During a DTLS handshake we may get records destined for the next epoch
arrive before we have processed the CCS. In that case we can't decrypt or
verify the record yet, so we buffer it for later use. When we do receive
the CCS we work through the queue of unprocessed records and process them.

Unfortunately the act of processing wipes out any existing packet data
that we were still working through. This includes any records from the new
epoch that were in the same packet as the CCS. We should only process the
buffered records if we've not got any data left.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Add a test to inject a record from the next epoch during the handshake and
make sure it doesn't get processed immediately.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Enables the testing of DTLS code in 1.0.2

Reviewed-by: Richard Levitte <levitte@openssl.org>

- make the VMS version of RAND_poll() faster and more secure
- avoid pointer size warnings with setvbuf()

Reviewed-by: Rich Salz <rsalz@openssl.org>

Reviewed-by: Rich Salz <rsalz@openssl.org>

Reviewed-by: Rich Salz <rsalz@openssl.org>

Reviewed-by: Rich Salz <rsalz@openssl.org>

Reviewed-by: Rich Salz <rsalz@openssl.org>

Reviewed-by: Rich Salz <rsalz@openssl.org>

Apply a limit to the maximum blob length which can be read in do_d2i_bio()
to avoid excessive allocation.

Thanks to Shi Lei for reporting this.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 66bcba14)

If an oversize BIGNUM is presented to BN_bn2dec() it can cause
BN_div_word() to fail and not reduce the value of 't' resulting
in OOB writes to the bn_data buffer and eventually crashing.

Fix by checking return value of BN_div_word() and checking writes
don't overflow buffer.

Thanks to Shi Lei for reporting this bug.

CVE-2016-2182

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 07bed46f)

Conflicts:
	crypto/bn/bn_print.c

Check for error return in BN_div_word().

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 8b9afbc0)

RT#4530

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 7123aa81)

Thanks to Hanno Böck for reporting this bug.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 39a43280)

Conflicts:
	crypto/pkcs12/p12_utl.c

Fix error path leaks in a2i_ASN1_STRING(), a2i_ASN1_INTEGER() and
a2i_ASN1_ENUMERATED().

Thanks to Shi Lei for reporting these issues.

Reviewed-by: Rich Salz <rsalz@openssl.org>

GH: #1322
(cherry picked from commit 5e3553c2

)

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>

Thanks to Shi Lei for reporting this bug.

Reviewed-by: Rich Salz <rsalz@openssl.org>

Thanks to Shi Lei for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>

Thanks to Shi Lei for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 20fc103f)

Conflicts:
	include/openssl/ts.h

Because proxy certificates typically come without any CRL information,
trying to check revocation on them will fail.  Better not to try
checking such information for them at all.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 790555d6)

Use correct length in old ASN.1 indefinite length sequence decoder
(only used by SSL_SESSION).

This bug was discovered by Hanno Böck using libfuzzer.

Reviewed-by: Rich Salz <rsalz@openssl.org>

Reviewed-by: Rich Salz <rsalz@openssl.org>

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit e9f17097)

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 56f9953c)

Thanks to David Benjamin <davidben@google.com> for reporting this bug.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit e032117d)

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 976ef6ad)

Conflicts:
	crypto/evp/bio_enc.c

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit ee6ce5cc)

Conflicts:
	crypto/evp/bio_enc.c

If two CRLs are equivalent then use the one with a later lastUpdate field:
this will result in the newest CRL available being used.

RT#4615

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 626aa248)

RT#4511

Reviewed-by: Matt Caswell <matt@openssl.org>

TS_OBJ_print_bio() misuses OBJ_txt2obj: it should print the result
as a null terminated buffer. The length value returned is the total
length the complete text reprsentation would need not the amount of
data written.

CVE-2016-2180

Thanks to Shi Lei for reporting this bug.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 0ed26acc)

RT#4603

Reviewed-by: Rich Salz <rsalz@openssl.org>

There are two failure cases for OCSP_request_add_id():
1. OCSP_ONEREQ_new() failure, where |cid| is not freed
2. sk_OCSP_ONEREQ_push() failure, where |cid| is freed

This changes makes the error behavior consistent, such that |cid| is
not freed when sk_OCSP_ONEREQ_push() fails. OpenSSL only takes
ownership of |cid| when the function succeeds.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1289)
(cherry picked from commit 415e7c48)

RT#4600

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 52eede5a)

Conflicts:
	ssl/s3_lib.c

RT#4610

Reviewed-by: Rich Salz <rsalz@openssl.org>

Extended alg_print() in pkcs12 utility to support PBES2 algorithms.

RT#4588

Reviewed-by: Rich Salz <rsalz@openssl.org>

If underlying type is boolean don't check field is NULL.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit ad72d9fd)

The ASN.1 BIGNUM type needs to be handled in a custom way as it is
not a generic ASN1_STRING type.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 3cea73a7)

Conflicts:
	crypto/asn1/x_bignum.c

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 28e90f69)

RT#4611

Reviewed-by: Stephen Henson <steve@openssl.org>
(cherry picked from commit b8a7bd83)