Remove old M_ASN1_ macros and replace any occurences with the corresponding
function.

Remove d2i_ASN1_bytes, d2i_ASN1_SET, i2d_ASN1_SET: no longer used internally.
Reviewed-by: NRich Salz <rsalz@openssl.org>

In cooperation with Ard Biesheuvel (Linaro) and Sami Tolvanen (Google).
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Using $t is an artifact from the earlier changes in Configure and was
unfortunately forgotten as is.
Reviewed-by: NStephen Henson <steve@openssl.org>

This tests the unwrap algorithm with an invalid key. The result should
be rejected without returning any plaintext.
Reviewed-by: NEmilia Käsper <emilia@openssl.org>

Reviewed-by: NEmilia Käsper <emilia@openssl.org>

crypto/modes/wrap128.c was heavily refactored to support AES Key Wrap
with Padding, and four bugs were introduced into CRYPTO_128_unwrap() at
that time:

- crypto_128_unwrap_raw()'s return value ('ret') is checked incorrectly,
  and the function immediately returns 'ret' in (almost) all cases.
  This makes the IV checking code later in the function unreachable, but
  callers think the IV check succeeded since CRYPTO_128_unwrap()'s
  return value is non-zero.

  FIX: Return 0 (error) if crypto_128_unwrap_raw() returned 0 (error).

- crypto_128_unwrap_raw() writes the IV to the 'got_iv' buffer, not to
  the first 8 bytes of the output buffer ('out') as the IV checking code
  expects.  This makes the IV check fail.

  FIX: Compare 'iv' to 'got_iv', not 'out'.

- The data written to the output buffer ('out') is "cleansed" if the IV
  check fails, but the code passes OPENSSL_cleanse() the input buffer
  length ('inlen') instead of the number of bytes that
  crypto_128_unwrap_raw() wrote to the output buffer ('ret').  This
  means that OPENSSL_cleanse() could potentially write past the end of
  'out'.

  FIX: Change 'inlen' to 'ret' in the OPENSSL_cleanse() call.

- CRYPTO_128_unwrap() is returning the length of the input buffer
  ('inlen') instead of the number of bytes written to the output buffer
  ('ret').  This could cause the caller to read past the end of 'out'.

  FIX: Return 'ret' instead of 'inlen' at the end of the function.

PR#3749
Reviewed-by: NStephen Henson <steve@openssl.org>
Reviewed-by: NEmilia Käsper <emilia@openssl.org>

Reviewed-by: NStephen Henson <steve@openssl.org>
Reviewed-by: NEmilia Käsper <emilia@openssl.org>

Updated test/testssl script to include the new DTLS capability in ssltest.
Reviewed-by: NEmilia Käsper <emilia@openssl.org>

Reviewed-by: NEmilia Käsper <emilia@openssl.org>

Reviewed-by: NEmilia Käsper <emilia@openssl.org>

Reviewed-by: NStephen Henson <steve@openssl.org>

Reported by the LibreSSL project as a follow on to CVE-2015-0209
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Resync NEWS with the latest version from 1.0.2
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Resync CHANGES with the latest version from 1.0.2.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

In PKCS#7, the ASN.1 content component is optional.
This typically applies to inner content (detached signatures),
however we must also handle unexpected missing outer content
correctly.

This patch only addresses functions reachable from parsing,
decryption and verification, and functions otherwise associated
with reading potentially untrusted data.

Correcting all low-level API calls requires further work.

CVE-2015-0289

Thanks to Michal Zalewski (Google) for reporting this issue.
Reviewed-by: NSteve Henson <steve@openssl.org>

Fix segmentation violation when ASN1_TYPE_cmp is passed a boolean type. This
can be triggered during certificate verification so could be a DoS attack
against a client or a server enabling client authentication.

CVE-2015-0286
Reviewed-by: NRichard Levitte <levitte@openssl.org>

If client auth is used then a server can seg fault in the event of a DHE
cipher being used and a zero length ClientKeyExchange message being sent
by the client. This could be exploited in a DoS attack.

CVE-2015-1787
Reviewed-by: NRichard Levitte <levitte@openssl.org>

If a client renegotiates using an invalid signature algorithms extension
it will crash a server with a NULL pointer dereference.

Thanks to David Ramos of Stanford University for reporting this bug.

CVE-2015-0291
Reviewed-by: NTim Hudson <tjh@openssl.org>

Fix a bug where invalid PSS parameters are not rejected resulting in a
NULL pointer exception. This can be triggered during certificate
verification so could be a DoS attack against a client or a server
enabling client authentication.

Thanks to Brian Carpenter for reporting this issues.

CVE-2015-0208
Reviewed-by: NTim Hudson <tjh@openssl.org>

CVE-2015-0287
Reviewed-by: NTim Hudson <tjh@openssl.org>
Reviewed-by: NEmilia Käsper <emilia@openssl.org>

The DTLSv1_listen function is intended to be stateless and processes
the initial ClientHello from many peers. It is common for user code to
loop over the call to DTLSv1_listen until a valid ClientHello is received
with an associated cookie. A defect in the implementation of DTLSv1_listen
means that state is preserved in the SSL object from one invokation to the
next that can lead to a segmentation fault. Erorrs processing the initial
ClientHello can trigger this scenario. An example of such an error could
be that a DTLS1.0 only client is attempting to connect to a DTLS1.2 only
server.

CVE-2015-0207
Reviewed-by: NRichard Levitte <levitte@openssl.org>

OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This
feature only applies on 64 bit x86 architecture platforms that support AES
NI instructions. A defect in the implementation of "multiblock" can cause
OpenSSL's internal write buffer to become incorrectly set to NULL when
using non-blocking IO. Typically, when the user application is using a
socket BIO for writing, this will only result in a failed connection.
However if some other BIO is used then it is likely that a segmentation
fault will be triggered, thus enabling a potential DoS attack.

CVE-2015-0290
Reviewed-by: NRichard Levitte <levitte@openssl.org>
Reviewed-by: NAndy Polyakov <appro@openssl.org>

Reviewed-by: NRichard Levitte <levitte@openssl.org>

./config would translate -d into having the target get a 'debug-'
prefix, and then run './Configure LIST' to find out if such a
debugging target exists or not.

With the recent changes, the separate 'debug-foo' targets are
disappearing, and we're giving the normal targets debugging
capabilities instead.  Unfortunately, './config' wasn't changed to
match this new behavior.

This change introduces the arguments '--debug' and '--release' - the
latter just for orthogonality - to ./Configure, and ./config now
treats -d by adding '--debug' to the options for ./Configure.
Reviewed-by: NMatt Caswell <matt@openssl.org>

Some miscellaneous removal of dead code from apps. Also fix an issue with
error handling with pkcs7.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Some miscellaneous removal of dead code from lib crypto.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

In the probable_prime() function we behave slightly different if the number
of bits we are interested in is <= BN_BITS2 (the num of bits in a BN_ULONG).
As part of the calculation we work out a size_limit as follows:

    size_limit = (((BN_ULONG)1) << bits) - BN_get_word(rnd) - 1;

There is a problem though if bits == BN_BITS2. Shifting by that much causes
undefined behaviour. I did some tests. On my system BN_BITS2 == 64. So I
set bits to 64 and calculated the result of:

    (((BN_ULONG)1) << bits)

I was expecting to get the result 0. I actually got 1! Strangely this...

    (((BN_ULONG)0) << BN_BITS2)

...does equal 0! This means that, on my system at least, size_limit will be
off by 1 when bits == BN_BITS2.

This commit fixes the behaviour so that we always get consistent results.
Reviewed-by: NAndy Polyakov <appro@openssl.org>

The function CRYPTO_128_unwrap_pad uses an 8 byte AIV (Alternative Initial
Value). The least significant 4 bytes of this is placed into the local
variable |ptext_len|. This is done as follows:

    ptext_len = (aiv[4] << 24) | (aiv[5] << 16) | (aiv[6] << 8) | aiv[7];

aiv[4] is an unsigned char, but (aiv[4] << 24) is promoted to a *signed*
int - therefore we could end up shifting into the sign bit and end up with
a negative value. |ptext_len| is a size_t (typically 64-bits). If the
result of the shifts is negative then the upper bits of |ptext_len| will
all be 1.

This commit fixes the issue by explicitly casting to an unsigned int.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Passing a negative value for the "-time" option to s_time results in a seg
fault. This commit fixes it so that time has to be greater than 0.
Reviewed-by: NAndy Polyakov <appro@openssl.org>

The function tls1_PRF counts the number of digests in use and partitions
security evenly between them. There always needs to be at least one digest
in use, otherwise this is an internal error. Add a sanity check for this.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

The function sk_zero is supposed to zero the elements held within a stack.
It uses memset to do this. However it calculates the size of each element
as being sizeof(char **) instead of sizeof(char *). This probably doesn't
make much practical difference in most cases, but isn't a portable
assumption.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Move memory allocation failure checks closer to the site of the malloc in
dgst app. Only a problem if the debug flag is set...but still should be
fixed.
Reviewed-by: NTim Hudson <tjh@openssl.org>

Add some missing checks for memory allocation failures in ca app.
Reviewed-by: NTim Hudson <tjh@openssl.org>

TABLE was always a debugging tool, and permitted everyone to see the
effect of changes in the string-format configs.  The hash-format
configs being much more readable, distributing TABLE becomes much less
necessary.

Being able to produce a TABLE is kept, however, as it still is a
useful debugging tool for configs, what with multi-level inheritance
and all.
Reviewed-by: NAndy Polyakov <appro@openssl.org>

Move obviously personal configurations to personal files.

Note: those files should really not be in the main repo at all
Reviewed-by: NAndy Polyakov <appro@openssl.org>

Reviewed-by: NAndy Polyakov <appro@openssl.org>

Reviewed-by: NAndy Polyakov <appro@openssl.org>

As part of this, remove some levitte examples that never were relevant.
Reviewed-by: NAndy Polyakov <appro@openssl.org>

Because base templates express inheritance of values, the attribute is
renamed to 'inherit_from', and texts about this talk about 'inheritance(s)'
rather than base templates.

As they were previously implemented, base templates that were listed
together would override one another, the first one acting as defaults for
the next and so on.

However, it was pointed out that a strength of inheritance would be to
base configurations on several templates - for example one for CPU, one
for operating system and one for compiler - and that requires a different
way of combining those templates.  With this change, inherited values
from several inheritances are concatenated by default (keep on reading).

Also, in-string templates with the double-curly syntax are removed,
replaced with the possibility to have a configuration value be a coderef
(i.e. a 'sub { /* your code goes here */ }') that gets the list of values
from all inheritances as the list @_.  The result of executing such a
coderef on a list of values is assumed to become a string.  ANY OTHER
FORM OF VALUE WILL CURRENTLY BREAK.

As a matter of fact, an attribute in the current config with no value is
assumed to have this coderef as value:

    sub { join(' ', @_) }

While we're at it, rename debug-[cl]flags to debug_[cl]flags and
nodebug-[cl]flags to release_[cl]flags.
Reviewed-by: NAndy Polyakov <appro@openssl.org>

Reviewed-by: NAndy Polyakov <appro@openssl.org>