This reverts commit 7b18d1a5, which moved the
DEVRANDOM and DEVRANDOM_EGD defines into rand_unix.c. That change introduced
the regression that the compiler complains about missing declarations in
apps/version.c when OpenSSL is configured using `--with-rand-seed=devrandom`
(resp. `--with-rand-seed=egd`):

apps/version.c:173:42: error: 'DEVRANDOM' undeclared
             static const char *dev[] = { DEVRANDOM, NULL };
                                          ^~~~~~~~~

Fixes #10759
Reviewed-by: NTim Hudson <tjh@openssl.org>
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10764)

The HMAC_CTX structure stores the original key in case the ctx is reused
without changing the key.

However, HMAC_Init_ex() checks its parameters such that the only code path
where the stored key is ever used is in the case where HMAC_Init_ex is
called with a NULL key and an explicit md is provided which is the same as
the md that was provided previously. But in that case we can actually reuse
the pre-digested key that we calculated last time, so we can refactor the
code not to use the stored key at all.

With that refactor done it is no longer necessary to store the key in the
ctx at all. This means that long running ctx's will not keep the key in
memory for any longer than required. Note though that the digested key
*is* still kept in memory for the duration of the life of the ctx.

Fixes #10743
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10763)

ECDSA_do_verify() is a function that verifies a ECDSA signature given a hash and a public EC key. The function is supposed to return 1 on valid signature, 0 on invalid signature and -1 on error. Previously, we returned 0 if the key did not have a verify_sig method. This is actually an error case and not an invalid signature. Consequently, this patch updates the return code to -1.

Fixes #8766
Reviewed-by: NNicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NMatthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10693)

(cherry picked from commit 26583f6aa8dc28e3598e61db66e54e2fdf8b195f)

This came from f3fdfbf78c6b. run = 1 should be done in pkey_print_message
as well, otherwise other tests printed with pkey_print_message won't run.

Change-Id: I0ba0b05256ad6509ada4735b26d10f8a73fd89ec
Reviewed-by: NNicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: NBernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/10710)

(cherry picked from commit 6e49b514067a2b6a30d064d2ae1fdfd8050c184b)

This change addresses a potential side-channel vulnerability in
the internals of nistz256 low level operations for armv8.
Reviewed-by: NNicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NBernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9239)

(cherry picked from commit f5a659b6dfcc735a62c712dcca64d116d2289b97)

This is only used if configured with
./config -DECP_NISTZ256_REFERENCE_IMPLEMENTATION
Reviewed-by: NNicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9239)

(cherry picked from commit 7d4716648e8348dea862e198b9395478fae01907)

Reviewed-by: NNicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9239)

(cherry picked from commit e9fe87950db2e6169029b2ecf3ed09d64265bc9c)

Reviewed-by: NNicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9239)

(cherry picked from commit 3d139746ca72f0906c036d0a4a3e176c7b61ed1b)

Reviewed-by: NNicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9239)

(cherry picked from commit 0de3399b691f025153c8001045d5eeb0909dfd7a)

Cherry picked from
https://github.com/google/boringssl/commit/12d9ed670da3edd64ce8175cfe0e091982989c18Reviewed-by: NNicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NBernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9239)

(cherry picked from commit 2baea7c7e0896658b74956cac6084dd7e82e8c1b)

This commit addresses a potential side-channel vulnerability in the
internals of some elliptic curve low level operations.
The side-channel leakage appears to be tiny, so the severity of this
issue is rather low.

The issue was reported by David Schrammel and Samuel Weiser.
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NBernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9239)

(cherry picked from commit 3cb914c463ed1c9e32cfb773d816139a61b6ad5f)

The New Year has caused various files to appear out of date to "make
update". This causes Travis to fail. Therefore we update those files.
Reviewed-by: NMatthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10739)

Fix double + in hkdflabel declaration (FIXES #10675)
CLA: trivial
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NKurt Roeckx <kurt@roeckx.be>
Reviewed-by: NMatthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10700)

(cherry picked from commit 2de5a5fbdd14f514e962cccfe90482c37786c183)

The pyca-cryptography external test has been failing for a long time.
It looks like upstream needs to make some changes to adapt to 1.1.1.

Backported from #10689

[extended tests]
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10722)

Bring us up to date with upstream's 1.17.1 release.  Among other
things, it includes commit c2497d46b4bad473e164943d67b58cd1ae261c3a
which fixes several issues that affect running the test suite under
Travis CI.  Hopefully those will work transitively for us as well.

[extended tests]
Reviewed-by: NMatt Caswell <matt@openssl.org>

(cherry picked from commit 3e73f558af600ea068bb2132988c31ddb444e13e)
Reviewed-by: NRichard Levitte <levitte@openssl.org>
Reviewed-by: NMatthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10690)

The timer alarm sets run = 0, while the benchmark
does run = 1 in the initialization code.  That is
a race condition, if the timer goes off too early
the benchmark runs forever.
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10680)

(cherry picked from commit f3fdfbf78c6bfc97abf9c70b03859a28ebf6b66d)

Reviewed-by: NKurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/10679)

(cherry picked from commit b2a00f62209add348deb8283c588ddbd572dc216)

Reviewed-by: NKurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/10678)

(cherry picked from commit 048fa13e5ef4ccd730561f79a6c91f38365994d1)

Reviewed-by: NKurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/10677)

(cherry picked from commit 275a048ffc1585a731e39d7e8e3f53766e8f48d7)

Reviewed-by: NRichard Levitte <levitte@openssl.org>
Reviewed-by: NKurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/10676)

(cherry picked from commit 9d079f2744b9b624c6fe75f95fc0f766ef88ffcf)

We store a secondary frame pointer info for the debugger
in the red zone.  This fixes a crash in the unwinder when
this function is interrupted.

Additionally the missing cfi function annotation is added
to aesni_cbc_sha256_enc_shaext.

[extended tests]
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10674)

(cherry picked from commit 665de4d48aef2507022a7d74f5c7f6e339d5e6bc)

Reviewed-by: NKurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/10672)

(cherry picked from commit eff5076a78502d1ac04669e44127d4bd7c0a9ce7)

The new DH test in evp_extra_test.c broke the no-dh build so we add some
guards to fix it.
Reviewed-by: NBernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/10644)

(cherry picked from commit 501fcfb8cfc1aa114ffde437039c2dc2827554ae)

Reviewed-by: NKurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/10655)

(cherry picked from commit b0d3442efc10b635863b915c2d014345f6e5a219)

Reviewed-by: NKurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/10654)

(cherry picked from commit 95bbe6eff7aadc681e282ec957379b49d6f80ca8)

Reviewed-by: NKurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/10653)

(cherry picked from commit a5fe7825b970a6c937118a4f707f9ad367413794)

Reviewed-by: NKurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/10652)

(cherry picked from commit 013c2e8d1a272df444f47b8b54de1d51bc499887)

Reviewed-by: NKurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/10651)

(cherry picked from commit 0190c52ab8b4cdf5fe577b3d924576167c892a15)

Reviewed-by: NRichard Levitte <levitte@openssl.org>
Reviewed-by: NKurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/10642)

(cherry picked from commit 6b913be708f98b1d971586d38e608218ee6de6fa)

In OpenSSL pre 1.1.0, 'openssl x509 -keyform engine' was possible
and supported.  In 1.1.0, type of keyform argument is OPT_FMT_PEMDER
which doesn't support engine. This changes type of keyform argument
to OPT_FMT_PDE which means PEM, DER or engine and updates the manpage
including keyform and CAkeyform.

This restores the pre 1.1.0 behavior.

This issue is very similar than https://github.com/openssl/openssl/issues/4366

CLA: trivial
Reviewed-by: NDmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10609)

(cherry picked from commit 0ab6fc79a9a63370be1a615729dc2a6ed0d6c89b)

The computation of macros and configdata.pm related data from %disabled
was done much too early, leaving later disablings without real support.
Reviewed-by: NTim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10565)

It's reported that /dev/crypto support has been dropped in OpenBSD 5.7.

Fixes #10552
Reviewed-by: NTim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10565)

While stack unwinding works with gdb here, the
function _Unwind_Backtrace gives up when something outside
.cfi_startproc/.cfi_endproc is found in the call stack, like
OPENSSL_cleanse, OPENSSL_atomic_add, OPENSSL_rdtsc, CRYPTO_memcmp
and other trivial functions which don't save anything in the stack.
Reviewed-by: NRichard Levitte <levitte@openssl.org>
Reviewed-by: NKurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/10635)

(cherry picked from commit 8913378a552e470c66277c47b19699f20b84aa3b)

Fixes #10261
CLA: trivial
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10285)

(cherry picked from commit 1ac7e15375be39c8f03171c02658cf703f58217a)

Make a note of when this function was first introduced
Reviewed-by: NRichard Levitte <levitte@openssl.org>
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10568)

This is a missing accessor in order to obtain PSS parameters from an
RSA key, which should also be available in 1.1.1.
Reviewed-by: NRichard Levitte <levitte@openssl.org>
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10568)

Provide a test to check tat when we assign a DH object we know whether
we are dealing with PKCS#3 or X9.42 DH keys.
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10593)

(cherry picked from commit e295de1d8433ed07092845cb6c56aa424ff35c6d)

OpenSSL supports both PKCS#3 and X9.42 DH keys. By default we use PKCS#3
keys. The function `EVP_PKEY_set1_DH` was assuming that the supplied DH
key was a PKCS#3 key. It should detect what type of key it is and assign
the correct type as appropriate.

Fixes #10592
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10593)

(cherry picked from commit 32c869ffaba67822602ea9fec611272ff8e8db58)

CLA: trivial

Fixes #10273
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10578)

(cherry picked from commit 1aeec3dbc2d62f902698b1eba9ed31cbd436f9dc)

RAND_get_rand_method() can return a NULL method pointer in the case of a
malloc failure, so don't dereference it without a check.

Reported-by: Zu-Ming Jiang (detected by FIFUZZ)

Fixes #10480
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10490)