Add hooks to support key agreement recipient info type (KARI) using
algorithm specific code in the relevant public key ASN1 method.
(cherry picked from commit 17c2764d)

Add new tests to cms-test.pl covering PSS and OAEP.
(cherry picked from commit 32b18e03)

Add support for custom public key parameters in the cms utility using
the -keyopt switch. Works for -sign and also -encrypt if -recip is used.
(cherry picked from commit 02498cc8)

Document use of -keyopt to use RSA-PSS and RSA-OAEP modes.
(cherry picked from commit 4bf4a650)

Extend RSA ASN1 method to support CMS PSS signatures for both sign
and verify.

For signing the EVP_PKEY_CTX parameters are read and the appropriate
CMS structures set up.

For verification the CMS structures are analysed and the corresponding
parameters in the EVP_PKEY_CTX set.

Also add RSA-OAEP support.

For encrypt the EVP_PKEY_CTX parameters are used.

For decrypt the CMS structure is uses to set the appropriate EVP_PKEY_CTX
parameters.
(cherry picked from commit 0574cadf)

Also sync error codes with OpenSSL 1.0.1 and add new ones.

Add OAEP ctrls to retrieve MD and label. Return errors if
an attempt is made to set or retrieve OAEP parameters when
padding mode is not OAEP.
(cherry picked from commit 211a14f6)

Extend OAEP support. Generalise the OAEP padding functions to support
arbitrary digests. Extend EVP_PKEY RSA method to handle the new OAEP
padding functions and add ctrls to set the additional parameters.
(cherry picked from commit 271fef0e)

Conflicts:

	CHANGES

Add some RSA error codes used by the FIPS module.

(cherry picked from commit ff7b6ce9)

(cherry picked from commit e0f7cfda)

Add support for customisation of CMS handling of signed and enveloped
data from custom public key parameters.

This will provide support for RSA-PSS and RSA-OAEP but could also be
applied to other algorithms.
(cherry picked from commit e365352d)

(cherry picked from commit 81063953)

Add OIDs for KDF schemes from RFC5753 and add cross references for
each type and the appropriate digest to use.
(cherry picked from commit 6af440ce)

Conflicts:

	crypto/objects/obj_dat.h
	crypto/objects/obj_mac.num

(cherry picked from commit e423c360)

Conflicts:

	crypto/objects/obj_dat.h
	crypto/objects/obj_mac.num

Backport support for FIPS 186-2 DSA parameter generation from
HEAD. Redirect to FIPS in FIPS mode and workaround prototype error.

Add support for DH parameter generation using DSA methods including
FIPS 186-3.
(cherry picked from commit 39090878)

Make DHparams_dup work properly with X9.42 DH parameters.
(cherry picked from commit d3cc91ee)

(cherry picked from commit c9577ab5)

Conflicts:

	crypto/dh/dh_ameth.c

Add support for key wrap algorithms via EVP interface.

Generalise AES wrap algorithm and add to modes, making existing
AES wrap algorithm a special case.

Move test code to evptests.txt
(cherry picked from commit 97cf1f6c)

Conflicts:

	CHANGES

(cherry picked from commit c9a8e3d1)

(cherry picked from commit ca303d33)

(cherry picked from commit 282a480a)

Add code to support GCM an CCM modes in evp_test. On encrypt this
will compare the expected ciphertext and tag. On decrypt it will
compare the expected plaintext: tag comparison is done internally.

Add a simple CCM test case and convert all tests from crypto/modes/gcm128.c
(cherry picked from commit 15652f98)

(cherry picked from commit 95248de3)

(cherry picked from commit bc91494e)

(cherry picked from commit 415ece73)

Conflicts:
	ssl/ssl3.h
	ssl/t1_lib.c

Return an error if an attempt is made to enable the Dual EC DRBG: it
is not used by default.
(cherry picked from commit a4870de5)

Make DTLS behave like TLS when negotiating version: record layer has
DTLS 1.0, message version is 1.2.

Tolerate different version numbers if version hasn't been negotiated
yet.
(cherry picked from commit 40088d8b)

Add DTLS record header parsing, different client hello format and add
HelloVerifyRequest message type.

Add code to d1_pkt.c to send message headers to the message callback.
(cherry picked from commit 890f2f8b)

Conflicts:

	ssl/ssl_locl.h

Check for Suite B support using method flags instead of version numbers:
anything supporting TLS 1.2 cipher suites will also support Suite B.

Return an error if an attempt to use DTLS 1.0 is made in Suite B mode.
(cherry picked from commit 4544f0a6)

If we successfully match a cookie don't set return value to 2 as this
results in other error conditions returning 2 as well.

Instead set return value to -2 which can be checked later if everything
else is OK.
(cherry picked from commit c56f5b8e)

Add new methods DTLS_*_method() which support both DTLS 1.0 and DTLS 1.2 and
pick the highest version the peer supports during negotiation.

As with SSL/TLS options can change this behaviour specifically
SSL_OP_NO_DTLSv1 and SSL_OP_NO_DTLSv1_2.
(cherry picked from commit c6913eeb)

Conflicts:

	CHANGES

Port TLS 1.2 GCM code to DTLS. Enable use of TLS 1.2 only ciphers when in
DTLS 1.2 mode too.
(cherry picked from commit 4221c0dd)