Commits · 03f880e4fc5f4235006abdc152664c22aef6a506 · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

Mar 10, 2016

The typedef ECPARAMETERS is already defined, don't define it anew · 03f880e4
Richard Levitte authored Mar 10, 2016
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
03f880e4

Allow OPENSSL_NO_SOCK in e_os.h even for non-Windows/DOS platforms · ffbc5b57

David Woodhouse authored Feb 20, 2016

UEFI needs this too. Don't keep it only in the Windows/DOS ifdef block.

This is a fixed version of what was originally commit 963bb621 and
subsequently reverted in commit 37b1f8bd

. Somewhere along the way, the
Windows/DOS ifdef actually got removed, leaving it just broken. It should
have been turned into an #elif, not removed.

This one correctly changes the logic from

    # if WINDOWS|DOS
    #  if OPENSSL_NO_SOCK
        ... no-sock ...
    #  elif !DJGPP
        ... native windows ...

to

    # if OPENSSL_NO_SOCK
       ... no-sock ...
    # elif WINDOWS|DOS
    #  if !DJGPP
        ... native windows ...

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>

ffbc5b57

Remove a missed item from the old thread API · 6a7de8e0

Matt Caswell authored Mar 10, 2016



A line from cryptlib.h was missed during the old Thread API removal. This
breaks no-deprecated builds.

Reviewed-by: Rich Salz <rsalz@openssl.org>

6a7de8e0

Mark SRP_VBASE_get_by_user() as deprecated · 1e45206f

Matt Caswell authored Mar 10, 2016



The function SRP_VBASE_get_by_user() is declared as deprecated but the
implementation was not.

Reviewed-by: Rich Salz <rsalz@openssl.org>

1e45206f

No need to call EVP_CIPHER_CTX_init after EVP_CIPHER_CTX_new · 0f1d814c

Matt Caswell authored Mar 10, 2016



The afalgtest was unnecessarily initing an EVP_CIPHER_CTX. It is not
needed and is deprecated.

Reviewed-by: Rich Salz <rsalz@openssl.org>

0f1d814c

Pass down inclusion directories to source file generators · d4605727

Richard Levitte authored Mar 10, 2016



The source file generators sometimes use $(CC) to post-process
generated source, and getting the inclusion directories may be
necessary at times, so we pass them down.

RT#4406

Reviewed-by: Rich Salz <rsalz@openssl.org>

d4605727

Travis - add missing semi-colon · 8cffddc0
Richard Levitte authored Mar 10, 2016
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
8cffddc0

Update .gitignore to ignore all cscope files · 3253927d

Todd Short authored Mar 05, 2016



Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>

3253927d

remove ms/.rnd and add it to .gitignore · c54bae98

Viktor Szakats authored Mar 09, 2016



Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>

c54bae98

RT3676 add: Export ASN.1 DHparams · 599eccfc
Rich Salz authored Mar 09, 2016
```
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
```
599eccfc

Travis - don't use ccache with cross compiles · a70ca740

Richard Levitte authored Mar 10, 2016



Although theoretically possible, Configure doesn't treat CC variable
set like this very well: CC="ccache i686-w64-mingw32-gcc"
Also, this Travis script doesn't recognise the possibility either.

Reviewed-by: Rich Salz <rsalz@openssl.org>

a70ca740

Avoid negative array index in BIO_debug_callback() · a1673e15

Benjamin Kaduk authored Mar 08, 2016

BIO_snprintf() can return -1 on truncation (and overflow as of commit
9cb17730

).  Though neither can
realistically occur while printing a pointer and short fixed string into
a buffer of length 256, the analysis to confirm that this the case goes
somewhat far up the call chain, and not all static analyzers can
successfully follow the chain of logic.

It's easy enough to clamp the returned length to be nonnegative before
continuing, which appeases the static analyzer and does not harm the
subsequent code.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

a1673e15

CT: check some GeneralizedTime return values · 80e8fdbe

Benjamin Kaduk authored Mar 08, 2016



Some of the ASN.1 routines for the GeneralizedTime type can return
errors; check for these and do not continue past failure, so as
to appease coverity.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

80e8fdbe

When configured "shared", don't build static libraries on Windows · b805b444

Richard Levitte authored Mar 10, 2016



The reason for this is that the static libraries and the DLL import
libraries are named the same on Windows.  When configured "shared",
the static libraries are unused anyway.

Reviewed-by: Rich Salz <rsalz@openssl.org>

b805b444

Make util/mk1mf.pl recognise no-weak-ssl-ciphers · 9c176223
Richard Levitte authored Mar 10, 2016
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
9c176223

Avoid double-free in calleres to OCSP_parse_url · dca7158c

Jim Basney authored Mar 09, 2016



set pointers to NULL after OPENSSL_free before returning to caller to
avoid possible double-free in caller

Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>

dca7158c

Fix return type for CRYPTO_THREAD_run_once · 64256510

Mat authored Mar 10, 2016



return type should be int and not void

Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>

64256510

Add X509_CHECK_FLAG_NEVER_CHECK_SUBJECT flag · dd60efea
Viktor Dukhovni authored Mar 08, 2016
```
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
```
dd60efea
Remove duplicate typedef of ECPKPARAMETERS in ec.h · 29f08260
Richard Levitte authored Mar 10, 2016
```
Reviewed-by: Stephen Henson <steve@openssl.org>
```
29f08260
Run make update · 6b514590
Kurt Roeckx authored Mar 09, 2016
```
Reviewed-by: Rich Salz <rsalz@openssl.org>

MR: #2296
```
6b514590
Travis - the source directory is _srcdist, not _srcdir · 32e4cc0c
Richard Levitte authored Mar 10, 2016
```
Reviewed-by: Stephen Henson <steve@openssl.org>
```
32e4cc0c

Mar 09, 2016
- Correct slight logic error in processing IF in build.info · c5798e0e
  Richard Levitte authored Mar 09, 2016
```
This corrects a fault where the inner IF in this example was still
being acted upon:

  IF[0]
    ...whatever...
    IF[1]
      ...whatever more...
    ENDIF
  ENDIF

With this change, the inner IF is skipped over.

Reviewed-by: Matt Caswell <matt@openssl.org>
```
  c5798e0e
- When grepping something starting with a dash, remember to use -e · 64b9d84b
  Richard Levitte authored Mar 09, 2016
```
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
```
  64b9d84b
- Deprecate the use of version-specific methods · 2b8fa1d5
  Kurt Roeckx authored Mar 02, 2016
```
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1824
```
  2b8fa1d5
- Use version flexible method instead of fixed version · 885e601d
  Kurt Roeckx authored Mar 02, 2016
```
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1824
```
  885e601d
- Use minimum and maximum protocol version instead of version fixed methods · 0d5301af
  Kurt Roeckx authored Feb 02, 2016
```
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1824
```
  0d5301af
- Fix usage of OPENSSL_NO_*_METHOD · 1fc7d666
  Kurt Roeckx authored Feb 02, 2016
```
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1824
```
  1fc7d666
- Move disabling of RC4 for DTLS to the cipher list. · ca3895f0
  Kurt Roeckx authored Mar 08, 2016
```
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1595
```
  ca3895f0
- Remove DES cipher alias · 82478521
  Kurt Roeckx authored Mar 09, 2016
```
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1595
```
  82478521
- Update ciphers -s documentation · 29c4cf0c
  Kurt Roeckx authored Feb 07, 2016
```
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1595
```
  29c4cf0c
- Document SSL_get1_supported_ciphers · cdc72e49
  Kurt Roeckx authored Feb 07, 2016
```
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1595
```
  cdc72e49
- IDEA is not supported in TLS 1.2 · d7a47426
  Kurt Roeckx authored Feb 07, 2016
```
This currently seems to be the only cipher we still support that should get
disabled.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1595
```
  d7a47426
- Add support for minimum and maximum protocol version supported by a cipher · 3eb2aff4
  Kurt Roeckx authored Feb 07, 2016
```
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1595
```
  3eb2aff4
- Add ssl_get_client_min_max_version() function · 068c358a
  Kurt Roeckx authored Feb 07, 2016
```
Adjust ssl_set_client_hello_version to get both the minimum and maximum and then
make ssl_set_client_hello_version use the maximum version.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1595
```
  068c358a
- Make SSL_CIPHER_get_version return a const char * · b11836a6
  Kurt Roeckx authored Feb 07, 2016
```
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1595
```
  b11836a6
- Remove unused code · 6063453c
  Kurt Roeckx authored Feb 07, 2016
```
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1595
```
  6063453c
- Make function to convert version to string · 7d650072
  Kurt Roeckx authored Feb 07, 2016
```
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1595
```
  7d650072
- Constify security callbacks · e4646a89
  Kurt Roeckx authored Feb 07, 2016
```
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1595
```
  e4646a89
- Documentation for ctx_set_ctlog_list_file() · ca74c38d
  Rob Percival authored Mar 09, 2016
```
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  ca74c38d
- Minor improvement to formatting of SCT output in s_client · 6bea2a72
  Rob Percival authored Mar 04, 2016
```
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  6bea2a72