wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
13124 commits 20 branches 302 tags 153 MiB
Commit graph

1738 commits

Author SHA1 Message Date
Dr. Stephen Henson
09d0d67c13 add missing newline 2012-12-21 16:24:48 +00:00
Dr. Stephen Henson
bbdfbacdef add -rmd option to set OCSP response signing digest 2012-12-16 00:10:03 +00:00
Dr. Stephen Henson
99fc818e93 Return success when the responder is active. 
Don't verify our own responses.
 2012-12-15 02:56:02 +00:00
Dr. Stephen Henson
265f835e3e typo 2012-12-15 00:29:12 +00:00
Dr. Stephen Henson
33826fd028 Add support for '-' as input and output filenames in ocsp utility. 
Recognise verification arguments.
 2012-12-14 23:30:56 +00:00
Dr. Stephen Henson
92821996de oops, revert, committed in error 2012-12-14 23:29:58 +00:00
Dr. Stephen Henson
11e2957d5f apps/ocsp.c 2012-12-14 23:28:19 +00:00
Dr. Stephen Henson
51e7a4378a New verify flag to return success if we have any certificate in the 
trusted store instead of the default which is to return an error if
we can't build the complete chain.
 2012-12-13 18:14:46 +00:00
Dr. Stephen Henson
60938ae772 add -crl_download option to s_server 2012-12-12 03:35:31 +00:00
Dr. Stephen Henson
4e71d95260 add -cert_chain option to s_client 2012-12-12 00:50:26 +00:00
Ben Laurie
fefc111a2a Make openssl verify return errors. 2012-12-11 16:05:14 +00:00
Dr. Stephen Henson
1e8b9e7e69 add -badsig option to ocsp utility too. 2012-12-09 16:21:46 +00:00
Ben Laurie
30c278aa6b Fix OCSP checking. 2012-12-07 18:47:47 +00:00
Dr. Stephen Henson
0090a686c0 Add code to download CRLs based on CRLDP extension. 
Just a sample, real world applications would have to be cleverer.
 2012-12-06 18:43:40 +00:00
Dr. Stephen Henson
f5a7d5b164 remove print_ssl_cert_checks() from openssl application: it is no longer used 2012-12-06 18:36:51 +00:00
Dr. Stephen Henson
3bf15e2974 Integrate host, email and IP address checks into X509_verify. 
Add new verify options to set checks.

Remove previous -check* commands from s_client and s_server.
 2012-12-05 18:35:20 +00:00
Dr. Stephen Henson
fbeb85ecb9 don't print verbose policy check messages when -quiet is selected even on error 2012-12-04 23:18:44 +00:00
Dr. Stephen Henson
2e8cb108dc initial support for delta CRL generations by diffing two full CRLs 2012-12-04 18:35:36 +00:00
Dr. Stephen Henson
256f9573c5 make -subj always override config file 2012-12-04 18:35:04 +00:00
Dr. Stephen Henson
b6b094fb77 check mval for NULL too 2012-12-04 17:25:34 +00:00
Dr. Stephen Henson
0db46a7dd7 fix leak 2012-12-03 16:32:52 +00:00
Dr. Stephen Henson
2537d46903 oops, really check brief mode only ;-) 2012-12-03 03:40:57 +00:00
Dr. Stephen Henson
5447f836a0 don't check errno is zero, just print out message 2012-12-03 03:39:23 +00:00
Dr. Stephen Henson
66d9f2e521 if no error code and -brief selected print out connection closed instead of read error 2012-12-03 03:33:44 +00:00
Dr. Stephen Henson
139cd16cc5 add -badsig option to corrupt CRL signatures for testing too 2012-12-02 16:48:25 +00:00
Dr. Stephen Henson
fdb78f3d88 New option to add CRLs for s_client and s_server. 2012-12-02 16:16:28 +00:00
Dr. Stephen Henson
95ea531864 add option to get a certificate or CRL from a URL 2012-12-02 14:00:22 +00:00
Dr. Stephen Henson
df316fd43c Add new test option set the version in generated certificates: this 
is needed to test some profiles/protocols which reject certificates
with unsupported versions.
 2012-11-30 19:24:13 +00:00
Dr. Stephen Henson
84bafb7471 Print out point format list for clients too. 2012-11-26 18:39:38 +00:00
Dr. Stephen Henson
55b66f084d set cmdline flag in s_server 2012-11-26 12:51:12 +00:00
Dr. Stephen Henson
96cfba0fb4 option to output corrupted signature in certificates for testing purposes 2012-11-25 22:29:52 +00:00
Dr. Stephen Henson
a5afc0a8f4 Don't display messages about verify depth in s_server if -quiet it set. 
Add support for separate verify and chain stores in s_client.
 2012-11-23 18:56:25 +00:00
Dr. Stephen Henson
20b431e3a9 Add support for printing out and retrieving EC point formats extension. 2012-11-22 15:20:53 +00:00
Dr. Stephen Henson
1740c9fbfc support -quiet with -msg or -trace 2012-11-21 17:11:42 +00:00
Dr. Stephen Henson
191b3f0ba9 only use a default curve if not already set 2012-11-21 16:47:25 +00:00
Dr. Stephen Henson
5c1393bfc3 PR: 2908 
Submitted by: Dmitry Belyavsky <beldmit@gmail.com>

Fix DH double free if parameter generation fails.
 2012-11-21 14:02:40 +00:00
Dr. Stephen Henson
f7ac0ec89d fix printout of expiry days if -enddate is used in ca 2012-11-20 15:22:15 +00:00
Dr. Stephen Henson
22b5d7c80b fix leaks 2012-11-20 00:24:52 +00:00
Dr. Stephen Henson
685755937a with -rev close connection if client sends "CLOSE" 2012-11-19 23:41:24 +00:00
Dr. Stephen Henson
7c8ac50504 update usage messages 2012-11-19 23:20:40 +00:00
Dr. Stephen Henson
98a7edf9f0 make depend 2012-11-19 13:18:09 +00:00
Dr. Stephen Henson
7831969634 don't call gethostbyname if OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL is set 2012-11-19 12:36:04 +00:00
Dr. Stephen Henson
9ba297e49f remove obsolete code 2012-11-19 03:46:49 +00:00
Dr. Stephen Henson
b5cadfb564 add -naccept <n> option to s_server to automatically exit after <n> connections 2012-11-18 15:45:16 +00:00
Dr. Stephen Henson
9fc81acae6 fix error messages 2012-11-17 15:22:50 +00:00
Dr. Stephen Henson
5d2e07f182 Delegate command line handling for many common options in s_client/s_server 
to the SSL_CONF APIs.

This is complicated a little because the SSL_CTX structure is not available
when the command line is processed: so just check syntax of commands initially
and store them, ready to apply later.
 2012-11-17 14:42:22 +00:00
Dr. Stephen Henson
51b9115b6d new command line option -stdname to ciphers utility 2012-11-16 00:35:46 +00:00
Dr. Stephen Henson
95bba34b83 contify 2012-11-05 19:38:32 +00:00
Dr. Stephen Henson
671c9e2dc8 oops, fix compilation errors in s_server 2012-10-11 18:03:42 +00:00
Dr. Stephen Henson
a70da5b3ec New functions to check a hostname email or IP address against a 
certificate. Add options to s_client, s_server and x509 utilities
to print results of checks.
 2012-10-08 15:10:07 +00:00
Andy Polyakov
27e0c86307 md5-sparcv9.pl: more accurate performance result. 2012-09-28 09:25:49 +00:00
Dr. Stephen Henson
4f3df8bea2 Add -rev test option to s_server to just reverse order of characters received 
by client and send back to server. Also prints an abbreviated summary of
the connection parameters.
 2012-09-14 13:27:05 +00:00
Dr. Stephen Henson
2a7cbe77b3 Add -brief option to s_client and s_server to summarise connection details. 
New option -verify_quiet to shut up the verify callback unless there is
an error.
 2012-09-12 23:14:28 +00:00
Dr. Stephen Henson
0a17b8de06 fix memory leak 2012-09-11 13:43:57 +00:00
Dr. Stephen Henson
147d4c96b0 fix memory leak 2012-09-09 21:19:32 +00:00
Dr. Stephen Henson
648f551a4a New -valid option to add a certificate to the ca index.txt that is valid and not revoked 2012-09-09 12:58:49 +00:00
Dr. Stephen Henson
33a8de69dc new ctrl to retrive value of received temporary key in server key exchange message, print out details in s_client 2012-09-08 13:59:51 +00:00
Dr. Stephen Henson
319354eb6c store and print out message digest peer signed with in TLS 1.2 2012-09-07 12:53:42 +00:00
Dr. Stephen Henson
ed83ba5321 Add compilation flag to disable certain protocol checks and allow use of 
some invalid operations for testing purposes. Currently this can be used
to sign using digests the peer doesn't support, EC curves the peer
doesn't support and use certificates which don't match the type associated
with a ciphersuite.
 2012-08-29 13:18:34 +00:00
Bodo Möller
619aab841c Oops - didn't mean to change Makefile on previous submit 2012-08-16 13:49:34 +00:00
Bodo Möller
a4aafeeef4 Enable message names for TLS 1.1, 1.2 with -msg. 2012-08-16 13:41:40 +00:00
Dr. Stephen Henson
2ea8035460 Add three Suite B modes to TLS code, supporting RFC6460. 2012-08-15 15:15:05 +00:00
Dr. Stephen Henson
3ad344a517 add suite B chain validation flags and associated verify errors 2012-08-03 13:51:43 +00:00
Dr. Stephen Henson
6dbb6219e7 Make tls1_check_chain return a set of flags indicating checks passed 
by a certificate chain. Add additional tests to handle client
certificates: checks for matching certificate type and issuer name
comparison.

Print out results of checks for each candidate chain tested in
s_server/s_client.
 2012-07-27 13:39:23 +00:00
Dr. Stephen Henson
74ecfab401 Add support for certificate stores in CERT structure. This makes it 
possible to have different stores per SSL structure or one store in
the parent SSL_CTX. Include distint stores for certificate chain
verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN
to build and store a certificate chain in CERT structure: returing
an error if the chain cannot be built: this will allow applications
to test if a chain is correctly configured.

Note: if the CERT based stores are not set then the parent SSL_CTX
store is used to retain compatibility with existing behaviour.
 2012-07-23 23:34:28 +00:00
Dr. Stephen Henson
9f27b1eec3 Add new ctrl to retrieve client certificate types, print out 
details in s_client.

Also add ctrl to set client certificate types. If not used sensible values
will be included based on supported signature algorithms: for example if
we don't include any DSA signing algorithms the DSA certificate type is
omitted.

Fix restriction in old code where certificate types would be truncated
if it exceeded TLS_CT_NUMBER.
 2012-07-08 14:22:45 +00:00
Dr. Stephen Henson
dd25165968 Fix memory leak. 
Always perform nexproto callback argument initialisation in s_server
otherwise we use uninitialised data if -nocert is specified.
 2012-07-03 16:37:50 +00:00
Dr. Stephen Henson
657e29c199 cert_flags is unsigned 2012-07-03 14:54:59 +00:00
Dr. Stephen Henson
3208fc59db add support for client certificate callbak, fix memory leak 2012-07-03 14:53:27 +00:00
Dr. Stephen Henson
3dbc46dfcd Separate client and server permitted signature algorithm support: by default 
the permitted signature algorithms for server and client authentication
are the same but it is now possible to set different algorithms for client
authentication only.
 2012-07-03 12:51:14 +00:00
Dr. Stephen Henson
18d7158809 Add certificate callback. If set this is called whenever a certificate 
is required by client or server. An application can decide which
certificate chain to present based on arbitrary criteria: for example
supported signature algorithms. Add very simple example to s_server.
This fixes many of the problems and restrictions of the existing client
certificate callback: for example you can now clear existing certificates
and specify the whole chain.
 2012-06-29 14:24:42 +00:00
Dr. Stephen Henson
d61ff83be9 Add new "valid_flags" field to CERT_PKEY structure which determines what 
the certificate can be used for (if anything). Set valid_flags field
in new tls1_check_chain function. Simplify ssl_set_cert_masks which used
to have similar checks in it.

Add new "cert_flags" field to CERT structure and include a "strict mode".
This enforces some TLS certificate requirements (such as only permitting
certificate signature algorithms contained in the supported algorithms
extension) which some implementations ignore: this option should be used
with caution as it could cause interoperability issues.
 2012-06-28 12:45:49 +00:00
Dr. Stephen Henson
4453cd8c73 Reorganise supported signature algorithm extension processing. 
Only store encoded versions of peer and configured signature algorithms.
Determine shared signature algorithms and cache the result along with NID
equivalents of each algorithm.
 2012-06-25 14:32:30 +00:00
Dr. Stephen Henson
0f229cce65 Add support for application defined signature algorithms for use with 
TLS v1.2. These are sent as an extension for clients and during a certificate
request for servers.

TODO: add support for shared signature algorithms, respect shared algorithms
when deciding which ciphersuites and certificates to permit.
 2012-06-22 14:03:31 +00:00
Dr. Stephen Henson
020091406c oops, add -debug_decrypt option which was accidenatally left out 2012-06-19 13:39:30 +00:00
Dr. Stephen Henson
93ab9e421e Initial record tracing code. Print out all fields in SSL/TLS records 
for debugging purposes. Needs "enable-ssl-trace" configuration option.
 2012-06-15 12:46:09 +00:00
Ben Laurie
7a71af86ce Rearrange and test authz extension. 2012-06-07 13:20:47 +00:00
Ben Laurie
71fa451343 Version skew reduction: trivia (I hope). 2012-06-03 22:00:21 +00:00
Ben Laurie
a9e1c50bb0 RFC 5878 support. 2012-05-30 10:10:58 +00:00
Dr. Stephen Henson
ce33b42bc6 oops, not yet ;-) 2012-04-23 21:58:29 +00:00
Dr. Stephen Henson
579d553464 update NEWS 2012-04-23 21:56:33 +00:00
Dr. Stephen Henson
fc6fc7ff38 Add options to set additional type specific certificate chains to 
s_server.
 2012-04-11 16:53:11 +00:00
Dr. Stephen Henson
a43526302f Add support for automatic ECDH temporary key parameter selection. When 
enabled instead of requiring an application to hard code a (possibly
inappropriate) parameter set and delve into EC internals we just
automatically use the preferred curve.
 2012-04-05 13:38:27 +00:00
Dr. Stephen Henson
d0595f170c Initial revision of ECC extension handling. 
Tidy some code up.

Don't allocate a structure to handle ECC extensions when it is used for
default values.

Make supported curves configurable.

Add ctrls to retrieve shared curves: not fully integrated with rest of
ECC code yet.
 2012-03-28 15:05:04 +00:00
Dr. Stephen Henson
bbbe61c958 Always use SSLv23_{client,server}_method in s_client.c and s_server.c, 
the old code came from SSLeay days before TLS was even supported.
 2012-03-18 18:16:46 +00:00
Dr. Stephen Henson
156421a2af oops, revert unrelated patches 2012-03-14 13:46:50 +00:00
Dr. Stephen Henson
61ad8262a0 update FAQ, NEWS 2012-03-14 13:44:57 +00:00
Dr. Stephen Henson
15a40af2ed Submitted by: Peter Sylvester <peter.sylvester@edelweb.fr> 
Add more extension names in s_cb.c extension printing code.
 2012-03-09 18:38:35 +00:00
Dr. Stephen Henson
e7f8ff4382 New ctrls to retrieve supported signature algorithms and curves and 
extensions to s_client and s_server to print out retrieved valued.

Extend CERT structure to cache supported signature algorithm data.
 2012-03-06 14:28:21 +00:00
Dr. Stephen Henson
64095ce9d7 Add new APIs EC_curve_nist2nid and EC_curve_nid2nist which convert 
between NIDs and the more common NIST names such as "P-256". Enhance
ecparam utility and ECC method to recognise the NIST names for curves.
 2012-02-21 14:41:13 +00:00
Dr. Stephen Henson
fc7dae5229 PR: 2717 
Submitted by: Tim Rice <tim@multitalents.net>

Make compilation work on OpenServer 5.0.7
 2012-02-11 23:41:19 +00:00
Dr. Stephen Henson
be81f4dd81 PR: 2716 
Submitted by: Adam Langley <agl@google.com>

Fix handling of exporter return value and use OpenSSL indentation in
s_client, s_server.
 2012-02-11 23:20:53 +00:00
Andy Polyakov
cbc0b0ec2d apps/s_cb.c: recognized latest TLS version. 2012-02-11 13:30:47 +00:00
Dr. Stephen Henson
3770b988c0 PR: 2710 
Submitted by: Tomas Mraz <tmraz@redhat.com>

Check return codes for load_certs_crls.
 2012-02-10 19:54:54 +00:00
Dr. Stephen Henson
9641be2aac PR: 2714 
Submitted by: Tomas Mraz <tmraz@redhat.com>

Make no-srp work.
 2012-02-10 19:43:14 +00:00
Dr. Stephen Henson
7951c2699f add fips blocking overrides to command line utilities 2012-02-10 16:47:40 +00:00
Dr. Stephen Henson
57559471bf oops, revert unrelated changes 2012-02-09 15:43:58 +00:00
Dr. Stephen Henson
f4e1169341 Modify client hello version when renegotiating to enhance interop with 
some servers.
 2012-02-09 15:42:10 +00:00
Dr. Stephen Henson
2ff5ac55c5 oops revert debug change 2012-01-22 13:52:39 +00:00
Dr. Stephen Henson
855d29184e Fix for DTLS DoS issue introduced by fix for CVE-2011-4109. 
Thanks to Antonio Martin, Enterprise Secure Access Research and
Development, Cisco Systems, Inc. for discovering this bug and
preparing a fix. (CVE-2012-0050)
 2012-01-18 18:15:27 +00:00
Andy Polyakov
a50bce82ec Sanitize usage of <ctype.h> functions. It's important that characters 
are passed zero-extended, not sign-extended.
PR: 2682
 2012-01-12 16:21:35 +00:00
Andy Polyakov
5beb93e114 speed.c: typo in pkey_print_message. 
PR: 2681
Submitted by: Annie Yousar
 2012-01-11 21:48:31 +00:00
Bodo Möller
6620bf3444 Fix usage indentation 2012-01-05 13:16:30 +00:00
Dr. Stephen Henson
4817504d06 PR: 2658 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Support for TLS/DTLS heartbeats.
 2011-12-31 22:59:57 +00:00
Dr. Stephen Henson
84b6e277d4 make update 2011-12-27 14:46:03 +00:00
Dr. Stephen Henson
c79f22c63a PR: 1794 
Submitted by: Peter Sylvester <peter.sylvester@edelweb.fr>
Reviewed by: steve

- remove some unncessary SSL_err and permit
an srp user callback to allow a worker to obtain
a user verifier.

- cleanup and comments in s_server and demonstration
for asynchronous srp user lookup
 2011-12-27 14:21:45 +00:00
Dr. Stephen Henson
f9b0b45238 New ctrl values to clear or retrieve extra chain certs from an SSL_CTX. 
New function to retrieve compression method from SSL_SESSION structure.

Delete SSL_SESSION_get_id_len and SSL_SESSION_get0_id functions
as they duplicate functionality of SSL_SESSION_get_id. Note: these functions
have never appeared in any release version of OpenSSL.
 2011-12-22 15:14:32 +00:00
Andy Polyakov
7aba22ba28 apps/speed.c: fix typo in last commit. 2011-12-19 14:33:09 +00:00
Andy Polyakov
bdba45957a apps/speed.c: Cygwin alarm() fails sometimes. 
PR: 2655
 2011-12-15 22:30:03 +00:00
Dr. Stephen Henson
f2fc30751e PR: 1794 
Submitted by: Peter Sylvester <peter.sylvester@edelweb.fr>
Reviewed by: steve

Remove unnecessary code for srp and to add some comments to
s_client.

- the callback to provide a user during client connect is
no longer necessary since rfc 5054 a connection attempt
with an srp cipher and no user is terminated when the
cipher is acceptable

- comments to indicate in s_client the (non-)usefulness of
th primalaty tests for non known group parameters.
 2011-12-14 22:17:06 +00:00
Ben Laurie
9a436c0f89 Back out redundant verification time change. 2011-12-13 15:00:43 +00:00
Ben Laurie
7fd5df6b12 Make it possible to set a time for verification. 2011-12-13 14:38:12 +00:00
Dr. Stephen Henson
16363c0165 implement -attime option as a verify parameter then it works with all relevant applications 2011-12-10 00:37:22 +00:00
Dr. Stephen Henson
990390ab52 Replace expired test server and client certificates with new ones. 2011-12-08 14:44:05 +00:00
Dr. Stephen Henson
2ca873e8d8 transparently handle X9.42 DH parameters 2011-12-07 12:44:03 +00:00
Dr. Stephen Henson
df0cdf4ceb The default CN prompt message can be confusing when often the CN needs to 
be the server FQDN: change it.
[Reported by PSW Group]
 2011-12-06 00:00:30 +00:00
Ben Laurie
e0af04056c Add TLS exporter. 2011-11-15 23:50:52 +00:00
Ben Laurie
333f926d67 Add DTLS-SRTP. 2011-11-15 22:59:20 +00:00
Ben Laurie
ae55176091 Fix some warnings caused by __owur. Temporarily (I hope) remove the more 
aspirational __owur annotations.
 2011-11-14 00:36:10 +00:00
Dr. Stephen Henson
0c58d22ad9 PR: 1794 
Submitted by: Peter Sylvester <peter.sylvester@edelweb.fr>
Reviewed by: steve

Document unknown_psk_identify alert, remove pre-RFC 5054 string from
ssl_stat.c
 2011-11-13 13:13:01 +00:00
Dr. Stephen Henson
7d7c13cbab Don't disable TLS v1.2 by default now. 2011-10-09 23:26:39 +00:00
Dr. Stephen Henson
43206a2d7c New -force_pubkey option to x509 utility to supply a different public 
key to the one in a request. This is useful for cases where the public
key cannot be used for signing e.g. DH.
 2011-10-07 15:18:09 +00:00
Dr. Stephen Henson
1579e65604 use keyformat for -x509toreq, don't hard code PEM 2011-09-23 21:48:34 +00:00
Dr. Stephen Henson
07dda896cb PR: 2347 
Submitted by: Tomas Mraz <tmraz@redhat.com>
Reviewed by: steve

Fix usage message.
 2011-09-23 13:12:25 +00:00
Dr. Stephen Henson
be1242cbd1 PR: 2527 
Submitted by: Marcus Meissner <meissner@suse.de>
Reviewed by: steve

Set cnf to NULL to avoid possible double free.
 2011-05-25 15:05:39 +00:00
Dr. Stephen Henson
086e32a6c7 Implement FIPS_mode and FIPS_mode_set 2011-05-19 18:09:02 +00:00
Dr. Stephen Henson
d39c495130 Enter FIPS mode by calling FIPS_module_mode_set in openssl.c until 
FIPS_mode_set is implemented.
 2011-05-12 17:59:47 +00:00
Dr. Stephen Henson
4f7a2ab8b1 make kerberos work with OPENSSL_NO_SSL_INTERN 2011-05-11 22:50:18 +00:00
Dr. Stephen Henson
a2f9200fba Initial TLS v1.2 client support. Include a default supported signature 
algorithms extension (including everything we support). Swicth to new
signature format where needed and relax ECC restrictions.

Not TLS v1.2 client certifcate support yet but client will handle case
where a certificate is requested and we don't have one.
 2011-05-09 15:44:01 +00:00
Dr. Stephen Henson
6b7be581e5 Continuing TLS v1.2 support: add support for server parsing of 
signature algorithms extension and correct signature format for
server key exchange.

All ciphersuites should now work on the server but no client support and
no client certificate support yet.
 2011-05-06 13:00:07 +00:00
Dr. Stephen Henson
7409d7ad51 Initial incomplete TLS v1.2 support. New ciphersuites added, new version 
checking added, SHA256 PRF support added.

At present only RSA key exchange ciphersuites work with TLS v1.2 as the
new signature format is not yet implemented.
 2011-04-29 22:56:51 +00:00
Dr. Stephen Henson
08557cf22c Initial "opaque SSL" framework. If an application defines 
OPENSSL_NO_SSL_INTERN all ssl related structures are opaque
and internals cannot be directly accessed. Many applications
will need some modification to support this and most likely some
additional functions added to OpenSSL.

The advantage of this option is that any application supporting
it will still be binary compatible if SSL structures change.
 2011-04-29 22:37:12 +00:00
Dr. Stephen Henson
69a80f7d5e More fixes for DSA FIPS overrides. 2011-04-23 21:59:12 +00:00
Dr. Stephen Henson
dc03504d09 Make sure overrides work for RSA/DSA. 2011-04-23 21:15:05 +00:00
Dr. Stephen Henson
1ee49722dc Add fips hmac key to dgst utility. 2011-04-06 23:40:46 +00:00
Dr. Stephen Henson
856650deb0 FIPS mode support for openssl utility: doesn't work properly yet due 
to missing DRBG support in libcrypto.
 2011-04-04 17:16:28 +00:00
Richard Levitte
3a660e7364 Corrections to the VMS build system. 
Submitted by Steven M. Schweda <sms@antinode.info>
 2011-03-25 16:20:35 +00:00
Richard Levitte
4ec3e8ca51 For VMS, implement the possibility to choose 64-bit pointers with 
different options:
"64"		The build system will choose /POINTER_SIZE=64=ARGV if
		the compiler supports it, otherwise /POINTER_SIZE=64.
"64="		The build system will force /POINTER_SIZE=64.
"64=ARGV"	The build system will force /POINTER_SIZE=64=ARGV.
 2011-03-25 09:40:48 +00:00
Richard Levitte
487b023f3d make update (1.1.0-dev) 
This meant alarger renumbering in util/libeay.num due to symbols
appearing in 1.0.0-stable and 1.0.1-stable.  However, since there's
been no release on this branch yet, it should be harmless.
 2011-03-23 00:11:32 +00:00
Richard Levitte
2d1122b802 * apps/makeapps.com: Add srp. 2011-03-20 17:34:04 +00:00
Richard Levitte
f0d9196237 * apps/makeapps.com: Forgot to end the check for /POINTER_SIZE=64=ARGV 
with turning trapping back on.
* test/maketests.com: Do the same check for /POINTER_SIZE=64=ARGV
  here.
* test/clean-test.com: A new script for cleaning up.
 2011-03-20 14:02:20 +00:00
Richard Levitte
8ecef24a66 * apps/openssl.c: For VMS, take care of copying argv if needed much earlier, 
directly in main().  'if needed' also includes when argv is a 32 bit
  pointer in an otherwise 64 bit environment.
* apps/makeapps.com: When using /POINTER_SIZE=64, try to use the additional
  =ARGV, but only if it's supported.  Fortunately, DCL is very helpful
  telling us in this case.
 2011-03-20 13:15:33 +00:00
Richard Levitte
537c982306 After some adjustments, apply the changes OpenSSL 1.0.0d on OpenVMS 
submitted by Steven M. Schweda <sms@antinode.info>
 2011-03-19 10:58:14 +00:00
Dr. Stephen Henson
27131fe8f7 Fix warnings about ignored return values. 2011-03-17 14:43:13 +00:00
Ben Laurie
8cd3d99f57 Missing SRP files. 2011-03-16 11:50:33 +00:00
Dr. Stephen Henson
aa24c4a736 PR: 2469 
Submitted by: Jim Studt <jim@studt.net>
Reviewed by: steve

Check mac is present before trying to retrieve mac iteration count.
 2011-03-13 18:20:01 +00:00
Dr. Stephen Henson
d70fcb96ac Fix warnings: signed/unisgned comparison, shadowing (in some cases global 
functions such as rand() ).
 2011-03-12 17:27:03 +00:00
Ben Laurie
edc032b5e3 Add SRP support. 2011-03-12 17:01:19 +00:00
Ben Laurie
0c4e67102e Fix warning. 2011-03-12 13:55:24 +00:00
Dr. Stephen Henson
329c744f51 make no-dsa work again 2011-03-10 18:26:50 +00:00
Dr. Stephen Henson
61f477f4ab Fix duplicate code and typo. 2011-02-06 00:51:05 +00:00
Bodo Möller
9d0397e977 make update 2011-02-03 10:17:53 +00:00
Ben Laurie
105d62cbf1 Constify. 2011-01-09 17:50:18 +00:00
Richard Levitte
c596b2ab5b Part of the IF structure didn't get pasted here... 
PR: 2393
 2010-12-14 21:44:31 +00:00
Richard Levitte
b7ef916c38 First attempt at adding the possibility to set the pointer size for the builds on VMS. 
PR: 2393
 2010-12-14 19:19:04 +00:00
Andy Polyakov
de3bb266f4 apps/x590.c: harmonize usage of STDout and out_err. 
PR: 2323
 2010-12-12 10:52:56 +00:00
Dr. Stephen Henson
91f0828c95 fix no SIGALRM case in speed.c 2010-11-18 13:22:53 +00:00
Dr. Stephen Henson
f7d2f17a07 add TLS v1.1 options to s_server 2010-11-16 14:16:00 +00:00
Dr. Stephen Henson
838ea7f824 PR: 2366 
Submitted by: Damien Miller <djm@mindrot.org>
Reviewed by: steve

Stop pkeyutl crashing if some arguments are missing. Also make str2fmt
tolerate NULL parameter.
 2010-11-11 14:42:50 +00:00
Ben Laurie
bf48836c7c Fixes to NPN from Adam Langley. 2010-09-05 17:14:01 +00:00
Bodo Möller
7c2d4fee25 For better forward-security support, add functions 
SSL_[CTX_]set_not_resumable_session_callback.

Submitted by: Emilia Kasper (Google)

[A part of this change affecting ssl/s3_lib.c was accidentally commited
separately, together with a compilation fix for that file;
see s3_lib.c CVS revision 1.133 (http://cvs.openssl.org/chngview?cn=19855).]
 2010-08-26 15:15:47 +00:00
Ben Laurie
ee2ffc2794 Add Next Protocol Negotiation. 2010-07-28 10:06:55 +00:00
Ben Laurie
3c530fef67 Sign mismatch. 2010-07-27 16:57:05 +00:00
Andy Polyakov
6acb4ff389 gcm128.c: API modification and readability improvements, 
add ghash benchmark to apps/speed.c.
 2010-07-09 14:10:51 +00:00
Dr. Stephen Henson
dc53a037b0 i variable is used on some platforms 2010-07-05 11:05:24 +00:00
Ben Laurie
c8bbd98a2b Fix warnings. 2010-06-12 14:13:23 +00:00
Dr. Stephen Henson
4e96633ac7 PR: 2262 
Submitted By: Victor Wagner <vitus@cryptocom.ru>

Fix error reporting in load_key function.
 2010-05-27 14:09:03 +00:00
Dr. Stephen Henson
acf635b9b2 oops, revert test patch 2010-05-15 00:35:39 +00:00
Dr. Stephen Henson
19674b5a1d PR: 2253 
Submitted By: Ger Hobbelt <ger@hobbelt.com>

Check callback return value when outputting errors.
 2010-05-15 00:34:06 +00:00
Dr. Stephen Henson
00a37b5a9b PR: 2220 
Fixes to make OpenSSL compile with no-rc4
 2010-04-06 11:18:59 +00:00
Dr. Stephen Henson
624fbfcadb free up sigopts STACK 2010-03-14 13:09:00 +00:00
Dr. Stephen Henson
510777f2fc clear bogus errors in ca utility 2010-03-14 13:07:48 +00:00
Dr. Stephen Henson
4c623cddbe add -sigopt option to ca utility 2010-03-14 12:54:45 +00:00
Dr. Stephen Henson
cdb182b55a new sigopt and PSS support for req and x509 utilities 2010-03-12 14:41:00 +00:00
Dr. Stephen Henson
77163b6234 don't leave bogus errors in the queue 2010-03-10 13:48:09 +00:00
Dr. Stephen Henson
bea29921a8 oops 2010-03-07 16:41:54 +00:00
Dr. Stephen Henson
7ed485bc9f The OID sanity check was incorrect. It should only disallow *leading* 0x80 
values.
 2010-03-07 16:40:05 +00:00
Dr. Stephen Henson
bb845ee044 Add -engine_impl option to dgst which will use an implementation of 
an algorithm from the supplied engine instead of just the default one.
 2010-03-05 13:28:21 +00:00
Dr. Stephen Henson
ebaa2cf5b2 PR: 2183 
PR#1999 broke fork detection by assuming HAVE_FORK was set for all platforms.
Include original HAVE_FORK detection logic while allowing it to be
overridden on specific platforms with -DHAVE_FORK=1 or -DHAVE_FORK=0
 2010-03-03 19:56:34 +00:00
Dr. Stephen Henson
a05b8d0ede use supplied ENGINE in genrsa 2010-03-01 14:22:21 +00:00
Dr. Stephen Henson
40c5eaeeec oops, revert verify.c change 2010-02-27 23:03:26 +00:00
Dr. Stephen Henson
c1ca9d3238 Add Kerberos fix which was in 0.9.8-stable but never committed to HEAD and 
1.0.0. Original fix was on 2007-Mar-09 and had the log message: "Fix kerberos
ciphersuite bugs introduced with PR:1336."
 2010-02-27 23:02:41 +00:00
Dr. Stephen Henson
48435b2098 include TVS 1.1 version string 2010-02-26 19:38:33 +00:00
Dr. Stephen Henson
db28aa86e0 add -trusted_first option and verify flag 2010-02-25 12:21:48 +00:00
Dr. Stephen Henson
04e4b82726 allow setting of verify names in command line utilities and print out verify names in verify utility 2010-02-25 00:11:32 +00:00
Dr. Stephen Henson
5a9e3f05ff PR: 2170 
Submitted by: Magnus Lilja <lilja.magnus@gmail.com>

Make -c option in dgst work again.
 2010-02-12 17:07:16 +00:00
Dr. Stephen Henson
17ebc10ffa PR: 2161 
Submitted by: Doug Goldstein <cardoe@gentoo.org>, Steve.

Make no-dsa, no-ecdsa and no-rsa compile again.
 2010-02-02 13:35:27 +00:00
Dr. Stephen Henson
08c239701b Experimental renegotiation support in s_server test -www server. 2010-01-28 19:48:36 +00:00
Dr. Stephen Henson
c2963f5b87 revert wrongly committed test code 2010-01-27 17:49:33 +00:00
Dr. Stephen Henson
4ba1aa393b typo 2010-01-27 14:05:39 +00:00
Richard Levitte
407a410136 Have the VMS build system catch up with the 1.0.0-stable branch. 2010-01-27 09:18:42 +00:00
Dr. Stephen Henson
ba64ae6cd1 Tolerate PKCS#8 DSA format with negative private key. 2010-01-22 20:17:12 +00:00
Andy Polyakov
d582c98d8f apps/speed.c: limit loop counters to 2^31 in order to avoid overflows 
in performance calculations. For the moment there is only one code
fast enough to suffer from this: Intel AES-NI engine.
PR: 2096
 2010-01-17 17:31:38 +00:00
Dr. Stephen Henson
0e0c6821fa PR: 2136 
Submitted by: Willy Weisz <weisz@vcpc.univie.ac.at>

Add options to output hash using older algorithm compatible with OpenSSL
versions before 1.0.0
 2010-01-12 17:29:34 +00:00
Andy Polyakov
cba9ffc32a Fix compilation on older Linux. Linux didn't always have sockaddr_storage, 
not to mention that first sockaddr_storage had __ss_family, not ss_family.
In other words it makes more sense to avoid sockaddr_storage...
 2010-01-06 21:22:56 +00:00
Dr. Stephen Henson
35b0ea4efe Add simple external session cache to s_server. This serialises sessions 
just like a "real" server making it easier to trace any problems.
 2009-12-27 23:24:45 +00:00
Dr. Stephen Henson
ef51b4b9b4 New option to enable/disable connection to unpatched servers 2009-12-16 20:25:59 +00:00
Dr. Stephen Henson
5430200b8b Add ctrl and macro so we can determine if peer support secure renegotiation. 2009-12-08 13:42:08 +00:00
Dr. Stephen Henson
637f374ad4 Initial experimental TLSv1.1 support 2009-12-07 13:31:02 +00:00
Dr. Stephen Henson
3533ab1fee Replace the broken SPKAC certification with the correct version. 2009-12-02 14:41:51 +00:00
Dr. Stephen Henson
d2a53c2238 Experimental CMS password based recipient Info support. 2009-11-26 18:57:39 +00:00
Richard Levitte
0a02d1db34 Update from 1.0.0-stable 2009-11-12 17:03:10 +00:00
Dr. Stephen Henson
860c3dd1b6 add missing parts of reneg port, fix apps patch 2009-11-11 14:51:19 +00:00
Dr. Stephen Henson
2942dde56c commit missing apps code for reneg fix 2009-11-11 14:10:24 +00:00
Dr. Stephen Henson
2008e714f3 Add missing functions to allow access to newer X509_STORE_CTX status 
information. Add more informative message to verify callback to indicate
when CRL path validation is taking place.
 2009-10-31 19:22:18 +00:00
Dr. Stephen Henson
245d2ee3d0 Add option to allow in-band CRL loading in verify utility. Add function 
load_crls and tidy up load_certs. Remove useless purpose variable from
verify utility: now done with args_verify.
 2009-10-31 13:33:57 +00:00
Dr. Stephen Henson
d4be92896c Add -no_cache option to s_server 2009-10-28 17:49:30 +00:00
Dr. Stephen Henson
6aa1770c6d Use new X509_STORE_set_verify_cb function instead of old macro. 2009-10-18 14:40:33 +00:00
Dr. Stephen Henson
be45636661 Fix for WIN32 and possibly other platforms which don't define in_port_t. 2009-10-15 18:49:30 +00:00
Dr. Stephen Henson
636b6b450d PR: 2069 
Submitted by: Michael Tuexen <tuexen@fh-muenster.de>
Approved by: steve@openssl.org

IPv6 support for DTLS.
 2009-10-15 17:41:31 +00:00
Dr. Stephen Henson
2c55c0d367 PR: 1847 
Submitted by: Tomas Mraz <tmraz@redhat.com>
Approved by: steve@openssl.org

Integrated patches to CA.sh to bring it into line with CA.pl functionality.
 2009-10-15 17:27:34 +00:00
Dr. Stephen Henson
0431941ec5 Revert extra changes from previous commit. 2009-10-15 17:17:45 +00:00
Dr. Stephen Henson
42733b3bea PR: 2066 
Submitted by: Guenter <lists@gknw.net>
Approved by: steve@openssl.org

Add -r option to dgst to produce format compatible with core utilities.
 2009-10-15 17:13:54 +00:00
Dr. Stephen Henson
0e039aa797 Fix warnings about ignoring fgets return value 2009-10-04 16:42:56 +00:00
Dr. Stephen Henson
b48315d9b6 PR: 2061 
Submitted by: Julia Lawall <julia@diku.dk>
Approved by: steve@openssl.org

Correct i2b_PVK_bio error handling in rsa.c, dsa.c
 2009-10-01 00:25:24 +00:00
Dr. Stephen Henson
18e503f30f PR: 2064, 728 
Submitted by: steve@openssl.org

Add support for custom headers in OCSP requests.
 2009-09-30 21:40:55 +00:00
Dr. Stephen Henson
37fc562bd8 Free SSL_CTX after BIO 2009-09-30 21:36:17 +00:00
Dr. Stephen Henson
a25f33d28a Submitted by: Julia Lawall <julia@diku.dk> 
The functions ENGINE_ctrl(), OPENSSL_isservice(), EVP_PKEY_sign(),
CMS_get1_RecipientRequest() and RAND_bytes() can return <=0 on error fix
so the return code is checked correctly.
 2009-09-13 11:29:29 +00:00
Dr. Stephen Henson
08882ac5be PR: 2038 
Submitted by: Artem Chuprina <ran@cryptocom.ru>
Approved by: steve@openssl.org

Avoid double call to BIO_free().
 2009-09-11 11:02:52 +00:00
Dr. Stephen Henson
b5ca7df5aa PR: 2031 
Submitted by: steve@openssl.org

Tolerate application/timestamp-response which some servers send out.
 2009-09-07 17:57:18 +00:00
Dr. Stephen Henson
e0d4e97c1a Make update, deleting bogus DTLS error code 2009-09-06 15:58:19 +00:00
Dr. Stephen Henson
f4274da164 PR: 1644 
Submitted by: steve@openssl.org

Fix to make DHparams_dup() et al work in C++.

For 1.0 fix the final argument to ASN1_dup() so it is void *. Replace some
*_dup macros with functions.
 2009-09-06 15:49:46 +00:00
Dr. Stephen Henson
07a9d1a2c2 PR: 2028 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

Fix DTLS cookie management bugs.
 2009-09-04 17:42:53 +00:00
Dr. Stephen Henson
2d1cbca960 PR: 2020 
Submitted by: Keith Beckman <kbeckman@mcg.edu>,  Tomas Mraz <tmraz@redhat.com>
Checked by: steve@openssl.org

Fix improperly capitalized references to WWW::Curl::Easy.
 2009-09-02 15:57:24 +00:00
Dr. Stephen Henson
17b5326ba9 PR: 2013 
Submitted by: steve@openssl.org

Include a flag ASN1_STRING_FLAG_MSTRING when a multi string type is created.
This makes it possible to tell if the underlying type is UTCTime,
GeneralizedTime or Time when the structure is reused and X509_time_adj_ex()
can handle each case in an appropriate manner.

Add error checking to CRL generation in ca utility when nextUpdate is being
set.
 2009-09-02 13:54:50 +00:00
Dr. Stephen Henson
1771668096 Tidy up and fix verify callbacks to avoid structure dereference, use of 
obsolete functions and enhance to handle new conditions such as policy printing.
 2009-09-02 12:47:28 +00:00
Dr. Stephen Henson
ba4526e071 Stop unused variable warning on WIN32 et al. 2009-08-18 11:15:33 +00:00
Dr. Stephen Henson
3ed3603b60 Update default dependency flags. 
Make error name discrepancies a fatal error.
Fix error codes.
make update
 2009-08-12 17:30:37 +00:00
Dr. Stephen Henson
b972fbaa8f PR: 1997 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

DTLS timeout handling fix.
 2009-08-12 13:19:54 +00:00
Dr. Stephen Henson
77c7f17a5e Typo 2009-08-10 15:52:49 +00:00
Dr. Stephen Henson
b318cfb169 PR: 1999 
Submitted by: "Bayram Kurumahmut" <kbayram@ubicom.com>
Approved by: steve@openssl.org

Don't use HAVE_FORK in apps/speed.c it can conflict with configured version.
 2009-08-10 15:30:40 +00:00
Dr. Stephen Henson
f10f4447da Update from 1.0.0-stable. 2009-08-05 15:29:58 +00:00
Dr. Stephen Henson
c869da8839 Update from 1.0.0-stable 2009-07-27 21:10:00 +00:00
Dr. Stephen Henson
bdfa4ff947 Update from 0.9.8-stable 2009-07-24 11:17:10 +00:00
Dr. Stephen Henson
3f7c592082 Updates from 1.0.0-stable. 2009-07-14 15:30:05 +00:00
Dr. Stephen Henson
6053ef80e5 Use new time routines to avoid possible overflow. 2009-07-13 11:40:14 +00:00
Dr. Stephen Henson
c55d27ac33 Make update. 2009-07-08 09:19:53 +00:00
Dr. Stephen Henson
db99779bee Use common verify parameters instead of the small ad-hoc subset in 
s_client, s_server.
 2009-06-30 15:56:35 +00:00
Dr. Stephen Henson
e5b2b0f91f Updates from 1.0.0-stable 2009-06-30 15:28:16 +00:00
Dr. Stephen Henson
9a5faeaa42 Allow setting of verify depth in verify parameters (as opposed to the depth 
implemented using the verify callback).
 2009-06-29 16:09:37 +00:00
Dr. Stephen Henson
f3be6c7b7d Update from 1.0.0-stable. 2009-06-26 11:29:26 +00:00
Dr. Stephen Henson
c05353c50a Rename asc2uni and uni2asc functions to avoid clashes. 2009-06-17 12:04:56 +00:00
Dr. Stephen Henson
eddee61671 PR: 1956 
Submitted by: Guenter <lists@gknw.net>
Approved by: steve@openssl.org

Netware doesn't have strings.h
 2009-06-17 11:32:59 +00:00
Dr. Stephen Henson
58f41a926a Updates from 1.0.0-stable 2009-06-05 14:59:26 +00:00
Dr. Stephen Henson
046f210112 Update from 1.0.0-stable. 2009-05-17 16:04:58 +00:00
Richard Levitte
cc8cc9a3a1 Functional VMS changes submitted by sms@antinode.info (Steven M. Schweda). 
Thank you\!
(note: not tested for now, a few nightly builds should give indications though)
 2009-05-15 16:36:56 +00:00
Dr. Stephen Henson
83d8fa7dd1 Update from stable branch. 2009-05-13 11:32:46 +00:00
Dr. Stephen Henson
d4f0339c66 Update from 1.0.0-stable. 2009-04-26 22:18:22 +00:00
Richard Levitte
7184ef1210 Cast to avoid signedness confusion 2009-04-26 12:16:08 +00:00
Dr. Stephen Henson
ef236ec3b2 Merge from 1.0.0-stable branch. 2009-04-23 16:32:42 +00:00