We can't unfortunately print the CMAC cipher used without extending the API.

PR#2579
(cherry picked from commit 79e31a2842e10271581cbfdaae0145dd4bd35107)

Add patch originally accidentally omitted to allow CMAC to work with
EVP_PKEY APIs.

IN parameter.

Under the old docs, the only thing stated was "at most
EVP_PKEY_size(pkey) bytes will be written". It was kind of misleading
since it appears EVP_PKEY_size(pkey) WILL be written regardless of the
signature's buffer size.

(cherry picked from commit 6e6ba36d)

PR#3272
(cherry picked from commit 370bf1d7)

PR#2531
(cherry picked from commit 44724bee)

PR#3173
(cherry picked from commit 76ed5a42)

If CSR verify fails in ca utility print out error messages.
Otherwise some errors give misleading output: for example
if the key size exceeds the library limit.

PR#2875
(cherry picked from commit a30bdb55)

(cherry picked from commit 7ae6a4b6)

Update protocols supported and note that SSLv2 is effectively disabled
by default.

PR#3184
(cherry picked from commit 1b13a4f38dfc385d5e776f6b3e06c5795874cf9b)

(cherry picked from commit a356e488)

Resolved conflicts:

	crypto/bn/asm/rsaz-avx2.pl

PR#3107
(cherry picked from commit 7c206db9)

Some state strings were erronously not compiled when no-ssl2
was set.

PR#3295
(cherry picked from commit 0518a3e1)

PR#3141
(cherry picked from commit d183545d)

(cherry picked from commit d1d4382d)

PR#3174
(cherry picked from commit fd331c0bb9b557903dd2ce88398570a3327b5ef0)

In EVP_PBE_alg_add don't use the underlying NID for the cipher
as it may have a non-standard key size.

PR#3206
(cherry picked from commit efb7caef637a1de8468ca109efd355a9d0e73a45)

(cherry picked from commit 7eb04882)

(cherry picked from commit ac171925)

(cherry picked from commit 406d4af0)

PR#3014
(cherry picked from commit 11da66f8)

PR#2783
(cherry picked from commit b36f35cd)

OIDs with one component don't have an encoding.

PR#2556 (Bug#1)
(cherry picked from commit 95791bf9)

PR#3374
(cherry picked from commit 0436369f)

Document that the certificate passed to SSL_CTX_add_extra_chain_cert()
should not be freed by the application.

PR#3409
(cherry picked from commit 0535c2d6)

PR#3403
(cherry picked from commit d2aea038)

(cherry picked from commit 7be6b27a)

PR#3410
(cherry picked from commit e14e764c0d5d469da63d0819c6ffc0e1e9e7f0bb)

This ensures high performance is situations when assembler supports
AVX2, but not AD*X.
(cherry picked from commit f3f620e1)

Resolved conflicts:

	crypto/bn/asm/rsaz-avx2.pl

(cherry picked from commit 7b8c8c4d)

(cherry picked from commit a48fb040)

(cherry picked from commit 29edebe9)

Just store NUL-terminated strings.  This works better when we add
support for multiple hostnames.
(cherry picked from commit b3012c69)

(cherry picked from commit d241b804)

This is to compensate for higher aes* instruction latency on Cortex-A57.
(cherry picked from commit 015364ba)

(cherry picked from commit 0f777aeb)

In the ssl_cipher_get_evp() function, fix off-by-one errors in index validation before accessing arrays.

Bug discovered and fixed by Miod Vallat from the OpenBSD team.

PR#3375

This reverts commit 3d860774.

Incorrect attribution.

properly built.