The ongoing discussion about casting or not in PR #5626 had me compiling
again with above mentioned flags. Indeed the compiler had to say something
about it and I did these changes to silence it again.
Reviewed-by: NBernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5943)

Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5948)

Fixes #5849

In pull request #5503 a fallback was added which adds a random nonce of
security_strength/2 bits if no nonce callback is provided. This change raised
the entropy requirements form 256 to 384 bit, which can cause problems on some
platforms (e.g. VMS, see issue #5849).

The requirements for the nonce are given in section 8.6.7 of NIST SP 800-90Ar1:

  A nonce may be required in the construction of a seed during instantiation
  in order to provide a security cushion to block certain attacks.
  The nonce shall be either:

  a) A value with at least (security_strength/2) bits of entropy, or

  b) A value that is expected to repeat no more often than a
     (security_strength/2)-bit random string would be expected to repeat.

  Each nonce shall be unique to the cryptographic module in which instantiation
  is performed, but need not be secret. When used, the nonce shall be considered
  to be a critical security parameter.

This commit implements a nonce of type b) in order to lower the entropy
requirements during instantiation back to 256 bits.

The formulation "shall be unique to the cryptographic module" above implies
that the nonce needs to be unique among (with high probability) among all
DRBG instances in "space" and "time". We try to achieve this goal by creating a
nonce of the following form

    nonce = app-specific-data || high-resolution-utc-timestamp || counter

Where || denotes concatenation. The application specific data can be something
like the process or group id of the application. A utc timestamp is used because
it increases monotonically, provided the system time is synchronized. This approach
may not be perfect yet for a FIPS evaluation, but it should be good enough for the
moment.

This commit also harmonizes the implementation of the get_nonce() and the
get_additional_data() callbacks and moves the platform specific parts from
rand_lib.c into rand_unix.c, rand_win.c, and rand_vms.c.
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5920)

Address the concern that commit c53c2fec raised differently.

The original direction of the traffic is encoded in bit 0
of the flight number.
Reviewed-by: NAndy Polyakov <appro@openssl.org>
Reviewed-by: NRichard Levitte <levitte@openssl.org>
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5923)

There is a test to check that 'genrsa' doesn't accept absurdly low
number of bits.  Apart from that, this test is designed to check the
working functionality of 'openssl genrsa', so instead of having a hard
coded lower limit on the size key, let's figure out what it is.

Partially fixes #5751
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/5754)

(cherry picked from commit ec46830f8a4ce62c0c8ee7677b1eb8e53ee16df1)

The scrypt and RSA-PSS documents were a mixture of section 3 and
section 7 material.  With pre-1.1.1 OpenSSL, this is understandable,
since we had a different directory layout.  With 1.1.1, we've moved to
the typical man-page directory layout, and the documents need to be
updated accordingly.

Also, the scrypt document contained a description of
EVP_PKEY_CTX_set1_pbe_pass(), which is a generic function rather than
an scrypt specific function, and therefore should be documented
separately.

Fixes #5802
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5942)

Reviewed-by: NAndy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5925)

Historically we used to implement standalone base64 code for SRP. This
was replaced by commit 3d3f21aa with the standard base64 processing code.

However, the SRP base64 code was designed to be compatible with other SRP
libraries (notably libsrp, but also others) that use a variant of standard
base64. Specifically a different alphabet is used and no padding '='
characters are used. Instead 0 padding is added to the front of the string.
By changing to standard base64 we change the behaviour of the API which may
impact interoperability. It also means that SRP verifier files created prior
to 1.1.1 would not be readable in 1.1.1 and vice versa.

Instead we expand our standard base64 processing with the capability to be
able to read and generate the SRP base64 variant.
Reviewed-by: NAndy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5925)

Previously they were using EVP_EncodeBlock/EVP_DecodeBlock. These are low
level functions that do not handle padding characters. This was causing
the SRP code to fail. One side effect of using EVP_EncodeUpdate is that
it inserts newlines which is not what we need in SRP so we add a flag to
avoid that.
Reviewed-by: NAndy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5925)

The documentation erroneously stated that one can change the default
configuration file name.

Fixes #5939
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5941)

The failure is "impossible", because we have confirmation that s_server
listens, yet Mac OS X fails to connect. This avoids 10 minutes timeout
on Travis CI.
Reviewed-by: NBernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5907)

On rare occasion 's_server | perl -ne print' can complete before
corresponding waitpid, which on Windows can results in -1 return
value. This is not an error, don't treat it like one. Collect
even return value from s_server.
Reviewed-by: NBernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5907)

X509_get_default_cert_dir_env() returns the default environment
variable to check for certificate directories.
X509_get_default_cert_dir() returns the default configured certificate
directory.

Use these instead of hard coding our own values, and thereby be more
integrated with the rest of OpenSSL.
Reviewed-by: NAndy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5937)

Fixes #5902
Reviewed-by: NAndy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5937)

Purpose of build_all_generated is to execute all the rules that require
perl, so that one can copy the tree to system with compiler but without
perl. This commit removes last dependencies on perl.
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5929)

This is a minor update which hopefully makes these particular lines
read a little easier.
Reviewed-by: NMatthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5938)

Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5930)

Reviewed-by: NAndy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5930)

Computing the value of the GENERATED variable in the build file
templates is somewhat overcomplicated, and because of possible
duplication errors, changes are potentially error prone.

Looking more closely at how this list is determined, it can be
observed that the exact list of files to check is consistently
available in all the values found in the %unified_info tables
'depends', 'sources' and 'shared_sources', and all that's needed is to
filter those values so only those present as keys in the 'generate'
table are left.

This computation is also common for all build files, so due to its
apparent complexity, we move it to common0.tmpl, with the result left
in a global variable (@generated), to be consumed by all build file
templates.

common0.tmpl is included among the files to process when creating
build files, but unlike common.tmpl, it comes first of all.
Reviewed-by: NAndy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5930)

The EVP_MD_CTX_cleanup() function was merged into EVP_MD_CTX_reset()
which is called by EVP_MD_CTX_free().  Adjust the documentation to say
that the latter should be used to avoid leaking memory.

CLA: trivial
Reviewed-by: NAndy Polyakov <appro@openssl.org>
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5921)

Reviewed-by: NAndy Polyakov <appro@openssl.org>
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5774)

- added some explaining text to a sentence that lost its context.
- removed mention of per-ssl drbg
- fix whitespace errors
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5804)

For test recipes that want to use the directory of the data directory
or a subdirectory thereof, rather than just individual files.
Reviewed-by: NAndy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5928)

Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5918)

The warning reads "[cast] may cause misaligned access". Even though
this can be application-supplied pointer, misaligned access shouldn't
happen, because structure type is "encoded" into data itself, and
application would customarily pass correctly aligned pointer. But
there is no harm in resolving the warning...
Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5894)

Reviewed-by: NRich Salz <rsalz@openssl.org>

CLA: trivial
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5908)

Fixes #5778, #5840

The various IS_*() macros did not work correctly for 8-bit ASCII
characters with the high bit set, because the CVT(a) preprocessor
macro and'ed the given ASCII value with 0x7F, effectively folding
the high value range 128-255 over the low value range 0-127.
As a consequence, some of the IS_*() erroneously returned TRUE.

This commit fixes the issue by adding range checks instead of
cutting off high order bits using a mask. In order avoid multiple
evaluation of macro arguments, most of the implementation was moved
from macros into a static function is_keytype().

Thanks to Румен Петров for reporting and analyzing the UTF-8 parsing
issue #5840.
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5903)

Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5900)

Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5887)

Original logic was "if no records found *or* last one is truncated, then
leave complete records in queue." Trouble is that if we don't pass on
complete records and get complete packet in opposite direction, then
queued records will go back to sender. In other words complete records
should always be passed on. [Possible alternative would be to match
direction in reconstruct_record.]
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5887)

Even though removed calls were oiriginally added on Windows, problem
they tried to mitigate is not Windows-specific.
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5887)

Without TCP_NODELAY alerts risk to be dropped between shutdown and close.
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5887)

Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5887)

HP-UX provides sockets symbols with incompatible prototypes under same
name. This caused problems in 64-bit builds. Additional macros force
unambiguous symbols with unambiguous prototypes.
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5742)

hpux64-parisc2-gcc is chosen based on gcc's bitness, and it was overriden
unconditionally.
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5742)

HP-UX gmtime fails with ERANGE past 19011213204552Z, so skip some tests.
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5742)

Reviewed-by: NRichard Levitte <levitte@openssl.org>
Reviewed-by: NTim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5889)

add_attribute_object and add_DN_object have similar code, so move
it into a common function build_data.
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
Reviewed-by: NBen Kaduk <kaduk@mit.edu>
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4566)

Fixes #5873
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5880)