Commit graph

50 commits

Author SHA1 Message Date
Matt Caswell
56d9134675 Ensure all EVP calls have their returns checked where appropriate
There are lots of calls to EVP functions from within libssl There were
various places where we should probably check the return value but don't.
This adds these checks.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-11-20 15:47:44 +00:00
Kurt Roeckx
0711826ae9 Fix return values when adding serverinfo fails.
Reviewed-by: Rich Salz <rsalz@openssl.org>
MR #1128

(cherry picked from commit fae11ec714)
2015-09-16 21:03:45 +02:00
Matt Caswell
ae5c8664e5 Run util/openssl-format-source -v -c .
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:31:38 +00:00
Dr. Stephen Henson
cf8d6c1000 Rename some callbacks, fix alignment.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 0cfefe4b6d)
2014-08-28 18:10:21 +01:00
Dr. Stephen Henson
4164d631bb Use consistent function naming.
Instead of SSL_CTX_set_custom_cli_ext and SSL_CTX_set_custom_srv_ext
use SSL_CTX_add_client_custom_ext and SSL_CTX_add_server_custom_ext.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 8cafe9e8bf)
2014-08-28 18:10:21 +01:00
Dr. Stephen Henson
6db2239c60 New extension callback features.
Support separate parse and add callback arguments.
Add new callback so an application can free extension data.
Change return value for send functions so < 0 is an error 0
omits extension and > 0 includes it. This is more consistent
with the behaviour of other functions in OpenSSL.

Modify parse_cb handling so <= 0 is an error.

Make SSL_CTX_set_custom_cli_ext and SSL_CTX_set_custom_cli_ext argument
order consistent.

NOTE: these changes WILL break existing code.

Remove (now inaccurate) in line documentation.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 33f653adf3)
2014-08-28 18:10:21 +01:00
Dr. Stephen Henson
423ceb8319 Callback revision.
Use "parse" and "add" for function and callback names instead of
"first" and "second".

Change arguments to callback so the extension type is unsigned int
and the buffer length is size_t. Note: this *will* break existing code.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit de2a9e38f3)
2014-08-28 18:10:21 +01:00
Dr. Stephen Henson
cd2e17020e Remove serverinfo checks.
Since sanity checks are performed for all custom extensions the
serverinfo checks are no longer needed.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 707b026d78)

Conflicts:

	ssl/ssl3.h
	ssl/t1_lib.c
2014-08-28 18:09:59 +01:00
Ben Laurie
130ebe34c8 Fix whitespace, new-style comments. 2014-02-08 16:19:30 -08:00
Scott Deboy
7612511b3b Re-add alert variables removed during rebase
Whitespace fixes

(cherry picked from commit e9add063b5)
Conflicts:
	ssl/s3_clnt.c
2014-02-08 16:19:01 -08:00
Scott Deboy
fc213217e8 Update custom TLS extension and supplemental data 'generate' callbacks to support sending an alert.
If multiple TLS extensions are expected but not received, the TLS extension and supplemental data 'generate' callbacks are the only chance for the receive-side to trigger a specific TLS alert during the handshake.

Removed logic which no-op'd TLS extension generate callbacks (as the generate callbacks need to always be called in order to trigger alerts), and updated the serverinfo-specific custom TLS extension callbacks to track which custom TLS extensions were received by the client, where no-ops for 'generate' callbacks are appropriate.

(cherry picked from commit ac20719d99)
Conflicts:
	ssl/t1_lib.c
2014-02-08 16:17:24 -08:00
Trevor Perrin
7198c5af1f Redo deletion of some serverinfo code that supplemental data code mistakenly reinstated. 2014-02-08 16:15:10 -08:00
Scott Deboy
038bec784e Add callbacks supporting generation and retrieval of supplemental data entries, facilitating RFC 5878 (TLS auth extensions)
Removed prior audit proof logic - audit proof support was implemented using the generic TLS extension API
Tests exercising the new supplemental data registration and callback api can be found in ssltest.c.
Implemented changes to s_server and s_client to exercise supplemental data callbacks via the -auth argument, as well as additional flags to exercise supplemental data being sent only during renegotiation.

(cherry picked from commit 36086186a9)
Conflicts:
	Configure
	apps/s_client.c
	apps/s_server.c
	ssl/ssl.h
	ssl/ssl3.h
	ssl/ssltest.c
2014-02-08 16:12:15 -08:00
Dr. Stephen Henson
b9fa413a08 Use algorithm specific chains for certificates.
Fix a limitation in SSL_CTX_use_certificate_chain_file(): use algorithm
specific chains instead of the shared chain.

Update docs.
(cherry picked from commit a4339ea3ba)

Conflicts:

	CHANGES
2014-01-03 22:45:20 +00:00
Ben Laurie
379f21ce5c Show useful errors. 2013-09-24 23:13:22 +01:00
Ben Laurie
4f8a706dc7 Merge remote-tracking branch 'trevp/pemfix' into trev-pem-fix 2013-09-20 15:39:08 -07:00
Trevor Perrin
6da498991c Various custom extension fixes.
Force no SSL2 when custom extensions in use.
Don't clear extension state when cert is set.
Clear on renegotiate.

Conflicts:
	ssl/t1_lib.c
2013-09-16 18:40:53 +01:00
Trevor
355a6236be Cosmetic touchups. 2013-07-31 16:38:43 +01:00
Trevor
e27711cfdd Trying cherrypick:
Add support for arbitrary TLS extensions.

Contributed by Trevor Perrin.

Conflicts:

	CHANGES
	ssl/ssl.h
	ssl/ssltest.c
	test/testssl

Fix compilation due to #endif.

Cherrypicking more stuff.

Cleanup of custom extension stuff.

serverinfo rejects non-empty extensions.

Omit extension if no relevant serverinfo data.

Improve error-handling in serverinfo callback.

Cosmetic cleanups.

s_client documentation.

s_server documentation.

SSL_CTX_serverinfo documentation.

Cleaup -1 and NULL callback handling for custom extensions, add tests.

Cleanup ssl_rsa.c serverinfo code.

Whitespace cleanup.

Improve comments in ssl.h for serverinfo.

Whitespace.

Cosmetic cleanup.

Reject non-zero-len serverinfo extensions.

Whitespace.

Make it build.

Conflicts:

	test/testssl
2013-07-03 11:53:30 +01:00
Ben Laurie
835d104f46 Rearrange and test authz extension. 2012-06-07 13:20:20 +00:00
Ben Laurie
8a02a46a5c RFC 5878 support. 2012-05-29 17:27:48 +00:00
Dr. Stephen Henson
0ffa49970b Backport support for fixed DH ciphersuites (from HEAD) 2012-04-06 11:33:12 +00:00
Dr. Stephen Henson
0ddd002f60 PR: 1411
Submitted by: steve@openssl.org

Allow use of trusted certificates in SSL_CTX_use_chain_file()
2009-09-12 23:09:26 +00:00
Lutz Jänicke
17a4a4dff8 Reword comment to be much shorter to stop other people from complaining
about "overcommenting".
2008-05-26 06:21:13 +00:00
Lutz Jänicke
c2c2e7a438 Clear error queue when starting SSL_CTX_use_certificate_chain_file
PR: 1417, 1513
Submitted by: Erik de Castro Lopo <mle+openssl@mega-nerd.com>
2008-05-23 10:37:52 +00:00
Nils Larsch
dc0ed30cfe add support for DER encoded private keys to SSL_CTX_use_PrivateKey_file()
and SSL_use_PrivateKey_file()

PR: 1035
Submitted by: Walter Goulet
Reviewed by:  Nils Larsch
2005-04-08 22:52:42 +00:00
Nils Larsch
6049399baf get rid of very buggy and very imcomplete DH cert support
Reviewed by: Bodo Moeller
2005-04-07 23:19:17 +00:00
Nils Larsch
48c832b6b7 really clear the error queue here
PR: 860
2005-04-01 17:50:09 +00:00
Richard Levitte
875a644a90 Constify d2i, s2i, c2i and r2i functions and other associated
functions and macros.

This change has associated tags: LEVITTE_before_const and
LEVITTE_after_const.  Those will be removed when this change has been
properly reviewed.
2004-03-15 23:15:26 +00:00
Bodo Möller
643ecd2ed6 make sure no error is left in the queue that is intentionally ignored 2003-08-11 18:56:22 +00:00
Lutz Jänicke
7b63c0fa8c Reorder inclusion of header files:
des_old.h redefines crypt:
#define crypt(b,s)\
        DES_crypt((b),(s))

This scheme leads to failure, if header files with the OS's true definition
of crypt() are processed _after_ des_old.h was processed. This is e.g. the
case on HP-UX with unistd.h.
As evp.h now again includes des.h (which includes des_old.h), this problem
only came up after this modification.
Solution: move header files (indirectly) including e_os.h before the header
files (indirectly) including evp.h.
Submitted by:
Reviewed by:
PR:
2002-07-10 07:01:54 +00:00
Bodo Möller
9437fef8cc use ERR_peek_last_error() instead of ERR_peek_error() 2002-02-28 14:07:37 +00:00
Bodo Möller
6ac4e8bd6e Rename recently introduced functions for improved code clarity:
[DR]SA_up  =>  [DR]SA_up_ref
2001-09-03 13:40:07 +00:00
Geoff Thorpe
78435364ec Changes crypto/evp/ and ssl/ code from directly incrementing reference
counts in DH, DSA, and RSA structures. Instead they use the new "***_up()"
functions that handle this.
2001-08-25 17:28:23 +00:00
Richard Levitte
bc36ee6227 Use new-style system-id macros everywhere possible. I hope I haven't
missed any.

This compiles and runs on Linux, and external applications have no
problems with it.  The definite test will be to build this on VMS.
2001-02-20 08:13:47 +00:00
Richard Levitte
5e4ca4220e The consequence of constification is that to pass the address to a
pointer to a const double pointe parameter, the pointer must point to
const data as well.
2000-11-06 23:16:04 +00:00
Ralf S. Engelschall
b1816a0408 typo while I poke around... 1999-08-05 13:31:42 +00:00
Bodo Möller
74678cc2f8 Additional user data argument to pem_password_cb function type
and to lots of PEM_... functions.
Submitted by: Damien Miller <dmiller@ilogic.com.au>
1999-07-21 20:57:16 +00:00
Bodo Möller
ca8e5b9b8a Create a duplicate of the SSL_CTX's CERT in SSL_new instead of copying
pointers.  The cert_st handling is changed by this in various ways.
Submitted by:
Reviewed by:
PR:
1999-05-09 20:12:44 +00:00
Bodo Möller
303c002898 Use "const char *" instead of "char *" for filenames passed to functions.
Submitted by:
Reviewed by:
PR:
1999-05-09 10:12:10 +00:00
Bodo Möller
b3ca645f47 New function SSL_CTX_use_certificate_chain_file.
Submitted by:
Reviewed by:
PR:
1999-05-01 17:43:52 +00:00
Ulf Möller
a9be3af5ad Remove NOPROTO definitions and error code comments. 1999-04-26 16:43:10 +00:00
Bodo Möller
ec577822f9 Change #include filenames from <foo.h> to <openssl.h>.
Submitted by:
Reviewed by:
PR:
1999-04-23 22:13:45 +00:00
Ulf Möller
6b691a5c85 Change functions to ANSI C. 1999-04-19 21:31:43 +00:00
Ralf S. Engelschall
15d21c2df4 Add a bunch of SSL_xxx() functions for configuring the temporary RSA and DH
private keys and/or callback functions which directly correspond to their
SSL_CTX_xxx() counterparts but work on a per-connection basis. This is needed
for applications which have to configure certificates on a per-connection
basis (e.g. Apache+mod_ssl) instead of a per-context basis (e.g.
s_server).

For the RSA certificate situation is makes no difference, but for the DSA
certificate situation this fixes the "no shared cipher" problem where the
OpenSSL cipher selection procedure failed because the temporary keys were not
overtaken from the context and the API provided no way to reconfigure them.

The new functions now let applications reconfigure the stuff and they are in
detail: SSL_need_tmp_RSA, SSL_set_tmp_rsa, SSL_set_tmp_dh,
SSL_set_tmp_rsa_callback and SSL_set_tmp_dh_callback.  Additionally a new
non-public-API function ssl_cert_instantiate() is used as a helper function
and also to reduce code redundancy inside ssl_rsa.c.

Submitted by: Ralf S. Engelschall
Reviewed by: Ben Laurie
1999-02-25 14:40:29 +00:00
Mark J. Cox
413c4f45ed Updates to the new SSL compression code
[Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)]

Fix so that the version number in the master secret, when passed
     via RSA, checks that if TLS was proposed, but we roll back to SSLv3
     (because the server will not accept higher), that the version number
     is 0x03,0x01, not 0x03,0x00
     [Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)]

Submitted by:
Reviewed by:
PR:
1999-02-16 09:22:21 +00:00
Dr. Stephen Henson
a8236c8c32 Fix various memory leaks in SSL, apps and DSA 1999-02-15 21:05:21 +00:00
Ralf S. Engelschall
dfeab0689f Import of old SSLeay release: SSLeay 0.9.1b (unreleased) 1998-12-21 11:00:56 +00:00
Ralf S. Engelschall
58964a4922 Import of old SSLeay release: SSLeay 0.9.0b 1998-12-21 10:56:39 +00:00
Ralf S. Engelschall
d02b48c63a Import of old SSLeay release: SSLeay 0.8.1b 1998-12-21 10:52:47 +00:00