Commit graph

174 commits

Author SHA1 Message Date
Dr. Stephen Henson
70531c147c Make no-engine work again. 2008-12-20 17:04:40 +00:00
Dr. Stephen Henson
79bd20fd17 Update from stable-branch. 2008-11-24 17:27:08 +00:00
Ben Laurie
f3b7bdadbc Integrate J-PAKE and TLS-PSK. Increase PSK buffer size. Fix memory leaks. 2008-11-16 12:47:12 +00:00
Dr. Stephen Henson
ed551cddf7 Update from stable branch. 2008-11-12 17:28:18 +00:00
Ben Laurie
6caa4edd3e Add JPAKE. 2008-10-26 18:40:52 +00:00
Lutz Jänicke
020d67fb89 Allow detection of input EOF in quiet mode by adding -no_ign_eof option
to s_client application.
PR: #1761
Submitted by: David Woodhouse <dwmw2@infradead.org>
2008-10-22 06:46:14 +00:00
Dr. Stephen Henson
640b86cb24 Fix Warning... 2008-10-19 17:22:34 +00:00
Ben Laurie
d5bbead449 Add XMPP STARTTLS support. 2008-10-14 19:11:26 +00:00
Ben Laurie
babb379849 Type-checked (and modern C compliant) OBJ_bsearch. 2008-10-12 14:32:47 +00:00
Dr. Stephen Henson
0702150f53 Make no-tlsext compile. 2008-09-03 12:29:57 +00:00
Dr. Stephen Henson
59d2d48f64 Add support for client cert engine setting in s_client app.
Add appropriate #ifdefs round client cert functions in headers.
2008-06-03 11:26:27 +00:00
Geoff Thorpe
1e26a8baed Fix a variety of warnings generated by some elevated compiler-fascism,
OPENSSL_NO_DEPRECATED, etc. Steve, please double-check the CMS stuff...
2008-03-16 21:05:46 +00:00
Dr. Stephen Henson
0e1dba934f 1. Changes for s_client.c to make it return non-zero exit code in case
of handshake failure

2. Changes to x509_certificate_type function (crypto/x509/x509type.c) to
make it recognize GOST certificates as EVP_PKT_SIGN|EVP_PKT_EXCH
(required for s3_srvr to accept GOST client certificates).

3. Changes to EVP
	- adding of function EVP_PKEY_CTX_get0_peerkey
	- Make function EVP_PKEY_derive_set_peerkey work for context with
	  ENCRYPT operation, because we use peerkey field in the context to
	  pass non-ephemeral secret key to GOST encrypt operation.
	- added EVP_PKEY_CTRL_SET_IV control command. It is really
	  GOST-specific, but it is used in SSL code, so it has to go
	  in some header file, available during libssl compilation

4. Fix to HMAC to avoid call of OPENSSL_cleanse on undefined data

5. Include des.h if KSSL_DEBUG is defined into some libssl files, to
  make debugging output which depends on constants defined there, work
  and other KSSL_DEBUG output fixes

6. Declaration of real GOST ciphersuites, two authentication methods
   SSL_aGOST94 and SSL_aGOST2001 and one key exchange method SSL_kGOST

7. Implementation  of these methods.

8. Support for sending unsolicited serverhello extension if GOST
  ciphersuite is selected. It is require for interoperability with
  CryptoPro CSP 3.0 and 3.6 and controlled by
  SSL_OP_CRYPTOPRO_TLSEXT_BUG constant.
  This constant is added to SSL_OP_ALL, because it does nothing, if
  non-GOST ciphersuite is selected, and all implementation of GOST
  include compatibility with CryptoPro.

9. Support for CertificateVerify message without length field. It is
   another CryptoPro bug, but support is made unconditional, because it
   does no harm for draft-conforming implementation.

10. In tls1_mac extra copy of stream mac context is no more done.
  When I've written currently commited code I haven't read
  EVP_DigestSignFinal manual carefully enough and haven't noticed that
  it does an internal digest ctx copying.

This implementation was tested against
1. CryptoPro CSP 3.6 client and server
2. Cryptopro CSP 3.0 server
2007-10-26 12:06:36 +00:00
Dr. Stephen Henson
67c8e7f414 Support for certificate status TLS extension. 2007-09-26 21:56:59 +00:00
Bodo Möller
86d4bc3aea fix length parameter in SSL_set_tlsext_opaque_prf_input() calls 2007-09-23 11:08:59 +00:00
Bodo Möller
761772d7e1 Implement the Opaque PRF Input TLS extension
(draft-rescorla-tls-opaque-prf-input-00.txt), and do some cleanups and
bugfixes on the way.  In particular, this fixes the buffer bounds
checks in ssl_add_clienthello_tlsext() and in ssl_add_serverhello_tlsext().

Note that the opaque PRF Input TLS extension is not compiled by default;
see CHANGES.
2007-09-21 06:54:24 +00:00
Dr. Stephen Henson
014f62b649 Add usage message for -sess_out, -sess_in 2007-08-23 12:20:36 +00:00
Dr. Stephen Henson
d24a9c8f5a Docs and usage messages for RFC4507bis support. 2007-08-23 11:34:48 +00:00
Dr. Stephen Henson
710069c19e Fix warnings. 2007-08-12 17:44:32 +00:00
Dr. Stephen Henson
6434abbfc6 RFC4507 (including RFC4507bis) TLS stateless session resumption support
for OpenSSL.
2007-08-11 23:18:29 +00:00
Lutz Jänicke
ee373e7f19 Fix problem with multi line responses in -starttls by using a buffering
BIO and BIO_gets().
2007-02-22 17:39:47 +00:00
Lutz Jänicke
8d72476e2b Extend SMTP and IMAP protocol handling to perform the required
EHLO or CAPABILITY handshake before sending STARTTLS

Submitted by: Goetz Babin-Ebell <goetz@shomitefo.de>
2007-02-21 18:20:41 +00:00
Dr. Stephen Henson
5d5ca32fa1 Updates from 0.9.8-stable branch. 2007-02-18 18:21:57 +00:00
Richard Levitte
85c6749216 Add STARTTLS support for IMAP and FTP.
Submitted by Kees Cook <kees@outflux.net>
2007-02-16 18:12:16 +00:00
Nils Larsch
7806f3dd4b replace macros with functions
Submitted by: Tracy Camp <tracyx.e.camp@intel.com>
2006-11-29 20:54:57 +00:00
Dr. Stephen Henson
5d20c4fb35 Overhaul of by_dir code to handle dynamic loading of CRLs. 2006-09-17 17:16:28 +00:00
Bodo Möller
b166f13eb5 Call 'print_stuff' even if a handshake failed. 2006-06-15 19:00:34 +00:00
Dr. Stephen Henson
7bf7333d68 If we include winsock2.h then FD_SET wants an unsigned type for an fd. 2006-04-17 12:22:13 +00:00
Ulf Möller
4700aea951 Add BeOS support.
PR: 1312
Submitted by: Oliver Tappe <zooey@hirschkaefer.de>
Reviewed by: Ulf Moeller
2006-04-11 21:34:21 +00:00
Nils Larsch
d916ba1ba1 check if con != NULL before using it 2006-03-18 14:24:02 +00:00
Nils Larsch
67b6f1ca88 fix problems found by coverity: remove useless code 2006-03-15 17:45:43 +00:00
Nils Larsch
e968089485 use BIO_snprintf() instead of snprintf + use BIO_FP_TEXT for text output
Submitted by: Gisle Vanem
2006-03-12 22:16:57 +00:00
Nils Larsch
a0aa8b4b61 fix signed vs. unsigned warning 2006-03-11 12:18:11 +00:00
Nils Larsch
ddac197404 add initial support for RFC 4279 PSK SSL ciphersuites
PR: 1191
Submitted by: Mika Kousa and Pasi Eronen of Nokia Corporation
Reviewed by: Nils Larsch
2006-03-10 23:06:27 +00:00
Bodo Möller
241520e66d More TLS extension related changes.
Submitted by: Peter Sylvester
2006-01-11 06:10:40 +00:00
Bodo Möller
a13c20f603 Further TLS extension updates
Submitted by: Peter Sylvester
2006-01-09 19:49:05 +00:00
Bodo Möller
1aeb3da83f Fixes for TLS server_name extension
Submitted by: Peter Sylvester
2006-01-06 09:08:59 +00:00
Richard Levitte
8de5b7f548 Fix signed/unsigned char clashes. 2006-01-04 12:02:43 +00:00
Bodo Möller
f1fd4544a3 Various changes in the new TLS extension code, including the following:
- fix indentation
 - rename some functions and macros
 - fix up confusion between SSL_ERROR_... and SSL_AD_... values
2006-01-03 03:27:19 +00:00
Bodo Möller
b1277b9902 C style fix-up 2006-01-02 23:29:12 +00:00
Bodo Möller
ed3883d21b Support TLS extensions (specifically, HostName)
Submitted by: Peter Sylvester
2006-01-02 23:14:37 +00:00
Andy Polyakov
ffa101872f Eliminate dependency on read/write/stat in apps under _WIN32. 2005-11-04 09:30:55 +00:00
Dr. Stephen Henson
566dda07ba New option SSL_OP_NO_COMP to disable compression. New ctrls to set
maximum send fragment size. Allocate I/O buffers accordingly.
2005-10-08 00:18:53 +00:00
Dr. Stephen Henson
09b6c2ef15 Make OPENSSL_NO_COMP compile again. 2005-09-30 23:35:33 +00:00
Nils Larsch
4ebb342fcd Let the TLSv1_method() etc. functions return a const SSL_METHOD
pointer and make the SSL_METHOD parameter in SSL_CTX_new,
SSL_CTX_set_ssl_version and SSL_set_ssl_method const.
2005-08-14 21:48:33 +00:00
Richard Levitte
b29228836a DJGPP changes. Contributed by Doug Kaufman <dkaufman@rahul.net> 2005-05-30 22:37:44 +00:00
Dr. Stephen Henson
6c61726b2a Lots of Win32 fixes for DTLS.
1. "unsigned long long" isn't portable changed: to BN_ULLONG.
2. The LL prefix isn't allowed in VC++ but it isn't needed where it is used.
2. Avoid lots of compiler warnings about signed/unsigned mismatches.
3. Include new library directory pqueue in mk1mf build system.
4. Update symbols.
2005-04-27 16:27:14 +00:00
Dr. Stephen Henson
4e321ffaff Fixes for signed/unsigned warnings and shadows. 2005-04-26 17:43:53 +00:00
Ben Laurie
36d16f8ee0 Add DTLS support. 2005-04-26 16:02:40 +00:00
Nils Larsch
7d727231b7 some const fixes 2005-04-05 19:11:19 +00:00
Andy Polyakov
02a00bb054 DJGPP update.
PR: 989
Submitted by: Doug Kaufman
2005-01-04 10:28:38 +00:00
Dr. Stephen Henson
abbc186bd2 Fix s_client so it works without a certificate again. 2004-12-13 18:02:23 +00:00
Dr. Stephen Henson
826a42a088 PR: 910
Add command line options -certform, -keyform and -pass to s_client and
s_server. This supports the use of alternative passphrase sources, key formats
and keys handled by an ENGINE.

Update docs.
2004-11-16 17:30:59 +00:00
Richard Levitte
2549564009 On systems that use case-insensitive symbol names (i.e. they're all
converted to upper case or something like that), the application-
level bio_dump_cb() has a name clash with the new library function
BIO_dump_cb().  The easiest fix is to rename the function at the
application level.
2004-08-12 08:58:55 +00:00
Richard Levitte
47c1735acd NetWare fixes provided by Verdon Walker for OpenSSL 0.9.8-dev.
The changes have been mailed to <crypt@bis.doc.gov> as well.

PR: 903
2004-06-28 11:55:28 +00:00
Richard Levitte
4d8743f490 Netware-specific changes,
PR: 780
Submitted by: Verdon Walker <VWalker@novell.com>
Reviewed by: Richard Levitte
2003-11-28 13:10:58 +00:00
Geoff Thorpe
d8ec0dcf45 Avoid some shadowed variable names.
Submitted by: Nils Larsch
2003-11-04 00:51:32 +00:00
Richard Levitte
f44e184ec6 s_client should inform the user of any compression/expansion methods used. 2003-10-06 12:19:38 +00:00
Richard Levitte
3d7c4a5a6d Selected changes for MSDOS, contributed by Gisle Vanem <giva@bgnett.no>.
PR: 669
2003-09-27 21:56:08 +00:00
Lutz Jänicke
4f17dfcd75 Add minimum POP3 STLS hack to s_client.c (as was provided for STARTTLS before)
Submitted by: dg@sunet.ru (Daniel Ginsburg)

PR: #613
2003-05-28 20:24:57 +00:00
Richard Levitte
0b13e9f055 Add the possibility to build without the ENGINE framework.
PR: 287
2003-01-30 17:39:26 +00:00
Richard Levitte
1c3e4a3660 EXIT() may mean return(). That's confusing, so let's have it really mean
exit() in whatever way works for the intended platform, and define
OPENSSL_EXIT() to have the old meaning (the name is of course because
it's only used in the openssl program)
2002-12-03 16:33:03 +00:00
Richard Levitte
4579924b7e Cleanse memory using the new OPENSSL_cleanse() function.
I've covered all the memset()s I felt safe modifying, but may have missed some.
2002-11-28 08:04:36 +00:00
Richard Levitte
0bf23d9b20 WinCE patches 2002-11-15 22:37:18 +00:00
Richard Levitte
8d6e60486f Fix to build better with DJGPP.
PR: 338

Here's the description, submitted by Gisle Vanem <giva@bgnett.no>:

1. sock_init() renamed to ssl_sock_init() in ./apps/s_socket.c due
   to name-clash with Watt-32.

2. rand() renamed to Rand() in ./crypto/bn/divtest.c due to name-clash
   with <stdlib.h>

3. Added calls to dbug_init()/sock_init() in some demo programs.

4. Changed cflags/lflags in configure. Watt-32 install root now taken
   from $WATT_ROOT.
2002-11-14 11:22:01 +00:00
Ben Laurie
54a656ef08 Security fixes brought forward from 0.9.7. 2002-11-13 15:43:43 +00:00
Richard Levitte
cead7f36da Set up the engine before doing anything random-related, since engine randomness
is only used for seeding and doing it in the wrong order will mean seeding
is done before the engine randomness is hooked in.
Notified by Frederic DONNAT <frederic.donnat@zencod.com>
2002-07-16 06:52:03 +00:00
Dr. Stephen Henson
3647bee263 Config code updates.
CONF_modules_unload() now calls CONF_modules_finish()
automatically.

Default use of section openssl_conf moved to
CONF_modules_load()

Load config file in several openssl utilities.

Most utilities now load modules from the config file,
though in a few (such as version) this isn't done
because it couldn't be used for anything.

In the case of ca and req the config file used is
the same as the utility itself: that is the -config
command line option can be used to specify an
alternative file.
2002-02-22 14:01:21 +00:00
Richard Levitte
135c0af1bb Implement STARTTLS for certain protocols, currently only supporting SMTP. 2001-11-14 13:57:52 +00:00
Bodo Möller
a661b65357 New functions SSL[_CTX]_set_msg_callback().
New macros SSL[_CTX]_set_msg_callback_arg().

Message callback imlementation for SSL 3.0/TLS 1.0 (no SSL 2.0 yet).

New '-msg' option for 'openssl s_client' and 'openssl s_server'
that enable a message callback that displays all protocol messages.


In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert if
client_version is smaller than the protocol version in use.
Also change ssl23_get_client_hello (ssl/s23_srvr.c) to select TLS 1.0
if the client demanded SSL 3.0 but only TLS 1.0 is enabled; then the
client will at least see that alert.

Fix SSL[_CTX]_ctrl prototype (void * instead of char * for generic
pointer).

Add/update some OpenSSL copyright notices.
2001-10-20 17:56:36 +00:00
Lutz Jänicke
41ebed27fa Flush buffers to prevent mixed output (Adam Back <adam@cypherspace.org>). 2001-10-16 14:24:46 +00:00
Geoff Thorpe
1372965e2e Reduce the header dependencies on engine.h in apps/. 2001-09-12 02:39:06 +00:00
Richard Levitte
c04f8cf44a Use apps_shutdown() in all applications, in case someone decides not
to go the monolith way (does anyone do that these days?).

NOTE: a few applications are missing in this commit.  I've a few more
changes in them that I haven't tested yet.
2001-06-23 16:37:32 +00:00
Richard Levitte
531d630b5c Provide an application-common setup function for engines and use it
everywhere.
2001-06-18 06:22:33 +00:00
Dr. Stephen Henson
bdee69f718 Allow various X509_STORE_CTX properties to be
inherited from X509_STORE.

Add CRL checking options to other applications.
2001-05-09 00:30:39 +00:00
Richard Levitte
be1bd9239f Get e_os2.h to get all the system definitions correctly. 2001-02-20 14:07:03 +00:00
Richard Levitte
56dde3ebe6 Include opensslconf.h or the like early to make sure system macros get
correctly defined.
2001-02-20 13:11:54 +00:00
Richard Levitte
bc36ee6227 Use new-style system-id macros everywhere possible. I hope I haven't
missed any.

This compiles and runs on Linux, and external applications have no
problems with it.  The definite test will be to build this on VMS.
2001-02-20 08:13:47 +00:00
Richard Levitte
cf1b7d9664 Make all configuration macros available for application by making
sure they are available in opensslconf.h, by giving them names starting
with "OPENSSL_" to avoid conflicts with other packages and by making
sure e_os2.h will cover all platform-specific cases together with
opensslconf.h.

I've checked fairly well that nothing breaks with this (apart from
external software that will adapt if they have used something like
NO_KRB5), but I can't guarantee it completely, so a review of this
change would be a good thing.
2001-02-19 16:06:34 +00:00
Lutz Jänicke
52b621db88 Add "-rand" option to s_client and s_server. 2001-02-15 10:22:07 +00:00
Lutz Jänicke
836f996010 New Option SSL_OP_CIPHER_SERVER_PREFERENCE allows TLS/SSLv3 server to override
the clients choice; in SSLv2 the client uses the server's preferences.
2001-02-09 19:56:31 +00:00
Richard Levitte
f9b3bff6f7 First tentative impementation of Kerberos 5 cryptos and keys for SSL/TLS. Implemented by Vern Staats <staatsvr@asc.hpc.mil>, further hacked and distributed by Jeffrey Altman <jaltnab@columbia.edu> 2000-11-30 22:53:34 +00:00
Richard Levitte
5270e7025e Merge the engine branch into the main trunk. All conflicts resolved.
At the same time, add VMS support for Rijndael.
2000-10-26 21:07:28 +00:00
Richard Levitte
26a3a48d65 There have been a number of complaints from a number of sources that names
like Malloc, Realloc and especially Free conflict with already existing names
on some operating systems or other packages.  That is reason enough to change
the names of the OpenSSL memory allocation macros to something that has a
better chance of being unique, like prepending them with OPENSSL_.

This change includes all the name changes needed throughout all C files.
2000-06-01 22:19:21 +00:00
Richard Levitte
a9ef75c50d Small fix to enable reading from stdin as well.
Contributed by Yoichiro Okabe <okabe@wizsoft.co.jp>
2000-06-01 11:23:20 +00:00
Richard Levitte
ce301b6b0b Add the possibility (with -ign_eof) to ignore end of file on input but
still not be quiet.  Also make it clear that -quiet implicitely means
-ign_eof as well.
2000-03-10 12:18:28 +00:00
Ulf Möller
4ec19e203c Fix gcc warnings. 2000-02-20 20:59:21 +00:00
Ralf S. Engelschall
667ac4ec6a Make gcc 2.95.2 happy again, even under ``-Wall -Wshadow -Wpointer-arith -Wcast-align
-Wmissing-prototypes -Wmissing-declarations -Wnested-externs -Winline''.
2000-02-11 09:47:18 +00:00
Dr. Stephen Henson
af57d84312 Rename SSLeay_add_all_algorithms() et al to
OpenSSL_add_all_algorithms(). Move these into
separate files so they work properly.
2000-02-04 14:01:38 +00:00
Ulf Möller
657e60fa00 ispell (and minor modifications) 2000-02-03 23:23:24 +00:00
Dr. Stephen Henson
82fc1d9c28 Add new -notext option to 'ca', -pubkey option to spkac.
Remove some "WTF??" casts from applications.

Fixes to keep VC++ happy and avoid warnings.

Docs tidy.
2000-02-03 02:56:48 +00:00
Dr. Stephen Henson
fabce04122 Make s_server, s_client check cipher list return codes.
Update docs.
2000-01-23 02:28:08 +00:00
Ulf Möller
aa82db4fb4 Add missing #ifndefs that caused missing symbols when building libssl
as a shared library without RSA.  Use #ifndef NO_SSL2 instead of
NO_RSA in ssl/s2*.c.

Submitted by: Kris Kennaway <kris@hub.freebsd.org>
Modified by Ulf Möller
2000-01-16 21:10:00 +00:00
Dr. Stephen Henson
c3ed3b6eab Add -prexit command to s_client and patch some BIO
functions so it doesn't crash. Document s_client.
2000-01-08 19:05:47 +00:00
Dr. Stephen Henson
dd4134101f Change the trust and purpose code so it doesn't need init
either and has a static and dynamic mix.
1999-12-02 02:33:56 +00:00
Dr. Stephen Henson
bb7cd4e3eb Remainder of SSL purpose and trust code: trust and purpose setting in
SSL_CTX and SSL, functions to set them and defaults if no values set.
1999-11-29 22:35:00 +00:00
Bodo Möller
a31011e8e0 Various randomness handling bugfixes and improvements --
some utilities that should have used RANDFILE did not,
and -rand handling was broken except in genrsa.
1999-10-26 01:56:29 +00:00
Dr. Stephen Henson
06f4536a61 Fix to make s_client and s_server work under Windows. A bit of a hack but
an improvement on not working at all.
1999-09-20 22:09:17 +00:00
Bodo Möller
1b1a6e7808 -crlf option. 1999-08-09 13:01:48 +00:00
Bodo Möller
204cf1abb0 Comments. 1999-08-08 14:21:04 +00:00