Revision of custom extension code.

Move custom extension structures from SSL_CTX to CERT structure.

This change means the form can be revised in future without binary
compatibility issues. Also since CERT is part of SSL structures
so per-SSL custom extensions could be supported in future as well as
per SSL_CTX.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit b83294fe3022b9d5d525ccdcfeb53d39c25b05bd)

Conflicts:

ssl/ssl.h
ssl/ssl_cert.c
ssl/ssl_locl.h

Constant-time utilities

Pull constant-time methods out to a separate header, add tests.

Reviewed-by: Bodo Moeller <bodo@openssl.org>
(cherry picked from commit 5a3d21c0585064292bde5cd34089e120487ab687)

Conflicts:
ssl/s3_cbc.c
test/Makefile

RT2400: ASN1_STRING_to_UTF8 missing initializer

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit f9fb43e176ad2a914108cd2b403425dc1ebc7262)

RT2308: Add extern "C" { ... } wrapper

Add the wrapper to all public header files (Configure
generates one).  Don't bother for those that are just
lists of #define's that do renaming.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Cherry-pick of commit 17e80c6bd05de7406a65116f34ed59665607d8d5

Explicitly check for empty ASN.1 strings in d2i_ECPrivateKey

The old code implicitly relies on the ASN.1 code returning a \0-prefixed buffer
when the buffer length is 0. Change this to verify explicitly that the ASN.1 string
has positive length.

Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit 82dc08de54ce443c2a9ac478faffe79e76157795)

RT3065: automatically generate a missing EC public key

When d2i_ECPrivateKey reads a private key with a missing (optional) public key,
generate one automatically from the group and private key.

Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit ed383f847156940e93f256fed78599873a4a9b28)

RT3065: ec_private_key_dont_crash

This change saves several EC routines from crashing when an EC_KEY is
missing a public key. The public key is optional in the EC private key
format and, without this patch, running the following through `openssl
ec` causes a crash:

-----BEGIN EC PRIVATE KEY-----
MBkCAQEECAECAwQFBgcIoAoGCCqGSM49AwEH
-----END EC PRIVATE KEY-----

Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit b391570bdeb386d4fd325917c248d593d3c43930)

RT2210: Add missing EVP_cleanup to example

I also removed some trailing whitespace and cleaned
up the "see also" list.

Reviewed-by: Emilia Kasper <emilia@openssl.org>
(cherry picked from commit 7b3e11c54466f1da8b707c932e308d345fd61101)

RT2724: Remove extra declaration

Extra SSL_get_selected_srtp_profile() declaration in ssl/srtp.h
causes -Werror builds to fail.

Cherry-picked from 3609b02305c3678525930ff9bacb566c0122ea2a

Reviewed-by: Tim Hudson <tjh@openssl.org>

RT1744: SSL_CTX_set_dump_dh() doc feedback

The description of when the server creates a DH key is
confusing.  This cleans it up.
(rsalz: also removed trailing whitespace.)

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

RT1804: fix EXAMPLE in EVP_EncryptInit.pod

The EXAMPLE that used FILE and RC2 doesn't compile due to a
few minor errors.  Tweak to use IDEA and AES-128. Remove
examples about RC2 and RC5.

Reviewed-by: Emilia Kasper <emilia@openssl.org>

Typo fixes to evp documentation.

This patch was submitted by user "Kox" via the wiki

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 2dd8cb3b9593f528d9537aa6a003d5c93df1e3c5)

RT3060: Limit the number of empty records.

Limit the number of empty records that will be processed consecutively
in order to prevent ssl3_get_record from never returning.

Reported by "oftc_must_be_destroyed" and George Kadianakis.

Reviewed-by: Bodo Moeller <bodo@openssl.org>

RT3061: Don't SEGFAULT when trying to export a public DSA key as a private key.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

Improve EVP_PKEY_sign documentation

Clarify the intended use of EVP_PKEY_sign. Make the code example compile.

Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit d64c533a207f7b6d86c3bc8ffb053e5f4d0c1ca0)

define inline for Visual Studio

In Visual Studio, inline is available in C++ only, however __inline is available for C, see
http://msdn.microsoft.com/en-us/library/z8y1yy88.aspx

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit f511b25a7370c775dc9fd6198dbacd1706cf242b)

Fix build when BSAES_ASM is defined but VPAES_ASM is not

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit da92be4d68bec81030838e3228ef0238c565af85)

bn/asm/rsaz-*.pl: allow spaces in Perl path name.

RT: 2835

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 15735e4f0e81d535cda0ad7ab52a0ed64b644cd0)

sha1-mb-x86_64.pl: add commentary.

Reviewed-by: Emilia Kasper <emilia@openssl.org>
(cherry picked from commit e608273a8094a95a5703c26a428a007497e74392)

crypto/evp/e_aes_cbc_hmac_sha[1|256].c: fix compiler warnings.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 2893a302a9b6a70161d1859d985a52af11b2195d)

sha1-mb-x86_64.pl: fix typo.

Reviewed-by: Emilia Kasper <emilia@openssl.org>
(cherry picked from commit 55eb14da201cc35fe744a08718f5c2efb97f6155)

Fixed out-of-bounds read errors in ssl3_get_key_exchange.

PR#3450

Reviewed-by: Emilia Käsper <emilia@openssl.org>

Fix use after free bug.

Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 5afa57fb7b17aa51cfba1ffa94e900fc7a5f0e04)

Further improve/fix ec_GFp_simple_points_make_affine (ecp_smpl.c) and
group_order_tests (ectest.c).  Also fix the EC_POINTs_mul documentation (ec.h).

Reviewed-by: emilia@openssl.org

Fix SRP authentication ciphersuites.

The addition of SRP authentication needs to be checked in various places
to work properly. Specifically:

A certificate is not sent.
A certificate request must not be sent.
Server key exchange message must not contain a signature.
If appropriate SRP authentication ciphersuites should be chosen.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 8f5a8805b82d1ae81168b11b7f1506db9e047dec)

Test SRP authentication ciphersuites.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 193c1c07165b0042abd217274a084b49459d4443)

Only use FIPS EC methods in FIPS mode.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 1433cac53c93f9f109290389f60b17078a572d3d)

Check SRP parameters early.

Check SRP parameters when they are received so we can send back an
appropriate alert.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>

Fix SRP buffer overrun vulnerability.

Invalid parameters passed to the SRP code can be overrun an internal
buffer. Add sanity check that g, A, B < N to SRP code.

Thanks to Sean Devlin and Watson Ladd of Cryptography Services, NCC
Group for reporting this issue.

Fix SRP ciphersuite DoS vulnerability.

If a client attempted to use an SRP ciphersuite and it had not been
set up correctly it would crash with a null pointer read. A malicious
server could exploit this in a DoS attack.

Thanks to Joonas Kuorilehto and Riku Hietamäki from Codenomicon
for reporting this issue.

CVE-2014-2970
Reviewed-by: Tim Hudson <tjh@openssl.org>

Fix race condition in ssl_parse_serverhello_tlsext

CVE-2014-3509
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

Fix OID handling:

- Upon parsing, reject OIDs with invalid base-128 encoding.
- Always NUL-terminate the destination buffer in OBJ_obj2txt printing function.

CVE-2014-3508

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>

Fix DTLS anonymous EC(DH) denial of service

CVE-2014-3510

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

Fix protocol downgrade bug in case of fragmented packets

CVE-2014-3511

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Bodo Möller <bodo@openssl.org>

Remove some duplicate DTLS code.

In a couple of functions, a sequence number would be calculated twice.

Additionally, in |dtls1_process_out_of_seq_message|, we know that
|frag_len| <= |msg_hdr->msg_len| so the later tests for |frag_len <
msg_hdr->msg_len| can be more clearly written as |frag_len !=
msg_hdr->msg_len|, since that's the only remaining case.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>

Applying same fix as in dtls1_process_out_of_seq_message. A truncated DTLS fragment would cause *ok to be clear, but the return value would still be the number of bytes read.

Problem identified by Emilia Käsper, based on previous issue/patch by Adam
Langley.

Reviewed-by: Emilia Käsper <emilia@openssl.org>

Fix return code for truncated DTLS fragment.

Previously, a truncated DTLS fragment in
|dtls1_process_out_of_seq_message| would cause *ok to be cleared, but
the return value would still be the number of bytes read. This would
cause |dtls1_get_message| not to consider it an error and it would
continue processing as normal until the calling function noticed that
*ok was zero.

I can't see an exploit here because |dtls1_get_message| uses
|s->init_num| as the length, which will always be zero from what I can
see.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>

Fix memory leak from zero-length DTLS fragments.

The |pqueue_insert| function can fail if one attempts to insert a
duplicate sequence number. When handling a fragment of an out of
sequence message, |dtls1_process_out_of_seq_message| would not call
|dtls1_reassemble_fragment| if the fragment's length was zero. It would
then allocate a fresh fragment and attempt to insert it, but ignore the
return value, leaking the fragment.

This allows an attacker to exhaust the memory of a DTLS peer.

Fixes CVE-2014-3507

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>

Fix DTLS handshake message size checks.

In |dtls1_reassemble_fragment|, the value of
|msg_hdr->frag_off+frag_len| was being checked against the maximum
handshake message size, but then |msg_len| bytes were allocated for the
fragment buffer. This means that so long as the fragment was within the
allowed size, the pending handshake message could consume 16MB + 2MB
(for the reassembly bitmap). Approx 10 outstanding handshake messages
are allowed, meaning that an attacker could consume ~180MB per DTLS
connection.

In the non-fragmented path (in |dtls1_process_out_of_seq_message|), no
check was applied.

Fixes CVE-2014-3506

Wholly based on patch by Adam Langley with one minor amendment.

Reviewed-by: Emilia Käsper <emilia@openssl.org>

Added comment for the frag->reassembly == NULL case as per feedback from Emilia

Reviewed-by: Emilia Käsper <emilia@openssl.org>

Avoid double free when processing DTLS packets.

The |item| variable, in both of these cases, may contain a pointer to a
|pitem| structure within |s->d1->buffered_messages|. It was being freed
in the error case while still being in |buffered_messages|. When the
error later caused the |SSL*| to be destroyed, the item would be double
freed.

Thanks to Wah-Teh Chang for spotting that the fix in 1632ef74 was
inconsistent with the other error paths (but correct).

Fixes CVE-2014-3505

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>

make update

Reviewed-by: Tim Hudson <tjh@openssl.org>

Fix error discrepancy.

We can't rename ssleay_rand_bytes to md_rand_bytes_lock as this will cause
an error code discrepancy. Instead keep ssleay_rand_bytes and add an
extra parameter: since ssleay_rand_bytes is not part of the public API
this wont cause any binary compatibility issues.
Reviewed-by: Kurt Roeckx <kurt@openssl.org >

Update $default_depflags to match current defaults.

Clean up CHANGES files: If a change is already present in 1.0.1f or 1.0.1h,
don't list it again under changes between 1.0.1h and 1.0.2.

Simplify and fix ec_GFp_simple_points_make_affine
(which didn't always handle value 0 correctly).

Reviewed-by: emilia@openssl.org

Avoid multiple lock using FIPS DRBG.

Don't use multiple locks when SP800-90 DRBG is used outside FIPS mode.

PR#3176
Reviewed-by: Rich Salz <rsalz@openssl.org>

Add conditional unit testing interface.

Don't call internal functions directly call them through
SSL_test_functions(). This also makes unit testing work on
Windows and platforms that don't export internal functions
from shared libraries.

By default unit testing is not enabled: it requires the compile
time option "enable-unit-test".
Reviewed-by: Geoff Thorpe <geoff@openssl.org>
(cherry picked from commit e0fc7961c4fbd27577fb519d9aea2dc788742715)

Conflicts:

ssl/heartbeat_test.c
ssl/ssl.h
util/mkdef.pl

Prepare for 1.0.2-beta3-dev

Reviewed-by: Stephen Henson <steve@openssl.org>

Prepare for 1.0.2-beta2 release

Reviewed-by: Stephen Henson <steve@openssl.org>

make update

Reviewed-by: Stephen Henson <steve@openssl.org>

update $default_depflags

Reviewed-by: Matt Caswell <matt@openssl.org>

CHANGES: mention new platforms.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

"EC_POINT_invert" was checking "dbl" function pointer instead of "invert".

PR#2569

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit cba11f57ce161fd301a72194827327128191de7e)

Remove old unused and unmaintained demonstration code.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 62352b8138018775a4c085a105fccd9cdcb6323f)

sha1-ppc.pl: shave off one cycle from BODY_20_39
and improve performance by 10% on POWER[78].

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 5c3598307ebbf5a88d1c39fbb2629536e443a5dd)

Minor documentation update removing "really" and a
statement of opinion rather than a fact.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit c8d133e4b6f1ed1b7ad3c1a6d2c62f460e26c050)

Add test header to Makefile, update ordinals

Reviewed-by: Tim Hudson <tjh@openssl.org>

Initial POWER8 support from development branch.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>

Fix documentation for RSA_set_method(3)

PR#1675
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 197400c3f0d617d71ad8167b52fb73046d334320)

Make *Final work for key wrap again.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 58f4698f67c33b723a9e99bed1101161a59eea73)

Sanity check lengths for AES wrap algorithm.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit d12eef15016e49fc09d6c96653c61624e032d1a3)

Fix typo, add reference.

PR#3456
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit d48e78f0cf22aaddb563f4bcfccf25b1a45ac8a4)

Disabled XTS mode in enc utility as it is not supported

PR#3442

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 2097a17c576f2395a10b05f14490688bc5f45a07)

Add Matt Caswell's fingerprint, and general update on the fingerprints file to bring it up to date

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 3bd548192a03142c80cf8bc68659d79dea20a738)

Clarify -Verify and PSK.

PR#3452
(cherry picked from commit ca2015a617842fed3d36ed4dcbbf8d5e27bc5216)

Fix DTLS certificate requesting code.

Use same logic when determining when to expect a client
certificate for both TLS and DTLS.

PR#3452
(cherry picked from commit c8d710dc5f83d69d802f941a4cc5895eb5fe3d65)

Don't allow -www etc options with DTLS.

The options which emulate a web server don't make sense when doing DTLS.
Exit with an error if an attempt is made to use them.

PR#3453
(cherry picked from commit 58a2aaeade8bdecd0f9f0df41927f7cff3012547)

Use case insensitive compare for servername.

PR#3445
(cherry picked from commit 1c3e9a7c67ccdc5e770829fe951e5832e600d377)

document -nextprotoneg option in man pages

Add description of the option to advertise support of
Next Protocol Negotiation extension (-nextprotoneg) to
man pages of s_client and s_server.

PR#3444
(cherry picked from commit 7efd0e777e65eaa6c60d85b1cc5c889f872f8fc4)

Use more common name for GOST key exchange.
(cherry picked from commit 7aabd9c92fe6f0ea2a82869e5171dcc4518cee85)

Fixed valgrind complaint due to BN_consttime_swap reading uninitialised data.
This is actually ok for this function, but initialised to zero anyway if
PURIFY defined.

This does have the impact of masking any *real* unitialised data reads in bn though.

Patch based on approach suggested by Rich Salz.

PR#3415

(cherry picked from commit 77747e2d9a5573b1dbc15e247ce18c03374c760c)

Add names of GOST algorithms.

PR#3440
(cherry picked from commit 924e5eda2c82d737cc5a1b9c37918aa6e34825da)

* crypto/ui/ui_lib.c: misplaced brace in switch statement.
  Detected by dcruette@qualitesys.com

(cherry picked from commit 8b5dd340919e511137696792279f595a70ae2762)

Don't clean up uninitialised EVP_CIPHER_CTX on error (CID 483259).

(cherry picked from commit c1d1b0114e9d370c30649e46182393dbfc00e20c)

Fix memory leak in BIO_free if there is no destroy function.
Based on an original patch by Neitrino Photonov <neitrinoph@gmail.com>

PR#3439

(cherry picked from commit 66816c53bea0ecddb9448da7ea9a51a334496127)

x86_64 assembly pack: improve masm support.
(cherry picked from commit 1b0fe79f3ee27ebd20510da3af9ec04c6ee0f800)

Please Clang's sanitizer, addendum.
(cherry picked from commit d11c70b2c2a655d112fa72d34c6702e9aa2eff79)

Please Clang's sanitizer.

PR: #3424,#3423,#3422
(cherry picked from commit 021e5043e524b1cb28a929ef902548a987c16e65)

apps/speed.c: fix compiler warnings in multiblock_speed().
(cherry picked from commit c4f8efab34af95a5319bbc5b954b62614604298a)

sha[1|512]-x86_64.pl: fix logical errors with $shaext=0.
(cherry picked from commit 07b635cceb60abaddba2f0e469e5f5978258f46b)

Prevent infinite loop loading config files.

PR#2985
(cherry picked from commit 9d23f422a32cb333a5e803199ae230706b1bf9f5)

Improve X509_check_host() documentation.

Based on feedback from Jeffrey Walton.

(cherry picked from commit b73ac027357da29d9e393f24cd224999c94028d1)

Update API to use (char *) for email addresses and hostnames

Reduces number of silly casts in OpenSSL code and likely most
applications.  Consistent with (char *) for "peername" value from
X509_check_host() and X509_VERIFY_PARAM_get0_peername().

(cherry picked from commit 297c67fcd817ea643de2fdeff4e434b050d571e2)

Set optional peername when X509_check_host() succeeds.

Pass address of X509_VERIFY_PARAM_ID peername to X509_check_host().
Document modified interface.

(cherry picked from commit ced3d9158a7a8c676be504bb6cd3b5ffb7cc7f13)

New peername element in X509_VERIFY_PARAM_ID

Declaration, memory management, accessor and documentation.

(cherry picked from commit 6e661d458f5aa8f52bf3d9098bd10025de5f08ea)

One more typo when changing !result to result <= 0

(cherry picked from commit eef1827f89ebb82d3bcb5391fa15e05061bab4b2)

Fix typo in last commit

(cherry picked from commit 90b70a6a6b4df267fea2724c7af37d93366a1fec)

Multiple verifier reference identities.

Implemented as STACK_OF(OPENSSL_STRING).

(cherry picked from commit 8abffa4a73fcbf6536e0a42d736ed9211a8204ea)

Implement sk_deep_copy.

(cherry picked from commit 66d884f06770f2daaee8016299ef7e1e3b91dfd1)

Usage for -hack and -prexit -verify_return_error
(cherry picked from commit ee724df75d9ad67fd954253ac514fddb46f1e3c6)

Document certificate status request options.
(cherry picked from commit cba3f1c739f012aaadb85aaefaf8de424d2695e2)

s_server usage for certificate status requests
(cherry picked from commit a44f219c009798054d6741e919cba5b2e656dbf4)

Update ticket callback docs.
(cherry picked from commit a23a6e85d8dcd5733a343754f434201f3c9aa6f0)

Sanity check keylength in PVK files.

PR#2277
(cherry picked from commit 733a6c882e92f8221bd03a51643bb47f5f81bb81)

Added reference to platform specific cryptographic acceleration such as AES-NI

Fixed error in pod files with latest versions of pod2man

(cherry picked from commit 07255f0a76d9d349d915e14f969b9ff2ee0d1953)

sha512-x86_64.pl: fix typo.

PR: #3431
(cherry picked from commit 7eb9680ae1bf5dd9aeb61c401f2c3bd900ac9aeb)

s3_pkt.c: fix typo.
(cherry picked from commit 0e7a32b55e8c5b1ec7c2bb755213d076390cc55e)

apps/speed.c: add multi-block benchmark.
(cherry picked from commit 375a64e3496c7576a7dbcfdf9a549bf2693506e8)