- Dec 17, 2014
-
-
Dr. Stephen Henson authored
According to X.690, null, object identifier, boolean, integer and enumerated types can only have primitive encodings: return an error if any of these are received with a constructed encoding.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
-
Emilia Kasper authored
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 03af8430)
-
Emilia Kasper authored
Causes more problems than it fixes: even though error codes are not part of the stable API, several users rely on the specific error code, and the change breaks them. Conversely, we don't have any concrete use-cases for constant-time behaviour here. This reverts commit 738911cd.
Reviewed-by: Andy Polyakov <appro@openssl.org>
-
Emilia Kasper authored
Various build fixes, mostly uncovered by clang's unused-const-variable and unused-function errors.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
-
Richard Levitte authored
Reviewed-by: Andy Polyakov <appro@openssl.org>
-
Richard Levitte authored
Reviewed-by: Andy Polyakov <appro@openssl.org>
-
Bodo Möller authored
master branch has a specific regression test for a bug in x86_64-mont5 code, see commit cdfe0fdd. This code is now in 1.0.2/1.0.1, so also backport the test.
Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Emilia Kasper authored
Invalid zero-padding in the divisor could cause a division by 0.
Reviewed-by: Richard Levitte <levitte@openssl.org>
-
- Dec 16, 2014
-
-
Matt Caswell authored
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit af6e2d51)
-
- Dec 15, 2014
-
-
Emilia Kasper authored
The temporary variable causes unused variable warnings in opt mode with clang, because the subsequent assert is compiled out.
Reviewed-by: Rich Salz <rsalz@openssl.org>
-
- Dec 05, 2014
-
-
Emilia Kasper authored
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
-
- Dec 03, 2014
-
-
Matt Caswell authored
used with no explanation. Some of this was introduced as part of RT#1929. The value 28 is the length of the IP header (20 bytes) plus the UDP header (8 bytes). However use of this constant is incorrect because there may be instances where a different value is needed, e.g. an IPv4 header is 20 bytes but an IPv6 header is 40. Similarly you may not be using UDP (e.g. SCTP). This commit introduces a new BIO_CTRL that provides the value to be used for this mtu "overhead". It will be used by subsequent commits.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 0d3ae34d)
-
- Nov 28, 2014
-
-
Richard Levitte authored
Reviewed-by: Matt Caswell <matt@openssl.org>
-
- Nov 20, 2014
-
-
Matt Caswell authored
ECDH_compute_key is silently ignored and the KDF is run on duff data.
Thanks to github user tomykaira for the suggested fix.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 8d02bebd)
-
- Nov 17, 2014
-
-
Jan Hykel authored
Don't attempt to access msg structure if recvmsg returns an error.
PR#3483
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 012aa9ec)
-
- Nov 13, 2014
-
-
Dr. Stephen Henson authored
If the hash or public key algorithm is "undef" the signature type will receive special handling and shouldn't be included in the cross reference table.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 55f7fb88)
-
- Nov 12, 2014
-
-
Michal Bozon authored
PR#3535
Reviewed-by: Stephen Henson <steve@openssl.org>
-
Matt Caswell authored
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit e04d426b)
-
- Nov 11, 2014
-
-
Kurt Roeckx authored
Reviewed-by: Richard Levitte <levitte@openssl.org>
-
- Nov 10, 2014
-
-
Russell Coker authored
This doesn't really fix the datarace but changes it so it can only happen once. This isn't really a problem since we always just set it to the same value. We now just stop writing it after the first time.
PR3584, https://bugs.debian.org/534534
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
-
- Oct 30, 2014
-
-
Andy Polyakov authored
PR: 3474
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 66962039)
-
- Oct 29, 2014
-
-
Andy Polyakov authored
Reviewed-by: Stephen Henson <steve@openssl.org>
(cherry picked from commit d45282fc)
-
- Oct 28, 2014
-
-
Samuel Neves authored
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
-
- Oct 17, 2014
-
-
Kurt Cancemi authored
Reviewed-by: Ben Laurie <ben@openssl.org>
(cherry picked from commit 87d388c9)
-
- Oct 15, 2014
-
-
Bodo Moeller authored
Reviewed-by: Tim Hudson <tjh@openssl.org>
-
Andy Polyakov authored
RT: 3553
Reviewed-by: Emilia Kasper <emilia@openssl.org>
(cherry picked from commit 69d5747f)
-
Bodo Moeller authored
Reviewed-by: Rich Salz <rsalz@openssl.org>
-
- Oct 06, 2014
-
-
Matt Caswell authored
Patch supplied by Matthieu Patou <mat@matws.net>, and modified to also remove duplicate definition of PKCS7_type_is_digest.
PR#3551
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit e0fdea3e)
-
- Sep 29, 2014
-
-
Dr. Stephen Henson authored
Reencode DigestInfo in DER and check against the original: this will reject any improperly encoded DigestInfo structures. Note: this is a precautionary measure, there is no known attack which can exploit this. Thanks to Brian Smith for reporting this issue.
Reviewed-by: Tim Hudson <tjh@openssl.org>
-
- Sep 25, 2014
-
-
Matt Caswell authored
Reviewed-by: Stephen Henson <steve@openssl.org>
-
Matt Caswell authored
Reviewed-by: Stephen Henson <steve@openssl.org>
-
Matt Caswell authored
Reviewed-by: Stephen Henson <steve@openssl.org>
-
Emilia Kasper authored
Accidentally omitted from commit 455b65df
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit fdc35a9d)
-
Tim Hudson authored
so the Win32 compile picks it up correctly.
Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Richard Levitte authored
The different -I compiler parameters will take care of the rest...
Reviewed-by: Tim Hudson <tjh@openssl.org>
-
- Sep 24, 2014
-
-
Andy Polyakov authored
RT: 3541
Reviewed-by: Emilia Kasper <emilia@openssl.org>
(cherry picked from commit 8b07c005)
-
Emilia Kasper authored
Do the final padding check in EVP_DecryptFinal_ex in constant time to avoid a timing leak from padding failure.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 4aac102f)
Conflicts: crypto/evp/evp_enc.c
-
Emilia Kasper authored
(Original commit adb46dbc)
Use the new constant-time methods consistently in s3_srvr.c
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 455b65df)
-
Emilia Kasper authored
Also tweak s3_cbc.c to use new constant-time methods. Also fix memory leaks from internal errors in RSA_padding_check_PKCS1_OAEP_mgf1. This patch is based on the original RT submission by Adam Langley <agl@chromium.org>, as well as code from BoringSSL and OpenSSL.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Conflicts: crypto/rsa/rsa_oaep.c crypto/rsa/rsa_pk1.c ssl/s3_cbc.c
-
- Sep 23, 2014
-
-
Emilia Kasper authored
i2d_re_X509_tbs re-encodes the TBS portion of the certificate.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit 95b1752c)
-