Commit graph

218 commits

Author SHA1 Message Date
Dr. Stephen Henson
89a5e2f704 missing tab 2012-12-26 19:12:57 +00:00
Dr. Stephen Henson
60938ae772 add -crl_download option to s_server 2012-12-12 03:35:31 +00:00
Dr. Stephen Henson
0090a686c0 Add code to download CRLs based on CRLDP extension.
Just a sample, real world applications would have to be cleverer.
2012-12-06 18:43:40 +00:00
Dr. Stephen Henson
3bf15e2974 Integrate host, email and IP address checks into X509_verify.
Add new verify options to set checks.

Remove previous -check* commands from s_client and s_server.
2012-12-05 18:35:20 +00:00
Dr. Stephen Henson
fdb78f3d88 New option to add CRLs for s_client and s_server. 2012-12-02 16:16:28 +00:00
Dr. Stephen Henson
55b66f084d set cmdline flag in s_server 2012-11-26 12:51:12 +00:00
Dr. Stephen Henson
a5afc0a8f4 Don't display messages about verify depth in s_server if -quiet it set.
Add support for separate verify and chain stores in s_client.
2012-11-23 18:56:25 +00:00
Dr. Stephen Henson
20b431e3a9 Add support for printing out and retrieving EC point formats extension. 2012-11-22 15:20:53 +00:00
Dr. Stephen Henson
1740c9fbfc support -quiet with -msg or -trace 2012-11-21 17:11:42 +00:00
Dr. Stephen Henson
191b3f0ba9 only use a default curve if not already set 2012-11-21 16:47:25 +00:00
Dr. Stephen Henson
22b5d7c80b fix leaks 2012-11-20 00:24:52 +00:00
Dr. Stephen Henson
685755937a with -rev close connection if client sends "CLOSE" 2012-11-19 23:41:24 +00:00
Dr. Stephen Henson
7c8ac50504 update usage messages 2012-11-19 23:20:40 +00:00
Dr. Stephen Henson
9ba297e49f remove obsolete code 2012-11-19 03:46:49 +00:00
Dr. Stephen Henson
b5cadfb564 add -naccept <n> option to s_server to automatically exit after <n> connections 2012-11-18 15:45:16 +00:00
Dr. Stephen Henson
5d2e07f182 Delegate command line handling for many common options in s_client/s_server
to the SSL_CONF APIs.

This is complicated a little because the SSL_CTX structure is not available
when the command line is processed: so just check syntax of commands initially
and store them, ready to apply later.
2012-11-17 14:42:22 +00:00
Dr. Stephen Henson
95bba34b83 contify 2012-11-05 19:38:32 +00:00
Dr. Stephen Henson
671c9e2dc8 oops, fix compilation errors in s_server 2012-10-11 18:03:42 +00:00
Dr. Stephen Henson
a70da5b3ec New functions to check a hostname email or IP address against a
certificate. Add options to s_client, s_server and x509 utilities
to print results of checks.
2012-10-08 15:10:07 +00:00
Dr. Stephen Henson
4f3df8bea2 Add -rev test option to s_server to just reverse order of characters received
by client and send back to server. Also prints an abbreviated summary of
the connection parameters.
2012-09-14 13:27:05 +00:00
Dr. Stephen Henson
2a7cbe77b3 Add -brief option to s_client and s_server to summarise connection details.
New option -verify_quiet to shut up the verify callback unless there is
an error.
2012-09-12 23:14:28 +00:00
Dr. Stephen Henson
0a17b8de06 fix memory leak 2012-09-11 13:43:57 +00:00
Dr. Stephen Henson
147d4c96b0 fix memory leak 2012-09-09 21:19:32 +00:00
Dr. Stephen Henson
ed83ba5321 Add compilation flag to disable certain protocol checks and allow use of
some invalid operations for testing purposes. Currently this can be used
to sign using digests the peer doesn't support, EC curves the peer
doesn't support and use certificates which don't match the type associated
with a ciphersuite.
2012-08-29 13:18:34 +00:00
Dr. Stephen Henson
2ea8035460 Add three Suite B modes to TLS code, supporting RFC6460. 2012-08-15 15:15:05 +00:00
Dr. Stephen Henson
74ecfab401 Add support for certificate stores in CERT structure. This makes it
possible to have different stores per SSL structure or one store in
the parent SSL_CTX. Include distint stores for certificate chain
verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN
to build and store a certificate chain in CERT structure: returing
an error if the chain cannot be built: this will allow applications
to test if a chain is correctly configured.

Note: if the CERT based stores are not set then the parent SSL_CTX
store is used to retain compatibility with existing behaviour.
2012-07-23 23:34:28 +00:00
Dr. Stephen Henson
9f27b1eec3 Add new ctrl to retrieve client certificate types, print out
details in s_client.

Also add ctrl to set client certificate types. If not used sensible values
will be included based on supported signature algorithms: for example if
we don't include any DSA signing algorithms the DSA certificate type is
omitted.

Fix restriction in old code where certificate types would be truncated
if it exceeded TLS_CT_NUMBER.
2012-07-08 14:22:45 +00:00
Dr. Stephen Henson
dd25165968 Fix memory leak.
Always perform nexproto callback argument initialisation in s_server
otherwise we use uninitialised data if -nocert is specified.
2012-07-03 16:37:50 +00:00
Dr. Stephen Henson
657e29c199 cert_flags is unsigned 2012-07-03 14:54:59 +00:00
Dr. Stephen Henson
3dbc46dfcd Separate client and server permitted signature algorithm support: by default
the permitted signature algorithms for server and client authentication
are the same but it is now possible to set different algorithms for client
authentication only.
2012-07-03 12:51:14 +00:00
Dr. Stephen Henson
18d7158809 Add certificate callback. If set this is called whenever a certificate
is required by client or server. An application can decide which
certificate chain to present based on arbitrary criteria: for example
supported signature algorithms. Add very simple example to s_server.
This fixes many of the problems and restrictions of the existing client
certificate callback: for example you can now clear existing certificates
and specify the whole chain.
2012-06-29 14:24:42 +00:00
Dr. Stephen Henson
d61ff83be9 Add new "valid_flags" field to CERT_PKEY structure which determines what
the certificate can be used for (if anything). Set valid_flags field
in new tls1_check_chain function. Simplify ssl_set_cert_masks which used
to have similar checks in it.

Add new "cert_flags" field to CERT structure and include a "strict mode".
This enforces some TLS certificate requirements (such as only permitting
certificate signature algorithms contained in the supported algorithms
extension) which some implementations ignore: this option should be used
with caution as it could cause interoperability issues.
2012-06-28 12:45:49 +00:00
Dr. Stephen Henson
4453cd8c73 Reorganise supported signature algorithm extension processing.
Only store encoded versions of peer and configured signature algorithms.
Determine shared signature algorithms and cache the result along with NID
equivalents of each algorithm.
2012-06-25 14:32:30 +00:00
Dr. Stephen Henson
0f229cce65 Add support for application defined signature algorithms for use with
TLS v1.2. These are sent as an extension for clients and during a certificate
request for servers.

TODO: add support for shared signature algorithms, respect shared algorithms
when deciding which ciphersuites and certificates to permit.
2012-06-22 14:03:31 +00:00
Dr. Stephen Henson
93ab9e421e Initial record tracing code. Print out all fields in SSL/TLS records
for debugging purposes. Needs "enable-ssl-trace" configuration option.
2012-06-15 12:46:09 +00:00
Ben Laurie
7a71af86ce Rearrange and test authz extension. 2012-06-07 13:20:47 +00:00
Ben Laurie
71fa451343 Version skew reduction: trivia (I hope). 2012-06-03 22:00:21 +00:00
Ben Laurie
a9e1c50bb0 RFC 5878 support. 2012-05-30 10:10:58 +00:00
Dr. Stephen Henson
fc6fc7ff38 Add options to set additional type specific certificate chains to
s_server.
2012-04-11 16:53:11 +00:00
Dr. Stephen Henson
a43526302f Add support for automatic ECDH temporary key parameter selection. When
enabled instead of requiring an application to hard code a (possibly
inappropriate) parameter set and delve into EC internals we just
automatically use the preferred curve.
2012-04-05 13:38:27 +00:00
Dr. Stephen Henson
d0595f170c Initial revision of ECC extension handling.
Tidy some code up.

Don't allocate a structure to handle ECC extensions when it is used for
default values.

Make supported curves configurable.

Add ctrls to retrieve shared curves: not fully integrated with rest of
ECC code yet.
2012-03-28 15:05:04 +00:00
Dr. Stephen Henson
bbbe61c958 Always use SSLv23_{client,server}_method in s_client.c and s_server.c,
the old code came from SSLeay days before TLS was even supported.
2012-03-18 18:16:46 +00:00
Dr. Stephen Henson
e7f8ff4382 New ctrls to retrieve supported signature algorithms and curves and
extensions to s_client and s_server to print out retrieved valued.

Extend CERT structure to cache supported signature algorithm data.
2012-03-06 14:28:21 +00:00
Dr. Stephen Henson
be81f4dd81 PR: 2716
Submitted by: Adam Langley <agl@google.com>

Fix handling of exporter return value and use OpenSSL indentation in
s_client, s_server.
2012-02-11 23:20:53 +00:00
Dr. Stephen Henson
9641be2aac PR: 2714
Submitted by: Tomas Mraz <tmraz@redhat.com>

Make no-srp work.
2012-02-10 19:43:14 +00:00
Andy Polyakov
a50bce82ec Sanitize usage of <ctype.h> functions. It's important that characters
are passed zero-extended, not sign-extended.
PR: 2682
2012-01-12 16:21:35 +00:00
Dr. Stephen Henson
4817504d06 PR: 2658
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Support for TLS/DTLS heartbeats.
2011-12-31 22:59:57 +00:00
Dr. Stephen Henson
c79f22c63a PR: 1794
Submitted by: Peter Sylvester <peter.sylvester@edelweb.fr>
Reviewed by: steve

- remove some unncessary SSL_err and permit
an srp user callback to allow a worker to obtain
a user verifier.

- cleanup and comments in s_server and demonstration
for asynchronous srp user lookup
2011-12-27 14:21:45 +00:00
Dr. Stephen Henson
f9b0b45238 New ctrl values to clear or retrieve extra chain certs from an SSL_CTX.
New function to retrieve compression method from SSL_SESSION structure.

Delete SSL_SESSION_get_id_len and SSL_SESSION_get0_id functions
as they duplicate functionality of SSL_SESSION_get_id. Note: these functions
have never appeared in any release version of OpenSSL.
2011-12-22 15:14:32 +00:00
Ben Laurie
e0af04056c Add TLS exporter. 2011-11-15 23:50:52 +00:00