chacha20/poly1305: make sure to clear the buffer at correct position

The offset to the memory to clear was incorrect, causing a heap buffer
overflow.

CVE-2016-7054

Thanks to Robert Święcki for reporting this

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit b8e4011fb26364e44230946b87ab38cc1c719aae)

aes/asm/aesp8-ppc.pl: improve [backward] portability.

Some of stone-age assembler can't cope with r0 in address. It's actually
sensible thing to do, because r0 is shunted to 0 in address arithmetic
and by refusing r0 assembler effectively makes you understand that.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit a54aba531327285f64cf13a909bc129e9f9d5970)

bn/asm/x86_64-mont.pl: fix for CVE-2016-7055 (Low severity).

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 2fac86d9abeaa643677d1ffd0a139239fdf9406a)

test/bntest.c: regression test for CVE-2016-7055.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit dca2e0ee1745ed2d9cba8c29f334f881a58f85dc)

Fix the evp_test Ctrl keyword processing

Skip the test if the value after ":" is a disabled algorithm, rather
than failing it

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit dfbdf4abb7c62156f36925db95728142c4223225)

Fix no-dso (shlibloadtest)

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 586b79d8884b171eb3fae1ef230572921715ce1a)

When no SRP identity is found, no error was reported server side

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1859)

(cherry picked from commit 7bb37cb5938a0cf76c12c8421950e72634d5f61c)

Unix Makefile: Make sure to use $(PERL) when running ./Configure

For consistency, it's better to use the perl that was specified to
Configure last time it was called.

Use case:

perl v5.8.8 was first along $PATH, perl v5.22.2 was available and
specified as: PERL=/opt/local/bin/perl ./config.  When make wanted to
reconfigure and called './Configure reconf', configuration broke down,
complaining about a perl that's too old.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1884)
(cherry picked from commit 12ccb021be9e1c4c947e020ea2079e985b329a8a)

Missing BN_RECP_CTX field init.

BN_RECP_CTX_new direclty use bn_init to avoid twice memset calls

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1879)
(cherry picked from commit 318447bceb3aa2c50ac0081bdb4e917f8704e7da)

Zero stack variable with DSA nonce

Thanks to Falko Strenzke for bringing this to our attention.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1882)
(cherry picked from commit e5e71f2857275189577ab7b227608ab4ec985471)

INSTALL: small typo

libssl, not libddl.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1871)
(cherry picked from commit b77b6127e8de38726f37697bbbc736ced7b49771)

Allow null in  X509_CRL_METHOD_free

and fix documentation.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1634)
(cherry picked from commit 7cb1ecec59d7c8d6628fb9bfd435306f7e06fd33)

Improve PRF documentation

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #1834
(cherry picked from commit 27ed73a98f88c98be996a6ffe7bda1b84bfc8be7)

Improve RSA test coverage.

MD5/SHA1 and MDC-2 have special-case logic beyond the generic DigestInfo
wrapping. Test that each of these works, including hash and length
mismatches (both input and signature). Also add VerifyRecover tests. It
appears 5824cc298174d462c827cd090675e30fc03f0caf added support for
VerifyRecover, but forgot to add the test data.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #1474
(cherry picked from commit f320555735af7aa52172a2b8c56181445e8490dd)

Make RSA_sign.pod less confusing.

PKCS #1 v2.0 is the name of a document which specifies an algorithm
RSASSA-PKCS1-v1_5, often referred to as "PKCS #1 v1.5" after an earlier
document which specified it. This gets further confusing because the
document PKCS #1 v2.1 specifies two signature algorithms,
RSASSA-PKCS1-v1_5 and RSASSA-PSS. RSA_sign implements RSASSA-PKCS1-v1_5.

Refer to the document using the RFC number which is easier to find
anyway, and refer to the algorithm by its name.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #1474
(cherry picked from commit aa90ca11c930114d5c0d68a2c1f446bf97853287)

Implement RSASSA-PKCS1-v1_5 as specified.

RFC 3447, section 8.2.2, steps 3 and 4 states that verifiers must encode
the DigestInfo struct and then compare the result against the public key
operation result. This implies that one and only one encoding is legal.

OpenSSL instead parses with crypto/asn1, then checks that the encoding
round-trips, and allows some variations for the parameter. Sufficient
laxness in this area can allow signature forgeries, as described in
https://www.imperialviolet.org/2014/09/26/pkcs1.html

Although there aren't known attacks against OpenSSL's current scheme,
this change makes OpenSSL implement the algorithm as specified. This
avoids the uncertainty and, more importantly, helps grow a healthy
ecosystem. Laxness beyond the spec, particularly in implementations
which enjoy wide use, risks harm to the ecosystem for all. A signature
producer which only tests against OpenSSL may not notice bugs and
accidentally become widely deployed. Thus implementations have a
responsibility to honor the specification as tightly as is practical.

In some cases, the damage is permanent and the spec deviation and
security risk becomes a tax all implementors must forever pay, but not
here. Both BoringSSL and Go successfully implemented and deployed
RSASSA-PKCS1-v1_5 as specified since their respective beginnings, so
this change should be compatible enough to pin down in future OpenSSL
releases.

See also https://tools.ietf.org/html/draft-thomson-postel-was-wrong-00

As a bonus, by not having to deal with sign/verify differences, this
version is also somewhat clearer. It also more consistently enforces
digest lengths in the verify_recover codepath. The NID_md5_sha1 codepath
wasn't quite doing this right.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #1474
(cherry picked from commit 608a026494c1e7a14f6d6cfcc5e4994fe2728836)

Partial revert of "Fix client verify mode to check SSL_VERIFY_PEER"

This partially reverts commit c636c1c47. It also tweaks the documentation
and comments in this area. On the client side the documented interface for
SSL_CTX_set_verify()/SSL_set_verify() is that setting the flag
SSL_VERIFY_PEER causes verfication of the server certificate to take place.
Previously what was implemented was that if *any* flag was set then
verification would take place. The above commit improved the semantics to
be as per the documented interface.

However, we have had a report of at least one application where an
application was incorrectly using the interface and used *only*
SSL_VERIFY_FAIL_IF_NO_PEER_CERT on the client side. In OpenSSL prior to
the above commit this still caused verification of the server certificate
to take place. After this commit the application silently failed to verify
the server certificate.

Ideally SSL_CTX_set_verify()/SSL_set_verify() could be modified to indicate
if invalid flags were being used. However these are void functions!

The simplest short term solution is to revert to the previous behaviour
which at least means we "fail closed" rather than "fail open".

Thanks to Cory Benfield for reporting this issue.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit c8e2f98c97ff3327784843946c2d62761572e5d5)

Always ensure that init_msg is initialised for a CCS

We read it later in grow_init_buf(). If CCS is the first thing received in
a flight, then it will use the init_msg from the last flight we received. If
the init_buf has been grown in the meantime then it will point to some
arbitrary other memory location. This is likely to result in grow_init_buf()
attempting to grow to some excessively large amount which is likely to
fail. In practice this should never happen because the only time we receive
a CCS as the first thing in a flight is in an abbreviated handshake. None
of the preceding messages from the server flight would be large enough to
trigger this.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit c437757466e7bef632b26eaaf429a9e693330999)

Windows: use default ZLIB1 unless --with-zlib-lib is set

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1772)
(cherry picked from commit 475592e2419c5cb3098dfea4c9229d0c09ea7010)

Fix the LIBZ macro on VC config targets

If zlib-dynamic was given but not --with-zlib-lib, LIBZ was defined to
the empty string.  Instead, give it the default "ZLIB1".

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1772)
(cherry picked from commit 111b234c8f80371e7e31d922946cbd546491d4e8)

VMS: pretend to use -znodelete

VMS only unloads shared libraries at process rundown, so tell the
OpenSSL code so by pretending we linked with -znodelete.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1862)
(cherry picked from commit 1186a2b3d40e33cbf42d4fd3c7cc679f9f6e14f2)

VMS build file template: assign 'arch' to local symbol table

Since the local symbol table is looked up before the global symbol
table, 'arch' assigned in the local symbol table of the DCL where MMS
is called would be seen before the 'arch' defined in descrip.mms.
Assigning it to the local symbol table in descrip.mms removes that
issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1853)
(cherry picked from commit 3ee24d4acaff1c247db89c5cfcac17749dc3d7bc)

Missed a mention of RT

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1849)
(cherry picked from commit 1e62cc12f35408508594be254f40bf9b65d2a3a9)

Travis: add a strict build

Clang on Linux seems to catch things that we might miss otherwise.
Also, throw in 'no-deprecated' to make sure we test that as well.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1839)
(cherry picked from commit 7b1954384114643e1a3c3a0ababa3fd7a112c5e3)

Don't assume to know the shared library extension

test/shlibloadtest.c assumes all Unix style platforms use .so as
shared library extension.  This is not the case for Mac OS X, which
uses .dylib.  Instead of this, have the test recipe find out the
extension from configuration data.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1844)
(cherry picked from commit 62dd3351a16089aedb0f1e62e3b6df371c93389c)

Update CRYPTO_set_mem_debug() doc

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1842)
(cherry picked from commit 00bb5504cc62693e05ff4e699f379011c55ecc84)

Enable memory debugging while testing

Pre 1.1.0, 'make test' would set the environment variable
OPENSSL_DEBUG_MEMORY to "on".  This got lost when translating the old
build files to the new templates.  This changes reintroduces that
variable.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1840)
(cherry picked from commit 6d4bc8a3d2c2f7701588bbfdea80a1f7a3973f26)

test/shlibloadtest: small fixes

- Make sure to initialise SHLIB variables
- Make sure to make local variables static

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1838)
(cherry picked from commit 3b0478fe03191bedef44644996a5a6da51f77eaf)

Clang doesn't like -znodelete, make it a linker flag instead

gcc is kinder, it silently passes quite a few flags to ld, while clang
is stricter and wants them prefixed with -Wl,

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1836)
(cherry picked from commit 075e9da055454ec5586962b43d9923e44bdcb313)

test/build.info: typo, $ missing

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1832)
(cherry picked from commit 9c89c8460a4dcf828a22e2dfc279b5ea8a80ec60)

conf fuzzer: also check for an empty file

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #1828
(cherry picked from commit ea6199ea91ac59ae53686335e436d554cdacd2dc)

[fuzzers] do not fail fuzzers with empty input

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #1788
(cherry picked from commit ba7407002d899b614d4728da9004594f947ff3da)

Implement GET_MODULE_HANDLE_EX_FLAG_PIN for windows

Rather than leaking a reference, just call GetModuleHandleEx and pin the
module on Windows.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 2b59d1beaad43d9cf8eb916a437db63bc8ce1d3a)

Link using -znodelete

Instead of deliberately leaking a reference to ourselves, use nodelete
which does this more neatly. Only for Linux at the moment.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit b6d5ba1a9f004d637acac18ae3519fe063b6b5e1)

Add a test to dynamically load and unload the libraries

This should demonstrate that the atexit() handling is working properly (or
at least not crashing) on process exit.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit b987d748e46d4ec19a45e5ec9e890a9003a361d6)

Ensure that libcrypto and libssl do not unload until the process exits

Because we use atexit() to cleanup after ourselves, this will cause a
problem if we have been dynamically loaded and then unloaded again: the
atexit() handler may no longer be there.

Most modern atexit() implementations can handle this, however there are
still difficulties if libssl gets unloaded before libcrypto, because of
the atexit() callback that libcrypto makes to libssl.

The most robust solution seems to be to ensure that libcrypto and libssl
never unload. This is done by simply deliberately leaking a dlopen()
reference to them.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 5836780f436e03be231ff245f04f2f9f2f0ede91)

Add a DSO_dsobyaddr() function

This works the same way as DSO_pathbyaddr() but instead returns a ptr to
the DSO that contains the provided symbol.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit b39eda7ee69a9277c722f8789736e00dc680cda6)

Partial revert of 3d8b2ec42 to add back DSO_pathbyaddr

Commit 3d8b2ec42 removed various unused functions. However now we need to
use one of them! This commit resurrects DSO_pathbyaddr(). We're not going to
resurrect the Windows version though because what we need to achieve can be
done a different way on Windows.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit cb6ea61c161e88aa0268c77f308469a67b2ec063)

Add a CHANGES entry for the unrecognised record type change

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit ce95f3b724f71f42dd57af4a0a8e2f571deaf94d)

Add a test for unrecognised record types

We should fail if we receive an unrecognised record type

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 1f3e70a450364e3152973380ea4d3bb6694f3980)

Fail if an unrecognised record type is received

TLS1.0 and TLS1.1 say you SHOULD ignore unrecognised record types, but
TLS 1.2 says you MUST send an unexpected message alert. We swap to the
TLS 1.2 behaviour for all protocol versions to prevent issues where no
progress is being made and the peer continually sends unrecognised record
types, using up resources processing them.

Issue reported by 郭志攀

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 436a2a0179416d2cc22b678b63e50c2638384d5f)

Test recipes: remove duplicate OpenSSL::Test usage

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1815)
(cherry picked from commit 2c4a3f938ca378d2017275d299f02512b232ceaf)

Fix link to LibFuzzer

CLA: trivial
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1801)

(cherry picked from commit fe2582a224e35585274198ef2d2983f3afa84f1e)

Add a read_ahead test

This test checks that read_ahead works correctly when dealing with large
records.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 7856332e8c14fd1da1811a9d0afde243dd0f4669)

Fix read_ahead

The function ssl3_read_n() takes a parameter |clearold| which, if set,
causes any old data in the read buffer to be forgotten, and any unread data
to be moved to the start of the buffer. This is supposed to happen when we
first read the record header.

However, the data move was only taking place if there was not already
sufficient data in the buffer to satisfy the request. If read_ahead is set
then the record header could be in the buffer already from when we read the
preceding record. So with read_ahead we can get into a situation where even
though |clearold| is set, the data does not get moved to the start of the
read buffer when we read the record header. This means there is insufficient
room in the read buffer to consume the rest of the record body, resulting in
an internal error.

This commit moves the |clearold| processing to earlier in ssl3_read_n()
to ensure that it always takes place.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit a7faa6da317887e14e8e28254a83555983ed6ca7)

Secure our notification email.

Forks will have to define their own

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1821)
(cherry picked from commit 5e28b1c1e048eef600dc49820934a5e1531186d4)

Fix grammar-o in CONTRIBUTING

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1625)
(cherry picked from commit e4d94269a5a41594852dc60716500580f1d47cef)

HPUX: Add the forgotten $(DSTDIR) when linking DSOs

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1802)
(cherry picked from commit f46661de7806b5bae507d17185bda2bafd6c20d8)

Unix Makefile: Some sed implementation truncate long lines.  Use perl instead.

Fixes #1781

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1813)
(cherry picked from commit ebca7961a6bc2652ecb3cf6dda3f43943e2965d3)

Mark VC templates correctly.

VC-noCE-common and VC-WIN64-common were missing this line:

        template         => 1,

Fixes GH#1809

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1811)
(cherry picked from commit be1f4812111aa76f12db91d9059ead3b43314b4c)

Implement length checks as a macro

Replace the various length checks in the extension code with a macro to
simplify the logic.

Reviewed-by: Rich Salz <rsalz@openssl.org>

Ensure we have length checks for all extensions

The previous commit inspired a review of all the length checks for the
extension adding code. This adds more robust checks and adds checks where
some were missing previously. The real solution for this is to use WPACKET
which is currently in master - but that cannot be applied to release
branches.

Reviewed-by: Rich Salz <rsalz@openssl.org>

Fix length check writing status request extension

The status request extension did not correctly check its length, meaning
that writing the extension could go 2 bytes beyond the buffer size. In
practice this makes little difference because, due to logic in buffer.c the
buffer is actually over allocated by approximately 5k!

Issue reported by Guido Vranken.

Reviewed-by: Rich Salz <rsalz@openssl.org>

Fix a double free in ca command line

Providing a spkac file with no default section causes a double free.

Thanks to Brian Carpenter for reporting this issue.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 229bd12487f8576fc088dc4f641950ac33c62033)

Add a test for BIO_read() returning 0 in SSL_read() (and also for write)

A BIO_read() 0 return indicates that a failure occurred that may be
retryable. An SSL_read() 0 return indicates a non-retryable failure. Check
that if BIO_read() returns 0, SSL_read() returns <0. Same for SSL_write().

The asyncio test filter BIO already returns 0 on a retryable failure so we
build on that.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit a34ac5b8b9c1a3281b4ee545c46177f485fb4949)

A zero return from BIO_read()/BIO_write() could be retryable

A zero return from BIO_read()/BIO_write() could mean that an IO operation
is retryable. A zero return from SSL_read()/SSL_write() means that the
connection has been closed down (either cleanly or not). Therefore we
should not propagate a zero return value from BIO_read()/BIO_write() back
up the stack to SSL_read()/SSL_write(). This could result in a retryable
failure being treated as fatal.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 4880672a9b41a09a0984b55e219f02a2de7ab75e)

VMS: tell the C compiler to use the ISO C94 standard

The current version of the VMS compiler provides C99 features,
strictly language wise.  Unfortunately, even the most recent standard
library isn't fully updated for that standard, so we need to use an
earlier standard that the compiler supports.

Most importantly, this affects the __STDC_VERSION__ value, which the
compiler unfortunately currently defaults to 199901L.  With this
change we won't have to give VMS special treatment when looking for
features based on that macro.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1785)
(cherry picked from commit 4f3015bb30b7d95bb97408776b70e6a35fb91e8a)

Fix typo (reported by Matthias St. Pierre)

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 12a7715e3daed439e46cbed461d2a3d9dfd37c0f)

Backdated note in CHANGES about shared library names

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1767)
(cherry picked from commit 78ce90cb1adb95eae094481e01f7a7d408ec78b7)

Add some notes on shared library names on different platforms

This is overdue since the addition of the unified build system

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1767)
(cherry picked from commit 4fa3f08fee253020ea152e11ff1f6fdcab79424f)

x86_64 assembly pack: add Goldmont performance results.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit ace05265d2d599e350cf84ed60955b7f2b173bc9)

Efence is antiquated, remove all traces of using it

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1768)
(cherry picked from commit 4fab3e24d62c810bc9165920af1c67c6215c7418)

Correct installation test in appveyor

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1759)
(cherry picked from commit 92403e77ac57e7c5fe49d2d2f304839757293922)

Fix grammar error in SSL_CTX_set_min_proto_version

CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1762)

(cherry picked from commit 8b5fffc819332dc381a431cae1a269642f0adf38)

GH1546: Fix old names in cryptodev code.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1584)
(cherry picked from commit a8a8a917c0c0d36162fdc0cbf84ab17282cef3e9)

Disable encrypt_then_mac negotiation for DTLS.

I use the word 'negotiation' advisedly. Because that's all we were doing.
We negotiated it, set the TLS1_FLAGS_ENCRYPT_THEN_MAC flag in our data
structure, and then utterly ignored it in both dtls_process_record()
and do_dtls1_write().

Turn it off for 1.1.0; we'll fix it for 1.1.1 and by the time that's
released, hopefully 1.1.0b will be ancient history.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>

apps: remove some #ifndef clutter

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1643)
(cherry picked from commit b85bf6395251dc28457b95de586a2f0a5faae4af)

apps: instead of varying implementation, make setup_engine a function always

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1643)
(cherry picked from commit 907c6c86331243897b80f37895a14de1e7957541)

If an engine comes up explicitely, it must also come down explicitely

In apps/apps.c, one can set up an engine with setup_engine().
However, we freed the structural reference immediately, which means
that for engines that don't already have a structural reference
somewhere else (because it's a built in engine), we end up returning
an invalid reference.

Instead, the function release_engine() is added, and called at the end
of the routines that call setup_engine().

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1643)
(cherry picked from commit dd1abd4462e4e4fa84b8f8de2ec70375f9b0e191)

Fix broken link to ASYNC_get_wait_ctx and rewrap the paragraph

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1745)
(cherry picked from commit 50c3fc00cc3090d082669591c0923a8468f2d8f9)

Do not set load_crypto_strings_inited when OPENSSL_NO_ERR is defined

Only set the load_crypto_strings_inited to 1 when err_load_crypto_strings_int was called.

This solves the following issue:
- openssl is built with no-err
- load_crypto_strings_inited is set to 1 during the OPENSSL_init_crypto call
- During the cleanup: OPENSSL_cleanup, err_free_strings_int is called because load_crypto_strings_inited == 1
- err_free_strings_int calls do_err_strings_init because it has never been called
- Now do_err_strings_init calls OPENSSL_init_crypto
- But since we are in the cleanup (stopped == 1) this results in an error:
  CRYPTOerr(CRYPTO_F_OPENSSL_INIT_CRYPTO, ERR_R_INIT_FAIL);
- which then tries to initialize everything we are trying to clean up: ERR_get_state, ossl_init_thread_start, etc
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1654)
(cherry picked from commit a1f2b0e6e07a53c0ae2c81cba319b90e54210cd6)

Add error checking, small nit on ouput

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1632)
(cherry picked from commit 31dad404fd6854ec8dd697bcccfef1e8dba3faff)

Add missing .pod extension to EVP_PKEY_CTX_set_tls1_prf_md

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit efba60ca7ab72cae62baad2aaaf2da32d1093c38)

Fix embedded string handling.

Don't rely on embedded flag to free strings correctly: it wont be
set if there is a malloc failure during initialisation.

Thanks to Guido Vranken for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1725)
(cherry picked from commit 6215f27a83c6b9089a217dd6deab1665e0ced516)

fix invalid use of incomplete type X509_STORE_CTX

CLA: trivial

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit ba6017a19346a169ca09bb67427ccf6fc56af0af)

Fix signatures of EVP_Digest{Sign,Verify}Update

These are implemented as macros delegating to `EVP_DigestUpdate`, which
takes a `size_t` as its third argument, not an `unsigned int`.

CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 8bdce8d160e29b4e1b80fec31f618d85d8c2b7a8)

Ensure we handle len == 0 in ERR_err_string_n

If len == 0 in a call to ERR_error_string_n() then we can read beyond the
end of the buffer. Really applications should not be calling this function
with len == 0, but we shouldn't be letting it through either!

Thanks to Agostino Sarubbo for reporting this issue. Agostino's blog on
this issue is available here:
https://blogs.gentoo.org/ago/2016/10/14/openssl-libcrypto-stack-based-buffer-overflow-in-err_error_string_n-err-c/

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit e5c1361580d8de79682958b04a5f0d262e680f8b)

Engine afalg: properly set operation type also on big endian.

Copy the whole ALG_OP_TYPE to CMSG_DATA.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 574cffd5d5b8f57f811c8d36d930205041deedee)

Fix typo

I think the second "VC-WIN32" should be "VC-WIN64".
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
CLA: trivial

Configure: remove superfluous 0x

The number is taken from the OPENSSL_VERSION_NUMBER which is already
in the hex form.

CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1706)

(cherry picked from commit 35a498e431f81f94c4ee2dd451cdfe4d566fef3b)

Add memory leak detection to d2i_test

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1707)
(cherry picked from commit 4a4c4bf06d6362f56507c787c61b07655563e962)

Fix copy-paste test labels

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 32804b04b8f3c889beebb6e63e14cc3ea4d8273c)

Remove blank line.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Fix no-ocsp.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Remove automatic RPATH - Add a CHANGES entry

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 38be1ea85515a34b3f7285134bdfc1f88082331b)

Remove automatic RPATH - adapt shlib_wrap.sh

Looking for something starting with '-Wl,-rpath,' isn't good enough,
as someone might give something like '-Wl,--enable-new-dtags,-rpath,/PATH'.
Looking for ',-rpath,' should be safe enough.

We could remove the preloading stuff entirely, but just in case the
user has chosen to given RPATH setting arguments at configuration,
we'd better make sure testing will still work.  Fair warning, there
are some configuration options that do not work with preloaded OpenSSL
libraries, such as the sanity checking ones.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 71d8ff1a8998da20db5ab8d4024c3d155b2f6733)

Remove automatic RPATH - add user rpath support

Make Configure recognise -rpath and -R to support user added rpaths
for OSF1 and Solaris.  For convenience, add a variable LIBRPATH in the
Unix Makefile, which the users can use as follows:

    ./config [options] -Wl,-rpath,\$(LIBRPATH)

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit fad599f7f147ee71e5581211fb654c2c8c491cd8)

Remove automatic RPATH

Before OpenSSL 1.1.0, binaries were installed in a non-standard
location by default, and runpath directories were therefore added in
those binaries, to make sure the executables would be able to find the
shared libraries they were linked with.

With OpenSSL 1.1.0 and on, binaries are installed in standard
directories by default, and the addition of runpath directories is
therefore not needed any more.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 075f7e2c6062a33352f570eeafe3c95e41419521)

RT is put out to pasture

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1702)
(cherry picked from commit 7954dced19a7e59e7055eab95a981fa943c7d100)

Fix X509_NAME decode for malloc failures.

The original X509_NAME decode free code was buggy: this
could result in double free or leaks if a malloc failure
occurred.

Simplify and fix the logic.

Thanks to Guido Vranken for reporting this issue.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1691)
(cherry picked from commit 6dcba070a94b1ead92f3e327cf207a0b7db6596f)

Remove untrue comment.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Make dependencies if Makefile is new.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Don't use des when disabled.

Reviewed-by: Rich Salz <rsalz@openssl.org>

fix memory leak

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit eb67172ae53da63a6ff5189dfde2af8f98309ce3)

SRP code tidy.

Tidy up srp_Calc_k and SRP_Calc_u by making them a special case of
srp_Calc_xy which performs SHA1(PAD(x) | PAD(y)).

This addresses an OCAP Audit issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 8f332ac962b377a52016927e6db7a15367cb839c)

Add SRP test vectors from RFC5054

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 198d805900b183943a1ced0f5a230d55c8493a04)

Fix missing NULL checks in NewSessionTicket construction

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 83ae4661315d3d0ad52ddaa8fa5c8f1055c6c6f6)

Restore '-keyform engine' support for s_client

This used to work in 1.0.2 but disappeared when the argument parsing was
revamped.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1639)

(cherry picked from commit a6972f346248fbc37e42056bb943fae0896a2967)

Fix an Uninit read in DTLS

If we have a handshake fragment waiting then dtls1_read_bytes() was not
correctly setting the value of recvd_type, leading to an uninit read.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 2f2d6e3e3ccd1ae7bba9f1af62f97dfca986e083)

Fix no-dtls

The new large message test in sslapitest needs OPENSSL_NO_DTLS guards

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 55386bef807c7edd0f1db036c0ed464b28a61d68)