The flags RSA_FLAG_NO_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME and
DH_FLAG_NO_EXP_CONSTTIME which previously provided the ability to switch
off the constant time implementation for RSA, DSA and DH have been made
no-ops and deprecated.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

The dsa_ossl.c file defined a couple of multi-line macros, but then only
used each one once. The macros just serve to complicate the code and make
it more difficult to understand what is really going on. Hence they are
removed.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Operations in the DSA signing algorithm should run in constant time in
order to avoid side channel attacks. A flaw in the OpenSSL DSA
implementation means that a non-constant time codepath is followed for
certain operations. This has been demonstrated through a cache-timing
attack to be sufficient for an attacker to recover the private DSA key.

CVE-2016-2178
Reviewed-by: NRichard Levitte <levitte@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>

Some of the instructions used in latest additions are extension
ones. There is no real reason to limit ourselves to specific
processors, so [re-]adhere to base instruction set.

RT#4548
Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NKurt Roeckx <kurt@openssl.org>
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1074)

Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NKurt Roeckx <kurt@openssl.org>
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1074)

Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NKurt Roeckx <kurt@openssl.org>
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1074)

Return directly NULL after ASN1_STRING_set, as it already has set an error code.
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NKurt Roeckx <kurt@openssl.org>
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1074)

Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NKurt Roeckx <kurt@openssl.org>
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1074)

Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NKurt Roeckx <kurt@openssl.org>
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1074)

Reviewed-by: NRich Salz <rsalz@openssl.org>

GH: #1139

RT#4474 (partial)
Reviewed-by: NRich Salz <rsalz@openssl.org>

If the string to print is exactly 2048 character long (excluding the NULL
terminator) then BIO_printf will chop off the last byte. This is because
it has filled its static buffer but hasn't yet allocated a dynamic buffer.
In cases where we don't have a dynamic buffer we need to truncate but that
is not the case for BIO_printf(). We need to check whether we are able to
have a dynamic buffer buffer deciding to truncate.
Reviewed-by: NRich Salz <rsalz@openssl.org>

zapparams modification based on tip from Matt Caswell

RT#3198
Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>

Use STATUS_SUCCESS instead of 0.
Renamed USE_BCRYPT to RAND_WINDOWS_USE_BCRYPT to avoid possible collisions with other defines.
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1142)

Adds missing casts for 64-bit.
Removed zero initialization of hProvider. hProvider is an "out" parameter of CryptAcquireContextW.
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1142)

Define USE_BCRYPT
Removed _WIN32_WINNT define
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1142)

When openssl is compiled with MSVC and _WIN32_WINNT>=0x0601 (Windows 7), BCryptGenRandom is used instead of the legacy CryptoAPI.

This change brings the following benefits:
- Removes dependency on CryptoAPI (legacy API) respectively advapi32.dll
- CryptoAPI Cryptographic Service Providers (rsa full) are not dynamically loaded.
- Allows Universal Windows Platform (UWP) apps to use openssl (CryptGenRandom is not available for Windows store apps)
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1142)

The problem is the checking in policy_cache_set, there is a race
condition between the null check and obtaining the lock.  The fix is in
policy_cache_new to detect if the creation has happened already.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

_ctr32 in function name refers to 32-bit counter, but it was implementing
64-bit one. This didn't pose problem to EVP, but 64-bit counter was just
misleading.

RT#4512
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Numerous test failures were occuring when Configured with enable-ubsan
although they could all be traced back to one issue.
Reviewed-by: NAndy Polyakov <appro@openssl.org>

Also fixes -Wstrict-oveflow warning on this file.

RT#4474 (partial)
Reviewed-by: NRichard Levitte <levitte@openssl.org>

The set_reasons() function in v3_crld.c leaks a STACK_OF(CONF_VALUE)
object on an error path.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

The int X509_PURPOSE_add() function was leaking an X509_PURPOSE object
on error.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

The X509_TRUST_add() function was leaking an X509_TRUST object on error.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

The ASN1_item_pack() function was leaking an ASN1_STRING object on error
paths.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

The ASN1_GENERALIZEDTIME_adj() function leaks an ASN1_GENERALIZEDTIME
object on an error path.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

The v2i_POLICY_MAPPINGS() function leaked ASN1_OBJECT pointers on error
paths.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

The notice_section() function allocates a STACK_OF(CONF_VALUE) but
then fails to free it on an error path.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

The v2i_AUTHORITY_KEYID() function can leak memory under an error
condition.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

The function a2i_ASN1_INTEGER() allocates a buffer |s| but then fails
to free it on error paths.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

The ec_wNAF_mul() function allocates some temporary storage that it
doesn't always free on an error condition.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Reviewed-by: NRichard Levitte <levitte@openssl.org>

Add copyright to missing assembler files.
Add copyrights to missing test/* files.
Add copyrights
Various source and misc files.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

RT2630 -- segfault for int overlow
RT2877 -- check return values in apps/rand
Update CHANGES file for previous "windows rand" changes.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Salt must be two ASCII characters.  Add tests to check for that,
and a test to test the checks.
Reviewed-by: NMatt Caswell <matt@openssl.org>

The -text argument to dhparam is broken, because the DHparams_print()
function always returns an error. The problem is that always expects a
public or private key to be present, even though that is never the case
with parameters.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Add missing error raise call, as it is done everywhere else.
and as CRYPTO_THREAD_lock_new don't do it internally.
Reviewed-by: NRichard Levitte <levitte@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>

On OpenBSD we turn off async capabilities due to no ucontext.h.

RT#4379
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NRich Salz <rsalz@openssl.org>