The flag SSL_OP_MSIE_SSLV2_RSA_PADDING hasn't done anything since OpenSSL
0.9.7h but deleting it will break source compatibility with any software
that references it. Restore it but #define to zero.

Fix a limitation in SSL_CTX_use_certificate_chain_file(): use algorithm
specific chains instead of the shared chain.

Update docs.
(cherry picked from commit a4339ea3)

Conflicts:

	CHANGES

(cherry picked from commit e8b0dd57)

When sending an invalid version number alert don't change the
version number to the client version if a session is already
established.

Thanks to Marek Majkowski for additional analysis of this issue.

PR#3191
(cherry picked from commit b77b58a3)

PR: 3202
(cherry picked from commit 926725b3)

(cherry picked from commit 2218c296)

For DTLS we might need to retransmit messages from the previous session
so keep a copy of write context in DTLS retransmission buffers instead
of replacing it after sending CCS. CVE-2013-6450.
(cherry picked from commit 34628967)

(cherry picked from commit a6c62f0c)

(and ensure stack alignment in the process)
(cherry picked from commit fc0503a2)

It worked because it was never called.
(cherry picked from commit e9c80e04)

SHA512_Transform was initially added rather as tribute to tradition
than for practucal reasons. But use was recently found in ssl/s3_cbc.c
and it turned to be problematic on platforms that don't tolerate
misasligned references to memory and lack assembly subroutine.
(cherry picked from commit cdd1acd7)

Partial mitigation of PR#3200
(cherry picked from commit 0294b2be)

(cherry picked from commit 9b3d7570)

Conflicts:

	crypto/x509/x509_vpm.c

Move the IP, email and host checking fields from the public
X509_VERIFY_PARAM structure into an opaque X509_VERIFY_PARAM_ID
structure. By doing this the structure can be modified in future
without risk of breaking any applications.

For consistency with other cases if we are performing
partial chain verification with just one certificate
notify the callback with ok==1.

New functions to retrieve internal pointers to X509_VERIFY_PARAM
for SSL_CTX and SSL structures.

We need to lock when *not* in FIPS mode.

(cherry picked from commit d1671f4f)

Add MULX/AD*X code paths and optimize even original code path.

(cherry picked from commit 667053a2)

(cherry picked from commit 41965a84)

PR: 3176.

In FIPS mode ssleay_rand_bytes is only used for PRNG seeding and is
performed in either a single threaded context (when the PRNG is first
initialised) or under a lock (reseeding). To avoid multiple locks disable
use of CRYPTO_LOCK_RAND in FIPS mode in ssleay_rand_bytes.

PR: 3189
Submitted by: Oscar Ciurana
(cherry picked from commit c5d5f5bd)

(cherry picked from commit 8bd7ca99)

rsaz_exp.c: harmonize line terminating;
asm/rsaz-*.pl: minor optimizations.
asm/rsaz-x86_64.pl: sync from master.
(cherry picked from commit 31ed9a21)

(cherry picked from commit 6efef384)