Don't clear verification errors from the error queue unless
SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR is set.

If errors occur during verification and SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR
is set return 2 so applications can issue warnings.

Some CMS SignedData structure use a signature algorithm OID such
as SHA1WithRSA instead of the RSA algorithm OID. Workaround this
case by tolerating the signature if we recognise the OID.
(cherry picked from commit 3a98f9cf)

(cherry picked from commit f04665a6)

Use a previously unused value as we will be updating multiple released
branches.
(cherry picked from commit 0737acd2)

Fix for the attack described in the paper "Recovering OpenSSL
ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
by Yuval Yarom and Naomi Benger. Details can be obtained from:
http://eprint.iacr.org/2014/140

Thanks to Yuval Yarom and Naomi Benger for discovering this
flaw and to Yuval Yarom for supplying a fix.
(cherry picked from commit 2198be34)

Conflicts:

	CHANGES

(cherry picked from commit a029788b)

(cherry picked from commit 7a3e67f029969620966b8a627b8485d83692cca5)

PR: 3275
(cherry picked from commit ea38f020)

The problem is that OpenSSH calls EVP_Cipher, which is not as
protective as EVP_CipherUpdate. Formally speaking we ought to
do more checks in *_cipher methods, including rejecting
lengths not divisible by block size (unless ciphertext stealing
is in place). But for now I implement check for zero length in
low-level based on precedent.

PR: 3087, 2775
(cherry picked from commit 5e44c144)

(cherry picked from commit 53e51612)

Submitted by: Roumen Petrov

Submitted by: Roumen Petrov
(cherry picked from commit 972b0dc3)

Add a few special case digests not returned by FIPS_get_digestbynid().

Thanks to Roumen Petrov <openssl@roumenpetrov.info> for reporting this
issue.

Although the memory allocated by compression methods is fixed and
cannot grow over time it can cause warnings in some leak checking
tools. The function SSL_COMP_free_compression_methods() will free
and zero the list of supported compression methods. This should
*only* be called in a single threaded context when an application
is shutting down to avoid interfering with existing contexts
attempting to look up compression methods.

Add option to set an alternative to the default hmacWithSHA1 PRF
for PKCS#8 private key encryptions. This is used automatically
by PKCS8_encrypt if the nid specified is a PRF.

Add option to pkcs8 utility.

Update docs.

PR: 3271
(cherry picked from commit 65370f9b)

Don't set the fips flags in cipher and digests as the implementations
aren't suitable for FIPS mode and will be redirected to the FIPS module
versions anyway.

Return EVP_CIPH_FLAG_FIPS or EVP_MD_FLAG_FIPS if a FIPS implementation
exists when calling EVP_CIPHER_flags and EVP_MD_flags repectively.

Remove unused FIPS code from e_aes.c: the 1.0.2 branch will never be
used to build a FIPS module.

The file evp_fips.c isn't used in OpenSSL 1.0.2 as FIPS and non-FIPS
implementations of algorithms can coexist.

(cherry picked from commit 4ca02656)

(cherry picked from commit b62a4a1c)

(cherry picked from commit ce876d83)

(cherry picked from commit f861b1d4)

(cherry picked from commit fd361a67)

[but don't let it mask make's].

PR: 3269

PR: 3165

(cherry picked from commit ffcc832ba6e17859d45779eea87e38467561dd5d)

(cherry picked from commit d49135e7)

(cherry picked from commit 147cca8f)

(cherry picked from commit 7bb9d84e)

PR: 3201
(cherry picked from commit 03da57fe)