Would be nice to document when/where this originated (in glibc?) if
anyone knows...
tweaks by schwarze@
ok jmc@ espie@ kettenis@ schwarze@ dimitry(at)google.com

libcrypto minor bump.

There used to be a strong reluctance to provide this cipher in LibreSSL in the
past, because the licence terms under which Cammelia was released by NTT were
free-but-not-in-the-corners, by restricting the right to modify the source
code, as well retaining the right to enforce their patents against anyone
in the future.
However, as stated in http://www.ntt.co.jp/news/news06e/0604/060413a.html ,
NTT changed its mind and made this code truly free. We only wish there had
been more visibility of this, for we could have had enabled Cammelia
earlier (-:
Licence change noticed by deraadt@. General agreement from the usual LibreSSL
suspects.
Crank libcrypto.so minor version due to the added symbols.

does most of the work pwd_gensalt did, but also creates the hash.
(unused yet)

troff displays these as typographic quotes, but nroff implementations
almost always print them literally, which rarely has the intended effect
with modern fonts, even in stock xterm.
These uses of `` '' can be replaced either with more semantic alternatives
or with Dq, which prints typographic quotes in a UTF-8 locale (but will
automatically fall back to `` '' in an ASCII locale).
improvements and ok schwarze@

CryptAcquireContext and CryptGenRandom returns zero (FALSE) if fails.
From: Dongsheng Song <dongsheng.song@gmail.com>

engine to regular EVP citizens, contributed by Dmitry Eremin-Solenikov;
libcrypto bits only for now.
This is a verbatim import of Dmitry's work, and does not compile in this
state; the forthcoming commits will address these issues.
None of the GOST code is enabled in libcrypto yet, for it still gets
compiled with OPENSSL_NO_GOST defined. However, the public header gost.h
will be installed.

This functionality was already available (and optional), and used in the
bowels of the ASN.1 code. This exposes it as a public interface, which will
be used by the upcoming GOST code.
Crank libcrypto minor version.
From Dmitry Eremin-Solenikov.

The FreeBSD-native arc4random_buf implementation falls back to weak sources of
entropy if the sysctl fails. Remove these dangerous fallbacks by overriding
locally.
Unfortunately, pthread_atfork() is also broken on FreeBSD (at least 9 and 10)
if a program does not link to -lthr. Callbacks registered with pthread_atfork()
simply fail silently. So, it is not always possible to detect a PID wraparound.
I wish we could do better.
This improves arc4random_buf's safety compared to the native FreeBSD
implementation.
Tested on FreeBSD 9 and 10.

don't want to give people the idea that this is non-portable (it
has been present since C89).  OK deraadt@ schwarze@

Suggested by millert@ and schwarze@.
OK schwarze@, millert@

ok deraadt@

Remove excessive technicalities on zero-sized objects as suggested by deraadt@.
contributions and ok deraadt@, ok jmc@ on an earlier version

and fix two instances of "new sentence, new line" while here
feedback and ok jmc@, ok doug@

The old man page had a lot of useful information, but it was all mixed
together which made it difficult to reference.  The main theme in this
commit is that the sections are more focused:
* DESCRIPTION describes the overall behavior
* RETURN VALUES describes what it may return (including implementation
defined values)
* EXAMPLES shows why we recently started an audit on malloc and realloc
usage in the tree.
* Added CAVEATS which describes what is implementation defined, gotchas
and security implications of misusing these functions
* Added IDIOMS which describes how these functions should or
should not be used
The MALLOC_OPTIONS section was left unchanged.  Function names were
added to DIAGNOSTICS and STANDARDS.  The MALLOC_OPTIONS and DIAGNOSTICS
sections were pushed down in the page so more pertinent information is
higher up.
This has gone through several revisions thanks to input from deraadt@
and schwarze@.  Ingo also helped with some of the mandoc formatting.
OK schwarze@ (as far as it is a good starting point and the code
snippets look ok)

millert@ made changes to realpath.c based on FreeBSD's version.  I merged
Todd's changes into dl_realpath.c.
ok millert@, guenther@

ok tedu@

not all versions of <linux/random.h> include <linux/types.h> by default

i looked a bit closer and found instances before Reno, so correct HISTORY.
References:
http://minnie.tuhs.org/cgi-bin/utree.pl?file=4.1cBSD/usr/src/ucb/dbx/defs.h
http://minnie.tuhs.org/cgi-bin/utree.pl?file=4.3BSD/usr/src/etc/inetd.c
http://minnie.tuhs.org/cgi-bin/utree.pl?file=4.3BSD-Reno/src/lib/libc/string/strdup.c
ok deraadt@

in case something wants to create massive amounts of environment, like
a bit more than 1/4 of a 32-bit address space.  unrealistic -- but why
audit one code path, and not treat others the same?  then you have to
re-engage everytime you see the code.  read the news, that isn't what
developers do.  At least if the code paths look the same, there is hope,
because they are easier to verify for correctness.  developers need
to give other developers a chance to want to care.

fixed.

cases and breaks TLS 1.2; crank libcrypto.so minor version out of safety and
to be able to tell broken versions apart easily.

This explanation is based off of Ted's site.  Also, fix a comment from
the SHA-1 version.
ok tedu@

Mention that invalid bases do set EINVAL (as required by POSIX);
this part of the change uses part of an earlier patch by millert@.
Minor mdoc(7) cleanup and sync between the two pages while here.
Feedback and ok jmc@ and millert@.

required by the C standard when called with an invalid base:
strtoll(), strtoimax(), strtoul(), strtoull(), and strtoumax().
Same behaviour for strtoq() and strtouq() even though not standardized.
No functional change in strtol(), it was the only one already correct.
While here, simplify the conditional expression for checking the base
and sync whitespace and comments among the six files.
ok millert@

found with the new mandoc(1) MANDOCERR_AN_MISSING warning;
no text changes

If getrandom returns a temporary failure, make sure errno is not polluted when
it succeeds. Thanks to deraadt@ for pointing it out.

concept ok deraadt@
diff looks ok tedu@

to hold the malloc lock across mmap syscalls in all cases. dropping it
allows another thread to access the existing chunk cache if necessary.
could be improved to be a bit more aggressive, but i've been testing this
simple diff for some time now with good results.

like the sysctl path

This enables support for the new getrandom(2) syscall in Linux 3.17.
If the call exists and fails, return a failure in getentropy(2) emulation as
well. This adds a EINTR check in case the urandom pool is not initialized.
Tested on Fedora Rawhide with 3.17rc0 and Ubuntu 14.04
ok deraadt@

circular lists.  Amazingly, they managed to extend the requirements to no
longer match the behavior of the VAX instructions they were modeled after,
so the trivial VAX ASM versions have to go.  Nice job breaking it, X/Open!
Based on a diff from enh (at) google.com
ok miod@

on it, simplifying error checking, reducing system calls, and improving
thread-safety for libraries.
ok miod@

case of failing to map the 2nd object.
found by Paul Maurers

Most assembly blocks remain inactive if OPENSSL_NO_ASM is not defined,
only enabling inline assembly, but the RSA / RC4-5 blocks (used only in
amd64 systems) turn on implicitly. Guard these two as well.
This simplifies enabling just inline ASM in portable, no effective
change in OpenBSD.

the details are under embargo. The original plan was to wait for the
embargo to lift, but we've been waiting for quite some time, and there's no
indication of when or even if it will end. No sense in dragging this out
any longer.
The SRP code has never been enabled in OpenBSD, though I understand it is
in use by some other people. However, in light of this and other issues,
we're officially saying SRP is outside the scope of libressl. (For now.)

Also, zero the SHA256 context.
suggested by "eric" in a comment on an opensslrampage.org post
ok miod@ deraadt@

being-standardized <endian.h>
ok deraadt@ millert@ beck@

Move <sys/mman.h> and raise(SIGKILL) calls to OS-specific headers.
On OpenBSD, move thread_private.h as well to arc4random.h.
On Windows, use TerminateProcess on getentropy failure.
ok deraadt@

It may make sense to later replace this with a Critical Section later.
ok guenther@