Commit graph

153 commits

Author SHA1 Message Date
Nils Larsch
33ac8b3139 don't try to load cert/key when the "-nocert" option is set 2005-09-02 12:44:59 +00:00
Nils Larsch
4ebb342fcd Let the TLSv1_method() etc. functions return a const SSL_METHOD
pointer and make the SSL_METHOD parameter in SSL_CTX_new,
SSL_CTX_set_ssl_version and SSL_set_ssl_method const.
2005-08-14 21:48:33 +00:00
Nils Larsch
3eeaab4bed make
./configure no-deprecated [no-dsa] [no-dh] [no-ec] [no-rsa]
    	make depend all test
work again

PR: 1159
2005-07-16 12:37:36 +00:00
Richard Levitte
b29228836a DJGPP changes. Contributed by Doug Kaufman <dkaufman@rahul.net> 2005-05-30 22:37:44 +00:00
Nils Larsch
9dd8405341 ecc api cleanup; summary:
- hide the EC_KEY structure definition in ec_lcl.c + add
  some functions to use/access the EC_KEY fields
- change the way how method specific data (ecdsa/ecdh) is
  attached to a EC_KEY
- add ECDSA_sign_ex and ECDSA_do_sign_ex functions with
  additional parameters for pre-computed values
- rebuild libeay.num from 0.9.7
2005-05-16 10:11:04 +00:00
Nils Larsch
8b15c74018 give EC_GROUP_new_by_nid a more meanigful name:
EC_GROUP_new_by_nid -> EC_GROUP_new_by_curve_name
2005-05-10 11:37:47 +00:00
Dr. Stephen Henson
4e321ffaff Fixes for signed/unsigned warnings and shadows. 2005-04-26 17:43:53 +00:00
Ben Laurie
36d16f8ee0 Add DTLS support. 2005-04-26 16:02:40 +00:00
Ben Laurie
e9ad6665a5 Add debug target, remove cast, note possible bug. 2005-04-23 06:05:24 +00:00
Nils Larsch
eb3eab20a8 const fixes 2005-04-07 22:48:33 +00:00
Nils Larsch
7d727231b7 some const fixes 2005-04-05 19:11:19 +00:00
Dr. Stephen Henson
826a42a088 PR: 910
Add command line options -certform, -keyform and -pass to s_client and
s_server. This supports the use of alternative passphrase sources, key formats
and keys handled by an ENGINE.

Update docs.
2004-11-16 17:30:59 +00:00
Richard Levitte
2549564009 On systems that use case-insensitive symbol names (i.e. they're all
converted to upper case or something like that), the application-
level bio_dump_cb() has a name clash with the new library function
BIO_dump_cb().  The easiest fix is to rename the function at the
application level.
2004-08-12 08:58:55 +00:00
Geoff Thorpe
bcfea9fb25 Allow RSA key-generation to specify an arbitrary public exponent. Jelte
proposed the change and submitted the patch, I jiggled it slightly and
adjusted the other parts of openssl that were affected.

PR: 867
Submitted by: Jelte Jansen
Reviewed by: Geoff Thorpe
2004-04-26 15:31:35 +00:00
Richard Levitte
4d8743f490 Netware-specific changes,
PR: 780
Submitted by: Verdon Walker <VWalker@novell.com>
Reviewed by: Richard Levitte
2003-11-28 13:10:58 +00:00
Geoff Thorpe
2aaec9cced Update any code that was using deprecated functions so that everything builds
and links with OPENSSL_NO_DEPRECATED defined.
2003-10-29 04:14:08 +00:00
Richard Levitte
3d7c4a5a6d Selected changes for MSDOS, contributed by Gisle Vanem <giva@bgnett.no>.
PR: 669
2003-09-27 21:56:08 +00:00
Richard Levitte
253e893c2b Include the instance in the Kerberos ticket information.
In s_server, print the received Kerberos information.
PR: 693
2003-09-27 17:55:13 +00:00
Richard Levitte
3ae70939ba Correct a lot of printing calls. Remove extra arguments... 2003-04-03 23:39:48 +00:00
Richard Levitte
0b13e9f055 Add the possibility to build without the ENGINE framework.
PR: 287
2003-01-30 17:39:26 +00:00
Geoff Thorpe
5daec7ea0e Undefine OPENSSL_NO_DEPRECATED inside openssl application code if we are
being built with it defined - it is not a symbol to affect how openssl
itself builds, but to alter the way openssl headers can be used from an API
point of view. The "deprecated" function wrappers will always remain inside
OpenSSL at least as long as they're still being used internally. :-)

The exception is dsaparam which has been updated to the BN_GENCB-based
functions to test the new functionality. If GENCB_TEST is defined, dsaparam
will support a "-timebomb <n>" switch to cancel parameter-generation if it
gets as far as 'n' seconds without completion.
2002-12-08 05:38:44 +00:00
Richard Levitte
1c3e4a3660 EXIT() may mean return(). That's confusing, so let's have it really mean
exit() in whatever way works for the intended platform, and define
OPENSSL_EXIT() to have the old meaning (the name is of course because
it's only used in the openssl program)
2002-12-03 16:33:03 +00:00
Richard Levitte
4579924b7e Cleanse memory using the new OPENSSL_cleanse() function.
I've covered all the memset()s I felt safe modifying, but may have missed some.
2002-11-28 08:04:36 +00:00
Richard Levitte
0bf23d9b20 WinCE patches 2002-11-15 22:37:18 +00:00
Richard Levitte
8d6e60486f Fix to build better with DJGPP.
PR: 338

Here's the description, submitted by Gisle Vanem <giva@bgnett.no>:

1. sock_init() renamed to ssl_sock_init() in ./apps/s_socket.c due
   to name-clash with Watt-32.

2. rand() renamed to Rand() in ./crypto/bn/divtest.c due to name-clash
   with <stdlib.h>

3. Added calls to dbug_init()/sock_init() in some demo programs.

4. Changed cflags/lflags in configure. Watt-32 install root now taken
   from $WATT_ROOT.
2002-11-14 11:22:01 +00:00
Ben Laurie
54a656ef08 Security fixes brought forward from 0.9.7. 2002-11-13 15:43:43 +00:00
Bodo Möller
0fd05a2f0f fix warnings (CHARSET_EBCDIC)
Submitted by: Lorinczy Zsigmond <lzsiga@mail.ahiv.hu>
2002-08-15 14:52:54 +00:00
Bodo Möller
7eb18f1237 Simplify handling of named curves: get rid of EC_GROUP_new_by_name(),
EC_GROUP_new_by_nid() should be enough.  This avoids a lot of
redundancy.

Submitted by: Nils Larsch
2002-08-15 09:21:31 +00:00
Bodo Möller
ea26226046 ECC ciphersuite support
Submitted by: Douglas Stebila <douglas.stebila@sun.com>
(Authors: Vipul Gupta and Sumit Gupta, Sun Microsystems Laboratories)
2002-08-09 08:56:08 +00:00
Richard Levitte
cead7f36da Set up the engine before doing anything random-related, since engine randomness
is only used for seeding and doing it in the wrong order will mean seeding
is done before the engine randomness is hooked in.
Notified by Frederic DONNAT <frederic.donnat@zencod.com>
2002-07-16 06:52:03 +00:00
Dr. Stephen Henson
3647bee263 Config code updates.
CONF_modules_unload() now calls CONF_modules_finish()
automatically.

Default use of section openssl_conf moved to
CONF_modules_load()

Load config file in several openssl utilities.

Most utilities now load modules from the config file,
though in a few (such as version) this isn't done
because it couldn't be used for anything.

In the case of ca and req the config file used is
the same as the utility itself: that is the -config
command line option can be used to specify an
alternative file.
2002-02-22 14:01:21 +00:00
Bodo Möller
4d94ae00d5 ECDSA support
Submitted by: Nils Larsch <nla@trustcenter.de>
2002-02-13 18:21:51 +00:00
Bodo Möller
a661b65357 New functions SSL[_CTX]_set_msg_callback().
New macros SSL[_CTX]_set_msg_callback_arg().

Message callback imlementation for SSL 3.0/TLS 1.0 (no SSL 2.0 yet).

New '-msg' option for 'openssl s_client' and 'openssl s_server'
that enable a message callback that displays all protocol messages.


In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert if
client_version is smaller than the protocol version in use.
Also change ssl23_get_client_hello (ssl/s23_srvr.c) to select TLS 1.0
if the client demanded SSL 3.0 but only TLS 1.0 is enabled; then the
client will at least see that alert.

Fix SSL[_CTX]_ctrl prototype (void * instead of char * for generic
pointer).

Add/update some OpenSSL copyright notices.
2001-10-20 17:56:36 +00:00
Geoff Thorpe
1372965e2e Reduce the header dependencies on engine.h in apps/. 2001-09-12 02:39:06 +00:00
Lutz Jänicke
e9eb000c53 Oops, one SSL_OP_NON_EXPORT_FIRST was left. 2001-08-03 13:05:44 +00:00
Richard Levitte
2a1ef75435 Patches from Vern Staats <staatsvr@asc.hpc.mil> to get Kerberos 5 in
SSL according to RFC 2712.  His comment is:

This is a patch to openssl-SNAP-20010702 to support Kerberized SSL
authentication.  I'm expecting to have the full kssl-0.5 kit up on
sourceforge by the end of the week.  The full kit includes patches
for mod-ssl, apache, and a few text clients.  The sourceforge URL
is http://sourceforge.net/projects/kssl/ .

Thanks to a note from Simon Wilkinson I've replaced my KRB5 AP_REQ
message with a real KerberosWrapper struct.  I think this is fully
RFC 2712 compliant now, including support for the optional
authenticator field.  I also added openssl-style ASN.1 macros for
a few Kerberos structs; see crypto/krb5/ if you're interested.
2001-07-09 21:46:58 +00:00
Richard Levitte
c04f8cf44a Use apps_shutdown() in all applications, in case someone decides not
to go the monolith way (does anyone do that these days?).

NOTE: a few applications are missing in this commit.  I've a few more
changes in them that I haven't tested yet.
2001-06-23 16:37:32 +00:00
Richard Levitte
531d630b5c Provide an application-common setup function for engines and use it
everywhere.
2001-06-18 06:22:33 +00:00
Dr. Stephen Henson
bdee69f718 Allow various X509_STORE_CTX properties to be
inherited from X509_STORE.

Add CRL checking options to other applications.
2001-05-09 00:30:39 +00:00
Bodo Möller
50b8ba0201 avoid buffer overflow 2001-03-31 07:48:07 +00:00
Bodo Möller
b10ae320f7 this time *really* fix the /../ check ... 2001-03-30 14:55:50 +00:00
Bodo Möller
5d3ab9b096 For -WWW, fix test for ".." directory references (and avoid warning for
index -1).
2001-03-30 10:47:21 +00:00
Richard Levitte
251cb4cfed For some experiments, it is sometimes nice to serve files with complete
HTTP responses.
2001-03-10 16:20:52 +00:00
Geoff Thorpe
e3a9164073 I missed one. 2001-02-23 00:09:50 +00:00
Geoff Thorpe
1aa0d94781 This adds command-line support to s_server for controlling the generation
of session IDs. Namely, passing "-id_prefix <text>" will set a
generate_session_id() callback that generates session IDs as random data
with <text> block-copied over the top of the start of the ID. This can be
viewed by watching the session ID s_client's output when it connects.

This is mostly useful for testing any SSL/TLS code (eg. proxies) that wish
to deal with multiple servers, when each of which might be generating a
unique range of session IDs (eg. with a certain prefix).
2001-02-21 18:38:48 +00:00
Richard Levitte
be1bd9239f Get e_os2.h to get all the system definitions correctly. 2001-02-20 14:07:03 +00:00
Richard Levitte
56dde3ebe6 Include opensslconf.h or the like early to make sure system macros get
correctly defined.
2001-02-20 13:11:54 +00:00
Bodo Möller
ff055b5c89 honour '-no_tmp_rsa' 2001-02-20 12:59:48 +00:00
Richard Levitte
bc36ee6227 Use new-style system-id macros everywhere possible. I hope I haven't
missed any.

This compiles and runs on Linux, and external applications have no
problems with it.  The definite test will be to build this on VMS.
2001-02-20 08:13:47 +00:00
Richard Levitte
cf1b7d9664 Make all configuration macros available for application by making
sure they are available in opensslconf.h, by giving them names starting
with "OPENSSL_" to avoid conflicts with other packages and by making
sure e_os2.h will cover all platform-specific cases together with
opensslconf.h.

I've checked fairly well that nothing breaks with this (apart from
external software that will adapt if they have used something like
NO_KRB5), but I can't guarantee it completely, so a review of this
change would be a good thing.
2001-02-19 16:06:34 +00:00
Lutz Jänicke
52b621db88 Add "-rand" option to s_client and s_server. 2001-02-15 10:22:07 +00:00
Lutz Jänicke
836f996010 New Option SSL_OP_CIPHER_SERVER_PREFERENCE allows TLS/SSLv3 server to override
the clients choice; in SSLv2 the client uses the server's preferences.
2001-02-09 19:56:31 +00:00
Richard Levitte
f9b3bff6f7 First tentative impementation of Kerberos 5 cryptos and keys for SSL/TLS. Implemented by Vern Staats <staatsvr@asc.hpc.mil>, further hacked and distributed by Jeffrey Altman <jaltnab@columbia.edu> 2000-11-30 22:53:34 +00:00
Bodo Möller
15d52ddb55 Never call load_dh_param(NULL) because this leads to an illegal
fopen(NULL).
2000-11-02 10:35:10 +00:00
Richard Levitte
5270e7025e Merge the engine branch into the main trunk. All conflicts resolved.
At the same time, add VMS support for Rijndael.
2000-10-26 21:07:28 +00:00
Richard Levitte
26a3a48d65 There have been a number of complaints from a number of sources that names
like Malloc, Realloc and especially Free conflict with already existing names
on some operating systems or other packages.  That is reason enough to change
the names of the OpenSSL memory allocation macros to something that has a
better chance of being unique, like prepending them with OPENSSL_.

This change includes all the name changes needed throughout all C files.
2000-06-01 22:19:21 +00:00
Bodo Möller
a2a0158959 Fix some bugs and document others 2000-02-21 17:09:54 +00:00
Ralf S. Engelschall
667ac4ec6a Make gcc 2.95.2 happy again, even under ``-Wall -Wshadow -Wpointer-arith -Wcast-align
-Wmissing-prototypes -Wmissing-declarations -Wnested-externs -Winline''.
2000-02-11 09:47:18 +00:00
Dr. Stephen Henson
af57d84312 Rename SSLeay_add_all_algorithms() et al to
OpenSSL_add_all_algorithms(). Move these into
separate files so they work properly.
2000-02-04 14:01:38 +00:00
Ulf Möller
657e60fa00 ispell (and minor modifications) 2000-02-03 23:23:24 +00:00
Dr. Stephen Henson
82fc1d9c28 Add new -notext option to 'ca', -pubkey option to spkac.
Remove some "WTF??" casts from applications.

Fixes to keep VC++ happy and avoid warnings.

Docs tidy.
2000-02-03 02:56:48 +00:00
Ulf Möller
51ca375e7e Seek out and destroy another evil cast. 2000-01-30 23:33:40 +00:00
Dr. Stephen Henson
fabce04122 Make s_server, s_client check cipher list return codes.
Update docs.
2000-01-23 02:28:08 +00:00
Ulf Möller
aa82db4fb4 Add missing #ifndefs that caused missing symbols when building libssl
as a shared library without RSA.  Use #ifndef NO_SSL2 instead of
NO_RSA in ssl/s2*.c.

Submitted by: Kris Kennaway <kris@hub.freebsd.org>
Modified by Ulf Möller
2000-01-16 21:10:00 +00:00
Dr. Stephen Henson
dd4134101f Change the trust and purpose code so it doesn't need init
either and has a static and dynamic mix.
1999-12-02 02:33:56 +00:00
Dr. Stephen Henson
bb7cd4e3eb Remainder of SSL purpose and trust code: trust and purpose setting in
SSL_CTX and SSL, functions to set them and defaults if no values set.
1999-11-29 22:35:00 +00:00
Bodo Möller
a31011e8e0 Various randomness handling bugfixes and improvements --
some utilities that should have used RANDFILE did not,
and -rand handling was broken except in genrsa.
1999-10-26 01:56:29 +00:00
Dr. Stephen Henson
3908cdf442 New option -dhparam to s_server to allow the DH parameter file to be set
explicitly. Previously it couldn't be changed because it was hard coded as
"server.pem".
1999-10-04 23:56:06 +00:00
Bodo Möller
dd73193c83 Honor BUFSIZZ definition in s_server, don't use tiny 32 byte
buffer (which leads to truncation of client cipher list).
1999-09-25 11:24:53 +00:00
Bodo Möller
4ad378ea43 Bugfix: avoid opening CAfile when it's NULL. 1999-09-24 20:27:20 +00:00
Dr. Stephen Henson
06f4536a61 Fix to make s_client and s_server work under Windows. A bit of a hack but
an improvement on not working at all.
1999-09-20 22:09:17 +00:00
Bodo Möller
b74ba295da Reinitialize global variables when necessary (for monolith application). 1999-09-03 23:08:45 +00:00
Bodo Möller
1b1a6e7808 -crlf option. 1999-08-09 13:01:48 +00:00
Bodo Möller
204cf1abb0 Comments. 1999-08-08 14:21:04 +00:00
Bodo Möller
1bdb8633c1 New option "-crlf" to s_client and s_server which tells them to convert
LFs into CRLFs when forwarding data from stdin to the TLS connection.
This is necessary for properly talking HTTP.
Because of the code freeze this change is by default disabled for now;
without -DAPPS_CRLF, the code is exactly as before.
1999-08-07 02:51:10 +00:00
Ulf Möller
8c197cc55e VMS updates.
Submitted by: Richard Levitte <levitte@stacken.kth.se>
1999-07-28 23:25:59 +00:00
Bodo Möller
74678cc2f8 Additional user data argument to pem_password_cb function type
and to lots of PEM_... functions.
Submitted by: Damien Miller <dmiller@ilogic.com.au>
1999-07-21 20:57:16 +00:00
Bodo Möller
5059658219 fix memory leak in s3_clnt.c 1999-07-12 17:15:42 +00:00
Bodo Möller
d58d092bc9 Avoid warnings. 1999-06-10 16:29:32 +00:00
Ulf Möller
df63a389a5 "extern" is a C++ reserved word.
Pointed out by: Janez Jere <jj@void.si>
1999-06-09 16:33:18 +00:00
Bodo Möller
cf2562e772 More general definition for S_ISDIR (needed not only for VMS but
also for NeXT).
1999-06-07 00:20:54 +00:00
Ulf Möller
a53955d8ab Support the EBCDIC character set and BS2000/OSD-POSIX (work in progress).
Submitted by: Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>
1999-06-04 21:35:58 +00:00
Ulf Möller
1e44804e33 Avoid type conflict on Unix with DEC C.
Pointed out by Sergio Rabellino <Rabellino@di.unito.it>
1999-06-04 13:41:30 +00:00
Bodo Möller
b56bce4fc7 New structure type SESS_CERT used instead of CERT inside SSL_SESSION.
While modifying the sources, I found some inconsistencies on the use of
s->cert vs. s->session->sess_cert; I don't know if those could
really have caused problems, but possibly this is a proper bug-fix
and not just a clean-up.
1999-05-13 15:09:38 +00:00
Ulf Möller
75e0770d96 VMS support bug fixes. 1999-05-13 13:21:17 +00:00
Ulf Möller
7d7d2cbcb0 VMS support.
Submitted by: Richard Levitte <richard@levitte.org>
1999-05-13 11:37:32 +00:00
Ulf Möller
f5d7a031a3 New Configure option no-<cipher> (rsa, idea, rc5, ...). 1999-04-27 01:14:46 +00:00
Ulf Möller
a9be3af5ad Remove NOPROTO definitions and error code comments. 1999-04-26 16:43:10 +00:00
Bodo Möller
ec577822f9 Change #include filenames from <foo.h> to <openssl.h>.
Submitted by:
Reviewed by:
PR:
1999-04-23 22:13:45 +00:00
Ben Laurie
61f5b6f338 Work with -pedantic! 1999-04-23 15:01:15 +00:00
Ulf Möller
6b691a5c85 Change functions to ANSI C. 1999-04-19 21:31:43 +00:00
Ben Laurie
e778802f53 Massive constification. 1999-04-17 21:25:43 +00:00
Ben Laurie
f73e07cf42 Add type-safe STACKs and SETs. 1999-04-12 17:23:57 +00:00
Ben Laurie
b4cadc6e13 Fix security hole. 1999-03-22 12:22:14 +00:00
Ralf S. Engelschall
15542b2847 Make it more clear what option -WWW to s_server does. 1999-03-09 13:09:07 +00:00
Ralf S. Engelschall
ea14a91f64 Move s_server -dcert and -dkey options out of the undocumented feature area
because they are useful for the DSA situation and should be recognized by the
users. Thanks to Steve for the original hint.
1999-02-25 11:26:26 +00:00
Ben Laurie
60e31c3a4b More stuff for new TLS ciphersuites. 1999-02-21 21:58:59 +00:00
Ben Laurie
c13d4799dd Send the right CAs to the client. 1999-01-07 00:16:37 +00:00
Paul C. Sutton
e170a5c050 Some more changes for renaming the binary from ssleay to openssl.
I wonder what eay.c is?
1999-01-02 14:42:23 +00:00
Ralf S. Engelschall
13e91dd365 Incorporation of RSEs assembled patches 1998-12-22 15:59:57 +00:00