wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
12060 commits 20 branches 302 tags 153 MiB
Commit graph

1624 commits

Author SHA1 Message Date
Scott Deboy
e9add063b5 Re-add alert variables removed during rebase 
Whitespace fixes
 2014-02-05 18:25:46 +00:00
Scott Deboy
ac20719d99 Update custom TLS extension and supplemental data 'generate' callbacks to support sending an alert. 
If multiple TLS extensions are expected but not received, the TLS extension and supplemental data 'generate' callbacks are the only chance for the receive-side to trigger a specific TLS alert during the handshake.

Removed logic which no-op'd TLS extension generate callbacks (as the generate callbacks need to always be called in order to trigger alerts), and updated the serverinfo-specific custom TLS extension callbacks to track which custom TLS extensions were received by the client, where no-ops for 'generate' callbacks are appropriate.
 2014-02-05 18:25:46 +00:00
Dr. Stephen Henson
3323314fc1 Add cert callback retry test. 2014-01-26 16:29:50 +00:00
Piotr Sikora
2911575c6e Fix compilation with no-nextprotoneg. 
PR#3106
 2013-11-14 01:20:12 +00:00
Dr. Stephen Henson
ec2f7e568e Extend SSL_CONF 
Extend SSL_CONF to return command value types.

Add certificate and key options.

Update documentation.
 2013-10-20 22:07:36 +01:00
Ben Laurie
c45a48c186 Constification. 2013-10-07 12:45:26 +01:00
Ben Laurie
70d416ec35 Produce PEM we would consume. 2013-09-25 13:57:36 +01:00
Ben Laurie
9725bda766 Show useful errors. 
Conflicts:
	apps/s_server.c
 2013-09-25 12:45:48 +01:00
Mat
5628ec6673 typo 2013-09-13 14:29:36 +01:00
Scott Deboy
b0d27cb902 Initialize next_proto in s_server - resolves incorrect attempts to free 2013-09-11 17:22:00 -07:00
Dr. Stephen Henson
5e3ff62c34 Experimental encrypt-then-mac support. 
Experimental support for encrypt then mac from
draft-gutmann-tls-encrypt-then-mac-02.txt

To enable it set the appropriate extension number (0x10 for the test server)
using e.g. -DTLSEXT_TYPE_encrypt_then_mac=0x10

For non-compliant peers (i.e. just about everything) this should have no
effect.
 2013-09-08 13:14:03 +01:00
Ben Laurie
1769dfab06 Const fix. 2013-09-06 14:03:28 +01:00
Scott Deboy
67c408cee9 Free generated supp data after handshake completion, add comment regarding use of num_renegotiations in TLS and supp data generation callbacks 2013-09-06 13:59:14 +01:00
Ben Laurie
5eda213ebe More cleanup. 2013-09-06 13:59:14 +01:00
Ben Laurie
a6a48e87bc Make it build. 2013-09-06 13:59:13 +01:00
Scott Deboy
36086186a9 Add callbacks supporting generation and retrieval of supplemental data entries, facilitating RFC 5878 (TLS auth extensions) 
Removed prior audit proof logic - audit proof support was implemented using the generic TLS extension API
Tests exercising the new supplemental data registration and callback api can be found in ssltest.c.
Implemented changes to s_server and s_client to exercise supplemental data callbacks via the -auth argument, as well as additional flags to exercise supplemental data being sent only during renegotiation.
 2013-09-06 13:59:13 +01:00
Veres Lajos
478b50cf67 misspellings fixes by https://github.com/vlajos/misspell_fixer 2013-09-05 21:39:42 +01:00
Ben Laurie
d2625fd657 Clean up layout. 2013-09-05 17:28:05 +01:00
Carlos Alberto Lopez Perez
b98af49d97 Add an "-xmpphost" option to s_client 
* Many XMPP servers are configured with multiple domains (virtual hosts)
 * In order to establish successfully the TLS connection you have to specify
   which virtual host you are trying to connect.
 * Test this, for example with ::
   * Fail:
       openssl s_client -connect talk.google.com:5222 -starttls xmpp
   * Works:
       openssl s_client -connect talk.google.com:5222 -starttls xmpp -xmpphost gmail.com
 2013-09-05 17:24:56 +01:00
Carlos Alberto Lopez Perez
4249d4ba86 Fix infinite loop on s_client starttls xmpp 
* When the host used in "-connect" is not what the remote XMPP server expects
   the server will return an error like this:
     <stream:error>
       <host-unknown xmlns='urn:ietf:params:xml:ns:xmpp-streams'/>
     </stream:error>
 * But the actual code will stay on the loop forever because the stop condition
   "/stream:features>" will never happen,
 * Make this more robust: The stop condition should be that BIO_read failed
 * Test if for example with ::

    openssl s_client  -connect random.jabb3r.net:5222 -starttls xmpp
 2013-09-05 17:24:56 +01:00
Carlos Alberto Lopez Perez
4e48c77572 Fix XMPP code detection on s_client starttls xmpp 
* Some XMPP Servers (OpenFire) use double quotes.
 * This makes s_client starttls work with this servers.
 * Tested with OpenFire servers from http://xmpp.net/ ::

     openssl s_client -connect coderollers.com:5222 -starttls xmpp
 2013-09-05 17:24:55 +01:00
Dr. Stephen Henson
fcb2bcfe65 Typo: don't call RAND_cleanup during app startup. 
(cherry picked from commit 90e7f983b5)
 2013-08-18 19:06:51 +01:00
Dr. Stephen Henson
14536c8c9c Make no-ec compilation work. 2013-08-17 17:41:13 +01:00
Adam Langley
a898936218 Add tests for ALPN functionality. 
Conflicts:
	ssl/ssltest.c
 2013-07-22 15:47:48 +01:00
Adam Langley
6f017a8f9d Support ALPN. 
This change adds support for ALPN[1] in OpenSSL. ALPN is the IETF
blessed version of NPN and we'll be supporting both ALPN and NPN for
some time yet.

[1] https://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-00

Conflicts:
	ssl/ssl3.h
	ssl/t1_lib.c
 2013-07-22 15:28:20 +01:00
Dr. Stephen Henson
5711885a2b Custom key wrap option for cms utility. 2013-07-17 21:45:01 +01:00
Dr. Stephen Henson
02498cc885 Add -keyopt option to cms utility. 
Add support for custom public key parameters in the cms utility using
the -keyopt switch. Works for -sign and also -encrypt if -recip is used.
 2013-06-21 23:43:06 +01:00
Trevor
a398f821fa Add support for arbitrary TLS extensions. 
Contributed by Trevor Perrin.
 2013-06-12 17:01:13 +01:00
Dr. Stephen Henson
c6913eeb76 Dual DTLS version methods. 
Add new methods DTLS_*_method() which support both DTLS 1.0 and DTLS 1.2 and
pick the highest version the peer supports during negotiation.

As with SSL/TLS options can change this behaviour specifically
SSL_OP_NO_DTLSv1 and SSL_OP_NO_DTLSv1_2.
 2013-04-09 14:02:48 +01:00
Dr. Stephen Henson
3d1160d58b Call RAND_cleanup in openssl application. 
(cherry picked from commit 944bc29f90)
 2013-03-28 14:29:39 +00:00
Dr. Stephen Henson
c3b344e36a Provisional DTLS 1.2 support. 
Add correct flags for DTLS 1.2, update s_server and s_client to handle
DTLS 1.2 methods.

Currently no support for version negotiation: i.e. if client/server selects
DTLS 1.2 it is that or nothing.
 2013-03-26 15:16:41 +00:00
Andy Polyakov
a006fef78e Improve WINCE support. 
Submitted by: Pierre Delaage
 2013-01-19 21:23:13 +01:00
Dr. Stephen Henson
4badfebefc Typo (PR2959). 2013-01-17 18:20:18 +00:00
Dr. Stephen Henson
abd01ea214 Change default bits to 1024 2013-01-07 16:18:31 +00:00
Dr. Stephen Henson
b252cf0d98 make JPAKE work again, fix memory leaks 2012-12-29 23:38:20 +00:00
Dr. Stephen Henson
89a5e2f704 missing tab 2012-12-26 19:12:57 +00:00
Dr. Stephen Henson
09d0d67c13 add missing newline 2012-12-21 16:24:48 +00:00
Dr. Stephen Henson
bbdfbacdef add -rmd option to set OCSP response signing digest 2012-12-16 00:10:03 +00:00
Dr. Stephen Henson
99fc818e93 Return success when the responder is active. 
Don't verify our own responses.
 2012-12-15 02:56:02 +00:00
Dr. Stephen Henson
265f835e3e typo 2012-12-15 00:29:12 +00:00
Dr. Stephen Henson
33826fd028 Add support for '-' as input and output filenames in ocsp utility. 
Recognise verification arguments.
 2012-12-14 23:30:56 +00:00
Dr. Stephen Henson
92821996de oops, revert, committed in error 2012-12-14 23:29:58 +00:00
Dr. Stephen Henson
11e2957d5f apps/ocsp.c 2012-12-14 23:28:19 +00:00
Dr. Stephen Henson
51e7a4378a New verify flag to return success if we have any certificate in the 
trusted store instead of the default which is to return an error if
we can't build the complete chain.
 2012-12-13 18:14:46 +00:00
Dr. Stephen Henson
60938ae772 add -crl_download option to s_server 2012-12-12 03:35:31 +00:00
Dr. Stephen Henson
4e71d95260 add -cert_chain option to s_client 2012-12-12 00:50:26 +00:00
Ben Laurie
fefc111a2a Make openssl verify return errors. 2012-12-11 16:05:14 +00:00
Dr. Stephen Henson
1e8b9e7e69 add -badsig option to ocsp utility too. 2012-12-09 16:21:46 +00:00
Ben Laurie
30c278aa6b Fix OCSP checking. 2012-12-07 18:47:47 +00:00
Dr. Stephen Henson
0090a686c0 Add code to download CRLs based on CRLDP extension. 
Just a sample, real world applications would have to be cleverer.
 2012-12-06 18:43:40 +00:00
Dr. Stephen Henson
f5a7d5b164 remove print_ssl_cert_checks() from openssl application: it is no longer used 2012-12-06 18:36:51 +00:00
Dr. Stephen Henson
3bf15e2974 Integrate host, email and IP address checks into X509_verify. 
Add new verify options to set checks.

Remove previous -check* commands from s_client and s_server.
 2012-12-05 18:35:20 +00:00
Dr. Stephen Henson
fbeb85ecb9 don't print verbose policy check messages when -quiet is selected even on error 2012-12-04 23:18:44 +00:00
Dr. Stephen Henson
2e8cb108dc initial support for delta CRL generations by diffing two full CRLs 2012-12-04 18:35:36 +00:00
Dr. Stephen Henson
256f9573c5 make -subj always override config file 2012-12-04 18:35:04 +00:00
Dr. Stephen Henson
b6b094fb77 check mval for NULL too 2012-12-04 17:25:34 +00:00
Dr. Stephen Henson
0db46a7dd7 fix leak 2012-12-03 16:32:52 +00:00
Dr. Stephen Henson
2537d46903 oops, really check brief mode only ;-) 2012-12-03 03:40:57 +00:00
Dr. Stephen Henson
5447f836a0 don't check errno is zero, just print out message 2012-12-03 03:39:23 +00:00
Dr. Stephen Henson
66d9f2e521 if no error code and -brief selected print out connection closed instead of read error 2012-12-03 03:33:44 +00:00
Dr. Stephen Henson
139cd16cc5 add -badsig option to corrupt CRL signatures for testing too 2012-12-02 16:48:25 +00:00
Dr. Stephen Henson
fdb78f3d88 New option to add CRLs for s_client and s_server. 2012-12-02 16:16:28 +00:00
Dr. Stephen Henson
95ea531864 add option to get a certificate or CRL from a URL 2012-12-02 14:00:22 +00:00
Dr. Stephen Henson
df316fd43c Add new test option set the version in generated certificates: this 
is needed to test some profiles/protocols which reject certificates
with unsupported versions.
 2012-11-30 19:24:13 +00:00
Dr. Stephen Henson
84bafb7471 Print out point format list for clients too. 2012-11-26 18:39:38 +00:00
Dr. Stephen Henson
55b66f084d set cmdline flag in s_server 2012-11-26 12:51:12 +00:00
Dr. Stephen Henson
96cfba0fb4 option to output corrupted signature in certificates for testing purposes 2012-11-25 22:29:52 +00:00
Dr. Stephen Henson
a5afc0a8f4 Don't display messages about verify depth in s_server if -quiet it set. 
Add support for separate verify and chain stores in s_client.
 2012-11-23 18:56:25 +00:00
Dr. Stephen Henson
20b431e3a9 Add support for printing out and retrieving EC point formats extension. 2012-11-22 15:20:53 +00:00
Dr. Stephen Henson
1740c9fbfc support -quiet with -msg or -trace 2012-11-21 17:11:42 +00:00
Dr. Stephen Henson
191b3f0ba9 only use a default curve if not already set 2012-11-21 16:47:25 +00:00
Dr. Stephen Henson
5c1393bfc3 PR: 2908 
Submitted by: Dmitry Belyavsky <beldmit@gmail.com>

Fix DH double free if parameter generation fails.
 2012-11-21 14:02:40 +00:00
Dr. Stephen Henson
f7ac0ec89d fix printout of expiry days if -enddate is used in ca 2012-11-20 15:22:15 +00:00
Dr. Stephen Henson
22b5d7c80b fix leaks 2012-11-20 00:24:52 +00:00
Dr. Stephen Henson
685755937a with -rev close connection if client sends "CLOSE" 2012-11-19 23:41:24 +00:00
Dr. Stephen Henson
7c8ac50504 update usage messages 2012-11-19 23:20:40 +00:00
Dr. Stephen Henson
98a7edf9f0 make depend 2012-11-19 13:18:09 +00:00
Dr. Stephen Henson
7831969634 don't call gethostbyname if OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL is set 2012-11-19 12:36:04 +00:00
Dr. Stephen Henson
9ba297e49f remove obsolete code 2012-11-19 03:46:49 +00:00
Dr. Stephen Henson
b5cadfb564 add -naccept <n> option to s_server to automatically exit after <n> connections 2012-11-18 15:45:16 +00:00
Dr. Stephen Henson
9fc81acae6 fix error messages 2012-11-17 15:22:50 +00:00
Dr. Stephen Henson
5d2e07f182 Delegate command line handling for many common options in s_client/s_server 
to the SSL_CONF APIs.

This is complicated a little because the SSL_CTX structure is not available
when the command line is processed: so just check syntax of commands initially
and store them, ready to apply later.
 2012-11-17 14:42:22 +00:00
Dr. Stephen Henson
51b9115b6d new command line option -stdname to ciphers utility 2012-11-16 00:35:46 +00:00
Dr. Stephen Henson
95bba34b83 contify 2012-11-05 19:38:32 +00:00
Dr. Stephen Henson
671c9e2dc8 oops, fix compilation errors in s_server 2012-10-11 18:03:42 +00:00
Dr. Stephen Henson
a70da5b3ec New functions to check a hostname email or IP address against a 
certificate. Add options to s_client, s_server and x509 utilities
to print results of checks.
 2012-10-08 15:10:07 +00:00
Andy Polyakov
27e0c86307 md5-sparcv9.pl: more accurate performance result. 2012-09-28 09:25:49 +00:00
Dr. Stephen Henson
4f3df8bea2 Add -rev test option to s_server to just reverse order of characters received 
by client and send back to server. Also prints an abbreviated summary of
the connection parameters.
 2012-09-14 13:27:05 +00:00
Dr. Stephen Henson
2a7cbe77b3 Add -brief option to s_client and s_server to summarise connection details. 
New option -verify_quiet to shut up the verify callback unless there is
an error.
 2012-09-12 23:14:28 +00:00
Dr. Stephen Henson
0a17b8de06 fix memory leak 2012-09-11 13:43:57 +00:00
Dr. Stephen Henson
147d4c96b0 fix memory leak 2012-09-09 21:19:32 +00:00
Dr. Stephen Henson
648f551a4a New -valid option to add a certificate to the ca index.txt that is valid and not revoked 2012-09-09 12:58:49 +00:00
Dr. Stephen Henson
33a8de69dc new ctrl to retrive value of received temporary key in server key exchange message, print out details in s_client 2012-09-08 13:59:51 +00:00
Dr. Stephen Henson
319354eb6c store and print out message digest peer signed with in TLS 1.2 2012-09-07 12:53:42 +00:00
Dr. Stephen Henson
ed83ba5321 Add compilation flag to disable certain protocol checks and allow use of 
some invalid operations for testing purposes. Currently this can be used
to sign using digests the peer doesn't support, EC curves the peer
doesn't support and use certificates which don't match the type associated
with a ciphersuite.
 2012-08-29 13:18:34 +00:00
Bodo Möller
619aab841c Oops - didn't mean to change Makefile on previous submit 2012-08-16 13:49:34 +00:00
Bodo Möller
a4aafeeef4 Enable message names for TLS 1.1, 1.2 with -msg. 2012-08-16 13:41:40 +00:00
Dr. Stephen Henson
2ea8035460 Add three Suite B modes to TLS code, supporting RFC6460. 2012-08-15 15:15:05 +00:00
Dr. Stephen Henson
3ad344a517 add suite B chain validation flags and associated verify errors 2012-08-03 13:51:43 +00:00
Dr. Stephen Henson
6dbb6219e7 Make tls1_check_chain return a set of flags indicating checks passed 
by a certificate chain. Add additional tests to handle client
certificates: checks for matching certificate type and issuer name
comparison.

Print out results of checks for each candidate chain tested in
s_server/s_client.
 2012-07-27 13:39:23 +00:00