Kurt Roeckx
2b8fa1d56c
Deprecate the use of version-specific methods
...
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MR: #1824
2016-03-09 19:45:05 +01:00
Kurt Roeckx
885e601d97
Use version flexible method instead of fixed version
...
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MR: #1824
2016-03-09 19:39:54 +01:00
Kurt Roeckx
0d5301aff9
Use minimum and maximum protocol version instead of version fixed methods
...
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MR: #1824
2016-03-09 19:38:56 +01:00
Kurt Roeckx
1fc7d6664a
Fix usage of OPENSSL_NO_*_METHOD
...
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MR: #1824
2016-03-09 19:38:18 +01:00
Kurt Roeckx
ca3895f0b5
Move disabling of RC4 for DTLS to the cipher list.
...
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MR: #1595
2016-03-09 19:10:28 +01:00
Kurt Roeckx
82478521aa
Remove DES cipher alias
...
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MR: #1595
2016-03-09 19:10:28 +01:00
Kurt Roeckx
29c4cf0cd1
Update ciphers -s documentation
...
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MR: #1595
2016-03-09 19:10:28 +01:00
Kurt Roeckx
cdc72e497d
Document SSL_get1_supported_ciphers
...
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MR: #1595
2016-03-09 19:10:28 +01:00
Kurt Roeckx
d7a474264b
IDEA is not supported in TLS 1.2
...
This currently seems to be the only cipher we still support that should get
disabled.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MR: #1595
2016-03-09 19:10:28 +01:00
Kurt Roeckx
3eb2aff401
Add support for minimum and maximum protocol version supported by a cipher
...
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MR: #1595
2016-03-09 19:10:28 +01:00
Kurt Roeckx
068c358ac3
Add ssl_get_client_min_max_version() function
...
Adjust ssl_set_client_hello_version to get both the minimum and maximum and then
make ssl_set_client_hello_version use the maximum version.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MR: #1595
2016-03-09 19:10:28 +01:00
Kurt Roeckx
b11836a63a
Make SSL_CIPHER_get_version return a const char *
...
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MR: #1595
2016-03-09 19:10:28 +01:00
Kurt Roeckx
6063453c5a
Remove unused code
...
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MR: #1595
2016-03-09 19:10:28 +01:00
Kurt Roeckx
7d65007238
Make function to convert version to string
...
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MR: #1595
2016-03-09 19:10:28 +01:00
Kurt Roeckx
e4646a8963
Constify security callbacks
...
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MR: #1595
2016-03-09 19:10:28 +01:00
Rob Percival
ca74c38dc8
Documentation for ctx_set_ctlog_list_file()
...
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 13:07:09 -05:00
Rob Percival
6bea2a72a8
Minor improvement to formatting of SCT output in s_client
...
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 13:07:09 -05:00
Rob Percival
328f36c5c5
Do not display a CT log error message if CT validation is disabled
...
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 13:07:09 -05:00
Rich Salz
60b350a3ef
RT3676: Expose ECgroup i2d functions
...
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-03-09 12:25:21 -05:00
Richard Levitte
c471884996
Comment away the extra checks in Configure
...
The "extra checks" is a debugging tool to check the config resolving
mechanism. It uses Perl's smart match, which is experimental and
therefore always causes Perl to give out a warning, and it causes
older Perl versions to fail entirely.
So, it gets commented away, but stays otherwise in place, as it may be
useful again.
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-03-09 17:59:14 +01:00
Richard Levitte
67336ea400
Make ct_dir and certs_dir static in test/ct_test.c
...
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-03-09 17:58:02 +01:00
Richard Levitte
1bee9d6b6c
Fix ct_test to not assume it's in the source directory
...
ct_test assumed it's run in the source directory and failed when built
elsewhere. It still defaults to that, but can be told another story
with the environment variables CT_DIR and CERTS_DIR.
Test recipe updated to match.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 11:35:18 -05:00
Rob Percival
9ddff1e83c
Document importance of CTLOG_STORE outliving SCT if SCT_set0_log is used
...
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 11:34:48 -05:00
Rob Percival
dc919c6935
Make SCT literals into const variables in ct_test.c
...
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 11:34:48 -05:00
Rob Percival
eac84e8127
Makes STACK_OF(SCT)* parameter of i2d_SCT_LIST const
...
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 11:34:48 -05:00
Rob Percival
14db9bbd71
Removes SCT_LIST_set_source and SCT_LIST_set0_logs
...
Both of these functions can easily be implemented by callers instead.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 11:34:48 -05:00
Rob Percival
21b908a8f9
Makes SCT_get0_log return const CTLOG*
...
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 11:34:48 -05:00
Rob Percival
12d2d28185
Makes CTLOG_STORE_get0_log_by_id return const CTLOG*
...
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 11:34:48 -05:00
Rob Percival
98af731064
Improved documentation of SCT_CTX_* functions
...
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 11:34:48 -05:00
Rob Percival
e5a7ac446b
Updates ct_err.c
...
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 11:34:48 -05:00
Rob Percival
5c081a8f74
Remove unnecessary call to SCT_set1_extensions(sct, "", 0) in ct_test.c
...
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 11:34:48 -05:00
Rob Percival
6d7fd9c142
Reset SCT validation_status if the SCT is modified
...
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 11:34:48 -05:00
Rob Percival
9c812014c8
Use SCT_VERSION_V1 in place of literal 0 in ct_test.c
...
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 11:34:48 -05:00
Rob Percival
70279a81a7
Fixes "usuable" typo in ct_locl.h
...
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 11:34:48 -05:00
Rob Percival
70073f3e3a
Treat boolean functions as booleans
...
Use "!x" instead of "x <= 0", as these functions never return a negative
value.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 11:34:48 -05:00
Rob Percival
8c92c4eac0
Make parameters of CTLOG_get* const
...
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 11:34:48 -05:00
Rob Percival
5da65ef23c
Extensive application of __owur to CT functions that return a boolean
...
Also improves some documentation of those functions.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 11:34:48 -05:00
Rob Percival
8fbb93d0e2
Makes SCT_LIST_set_source return the number of successes
...
No longer terminates on first error, but instead tries to set the source
of every SCT regardless of whether an error occurs with some.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 11:34:48 -05:00
Todd Short
aeb5b95576
Fix locking in ssl_cert_dup()
...
Properly check the return value of CRYPTO_THREAD_lock_new()
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-03-09 11:26:01 -05:00
Richard Levitte
b7aacc3ac3
Restore building out of source with the unified build scheme
...
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-03-09 17:13:56 +01:00
Richard Levitte
467bbe090b
CT test can't run without EC, so skip it on that algo as well
...
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-03-09 17:13:23 +01:00
Richard Levitte
c469a9a81e
Fix ct_test to not assume it's in the source directory
...
ct_test assumed it's run in the source directory and failed when built
elsewhere. It still defaults to that, but can be told another story
with the environment variables CT_DIR and CERTS_DIR.
Test recipe updated to match.
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-03-09 17:13:23 +01:00
Matt Caswell
9b13e27c28
Update CHANGES and NEWS
...
Update the CHANGES and NEWS files with information about the recently added
AFALG engine and pipelining.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-09 15:31:22 +00:00
Matt Caswell
651edc0d19
Fix classic build
...
The Thread API changes broke classic build. This fixes it.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-09 14:58:42 +00:00
Richard Levitte
635bd409b3
In build.info, an IF within a clause that's skipped over shouldn't apply
...
If we find an IF within a clause that's skipped over, set it to be
skipped as well.
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-03-09 14:53:30 +01:00
Matt Caswell
4a4e250c2a
Add an entry in NEWS about the new threading API
...
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-09 12:41:39 +00:00
Matt Caswell
5818c2b839
Update CHANGES for the new threading API
...
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-09 12:41:39 +00:00
Matt Caswell
2e52e7df51
Remove the old threading API
...
All OpenSSL code has now been transferred to use the new threading API,
so the old one is no longer used and can be removed. We provide some compat
macros for removed functions which are all no-ops.
There is now no longer a need to set locking callbacks!!
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-09 12:41:39 +00:00
Matt Caswell
4fc4faa7a7
Remove use of the old CRYPTO_LOCK_X5O9_STORE
...
The locking here is a bit strange and unclear. Rather than refactor
anything and possibly break stuff I have just moved to using the new
thread API following as closely as possible what was there previously.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-09 12:41:39 +00:00
Richard Levitte
9749a07a1d
Don't call ENGINE_cleanup when configured "no-engine"
...
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-03-09 12:52:50 +01:00