Commits · 1fc7d6664a3d118f9d5de217c9ffd154ed9ddb6f · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

Mar 09, 2016

Fix usage of OPENSSL_NO_*_METHOD · 1fc7d666
Kurt Roeckx authored Feb 02, 2016
```
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1824
```
1fc7d666
Move disabling of RC4 for DTLS to the cipher list. · ca3895f0
Kurt Roeckx authored Mar 08, 2016
```
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1595
```
ca3895f0
Remove DES cipher alias · 82478521
Kurt Roeckx authored Mar 09, 2016
```
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1595
```
82478521
Update ciphers -s documentation · 29c4cf0c
Kurt Roeckx authored Feb 07, 2016
```
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1595
```
29c4cf0c
Document SSL_get1_supported_ciphers · cdc72e49
Kurt Roeckx authored Feb 07, 2016
```
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1595
```
cdc72e49

IDEA is not supported in TLS 1.2 · d7a47426

Kurt Roeckx authored Feb 07, 2016



This currently seems to be the only cipher we still support that should get
disabled.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1595

d7a47426

Add support for minimum and maximum protocol version supported by a cipher · 3eb2aff4
Kurt Roeckx authored Feb 07, 2016
```
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1595
```
3eb2aff4

Add ssl_get_client_min_max_version() function · 068c358a

Kurt Roeckx authored Feb 07, 2016



Adjust ssl_set_client_hello_version to get both the minimum and maximum and then
make ssl_set_client_hello_version use the maximum version.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1595

068c358a

Make SSL_CIPHER_get_version return a const char * · b11836a6
Kurt Roeckx authored Feb 07, 2016
```
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1595
```
b11836a6

Remove unused code · 6063453c

Kurt Roeckx authored Feb 07, 2016



Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1595

6063453c

Make function to convert version to string · 7d650072
Kurt Roeckx authored Feb 07, 2016
```
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1595
```
7d650072
Constify security callbacks · e4646a89
Kurt Roeckx authored Feb 07, 2016
```
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1595
```
e4646a89

Documentation for ctx_set_ctlog_list_file() · ca74c38d

Rob Percival authored Mar 09, 2016



Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

ca74c38d

Minor improvement to formatting of SCT output in s_client · 6bea2a72
Rob Percival authored Mar 04, 2016
```
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
6bea2a72
Do not display a CT log error message if CT validation is disabled · 328f36c5
Rob Percival authored Mar 04, 2016
```
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
328f36c5
RT3676: Expose ECgroup i2d functions · 60b350a3
Rich Salz authored Mar 09, 2016
```
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
```
60b350a3

Comment away the extra checks in Configure · c4718849

Richard Levitte authored Mar 09, 2016



The "extra checks" is a debugging tool to check the config resolving
mechanism.  It uses Perl's smart match, which is experimental and
therefore always causes Perl to give out a warning, and it causes
older Perl versions to fail entirely.

So, it gets commented away, but stays otherwise in place, as it may be
useful again.

Reviewed-by: Matt Caswell <matt@openssl.org>

c4718849

Make ct_dir and certs_dir static in test/ct_test.c · 67336ea4
Richard Levitte authored Mar 09, 2016
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
67336ea4

Fix ct_test to not assume it's in the source directory · 1bee9d6b

Richard Levitte authored Mar 09, 2016



ct_test assumed it's run in the source directory and failed when built
elsewhere.  It still defaults to that, but can be told another story
with the environment variables CT_DIR and CERTS_DIR.

Test recipe updated to match.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

1bee9d6b

Document importance of CTLOG_STORE outliving SCT if SCT_set0_log is used · 9ddff1e8
Rob Percival authored Mar 09, 2016
```
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
9ddff1e8
Make SCT literals into const variables in ct_test.c · dc919c69
Rob Percival authored Mar 09, 2016
```
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
dc919c69
Makes STACK_OF(SCT)* parameter of i2d_SCT_LIST const · eac84e81
Rob Percival authored Mar 08, 2016
```
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
eac84e81

Removes SCT_LIST_set_source and SCT_LIST_set0_logs · 14db9bbd

Rob Percival authored Mar 08, 2016



Both of these functions can easily be implemented by callers instead.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

14db9bbd

Makes SCT_get0_log return const CTLOG* · 21b908a8

Rob Percival authored Mar 08, 2016



Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

21b908a8

Makes CTLOG_STORE_get0_log_by_id return const CTLOG* · 12d2d281
Rob Percival authored Mar 08, 2016
```
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
12d2d281

Improved documentation of SCT_CTX_* functions · 98af7310

Rob Percival authored Mar 08, 2016



Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

98af7310

Updates ct_err.c · e5a7ac44

Rob Percival authored Mar 08, 2016



Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

e5a7ac44

Remove unnecessary call to SCT_set1_extensions(sct, "", 0) in ct_test.c · 5c081a8f
Rob Percival authored Mar 08, 2016
```
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
5c081a8f
Reset SCT validation_status if the SCT is modified · 6d7fd9c1
Rob Percival authored Mar 08, 2016
```
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
6d7fd9c1
Use SCT_VERSION_V1 in place of literal 0 in ct_test.c · 9c812014
Rob Percival authored Mar 07, 2016
```
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
9c812014

Fixes "usuable" typo in ct_locl.h · 70279a81

Rob Percival authored Mar 07, 2016



Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

70279a81

Treat boolean functions as booleans · 70073f3e

Rob Percival authored Mar 07, 2016



Use "!x" instead of "x <= 0", as these functions never return a negative
value.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

70073f3e

Make parameters of CTLOG_get* const · 8c92c4ea

Rob Percival authored Mar 04, 2016



Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

8c92c4ea

Extensive application of __owur to CT functions that return a boolean · 5da65ef2

Rob Percival authored Mar 04, 2016



Also improves some documentation of those functions.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

5da65ef2

Makes SCT_LIST_set_source return the number of successes · 8fbb93d0

Rob Percival authored Mar 04, 2016



No longer terminates on first error, but instead tries to set the source
of every SCT regardless of whether an error occurs with some.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

8fbb93d0

Fix locking in ssl_cert_dup() · aeb5b955

Todd Short authored Mar 09, 2016



Properly check the return value of CRYPTO_THREAD_lock_new()

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>

aeb5b955

Restore building out of source with the unified build scheme · b7aacc3a
Richard Levitte authored Mar 09, 2016
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
b7aacc3a
CT test can't run without EC, so skip it on that algo as well · 467bbe09
Richard Levitte authored Mar 09, 2016
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
467bbe09

Fix ct_test to not assume it's in the source directory · c469a9a8

Richard Levitte authored Mar 09, 2016



ct_test assumed it's run in the source directory and failed when built
elsewhere.  It still defaults to that, but can be told another story
with the environment variables CT_DIR and CERTS_DIR.

Test recipe updated to match.

Reviewed-by: Matt Caswell <matt@openssl.org>

c469a9a8

Update CHANGES and NEWS · 9b13e27c

Matt Caswell authored Mar 09, 2016



Update the CHANGES and NEWS files with information about the recently added
AFALG engine and pipelining.

Reviewed-by: Richard Levitte <levitte@openssl.org>

9b13e27c