History log of /openbsd-current/lib/libcrypto/opensslfeatures.h
Revision Date Author Comments
# 1.43 02-Mar-2024 tb

Update list of OPENSSL_NO_*

This syncs the list with some version of upstream and exposes a few
OPENSSL_NO_* that may now be relevant.

from jsing (a long time ago)


# 1.42 02-Mar-2024 tb

Unhook and remove GOST and STREEBOG

This stops compiling the GOST source. The current implementation is low
quality and got in the way, especially in libssl. While we would be open
for GOST support, it needs to be significantly better than what we have
had and it also needs a maintainer.

Add OPENSSL_NO_GOST to opensslfeatures and stop installing gost.h.
Some code wrapped in #ifndef OPENSSL_NO_GOST will be removed later.

ok jsing


Revision tags: OPENBSD_7_4_BASE
# 1.41 28-Jul-2023 tb

Set OPENSSL_NO_ENGINE, remove engine code

ENGINE was special. It's horrible code even by the low standards of this
library. Some ports may now try to use the stubs which will fail, but
the fallout from this should be minimal. Of course there are various
language bindings that expose the ENGINE API. OpenSSL 3 disabling ENGINE
by default will likely help fixing this at some point.

ok jsing


# 1.40 28-Jul-2023 tb

Drop DSO and define OPENSSL_NO_DSO

DSO and in particular dlopen() was used for dynamic engines, which we
removed a long time ago and for dynamic conf modules, which we removed
only very recently. Now remove this dangerous interface.

ok jsing


# 1.39 06-Jul-2023 beck

define OPENSSL_NO_DTLS1_1 since we no longer have that either.

ok tb@


# 1.38 06-Jul-2023 beck

Define the 'standard' OPENSSL_NO_BLAHBLAH's for no tls 1.0 or 1.1

We have no tls 1.0 or 1.1 or methods for them.

These "in theory" will make things that check the openssl #ifdef
soup for all the floating eyeballs make the correct decisions, or
if they do not they at least can not blame us.

ok tb@


# 1.37 25-Apr-2023 tb

Remove commented version of OPENSSL_NO_EC2M


# 1.36 25-Apr-2023 tb

LIBRESSL_NEXT_API is no longer needed


# 1.35 25-Apr-2023 tb

Temporarily define LIBRESSL_NEXT_API in opensslfeatures.h


# 1.34 25-Apr-2023 tb

Define OPENSSL_NO_DEPRECATED and OPENSSL_NO_EC2M in opensslfeatures.h

ok beck jsing


Revision tags: OPENBSD_7_2_BASE OPENBSD_7_3_BASE
# 1.33 11-Sep-2022 tb

Define LIBRESSL_HAS_QUIC

ok jsing


Revision tags: OPENBSD_7_1_BASE
# 1.32 14-Jan-2022 tb

Unconditionally comment out OPENSSL_NO_RFC3779

ok inoguchi jsing


# 1.31 14-Jan-2022 tb

Expose Certificate Transparency symbols in headers

ok inoguchi jsing


# 1.30 24-Dec-2021 tb

Undo commenting of OPENSSL_NO_RFC3779

The define implies that we have the RFC 3779 API and corresponding
symbols publicly exposed. We don't do that since there are still
concerns about its suitability and security. oss-fuzz has code
depending on this define and this broke its build as tracked down
by jsing. This commit gets us oss-fuzz builds back while keeping
job happy since the extension pretty printing will continue to work.

ok jsing


# 1.29 24-Nov-2021 beck

Make the certificate transparency code build with the rest of the library
Do not expose it yet, this will wait for an upcoming bump

ok tb@


# 1.28 01-Nov-2021 tb

Move the now internal X.509-related structs into x509_lcl.h.
Garbage collect the now unused LIBRESSL_CRYPTO_INTERNAL and
LIBRESSL_OPAQUE_X509. Include "x509_lcl.h" where needed and
fix a couple of unnecessary reacharounds.

ok jsing


# 1.27 01-Nov-2021 tb

Unifdef LIBRESSL_NEW_API. Now that the library is bumped, this is
no longer needed.

ok jsing


# 1.26 31-Oct-2021 tb

Enable RFC 3779 code.

From job. Discussed at length with beck, claudio, job during h2k21


# 1.25 31-Oct-2021 tb

Expose new API in headers and make X509 structs opaque.


Revision tags: OPENBSD_7_0_BASE
# 1.24 10-Sep-2021 tb

Uncomment LIBRESSL_HAS_{TLS1_3,DTLS1_2} in opensslfeatures.h


Revision tags: OPENBSD_6_9_BASE
# 1.23 31-Mar-2021 tb

Expose various DTLSv1.2 specific functions and defines

ok bcook inoguchi jsing


Revision tags: OPENBSD_6_8_BASE
# 1.22 09-Sep-2020 inoguchi

Import latest OPENSSL_NO_* flags from OpenSSL 1.1.1g

ok tb@


# 1.21 29-Aug-2020 inoguchi

define OPENSSL_NO_SSL_TRACE in opensslfeatures.h

ok jsing@ tb@


Revision tags: OPENBSD_6_7_BASE
# 1.20 02-Nov-2019 jsing

Enable CMS in LibreSSL.

ok bcook@ deraadt@ inoguchi@ job@ tb@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.19 06-Nov-2018 jsing

Start working towards adding feature flags (rather than anti-feature flags)
for LibreSSL. Add a (commented out) feature flag for TLSv1.3 and define the
OPENSSL_NO_TLS1_3 anti-feature flag based on the feature flag.

ok beck@ bluhm@ tb@


# 1.18 04-Nov-2018 jsing

Define OPENSSL_NO_ASYNC - our libcryptosink does not have built in async
features (and possibly never will).


# 1.17 04-Nov-2018 jsing

Update the opensslfeatures.h to include all of the OPENSSL_NO_* flags that
currently exist in OpenSSL - comment out the ones that we do not already
define. Some OPENSSL_NO_* flags that we define have been removed from
OpenSSL (and code that depended on these to know when features are not
available now thinks that the features have been enabled...). We keep these
defined but in their own separate group.

ok bluhm@ tb@


# 1.16 04-Nov-2018 jsing

Reformat and sort the OPENSSL_NO_* defines.


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.15 31-Aug-2017 jsing

Remove OPENSSL_NO_NEXTPROTONEG - some software creates conflicting
prototypes if we have both OPENSSL_NO_NEXTPROTONEG and the prototypes
defined.


# 1.14 28-Aug-2017 jsing

Define OPENSSL_NO_NEXTPROTONEG since there is no longer any NPN.


Revision tags: OPENBSD_6_1_BASE
# 1.13 14-Sep-2015 doug

Temporarily revive MD4 for MS CHAP support.


# 1.12 13-Sep-2015 doug

Remove MD4 support from LibreSSL.

MD4 should have been removed a long time ago. Also, RFC 6150 moved it to
historic in 2011. Rides the major crank from removing SHA-0.

Discussed with many including beck@, millert@, djm@, sthen@
ok jsing@, input + ok bcook@


# 1.11 13-Sep-2015 doug

Remove SHA-0 support.

SHA-0 was withdrawn shortly after publication 20 years ago and replaced
with SHA-1. This will require a major crank.

ok bcook@, jsing@


# 1.10 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.9 19-Jul-2015 doug

Remove OpenSSL engine RSAX.

OpenSSL stopped building it last year and removed it this year.
Based on OpenSSL commit c436e05bdc7f49985a750df64122c960240b3ae1.

Also cranked major version in libcrypto, libssl and libtls.

"fine with me" bcook@ miod@


# 1.8 20-Jun-2015 doug

Remove obsolete MDC-2DES from libcrypto.

ok deraadt@ jsing@ miod@


# 1.7 26-May-2015 bcook

Add OPENSSL_NO_EGD to opensslfeatures.h.

Since RAND_egd has been removed from LibreSSL, simplify porting software that
relies on it. See https://github.com/libressl-portable/openbsd/pull/34

from Bernard Spil, ok deraadt@


# 1.6 18-Nov-2014 miod

Enable the build of GOST routines in libcrypto. Riding upon the Camellia
libcrypto minor bump.


# 1.5 17-Nov-2014 miod

Add the Camellia cipher to libcrypto.

There used to be a strong reluctance to provide this cipher in LibreSSL in the
past, because the licence terms under which Camellia was released by NTT were
free-but-not-in-the-corners, by restricting the right to modify the source
code, as well as retaining the right to enforce their patents against anyone
in the future.

However, as stated in http://www.ntt.co.jp/news/news06e/0604/060413a.html ,
NTT changed its mind and made this code truly free. We only wish there had
been more visibility of this, for we could have enabled Camellia
earlier (-:

Licence change noticed by deraadt@. General agreement from the usual LibreSSL
suspects.

Crank libcrypto.so minor version due to the added symbols.


# 1.4 11-Jul-2014 tedu

it has been 4888 days since the transient feature to define short macros
for apps that haven't had time to make the appropriate changes was added.
time's up.


# 1.3 11-Jul-2014 tedu

additional features: no buffer freelists and no heartbleed


# 1.2 11-Jul-2014 tedu

no compression is also a feature of libressl


# 1.1 11-Jul-2014 tedu

move all the feature settings to a common header.
probably ok beck jsing miod


# 1.33 11-Sep-2022 tb

Define LIBRESSL_HAS_QUIC

ok jsing


Revision tags: OPENBSD_7_1_BASE
# 1.32 14-Jan-2022 tb

Unconditionally comment out OPENSSL_NO_RFC3779

ok inoguchi jsing


# 1.31 14-Jan-2022 tb

Expose Certificate Transparency symbols in headers

ok inoguchi jsing


# 1.30 24-Dec-2021 tb

Undo commenting of OPENSSL_NO_RFC3779

The define implies that we have the RFC 3779 API and corresponding
symbols publicly exposed. We don't do that since there are still
concerns about its suitability and security. oss-fuzz has code
depending on this define and this broke its build as tracked down
by jsing. This commit gets us oss-fuzz builds back while keeping
job happy since the extension pretty printing will continue to work.

ok jsing


# 1.29 24-Nov-2021 beck

Make the certificate transparency code build with the rest of the library
Do not expose it yet, this will wait for an upcoming bump

ok tb@


# 1.28 01-Nov-2021 tb

Move the now internal X.509-related structs into x509_lcl.h.
Garbage collect the now unused LIBRESSL_CRYPTO_INTERNAL and
LIBRESSL_OPAQUE_X509. Include "x509_lcl.h" where needed and
fix a couple of unnecessary reacharounds.

ok jsing


# 1.27 01-Nov-2021 tb

Unifdef LIBRESSL_NEW_API. Now that the library is bumped, this is
no longer needed.

ok jsing


# 1.26 31-Oct-2021 tb

Enable RFC 3779 code.

From job. Discussed at length with beck, claudio, job during h2k21


# 1.25 31-Oct-2021 tb

Expose new API in headers and make X509 structs opaque.


Revision tags: OPENBSD_7_0_BASE
# 1.24 10-Sep-2021 tb

Uncomment LIBRESSL_HAS_{TLS1_3,DTLS1_2} in opensslfeatures.h


Revision tags: OPENBSD_6_9_BASE
# 1.23 31-Mar-2021 tb

Expose various DTLSv1.2 specific functions and defines

ok bcook inoguchi jsing


Revision tags: OPENBSD_6_8_BASE
# 1.22 09-Sep-2020 inoguchi

Import latest OPENSSL_NO_* flags from OpenSSL 1.1.1g

ok tb@


# 1.21 29-Aug-2020 inoguchi

define OPENSSL_NO_SSL_TRACE in opensslfeatures.h

ok jsing@ tb@


Revision tags: OPENBSD_6_7_BASE
# 1.20 02-Nov-2019 jsing

Enable CMS in LibreSSL.

ok bcook@ deraadt@ inoguchi@ job@ tb@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.19 06-Nov-2018 jsing

Start working towards adding feature flags (rather than anti-feature flags)
for LibreSSL. Add a (commented out) feature flag for TLSv1.3 and define the
OPENSSL_NO_TLS1_3 anti-feature flag based on the feature flag.

ok beck@ bluhm@ tb@


# 1.18 04-Nov-2018 jsing

Define OPENSSL_NO_ASYNC - our libcryptosink does not have built in async
features (and possibly never will).


# 1.17 04-Nov-2018 jsing

Update the opensslfeatures.h to include all of the OPENSSL_NO_* flags that
currently exist in OpenSSL - comment out the ones that we do not already
define. Some OPENSSL_NO_* flags that we define have been removed from
OpenSSL (and code that depended on these to know when features are not
available now think that the features have been enabled...). We keep these
defined but in their own separate group.

ok bluhm@ tb@


# 1.16 04-Nov-2018 jsing

Reformat and sort the OPENSSL_NO_* defines.


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.15 31-Aug-2017 jsing

Remove OPENSSL_NO_NEXTPROTONEG - some software creates conflicting
prototypes if we have both OPENSSL_NO_NEXTPROTONEG and the prototypes
defined.


# 1.14 28-Aug-2017 jsing

Define OPENSSL_NO_NEXTPROTONEG since there is no longer any NPN.


Revision tags: OPENBSD_6_1_BASE
# 1.13 14-Sep-2015 doug

Temporarily revive MD4 for MS CHAP support.


# 1.12 13-Sep-2015 doug

Remove MD4 support from LibreSSL.

MD4 should have been removed a long time ago. Also, RFC 6150 moved it to
historic in 2011. Rides the major crank from removing SHA-0.

Discussed with many including beck@, millert@, djm@, sthen@
ok jsing@, input + ok bcook@


# 1.11 13-Sep-2015 doug

Remove SHA-0 support.

SHA-0 was withdrawn shortly after publication 20 years ago and replaced
with SHA-1. This will require a major crank.

ok bcook@, jsing@


# 1.10 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.9 19-Jul-2015 doug

Remove OpenSSL engine RSAX.

OpenSSL stopped building it last year and removed it this year.
Based on OpenSSL commit c436e05bdc7f49985a750df64122c960240b3ae1.

Also cranked major version in libcrypto, libssl and libtls.

"fine with me" bcook@ miod@


# 1.8 20-Jun-2015 doug

Remove obsolete MDC-2DES from libcrypto.

ok deraadt@ jsing@ miod@


# 1.7 26-May-2015 bcook

Add OPENSSL_NO_EGD to opensslfeatures.h.

Since RAND_egd has been removed from LibreSSL, simplify porting software that
relies on it. See https://github.com/libressl-portable/openbsd/pull/34

from Bernard Spil, ok deraadt@


# 1.6 18-Nov-2014 miod

Enable the build of GOST routines in libcrypto. Riding upon the Camellia
libcrypto minor bump.


# 1.5 17-Nov-2014 miod

Add the Camellia cipher to libcrypto.

There used to be a strong reluctance to provide this cipher in LibreSSL in the
past, because the licence terms under which Camellia was released by NTT were
free-but-not-in-the-corners, by restricting the right to modify the source
code, as well as retaining the right to enforce their patents against anyone
in the future.

However, as stated in http://www.ntt.co.jp/news/news06e/0604/060413a.html ,
NTT changed its mind and made this code truly free. We only wish there had
been more visibility of this, for we could have enabled Camellia
earlier (-:

Licence change noticed by deraadt@. General agreement from the usual LibreSSL
suspects.

Crank libcrypto.so minor version due to the added symbols.


# 1.4 11-Jul-2014 tedu

it has been 4888 days since the transient feature to define short macros
for apps that haven't had time to make the appropriate changes was added.
time's up.


# 1.3 11-Jul-2014 tedu

additional features: no buffer freelists and no heartbleed


# 1.2 11-Jul-2014 tedu

no compression is also a feature of libressl


# 1.1 11-Jul-2014 tedu

move all the feature settings to a common header.
probably ok beck jsing miod


# 1.24 10-Sep-2021 tb

Uncomment LIBRESSL_HAS_{TLS1_3,DTLS1_2} in opensslfeatures.h


Revision tags: OPENBSD_6_9_BASE
# 1.23 31-Mar-2021 tb

Expose various DTLSv1.2 specific functions and defines

ok bcook inoguchi jsing


Revision tags: OPENBSD_6_8_BASE
# 1.22 09-Sep-2020 inoguchi

Import latest OPENSSL_NO_* flags from OpenSSL 1.1.1g

ok tb@


# 1.21 29-Aug-2020 inoguchi

define OPENSSL_NO_SSL_TRACE in opensslfeatures.h

ok jsing@ tb@


Revision tags: OPENBSD_6_7_BASE
# 1.20 02-Nov-2019 jsing

Enable CMS in LibreSSL.

ok bcook@ deraadt@ inoguchi@ job@ tb@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.19 06-Nov-2018 jsing

Start working towards adding feature flags (rather than anti-feature flags)
for LibreSSL. Add a (commented out) feature flag for TLSv1.3 and define the
OPENSSL_NO_TLS1_3 anti-feature flag based on the feature flag.

ok beck@ bluhm@ tb@


# 1.18 04-Nov-2018 jsing

Define OPENSSL_NO_ASYNC - our libcryptosink does not have built in async
features (and possibly never will).


# 1.17 04-Nov-2018 jsing

Update the opensslfeatures.h to include all of the OPENSSL_NO_* flags that
currently exist in OpenSSL - comment out the ones that we do not already
define. Some OPENSSL_NO_* flags that we define have been removed from
OpenSSL (and code that depended on these to know when features are not
available now thinks that the features have been enabled...). We keep these
defined but in their own separate group.

ok bluhm@ tb@


# 1.16 04-Nov-2018 jsing

Reformat and sort the OPENSSL_NO_* defines.


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.15 31-Aug-2017 jsing

Remove OPENSSL_NO_NEXTPROTONEG - some software creates conflicting
prototypes if we have both OPENSSL_NO_NEXTPROTONEG and the prototypes
defined.


# 1.14 28-Aug-2017 jsing

Define OPENSSL_NO_NEXTPROTONEG since there is no longer any NPN.


Revision tags: OPENBSD_6_1_BASE
# 1.13 14-Sep-2015 doug

Temporarily revive MD4 for MS CHAP support.


# 1.12 13-Sep-2015 doug

Remove MD4 support from LibreSSL.

MD4 should have been removed a long time ago. Also, RFC 6150 moved it to
historic in 2011. Rides the major crank from removing SHA-0.

Discussed with many including beck@, millert@, djm@, sthen@
ok jsing@, input + ok bcook@


# 1.11 13-Sep-2015 doug

Remove SHA-0 support.

SHA-0 was withdrawn shortly after publication 20 years ago and replaced
with SHA-1. This will require a major crank.

ok bcook@, jsing@


# 1.10 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.9 19-Jul-2015 doug

Remove OpenSSL engine RSAX.

OpenSSL stopped building it last year and removed it this year.
Based on OpenSSL commit c436e05bdc7f49985a750df64122c960240b3ae1.

Also cranked major version in libcrypto, libssl and libtls.

"fine with me" bcook@ miod@


# 1.8 20-Jun-2015 doug

Remove obsolete MDC-2DES from libcrypto.

ok deraadt@ jsing@ miod@


# 1.7 26-May-2015 bcook

Add OPENSSL_NO_EGD to opensslfeatures.h.

Since RAND_egd has been removed from LibreSSL, simplify porting software that
relies on it. See https://github.com/libressl-portable/openbsd/pull/34

from Bernard Spil, ok deraadt@


# 1.6 18-Nov-2014 miod

Enable the build of GOST routines in libcrypto. Riding upon the Camellia
libcrypto minor bump.


# 1.5 17-Nov-2014 miod

Add the Camellia cipher to libcrypto.

There used to be a strong reluctance to provide this cipher in LibreSSL in the
past, because the licence terms under which Camellia was released by NTT were
free-but-not-in-the-corners, by restricting the right to modify the source
code, as well as retaining the right to enforce their patents against anyone
in the future.

However, as stated in http://www.ntt.co.jp/news/news06e/0604/060413a.html ,
NTT changed its mind and made this code truly free. We only wish there had
been more visibility of this, for we could have enabled Camellia
earlier (-:

Licence change noticed by deraadt@. General agreement from the usual LibreSSL
suspects.

Crank libcrypto.so minor version due to the added symbols.


# 1.4 11-Jul-2014 tedu

it has been 4888 days since the transient feature to define short macros
for apps that haven't had time to make the appropriate changes was added.
time's up.


# 1.3 11-Jul-2014 tedu

additional features: no buffer freelists and no heartbleed


# 1.2 11-Jul-2014 tedu

no compression is also a feature of libressl


# 1.1 11-Jul-2014 tedu

move all the feature settings to a common header.
probably ok beck jsing miod











