Commit graph

681 commits

Author SHA1 Message Date
Scott Deboy
ac20719d99 Update custom TLS extension and supplemental data 'generate' callbacks to support sending an alert.
If multiple TLS extensions are expected but not received, the TLS extension and supplemental data 'generate' callbacks are the only chance for the receive-side to trigger a specific TLS alert during the handshake.

Removed logic which no-op'd TLS extension generate callbacks (as the generate callbacks need to always be called in order to trigger alerts), and updated the serverinfo-specific custom TLS extension callbacks to track which custom TLS extensions were received by the client, where no-ops for 'generate' callbacks are appropriate.
2014-02-05 18:25:46 +00:00
Dr. Stephen Henson
0f78819c8c New ctrl to set current certificate.
New ctrl sets current certificate based on certain criteria. Currently
two options: set the first valid certificate as current and set the
next valid certificate as current. Using these an application can
iterate over all certificates in an SSL_CTX or SSL structure.
2014-02-02 22:58:19 +00:00
Daniel Kahn Gillmor
5a21cadbeb use SSL_kDHE throughout instead of SSL_kEDH
DHE is the standard term used by the RFCs and by other TLS
implementations.  It's useful to have the internal variables use the
standard terminology.

This patch leaves a synonym SSL_kEDH in place, though, so that older
code can still be built against it, since that has been the
traditional API.  SSL_kEDH should probably be deprecated at some
point, though.
2014-01-09 15:43:28 +00:00
Daniel Kahn Gillmor
4082fea81c use SSL_kECDHE throughout instead of SSL_kEECDH
ECDHE is the standard term used by the RFCs and by other TLS
implementations.  It's useful to have the internal variables use the
standard terminology.

This patch leaves a synonym SSL_kEECDH in place, though, so that older
code can still be built against it, since that has been the
traditional API.  SSL_kEECDH should probably be deprecated at some
point, though.
2014-01-09 15:43:27 +00:00
Rob Stradling
7b6b246fd3 Additional "chain_cert" functions.
PR#3169

This patch, which currently applies successfully against master and
1_0_2, adds the following functions:

SSL_[CTX_]select_current_cert() - set the current certificate without
disturbing the existing structure.

SSL_[CTX_]get0_chain_certs() - get the current certificate's chain.

SSL_[CTX_]clear_chain_certs() - clear the current certificate's chain.

The patch also adds these functions to, and fixes some existing errors
in, SSL_CTX_add1_chain_cert.pod.
2013-11-13 23:48:35 +00:00
Nick Mathewson
2016265dfb Do not include a timestamp in the Client/ServerHello Random field.
Instead, send random bytes, unless SSL_SEND_{CLIENT,SERVER}RANDOM_MODE
is set.

This is a forward-port of commits:
  4af793036f
  f4c93b46ed
  3da721dac9
  2583270191

While the gmt_unix_time record was added in an ostensible attempt to
mitigate the dangers of a bad RNG, its presence leaks the host's view
of the current time in the clear.  This minor leak can help
fingerprint TLS instances across networks and protocols... and what's
worse, it's doubtful thet the gmt_unix_time record does any good at
all for its intended purpose, since:

    * It's quite possible to open two TLS connections in one second.

    * If the PRNG output is prone to repeat itself, ephemeral
      handshakes (and who knows what else besides) are broken.
2013-10-21 03:37:20 +01:00
Dr. Stephen Henson
5e3ff62c34 Experimental encrypt-then-mac support.
Experimental support for encrypt then mac from
draft-gutmann-tls-encrypt-then-mac-02.txt

To enable it set the appropriate extension number (0x10 for the test server)
using e.g. -DTLSEXT_TYPE_encrypt_then_mac=0x10

For non-compliant peers (i.e. just about everything) this should have no
effect.
2013-09-08 13:14:03 +01:00
Scott Deboy
36086186a9 Add callbacks supporting generation and retrieval of supplemental data entries, facilitating RFC 5878 (TLS auth extensions)
Removed prior audit proof logic - audit proof support was implemented using the generic TLS extension API
Tests exercising the new supplemental data registration and callback api can be found in ssltest.c.
Implemented changes to s_server and s_client to exercise supplemental data callbacks via the -auth argument, as well as additional flags to exercise supplemental data being sent only during renegotiation.
2013-09-06 13:59:13 +01:00
Trevor
a398f821fa Add support for arbitrary TLS extensions.
Contributed by Trevor Perrin.
2013-06-12 17:01:13 +01:00
Dr. Stephen Henson
4544f0a691 Suite B support for DTLS 1.2
Check for Suite B support using method flags instead of version numbers:
anything supporting TLS 1.2 cipher suites will also support Suite B.

Return an error if an attempt to use DTLS 1.0 is made in Suite B mode.
2013-04-09 16:49:13 +01:00
Dr. Stephen Henson
1e2d4cb0e1 Make TLS 1.2 ciphers work again.
Since s->method does not reflect the final client version when a client
hello is sent for SSLv23_client_method it can't be relied on to indicate
if TLS 1.2 ciphers should be used. So use the client version instead.
2013-04-04 18:21:58 +01:00
Dr. Stephen Henson
4221c0dd30 Enable TLS 1.2 ciphers in DTLS 1.2.
Port TLS 1.2 GCM code to DTLS. Enable use of TLS 1.2 only ciphers when in
DTLS 1.2 mode too.
2013-03-28 14:14:27 +00:00
Dr. Stephen Henson
c3b344e36a Provisional DTLS 1.2 support.
Add correct flags for DTLS 1.2, update s_server and s_client to handle
DTLS 1.2 methods.

Currently no support for version negotiation: i.e. if client/server selects
DTLS 1.2 it is that or nothing.
2013-03-26 15:16:41 +00:00
Dr. Stephen Henson
cfd298b7ae Extend DTLS method macros.
Extend DTLS method creation macros to support version numbers and encryption
methods. Update existing code.
2013-03-26 15:16:41 +00:00
Dr. Stephen Henson
cbd64894ec Use enc_flags when deciding protocol variations.
Use the enc_flags field to determine whether we should use explicit IV,
signature algorithms or SHA256 default PRF instead of hard coding which
versions support each requirement.
2013-03-18 15:03:58 +00:00
Dr. Stephen Henson
6de2649a6b Use appropriate versions of SSL3_ENC_METHOD 2013-03-18 14:53:59 +00:00
Dr. Stephen Henson
173e72e64c DTLS revision.
Revise DTLS code. There was a *lot* of code duplication in the
DTLS code that generates records. This makes it harder to maintain and
sometimes a TLS update is omitted by accident from the DTLS code.

Specifically almost all of the record generation functions have code like
this:

some_pointer = buffer + HANDSHAKE_HEADER_LENGTH;
... Record creation stuff ...
set_handshake_header(ssl, SSL_MT_SOMETHING, message_len);

...

write_handshake_message(ssl);

Where the "Record creation stuff" is identical between SSL/TLS and DTLS or
in some cases has very minor differences.

By adding a few fields to SSL3_ENC to include the header length, some flags
and function pointers for handshake header setting and handshake writing the
code can cope with both cases.

Note: although this passes "make test" and some simple DTLS tests there may
be some minor differences in the DTLS code that have to be accounted for.
2013-03-18 14:36:43 +00:00
Dr. Stephen Henson
890f2f8b92 DTLS trace support.
Add DTLS record header parsing, different client hello format and add
HelloVerifyRequest message type.

Add code to d1_pkt.c to send message headers to the message callback.
2013-03-11 13:05:07 +00:00
Andy Polyakov
dd7e60bd70 ssl/*: revert "remove SSL_RECORD->orig_len" and merge "fix IV".
Revert is appropriate because binary compatibility is not an issue
in 1.1.
2013-02-08 10:20:48 +01:00
Andy Polyakov
2aec073a52 ssl/*: remove SSL3_RECORD->orig_len to restore binary compatibility.
Kludge alert. This is arranged by passing padding length in unused
bits of SSL3_RECORD->type, so that orig_len can be reconstructed.
(cherry picked from commit 8bfd4c659f)
2013-02-06 14:19:10 +00:00
Dr. Stephen Henson
c4e6fb1524 Timing fix mitigation for FIPS mode.
We have to use EVP in FIPS mode so we can only partially mitigate
timing differences.

Make an extra call to EVP_DigestSignUpdate to hash additonal blocks
to cover any timing differences caused by removal of padding.
(cherry picked from commit b908e88ec1)
2013-02-06 14:19:08 +00:00
Ben Laurie
2acc020b77 Make CBC decoding constant time.
This patch makes the decoding of SSLv3 and TLS CBC records constant
time. Without this, a timing side-channel can be used to build a padding
oracle and mount Vaudenay's attack.

This patch also disables the stitched AESNI+SHA mode pending a similar
fix to that code.

In order to be easy to backport, this change is implemented in ssl/,
rather than as a generic AEAD mode. In the future this should be changed
around so that HMAC isn't in ssl/, but crypto/ as FIPS expects.
(cherry picked from commit e130841bcc)
2013-02-06 14:19:07 +00:00
Dr. Stephen Henson
94a209d8e1 Add ctrl and utility functions to retrieve raw cipher list sent by client in
client hello message. Previously this could only be retrieved on an initial
connection and it was impossible to determine the cipher IDs of any uknown
ciphersuites.
2012-09-12 13:57:48 +00:00
Ben Laurie
2daceb0342 Call OCSP Stapling callback after ciphersuite has been chosen, so the
right response is stapled. Also change SSL_get_certificate() so it
returns the certificate actually sent.  See
http://rt.openssl.org/Ticket/Display.html?id=2836.
2012-09-11 12:57:46 +00:00
Dr. Stephen Henson
d47c01a31a perform sanity checks on server certificate type as soon as it is received instead of waiting until server key exchange 2012-08-31 11:18:54 +00:00
Dr. Stephen Henson
2ea8035460 Add three Suite B modes to TLS code, supporting RFC6460. 2012-08-15 15:15:05 +00:00
Dr. Stephen Henson
6dbb6219e7 Make tls1_check_chain return a set of flags indicating checks passed
by a certificate chain. Add additional tests to handle client
certificates: checks for matching certificate type and issuer name
comparison.

Print out results of checks for each candidate chain tested in
s_server/s_client.
2012-07-27 13:39:23 +00:00
Dr. Stephen Henson
ec4a50b3c3 Abort handshake if signature algorithm used not supported by peer. 2012-07-24 18:11:27 +00:00
Dr. Stephen Henson
d18b716d25 check EC tmp key matches preferences 2012-07-24 13:47:40 +00:00
Dr. Stephen Henson
74ecfab401 Add support for certificate stores in CERT structure. This makes it
possible to have different stores per SSL structure or one store in
the parent SSL_CTX. Include distint stores for certificate chain
verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN
to build and store a certificate chain in CERT structure: returing
an error if the chain cannot be built: this will allow applications
to test if a chain is correctly configured.

Note: if the CERT based stores are not set then the parent SSL_CTX
store is used to retain compatibility with existing behaviour.
2012-07-23 23:34:28 +00:00
Dr. Stephen Henson
b7bfe69b66 New function ssl_set_client_disabled to set masks for any ciphersuites
that are disabled for this session (as opposed to always disabled by
configuration).
2012-07-18 14:09:46 +00:00
Dr. Stephen Henson
9f27b1eec3 Add new ctrl to retrieve client certificate types, print out
details in s_client.

Also add ctrl to set client certificate types. If not used sensible values
will be included based on supported signature algorithms: for example if
we don't include any DSA signing algorithms the DSA certificate type is
omitted.

Fix restriction in old code where certificate types would be truncated
if it exceeded TLS_CT_NUMBER.
2012-07-08 14:22:45 +00:00
Dr. Stephen Henson
3dbc46dfcd Separate client and server permitted signature algorithm support: by default
the permitted signature algorithms for server and client authentication
are the same but it is now possible to set different algorithms for client
authentication only.
2012-07-03 12:51:14 +00:00
Dr. Stephen Henson
18d7158809 Add certificate callback. If set this is called whenever a certificate
is required by client or server. An application can decide which
certificate chain to present based on arbitrary criteria: for example
supported signature algorithms. Add very simple example to s_server.
This fixes many of the problems and restrictions of the existing client
certificate callback: for example you can now clear existing certificates
and specify the whole chain.
2012-06-29 14:24:42 +00:00
Dr. Stephen Henson
0f39bab0df Function tls1_check_ec_server_key is now redundant as we make
appropriate checks in tls1_check_chain.
2012-06-28 13:02:14 +00:00
Dr. Stephen Henson
d61ff83be9 Add new "valid_flags" field to CERT_PKEY structure which determines what
the certificate can be used for (if anything). Set valid_flags field
in new tls1_check_chain function. Simplify ssl_set_cert_masks which used
to have similar checks in it.

Add new "cert_flags" field to CERT structure and include a "strict mode".
This enforces some TLS certificate requirements (such as only permitting
certificate signature algorithms contained in the supported algorithms
extension) which some implementations ignore: this option should be used
with caution as it could cause interoperability issues.
2012-06-28 12:45:49 +00:00
Dr. Stephen Henson
4453cd8c73 Reorganise supported signature algorithm extension processing.
Only store encoded versions of peer and configured signature algorithms.
Determine shared signature algorithms and cache the result along with NID
equivalents of each algorithm.
2012-06-25 14:32:30 +00:00
Dr. Stephen Henson
0f229cce65 Add support for application defined signature algorithms for use with
TLS v1.2. These are sent as an extension for clients and during a certificate
request for servers.

TODO: add support for shared signature algorithms, respect shared algorithms
when deciding which ciphersuites and certificates to permit.
2012-06-22 14:03:31 +00:00
Dr. Stephen Henson
a5ee80b910 Make it possible to delete all certificates from an SSL structure. 2012-06-18 12:56:59 +00:00
Ben Laurie
71fa451343 Version skew reduction: trivia (I hope). 2012-06-03 22:00:21 +00:00
Ben Laurie
a9e1c50bb0 RFC 5878 support. 2012-05-30 10:10:58 +00:00
Dr. Stephen Henson
09e4e4b98e Submitted by: Peter Sylvester <peter.sylvester@edelweb.fr>
Reviewed by: steve
Improved localisation of TLS extension handling and code tidy.
2012-04-24 12:22:23 +00:00
Dr. Stephen Henson
ce33b42bc6 oops, not yet ;-) 2012-04-23 21:58:29 +00:00
Dr. Stephen Henson
579d553464 update NEWS 2012-04-23 21:56:33 +00:00
Dr. Stephen Henson
b2284ed34a Submitted by: Peter Sylvester <peter.sylvester@edelweb.fr>
Localize client hello extension parsing in t1_lib.c
2012-04-06 11:18:40 +00:00
Dr. Stephen Henson
a43526302f Add support for automatic ECDH temporary key parameter selection. When
enabled instead of requiring an application to hard code a (possibly
inappropriate) parameter set and delve into EC internals we just
automatically use the preferred curve.
2012-04-05 13:38:27 +00:00
Dr. Stephen Henson
fd2b65ce53 Tidy up EC parameter check code: instead of accessing internal structures
add utility functions to t1_lib.c to check if EC certificates and parameters
are consistent with peer.
2012-04-04 14:41:01 +00:00
Dr. Stephen Henson
d0595f170c Initial revision of ECC extension handling.
Tidy some code up.

Don't allocate a structure to handle ECC extensions when it is used for
default values.

Make supported curves configurable.

Add ctrls to retrieve shared curves: not fully integrated with rest of
ECC code yet.
2012-03-28 15:05:04 +00:00
Dr. Stephen Henson
ea6e386008 PR: 2756
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>

Fix DTLS timeout handling.
2012-03-09 15:52:33 +00:00
Dr. Stephen Henson
e7f8ff4382 New ctrls to retrieve supported signature algorithms and curves and
extensions to s_client and s_server to print out retrieved valued.

Extend CERT structure to cache supported signature algorithm data.
2012-03-06 14:28:21 +00:00
Dr. Stephen Henson
74b4b49494 SSL export fixes (from Adam Langley) [original from 1.0.1] 2012-02-22 15:06:56 +00:00
Dr. Stephen Henson
f71c6e52f7 Add support for distinct certificate chains per key type and per SSL
structure.

Before this the only way to add a custom chain was in the parent SSL_CTX
(which is shared by all key types and SSL structures) or rely on auto
chain building (which is performed on each handshake) from the trust store.
2012-01-31 14:00:10 +00:00
Dr. Stephen Henson
c526ed410c Revise ssl code to use a CERT_PKEY structure when outputting a
certificate chain instead of an X509 structure.

This makes it easier to enhance code in future and the chain
output functions have access to the CERT_PKEY structure being
used.
2012-01-26 16:00:34 +00:00
Dr. Stephen Henson
4379d0e457 Tidy/enhance certificate chain output code.
New function ssl_add_cert_chain which adds a certificate chain to
SSL internal BUF_MEM. Use this function in ssl3_output_cert_chain
and dtls1_output_cert_chain instead of partly duplicating code.
2012-01-26 15:47:32 +00:00
Dr. Stephen Henson
8e1dc4d7ca Support for fixed DH ciphersuites.
The cipher definitions of these ciphersuites have been around since SSLeay
but were always disabled. Now OpenSSL supports DH certificates they can be
finally enabled.

Various additional changes were needed to make them work properly: many
unused fixed DH sections of code were untested.
2012-01-16 18:19:14 +00:00
Dr. Stephen Henson
4817504d06 PR: 2658
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Support for TLS/DTLS heartbeats.
2011-12-31 22:59:57 +00:00
Dr. Stephen Henson
7e159e0133 PR: 2535
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Add SCTP support for DTLS (RFC 6083).
2011-12-25 14:45:15 +00:00
Dr. Stephen Henson
1c78c43bd3 move internal functions to ssl_locl.h 2011-11-21 22:52:13 +00:00
Ben Laurie
e0af04056c Add TLS exporter. 2011-11-15 23:50:52 +00:00
Dr. Stephen Henson
1d7392f219 PR: 2602
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Fix DTLS bug which prevents manual MTU setting
2011-09-23 13:34:48 +00:00
Dr. Stephen Henson
28dd49faec Expand range of ctrls for AES GCM to support retrieval and setting of
invocation field.

Add complete support for AES GCM ciphersuites including all those in
RFC5288 and RFC5289.
2011-08-03 15:37:22 +00:00
Dr. Stephen Henson
d09677ac45 Add HMAC ECC ciphersuites from RFC5289. Include SHA384 PRF support and
prohibit use of these ciphersuites for TLS < 1.2
2011-07-25 20:41:32 +00:00
Dr. Stephen Henson
f37f20ffd3 PR: 2295
Submitted by: Alexei Khlebnikov <alexei.khlebnikov@opera.com>
Reviewed by: steve

OOM checking. Leak in OOM fix. Fall-through comment. Duplicate code
elimination.
2011-05-20 14:56:29 +00:00
Dr. Stephen Henson
8f82912460 Process signature algorithms during TLS v1.2 client authentication.
Make sure message is long enough for signature algorithms.
2011-05-12 14:38:01 +00:00
Dr. Stephen Henson
a2f9200fba Initial TLS v1.2 client support. Include a default supported signature
algorithms extension (including everything we support). Swicth to new
signature format where needed and relax ECC restrictions.

Not TLS v1.2 client certifcate support yet but client will handle case
where a certificate is requested and we don't have one.
2011-05-09 15:44:01 +00:00
Dr. Stephen Henson
6b7be581e5 Continuing TLS v1.2 support: add support for server parsing of
signature algorithms extension and correct signature format for
server key exchange.

All ciphersuites should now work on the server but no client support and
no client certificate support yet.
2011-05-06 13:00:07 +00:00
Dr. Stephen Henson
7409d7ad51 Initial incomplete TLS v1.2 support. New ciphersuites added, new version
checking added, SHA256 PRF support added.

At present only RSA key exchange ciphersuites work with TLS v1.2 as the
new signature format is not yet implemented.
2011-04-29 22:56:51 +00:00
Ben Laurie
edc032b5e3 Add SRP support. 2011-03-12 17:01:19 +00:00
Ben Laurie
bf48836c7c Fixes to NPN from Adam Langley. 2010-09-05 17:14:01 +00:00
Ben Laurie
ee2ffc2794 Add Next Protocol Negotiation. 2010-07-28 10:06:55 +00:00
Dr. Stephen Henson
8025e25113 PR: 2121
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>

Add extension support to DTLS code mainly using existing implementation for
TLS.
2009-12-08 11:37:40 +00:00
Dr. Stephen Henson
637f374ad4 Initial experimental TLSv1.1 support 2009-12-07 13:31:02 +00:00
Dr. Stephen Henson
499684404c PR: 2115
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

Add Renegotiation extension to DTLS, fix DTLS ClientHello processing bug.
2009-12-01 17:42:15 +00:00
Dr. Stephen Henson
e0e7997212 First cut of renegotiation extension. (port to HEAD) 2009-11-09 19:03:34 +00:00
Dr. Stephen Henson
b972fbaa8f PR: 1997
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

DTLS timeout handling fix.
2009-08-12 13:19:54 +00:00
Dr. Stephen Henson
9289f21b7d Update from 1.0.0 stable branch. 2009-05-16 11:15:42 +00:00
Dr. Stephen Henson
eb38b26dbc Update from 1.0.0-stable. 2009-05-15 22:58:40 +00:00
Dr. Stephen Henson
e5fa864f62 Updates from 1.0.0-stable. 2009-04-15 15:27:03 +00:00
Dr. Stephen Henson
cc7399e79c Changes from 1.0.0-stable. 2009-04-07 16:33:26 +00:00
Lutz Jänicke
fceac0bc74 Fix compilation with -no-comp by adding some more #ifndef OPENSSL_NO_COMP
Some #include statements were not properly protected. This will go unnoted
on most systems as openssl/comp.h tends to be installed as a system header
file by default but may become visible when cross compiling.
2009-01-05 14:43:05 +00:00
Ben Laurie
0eab41fb78 If we're going to return errors (no matter how stupid), then we should
test for them!
2008-12-29 16:11:58 +00:00
Ben Laurie
6ba71a7173 Handle the unlikely event that BIO_get_mem_data() returns -ve. 2008-12-27 02:00:38 +00:00
Dr. Stephen Henson
e19106f5fb Create function of the form OBJ_bsearch_xxx() in bsearch typesafe macros
with the appropriate parameters which calls OBJ_bsearch(). A compiler will
typically inline this.

This avoids the need for cmp_xxx variables and fixes unchecked const issues
with CHECKED_PTR_OF()
2008-10-22 15:43:01 +00:00
Dr. Stephen Henson
606f6c477a Fix a shed load or warnings:
Duplicate const.
Use of ; outside function.
2008-10-20 15:12:00 +00:00
Ben Laurie
babb379849 Type-checked (and modern C compliant) OBJ_bsearch. 2008-10-12 14:32:47 +00:00
Bodo Möller
96562f2fb3 update comment 2008-09-14 19:50:55 +00:00
Dr. Stephen Henson
3ad74edce8 Add SSL_FIPS flag for FIPS 140-2 approved ciphersuites and add a new
strength "FIPS" to represent all FIPS approved ciphersuites without NULL
encryption.
2008-09-10 16:02:09 +00:00
Bodo Möller
474b3b1cc8 Fix error codes for memory-saving patch.
Also, get rid of compile-time switch OPENSSL_NO_RELEASE_BUFFERS
because it was rather pointless (the new behavior has to be explicitly
requested by setting SSL_MODE_RELEASE_BUFFERS anyway).
2008-08-04 22:10:38 +00:00
Dr. Stephen Henson
45d3767d28 Prevent signed/unsigned warning on VC++ 2008-06-03 10:17:45 +00:00
Ben Laurie
8671b89860 Memory saving patch. 2008-06-03 02:48:34 +00:00
Dr. Stephen Henson
368888bcb6 Add client cert engine to SSL routines. 2008-06-01 22:33:24 +00:00
Andy Polyakov
5d58f1bbfe Prohibit RC4 in DTLS. 2007-10-05 21:04:56 +00:00
Dr. Stephen Henson
67c8e7f414 Support for certificate status TLS extension. 2007-09-26 21:56:59 +00:00
Bodo Möller
761772d7e1 Implement the Opaque PRF Input TLS extension
(draft-rescorla-tls-opaque-prf-input-00.txt), and do some cleanups and
bugfixes on the way.  In particular, this fixes the buffer bounds
checks in ssl_add_clienthello_tlsext() and in ssl_add_serverhello_tlsext().

Note that the opaque PRF Input TLS extension is not compiled by default;
see CHANGES.
2007-09-21 06:54:24 +00:00
Dr. Stephen Henson
81025661a9 Update ssl code to support digests other than MD5+SHA1 in handshake.
Submitted by: Victor B. Wagner <vitus@cryptocom.ru>
2007-08-31 12:42:53 +00:00
Dr. Stephen Henson
956006b741 Use SHA256 for ticket HMAC if possible. 2007-08-20 12:35:20 +00:00
Dr. Stephen Henson
367eb1f125 Fix warning and make no-tlsext work. 2007-08-12 18:56:14 +00:00
Dr. Stephen Henson
6434abbfc6 RFC4507 (including RFC4507bis) TLS stateless session resumption support
for OpenSSL.
2007-08-11 23:18:29 +00:00
Dr. Stephen Henson
b948e2c59e Update ssl library to support EVP_PKEY MAC API. Include generic MAC support. 2007-06-04 17:04:40 +00:00
Bodo Möller
96afc1cfd5 Add SEED encryption algorithm.
PR: 1503
Submitted by: KISA
Reviewed by: Bodo Moeller
2007-04-23 23:48:59 +00:00
Dr. Stephen Henson
9981a51e42 Stage 1 GOST ciphersuite support.
Submitted by: ran@cryptocom.ru
Reviewed by: steve@openssl.org
2007-03-23 17:04:05 +00:00
Bodo Möller
52b8dad8ec Reorganize the data used for SSL ciphersuite pattern matching.
This change resolves a number of problems and obviates multiple kludges.
A new feature is that you can now say "AES256" or "AES128" (not just
"AES", which enables both).

In some cases the ciphersuite list generated from a given string is
affected by this change.  I hope this is just in those cases where the
previous behaviour did not make sense.
2007-02-17 06:45:38 +00:00
Bodo Möller
ed3ecd801e Error messages for client ECC cert verification.
Also, change the default ciphersuite to give some prefererence to
ciphersuites with forwared secrecy (rather than using a random order).
2006-06-15 19:58:22 +00:00
Bodo Möller
89bbe14c50 Ciphersuite string bugfixes, and ECC-related (re-)definitions. 2006-06-14 17:40:31 +00:00
Bodo Möller
f3dea9a595 Camellia cipher, contributed by NTT
Submitted by: Masashi Fujita
Reviewed by: Bodo Moeller
2006-06-09 15:44:59 +00:00
Bodo Möller
332737217a Implement Supported Elliptic Curves Extension.
Submitted by: Douglas Stebila
2006-03-30 02:44:56 +00:00
Bodo Möller
36ca4ba63d Implement the Supported Point Formats Extension for ECC ciphersuites
Submitted by: Douglas Stebila
2006-03-11 23:46:37 +00:00
Nils Larsch
ddac197404 add initial support for RFC 4279 PSK SSL ciphersuites
PR: 1191
Submitted by: Mika Kousa and Pasi Eronen of Nokia Corporation
Reviewed by: Nils Larsch
2006-03-10 23:06:27 +00:00
Bodo Möller
58ece83395 Further TLS extension improvements
Submitted by: Peter Sylvester
2006-01-13 09:21:10 +00:00
Bodo Möller
f1fd4544a3 Various changes in the new TLS extension code, including the following:
- fix indentation
 - rename some functions and macros
 - fix up confusion between SSL_ERROR_... and SSL_AD_... values
2006-01-03 03:27:19 +00:00
Bodo Möller
ed3883d21b Support TLS extensions (specifically, HostName)
Submitted by: Peter Sylvester
2006-01-02 23:14:37 +00:00
Nils Larsch
7f3c9036ea initialize cipher/digest methods table in SSL_library_init() and hence remove the need for a lock 2005-08-21 23:06:23 +00:00
Nils Larsch
4ebb342fcd Let the TLSv1_method() etc. functions return a const SSL_METHOD
pointer and make the SSL_METHOD parameter in SSL_CTX_new,
SSL_CTX_set_ssl_version and SSL_set_ssl_method const.
2005-08-14 21:48:33 +00:00
Nils Larsch
01a9792f05 remove unused internal foo_base_method functions 2005-08-08 19:04:37 +00:00
Dr. Stephen Henson
f3b656b246 Initialize SSL_METHOD structures at compile time. This removes the need
for locking code. The CRYPTO_LOCK_SSL_METHOD lock is now no longer used.
2005-08-05 23:56:11 +00:00
Nils Larsch
3eeaab4bed make
./configure no-deprecated [no-dsa] [no-dh] [no-ec] [no-rsa]
    	make depend all test
work again

PR: 1159
2005-07-16 12:37:36 +00:00
Bodo Möller
c6c2e3135d Don't use the SSL 2.0 Client Hello format if SSL 2.0 is disabled
with the SSL_OP_NO_SSLv2 option.
2005-05-11 18:25:49 +00:00
Dr. Stephen Henson
6c61726b2a Lots of Win32 fixes for DTLS.
1. "unsigned long long" isn't portable changed: to BN_ULLONG.
2. The LL prefix isn't allowed in VC++ but it isn't needed where it is used.
2. Avoid lots of compiler warnings about signed/unsigned mismatches.
3. Include new library directory pqueue in mk1mf build system.
4. Update symbols.
2005-04-27 16:27:14 +00:00
Bodo Möller
480506bd49 remove some functions from exported headers 2005-04-26 18:18:35 +00:00
Bodo Möller
beb056b303 fix SSLerr stuff for DTLS1 code;
move some functions from exported header <openssl/dtl1.h> into "ssl_locl.h";
fix silly indentation (a TAB is *not* always 4 spaces)
2005-04-26 18:08:00 +00:00
Ben Laurie
36d16f8ee0 Add DTLS support. 2005-04-26 16:02:40 +00:00
Andy Polyakov
3ed449e94a More cover-ups, removing OPENSSL_GLOBAL/EXTERNS. We can remove more... 2005-04-13 21:46:30 +00:00
Ben Laurie
41a15c4f0f Give everything prototypes (well, everything that's actually used). 2005-03-31 09:26:39 +00:00
Ben Laurie
0821bcd4de Constification. 2005-03-30 10:26:02 +00:00
Geoff Thorpe
d095b68d63 Deprecate quite a few recursive includes from the ssl.h API header and
remove some unnecessary includes from the internal header ssl_locl.h. This
then requires adding includes for bn.h in four C files.
2004-05-17 18:53:47 +00:00
Geoff Thorpe
60a938c6bc (oops) Apologies all, that last header-cleanup commit was from the wrong
tree. This further reduces header interdependencies, and makes some
associated cleanups.
2004-04-19 18:09:28 +00:00
Richard Levitte
0020502a07 SSL_COMP_get_compression_method is a typo (a missing 's' at the end of
the symbol name).
2004-03-25 21:32:30 +00:00
Richard Levitte
875a644a90 Constify d2i, s2i, c2i and r2i functions and other associated
functions and macros.

This change has associated tags: LEVITTE_before_const and
LEVITTE_after_const.  Those will be removed when this change has been
properly reviewed.
2004-03-15 23:15:26 +00:00
Bodo Möller
41fdcfa71e fix warnings 2002-08-09 11:58:28 +00:00
Bodo Möller
ea26226046 ECC ciphersuite support
Submitted by: Douglas Stebila <douglas.stebila@sun.com>
(Authors: Vipul Gupta and Sumit Gupta, Sun Microsystems Laboratories)
2002-08-09 08:56:08 +00:00
Bodo Möller
5574e0ed41 get rid of OpenSSLDie 2002-08-02 11:48:15 +00:00
Lutz Jänicke
063a8905bf Ciphers with NULL encryption were not properly handled because they were
not covered by the strength bit mask.
Submitted by:
Reviewed by:
PR: 130
2002-07-10 06:41:55 +00:00
Bodo Möller
a661b65357 New functions SSL[_CTX]_set_msg_callback().
New macros SSL[_CTX]_set_msg_callback_arg().

Message callback imlementation for SSL 3.0/TLS 1.0 (no SSL 2.0 yet).

New '-msg' option for 'openssl s_client' and 'openssl s_server'
that enable a message callback that displays all protocol messages.


In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert if
client_version is smaller than the protocol version in use.
Also change ssl23_get_client_hello (ssl/s23_srvr.c) to select TLS 1.0
if the client demanded SSL 3.0 but only TLS 1.0 is enabled; then the
client will at least see that alert.

Fix SSL[_CTX]_ctrl prototype (void * instead of char * for generic
pointer).

Add/update some OpenSSL copyright notices.
2001-10-20 17:56:36 +00:00
Bodo Möller
e34cfcf7e1 Consistently use 'void *' for SSL read, peek and write functions. 2001-03-09 10:09:20 +00:00
Richard Levitte
41d2a336ee e_os.h does not belong with the exported headers. Do not put it there
and make all files the depend on it include it without prefixing it
with openssl/.

This means that all Makefiles will have $(TOP) as one of the include
directories.
2001-02-22 14:45:02 +00:00
Richard Levitte
bc36ee6227 Use new-style system-id macros everywhere possible. I hope I haven't
missed any.

This compiles and runs on Linux, and external applications have no
problems with it.  The definite test will be to build this on VMS.
2001-02-20 08:13:47 +00:00
Lutz Jänicke
836f996010 New Option SSL_OP_CIPHER_SERVER_PREFERENCE allows TLS/SSLv3 server to override
the clients choice; in SSLv2 the client uses the server's preferences.
2001-02-09 19:56:31 +00:00
Dr. Stephen Henson
deb2c1a1c5 Fix AES code.
Update Rijndael source to v3.0

Add AES OIDs.

Change most references of Rijndael to AES.

Add new draft AES ciphersuites.
2001-02-07 18:15:18 +00:00
Ben Laurie
259810e05b Rijdael CBC mode and partial undebugged SSL support. 2001-02-06 14:09:13 +00:00
Richard Levitte
26da3e65ac If OPENSSL_BUILD_SHLIBCRYPTO (for files that end up as libcrypto
objects) or OPENSSL_BUILD_SHLIBSSL (for files that end up as libssl
objects) is defined, redefine OPENSSL_EXTERN to be OPENSSL_EXPORT.
This is actually only important on Win32, and can safely be ignored in
all other cases, at least for now.
2000-12-31 00:23:17 +00:00
Bodo Möller
5a4fbc69c3 First step towards SSL_peek fix. 2000-12-14 17:36:59 +00:00
Richard Levitte
f9b3bff6f7 First tentative impementation of Kerberos 5 cryptos and keys for SSL/TLS. Implemented by Vern Staats <staatsvr@asc.hpc.mil>, further hacked and distributed by Jeffrey Altman <jaltnab@columbia.edu> 2000-11-30 22:53:34 +00:00
Geoff Thorpe
ccd86b68ef The previous commit to crypto/stack/*.[ch] pulled the type-safety strings
yet tighter, and also put some heat on the rest of the library by
insisting (correctly) that compare callbacks used in stacks are prototyped
with "const" parameters. This has led to a depth-first explosion of
compiler warnings in the code where 1 constification has led to 3 or 4
more. Fortunately these have all been resolved to completion and the code
seems cleaner as a result - in particular many of the _cmp() functions
should have been prototyped with "const"s, and now are. There was one
little problem however;

X509_cmp() should by rights compare "const X509 *" pointers, and it is now
declared as such. However, it's internal workings can involve
recalculating hash values and extensions if they have not already been
setup. Someone with a more intricate understanding of the flow control of
X509 might be able to tighten this up, but for now - this seemed the
obvious place to stop the "depth-first" constification of the code by
using an evil cast (they have migrated all the way here from safestack.h).

Fortunately, this is the only place in the code where this was required
to complete these type-safety changes, and it's reasonably clear and
commented, and seemed the least unacceptable of the options. Trying to
take the constification further ends up exploding out considerably, and
indeed leads directly into generalised ASN functions which are not likely
to cooperate well with this.
2000-06-01 02:36:58 +00:00
Bodo Möller
a2a0158959 Fix some bugs and document others 2000-02-21 17:09:54 +00:00
Richard Levitte
d3442bc780 Move the registration of callback functions to special functions
designed for that.  This removes the potential error to mix data and
function pointers.

Please note that I'm a little unsure how incorrect calls to the old
ctrl functions should be handled, in som cases.  I currently return 0
and that's it, but it may be more correct to generate a genuine error
in those cases.
2000-02-20 23:43:02 +00:00
Bodo Möller
b35e9050f2 Tolerate fragmentation and interleaving in the SSL 3/TLS record layer. 2000-02-20 23:04:06 +00:00
Ulf Möller
657e60fa00 ispell (and minor modifications) 2000-02-03 23:23:24 +00:00
Dr. Stephen Henson
018e57c74d Apply Lutz Behnke's 56 bit cipher patch with a few
minor changes.

Docs haven't been added at this stage. They are probably
best included in the 'ciphers' program docs.
2000-01-22 03:17:06 +00:00
Bodo Möller
f2d9a32cf4 Use separate arrays for certificate verify and for finished hashes. 2000-01-06 00:24:24 +00:00
Bodo Möller
245206eadd Use prototypes. 2000-01-05 23:31:47 +00:00
Bodo Möller
c44f754047 Slight code cleanup for handling finished labels. 2000-01-05 23:11:51 +00:00
Ulf Möller
df63a389a5 "extern" is a C++ reserved word.
Pointed out by: Janez Jere <jj@void.si>
1999-06-09 16:33:18 +00:00
Bodo Möller
7e70181723 It was a very bad idea to use #include "../e_os.h" -- when this occurs
in cryptlib.h (which is often included as "../cryptlib.h"), then the
question remains relative to which directory this is to be interpreted.
gcc went one further directory up, as intended; but makedepend thinks
differently, and so probably do some C compilers.  So the ../ must go away;
thus e_os.h goes back into include/openssl (but I now use
#include "openssl/e_os.h" instead of <openssl/e_os.h> to make the point) --
and we have another huge bunch of dependency changes.  Argh.
1999-05-21 11:16:48 +00:00
Bodo Möller
17e3dd1c62 Don't install e_os.h in include/openssl, use it only as a local
include file.
1999-05-20 21:59:20 +00:00
Bodo Möller
3398f6cc21 OPENSSL_EXTERN 1999-05-15 14:30:31 +00:00
Bodo Möller
224551f732 Some tiny clean-ups related to the cert_st / sess_cert_st change. 1999-05-13 15:27:45 +00:00
Bodo Möller
b56bce4fc7 New structure type SESS_CERT used instead of CERT inside SSL_SESSION.
While modifying the sources, I found some inconsistencies on the use of
s->cert vs. s->session->sess_cert; I don't know if those could
really have caused problems, but possibly this is a proper bug-fix
and not just a clean-up.
1999-05-13 15:09:38 +00:00
Ulf Möller
7d7d2cbcb0 VMS support.
Submitted by: Richard Levitte <richard@levitte.org>
1999-05-13 11:37:32 +00:00
Bodo Möller
8d111f4a47 Spacing in comment corrected. 1999-05-13 10:36:29 +00:00
Bodo Möller
8a41eb70cc First tiny changes in preparation of changing of "sess_cert" handling.
Also I've subsituted real tabs for 8-spaces sequences in some lines so that
things don't look that weird with a tab-width of 4.
1999-05-13 10:32:04 +00:00
Bodo Möller
ca8e5b9b8a Create a duplicate of the SSL_CTX's CERT in SSL_new instead of copying
pointers.  The cert_st handling is changed by this in various ways.
Submitted by:
Reviewed by:
PR:
1999-05-09 20:12:44 +00:00
Bodo Möller
8d1157c71c One comment was in the wrong line ... some others are new.
Submitted by:
Reviewed by:
PR:
1999-05-09 16:41:00 +00:00
Bodo Möller
8450bddfaf Some tiny changes to the source code to make future diffs smaller
when restructuring the cert_st handling (removed unnused parts,
and the like).
Submitted by:
Reviewed by:
PR:
1999-05-09 15:45:38 +00:00
Ulf Möller
79df9d6272 New Configure option no-<cipher> (rsa, idea, rc5, ...). 1999-04-27 03:19:12 +00:00
Ulf Möller
a9be3af5ad Remove NOPROTO definitions and error code comments. 1999-04-26 16:43:10 +00:00
Bodo Möller
ec577822f9 Change #include filenames from <foo.h> to <openssl.h>.
Submitted by:
Reviewed by:
PR:
1999-04-23 22:13:45 +00:00
Ben Laurie
61f5b6f338 Work with -pedantic! 1999-04-23 15:01:15 +00:00
Ben Laurie
4997138a06 Fix DES export ciphersuites. 1999-04-21 13:24:58 +00:00
Ben Laurie
e778802f53 Massive constification. 1999-04-17 21:25:43 +00:00
Ben Laurie
f73e07cf42 Add type-safe STACKs and SETs. 1999-04-12 17:23:57 +00:00
Ben Laurie
f415fa3243 Fix export ciphersuites, again. 1999-03-06 14:09:36 +00:00
Ralf S. Engelschall
15d21c2df4 Add a bunch of SSL_xxx() functions for configuring the temporary RSA and DH
private keys and/or callback functions which directly correspond to their
SSL_CTX_xxx() counterparts but work on a per-connection basis. This is needed
for applications which have to configure certificates on a per-connection
basis (e.g. Apache+mod_ssl) instead of a per-context basis (e.g.
s_server).

For the RSA certificate situation is makes no difference, but for the DSA
certificate situation this fixes the "no shared cipher" problem where the
OpenSSL cipher selection procedure failed because the temporary keys were not
overtaken from the context and the API provided no way to reconfigure them.

The new functions now let applications reconfigure the stuff and they are in
detail: SSL_need_tmp_RSA, SSL_set_tmp_rsa, SSL_set_tmp_dh,
SSL_set_tmp_rsa_callback and SSL_set_tmp_dh_callback.  Additionally a new
non-public-API function ssl_cert_instantiate() is used as a helper function
and also to reduce code redundancy inside ssl_rsa.c.

Submitted by: Ralf S. Engelschall
Reviewed by: Ben Laurie
1999-02-25 14:40:29 +00:00
Ben Laurie
60e31c3a4b More stuff for new TLS ciphersuites. 1999-02-21 21:58:59 +00:00
Ben Laurie
a040ea8251 Undo a couple of kludges. 1999-02-21 20:07:41 +00:00
Ben Laurie
06ab81f9f7 Add support for new TLS export ciphersuites. 1999-02-21 20:03:24 +00:00
Mark J. Cox
413c4f45ed Updates to the new SSL compression code
[Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)]

Fix so that the version number in the master secret, when passed
     via RSA, checks that if TLS was proposed, but we roll back to SSLv3
     (because the server will not accept higher), that the version number
     is 0x03,0x01, not 0x03,0x00
     [Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)]

Submitted by:
Reviewed by:
PR:
1999-02-16 09:22:21 +00:00
Ben Laurie
f06b01eb62 More prototypes. 1999-01-16 17:56:00 +00:00
Ralf S. Engelschall
651d0aff98 Various cleanups and fixed by Marc and Ralf to start the OpenTLS project 1998-12-22 15:04:48 +00:00
Ralf S. Engelschall
dfeab0689f Import of old SSLeay release: SSLeay 0.9.1b (unreleased) 1998-12-21 11:00:56 +00:00
Ralf S. Engelschall
58964a4922 Import of old SSLeay release: SSLeay 0.9.0b 1998-12-21 10:56:39 +00:00
Ralf S. Engelschall
d02b48c63a Import of old SSLeay release: SSLeay 0.8.1b 1998-12-21 10:52:47 +00:00