Commits · 6ada465fb258ae2c29668c59f3ec9b69dc38f8b3 · CYBER - Cyber Security / TS 103 523 MSP / ETS / ETS OpenSSL

Jan 19, 2016

Add documentation for EVP_PKEY_TLS1_PRF · 6ada465f
Dr. Stephen Henson authored Jan 19, 2016
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
6ada465f
add TLS1-PRF tests · 53a3a545
Dr. Stephen Henson authored Jan 19, 2016
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
53a3a545
Add TLS1-PRF test support to evp_test · 44a284d2
Dr. Stephen Henson authored Jan 19, 2016
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
44a284d2

use TLS PRF · b7d60e76

Dr. Stephen Henson authored Jan 19, 2016



Modify libssl to use EVP_PKEY TLS PRF.

Reviewed-by: Matt Caswell <matt@openssl.org>

b7d60e76

Add TLS PRF method. · 1eff3485

Dr. Stephen Henson authored Jan 19, 2016



Add EVP_PKEY algorithm for TLS1 PRF.

Reviewed-by: Matt Caswell <matt@openssl.org>

1eff3485

Fix GOST2012-NULL-GOST12 · 89577287

Dmitry Belyavsky authored Jan 19, 2016



Fix a typo in the definition of the GOST2012-NULL-GOST12 ciphersuite.

RT#4213

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>

89577287

Jan 18, 2016

Drop cached certificate signature validity flag · 0e76014e

Viktor Dukhovni authored Jan 17, 2016



It seems risky in the context of cross-signed certificates when the
same certificate might have multiple potential issuers.  Also rarely
used, since chains in OpenSSL typically only employ self-signed
trust-anchors, whose self-signatures are not checked, while untrusted
certificates are generally ephemeral.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

0e76014e

Don't use "grep -q", "-q" is not POSIX, and fails on Solaris. · 86334b6a
Kristian Amlie authored Jan 18, 2016
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
86334b6a

Add some extra Cygwin targets as aliases for Cygwin-x86 · b9ee2dac

Richard Levitte authored Jan 17, 2016



Cygwin was used for x86 before, so let's keep it around for those who
still use it (it make Configure reconf possible).
Cygwin-i[3456]86 for those that might generate and pass a target name
directly to Configure.

Reviewed-by: Rich Salz <rsalz@openssl.org>

b9ee2dac

Adjust the configuration target name from Cygwin-i686 to Cygwin-x86 · 3f542969
Richard Levitte authored Jan 17, 2016
```
This is to reflect that it's not limited to just i686.

Reviewed-by: Rich Salz <rsalz@openssl.org>
```
3f542969

Fix configuration system to support different architectures on Cygwin. · a717c110

Corinna Vinschen authored Jan 17, 2016



This patch allows to recognize the architectures supported by Cygwin
and to choose the right configuration from there.  Drop -march to
use default architecture on 32 bit x86.

Drop pre-Cygwin-1.3 recognition since it's long gone and there's no
valid configuration for this anymore.

Signed-off-by: Corinna Vinschen <vinschen@redhat.com>

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>

a717c110

Don't strip object files on Cygwin · 42b8f142

Corinna Vinschen authored Jan 16, 2016



  Building for the Cygwin distro requires to be able to build debuginfo
  files.  This in turn requires to build object files without stripping.
  The stripping is performed by the next step after building which creates
  the debuginfo files.

Signed-off-by: Corinna Vinschen <vinschen@redhat.com>

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>

42b8f142

Use POSIX functions on Cygwin, not Win32 function · 8d35ceb9

Corinna Vinschen authored Jan 16, 2016



Signed-off-by: Corinna Vinschen <vinschen@redhat.com>

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>

8d35ceb9

Fix build break; restore missing target · 23d526ec
Rich Salz authored Jan 17, 2016
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
23d526ec

Jan 17, 2016

Fix function declarations. · ba151698
Rich Salz authored Jan 17, 2016
```
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
```
ba151698
Accessor update; fix API, document one. · 213f60bf
Rich Salz authored Jan 17, 2016
```
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
```
213f60bf

Remove some old makefile targets · ee6d9f4e

Rich Salz authored Jan 15, 2016



Remove lint, tags, dclean, tests.
This is prep for a new makedepend scheme.
This is temporary pending unified makefile, and might help it.

Reviewed-by: Richard Levitte <levitte@openssl.org>

ee6d9f4e

Add some accessors. · 9e5cd4ba

Rich Salz authored Jan 17, 2016



Author: Remi Gacogne <rgacogne-github@coredump.fr>
GH334: Add an OCSP_SINGLERESP_get0_id() accessor to the OCSP_CERTID of
a OCSP_SINGLERESP. It is possible to do it the other way around using
OCSP_resp_find(), but this is more efficient when you have a tree indexed
by OCSP_CERTID, like haproxy does. (This is also RT4251)

Author: Marek Klein <kleinmrk@gmail.com>
GH556: OCSP_resp_get_produced_at() accessor to the producedAt of a
OCSP_BASICRESP
GH555: TS_STATUS_INFO_get_status(), TS_STATUS_INFO_get_text() and
TS_STATUS_INFO_get_failure_info() accessors for a TS_STATUS_INFO

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

9e5cd4ba

RT4247: Add missing patch · 0b3a231e

Rich Salz authored Jan 16, 2016



Missed the camellia EVP update.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

0b3a231e

Jan 16, 2016

The TLSProxy tests can't run if no-engine has been configured · 3f22ed2f
Richard Levitte authored Jan 17, 2016
```
Make sure they detect that.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
```
3f22ed2f

fix no-engine build · 8e237299

Dr. Stephen Henson authored Jan 16, 2016



Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>

8e237299

Start a new line after each sentence-ending period. · ee84152f
Viktor Dukhovni authored Jan 16, 2016
```
This avoids explicit double spaces between sentences.

Reviewed-by: Rich Salz <rsalz@openssl.org>
```
ee84152f

Make SSL_dane_enable() requirement more clear. · 80f63d66

Viktor Dukhovni authored Jan 16, 2016



Also s/s/ssl/ as appropriate in the code example.

Suggested by Claus Assmann.

Reviewed-by: Rich Salz <rsalz@openssl.org>

80f63d66

Better invalid SNI name error handling · 8d887efa

Viktor Dukhovni authored Jan 16, 2016



Also report an SSL_dane_enable error when the basedomain is an
invalid SNI name.  Avoid side-effects when such a name is valid
with X509_VERIFY_PARAM_set1_host(), as e.g. with an empty name, by
setting the SNI name first.

Reviewed-by: Rich Salz <rsalz@openssl.org>

8d887efa

Empty SNI names are not valid · 0982ecaa

Viktor Dukhovni authored Jan 16, 2016



While empty inputs to SSL_set1_host() clear the reference identifier
list.

Reviewed-by: Rich Salz <rsalz@openssl.org>

0982ecaa

RT4247: Fix EVP_CIPHER_CTX opaque on sparc · ecdd0ff7
Rich Salz authored Jan 15, 2016
```
Via Rainer Jung

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
```
ecdd0ff7

Jan 15, 2016

free up gost ciphers · 25be7a0f
Dr. Stephen Henson authored Jan 14, 2016
```
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
```
25be7a0f
Add lookup_certs for a trusted stack. · c864e761
Dr. Stephen Henson authored Jan 14, 2016
```
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
```
c864e761

NGX-2040 - fix wildcard match on punycode/IDNA DNS names · 9f9a3926

Zi Lin authored Jan 15, 2016



- bugfix: should not treat '--' as invalid domain substring.
- '-' should not be the first letter of a domain

Signed-off-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

9f9a3926

Fix typo · 87c00c93
Rich Salz authored Jan 15, 2016
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
87c00c93

Update Windows installation instructions · 7a77bd9d

Matt Caswell authored Jan 14, 2016

The windows installation instructions were very out of date. Substantial
update to the text. Remove a lot of historical stuff that isn't relevant
any more, and merge the win64 and win32 instructions into one file.

Reviewed-by: Richard Levitte <levitte@openssl.org>

7a77bd9d

Rename INSTALL.W32 to INSTALL.WIN · 46bf69b5

Matt Caswell authored Jan 14, 2016



Also remove the INSTALL.W64 file. Next commit will update INSTALL.WIN to
cover both.

Reviewed-by: Richard Levitte <levitte@openssl.org>

46bf69b5

Jan 14, 2016

Small fixup, an extra line slipped in · 1de8e63f

Richard Levitte authored Jan 14, 2016

The previous 'Relax the requirements for a debug build' commit had
an extra line of code that shouldn't have been there. This fixes it.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

1de8e63f

Cosmetic polish for last-resort depth 0 check · 497ecc0d
Viktor Dukhovni authored Jan 14, 2016
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
497ecc0d

Avoid the r modifier for s/// (perl) · 56afc187

Richard Levitte authored Jan 14, 2016



It seems that the r modifier for s/// is fairly new.  It's reported
not to exist in perl 5.10.1, so it's better to avoid it when
possible.

Reviewed-by: Tim Hudson <tjh@openssl.org>

56afc187

Fix last-resort depth 0 check when the chain has multiple certificates · bdcadca2
Viktor Dukhovni authored Jan 14, 2016
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
bdcadca2

Add a no-egd option to disable EGD-related code · 0423f812

Benjamin Kaduk authored Jan 12, 2016



The entropy-gathering daemon is used only on a small number of machines.
Provide a configure knob so that EGD support can be disabled by default
but re-enabled on those systems that do need it.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

0423f812

Make SSL_set_debug deprecated in 1.1 · 47153c72
Rich Salz authored Jan 14, 2016
```
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
```
47153c72
Always initialize X509_STORE_CTX get_crl pointer · 311f2785
Viktor Dukhovni authored Jan 14, 2016
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
311f2785
Editorial · 46e64f6e
Viktor Dukhovni authored Jan 14, 2016
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
46e64f6e