Since source reformat, we ended up with some error reason string
definitions that spanned two lines.  That in itself is fine, but we
sometimes edited them to provide better strings than what could be
automatically determined from the reason macro, for example:

    {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER),
     "Peer haven't sent GOST certificate, required for selected ciphersuite"},

However, mkerr.pl didn't treat those two-line definitions right, and
they ended up being retranslated to whatever the macro name would
indicate, for example:

    {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER),
     "No gost certificate sent by peer"},

Clearly not what we wanted.  This change fixes this problem.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 2cfdfe09)

The update: target in engines/ didn't recurse into engines/ccgost.
The update: and depend: targets in engines/ccgost needed a fixup.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 8b822d25)

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 6f45032f)

Conflicts:
	apps/Makefile

We had updates of certain header files in both Makefile.org and the
Makefile in the directory the header file lived in.  This is error
prone and also sometimes generates slightly different results (usually
just a comment that differs) depending on which way the update was
done.

This removes the file update targets from the top level Makefile, adds
an update: target in all Makefiles and has it depend on the depend: or
local_depend: targets, whichever is appropriate, so we don't get a
double run through the whole file tree.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 0f539dc1)

Conflicts:
	Makefile.org
	apps/Makefile
	test/Makefile
	crypto/cmac/Makefile
	crypto/srp/Makefile

If BN_rand is called with |bits| set to 1 and |top| set to 1 then a 1 byte
buffer overflow can occur. There are no such instances within the OpenSSL at
the moment.

Thanks to Mateusz Kocielski (LogicalTrust), Marek Kroemeke, Filip Palian for
discovering and reporting this issue.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>

The functions BN_rshift and BN_lshift shift their arguments to the right or
left by a specified number of bits. Unpredicatable results (including
crashes) can occur if a negative number is supplied for the shift value.

Thanks to Mateusz Kocielski (LogicalTrust), Marek Kroemeke and Filip Palian
for discovering and reporting this issue.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 7cc18d81)

Conflicts:
	crypto/bn/bn.h
	crypto/bn/bn_err.c

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 00d565cf)

The big "don't check for NULL" cleanup requires backporting some
of the lowest-level functions to actually do nothing if NULL is
given.  This will make it easier to backport fixes to release
branches, where master assumes those lower-level functions are "safe"

This commit addresses those tickets: 3798 3799 3801.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit f34b095f)

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit bed2edf1)

Reported by Hanno Böck <hanno@hboeck.de>
PR#3800

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit c4137b5e)

Conflicts:
	crypto/asn1/asn1_gen.c

The function CRYPTO_strdup (aka OPENSSL_strdup) fails to check the return
value from CRYPTO_malloc to see if it is NULL before attempting to use it.
This patch adds a NULL check.

RT3786

Signed-off-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 37b0cf936744d9edb99b5dd82cae78a7eac6ad60)

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 20d21389c8b6f5b754573ffb6a4dc4f3986f2ca4)

Fix bug where i2c_ASN1_INTEGER mishandles zero if it is marked as
negative.

Thanks to Huzaifa Sidhpurwala <huzaifas@redhat.com> and
Hanno Böck <hanno@hboeck.de> for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit a0eed48d)

Reviewed-by: Matt Caswell <gitlab@openssl.org>

Reported by Hanno Böck <hanno@hboeck.de>

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 111b60be)

Conflicts:
	crypto/asn1/asn1_gen.c

If OpenSSL is configured with no-tlsext then ssl_get_prev_session can read
past the end of the ClientHello message if the session_id length in the
ClientHello is invalid. This should not cause any security issues since the
underlying buffer is 16k in size. It should never be possible to overrun by
that many bytes.

This is probably made redundant by the previous commit - but you can never be
too careful.

With thanks to Qinghao Tang for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 5e0a80c1)

Conflicts:
	ssl/ssl_sess.c

The ClientHello processing is insufficiently rigorous in its checks to make
sure that we don't read past the end of the message. This does not have
security implications due to the size of the underlying buffer - but still
needs to be fixed.

With thanks to Qinghao Tang for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit c9642eb1ff79a30e2c7632ef8267cc34cc2b0d79)

While *pval is usually a pointer in rare circumstances it can be a long
value. One some platforms (e.g. WIN64) where
sizeof(long) < sizeof(ASN1_VALUE *) this will write past the field.

*pval is initialised correctly in the rest of ASN1_item_ex_new so setting it
to NULL is unecessary anyway.

Thanks to Julien Kauffmann for reporting this issue.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit f617b496)

Conflicts:
	crypto/asn1/tasn_new.c

If a set of certificates is supplied to OCSP_basic_verify use those in
addition to any present in the OCSP response as untrusted CAs when
verifying a certificate chain.

PR#3668

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 4ca5efc2)

Reviewed-by: Richard Levitte <levitte@openssl.org>

Reviewed-by: Richard Levitte <levitte@openssl.org>

Reviewed-by: Richard Levitte <levitte@openssl.org>

Fix some unsigned/signed warnings introduced as part of the fix
for CVE-2015-0293

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>

Reported by the LibreSSL project as a follow on to CVE-2015-0209

Reviewed-by: Richard Levitte <levitte@openssl.org>

Update the NEWS file with the latest entries from CHANGES ready for the
release.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Update CHANGES fiel with all the latest fixes ready for the release.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Remove entries from CHANGES and NEWS from letter releases that occur *after*
the next point release. Without this we get duplicate entries for the same
issue appearing multiple times.

Reviewed-by: Richard Levitte <levitte@openssl.org>

This assert is reachable for servers that support SSLv2 and export ciphers.
Therefore, such servers can be DoSed by sending a specially crafted
SSLv2 CLIENT-MASTER-KEY.

Also fix s2_srvr.c to error out early if the key lengths are malformed.
These lengths are sent unencrypted, so this does not introduce an oracle.

CVE-2015-0293

This issue was discovered by Sean Burford (Google) and Emilia Käsper of
the OpenSSL development team.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>

In PKCS#7, the ASN.1 content component is optional.
This typically applies to inner content (detached signatures),
however we must also handle unexpected missing outer content
correctly.

This patch only addresses functions reachable from parsing,
decryption and verification, and functions otherwise associated
with reading potentially untrusted data.

Correcting all low-level API calls requires further work.

CVE-2015-0289

Thanks to Michal Zalewski (Google) for reporting this issue.

Reviewed-by: Steve Henson <steve@openssl.org>

Fix segmentation violation when ASN1_TYPE_cmp is passed a boolean type. This
can be triggered during certificate verification so could be a DoS attack
against a client or a server enabling client authentication.

CVE-2015-0286

Reviewed-by: Richard Levitte <levitte@openssl.org>

CVE-2015-0287

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>

When printing out an ASN.1 structure if the type is an item template don't
fall thru and attempt to interpret as a primitive type.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 5dc1247a)

Cleanse various intermediate buffers used by the PRF (backported version
from master).

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 35fafc4d)

Conflicts:
	ssl/s3_enc.c

Conflicts:
	ssl/t1_enc.c

Reviewed-by: Matt Caswell <matt@openssl.org>

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit d6ca1cee)

Conflicts:
	ssl/ssl_locl.h

Fix compiler warnings (similar to commit 25012d5e

)

Reviewed-by: Richard Levitte <levitte@openssl.org>

New function ASN1_STRING_clear_free which cleanses an ASN1_STRING
structure before freeing it.

Call ASN1_STRING_clear_free on PKCS#8 private key components.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit a8ae0891)

Conflicts:
	crypto/dh/dh_ameth.c

They are moved to the COMPLEMENTOFDEFAULT instead.
This also fixes SSLv2 to be part of COMPLEMENTOFDEFAULT.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit bc2e18a3)

Make the output from mkerr.pl consistent with the newly reformatted code.

Reviewed-by: Richard Levitte <levitte@openssl.org>

CVE-2015-0288
PR#3708

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 28a00bcd)