Previously, a truncated DTLS fragment in
|dtls1_process_out_of_seq_message| would cause *ok to be cleared, but
the return value would still be the number of bytes read. This would
cause |dtls1_get_message| not to consider it an error and it would
continue processing as normal until the calling function noticed that
*ok was zero.

I can't see an exploit here because |dtls1_get_message| uses
|s->init_num| as the length, which will always be zero from what I can
see.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>

The |pqueue_insert| function can fail if one attempts to insert a
duplicate sequence number. When handling a fragment of an out of
sequence message, |dtls1_process_out_of_seq_message| would not call
|dtls1_reassemble_fragment| if the fragment's length was zero. It would
then allocate a fresh fragment and attempt to insert it, but ignore the
return value, leaking the fragment.

This allows an attacker to exhaust the memory of a DTLS peer.

Fixes CVE-2014-3507

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>

In |dtls1_reassemble_fragment|, the value of
|msg_hdr->frag_off+frag_len| was being checked against the maximum
handshake message size, but then |msg_len| bytes were allocated for the
fragment buffer. This means that so long as the fragment was within the
allowed size, the pending handshake message could consume 16MB + 2MB
(for the reassembly bitmap). Approx 10 outstanding handshake messages
are allowed, meaning that an attacker could consume ~180MB per DTLS
connection.

In the non-fragmented path (in |dtls1_process_out_of_seq_message|), no
check was applied.

Fixes CVE-2014-3506

Wholly based on patch by Adam Langley with one minor amendment.

Reviewed-by: Emilia Käsper <emilia@openssl.org>

Reviewed-by: Emilia Käsper <emilia@openssl.org>

The |item| variable, in both of these cases, may contain a pointer to a
|pitem| structure within |s->d1->buffered_messages|. It was being freed
in the error case while still being in |buffered_messages|. When the
error later caused the |SSL*| to be destroyed, the item would be double
freed.

Thanks to Wah-Teh Chang for spotting that the fix in 1632ef74

 was
inconsistent with the other error paths (but correct).

Fixes CVE-2014-3505

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>

(If a change is already present in 1.0.1f or 1.0.1h,
don't list it again under changes between 1.0.1h and 1.0.2.)

(which didn't always handle value 0 correctly).

Reviewed-by:  <emilia@openssl.org>

Don't call internal functions directly call them through
SSL_test_functions(). This also makes unit testing work on
Windows and platforms that don't export internal functions
from shared libraries.

By default unit testing is not enabled: it requires the compile
time option "enable-unit-test".
Reviewed-by: Geoff Thorpe <geoff@openssl.org>

The call to setenv in gost2814789t.c is not portable and may
not reflect the location of the GOST ENGINE on all platforms anyway.
Instead set OPENSSL_ENGINES in test/Makefile
Reviewed-by: Geoff Thorpe <geoff@openssl.org>

This has been unmaintained for a long time. If it's still of interest
to anyone, it can be obtained easily enough by reverting this commit.
(It could join other demo code in some other repository, perhaps.) In
any case we don't want it taking up space in the baseline source
package, so <snip>.

Signed-off-by: Geoff Thorpe <geoff@openssl.org>

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

PR#2569

Reviewed-by: Rich Salz <rsalz@openssl.org>

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

and improve performance by 10% on POWER[78].

Reviewed-by: Kurt Roeckx <kurt@openssl.org>

statement of opinion rather than a fact.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

Reviewed-by: Tim Hudson <tjh@openssl.org>

[and split ppccap.c to ppccap.c and ppc_arch.h]

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>

Reviewed-by: Tim Hudson <tjh@openssl.org>

Add cmac.h to mkdef.pl
Remove ENGINE_load_rsax from engine.h: no longer built.
Update ordinals
Reviewed-by: Tim Hudson <tjh@openssl.org>

PR#1675
Reviewed-by: Matt Caswell <matt@openssl.org>

Reviewed-by: Tim Hudson <tjh@openssl.org>

ssl/ssl_locl.h now comes first to ensure that it will compile standalone.
test/testutil.h is considered to be in the same directory as the test file,
since the test file will be linked into test/ and built there.

Reviewed-by: Tim Hudson <tjh@openssl.org>

Reviewed-by: Tim Hudson <tjh@openssl.org>

These help standardize the structure of main() and result reporting.

Reviewed-by: Tim Hudson <tjh@openssl.org>

Add support for RFC5649 key wrapping with padding.

Add RFC5649 tests to evptests.txt

Based on PR#3434 contribution by Petr Spacek <pspacek@redhat.com>.

EVP support and minor changes added by Stephen Henson.

Doxygen comment block updates by Tim Hudson.

Reviewed-by: Tim Hudson <tjh@openssl.org>

Reviewed-by: Tim Hudson <tjh@openssl.org>

Reviewed-by: Tim Hudson <tjh@openssl.org>

PR#3456
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>

PR#3442

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

This reverts commit 927f2e5d.

This reverts commit 14aaf883.

Reviewed-by: Tim Hudson <tjh@openssl.org>

PR#3452

Use same logic when determining when to expect a client
certificate for both TLS and DTLS.

PR#3452

The options which emulate a web server don't make sense when doing DTLS.
Exit with an error if an attempt is made to use them.

PR#3453