wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
10847 commits 20 branches 302 tags 153 MiB
Commit graph

1457 commits

Author SHA1 Message Date
Dr. Stephen Henson
fc6fc7ff38 Add options to set additional type specific certificate chains to 
s_server.
 2012-04-11 16:53:11 +00:00
Dr. Stephen Henson
a43526302f Add support for automatic ECDH temporary key parameter selection. When 
enabled instead of requiring an application to hard code a (possibly
inappropriate) parameter set and delve into EC internals we just
automatically use the preferred curve.
 2012-04-05 13:38:27 +00:00
Dr. Stephen Henson
d0595f170c Initial revision of ECC extension handling. 
Tidy some code up.

Don't allocate a structure to handle ECC extensions when it is used for
default values.

Make supported curves configurable.

Add ctrls to retrieve shared curves: not fully integrated with rest of
ECC code yet.
 2012-03-28 15:05:04 +00:00
Dr. Stephen Henson
bbbe61c958 Always use SSLv23_{client,server}_method in s_client.c and s_server.c, 
the old code came from SSLeay days before TLS was even supported.
 2012-03-18 18:16:46 +00:00
Dr. Stephen Henson
156421a2af oops, revert unrelated patches 2012-03-14 13:46:50 +00:00
Dr. Stephen Henson
61ad8262a0 update FAQ, NEWS 2012-03-14 13:44:57 +00:00
Dr. Stephen Henson
15a40af2ed Submitted by: Peter Sylvester <peter.sylvester@edelweb.fr> 
Add more extension names in s_cb.c extension printing code.
 2012-03-09 18:38:35 +00:00
Dr. Stephen Henson
e7f8ff4382 New ctrls to retrieve supported signature algorithms and curves and 
extensions to s_client and s_server to print out retrieved valued.

Extend CERT structure to cache supported signature algorithm data.
 2012-03-06 14:28:21 +00:00
Dr. Stephen Henson
64095ce9d7 Add new APIs EC_curve_nist2nid and EC_curve_nid2nist which convert 
between NIDs and the more common NIST names such as "P-256". Enhance
ecparam utility and ECC method to recognise the NIST names for curves.
 2012-02-21 14:41:13 +00:00
Dr. Stephen Henson
fc7dae5229 PR: 2717 
Submitted by: Tim Rice <tim@multitalents.net>

Make compilation work on OpenServer 5.0.7
 2012-02-11 23:41:19 +00:00
Dr. Stephen Henson
be81f4dd81 PR: 2716 
Submitted by: Adam Langley <agl@google.com>

Fix handling of exporter return value and use OpenSSL indentation in
s_client, s_server.
 2012-02-11 23:20:53 +00:00
Andy Polyakov
cbc0b0ec2d apps/s_cb.c: recognized latest TLS version. 2012-02-11 13:30:47 +00:00
Dr. Stephen Henson
3770b988c0 PR: 2710 
Submitted by: Tomas Mraz <tmraz@redhat.com>

Check return codes for load_certs_crls.
 2012-02-10 19:54:54 +00:00
Dr. Stephen Henson
9641be2aac PR: 2714 
Submitted by: Tomas Mraz <tmraz@redhat.com>

Make no-srp work.
 2012-02-10 19:43:14 +00:00
Dr. Stephen Henson
7951c2699f add fips blocking overrides to command line utilities 2012-02-10 16:47:40 +00:00
Dr. Stephen Henson
57559471bf oops, revert unrelated changes 2012-02-09 15:43:58 +00:00
Dr. Stephen Henson
f4e1169341 Modify client hello version when renegotiating to enhance interop with 
some servers.
 2012-02-09 15:42:10 +00:00
Dr. Stephen Henson
2ff5ac55c5 oops revert debug change 2012-01-22 13:52:39 +00:00
Dr. Stephen Henson
855d29184e Fix for DTLS DoS issue introduced by fix for CVE-2011-4109. 
Thanks to Antonio Martin, Enterprise Secure Access Research and
Development, Cisco Systems, Inc. for discovering this bug and
preparing a fix. (CVE-2012-0050)
 2012-01-18 18:15:27 +00:00
Andy Polyakov
a50bce82ec Sanitize usage of <ctype.h> functions. It's important that characters 
are passed zero-extended, not sign-extended.
PR: 2682
 2012-01-12 16:21:35 +00:00
Andy Polyakov
5beb93e114 speed.c: typo in pkey_print_message. 
PR: 2681
Submitted by: Annie Yousar
 2012-01-11 21:48:31 +00:00
Bodo Möller
6620bf3444 Fix usage indentation 2012-01-05 13:16:30 +00:00
Dr. Stephen Henson
4817504d06 PR: 2658 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Support for TLS/DTLS heartbeats.
 2011-12-31 22:59:57 +00:00
Dr. Stephen Henson
84b6e277d4 make update 2011-12-27 14:46:03 +00:00
Dr. Stephen Henson
c79f22c63a PR: 1794 
Submitted by: Peter Sylvester <peter.sylvester@edelweb.fr>
Reviewed by: steve

- remove some unncessary SSL_err and permit
an srp user callback to allow a worker to obtain
a user verifier.

- cleanup and comments in s_server and demonstration
for asynchronous srp user lookup
 2011-12-27 14:21:45 +00:00
Dr. Stephen Henson
f9b0b45238 New ctrl values to clear or retrieve extra chain certs from an SSL_CTX. 
New function to retrieve compression method from SSL_SESSION structure.

Delete SSL_SESSION_get_id_len and SSL_SESSION_get0_id functions
as they duplicate functionality of SSL_SESSION_get_id. Note: these functions
have never appeared in any release version of OpenSSL.
 2011-12-22 15:14:32 +00:00
Andy Polyakov
7aba22ba28 apps/speed.c: fix typo in last commit. 2011-12-19 14:33:09 +00:00
Andy Polyakov
bdba45957a apps/speed.c: Cygwin alarm() fails sometimes. 
PR: 2655
 2011-12-15 22:30:03 +00:00
Dr. Stephen Henson
f2fc30751e PR: 1794 
Submitted by: Peter Sylvester <peter.sylvester@edelweb.fr>
Reviewed by: steve

Remove unnecessary code for srp and to add some comments to
s_client.

- the callback to provide a user during client connect is
no longer necessary since rfc 5054 a connection attempt
with an srp cipher and no user is terminated when the
cipher is acceptable

- comments to indicate in s_client the (non-)usefulness of
th primalaty tests for non known group parameters.
 2011-12-14 22:17:06 +00:00
Ben Laurie
9a436c0f89 Back out redundant verification time change. 2011-12-13 15:00:43 +00:00
Ben Laurie
7fd5df6b12 Make it possible to set a time for verification. 2011-12-13 14:38:12 +00:00
Dr. Stephen Henson
16363c0165 implement -attime option as a verify parameter then it works with all relevant applications 2011-12-10 00:37:22 +00:00
Dr. Stephen Henson
990390ab52 Replace expired test server and client certificates with new ones. 2011-12-08 14:44:05 +00:00
Dr. Stephen Henson
2ca873e8d8 transparently handle X9.42 DH parameters 2011-12-07 12:44:03 +00:00
Dr. Stephen Henson
df0cdf4ceb The default CN prompt message can be confusing when often the CN needs to 
be the server FQDN: change it.
[Reported by PSW Group]
 2011-12-06 00:00:30 +00:00
Ben Laurie
e0af04056c Add TLS exporter. 2011-11-15 23:50:52 +00:00
Ben Laurie
333f926d67 Add DTLS-SRTP. 2011-11-15 22:59:20 +00:00
Ben Laurie
ae55176091 Fix some warnings caused by __owur. Temporarily (I hope) remove the more 
aspirational __owur annotations.
 2011-11-14 00:36:10 +00:00
Dr. Stephen Henson
0c58d22ad9 PR: 1794 
Submitted by: Peter Sylvester <peter.sylvester@edelweb.fr>
Reviewed by: steve

Document unknown_psk_identify alert, remove pre-RFC 5054 string from
ssl_stat.c
 2011-11-13 13:13:01 +00:00
Dr. Stephen Henson
7d7c13cbab Don't disable TLS v1.2 by default now. 2011-10-09 23:26:39 +00:00
Dr. Stephen Henson
43206a2d7c New -force_pubkey option to x509 utility to supply a different public 
key to the one in a request. This is useful for cases where the public
key cannot be used for signing e.g. DH.
 2011-10-07 15:18:09 +00:00
Dr. Stephen Henson
1579e65604 use keyformat for -x509toreq, don't hard code PEM 2011-09-23 21:48:34 +00:00
Dr. Stephen Henson
07dda896cb PR: 2347 
Submitted by: Tomas Mraz <tmraz@redhat.com>
Reviewed by: steve

Fix usage message.
 2011-09-23 13:12:25 +00:00
Dr. Stephen Henson
be1242cbd1 PR: 2527 
Submitted by: Marcus Meissner <meissner@suse.de>
Reviewed by: steve

Set cnf to NULL to avoid possible double free.
 2011-05-25 15:05:39 +00:00
Dr. Stephen Henson
086e32a6c7 Implement FIPS_mode and FIPS_mode_set 2011-05-19 18:09:02 +00:00
Dr. Stephen Henson
d39c495130 Enter FIPS mode by calling FIPS_module_mode_set in openssl.c until 
FIPS_mode_set is implemented.
 2011-05-12 17:59:47 +00:00
Dr. Stephen Henson
4f7a2ab8b1 make kerberos work with OPENSSL_NO_SSL_INTERN 2011-05-11 22:50:18 +00:00
Dr. Stephen Henson
a2f9200fba Initial TLS v1.2 client support. Include a default supported signature 
algorithms extension (including everything we support). Swicth to new
signature format where needed and relax ECC restrictions.

Not TLS v1.2 client certifcate support yet but client will handle case
where a certificate is requested and we don't have one.
 2011-05-09 15:44:01 +00:00
Dr. Stephen Henson
6b7be581e5 Continuing TLS v1.2 support: add support for server parsing of 
signature algorithms extension and correct signature format for
server key exchange.

All ciphersuites should now work on the server but no client support and
no client certificate support yet.
 2011-05-06 13:00:07 +00:00
Dr. Stephen Henson
7409d7ad51 Initial incomplete TLS v1.2 support. New ciphersuites added, new version 
checking added, SHA256 PRF support added.

At present only RSA key exchange ciphersuites work with TLS v1.2 as the
new signature format is not yet implemented.
 2011-04-29 22:56:51 +00:00