Commit graph

11520 commits

Author SHA1 Message Date
Ben Laurie
1769dfab06 Const fix. 2013-09-06 14:03:28 +01:00
Scott Deboy
67c408cee9 Free generated supp data after handshake completion, add comment regarding use of num_renegotiations in TLS and supp data generation callbacks 2013-09-06 13:59:14 +01:00
Ben Laurie
5eda213ebe More cleanup. 2013-09-06 13:59:14 +01:00
Ben Laurie
a6a48e87bc Make it build. 2013-09-06 13:59:13 +01:00
Scott Deboy
36086186a9 Add callbacks supporting generation and retrieval of supplemental data entries, facilitating RFC 5878 (TLS auth extensions)
Removed prior audit proof logic - audit proof support was implemented using the generic TLS extension API
Tests exercising the new supplemental data registration and callback api can be found in ssltest.c.
Implemented changes to s_server and s_client to exercise supplemental data callbacks via the -auth argument, as well as additional flags to exercise supplemental data being sent only during renegotiation.
2013-09-06 13:59:13 +01:00
Ben Laurie
cda01d55ba s/recommend/recommended/ 2013-09-05 21:43:50 +01:00
Veres Lajos
478b50cf67 misspellings fixes by https://github.com/vlajos/misspell_fixer 2013-09-05 21:39:42 +01:00
Ben Laurie
d2625fd657 Clean up layout. 2013-09-05 17:28:05 +01:00
Carlos Alberto Lopez Perez
b98af49d97 Add an "-xmpphost" option to s_client
* Many XMPP servers are configured with multiple domains (virtual hosts)
 * In order to establish successfully the TLS connection you have to specify
   which virtual host you are trying to connect.
 * Test this, for example with ::
   * Fail:
       openssl s_client -connect talk.google.com:5222 -starttls xmpp
   * Works:
       openssl s_client -connect talk.google.com:5222 -starttls xmpp -xmpphost gmail.com
2013-09-05 17:24:56 +01:00
Carlos Alberto Lopez Perez
50f307a98f Add "xmpp" to the list of supported starttls protocols on s_client manpage 2013-09-05 17:24:56 +01:00
Carlos Alberto Lopez Perez
4249d4ba86 Fix infinite loop on s_client starttls xmpp
* When the host used in "-connect" is not what the remote XMPP server expects
   the server will return an error like this:
     <stream:error>
       <host-unknown xmlns='urn:ietf:params:xml:ns:xmpp-streams'/>
     </stream:error>
 * But the actual code will stay on the loop forever because the stop condition
   "/stream:features>" will never happen,
 * Make this more robust: The stop condition should be that BIO_read failed
 * Test if for example with ::

    openssl s_client  -connect random.jabb3r.net:5222 -starttls xmpp
2013-09-05 17:24:56 +01:00
Carlos Alberto Lopez Perez
4e48c77572 Fix XMPP code detection on s_client starttls xmpp
* Some XMPP Servers (OpenFire) use double quotes.
 * This makes s_client starttls work with this servers.
 * Tested with OpenFire servers from http://xmpp.net/ ::

     openssl s_client -connect coderollers.com:5222 -starttls xmpp
2013-09-05 17:24:55 +01:00
Rob Stradling
dece3209f2 Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X.
OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.
2013-09-05 13:09:03 +01:00
Dr. Stephen Henson
c3eb33763b Document supported curve functions. 2013-09-03 15:43:01 +01:00
Dr. Stephen Henson
902efde1cc Document -force_pubkey option. 2013-08-21 13:43:00 +01:00
Dr. Stephen Henson
36019f70e8 Correct ECDSA example. 2013-08-21 13:43:00 +01:00
Ben Laurie
d5605699a1 Correctly test for no-ec. 2013-08-21 04:21:57 +01:00
Ben Laurie
a0aaa5660a Fix compile errors. 2013-08-21 04:21:42 +01:00
Dr. Stephen Henson
fcb2bcfe65 Typo: don't call RAND_cleanup during app startup.
(cherry picked from commit 90e7f983b5)
2013-08-18 19:06:51 +01:00
Dr. Stephen Henson
eeb15452a0 Add documentation.
Preliminary documentation for chain and verify stores and certificate chain
setting functions.
2013-08-17 17:41:14 +01:00
Dr. Stephen Henson
b85f8afe37 Don't run ECDH CMS tests if EC disabled. 2013-08-17 17:41:14 +01:00
Dr. Stephen Henson
14536c8c9c Make no-ec compilation work. 2013-08-17 17:41:13 +01:00
Dr. Stephen Henson
42082eda6f Return 1 when setting ECDH auto mode. 2013-08-17 17:41:13 +01:00
Dr. Stephen Henson
5ef24a806d Add the server 'hang' issue to the FAQ 2013-08-14 16:38:06 +01:00
Michael Tuexen
b62f4daac0 DTLS message_sequence number wrong in rehandshake ServerHello
This fix ensures that
* A HelloRequest is retransmitted if not responded by a ClientHello
* The HelloRequest "consumes" the sequence number 0. The subsequent
ServerHello uses the sequence number 1.
* The client also expects the sequence number of the ServerHello to
be 1 if a HelloRequest was received earlier.
This patch fixes the RFC violation.
2013-08-13 18:53:19 +01:00
Michael Tuexen
0c75eeacd3 DTLS handshake fix.
Reported by: Prashant Jaikumar <rmstar@gmail.com>

Fix handling of application data received before a handshake.
2013-08-08 13:30:49 +01:00
Kaspar Brand
5ae8d6bcba Fix for PEM_X509_INFO_read_bio.
PR: 3028
Fix bug introduced in PEM_X509_INFO_bio which wouldn't process RSA keys
correctly if they appeared first.
2013-08-06 16:01:47 +01:00
Dr. Stephen Henson
dfcb42c68e Update cms docs. 2013-08-05 16:23:22 +01:00
Dr. Stephen Henson
bbc098ffb3 Add X9.42 DH test. 2013-08-05 16:23:22 +01:00
Dr. Stephen Henson
75787fd833 Add X9.42 DH certificate to S/MIME test 2013-08-05 16:23:22 +01:00
Dr. Stephen Henson
bd59f2b91d CMS RFC2631 X9.42 DH enveloped data support. 2013-08-05 16:23:13 +01:00
Dr. Stephen Henson
dc1ce3bc64 Add KDF for DH.
Add X9.42 DH KDF. Move sharedinfo generation code to CMS library as the
same structure is used by DH and ECDH.

Move ASN1_OBJECT typedef to ossl_typ.h so it can be picked up by dh headers
without the need to use ASN1.
2013-08-05 15:45:01 +01:00
Dr. Stephen Henson
3909087801 Extend DH parameter generation support.
Add support for DH parameter generation using DSA methods including
FIPS 186-3.
2013-08-05 15:45:01 +01:00
Dr. Stephen Henson
d3cc91eee2 Enhance DH dup functions.
Make DHparams_dup work properly with X9.42 DH parameters.
2013-08-05 15:45:01 +01:00
Dr. Stephen Henson
c9577ab5ea If present print j, seed and counter values for DH 2013-08-05 15:45:00 +01:00
Dr. Stephen Henson
3f6b6f0b8c Minor optimisation to KDF algorithm.
Don't need to use temporary buffer if remaining length equals digest length.
2013-08-05 15:45:00 +01:00
Dr. Stephen Henson
e61f5d55bc Algorithm parameter support.
Check and set AlgorithmIdenfier parameters for key wrap algorithms.
Currently these just set parameters to NULL.
2013-08-05 15:45:00 +01:00
Andy Polyakov
a59f436295 crypto/evp/e_aes.c: fix logical pre-processor bug and formatting.
Bug would emerge when XTS is added to bsaes-armv7.pl. Pointed out by
Ard Biesheuvel of Linaro.
2013-08-03 17:09:06 +02:00
Andy Polyakov
fd8ad019e1 crypto/bn/asm/rsax-x86_64.pl: make it work on Darwin. 2013-08-03 16:28:50 +02:00
Andy Polyakov
006784378d crypto/sha/asm/sha*-x86_64.pl: comply with Win64 ABI. 2013-07-31 23:50:15 +02:00
Trevor Perrin
0b2bde70dd Various custom extension fixes.
Force no SSL2 when custom extensions in use.
Don't clear extension state when cert is set.
Clear on renegotiate.
2013-07-31 14:29:41 +01:00
Adam Langley
a898936218 Add tests for ALPN functionality.
Conflicts:
	ssl/ssltest.c
2013-07-22 15:47:48 +01:00
Ben Laurie
a108f841ba Add a no-opt 64-bit target. 2013-07-22 15:28:20 +01:00
Adam Langley
6f017a8f9d Support ALPN.
This change adds support for ALPN[1] in OpenSSL. ALPN is the IETF
blessed version of NPN and we'll be supporting both ALPN and NPN for
some time yet.

[1] https://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-00

Conflicts:
	ssl/ssl3.h
	ssl/t1_lib.c
2013-07-22 15:28:20 +01:00
Dr. Stephen Henson
584ac22110 Make ecdsatest work with nonces.
Update ecdsatest to use ECDSA_sign_setup and ECDSA_sign_ex, this
avoids the nonce generation which would otherwise break the test.

Reinstate ecdsatest.
2013-07-19 14:11:43 +01:00
Dr. Stephen Henson
527c898ce8 Temporarily disable ECDSA test.
Disable ECDSA test temporarily: it is incompatible with ECDSA nonces.
2013-07-19 13:46:48 +01:00
Dr. Stephen Henson
5cdc25a754 New CMS tests.
Add some ECDH CMS tests.
2013-07-17 21:45:01 +01:00
Dr. Stephen Henson
a0957d5505 Scripts to recreate S/MIME test certificates.
Add a script to generate keys and certificates for the S/MIME and CMS
tests.

Update certificates and add EC examples.
2013-07-17 21:45:01 +01:00
Dr. Stephen Henson
5711885a2b Custom key wrap option for cms utility. 2013-07-17 21:45:01 +01:00
Dr. Stephen Henson
41b920ef01 Return correct enveloped data type in ASN1 methods.
For RSA and DSA keys return an appropriate RecipientInfo type. By setting
CMS_RECIPINFO_NONE for DSA keys an appropriate error is returned if
an attempt is made to use DSA with enveloped data.
2013-07-17 21:45:01 +01:00