok miod@


# 1.38 01-Jun-2014 jsing

Clean up the tls1_change_cipher_state() key length handling and use a
single variable with a descriptive name, instead of two poorly named
variables.

Largely based on Adam Langley's chromium patches.

ok miod@


# 1.37 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.36 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.35 29-May-2014 jsing

Fix another two cases where the return value of ssl_replace_hash() is
unchecked.

In the case of tls1_change_cipher_state(), it is fairly pointless to use
ssl_replace_hash(), since it does not initialise the hash and there is
special handling required in the DTLS write case. Instead, just inline
the part of ssl_replace_hash() that is needed and only
ssl_clear_hash_ctx() the write hash in the non-DTLS case.

Also add a detailed comment explaining why there needs to be specialised
handling for DTLS write context and where the contexts are actually freed.

ok miod@


# 1.34 28-May-2014 jsing

More KNF.


# 1.33 28-May-2014 jsing

Refactor tls1_change_cipher_state() and split the compression handling out
from the cipher and message digest handling, allowing for upcoming changes.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.32 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.31 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.30 25-May-2014 jsing

The ssl_cipher_get_evp() function is currently overloaded to also return the
compression associated with the SSL session. Based on one of Adam Langley's
chromium diffs, factor out the compression handling code into a separate
ssl_cipher_get_comp() function.

Rewrite the compression handling code to avoid pointless duplication and so
that failures are actually returned to and detectable by the caller.

ok miod@


# 1.29 24-May-2014 miod

Invoke OPENSSL_cleanse() with the size of the variable you are cleaning.
ok jsing@


# 1.28 20-May-2014 jsing

KSSL is dead... nuke KSSL_DEBUG from orbit.

ok beck@ miod@


# 1.27 28-Apr-2014 tedu

use the correct algorithm mask. reported by satish lvr via
http://marc.info/?l=openssl-dev&m=139779977532459&w=2
ok miod


# 1.26 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.25 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.24 19-Apr-2014 jsing

More KNF.


# 1.23 18-Apr-2014 tedu

now that knf carpet bombing is finished, switch to hand to hand combat.
still not sure what to make of mysteries like this:
for (i = 7; i >= 0; i--) { /* increment */


# 1.22 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.21 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.20 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.19 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.18 27-Feb-2014 jca

SECURITY fixes backported from openssl-1.0.1f. ok mikeb@

CVE-2013-4353 NULL pointer dereference with crafted Next Protocol
Negotiation record in TLS handshake.
Upstream: 197e0ea

CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client.
Upstream: ca98926, 0294b2b

CVE-2013-6450 Fix DTLS retransmission from previous session.
Upstream: 3462896


# 1.17 14-Feb-2013 markus

cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.14 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.13 09-Jan-2009 djm

resolve conflicts


# 1.12 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.11 06-Sep-2008 djm

resolve conflicts


# 1.10 29-Apr-2005 djm

resolve conflicts


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 01-Aug-2001 beck

merge openssl 0.9.6b-engine

Note that this is a maintenance release, APIs appear *not* to have changed.
As such, I have only increased the minor number on these libraries


# 1.5 22-Jun-2001 beck

openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.139 25-Apr-2021 jsing

Clean up derivation of finished/peer finished.

Make this process more readable by having specific client/server functions,
calling the correct one based on s->server. This allows to remove various
SSL_ST_ACCEPT/SSL_ST_CONNECT checks, along with duplicate code.

ok inoguchi@ tb@


# 1.138 19-Apr-2021 jsing

Remove new_sym_enc and new_aead.

These can be replaced with accessors that allow this information to be
retrieved from the new record layer.

ok inoguchi@ tb@


# 1.137 19-Apr-2021 jsing

Move new_mac_secret_size into the TLSv1.2 handshake struct.

Drop the 'new_' prefix in the process.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_9_BASE
# 1.136 29-Mar-2021 jsing

Move the TLSv1.2 record number increment into the new record layer.

This adds checks (based on the TLSv1.3 implementation) to ensure that the
TLS/DTLS sequence numbers do not wrap, as required by the respective RFCs.

ok inoguchi@ tb@


# 1.135 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.134 24-Mar-2021 jsing

Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.

Move TLSv1.2 specific components over from SSL_HANDSHAKE.

ok inoguchi@ tb@


# 1.133 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.132 03-Feb-2021 tb

Fail early in legacy exporter if master secret is not available

The exporter depends on having a master secret. If the handshake is
not completed, it is neither guaranteed that a shared ciphersuite was
selected (in which case tls1_PRF() will currently NULL deref) or that
a master secret was set up (in which case the exporter will succeed
with a predictable value). Neither outcome is desirable, so error out
early instead of entering the sausage factory unprepared. This aligns
the legacy exporter with the TLSv1.3 exporter in that regard.

with/ok jsing


# 1.131 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.130 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.129 19-Jan-2021 jsing

Add code to handle change of cipher state in the new TLSv1.2 record layer.

This provides the basic framework for handling change of cipher state in
the new TLSv1.2 record layer, creating new record protection. In the DTLS
case we retain the previous write record protection and can switch back to
it when retransmitting. This will allow the record layer to start owning
sequence numbers and encryption/decryption state.

ok inoguchi@ tb@


# 1.128 07-Jan-2021 jsing

Move the read MAC key into the TLSv1.2 record layer.

ok inoguchi@ tb@


# 1.127 11-Nov-2020 jsing

Use size_t for key_block_len.

This allows us to remove a check and will make future changes simpler. Use
suitable names for tls1_generate_key_block() arguments while here.

ok inoguchi@ tb@


# 1.126 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.125 07-Oct-2020 jsing

Mop up various things that are now unused with the new record layer.

ok inoguchi@ tb@


# 1.124 03-Oct-2020 jsing

Reimplement the TLSv1.2 record handling for the read side.

This is the next step in replacing the TLSv1.2 record layer.

The existing record handling code does decryption and processing in
place, which is not ideal for various reasons, however it is retained
for now as other code depends on this behaviour. Additionally, CBC
requires special handling to avoid timing oracles - for now the
existing timing safe code is largely retained.

ok beck@ inoguchi@ tb@


Revision tags: OPENBSD_6_8_BASE
# 1.123 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_7_BASE
# 1.122 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.121 13-Mar-2020 jsing

Remove dtls1_enc().

Like much of the original DTLS code, dtls1_enc() is effectively a renamed
copy of tls1_enc(). Since then tls1_enc() has been modified, however the
non-AEAD code remains largely the same. As such, remove dtls1_enc() and
instead call tls1_enc() from the DTLS code.

The tls1_enc() AEAD code does not currently work correctly with DTLS,
however this is a non-issue since we do not support AEAD cipher suites with
DTLS currently.

ok tb@


# 1.120 12-Mar-2020 jsing

Stop overloading the record type for padding length.

Currently the CBC related code stuffs the padding length in the upper bits
of the type field... stop doing that and add a padding_length field to the
record struct instead.

ok inoguchi@ tb@


# 1.119 12-Mar-2020 jsing

Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.

SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in
public headers, even though their usage is internal. This moves to
using _INTERNAL suffixed versions that are in internal headers, which
then allows us to change them without any potential public API fallout.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.118 13-May-2019 bcook

Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.

Fixes COV-174858

ok tb@


Revision tags: OPENBSD_6_5_BASE
# 1.117 09-Feb-2019 jsing

Rename tls1_handshake_hash*() to tls1_transcript_hash*().

While handshake hash is correct (in as far as it is a hash of handshake
messages), using tls1_transcript_hash*() aligns them with the naming of the
tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses
Transcript-Hash and "transcript hash", which this matches.

ok inoguchi@ tb@


# 1.116 08-Nov-2018 jsing

Clean up and simplify the handshake transcript code.

This provides a cleaner, simpler and more readable API, with code that uses
a BUF_MEM instead of a BIO.

ok beck@ ("hurry up") and tb@.


# 1.115 24-Oct-2018 jsing

Make more of libssl's record layer state internal.

In January 2017, we changed large amounts of libssl's data structures to
be non-visible/internal, however intentionally left things that the
software ecosystem was needing to use. The four or so applications that
reached into libssl for record layer related state now implement
alternative code. As such, make these data structures internal.

ok tb@


Revision tags: OPENBSD_6_4_BASE
# 1.114 08-Sep-2018 jsing

Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.

ok inoguchi@ tb@


# 1.113 06-Sep-2018 jsing

Drop SSL_CIPHER_ALGORITHM2_AEAD flag.

All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can
condition on that rather than having a separate redundant flag.

ok tb@


# 1.112 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.111 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.110 31-Aug-2018 jsing

Remove unused argument to tls1_change_cipher_state_cipher().


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.109 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.108 10-Apr-2017 jsing

freezero() the key block; simpler code and less of it.


Revision tags: OPENBSD_6_1_BASE
# 1.107 25-Mar-2017 jsing

Check tls1_PRF() return value in tls1_generate_master_secret().


# 1.106 25-Mar-2017 jsing

More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of
tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument
names and change lengths to size_t.

ok inoguchi@


# 1.105 18-Mar-2017 jsing

Fewer magic numbers.


# 1.104 18-Mar-2017 jsing

t1_enc.c


# 1.103 18-Mar-2017 jsing

Currently tls1_PRF() requires that a temporary buffer be provided, that
matches the size of the output buffer. This is used in the case where
there are multiple hashes - tls_P_hash() is called with the temporary
buffer and the result is then xored into the output buffer.

Avoid this by simply using a local buffer in tls_P_hash() and then xoring
the result into the output buffer. Overall this makes the code cleaner
and simplifies all of the tls_PRF() callers.

Similar to BoringSSL.

ok inoguchi@


# 1.102 10-Mar-2017 jsing

Remove the handshake digests and related code, replacing remaining uses
with the handshake hash. For now tls1_digest_cached_records() is retained
to release the handshake buffer.

ok beck@ inoguchi@


# 1.101 10-Mar-2017 jsing

First pass at cleaning up the tls1_P_hash() function - remove a pointless
EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the
code slightly.

ok inoguchi@


# 1.100 10-Mar-2017 jsing

Make tls1_PRF() non-static so it can be regress tested.


# 1.99 07-Mar-2017 jsing

Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned
and each hash processed separately.

Tested by tb@
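The secret partitioning described in 1.99 above and the P_hash expansion that 1.103 refers to, together with the fail-early exporter check from 1.132 earlier in this log, as an added example that is not libssl's code: a Python reference model of what tls1_PRF()/tls1_P_hash() and the legacy exporter compute (Python rather than C because hmac is in the standard library, whereas a C version would need libcrypto). The names p_hash, split_secret, prf_tls10, prf_tls12, ExporterError and export_keying_material are this example's own, and the secret and random values at the bottom are constructed, not taken from a real handshake.

```python
import hmac


def p_hash(hash_name, secret, seed, out_len):
    """P_<hash>(secret, seed) from RFC 2246 section 5, expanded to out_len bytes.

    A(0) = seed, A(i) = HMAC_hash(secret, A(i-1)); the output is the
    concatenation of HMAC_hash(secret, A(i) + seed) for i = 1, 2, ...,
    truncated to out_len.  This is the part 1.103 moved a local buffer into.
    """
    out = bytearray()
    a = seed
    while len(out) < out_len:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return bytes(out[:out_len])


def split_secret(secret):
    """Partition the secret into S1 and S2 as RFC 2246 section 5 requires:
    each half is ceil(len/2) bytes, so an odd-length secret shares its
    middle byte between the two halves."""
    half = (len(secret) + 1) // 2
    return secret[:half], secret[len(secret) - half:]


def prf_tls10(secret, label, seed, out_len):
    """TLSv1.0/1.1 PRF: P_MD5 over S1 XORed with P_SHA1 over S2.

    Running one hash over the whole secret (the bug 1.99 fixed) produces a
    different, non-interoperable value."""
    s1, s2 = split_secret(secret)
    md5_part = p_hash("md5", s1, label + seed, out_len)
    sha1_part = p_hash("sha1", s2, label + seed, out_len)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def prf_tls12(secret, label, seed, out_len, hash_name="sha256"):
    """TLSv1.2 PRF (RFC 5246 section 5): a single P_<hash> over the whole
    secret, using the cipher suite's PRF hash (SHA-256 unless the suite
    specifies otherwise)."""
    return p_hash(hash_name, secret, label + seed, out_len)


class ExporterError(Exception):
    pass


def export_keying_material(master_secret, client_random, server_random,
                           label, context, out_len, tls12=True):
    """RFC 5705 exporter on top of the PRF.

    Refuses to run before a master secret exists, mirroring the check
    added in 1.132: the PRF itself would happily expand an empty secret
    into perfectly predictable "keying material".
    """
    if not master_secret:
        raise ExporterError("handshake not complete: no master secret")
    seed = client_random + server_random
    if context is not None:
        # A present-but-empty context is encoded as a 2-byte zero length,
        # which yields different output from passing no context at all.
        if len(context) > 0xFFFF:
            raise ExporterError("context longer than 65535 bytes")
        seed += len(context).to_bytes(2, "big") + context
    prf = prf_tls12 if tls12 else prf_tls10
    return prf(master_secret, label, seed, out_len)


if __name__ == "__main__":
    # Constructed sample values, not captured from a real handshake.
    ms = bytes(range(48))
    cr, sr = b"\x11" * 32, b"\x22" * 32
    print(export_keying_material(ms, cr, sr, b"EXPORTER-example", b"", 16).hex())
```

Feeding an odd-length secret through prf_tls10 shows the overlap rule in action: S1 and S2 both contain the middle byte, and both P_hash streams must be computed separately before the XOR, which is exactly the partitioning the 1.99 fix restored.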


# 1.98 06-Mar-2017 jsing

Clean up and simplify the tls1_PRF() implementation now that we have a
single EVP MD for the PRF hash.

ok beck@ inoguchi@


# 1.97 05-Mar-2017 jsing

Provide a rolling handshake hash that commences as soon as the cipher
suite has been selected, and convert the final finish MAC to use this
handshake hash.

This is a first step towards cleaning up the current handshake
buffer/digest code.

ok beck@ inoguchi@


# 1.96 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.95 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.94 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.93 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.92 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.91 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.90 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.89 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.88 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.87 06-Nov-2016 jsing

Remove unused SSLv3 from ssl3_cbc_record_digest_supported().

From Markus Uhlin <markus.uhlin at bredband dot net>

ok beck@ bcook@


# 1.86 03-Nov-2016 jsing

Clean up the TLS handshake digest handling - this refactors some of the
code for improved readability, however it also addresses two issues.

The first of these is a hard-to-hit double free that will occur if
EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure
that tls1_digest_cached_records() either completes successfully and sets
up all of the necessary digests, or it cleans up and frees everything
that was allocated.

The second issue is that EVP_DigestUpdate() can fail - detect and handle
this in tls1_finish_mac() and change the return type to an int so that a
failure can be propagated to the caller (the callers still need to be
fixed to handle this, in a later diff).

The double-free was reported by Matthew Dillon.

ok beck@ doug@ miod@


# 1.85 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replacing the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.84 06-Mar-2016 beck

Make sure stdio functions don't end up in the library, from miod@
ok doug@ bcook@


# 1.83 11-Sep-2015 jsing

Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a
ssl3_ prefix.

ok beck@


# 1.82 11-Sep-2015 jsing

Merge the remnants of s3_enc.c into t1_enc.c.

ok beck@


# 1.81 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.80 27-Aug-2015 jsing

Change AEAD out_len argument to size_t instead of ssize_t - while here,
rename it to out_len so that its purpose is more obvious. Also, drop two
checks that are no longer possible (and have not been for a long time).

Spotted by and ok doug@


# 1.79 17-Jul-2015 doug

Remove workaround for TLS padding bug from SSLeay days.

OpenSSL doesn't remember which clients were impacted and the
functionality has been broken in their stable releases for 2 years.

Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.

ok jsing@


# 1.78 17-Jun-2015 jsing

Keep alerts sorted by alert code.


# 1.77 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.76 07-Feb-2015 doug

Remove useless variables and use the values directly.

From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.

ok miod@, jsing@


# 1.75 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.74 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.73 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.72 16-Nov-2014 jsing

Sort and group includes.


# 1.40 01-Jun-2014 jsing

Overhaul the key block handling in tls1_change_cipher_state() - use
meaningful variable names with pointer arithmetic, rather than n, i, j
and p with array indexing.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.39 01-Jun-2014 jsing

In tls1_setup_key_block(), use the correct IV length for GCM mode, which
results in the key block length calculation also being correct. Rename a
number of variables so that their purpose becomes clear and simplify some
of the code.

Inspired by Adam Langley's chromium diffs.

ok miod@


# 1.38 01-Jun-2014 jsing

Clean up the tls1_change_cipher_state() key length handling and use a
single variable with a descriptive name, instead of two poorly named
variables.

Largely based on Adam Langley's chromium patches.

ok miod@


# 1.37 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.36 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.35 29-May-2014 jsing

Fix another two cases where the return value of ssl_replace_hash() is
unchecked.

In the case of tls1_change_cipher_state(), it is fairly pointless to use
ssl_replace_hash(), since it does not initialise the hash and there is
special handling required in the DTLS write case. Instead, just inline
the part of ssl_replace_hash() that is needed and only
ssl_clear_hash_ctx() the write hash in the non-DTLS case.

Also add a detailed comment explaining why there needs to be specialised
handling for DTLS write context and where the contexts are actually freed.

ok miod@


# 1.34 28-May-2014 jsing

More KNF.


# 1.33 28-May-2014 jsing

Refactor tls1_change_cipher_state() and split the compression handling out
from the cipher and message digest handling, allowing for upcoming changes.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.32 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.31 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.30 25-May-2014 jsing

The ssl_cipher_get_evp() function is currently overloaded to also return the
compression associated with the SSL session. Based on one of Adam Langley's
chromium diffs, factor out the compression handling code into a separate
ssl_cipher_get_comp() function.

Rewrite the compression handling code to avoid pointless duplication and so
that failures are actually returned to and detectable by the caller.

ok miod@


# 1.29 24-May-2014 miod

Invoke OPENSSL_cleanse() with the size of the variable you are cleaning.
ok jsing@


# 1.28 20-May-2014 jsing

KSSL is dead... nuke KSSL_DEBUG from orbit.

ok beck@ miod@


# 1.27 28-Apr-2014 tedu

use the correct algorithm mask. reported by satish lvr via
http://marc.info/?l=openssl-dev&m=139779977532459&w=2
ok miod


# 1.26 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.25 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.24 19-Apr-2014 jsing

More KNF.


# 1.23 18-Apr-2014 tedu

now that knf carpet bombing is finished, switch to hand to hand combat.
still not sure what to make of mysteries like this:
for (i = 7; i >= 0; i--) { /* increment */


# 1.22 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.21 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.20 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.19 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.18 27-Feb-2014 jca

SECURITY fixes backported from openssl-1.0.1f. ok mikeb@

CVE-2013-4353 NULL pointer dereference with crafted Next Protocol
Negotiation record in TLS handshake.
Upstream: 197e0ea

CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client.
Upstream: ca98926, 0294b2b

CVE-2013-6450 Fix DTLS retransmission from previous session.
Upstream: 3462896


# 1.17 14-Feb-2013 markus

cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.14 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.13 09-Jan-2009 djm

resolve conflicts


# 1.12 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.11 06-Sep-2008 djm

resolve conflicts


# 1.10 29-Apr-2005 djm

resolve conflicts


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 01-Aug-2001 beck

merge openssl 0.9.6b-engine

Note that this is a maintenance release; APIs appear *not* to have changed.
As such, I have only increased the minor number on these libraries.


# 1.5 22-Jun-2001 beck

openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.138 19-Apr-2021 jsing

Remove new_sym_enc and new_aead.

These can be replaced with accessors that allow this information to be
retrieved from the new record layer.

ok inoguchi@ tb@


# 1.137 19-Apr-2021 jsing

Move new_mac_secret_size into the TLSv1.2 handshake struct.

Drop the 'new_' prefix in the process.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_9_BASE
# 1.136 29-Mar-2021 jsing

Move the TLSv1.2 record number increment into the new record layer.

This adds checks (based on the TLSv1.3 implementation) to ensure that the
TLS/DTLS sequence numbers do not wrap, as required by the respective RFCs.

ok inoguchi@ tb@


# 1.135 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.134 24-Mar-2021 jsing

Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.

Move TLSv1.2 specific components over from SSL_HANDSHAKE.

ok inoguchi@ tb@


# 1.133 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.132 03-Feb-2021 tb

Fail early in legacy exporter if master secret is not available

The exporter depends on having a master secret. If the handshake is
not completed, it is neither guaranteed that a shared ciphersuite was
selected (in which case tls1_PRF() will currently NULL deref) nor that
a master secret was set up (in which case the exporter will succeed
with a predictable value). Neither outcome is desirable, so error out
early instead of entering the sausage factory unprepared. This aligns
the legacy exporter with the TLSv1.3 exporter in that regard.

with/ok jsing


# 1.131 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.130 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.129 19-Jan-2021 jsing

Add code to handle change of cipher state in the new TLSv1.2 record layer.

This provides the basic framework for handling change of cipher state in
the new TLSv1.2 record layer, creating new record protection. In the DTLS
case we retain the previous write record protection and can switch back to
it when retransmitting. This will allow the record layer to start owning
sequence numbers and encryption/decryption state.

ok inoguchi@ tb@


# 1.128 07-Jan-2021 jsing

Move the read MAC key into the TLSv1.2 record layer.

ok inoguchi@ tb@


# 1.127 11-Nov-2020 jsing

Use size_t for key_block_len.

This allows us to remove a check and will make future changes simpler. Use
suitable names for tls1_generate_key_block() arguments while here.

ok inoguchi@ tb@


# 1.126 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.125 07-Oct-2020 jsing

Mop up various things that are now unused with the new record layer.

ok inoguchi@ tb@


# 1.124 03-Oct-2020 jsing

Reimplement the TLSv1.2 record handling for the read side.

This is the next step in replacing the TLSv1.2 record layer.

The existing record handling code does decryption and processing in
place, which is not ideal for various reasons, however it is retained
for now as other code depends on this behaviour. Additionally, CBC
requires special handling to avoid timing oracles - for now the
existing timing safe code is largely retained.

ok beck@ inoguchi@ tb@


Revision tags: OPENBSD_6_8_BASE
# 1.123 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_7_BASE
# 1.122 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.121 13-Mar-2020 jsing

Remove dtls1_enc().

Like much of the original DTLS code, dtls1_enc() is effectively a renamed
copy of tls1_enc(). Since then tls1_enc() has been modified, however the
non-AEAD code remains largely the same. As such, remove dtls1_enc() and
instead call tls1_enc() from the DTLS code.

The tls1_enc() AEAD code does not currently work correctly with DTLS,
however this is a non-issue since we do not support AEAD cipher suites with
DTLS currently.

ok tb@


# 1.120 12-Mar-2020 jsing

Stop overloading the record type for padding length.

Currently the CBC related code stuffs the padding length in the upper bits
of the type field... stop doing that and add a padding_length field to the
record struct instead.

ok inoguchi@ tb@


# 1.119 12-Mar-2020 jsing

Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.

SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in
public headers, even though their usage is internal. This moves to
using _INTERNAL suffixed versions that are in internal headers, which
then allows us to change them without any potential public API fallout.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.118 13-May-2019 bcook

Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.

Fixes COV-174858

ok tb@


Revision tags: OPENBSD_6_5_BASE
# 1.117 09-Feb-2019 jsing

Rename tls1_handshake_hash*() to tls1_transcript_hash*().

While handshake hash is correct (in as far as it is a hash of handshake
messages), using tls1_transcript_hash*() aligns them with the naming of the
tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses
Transcript-Hash and "transcript hash", which this matches.

ok inoguchi@ tb@


# 1.116 08-Nov-2018 jsing

Clean up and simplify the handshake transcript code.

This provides a cleaner, simpler and more readable API, with code that uses
a BUF_MEM instead of a BIO.

ok beck@ ("hurry up") and tb@.


# 1.115 24-Oct-2018 jsing

Make more of libssl's record layer state internal.

In January 2017, we changed large amounts of libssl's data structures to
be non-visible/internal, however intentionally left things that the
software ecosystem was needing to use. The four or so applications that
reached into libssl for record layer related state now implement
alternative code. As such, make these data structures internal.

ok tb@


Revision tags: OPENBSD_6_4_BASE
# 1.114 08-Sep-2018 jsing

Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.

ok inoguchi@ tb@


# 1.113 06-Sep-2018 jsing

Drop SSL_CIPHER_ALGORITHM2_AEAD flag.

All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can
condition on that rather than having a separate redundant flag.

ok tb@


# 1.112 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.111 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.110 31-Aug-2018 jsing

Remove unused argument to tls1_change_cipher_state_cipher().


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.109 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.108 10-Apr-2017 jsing

freezero() the key block; simpler code and less of it.


Revision tags: OPENBSD_6_1_BASE
# 1.107 25-Mar-2017 jsing

Check tls1_PRF() return value in tls1_generate_master_secret().


# 1.106 25-Mar-2017 jsing

More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of
tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument
names and change lengths to size_t.

ok inoguchi@


# 1.105 18-Mar-2017 jsing

Fewer magic numbers.


# 1.104 18-Mar-2017 jsing

t1_enc.c


# 1.103 18-Mar-2017 jsing

Currently tls1_PRF() requires that a temporary buffer be provided, that
matches the size of the output buffer. This is used in the case where
there are multiple hashes - tls_P_hash() is called with the temporary
buffer and the result is then xored into the output buffer.

Avoid this by simply using a local buffer in tls_P_hash() and then xoring
the result into the output buffer. Overall this makes the code cleaner
and simplifies all of the tls_PRF() callers.

Similar to BoringSSL.

ok inoguchi@


# 1.102 10-Mar-2017 jsing

Remove the handshake digests and related code, replacing remaining uses
with the handshake hash. For now tls1_digest_cached_records() is retained
to release the handshake buffer.

ok beck@ inoguchi@


# 1.101 10-Mar-2017 jsing

First pass at cleaning up the tls1_P_hash() function - remove a pointless
EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the
code slightly.

ok inoguchi@


# 1.100 10-Mar-2017 jsing

Make tls1_PRF() non-static so it can be regress tested.


# 1.99 07-Mar-2017 jsing

Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned
and each hash processed separately.

Tested by tb@
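
The derivations that several of the revisions in this log touch (the MD5+SHA1 secret partitioning fixed in 1.99, the key block length and GCM implicit IV length corrected in 1.39 and 1.59, and the early failure when no master secret exists that 1.132 adds to the exporter), shown as an added Python example that is not libssl's code. The function names, the hand-rolled P_hash and every sample value are constructed for illustration and follow RFC 2246, RFC 5246, RFC 5288 and RFC 5705:

```python
# Added example (not libssl code): TLS PRF, key block and exporter derivation
# in pure Python, following RFC 2246 (TLS 1.0), RFC 5246 (TLS 1.2) and
# RFC 5705 (keying material exporter). All names and sample values are
# constructed for illustration.
import hmac


def p_hash(hash_name, secret, seed, out_len):
    """RFC 2246 s5 P_hash: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ...
    truncated to out_len bytes."""
    out = b""
    a = seed
    while len(out) < out_len:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:out_len]


def split_secret(secret):
    """Partition the secret into S1 (first half) and S2 (second half);
    when the length is odd the middle byte is shared by both halves."""
    half = (len(secret) + 1) // 2
    return secret[:half], secret[len(secret) - half:]


def tls1_prf(secret, label, seed, out_len):
    """TLS 1.0/1.1 PRF: P_MD5(S1) XOR P_SHA1(S2). Feeding the whole secret
    to both hashes (the defect revision 1.99 fixes) gives a different,
    wrong result that still looks random."""
    s1, s2 = split_secret(secret)
    md5_part = p_hash("md5", s1, label + seed, out_len)
    sha1_part = p_hash("sha1", s2, label + seed, out_len)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def tls12_prf(secret, label, seed, out_len, hash_name="sha256"):
    """TLS 1.2 PRF: a single P_hash with the cipher suite's PRF hash."""
    return p_hash(hash_name, secret, label + seed, out_len)


def derive_key_block(prf, master_secret, client_random, server_random,
                     mac_len, key_len, iv_len):
    """Expand the master secret into 2*(mac+key+iv) bytes and cut it into
    the six pieces in RFC order (client/server MAC, key, IV). For an AEAD
    suite such as AES-GCM mac_len is 0 and iv_len is the 4-byte implicit
    nonce of RFC 5288, the length that revision 1.39 corrects."""
    block_len = 2 * (mac_len + key_len + iv_len)
    # Seed order for key expansion is server_random first, then client_random.
    block = prf(master_secret, b"key expansion",
                server_random + client_random, block_len)
    pieces, off = {}, 0
    for name, n in (("client_mac", mac_len), ("server_mac", mac_len),
                    ("client_key", key_len), ("server_key", key_len),
                    ("client_iv", iv_len), ("server_iv", iv_len)):
        pieces[name] = block[off:off + n]
        off += n
    return pieces


def export_keying_material(prf, master_secret, client_random, server_random,
                           label, context, out_len):
    """RFC 5705 exporter. Refuses to run without a master secret, which is
    the early failure revision 1.132 adds: with an empty secret P_hash
    still produces output, but a predictable one."""
    if not master_secret:
        raise ValueError("handshake not complete: no master secret")
    seed = client_random + server_random
    if context is not None:
        # The context is length-prefixed only when one is supplied.
        seed += len(context).to_bytes(2, "big") + context
    return prf(master_secret, label, seed, out_len)


if __name__ == "__main__":
    # Constructed sample values, not a real handshake.
    ms = bytes(range(48))
    cr, sr = b"\x11" * 32, b"\x22" * 32
    kb = derive_key_block(tls1_prf, ms, cr, sr, mac_len=20, key_len=16, iv_len=16)
    print({k: v.hex() for k, v in kb.items()})
    ekm = export_keying_material(tls12_prf, ms, cr, sr, b"EXPORTER-demo", b"", 32)
    print(ekm.hex())
```

The `split_secret` helper is the whole point of the TLS 1.0 fix: S1 and S2 overlap by one byte when the secret length is odd, and each half is fed to its own P_hash before the two streams are XORed. The exporter check mirrors the 1.132 reasoning: a missing master secret must be an error rather than silently yielding output that an attacker could compute.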


# 1.98 06-Mar-2017 jsing

Clean up and simplify the tls1_PRF() implementation now that we have a
single EVP MD for the PRF hash.

ok beck@ inoguchi@


# 1.97 05-Mar-2017 jsing

Provide a rolling handshake hash that commences as soon as the cipher
suite has been selected, and convert the final finish MAC to use this
handshake hash.

This is a first step towards cleaning up the current handshake
buffer/digest code.

ok beck@ inoguchi@


# 1.96 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.95 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.94 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.93 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.92 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.91 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.90 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.89 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.88 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.87 06-Nov-2016 jsing

Remove unused SSLv3 from ssl3_cbc_record_digest_supported().

From Markus Uhlin <markus.uhlin at bredband dot net>

ok beck@ bcook@


# 1.86 03-Nov-2016 jsing

Clean up the TLS handshake digest handling - this refactors some of the
code for improved readability, however it also addresses two issues.

The first of these is a hard-to-hit double free that will occur if
EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure
that tls1_digest_cached_records() either completes successfully and sets
up all of the necessary digests, or it cleans up and frees everything
that was allocated.

The second issue is that EVP_DigestUpdate() can fail - detect and handle
this in tls1_finish_mac() and change the return type to an int so that a
failure can be propagated to the caller (the callers still need to be
fixed to handle this, in a later diff).

The double-free was reported by Matthew Dillon.

ok beck@ doug@ miod@


# 1.85 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replacing the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.84 06-Mar-2016 beck

Make sure stdio functions don't end up in the library, from miod@
ok doug@ bcook@


# 1.83 11-Sep-2015 jsing

Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a
ssl3_ prefix.

ok beck@


# 1.82 11-Sep-2015 jsing

Merge the remnants of s3_enc.c into t1_enc.c.

ok beck@


# 1.81 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.80 27-Aug-2015 jsing

Change AEAD out_len argument to size_t instead of ssize_t - while here,
rename it to out_len so that its purpose is more obvious. Also, drop two
checks that are no longer possible (and have not been for a long time).

Spotted by and ok doug@


# 1.79 17-Jul-2015 doug

Remove workaround for TLS padding bug from SSLeay days.

OpenSSL doesn't remember which clients were impacted and the
functionality has been broken in their stable releases for 2 years.

Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.

ok jsing@


# 1.78 17-Jun-2015 jsing

Keep alerts sorted by alert code.


# 1.77 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.76 07-Feb-2015 doug

Remove useless variables and use the values directly.

From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.

ok miod@, jsing@


# 1.75 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.74 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.73 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.72 16-Nov-2014 jsing

Sort and group includes.


# 1.71 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.70 18-Oct-2014 doug

Typical malloc() with size multiplication to reallocarray().

ok deraadt@


# 1.69 07-Aug-2014 miod

Oops, revert changes committed by mistake. The previous commit was supposed
to only apply to s23_srvr.c.


# 1.68 07-Aug-2014 miod

When you expect a function to return a particular value, don't put a comment
saying that you expect it to return that value and compare it against zero
because it is supposedly faster, for this leads to bugs (especially given the
high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this
library).

Instead, compare for the exact value it ought to return upon success.

ok deraadt@


# 1.67 10-Jul-2014 jsing

Remove more compression related code.


# 1.66 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.65 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.64 08-Jul-2014 beck

pedantic avoidance of division by zero, likely not actually
possible to hit for real.
ok miod@ jsing@


# 1.63 21-Jun-2014 jsing

Pull the code that builds a DTLS sequence number out into its own function
to avoid duplication. Also use fewer magic numbers.

ok miod@


# 1.62 21-Jun-2014 jsing

Pull out the sequence number selection and handle this up front. Also, the
correct record is already known, so avoid reassignment.


# 1.61 21-Jun-2014 jsing

More KNF and clean up.


# 1.30 25-May-2014 jsing

The ssl_cipher_get_evp() function is currently overloaded to also return the
compression associated with the SSL session. Based on one of Adam Langley's
chromium diffs, factor out the compression handling code into a separate
ssl_cipher_get_comp() function.

Rewrite the compression handling code to avoid pointless duplication and so
that failures are actually returned to and detectable by the caller.

ok miod@


# 1.29 24-May-2014 miod

Invoke OPENSSL_cleanse() with the size of the variable you are cleaning.
ok jsing@


# 1.28 20-May-2014 jsing

KSSL is dead... nuke KSSL_DEBUG from orbit.

ok beck@ miod@


# 1.27 28-Apr-2014 tedu

use the correct algorithm mask. reported by satish lvr via
http://marc.info/?l=openssl-dev&m=139779977532459&w=2
ok miod


# 1.26 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.25 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.24 19-Apr-2014 jsing

More KNF.


# 1.23 18-Apr-2014 tedu

now that knf carpet bombing is finished, switch to hand to hand combat.
still not sure what to make of mysteries like this:
for (i = 7; i >= 0; i--) { /* increment */


# 1.22 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.21 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.20 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.19 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.18 27-Feb-2014 jca

SECURITY fixes backported from openssl-1.0.1f. ok mikeb@

CVE-2013-4353 NULL pointer dereference with crafted Next Protocol
Negotiation record in TLS handshake.
Upstream: 197e0ea

CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client.
Upstream: ca98926, 0294b2b

CVE-2013-6450 Fix DTLS retransmission from previous session.
Upstream: 3462896


# 1.17 14-Feb-2013 markus

cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.14 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.13 09-Jan-2009 djm

resolve conflicts


# 1.12 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.11 06-Sep-2008 djm

resolve conflicts


# 1.10 29-Apr-2005 djm

resolve conflicts


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 01-Aug-2001 beck

merge openssl 0.9.6b-engine

Note that this is a maintenance release, APIs appear *not* to have changed.
As such, I have only increased the minor number on these libraries.


# 1.5 22-Jun-2001 beck

openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2.
If you are using the ssl26 packages for ssh and other things to work, you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs.


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.136 29-Mar-2021 jsing

Move the TLSv1.2 record number increment into the new record layer.

This adds checks (based on the TLSv1.3 implementation) to ensure that the
TLS/DTLS sequence numbers do not wrap, as required by the respective RFCs.

ok inoguchi@ tb@


# 1.135 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.134 24-Mar-2021 jsing

Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.

Move TLSv1.2 specific components over from SSL_HANDSHAKE.

ok inoguchi@ tb@


# 1.133 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.132 03-Feb-2021 tb

Fail early in legacy exporter if master secret is not available

The exporter depends on having a master secret. If the handshake is
not completed, it is neither guaranteed that a shared ciphersuite was
selected (in which case tls1_PRF() will currently NULL deref) or that
a master secret was set up (in which case the exporter will succeed
with a predictable value). Neither outcome is desirable, so error out
early instead of entering the sausage factory unprepared. This aligns
the legacy exporter with the TLSv1.3 exporter in that regard.

with/ok jsing


# 1.131 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.130 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.129 19-Jan-2021 jsing

Add code to handle change of cipher state in the new TLSv1.2 record layer.

This provides the basic framework for handling change of cipher state in
the new TLSv1.2 record layer, creating new record protection. In the DTLS
case we retain the previous write record protection and can switch back to
it when retransmitting. This will allow the record layer to start owning
sequence numbers and encryption/decryption state.

ok inoguchi@ tb@


# 1.128 07-Jan-2021 jsing

Move the read MAC key into the TLSv1.2 record layer.

ok inoguchi@ tb@


# 1.127 11-Nov-2020 jsing

Use size_t for key_block_len.

This allows us to remove a check and will make future changes simpler. Use
suitable names for tls1_generate_key_block() arguments while here.

ok inoguchi@ tb@


# 1.126 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.125 07-Oct-2020 jsing

Mop up various things that are now unused with the new record layer.

ok inoguchi@ tb@


# 1.124 03-Oct-2020 jsing

Reimplement the TLSv1.2 record handling for the read side.

This is the next step in replacing the TLSv1.2 record layer.

The existing record handling code does decryption and processing in
place, which is not ideal for various reasons, however it is retained
for now as other code depends on this behaviour. Additionally, CBC
requires special handling to avoid timing oracles - for now the
existing timing safe code is largely retained.

ok beck@ inoguchi@ tb@


Revision tags: OPENBSD_6_8_BASE
# 1.123 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_7_BASE
# 1.122 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.121 13-Mar-2020 jsing

Remove dtls1_enc().

Like much of the original DTLS code, dtls1_enc() is effectively a renamed
copy of tls1_enc(). Since then tls1_enc() has been modified, however the
non-AEAD code remains largely the same. As such, remove dtls1_enc() and
instead call tls1_enc() from the DTLS code.

The tls1_enc() AEAD code does not currently work correctly with DTLS,
however this is a non-issue since we do not support AEAD cipher suites with
DTLS currently.

ok tb@


# 1.120 12-Mar-2020 jsing

Stop overloading the record type for padding length.

Currently the CBC related code stuffs the padding length in the upper bits
of the type field... stop doing that and add a padding_length field to the
record struct instead.

ok inoguchi@ tb@


# 1.119 12-Mar-2020 jsing

Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.

SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in
public headers, even though their usage is internal. This moves to
using _INTERNAL suffixed versions that are in internal headers, which
then allows us to change them without any potential public API fallout.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.118 13-May-2019 bcook

Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.

Fixes COV-174858

ok tb@


Revision tags: OPENBSD_6_5_BASE
# 1.117 09-Feb-2019 jsing

Rename tls1_handshake_hash*() to tls1_transcript_hash*().

While handshake hash is correct (in as far as it is a hash of handshake
messages), using tls1_transcript_hash*() aligns them with the naming of the
tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses
Transcript-Hash and "transcript hash", which this matches.

ok inoguchi@ tb@


# 1.116 08-Nov-2018 jsing

Clean up and simplify the handshake transcript code.

This provides a cleaner, simpler and more readable API, with code that uses
a BUF_MEM instead of a BIO.

ok beck@ ("hurry up") and tb@.


# 1.115 24-Oct-2018 jsing

Make more of libssl's record layer state internal.

In January 2017, we changed large amounts of libssl's data structures to
be non-visible/internal, however intentionally left things that the
software ecosystem was needing to use. The four or so applications that
reached into libssl for record layer related state now implement
alternative code. As such, make these data structures internal.

ok tb@


Revision tags: OPENBSD_6_4_BASE
# 1.114 08-Sep-2018 jsing

Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.

ok inoguchi@ tb@


# 1.113 06-Sep-2018 jsing

Drop SSL_CIPHER_ALGORITHM2_AEAD flag.

All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can
condition on that rather than having a separate redundant flag.

ok tb@


# 1.112 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.111 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.110 31-Aug-2018 jsing

Remove unused argument to tls1_change_cipher_state_cipher().


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.109 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.108 10-Apr-2017 jsing

freezero() the key block; simpler code and less of it.


Revision tags: OPENBSD_6_1_BASE
# 1.107 25-Mar-2017 jsing

Check tls1_PRF() return value in tls1_generate_master_secret().


# 1.106 25-Mar-2017 jsing

More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of
tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument
names and change lengths to size_t.

ok inoguchi@


# 1.105 18-Mar-2017 jsing

Fewer magic numbers.


# 1.104 18-Mar-2017 jsing

t1_enc.c


# 1.103 18-Mar-2017 jsing

Currently tls1_PRF() requires that a temporary buffer be provided, that
matches the size of the output buffer. This is used in the case where
there are multiple hashes - tls_P_hash() is called with the temporary
buffer and the result is then xored into the output buffer.

Avoid this by simply using a local buffer in tls_P_hash() and then xoring
the result into the output buffer. Overall this makes the code cleaner
and simplifies all of the tls_PRF() callers.

Similar to BoringSSL.

ok inoguchi@


# 1.102 10-Mar-2017 jsing

Remove the handshake digests and related code, replacing remaining uses
with the handshake hash. For now tls1_digest_cached_records() is retained
to release the handshake buffer.

ok beck@ inoguchi@


# 1.101 10-Mar-2017 jsing

First pass at cleaning up the tls1_P_hash() function - remove a pointless
EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the
code slightly.

ok inoguchi@


# 1.100 10-Mar-2017 jsing

Make tls1_PRF() non-static so it can be regress tested.


# 1.99 07-Mar-2017 jsing

Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned
and each hash processed separately.

Tested by tb@


# 1.98 06-Mar-2017 jsing

Clean up and simplify the tls1_PRF() implementation now that we have a
single EVP MD for the PRF hash.

ok beck@ inoguchi@
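
The PRF behaviour these three commits describe (1.103: P_hash results xored into the output buffer; 1.99: the MD5+SHA1 PRF must partition the secret and run each hash separately; 1.98: TLSv1.2 uses a single hash for the PRF), worked as an added Python example that is not LibreSSL's tls1_PRF()/tls1_P_hash() code. The function names, the sample pre-master secret and the randoms are constructed here; the SHA-256 known-answer vector is the public "test label" vector used by several TLS test suites.

```python
"""TLS PRF as used by tls1_PRF(): the TLSv1.0/1.1 MD5+SHA1 split (RFC 2246
section 5) and the TLSv1.2 single-hash form (RFC 5246 section 5).
Added illustration, not LibreSSL's own code."""
import hashlib
import hmac


def p_hash(hash_name, secret, seed, out_len):
    """P_<hash>(secret, seed): HMAC chained on A(i), as many blocks as needed.

    A(0) = seed, A(i) = HMAC_hash(secret, A(i-1))
    P_hash = HMAC_hash(secret, A(1) + seed) + HMAC_hash(secret, A(2) + seed) ...
    """
    out = bytearray()
    a = seed
    while len(out) < out_len:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return bytes(out[:out_len])


def split_secret(secret):
    """Partition the secret into S1/S2 for the MD5+SHA1 PRF.

    Each half is ceil(len/2) bytes long, so for an odd-length secret the
    middle byte belongs to both halves (RFC 2246 section 5).
    """
    half = (len(secret) + 1) // 2
    return secret[:half], secret[len(secret) - half:]


def tls1_prf(secret, label, seed, out_len):
    """TLSv1.0/1.1 PRF: P_MD5 over S1 xored with P_SHA1 over S2.

    Each hash is run over its own partition of the secret; feeding the whole
    secret to both hashes produces a different, non-interoperable key stream.
    """
    s1, s2 = split_secret(secret)
    md5_part = p_hash("md5", s1, label + seed, out_len)
    sha1_part = p_hash("sha1", s2, label + seed, out_len)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def tls12_prf(secret, label, seed, out_len, hash_name="sha256"):
    """TLSv1.2 PRF: one P_<hash> over the whole secret, the hash being the one
    the negotiated cipher suite specifies (SHA-256 unless it says otherwise)."""
    return p_hash(hash_name, secret, label + seed, out_len)


MASTER_SECRET_LEN = 48


def master_secret(prf, pre_master_secret, client_random, server_random):
    """master_secret = PRF(pre_master_secret, "master secret",
                           ClientHello.random + ServerHello.random)[0..47]"""
    return prf(pre_master_secret, b"master secret",
               client_random + server_random, MASTER_SECRET_LEN)


# Known-answer test for the TLSv1.2 SHA-256 PRF ("test label" vector).
KAT_SECRET = bytes.fromhex("9bbe436ba940f017b17652849a71db35")
KAT_SEED = bytes.fromhex("a0ba9f936cda311827a6f796ffd5198c")
KAT_LABEL = b"test label"
KAT_OUT = bytes.fromhex(
    "e3f229ba727be17b8d122620557cd453c2aab21d07c3d495329b52d4e61edb5a"
    "6b301791e90d35c9c9a46b4e14baf9af0fa022f7077def17abfd3797c0564bab"
    "4fbc91666e9def9b97fce34f796789baa48082d122ee42c5a72e5a5110fff701"
    "87347b66")


def tls12_known_answer_ok():
    """True when tls12_prf() reproduces the public SHA-256 test vector."""
    return tls12_prf(KAT_SECRET, KAT_LABEL, KAT_SEED, len(KAT_OUT)) == KAT_OUT


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real handshake.
    pms = bytes(range(48))
    cr, sr = b"\x11" * 32, b"\x22" * 32
    print("tls1.0 master secret:", master_secret(tls1_prf, pms, cr, sr).hex())
    print("tls1.2 master secret:", master_secret(tls12_prf, pms, cr, sr).hex())
    print("tls1.2 KAT ok:", tls12_known_answer_ok())
```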


# 1.97 05-Mar-2017 jsing

Provide a rolling handshake hash that commences as soon as the cipher
suite has been selected, and convert the final finish MAC to use this
handshake hash.

This is a first step towards cleaning up the current handshake
buffer/digest code.

ok beck@ inoguchi@


# 1.96 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.95 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.94 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong.
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.93 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.92 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.91 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.90 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.89 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.88 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.87 06-Nov-2016 jsing

Remove unused SSLv3 from ssl3_cbc_record_digest_supported().

From Markus Uhlin <markus.uhlin at bredband dot net>

ok beck@ bcook@


# 1.86 03-Nov-2016 jsing

Clean up the TLS handshake digest handling - this refactors some of the
code for improved readability, however it also addresses two issues.

The first of these is a hard-to-hit double free that will occur if
EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure
that tls1_digest_cached_records() either completes successfully and sets
up all of the necessary digests, or it cleans up and frees everything
that was allocated.

The second issue is that EVP_DigestUpdate() can fail - detect and handle
this in tls1_finish_mac() and change the return type to an int so that a
failure can be propagated to the caller (the callers still need to be
fixed to handle this, in a later diff).

The double-free was reported by Matthew Dillon.

ok beck@ doug@ miod@


# 1.85 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replacing the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.84 06-Mar-2016 beck

Make sure stdio functions don't end up in the library, from miod@
ok doug@ bcook@


# 1.83 11-Sep-2015 jsing

Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a
ssl3_ prefix.

ok beck@


# 1.82 11-Sep-2015 jsing

Merge the remnants of s3_enc.c into t1_enc.c.

ok beck@


# 1.81 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.80 27-Aug-2015 jsing

Change AEAD out_len argument to size_t instead of ssize_t - while here,
rename it to out_len so that its purpose is more obvious. Also, drop two
checks that are no longer possible (and have not been for a long time).

Spotted by and ok doug@


# 1.79 17-Jul-2015 doug

Remove workaround for TLS padding bug from SSLeay days.

OpenSSL doesn't remember which clients were impacted and the
functionality has been broken in their stable releases for 2 years.

Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.

ok jsing@


# 1.78 17-Jun-2015 jsing

Keep alerts sorted by alert code.


# 1.77 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.76 07-Feb-2015 doug

Remove useless variables and use the values directly.

From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.

ok miod@, jsing@


# 1.75 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.74 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.73 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.72 16-Nov-2014 jsing

Sort and group includes.


# 1.71 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.70 18-Oct-2014 doug

Typical malloc() with size multiplication to reallocarray().

ok deraadt@


# 1.69 07-Aug-2014 miod

Oops, revert changes committed by mistake. The previous commit was supposed
to only apply to s23_srvr.c.


# 1.68 07-Aug-2014 miod

When you expect a function to return a particular value, don't put a comment
saying that you expect it to return that value and compare it against zero
because it is supposedly faster, for this leads to bugs (especially given the
high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this
library).

Instead, compare for the exact value it ought to return upon success.

ok deraadt@


# 1.67 10-Jul-2014 jsing

Remove more compression related code.


# 1.66 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.65 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.64 08-Jul-2014 beck

pedantic avoidance of division by zero, likely not actually
possible to hit for real.
ok miod@ jsing@


# 1.63 21-Jun-2014 jsing

Pull the code that builds a DTLS sequence number out into its own function
to avoid duplication. Also use fewer magic numbers.

ok miod@


# 1.62 21-Jun-2014 jsing

Pull out the sequence number selection and handle this up front. Also, the
correct record is already known, so avoid reassignment.


# 1.61 21-Jun-2014 jsing

More KNF and clean up.


# 1.60 15-Jun-2014 jsing

Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(),
so that it reflects what it is actually doing. Use this function in a
number of places that still have the hand rolled version.

ok beck@ miod@


# 1.59 13-Jun-2014 jsing

Correctly calculate the key block length when using export ciphers.


# 1.58 13-Jun-2014 jsing

Swap compress/expand around so they are in the correct order - these ended
up in the wrong order when the code was refactored.


# 1.57 13-Jun-2014 jsing

Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and
EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.


# 1.56 13-Jun-2014 jsing

Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are
those that use EVP_AEAD instead of EVP_CIPHER. This means being able to
change cipher state with an EVP_AEAD and being able to encrypt/decrypt
TLS using the EVP_AEAD. This has no change on existing
non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.

Based on Adam Langley's chromium patches.

Rides the recent libssl bump.

Tested by sthen@


# 1.55 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.54 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.53 11-Jun-2014 jsing

Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since
OpenSSL 1.0.0.

ok miod@ (a little while back)


# 1.52 10-Jun-2014 jsing

In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex()
to avoid a possible NULL function call on ctx.final(). None of the callers
currently check the return value of calls to cert_verify_mac(), however
the function already returns 0 in another case and the MAC comparison will
later fail.

Issue reported by David Ramos.


# 1.51 08-Jun-2014 jsing

Add a define for the SSLv3 sequence size and use it, rather than sprinkling
magic numbers around.

ok deraadt@


# 1.50 08-Jun-2014 jsing

Be explicit with types. No binary change.


# 1.49 08-Jun-2014 jsing

Factor out the part of tls1_change_cipher_state() that is specific to
switching cipher states using an EVP_CIPHER. This will facilitate the
addition of cipher state changes for EVP_AEAD. No functional change.

Based on Adam Langley's chromium patches.


# 1.48 08-Jun-2014 jsing

Factor out the sequence number reset code to aid in upcoming changes.


# 1.47 07-Jun-2014 jsing

Add missing NULL check after calling EVP_PKEY_new_mac_key().

Based on Adam Langley's chromium patches.


# 1.46 07-Jun-2014 jsing

Use !is_read to imply SSL3_CC_WRITE.

While this is not strictly correct (since the presence of SSL3_CC_READ does
not guarantee the absence of SSL3_CC_WRITE), in practice only one of these
flags is set at a time and there is existing logic which already relies on
this behaviour.


# 1.45 07-Jun-2014 jsing

Move the export label initialisation into the export handling code, since
this is the only place where these variables are used.


# 1.44 07-Jun-2014 jsing

Remove pointless casts - no binary change.


# 1.43 07-Jun-2014 jsing

Rename variables to make it clear that these are only used in the export
code. Additionally, these need to be cleaned in the export case.

Based on Adam Langley's chromium patches.


# 1.42 07-Jun-2014 jsing

Further clean up of context handling in tls1_change_cipher_state().

Rather than doing a complex dance to figure out if we should reuse the
cipher context and clean it later on, just free it and allocate a new one.
This simplifies the code path, especially in the write case where special
handling is required for DTLS.

Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is
unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention
that it was already missing from the write case).


# 1.41 02-Jun-2014 jsing

Rename more variables for readability and consistency.


# 1.40 01-Jun-2014 jsing

Overhaul the key block handling in tls1_change_cipher_state() - use
meaningful variable names with pointer arithmitic, rather than n, i, j
and p with array indexing.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.39 01-Jun-2014 jsing

In tls1_setup_key_block(), use the correct IV length for GCM mode, which
results in the key block length calculation also being correct. Rename a
number of variables so that their purpose becomes clear and simplify some
of the code.

Inspired by Adam Langley's chromium diffs.

ok miod@


# 1.38 01-Jun-2014 jsing

Clean up the tls1_change_cipher_state() key length handling and use a
single variable with a descriptive name, instead of two poorly named
variables.

Largely based on Adam Langley's chromium patches.

ok miod@


# 1.37 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.36 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.35 29-May-2014 jsing

Fix another two cases where the return value of ssl_replace_hash() is
unchecked.

In the case of tls1_change_cipher_state(), it is fairly pointless to use
ssl_replace_hash(), since it does not initialise the hash and there is
special handling required in the DTLS write case. Instead, just inline
the part of ssl_replace_hash() that is needed and only
ssl_clear_hash_ctx() the write hash in the non-DTLS case.

Also add a detailed comment explaining why there needs to be specialised
handling for DTLS write context and where the contexts are actually freed.

ok miod@


# 1.34 28-May-2014 jsing

More KNF.


# 1.33 28-May-2014 jsing

Refactor tls1_change_cipher_state() and split the compression handling out
from the cipher and message digest handling, allowing for upcoming changes.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.32 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.31 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.30 25-May-2014 jsing

The ssl_ciper_get_evp() function is currently overloaded to also return the
compression associated with the SSL session. Based on one of Adam Langley's
chromium diffs, factor out the compression handling code into a separate
ssl_cipher_get_comp() function.

Rewrite the compression handling code to avoid pointless duplication and so
that failures are actually returned to and detectable by the caller.

ok miod@


# 1.29 24-May-2014 miod

Invoke OPENSSL_cleanse() with the size of the variable you are cleaning.
ok jsing@


# 1.28 20-May-2014 jsing

KSSL is dead... nuke KSSL_DEBUG from orbit.

ok beck@ miod@


# 1.27 28-Apr-2014 tedu

use the correct algorithm mask. reported by satish lvr via
http://marc.info/?l=openssl-dev&m=139779977532459&w=2
ok miod


# 1.26 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.25 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.24 19-Apr-2014 jsing

More KNF.


# 1.23 18-Apr-2014 tedu

now that knf carpet bombing is finished, switch to hand to hand combat.
still not sure what to make of mysteries like this:
for (i = 7; i >= 0; i--) { /* increment */


# 1.22 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.21 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.20 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.19 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.18 27-Feb-2014 jca

SECURITY fixes backported from openssl-1.0.1f. ok mikeb@

CVE-2013-4353 NULL pointer dereference with crafted Next Protocol
Negotiation record in TLS handshake.
Upstream: 197e0ea

CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client.
Upstream: ca98926, 0294b2b

CVE-2013-6450 Fix DTLS retransmission from previous session.
Upstream: 3462896


# 1.17 14-Feb-2013 markus

cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.14 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.13 09-Jan-2009 djm

resolve conflicts


# 1.12 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.11 06-Sep-2008 djm

resolve conflicts


# 1.10 29-Apr-2005 djm

resolve conflicts


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 01-Aug-2001 beck

merge openssl 0.9.6b-engine

Note that this is a maintenance release, APIs appear *not* to have changed.
As such, I have only increased the minor number on these libraries


# 1.5 22-Jun-2001 beck

openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.135 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.134 24-Mar-2021 jsing

Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.

Move TLSv1.2 specific components over from SSL_HANDSHAKE.

ok inoguchi@ tb@


# 1.133 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.132 03-Feb-2021 tb

Fail early in legacy exporter if master secret is not available

The exporter depends on having a master secret. If the handshake is
not completed, it is neither guaranteed that a shared ciphersuite was
selected (in which case tls1_PRF() will currently NULL deref) or that
a master secret was set up (in which case the exporter will succeed
with a predictable value). Neither outcome is desirable, so error out
early instead of entering the sausage factory unprepared. This aligns
the legacy exporter with the TLSv1.3 exporter in that regard.

with/ok jsing


# 1.131 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.130 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.129 19-Jan-2021 jsing

Add code to handle change of cipher state in the new TLSv1.2 record layer.

This provides the basic framework for handling change of cipher state in
the new TLSv1.2 record layer, creating new record protection. In the DTLS
case we retain the previous write record protection and can switch back to
it when retransmitting. This will allow the record layer to start owning
sequence numbers and encryption/decryption state.

ok inoguchi@ tb@


# 1.128 07-Jan-2021 jsing

Move the read MAC key into the TLSv1.2 record layer.

ok inoguchi@ tb@


# 1.127 11-Nov-2020 jsing

Use size_t for key_block_len.

This allows us to remove a check and will make future changes simpler. Use
suitable names for tls1_generate_key_block() arguments while here.

ok inoguchi@ tb@


# 1.126 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.125 07-Oct-2020 jsing

Mop up various things that are now unused with the new record layer.

ok inoguchi@ tb@


# 1.124 03-Oct-2020 jsing

Reimplement the TLSv1.2 record handling for the read side.

This is the next step in replacing the TLSv1.2 record layer.

The existing record handling code does decryption and processing in
place, which is not ideal for various reasons, however it is retained
for now as other code depends on this behaviour. Additionally, CBC
requires special handling to avoid timing oracles - for now the
existing timing safe code is largely retained.

ok beck@ inoguchi@ tb@


Revision tags: OPENBSD_6_8_BASE
# 1.123 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_7_BASE
# 1.122 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.121 13-Mar-2020 jsing

Remove dtls1_enc().

Like much of the original DTLS code, dtls1_enc() is effectively a renamed
copy of tls1_enc(). Since then tls1_enc() has been modified, however the
non-AEAD code remains largely the same. As such, remove dtls1_enc() and
instead call tls1_enc() from the DTLS code.

The tls1_enc() AEAD code does not currently work correctly with DTLS,
however this is a non-issue since we do not support AEAD cipher suites with
DTLS currently.

ok tb@


# 1.120 12-Mar-2020 jsing

Stop overloading the record type for padding length.

Currently the CBC related code stuffs the padding length in the upper bits
of the type field... stop doing that and add a padding_length field to the
record struct instead.

ok inoguchi@ tb@


# 1.119 12-Mar-2020 jsing

Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.

SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in
public headers, even though their usage is internal. This moves to
using _INTERNAL suffixed versions that are in internal headers, which
then allows us to change them without any potential public API fallout.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.118 13-May-2019 bcook

Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.

Fixes COV-174858

ok tb@


Revision tags: OPENBSD_6_5_BASE
# 1.117 09-Feb-2019 jsing

Rename tls1_handshake_hash*() to tls1_transcript_hash*().

While handshake hash is correct (in as far as it is a hash of handshake
messages), using tls1_transcript_hash*() aligns them with the naming of the
tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses
Transcript-Hash and "transcript hash", which this matches.

ok inoguchi@ tb@


# 1.116 08-Nov-2018 jsing

Clean up and simplify the handshake transcript code.

This provides a cleaner, simpler and more readable API, with code that uses
a BUF_MEM instead of a BIO.

ok beck@ ("hurry up") and tb@.


# 1.115 24-Oct-2018 jsing

Make more of libssl's record layer state internal.

In January 2017, we changed large amounts of libssl's data structures to
be non-visible/internal, however intentionally left things that the
software ecosystem was needing to use. The four or so applications that
reached into libssl for record layer related state now implement
alternative code. As such, make these data structures internal.

ok tb@


Revision tags: OPENBSD_6_4_BASE
# 1.114 08-Sep-2018 jsing

Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.

ok inoguchi@ tb@


# 1.113 06-Sep-2018 jsing

Drop SSL_CIPHER_ALGORITHM2_AEAD flag.

All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can
condition on that rather than having a separate redundant flag.

ok tb@


# 1.112 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.111 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.110 31-Aug-2018 jsing

Remove unused argument to tls1_change_cipher_state_cipher().


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.109 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.108 10-Apr-2017 jsing

freezero() the key block; simpler code and less of it.


Revision tags: OPENBSD_6_1_BASE
# 1.107 25-Mar-2017 jsing

Check tls1_PRF() return value in tls1_generate_master_secret().


# 1.106 25-Mar-2017 jsing

More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of
tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument
names and change lengths to size_t.

ok inoguchi@


# 1.105 18-Mar-2017 jsing

Fewer magic numbers.


# 1.104 18-Mar-2017 jsing

t1_enc.c


# 1.103 18-Mar-2017 jsing

Currently tls1_PRF() requires that a temporary buffer be provided, that
matches the size of the output buffer. This is used in the case where
there are multiple hashes - tls_P_hash() is called with the temporary
buffer and the result is then xored into the output buffer.

Avoid this by simply using a local buffer in tls_P_hash() and then xoring
the result into the output buffer. Overall this makes the code cleaner
and simplifies all of the tls_PRF() callers.

Similar to BoringSSL.

ok inoguchi@


# 1.102 10-Mar-2017 jsing

Remove the handshake digests and related code, replacing remaining uses
with the handshake hash. For now tls1_digest_cached_records() is retained
to release the handshake buffer.

ok beck@ inoguchi@


# 1.101 10-Mar-2017 jsing

First pass at cleaning up the tls1_P_hash() function - remove a pointless
EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the
code slightly.

ok inoguchi@


# 1.100 10-Mar-2017 jsing

Make tls1_PRF() non-static so it can be regress tested.


# 1.99 07-Mar-2017 jsing

Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned
and each hash processed separately.

Tested by tb@
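The PRF behaviour these entries describe (1.99: the TLSv1.0/1.1 secret is partitioned and each hash processed separately; 1.103: each P_hash result is XORed into the output; 1.132: the exporter refuses to run without a master secret), as an added Python example that is not LibreSSL's t1_enc.c code. Function names, the RFC 5705 exporter layout and the constructed secrets are assumptions made for the example.

```python
"""TLS PRF and exporter as described in the t1_enc.c log (added example)."""
import hashlib
import hmac


def p_hash(hash_name, secret, seed, out_len):
    """P_<hash>(secret, seed) from RFC 2246/5246 section 5: HMAC expansion
    A(i) = HMAC(secret, A(i-1)), output HMAC(secret, A(i) + seed), truncated."""
    out = bytearray()
    a = seed  # A(0) = seed
    while len(out) < out_len:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return bytes(out[:out_len])


def split_secret(secret):
    """Partition the secret as RFC 2246 requires: S1 is the first half, S2 the
    second half, each ceil(len/2) bytes, so they overlap by one byte when the
    length is odd. This is the partitioning that 1.99 fixed."""
    half = (len(secret) + 1) // 2
    return secret[:half], secret[-half:]


def tls1_prf(secret, label, seed, out_len, md_name=None):
    """TLS PRF. md_name=None selects the TLSv1.0/1.1 construction
    (P_MD5 over S1 XOR P_SHA1 over S2); otherwise a single P_<md_name> as in
    TLSv1.2, where the PRF hash comes from the negotiated cipher suite."""
    label_seed = label + seed
    if md_name is not None:
        return p_hash(md_name, secret, label_seed, out_len)
    s1, s2 = split_secret(secret)
    md5_stream = p_hash("md5", s1, label_seed, out_len)
    sha1_stream = p_hash("sha1", s2, label_seed, out_len)
    # Each stream is computed into its own buffer and XORed into the output,
    # rather than forcing the caller to supply a scratch buffer (cf. 1.103).
    return bytes(x ^ y for x, y in zip(md5_stream, sha1_stream))


def tls1_export_keying_material(master_secret, client_random, server_random,
                                label, context, out_len, md_name="sha256"):
    """RFC 5705 exporter on top of the PRF (assumed layout for this example).
    Mirrors the 1.132 change: fail early when no master secret exists, instead
    of deriving a predictable value from an empty or missing secret."""
    if not master_secret:
        raise ValueError("no master secret: handshake not complete")
    seed = client_random + server_random
    if context is not None:
        if len(context) > 0xFFFF:
            raise ValueError("exporter context too long")
        seed += len(context).to_bytes(2, "big") + context
    return tls1_prf(master_secret, label, seed, out_len, md_name)


if __name__ == "__main__":
    # Constructed sample inputs, not values from any real session.
    pre_master = b"\x01" * 48
    randoms = b"\x02" * 32 + b"\x03" * 32
    ms_tls10 = tls1_prf(pre_master, b"master secret", randoms, 48)
    ms_tls12 = tls1_prf(pre_master, b"master secret", randoms, 48, "sha256")
    print("TLSv1.0 master secret:", ms_tls10.hex())
    print("TLSv1.2 master secret:", ms_tls12.hex())
    print("exporter:", tls1_export_keying_material(
        ms_tls12, randoms[:32], randoms[32:], b"EXPORTER-test", None, 32).hex())
```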


# 1.98 06-Mar-2017 jsing

Clean up and simplify the tls1_PRF() implementation now that we have a
single EVP MD for the PRF hash.

ok beck@ inoguchi@


# 1.97 05-Mar-2017 jsing

Provide a rolling handshake hash that commences as soon as the cipher
suite has been selected, and convert the final finish MAC to use this
handshake hash.

This is a first step towards cleaning up the current handshake
buffer/digest code.

ok beck@ inoguchi@


# 1.96 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.95 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.94 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.93 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.92 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.91 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.90 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.89 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.88 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.87 06-Nov-2016 jsing

Remove unused SSLv3 from ssl3_cbc_record_digest_supported().

From Markus Uhlin <markus.uhlin at bredband dot net>

ok beck@ bcook@


# 1.86 03-Nov-2016 jsing

Clean up the TLS handshake digest handling - this refactors some of the
code for improved readability, however it also addresses two issues.

The first of these is a hard-to-hit double free that will occur if
EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure
that tls1_digest_cached_records() either completes successfully and sets
up all of the necessary digests, or it cleans up and frees everything
that was allocated.

The second issue is that EVP_DigestUpdate() can fail - detect and handle
this in tls1_finish_mac() and change the return type to an int so that a
failure can be propagated to the caller (the callers still need to be
fixed to handle this, in a later diff).

The double-free was reported by Matthew Dillon.

ok beck@ doug@ miod@


# 1.85 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replaces the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.84 06-Mar-2016 beck

Make sure stdio functions don't end up in the library, from miod@
ok doug@ bcook@


# 1.83 11-Sep-2015 jsing

Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a
ssl3_ prefix.

ok beck@


# 1.82 11-Sep-2015 jsing

Merge the remnants of s3_enc.c into t1_enc.c.

ok beck@


# 1.81 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.80 27-Aug-2015 jsing

Change AEAD out_len argument to size_t instead of ssize_t - while here,
rename it to out_len so that its purpose is more obvious. Also, drop two
checks that are no longer possible (and have not been for a long time).

Spotted by and ok doug@


# 1.79 17-Jul-2015 doug

Remove workaround for TLS padding bug from SSLeay days.

OpenSSL doesn't remember which clients were impacted and the
functionality has been broken in their stable releases for 2 years.

Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.

ok jsing@


# 1.78 17-Jun-2015 jsing

Keep alerts sorted by alert code.


# 1.77 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.76 07-Feb-2015 doug

Remove useless variables and use the values directly.

From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.

ok miod@, jsing@


# 1.75 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.74 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.73 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.72 16-Nov-2014 jsing

Sort and group includes.


# 1.71 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.70 18-Oct-2014 doug

Typical malloc() with size multiplication to reallocarray().

ok deraadt@


# 1.69 07-Aug-2014 miod

Oops, revert changes committed by mistake. The previous commit was supposed
to only apply to s23_srvr.c.


# 1.68 07-Aug-2014 miod

When you expect a function to return a particular value, don't put a comment
saying that you expect it to return that value and compare it against zero
because it is supposedly faster, for this leads to bugs (especially given the
high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this
library).

Instead, compare for the exact value it ought to return upon success.

ok deraadt@


# 1.67 10-Jul-2014 jsing

Remove more compression related code.


# 1.66 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.65 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.64 08-Jul-2014 beck

pedantic avoidance of division by zero, likely not actually
possible to hit for real.
ok miod@ jsing@


# 1.63 21-Jun-2014 jsing

Pull the code that builds a DTLS sequence number out into its own function
to avoid duplication. Also use fewer magic numbers.

ok miod@


# 1.62 21-Jun-2014 jsing

Pull out the sequence number selection and handle this up front. Also, the
correct record is already known, so avoid reassignment.


# 1.61 21-Jun-2014 jsing

More KNF and clean up.


# 1.60 15-Jun-2014 jsing

Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(),
so that it reflects what it is actually doing. Use this function in a
number of places that still have the hand rolled version.

ok beck@ miod@


# 1.59 13-Jun-2014 jsing

Correctly calculate the key block length when using export ciphers.


# 1.58 13-Jun-2014 jsing

Swap compress/expand around so they are in the correct order - these ended
up in the wrong order when the code was refactored.


# 1.57 13-Jun-2014 jsing

Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and
EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.


# 1.56 13-Jun-2014 jsing

Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are
those that use EVP_AEAD instead of EVP_CIPHER. This means being able to
change cipher state with an EVP_AEAD and being able to encrypt/decrypt
TLS using the EVP_AEAD. This has no change on existing
non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.

Based on Adam Langley's chromium patches.

Rides the recent libssl bump.

Tested by sthen@


# 1.55 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, which draft has expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.54 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.53 11-Jun-2014 jsing

Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since
OpenSSL 1.0.0.

ok miod@ (a little while back)


# 1.52 10-Jun-2014 jsing

In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex()
to avoid a possible NULL function call on ctx.final(). None of the callers
currently check the return value of calls to cert_verify_mac(), however
the function already returns 0 in another case and the MAC comparison will
later fail.

Issue reported by David Ramos.


# 1.51 08-Jun-2014 jsing

Add a define for the SSLv3 sequence size and use it, rather than sprinkling
magic numbers around.

ok deraadt@


# 1.50 08-Jun-2014 jsing

Be explicit with types. No binary change.


# 1.49 08-Jun-2014 jsing

Factor out the part of tls1_change_cipher_state() that is specific to
switching cipher states using an EVP_CIPHER. This will facilitate the
addition of cipher state changes for EVP_AEAD. No functional change.

Based on Adam Langley's chromium patches.


# 1.48 08-Jun-2014 jsing

Factor out the sequence number reset code to aid in upcoming changes.


# 1.47 07-Jun-2014 jsing

Add missing NULL check after calling EVP_PKEY_new_mac_key().

Based on Adam Langley's chromium patches.


# 1.46 07-Jun-2014 jsing

Use !is_read to imply SSL3_CC_WRITE.

While this is not strictly correct (since the presence of SSL3_CC_READ does
not guarantee the absence of SSL3_CC_WRITE), in practice only one of these
flags is set at a time and there is existing logic which already relies on
this behaviour.


# 1.45 07-Jun-2014 jsing

Move the export label initialisation into the export handling code, since
this is the only place where these variables are used.


# 1.44 07-Jun-2014 jsing

Remove pointless casts - no binary change.


# 1.43 07-Jun-2014 jsing

Rename variables to make it clear that these are only used in the export
code. Additionally, these need to be cleaned in the export case.

Based on Adam Langley's chromium patches.


# 1.42 07-Jun-2014 jsing

Further clean up of context handling in tls1_change_cipher_state().

Rather than doing a complex dance to figure out if we should reuse the
cipher context and clean it later on, just free it and allocate a new one.
This simplifies the code path, especially in the write case where special
handling is required for DTLS.

Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is
unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention
that it was already missing from the write case).


# 1.41 02-Jun-2014 jsing

Rename more variables for readability and consistency.


# 1.40 01-Jun-2014 jsing

Overhaul the key block handling in tls1_change_cipher_state() - use
meaningful variable names with pointer arithmetic, rather than n, i, j
and p with array indexing.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.39 01-Jun-2014 jsing

In tls1_setup_key_block(), use the correct IV length for GCM mode, which
results in the key block length calculation also being correct. Rename a
number of variables so that their purpose becomes clear and simplify some
of the code.

Inspired by Adam Langley's chromium diffs.

ok miod@


# 1.38 01-Jun-2014 jsing

Clean up the tls1_change_cipher_state() key length handling and use a
single variable with a descriptive name, instead of two poorly named
variables.

Largely based on Adam Langley's chromium patches.

ok miod@


# 1.37 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.36 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.35 29-May-2014 jsing

Fix another two cases where the return value of ssl_replace_hash() is
unchecked.

In the case of tls1_change_cipher_state(), it is fairly pointless to use
ssl_replace_hash(), since it does not initialise the hash and there is
special handling required in the DTLS write case. Instead, just inline
the part of ssl_replace_hash() that is needed and only
ssl_clear_hash_ctx() the write hash in the non-DTLS case.

Also add a detailed comment explaining why there needs to be specialised
handling for DTLS write context and where the contexts are actually freed.

ok miod@


# 1.34 28-May-2014 jsing

More KNF.


# 1.33 28-May-2014 jsing

Refactor tls1_change_cipher_state() and split the compression handling out
from the cipher and message digest handling, allowing for upcoming changes.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.32 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.31 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.30 25-May-2014 jsing

The ssl_ciper_get_evp() function is currently overloaded to also return the
compression associated with the SSL session. Based on one of Adam Langley's
chromium diffs, factor out the compression handling code into a separate
ssl_cipher_get_comp() function.

Rewrite the compression handling code to avoid pointless duplication and so
that failures are actually returned to and detectable by the caller.

ok miod@


# 1.29 24-May-2014 miod

Invoke OPENSSL_cleanse() with the size of the variable you are cleaning.
ok jsing@


# 1.28 20-May-2014 jsing

KSSL is dead... nuke KSSL_DEBUG from orbit.

ok beck@ miod@


# 1.27 28-Apr-2014 tedu

use the correct algorithm mask. reported by satish lvr via
http://marc.info/?l=openssl-dev&m=139779977532459&w=2
ok miod


# 1.26 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.25 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.24 19-Apr-2014 jsing

More KNF.


# 1.23 18-Apr-2014 tedu

now that knf carpet bombing is finished, switch to hand to hand combat.
still not sure what to make of mysteries like this:
for (i = 7; i >= 0; i--) { /* increment */


# 1.22 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_relloc->realloc
OPENSSL_freeFunc->free


# 1.21 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.20 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.19 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.18 27-Feb-2014 jca

SECURITY fixes backported from openssl-1.0.1f. ok mikeb@

CVE-2013-4353 NULL pointer dereference with crafted Next Protocol
Negotiation record in TLS handshake.
Upstream: 197e0ea

CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client.
Upstream: ca98926, 0294b2b

CVE-2013-6450 Fix DTLS retransmission from previous session.
Upstream: 3462896


# 1.17 14-Feb-2013 markus

cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.14 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.13 09-Jan-2009 djm

resolve conflicts


# 1.12 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.11 06-Sep-2008 djm

resolve conflicts


# 1.10 29-Apr-2005 djm

resolve conflicts


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 01-Aug-2001 beck

merge openssl 0.9.6b-engine

Note that this is a maintenence release, API's appear *not* to have changed.
As such, I have only increased the minor number on these libraries


# 1.5 22-Jun-2001 beck

openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.133 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.132 03-Feb-2021 tb

Fail early in legacy exporter if master secret is not available

The exporter depends on having a master secret. If the handshake is
not completed, it is neither guaranteed that a shared ciphersuite was
selected (in which case tls1_PRF() will currently NULL deref) or that
a master secret was set up (in which case the exporter will succeed
with a predictable value). Neither outcome is desirable, so error out
early instead of entering the sausage factory unprepared. This aligns
the legacy exporter with the TLSv1.3 exporter in that regard.

with/ok jsing


# 1.131 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.130 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.129 19-Jan-2021 jsing

Add code to handle change of cipher state in the new TLSv1.2 record layer.

This provides the basic framework for handling change of cipher state in
the new TLSv1.2 record layer, creating new record protection. In the DTLS
case we retain the previous write record protection and can switch back to
it when retransmitting. This will allow the record layer to start owning
sequence numbers and encryption/decryption state.

ok inoguchi@ tb@


# 1.128 07-Jan-2021 jsing

Move the read MAC key into the TLSv1.2 record layer.

ok inoguchi@ tb@


# 1.127 11-Nov-2020 jsing

Use size_t for key_block_len.

This allows us to remove a check and will make future changes simpler. Use
suitable names for tls1_generate_key_block() arguments while here.

ok inoguchi@ tb@


# 1.126 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.125 07-Oct-2020 jsing

Mop up various things that are now unused with the new record layer.

ok inoguchi@ tb@


# 1.124 03-Oct-2020 jsing

Reimplement the TLSv1.2 record handling for the read side.

This is the next step in replacing the TLSv1.2 record layer.

The existing record handling code does decryption and processing in
place, which is not ideal for various reasons, however it is retained
for now as other code depends on this behaviour. Additionally, CBC
requires special handling to avoid timing oracles - for now the
existing timing safe code is largely retained.

ok beck@ inoguchi@ tb@
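
The CBC handling the 1.124 entry refers to, as an added example that is not libssl code: the same MAC-then-encrypt record is unprotected twice, once with the classic early exit on bad padding and once in the shape timing-safe code needs (fixed-window padding check, MAC always computed, one combined verdict). It works on the already-decrypted CBC output so the standard library suffices, and Python gives no real constant-time guarantee; the mac_was_computed flag stands in for the timing difference an attacker would measure. All function names are the example's own. The libssl counterpart is tls1_cbc_remove_padding() together with the MAC code in s3_cbc.c, which additionally equalises the hash work, something this example does not do.

```python
"""CBC record unprotection (MAC-then-encrypt) with and without a padding oracle.

Added example, not libssl code.  Operates on the already-decrypted CBC output;
the MAC is HMAC-SHA256 in the TLS 1.2 shape (RFC 5246 section 6.2.3.1).
"""
import hashlib
import hmac
import struct

MAC_LEN = 32   # HMAC-SHA256 tag length
BLOCK = 16     # AES block size; the padded plaintext length must be a multiple


def tls12_mac(mac_key, seq, content_type, version, data):
    """MAC(seq_num || type || version || length || fragment)."""
    hdr = struct.pack(">QBBBH", seq, content_type, version[0], version[1], len(data))
    return hmac.new(mac_key, hdr + data, hashlib.sha256).digest()


def protect(mac_key, seq, content_type, version, data):
    """Append the MAC, then TLS padding: pad_len+1 bytes each equal to pad_len."""
    body = data + tls12_mac(mac_key, seq, content_type, version, data)
    pad_len = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
    return body + bytes([pad_len]) * (pad_len + 1)


def unprotect_leaky(mac_key, seq, content_type, version, plain):
    """The textbook oracle: a padding error returns before any MAC work is done.
    Returns (data or None, mac_was_computed)."""
    n, pad_len = len(plain), plain[-1]
    if pad_len + 1 + MAC_LEN > n or any(b != pad_len for b in plain[n - pad_len - 1:]):
        return None, False                       # fast failure, distinguishable from a MAC failure
    data_len = n - pad_len - 1 - MAC_LEN
    data, mac = plain[:data_len], plain[data_len:data_len + MAC_LEN]
    if not hmac.compare_digest(mac, tls12_mac(mac_key, seq, content_type, version, data)):
        return None, True                        # slow failure: MAC was computed first
    return data, True


def _mask_le(a, b):
    """0xFF if a <= b else 0x00, computed arithmetically (a, b < 2**16)."""
    return ((a - b - 1) >> 16) & 0xFF


def _mask_is_zero(x):
    """0xFF if x == 0 else 0x00 (0 <= x < 256)."""
    return ((x - 1) >> 8) & 0xFF


def unprotect_hardened(mac_key, seq, content_type, version, plain):
    """Mask-based padding check over a window that depends only on the record
    length, MAC always computed, single verdict at the end.
    Returns (data or None, mac_was_computed)."""
    n = len(plain)
    if n < MAC_LEN + 1 or n % BLOCK:
        return None, False                       # record length is public; branching is fine
    pad_len = plain[-1]
    good = _mask_le(pad_len + 1 + MAC_LEN, n)    # padding plus MAC must fit in the record
    bad_bytes = 0
    for i in range(min(256, n)):                 # 256 covers the largest legal pad_len (255)
        want = _mask_le(i, pad_len)              # byte i from the end must equal pad_len iff i <= pad_len
        bad_bytes |= (plain[n - 1 - i] ^ pad_len) & want
    good &= _mask_is_zero(bad_bytes)
    pad_len &= good                              # on failure pretend "no padding" and keep going
    data_len = n - pad_len - 1 - MAC_LEN
    data, mac = plain[:data_len], plain[data_len:data_len + MAC_LEN]
    mac_ok = hmac.compare_digest(mac, tls12_mac(mac_key, seq, content_type, version, data))
    if good != 0xFF or not mac_ok:
        return None, True                        # one bad_record_mac for either cause
    return data, True
```

A bad padding byte and a bad MAC byte produce the same (None, True) from the hardened path; the leaky path answers (None, False) for the first and (None, True) for the second, which is exactly the distinction a padding-oracle attacker needs.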


Revision tags: OPENBSD_6_8_BASE
# 1.123 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_7_BASE
# 1.122 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.121 13-Mar-2020 jsing

Remove dtls1_enc().

Like much of the original DTLS code, dtls1_enc() is effectively a renamed
copy of tls1_enc(). Since then tls1_enc() has been modified, however the
non-AEAD code remains largely the same. As such, remove dtls1_enc() and
instead call tls1_enc() from the DTLS code.

The tls1_enc() AEAD code does not currently work correctly with DTLS,
however this is a non-issue since we do not support AEAD cipher suites with
DTLS currently.

ok tb@


# 1.120 12-Mar-2020 jsing

Stop overloading the record type for padding length.

Currently the CBC related code stuffs the padding length in the upper bits
of the type field... stop doing that and add a padding_length field to the
record struct instead.

ok inoguchi@ tb@


# 1.119 12-Mar-2020 jsing

Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.

SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in
public headers, even though their usage is internal. This moves to
using _INTERNAL suffixed versions that are in internal headers, which
then allows us to change them without any potential public API fallout.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.118 13-May-2019 bcook

Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.

Fixes COV-174858

ok tb@


Revision tags: OPENBSD_6_5_BASE
# 1.117 09-Feb-2019 jsing

Rename tls1_handshake_hash*() to tls1_transcript_hash*().

While handshake hash is correct (in as far as it is a hash of handshake
messages), using tls1_transcript_hash*() aligns them with the naming of the
tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses
Transcript-Hash and "transcript hash", which this matches.

ok inoguchi@ tb@


# 1.116 08-Nov-2018 jsing

Clean up and simplify the handshake transcript code.

This provides a cleaner, simpler and more readable API, with code that uses
a BUF_MEM instead of a BIO.

ok beck@ ("hurry up") and tb@.


# 1.115 24-Oct-2018 jsing

Make more of libssl's record layer state internal.

In January 2017, we changed large amounts of libssl's data structures to
be non-visible/internal, however intentionally left things that the
software ecosystem was needing to use. The four or so applications that
reached into libssl for record layer related state now implement
alternative code. As such, make these data structures internal.

ok tb@


Revision tags: OPENBSD_6_4_BASE
# 1.114 08-Sep-2018 jsing

Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.

ok inoguchi@ tb@


# 1.113 06-Sep-2018 jsing

Drop SSL_CIPHER_ALGORITHM2_AEAD flag.

All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can
condition on that rather than having a separate redundant flag.

ok tb@


# 1.112 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.111 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.110 31-Aug-2018 jsing

Remove unused argument to tls1_change_cipher_state_cipher().


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.109 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.108 10-Apr-2017 jsing

freezero() the key block; simpler code and less of it.


Revision tags: OPENBSD_6_1_BASE
# 1.107 25-Mar-2017 jsing

Check tls1_PRF() return value in tls1_generate_master_secret().


# 1.106 25-Mar-2017 jsing

More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of
tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument
names and change lengths to size_t.

ok inoguchi@


# 1.105 18-Mar-2017 jsing

Fewer magic numbers.


# 1.104 18-Mar-2017 jsing

t1_enc.c


# 1.103 18-Mar-2017 jsing

Currently tls1_PRF() requires that a temporary buffer be provided, that
matches the size of the output buffer. This is used in the case where
there are multiple hashes - tls1_P_hash() is called with the temporary
buffer and the result is then xored into the output buffer.

Avoid this by simply using a local buffer in tls1_P_hash() and then xoring
the result into the output buffer. Overall this makes the code cleaner
and simplifies all of the tls1_PRF() callers.

Similar to BoringSSL.

ok inoguchi@


# 1.102 10-Mar-2017 jsing

Remove the handshake digests and related code, replacing remaining uses
with the handshake hash. For now tls1_digest_cached_records() is retained
to release the handshake buffer.

ok beck@ inoguchi@


# 1.101 10-Mar-2017 jsing

First pass at cleaning up the tls1_P_hash() function - remove a pointless
EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the
code slightly.

ok inoguchi@


# 1.100 10-Mar-2017 jsing

Make tls1_PRF() non-static so it can be regress tested.


# 1.99 07-Mar-2017 jsing

Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned
and each hash processed separately.

Tested by tb@


# 1.98 06-Mar-2017 jsing

Clean up and simplify the tls1_PRF() implementation now that we have a
single EVP MD for the PRF hash.

ok beck@ inoguchi@


# 1.97 05-Mar-2017 jsing

Provide a rolling handshake hash that commences as soon as the cipher
suite has been selected, and convert the final finish MAC to use this
handshake hash.

This is a first step towards cleaning up the current handshake
buffer/digest code.

ok beck@ inoguchi@
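
The PRF machinery these entries describe, as an added example rather than libssl code: the exporter's refusal to run without a master secret (1.132), P_hash with the result XORed into a single output buffer (1.103), the MD5+SHA1 secret partitioning for TLS 1.0/1.1 (1.99), and the Finished verify_data computed from the transcript hash (1.97). Function names are the example's own; the known-answer vector is the SHA-256 PRF vector circulated on the IETF TLS list and used by several implementations' test suites.

```python
"""TLS 1.0-1.2 PRF, Finished verify_data and the RFC 5705 exporter.

Added example, not libssl code.  Function names are the example's own;
the constructions follow RFC 2246 section 5, RFC 5246 section 5 and RFC 5705.
"""
import hashlib
import hmac


def p_hash(hash_name, secret, seed, out_len):
    """P_<hash>(secret, seed) expanded to out_len bytes (RFC 5246 section 5)."""
    out, a = b"", seed                                 # A(0) = seed
    while len(out) < out_len:
        a = hmac.new(secret, a, hash_name).digest()    # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:out_len]


def prf_tls12(secret, label, seed, out_len, hash_name="sha256"):
    """TLS 1.2 PRF: one P_<hash> keyed with the whole secret (SHA-256 unless
    the cipher suite specifies a stronger hash)."""
    return p_hash(hash_name, secret, label + seed, out_len)


def prf_tls10(secret, label, seed, out_len):
    """TLS 1.0/1.1 PRF: partition the secret into S1/S2 (sharing the middle
    byte when the length is odd), run P_MD5 on S1 and P_SHA1 on S2 and XOR
    the two streams into the output."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_part = p_hash("md5", s1, label + seed, out_len)
    sha1_part = p_hash("sha1", s2, label + seed, out_len)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def prf(version, secret, label, seed, out_len):
    """Dispatch on the negotiated (major, minor) version."""
    if version >= (3, 3):
        return prf_tls12(secret, label, seed, out_len)
    return prf_tls10(secret, label, seed, out_len)


def finished_verify_data(version, master_secret, transcript, is_client):
    """verify_data = PRF(master_secret, finished_label, Hash(handshake_messages))[0..11].
    TLS 1.2 hashes the transcript with the PRF hash; TLS 1.0/1.1 use MD5(t) || SHA1(t)."""
    label = b"client finished" if is_client else b"server finished"
    if version >= (3, 3):
        digest = hashlib.sha256(transcript).digest()
    else:
        digest = hashlib.md5(transcript).digest() + hashlib.sha1(transcript).digest()
    return prf(version, master_secret, label, digest, 12)


def export_keying_material(version, master_secret, client_random, server_random,
                           label, context, out_len):
    """RFC 5705 exporter.  Refuses to run before the handshake has produced a
    master secret: with an empty secret the PRF still "works" and yields a
    value anyone can compute, which is the predictable-output case the
    1.132 entry describes."""
    if not master_secret:
        raise ValueError("no master secret yet: handshake not complete, refusing to export")
    seed = client_random + server_random
    if context is not None:                            # an empty context is still a context
        if len(context) > 0xFFFF:
            raise ValueError("context longer than 2^16-1 bytes")
        seed += len(context).to_bytes(2, "big") + context
    return prf(version, master_secret, label, seed, out_len)


# Known-answer vector for the SHA-256 PRF (IETF TLS list; reused by several
# implementations' test suites).
KAT_SECRET = bytes.fromhex("9bbe436ba940f017b17652849a71db35")
KAT_SEED = bytes.fromhex("a0ba9f936cda311827a6f796ffd5198c")
KAT_LABEL = b"test label"
KAT_OUTPUT = bytes.fromhex(
    "e3f229ba727be17b8d122620557cd453c2aab21d07c3d495329b52d4e61edb5a"
    "6b301791e90d35c9c9a46b4e14baf9af0fa022f7077def17abfd3797c0564bab"
    "4fbc91666e9def9b97fce34f796789baa48082d122ee42c5a72e5a5110fff701"
    "87347b66")


def self_test():
    """True when prf_tls12 reproduces the known-answer vector."""
    return prf_tls12(KAT_SECRET, KAT_LABEL, KAT_SEED, len(KAT_OUTPUT)) == KAT_OUTPUT
```

With an empty master secret the PRF is perfectly happy to run, hence the explicit check up front rather than relying on a failure downstream; the NULL-dereference outcome from the 1.132 message (no cipher suite, so no PRF hash) has no analogue in this example, which fixes the hash per version.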


# 1.96 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.95 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.94 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.93 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.92 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.91 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.90 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.89 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.88 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.87 06-Nov-2016 jsing

Remove unused SSLv3 from ssl3_cbc_record_digest_supported().

From Markus Uhlin <markus.uhlin at bredband dot net>

ok beck@ bcook@


# 1.86 03-Nov-2016 jsing

Clean up the TLS handshake digest handling - this refactors some of the
code for improved readability, however it also addresses two issues.

The first of these is a hard-to-hit double free that will occur if
EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure
that tls1_digest_cached_records() either completes successfully and sets
up all of the necessary digests, or it cleans up and frees everything
that was allocated.

The second issue is that EVP_DigestUpdate() can fail - detect and handle
this in tls1_finish_mac() and change the return type to an int so that a
failure can be propagated to the caller (the callers still need to be
fixed to handle this, in a later diff).

The double-free was reported by Matthew Dillon.

ok beck@ doug@ miod@


# 1.85 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replacing the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.84 06-Mar-2016 beck

Make sure stdio functions don't end up in the library, from miod@
ok doug@ bcook@


# 1.83 11-Sep-2015 jsing

Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a
ssl3_ prefix.

ok beck@


# 1.82 11-Sep-2015 jsing

Merge the remnants of s3_enc.c into t1_enc.c.

ok beck@


# 1.81 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.80 27-Aug-2015 jsing

Change AEAD out_len argument to size_t instead of ssize_t - while here,
rename it to out_len so that its purpose is more obvious. Also, drop two
checks that are no longer possible (and have not been for a long time).

Spotted by and ok doug@


# 1.79 17-Jul-2015 doug

Remove workaround for TLS padding bug from SSLeay days.

OpenSSL doesn't remember which clients were impacted and the
functionality has been broken in their stable releases for 2 years.

Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.

ok jsing@


# 1.78 17-Jun-2015 jsing

Keep alerts sorted by alert code.


# 1.77 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
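
The server-side check the 1.77 entry adds, as an added example that is not libssl code: parse the cipher_suites vector out of a constructed ClientHello, look for the TLS_FALLBACK_SCSV value, and abort with the inappropriate_fallback alert only when the client's version is below the server's highest supported one. The parser, builder and check functions are the example's own, and the ClientHello bodies it consumes are built by the example itself.

```python
"""Server-side TLS_FALLBACK_SCSV handling (RFC 7507).

Added example, not libssl code.  The ClientHello parser and the check are
the example's own; the ClientHello bodies are constructed, not captured.
"""
import struct

TLS_FALLBACK_SCSV = 0x5600              # RFC 7507 section 2
ALERT_INAPPROPRIATE_FALLBACK = 86       # RFC 7507 section 3, fatal alert
TLS10, TLS11, TLS12 = (3, 1), (3, 2), (3, 3)


def parse_client_hello(body):
    """Return (client_version, cipher_suites) from a ClientHello handshake body:
    version(2) random(32) session_id<0..32> cipher_suites<2..2^16-2> ..."""
    if len(body) < 35:
        raise ValueError("truncated ClientHello")
    version = (body[0], body[1])
    off = 34
    sid_len = body[off]
    off += 1 + sid_len
    if sid_len > 32 or off + 2 > len(body):
        raise ValueError("bad session_id")
    (cs_len,) = struct.unpack(">H", body[off:off + 2])
    off += 2
    if cs_len < 2 or cs_len % 2 or off + cs_len > len(body):
        raise ValueError("bad cipher_suites vector")
    suites = [struct.unpack(">H", body[i:i + 2])[0] for i in range(off, off + cs_len, 2)]
    return version, suites


def build_client_hello(version, suites, session_id=b""):
    """Constructed minimal ClientHello body (all-zero random, null compression,
    no extensions); enough for the checks demonstrated here."""
    body = bytes(version) + bytes(32)
    body += bytes([len(session_id)]) + session_id
    body += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    return body + b"\x01\x00"


def fallback_check(client_version, suites, server_max_version):
    """RFC 7507 section 3: if the SCSV is present and the client's highest
    version is below the server's highest supported version, the client is
    retrying after a downgrade, so abort with inappropriate_fallback.
    Returns None to proceed or the alert description to send."""
    if TLS_FALLBACK_SCSV in suites and client_version < server_max_version:
        return ALERT_INAPPROPRIATE_FALLBACK
    return None


def handle_client_hello(body, server_max_version):
    """Parse, then check; the SCSV is a signal and is never selected as a suite."""
    client_version, suites = parse_client_hello(body)
    alert = fallback_check(client_version, suites, server_max_version)
    if alert is not None:
        return ("alert", alert)
    negotiable = [s for s in suites if s != TLS_FALLBACK_SCSV]
    return ("continue", min(client_version, server_max_version), negotiable)
```

A client that legitimately speaks only TLS 1.1 and never performed a fallback does not send the SCSV, so it is unaffected; a server whose own maximum is TLS 1.1 sees an SCSV from a TLS 1.1 client as no downgrade at all, which is the "only works if both ends support it" caveat from the commit message.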


# 1.76 07-Feb-2015 doug

Remove useless variables and use the values directly.

From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.

ok miod@, jsing@


# 1.75 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.74 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.73 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.72 16-Nov-2014 jsing

Sort and group includes.


# 1.71 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.70 18-Oct-2014 doug

Typical malloc() with size multiplication to reallocarray().

ok deraadt@


# 1.69 07-Aug-2014 miod

Oops, revert changes committed by mistake. The previous commit was supposed
to only apply to s23_srvr.c.


# 1.68 07-Aug-2014 miod

When you expect a function to return a particular value, don't put a comment
saying that you expect it to return that value and compare it against zero
because it is supposedly faster, for this leads to bugs (especially given the
high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this
library).

Instead, compare for the exact value it ought to return upon success.

ok deraadt@


# 1.67 10-Jul-2014 jsing

Remove more compression related code.


# 1.66 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.65 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.64 08-Jul-2014 beck

pedantic avoidance of division by zero, likely not actually
possible to hit for real.
ok miod@ jsing@


# 1.63 21-Jun-2014 jsing

Pull the code that builds a DTLS sequence number out into its own function
to avoid duplication. Also use fewer magic numbers.

ok miod@


# 1.62 21-Jun-2014 jsing

Pull out the sequence number selection and handle this up front. Also, the
correct record is already known, so avoid reassignment.


# 1.61 21-Jun-2014 jsing

More KNF and clean up.


# 1.60 15-Jun-2014 jsing

Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(),
so that it reflects what it is actually doing. Use this function in a
number of places that still have the hand rolled version.

ok beck@ miod@


# 1.59 13-Jun-2014 jsing

Correctly calculate the key block length when using export ciphers.


# 1.58 13-Jun-2014 jsing

Swap compress/expand around so they are in the correct order - these ended
up in the wrong order when the code was refactored.


# 1.57 13-Jun-2014 jsing

Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and
EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.


# 1.56 13-Jun-2014 jsing

Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are
those that use EVP_AEAD instead of EVP_CIPHER. This means being able to
change cipher state with an EVP_AEAD and being able to encrypt/decrypt
TLS using the EVP_AEAD. This has no change on existing
non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.

Based on Adam Langley's chromium patches.

Rides the recent libssl bump.

Tested by sthen@


# 1.55 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.54 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.53 11-Jun-2014 jsing

Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since
OpenSSL 1.0.0.

ok miod@ (a little while back)


# 1.52 10-Jun-2014 jsing

In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex()
to avoid a possible NULL function call on ctx.final(). None of the callers
currently check the return value of calls to cert_verify_mac(), however
the function already returns 0 in another case and the MAC comparison will
later fail.

Issue reported by David Ramos.


# 1.51 08-Jun-2014 jsing

Add a define for the SSLv3 sequence size and use it, rather than sprinkling
magic numbers around.

ok deraadt@


# 1.50 08-Jun-2014 jsing

Be explicit with types. No binary change.


# 1.49 08-Jun-2014 jsing

Factor out the part of tls1_change_cipher_state() that is specific to
switching cipher states using an EVP_CIPHER. This will facilitate the
addition of cipher state changes for EVP_AEAD. No functional change.

Based on Adam Langley's chromium patches.


# 1.48 08-Jun-2014 jsing

Factor out the sequence number reset code to aid in upcoming changes.


# 1.47 07-Jun-2014 jsing

Add missing NULL check after calling EVP_PKEY_new_mac_key().

Based on Adam Langley's chromium patches.


# 1.46 07-Jun-2014 jsing

Use !is_read to imply SSL3_CC_WRITE.

While this is not strictly correct (since the presence of SSL3_CC_READ does
not guarantee the absence of SSL3_CC_WRITE), in practice only one of these
flags is set at a time and there is existing logic which already relies on
this behaviour.


# 1.45 07-Jun-2014 jsing

Move the export label initialisation into the export handling code, since
this is the only place where these variables are used.


# 1.44 07-Jun-2014 jsing

Remove pointless casts - no binary change.


# 1.43 07-Jun-2014 jsing

Rename variables to make it clear that these are only used in the export
code. Additionally, these need to be cleaned in the export case.

Based on Adam Langley's chromium patches.


# 1.42 07-Jun-2014 jsing

Further clean up of context handling in tls1_change_cipher_state().

Rather than doing a complex dance to figure out if we should reuse the
cipher context and clean it later on, just free it and allocate a new one.
This simplifies the code path, especially in the write case where special
handling is required for DTLS.

Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is
unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention
that it was already missing from the write case).


# 1.41 02-Jun-2014 jsing

Rename more variables for readability and consistency.


# 1.40 01-Jun-2014 jsing

Overhaul the key block handling in tls1_change_cipher_state() - use
meaningful variable names with pointer arithmetic, rather than n, i, j
and p with array indexing.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.39 01-Jun-2014 jsing

In tls1_setup_key_block(), use the correct IV length for GCM mode, which
results in the key block length calculation also being correct. Rename a
number of variables so that their purpose becomes clear and simplify some
of the code.

Inspired by Adam Langley's chromium diffs.

ok miod@


# 1.38 01-Jun-2014 jsing

Clean up the tls1_change_cipher_state() key length handling and use a
single variable with a descriptive name, instead of two poorly named
variables.

Largely based on Adam Langley's chromium patches.

ok miod@


# 1.37 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.36 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.35 29-May-2014 jsing

Fix another two cases where the return value of ssl_replace_hash() is
unchecked.

In the case of tls1_change_cipher_state(), it is fairly pointless to use
ssl_replace_hash(), since it does not initialise the hash and there is
special handling required in the DTLS write case. Instead, just inline
the part of ssl_replace_hash() that is needed and only
ssl_clear_hash_ctx() the write hash in the non-DTLS case.

Also add a detailed comment explaining why there needs to be specialised
handling for DTLS write context and where the contexts are actually freed.

ok miod@


# 1.34 28-May-2014 jsing

More KNF.


# 1.33 28-May-2014 jsing

Refactor tls1_change_cipher_state() and split the compression handling out
from the cipher and message digest handling, allowing for upcoming changes.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.32 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.31 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.30 25-May-2014 jsing

The ssl_cipher_get_evp() function is currently overloaded to also return the
compression associated with the SSL session. Based on one of Adam Langley's
chromium diffs, factor out the compression handling code into a separate
ssl_cipher_get_comp() function.

Rewrite the compression handling code to avoid pointless duplication and so
that failures are actually returned to and detectable by the caller.

ok miod@


# 1.29 24-May-2014 miod

Invoke OPENSSL_cleanse() with the size of the variable you are cleaning.
ok jsing@


# 1.28 20-May-2014 jsing

KSSL is dead... nuke KSSL_DEBUG from orbit.

ok beck@ miod@


# 1.27 28-Apr-2014 tedu

use the correct algorithm mask. reported by satish lvr via
http://marc.info/?l=openssl-dev&m=139779977532459&w=2
ok miod


# 1.26 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.25 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.24 19-Apr-2014 jsing

More KNF.


# 1.23 18-Apr-2014 tedu

now that knf carpet bombing is finished, switch to hand to hand combat.
still not sure what to make of mysteries like this:
for (i = 7; i >= 0; i--) { /* increment */


# 1.22 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.21 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.20 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.19 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.18 27-Feb-2014 jca

SECURITY fixes backported from openssl-1.0.1f. ok mikeb@

CVE-2013-4353 NULL pointer dereference with crafted Next Protocol
Negotiation record in TLS handshake.
Upstream: 197e0ea

CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client.
Upstream: ca98926, 0294b2b

CVE-2013-6450 Fix DTLS retransmission from previous session.
Upstream: 3462896




When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.110 31-Aug-2018 jsing

Remove unused argument to tls1_change_cipher_state_cipher().


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.109 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.108 10-Apr-2017 jsing

freezero() the key block; simpler code and less of it.


Revision tags: OPENBSD_6_1_BASE
# 1.107 25-Mar-2017 jsing

Check tls1_PRF() return value in tls1_generate_master_secret().


# 1.106 25-Mar-2017 jsing

More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of
tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument
names and change lengths to size_t.

ok inoguchi@


# 1.105 18-Mar-2017 jsing

Fewer magic numbers.


# 1.104 18-Mar-2017 jsing

t1_enc.c


# 1.103 18-Mar-2017 jsing

Currently tls1_PRF() requires that a temporary buffer be provided, that
matches the size of the output buffer. This is used in the case where
there are multiple hashes - tls_P_hash() is called with the temporary
buffer and the result is then xored into the output buffer.

Avoid this by simply using a local buffer in tls_P_hash() and then xoring
the result into the output buffer. Overall this makes the code cleaner
and simplifies all of the tls_PRF() callers.

Similar to BoringSSL.

ok inoguchi@


# 1.102 10-Mar-2017 jsing

Remove the handshake digests and related code, replacing remaining uses
with the handshake hash. For now tls1_digest_cached_records() is retained
to release the handshake buffer.

ok beck@ inoguchi@


# 1.101 10-Mar-2017 jsing

First pass at cleaning up the tls1_P_hash() function - remove a pointless
EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the
code slightly.

ok inoguchi@


# 1.100 10-Mar-2017 jsing

Make tls1_PRF() non-static so it can be regress tested.


# 1.99 07-Mar-2017 jsing

Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned
and each hash processed separately.

Tested by tb@

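The two commit messages above (1.103 on xoring the P_hash results into the output buffer and 1.99 on partitioning the secret for MD5+SHA1) describe the TLSv1.0/1.1 PRF of RFC 2246 section 5; 1.98 notes that TLSv1.2 instead uses a single hash. The following is an added illustration written for this page, not code from LibreSSL's t1_enc.c: the secret is split into S1/S2 (sharing the middle byte when the length is odd), P_MD5 and P_SHA1 are expanded separately and folded together without a caller-supplied scratch buffer, and a single named hash selects the TLSv1.2 form. All inputs are constructed sample values.

```python
import hashlib  # noqa: F401  (hash names below are resolved by hmac via hashlib)
import hmac
import math


def split_secret(secret):
    """Partition the PRF secret as RFC 2246 section 5 requires.

    S1 is the first half and S2 the second half, each rounded up to a
    whole byte, so for an odd-length secret the middle byte belongs to
    both halves. Feeding the whole secret to both hashes (the defect
    commit 1.99 corrects) produces a different, non-interoperable result.
    """
    half = math.ceil(len(secret) / 2)
    return secret[:half], secret[len(secret) - half:]


def p_hash(hash_name, secret, seed, out_len):
    """P_hash(secret, seed) expanded to out_len bytes (RFC 2246 section 5).

    A(0) = seed, A(i) = HMAC_hash(secret, A(i-1))
    output = HMAC_hash(secret, A(1) + seed) || HMAC_hash(secret, A(2) + seed) || ...
    """
    a = seed
    out = bytearray()
    while len(out) < out_len:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return bytes(out[:out_len])


def xor_bytes(x, y):
    """XOR two equal-length byte strings."""
    if len(x) != len(y):
        raise ValueError("length mismatch")
    return bytes(a ^ b for a, b in zip(x, y))


def tls_prf(secret, label, seed, out_len, hash_name=None):
    """TLS PRF.

    hash_name is None: the TLSv1.0/1.1 PRF, P_MD5(S1, label+seed) XOR
    P_SHA1(S2, label+seed) over the partitioned secret.
    hash_name given (e.g. "sha256"): the TLSv1.2 PRF, P_<hash> over the
    whole secret, matching the single-EVP_MD form noted in 1.98.
    """
    label_seed = label + seed
    if hash_name is not None:
        return p_hash(hash_name, secret, label_seed, out_len)
    s1, s2 = split_secret(secret)
    out = p_hash("md5", s1, label_seed, out_len)
    # Fold the SHA1 half straight into the output (the approach of 1.103)
    # instead of requiring the caller to pass a temporary buffer.
    return xor_bytes(out, p_hash("sha1", s2, label_seed, out_len))


def master_secret(pre_master, client_random, server_random, hash_name=None):
    """48-byte master secret: PRF(pre_master, "master secret", CR + SR)."""
    return tls_prf(pre_master, b"master secret",
                   client_random + server_random, 48, hash_name)


if __name__ == "__main__":
    # Constructed sample values, not a real handshake.
    pms = bytes(range(48))
    cr, sr = b"\x11" * 32, b"\x22" * 32
    print("TLSv1.0 master secret:", master_secret(pms, cr, sr).hex())
    print("TLSv1.2 master secret:", master_secret(pms, cr, sr, "sha256").hex())
```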

# 1.98 06-Mar-2017 jsing

Clean up and simplify the tls1_PRF() implementation now that we have a
single EVP MD for the PRF hash.

ok beck@ inoguchi@


# 1.97 05-Mar-2017 jsing

Provide a rolling handshake hash that commences as soon as the cipher
suite has been selected, and convert the final finish MAC to use this
handshake hash.

This is a first step towards cleaning up the current handshake
buffer/digest code.

ok beck@ inoguchi@


# 1.96 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.95 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.94 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.93 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.92 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.91 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.90 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.89 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.88 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.87 06-Nov-2016 jsing

Remove unused SSLv3 from ssl3_cbc_record_digest_supported().

From Markus Uhlin <markus.uhlin at bredband dot net>

ok beck@ bcook@


# 1.86 03-Nov-2016 jsing

Clean up the TLS handshake digest handling - this refactors some of the
code for improved readability, however it also addresses two issues.

The first of these is a hard-to-hit double free that will occur if
EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure
that tls1_digest_cached_records() either completes successfully and sets
up all of the necessary digests, or it cleans up and frees everything
that was allocated.

The second issue is that EVP_DigestUpdate() can fail - detect and handle
this in tls1_finish_mac() and change the return type to an int so that a
failure can be propagated to the caller (the callers still need to be
fixed to handle this, in a later diff).

The double-free was reported by Matthew Dillon.

ok beck@ doug@ miod@


# 1.85 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replacing the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.84 06-Mar-2016 beck

Make sure stdio functions don't end up in the library, from miod@
ok doug@ bcook@


# 1.83 11-Sep-2015 jsing

Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a
ssl3_ prefix.

ok beck@


# 1.82 11-Sep-2015 jsing

Merge the remnants of s3_enc.c into t1_enc.c.

ok beck@


# 1.81 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.80 27-Aug-2015 jsing

Change AEAD out_len argument to size_t instead of ssize_t - while here,
rename it to out_len so that its purpose is more obvious. Also, drop two
checks that are no longer possible (and have not been for a long time).

Spotted by and ok doug@


# 1.79 17-Jul-2015 doug

Remove workaround for TLS padding bug from SSLeay days.

OpenSSL doesn't remember which clients were impacted and the
functionality has been broken in their stable releases for 2 years.

Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.

ok jsing@


# 1.78 17-Jun-2015 jsing

Keep alerts sorted by alert code.


# 1.77 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.76 07-Feb-2015 doug

Remove useless variables and use the values directly.

From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.

ok miod@, jsing@


# 1.75 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.74 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.73 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.72 16-Nov-2014 jsing

Sort and group includes.


# 1.71 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.70 18-Oct-2014 doug

Typical malloc() with size multiplication to reallocarray().

ok deraadt@


# 1.69 07-Aug-2014 miod

Oops, revert changes committed by mistake. The previous commit was supposed
to only apply to s23_srvr.c.


# 1.68 07-Aug-2014 miod

When you expect a function to return a particular value, don't put a comment
saying that you expect it to return that value and compare it against zero
because it is supposedly faster, for this leads to bugs (especially given the
high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this
library).

Instead, compare for the exact value it ought to return upon success.

ok deraadt@


# 1.67 10-Jul-2014 jsing

Remove more compression related code.


# 1.66 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.65 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.64 08-Jul-2014 beck

pedantic avoidance of division by zero, likely not actually
possible to hit for real.
ok miod@ jsing@


# 1.63 21-Jun-2014 jsing

Pull the code that builds a DTLS sequence number out into its own function
to avoid duplication. Also use fewer magic numbers.

ok miod@


# 1.62 21-Jun-2014 jsing

Pull out the sequence number selection and handle this up front. Also, the
correct record is already known, so avoid reassignment.


# 1.61 21-Jun-2014 jsing

More KNF and clean up.


# 1.60 15-Jun-2014 jsing

Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(),
so that it reflects what it is actually doing. Use this function in a
number of places that still have the hand rolled version.

ok beck@ miod@


# 1.59 13-Jun-2014 jsing

Correctly calculate the key block length when using export ciphers.


# 1.58 13-Jun-2014 jsing

Swap compress/expand around so they are in the correct order - these ended
up in the wrong order when the code was refactored.


# 1.57 13-Jun-2014 jsing

Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and
EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.


# 1.56 13-Jun-2014 jsing

Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are
those that use EVP_AEAD instead of EVP_CIPHER. This means being able to
change cipher state with an EVP_AEAD and being able to encrypt/decrypt
TLS using the EVP_AEAD. This has no change on existing
non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.

Based on Adam Langley's chromium patches.

Rides the recent libssl bump.

Tested by sthen@


# 1.55 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.54 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.53 11-Jun-2014 jsing

Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since
OpenSSL 1.0.0.

ok miod@ (a little while back)


# 1.52 10-Jun-2014 jsing

In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex()
to avoid a possible NULL function call on ctx.final(). None of the callers
currently check the return value of calls to cert_verify_mac(), however
the function already returns 0 in another case and the MAC comparison will
later fail.

Issue reported by David Ramos.


# 1.51 08-Jun-2014 jsing

Add a define for the SSLv3 sequence size and use it, rather than sprinkling
magic numbers around.

ok deraadt@


# 1.50 08-Jun-2014 jsing

Be explicit with types. No binary change.


# 1.49 08-Jun-2014 jsing

Factor out the part of tls1_change_cipher_state() that is specific to
switching cipher states using an EVP_CIPHER. This will facilitate the
addition of cipher state changes for EVP_AEAD. No functional change.

Based on Adam Langley's chromium patches.


# 1.48 08-Jun-2014 jsing

Factor out the sequence number reset code to aid in upcoming changes.


# 1.47 07-Jun-2014 jsing

Add missing NULL check after calling EVP_PKEY_new_mac_key().

Based on Adam Langley's chromium patches.


# 1.46 07-Jun-2014 jsing

Use !is_read to imply SSL3_CC_WRITE.

While this is not strictly correct (since the presence of SSL3_CC_READ does
not guarantee the absence of SSL3_CC_WRITE), in practice only one of these
flags is set at a time and there is existing logic which already relies on
this behaviour.


# 1.45 07-Jun-2014 jsing

Move the export label initialisation into the export handling code, since
this is the only place where these variables are used.


# 1.44 07-Jun-2014 jsing

Remove pointless casts - no binary change.


# 1.43 07-Jun-2014 jsing

Rename variables to make it clear that these are only used in the export
code. Additionally, these need to be cleaned in the export case.

Based on Adam Langley's chromium patches.


# 1.42 07-Jun-2014 jsing

Further clean up of context handling in tls1_change_cipher_state().

Rather than doing a complex dance to figure out if we should reuse the
cipher context and clean it later on, just free it and allocate a new one.
This simplifies the code path, especially in the write case where special
handling is required for DTLS.

Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is
unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention
that it was already missing from the write case).


# 1.41 02-Jun-2014 jsing

Rename more variables for readability and consistency.


# 1.40 01-Jun-2014 jsing

Overhaul the key block handling in tls1_change_cipher_state() - use
meaningful variable names with pointer arithmetic, rather than n, i, j
and p with array indexing.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.39 01-Jun-2014 jsing

In tls1_setup_key_block(), use the correct IV length for GCM mode, which
results in the key block length calculation also being correct. Rename a
number of variables so that their purpose becomes clear and simplify some
of the code.

Inspired by Adam Langley's chromium diffs.

ok miod@


# 1.38 01-Jun-2014 jsing

Clean up the tls1_change_cipher_state() key length handling and use a
single variable with a descriptive name, instead of two poorly named
variables.

Largely based on Adam Langley's chromium patches.

ok miod@


# 1.37 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.36 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.35 29-May-2014 jsing

Fix another two cases where the return value of ssl_replace_hash() is
unchecked.

In the case of tls1_change_cipher_state(), it is fairly pointless to use
ssl_replace_hash(), since it does not initialise the hash and there is
special handling required in the DTLS write case. Instead, just inline
the part of ssl_replace_hash() that is needed and only
ssl_clear_hash_ctx() the write hash in the non-DTLS case.

Also add a detailed comment explaining why there needs to be specialised
handling for DTLS write context and where the contexts are actually freed.

ok miod@


# 1.34 28-May-2014 jsing

More KNF.


# 1.33 28-May-2014 jsing

Refactor tls1_change_cipher_state() and split the compression handling out
from the cipher and message digest handling, allowing for upcoming changes.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.32 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.31 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.30 25-May-2014 jsing

The ssl_cipher_get_evp() function is currently overloaded to also return the
compression associated with the SSL session. Based on one of Adam Langley's
chromium diffs, factor out the compression handling code into a separate
ssl_cipher_get_comp() function.

Rewrite the compression handling code to avoid pointless duplication and so
that failures are actually returned to and detectable by the caller.

ok miod@


# 1.29 24-May-2014 miod

Invoke OPENSSL_cleanse() with the size of the variable you are cleaning.
ok jsing@


# 1.28 20-May-2014 jsing

KSSL is dead... nuke KSSL_DEBUG from orbit.

ok beck@ miod@


# 1.27 28-Apr-2014 tedu

use the correct algorithm mask. reported by satish lvr via
http://marc.info/?l=openssl-dev&m=139779977532459&w=2
ok miod


# 1.26 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.25 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.24 19-Apr-2014 jsing

More KNF.


# 1.23 18-Apr-2014 tedu

now that knf carpet bombing is finished, switch to hand to hand combat.
still not sure what to make of mysteries like this:
for (i = 7; i >= 0; i--) { /* increment */


# 1.22 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.21 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.20 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.19 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.18 27-Feb-2014 jca

SECURITY fixes backported from openssl-1.0.1f. ok mikeb@

CVE-2013-4353 NULL pointer dereference with crafted Next Protocol
Negotiation record in TLS handshake.
Upstream: 197e0ea

CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client.
Upstream: ca98926, 0294b2b

CVE-2013-6450 Fix DTLS retransmission from previous session.
Upstream: 3462896


# 1.17 14-Feb-2013 markus

cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.14 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.13 09-Jan-2009 djm

resolve conflicts


# 1.12 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.11 06-Sep-2008 djm

resolve conflicts


# 1.10 29-Apr-2005 djm

resolve conflicts


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 01-Aug-2001 beck

merge openssl 0.9.6b-engine

Note that this is a maintenance release, APIs appear *not* to have changed.
As such, I have only increased the minor number on these libraries


# 1.5 22-Jun-2001 beck

openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.124 03-Oct-2020 jsing

Reimplement the TLSv1.2 record handling for the read side.

This is the next step in replacing the TLSv1.2 record layer.

The existing record handling code does decryption and processing in
place, which is not ideal for various reasons, however it is retained
for now as other code depends on this behaviour. Additionally, CBC
requires special handling to avoid timing oracles - for now the
existing timing safe code is largely retained.

ok beck@ inoguchi@ tb@


Revision tags: OPENBSD_6_8_BASE
# 1.123 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_7_BASE
# 1.122 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.121 13-Mar-2020 jsing

Remove dtls1_enc().

Like much of the original DTLS code, dtls1_enc() is effectively a renamed
copy of tls1_enc(). Since then tls1_enc() has been modified, however the
non-AEAD code remains largely the same. As such, remove dtls1_enc() and
instead call tls1_enc() from the DTLS code.

The tls1_enc() AEAD code does not currently work correctly with DTLS,
however this is a non-issue since we do not support AEAD cipher suites with
DTLS currently.

ok tb@


# 1.120 12-Mar-2020 jsing

Stop overloading the record type for padding length.

Currently the CBC related code stuffs the padding length in the upper bits
of the type field... stop doing that and add a padding_length field to the
record struct instead.

ok inoguchi@ tb@


# 1.119 12-Mar-2020 jsing

Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.

SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in
public headers, even though their usage is internal. This moves to
using _INTERNAL suffixed versions that are in internal headers, which
then allows us to change them without any potential public API fallout.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.118 13-May-2019 bcook

Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.

Fixes COV-174858

ok tb@


Revision tags: OPENBSD_6_5_BASE
# 1.117 09-Feb-2019 jsing

Rename tls1_handshake_hash*() to tls1_transcript_hash*().

While handshake hash is correct (in as far as it is a hash of handshake
messages), using tls1_transcript_hash*() aligns them with the naming of the
tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses
Transcript-Hash and "transcript hash", which this matches.

ok inoguchi@ tb@


# 1.116 08-Nov-2018 jsing

Clean up and simplify the handshake transcript code.

This provides a cleaner, simpler and more readable API, with code that uses
a BUF_MEM instead of a BIO.

ok beck@ ("hurry up") and tb@.


# 1.115 24-Oct-2018 jsing

Make more of libssl's record layer state internal.

In January 2017, we changed large amounts of libssl's data structures to
be non-visible/internal, however intentionally left things that the
software ecosystem was needing to use. The four or so applications that
reached into libssl for record layer related state now implement
alternative code. As such, make these data structures internal.

ok tb@


Revision tags: OPENBSD_6_4_BASE
# 1.114 08-Sep-2018 jsing

Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.

ok inoguchi@ tb@


# 1.113 06-Sep-2018 jsing

Drop SSL_CIPHER_ALGORITHM2_AEAD flag.

All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can
condition on that rather than having a separate redundant flag.

ok tb@


# 1.112 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.111 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.110 31-Aug-2018 jsing

Remove unused argument to tls1_change_cipher_state_cipher().


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.109 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.108 10-Apr-2017 jsing

freezero() the key block; simpler code and less of it.


Revision tags: OPENBSD_6_1_BASE
# 1.107 25-Mar-2017 jsing

Check tls1_PRF() return value in tls1_generate_master_secret().


# 1.106 25-Mar-2017 jsing

More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of
tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument
names and change lengths to size_t.

ok inoguchi@


# 1.105 18-Mar-2017 jsing

Fewer magic numbers.


# 1.104 18-Mar-2017 jsing

t1_enc.c


# 1.103 18-Mar-2017 jsing

Currently tls1_PRF() requires that a temporary buffer be provided, that
matches the size of the output buffer. This is used in the case where
there are multiple hashes - tls_P_hash() is called with the temporary
buffer and the result is then xored into the output buffer.

Avoid this by simply using a local buffer in tls_P_hash() and then xoring
the result into the output buffer. Overall this makes the code cleaner
and simplifies all of the tls_PRF() callers.

Similar to BoringSSL.

ok inoguchi@


# 1.102 10-Mar-2017 jsing

Remove the handshake digests and related code, replacing remaining uses
with the handshake hash. For now tls1_digest_cached_records() is retained
to release the handshake buffer.

ok beck@ inoguchi@


# 1.101 10-Mar-2017 jsing

First pass at cleaning up the tls1_P_hash() function - remove a pointless
EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the
code slightly.

ok inoguchi@


# 1.100 10-Mar-2017 jsing

Make tls1_PRF() non-static so it can be regress tested.


# 1.99 07-Mar-2017 jsing

Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned
and each hash processed separately.

Tested by tb@


# 1.98 06-Mar-2017 jsing

Clean up and simplify the tls1_PRF() implementation now that we have a
single EVP MD for the PRF hash.

ok beck@ inoguchi@


# 1.97 05-Mar-2017 jsing

Provide a rolling handshake hash that commences as soon as the cipher
suite has been selected, and convert the final finish MAC to use this
handshake hash.

This is a first step towards cleaning up the current handshake
buffer/digest code.

ok beck@ inoguchi@


# 1.96 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.95 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.94 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.93 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.92 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.91 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.90 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.89 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.88 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.87 06-Nov-2016 jsing

Remove unused SSLv3 from ssl3_cbc_record_digest_supported().

From Markus Uhlin <markus.uhlin at bredband dot net>

ok beck@ bcook@


# 1.86 03-Nov-2016 jsing

Clean up the TLS handshake digest handling - this refactors some of the
code for improved readability, however it also addresses two issues.

The first of these is a hard-to-hit double free that will occur if
EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure
that tls1_digest_cached_records() either completes successfully and sets
up all of the necessary digests, or it cleans up and frees everything
that was allocated.

The second issue is that EVP_DigestUpdate() can fail - detect and handle
this in tls1_finish_mac() and change the return type to an int so that a
failure can be propagated to the caller (the callers still need to be
fixed to handle this, in a later diff).

The double-free was reported by Matthew Dillon.

ok beck@ doug@ miod@


# 1.85 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replacing the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.84 06-Mar-2016 beck

Make sure stdio functions don't end up in the library, from miod@
ok doug@ bcook@


# 1.83 11-Sep-2015 jsing

Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a
ssl3_ prefix.

ok beck@


# 1.82 11-Sep-2015 jsing

Merge the remnants of s3_enc.c into t1_enc.c.

ok beck@


# 1.81 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.80 27-Aug-2015 jsing

Change AEAD out_len argument to size_t instead of ssize_t - while here,
rename it to out_len so that its purpose is more obvious. Also, drop two
checks that are no longer possible (and have not been for a long time).

Spotted by and ok doug@


# 1.79 17-Jul-2015 doug

Remove workaround for TLS padding bug from SSLeay days.

OpenSSL doesn't remember which clients were impacted and the
functionality has been broken in their stable releases for 2 years.

Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.

ok jsing@


# 1.78 17-Jun-2015 jsing

Keep alerts sorted by alert code.


# 1.77 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
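
The server-side check that commit 1.77 adds, modelled in Python as an added example for this page (it is not libssl's code; the standard library suffices, which is why the model is not in C). The `ClientHello` parser only pulls out the two fields RFC 7507 needs, the cipher suite value 0x5600 and the alert number 86 are the RFC's, and the function names, the `client_cipher_suites` helper and the embedded sample hello are this example's own constructions.

```python
"""Server-side TLS_FALLBACK_SCSV handling (RFC 7507). Added example, not libssl code.

The ClientHello body is parsed only as far as the cipher_suites vector, which is a
2-byte length followed by 2-byte suite values. The sample hello built at the bottom
is constructed for this example.
"""
import struct

TLS_FALLBACK_SCSV = 0x5600           # RFC 7507 s.2
ALERT_INAPPROPRIATE_FALLBACK = 86    # RFC 7507 s.2, fatal
TLS1_0, TLS1_1, TLS1_2 = (3, 1), (3, 2), (3, 3)


def parse_cipher_suites(vec):
    """cipher_suites<2..2^16-2>: returns the list of 16-bit suite values, rejecting a
    truncated vector, an odd body length and an empty list."""
    if len(vec) < 2:
        raise ValueError("truncated cipher_suites length")
    (n,) = struct.unpack(">H", vec[:2])
    body = vec[2:2 + n]
    if len(body) != n or n == 0 or n % 2:
        raise ValueError("malformed cipher_suites vector")
    return [struct.unpack(">H", body[i:i + 2])[0] for i in range(0, n, 2)]


def parse_client_hello(body):
    """Handshake body of a ClientHello (after the 4-byte handshake header):
    client_version(2) random(32) session_id<0..32> cipher_suites ...
    Returns (client_version, cipher_suites); later fields are not parsed."""
    if len(body) < 2 + 32 + 1:
        raise ValueError("truncated ClientHello")
    version = (body[0], body[1])
    sid_len = body[34]
    off = 35 + sid_len
    if sid_len > 32 or off > len(body):
        raise ValueError("bad session_id")
    return version, parse_cipher_suites(body[off:])


def check_fallback_scsv(client_version, cipher_suites, server_max_version):
    """RFC 7507 s.3: if the SCSV is present and the server supports a version higher
    than ClientHello.client_version, the server MUST abort with a fatal
    inappropriate_fallback alert. Returns the alert number, or None to proceed.
    A server whose maximum equals client_version never triggers it, which is why the
    feature is inert on a server that only speaks current TLS."""
    if TLS_FALLBACK_SCSV in cipher_suites and server_max_version > client_version:
        return ALERT_INAPPROPRIATE_FALLBACK
    return None


def client_cipher_suites(base_suites, is_fallback_retry):
    """Client side: append the SCSV only on a retry at a deliberately lowered version,
    after all suites the client actually wants to negotiate (RFC 7507 s.4)."""
    return list(base_suites) + ([TLS_FALLBACK_SCSV] if is_fallback_retry else [])


def build_client_hello(version, cipher_suites, random32=b"\x00" * 32):
    """Constructed ClientHello body: empty session_id, one compression method (null)."""
    suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
    return (bytes(version) + random32 + b"\x00"
            + struct.pack(">H", len(suites)) + suites + b"\x01\x00")


if __name__ == "__main__":
    # A browser that failed at TLS 1.2 and retried at TLS 1.0 with the SCSV appended,
    # talking to a server that does support TLS 1.2: the retry is refused.
    hello = build_client_hello(TLS1_0, client_cipher_suites([0x002F, 0x0035], True))
    version, suites = parse_client_hello(hello)
    print(version, [hex(s) for s in suites],
          check_fallback_scsv(version, suites, TLS1_2))
```

The check only ever fires when both sides implement it: a client that never appends 0x5600 is never rejected, and a server that ignores the value negotiates the lowered version as before, which is the limitation the commit message describes.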


# 1.76 07-Feb-2015 doug

Remove useless variables and use the values directly.

From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.

ok miod@, jsing@


# 1.75 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.74 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.73 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.72 16-Nov-2014 jsing

Sort and group includes.


# 1.71 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.70 18-Oct-2014 doug

Typical malloc() with size multiplication to reallocarray().

ok deraadt@


# 1.69 07-Aug-2014 miod

Oops, revert changes committed by mistake. The previous commit was supposed
to only apply to s23_srvr.c.


# 1.68 07-Aug-2014 miod

When you expect a function to return a particular value, don't put a comment
saying that you expect it to return that value and compare it against zero
because it is supposedly faster, for this leads to bugs (especially given the
high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this
library).

Instead, compare for the exact value it ought to return upon success.

ok deraadt@


# 1.67 10-Jul-2014 jsing

Remove more compression related code.


# 1.66 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.65 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.64 08-Jul-2014 beck

pedantic avoidance of division by zero, likely not actually
possible to hit for real.
ok miod@ jsing@


# 1.63 21-Jun-2014 jsing

Pull the code that builds a DTLS sequence number out into its own function
to avoid duplication. Also use fewer magic numbers.

ok miod@


# 1.62 21-Jun-2014 jsing

Pull out the sequence number selection and handle this up front. Also, the
correct record is already known, so avoid reassignment.


# 1.61 21-Jun-2014 jsing

More KNF and clean up.


# 1.60 15-Jun-2014 jsing

Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(),
so that it reflects what it is actually doing. Use this function in a
number of places that still have the hand rolled version.

ok beck@ miod@
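
The sequence number handling that commits 1.63 and 1.60 factor out, and the nonce layouts behind the two ChaCha20-Poly1305 variants that commit 1.85 keeps side by side, modelled in Python as an added example for this page (not libssl's code). The GCM and IETF ChaCha20-Poly1305 nonce constructions follow RFC 5288 and RFC 7905; the "-OLD" layout is my reading of the earlier Google draft (an 8-byte nonce that is the sequence number, with no write IV) and is stated as an assumption; the function names are this example's own.

```python
"""TLS/DTLS record sequence numbers and the AEAD nonces built from them.

Added example, not libssl code. Models ssl3_record_sequence_increment(), the DTLS
sequence number builder and the nonce layouts of RFC 5288 (AES-GCM), RFC 7905 (the
IETF ChaCha20-Poly1305 suites) and, as this example understands the earlier Google
draft, the "-OLD" suites. Function names are this example's own.
"""
import struct

SEQ_LEN = 8  # SSL3_SEQUENCE_SIZE: a 64-bit record sequence number


def sequence_increment(seq):
    """Big-endian increment with carry over an 8-byte bytearray, byte by byte as the
    C loop `for (i = 7; i >= 0; i--)` does it. Returns False if the counter wrapped to
    zero, which RFC 5246 s.6.1 forbids: the sender must renegotiate or close before
    the sequence number would exceed 2^64 - 1."""
    if len(seq) != SEQ_LEN:
        raise ValueError("sequence number must be 8 bytes")
    for i in range(SEQ_LEN - 1, -1, -1):
        seq[i] = (seq[i] + 1) & 0xFF
        if seq[i] != 0:
            return True    # no carry out of this byte, done
    return False           # carried out of the top byte: wrapped


def dtls_sequence(epoch, seq48):
    """DTLS carries the sequence number on the wire as a 16-bit epoch followed by a
    48-bit per-epoch sequence (RFC 6347 s.4.1). These 8 bytes are what DTLS feeds to the
    MAC and nonce in place of TLS's implicit counter."""
    if not 0 <= epoch < 1 << 16 or not 0 <= seq48 < 1 << 48:
        raise ValueError("epoch or sequence number out of range")
    return struct.pack(">H", epoch) + seq48.to_bytes(6, "big")


def aead_additional_data(seq, content_type, version, plaintext_len):
    """additional_data = seq_num || type || version || length (RFC 5246 s.6.2.3.3)."""
    return (bytes(seq) + bytes([content_type, version[0], version[1]])
            + struct.pack(">H", plaintext_len))


def gcm_nonce(fixed_iv, seq):
    """RFC 5288: nonce = salt(4, the write_IV from the key block) || nonce_explicit(8).
    The explicit part is the sequence number and is sent in front of the ciphertext.
    Returns (nonce, explicit part to transmit)."""
    if len(fixed_iv) != 4 or len(seq) != SEQ_LEN:
        raise ValueError("GCM needs a 4-byte salt and an 8-byte sequence number")
    return fixed_iv + bytes(seq), bytes(seq)


def chacha20_ietf_nonce(fixed_iv, seq):
    """RFC 7905: 12-byte nonce = write_IV XOR (four zero bytes || seq). Nothing is
    transmitted; the peer rebuilds the nonce from its own counter."""
    if len(fixed_iv) != 12 or len(seq) != SEQ_LEN:
        raise ValueError("IETF ChaCha20-Poly1305 needs a 12-byte IV and an 8-byte sequence number")
    padded = b"\x00" * 4 + bytes(seq)
    return bytes(a ^ b for a, b in zip(fixed_iv, padded))


def chacha20_old_nonce(seq):
    """Assumed layout of the pre-RFC Google draft (the "-OLD" suites): the 8-byte nonce
    is the sequence number itself, with no write_IV and nothing explicit on the wire."""
    if len(seq) != SEQ_LEN:
        raise ValueError("sequence number must be 8 bytes")
    return bytes(seq)


if __name__ == "__main__":
    seq = bytearray(SEQ_LEN)
    sequence_increment(seq)
    print(gcm_nonce(b"\x11" * 4, seq)[0].hex())
    print(chacha20_ietf_nonce(b"\x22" * 12, seq).hex())
    print(dtls_sequence(epoch=1, seq48=7).hex())
```

Both IETF constructions depend on the sequence number never repeating under a key, which is why the increment reports a wrap instead of silently continuing, and why the DTLS code the later commits describe has to keep the previous epoch's write state separate when retransmitting.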


# 1.59 13-Jun-2014 jsing

Correctly calculate the key block length when using export ciphers.


# 1.58 13-Jun-2014 jsing

Swap compress/expand around so they are in the correct order - these ended
up in the wrong order when the code was refactored.


# 1.57 13-Jun-2014 jsing

Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and
EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.


# 1.56 13-Jun-2014 jsing

Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are
those that use EVP_AEAD instead of EVP_CIPHER. This means being able to
change cipher state with an EVP_AEAD and being able to encrypt/decrypt
TLS using the EVP_AEAD. This has no change on existing
non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.

Based on Adam Langley's chromium patches.

Rides the recent libssl bump.

Tested by sthen@


# 1.55 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.54 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.53 11-Jun-2014 jsing

Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since
OpenSSL 1.0.0.

ok miod@ (a little while back)


# 1.52 10-Jun-2014 jsing

In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex()
to avoid a possible NULL function call on ctx.final(). None of the callers
currently check the return value of calls to cert_verify_mac(), however
the function already returns 0 in another case and the MAC comparison will
later fail.

Issue reported by David Ramos.


# 1.51 08-Jun-2014 jsing

Add a define for the SSLv3 sequence size and use it, rather than sprinkling
magic numbers around.

ok deraadt@


# 1.50 08-Jun-2014 jsing

Be explicit with types. No binary change.


# 1.49 08-Jun-2014 jsing

Factor out the part of tls1_change_cipher_state() that is specific to
switching cipher states using an EVP_CIPHER. This will facilitate the
addition of cipher state changes for EVP_AEAD. No functional change.

Based on Adam Langley's chromium patches.


# 1.48 08-Jun-2014 jsing

Factor out the sequence number reset code to aid in upcoming changes.


# 1.47 07-Jun-2014 jsing

Add missing NULL check after calling EVP_PKEY_new_mac_key().

Based on Adam Langley's chromium patches.


# 1.46 07-Jun-2014 jsing

Use !is_read to imply SSL3_CC_WRITE.

While this is not strictly correct (since the presence of SSL3_CC_READ does
not guarantee the absence of SSL3_CC_WRITE), in practice only one of these
flags is set at a time and there is existing logic which already relies on
this behaviour.


# 1.45 07-Jun-2014 jsing

Move the export label initialisation into the export handling code, since
this is the only place where these variables are used.


# 1.44 07-Jun-2014 jsing

Remove pointless casts - no binary change.


# 1.43 07-Jun-2014 jsing

Rename variables to make it clear that these are only used in the export
code. Additionally, these need to be cleaned in the export case.

Based on Adam Langley's chromium patches.


# 1.42 07-Jun-2014 jsing

Further clean up of context handling in tls1_change_cipher_state().

Rather than doing a complex dance to figure out if we should reuse the
cipher context and clean it later on, just free it and allocate a new one.
This simplifies the code path, especially in the write case where special
handling is required for DTLS.

Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is
unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention
that it was already missing from the write case).


# 1.41 02-Jun-2014 jsing

Rename more variables for readability and consistency.


# 1.40 01-Jun-2014 jsing

Overhaul the key block handling in tls1_change_cipher_state() - use
meaningful variable names with pointer arithmetic, rather than n, i, j
and p with array indexing.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.39 01-Jun-2014 jsing

In tls1_setup_key_block(), use the correct IV length for GCM mode, which
results in the key block length calculation also being correct. Rename a
number of variables so that their purpose becomes clear and simplify some
of the code.

Inspired by Adam Langley's chromium diffs.

ok miod@
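
The PRF that commits 1.103 and 1.99 above simplify and fix, and the key block sizing and partitioning that 1.40 and 1.39 clean up, in one pure-Python model. This is an added example written for this page, not libssl's code (Python rather than C so it runs with only the standard library). The PRF, master secret and key block layouts follow RFC 2246 s.5 and RFC 5246 s.5/s.6.3, the 4-byte GCM implicit nonce follows RFC 5288; the `CipherParams` type, the two suite constants and the function names are this example's own.

```python
"""TLS PRF (RFC 2246 s.5, RFC 5246 s.5) and key block expansion (RFC 5246 s.6.3).

Added example, not libssl code: a pure-Python model of what tls1_P_hash(), tls1_PRF()
and tls1_setup_key_block() compute. CipherParams and the suite constants are this
example's own names.
"""
import hmac
from dataclasses import dataclass

TLS1_0, TLS1_1, TLS1_2 = (3, 1), (3, 2), (3, 3)


def p_hash(hash_name, secret, seed, out_len):
    """P_hash(secret, seed) = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ...
    with A(0) = seed and A(i) = HMAC(secret, A(i-1)); output truncated to out_len."""
    out = bytearray()
    a = seed
    while len(out) < out_len:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return bytes(out[:out_len])


def tls_prf(version, secret, label, seed, out_len, prf_hash="sha256"):
    """PRF(secret, label, seed) for a (major, minor) protocol version.

    TLS 1.2: a single P_hash with the cipher suite's PRF hash (SHA-256 by default).
    TLS 1.0/1.1: the secret is split into S1 and S2 of ceil(len/2) bytes each (they
    share the middle byte when len is odd); P_MD5 runs over S1 and P_SHA1 over S2, both
    with the full label + seed, and the two outputs are XORed. This is the partitioning
    commit 1.99 fixed; the XOR into the output buffer is what 1.103 simplified.
    """
    label_seed = label + seed
    if version >= TLS1_2:
        return p_hash(prf_hash, secret, label_seed, out_len)
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_out = p_hash("md5", s1, label_seed, out_len)
    sha1_out = p_hash("sha1", s2, label_seed, out_len)
    return bytes(x ^ y for x, y in zip(md5_out, sha1_out))


def derive_master_secret(version, pre_master_secret, client_random, server_random,
                         prf_hash="sha256"):
    """master_secret = PRF(pre_master_secret, "master secret",
    client_random + server_random), always 48 bytes."""
    return tls_prf(version, pre_master_secret, b"master secret",
                   client_random + server_random, 48, prf_hash)


@dataclass(frozen=True)
class CipherParams:
    """Lengths a cipher suite contributes to the key block (this example's own type)."""
    mac_key_len: int  # 0 for AEAD suites, which have no separate MAC key
    key_len: int
    iv_len: int       # for GCM this is the 4-byte implicit nonce (RFC 5288 salt),
                      # not the cipher's block size or full IV; commit 1.39 is about
                      # getting this length right so the key block is sized correctly


AES_128_CBC_SHA = CipherParams(mac_key_len=20, key_len=16, iv_len=16)
AES_128_GCM_SHA256 = CipherParams(mac_key_len=0, key_len=16, iv_len=4)


def derive_key_block(version, master_secret, client_random, server_random, params,
                     prf_hash="sha256"):
    """key_block = PRF(master_secret, "key expansion", server_random + client_random),
    sized for the suite and cut up in RFC order. Note the randoms are in the opposite
    order to the master secret derivation."""
    total = 2 * (params.mac_key_len + params.key_len + params.iv_len)
    key_block = tls_prf(version, master_secret, b"key expansion",
                        server_random + client_random, total, prf_hash)
    layout = (
        ("client_write_MAC_key", params.mac_key_len),
        ("server_write_MAC_key", params.mac_key_len),
        ("client_write_key", params.key_len),
        ("server_write_key", params.key_len),
        ("client_write_IV", params.iv_len),
        ("server_write_IV", params.iv_len),
    )
    keys, offset = {}, 0
    for name, length in layout:
        keys[name] = key_block[offset:offset + length]
        offset += length
    return keys
```

With `AES_128_GCM_SHA256` the key block is 40 bytes (two 16-byte keys and two 4-byte salts); sizing the IV slot from the 16-byte block size instead would derive 64 bytes and put every key after the first at the wrong offset on one side of the connection, which is the kind of mismatch that surfaces as a MAC or decryption failure rather than an obvious error.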


# 1.38 01-Jun-2014 jsing

Clean up the tls1_change_cipher_state() key length handling and use a
single variable with a descriptive name, instead of two poorly named
variables.

Largely based on Adam Langley's chromium patches.

ok miod@


# 1.37 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.36 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.35 29-May-2014 jsing

Fix another two cases where the return value of ssl_replace_hash() is
unchecked.

In the case of tls1_change_cipher_state(), it is fairly pointless to use
ssl_replace_hash(), since it does not initialise the hash and there is
special handling required in the DTLS write case. Instead, just inline
the part of ssl_replace_hash() that is needed and only
ssl_clear_hash_ctx() the write hash in the non-DTLS case.

Also add a detailed comment explaining why there needs to be specialised
handling for DTLS write context and where the contexts are actually freed.

ok miod@


# 1.34 28-May-2014 jsing

More KNF.


# 1.33 28-May-2014 jsing

Refactor tls1_change_cipher_state() and split the compression handling out
from the cipher and message digest handling, allowing for upcoming changes.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.32 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.31 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.30 25-May-2014 jsing

The ssl_cipher_get_evp() function is currently overloaded to also return the
compression associated with the SSL session. Based on one of Adam Langley's
chromium diffs, factor out the compression handling code into a separate
ssl_cipher_get_comp() function.

Rewrite the compression handling code to avoid pointless duplication and so
that failures are actually returned to and detectable by the caller.

ok miod@


# 1.29 24-May-2014 miod

Invoke OPENSSL_cleanse() with the size of the variable you are cleaning.
ok jsing@


# 1.28 20-May-2014 jsing

KSSL is dead... nuke KSSL_DEBUG from orbit.

ok beck@ miod@


# 1.27 28-Apr-2014 tedu

use the correct algorithm mask. reported by satish lvr via
http://marc.info/?l=openssl-dev&m=139779977532459&w=2
ok miod


# 1.26 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.25 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.24 19-Apr-2014 jsing

More KNF.


# 1.23 18-Apr-2014 tedu

now that knf carpet bombing is finished, switch to hand to hand combat.
still not sure what to make of mysteries like this:
for (i = 7; i >= 0; i--) { /* increment */


# 1.22 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.21 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.20 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.19 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.18 27-Feb-2014 jca

SECURITY fixes backported from openssl-1.0.1f. ok mikeb@

CVE-2013-4353 NULL pointer dereference with crafted Next Protocol
Negotiation record in TLS handshake.
Upstream: 197e0ea

CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client.
Upstream: ca98926, 0294b2b

CVE-2013-6450 Fix DTLS retransmission from previous session.
Upstream: 3462896


# 1.17 14-Feb-2013 markus

cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.14 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.13 09-Jan-2009 djm

resolve conflicts


# 1.12 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.11 06-Sep-2008 djm

resolve conflicts


# 1.10 29-Apr-2005 djm

resolve conflicts


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 01-Aug-2001 beck

merge openssl 0.9.6b-engine

Note that this is a maintenance release, APIs appear *not* to have changed.
As such, I have only increased the minor number on these libraries


# 1.5 22-Jun-2001 beck

openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.130 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.129 19-Jan-2021 jsing

Add code to handle change of cipher state in the new TLSv1.2 record layer.

This provides the basic framework for handling change of cipher state in
the new TLSv1.2 record layer, creating new record protection. In the DTLS
case we retain the previous write record protection and can switch back to
it when retransmitting. This will allow the record layer to start owning
sequence numbers and encryption/decryption state.

ok inoguchi@ tb@


# 1.128 07-Jan-2021 jsing

Move the read MAC key into the TLSv1.2 record layer.

ok inoguchi@ tb@


# 1.127 11-Nov-2020 jsing

Use size_t for key_block_len.

This allows us to remove a check and will make future changes simpler. Use
suitable names for tls1_generate_key_block() arguments while here.

ok inoguchi@ tb@


# 1.126 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.125 07-Oct-2020 jsing

Mop up various things that are now unused with the new record layer.

ok inoguchi@ tb@


# 1.124 03-Oct-2020 jsing

Reimplement the TLSv1.2 record handling for the read side.

This is the next step in replacing the TLSv1.2 record layer.

The existing record handling code does decryption and processing in
place, which is not ideal for various reasons, however it is retained
for now as other code depends on this behaviour. Additionally, CBC
requires special handling to avoid timing oracles - for now the
existing timing safe code is largely retained.

ok beck@ inoguchi@ tb@
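
The CBC post-decryption path that commit 1.124 retains timing-safe code for, and the padding check that 1.118 notes tls1_cbc_remove_padding() now owns, modelled in Python as an added example for this page (not libssl's code; AES itself is not modelled, the input is the already-decrypted record body). The MAC-then-encrypt layout, padding rule and MAC input follow RFC 5246 s.6.2.3.2; the function names, the SHA-1/AES-128 sizes chosen for the constants and the sample record are this example's own. Python gives no real constant-time guarantees, so the point shown is the structure of the check, not its timing.

```python
"""TLS CBC record check after decryption (MAC-then-encrypt, RFC 5246 s.6.2.3.2).

Added example, not libssl code. The record body arrives already decrypted, laid out
as payload || MAC || padding || padding_length. Padding and MAC failures both yield
bad_record_mac, and the MAC is always computed, so neither the alert type nor
whether the MAC ran distinguishes the two. Constants model HMAC-SHA1 with a 16-byte
block cipher; Python cannot make the hash work itself constant time, which is what
libssl's separate CBC digest code exists for.
"""
import hmac
import struct

ALERT_BAD_RECORD_MAC = 20
MAC_HASH, MAC_LEN = "sha1", 20
BLOCK = 16


def record_mac(mac_key, seq, content_type, version, fragment):
    """MAC = HMAC(key, seq_num || type || version || length || fragment)."""
    header = (bytes(seq) + bytes([content_type, version[0], version[1]])
              + struct.pack(">H", len(fragment)))
    return hmac.new(mac_key, header + fragment, MAC_HASH).digest()


def protect_record(payload, mac_key, seq, content_type=23, version=(3, 3)):
    """Sender side before encryption: append MAC, then padding_length + 1 bytes that all
    equal padding_length so the total is a multiple of the block size."""
    mac = record_mac(mac_key, seq, content_type, version, payload)
    pad_len = (BLOCK - (len(payload) + len(mac) + 1) % BLOCK) % BLOCK
    return payload + mac + bytes([pad_len]) * (pad_len + 1)


def check_record(decrypted, mac_key, seq, content_type=23, version=(3, 3)):
    """Receiver side after decryption. Returns (payload, None) on success or
    (None, ALERT_BAD_RECORD_MAC) on any failure."""
    n = len(decrypted)
    if n % BLOCK or n < MAC_LEN + 1:
        return None, ALERT_BAD_RECORD_MAC      # cannot be a well-formed CBC record
    pad_len = decrypted[-1]
    good = 1
    if pad_len + 1 + MAC_LEN > n:
        good = 0          # claimed padding does not fit: remember it, but keep going
        pad_len = 0       # and still verify a MAC over something
    # TLS (unlike SSLv3) requires every padding byte to equal padding_length.
    # OR-accumulate instead of returning on the first bad byte.
    bad = 0
    for b in decrypted[n - 1 - pad_len:n - 1]:
        bad |= b ^ pad_len
    good &= int(bad == 0)
    payload_end = n - 1 - pad_len - MAC_LEN
    payload = decrypted[:payload_end]
    mac = decrypted[payload_end:payload_end + MAC_LEN]
    expected = record_mac(mac_key, seq, content_type, version, payload)
    good &= int(hmac.compare_digest(mac, expected))   # always computed, always compared
    if good:
        return payload, None
    return None, ALERT_BAD_RECORD_MAC


if __name__ == "__main__":
    key, seq = b"k" * 20, b"\x00" * 8
    rec = protect_record(b"hello", key, seq)          # constructed sample record
    print(check_record(rec, key, seq))
    tampered = bytearray(rec)
    tampered[-2] ^= 1                                 # corrupt one padding byte
    print(check_record(bytes(tampered), key, seq))
```

A record whose padding byte is wrong and a record whose MAC is wrong come back identical to the caller; the residual leak the commit message is concerned with is that the HMAC over a longer or shorter payload takes a different number of compression function calls, which is why the retained C code pads the MAC computation to a fixed amount of work rather than relying on this structure alone.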


Revision tags: OPENBSD_6_8_BASE
# 1.123 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_7_BASE
# 1.122 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.121 13-Mar-2020 jsing

Remove dtls1_enc().

Like much of the original DTLS code, dtls1_enc() is effectively a renamed
copy of tls1_enc(). Since then tls1_enc() has been modified, however the
non-AEAD code remains largely the same. As such, remove dtls1_enc() and
instead call tls1_enc() from the DTLS code.

The tls1_enc() AEAD code does not currently work correctly with DTLS,
however this is a non-issue since we do not support AEAD cipher suites with
DTLS currently.

ok tb@


# 1.120 12-Mar-2020 jsing

Stop overloading the record type for padding length.

Currently the CBC related code stuffs the padding length in the upper bits
of the type field... stop doing that and add a padding_length field to the
record struct instead.

ok inoguchi@ tb@


# 1.119 12-Mar-2020 jsing

Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.

SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in
public headers, even though their usage is internal. This moves to
using _INTERNAL suffixed versions that are in internal headers, which
then allows us to change them without any potential public API fallout.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.118 13-May-2019 bcook

Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.

Fixes COV-174858

ok tb@


Revision tags: OPENBSD_6_5_BASE
# 1.117 09-Feb-2019 jsing

Rename tls1_handshake_hash*() to tls1_transcript_hash*().

While handshake hash is correct (in as far as it is a hash of handshake
messages), using tls1_transcript_hash*() aligns them with the naming of the
tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses
Transcript-Hash and "transcript hash", which this matches.

ok inoguchi@ tb@


# 1.116 08-Nov-2018 jsing

Clean up and simplify the handshake transcript code.

This provides a cleaner, simpler and more readable API, with code that uses
a BUF_MEM instead of a BIO.

ok beck@ ("hurry up") and tb@.


# 1.115 24-Oct-2018 jsing

Make more of libssl's record layer state internal.

In January 2017, we changed large amounts of libssl's data structures to
be non-visible/internal, however intentionally left things that the
software ecosystem was needing to use. The four or so applications that
reached into libssl for record layer related state now implement
alternative code. As such, make these data structures internal.

ok tb@


Revision tags: OPENBSD_6_4_BASE
# 1.114 08-Sep-2018 jsing

Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.

ok inoguchi@ tb@


# 1.113 06-Sep-2018 jsing

Drop SSL_CIPHER_ALGORITHM2_AEAD flag.

All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can
condition on that rather than having a separate redundant flag.

ok tb@


# 1.112 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.111 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.110 31-Aug-2018 jsing

Remove unused argument to tls1_change_cipher_state_cipher().


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.109 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.108 10-Apr-2017 jsing

freezero() the key block; simpler code and less of it.


Revision tags: OPENBSD_6_1_BASE
# 1.107 25-Mar-2017 jsing

Check tls1_PRF() return value in tls1_generate_master_secret().


# 1.106 25-Mar-2017 jsing

More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of
tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument
names and change lengths to size_t.

ok inoguchi@


# 1.105 18-Mar-2017 jsing

Fewer magic numbers.


# 1.104 18-Mar-2017 jsing

t1_enc.c


# 1.103 18-Mar-2017 jsing

Currently tls1_PRF() requires that a temporary buffer be provided, that
matches the size of the output buffer. This is used in the case where
there are multiple hashes - tls_P_hash() is called with the temporary
buffer and the result is then xored into the output buffer.

Avoid this by simply using a local buffer in tls_P_hash() and then xoring
the result into the output buffer. Overall this makes the code cleaner
and simplifies all of the tls_PRF() callers.

Similar to BoringSSL.

ok inoguchi@


# 1.102 10-Mar-2017 jsing

Remove the handshake digests and related code, replacing remaining uses
with the handshake hash. For now tls1_digest_cached_records() is retained
to release the handshake buffer.

ok beck@ inoguchi@


# 1.101 10-Mar-2017 jsing

First pass at cleaning up the tls1_P_hash() function - remove a pointless
EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the
code slightly.

ok inoguchi@


# 1.100 10-Mar-2017 jsing

Make tls1_PRF() non-static so it can be regress tested.


# 1.99 07-Mar-2017 jsing

Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned
and each hash processed separately.

Tested by tb@


# 1.98 06-Mar-2017 jsing

Clean up and simplify the tls1_PRF() implementation now that we have a
single EVP MD for the PRF hash.

ok beck@ inoguchi@


# 1.97 05-Mar-2017 jsing

Provide a rolling handshake hash that commences as soon as the cipher
suite has been selected, and convert the final finish MAC to use this
handshake hash.

This is a first step towards cleaning up the current handshake
buffer/digest code.

ok beck@ inoguchi@


# 1.96 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.95 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.94 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single funciton code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.93 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.92 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.91 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.90 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.89 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.88 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.87 06-Nov-2016 jsing

Remove unused SSLv3 from ssl3_cbc_record_digest_supported().

From Markus Uhlin <markus.uhlin at bredband dot net>

ok beck@ bcooK@


# 1.86 03-Nov-2016 jsing

Clean up the TLS handshake digest handling - this refactors some of the
code for improved readability, however it also address two issues.

The first of these is a hard-to-hit double free that will occur if
EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure
that tls1_digest_cached_records() either completes successfully and sets
up all of the necessary digests, or it cleans up and frees everything
that was allocated.

The second issue is that EVP_DigestUpdate() can fail - detect and handle
this in tls1_finish_mac() and change the return type to an int so that a
failure can be propagated to the caller (the callers still need to be
fixed to handle this, in a later diff).

The double-free was reported by Matthew Dillon.

ok beck@ doug@ miod@


# 1.85 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replaces the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.84 06-Mar-2016 beck

Make sure stdio functions don't end up in the library, from miod@
ok doug@ bcook@


# 1.83 11-Sep-2015 jsing

Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a
ssl3_ prefix.

ok beck@


# 1.82 11-Sep-2015 jsing

Merge the remnants of s3_enc.c into t1_enc.c.

ok beck@


# 1.81 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.80 27-Aug-2015 jsing

Change AEAD out_len argument to size_t instead of ssize_t - while here,
rename it to out_len so that its purpose is more obvious. Also, drop two
checks that are no longer possible (and have not been for a long time).

Spotted by and ok doug@


# 1.79 17-Jul-2015 doug

Remove workaround for TLS padding bug from SSLeay days.

OpenSSL doesn't remember which clients were impacted and the
functionality has been broken in their stable releases for 2 years.

Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.

ok jsing@


# 1.78 17-Jun-2015 jsing

Keep alerts sorted by alert code.


# 1.77 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.76 07-Feb-2015 doug

Remove useless variables and use the values directly.

From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.

ok miod@, jsing@


# 1.75 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.74 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.73 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.72 16-Nov-2014 jsing

Sort and group includes.


# 1.71 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.70 18-Oct-2014 doug

Typical malloc() with size multiplication to reallocarray().

ok deraadt@


# 1.69 07-Aug-2014 miod

Oops, revert changes committed by mistake. The previous commit was supposed
to only apply to s23_srvr.c.


# 1.68 07-Aug-2014 miod

When you expect a function to return a particular value, don't put a comment
saying that you expect it to return that value and compare it against zero
because it is supposedly faster, for this leads to bugs (especially given the
high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this
library).

Instead, compare for the exact value it ought to return upon success.

ok deraadt@


# 1.67 10-Jul-2014 jsing

Remove more compression related code.


# 1.66 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.65 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.64 08-Jul-2014 beck

pedantic avoidance of division by zero, likely not actually
possible to hit for real.
ok miod@ jsing@


# 1.63 21-Jun-2014 jsing

Pull the code that builds a DTLS sequence number out into its own function
to avoid duplication. Also use fewer magic numbers.

ok miod@


# 1.62 21-Jun-2014 jsing

Pull out the sequence number selection and handle this up front. Also, the
correct record is already known, so avoid reassignment.


# 1.61 21-Jun-2014 jsing

More KNF and clean up.


# 1.60 15-Jun-2014 jsing

Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(),
so that it reflects what it is actually doing. Use this function in a
number of places that still have the hand rolled version.

ok beck@ miod@


# 1.59 13-Jun-2014 jsing

Correctly calculate the key block length when using export ciphers.


# 1.58 13-Jun-2014 jsing

Swap compress/expand around so they are in the correct order - these ended
up in the wrong order when the code was refactored.


# 1.57 13-Jun-2014 jsing

Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and
EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.


# 1.56 13-Jun-2014 jsing

Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are
those that use EVP_AEAD instead of EVP_CIPHER. This means being able to
change cipher state with an EVP_AEAD and being able to encrypt/decrypt
TLS using the EVP_AEAD. This has no change on existing
non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.

Based on Adam Langley's chromium patches.

Rides the recent libssl bump.

Tested by sthen@


# 1.55 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.54 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.53 11-Jun-2014 jsing

Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since
OpenSSL 1.0.0.

ok miod@ (a little while back)


# 1.52 10-Jun-2014 jsing

In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex()
to avoid a possible NULL function call on ctx.final(). None of the callers
currently check the return value of calls to cert_verify_mac(), however
the function already returns 0 in another case and the MAC comparison will
later fail.

Issue reported by David Ramos.


# 1.51 08-Jun-2014 jsing

Add a define for the SSLv3 sequence size and use it, rather than sprinkling
magic numbers around.

ok deraadt@


# 1.50 08-Jun-2014 jsing

Be explicit with types. No binary change.


# 1.49 08-Jun-2014 jsing

Factor out the part of tls1_change_cipher_state() that is specific to
switching cipher states using an EVP_CIPHER. This will facilitate the
addition of cipher state changes for EVP_AEAD. No functional change.

Based on Adam Langley's chromium patches.


# 1.48 08-Jun-2014 jsing

Factor out the sequence number reset code to aid in upcoming changes.


# 1.47 07-Jun-2014 jsing

Add missing NULL check after calling EVP_PKEY_new_mac_key().

Based on Adam Langley's chromium patches.


# 1.46 07-Jun-2014 jsing

Use !is_read to imply SSL3_CC_WRITE.

While this is not strictly correct (since the presence of SSL3_CC_READ does
not guarantee the absence of SSL3_CC_WRITE), in practice only one of these
flags is set at a time and there is existing logic which already relies on
this behaviour.


# 1.45 07-Jun-2014 jsing

Move the export label initialisation into the export handling code, since
this is the only place where these variables are used.


# 1.44 07-Jun-2014 jsing

Remove pointless casts - no binary change.


# 1.43 07-Jun-2014 jsing

Rename variables to make it clear that these are only used in the export
code. Additionally, these need to be cleaned in the export case.

Based on Adam Langley's chromium patches.


# 1.42 07-Jun-2014 jsing

Further clean up of context handling in tls1_change_cipher_state().

Rather than doing a complex dance to figure out if we should reuse the
cipher context and clean it later on, just free it and allocate a new one.
This simplifies the code path, especially in the write case where special
handling is required for DTLS.

Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is
unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention
that it was already missing from the write case).


# 1.41 02-Jun-2014 jsing

Rename more variables for readability and consistency.


# 1.40 01-Jun-2014 jsing

Overhaul the key block handling in tls1_change_cipher_state() - use
meaningful variable names with pointer arithmetic, rather than n, i, j
and p with array indexing.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.39 01-Jun-2014 jsing

In tls1_setup_key_block(), use the correct IV length for GCM mode, which
results in the key block length calculation also being correct. Rename a
number of variables so that their purpose becomes clear and simplify some
of the code.

Inspired by Adam Langley's chromium diffs.

ok miod@


# 1.38 01-Jun-2014 jsing

Clean up the tls1_change_cipher_state() key length handling and use a
single variable with a descriptive name, instead of two poorly named
variables.

Largely based on Adam Langley's chromium patches.

ok miod@


# 1.37 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.36 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.35 29-May-2014 jsing

Fix another two cases where the return value of ssl_replace_hash() is
unchecked.

In the case of tls1_change_cipher_state(), it is fairly pointless to use
ssl_replace_hash(), since it does not initialise the hash and there is
special handling required in the DTLS write case. Instead, just inline
the part of ssl_replace_hash() that is needed and only
ssl_clear_hash_ctx() the write hash in the non-DTLS case.

Also add a detailed comment explaining why there needs to be specialised
handling for DTLS write context and where the contexts are actually freed.

ok miod@


# 1.34 28-May-2014 jsing

More KNF.


# 1.33 28-May-2014 jsing

Refactor tls1_change_cipher_state() and split the compression handling out
from the cipher and message digest handling, allowing for upcoming changes.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.32 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.31 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.30 25-May-2014 jsing

The ssl_cipher_get_evp() function is currently overloaded to also return the
compression associated with the SSL session. Based on one of Adam Langley's
chromium diffs, factor out the compression handling code into a separate
ssl_cipher_get_comp() function.

Rewrite the compression handling code to avoid pointless duplication and so
that failures are actually returned to and detectable by the caller.

ok miod@


# 1.29 24-May-2014 miod

Invoke OPENSSL_cleanse() with the size of the variable you are cleaning.
ok jsing@


# 1.28 20-May-2014 jsing

KSSL is dead... nuke KSSL_DEBUG from orbit.

ok beck@ miod@


# 1.27 28-Apr-2014 tedu

use the correct algorithm mask. reported by satish lvr via
http://marc.info/?l=openssl-dev&m=139779977532459&w=2
ok miod


# 1.26 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.25 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.24 19-Apr-2014 jsing

More KNF.


# 1.23 18-Apr-2014 tedu

now that knf carpet bombing is finished, switch to hand to hand combat.
still not sure what to make of mysteries like this:
for (i = 7; i >= 0; i--) { /* increment */


# 1.22 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.21 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.20 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.19 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.18 27-Feb-2014 jca

SECURITY fixes backported from openssl-1.0.1f. ok mikeb@

CVE-2013-4353 NULL pointer dereference with crafted Next Protocol
Negotiation record in TLS handshake.
Upstream: 197e0ea

CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client.
Upstream: ca98926, 0294b2b

CVE-2013-6450 Fix DTLS retransmission from previous session.
Upstream: 3462896


# 1.17 14-Feb-2013 markus

cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.14 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.13 09-Jan-2009 djm

resolve conflicts


# 1.12 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.11 06-Sep-2008 djm

resolve conflicts


# 1.10 29-Apr-2005 djm

resolve conflicts


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 01-Aug-2001 beck

merge openssl 0.9.6b-engine

Note that this is a maintenance release, APIs appear *not* to have changed.
As such, I have only increased the minor number on these libraries


# 1.5 22-Jun-2001 beck

openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.129 19-Jan-2021 jsing

Add code to handle change of cipher state in the new TLSv1.2 record layer.

This provides the basic framework for handling change of cipher state in
the new TLSv1.2 record layer, creating new record protection. In the DTLS
case we retain the previous write record protection and can switch back to
it when retransmitting. This will allow the record layer to start owning
sequence numbers and encryption/decryption state.

ok inoguchi@ tb@


# 1.128 07-Jan-2021 jsing

Move the read MAC key into the TLSv1.2 record layer.

ok inoguchi@ tb@


# 1.127 11-Nov-2020 jsing

Use size_t for key_block_len.

This allows us to remove a check and will make future changes simpler. Use
suitable names for tls1_generate_key_block() arguments while here.

ok inoguchi@ tb@


# 1.126 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.125 07-Oct-2020 jsing

Mop up various things that are now unused with the new record layer.

ok inoguchi@ tb@


# 1.124 03-Oct-2020 jsing

Reimplement the TLSv1.2 record handling for the read side.

This is the next step in replacing the TLSv1.2 record layer.

The existing record handling code does decryption and processing in
place, which is not ideal for various reasons, however it is retained
for now as other code depends on this behaviour. Additionally, CBC
requires special handling to avoid timing oracles - for now the
existing timing safe code is largely retained.

ok beck@ inoguchi@ tb@


Revision tags: OPENBSD_6_8_BASE
# 1.123 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_7_BASE
# 1.122 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.121 13-Mar-2020 jsing

Remove dtls1_enc().

Like much of the original DTLS code, dtls1_enc() is effectively a renamed
copy of tls1_enc(). Since then tls1_enc() has been modified, however the
non-AEAD code remains largely the same. As such, remove dtls1_enc() and
instead call tls1_enc() from the DTLS code.

The tls1_enc() AEAD code does not currently work correctly with DTLS,
however this is a non-issue since we do not support AEAD cipher suites with
DTLS currently.

ok tb@


# 1.120 12-Mar-2020 jsing

Stop overloading the record type for padding length.

Currently the CBC related code stuffs the padding length in the upper bits
of the type field... stop doing that and add a padding_length field to the
record struct instead.

ok inoguchi@ tb@


# 1.119 12-Mar-2020 jsing

Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.

SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in
public headers, even though their usage is internal. This moves to
using _INTERNAL suffixed versions that are in internal headers, which
then allows us to change them without any potential public API fallout.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.118 13-May-2019 bcook

Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.

Fixes COV-174858

ok tb@


Revision tags: OPENBSD_6_5_BASE
# 1.117 09-Feb-2019 jsing

Rename tls1_handshake_hash*() to tls1_transcript_hash*().

While handshake hash is correct (in as far as it is a hash of handshake
messages), using tls1_transcript_hash*() aligns them with the naming of the
tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses
Transcript-Hash and "transcript hash", which this matches.

ok inoguchi@ tb@


# 1.116 08-Nov-2018 jsing

Clean up and simplify the handshake transcript code.

This provides a cleaner, simpler and more readable API, with code that uses
a BUF_MEM instead of a BIO.

ok beck@ ("hurry up") and tb@.


# 1.115 24-Oct-2018 jsing

Make more of libssl's record layer state internal.

In January 2017, we changed large amounts of libssl's data structures to
be non-visible/internal, however intentionally left things that the
software ecosystem was needing to use. The four or so applications that
reached into libssl for record layer related state now implement
alternative code. As such, make these data structures internal.

ok tb@


Revision tags: OPENBSD_6_4_BASE
# 1.114 08-Sep-2018 jsing

Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.

ok inoguchi@ tb@


# 1.113 06-Sep-2018 jsing

Drop SSL_CIPHER_ALGORITHM2_AEAD flag.

All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can
condition on that rather than having a separate redundant flag.

ok tb@


# 1.112 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.111 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.110 31-Aug-2018 jsing

Remove unused argument to tls1_change_cipher_state_cipher().


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.109 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.108 10-Apr-2017 jsing

freezero() the key block; simpler code and less of it.


Revision tags: OPENBSD_6_1_BASE
# 1.107 25-Mar-2017 jsing

Check tls1_PRF() return value in tls1_generate_master_secret().


# 1.106 25-Mar-2017 jsing

More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of
tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument
names and change lengths to size_t.

ok inoguchi@


# 1.105 18-Mar-2017 jsing

Fewer magic numbers.


# 1.104 18-Mar-2017 jsing

t1_enc.c


# 1.103 18-Mar-2017 jsing

Currently tls1_PRF() requires that a temporary buffer be provided, that
matches the size of the output buffer. This is used in the case where
there are multiple hashes - tls_P_hash() is called with the temporary
buffer and the result is then xored into the output buffer.

Avoid this by simply using a local buffer in tls_P_hash() and then xoring
the result into the output buffer. Overall this makes the code cleaner
and simplifies all of the tls_PRF() callers.

Similar to BoringSSL.

ok inoguchi@


# 1.102 10-Mar-2017 jsing

Remove the handshake digests and related code, replacing remaining uses
with the handshake hash. For now tls1_digest_cached_records() is retained
to release the handshake buffer.

ok beck@ inoguchi@


# 1.101 10-Mar-2017 jsing

First pass at cleaning up the tls1_P_hash() function - remove a pointless
EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the
code slightly.

ok inoguchi@


# 1.100 10-Mar-2017 jsing

Make tls1_PRF() non-static so it can be regress tested.


# 1.99 07-Mar-2017 jsing

Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned
and each hash processed separately.

Tested by tb@


# 1.98 06-Mar-2017 jsing

Clean up and simplify the tls1_PRF() implementation now that we have a
single EVP MD for the PRF hash.

ok beck@ inoguchi@


# 1.97 05-Mar-2017 jsing

Provide a rolling handshake hash that commences as soon as the cipher
suite has been selected, and convert the final finish MAC to use this
handshake hash.

This is a first step towards cleaning up the current handshake
buffer/digest code.

ok beck@ inoguchi@


# 1.96 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.95 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.94 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.93 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.92 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.91 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.90 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.89 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.88 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.87 06-Nov-2016 jsing

Remove unused SSLv3 from ssl3_cbc_record_digest_supported().

From Markus Uhlin <markus.uhlin at bredband dot net>

ok beck@ bcooK@


# 1.86 03-Nov-2016 jsing

Clean up the TLS handshake digest handling - this refactors some of the
code for improved readability, however it also address two issues.

The first of these is a hard-to-hit double free that will occur if
EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure
that tls1_digest_cached_records() either completes successfully and sets
up all of the necessary digests, or it cleans up and frees everything
that was allocated.

The second issue is that EVP_DigestUpdate() can fail - detect and handle
this in tls1_finish_mac() and change the return type to an int so that a
failure can be propagated to the caller (the callers still need to be
fixed to handle this, in a later diff).

The double-free was reported by Matthew Dillon.

ok beck@ doug@ miod@


# 1.85 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replaces the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.84 06-Mar-2016 beck

Make sure stdio functions don't end up in the library, from miod@
ok doug@ bcook@


# 1.83 11-Sep-2015 jsing

Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a
ssl3_ prefix.

ok beck@


# 1.82 11-Sep-2015 jsing

Merge the remnants of s3_enc.c into t1_enc.c.

ok beck@


# 1.81 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.80 27-Aug-2015 jsing

Change AEAD out_len argument to size_t instead of ssize_t - while here,
rename it to out_len so that its purpose is more obvious. Also, drop two
checks that are no longer possible (and have not been for a long time).

Spotted by and ok doug@


# 1.79 17-Jul-2015 doug

Remove workaround for TLS padding bug from SSLeay days.

OpenSSL doesn't remember which clients were impacted and the
functionality has been broken in their stable releases for 2 years.

Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.

ok jsing@


# 1.78 17-Jun-2015 jsing

Keep alerts sorted by alert code.


# 1.77 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatability with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.76 07-Feb-2015 doug

Remove useless variables and use the values directly.

From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.

ok miod@, jsing@


# 1.75 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.74 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.73 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.72 16-Nov-2014 jsing

Sort and group includes.


# 1.71 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.70 18-Oct-2014 doug

Typical malloc() with size multiplication to reallocarray().

ok deraadt@


# 1.69 07-Aug-2014 miod

Oops, revert changes commited by mistake. The previous commit was supposed
to only apply to s23_srvr.c.


# 1.68 07-Aug-2014 miod

When you expect a function to return a particular value, don't put a comment
saying that you expect it to return that value and compare it against zero
because it is supposedly faster, for this leads to bugs (especially given the
high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this
library).

Instead, compare for the exact value it ought to return upon success.

ok deraadt@


# 1.67 10-Jul-2014 jsing

Remove more compression related code.


# 1.66 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.65 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.64 08-Jul-2014 beck

pedantic avoidance of division by zero, likely not actually
possible to hit for real.
ok miod@ jsing@


# 1.63 21-Jun-2014 jsing

Pull the code that builds a DTLS sequence number out into its own function
to avoid duplication. Also use fewer magic numbers.

ok miod@


# 1.62 21-Jun-2014 jsing

Pull out the sequence number selection and handle this up front. Also, the
correct record is already known, so avoid reassignment.


# 1.61 21-Jun-2014 jsing

More KNF and clean up.


# 1.60 15-Jun-2014 jsing

Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(),
so that it reflects what it is actually doing. Use this function in a
number of places that still have the hand rolled version.

ok beck@ miod@


# 1.59 13-Jun-2014 jsing

Correctly calculate the key block length when using export ciphers.


# 1.58 13-Jun-2014 jsing

Swap compress/expand around so they are in the correct order - these ended
up in the wrong order when the code was refactored.


# 1.57 13-Jun-2014 jsing

Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and
EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.


# 1.56 13-Jun-2014 jsing

Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are
those that use EVP_AEAD instead of EVP_CIPHER. This means being able to
change cipher state with an EVP_AEAD and being able to encrypt/decrypt
TLS using the EVP_AEAD. This has no change on existing
non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.

Based on Adam Langley's chromium patches.

Rides the recent libssl bump.

Tested by sthen@


# 1.55 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.54 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.53 11-Jun-2014 jsing

Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since
OpenSSL 1.0.0.

ok miod@ (a little while back)


# 1.52 10-Jun-2014 jsing

In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex()
to avoid a possible NULL function call on ctx.final(). None of the callers
currently check the return value of calls to cert_verify_mac(), however
the function already returns 0 in another case and the MAC comparison will
later fail.

Issue reported by David Ramos.


# 1.51 08-Jun-2014 jsing

Add a define for the SSLv3 sequence size and use it, rather than sprinkling
magic numbers around.

ok deraadt@


# 1.50 08-Jun-2014 jsing

Be explicit with types. No binary change.


# 1.49 08-Jun-2014 jsing

Factor out the part of tls1_change_cipher_state() that is specific to
switching cipher states using an EVP_CIPHER. This will facilitate the
addition of cipher state changes for EVP_AEAD. No functional change.

Based on Adam Langley's chromium patches.


# 1.48 08-Jun-2014 jsing

Factor out the sequence number reset code to aid in upcoming changes.


# 1.47 07-Jun-2014 jsing

Add missing NULL check after calling EVP_PKEY_new_mac_key().

Based on Adam Langley's chromium patches.


# 1.46 07-Jun-2014 jsing

Use !is_read to imply SSL3_CC_WRITE.

While this is not strictly correct (since the presence of SSL3_CC_READ does
not guarantee the absence of SSL3_CC_WRITE), in practice only one of these
flags is set at a time and there is existing logic which already relies on
this behaviour.


# 1.45 07-Jun-2014 jsing

Move the export label initialisation into the export handling code, since
this is the only place where these variables are used.


# 1.44 07-Jun-2014 jsing

Remove pointless casts - no binary change.


# 1.43 07-Jun-2014 jsing

Rename variables to make it clear that these are only used in the export
code. Additionally, these need to be cleaned in the export case.

Based on Adam Langley's chromium patches.


# 1.42 07-Jun-2014 jsing

Further clean up of context handling in tls1_change_cipher_state().

Rather than doing a complex dance to figure out if we should reuse the
cipher context and clean it later on, just free it and allocate a new one.
This simplifies the code path, especially in the write case where special
handling is required for DTLS.

Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is
unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention
that it was already missing from the write case).


# 1.41 02-Jun-2014 jsing

Rename more variables for readability and consistency.


# 1.40 01-Jun-2014 jsing

Overhaul the key block handling in tls1_change_cipher_state() - use
meaningful variable names with pointer arithmetic, rather than n, i, j
and p with array indexing.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.39 01-Jun-2014 jsing

In tls1_setup_key_block(), use the correct IV length for GCM mode, which
results in the key block length calculation also being correct. Rename a
number of variables so that their purpose becomes clear and simplify some
of the code.

Inspired by Adam Langley's chromium diffs.

ok miod@


# 1.38 01-Jun-2014 jsing

Clean up the tls1_change_cipher_state() key length handling and use a
single variable with a descriptive name, instead of two poorly named
variables.

Largely based on Adam Langley's chromium patches.

ok miod@


# 1.37 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.36 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.35 29-May-2014 jsing

Fix another two cases where the return value of ssl_replace_hash() is
unchecked.

In the case of tls1_change_cipher_state(), it is fairly pointless to use
ssl_replace_hash(), since it does not initialise the hash and there is
special handling required in the DTLS write case. Instead, just inline
the part of ssl_replace_hash() that is needed and only
ssl_clear_hash_ctx() the write hash in the non-DTLS case.

Also add a detailed comment explaining why there needs to be specialised
handling for DTLS write context and where the contexts are actually freed.

ok miod@


# 1.34 28-May-2014 jsing

More KNF.


# 1.33 28-May-2014 jsing

Refactor tls1_change_cipher_state() and split the compression handling out
from the cipher and message digest handling, allowing for upcoming changes.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.32 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.31 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.30 25-May-2014 jsing

The ssl_cipher_get_evp() function is currently overloaded to also return the
compression associated with the SSL session. Based on one of Adam Langley's
chromium diffs, factor out the compression handling code into a separate
ssl_cipher_get_comp() function.

Rewrite the compression handling code to avoid pointless duplication and so
that failures are actually returned to and detectable by the caller.

ok miod@


# 1.29 24-May-2014 miod

Invoke OPENSSL_cleanse() with the size of the variable you are cleaning.
ok jsing@


# 1.28 20-May-2014 jsing

KSSL is dead... nuke KSSL_DEBUG from orbit.

ok beck@ miod@


# 1.27 28-Apr-2014 tedu

use the correct algorithm mask. reported by satish lvr via
http://marc.info/?l=openssl-dev&m=139779977532459&w=2
ok miod


# 1.26 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.25 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.24 19-Apr-2014 jsing

More KNF.


# 1.23 18-Apr-2014 tedu

now that knf carpet bombing is finished, switch to hand to hand combat.
still not sure what to make of mysteries like this:
for (i = 7; i >= 0; i--) { /* increment */


# 1.22 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.21 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.20 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.19 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.18 27-Feb-2014 jca

SECURITY fixes backported from openssl-1.0.1f. ok mikeb@

CVE-2013-4353 NULL pointer dereference with crafted Next Protocol
Negotiation record in TLS handshake.
Upstream: 197e0ea

CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client.
Upstream: ca98926, 0294b2b

CVE-2013-6450 Fix DTLS retransmission from previous session.
Upstream: 3462896


# 1.17 14-Feb-2013 markus

cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.14 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.13 09-Jan-2009 djm

resolve conflicts


# 1.12 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.11 06-Sep-2008 djm

resolve conflicts


# 1.10 29-Apr-2005 djm

resolve conflicts


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 01-Aug-2001 beck

merge openssl 0.9.6b-engine

Note that this is a maintenance release, APIs appear *not* to have changed.
As such, I have only increased the minor number on these libraries


# 1.5 22-Jun-2001 beck

openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.128 07-Jan-2021 jsing

Move the read MAC key into the TLSv1.2 record layer.

ok inoguchi@ tb@


# 1.127 11-Nov-2020 jsing

Use size_t for key_block_len.

This allows us to remove a check and will make future changes simpler. Use
suitable names for tls1_generate_key_block() arguments while here.

ok inoguchi@ tb@


# 1.126 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.125 07-Oct-2020 jsing

Mop up various things that are now unused with the new record layer.

ok inoguchi@ tb@


# 1.124 03-Oct-2020 jsing

Reimplement the TLSv1.2 record handling for the read side.

This is the next step in replacing the TLSv1.2 record layer.

The existing record handling code does decryption and processing in
place, which is not ideal for various reasons, however it is retained
for now as other code depends on this behaviour. Additionally, CBC
requires special handling to avoid timing oracles - for now the
existing timing safe code is largely retained.

ok beck@ inoguchi@ tb@


Revision tags: OPENBSD_6_8_BASE
# 1.123 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_7_BASE
# 1.122 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.121 13-Mar-2020 jsing

Remove dtls1_enc().

Like much of the original DTLS code, dtls1_enc() is effectively a renamed
copy of tls1_enc(). Since then tls1_enc() has been modified, however the
non-AEAD code remains largely the same. As such, remove dtls1_enc() and
instead call tls1_enc() from the DTLS code.

The tls1_enc() AEAD code does not currently work correctly with DTLS,
however this is a non-issue since we do not support AEAD cipher suites with
DTLS currently.

ok tb@


# 1.120 12-Mar-2020 jsing

Stop overloading the record type for padding length.

Currently the CBC related code stuffs the padding length in the upper bits
of the type field... stop doing that and add a padding_length field to the
record struct instead.

ok inoguchi@ tb@


# 1.119 12-Mar-2020 jsing

Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.

SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in
public headers, even though their usage is internal. This moves to
using _INTERNAL suffixed versions that are in internal headers, which
then allows us to change them without any potential public API fallout.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.118 13-May-2019 bcook

Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.

Fixes COV-174858

ok tb@


Revision tags: OPENBSD_6_5_BASE
# 1.117 09-Feb-2019 jsing

Rename tls1_handshake_hash*() to tls1_transcript_hash*().

While handshake hash is correct (in as far as it is a hash of handshake
messages), using tls1_transcript_hash*() aligns them with the naming of the
tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses
Transcript-Hash and "transcript hash", which this matches.

ok inoguchi@ tb@


# 1.116 08-Nov-2018 jsing

Clean up and simplify the handshake transcript code.

This provides a cleaner, simpler and more readable API, with code that uses
a BUF_MEM instead of a BIO.

ok beck@ ("hurry up") and tb@.


# 1.115 24-Oct-2018 jsing

Make more of libssl's record layer state internal.

In January 2017, we changed large amounts of libssl's data structures to
be non-visible/internal, however intentionally left things that the
software ecosystem was needing to use. The four or so applications that
reached into libssl for record layer related state now implement
alternative code. As such, make these data structures internal.

ok tb@


Revision tags: OPENBSD_6_4_BASE
# 1.114 08-Sep-2018 jsing

Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.

ok inoguchi@ tb@


# 1.113 06-Sep-2018 jsing

Drop SSL_CIPHER_ALGORITHM2_AEAD flag.

All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can
condition on that rather than having a separate redundant flag.

ok tb@


# 1.112 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.111 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.110 31-Aug-2018 jsing

Remove unused argument to tls1_change_cipher_state_cipher().


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.109 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.108 10-Apr-2017 jsing

freezero() the key block; simpler code and less of it.


Revision tags: OPENBSD_6_1_BASE
# 1.107 25-Mar-2017 jsing

Check tls1_PRF() return value in tls1_generate_master_secret().


# 1.106 25-Mar-2017 jsing

More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of
tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument
names and change lengths to size_t.

ok inoguchi@


# 1.105 18-Mar-2017 jsing

Fewer magic numbers.


# 1.104 18-Mar-2017 jsing

t1_enc.c


# 1.103 18-Mar-2017 jsing

Currently tls1_PRF() requires that a temporary buffer be provided, that
matches the size of the output buffer. This is used in the case where
there are multiple hashes - tls_P_hash() is called with the temporary
buffer and the result is then xored into the output buffer.

Avoid this by simply using a local buffer in tls_P_hash() and then xoring
the result into the output buffer. Overall this makes the code cleaner
and simplifies all of the tls_PRF() callers.

Similar to BoringSSL.

ok inoguchi@


# 1.102 10-Mar-2017 jsing

Remove the handshake digests and related code, replacing remaining uses
with the handshake hash. For now tls1_digest_cached_records() is retained
to release the handshake buffer.

ok beck@ inoguchi@


# 1.101 10-Mar-2017 jsing

First pass at cleaning up the tls1_P_hash() function - remove a pointless
EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the
code slightly.

ok inoguchi@


# 1.100 10-Mar-2017 jsing

Make tls1_PRF() non-static so it can be regress tested.


# 1.99 07-Mar-2017 jsing

Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned
and each hash processed separately.

Tested by tb@


# 1.98 06-Mar-2017 jsing

Clean up and simplify the tls1_PRF() implementation now that we have a
single EVP MD for the PRF hash.

ok beck@ inoguchi@


# 1.97 05-Mar-2017 jsing

Provide a rolling handshake hash that commences as soon as the cipher
suite has been selected, and convert the final finish MAC to use this
handshake hash.

This is a first step towards cleaning up the current handshake
buffer/digest code.

ok beck@ inoguchi@


# 1.96 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.95 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.94 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.93 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.92 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.91 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.90 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.89 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.88 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.87 06-Nov-2016 jsing

Remove unused SSLv3 from ssl3_cbc_record_digest_supported().

From Markus Uhlin <markus.uhlin at bredband dot net>

ok beck@ bcook@


# 1.86 03-Nov-2016 jsing

Clean up the TLS handshake digest handling - this refactors some of the
code for improved readability, however it also addresses two issues.

The first of these is a hard-to-hit double free that will occur if
EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure
that tls1_digest_cached_records() either completes successfully and sets
up all of the necessary digests, or it cleans up and frees everything
that was allocated.

The second issue is that EVP_DigestUpdate() can fail - detect and handle
this in tls1_finish_mac() and change the return type to an int so that a
failure can be propagated to the caller (the callers still need to be
fixed to handle this, in a later diff).

The double-free was reported by Matthew Dillon.

ok beck@ doug@ miod@


# 1.85 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replaces the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.84 06-Mar-2016 beck

Make sure stdio functions don't end up in the library, from miod@
ok doug@ bcook@


# 1.83 11-Sep-2015 jsing

Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a
ssl3_ prefix.

ok beck@


# 1.82 11-Sep-2015 jsing

Merge the remnants of s3_enc.c into t1_enc.c.

ok beck@


# 1.81 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.80 27-Aug-2015 jsing

Change AEAD out_len argument to size_t instead of ssize_t - while here,
rename it to out_len so that its purpose is more obvious. Also, drop two
checks that are no longer possible (and have not been for a long time).

Spotted by and ok doug@


# 1.79 17-Jul-2015 doug

Remove workaround for TLS padding bug from SSLeay days.

OpenSSL doesn't remember which clients were impacted and the
functionality has been broken in their stable releases for 2 years.

Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.

ok jsing@


# 1.78 17-Jun-2015 jsing

Keep alerts sorted by alert code.


# 1.77 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.76 07-Feb-2015 doug

Remove useless variables and use the values directly.

From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.

ok miod@, jsing@


# 1.75 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.74 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.73 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.72 16-Nov-2014 jsing

Sort and group includes.


# 1.71 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.70 18-Oct-2014 doug

Typical malloc() with size multiplication to reallocarray().

ok deraadt@


# 1.69 07-Aug-2014 miod

Oops, revert changes commited by mistake. The previous commit was supposed
to only apply to s23_srvr.c.


# 1.68 07-Aug-2014 miod

When you expect a function to return a particular value, don't put a comment
saying that you expect it to return that value and compare it against zero
because it is supposedly faster, for this leads to bugs (especially given the
high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this
library).

Instead, compare for the exact value it ought to return upon success.

ok deraadt@


# 1.67 10-Jul-2014 jsing

Remove more compression related code.


# 1.66 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.65 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.64 08-Jul-2014 beck

pedantic avoidance of division by zero, likely not actually
possible to hit for real.
ok miod@ jsing@


# 1.63 21-Jun-2014 jsing

Pull the code that builds a DTLS sequence number out into its own function
to avoid duplication. Also use fewer magic numbers.

ok miod@


# 1.62 21-Jun-2014 jsing

Pull out the sequence number selection and handle this up front. Also, the
correct record is already known, so avoid reassignment.


# 1.61 21-Jun-2014 jsing

More KNF and clean up.


# 1.60 15-Jun-2014 jsing

Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(),
so that it reflects what it is actually doing. Use this function in a
number of places that still have the hand rolled version.

ok beck@ miod@


# 1.59 13-Jun-2014 jsing

Correctly calculate the key block length when using export ciphers.


# 1.58 13-Jun-2014 jsing

Swap compress/expand around so they are in the correct order - these ended
up in the wrong order when the code was refactored.


# 1.57 13-Jun-2014 jsing

Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and
EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.


# 1.56 13-Jun-2014 jsing

Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are
those that use EVP_AEAD instead ov EVP_CIPHER. This means being able to
change cipher state with an EVP_AEAD and being able to encrypt/decrypt
TLS using the EVP_AEAD. This has no change on existing
non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.

Based on Adam Langley's chromium patches.

Rides the recent libssl bump.

Tested by sthen@


# 1.55 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, which draft has expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.54 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.53 11-Jun-2014 jsing

Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since
OpenSSL 1.0.0.

ok miod@ (a little while back)


# 1.52 10-Jun-2014 jsing

In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex()
to avoid a possible NULL function call on ctx.final(). None of the callers
currently check the return value of calls to cert_verify_mac(), however
the function already returns 0 in another case and the MAC comparison will
later fail.

Issue reported by David Ramos.


# 1.51 08-Jun-2014 jsing

Add a define for the SSLv3 sequence size and use it, rather than sprinkling
magic numbers around.

ok deraadt@


# 1.50 08-Jun-2014 jsing

Be explicit with types. No binary change.


# 1.49 08-Jun-2014 jsing

Factor out the part of tls1_change_cipher_state() that is specific to
switching cipher states using an EVP_CIPHER. This will facilitate the
addition of cipher state changes for EVP_AEAD. No functional change.

Based on Adam Langley's chromium patches.


# 1.48 08-Jun-2014 jsing

Factor out the sequence number reset code to aid in upcoming changes.


# 1.47 07-Jun-2014 jsing

Add missing NULL check after calling EVP_PKEY_new_mac_key().

Based on Adam Langley's chromium patches.


# 1.46 07-Jun-2014 jsing

Use !is_read to imply SSL3_CC_WRITE.

While this is not strictly correct (since the presence of SSL3_CC_READ does
not guarantee the absence of SSL3_CC_WRITE), in practice only one of these
flags is set at a time and there is existing logic which already relies on
this behaviour.


# 1.45 07-Jun-2014 jsing

Move the export label initialisation into the export handling code, since
this is the only place where these variables are used.


# 1.44 07-Jun-2014 jsing

Remove pointless casts - no binary change.


# 1.43 07-Jun-2014 jsing

Rename variables to make it clear that these are only used in the export
code. Additionally, these need to be cleaned in the export case.

Based on Adam Langley's chromium patches.


# 1.42 07-Jun-2014 jsing

Further clean up of context handling in tls1_change_cipher_state().

Rather than doing a complex dance to figure out if we should reuse the
cipher context and clean it later on, just free it and allocate a new one.
This simplifies the code path, especially in the write case where special
handling is required for DTLS.

Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is
unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention
that it was already missing from the write case).


# 1.41 02-Jun-2014 jsing

Rename more variables for readability and consistency.


# 1.40 01-Jun-2014 jsing

Overhaul the key block handling in tls1_change_cipher_state() - use
meaningful variable names with pointer arithmitic, rather than n, i, j
and p with array indexing.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.39 01-Jun-2014 jsing

In tls1_setup_key_block(), use the correct IV length for GCM mode, which
results in the key block length calculation also being correct. Rename a
number of variables so that their purpose becomes clear and simplify some
of the code.

Inspired by Adam Langley's chromium diffs.

ok miod@


# 1.38 01-Jun-2014 jsing

Clean up the tls1_change_cipher_state() key length handling and use a
single variable with a descriptive name, instead of two poorly named
variables.

Largely based on Adam Langley's chromium patches.

ok miod@


# 1.37 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.36 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.35 29-May-2014 jsing

Fix another two cases where the return value of ssl_replace_hash() is
unchecked.

In the case of tls1_change_cipher_state(), it is fairly pointless to use
ssl_replace_hash(), since it does not initialise the hash and there is
special handling required in the DTLS write case. Instead, just inline
the part of ssl_replace_hash() that is needed and only
ssl_clear_hash_ctx() the write hash in the non-DTLS case.

Also add a detailed comment explaining why there needs to be specialised
handling for DTLS write context and where the contexts are actually freed.

ok miod@


# 1.34 28-May-2014 jsing

More KNF.


# 1.33 28-May-2014 jsing

Refactor tls1_change_cipher_state() and split the compression handling out
from the cipher and message digest handling, allowing for upcoming changes.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.32 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.31 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.30 25-May-2014 jsing

The ssl_cipher_get_evp() function is currently overloaded to also return the
compression associated with the SSL session. Based on one of Adam Langley's
chromium diffs, factor out the compression handling code into a separate
ssl_cipher_get_comp() function.

Rewrite the compression handling code to avoid pointless duplication and so
that failures are actually returned to and detectable by the caller.

ok miod@


# 1.29 24-May-2014 miod

Invoke OPENSSL_cleanse() with the size of the variable you are cleaning.
ok jsing@


# 1.28 20-May-2014 jsing

KSSL is dead... nuke KSSL_DEBUG from orbit.

ok beck@ miod@


# 1.27 28-Apr-2014 tedu

use the correct algorithm mask. reported by satish lvr via
http://marc.info/?l=openssl-dev&m=139779977532459&w=2
ok miod


# 1.26 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.25 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.24 19-Apr-2014 jsing

More KNF.


# 1.23 18-Apr-2014 tedu

now that knf carpet bombing is finished, switch to hand to hand combat.
still not sure what to make of mysteries like this:
for (i = 7; i >= 0; i--) { /* increment */


# 1.22 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.21 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.20 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.19 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.18 27-Feb-2014 jca

SECURITY fixes backported from openssl-1.0.1f. ok mikeb@

CVE-2013-4353 NULL pointer dereference with crafted Next Protocol
Negotiation record in TLS handshake.
Upstream: 197e0ea

CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client.
Upstream: ca98926, 0294b2b

CVE-2013-6450 Fix DTLS retransmission from previous session.
Upstream: 3462896


# 1.17 14-Feb-2013 markus

cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.14 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.13 09-Jan-2009 djm

resolve conflicts


# 1.12 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.11 06-Sep-2008 djm

resolve conflicts


# 1.10 29-Apr-2005 djm

resolve conflicts


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 01-Aug-2001 beck

merge openssl 0.9.6b-engine

Note that this is a maintenance release; APIs appear *not* to have changed.
As such, I have only increased the minor number on these libraries.


# 1.5 22-Jun-2001 beck

openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.127 11-Nov-2020 jsing

Use size_t for key_block_len.

This allows us to remove a check and will make future changes simpler. Use
suitable names for tls1_generate_key_block() arguments while here.

ok inoguchi@ tb@


# 1.126 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.125 07-Oct-2020 jsing

Mop up various things that are now unused with the new record layer.

ok inoguchi@ tb@


# 1.124 03-Oct-2020 jsing

Reimplement the TLSv1.2 record handling for the read side.

This is the next step in replacing the TLSv1.2 record layer.

The existing record handling code does decryption and processing in
place, which is not ideal for various reasons, however it is retained
for now as other code depends on this behaviour. Additionally, CBC
requires special handling to avoid timing oracles - for now the
existing timing safe code is largely retained.

ok beck@ inoguchi@ tb@


Revision tags: OPENBSD_6_8_BASE
# 1.123 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_7_BASE
# 1.122 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.121 13-Mar-2020 jsing

Remove dtls1_enc().

Like much of the original DTLS code, dtls1_enc() is effectively a renamed
copy of tls1_enc(). Since then tls1_enc() has been modified, however the
non-AEAD code remains largely the same. As such, remove dtls1_enc() and
instead call tls1_enc() from the DTLS code.

The tls1_enc() AEAD code does not currently work correctly with DTLS,
however this is a non-issue since we do not support AEAD cipher suites with
DTLS currently.

ok tb@


# 1.120 12-Mar-2020 jsing

Stop overloading the record type for padding length.

Currently the CBC related code stuffs the padding length in the upper bits
of the type field... stop doing that and add a padding_length field to the
record struct instead.

ok inoguchi@ tb@


# 1.119 12-Mar-2020 jsing

Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.

SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in
public headers, even though their usage is internal. This moves to
using _INTERNAL suffixed versions that are in internal headers, which
then allows us to change them without any potential public API fallout.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.118 13-May-2019 bcook

Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.

Fixes COV-174858

ok tb@


Revision tags: OPENBSD_6_5_BASE
# 1.117 09-Feb-2019 jsing

Rename tls1_handshake_hash*() to tls1_transcript_hash*().

While handshake hash is correct (in as far as it is a hash of handshake
messages), using tls1_transcript_hash*() aligns them with the naming of the
tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses
Transcript-Hash and "transcript hash", which this matches.

ok inoguchi@ tb@


# 1.116 08-Nov-2018 jsing

Clean up and simplify the handshake transcript code.

This provides a cleaner, simpler and more readable API, with code that uses
a BUF_MEM instead of a BIO.

ok beck@ ("hurry up") and tb@.


# 1.115 24-Oct-2018 jsing

Make more of libssl's record layer state internal.

In January 2017, we changed large amounts of libssl's data structures to
be non-visible/internal, however intentionally left things that the
software ecosystem was needing to use. The four or so applications that
reached into libssl for record layer related state now implement
alternative code. As such, make these data structures internal.

ok tb@


Revision tags: OPENBSD_6_4_BASE
# 1.114 08-Sep-2018 jsing

Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.

ok inoguchi@ tb@


# 1.113 06-Sep-2018 jsing

Drop SSL_CIPHER_ALGORITHM2_AEAD flag.

All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can
condition on that rather than having a separate redundant flag.

ok tb@


# 1.112 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.111 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.110 31-Aug-2018 jsing

Remove unused argument to tls1_change_cipher_state_cipher().


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.109 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.108 10-Apr-2017 jsing

freezero() the key block; simpler code and less of it.


Revision tags: OPENBSD_6_1_BASE
# 1.107 25-Mar-2017 jsing

Check tls1_PRF() return value in tls1_generate_master_secret().


# 1.106 25-Mar-2017 jsing

More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of
tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument
names and change lengths to size_t.

ok inoguchi@


# 1.105 18-Mar-2017 jsing

Fewer magic numbers.


# 1.104 18-Mar-2017 jsing

t1_enc.c


# 1.103 18-Mar-2017 jsing

Currently tls1_PRF() requires that a temporary buffer be provided, that
matches the size of the output buffer. This is used in the case where
there are multiple hashes - tls_P_hash() is called with the temporary
buffer and the result is then xored into the output buffer.

Avoid this by simply using a local buffer in tls_P_hash() and then xoring
the result into the output buffer. Overall this makes the code cleaner
and simplifies all of the tls_PRF() callers.

Similar to BoringSSL.

ok inoguchi@


# 1.102 10-Mar-2017 jsing

Remove the handshake digests and related code, replacing remaining uses
with the handshake hash. For now tls1_digest_cached_records() is retained
to release the handshake buffer.

ok beck@ inoguchi@


# 1.101 10-Mar-2017 jsing

First pass at cleaning up the tls1_P_hash() function - remove a pointless
EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the
code slightly.

ok inoguchi@


# 1.100 10-Mar-2017 jsing

Make tls1_PRF() non-static so it can be regress tested.


# 1.99 07-Mar-2017 jsing

Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned
and each hash processed separately.

Tested by tb@


# 1.98 06-Mar-2017 jsing

Clean up and simplify the tls1_PRF() implementation now that we have a
single EVP MD for the PRF hash.

ok beck@ inoguchi@


# 1.97 05-Mar-2017 jsing

Provide a rolling handshake hash that commences as soon as the cipher
suite has been selected, and convert the final finish MAC to use this
handshake hash.

This is a first step towards cleaning up the current handshake
buffer/digest code.

ok beck@ inoguchi@


# 1.96 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.95 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.94 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong.
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.93 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.92 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.91 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.90 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.89 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.88 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.87 06-Nov-2016 jsing

Remove unused SSLv3 from ssl3_cbc_record_digest_supported().

From Markus Uhlin <markus.uhlin at bredband dot net>

ok beck@ bcook@


# 1.86 03-Nov-2016 jsing

Clean up the TLS handshake digest handling - this refactors some of the
code for improved readability, however it also addresses two issues.

The first of these is a hard-to-hit double free that will occur if
EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure
that tls1_digest_cached_records() either completes successfully and sets
up all of the necessary digests, or it cleans up and frees everything
that was allocated.

The second issue is that EVP_DigestUpdate() can fail - detect and handle
this in tls1_finish_mac() and change the return type to an int so that a
failure can be propagated to the caller (the callers still need to be
fixed to handle this, in a later diff).

The double-free was reported by Matthew Dillon.

ok beck@ doug@ miod@


# 1.85 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replacing the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.84 06-Mar-2016 beck

Make sure stdio functions don't end up in the library, from miod@
ok doug@ bcook@


# 1.83 11-Sep-2015 jsing

Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a
ssl3_ prefix.

ok beck@


# 1.82 11-Sep-2015 jsing

Merge the remnants of s3_enc.c into t1_enc.c.

ok beck@


# 1.81 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.80 27-Aug-2015 jsing

Change AEAD out_len argument to size_t instead of ssize_t - while here,
rename it to out_len so that its purpose is more obvious. Also, drop two
checks that are no longer possible (and have not been for a long time).

Spotted by and ok doug@


# 1.79 17-Jul-2015 doug

Remove workaround for TLS padding bug from SSLeay days.

OpenSSL doesn't remember which clients were impacted and the
functionality has been broken in their stable releases for 2 years.

Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.

ok jsing@


# 1.78 17-Jun-2015 jsing

Keep alerts sorted by alert code.


# 1.77 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.76 07-Feb-2015 doug

Remove useless variables and use the values directly.

From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.

ok miod@, jsing@


# 1.75 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.74 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.73 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.72 16-Nov-2014 jsing

Sort and group includes.


# 1.71 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.70 18-Oct-2014 doug

Typical malloc() with size multiplication to reallocarray().

ok deraadt@


# 1.69 07-Aug-2014 miod

Oops, revert changes committed by mistake. The previous commit was supposed
to only apply to s23_srvr.c.


# 1.68 07-Aug-2014 miod

When you expect a function to return a particular value, don't put a comment
saying that you expect it to return that value and compare it against zero
because it is supposedly faster, for this leads to bugs (especially given the
high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this
library).

Instead, compare for the exact value it ought to return upon success.

ok deraadt@


# 1.67 10-Jul-2014 jsing

Remove more compression related code.


# 1.66 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.65 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.64 08-Jul-2014 beck

pedantic avoidance of division by zero, likely not actually
possible to hit for real.
ok miod@ jsing@


# 1.63 21-Jun-2014 jsing

Pull the code that builds a DTLS sequence number out into its own function
to avoid duplication. Also use fewer magic numbers.

ok miod@


# 1.62 21-Jun-2014 jsing

Pull out the sequence number selection and handle this up front. Also, the
correct record is already known, so avoid reassignment.


# 1.61 21-Jun-2014 jsing

More KNF and clean up.


# 1.60 15-Jun-2014 jsing

Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(),
so that it reflects what it is actually doing. Use this function in a
number of places that still have the hand rolled version.

ok beck@ miod@


# 1.59 13-Jun-2014 jsing

Correctly calculate the key block length when using export ciphers.


# 1.58 13-Jun-2014 jsing

Swap compress/expand around so they are in the correct order - these ended
up in the wrong order when the code was refactored.


# 1.57 13-Jun-2014 jsing

Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and
EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.


# 1.56 13-Jun-2014 jsing

Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are
those that use EVP_AEAD instead of EVP_CIPHER. This means being able to
change cipher state with an EVP_AEAD and being able to encrypt/decrypt
TLS using the EVP_AEAD. This has no change on existing
non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.

Based on Adam Langley's chromium patches.

Rides the recent libssl bump.

Tested by sthen@


# 1.55 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, which draft has expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.54 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.53 11-Jun-2014 jsing

Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since
OpenSSL 1.0.0.

ok miod@ (a little while back)


# 1.52 10-Jun-2014 jsing

In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex()
to avoid a possible NULL function call on ctx.final(). None of the callers
currently check the return value of calls to cert_verify_mac(), however
the function already returns 0 in another case and the MAC comparison will
later fail.

Issue reported by David Ramos.


# 1.51 08-Jun-2014 jsing

Add a define for the SSLv3 sequence size and use it, rather than sprinkling
magic numbers around.

ok deraadt@


# 1.50 08-Jun-2014 jsing

Be explicit with types. No binary change.


# 1.49 08-Jun-2014 jsing

Factor out the part of tls1_change_cipher_state() that is specific to
switching cipher states using an EVP_CIPHER. This will facilitate the
addition of cipher state changes for EVP_AEAD. No functional change.

Based on Adam Langley's chromium patches.


# 1.48 08-Jun-2014 jsing

Factor out the sequence number reset code to aid in upcoming changes.


# 1.47 07-Jun-2014 jsing

Add missing NULL check after calling EVP_PKEY_new_mac_key().

Based on Adam Langley's chromium patches.


# 1.46 07-Jun-2014 jsing

Use !is_read to imply SSL3_CC_WRITE.

While this is not strictly correct (since the presence of SSL3_CC_READ does
not guarantee the absence of SSL3_CC_WRITE), in practice only one of these
flags is set at a time and there is existing logic which already relies on
this behaviour.


# 1.45 07-Jun-2014 jsing

Move the export label initialisation into the export handling code, since
this is the only place where these variables are used.




Provide a rolling handshake hash that commences as soon as the cipher
suite has been selected, and convert the final finish MAC to use this
handshake hash.

This is a first step towards cleaning up the current handshake
buffer/digest code.

ok beck@ inoguchi@


# 1.96 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.95 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.94 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.93 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.92 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.91 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.90 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.89 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.88 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.87 06-Nov-2016 jsing

Remove unused SSLv3 from ssl3_cbc_record_digest_supported().

From Markus Uhlin <markus.uhlin at bredband dot net>

ok beck@ bcook@


# 1.86 03-Nov-2016 jsing

Clean up the TLS handshake digest handling - this refactors some of the
code for improved readability, however it also addresses two issues.

The first of these is a hard-to-hit double free that will occur if
EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure
that tls1_digest_cached_records() either completes successfully and sets
up all of the necessary digests, or it cleans up and frees everything
that was allocated.

The second issue is that EVP_DigestUpdate() can fail - detect and handle
this in tls1_finish_mac() and change the return type to an int so that a
failure can be propagated to the caller (the callers still need to be
fixed to handle this, in a later diff).

The double-free was reported by Matthew Dillon.

ok beck@ doug@ miod@


# 1.85 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replacing the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.84 06-Mar-2016 beck

Make sure stdio functions don't end up in the library, from miod@
ok doug@ bcook@


# 1.83 11-Sep-2015 jsing

Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a
ssl3_ prefix.

ok beck@


# 1.82 11-Sep-2015 jsing

Merge the remnants of s3_enc.c into t1_enc.c.

ok beck@


# 1.81 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.80 27-Aug-2015 jsing

Change AEAD out_len argument to size_t instead of ssize_t - while here,
rename it to out_len so that its purpose is more obvious. Also, drop two
checks that are no longer possible (and have not been for a long time).

Spotted by and ok doug@


# 1.79 17-Jul-2015 doug

Remove workaround for TLS padding bug from SSLeay days.

OpenSSL doesn't remember which clients were impacted and the
functionality has been broken in their stable releases for 2 years.

Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.

ok jsing@


# 1.78 17-Jun-2015 jsing

Keep alerts sorted by alert code.


# 1.77 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.76 07-Feb-2015 doug

Remove useless variables and use the values directly.

From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.

ok miod@, jsing@


# 1.75 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.74 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.73 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.72 16-Nov-2014 jsing

Sort and group includes.


# 1.71 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.70 18-Oct-2014 doug

Typical malloc() with size multiplication to reallocarray().

ok deraadt@


# 1.69 07-Aug-2014 miod

Oops, revert changes committed by mistake. The previous commit was supposed
to only apply to s23_srvr.c.


# 1.68 07-Aug-2014 miod

When you expect a function to return a particular value, don't put a comment
saying that you expect it to return that value and compare it against zero
because it is supposedly faster, for this leads to bugs (especially given the
high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this
library).

Instead, compare for the exact value it ought to return upon success.

ok deraadt@


# 1.67 10-Jul-2014 jsing

Remove more compression related code.


# 1.66 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.65 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.64 08-Jul-2014 beck

pedantic avoidance of division by zero, likely not actually
possible to hit for real.
ok miod@ jsing@


# 1.63 21-Jun-2014 jsing

Pull the code that builds a DTLS sequence number out into its own function
to avoid duplication. Also use fewer magic numbers.

ok miod@


# 1.62 21-Jun-2014 jsing

Pull out the sequence number selection and handle this up front. Also, the
correct record is already known, so avoid reassignment.


# 1.61 21-Jun-2014 jsing

More KNF and clean up.


# 1.60 15-Jun-2014 jsing

Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(),
so that it reflects what it is actually doing. Use this function in a
number of places that still have the hand rolled version.

ok beck@ miod@


# 1.59 13-Jun-2014 jsing

Correctly calculate the key block length when using export ciphers.


# 1.58 13-Jun-2014 jsing

Swap compress/expand around so they are in the correct order - these ended
up in the wrong order when the code was refactored.


# 1.57 13-Jun-2014 jsing

Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and
EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.


# 1.56 13-Jun-2014 jsing

Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are
those that use EVP_AEAD instead of EVP_CIPHER. This means being able to
change cipher state with an EVP_AEAD and being able to encrypt/decrypt
TLS using the EVP_AEAD. This has no effect on existing
non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.

Based on Adam Langley's chromium patches.

Rides the recent libssl bump.

Tested by sthen@


# 1.55 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.54 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.53 11-Jun-2014 jsing

Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since
OpenSSL 1.0.0.

ok miod@ (a little while back)


# 1.52 10-Jun-2014 jsing

In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex()
to avoid a possible NULL function call on ctx.final(). None of the callers
currently check the return value of calls to cert_verify_mac(), however
the function already returns 0 in another case and the MAC comparison will
later fail.

Issue reported by David Ramos.


# 1.51 08-Jun-2014 jsing

Add a define for the SSLv3 sequence size and use it, rather than sprinkling
magic numbers around.

ok deraadt@


# 1.50 08-Jun-2014 jsing

Be explicit with types. No binary change.


# 1.49 08-Jun-2014 jsing

Factor out the part of tls1_change_cipher_state() that is specific to
switching cipher states using an EVP_CIPHER. This will facilitate the
addition of cipher state changes for EVP_AEAD. No functional change.

Based on Adam Langley's chromium patches.


# 1.48 08-Jun-2014 jsing

Factor out the sequence number reset code to aid in upcoming changes.


# 1.47 07-Jun-2014 jsing

Add missing NULL check after calling EVP_PKEY_new_mac_key().

Based on Adam Langley's chromium patches.


# 1.46 07-Jun-2014 jsing

Use !is_read to imply SSL3_CC_WRITE.

While this is not strictly correct (since the presence of SSL3_CC_READ does
not guarantee the absence of SSL3_CC_WRITE), in practice only one of these
flags is set at a time and there is existing logic which already relies on
this behaviour.


# 1.45 07-Jun-2014 jsing

Move the export label initialisation into the export handling code, since
this is the only place where these variables are used.


# 1.44 07-Jun-2014 jsing

Remove pointless casts - no binary change.


# 1.43 07-Jun-2014 jsing

Rename variables to make it clear that these are only used in the export
code. Additionally, these need to be cleaned in the export case.

Based on Adam Langley's chromium patches.


# 1.42 07-Jun-2014 jsing

Further clean up of context handling in tls1_change_cipher_state().

Rather than doing a complex dance to figure out if we should reuse the
cipher context and clean it later on, just free it and allocate a new one.
This simplifies the code path, especially in the write case where special
handling is required for DTLS.

Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is
unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention
that it was already missing from the write case).


# 1.41 02-Jun-2014 jsing

Rename more variables for readability and consistency.


# 1.40 01-Jun-2014 jsing

Overhaul the key block handling in tls1_change_cipher_state() - use
meaningful variable names with pointer arithmetic, rather than n, i, j
and p with array indexing.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.39 01-Jun-2014 jsing

In tls1_setup_key_block(), use the correct IV length for GCM mode, which
results in the key block length calculation also being correct. Rename a
number of variables so that their purpose becomes clear and simplify some
of the code.

Inspired by Adam Langley's chromium diffs.

ok miod@
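
The PRF and key block derivation that the 1.38 to 1.40 entries and the 1.98 to 1.106 entries refer to, as an added example written from RFC 2246 section 5 and RFC 5246 sections 5 and 6.3. This is not libssl's tls1_PRF()/tls1_P_hash() code; the function names, the cipher parameters and the sample secret and randoms are the example's own constructed values. It shows the MD5+SHA-1 secret partitioning from 1.99 (the two halves overlap by one byte when the secret has odd length), the single-hash TLS 1.2 PRF from 1.98, and the key block layout from 1.39/1.40, including the 4-byte fixed IV that an AES-GCM suite takes from the block.

```python
"""TLS PRF and key block expansion (RFC 2246 s.5, RFC 5246 s.5 and s.6.3).

Added example, not libssl code. Names and sample values are the example's own.
"""
import hmac
from typing import Callable, Dict, Tuple


def p_hash(hash_name: str, secret: bytes, seed: bytes, out_len: int) -> bytes:
    """P_hash(secret, seed) = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ...
    with A(0) = seed and A(i) = HMAC(secret, A(i-1)), truncated to out_len bytes."""
    out = bytearray()
    a = seed
    while len(out) < out_len:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return bytes(out[:out_len])


def split_secret(secret: bytes) -> Tuple[bytes, bytes]:
    """RFC 2246: S1 is the first half and S2 the second half of the secret. For an odd
    length both halves are ceil(len/2) bytes long and share the middle byte."""
    half = (len(secret) + 1) // 2
    return secret[:half], secret[len(secret) - half:]


def tls10_prf(secret: bytes, label: bytes, seed: bytes, out_len: int) -> bytes:
    """TLS 1.0/1.1: PRF = P_MD5(S1, label + seed) XOR P_SHA1(S2, label + seed).
    Each hash runs over its own half of the secret (the fix described in 1.99)."""
    s1, s2 = split_secret(secret)
    md5_part = p_hash("md5", s1, label + seed, out_len)
    sha1_part = p_hash("sha1", s2, label + seed, out_len)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def tls12_prf(secret: bytes, label: bytes, seed: bytes, out_len: int,
              hash_name: str = "sha256") -> bytes:
    """TLS 1.2: one P_hash over the whole secret, using the cipher suite's PRF hash."""
    return p_hash(hash_name, secret, label + seed, out_len)


Prf = Callable[[bytes, bytes, bytes, int], bytes]


def master_secret(prf: Prf, pre_master: bytes, client_random: bytes,
                  server_random: bytes) -> bytes:
    """master_secret = PRF(pre_master_secret, "master secret", ClientHello.random +
    ServerHello.random)[0..47]"""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(prf: Prf, master: bytes, client_random: bytes, server_random: bytes,
              mac_key_len: int, enc_key_len: int, fixed_iv_len: int) -> Dict[str, bytes]:
    """RFC 5246 6.3: the seed is server_random || client_random (the reverse of the
    master secret order) and the block is cut into client/server MAC keys, write keys
    and fixed IVs in that order. For AEAD suites mac_key_len is 0."""
    need = 2 * (mac_key_len + enc_key_len + fixed_iv_len)
    kb = prf(master, b"key expansion", server_random + client_random, need)
    names = ["client_write_MAC_key", "server_write_MAC_key",
             "client_write_key", "server_write_key",
             "client_write_IV", "server_write_IV"]
    lens = [mac_key_len, mac_key_len, enc_key_len, enc_key_len, fixed_iv_len, fixed_iv_len]
    keys, off = {}, 0
    for name, length in zip(names, lens):
        keys[name] = kb[off:off + length]
        off += length
    return keys


# Constructed sample values; not taken from any real handshake.
PRE_MASTER = bytes([0x03, 0x03]) + bytes(range(46))   # 48 bytes, version prefix 3.3
CLIENT_RANDOM = bytes([0xC1] * 32)
SERVER_RANDOM = bytes([0x5E] * 32)


def demo_aes128_gcm() -> Tuple[bytes, Dict[str, bytes]]:
    """TLS 1.2 with an AES-128-GCM suite: no MAC key, 16-byte key, 4-byte fixed IV
    (the GCM IV length that 1.39 corrects in the key block calculation)."""
    ms = master_secret(tls12_prf, PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    keys = key_block(tls12_prf, ms, CLIENT_RANDOM, SERVER_RANDOM,
                     mac_key_len=0, enc_key_len=16, fixed_iv_len=4)
    return ms, keys


if __name__ == "__main__":
    ms, keys = demo_aes128_gcm()
    print("master secret:", ms.hex())
    for name, value in keys.items():
        print(f"{name}: {value.hex()}")
```

Swapping tls12_prf for tls10_prf in demo_aes128_gcm() gives the TLS 1.0/1.1 derivation with the same layout; the only difference between the two protocol versions at this layer is the PRF itself.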


# 1.38 01-Jun-2014 jsing

Clean up the tls1_change_cipher_state() key length handling and use a
single variable with a descriptive name, instead of two poorly named
variables.

Largely based on Adam Langley's chromium patches.

ok miod@


# 1.37 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.36 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.35 29-May-2014 jsing

Fix another two cases where the return value of ssl_replace_hash() is
unchecked.

In the case of tls1_change_cipher_state(), it is fairly pointless to use
ssl_replace_hash(), since it does not initialise the hash and there is
special handling required in the DTLS write case. Instead, just inline
the part of ssl_replace_hash() that is needed and only
ssl_clear_hash_ctx() the write hash in the non-DTLS case.

Also add a detailed comment explaining why there needs to be specialised
handling for DTLS write context and where the contexts are actually freed.

ok miod@


# 1.34 28-May-2014 jsing

More KNF.


# 1.33 28-May-2014 jsing

Refactor tls1_change_cipher_state() and split the compression handling out
from the cipher and message digest handling, allowing for upcoming changes.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.32 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.31 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.30 25-May-2014 jsing

The ssl_cipher_get_evp() function is currently overloaded to also return the
compression associated with the SSL session. Based on one of Adam Langley's
chromium diffs, factor out the compression handling code into a separate
ssl_cipher_get_comp() function.

Rewrite the compression handling code to avoid pointless duplication and so
that failures are actually returned to and detectable by the caller.

ok miod@


# 1.29 24-May-2014 miod

Invoke OPENSSL_cleanse() with the size of the variable you are cleaning.
ok jsing@


# 1.28 20-May-2014 jsing

KSSL is dead... nuke KSSL_DEBUG from orbit.

ok beck@ miod@


# 1.27 28-Apr-2014 tedu

use the correct algorithm mask. reported by satish lvr via
http://marc.info/?l=openssl-dev&m=139779977532459&w=2
ok miod


# 1.26 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.25 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.24 19-Apr-2014 jsing

More KNF.


# 1.23 18-Apr-2014 tedu

now that knf carpet bombing is finished, switch to hand to hand combat.
still not sure what to make of mysteries like this:
for (i = 7; i >= 0; i--) { /* increment */


# 1.22 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.21 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.20 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.19 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.18 27-Feb-2014 jca

SECURITY fixes backported from openssl-1.0.1f. ok mikeb@

CVE-2013-4353 NULL pointer dereference with crafted Next Protocol
Negotiation record in TLS handshake.
Upstream: 197e0ea

CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client.
Upstream: ca98926, 0294b2b

CVE-2013-6450 Fix DTLS retransmission from previous session.
Upstream: 3462896


# 1.17 14-Feb-2013 markus

cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.14 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.13 09-Jan-2009 djm

resolve conflicts


# 1.12 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.11 06-Sep-2008 djm

resolve conflicts


# 1.10 29-Apr-2005 djm

resolve conflicts


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 01-Aug-2001 beck

merge openssl 0.9.6b-engine

Note that this is a maintenance release, API's appear *not* to have changed.
As such, I have only increased the minor number on these libraries


# 1.5 22-Jun-2001 beck

openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.115 24-Oct-2018 jsing

Make more of libssl's record layer state internal.

In January 2017, we changed large amounts of libssl's data structures to
be non-visible/internal, however intentionally left things that the
software ecosystem was needing to use. The four or so applications that
reached into libssl for record layer related state now implement
alternative code. As such, make these data structures internal.

ok tb@


Revision tags: OPENBSD_6_4_BASE
# 1.114 08-Sep-2018 jsing

Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.

ok inoguchi@ tb@


# 1.113 06-Sep-2018 jsing

Drop SSL_CIPHER_ALGORITHM2_AEAD flag.

All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can
condition on that rather than having a separate redundant flag.

ok tb@


# 1.112 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.111 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.110 31-Aug-2018 jsing

Remove unused argument to tls1_change_cipher_state_cipher().


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.109 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.108 10-Apr-2017 jsing

freezero() the key block; simpler code and less of it.


Revision tags: OPENBSD_6_1_BASE
# 1.107 25-Mar-2017 jsing

Check tls1_PRF() return value in tls1_generate_master_secret().


# 1.106 25-Mar-2017 jsing

More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of
tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument
names and change lengths to size_t.

ok inoguchi@


# 1.105 18-Mar-2017 jsing

Fewer magic numbers.


# 1.104 18-Mar-2017 jsing

t1_enc.c


# 1.103 18-Mar-2017 jsing

Currently tls1_PRF() requires that a temporary buffer be provided, that
matches the size of the output buffer. This is used in the case where
there are multiple hashes - tls_P_hash() is called with the temporary
buffer and the result is then xored into the output buffer.

Avoid this by simply using a local buffer in tls_P_hash() and then xoring
the result into the output buffer. Overall this makes the code cleaner
and simplifies all of the tls_PRF() callers.

Similar to BoringSSL.

ok inoguchi@


# 1.102 10-Mar-2017 jsing

Remove the handshake digests and related code, replacing remaining uses
with the handshake hash. For now tls1_digest_cached_records() is retained
to release the handshake buffer.

ok beck@ inoguchi@


# 1.101 10-Mar-2017 jsing

First pass at cleaning up the tls1_P_hash() function - remove a pointless
EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the
code slightly.

ok inoguchi@


# 1.100 10-Mar-2017 jsing

Make tls1_PRF() non-static so it can be regress tested.


# 1.99 07-Mar-2017 jsing

Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned
and each hash processed separately.

Tested by tb@


# 1.98 06-Mar-2017 jsing

Clean up and simplify the tls1_PRF() implementation now that we have a
single EVP MD for the PRF hash.

ok beck@ inoguchi@


# 1.97 05-Mar-2017 jsing

Provide a rolling handshake hash that commences as soon as the cipher
suite has been selected, and convert the final finish MAC to use this
handshake hash.

This is a first step towards cleaning up the current handshake
buffer/digest code.

ok beck@ inoguchi@


# 1.96 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.95 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.94 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single funciton code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.93 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.92 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.91 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.90 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.89 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.88 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.87 06-Nov-2016 jsing

Remove unused SSLv3 from ssl3_cbc_record_digest_supported().

From Markus Uhlin <markus.uhlin at bredband dot net>

ok beck@ bcooK@


# 1.86 03-Nov-2016 jsing

Clean up the TLS handshake digest handling - this refactors some of the
code for improved readability, however it also address two issues.

The first of these is a hard-to-hit double free that will occur if
EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure
that tls1_digest_cached_records() either completes successfully and sets
up all of the necessary digests, or it cleans up and frees everything
that was allocated.

The second issue is that EVP_DigestUpdate() can fail - detect and handle
this in tls1_finish_mac() and change the return type to an int so that a
failure can be propagated to the caller (the callers still need to be
fixed to handle this, in a later diff).

The double-free was reported by Matthew Dillon.

ok beck@ doug@ miod@


# 1.85 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replaces the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.84 06-Mar-2016 beck

Make sure stdio functions don't end up in the library, from miod@
ok doug@ bcook@


# 1.83 11-Sep-2015 jsing

Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a
ssl3_ prefix.

ok beck@


# 1.82 11-Sep-2015 jsing

Merge the remnants of s3_enc.c into t1_enc.c.

ok beck@


# 1.81 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.80 27-Aug-2015 jsing

Change AEAD out_len argument to size_t instead of ssize_t - while here,
rename it to out_len so that its purpose is more obvious. Also, drop two
checks that are no longer possible (and have not been for a long time).

Spotted by and ok doug@


# 1.79 17-Jul-2015 doug

Remove workaround for TLS padding bug from SSLeay days.

OpenSSL doesn't remember which clients were impacted and the
functionality has been broken in their stable releases for 2 years.

Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.

ok jsing@


# 1.78 17-Jun-2015 jsing

Keep alerts sorted by alert code.


# 1.77 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
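
The server-side check the message above describes, as an added illustration that is
not LibreSSL's code: a server parses the ClientHello cipher_suites vector, and if the
TLS_FALLBACK_SCSV value (0x5600, RFC 7507) is present while the offered client version
is below the highest version the server supports, it aborts with a fatal
inappropriate_fallback alert (code 86). The cipher suite byte string is constructed for
the example; the function and constant names are this example's own.

```python
import struct

# Protocol versions as (major, minor) pairs, as they appear on the wire.
TLS1_0 = (3, 1)
TLS1_1 = (3, 2)
TLS1_2 = (3, 3)

TLS_FALLBACK_SCSV = 0x5600          # signalling cipher suite value, RFC 7507
ALERT_INAPPROPRIATE_FALLBACK = 86   # fatal alert the server sends on a bad fallback


def parse_cipher_suites(vec):
    """Parse a ClientHello cipher_suites vector: a 2-byte length followed by
    2-byte cipher suite codes.  Rejects empty, truncated or odd-length vectors."""
    if len(vec) < 2:
        raise ValueError("short cipher_suites vector")
    (n,) = struct.unpack("!H", vec[:2])
    body = vec[2:2 + n]
    if n == 0 or n % 2 or len(body) != n:
        raise ValueError("malformed cipher_suites vector")
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(0, n, 2)]


def check_fallback_scsv(client_version, cipher_suites, server_max_version):
    """Server-side TLS_FALLBACK_SCSV check.  Returns the alert to send, or None.

    The SCSV only means "I am retrying at a lower version"; the server aborts
    only when it really supports something higher than what was offered, so a
    client at the server's maximum version is never rejected."""
    if TLS_FALLBACK_SCSV in cipher_suites and client_version < server_max_version:
        return ALERT_INAPPROPRIATE_FALLBACK
    return None


def handle_client_hello(client_version, cipher_suites_vec, server_max_version=TLS1_2):
    """Combine parsing and the check, as a server reading a ClientHello would."""
    suites = parse_cipher_suites(cipher_suites_vec)
    return check_fallback_scsv(client_version, suites, server_max_version)


# Constructed sample vector (not a captured handshake): length 6, then
# TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f), TLS_FALLBACK_SCSV (0x5600),
# TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c).
SAMPLE_SUITES = b"\x00\x06\xc0\x2f\x56\x00\x00\x9c"

if __name__ == "__main__":
    # A TLS 1.2 server seeing a TLS 1.1 retry with the SCSV: alert 86.
    print(handle_client_hello(TLS1_1, SAMPLE_SUITES))
    # The same client at the server's maximum version: accepted (None).
    print(handle_client_hello(TLS1_2, SAMPLE_SUITES))
```

Note that a client which only ever speaks TLS 1.2 and never retries gets the same
answer whether or not it sends the SCSV, which is the point the commit message makes
about scanners treating its mere presence as meaningful.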


# 1.76 07-Feb-2015 doug

Remove useless variables and use the values directly.

From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.

ok miod@, jsing@


# 1.75 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.74 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.73 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.72 16-Nov-2014 jsing

Sort and group includes.


# 1.71 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.70 18-Oct-2014 doug

Typical malloc() with size multiplication to reallocarray().

ok deraadt@


# 1.69 07-Aug-2014 miod

Oops, revert changes committed by mistake. The previous commit was supposed
to only apply to s23_srvr.c.


# 1.68 07-Aug-2014 miod

When you expect a function to return a particular value, don't put a comment
saying that you expect it to return that value and compare it against zero
because it is supposedly faster, for this leads to bugs (especially given the
high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this
library).

Instead, compare for the exact value it ought to return upon success.

ok deraadt@


# 1.67 10-Jul-2014 jsing

Remove more compression related code.


# 1.66 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.65 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.64 08-Jul-2014 beck

pedantic avoidance of division by zero, likely not actually
possible to hit for real.
ok miod@ jsing@


# 1.63 21-Jun-2014 jsing

Pull the code that builds a DTLS sequence number out into its own function
to avoid duplication. Also use fewer magic numbers.

ok miod@


# 1.62 21-Jun-2014 jsing

Pull out the sequence number selection and handle this up front. Also, the
correct record is already known, so avoid reassignment.


# 1.61 21-Jun-2014 jsing

More KNF and clean up.


# 1.60 15-Jun-2014 jsing

Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(),
so that it reflects what it is actually doing. Use this function in a
number of places that still have the hand rolled version.

ok beck@ miod@


# 1.59 13-Jun-2014 jsing

Correctly calculate the key block length when using export ciphers.


# 1.58 13-Jun-2014 jsing

Swap compress/expand around so they are in the correct order - these ended
up in the wrong order when the code was refactored.


# 1.57 13-Jun-2014 jsing

Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and
EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.


# 1.56 13-Jun-2014 jsing

Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are
those that use EVP_AEAD instead of EVP_CIPHER. This means being able to
change cipher state with an EVP_AEAD and being able to encrypt/decrypt
TLS using the EVP_AEAD. This has no change on existing
non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.

Based on Adam Langley's chromium patches.

Rides the recent libssl bump.

Tested by sthen@


# 1.55 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.54 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.53 11-Jun-2014 jsing

Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since
OpenSSL 1.0.0.

ok miod@ (a little while back)


# 1.52 10-Jun-2014 jsing

In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex()
to avoid a possible NULL function call on ctx.final(). None of the callers
currently check the return value of calls to cert_verify_mac(), however
the function already returns 0 in another case and the MAC comparison will
later fail.

Issue reported by David Ramos.


# 1.51 08-Jun-2014 jsing

Add a define for the SSLv3 sequence size and use it, rather than sprinkling
magic numbers around.

ok deraadt@


# 1.50 08-Jun-2014 jsing

Be explicit with types. No binary change.


# 1.49 08-Jun-2014 jsing

Factor out the part of tls1_change_cipher_state() that is specific to
switching cipher states using an EVP_CIPHER. This will facilitate the
addition of cipher state changes for EVP_AEAD. No functional change.

Based on Adam Langley's chromium patches.


# 1.48 08-Jun-2014 jsing

Factor out the sequence number reset code to aid in upcoming changes.


# 1.47 07-Jun-2014 jsing

Add missing NULL check after calling EVP_PKEY_new_mac_key().

Based on Adam Langley's chromium patches.


# 1.46 07-Jun-2014 jsing

Use !is_read to imply SSL3_CC_WRITE.

While this is not strictly correct (since the presence of SSL3_CC_READ does
not guarantee the absence of SSL3_CC_WRITE), in practice only one of these
flags is set at a time and there is existing logic which already relies on
this behaviour.


# 1.45 07-Jun-2014 jsing

Move the export label initialisation into the export handling code, since
this is the only place where these variables are used.


# 1.44 07-Jun-2014 jsing

Remove pointless casts - no binary change.


# 1.43 07-Jun-2014 jsing

Rename variables to make it clear that these are only used in the export
code. Additionally, these need to be cleaned in the export case.

Based on Adam Langley's chromium patches.


# 1.42 07-Jun-2014 jsing

Further clean up of context handling in tls1_change_cipher_state().

Rather than doing a complex dance to figure out if we should reuse the
cipher context and clean it later on, just free it and allocate a new one.
This simplifies the code path, especially in the write case where special
handling is required for DTLS.

Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is
unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention
that it was already missing from the write case).


# 1.41 02-Jun-2014 jsing

Rename more variables for readability and consistency.


# 1.40 01-Jun-2014 jsing

Overhaul the key block handling in tls1_change_cipher_state() - use
meaningful variable names with pointer arithmetic, rather than n, i, j
and p with array indexing.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.39 01-Jun-2014 jsing

In tls1_setup_key_block(), use the correct IV length for GCM mode, which
results in the key block length calculation also being correct. Rename a
number of variables so that their purpose becomes clear and simplify some
of the code.

Inspired by Adam Langley's chromium diffs.

ok miod@


# 1.38 01-Jun-2014 jsing

Clean up the tls1_change_cipher_state() key length handling and use a
single variable with a descriptive name, instead of two poorly named
variables.

Largely based on Adam Langley's chromium patches.

ok miod@


# 1.37 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.36 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.35 29-May-2014 jsing

Fix another two cases where the return value of ssl_replace_hash() is
unchecked.

In the case of tls1_change_cipher_state(), it is fairly pointless to use
ssl_replace_hash(), since it does not initialise the hash and there is
special handling required in the DTLS write case. Instead, just inline
the part of ssl_replace_hash() that is needed and only
ssl_clear_hash_ctx() the write hash in the non-DTLS case.

Also add a detailed comment explaining why there needs to be specialised
handling for DTLS write context and where the contexts are actually freed.

ok miod@


# 1.34 28-May-2014 jsing

More KNF.


# 1.33 28-May-2014 jsing

Refactor tls1_change_cipher_state() and split the compression handling out
from the cipher and message digest handling, allowing for upcoming changes.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.32 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.31 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.30 25-May-2014 jsing

The ssl_cipher_get_evp() function is currently overloaded to also return the
compression associated with the SSL session. Based on one of Adam Langley's
chromium diffs, factor out the compression handling code into a separate
ssl_cipher_get_comp() function.

Rewrite the compression handling code to avoid pointless duplication and so
that failures are actually returned to and detectable by the caller.

ok miod@


# 1.29 24-May-2014 miod

Invoke OPENSSL_cleanse() with the size of the variable you are cleaning.
ok jsing@


# 1.28 20-May-2014 jsing

KSSL is dead... nuke KSSL_DEBUG from orbit.

ok beck@ miod@


# 1.27 28-Apr-2014 tedu

use the correct algorithm mask. reported by satish lvr via
http://marc.info/?l=openssl-dev&m=139779977532459&w=2
ok miod


# 1.26 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.25 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.24 19-Apr-2014 jsing

More KNF.


# 1.23 18-Apr-2014 tedu

now that knf carpet bombing is finished, switch to hand to hand combat.
still not sure what to make of mysteries like this:
for (i = 7; i >= 0; i--) { /* increment */


# 1.22 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.21 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.20 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.19 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.18 27-Feb-2014 jca

SECURITY fixes backported from openssl-1.0.1f. ok mikeb@

CVE-2013-4353 NULL pointer dereference with crafted Next Protocol
Negotiation record in TLS handshake.
Upstream: 197e0ea

CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client.
Upstream: ca98926, 0294b2b

CVE-2013-6450 Fix DTLS retransmission from previous session.
Upstream: 3462896


# 1.17 14-Feb-2013 markus

cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.14 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.13 09-Jan-2009 djm

resolve conflicts


# 1.12 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.11 06-Sep-2008 djm

resolve conflicts


# 1.10 29-Apr-2005 djm

resolve conflicts


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 01-Aug-2001 beck

merge openssl 0.9.6b-engine

Note that this is a maintenance release, APIs appear *not* to have changed.
As such, I have only increased the minor number on these libraries


# 1.5 22-Jun-2001 beck

openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.123 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_7_BASE
# 1.122 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.121 13-Mar-2020 jsing

Remove dtls1_enc().

Like much of the original DTLS code, dtls1_enc() is effectively a renamed
copy of tls1_enc(). Since then tls1_enc() has been modified, however the
non-AEAD code remains largely the same. As such, remove dtls1_enc() and
instead call tls1_enc() from the DTLS code.

The tls1_enc() AEAD code does not currently work correctly with DTLS,
however this is a non-issue since we do not support AEAD cipher suites with
DTLS currently.

ok tb@


# 1.120 12-Mar-2020 jsing

Stop overloading the record type for padding length.

Currently the CBC related code stuffs the padding length in the upper bits
of the type field... stop doing that and add a padding_length field to the
record struct instead.

ok inoguchi@ tb@


# 1.119 12-Mar-2020 jsing

Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.

SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in
public headers, even though their usage is internal. This moves to
using _INTERNAL suffixed versions that are in internal headers, which
then allows us to change them without any potential public API fallout.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.118 13-May-2019 bcook

Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.

Fixes COV-174858

ok tb@


Revision tags: OPENBSD_6_5_BASE
# 1.117 09-Feb-2019 jsing

Rename tls1_handshake_hash*() to tls1_transcript_hash*().

While handshake hash is correct (in as far as it is a hash of handshake
messages), using tls1_transcript_hash*() aligns them with the naming of the
tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses
Transcript-Hash and "transcript hash", which this matches.

ok inoguchi@ tb@


# 1.116 08-Nov-2018 jsing

Clean up and simplify the handshake transcript code.

This provides a cleaner, simpler and more readable API, with code that uses
a BUF_MEM instead of a BIO.

ok beck@ ("hurry up") and tb@.


# 1.115 24-Oct-2018 jsing

Make more of libssl's record layer state internal.

In January 2017, we changed large amounts of libssl's data structures to
be non-visible/internal, however intentionally left things that the
software ecosystem was needing to use. The four or so applications that
reached into libssl for record layer related state now implement
alternative code. As such, make these data structures internal.

ok tb@


Revision tags: OPENBSD_6_4_BASE
# 1.114 08-Sep-2018 jsing

Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.

ok inoguchi@ tb@


# 1.113 06-Sep-2018 jsing

Drop SSL_CIPHER_ALGORITHM2_AEAD flag.

All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can
condition on that rather than having a separate redundant flag.

ok tb@


# 1.112 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.111 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.110 31-Aug-2018 jsing

Remove unused argument to tls1_change_cipher_state_cipher().


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.109 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.108 10-Apr-2017 jsing

freezero() the key block; simpler code and less of it.


Revision tags: OPENBSD_6_1_BASE
# 1.107 25-Mar-2017 jsing

Check tls1_PRF() return value in tls1_generate_master_secret().


# 1.106 25-Mar-2017 jsing

More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of
tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument
names and change lengths to size_t.

ok inoguchi@


# 1.105 18-Mar-2017 jsing

Fewer magic numbers.


# 1.104 18-Mar-2017 jsing

t1_enc.c


# 1.103 18-Mar-2017 jsing

Currently tls1_PRF() requires that a temporary buffer be provided, that
matches the size of the output buffer. This is used in the case where
there are multiple hashes - tls_P_hash() is called with the temporary
buffer and the result is then xored into the output buffer.

Avoid this by simply using a local buffer in tls_P_hash() and then xoring
the result into the output buffer. Overall this makes the code cleaner
and simplifies all of the tls_PRF() callers.

Similar to BoringSSL.

ok inoguchi@


# 1.102 10-Mar-2017 jsing

Remove the handshake digests and related code, replacing remaining uses
with the handshake hash. For now tls1_digest_cached_records() is retained
to release the handshake buffer.

ok beck@ inoguchi@


# 1.101 10-Mar-2017 jsing

First pass at cleaning up the tls1_P_hash() function - remove a pointless
EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the
code slightly.

ok inoguchi@


# 1.100 10-Mar-2017 jsing

Make tls1_PRF() non-static so it can be regress tested.


# 1.99 07-Mar-2017 jsing

Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned
and each hash processed separately.

Tested by tb@
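
The partitioning the message above refers to, as an added illustration that is not
LibreSSL's tls1_PRF(): in the TLS 1.0/1.1 PRF (RFC 2246 section 5) the secret is split
into S1, the first ceil(L/2) bytes, and S2, the last ceil(L/2) bytes (for odd L the
middle byte is in both), P_MD5 runs over S1 and P_SHA1 over S2 with the same
label+seed, and the two outputs are XORed. The TLS 1.2 PRF (RFC 5246) is shown
alongside for contrast: a single P_SHA256 over the whole secret. The premaster secret
and randoms in the demo are constructed values, not from any real handshake, and the
function names are this example's own.

```python
import hmac


def p_hash(hash_name, secret, seed, out_len):
    """TLS P_<hash>(secret, seed) expansion from RFC 2246 section 5:
    A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out = b""
    a = seed
    while len(out) < out_len:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:out_len]


def split_secret(secret):
    """Partition the secret for the TLS 1.0/1.1 PRF: S1 is the first
    ceil(L/2) bytes, S2 the last ceil(L/2) bytes.  For odd L the middle
    byte belongs to both halves."""
    half = (len(secret) + 1) // 2
    return secret[:half], secret[len(secret) - half:]


def tls1_prf_md5_sha1(secret, label, seed, out_len):
    """TLS 1.0/1.1 PRF: P_MD5 over S1 XOR P_SHA1 over S2, each keyed on its own
    half and fed the same label+seed.  Keying both hashes with the whole
    secret would produce a different (and interoperability-breaking) result."""
    s1, s2 = split_secret(secret)
    md5_part = p_hash("md5", s1, label + seed, out_len)
    sha1_part = p_hash("sha1", s2, label + seed, out_len)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def tls12_prf_sha256(secret, label, seed, out_len):
    """TLS 1.2 PRF (RFC 5246): a single P_SHA256 over the whole secret."""
    return p_hash("sha256", secret, label + seed, out_len)


def derive_master_secret(prf, premaster, client_random, server_random):
    """master_secret = PRF(pre_master_secret, "master secret",
    ClientHello.random + ServerHello.random), truncated to 48 bytes."""
    return prf(premaster, b"master secret", client_random + server_random, 48)


if __name__ == "__main__":
    # Constructed sample inputs: a 48-byte premaster and two 32-byte randoms.
    premaster = bytes(range(48))
    crandom = b"\x11" * 32
    srandom = b"\x22" * 32
    print(derive_master_secret(tls1_prf_md5_sha1, premaster, crandom, srandom).hex())
    print(derive_master_secret(tls12_prf_sha256, premaster, crandom, srandom).hex())
```

The XOR is what makes the split matter: if either half is keyed wrongly, every
derived key (master secret, key block, Finished verify_data) differs from the peer's
and the handshake fails at the Finished check rather than at any earlier point.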


# 1.98 06-Mar-2017 jsing

Clean up and simplify the tls1_PRF() implementation now that we have a
single EVP MD for the PRF hash.

ok beck@ inoguchi@


# 1.97 05-Mar-2017 jsing

Provide a rolling handshake hash that commences as soon as the cipher
suite has been selected, and convert the final finish MAC to use this
handshake hash.

This is a first step towards cleaning up the current handshake
buffer/digest code.

ok beck@ inoguchi@


# 1.96 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.95 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.94 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.93 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.92 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.91 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


code. Additionally, these need to be cleaned in the export case.

Based on Adam Langley's chromium patches.


# 1.42 07-Jun-2014 jsing

Further clean up of context handling in tls1_change_cipher_state().

Rather than doing a complex dance to figure out if we should reuse the
cipher context and clean it later on, just free it and allocate a new one.
This simplifies the code path, especially in the write case where special
handling is required for DTLS.

Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is
unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention
that it was already missing from the write case).


# 1.41 02-Jun-2014 jsing

Rename more variables for readability and consistency.


# 1.40 01-Jun-2014 jsing

Overhaul the key block handling in tls1_change_cipher_state() - use
meaningful variable names with pointer arithmetic, rather than n, i, j
and p with array indexing.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.39 01-Jun-2014 jsing

In tls1_setup_key_block(), use the correct IV length for GCM mode, which
results in the key block length calculation also being correct. Rename a
number of variables so that their purpose becomes clear and simplify some
of the code.

Inspired by Adam Langley's chromium diffs.

ok miod@


# 1.38 01-Jun-2014 jsing

Clean up the tls1_change_cipher_state() key length handling and use a
single variable with a descriptive name, instead of two poorly named
variables.

Largely based on Adam Langley's chromium patches.

ok miod@


# 1.37 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.36 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.35 29-May-2014 jsing

Fix another two cases where the return value of ssl_replace_hash() is
unchecked.

In the case of tls1_change_cipher_state(), it is fairly pointless to use
ssl_replace_hash(), since it does not initialise the hash and there is
special handling required in the DTLS write case. Instead, just inline
the part of ssl_replace_hash() that is needed and only
ssl_clear_hash_ctx() the write hash in the non-DTLS case.

Also add a detailed comment explaining why there needs to be specialised
handling for DTLS write context and where the contexts are actually freed.

ok miod@


# 1.34 28-May-2014 jsing

More KNF.


# 1.33 28-May-2014 jsing

Refactor tls1_change_cipher_state() and split the compression handling out
from the cipher and message digest handling, allowing for upcoming changes.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.32 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.31 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.30 25-May-2014 jsing

The ssl_cipher_get_evp() function is currently overloaded to also return the
compression associated with the SSL session. Based on one of Adam Langley's
chromium diffs, factor out the compression handling code into a separate
ssl_cipher_get_comp() function.

Rewrite the compression handling code to avoid pointless duplication and so
that failures are actually returned to and detectable by the caller.

ok miod@


# 1.29 24-May-2014 miod

Invoke OPENSSL_cleanse() with the size of the variable you are cleaning.
ok jsing@


# 1.28 20-May-2014 jsing

KSSL is dead... nuke KSSL_DEBUG from orbit.

ok beck@ miod@


# 1.27 28-Apr-2014 tedu

use the correct algorithm mask. reported by satish lvr via
http://marc.info/?l=openssl-dev&m=139779977532459&w=2
ok miod


# 1.26 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.25 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.24 19-Apr-2014 jsing

More KNF.


# 1.23 18-Apr-2014 tedu

now that knf carpet bombing is finished, switch to hand to hand combat.
still not sure what to make of mysteries like this:
for (i = 7; i >= 0; i--) { /* increment */


# 1.22 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.21 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.20 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.19 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.18 27-Feb-2014 jca

SECURITY fixes backported from openssl-1.0.1f. ok mikeb@

CVE-2013-4353 NULL pointer dereference with crafted Next Protocol
Negotiation record in TLS handshake.
Upstream: 197e0ea

CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client.
Upstream: ca98926, 0294b2b

CVE-2013-6450 Fix DTLS retransmission from previous session.
Upstream: 3462896


# 1.17 14-Feb-2013 markus

cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.14 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.13 09-Jan-2009 djm

resolve conflicts


# 1.12 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.11 06-Sep-2008 djm

resolve conflicts


# 1.10 29-Apr-2005 djm

resolve conflicts


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 01-Aug-2001 beck

merge openssl 0.9.6b-engine

Note that this is a maintenance release; APIs appear *not* to have changed.
As such, I have only increased the minor number on these libraries.


# 1.5 22-Jun-2001 beck

openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work, you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.122 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.121 13-Mar-2020 jsing

Remove dtls1_enc().

Like much of the original DTLS code, dtls1_enc() is effectively a renamed
copy of tls1_enc(). Since then tls1_enc() has been modified, however the
non-AEAD code remains largely the same. As such, remove dtls1_enc() and
instead call tls1_enc() from the DTLS code.

The tls1_enc() AEAD code does not currently work correctly with DTLS,
however this is a non-issue since we do not support AEAD cipher suites with
DTLS currently.

ok tb@


# 1.120 12-Mar-2020 jsing

Stop overloading the record type for padding length.

Currently the CBC related code stuffs the padding length in the upper bits
of the type field... stop doing that and add a padding_length field to the
record struct instead.

ok inoguchi@ tb@


# 1.119 12-Mar-2020 jsing

Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.

SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in
public headers, even though their usage is internal. This moves to
using _INTERNAL suffixed versions that are in internal headers, which
then allows us to change them without any potential public API fallout.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.118 13-May-2019 bcook

Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.

Fixes COV-174858

ok tb@


Revision tags: OPENBSD_6_5_BASE
# 1.117 09-Feb-2019 jsing

Rename tls1_handshake_hash*() to tls1_transcript_hash*().

While handshake hash is correct (in as far as it is a hash of handshake
messages), using tls1_transcript_hash*() aligns them with the naming of the
tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses
Transcript-Hash and "transcript hash", which this matches.

ok inoguchi@ tb@


# 1.116 08-Nov-2018 jsing

Clean up and simplify the handshake transcript code.

This provides a cleaner, simpler and more readable API, with code that uses
a BUF_MEM instead of a BIO.

ok beck@ ("hurry up") and tb@.


# 1.115 24-Oct-2018 jsing

Make more of libssl's record layer state internal.

In January 2017, we changed large amounts of libssl's data structures to
be non-visible/internal, however intentionally left things that the
software ecosystem was needing to use. The four or so applications that
reached into libssl for record layer related state now implement
alternative code. As such, make these data structures internal.

ok tb@


Revision tags: OPENBSD_6_4_BASE
# 1.114 08-Sep-2018 jsing

Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.

ok inoguchi@ tb@


# 1.113 06-Sep-2018 jsing

Drop SSL_CIPHER_ALGORITHM2_AEAD flag.

All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can
condition on that rather than having a separate redundant flag.

ok tb@


# 1.112 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.111 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.110 31-Aug-2018 jsing

Remove unused argument to tls1_change_cipher_state_cipher().


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.109 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.108 10-Apr-2017 jsing

freezero() the key block; simpler code and less of it.


Revision tags: OPENBSD_6_1_BASE
# 1.107 25-Mar-2017 jsing

Check tls1_PRF() return value in tls1_generate_master_secret().


# 1.106 25-Mar-2017 jsing

More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of
tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument
names and change lengths to size_t.

ok inoguchi@


# 1.105 18-Mar-2017 jsing

Fewer magic numbers.


# 1.104 18-Mar-2017 jsing

t1_enc.c


# 1.103 18-Mar-2017 jsing

Currently tls1_PRF() requires that a temporary buffer be provided, that
matches the size of the output buffer. This is used in the case where
there are multiple hashes - tls_P_hash() is called with the temporary
buffer and the result is then xored into the output buffer.

Avoid this by simply using a local buffer in tls_P_hash() and then xoring
the result into the output buffer. Overall this makes the code cleaner
and simplifies all of the tls_PRF() callers.

Similar to BoringSSL.

ok inoguchi@


# 1.102 10-Mar-2017 jsing

Remove the handshake digests and related code, replacing remaining uses
with the handshake hash. For now tls1_digest_cached_records() is retained
to release the handshake buffer.

ok beck@ inoguchi@


# 1.101 10-Mar-2017 jsing

First pass at cleaning up the tls1_P_hash() function - remove a pointless
EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the
code slightly.

ok inoguchi@


# 1.100 10-Mar-2017 jsing

Make tls1_PRF() non-static so it can be regress tested.


# 1.99 07-Mar-2017 jsing

Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned
and each hash processed separately.

Tested by tb@


# 1.98 06-Mar-2017 jsing

Clean up and simplify the tls1_PRF() implementation now that we have a
single EVP MD for the PRF hash.

ok beck@ inoguchi@


# 1.97 05-Mar-2017 jsing

Provide a rolling handshake hash that commences as soon as the cipher
suite has been selected, and convert the final finish MAC to use this
handshake hash.

This is a first step towards cleaning up the current handshake
buffer/digest code.

ok beck@ inoguchi@


# 1.96 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.95 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.94 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single funciton code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.93 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.92 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.91 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.90 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.89 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.88 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.87 06-Nov-2016 jsing

Remove unused SSLv3 from ssl3_cbc_record_digest_supported().

From Markus Uhlin <markus.uhlin at bredband dot net>

ok beck@ bcooK@


# 1.86 03-Nov-2016 jsing

Clean up the TLS handshake digest handling - this refactors some of the
code for improved readability, however it also address two issues.

The first of these is a hard-to-hit double free that will occur if
EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure
that tls1_digest_cached_records() either completes successfully and sets
up all of the necessary digests, or it cleans up and frees everything
that was allocated.

The second issue is that EVP_DigestUpdate() can fail - detect and handle
this in tls1_finish_mac() and change the return type to an int so that a
failure can be propagated to the caller (the callers still need to be
fixed to handle this, in a later diff).

The double-free was reported by Matthew Dillon.

ok beck@ doug@ miod@


# 1.85 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replaces the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.84 06-Mar-2016 beck

Make sure stdio functions don't end up in the library, from miod@
ok doug@ bcook@


# 1.83 11-Sep-2015 jsing

Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a
ssl3_ prefix.

ok beck@


# 1.82 11-Sep-2015 jsing

Merge the remnants of s3_enc.c into t1_enc.c.

ok beck@


# 1.81 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.80 27-Aug-2015 jsing

Change AEAD out_len argument to size_t instead of ssize_t - while here,
rename it to out_len so that its purpose is more obvious. Also, drop two
checks that are no longer possible (and have not been for a long time).

Spotted by and ok doug@


# 1.79 17-Jul-2015 doug

Remove workaround for TLS padding bug from SSLeay days.

OpenSSL doesn't remember which clients were impacted and the
functionality has been broken in their stable releases for 2 years.

Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.

ok jsing@


# 1.78 17-Jun-2015 jsing

Keep alerts sorted by alert code.


# 1.77 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatability with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.76 07-Feb-2015 doug

Remove useless variables and use the values directly.

From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.

ok miod@, jsing@


# 1.75 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.74 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.73 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.72 16-Nov-2014 jsing

Sort and group includes.


# 1.71 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.70 18-Oct-2014 doug

Typical malloc() with size multiplication to reallocarray().

ok deraadt@


# 1.69 07-Aug-2014 miod

Oops, revert changes commited by mistake. The previous commit was supposed
to only apply to s23_srvr.c.


# 1.68 07-Aug-2014 miod

When you expect a function to return a particular value, don't put a comment
saying that you expect it to return that value and compare it against zero
because it is supposedly faster, for this leads to bugs (especially given the
high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this
library).

Instead, compare for the exact value it ought to return upon success.

ok deraadt@


# 1.67 10-Jul-2014 jsing

Remove more compression related code.


# 1.66 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.65 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.64 08-Jul-2014 beck

pedantic avoidance of division by zero, likely not actually
possible to hit for real.
ok miod@ jsing@


# 1.63 21-Jun-2014 jsing

Pull the code that builds a DTLS sequence number out into its own function
to avoid duplication. Also use fewer magic numbers.

ok miod@


# 1.62 21-Jun-2014 jsing

Pull out the sequence number selection and handle this up front. Also, the
correct record is already known, so avoid reassignment.


# 1.61 21-Jun-2014 jsing

More KNF and clean up.


# 1.60 15-Jun-2014 jsing

Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(),
so that it reflects what it is actually doing. Use this function in a
number of places that still have the hand rolled version.

ok beck@ miod@


# 1.59 13-Jun-2014 jsing

Correctly calculate the key block length when using export ciphers.


# 1.58 13-Jun-2014 jsing

Swap compress/expand around so they are in the correct order - these ended
up in the wrong order when the code was refactored.


# 1.57 13-Jun-2014 jsing

Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and
EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.


# 1.56 13-Jun-2014 jsing

Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are
those that use EVP_AEAD instead ov EVP_CIPHER. This means being able to
change cipher state with an EVP_AEAD and being able to encrypt/decrypt
TLS using the EVP_AEAD. This has no change on existing
non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.

Based on Adam Langley's chromium patches.

Rides the recent libssl bump.

Tested by sthen@


# 1.55 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, which draft has expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.54 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.53 11-Jun-2014 jsing

Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since
OpenSSL 1.0.0.

ok miod@ (a little while back)


# 1.52 10-Jun-2014 jsing

In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex()
to avoid a possible NULL function call on ctx.final(). None of the callers
currently check the return value of calls to cert_verify_mac(), however
the function already returns 0 in another case and the MAC comparison will
later fail.

Issue reported by David Ramos.


# 1.51 08-Jun-2014 jsing

Add a define for the SSLv3 sequence size and use it, rather than sprinkling
magic numbers around.

ok deraadt@


# 1.50 08-Jun-2014 jsing

Be explicit with types. No binary change.


# 1.49 08-Jun-2014 jsing

Factor out the part of tls1_change_cipher_state() that is specific to
switching cipher states using an EVP_CIPHER. This will facilitate the
addition of cipher state changes for EVP_AEAD. No functional change.

Based on Adam Langley's chromium patches.


# 1.48 08-Jun-2014 jsing

Factor out the sequence number reset code to aid in upcoming changes.


# 1.47 07-Jun-2014 jsing

Add missing NULL check after calling EVP_PKEY_new_mac_key().

Based on Adam Langley's chromium patches.


# 1.46 07-Jun-2014 jsing

Use !is_read to imply SSL3_CC_WRITE.

While this is not strictly correct (since the presence of SSL3_CC_READ does
not guarantee the absence of SSL3_CC_WRITE), in practice only one of these
flags is set at a time and there is existing logic which already relies on
this behaviour.


# 1.45 07-Jun-2014 jsing

Move the export label initialisation into the export handling code, since
this is the only place where these variables are used.


# 1.44 07-Jun-2014 jsing

Remove pointless casts - no binary change.


# 1.43 07-Jun-2014 jsing

Rename variables to make it clear that these are only used in the export
code. Additionally, these need to be cleaned in the export case.

Based on Adam Langley's chromium patches.


# 1.42 07-Jun-2014 jsing

Further clean up of context handling in tls1_change_cipher_state().

Rather than doing a complex dance to figure out if we should reuse the
cipher context and clean it later on, just free it and allocate a new one.
This simplifies the code path, especially in the write case where special
handling is required for DTLS.

Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is
unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention
that it was already missing from the write case).


# 1.41 02-Jun-2014 jsing

Rename more variables for readability and consistency.


# 1.40 01-Jun-2014 jsing

Overhaul the key block handling in tls1_change_cipher_state() - use
meaningful variable names with pointer arithmitic, rather than n, i, j
and p with array indexing.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.39 01-Jun-2014 jsing

In tls1_setup_key_block(), use the correct IV length for GCM mode, which
results in the key block length calculation also being correct. Rename a
number of variables so that their purpose becomes clear and simplify some
of the code.

Inspired by Adam Langley's chromium diffs.

ok miod@


# 1.38 01-Jun-2014 jsing

Clean up the tls1_change_cipher_state() key length handling and use a
single variable with a descriptive name, instead of two poorly named
variables.

Largely based on Adam Langley's chromium patches.

ok miod@


# 1.37 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.36 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.35 29-May-2014 jsing

Fix another two cases where the return value of ssl_replace_hash() is
unchecked.

In the case of tls1_change_cipher_state(), it is fairly pointless to use
ssl_replace_hash(), since it does not initialise the hash and there is
special handling required in the DTLS write case. Instead, just inline
the part of ssl_replace_hash() that is needed and only
ssl_clear_hash_ctx() the write hash in the non-DTLS case.

Also add a detailed comment explaining why there needs to be specialised
handling for DTLS write context and where the contexts are actually freed.

ok miod@


# 1.34 28-May-2014 jsing

More KNF.


# 1.33 28-May-2014 jsing

Refactor tls1_change_cipher_state() and split the compression handling out
from the cipher and message digest handling, allowing for upcoming changes.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.32 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.31 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.30 25-May-2014 jsing

The ssl_ciper_get_evp() function is currently overloaded to also return the
compression associated with the SSL session. Based on one of Adam Langley's
chromium diffs, factor out the compression handling code into a separate
ssl_cipher_get_comp() function.

Rewrite the compression handling code to avoid pointless duplication and so
that failures are actually returned to and detectable by the caller.

ok miod@


# 1.29 24-May-2014 miod

Invoke OPENSSL_cleanse() with the size of the variable you are cleaning.
ok jsing@


# 1.28 20-May-2014 jsing

KSSL is dead... nuke KSSL_DEBUG from orbit.

ok beck@ miod@


# 1.27 28-Apr-2014 tedu

use the correct algorithm mask. reported by satish lvr via
http://marc.info/?l=openssl-dev&m=139779977532459&w=2
ok miod


# 1.26 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.25 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.24 19-Apr-2014 jsing

More KNF.


# 1.23 18-Apr-2014 tedu

now that knf carpet bombing is finished, switch to hand to hand combat.
still not sure what to make of mysteries like this:
for (i = 7; i >= 0; i--) { /* increment */


# 1.22 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.21 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.20 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.19 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.18 27-Feb-2014 jca

SECURITY fixes backported from openssl-1.0.1f. ok mikeb@

CVE-2013-4353 NULL pointer dereference with crafted Next Protocol
Negotiation record in TLS handshake.
Upstream: 197e0ea

CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client.
Upstream: ca98926, 0294b2b

CVE-2013-6450 Fix DTLS retransmission from previous session.
Upstream: 3462896


# 1.17 14-Feb-2013 markus

cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.14 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.13 09-Jan-2009 djm

resolve conflicts


# 1.12 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.11 06-Sep-2008 djm

resolve conflicts


# 1.10 29-Apr-2005 djm

resolve conflicts


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 01-Aug-2001 beck

merge openssl 0.9.6b-engine

Note that this is a maintenance release; APIs appear *not* to have changed.
As such, I have only increased the minor number on these libraries.


# 1.5 22-Jun-2001 beck

openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.121 13-Mar-2020 jsing

Remove dtls1_enc().

Like much of the original DTLS code, dtls1_enc() is effectively a renamed
copy of tls1_enc(). Since then tls1_enc() has been modified, however the
non-AEAD code remains largely the same. As such, remove dtls1_enc() and
instead call tls1_enc() from the DTLS code.

The tls1_enc() AEAD code does not currently work correctly with DTLS,
however this is a non-issue since we do not support AEAD cipher suites with
DTLS currently.

ok tb@


# 1.120 12-Mar-2020 jsing

Stop overloading the record type for padding length.

Currently the CBC related code stuffs the padding length in the upper bits
of the type field... stop doing that and add a padding_length field to the
record struct instead.

ok inoguchi@ tb@


# 1.119 12-Mar-2020 jsing

Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.

SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in
public headers, even though their usage is internal. This moves to
using _INTERNAL suffixed versions that are in internal headers, which
then allows us to change them without any potential public API fallout.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.118 13-May-2019 bcook

Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.

Fixes COV-174858

ok tb@


Revision tags: OPENBSD_6_5_BASE
# 1.117 09-Feb-2019 jsing

Rename tls1_handshake_hash*() to tls1_transcript_hash*().

While handshake hash is correct (in as far as it is a hash of handshake
messages), using tls1_transcript_hash*() aligns them with the naming of the
tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses
Transcript-Hash and "transcript hash", which this matches.

ok inoguchi@ tb@


# 1.116 08-Nov-2018 jsing

Clean up and simplify the handshake transcript code.

This provides a cleaner, simpler and more readable API, with code that uses
a BUF_MEM instead of a BIO.

ok beck@ ("hurry up") and tb@.


# 1.115 24-Oct-2018 jsing

Make more of libssl's record layer state internal.

In January 2017, we changed large amounts of libssl's data structures to
be non-visible/internal, however intentionally left things that the
software ecosystem was needing to use. The four or so applications that
reached into libssl for record layer related state now implement
alternative code. As such, make these data structures internal.

ok tb@


Revision tags: OPENBSD_6_4_BASE
# 1.114 08-Sep-2018 jsing

Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.

ok inoguchi@ tb@


# 1.113 06-Sep-2018 jsing

Drop SSL_CIPHER_ALGORITHM2_AEAD flag.

All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can
condition on that rather than having a separate redundant flag.

ok tb@


# 1.112 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.111 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.110 31-Aug-2018 jsing

Remove unused argument to tls1_change_cipher_state_cipher().


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.109 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.108 10-Apr-2017 jsing

freezero() the key block; simpler code and less of it.


Revision tags: OPENBSD_6_1_BASE
# 1.107 25-Mar-2017 jsing

Check tls1_PRF() return value in tls1_generate_master_secret().


# 1.106 25-Mar-2017 jsing

More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of
tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument
names and change lengths to size_t.

ok inoguchi@


# 1.105 18-Mar-2017 jsing

Fewer magic numbers.


# 1.104 18-Mar-2017 jsing

t1_enc.c


# 1.103 18-Mar-2017 jsing

Currently tls1_PRF() requires that a temporary buffer be provided, that
matches the size of the output buffer. This is used in the case where
there are multiple hashes - tls_P_hash() is called with the temporary
buffer and the result is then xored into the output buffer.

Avoid this by simply using a local buffer in tls_P_hash() and then xoring
the result into the output buffer. Overall this makes the code cleaner
and simplifies all of the tls_PRF() callers.

Similar to BoringSSL.

ok inoguchi@


# 1.102 10-Mar-2017 jsing

Remove the handshake digests and related code, replacing remaining uses
with the handshake hash. For now tls1_digest_cached_records() is retained
to release the handshake buffer.

ok beck@ inoguchi@


# 1.101 10-Mar-2017 jsing

First pass at cleaning up the tls1_P_hash() function - remove a pointless
EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the
code slightly.

ok inoguchi@


# 1.100 10-Mar-2017 jsing

Make tls1_PRF() non-static so it can be regress tested.


# 1.99 07-Mar-2017 jsing

Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned
and each hash processed separately.

Tested by tb@


# 1.98 06-Mar-2017 jsing

Clean up and simplify the tls1_PRF() implementation now that we have a
single EVP MD for the PRF hash.

ok beck@ inoguchi@


# 1.97 05-Mar-2017 jsing

Provide a rolling handshake hash that commences as soon as the cipher
suite has been selected, and convert the final finish MAC to use this
handshake hash.

This is a first step towards cleaning up the current handshake
buffer/digest code.

ok beck@ inoguchi@


# 1.96 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.95 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.94 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.93 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.92 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.91 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.90 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.89 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.88 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.87 06-Nov-2016 jsing

Remove unused SSLv3 from ssl3_cbc_record_digest_supported().

From Markus Uhlin <markus.uhlin at bredband dot net>

ok beck@ bcook@


# 1.86 03-Nov-2016 jsing

Clean up the TLS handshake digest handling - this refactors some of the
code for improved readability, however it also addresses two issues.

The first of these is a hard-to-hit double free that will occur if
EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure
that tls1_digest_cached_records() either completes successfully and sets
up all of the necessary digests, or it cleans up and frees everything
that was allocated.

The second issue is that EVP_DigestUpdate() can fail - detect and handle
this in tls1_finish_mac() and change the return type to an int so that a
failure can be propagated to the caller (the callers still need to be
fixed to handle this, in a later diff).

The double-free was reported by Matthew Dillon.

ok beck@ doug@ miod@


# 1.85 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replacing the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.84 06-Mar-2016 beck

Make sure stdio functions don't end up in the library, from miod@
ok doug@ bcook@


# 1.83 11-Sep-2015 jsing

Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a
ssl3_ prefix.

ok beck@


# 1.82 11-Sep-2015 jsing

Merge the remnants of s3_enc.c into t1_enc.c.

ok beck@


# 1.81 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.80 27-Aug-2015 jsing

Change AEAD out_len argument to size_t instead of ssize_t - while here,
rename it to out_len so that its purpose is more obvious. Also, drop two
checks that are no longer possible (and have not been for a long time).

Spotted by and ok doug@


# 1.79 17-Jul-2015 doug

Remove workaround for TLS padding bug from SSLeay days.

OpenSSL doesn't remember which clients were impacted and the
functionality has been broken in their stable releases for 2 years.

Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.

ok jsing@


# 1.78 17-Jun-2015 jsing

Keep alerts sorted by alert code.


# 1.77 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.76 07-Feb-2015 doug

Remove useless variables and use the values directly.

From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.

ok miod@, jsing@


# 1.75 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.74 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.73 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.72 16-Nov-2014 jsing

Sort and group includes.


# 1.71 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.70 18-Oct-2014 doug

Typical malloc() with size multiplication to reallocarray().

ok deraadt@


# 1.69 07-Aug-2014 miod

Oops, revert changes committed by mistake. The previous commit was supposed
to only apply to s23_srvr.c.


# 1.68 07-Aug-2014 miod

When you expect a function to return a particular value, don't put a comment
saying that you expect it to return that value and compare it against zero
because it is supposedly faster, for this leads to bugs (especially given the
high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this
library).

Instead, compare for the exact value it ought to return upon success.

ok deraadt@


# 1.67 10-Jul-2014 jsing

Remove more compression related code.


# 1.66 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.65 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.64 08-Jul-2014 beck

pedantic avoidance of division by zero, likely not actually
possible to hit for real.
ok miod@ jsing@


# 1.63 21-Jun-2014 jsing

Pull the code that builds a DTLS sequence number out into its own function
to avoid duplication. Also use fewer magic numbers.

ok miod@


# 1.62 21-Jun-2014 jsing

Pull out the sequence number selection and handle this up front. Also, the
correct record is already known, so avoid reassignment.


# 1.61 21-Jun-2014 jsing

More KNF and clean up.


# 1.60 15-Jun-2014 jsing

Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(),
so that it reflects what it is actually doing. Use this function in a
number of places that still have the hand rolled version.

ok beck@ miod@


# 1.59 13-Jun-2014 jsing

Correctly calculate the key block length when using export ciphers.


# 1.58 13-Jun-2014 jsing

Swap compress/expand around so they are in the correct order - these ended
up in the wrong order when the code was refactored.


# 1.57 13-Jun-2014 jsing

Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and
EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.


# 1.56 13-Jun-2014 jsing

Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are
those that use EVP_AEAD instead of EVP_CIPHER. This means being able to
change cipher state with an EVP_AEAD and being able to encrypt/decrypt
TLS using the EVP_AEAD. This has no change on existing
non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.

Based on Adam Langley's chromium patches.

Rides the recent libssl bump.

Tested by sthen@


# 1.55 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.54 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.53 11-Jun-2014 jsing

Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since
OpenSSL 1.0.0.

ok miod@ (a little while back)


# 1.52 10-Jun-2014 jsing

In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex()
to avoid a possible NULL function call on ctx.final(). None of the callers
currently check the return value of calls to cert_verify_mac(), however
the function already returns 0 in another case and the MAC comparison will
later fail.

Issue reported by David Ramos.


# 1.51 08-Jun-2014 jsing

Add a define for the SSLv3 sequence size and use it, rather than sprinkling
magic numbers around.

ok deraadt@


# 1.50 08-Jun-2014 jsing

Be explicit with types. No binary change.


# 1.49 08-Jun-2014 jsing

Factor out the part of tls1_change_cipher_state() that is specific to
switching cipher states using an EVP_CIPHER. This will facilitate the
addition of cipher state changes for EVP_AEAD. No functional change.

Based on Adam Langley's chromium patches.


# 1.48 08-Jun-2014 jsing

Factor out the sequence number reset code to aid in upcoming changes.


# 1.47 07-Jun-2014 jsing

Add missing NULL check after calling EVP_PKEY_new_mac_key().

Based on Adam Langley's chromium patches.


# 1.46 07-Jun-2014 jsing

Use !is_read to imply SSL3_CC_WRITE.

While this is not strictly correct (since the presence of SSL3_CC_READ does
not guarantee the absence of SSL3_CC_WRITE), in practice only one of these
flags is set at a time and there is existing logic which already relies on
this behaviour.


# 1.45 07-Jun-2014 jsing

Move the export label initialisation into the export handling code, since
this is the only place where these variables are used.


# 1.44 07-Jun-2014 jsing

Remove pointless casts - no binary change.


# 1.43 07-Jun-2014 jsing

Rename variables to make it clear that these are only used in the export
code. Additionally, these need to be cleaned in the export case.

Based on Adam Langley's chromium patches.


# 1.42 07-Jun-2014 jsing

Further clean up of context handling in tls1_change_cipher_state().

Rather than doing a complex dance to figure out if we should reuse the
cipher context and clean it later on, just free it and allocate a new one.
This simplifies the code path, especially in the write case where special
handling is required for DTLS.

Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is
unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention
that it was already missing from the write case).


# 1.41 02-Jun-2014 jsing

Rename more variables for readability and consistency.


# 1.40 01-Jun-2014 jsing

Overhaul the key block handling in tls1_change_cipher_state() - use
meaningful variable names with pointer arithmetic, rather than n, i, j
and p with array indexing.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.39 01-Jun-2014 jsing

In tls1_setup_key_block(), use the correct IV length for GCM mode, which
results in the key block length calculation also being correct. Rename a
number of variables so that their purpose becomes clear and simplify some
of the code.

Inspired by Adam Langley's chromium diffs.

ok miod@


# 1.38 01-Jun-2014 jsing

Clean up the tls1_change_cipher_state() key length handling and use a
single variable with a descriptive name, instead of two poorly named
variables.

Largely based on Adam Langley's chromium patches.

ok miod@


# 1.37 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.36 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.35 29-May-2014 jsing

Fix another two cases where the return value of ssl_replace_hash() is
unchecked.

In the case of tls1_change_cipher_state(), it is fairly pointless to use
ssl_replace_hash(), since it does not initialise the hash and there is
special handling required in the DTLS write case. Instead, just inline
the part of ssl_replace_hash() that is needed and only
ssl_clear_hash_ctx() the write hash in the non-DTLS case.

Also add a detailed comment explaining why there needs to be specialised
handling for DTLS write context and where the contexts are actually freed.

ok miod@


# 1.34 28-May-2014 jsing

More KNF.


# 1.33 28-May-2014 jsing

Refactor tls1_change_cipher_state() and split the compression handling out
from the cipher and message digest handling, allowing for upcoming changes.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.94 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.93 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.92 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.91 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.90 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.89 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.88 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.87 06-Nov-2016 jsing

Remove unused SSLv3 from ssl3_cbc_record_digest_supported().

From Markus Uhlin <markus.uhlin at bredband dot net>

ok beck@ bcook@


# 1.86 03-Nov-2016 jsing

Clean up the TLS handshake digest handling - this refactors some of the
code for improved readability, however it also addresses two issues.

The first of these is a hard-to-hit double free that will occur if
EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure
that tls1_digest_cached_records() either completes successfully and sets
up all of the necessary digests, or it cleans up and frees everything
that was allocated.

The second issue is that EVP_DigestUpdate() can fail - detect and handle
this in tls1_finish_mac() and change the return type to an int so that a
failure can be propagated to the caller (the callers still need to be
fixed to handle this, in a later diff).

The double-free was reported by Matthew Dillon.

ok beck@ doug@ miod@


# 1.85 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replacing the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.84 06-Mar-2016 beck

Make sure stdio functions don't end up in the library, from miod@
ok doug@ bcook@


# 1.83 11-Sep-2015 jsing

Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a
ssl3_ prefix.

ok beck@


# 1.82 11-Sep-2015 jsing

Merge the remnants of s3_enc.c into t1_enc.c.

ok beck@


# 1.81 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.80 27-Aug-2015 jsing

Change AEAD out_len argument to size_t instead of ssize_t - while here,
rename it to out_len so that its purpose is more obvious. Also, drop two
checks that are no longer possible (and have not been for a long time).

Spotted by and ok doug@


# 1.79 17-Jul-2015 doug

Remove workaround for TLS padding bug from SSLeay days.

OpenSSL doesn't remember which clients were impacted and the
functionality has been broken in their stable releases for 2 years.

Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.

ok jsing@


# 1.78 17-Jun-2015 jsing

Keep alerts sorted by alert code.


# 1.77 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.76 07-Feb-2015 doug

Remove useless variables and use the values directly.

From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.

ok miod@, jsing@


# 1.75 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.74 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.73 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.72 16-Nov-2014 jsing

Sort and group includes.


# 1.71 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.70 18-Oct-2014 doug

Typical malloc() with size multiplication to reallocarray().

ok deraadt@


# 1.69 07-Aug-2014 miod

Oops, revert changes committed by mistake. The previous commit was supposed
to only apply to s23_srvr.c.


# 1.68 07-Aug-2014 miod

When you expect a function to return a particular value, don't put a comment
saying that you expect it to return that value and compare it against zero
because it is supposedly faster, for this leads to bugs (especially given the
high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this
library).

Instead, compare for the exact value it ought to return upon success.

ok deraadt@


# 1.67 10-Jul-2014 jsing

Remove more compression related code.


# 1.66 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.65 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.64 08-Jul-2014 beck

pedantic avoidance of division by zero, likely not actually
possible to hit for real.
ok miod@ jsing@


# 1.63 21-Jun-2014 jsing

Pull the code that builds a DTLS sequence number out into its own function
to avoid duplication. Also use fewer magic numbers.

ok miod@


# 1.62 21-Jun-2014 jsing

Pull out the sequence number selection and handle this up front. Also, the
correct record is already known, so avoid reassignment.


# 1.61 21-Jun-2014 jsing

More KNF and clean up.


# 1.60 15-Jun-2014 jsing

Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(),
so that it reflects what it is actually doing. Use this function in a
number of places that still have the hand rolled version.

ok beck@ miod@


# 1.59 13-Jun-2014 jsing

Correctly calculate the key block length when using export ciphers.


# 1.58 13-Jun-2014 jsing

Swap compress/expand around so they are in the correct order - these ended
up in the wrong order when the code was refactored.


# 1.57 13-Jun-2014 jsing

Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and
EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.


# 1.56 13-Jun-2014 jsing

Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are
those that use EVP_AEAD instead of EVP_CIPHER. This means being able to
change cipher state with an EVP_AEAD and being able to encrypt/decrypt
TLS using the EVP_AEAD. This has no change on existing
non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.

Based on Adam Langley's chromium patches.

Rides the recent libssl bump.

Tested by sthen@


# 1.55 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.54 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.53 11-Jun-2014 jsing

Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since
OpenSSL 1.0.0.

ok miod@ (a little while back)


# 1.52 10-Jun-2014 jsing

In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex()
to avoid a possible NULL function call on ctx.final(). None of the callers
currently check the return value of calls to cert_verify_mac(), however
the function already returns 0 in another case and the MAC comparison will
later fail.

Issue reported by David Ramos.


# 1.51 08-Jun-2014 jsing

Add a define for the SSLv3 sequence size and use it, rather than sprinkling
magic numbers around.

ok deraadt@


# 1.50 08-Jun-2014 jsing

Be explicit with types. No binary change.


# 1.49 08-Jun-2014 jsing

Factor out the part of tls1_change_cipher_state() that is specific to
switching cipher states using an EVP_CIPHER. This will facilitate the
addition of cipher state changes for EVP_AEAD. No functional change.

Based on Adam Langley's chromium patches.


# 1.48 08-Jun-2014 jsing

Factor out the sequence number reset code to aid in upcoming changes.


# 1.47 07-Jun-2014 jsing

Add missing NULL check after calling EVP_PKEY_new_mac_key().

Based on Adam Langley's chromium patches.


# 1.46 07-Jun-2014 jsing

Use !is_read to imply SSL3_CC_WRITE.

While this is not strictly correct (since the presence of SSL3_CC_READ does
not guarantee the absence of SSL3_CC_WRITE), in practice only one of these
flags is set at a time and there is existing logic which already relies on
this behaviour.


# 1.45 07-Jun-2014 jsing

Move the export label initialisation into the export handling code, since
this is the only place where these variables are used.


# 1.44 07-Jun-2014 jsing

Remove pointless casts - no binary change.


# 1.43 07-Jun-2014 jsing

Rename variables to make it clear that these are only used in the export
code. Additionally, these need to be cleaned in the export case.

Based on Adam Langley's chromium patches.


# 1.42 07-Jun-2014 jsing

Further clean up of context handling in tls1_change_cipher_state().

Rather than doing a complex dance to figure out if we should reuse the
cipher context and clean it later on, just free it and allocate a new one.
This simplifies the code path, especially in the write case where special
handling is required for DTLS.

Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is
unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention
that it was already missing from the write case).


# 1.41 02-Jun-2014 jsing

Rename more variables for readability and consistency.


# 1.40 01-Jun-2014 jsing

Overhaul the key block handling in tls1_change_cipher_state() - use
meaningful variable names with pointer arithmetic, rather than n, i, j
and p with array indexing.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.39 01-Jun-2014 jsing

In tls1_setup_key_block(), use the correct IV length for GCM mode, which
results in the key block length calculation also being correct. Rename a
number of variables so that their purpose becomes clear and simplify some
of the code.

Inspired by Adam Langley's chromium diffs.

ok miod@


# 1.38 01-Jun-2014 jsing

Clean up the tls1_change_cipher_state() key length handling and use a
single variable with a descriptive name, instead of two poorly named
variables.

Largely based on Adam Langley's chromium patches.

ok miod@


# 1.37 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.36 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.35 29-May-2014 jsing

Fix another two cases where the return value of ssl_replace_hash() is
unchecked.

In the case of tls1_change_cipher_state(), it is fairly pointless to use
ssl_replace_hash(), since it does not initialise the hash and there is
special handling required in the DTLS write case. Instead, just inline
the part of ssl_replace_hash() that is needed and only
ssl_clear_hash_ctx() the write hash in the non-DTLS case.

Also add a detailed comment explaining why there needs to be specialised
handling for DTLS write context and where the contexts are actually freed.

ok miod@


# 1.34 28-May-2014 jsing

More KNF.


# 1.33 28-May-2014 jsing

Refactor tls1_change_cipher_state() and split the compression handling out
from the cipher and message digest handling, allowing for upcoming changes.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.32 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.31 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.30 25-May-2014 jsing

The ssl_cipher_get_evp() function is currently overloaded to also return the
compression associated with the SSL session. Based on one of Adam Langley's
chromium diffs, factor out the compression handling code into a separate
ssl_cipher_get_comp() function.

Rewrite the compression handling code to avoid pointless duplication and so
that failures are actually returned to and detectable by the caller.

ok miod@


# 1.29 24-May-2014 miod

Invoke OPENSSL_cleanse() with the size of the variable you are cleaning.
ok jsing@


# 1.28 20-May-2014 jsing

KSSL is dead... nuke KSSL_DEBUG from orbit.

ok beck@ miod@


# 1.27 28-Apr-2014 tedu

use the correct algorithm mask. reported by satish lvr via
http://marc.info/?l=openssl-dev&m=139779977532459&w=2
ok miod


# 1.26 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.25 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.24 19-Apr-2014 jsing

More KNF.


# 1.23 18-Apr-2014 tedu

now that knf carpet bombing is finished, switch to hand to hand combat.
still not sure what to make of mysteries like this:
for (i = 7; i >= 0; i--) { /* increment */


# 1.22 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_relloc->realloc
OPENSSL_freeFunc->free


# 1.21 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.20 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.19 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.18 27-Feb-2014 jca

SECURITY fixes backported from openssl-1.0.1f. ok mikeb@

CVE-2013-4353 NULL pointer dereference with crafted Next Protocol
Negotiation record in TLS handshake.
Upstream: 197e0ea

CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client.
Upstream: ca98926, 0294b2b

CVE-2013-6450 Fix DTLS retransmission from previous session.
Upstream: 3462896


# 1.17 14-Feb-2013 markus

cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.14 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.13 09-Jan-2009 djm

resolve conflicts


# 1.12 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.11 06-Sep-2008 djm

resolve conflicts


# 1.10 29-Apr-2005 djm

resolve conflicts


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 01-Aug-2001 beck

merge openssl 0.9.6b-engine

Note that this is a maintenance release, APIs appear *not* to have changed.
As such, I have only increased the minor number on these libraries


# 1.5 22-Jun-2001 beck

openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.118 13-May-2019 bcook

Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.

Fixes COV-174858

ok tb@


Revision tags: OPENBSD_6_5_BASE
# 1.117 09-Feb-2019 jsing

Rename tls1_handshake_hash*() to tls1_transcript_hash*().

While handshake hash is correct (in as far as it is a hash of handshake
messages), using tls1_transcript_hash*() aligns them with the naming of the
tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses
Transcript-Hash and "transcript hash", which this matches.

ok inoguchi@ tb@


# 1.116 08-Nov-2018 jsing

Clean up and simplify the handshake transcript code.

This provides a cleaner, simpler and more readable API, with code that uses
a BUF_MEM instead of a BIO.

ok beck@ ("hurry up") and tb@.


# 1.115 24-Oct-2018 jsing

Make more of libssl's record layer state internal.

In January 2017, we changed large amounts of libssl's data structures to
be non-visible/internal, however intentionally left things that the
software ecosystem was needing to use. The four or so applications that
reached into libssl for record layer related state now implement
alternative code. As such, make these data structures internal.

ok tb@


Revision tags: OPENBSD_6_4_BASE
# 1.114 08-Sep-2018 jsing

Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.

ok inoguchi@ tb@


# 1.113 06-Sep-2018 jsing

Drop SSL_CIPHER_ALGORITHM2_AEAD flag.

All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can
condition on that rather than having a separate redundant flag.

ok tb@


# 1.112 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.111 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.110 31-Aug-2018 jsing

Remove unused argument to tls1_change_cipher_state_cipher().


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.109 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.108 10-Apr-2017 jsing

freezero() the key block; simpler code and less of it.


Revision tags: OPENBSD_6_1_BASE
# 1.107 25-Mar-2017 jsing

Check tls1_PRF() return value in tls1_generate_master_secret().


# 1.106 25-Mar-2017 jsing

More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of
tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument
names and change lengths to size_t.

ok inoguchi@


# 1.105 18-Mar-2017 jsing

Fewer magic numbers.


# 1.104 18-Mar-2017 jsing

t1_enc.c


# 1.103 18-Mar-2017 jsing

Currently tls1_PRF() requires that a temporary buffer be provided, that
matches the size of the output buffer. This is used in the case where
there are multiple hashes - tls_P_hash() is called with the temporary
buffer and the result is then xored into the output buffer.

Avoid this by simply using a local buffer in tls_P_hash() and then xoring
the result into the output buffer. Overall this makes the code cleaner
and simplifies all of the tls_PRF() callers.

Similar to BoringSSL.

ok inoguchi@


# 1.102 10-Mar-2017 jsing

Remove the handshake digests and related code, replacing remaining uses
with the handshake hash. For now tls1_digest_cached_records() is retained
to release the handshake buffer.

ok beck@ inoguchi@


# 1.101 10-Mar-2017 jsing

First pass at cleaning up the tls1_P_hash() function - remove a pointless
EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the
code slightly.

ok inoguchi@


# 1.100 10-Mar-2017 jsing

Make tls1_PRF() non-static so it can be regress tested.


# 1.99 07-Mar-2017 jsing

Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned
and each hash processed separately.

Tested by tb@


# 1.98 06-Mar-2017 jsing

Clean up and simplify the tls1_PRF() implementation now that we have a
single EVP MD for the PRF hash.

ok beck@ inoguchi@


# 1.97 05-Mar-2017 jsing

Provide a rolling handshake hash that commences as soon as the cipher
suite has been selected, and convert the final finish MAC to use this
handshake hash.

This is a first step towards cleaning up the current handshake
buffer/digest code.

ok beck@ inoguchi@


# 1.96 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.95 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.94 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single funciton code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.93 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.92 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.91 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.90 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.89 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.88 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.87 06-Nov-2016 jsing

Remove unused SSLv3 from ssl3_cbc_record_digest_supported().

From Markus Uhlin <markus.uhlin at bredband dot net>

ok beck@ bcooK@


# 1.86 03-Nov-2016 jsing

Clean up the TLS handshake digest handling - this refactors some of the
code for improved readability, however it also address two issues.

The first of these is a hard-to-hit double free that will occur if
EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure
that tls1_digest_cached_records() either completes successfully and sets
up all of the necessary digests, or it cleans up and frees everything
that was allocated.

The second issue is that EVP_DigestUpdate() can fail - detect and handle
this in tls1_finish_mac() and change the return type to an int so that a
failure can be propagated to the caller (the callers still need to be
fixed to handle this, in a later diff).

The double-free was reported by Matthew Dillon.

ok beck@ doug@ miod@


# 1.85 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replaces the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.84 06-Mar-2016 beck

Make sure stdio functions don't end up in the library, from miod@
ok doug@ bcook@


# 1.83 11-Sep-2015 jsing

Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a
ssl3_ prefix.

ok beck@


# 1.82 11-Sep-2015 jsing

Merge the remnants of s3_enc.c into t1_enc.c.

ok beck@


# 1.81 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.80 27-Aug-2015 jsing

Change AEAD out_len argument to size_t instead of ssize_t - while here,
rename it to out_len so that its purpose is more obvious. Also, drop two
checks that are no longer possible (and have not been for a long time).

Spotted by and ok doug@


# 1.79 17-Jul-2015 doug

Remove workaround for TLS padding bug from SSLeay days.

OpenSSL doesn't remember which clients were impacted and the
functionality has been broken in their stable releases for 2 years.

Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.

ok jsing@


# 1.78 17-Jun-2015 jsing

Keep alerts sorted by alert code.


# 1.77 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatability with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.76 07-Feb-2015 doug

Remove useless variables and use the values directly.

From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.

ok miod@, jsing@


# 1.75 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.74 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.73 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.72 16-Nov-2014 jsing

Sort and group includes.


# 1.71 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.70 18-Oct-2014 doug

Typical malloc() with size multiplication to reallocarray().

ok deraadt@


# 1.69 07-Aug-2014 miod

Oops, revert changes committed by mistake. The previous commit was supposed
to only apply to s23_srvr.c.


# 1.68 07-Aug-2014 miod

When you expect a function to return a particular value, don't put a comment
saying that you expect it to return that value and compare it against zero
because it is supposedly faster, for this leads to bugs (especially given the
high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this
library).

Instead, compare for the exact value it ought to return upon success.

ok deraadt@


# 1.67 10-Jul-2014 jsing

Remove more compression related code.


# 1.66 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.65 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.64 08-Jul-2014 beck

pedantic avoidance of division by zero, likely not actually
possible to hit for real.
ok miod@ jsing@


# 1.63 21-Jun-2014 jsing

Pull the code that builds a DTLS sequence number out into its own function
to avoid duplication. Also use fewer magic numbers.

ok miod@


# 1.62 21-Jun-2014 jsing

Pull out the sequence number selection and handle this up front. Also, the
correct record is already known, so avoid reassignment.


# 1.61 21-Jun-2014 jsing

More KNF and clean up.


# 1.60 15-Jun-2014 jsing

Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(),
so that it reflects what it is actually doing. Use this function in a
number of places that still have the hand rolled version.

ok beck@ miod@


# 1.59 13-Jun-2014 jsing

Correctly calculate the key block length when using export ciphers.


# 1.58 13-Jun-2014 jsing

Swap compress/expand around so they are in the correct order - these ended
up in the wrong order when the code was refactored.


# 1.57 13-Jun-2014 jsing

Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and
EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.


# 1.56 13-Jun-2014 jsing

Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are
those that use EVP_AEAD instead of EVP_CIPHER. This means being able to
change cipher state with an EVP_AEAD and being able to encrypt/decrypt
TLS using the EVP_AEAD. This has no change on existing
non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.

Based on Adam Langley's chromium patches.

Rides the recent libssl bump.

Tested by sthen@


# 1.55 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.54 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.53 11-Jun-2014 jsing

Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since
OpenSSL 1.0.0.

ok miod@ (a little while back)


# 1.52 10-Jun-2014 jsing

In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex()
to avoid a possible NULL function call on ctx.final(). None of the callers
currently check the return value of calls to cert_verify_mac(), however
the function already returns 0 in another case and the MAC comparison will
later fail.

Issue reported by David Ramos.


# 1.51 08-Jun-2014 jsing

Add a define for the SSLv3 sequence size and use it, rather than sprinkling
magic numbers around.

ok deraadt@


# 1.50 08-Jun-2014 jsing

Be explicit with types. No binary change.


# 1.49 08-Jun-2014 jsing

Factor out the part of tls1_change_cipher_state() that is specific to
switching cipher states using an EVP_CIPHER. This will facilitate the
addition of cipher state changes for EVP_AEAD. No functional change.

Based on Adam Langley's chromium patches.


# 1.48 08-Jun-2014 jsing

Factor out the sequence number reset code to aid in upcoming changes.


# 1.47 07-Jun-2014 jsing

Add missing NULL check after calling EVP_PKEY_new_mac_key().

Based on Adam Langley's chromium patches.


# 1.46 07-Jun-2014 jsing

Use !is_read to imply SSL3_CC_WRITE.

While this is not strictly correct (since the presence of SSL3_CC_READ does
not guarantee the absence of SSL3_CC_WRITE), in practice only one of these
flags is set at a time and there is existing logic which already relies on
this behaviour.


# 1.45 07-Jun-2014 jsing

Move the export label initialisation into the export handling code, since
this is the only place where these variables are used.


# 1.44 07-Jun-2014 jsing

Remove pointless casts - no binary change.


# 1.43 07-Jun-2014 jsing

Rename variables to make it clear that these are only used in the export
code. Additionally, these need to be cleaned in the export case.

Based on Adam Langley's chromium patches.


# 1.42 07-Jun-2014 jsing

Further clean up of context handling in tls1_change_cipher_state().

Rather than doing a complex dance to figure out if we should reuse the
cipher context and clean it later on, just free it and allocate a new one.
This simplifies the code path, especially in the write case where special
handling is required for DTLS.

Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is
unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention
that it was already missing from the write case).


# 1.41 02-Jun-2014 jsing

Rename more variables for readability and consistency.


# 1.40 01-Jun-2014 jsing

Overhaul the key block handling in tls1_change_cipher_state() - use
meaningful variable names with pointer arithmetic, rather than n, i, j
and p with array indexing.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.39 01-Jun-2014 jsing

In tls1_setup_key_block(), use the correct IV length for GCM mode, which
results in the key block length calculation also being correct. Rename a
number of variables so that their purpose becomes clear and simplify some
of the code.

Inspired by Adam Langley's chromium diffs.

ok miod@


# 1.38 01-Jun-2014 jsing

Clean up the tls1_change_cipher_state() key length handling and use a
single variable with a descriptive name, instead of two poorly named
variables.

Largely based on Adam Langley's chromium patches.

ok miod@


# 1.37 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.36 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.35 29-May-2014 jsing

Fix another two cases where the return value of ssl_replace_hash() is
unchecked.

In the case of tls1_change_cipher_state(), it is fairly pointless to use
ssl_replace_hash(), since it does not initialise the hash and there is
special handling required in the DTLS write case. Instead, just inline
the part of ssl_replace_hash() that is needed and only
ssl_clear_hash_ctx() the write hash in the non-DTLS case.

Also add a detailed comment explaining why there needs to be specialised
handling for DTLS write context and where the contexts are actually freed.

ok miod@


# 1.34 28-May-2014 jsing

More KNF.


# 1.33 28-May-2014 jsing

Refactor tls1_change_cipher_state() and split the compression handling out
from the cipher and message digest handling, allowing for upcoming changes.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.32 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.31 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.30 25-May-2014 jsing

The ssl_cipher_get_evp() function is currently overloaded to also return the
compression associated with the SSL session. Based on one of Adam Langley's
chromium diffs, factor out the compression handling code into a separate
ssl_cipher_get_comp() function.

Rewrite the compression handling code to avoid pointless duplication and so
that failures are actually returned to and detectable by the caller.

ok miod@


# 1.29 24-May-2014 miod

Invoke OPENSSL_cleanse() with the size of the variable you are cleaning.
ok jsing@


# 1.28 20-May-2014 jsing

KSSL is dead... nuke KSSL_DEBUG from orbit.

ok beck@ miod@


# 1.27 28-Apr-2014 tedu

use the correct algorithm mask. reported by satish lvr via
http://marc.info/?l=openssl-dev&m=139779977532459&w=2
ok miod


# 1.26 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.25 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.24 19-Apr-2014 jsing

More KNF.


# 1.23 18-Apr-2014 tedu

now that knf carpet bombing is finished, switch to hand to hand combat.
still not sure what to make of mysteries like this:
for (i = 7; i >= 0; i--) { /* increment */


# 1.22 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.21 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.20 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.19 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.18 27-Feb-2014 jca

SECURITY fixes backported from openssl-1.0.1f. ok mikeb@

CVE-2013-4353 NULL pointer dereference with crafted Next Protocol
Negotiation record in TLS handshake.
Upstream: 197e0ea

CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client.
Upstream: ca98926, 0294b2b

CVE-2013-6450 Fix DTLS retransmission from previous session.
Upstream: 3462896


# 1.17 14-Feb-2013 markus

cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.14 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.13 09-Jan-2009 djm

resolve conflicts


# 1.12 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.11 06-Sep-2008 djm

resolve conflicts


# 1.10 29-Apr-2005 djm

resolve conflicts


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 01-Aug-2001 beck

merge openssl 0.9.6b-engine

Note that this is a maintenance release; APIs appear *not* to have changed.
As such, I have only increased the minor number on these libraries.


# 1.5 22-Jun-2001 beck

openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.76 07-Feb-2015 doug

Remove useless variables and use the values directly.

From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.

ok miod@, jsing@


# 1.75 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.74 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.73 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.72 16-Nov-2014 jsing

Sort and group includes.


# 1.71 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.70 18-Oct-2014 doug

Typical malloc() with size multiplication to reallocarray().

ok deraadt@


# 1.69 07-Aug-2014 miod

Oops, revert changes commited by mistake. The previous commit was supposed
to only apply to s23_srvr.c.


# 1.68 07-Aug-2014 miod

When you expect a function to return a particular value, don't put a comment
saying that you expect it to return that value and compare it against zero
because it is supposedly faster, for this leads to bugs (especially given the
high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this
library).

Instead, compare for the exact value it ought to return upon success.

ok deraadt@


# 1.67 10-Jul-2014 jsing

Remove more compression related code.


# 1.66 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.65 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.64 08-Jul-2014 beck

pedantic avoidance of division by zero, likely not actually
possible to hit for real.
ok miod@ jsing@


# 1.63 21-Jun-2014 jsing

Pull the code that builds a DTLS sequence number out into its own function
to avoid duplication. Also use fewer magic numbers.

ok miod@


# 1.62 21-Jun-2014 jsing

Pull out the sequence number selection and handle this up front. Also, the
correct record is already known, so avoid reassignment.


# 1.61 21-Jun-2014 jsing

More KNF and clean up.


# 1.60 15-Jun-2014 jsing

Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(),
so that it reflects what it is actually doing. Use this function in a
number of places that still have the hand rolled version.

ok beck@ miod@


# 1.59 13-Jun-2014 jsing

Correctly calculate the key block length when using export ciphers.


# 1.58 13-Jun-2014 jsing

Swap compress/expand around so they are in the correct order - these ended
up in the wrong order when the code was refactored.


# 1.57 13-Jun-2014 jsing

Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and
EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.


# 1.56 13-Jun-2014 jsing

Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are
those that use EVP_AEAD instead ov EVP_CIPHER. This means being able to
change cipher state with an EVP_AEAD and being able to encrypt/decrypt
TLS using the EVP_AEAD. This has no change on existing
non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.

Based on Adam Langley's chromium patches.

Rides the recent libssl bump.

Tested by sthen@


# 1.55 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, which draft has expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.54 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.53 11-Jun-2014 jsing

Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since
OpenSSL 1.0.0.

ok miod@ (a little while back)


# 1.52 10-Jun-2014 jsing

In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex()
to avoid a possible NULL function call on ctx.final(). None of the callers
currently check the return value of calls to cert_verify_mac(), however
the function already returns 0 in another case and the MAC comparison will
later fail.

Issue reported by David Ramos.


# 1.51 08-Jun-2014 jsing

Add a define for the SSLv3 sequence size and use it, rather than sprinkling
magic numbers around.

ok deraadt@


# 1.50 08-Jun-2014 jsing

Be explicit with types. No binary change.


# 1.49 08-Jun-2014 jsing

Factor out the part of tls1_change_cipher_state() that is specific to
switching cipher states using an EVP_CIPHER. This will facilitate the
addition of cipher state changes for EVP_AEAD. No functional change.

Based on Adam Langley's chromium patches.


# 1.48 08-Jun-2014 jsing

Factor out the sequence number reset code to aid in upcoming changes.


# 1.47 07-Jun-2014 jsing

Add missing NULL check after calling EVP_PKEY_new_mac_key().

Based on Adam Langley's chromium patches.


# 1.46 07-Jun-2014 jsing

Use !is_read to imply SSL3_CC_WRITE.

While this is not strictly correct (since the presence of SSL3_CC_READ does
not guarantee the absence of SSL3_CC_WRITE), in practice only one of these
flags is set at a time and there is existing logic which already relies on
this behaviour.


# 1.45 07-Jun-2014 jsing

Move the export label initialisation into the export handling code, since
this is the only place where these variables are used.


# 1.44 07-Jun-2014 jsing

Remove pointless casts - no binary change.


# 1.43 07-Jun-2014 jsing

Rename variables to make it clear that these are only used in the export
code. Additionally, these need to be cleaned in the export case.

Based on Adam Langley's chromium patches.


# 1.42 07-Jun-2014 jsing

Further clean up of context handling in tls1_change_cipher_state().

Rather than doing a complex dance to figure out if we should reuse the
cipher context and clean it later on, just free it and allocate a new one.
This simplifies the code path, especially in the write case where special
handling is required for DTLS.

Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is
unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention
that it was already missing from the write case).


# 1.41 02-Jun-2014 jsing

Rename more variables for readability and consistency.


# 1.40 01-Jun-2014 jsing

Overhaul the key block handling in tls1_change_cipher_state() - use
meaningful variable names with pointer arithmitic, rather than n, i, j
and p with array indexing.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.39 01-Jun-2014 jsing

In tls1_setup_key_block(), use the correct IV length for GCM mode, which
results in the key block length calculation also being correct. Rename a
number of variables so that their purpose becomes clear and simplify some
of the code.

Inspired by Adam Langley's chromium diffs.

ok miod@


# 1.38 01-Jun-2014 jsing

Clean up the tls1_change_cipher_state() key length handling and use a
single variable with a descriptive name, instead of two poorly named
variables.

Largely based on Adam Langley's chromium patches.

ok miod@


# 1.37 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.36 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.35 29-May-2014 jsing

Fix another two cases where the return value of ssl_replace_hash() is
unchecked.

In the case of tls1_change_cipher_state(), it is fairly pointless to use
ssl_replace_hash(), since it does not initialise the hash and there is
special handling required in the DTLS write case. Instead, just inline
the part of ssl_replace_hash() that is needed and only
ssl_clear_hash_ctx() the write hash in the non-DTLS case.

Also add a detailed comment explaining why there needs to be specialised
handling for DTLS write context and where the contexts are actually freed.

ok miod@


# 1.34 28-May-2014 jsing

More KNF.


# 1.33 28-May-2014 jsing

Refactor tls1_change_cipher_state() and split the compression handling out
from the cipher and message digest handling, allowing for upcoming changes.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.32 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.31 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.30 25-May-2014 jsing

The ssl_ciper_get_evp() function is currently overloaded to also return the
compression associated with the SSL session. Based on one of Adam Langley's
chromium diffs, factor out the compression handling code into a separate
ssl_cipher_get_comp() function.

Rewrite the compression handling code to avoid pointless duplication and so
that failures are actually returned to and detectable by the caller.

ok miod@


# 1.29 24-May-2014 miod

Invoke OPENSSL_cleanse() with the size of the variable you are cleaning.
ok jsing@


# 1.28 20-May-2014 jsing

KSSL is dead... nuke KSSL_DEBUG from orbit.

ok beck@ miod@


# 1.27 28-Apr-2014 tedu

use the correct algorithm mask. reported by satish lvr via
http://marc.info/?l=openssl-dev&m=139779977532459&w=2
ok miod


# 1.26 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.25 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.24 19-Apr-2014 jsing

More KNF.


# 1.23 18-Apr-2014 tedu

now that knf carpet bombing is finished, switch to hand to hand combat.
still not sure what to make of mysteries like this:
for (i = 7; i >= 0; i--) { /* increment */


# 1.22 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.21 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.20 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.19 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.18 27-Feb-2014 jca

SECURITY fixes backported from openssl-1.0.1f. ok mikeb@

CVE-2013-4353 NULL pointer dereference with crafted Next Protocol
Negotiation record in TLS handshake.
Upstream: 197e0ea

CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client.
Upstream: ca98926, 0294b2b

CVE-2013-6450 Fix DTLS retransmission from previous session.
Upstream: 3462896


# 1.17 14-Feb-2013 markus

cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.14 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.13 09-Jan-2009 djm

resolve conflicts


# 1.12 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.11 06-Sep-2008 djm

resolve conflicts


# 1.10 29-Apr-2005 djm

resolve conflicts


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 01-Aug-2001 beck

merge openssl 0.9.6b-engine

Note that this is a maintenance release; APIs appear *not* to have changed.
As such, I have only increased the minor number on these libraries.


# 1.5 22-Jun-2001 beck

openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.116 08-Nov-2018 jsing

Clean up and simplify the handshake transcript code.

This provides a cleaner, simpler and more readable API, with code that uses
a BUF_MEM instead of a BIO.

ok beck@ ("hurry up") and tb@.


# 1.115 24-Oct-2018 jsing

Make more of libssl's record layer state internal.

In January 2017, we changed large amounts of libssl's data structures to
be non-visible/internal, however intentionally left things that the
software ecosystem was needing to use. The four or so applications that
reached into libssl for record layer related state now implement
alternative code. As such, make these data structures internal.

ok tb@


Revision tags: OPENBSD_6_4_BASE
# 1.114 08-Sep-2018 jsing

Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.

ok inoguchi@ tb@


# 1.113 06-Sep-2018 jsing

Drop SSL_CIPHER_ALGORITHM2_AEAD flag.

All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can
condition on that rather than having a separate redundant flag.

ok tb@


# 1.112 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.111 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.110 31-Aug-2018 jsing

Remove unused argument to tls1_change_cipher_state_cipher().


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.109 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.108 10-Apr-2017 jsing

freezero() the key block; simpler code and less of it.


Revision tags: OPENBSD_6_1_BASE
# 1.107 25-Mar-2017 jsing

Check tls1_PRF() return value in tls1_generate_master_secret().


# 1.106 25-Mar-2017 jsing

More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of
tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument
names and change lengths to size_t.

ok inoguchi@


# 1.105 18-Mar-2017 jsing

Fewer magic numbers.


# 1.104 18-Mar-2017 jsing

t1_enc.c


# 1.103 18-Mar-2017 jsing

Currently tls1_PRF() requires that a temporary buffer be provided, that
matches the size of the output buffer. This is used in the case where
there are multiple hashes - tls_P_hash() is called with the temporary
buffer and the result is then xored into the output buffer.

Avoid this by simply using a local buffer in tls_P_hash() and then xoring
the result into the output buffer. Overall this makes the code cleaner
and simplifies all of the tls_PRF() callers.

Similar to BoringSSL.

ok inoguchi@


# 1.102 10-Mar-2017 jsing

Remove the handshake digests and related code, replacing remaining uses
with the handshake hash. For now tls1_digest_cached_records() is retained
to release the handshake buffer.

ok beck@ inoguchi@


# 1.101 10-Mar-2017 jsing

First pass at cleaning up the tls1_P_hash() function - remove a pointless
EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the
code slightly.

ok inoguchi@


# 1.100 10-Mar-2017 jsing

Make tls1_PRF() non-static so it can be regress tested.


# 1.99 07-Mar-2017 jsing

Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned
and each hash processed separately.

Tested by tb@


# 1.98 06-Mar-2017 jsing

Clean up and simplify the tls1_PRF() implementation now that we have a
single EVP MD for the PRF hash.

ok beck@ inoguchi@


# 1.97 05-Mar-2017 jsing

Provide a rolling handshake hash that commences as soon as the cipher
suite has been selected, and convert the final finish MAC to use this
handshake hash.

This is a first step towards cleaning up the current handshake
buffer/digest code.

ok beck@ inoguchi@


# 1.96 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.95 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.94 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.93 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.92 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.91 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.90 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.89 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.88 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.87 06-Nov-2016 jsing

Remove unused SSLv3 from ssl3_cbc_record_digest_supported().

From Markus Uhlin <markus.uhlin at bredband dot net>

ok beck@ bcook@


# 1.86 03-Nov-2016 jsing

Clean up the TLS handshake digest handling - this refactors some of the
code for improved readability, however it also addresses two issues.

The first of these is a hard-to-hit double free that will occur if
EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure
that tls1_digest_cached_records() either completes successfully and sets
up all of the necessary digests, or it cleans up and frees everything
that was allocated.

The second issue is that EVP_DigestUpdate() can fail - detect and handle
this in tls1_finish_mac() and change the return type to an int so that a
failure can be propagated to the caller (the callers still need to be
fixed to handle this, in a later diff).

The double-free was reported by Matthew Dillon.

ok beck@ doug@ miod@


# 1.85 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replacing the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.84 06-Mar-2016 beck

Make sure stdio functions don't end up in the library, from miod@
ok doug@ bcook@


# 1.83 11-Sep-2015 jsing

Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a
ssl3_ prefix.

ok beck@


# 1.82 11-Sep-2015 jsing

Merge the remnants of s3_enc.c into t1_enc.c.

ok beck@


# 1.81 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.80 27-Aug-2015 jsing

Change AEAD out_len argument to size_t instead of ssize_t - while here,
rename it to out_len so that its purpose is more obvious. Also, drop two
checks that are no longer possible (and have not been for a long time).

Spotted by and ok doug@


# 1.79 17-Jul-2015 doug

Remove workaround for TLS padding bug from SSLeay days.

OpenSSL doesn't remember which clients were impacted and the
functionality has been broken in their stable releases for 2 years.

Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.

ok jsing@


# 1.78 17-Jun-2015 jsing

Keep alerts sorted by alert code.


# 1.77 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.76 07-Feb-2015 doug

Remove useless variables and use the values directly.

From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.

ok miod@, jsing@


# 1.75 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.74 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.73 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.72 16-Nov-2014 jsing

Sort and group includes.


# 1.71 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.70 18-Oct-2014 doug

Typical malloc() with size multiplication to reallocarray().

ok deraadt@


# 1.69 07-Aug-2014 miod

Oops, revert changes committed by mistake. The previous commit was supposed
to only apply to s23_srvr.c.


# 1.68 07-Aug-2014 miod

When you expect a function to return a particular value, don't put a comment
saying that you expect it to return that value and compare it against zero
because it is supposedly faster, for this leads to bugs (especially given the
high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this
library).

Instead, compare for the exact value it ought to return upon success.

ok deraadt@


# 1.67 10-Jul-2014 jsing

Remove more compression related code.


# 1.66 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.65 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.64 08-Jul-2014 beck

pedantic avoidance of division by zero, likely not actually
possible to hit for real.
ok miod@ jsing@


# 1.63 21-Jun-2014 jsing

Pull the code that builds a DTLS sequence number out into its own function
to avoid duplication. Also use fewer magic numbers.

ok miod@


# 1.62 21-Jun-2014 jsing

Pull out the sequence number selection and handle this up front. Also, the
correct record is already known, so avoid reassignment.


# 1.61 21-Jun-2014 jsing

More KNF and clean up.


# 1.60 15-Jun-2014 jsing

Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(),
so that it reflects what it is actually doing. Use this function in a
number of places that still have the hand rolled version.

ok beck@ miod@


# 1.59 13-Jun-2014 jsing

Correctly calculate the key block length when using export ciphers.


# 1.58 13-Jun-2014 jsing

Swap compress/expand around so they are in the correct order - these ended
up in the wrong order when the code was refactored.


# 1.57 13-Jun-2014 jsing

Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and
EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.


# 1.56 13-Jun-2014 jsing

Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are
those that use EVP_AEAD instead of EVP_CIPHER. This means being able to
change cipher state with an EVP_AEAD and being able to encrypt/decrypt
TLS using the EVP_AEAD. This has no change on existing
non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.

Based on Adam Langley's chromium patches.

Rides the recent libssl bump.

Tested by sthen@


# 1.55 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.54 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.53 11-Jun-2014 jsing

Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since
OpenSSL 1.0.0.

ok miod@ (a little while back)


# 1.52 10-Jun-2014 jsing

In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex()
to avoid a possible NULL function call on ctx.final(). None of the callers
currently check the return value of calls to cert_verify_mac(), however
the function already returns 0 in another case and the MAC comparison will
later fail.

Issue reported by David Ramos.


# 1.51 08-Jun-2014 jsing

Add a define for the SSLv3 sequence size and use it, rather than sprinkling
magic numbers around.

ok deraadt@


# 1.50 08-Jun-2014 jsing

Be explicit with types. No binary change.


# 1.49 08-Jun-2014 jsing

Factor out the part of tls1_change_cipher_state() that is specific to
switching cipher states using an EVP_CIPHER. This will facilitate the
addition of cipher state changes for EVP_AEAD. No functional change.

Based on Adam Langley's chromium patches.


# 1.48 08-Jun-2014 jsing

Factor out the sequence number reset code to aid in upcoming changes.


# 1.47 07-Jun-2014 jsing

Add missing NULL check after calling EVP_PKEY_new_mac_key().

Based on Adam Langley's chromium patches.


# 1.46 07-Jun-2014 jsing

Use !is_read to imply SSL3_CC_WRITE.

While this is not strictly correct (since the presence of SSL3_CC_READ does
not guarantee the absence of SSL3_CC_WRITE), in practice only one of these
flags is set at a time and there is existing logic which already relies on
this behaviour.


# 1.45 07-Jun-2014 jsing

Move the export label initialisation into the export handling code, since
this is the only place where these variables are used.


# 1.44 07-Jun-2014 jsing

Remove pointless casts - no binary change.


# 1.43 07-Jun-2014 jsing

Rename variables to make it clear that these are only used in the export
code. Additionally, these need to be cleaned in the export case.

Based on Adam Langley's chromium patches.


# 1.42 07-Jun-2014 jsing

Further clean up of context handling in tls1_change_cipher_state().

Rather than doing a complex dance to figure out if we should reuse the
cipher context and clean it later on, just free it and allocate a new one.
This simplifies the code path, especially in the write case where special
handling is required for DTLS.

Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is
unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention
that it was already missing from the write case).


# 1.41 02-Jun-2014 jsing

Rename more variables for readability and consistency.


# 1.40 01-Jun-2014 jsing

Overhaul the key block handling in tls1_change_cipher_state() - use
meaningful variable names with pointer arithmetic, rather than n, i, j
and p with array indexing.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.39 01-Jun-2014 jsing

In tls1_setup_key_block(), use the correct IV length for GCM mode, which
results in the key block length calculation also being correct. Rename a
number of variables so that their purpose becomes clear and simplify some
of the code.

Inspired by Adam Langley's chromium diffs.

ok miod@


# 1.38 01-Jun-2014 jsing

Clean up the tls1_change_cipher_state() key length handling and use a
single variable with a descriptive name, instead of two poorly named
variables.

Largely based on Adam Langley's chromium patches.

ok miod@
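
The secret partitioning that 1.99 corrects in the TLS PRF, and the key block
sizing that 1.39 and 1.38 deal with in tls1_setup_key_block() and
tls1_change_cipher_state(), shown together as one added example. This is
not LibreSSL code: none of the names below (p_hash, split_secret, tls_prf,
generate_master_secret, setup_key_block, KeyBlock) exist in libssl. It is a
from-the-RFC Python rendering of what tls1_P_hash(), tls1_PRF() and the key
block expansion do (RFC 2246 section 5, RFC 5246 sections 5, 6.3 and 8.1,
RFC 5288 for the AES-GCM lengths), and the randoms and pre-master secret in
the demo at the bottom are constructed values, not captured handshake data.

```python
"""TLS PRF and key block expansion, written from the RFCs as an added
example. Not LibreSSL code; all names are this example's own."""
import hashlib
import hmac
from typing import NamedTuple

MD5, SHA1, SHA256 = hashlib.md5, hashlib.sha1, hashlib.sha256
TLS1_0, TLS1_1, TLS1_2 = (3, 1), (3, 2), (3, 3)


def hmac_digest(key: bytes, msg: bytes, md) -> bytes:
    return hmac.new(key, msg, md).digest()


def p_hash(secret: bytes, seed: bytes, n: int, md) -> bytes:
    """P_<hash>(secret, seed) = HMAC(secret, A(1) + seed) || HMAC(secret,
    A(2) + seed) || ... with A(0) = seed and A(i) = HMAC(secret, A(i-1)),
    truncated to n bytes. This is the single-hash expansion tls1_P_hash()
    does; the XOR of two streams happens in tls_prf() below."""
    out = b""
    a = hmac_digest(secret, seed, md)            # A(1)
    while len(out) < n:
        out += hmac_digest(secret, a + seed, md)
        a = hmac_digest(secret, a, md)           # A(i + 1)
    return out[:n]


def split_secret(secret: bytes) -> tuple:
    """TLSv1.0/1.1 partitioning: S1 is the first half, S2 the second half,
    and for an odd length both halves share the middle byte
    (L_S1 = L_S2 = ceil(L_S / 2))."""
    half = (len(secret) + 1) // 2
    return secret[:half], secret[len(secret) - half:]


def tls_prf(secret, label, seed, n, version=TLS1_2, md=SHA256):
    """PRF(secret, label, seed). Before TLSv1.2 this is
    P_MD5(S1, label + seed) XOR P_SHA1(S2, label + seed), each hash over
    its own half of the secret. TLSv1.2 is a single P_<hash> over the whole
    secret with the suite's PRF hash (SHA-256 unless the suite says otherwise)."""
    if version >= TLS1_2:
        return p_hash(secret, label + seed, n, md)
    s1, s2 = split_secret(secret)
    md5_part = p_hash(s1, label + seed, n, MD5)
    sha1_part = p_hash(s2, label + seed, n, SHA1)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def generate_master_secret(pre_master, client_random, server_random,
                           version=TLS1_2, md=SHA256):
    """master_secret = PRF(pre_master_secret, "master secret",
    ClientHello.random + ServerHello.random)[0..47]."""
    return tls_prf(pre_master, b"master secret",
                   client_random + server_random, 48, version, md)


class KeyBlock(NamedTuple):
    client_mac_key: bytes
    server_mac_key: bytes
    client_key: bytes
    server_key: bytes
    client_iv: bytes
    server_iv: bytes


def key_block_len(mac_key_len: int, key_len: int, iv_len: int) -> int:
    return 2 * (mac_key_len + key_len + iv_len)


def setup_key_block(master_secret, server_random, client_random,
                    mac_key_len, key_len, iv_len, version=TLS1_2, md=SHA256):
    """key_block = PRF(master_secret, "key expansion",
    server_random + client_random), sliced in RFC 5246 6.3 order. Note that
    the randoms are concatenated in the opposite order to the master secret
    derivation. The three lengths are the only per-suite inputs; for AES-GCM
    mac_key_len is 0 and iv_len is the 4-byte implicit nonce (RFC 5288), not
    the 16-byte block size nor the full 12-byte GCM nonce, and a wrong iv_len
    makes the whole key_block length wrong."""
    n = key_block_len(mac_key_len, key_len, iv_len)
    kb = tls_prf(master_secret, b"key expansion",
                 server_random + client_random, n, version, md)
    parts, pos = [], 0
    for length in (mac_key_len, mac_key_len, key_len, key_len, iv_len, iv_len):
        parts.append(kb[pos:pos + length])
        pos += length
    return KeyBlock(*parts)


if __name__ == "__main__":
    # Constructed sample inputs; a real handshake supplies these.
    pms, cr, sr = bytes(48), bytes(range(32)), bytes(range(32, 64))
    ms = generate_master_secret(pms, cr, sr)
    print("master_secret:", ms.hex())
    # AES-128-GCM: no MAC key, 16-byte key, 4-byte implicit nonce.
    print(setup_key_block(ms, sr, cr, 0, 16, 4))
    # AES-128-CBC with HMAC-SHA1 under TLSv1.0: 20/16/16, MD5+SHA1 PRF.
    ms10 = generate_master_secret(pms, cr, sr, version=TLS1_0)
    print(setup_key_block(ms10, sr, cr, 20, 16, 16, version=TLS1_0))
```

The TLSv1.0 path is where 1.99 applies: P_MD5 runs over the first half of
the secret and P_SHA1 over the second half, and the two streams are XORed,
which is also why the pre-1.103 tls1_PRF() needed a temporary buffer the
size of the output. For the key block, AES-128-GCM is (0, 16, 4) and
AES-128-CBC-SHA is (20, 16, 16); everything else about the slicing is fixed
by the RFC.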


# 1.37 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.115 24-Oct-2018 jsing

Make more of libssl's record layer state internal.

In January 2017, we changed large amounts of libssl's data structures to
be non-visible/internal, however intentionally left things that the
software ecosystem was needing to use. The four or so applications that
reached into libssl for record layer related state now implement
alternative code. As such, make these data structures internal.

ok tb@


Revision tags: OPENBSD_6_4_BASE
# 1.114 08-Sep-2018 jsing

Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.

ok inoguchi@ tb@


# 1.113 06-Sep-2018 jsing

Drop SSL_CIPHER_ALGORITHM2_AEAD flag.

All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can
condition on that rather than having a separate redundant flag.

ok tb@


# 1.112 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.111 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.110 31-Aug-2018 jsing

Remove unused argument to tls1_change_cipher_state_cipher().


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.109 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.108 10-Apr-2017 jsing

freezero() the key block; simpler code and less of it.


Revision tags: OPENBSD_6_1_BASE
# 1.107 25-Mar-2017 jsing

Check tls1_PRF() return value in tls1_generate_master_secret().


# 1.106 25-Mar-2017 jsing

More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of
tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument
names and change lengths to size_t.

ok inoguchi@


# 1.105 18-Mar-2017 jsing

Fewer magic numbers.


# 1.104 18-Mar-2017 jsing

t1_enc.c


# 1.103 18-Mar-2017 jsing

Currently tls1_PRF() requires that a temporary buffer be provided, that
matches the size of the output buffer. This is used in the case where
there are multiple hashes - tls_P_hash() is called with the temporary
buffer and the result is then xored into the output buffer.

Avoid this by simply using a local buffer in tls_P_hash() and then xoring
the result into the output buffer. Overall this makes the code cleaner
and simplifies all of the tls_PRF() callers.

Similar to BoringSSL.

ok inoguchi@


# 1.102 10-Mar-2017 jsing

Remove the handshake digests and related code, replacing remaining uses
with the handshake hash. For now tls1_digest_cached_records() is retained
to release the handshake buffer.

ok beck@ inoguchi@


# 1.101 10-Mar-2017 jsing

First pass at cleaning up the tls1_P_hash() function - remove a pointless
EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the
code slightly.

ok inoguchi@


# 1.100 10-Mar-2017 jsing

Make tls1_PRF() non-static so it can be regress tested.


# 1.99 07-Mar-2017 jsing

Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned
and each hash processed separately.

Tested by tb@


# 1.98 06-Mar-2017 jsing

Clean up and simplify the tls1_PRF() implementation now that we have a
single EVP MD for the PRF hash.

ok beck@ inoguchi@


# 1.97 05-Mar-2017 jsing

Provide a rolling handshake hash that commences as soon as the cipher
suite has been selected, and convert the final finish MAC to use this
handshake hash.

This is a first step towards cleaning up the current handshake
buffer/digest code.

ok beck@ inoguchi@


# 1.96 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.95 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.94 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single funciton code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.93 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.92 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.91 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.90 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.89 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.88 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.87 06-Nov-2016 jsing

Remove unused SSLv3 from ssl3_cbc_record_digest_supported().

From Markus Uhlin <markus.uhlin at bredband dot net>

ok beck@ bcook@


# 1.86 03-Nov-2016 jsing

Clean up the TLS handshake digest handling - this refactors some of the
code for improved readability, however it also addresses two issues.

The first of these is a hard-to-hit double free that will occur if
EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure
that tls1_digest_cached_records() either completes successfully and sets
up all of the necessary digests, or it cleans up and frees everything
that was allocated.

The second issue is that EVP_DigestUpdate() can fail - detect and handle
this in tls1_finish_mac() and change the return type to an int so that a
failure can be propagated to the caller (the callers still need to be
fixed to handle this, in a later diff).

The double-free was reported by Matthew Dillon.

ok beck@ doug@ miod@


# 1.85 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
which effectively replaces the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.84 06-Mar-2016 beck

Make sure stdio functions don't end up in the library, from miod@
ok doug@ bcook@


# 1.83 11-Sep-2015 jsing

Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a
ssl3_ prefix.

ok beck@


# 1.82 11-Sep-2015 jsing

Merge the remnants of s3_enc.c into t1_enc.c.

ok beck@


# 1.81 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.80 27-Aug-2015 jsing

Change AEAD out_len argument to size_t instead of ssize_t - while here,
rename it to out_len so that its purpose is more obvious. Also, drop two
checks that are no longer possible (and have not been for a long time).

Spotted by and ok doug@


# 1.79 17-Jul-2015 doug

Remove workaround for TLS padding bug from SSLeay days.

OpenSSL doesn't remember which clients were impacted and the
functionality has been broken in their stable releases for 2 years.

Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.

ok jsing@


# 1.78 17-Jun-2015 jsing

Keep alerts sorted by alert code.


# 1.77 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@

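The server-side check that revision 1.77 adds is specified in RFC 7507 section 3: a ClientHello that carries the TLS_FALLBACK_SCSV value (0x5600) in its cipher suite list while announcing a client_version below the highest version the server supports is answered with a fatal inappropriate_fallback (86) alert. The following is an added example, not the libssl implementation: it constructs minimal ClientHello messages (no extensions, no record layer), parses the cipher suite list with length checks, and applies the RFC 7507 rule. The helper names are this example's own, the cipher suite values used as sample input are constructed, and the check covers TLS only (DTLS version numbers compare in the opposite direction, which is not handled here).

```python
"""Server-side TLS_FALLBACK_SCSV handling (RFC 7507).

Added example for the t1_enc.c history log, not libssl code. Builds and
parses bare ClientHello handshake messages so the check can be exercised
offline.
"""
import os
import struct

TLS_FALLBACK_SCSV = 0x5600             # RFC 7507 section 2
ALERT_INAPPROPRIATE_FALLBACK = 86      # RFC 7507 section 2
TLS1_0, TLS1_1, TLS1_2 = (3, 1), (3, 2), (3, 3)


def build_client_hello(version, cipher_suites, random=None):
    """Construct a minimal ClientHello handshake message (no extensions)."""
    random = random if random is not None else os.urandom(32)
    body = bytes(version) + random + b"\x00"          # client_version, random, empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                 # compression_methods: null only
    return b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello(1)


def parse_client_hello(msg):
    """Return (client_version, [cipher suites]) from a ClientHello message.

    Every length field is checked before it is used so a truncated or
    malformed message raises ValueError instead of reading past the end.
    """
    if len(msg) < 4 or msg[0] != 1:
        raise ValueError("not a ClientHello")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated ClientHello")
    if len(body) < 35:                                  # version(2) + random(32) + sid_len(1)
        raise ValueError("ClientHello too short")
    version = (body[0], body[1])
    off = 35 + body[34]                                 # skip session_id
    if off + 2 > len(body):
        raise ValueError("bad session_id length")
    suites_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    if suites_len % 2 or off + suites_len > len(body):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(off, off + suites_len, 2)]
    return version, suites


def check_fallback_scsv(msg, server_max_version):
    """RFC 7507 section 3, server side.

    If the SCSV is present and client_version is lower than the highest
    version this server supports, the client is retrying at a downgraded
    version although the server could do better: abort with
    inappropriate_fallback. Otherwise (no SCSV, or the client already
    offered our best version) continue the handshake.

    Returns the alert description to send, or None to carry on.
    """
    client_version, suites = parse_client_hello(msg)
    if TLS_FALLBACK_SCSV in suites and client_version < server_max_version:
        return ALERT_INAPPROPRIATE_FALLBACK
    return None
```

Note what the check does not do: it never rejects a client that simply does not send the SCSV, which is why the commit message says the mechanism only helps when both ends implement it.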

# 1.76 07-Feb-2015 doug

Remove useless variables and use the values directly.

From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.

ok miod@, jsing@


# 1.75 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.74 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.73 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.72 16-Nov-2014 jsing

Sort and group includes.


# 1.71 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.70 18-Oct-2014 doug

Typical malloc() with size multiplication to reallocarray().

ok deraadt@


# 1.69 07-Aug-2014 miod

Oops, revert changes committed by mistake. The previous commit was supposed
to only apply to s23_srvr.c.


# 1.68 07-Aug-2014 miod

When you expect a function to return a particular value, don't put a comment
saying that you expect it to return that value and compare it against zero
because it is supposedly faster, for this leads to bugs (especially given the
high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this
library).

Instead, compare for the exact value it ought to return upon success.

ok deraadt@


# 1.67 10-Jul-2014 jsing

Remove more compression related code.


# 1.66 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.65 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.64 08-Jul-2014 beck

pedantic avoidance of division by zero, likely not actually
possible to hit for real.
ok miod@ jsing@


# 1.63 21-Jun-2014 jsing

Pull the code that builds a DTLS sequence number out into its own function
to avoid duplication. Also use fewer magic numbers.

ok miod@


# 1.62 21-Jun-2014 jsing

Pull out the sequence number selection and handle this up front. Also, the
correct record is already known, so avoid reassignment.


# 1.61 21-Jun-2014 jsing

More KNF and clean up.


# 1.60 15-Jun-2014 jsing

Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(),
so that it reflects what it is actually doing. Use this function in a
number of places that still have the hand rolled version.

ok beck@ miod@


# 1.59 13-Jun-2014 jsing

Correctly calculate the key block length when using export ciphers.


# 1.58 13-Jun-2014 jsing

Swap compress/expand around so they are in the correct order - these ended
up in the wrong order when the code was refactored.


# 1.57 13-Jun-2014 jsing

Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and
EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.


# 1.56 13-Jun-2014 jsing

Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are
those that use EVP_AEAD instead of EVP_CIPHER. This means being able to
change cipher state with an EVP_AEAD and being able to encrypt/decrypt
TLS using the EVP_AEAD. This has no change on existing
non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.

Based on Adam Langley's chromium patches.

Rides the recent libssl bump.

Tested by sthen@


# 1.55 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.54 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.53 11-Jun-2014 jsing

Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since
OpenSSL 1.0.0.

ok miod@ (a little while back)


# 1.52 10-Jun-2014 jsing

In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex()
to avoid a possible NULL function call on ctx.final(). None of the callers
currently check the return value of calls to cert_verify_mac(), however
the function already returns 0 in another case and the MAC comparison will
later fail.

Issue reported by David Ramos.


# 1.51 08-Jun-2014 jsing

Add a define for the SSLv3 sequence size and use it, rather than sprinkling
magic numbers around.

ok deraadt@


# 1.50 08-Jun-2014 jsing

Be explicit with types. No binary change.


# 1.49 08-Jun-2014 jsing

Factor out the part of tls1_change_cipher_state() that is specific to
switching cipher states using an EVP_CIPHER. This will facilitate the
addition of cipher state changes for EVP_AEAD. No functional change.

Based on Adam Langley's chromium patches.


# 1.48 08-Jun-2014 jsing

Factor out the sequence number reset code to aid in upcoming changes.

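Several of the entries above (1.63 and 1.62 on building the DTLS sequence number, 1.60 on ssl3_record_sequence_increment(), 1.51 on the SSL3 sequence size define, and 1.48 on the sequence number reset) deal with the 8-byte record sequence number that feeds the MAC or AEAD input. The following is an added example, not libssl's code: it implements the big-endian byte-wise increment that the hand-rolled loops did, the reset that happens when a new cipher state is installed, the DTLS form where the top 16 bits are the epoch and the remaining 48 bits are the record sequence, and the 13-byte MAC/AEAD header built from it. Function names and the overflow policy (reporting a wrap rather than silently continuing) are this example's own.

```python
"""Record sequence number handling for TLS and DTLS.

Added example for the t1_enc.c history log, not libssl code. TLS records
are numbered with a 64-bit counter (RFC 5246 section 6.1); DTLS splits
the same 64 bits into a 16-bit epoch and a 48-bit sequence number
(RFC 6347 section 4.1).
"""

SSL3_SEQUENCE_SIZE = 8   # named size instead of the magic number 8


def sequence_increment(seq: bytearray) -> bool:
    """Increment an 8-byte big-endian sequence number in place.

    Walks from the least significant byte upwards, carrying into the next
    byte only when the current one wraps to zero, which is what the
    "for (i = 7; i >= 0; i--)" loops in the old code did. Returns False if
    the whole counter wrapped: a peer must renegotiate before that point,
    so a wrap is a protocol error, not something to keep counting past.
    """
    for i in range(SSL3_SEQUENCE_SIZE - 1, -1, -1):
        seq[i] = (seq[i] + 1) & 0xFF
        if seq[i] != 0:
            return True
    return False


def sequence_reset() -> bytearray:
    """Sequence numbers restart at zero whenever a new cipher state is
    installed (after a ChangeCipherSpec), for each direction separately."""
    return bytearray(SSL3_SEQUENCE_SIZE)


def dtls_sequence(epoch: int, seq: bytes) -> bytes:
    """Build the 64-bit DTLS sequence: epoch(16 bits) || record seq(48 bits).

    The per-epoch record counter is kept in an 8-byte buffer here, so its
    top two bytes must still be zero; if they are not, more than 2^48
    records have been sent in one epoch, which DTLS does not allow.
    """
    if not 0 <= epoch <= 0xFFFF:
        raise ValueError("epoch out of range")
    if len(seq) != SSL3_SEQUENCE_SIZE or seq[:2] != b"\x00\x00":
        raise ValueError("DTLS record sequence number must fit in 48 bits")
    return epoch.to_bytes(2, "big") + bytes(seq[2:])


def mac_input_header(epoch: int, seq: bytes, is_dtls: bool,
                     content_type: int, version: tuple, length: int) -> bytes:
    """The 13 bytes prepended to the MAC input (or used as AEAD additional
    data): seq_num(8) || type(1) || version(2) || length(2)."""
    seq_bytes = dtls_sequence(epoch, seq) if is_dtls else bytes(seq)
    return (seq_bytes + bytes([content_type]) + bytes(version)
            + length.to_bytes(2, "big"))
```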

# 1.47 07-Jun-2014 jsing

Add missing NULL check after calling EVP_PKEY_new_mac_key().

Based on Adam Langley's chromium patches.


# 1.46 07-Jun-2014 jsing

Use !is_read to imply SSL3_CC_WRITE.

While this is not strictly correct (since the presence of SSL3_CC_READ does
not guarantee the absence of SSL3_CC_WRITE), in practice only one of these
flags is set at a time and there is existing logic which already relies on
this behaviour.


# 1.45 07-Jun-2014 jsing

Move the export label initialisation into the export handling code, since
this is the only place where these variables are used.


# 1.44 07-Jun-2014 jsing

Remove pointless casts - no binary change.


# 1.43 07-Jun-2014 jsing

Rename variables to make it clear that these are only used in the export
code. Additionally, these need to be cleaned in the export case.

Based on Adam Langley's chromium patches.


# 1.42 07-Jun-2014 jsing

Further clean up of context handling in tls1_change_cipher_state().

Rather than doing a complex dance to figure out if we should reuse the
cipher context and clean it later on, just free it and allocate a new one.
This simplifies the code path, especially in the write case where special
handling is required for DTLS.

Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is
unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention
that it was already missing from the write case).


# 1.41 02-Jun-2014 jsing

Rename more variables for readability and consistency.


# 1.40 01-Jun-2014 jsing

Overhaul the key block handling in tls1_change_cipher_state() - use
meaningful variable names with pointer arithmetic, rather than n, i, j
and p with array indexing.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.39 01-Jun-2014 jsing

In tls1_setup_key_block(), use the correct IV length for GCM mode, which
results in the key block length calculation also being correct. Rename a
number of variables so that their purpose becomes clear and simplify some
of the code.

Inspired by Adam Langley's chromium diffs.

ok miod@


# 1.38 01-Jun-2014 jsing

Clean up the tls1_change_cipher_state() key length handling and use a
single variable with a descriptive name, instead of two poorly named
variables.

Largely based on Adam Langley's chromium patches.

ok miod@


# 1.37 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.36 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.35 29-May-2014 jsing

Fix another two cases where the return value of ssl_replace_hash() is
unchecked.

In the case of tls1_change_cipher_state(), it is fairly pointless to use
ssl_replace_hash(), since it does not initialise the hash and there is
special handling required in the DTLS write case. Instead, just inline
the part of ssl_replace_hash() that is needed and only
ssl_clear_hash_ctx() the write hash in the non-DTLS case.

Also add a detailed comment explaining why there needs to be specialised
handling for DTLS write context and where the contexts are actually freed.

ok miod@


# 1.34 28-May-2014 jsing

More KNF.


# 1.33 28-May-2014 jsing

Refactor tls1_change_cipher_state() and split the compression handling out
from the cipher and message digest handling, allowing for upcoming changes.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.32 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.31 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.30 25-May-2014 jsing

The ssl_cipher_get_evp() function is currently overloaded to also return the
compression associated with the SSL session. Based on one of Adam Langley's
chromium diffs, factor out the compression handling code into a separate
ssl_cipher_get_comp() function.

Rewrite the compression handling code to avoid pointless duplication and so
that failures are actually returned to and detectable by the caller.

ok miod@


# 1.29 24-May-2014 miod

Invoke OPENSSL_cleanse() with the size of the variable you are cleaning.
ok jsing@


# 1.28 20-May-2014 jsing

KSSL is dead... nuke KSSL_DEBUG from orbit.

ok beck@ miod@


# 1.27 28-Apr-2014 tedu

use the correct algorithm mask. reported by satish lvr via
http://marc.info/?l=openssl-dev&m=139779977532459&w=2
ok miod


# 1.26 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.25 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.24 19-Apr-2014 jsing

More KNF.


# 1.23 18-Apr-2014 tedu

now that knf carpet bombing is finished, switch to hand to hand combat.
still not sure what to make of mysteries like this:
for (i = 7; i >= 0; i--) { /* increment */


# 1.22 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.21 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.20 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.19 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.18 27-Feb-2014 jca

SECURITY fixes backported from openssl-1.0.1f. ok mikeb@

CVE-2013-4353 NULL pointer dereference with crafted Next Protocol
Negotiation record in TLS handshake.
Upstream: 197e0ea

CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client.
Upstream: ca98926, 0294b2b

CVE-2013-6450 Fix DTLS retransmission from previous session.
Upstream: 3462896


# 1.17 14-Feb-2013 markus

cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.14 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.13 09-Jan-2009 djm

resolve conflicts


# 1.12 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.11 06-Sep-2008 djm

resolve conflicts


# 1.10 29-Apr-2005 djm

resolve conflicts


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 01-Aug-2001 beck

merge openssl 0.9.6b-engine

Note that this is a maintenance release; APIs appear *not* to have changed.
As such, I have only increased the minor number on these libraries


# 1.5 22-Jun-2001 beck

openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.101 10-Mar-2017 jsing

First pass at cleaning up the tls1_P_hash() function - remove a pointless
EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the
code slightly.

ok inoguchi@


# 1.100 10-Mar-2017 jsing

Make tls1_PRF() non-static so it can be regress tested.


# 1.99 07-Mar-2017 jsing

Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned
and each hash processed separately.

Tested by tb@


# 1.98 06-Mar-2017 jsing

Clean up and simplify the tls1_PRF() implementation now that we have a
single EVP MD for the PRF hash.

ok beck@ inoguchi@


# 1.97 05-Mar-2017 jsing

Provide a rolling handshake hash that commences as soon as the cipher
suite has been selected, and convert the final finish MAC to use this
handshake hash.

This is a first step towards cleaning up the current handshake
buffer/digest code.

ok beck@ inoguchi@


# 1.96 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.95 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.94 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single funciton code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.93 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.92 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.91 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.90 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.89 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.88 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.87 06-Nov-2016 jsing

Remove unused SSLv3 from ssl3_cbc_record_digest_supported().

From Markus Uhlin <markus.uhlin at bredband dot net>

ok beck@ bcooK@


# 1.86 03-Nov-2016 jsing

Clean up the TLS handshake digest handling - this refactors some of the
code for improved readability, however it also address two issues.

The first of these is a hard-to-hit double free that will occur if
EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure
that tls1_digest_cached_records() either completes successfully and sets
up all of the necessary digests, or it cleans up and frees everything
that was allocated.

The second issue is that EVP_DigestUpdate() can fail - detect and handle
this in tls1_finish_mac() and change the return type to an int so that a
failure can be propagated to the caller (the callers still need to be
fixed to handle this, in a later diff).

The double-free was reported by Matthew Dillon.

ok beck@ doug@ miod@


# 1.85 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replaces the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.84 06-Mar-2016 beck

Make sure stdio functions don't end up in the library, from miod@
ok doug@ bcook@


# 1.83 11-Sep-2015 jsing

Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a
ssl3_ prefix.

ok beck@


# 1.82 11-Sep-2015 jsing

Merge the remnants of s3_enc.c into t1_enc.c.

ok beck@


# 1.81 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.80 27-Aug-2015 jsing

Change AEAD out_len argument to size_t instead of ssize_t - while here,
rename it to out_len so that its purpose is more obvious. Also, drop two
checks that are no longer possible (and have not been for a long time).

Spotted by and ok doug@


# 1.79 17-Jul-2015 doug

Remove workaround for TLS padding bug from SSLeay days.

OpenSSL doesn't remember which clients were impacted and the
functionality has been broken in their stable releases for 2 years.

Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.

ok jsing@


# 1.78 17-Jun-2015 jsing

Keep alerts sorted by alert code.


# 1.77 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatability with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.76 07-Feb-2015 doug

Remove useless variables and use the values directly.

From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.

ok miod@, jsing@


# 1.75 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.74 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.73 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.72 16-Nov-2014 jsing

Sort and group includes.


# 1.71 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.70 18-Oct-2014 doug

Typical malloc() with size multiplication to reallocarray().

ok deraadt@


# 1.69 07-Aug-2014 miod

Oops, revert changes commited by mistake. The previous commit was supposed
to only apply to s23_srvr.c.


# 1.68 07-Aug-2014 miod

When you expect a function to return a particular value, don't put a comment
saying that you expect it to return that value and compare it against zero
because it is supposedly faster, for this leads to bugs (especially given the
high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this
library).

Instead, compare for the exact value it ought to return upon success.

ok deraadt@


# 1.67 10-Jul-2014 jsing

Remove more compression related code.


# 1.66 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.65 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.64 08-Jul-2014 beck

pedantic avoidance of division by zero, likely not actually
possible to hit for real.
ok miod@ jsing@


# 1.63 21-Jun-2014 jsing

Pull the code that builds a DTLS sequence number out into its own function
to avoid duplication. Also use fewer magic numbers.

ok miod@


# 1.62 21-Jun-2014 jsing

Pull out the sequence number selection and handle this up front. Also, the
correct record is already known, so avoid reassignment.


# 1.61 21-Jun-2014 jsing

More KNF and clean up.


# 1.60 15-Jun-2014 jsing

Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(),
so that it reflects what it is actually doing. Use this function in a
number of places that still have the hand rolled version.

ok beck@ miod@


# 1.59 13-Jun-2014 jsing

Correctly calculate the key block length when using export ciphers.


# 1.58 13-Jun-2014 jsing

Swap compress/expand around so they are in the correct order - these ended
up in the wrong order when the code was refactored.


# 1.57 13-Jun-2014 jsing

Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and
EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.


# 1.56 13-Jun-2014 jsing

Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are
those that use EVP_AEAD instead ov EVP_CIPHER. This means being able to
change cipher state with an EVP_AEAD and being able to encrypt/decrypt
TLS using the EVP_AEAD. This has no change on existing
non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.

Based on Adam Langley's chromium patches.

Rides the recent libssl bump.

Tested by sthen@


# 1.55 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, which draft has expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.54 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.53 11-Jun-2014 jsing

Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since
OpenSSL 1.0.0.

ok miod@ (a little while back)


# 1.52 10-Jun-2014 jsing

In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex()
to avoid a possible NULL function call on ctx.final(). None of the callers
currently check the return value of calls to cert_verify_mac(), however
the function already returns 0 in another case and the MAC comparison will
later fail.

Issue reported by David Ramos.


# 1.51 08-Jun-2014 jsing

Add a define for the SSLv3 sequence size and use it, rather than sprinkling
magic numbers around.

ok deraadt@


# 1.50 08-Jun-2014 jsing

Be explicit with types. No binary change.


# 1.49 08-Jun-2014 jsing

Factor out the part of tls1_change_cipher_state() that is specific to
switching cipher states using an EVP_CIPHER. This will facilitate the
addition of cipher state changes for EVP_AEAD. No functional change.

Based on Adam Langley's chromium patches.


# 1.48 08-Jun-2014 jsing

Factor out the sequence number reset code to aid in upcoming changes.


# 1.47 07-Jun-2014 jsing

Add missing NULL check after calling EVP_PKEY_new_mac_key().

Based on Adam Langley's chromium patches.


# 1.46 07-Jun-2014 jsing

Use !is_read to imply SSL3_CC_WRITE.

While this is not strictly correct (since the presence of SSL3_CC_READ does
not guarantee the absence of SSL3_CC_WRITE), in practice only one of these
flags is set at a time and there is existing logic which already relies on
this behaviour.


# 1.45 07-Jun-2014 jsing

Move the export label initialisation into the export handling code, since
this is the only place where these variables are used.


# 1.44 07-Jun-2014 jsing

Remove pointless casts - no binary change.


# 1.43 07-Jun-2014 jsing

Rename variables to make it clear that these are only used in the export
code. Additionally, these need to be cleaned in the export case.

Based on Adam Langley's chromium patches.


# 1.42 07-Jun-2014 jsing

Further clean up of context handling in tls1_change_cipher_state().

Rather than doing a complex dance to figure out if we should reuse the
cipher context and clean it later on, just free it and allocate a new one.
This simplifies the code path, especially in the write case where special
handling is required for DTLS.

Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is
unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention
that it was already missing from the write case).


# 1.41 02-Jun-2014 jsing

Rename more variables for readability and consistency.


# 1.40 01-Jun-2014 jsing

Overhaul the key block handling in tls1_change_cipher_state() - use
meaningful variable names with pointer arithmetic, rather than n, i, j
and p with array indexing.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.39 01-Jun-2014 jsing

In tls1_setup_key_block(), use the correct IV length for GCM mode, which
results in the key block length calculation also being correct. Rename a
number of variables so that their purpose becomes clear and simplify some
of the code.

Inspired by Adam Langley's chromium diffs.

ok miod@

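The key block sizing that revisions 1.38 through 1.40 (and the 1.59 export-cipher fix at the top of this section) deal with, shown as an added worked example rather than libssl code: a small Python reference model of the TLS PRF (the TLS 1.0/1.1 MD5+SHA1 split and the TLS 1.2 single-hash form) and of the "key expansion" partition into per-direction MAC keys, keys and IVs. The suite table, master secret and randoms are constructed for illustration; the sizes follow RFC 5246 section 6.3 and RFC 5288 section 3, where only the 4-byte implicit nonce, not the full GCM IV, is taken from the key block.

```python
"""
Constructed reference model of TLSv1.x key derivation (RFC 2246 section 5,
RFC 5246 sections 5 and 6.3, RFC 5288 section 3). Added example; it is not
libssl code and relies only on Python's hmac module.
"""
import hmac


def p_hash(hash_name: str, secret: bytes, seed: bytes, out_len: int) -> bytes:
    """P_hash(secret, seed) = HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ...
    with A(0) = seed and A(i) = HMAC(secret, A(i-1)); the stream is cut to out_len."""
    a = seed
    out = b""
    while len(out) < out_len:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:out_len]


def prf_tls10(secret: bytes, label: bytes, seed: bytes, out_len: int) -> bytes:
    """TLS 1.0/1.1 PRF: the secret is partitioned into two halves (the middle
    byte is shared when the length is odd), P_MD5 runs over the first half,
    P_SHA1 over the second, and the two streams are XORed together."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_stream = p_hash("md5", s1, label + seed, out_len)
    sha1_stream = p_hash("sha1", s2, label + seed, out_len)
    return bytes(x ^ y for x, y in zip(md5_stream, sha1_stream))


def prf_tls12(secret: bytes, label: bytes, seed: bytes, out_len: int,
              hash_name: str = "sha256") -> bytes:
    """TLS 1.2 PRF: a single P_hash with the cipher suite's PRF hash."""
    return p_hash(hash_name, secret, label + seed, out_len)


# Constructed per-suite sizes for two suites. For GCM the key block carries only
# the 4-byte implicit nonce (RFC 5288 section 3); sizing it with the cipher's
# full IV length would make the key block too long, which is the point of the
# 1.39 fix above.
SUITES = {
    "AES128-SHA":        {"mac_key_len": 20, "key_len": 16, "iv_len": 16},
    "AES128-GCM-SHA256": {"mac_key_len": 0,  "key_len": 16, "iv_len": 4},
}


def key_block_len(mac_key_len: int, key_len: int, iv_len: int) -> int:
    """Two of everything: one set for the client write side, one for the server's."""
    return 2 * (mac_key_len + key_len + iv_len)


def partition_key_block(key_block: bytes, suite: str) -> dict:
    """Slice the key block in the RFC 5246 section 6.3 order."""
    p = SUITES[suite]
    sizes = [
        ("client_write_MAC_key", p["mac_key_len"]),
        ("server_write_MAC_key", p["mac_key_len"]),
        ("client_write_key", p["key_len"]),
        ("server_write_key", p["key_len"]),
        ("client_write_IV", p["iv_len"]),
        ("server_write_IV", p["iv_len"]),
    ]
    if len(key_block) != sum(n for _, n in sizes):
        raise ValueError("key block length does not match the suite")
    parts, off = {}, 0
    for name, n in sizes:
        parts[name] = key_block[off:off + n]
        off += n
    return parts


def derive_key_block(master_secret: bytes, client_random: bytes,
                     server_random: bytes, suite: str, prf=prf_tls12) -> dict:
    """Run the "key expansion" PRF for exactly key_block_len bytes and partition it.
    Note the seed order: server_random precedes client_random for key expansion."""
    total = key_block_len(**SUITES[suite])
    key_block = prf(master_secret, b"key expansion",
                    server_random + client_random, total)
    return partition_key_block(key_block, suite)


if __name__ == "__main__":
    # Constructed inputs, not taken from any real handshake.
    ms = bytes(range(48))
    cr, sr = b"\x11" * 32, b"\x22" * 32
    for name in SUITES:
        keys = derive_key_block(ms, cr, sr, name)
        print(name, {k: len(v) for k, v in keys.items()})
```

Passing `prf=prf_tls10` to `derive_key_block` gives the TLS 1.0/1.1 derivation with the same partition; the length check in `partition_key_block` is where an over-sized GCM IV length would surface.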

# 1.38 01-Jun-2014 jsing

Clean up the tls1_change_cipher_state() key length handling and use a
single variable with a descriptive name, instead of two poorly named
variables.

Largely based on Adam Langley's chromium patches.

ok miod@


# 1.37 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.36 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.35 29-May-2014 jsing

Fix another two cases where the return value of ssl_replace_hash() is
unchecked.

In the case of tls1_change_cipher_state(), it is fairly pointless to use
ssl_replace_hash(), since it does not initialise the hash and there is
special handling required in the DTLS write case. Instead, just inline
the part of ssl_replace_hash() that is needed and only
ssl_clear_hash_ctx() the write hash in the non-DTLS case.

Also add a detailed comment explaining why there needs to be specialised
handling for DTLS write context and where the contexts are actually freed.

ok miod@


# 1.34 28-May-2014 jsing

More KNF.


# 1.33 28-May-2014 jsing

Refactor tls1_change_cipher_state() and split the compression handling out
from the cipher and message digest handling, allowing for upcoming changes.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.32 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.31 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.30 25-May-2014 jsing

The ssl_cipher_get_evp() function is currently overloaded to also return the
compression associated with the SSL session. Based on one of Adam Langley's
chromium diffs, factor out the compression handling code into a separate
ssl_cipher_get_comp() function.

Rewrite the compression handling code to avoid pointless duplication and so
that failures are actually returned to and detectable by the caller.

ok miod@


# 1.29 24-May-2014 miod

Invoke OPENSSL_cleanse() with the size of the variable you are cleaning.
ok jsing@


# 1.28 20-May-2014 jsing

KSSL is dead... nuke KSSL_DEBUG from orbit.

ok beck@ miod@


# 1.27 28-Apr-2014 tedu

use the correct algorithm mask. reported by satish lvr via
http://marc.info/?l=openssl-dev&m=139779977532459&w=2
ok miod


# 1.26 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.25 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.24 19-Apr-2014 jsing

More KNF.


# 1.23 18-Apr-2014 tedu

now that knf carpet bombing is finished, switch to hand to hand combat.
still not sure what to make of mysteries like this:
for (i = 7; i >= 0; i--) { /* increment */


# 1.22 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.21 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.20 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.19 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.18 27-Feb-2014 jca

SECURITY fixes backported from openssl-1.0.1f. ok mikeb@

CVE-2013-4353 NULL pointer dereference with crafted Next Protocol
Negotiation record in TLS handshake.
Upstream: 197e0ea

CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client.
Upstream: ca98926, 0294b2b

CVE-2013-6450 Fix DTLS retransmission from previous session.
Upstream: 3462896


# 1.17 14-Feb-2013 markus

cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.14 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.13 09-Jan-2009 djm

resolve conflicts


# 1.12 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.11 06-Sep-2008 djm

resolve conflicts


# 1.10 29-Apr-2005 djm

resolve conflicts


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 01-Aug-2001 beck

merge openssl 0.9.6b-engine

Note that this is a maintenance release, APIs appear *not* to have changed.
As such, I have only increased the minor number on these libraries


# 1.5 22-Jun-2001 beck

openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


Revision tags: OPENBSD_6_2_BASE
# 1.109 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.108 10-Apr-2017 jsing

freezero() the key block; simpler code and less of it.


Revision tags: OPENBSD_6_1_BASE
# 1.107 25-Mar-2017 jsing

Check tls1_PRF() return value in tls1_generate_master_secret().


# 1.106 25-Mar-2017 jsing

More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of
tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument
names and change lengths to size_t.

ok inoguchi@


# 1.105 18-Mar-2017 jsing

Fewer magic numbers.


# 1.104 18-Mar-2017 jsing

t1_enc.c


# 1.103 18-Mar-2017 jsing

Currently tls1_PRF() requires that a temporary buffer be provided, that
matches the size of the output buffer. This is used in the case where
there are multiple hashes - tls_P_hash() is called with the temporary
buffer and the result is then xored into the output buffer.

Avoid this by simply using a local buffer in tls_P_hash() and then xoring
the result into the output buffer. Overall this makes the code cleaner
and simplifies all of the tls_PRF() callers.

Similar to BoringSSL.

ok inoguchi@


# 1.102 10-Mar-2017 jsing

Remove the handshake digests and related code, replacing remaining uses
with the handshake hash. For now tls1_digest_cached_records() is retained
to release the handshake buffer.

ok beck@ inoguchi@


# 1.101 10-Mar-2017 jsing

First pass at cleaning up the tls1_P_hash() function - remove a pointless
EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the
code slightly.

ok inoguchi@


# 1.100 10-Mar-2017 jsing

Make tls1_PRF() non-static so it can be regress tested.


# 1.99 07-Mar-2017 jsing

Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned
and each hash processed separately.

Tested by tb@
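
The partitioning this commit describes, written out as an added Python illustration of the RFC 2246 PRF (the same P_hash and XOR structure that the 1.103 message above refers to), alongside the single-hash TLS 1.2 PRF for contrast. This is not libssl's tls1_PRF()/tls1_P_hash() code; the function names p_hash, split_secret, tls10_prf and tls12_prf and the sample inputs are constructed here.

```python
# Added illustration of the TLS PRF as defined in RFC 2246 (TLS 1.0/1.1) and
# RFC 5246 (TLS 1.2).  Not libssl's tls1_PRF(); names and sample inputs are
# constructed for this example.
import hmac


def p_hash(hash_name, secret, seed, out_len):
    """P_hash(secret, seed) from RFC 2246 section 5.

    A(0) = seed, A(i) = HMAC_hash(secret, A(i-1)); the output is
    HMAC_hash(secret, A(1) + seed) + HMAC_hash(secret, A(2) + seed) + ...
    truncated to out_len bytes.
    """
    out = b""
    a = seed
    while len(out) < out_len:
        a = hmac.new(secret, a, digestmod=hash_name).digest()
        out += hmac.new(secret, a + seed, digestmod=hash_name).digest()
    return out[:out_len]


def split_secret(secret):
    """Partition the secret as RFC 2246 requires: S1 is the first ceil(L/2)
    bytes and S2 the last ceil(L/2) bytes, so the two halves share one byte
    when the length is odd.  Feeding the whole secret to both hashes instead
    yields a different, non-interoperable PRF, which is the defect the commit
    above corrects."""
    half = (len(secret) + 1) // 2
    return secret[:half], secret[len(secret) - half:]


def tls10_prf(secret, label, seed, out_len):
    """TLS 1.0/1.1 PRF: P_MD5 over S1 XORed with P_SHA-1 over S2, both
    expanded over label + seed."""
    s1, s2 = split_secret(secret)
    md5_stream = p_hash("md5", s1, label + seed, out_len)
    sha1_stream = p_hash("sha1", s2, label + seed, out_len)
    return bytes(x ^ y for x, y in zip(md5_stream, sha1_stream))


def tls12_prf(secret, label, seed, out_len, hash_name="sha256"):
    """TLS 1.2 PRF: a single P_hash with the cipher suite's hash over the
    whole secret; no partitioning and no XOR."""
    return p_hash(hash_name, secret, label + seed, out_len)


if __name__ == "__main__":
    # Constructed sample inputs, not real key material.
    pre_master = bytes(range(48))            # shaped like an RSA pre-master secret
    randoms = b"C" * 32 + b"S" * 32          # client_random + server_random
    master10 = tls10_prf(pre_master, b"master secret", randoms, 48)
    master12 = tls12_prf(pre_master, b"master secret", randoms, 48)
    print("TLS1.0 master secret:", master10.hex())
    print("TLS1.2 master secret:", master12.hex())
```

The 48-byte master secret derivation shown in the usage block is the call that tls1_generate_master_secret() makes; key expansion uses the same PRF with the "key expansion" label and the randoms in the opposite order.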


# 1.98 06-Mar-2017 jsing

Clean up and simplify the tls1_PRF() implementation now that we have a
single EVP MD for the PRF hash.

ok beck@ inoguchi@


# 1.97 05-Mar-2017 jsing

Provide a rolling handshake hash that commences as soon as the cipher
suite has been selected, and convert the final finish MAC to use this
handshake hash.

This is a first step towards cleaning up the current handshake
buffer/digest code.

ok beck@ inoguchi@


# 1.96 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.95 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.94 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.93 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.92 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.91 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.90 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.89 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.88 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.87 06-Nov-2016 jsing

Remove unused SSLv3 from ssl3_cbc_record_digest_supported().

From Markus Uhlin <markus.uhlin at bredband dot net>

ok beck@ bcook@


# 1.86 03-Nov-2016 jsing

Clean up the TLS handshake digest handling - this refactors some of the
code for improved readability, however it also addresses two issues.

The first of these is a hard-to-hit double free that will occur if
EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure
that tls1_digest_cached_records() either completes successfully and sets
up all of the necessary digests, or it cleans up and frees everything
that was allocated.

The second issue is that EVP_DigestUpdate() can fail - detect and handle
this in tls1_finish_mac() and change the return type to an int so that a
failure can be propagated to the caller (the callers still need to be
fixed to handle this, in a later diff).

The double-free was reported by Matthew Dillon.

ok beck@ doug@ miod@


# 1.85 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replacing the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.84 06-Mar-2016 beck

Make sure stdio functions don't end up in the library, from miod@
ok doug@ bcook@


# 1.83 11-Sep-2015 jsing

Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a
ssl3_ prefix.

ok beck@


# 1.82 11-Sep-2015 jsing

Merge the remnants of s3_enc.c into t1_enc.c.

ok beck@


# 1.81 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.80 27-Aug-2015 jsing

Change AEAD out_len argument to size_t instead of ssize_t - while here,
rename it to out_len so that its purpose is more obvious. Also, drop two
checks that are no longer possible (and have not been for a long time).

Spotted by and ok doug@


# 1.79 17-Jul-2015 doug

Remove workaround for TLS padding bug from SSLeay days.

OpenSSL doesn't remember which clients were impacted and the
functionality has been broken in their stable releases for 2 years.

Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.

ok jsing@


# 1.78 17-Jun-2015 jsing

Keep alerts sorted by alert code.


# 1.77 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.76 07-Feb-2015 doug

Remove useless variables and use the values directly.

From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.

ok miod@, jsing@


# 1.75 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.74 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.73 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.72 16-Nov-2014 jsing

Sort and group includes.


# 1.71 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.70 18-Oct-2014 doug

Typical malloc() with size multiplication to reallocarray().

ok deraadt@


# 1.69 07-Aug-2014 miod

Oops, revert changes committed by mistake. The previous commit was supposed
to only apply to s23_srvr.c.


# 1.68 07-Aug-2014 miod

When you expect a function to return a particular value, don't put a comment
saying that you expect it to return that value and compare it against zero
because it is supposedly faster, for this leads to bugs (especially given the
high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this
library).

Instead, compare for the exact value it ought to return upon success.

ok deraadt@


# 1.67 10-Jul-2014 jsing

Remove more compression related code.


# 1.66 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.65 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.64 08-Jul-2014 beck

pedantic avoidance of division by zero, likely not actually
possible to hit for real.
ok miod@ jsing@


# 1.63 21-Jun-2014 jsing

Pull the code that builds a DTLS sequence number out into its own function
to avoid duplication. Also use fewer magic numbers.

ok miod@


# 1.62 21-Jun-2014 jsing

Pull out the sequence number selection and handle this up front. Also, the
correct record is already known, so avoid reassignment.


# 1.61 21-Jun-2014 jsing

More KNF and clean up.


# 1.60 15-Jun-2014 jsing

Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(),
so that it reflects what it is actually doing. Use this function in a
number of places that still have the hand rolled version.

ok beck@ miod@


# 1.59 13-Jun-2014 jsing

Correctly calculate the key block length when using export ciphers.


# 1.58 13-Jun-2014 jsing

Swap compress/expand around so they are in the correct order - these ended
up in the wrong order when the code was refactored.


# 1.57 13-Jun-2014 jsing

Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and
EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.


# 1.56 13-Jun-2014 jsing

Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are
those that use EVP_AEAD instead of EVP_CIPHER. This means being able to
change cipher state with an EVP_AEAD and being able to encrypt/decrypt
TLS using the EVP_AEAD. This has no change on existing
non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.

Based on Adam Langley's chromium patches.

Rides the recent libssl bump.

Tested by sthen@


# 1.55 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.54 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.53 11-Jun-2014 jsing

Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since
OpenSSL 1.0.0.

ok miod@ (a little while back)


# 1.52 10-Jun-2014 jsing

In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex()
to avoid a possible NULL function call on ctx.final(). None of the callers
currently check the return value of calls to cert_verify_mac(), however
the function already returns 0 in another case and the MAC comparison will
later fail.

Issue reported by David Ramos.


# 1.51 08-Jun-2014 jsing

Add a define for the SSLv3 sequence size and use it, rather than sprinkling
magic numbers around.

ok deraadt@


# 1.50 08-Jun-2014 jsing

Be explicit with types. No binary change.


# 1.49 08-Jun-2014 jsing

Factor out the part of tls1_change_cipher_state() that is specific to
switching cipher states using an EVP_CIPHER. This will facilitate the
addition of cipher state changes for EVP_AEAD. No functional change.

Based on Adam Langley's chromium patches.


# 1.48 08-Jun-2014 jsing

Factor out the sequence number reset code to aid in upcoming changes.


# 1.47 07-Jun-2014 jsing

Add missing NULL check after calling EVP_PKEY_new_mac_key().

Based on Adam Langley's chromium patches.


# 1.46 07-Jun-2014 jsing

Use !is_read to imply SSL3_CC_WRITE.

While this is not strictly correct (since the presence of SSL3_CC_READ does
not guarantee the absence of SSL3_CC_WRITE), in practice only one of these
flags is set at a time and there is existing logic which already relies on
this behaviour.


# 1.45 07-Jun-2014 jsing

Move the export label initialisation into the export handling code, since
this is the only place where these variables are used.


# 1.44 07-Jun-2014 jsing

Remove pointless casts - no binary change.


# 1.43 07-Jun-2014 jsing

Rename variables to make it clear that these are only used in the export
code. Additionally, these need to be cleaned in the export case.

Based on Adam Langley's chromium patches.


# 1.42 07-Jun-2014 jsing

Further clean up of context handling in tls1_change_cipher_state().

Rather than doing a complex dance to figure out if we should reuse the
cipher context and clean it later on, just free it and allocate a new one.
This simplifies the code path, especially in the write case where special
handling is required for DTLS.

Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is
unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention
that it was already missing from the write case).


# 1.41 02-Jun-2014 jsing

Rename more variables for readability and consistency.


# 1.40 01-Jun-2014 jsing

Overhaul the key block handling in tls1_change_cipher_state() - use
meaningful variable names with pointer arithmetic, rather than n, i, j
and p with array indexing.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.39 01-Jun-2014 jsing

In tls1_setup_key_block(), use the correct IV length for GCM mode, which
results in the key block length calculation also being correct. Rename a
number of variables so that their purpose becomes clear and simplify some
of the code.

Inspired by Adam Langley's chromium diffs.

ok miod@


# 1.38 01-Jun-2014 jsing

Clean up the tls1_change_cipher_state() key length handling and use a
single variable with a descriptive name, instead of two poorly named
variables.

Largely based on Adam Langley's chromium patches.

ok miod@


# 1.37 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.36 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.35 29-May-2014 jsing

Fix another two cases where the return value of ssl_replace_hash() is
unchecked.

In the case of tls1_change_cipher_state(), it is fairly pointless to use
ssl_replace_hash(), since it does not initialise the hash and there is
special handling required in the DTLS write case. Instead, just inline
the part of ssl_replace_hash() that is needed and only
ssl_clear_hash_ctx() the write hash in the non-DTLS case.

Also add a detailed comment explaining why there needs to be specialised
handling for DTLS write context and where the contexts are actually freed.

ok miod@


# 1.34 28-May-2014 jsing

More KNF.


# 1.33 28-May-2014 jsing

Refactor tls1_change_cipher_state() and split the compression handling out
from the cipher and message digest handling, allowing for upcoming changes.

Based on Adam Langley's chromium diffs.

ok miod@


# 1.32 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.31 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.30 25-May-2014 jsing

The ssl_cipher_get_evp() function is currently overloaded to also return the
compression associated with the SSL session. Based on one of Adam Langley's
chromium diffs, factor out the compression handling code into a separate
ssl_cipher_get_comp() function.

Rewrite the compression handling code to avoid pointless duplication and so
that failures are actually returned to and detectable by the caller.

ok miod@


# 1.29 24-May-2014 miod

Invoke OPENSSL_cleanse() with the size of the variable you are cleaning.
ok jsing@


# 1.28 20-May-2014 jsing

KSSL is dead... nuke KSSL_DEBUG from orbit.

ok beck@ miod@


# 1.27 28-Apr-2014 tedu

use the correct algorithm mask. reported by satish lvr via
http://marc.info/?l=openssl-dev&m=139779977532459&w=2
ok miod


# 1.26 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.25 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.24 19-Apr-2014 jsing

More KNF.


# 1.23 18-Apr-2014 tedu

now that knf carpet bombing is finished, switch to hand to hand combat.
still not sure what to make of mysteries like this:
for (i = 7; i >= 0; i--) { /* increment */


# 1.22 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.21 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.20 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.19 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.18 27-Feb-2014 jca

SECURITY fixes backported from openssl-1.0.1f. ok mikeb@

CVE-2013-4353 NULL pointer dereference with crafted Next Protocol
Negotiation record in TLS handshake.
Upstream: 197e0ea

CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client.
Upstream: ca98926, 0294b2b

CVE-2013-6450 Fix DTLS retransmission from previous session.
Upstream: 3462896


# 1.17 14-Feb-2013 markus

cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt
from the openssl git (changes between openssl 1.0.1c and 1.0.1d).
ok djm@


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.14 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.13 09-Jan-2009 djm

resolve conflicts


# 1.12 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.11 06-Sep-2008 djm

resolve conflicts


# 1.10 29-Apr-2005 djm

resolve conflicts


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 01-Aug-2001 beck

merge openssl 0.9.6b-engine

Note that this is a maintenance release, APIs appear *not* to have changed.
As such, I have only increased the minor number on these libraries


# 1.5 22-Jun-2001 beck

openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge

