The record layer was making decisions that should really be left to the
state machine around unexpected handshake messages that are received after
the initial handshake (i.e. renegotiation related messages). This commit
removes that code from the record layer and updates the state machine
accordingly. This simplifies the state machine and paves the way for
handling other messages post-handshake such as the NewSessionTicket in
TLSv1.3.
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

This flag is never set by anything so remove it.
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2167)

On error, i2o_SCT_signature() and i2o_SCT() free a pointer that may
have wandered off from the start of the allocated block (not currently
true for i2o_SCT_signature(), but has that potential as the code may
change.  To avoid this, save away the start of the allocated block and
free that instead.

Thanks to Guido Vranken for reporting this issue.
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2323)

Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2319)

Reviewed-by: NRich Salz <rsalz@openssl.org>
GH: #2318

Reviewed-by: NKurt Roeckx <kurt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2317)

Reviewed-by: NKurt Roeckx <kurt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2314)

Reviewed-by: NKurt Roeckx <kurt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2314)

X509_CRL_digest() didn't check if the precomputed sha1 hash was actually
present.  This also makes sure there's an appropriate flag to check.
Reviewed-by: NKurt Roeckx <kurt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2314)

The pointer that was freed in the SSLv2 section of ssl_bytes_to_cipher_list
may have stepped up from its allocated position.  Use a pointer that is
guaranteed to point at the start of the allocated block instead.
Reviewed-by: NKurt Roeckx <kurt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2312)

Reviewed-by: NStephen Henson <steve@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2299)

Add a client authentication signature algorithm to simple
ssl test and a server signature algorithm. Since we don't
do client auth this should have no effect. However if we
use client auth signature algorithms by mistake this will
abort the handshake with a no shared signature algorithms
error.
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2290)

Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2290)

Reviewed-by: NRichard Levitte <levitte@openssl.org>

CVE-2017-3732
Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NViktor Dukhovni <viktor@openssl.org>

When the client reads DH parameters from the TLS stream, we only
checked that they all are non-zero.  This change updates the check to
use DH_check_params()

DH_check_params() is a new function for light weight checking of the p
and g parameters:

    check that p is odd
    check that 1 < g < p - 1
Reviewed-by: NViktor Dukhovni <viktor@openssl.org>

Originally a crash in 32-bit build was reported CHACHA20-POLY1305
cipher. The crash is triggered by truncated packet and is result
of excessive hashing to the edge of accessible memory. Since hash
operation is read-only it is not considered to be exploitable
beyond a DoS condition. Other ciphers were hardened.

Thanks to Robert Święcki for report.

CVE-2017-3731
Reviewed-by: NRich Salz <rsalz@openssl.org>

Originally a crash in 32-bit build was reported CHACHA20-POLY1305
cipher. The crash is triggered by truncated packet and is result
of excessive hashing to the edge of accessible memory (or bogus
MAC value is produced if x86 MD5 assembly module is involved). Since
hash operation is read-only it is not considered to be exploitable
beyond a DoS condition.

Thanks to Robert Święcki for report.

CVE-2017-3731
Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2288)

In test/ssl_test, parsing ExpectedClientSignHash ended up in the
expected_server_sign_hash field.
Reviewed-by: NStephen Henson <steve@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2289)

Clashing function code values in evp.h
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2285)

This function is used to validate application supplied parameters. An
assert should be used to check for an error that is internal to OpenSSL.
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2275)

Don't use the temp variable donelen in the non-aad fragmented code path.
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2275)

When doing in place encryption the overlapping buffer check can fail
incorrectly where we have done a partial block "Update" operation. This
fixes things to take account of any pending partial blocks.
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2275)

The previous commit fixed a bug where a partial block had been passed to
an "Update" function and it wasn't properly handled. We should catch this
type of error in evp_test.
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2275)

If we have previously been passed a partial block in an "Update" call then
make sure we properly increment the output buffer when we use it.

Fixes #2273
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2275)

Lots of references to 16 replaced by AES_BLOCK_SIZE. Also a few other style
tweaks in that function
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2275)

After collecting extensions we must free them again.
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2284)

Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1618)

Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1618)

Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1618)

Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1618)

simplify some code.
Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1618)

Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1618)

Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1618)

Instead of looking for "200" and "established" (and failing all other
2xx responses or "Established"), let's look for a line that's not a
header (i.e. doesn't contain a ':') and where the first space is
followed by a '2'.
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1664)