Commits · 3cb8c3265f639f8eebf32053457ae6a6d61e2413 · CYBER - Cyber Security / TS 103 523 MSP / ETS / ETS OpenSSL

Jan 07, 2016
- Remove the old VMS linker option file creator for shlibs · 3cb8c326
  Richard Levitte authored Jan 07, 2016
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  3cb8c326
- Enhance util/mkdef.pl to provide a VMS linker option file for shlibs · a388633d
  Richard Levitte authored Jan 07, 2016
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  a388633d
- Remove crypto/pem/pem_seal.c · 0674427f
  Richard Levitte authored Jan 07, 2016
```
It's functionality appears unused.  If we're wrong, we will revert.

Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  0674427f
- DANE support for X509_verify_cert() · 170b7358
  Viktor Dukhovni authored Dec 29, 2015
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
  170b7358
- use more descriptive name DEFINE_STACK_OF_CONST · a8eba56e
  Dr. Stephen Henson authored Jan 07, 2016
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
  a8eba56e
- Only declare stacks in headers · 4a1f3f27
  Dr. Stephen Henson authored Jan 06, 2016
```
Don't define stacks in C source files: it causes warnings
about unused functions in some compilers.

Reviewed-by: Richard Levitte <levitte@openssl.org>
```
  4a1f3f27
- Rename DECLARE*STACK_OF to DEFINE*STACK_OF · 85885715
  Dr. Stephen Henson authored Dec 28, 2015
```
Applications wishing to include their own stacks now just need to include

DEFINE_STACK_OF(foo)

in a header file.

Reviewed-by: Richard Levitte <levitte@openssl.org>
```
  85885715
- remove unused PREDECLARE · c5e0c540
  Dr. Stephen Henson authored Dec 27, 2015
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
  c5e0c540
- Fix declarations and constification for inline stack. · 4a640fb6
  Dr. Stephen Henson authored Dec 23, 2015
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
  4a640fb6
- Change STACK_OF to use inline functions. · 411abf2d
  Dr. Stephen Henson authored Dec 23, 2015
```
Change DECLARE_STACK_OF into inline functions. This avoids the need for
auto generated mkstack.pl macros and now handles const properly.

Reviewed-by: Richard Levitte <levitte@openssl.org>
```
  411abf2d
Jan 06, 2016

DANE make update · 249d9719
Viktor Dukhovni authored Dec 29, 2015
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
249d9719
DANE documentation typos · 63b65834
Viktor Dukhovni authored Jan 06, 2016
```
Reported-by: Claus Assmann

Reviewed-by: Rich Salz <rsalz@openssl.org>
```
63b65834
Remove more (rest?) of FIPS build stuff. · 700b4a4a
Rich Salz authored Dec 14, 2015
```
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
```
700b4a4a
Remove some unused perl scripts · 0b0443af
Rich Salz authored Dec 17, 2015
```
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
```
0b0443af

DANE support structures, constructructors and accessors · 919ba009

Viktor Dukhovni authored Dec 29, 2015



Also tweak some of the code in demos/bio, to enable interactive
testing of BIO_s_accept's use of SSL_dup.  Changed the sconnect
client to authenticate the server, which now exercises the new
SSL_set1_host() function.

Reviewed-by: Richard Levitte <levitte@openssl.org>

919ba009

Jan 03, 2016
- Fix X509_STORE_CTX_cleanup() · e29c73c9
  Viktor Dukhovni authored Jan 01, 2016
```
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
```
  e29c73c9
- Drop incorrect id == -1 case from X509_check_trust · 0e7abc90
  Viktor Dukhovni authored Dec 29, 2015
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
  0e7abc90
- X509_verify_cert() cleanup · d9b8b89b
  Viktor Dukhovni authored Dec 29, 2015
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
  d9b8b89b
- Cleanup of verify(1) failure output · 63c6aa6b
  Viktor Dukhovni authored Jan 01, 2016
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
  63c6aa6b
Jan 02, 2016

Instead of a local hack, implement SIZE_MAX in numbers.h if it's missing · 1de1d768
Richard Levitte authored Jan 02, 2016
```
Reviewed-by: Stephen Henson <steve@openssl.org>
```
1de1d768

Fix a possible memleak · 6aa0ba4b

Richard Levitte authored Dec 18, 2015



If there's a failure allocating md_data, the destination pctx will have
a shared pointer with the source EVP_MD_CTX, which will lead to problems
when either the source or the destination is freed.

Reviewed-by: Stephen Henson <steve@openssl.org>

6aa0ba4b

Protocol version selection and negotiation rewrite · 4fa52141

Viktor Dukhovni authored Dec 29, 2015



The protocol selection code is now consolidated in a few consecutive
short functions in a single file and is table driven.  Protocol-specific
constraints that influence negotiation are moved into the flags
field of the method structure.  The same protocol version constraints
are now applied in all code paths.  It is now much easier to add
new protocol versions without reworking the protocol selection
logic.

In the presence of "holes" in the list of enabled client protocols
we no longer select client protocols below the hole based on a
subset of the constraints and then fail shortly after when it is
found that these don't meet the remaining constraints (suiteb, FIPS,
security level, ...).  Ideally, with the new min/max controls users
will be less likely to create "holes" in the first place.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>

4fa52141

Refine and re-wrap Min/Max protocol docs · 57ce7b61
Viktor Dukhovni authored Dec 29, 2015
```
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
```
57ce7b61
Add support for minimum and maximum protocol version · 7946ab33
Kurt Roeckx authored Dec 06, 2015
```
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
```
7946ab33

Jan 01, 2016
- Fix no-dh. · 1e0784ff
  Ben Laurie authored Jan 01, 2016
```
Reviewed-by: Stephen Henson <steve@openssl.org>
```
  1e0784ff
- remove invalid free · f2c14768
  Dr. Stephen Henson authored Jan 01, 2016
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  f2c14768
Dec 31, 2015
- Use X509_get0_pubkey where appropriate · 8382fd3a
  Dr. Stephen Henson authored Dec 20, 2015
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  8382fd3a
Dec 30, 2015

Update to SHA256 for TSA signing digest. · 39a6a4a7
Rich Salz authored Dec 30, 2015
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
39a6a4a7
Fix faulty check in the VMS version of opt_progname · 211a68b4
Richard Levitte authored Dec 30, 2015
```
Reviewed-by: Stephen Henson <steve@openssl.org>
```
211a68b4
Remove the #ifndef OPENSSL_SYS_VMS around SSL_add_dir_cert_subjects_to_stack · 579415de
Richard Levitte authored Dec 30, 2015
```
It served a purpose, but not any more.

Reviewed-by: Stephen Henson <steve@openssl.org>
```
579415de
Correct missing prototype · e6578078
Richard Levitte authored Dec 30, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
e6578078

SIZE_MAX doesn't exist everywhere, supply an alternative · 36830eca

Richard Levitte authored Dec 30, 2015



SIZE_MAX is a great macro, and does unfortunately not exist everywhere.
Since we check against half of it, using bitwise shift to calculate the
value of half SIZE_MAX should be safe enough.

Reviewed-by: Tim Hudson <tjh@openssl.org>

36830eca

Fix some missing or faulty header file inclusions · 3dc9589c
Richard Levitte authored Dec 30, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
3dc9589c

Check for missing DSA parameters. · 72245f34

Dr. Stephen Henson authored Dec 30, 2015



If DSA parameters are absent return -1 (for unknown) in DSA_security_bits.

If parameters are absent when a certificate is set in an SSL/SSL_CTX
structure this will reject the certificate by default. This will cause DSA
certificates which omit parameters to be rejected but that is never (?)
done in practice.

Thanks to Brian 'geeknik' Carpenter for reporting this issue.

Reviewed-by: Emilia Käsper <emilia@openssl.org>

72245f34

Dec 29, 2015
- Convert RSA encrypt to use EVP_PKEY · 923ffa97
  Dr. Stephen Henson authored Dec 28, 2015
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  923ffa97
- Prefer ReuseAddr over Reuse, with IO::Socket::INET · 0d0769a4
  Richard Levitte authored Dec 26, 2015
```
Reuse is deprecated and ReuseAddr is prefered, according to documentation.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
```
  0d0769a4
- Fix no-engine. · 33bed28b
  Ben Laurie authored Dec 27, 2015
```
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
```
  33bed28b
Dec 28, 2015
- RT4202: Update rt URL's. · 41977c53
  Rich Salz authored Dec 28, 2015
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
  41977c53
- make a "missed make update" update · 5bec6e56
  Rich Salz authored Dec 28, 2015
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  5bec6e56
Dec 27, 2015

Increase the max size limit for a CertificateRequest message · 057b6f79

Matt Caswell authored Dec 23, 2015



Previous versions of OpenSSL had the max size limit for a CertificateRequest
message as |s->max_cert_list|. Previously master had it to be
SSL3_RT_MAX_PLAIN_LENGTH. However these messages can get quite long if a
server is configured with a long list of acceptable CA names. Therefore
the size limit has been increased to be consistent with previous versions.

RT#4198

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

057b6f79