Windows 8 SDKs complain that GetVersion() is deprecated.

We only use GetVersion like this:

	(GetVersion() < 0x80000000)

which checks if the Windows version is NT based. Use a macro check_winnt()
which uses GetVersion() on older SDK versions and true otherwise.
(cherry picked from commit a4cc3c80)

(cherry picked from commit 19f65ddb)

Allegedly formwarding to NUL: sometimes creates NUL file in file
system.

PR: 3250
(cherry picked from commit 63aff300)

PR: 3251
Suggested by: Thorsten Schning
(cherry picked from commit 779c51c6)

when adding duplicates in add_cert_dir.

PR: 3261
Reported by: Marian Done
(cherry picked from commit 758954e0)

(cherry picked from commit d099f0ed)

When setting the current certificate check that it has a corresponding
private key.
(cherry picked from commit 358d352a)

New flags to build certificate chains. The can be used to rearrange
the chain so all an application needs to do is add all certificates
in arbitrary order and then build the chain to check and correct them.

Add verify error code when building chain.

Update docs.
(cherry picked from commit 13dc3ce9)

(cherry picked from commit daddd9a9)

(cherry picked from commit 214368ff)

Add the RFC6962 OIDs to the objects table.
(backport from master branch)

(cherry picked from commit 6ecbc2bb)

(cherry picked from commit f3a39032)

(cherry picked from commit 5a7652c3)

This can be used to speed up SRTP with libsrtp, e.g. on TI omap/sitara based devices.
(cherry picked from commit be2c4d9b)

If you use "-newkey rsa" it's supposed to read the default number of bits from the
config file.  However the value isn't used to generate the key, but it does
print it's generating such a key.  The set_keygen_ctx() doesn't call
EVP_PKEY_CTX_set_rsa_keygen_bits() and you end up with the default set in
pkey_rsa_init() (1024).  Afterwards the number of bits gets read from the config
file, but nothing is done with that anymore.

We now read the config first and use the value from the config file when no size
is given.

PR: 2592
(cherry picked from commit 33432203)

(cherry picked from commit e547c45f)

(cherry picked from commit 2b4ffc65)

apps/pkcs12.c accepts -password as an argument.  The document author
almost certainly meant to write "-password, -passin".

However, that is not correct, either.  Actually the code treats
-password as equivalent to -passin, EXCEPT when -export is also
specified, in which case -password as equivalent to -passout.
(cherry picked from commit 856c6dfb)

(cherry picked from commit 70113432)

(cherry picked from commit f4d45640)

Improve CBC decrypt and CTR by ~13/16%, which adds up to ~25/33%
improvement over "pre-Silvermont" version. [Add performance table to
aesni-x86.pl].
(cherry picked from commit 5599c733)

as issuer and subject names. Although this is an incompatible change
it should have little impact in pratice because self-issued certificates
that are not self-signed are rarely encountered.
(cherry picked from commit b1efb716)

When a chain is complete and ends in a trusted root checks are also
performed on the TA and the callback notified with ok==1. For
consistency do the same for chains where the TA is not self signed.
(cherry picked from commit 385b3486)