wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
10302 commits 20 branches 302 tags 153 MiB
Commit graph

10302 commits

This branch
This branch
All branches
Author SHA1 Message Date
Dr. Stephen Henson
ede5f6cf74 add -chain options to s_client (backrpot from HEAD) 2012-12-30 16:17:29 +00:00
Dr. Stephen Henson
321a9fea75 make no-comp compile 2012-12-30 16:05:03 +00:00
Dr. Stephen Henson
2e00f46b51 stop warning when compiling with no-comp 2012-12-30 01:12:19 +00:00
Dr. Stephen Henson
8c3f868983 remove unused cipher functionality from s_client 2012-12-30 00:03:40 +00:00
Dr. Stephen Henson
d03cc94f47 Update debug-steve* options. 2012-12-29 23:59:18 +00:00
Dr. Stephen Henson
5477ff9ba2 make JPAKE work again, fix memory leaks 2012-12-29 23:58:44 +00:00
Dr. Stephen Henson
46b11600b0 update ordinals 2012-12-29 14:18:14 +00:00
Dr. Stephen Henson
15387e4ce0 Delegate command line handling for many common options in s_client/s_server to 
the SSL_CONF APIs.

This is complicated a little because the SSL_CTX structure is not available
when the command line is processed: so just check syntax of commands initially
and store them, ready to apply later.

(backport from HEAD)
 2012-12-29 14:16:41 +00:00
Dr. Stephen Henson
49ef33fa34 add SSL_CONF functions and documentation (backport from HEAD) 2012-12-29 13:30:56 +00:00
Dr. Stephen Henson
1166323530 Update ordinals. 2012-12-26 23:53:52 +00:00
Dr. Stephen Henson
29113688a1 Portability fix: use BIO_snprintf and pick up strcasecmp alternative 
definitions from e_os.h
 2012-12-26 23:51:41 +00:00
Dr. Stephen Henson
44c970746f typo 2012-12-26 22:43:43 +00:00
Dr. Stephen Henson
bc200e691c SSL/TLS record tracing code (backport from HEAD). 2012-12-26 22:40:46 +00:00
Dr. Stephen Henson
a08f8d73cc Reject zero length ec point format list. 
Give more meaningful error is attempt made to use incorrect curve.

(from HEAD)
 2012-12-26 18:26:11 +00:00
Dr. Stephen Henson
b52f12b3ba handle point format list retrieval for clients too (from HEAD) 2012-12-26 18:20:07 +00:00
Dr. Stephen Henson
78b5d89ddf Add support for printing out and retrieving EC point formats extension. 
(backport from HEAD)
 2012-12-26 18:13:49 +00:00
Dr. Stephen Henson
b79df62eff return error if Suite B mode is selected and TLS 1.2 can't be used. 
(backport from HEAD)
 2012-12-26 17:39:02 +00:00
Dr. Stephen Henson
e3c76874ad set auto ecdh parameter selction for Suite B 
(backport from HEAD)
 2012-12-26 17:35:02 +00:00
Dr. Stephen Henson
4347394a27 add Suite B 128 bit mode offering only combination 2 
(backport from HEAD)
 2012-12-26 17:34:50 +00:00
Dr. Stephen Henson
53bb723834 Use client version when deciding which cipher suites to disable. 
(backport from HEAD)
 2012-12-26 17:09:39 +00:00
Dr. Stephen Henson
684a2264c5 Use default point formats extension for server side as well as client 
side, if possible.

Don't advertise compressed char2 for SuiteB as it is not supported.
(backport from HEAD)
 2012-12-26 17:09:14 +00:00
Dr. Stephen Henson
fde8dc1798 add Suite B verification flags 2012-12-26 16:57:39 +00:00
Dr. Stephen Henson
3c87a2bdfa contify 
(backport from HEAD)
 2012-12-26 16:49:59 +00:00
Dr. Stephen Henson
1520e6c084 Add ctrl and utility functions to retrieve raw cipher list sent by client in 
client hello message. Previously this could only be retrieved on an initial
connection and it was impossible to determine the cipher IDs of any uknown
ciphersuites.
(backport from HEAD)
 2012-12-26 16:25:06 +00:00
Dr. Stephen Henson
2001129f09 new ctrl to retrive value of received temporary key in server key exchange message, print out details in s_client 
(backport from HEAD)
 2012-12-26 16:23:36 +00:00
Dr. Stephen Henson
a50ecaee56 store and print out message digest peer signed with in TLS 1.2 
(backport from HEAD)
 2012-12-26 16:23:13 +00:00
Dr. Stephen Henson
67d9dcf003 perform sanity checks on server certificate type as soon as it is received instead of waiting until server key exchange 
(backport from HEAD)
 2012-12-26 16:22:19 +00:00
Dr. Stephen Henson
79dcae32ef give more meaningful error if presented with wrong certificate type by server 
(backport from HEAD)
 2012-12-26 16:18:15 +00:00
Dr. Stephen Henson
ccf6a19e2d Add three Suite B modes to TLS code, supporting RFC6460. 
(backport from HEAD)
 2012-12-26 16:17:40 +00:00
Dr. Stephen Henson
28fbbe3b1b Add missing prototype to x509.h 2012-12-26 16:11:10 +00:00
Dr. Stephen Henson
8d2dbe6ac0 New function X509_chain_up_ref to dup and up the reference count of 
a STACK_OF(X509): replace equivalent functionality in several places
by the equivalent call.
(backport from HEAD)
 2012-12-26 16:04:03 +00:00
Dr. Stephen Henson
ba8bdea771 add suite B chain validation flags and associated verify errors 
(backport from HEAD)
 2012-12-26 16:01:31 +00:00
Dr. Stephen Henson
3d9916298a Oops, add missing v3nametest.c 2012-12-26 15:59:57 +00:00
Dr. Stephen Henson
87054c4f0e New -valid option to add a certificate to the ca index.txt that is valid and not revoked 
(backport from HEAD)
 2012-12-26 15:32:13 +00:00
Dr. Stephen Henson
6660baee66 Make tls1_check_chain return a set of flags indicating checks passed 
by a certificate chain. Add additional tests to handle client
certificates: checks for matching certificate type and issuer name
comparison.

Print out results of checks for each candidate chain tested in
s_server/s_client.
(backport from HEAD)
 2012-12-26 15:27:44 +00:00
Dr. Stephen Henson
25d4c9254c Abort handshake if signature algorithm used not supported by peer. 
(backport from HEAD)
 2012-12-26 15:27:24 +00:00
Dr. Stephen Henson
44adfeb6c0 check EC tmp key matches preferences 
(backport from HEAD)
 2012-12-26 15:27:04 +00:00
Dr. Stephen Henson
5ff2ef79e6 typo 2012-12-26 15:23:16 +00:00
Dr. Stephen Henson
b762acadeb Add support for certificate stores in CERT structure. This makes it 
possible to have different stores per SSL structure or one store in
the parent SSL_CTX. Include distint stores for certificate chain
verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN
to build and store a certificate chain in CERT structure: returing
an error if the chain cannot be built: this will allow applications
to test if a chain is correctly configured.

Note: if the CERT based stores are not set then the parent SSL_CTX
store is used to retain compatibility with existing behaviour.
(backport from HEAD)
 2012-12-26 15:21:53 +00:00
Dr. Stephen Henson
7d779eefb4 add ssl_locl.h to err header files, rebuild ssl error strings 
(backport from HEAD)
 2012-12-26 15:09:16 +00:00
Dr. Stephen Henson
35b7757f9b set ciphers to NULL before calling cert_cb 
(backport from HEAD)
 2012-12-26 14:56:40 +00:00
Dr. Stephen Henson
23195e4dcc stop warning 
(backport from HEAD)
 2012-12-26 14:56:27 +00:00
Dr. Stephen Henson
b28fbdfa7d New function ssl_set_client_disabled to set masks for any ciphersuites 
that are disabled for this session (as opposed to always disabled by
configuration).
(backport from HEAD)
 2012-12-26 14:55:46 +00:00
Dr. Stephen Henson
a897502cd9 Add new ctrl to retrieve client certificate types, print out 
details in s_client.

Also add ctrl to set client certificate types. If not used sensible values
will be included based on supported signature algorithms: for example if
we don't include any DSA signing algorithms the DSA certificate type is
omitted.

Fix restriction in old code where certificate types would be truncated
if it exceeded TLS_CT_NUMBER.
(backport from HEAD)
 2012-12-26 14:51:37 +00:00
Dr. Stephen Henson
8546add692 cert_flags is unsigned 
(backport from HEAD)
 2012-12-26 14:48:05 +00:00
Dr. Stephen Henson
aa5c5eb4c1 add support for client certificate callbak, fix memory leak 
(backport from HEAD)
 2012-12-26 14:47:31 +00:00
Dr. Stephen Henson
731abd3bd7 new function SSL_is_server to which returns 1 is the corresponding SSL context is for a server 
(backport from HEAD)
 2012-12-26 14:45:46 +00:00
Dr. Stephen Henson
7531dd18dc no need to check s->server as default_nid is never used for TLS 1.2 client authentication 
(backport from HEAD)
 2012-12-26 14:45:27 +00:00
Dr. Stephen Henson
04c32cddaa Separate client and server permitted signature algorithm support: by default 
the permitted signature algorithms for server and client authentication
are the same but it is now possible to set different algorithms for client
authentication only.
(backport from HEAD)
 2012-12-26 14:44:56 +00:00
Dr. Stephen Henson
623a5e24cb Add certificate callback. If set this is called whenever a certificate 
is required by client or server. An application can decide which
certificate chain to present based on arbitrary criteria: for example
supported signature algorithms. Add very simple example to s_server.
This fixes many of the problems and restrictions of the existing client
certificate callback: for example you can now clear existing certificates
and specify the whole chain.
(backport from HEAD)
 2012-12-26 14:43:51 +00:00