The RAND_DRBG_TYPE preprocessor define depends on a NID, so  we have
to include obj_mac.h to make the header selfcontained.

Fixes #7521
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7524)

Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7483)

Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7483)

Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7483)

Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7484)

The EVP_PKEY methods for CMAC and HMAC needed a rework, although it
wasn't much change apart from name changes.

This also meant that EVP_PKEY_new_CMAC_key() needed an adjustment.
(the possibility to rewrite this function to work with any MAC is yet
to be explored)
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7484)

Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7484)

Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7484)

CLA: trivial
Reviewed-by: NTim Hudson <tjh@openssl.org>
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7444)

dsa_builtin_paramgen2 expects the L parameter to be greater than N,
otherwise the generation will get stuck in an infinite loop.
Reviewed-by: NBernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7493)

When wanting to compare the end of a string with another string, make
sure not to start somewhere before the start of the first string.

[extended tests]
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7520)

pkey_test_ctrl() was designed for parsing values, not for using in
test runs.  Relying on its returned value when it returned 1 even for
control errors made it particularly useless for mac_test_run().

Here, it gets replaced with a MAC specific control function, that
parses values the same way but is designed for use in a _run() rather
than a _parse() function.

This uncovers a SipHash test with an invalid control that wasn't
caught properly.  After all, that stanza is supposed to test that
invalid control values do generate an error.  Now we catch that.
Reviewed-by: NTim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7500)

Reviewed-by: NTim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7501)

Fixes #7497
Reviewed-by: NTim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7501)

We made the build of foo.obj depend on foo.d, meaning the latter gets
built first.  Unfortunately, the way the compiler works, we are forced
to redirect all output to foo.d, meaning that if the source contains
an error, the build fails without showing those errors.

We therefore remove the dependency and force the build of foo.d to
always happen after build of foo.obj.
Reviewed-by: NTim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7469)

Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7194)

Needed to clear a clash between ERR_load_CRYPTO_strings and
ERR_load_crypto_strings
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7194)

Believe it or not, the VMS C compiler is remarking on this
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7194)

These functions are generalizations of EVP_PKEY_CTX_str2ctrl() and
EVP_PKEY_CTX_hex2ctrl().  They will parse the value, and then pass the
parsed result and length to a callback that knows exactly how to pass
them on to a main _ctrl function, along with a context structure
pointer.
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7393)

If a MAC isn't available as an EVP_MAC, the MAC test falls back to the
corresponding EVP_PKEY method.
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7393)

The MAC EVP_PKEY implementations are currently implemented for each
MAC.  However, with the EVP_MAC API, only one such implementation is
needed.

This implementation takes into account the differences between HMAC
and CMAC implementations, and observes that all other current MAC
implementations seem to follow the HMAC model.
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7393)

Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7393)

We currently implement EVP MAC methods as EVP_PKEY methods.  This
change creates a separate EVP API for MACs, to replace the current
EVP_PKEY ones.

A note about this EVP API and how it interfaces with underlying MAC
implementations:

Other EVP APIs pass the EVP API context down to implementations, and
it can be observed that the implementations use the pointer to their
own private data almost exclusively.  The EVP_MAC API deviates from
that pattern by passing the pointer to the implementation's private
data directly, and thereby deny the implementations access to the
EVP_MAC context structure.  This change is made to provide a clearer
separation between the EVP library itself and the implementations of
its supported algorithm classes.
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7393)

Reviewed-by: NMatthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7504)

Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7510)

Preallocate an extra limb for some of the big numbers to avoid a reallocation
that can potentially provide a side channel.
Reviewed-by: NBernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7486)

Avoid a timing attack that leaks information via a side channel that
triggers when a BN is resized.  Increasing the size of the BNs
prior to doing anything with them suppresses the attack.

Thanks due to Samuel Weiser for finding and locating this.
Reviewed-by: NBernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7486)

There is a side channel attack against the division used to calculate one of
the modulo inverses in the DSA algorithm.  This change takes advantage of the
primality of the modulo and Fermat's little theorem to calculate the inverse
without leaking information.

Thanks to Samuel Weiser for finding and reporting this.
Reviewed-by: NMatthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: NBernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7487)

Found by Coverity Scan
Reviewed-by: NBernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7511)

This also gave enough reason to collect the stuff that's common for
all iOS config targets into the template "ios-common".

Fixes #7318
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7403)

The new Configure summary box (41349b5e) now hides the warning
about the missing seed source (2805ee1e) too much. To make it
more visible again, add warning markers.
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7509)

The Name Constraints extension contains GeneralSubtree values
indicating included or excluded subtrees.  It is defined as:

  GeneralSubtree ::= SEQUENCE {
    base                    GeneralName,
    minimum         [0]     BaseDistance DEFAULT 0,
    maximum         [1]     BaseDistance OPTIONAL }

RFC 5280 further specifies:

  Within this profile, the minimum and maximum fields are not used with
  any name forms, thus, the minimum MUST be zero, and maximum MUST be
  absent.

Because the minimum fields has DEFAULT 0, and certificates should be
encoded using DER, the situation where minimum = 0 occurs in a
certificate should not arise.  Nevertheless, it does arise.  For
example, I have seen certificates issued by Microsoft programs that
contain GeneralSubtree values encoded thus.

Enhance the Name Constraints matching routine to handle the case
where minimum is specified.  If present, it must be zero.  The
maximum field remains prohibited.
Reviewed-by: NPaul Yang <yang.yang@baishancloud.com>
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7039)

Fixes #7394
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7399)

Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7414)

Since 1fb9fdc3 we may attempt to buffer a record from the next epoch
that has already been buffered. Prior to that this never occurred.

We simply ignore a failure to buffer a duplicated record.

Fixes #6902
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7414)

Reviewed-by: NPaul Yang <yang.yang@baishancloud.com>
Reviewed-by: NMatthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7474)

In commit 820e414d (pr #5247) the summary output of the
Configure command was optimized towards instructing people
how to create issue reports.

It turned out that the wording of this message can confuse new
OpenSSL users and make them think that they are seeing an error
message. This commit makes the summary output start with a success
to prevent a misunderstanding. Also it gives more hints to new
OpenSSL users.
Reviewed-by: NRichard Levitte <levitte@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7499)

Commit 5b4cb385 (#7382) introduced a bug which had the effect
that RAND_add()/RAND_seed() failed for buffer sizes less than
32 bytes. The reason was that now the added random data was used
exlusively as entropy source for reseeding. When the random input
was too short or contained not enough entropy, the DRBG failed
without querying the available entropy sources.

This commit makes drbg_add() act smarter: it checks the entropy
requirements explicitely. If the random input fails this check,
it won't be added as entropy input, but only as additional data.
More precisely, the behaviour depends on whether an os entropy
source was configured (which is the default on most os):

- If an os entropy source is avaible then we declare the buffer
  content as additional data by setting randomness to zero and
  trigger a regular   reseeding.

- If no os entropy source is available, a reseeding will fail
  inevitably. So drbg_add() uses a trick to mix the buffer contents
  into the DRBG state without forcing a reseeding: it generates a
  dummy random byte, using the buffer content as additional data.

Related-to: #7449
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7456)

Increase the load buffer size such that it exceeds the chunk
size by a comfortable amount. This is done to avoid calling
RAND_add() with a small final chunk. Instead, such a small
final chunk will be added together with the previous chunk
(unless it's the only one).

Related-to: #7449
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7456)

The failure of RAND_load_file was only noticed because of the
heap corruption which was reported in #7499 and fixed in commit
5b4cb385. To prevent this in the future, RAND_load_file()
now explicitly checks RAND_status() and reports an error if it
fails.

Related-to: #7449
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7456)