Commit graph

141 commits

Author SHA1 Message Date
Ben Laurie
54a656ef08 Security fixes brought forward from 0.9.7. 2002-11-13 15:43:43 +00:00
Richard Levitte
c0d64de660 Make internal functions static. 2002-11-13 14:34:53 +00:00
Richard Levitte
c1ce8cf3b8 Name the flag files correctly. 2002-11-13 14:31:34 +00:00
Richard Levitte
bd1fb77245 There's a name clash between OpenSSL and RSAref. Since this engine handles
RSAref data, pretend we don't care for OpenSSL's MD2 and MD5 structures or
implementation.
Remove all kinds of silly warning
2002-10-24 17:02:27 +00:00
Dr. Stephen Henson
5aa3429c5d Typo: v3 is represented by 2. 2002-10-21 00:10:10 +00:00
Richard Levitte
fa4bde98d2 Add a few more target platforms, to see how well the shared library
linking works on them.
2002-10-10 12:46:05 +00:00
Richard Levitte
27bad5ad3d Don't fuss with the demo binaries 2002-10-09 13:57:55 +00:00
Bodo Möller
7cc6ec7af7 add URL for Internet Draft 2002-09-16 13:45:14 +00:00
Bodo Möller
c2bbf275b2 1. switch from "-newkey ecdsa:..." to "-newkey ec:..."
2. automatically create required sub-directories

Submitted by: Vipul Gupta <Vipul.Gupta@sun.com>
2002-09-10 07:36:52 +00:00
Richard Levitte
629d860cbc Some files deserve to be ignored 2002-08-13 22:41:18 +00:00
Richard Levitte
056cc163f5 Merge in demo engines from 0.9.7-stable. 2002-08-13 12:30:27 +00:00
Bodo Möller
18a31aa861 Scripts for testing ECC ciphersuites.
Submitted by: Sun Microsystems Labs
2002-08-12 15:18:48 +00:00
Richard Levitte
a7535a2727 Add the CBC flag for cbc ciphers 2002-08-01 19:32:48 +00:00
Richard Levitte
d16e1131b4 Allow longer program names (VMS allows up to 39 characters).
Submitted by Compaq.
2002-04-06 20:22:48 +00:00
Lutz Jänicke
7e58aa7d71 Fix buggy if-condition (thomas poindessous <poinde_t@epita.fr>). 2002-03-21 19:16:02 +00:00
Bodo Möller
93683c3cf8 '#if OPENSSL_VERSION_NUMBER >= ...' to document the recent change 2002-03-05 09:07:16 +00:00
Bodo Möller
023ec151df Add 'void *' argument to app_verify_callback.
Submitted by: D. K. Smetters <smetters@parc.xerox.com>
Reviewed by: Bodo Moeller
2002-02-28 10:52:56 +00:00
Geoff Thorpe
877b2fbd3c A rough little self-test for tunala. This runs through all cipher-suite /
SSL/TLS version combinations looking for mishaps.
2002-02-20 05:12:45 +00:00
Geoff Thorpe
afeab58a3c Make the "ungunk" logic a little more robust. 2002-02-20 05:09:22 +00:00
Geoff Thorpe
744c49a81b - Add support for cipher suites that require a temporary RSA key for
key-agreement.
- Tolerate signal interruptions of select().
2002-02-20 05:02:50 +00:00
Geoff Thorpe
062d3e39e7 Correct for the recent prototype changes. 2002-01-17 01:51:37 +00:00
Geoff Thorpe
1b58b616e3 Produce less confusing statistics when "-out_totals" is used. 2002-01-16 05:31:02 +00:00
Geoff Thorpe
c70d381775 The sample certs had expired, so these are newer ones that should last
quite a bit longer.
2002-01-16 05:29:11 +00:00
Geoff Thorpe
fd69886aed - Network errors could pollute the buffers because -1 isn't noticed in an
"unsigned int".
- Remove redundant processing with machine->ssl is NULL.
- Remove compiler warnings about uninitialised 'ctx' (it's not used
  uninitialised, but gcc can't see that).
2002-01-10 06:03:12 +00:00
Geoff Thorpe
e523f5f389 - libtool finally annoyed me too much, so I'm nuking it,
- tidy up some output,
- print a warning when running an SSL server with no cert,
- only log each connect/disconnect if the new "-out_conns" switch is used.
2002-01-08 02:58:55 +00:00
Geoff Thorpe
980afccf98 Constify. 2002-01-04 07:01:35 +00:00
Richard Levitte
033c51f0a3 Build dynamic rsaref engine on VMS. Tested on VAX so far. 2001-11-16 09:14:06 +00:00
Richard Levitte
2bd065dfbe make update 2001-11-15 20:24:00 +00:00
Richard Levitte
6d7dbc12f2 Add MD digests.
And this finishes this engine, it now offers all ciphers and digests
that RSAref 2.0 has.
2001-11-15 20:23:29 +00:00
Richard Levitte
b5fe234588 Add DES functions.
Restructure the code and comment it a bit.
Prepare for the presence of digests.
2001-11-15 18:52:28 +00:00
Richard Levitte
c85a157854 Use the generated error code files. 2001-11-15 16:57:36 +00:00
Richard Levitte
0c5d16e4f5 'make update' + some touches. 2001-11-15 16:57:00 +00:00
Richard Levitte
bd2af5e707 Add targets to update the error code files. 2001-11-15 16:56:17 +00:00
Richard Levitte
58d55afa6f Add a local error code configuration file for the rsaref dynamic
engine.
2001-11-15 16:53:50 +00:00
Richard Levitte
1d46b6b3b9 Make use of RSAref's header files instead of EAY's crafted rsaref.h. 2001-11-14 23:39:01 +00:00
Richard Levitte
bbb35447c4 In a Debian Linux environment, it's not a good idea, apparently, to
manually declare the include directory /usr/include at the same time
as the macro PROTOTYPES is defined with the value 1.  Besides,
/usr/include is the standard include directory anyway, so there's no
need to specify it explicitely.
2001-11-14 23:25:46 +00:00
Richard Levitte
6276f1e100 Add a demo that reimplements the RSAref glue in form of a dynamically
loadable engine.
2001-11-14 22:42:35 +00:00
Dr. Stephen Henson
581f1c8494 Modify EVP cipher behaviour in a similar way
to digests to retain compatibility.
2001-10-17 00:37:12 +00:00
Dr. Stephen Henson
cb7fd76f57 Modernise and fix (ancient) "maurice" demos. 2001-09-28 01:48:34 +00:00
Dr. Stephen Henson
89f534e1d3 Make (ancient) sign.c demo compile again. 2001-09-28 00:47:36 +00:00
Bodo Möller
a3d8c0fc5d ignore binary 2001-09-24 07:56:02 +00:00
Bodo Möller
a32d795aae avoid everything resembling a magic trigraph 2001-09-24 07:54:11 +00:00
Bodo Möller
b263b66746 Change Makefile so that it works without any additional changes
at least on Solaris
2001-09-18 09:15:40 +00:00
Bodo Möller
5294dd705d Another demo. 2001-09-17 19:07:00 +00:00
Dr. Stephen Henson
96bd6f730a Add certificate and request demos.
Fix X509V3 macro so they compile.
2001-09-12 00:19:20 +00:00
Geoff Thorpe
3866752e7e - New INSTALL document describing different ways to build "tunala" and
possible problems.
- New file breakage.c handles (so far) missing functions.
- Get rid of some signed/unsigned/const warnings thanks to solaris-cc
- Add autoconf/automake input files, and helper scripts to populate missing
  (but auto-generated) files.

This change adds a configure.in and Makefile.am to build everything using
autoconf, automake, and libtool - and adds "gunk" scripts to generate the
various files those things need (and clean then up again after). This means
that "autogunk.sh" needs to be run first on a system with the autotools,
but the resulting directory should be "configure"able and compilable on
systems without those tools.
2001-07-23 19:03:48 +00:00
Richard Levitte
cf1b7d9664 Make all configuration macros available for application by making
sure they are available in opensslconf.h, by giving them names starting
with "OPENSSL_" to avoid conflicts with other packages and by making
sure e_os2.h will cover all platform-specific cases together with
opensslconf.h.

I've checked fairly well that nothing breaks with this (apart from
external software that will adapt if they have used something like
NO_KRB5), but I can't guarantee it completely, so a review of this
change would be a good thing.
2001-02-19 16:06:34 +00:00
Geoff Thorpe
9a04387362 Re-order a couple of static functions and "#if 0" out unused ones - this
gets rid of gcc warnings.
2001-02-12 02:30:19 +00:00
Geoff Thorpe
282d8b1c38 This change was a quick experiment that I'd wanted to try that works quite
well (and is a good demonstration of how encapsulating the SSL in a
memory-based state machine can make it easier to apply to different
situations).

The change implements a new command-line switch "-flipped <0|1>" which, if
set to 1, reverses the usual interpretation of a client and server for SSL
tunneling. Normally, an ssl client (ie. "-server 0") accepts "cleartext"
connections and conducts SSL/TLS over a proxied connection acting as an SSL
client. Likewise, an ssl server (ie. "-server 1") accepts connections and
conducts SSL/TLS (as an SSL server) over them and passes "cleartext" over
the proxied connection. With "-flipped 1", an SSL client (specified with
"-server 0") in fact accepts SSL connections and proxies clear, whereas an
SSL server ("-server 1") accepts clear and proxies SSL. NB: most of this
diff is command-line handling, the actual meat of the change is simply the
line or two that plugs "clean" and "dirty" file descriptors into the item
that holds the state-machine - reverse them and you get the desired
behaviour.

This allows a network server to be an SSL client, and a network client to
be an SSL server. Apart from curiosity value, there's a couple of possibly
interesting applications - SSL/TLS is inherently vulnerable to trivial DoS
attacks, because the SSL server usually has to perform a private key
operation first, even if the client is authenticated. With this scenario,
the network client is the SSL server and performs the first private key
operation, whereas the network server serves as the SSL client. Another
possible application is when client-only authentication is required (ie.
the underlying protocol handles (or doesn't care about) authenticating the
server). Eg. an SSL/TLS version of 'ssh' could be concocted where the
client's signed certificate is used to validate login to a server system -
whether or not the client needs to validate who the server is can be
configured at the client end rather than at the server end (ie. a complete
inversion of what happens in normal SSL/TLS).

NB: This is just an experiment/play-thing, using "-flipped 1" probably
creates something that is interoperable with exactly nothing. :-)
2001-02-12 02:28:29 +00:00
Ben Laurie
171cc53a96 Improve the state machine. 2001-02-06 13:13:31 +00:00
Ulf Möller
4327aae816 format strings 2001-02-06 02:57:35 +00:00
Geoff Thorpe
895959b736 Re-order the options in tunala and add command switches like s_server for
disabling different SSL/TLS protocol versions.
2000-12-21 02:49:13 +00:00
Geoff Thorpe
1cc0b0a66a This adds support to 'tunala' for supplying DH parameters (without which it
will not support EDH cipher suites). The parameters can either be loaded
from a file (via "-dh_file"), generated by the application on start-up
("-dh_special generate"), or be standard DH parameters (as used in
s_server, etc).
2000-12-20 22:14:23 +00:00
Geoff Thorpe
beb23252a6 Some minor changes to the "tunala" demo.
* Seal off some buffer functions so that only the higher-level IO functions
  are exposed.

* Using the above change to buffer, add support to tunala for displaying
  traffic totals when a tunnel closes. Useful in debugging and analysis -
  you get to see the total encrypted traffic versus the total tunneled
  traffic. This shows not only how much expansion your data suffers from
  SSL (a lot if you send/receive a few bytes at a time), but also the
  overhead of SSL handshaking relative to the payload sent through the
  tunnel. This is controlled by the "-out_totals" switch to tunala.

* Fix and tweak some bits in the README.

Eg. sample output of "-out_totals" from a tunnel client when tunneling a brief
"telnet" session.

Tunnel closing, traffic stats follow
    SSL (network) traffic to/from server;     7305 bytes in,     3475 bytes out
    tunnelled data to/from server;            4295 bytes in,      186 bytes out
2000-12-20 19:30:19 +00:00
Dr. Stephen Henson
9d6b1ce644 Merge from the ASN1 branch of new ASN1 code
to main trunk.

Lets see if the makes it to openssl-cvs :-)
2000-12-08 19:09:35 +00:00
Geoff Thorpe
3465dd3853 * Fix a slight bug in the state-machine. This caused the client end of a
tunnel to not pro-actively close down when failing an SSL handshake.

* Change the cert-chain callback - originally this was the same one used in
  s_client and s_server but the output's as ugly as sin, so I've prettied
  tunala's copy output up a bit (and made the output level configurable).

* Remove the superfluous "errors" from the SSL state callback - these are just
  non-blocking side-effects.
2000-11-30 01:34:26 +00:00
Geoff Thorpe
a9376dbff9 More little changes to the tunala demo;
* A little bit of code-cleanup
* Reformat the usage string (not so wide)
* Allow adding an alternative (usually DSA) cert/key pair (a la s_server)
* Allow control over cert-chain verify depth
2000-11-29 19:22:54 +00:00
Geoff Thorpe
f2cc7559dd Make s_client/s_server-style cert verification output configurable by
command line, and make the peer-authentication similarly configurable.
2000-11-29 01:29:08 +00:00
Geoff Thorpe
4aa69fe0b6 Minor tweaks and improvements to the tunala demo.
- Add "-cipher" and "-out_state" command line arguments to control SSL
  cipher-suites and handshake debug output respectively.

- Implemented error handling for SSL handshakes that break down. This uses
  a cheat - storing a non-NULL pointer as "app_data" in the SSL structure
  when the SSL should be killed.
2000-11-28 23:27:23 +00:00
Geoff Thorpe
b984cd2b01 A typo and a couple of logic errors fixed. I think there may still be one
or two kinks lurking around, but it now appears to deal with the basic
test cases ok.
2000-11-28 19:09:58 +00:00
Ben Laurie
cd26e6c79d Oops! Read a full buffer instead of some spurious number from elswhere. 2000-11-21 21:37:48 +00:00
Geoff Thorpe
ce23b0f73e oops, remove comments that are no longer true. 2000-11-01 23:14:19 +00:00
Geoff Thorpe
d313047f63 Explanation, tips, etc. 2000-11-01 23:12:01 +00:00
Geoff Thorpe
d1855cc7af This is a demo that performs SSL tunneling (client and/or server) and is
built using an abstracted state machine with a non-blocking IP wrapper
around it. README will follow in the next commit.
2000-11-01 23:11:19 +00:00
Richard Levitte
ef0ab7f94f John Denney <jdenney@ca.mdis.com> reports that we forgot to convert
Free to OPENSSL_free in the SSL demos.
2000-10-18 19:36:27 +00:00
Dr. Stephen Henson
84b65340e1 Two new PKCS#12 demo programs.
Update PKCS12_parse().

Make the keyid in certificate aux info more usable.
2000-09-07 23:14:26 +00:00
Ben Laurie
4af6e2432b Ignore executable. 2000-09-05 18:56:55 +00:00
Ben Laurie
f3f53c8ca5 Handle WANT_READ more correctly (thanks to Bodo). 2000-09-05 18:47:57 +00:00
Ben Laurie
29eb7d9ce0 Distinguish between assertions and conditions that should cause death. 2000-09-05 17:06:45 +00:00
Bodo Möller
54705b3992 -Wall insists that main return an int. 2000-09-04 15:29:06 +00:00
Ben Laurie
7049ef5f90 Add demo state machine. 2000-08-30 18:14:28 +00:00
Richard Levitte
26a3a48d65 There have been a number of complaints from a number of sources that names
like Malloc, Realloc and especially Free conflict with already existing names
on some operating systems or other packages.  That is reason enough to change
the names of the OpenSSL memory allocation macros to something that has a
better chance of being unique, like prepending them with OPENSSL_.

This change includes all the name changes needed throughout all C files.
2000-06-01 22:19:21 +00:00
Dr. Stephen Henson
c9080477ec Modernise 'selfsign.c' to use new X509_NAME code
and add example of extension aliasing. Also fix
the extension aliasing because it didn't work :-)
2000-02-13 00:28:26 +00:00
Dr. Stephen Henson
af57d84312 Rename SSLeay_add_all_algorithms() et al to
OpenSSL_add_all_algorithms(). Move these into
separate files so they work properly.
2000-02-04 14:01:38 +00:00
Dr. Stephen Henson
a0ad17bb6c Fix to the -revoke option in ca. It was leaking memory, crashing and just
plain not working :-(

Also fix some memory leaks in the new X509_NAME code.

Fix so new app_rand code doesn't crash 'x509' and move #include so it compiles
under Win32.
1999-11-08 13:58:08 +00:00
Bodo Möller
f3db3d172f SSL_shutdown was done too early. 1999-08-01 11:19:59 +00:00
Bodo Möller
e014492646 don't prematurely shut down socket -- use SSL_shutdown 1999-08-01 10:04:37 +00:00
Dr. Stephen Henson
5f6d0ea210 Reformat and "modernise" the sign.c demo. 1999-06-09 23:33:48 +00:00
Dr. Stephen Henson
f62676b92d Change the PEM function implementation to use a common set of macros: this
should make modifying them easier.

Fix the selfsign demo: it was rather ancient and used deleted functions.
1999-06-09 18:05:30 +00:00
Ben Laurie
72fbe87dc6 Survive pedanticism. 1999-06-08 18:37:43 +00:00
Ben Laurie
426edadf98 Stack. 1999-05-31 20:35:31 +00:00
Bodo Möller
054009a638 Updated C++ SSL demos.
Submitted (a month ago) by: Wade Scholine
1999-05-27 23:59:58 +00:00
Bodo Möller
71f080935a Updated some demos.
Submitted by: Sean O Riordain <Sean.ORiordain@cyrona.com>
1999-05-27 23:52:31 +00:00
Bodo Möller
472bde404f Change function call according to current API. 1999-05-27 20:49:27 +00:00
Bodo Möller
7ebf7674be Submitted by:
Reviewed by:
PR:
1999-04-24 00:53:29 +00:00
Bodo Möller
dd3c43c532 Submitted by:
Reviewed by:
PR:
1999-04-23 23:28:26 +00:00
Bodo Möller
ec577822f9 Change #include filenames from <foo.h> to <openssl.h>.
Submitted by:
Reviewed by:
PR:
1999-04-23 22:13:45 +00:00
Ben Laurie
c2245b68f5 Don't confuse matters by using the wrong library. 1999-01-02 19:03:46 +00:00
Ralf S. Engelschall
dfeab0689f Import of old SSLeay release: SSLeay 0.9.1b (unreleased) 1998-12-21 11:00:56 +00:00
Ralf S. Engelschall
58964a4922 Import of old SSLeay release: SSLeay 0.9.0b 1998-12-21 10:56:39 +00:00
Ralf S. Engelschall
d02b48c63a Import of old SSLeay release: SSLeay 0.8.1b 1998-12-21 10:52:47 +00:00