PR: 2808

With DTLS/SCTP the SCTP extension SCTP-AUTH is used to protect DATA and
FORWARD-TSN chunks. The key for this extension is derived from the
master secret and changed with the next ChangeCipherSpec, whenever a new
key has been negotiated. The following Finished then already uses the
new key.  Unfortunately, the ChangeCipherSpec and Finished are part of
the same flight as the ClientKeyExchange, which is necessary for the
computation of the new secret. Hence, these messages are sent
immediately following each other, leaving the server very little time to
compute the new secret and pass it to SCTP before the finished arrives.
So the Finished is likely to be discarded by SCTP and a retransmission
becomes necessary. To prevent this issue, the Finished of the client is
still sent with the old key.

Instead, send random bytes, unless SSL_SEND_{CLIENT,SERVER}RANDOM_MODE
is set.

This is a forward-port of commits:
  4af79303
  f4c93b46
  3da721da
  25832701

While the gmt_unix_time record was added in an ostensible attempt to
mitigate the dangers of a bad RNG, its presence leaks the host's view
of the current time in the clear.  This minor leak can help
fingerprint TLS instances across networks and protocols... and what's
worse, it's doubtful thet the gmt_unix_time record does any good at
all for its intended purpose, since:

    * It's quite possible to open two TLS connections in one second.

    * If the PRNG output is prone to repeat itself, ephemeral
      handshakes (and who knows what else besides) are broken.

Removing RSA+MD5 from the default signature algorithm list
prevents its use by default.

If a broken implementation attempts to use RSA+MD5 anyway the sanity
checking of signature algorithms will cause a fatal alert.
(cherry picked from commit 77a0f740d00ecf8f6b01c0685a2f858c3f65a3dd)

Suggested by: Anton Blanchard
(cherry picked from commit 76c15d79)

(cherry picked from commit 6699cb84)

(cherry picked from commit f6983769c1bcd6c3c6b6bbfbbc41848f6dccf127)

(cherry picked from commit 8ba2d4ed7f128e400693562efd35985068c45e4d)

(cherry picked from commit 695e8c36528f9c3275f5f56e9633ac6a0c11f2e3)

Includes multiple updates: AES module to comply with more ABI
flavors, SHA512 for PPC32, .size directives.

PR: 3110
Submitted by Corinna Vinschen.
(cherry picked from commit b3ef742c)

(cherry picked from commit 039081b8)

Latest MIPS ISA specification declared 'branch likely' instructions
obsolete. To makes code future-proof replace them with equivalent.
(cherry picked from commit 0c2adb0a)

Performance improvement and Windows-specific bugfix (PR#3139).

(cherry picked from commit fa104be3)

Submitted by: Yuriy Kaminskiy
(cherry picked from commit 524b00c0)

PR: 3130
(cherry picked from commit 6b2cae0c)

Submitted by: Yuriy Kaminskiy
(cherry picked from commit 524b00c0)

PR: 3130
(cherry picked from commit 6b2cae0c)

Add tests for AEAD functions: AES-128-GCM, AES-256-GCM and
ChaCha20+Poly1305.

Add support for Chacha20 + Poly1305.

Switches AES-GCM ciphersuites to use AEAD interfaces.

This change allows AEADs to be used in ssl/ to implement SSL/TLS
ciphersuites.

This change adds an AEAD interface to EVP and an AES-GCM implementation
suitable for use in TLS.

The previous version of the function made adding AEAD changes very
difficult. This change should be a semantic no-op - it should be purely
a cleanup.

(cherry picked from commit dfcb42c6)

(cherry picked from commit d5605699)

(cherry picked from commit b85f8afe)

(cherry picked from commit bbc098ff)