(cherry picked from commit 014265eb)
(cherry picked from commit 7721c53e5e9fe4c90be420d7613559935a96a4fb)

This patch makes the decoding of SSLv3 and TLS CBC records constant
time. Without this, a timing side-channel can be used to build a padding
oracle and mount Vaudenay's attack.

This patch also disables the stitched AESNI+SHA mode pending a similar
fix to that code.

In order to be easy to backport, this change is implemented in ssl/,
rather than as a generic AEAD mode. In the future this should be changed
around so that HMAC isn't in ssl/, but crypto/ as FIPS expects.
(cherry picked from commit e130841b)

Conflicts:
	crypto/evp/c_allc.c
	ssl/ssl_algs.c
	ssl/ssl_locl.h
	ssl/t1_enc.c
(cherry picked from commit 3622239826698a0e534dcf0473204c724bb9b4b4)

Conflicts:
	ssl/d1_enc.c
	ssl/s3_enc.c
	ssl/s3_pkt.c
	ssl/ssl3.h
	ssl/ssl_algs.c
	ssl/t1_enc.c

This change adds CRYPTO_memcmp, which compares two vectors of bytes in
an amount of time that's independent of their contents. It also changes
several MAC compares in the code to use this over the standard memcmp,
which may leak information about the size of a matching prefix.
(cherry picked from commit 2ee79888)

Conflicts:
	crypto/crypto.h
	ssl/t1_lib.c
(cherry picked from commit dc406b59f3169fe191e58906df08dce97edb727c)

Conflicts:
	crypto/crypto.h
	ssl/d1_pkt.c
	ssl/s3_pkt.c

Add additional check to catch this in ASN1_item_verify too.

Reported by: Daniel Black <daniel.black@openquery.com>

Support renewing session tickets (backport from HEAD).

Submitted by: jean-etienne.schwartz@bull.net

In OCSP_basic_varify return an error if X509_STORE_CTX_init fails.

Submitted by: Dmitry Belyavsky <beldmit@gmail.com>

Fix DH double free if parameter generation fails.

Submitted by: "Florian Rüchel" <florian.ruechel@ruhr-uni-bochum.de>

Correctly handle local machine keys in the capi ENGINE.

PR: 2896

Submitted by: Adam Langley

Submitted by: Adam Langley

  debugging code that's seldom used.

Have the new names start in column 48, that makes it easy to see when
the 31 character limit is reached (on a 80 column display, do the math)

Reported by: Constantine Sapuntzakis <csapuntz@gmail.com>

Fix possible deadlock when decoding public keys.

to fix DoS attack.

Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
fuzzing as a service testing platform.
(CVE-2012-2333)

Make sure tkeylen is initialised properly when encrypting CMS messages.