Fix errors with last cherry-pick; SSL_CONF_* and s_client

-verify_return_error aren't in this release.

3 files changed, 0 insertions, 527 deletions

diff --git a/doc/ssl/SSL_CONF_CTX_set_ssl_ctx.pod b/doc/ssl/SSL_CONF_CTX_set_ssl_ctx.pod
deleted file mode 100644
index 4fc8f06d9e..0000000000
--- a/doc/ssl/SSL_CONF_CTX_set_ssl_ctx.pod
+++ /dev/null
@@ -1,47 +0,0 @@
-=pod
-
-=head1 NAME
-
-SSL_CONF_CTX_set_ssl_ctx, SSL_CONF_CTX_set_ssl - set context to configure
-
-=head1 SYNOPSIS
-
- #include <openssl/ssl.h>
-
- void SSL_CONF_CTX_set_ssl_ctx(SSL_CONF_CTX *cctx, SSL_CTX *ctx);
- void SSL_CONF_CTX_set_ssl(SSL_CONF_CTX *cctx, SSL *ssl);
-
-=head1 DESCRIPTION
-
-SSL_CONF_CTX_set_ssl_ctx() sets the context associated with B<cctx> to the
-B<SSL_CTX> structure B<ctx>. Any previos B<SSL> or B<SSL_CTX> associated with
-B<cctx> is cleared. Subsequent calls to SSL_CONF_cmd() will be sent to
-B<ctx>.
-
-SSL_CONF_CTX_set_ssl() sets the context associated with B<cctx> to the
-B<SSL> structure B<ssl>. Any previos B<SSL> or B<SSL_CTX> associated with
-B<cctx> is cleared. Subsequent calls to SSL_CONF_cmd() will be sent to
-B<ssl>.
-
-=head1 NOTES
-
-The context need not be set or it can be set to B<NULL> in which case only
-syntax checking of commands is performed, where possible.
-
-=head1 RETURN VALUES
-
-SSL_CONF_CTX_set_ssl_ctx() and SSL_CTX_set_ssl() do not return a value.
-
-=head1 SEE ALSO
-
-L<SSL_CONF_CTX_new(3)|SSL_CONF_CTX_new(3)>,
-L<SSL_CONF_CTX_set_flags(3)|SSL_CONF_CTX_set_flags(3)>,
-L<SSL_CONF_CTX_set1_prefix(3)|SSL_CONF_CTX_set1_prefix(3)>,
-L<SSL_CONF_cmd(3)|SSL_CONF_cmd(3)>,
-L<SSL_CONF_cmd_argv(3)|SSL_CONF_cmd_argv(3)>
-
-=head1 HISTORY
-
-These functions were first added to OpenSSL 1.0.2
-
-=cut
diff --git a/doc/ssl/SSL_CONF_cmd.pod b/doc/ssl/SSL_CONF_cmd.pod
deleted file mode 100644
index 2a4019c871..0000000000
--- a/doc/ssl/SSL_CONF_cmd.pod
+++ /dev/null
@@ -1,438 +0,0 @@
-=pod
-
-=head1 NAME
-
-SSL_CONF_cmd - send configuration command
-
-=head1 SYNOPSIS
-
- #include <openssl/ssl.h>
-
- int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value);
- int SSL_CONF_cmd_value_type(SSL_CONF_CTX *cctx, const char *cmd);
- int SSL_CONF_finish(SSL_CONF_CTX *cctx);
-
-=head1 DESCRIPTION
-
-The function SSL_CONF_cmd() performs configuration operation B<cmd> with
-optional parameter B<value> on B<ctx>. Its purpose is to simplify application
-configuration of B<SSL_CTX> or B<SSL> structures by providing a common
-framework for command line options or configuration files.
-
-SSL_CONF_cmd_value_type() returns the type of value that B<cmd> refers to.
-
-The function SSL_CONF_finish() must be called after all configuration
-operations have been completed. It is used to finalise any operations
-or to process defaults.
-
-=head1 SUPPORTED COMMAND LINE COMMANDS
-
-Currently supported B<cmd> names for command lines (i.e. when the
-flag B<SSL_CONF_CMDLINE> is set) are listed below. Note: all B<cmd> names
-are case sensitive. Unless otherwise stated commands can be used by
-both clients and servers and the B<value> parameter is not used. The default
-prefix for command line commands is B<-> and that is reflected below.
-
-=over 4
-
-=item B<-sigalgs>
-
-This sets the supported signature algorithms for TLS v1.2. For clients this
-value is used directly for the supported signature algorithms extension. For
-servers it is used to determine which signature algorithms to support.
-
-The B<value> argument should be a colon separated list of signature algorithms
-in order of decreasing preference of the form B<algorithm+hash>. B<algorithm>
-is one of B<RSA>, B<DSA> or B<ECDSA> and B<hash> is a supported algorithm
-OID short name such as B<SHA1>, B<SHA224>, B<SHA256>, B<SHA384> of B<SHA512>.
-Note: algorithm and hash names are case sensitive.
-
-If this option is not set then all signature algorithms supported by the
-OpenSSL library are permissible.
-
-=item B<-client_sigalgs>
-
-This sets the supported signature algorithms associated with client
-authentication for TLS v1.2. For servers the value is used in the supported
-signature algorithms field of a certificate request. For clients it is
-used to determine which signature algorithm to with the client certificate.
-If a server does not request a certificate this option has no effect.
-
-The syntax of B<value> is identical to B<-sigalgs>. If not set then
-the value set for B<-sigalgs> will be used instead.
-
-=item B<-curves>
-
-This sets the supported elliptic curves. For clients the curves are
-sent using the supported curves extension. For servers it is used
-to determine which curve to use. This setting affects curves used for both
-signatures and key exchange, if applicable.
-
-The B<value> argument is a colon separated list of curves. The curve can be
-either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name (e.g
-B<prime256v1>). Curve names are case sensitive.
-
-=item B<-named_curve>
-
-This sets the temporary curve used for ephemeral ECDH modes. Only used by 
-servers
-
-The B<value> argument is a curve name or the special value B<auto> which
-picks an appropriate curve based on client and server preferences. The curve
-can be either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name
-(e.g B<prime256v1>). Curve names are case sensitive.
-
-=item B<-cipher>
-
-Sets the cipher suite list to B<value>. Note: syntax checking of B<value> is
-currently not performed unless a B<SSL> or B<SSL_CTX> structure is 
-associated with B<cctx>.
-
-=item B<-cert>
-
-Attempts to use the file B<value> as the certificate for the appropriate
-context. It currently uses SSL_CTX_use_cerificate_chain_file if an B<SSL_CTX>
-structure is set or SSL_use_certifcate_file with filetype PEM if an B<SSL>
-structure is set. This option is only supported if certificate operations
-are permitted.
-
-=item B<-key>
-
-Attempts to use the file B<value> as the private key for the appropriate
-context. This option is only supported if certificate operations
-are permitted. Note: if no B<-key> option is set then a private key is
-not loaded: it does not currently use the B<-cert> file.
-
-=item B<-dhparam>
-
-Attempts to use the file B<value> as the set of temporary DH parameters for
-the appropriate context. This option is only supported if certificate
-operations are permitted.
-
-=item B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
-
-Disables protocol support for SSLv2, SSLv3, TLS 1.0, TLS 1.1 or TLS 1.2 
-by setting the corresponding options B<SSL_OP_NO_SSL2>, B<SSL_OP_NO_SSL3>,
-B<SSL_OP_NO_TLS1>, B<SSL_OP_NO_TLS1_1> and B<SSL_OP_NO_TLS1_2> respectively.
-
-=item B<-bugs>
-
-Various bug workarounds are set, same as setting B<SSL_OP_ALL>.
-
-=item B<-no_comp>
-
-Disables support for SSL/TLS compression, same as setting B<SSL_OP_NO_COMPRESS>.
-
-=item B<-no_ticket>
-
-Disables support for session tickets, same as setting B<SSL_OP_NO_TICKET>.
-
-=item B<-serverpref>
-
-Use server and not client preference order when determining which cipher suite,
-signature algorithm or elliptic curve to use for an incoming connection.
-Equivalent to B<SSL_OP_CIPHER_SERVER_PREFERENCE>. Only used by servers.
-
-=item B<-no_resumption_on_reneg>
-
-set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag. Only used by servers.
-
-=item B<-legacyrenegotiation>
-
-permits the use of unsafe legacy renegotiation. Equivalent to setting
-B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>.
-
-=item B<-legacy_server_connect>, B<-no_legacy_server_connect>
-
-permits or prohibits the use of unsafe legacy renegotiation for OpenSSL
-clients only. Equivalent to setting or clearing B<SSL_OP_LEGACY_SERVER_CONNECT>.
-Set by default.
-
-=item B<-strict>
-
-enables strict mode protocol handling. Equivalent to setting
-B<SSL_CERT_FLAG_TLS_STRICT>.
-
-=item B<-debug_broken_protocol>
-
-disables various checks and permits several kinds of broken protocol behaviour
-for testing purposes: it should B<NEVER> be used in anything other than a test
-environment. Only supported if OpenSSL is configured with
-B<-DOPENSSL_SSL_DEBUG_BROKEN_PROTOCOL>.
-
-=back
-
-=head1 SUPPORTED CONFIGURATION FILE COMMANDS
-
-Currently supported B<cmd> names for configuration files (i.e. when the
-flag B<SSL_CONF_FLAG_FILE> is set) are listed below. All configuration file
-B<cmd> names are case insensitive so B<signaturealgorithms> is recognised
-as well as B<SignatureAlgorithms>. Unless otherwise stated the B<value> names
-are also case insensitive.
-
-Note: the command prefix (if set) alters the recognised B<cmd> values.
-
-=over 4
-
-=item B<CipherString>
-
-Sets the cipher suite list to B<value>. Note: syntax checking of B<value> is
-currently not performed unless an B<SSL> or B<SSL_CTX> structure is 
-associated with B<cctx>.
-
-=item B<Certificate>
-
-Attempts to use the file B<value> as the certificate for the appropriate
-context. It currently uses SSL_CTX_use_cerificate_chain_file if an B<SSL_CTX>
-structure is set or SSL_use_certifcate_file with filetype PEM if an B<SSL>
-structure is set. This option is only supported if certificate operations
-are permitted.
-
-=item B<PrivateKey>
-
-Attempts to use the file B<value> as the private key for the appropriate
-context. This option is only supported if certificate operations
-are permitted. Note: if no B<-key> option is set then a private key is
-not loaded: it does not currently use the B<Certificate> file.
-
-=item B<ServerInfoFile>
-
-Attempts to use the file B<value> in the "serverinfo" extension using the
-function SSL_CTX_use_serverinfo_file.
-
-=item B<DHParameters>
-
-Attempts to use the file B<value> as the set of temporary DH parameters for
-the appropriate context. This option is only supported if certificate
-operations are permitted.
-
-=item B<SignatureAlgorithms>
-
-This sets the supported signature algorithms for TLS v1.2. For clients this
-value is used directly for the supported signature algorithms extension. For
-servers it is used to determine which signature algorithms to support.
-
-The B<value> argument should be a colon separated list of signature algorithms
-in order of decreasing preference of the form B<algorithm+hash>. B<algorithm>
-is one of B<RSA>, B<DSA> or B<ECDSA> and B<hash> is a supported algorithm
-OID short name such as B<SHA1>, B<SHA224>, B<SHA256>, B<SHA384> of B<SHA512>.
-Note: algorithm and hash names are case sensitive.
-
-If this option is not set then all signature algorithms supported by the
-OpenSSL library are permissible.
-
-=item B<ClientSignatureAlgorithms>
-
-This sets the supported signature algorithms associated with client
-authentication for TLS v1.2. For servers the value is used in the supported
-signature algorithms field of a certificate request. For clients it is
-used to determine which signature algorithm to with the client certificate.
-
-The syntax of B<value> is identical to B<SignatureAlgorithms>. If not set then
-the value set for B<SignatureAlgorithms> will be used instead.
-
-=item B<Curves>
-
-This sets the supported elliptic curves. For clients the curves are
-sent using the supported curves extension. For servers it is used
-to determine which curve to use. This setting affects curves used for both
-signatures and key exchange, if applicable.
-
-The B<value> argument is a colon separated list of curves. The curve can be
-either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name (e.g
-B<prime256v1>). Curve names are case sensitive.
-
-=item B<ECDHParameters>
-
-This sets the temporary curve used for ephemeral ECDH modes. Only used by 
-servers
-
-The B<value> argument is a curve name or the special value B<Automatic> which
-picks an appropriate curve based on client and server preferences. The curve
-can be either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name
-(e.g B<prime256v1>). Curve names are case sensitive.
-
-=item B<Protocol>
-
-The supported versions of the SSL or TLS protocol.
-
-The B<value> argument is a comma separated list of supported protocols to
-enable or disable. If an protocol is preceded by B<-> that version is disabled.
-All versions are enabled by default, though applications may choose to
-explicitly disable some. Currently supported protocol values are B<SSLv2>,
-B<SSLv3>, B<TLSv1>, B<TLSv1.1> and B<TLSv1.2>. The special value B<ALL> refers
-to all supported versions.
-
-=item B<Options>
-
-The B<value> argument is a comma separated list of various flags to set.
-If a flag string is preceded B<-> it is disabled. See the
-B<SSL_CTX_set_options> function for more details of individual options.
-
-Each option is listed below. Where an operation is enabled by default
-the B<-flag> syntax is needed to disable it.
-
-B<SessionTicket>: session ticket support, enabled by default. Inverse of
-B<SSL_OP_NO_TICKET>: that is B<-SessionTicket> is the same as setting
-B<SSL_OP_NO_TICKET>.
-
-B<Compression>: SSL/TLS compression support, enabled by default. Inverse
-of B<SSL_OP_NO_COMPRESSION>.
-
-B<EmptyFragments>: use empty fragments as a countermeasure against a
-SSL 3.0/TLS 1.0 protocol vulnerability affecting CBC ciphers. It
-is set by default. Inverse of B<SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS>.
-
-B<Bugs>: enable various bug workarounds. Same as B<SSL_OP_ALL>.
-
-B<DHSingle>: enable single use DH keys, set by default. Inverse of
-B<SSL_OP_DH_SINGLE>. Only used by servers.
-
-B<ECDHSingle> enable single use ECDH keys, set by default. Inverse of
-B<SSL_OP_ECDH_SINGLE>. Only used by servers.
-
-B<ServerPreference> use server and not client preference order when
-determining which cipher suite, signature algorithm or elliptic curve
-to use for an incoming connection.  Equivalent to
-B<SSL_OP_CIPHER_SERVER_PREFERENCE>. Only used by servers.
-
-B<NoResumptionOnRenegotiation> set
-B<SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION> flag. Only used by servers.
-
-B<UnsafeLegacyRenegotiation> permits the use of unsafe legacy renegotiation.
-Equivalent to B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>.
-
-B<UnsafeLegacyServerConnect> permits the use of unsafe legacy renegotiation
-for OpenSSL clients only. Equivalent to B<SSL_OP_LEGACY_SERVER_CONNECT>.
-Set by default.
-
-=back
-
-=head1 SUPPORTED COMMAND TYPES
-
-The function SSL_CONF_cmd_value_type() currently returns one of the following
-types:
-
-=over 4
-
-=item B<SSL_CONF_TYPE_UNKNOWN>
-
-The B<cmd> string is unrecognised, this return value can be use to flag
-syntax errors.
-
-=item B<SSL_CONF_TYPE_STRING>
-
-The value is a string without any specific structure.
-
-=item B<SSL_CONF_TYPE_FILE>
-
-The value is a file name.
-
-=item B<SSL_CONF_TYPE_DIR>
-
-The value is a directory name.
-
-=back
-
-=head1 NOTES
-
-The order of operations is significant. This can be used to set either defaults
-or values which cannot be overridden. For example if an application calls:
-
- SSL_CONF_cmd(ctx, "Protocol", "-SSLv2");
- SSL_CONF_cmd(ctx, userparam, uservalue);
-
-it will disable SSLv2 support by default but the user can override it. If 
-however the call sequence is:
-
- SSL_CONF_cmd(ctx, userparam, uservalue);
- SSL_CONF_cmd(ctx, "Protocol", "-SSLv2");
-
-SSLv2 is B<always> disabled and attempt to override this by the user are
-ignored.
-
-By checking the return code of SSL_CTX_cmd() it is possible to query if a
-given B<cmd> is recognised, this is useful is SSL_CTX_cmd() values are
-mixed with additional application specific operations.
-
-For example an application might call SSL_CTX_cmd() and if it returns
--2 (unrecognised command) continue with processing of application specific
-commands.
-
-Applications can also use SSL_CTX_cmd() to process command lines though the
-utility function SSL_CTX_cmd_argv() is normally used instead. One way
-to do this is to set the prefix to an appropriate value using
-SSL_CONF_CTX_set1_prefix(), pass the current argument to B<cmd> and the
-following argument to B<value> (which may be NULL).
-
-In this case if the return value is positive then it is used to skip that
-number of arguments as they have been processed by SSL_CTX_cmd(). If -2 is
-returned then B<cmd> is not recognised and application specific arguments
-can be checked instead. If -3 is returned a required argument is missing
-and an error is indicated. If 0 is returned some other error occurred and
-this can be reported back to the user.
-
-The function SSL_CONF_cmd_value_type() can be used by applications to 
-check for the existence of a command or to perform additional syntax
-checking or translation of the command value. For example if the return
-value is B<SSL_CONF_TYPE_FILE> an application could translate a relative
-pathname to an absolute pathname.
-
-=head1 EXAMPLES
-
-Set supported signature algorithms:
-
- SSL_CONF_cmd(ctx, "SignatureAlgorithms", "ECDSA+SHA256:RSA+SHA256:DSA+SHA256");
-
-Enable all protocols except SSLv3 and SSLv2:
-
- SSL_CONF_cmd(ctx, "Protocol", "ALL,-SSLv3,-SSLv2");
-
-Only enable TLSv1.2:
-
- SSL_CONF_cmd(ctx, "Protocol", "-ALL,TLSv1.2");
-
-Disable TLS session tickets:
-
- SSL_CONF_cmd(ctx, "Options", "-SessionTicket");
-
-Set supported curves to P-256, P-384:
-
- SSL_CONF_cmd(ctx, "Curves", "P-256:P-384");
-
-Set automatic support for any elliptic curve for key exchange:
-
- SSL_CONF_cmd(ctx, "ECDHParameters", "Automatic");
-
-=head1 RETURN VALUES
-
-SSL_CONF_cmd() returns 1 if the value of B<cmd> is recognised and B<value> is
-B<NOT> used and 2 if both B<cmd> and B<value> are used. In other words it
-returns the number of arguments processed. This is useful when processing
-command lines.
-
-A return value of -2 means B<cmd> is not recognised.
-
-A return value of -3 means B<cmd> is recognised and the command requires a
-value but B<value> is NULL.
-
-A return code of 0 indicates that both B<cmd> and B<value> are valid but an
-error occurred attempting to perform the operation: for example due to an
-error in the syntax of B<value> in this case the error queue may provide
-additional information.
-
-SSL_CONF_finish() returns 1 for success and 0 for failure.
-
-=head1 SEE ALSO
-
-L<SSL_CONF_CTX_new(3)|SSL_CONF_CTX_new(3)>,
-L<SSL_CONF_CTX_set_flags(3)|SSL_CONF_CTX_set_flags(3)>,
-L<SSL_CONF_CTX_set1_prefix(3)|SSL_CONF_CTX_set1_prefix(3)>,
-L<SSL_CONF_CTX_set_ssl_ctx(3)|SSL_CONF_CTX_set_ssl_ctx(3)>,
-L<SSL_CONF_cmd_argv(3)|SSL_CONF_cmd_argv(3)>
-
-=head1 HISTORY
-
-SSL_CONF_cmd() was first added to OpenSSL 1.0.2
-
-=cut
diff --git a/doc/ssl/SSL_CONF_cmd_argv.pod b/doc/ssl/SSL_CONF_cmd_argv.pod
deleted file mode 100644
index 246eaa5bd3..0000000000
--- a/doc/ssl/SSL_CONF_cmd_argv.pod
+++ /dev/null
@@ -1,42 +0,0 @@
-=pod
-
-=head1 NAME
-
-SSL_CONF_cmd_argv - SSL configuration command line processing.
-
-=head1 SYNOPSIS
-
- #include <openssl/ssl.h>
-
- int SSL_CONF_cmd_argv(SSL_CONF_CTX *cctx, int *pargc, char ***pargv);
-
-=head1 DESCRIPTION
-
-The function SSL_CONF_cmd_argv() processes at most two command line
-arguments from B<pargv> and B<pargc>. The values of B<pargv> and B<pargc>
-are updated to reflect the number of command options procesed. The B<pargc>
-argument can be set to B<NULL> is it is not used.
-
-=head1 RETURN VALUES
-
-SSL_CONF_cmd_argv() returns the number of command arguments processed: 0, 1, 2
-or a negative error code.
-
-If -2 is returned then an argument for a command is missing.
-
-If -1 is returned the command is recognised but couldn't be processed due
-to an error: for example a syntax error in the argument.
-
-=head1 SEE ALSO
-
-L<SSL_CONF_CTX_new(3)|SSL_CONF_CTX_new(3)>,
-L<SSL_CONF_CTX_set_flags(3)|SSL_CONF_CTX_set_flags(3)>,
-L<SSL_CONF_CTX_set1_prefix(3)|SSL_CONF_CTX_set1_prefix(3)>,
-L<SSL_CONF_CTX_set_ssl_ctx(3)|SSL_CONF_CTX_set_ssl_ctx(3)>,
-L<SSL_CONF_cmd(3)|SSL_CONF_cmd(3)>
-
-=head1 HISTORY
-
-These functions were first added to OpenSSL 1.0.2
-
-=cut