root
/
openssl
mirror of https://github.com/openssl/openssl.git
1
0
Fork 0
Code Issues Actions 7 Packages Projects Releases Wiki Activity
10,986 Commits 32 Branches 398 Tags 545 MiB
Commit Graph

125 Commits

Author SHA1 Message Date
Matt Caswell 7441e7dbe9 Fixed spelling error in error message. Fix supplied by Marcos Marado 2014-05-01 00:27:02 +01:00
Dr. Stephen Henson 295fd057ce fix error number clash 2014-02-09 19:57:27 +00:00
Scott Deboy 038bec784e Add callbacks supporting generation and retrieval of supplemental data entries, facilitating RFC 5878 (TLS auth extensions) 
Removed prior audit proof logic - audit proof support was implemented using the generic TLS extension API
Tests exercising the new supplemental data registration and callback api can be found in ssltest.c.
Implemented changes to s_server and s_client to exercise supplemental data callbacks via the -auth argument, as well as additional flags to exercise supplemental data being sent only during renegotiation.

(cherry picked from commit 36086186a9)
Conflicts:
	Configure
	apps/s_client.c
	apps/s_server.c
	ssl/ssl.h
	ssl/ssl3.h
	ssl/ssltest.c
 2014-02-08 16:12:15 -08:00
Ben Laurie 379f21ce5c Show useful errors. 2013-09-24 23:13:22 +01:00
Dr. Stephen Henson d307176931 Suite B support for DTLS 1.2 
Check for Suite B support using method flags instead of version numbers:
anything supporting TLS 1.2 cipher suites will also support Suite B.

Return an error if an attempt to use DTLS 1.0 is made in Suite B mode.
(cherry picked from commit 4544f0a691)
 2013-09-18 13:46:03 +01:00
Trevor e27711cfdd Trying cherrypick: 
Add support for arbitrary TLS extensions.

Contributed by Trevor Perrin.

Conflicts:

	CHANGES
	ssl/ssl.h
	ssl/ssltest.c
	test/testssl

Fix compilation due to #endif.

Cherrypicking more stuff.

Cleanup of custom extension stuff.

serverinfo rejects non-empty extensions.

Omit extension if no relevant serverinfo data.

Improve error-handling in serverinfo callback.

Cosmetic cleanups.

s_client documentation.

s_server documentation.

SSL_CTX_serverinfo documentation.

Cleaup -1 and NULL callback handling for custom extensions, add tests.

Cleanup ssl_rsa.c serverinfo code.

Whitespace cleanup.

Improve comments in ssl.h for serverinfo.

Whitespace.

Cosmetic cleanup.

Reject non-zero-len serverinfo extensions.

Whitespace.

Make it build.

Conflicts:

	test/testssl
 2013-07-03 11:53:30 +01:00
Dr. Stephen Henson 49ef33fa34 add SSL_CONF functions and documentation (backport from HEAD) 2012-12-29 13:30:56 +00:00
Dr. Stephen Henson b79df62eff return error if Suite B mode is selected and TLS 1.2 can't be used. 
(backport from HEAD)
 2012-12-26 17:39:02 +00:00
Dr. Stephen Henson 67d9dcf003 perform sanity checks on server certificate type as soon as it is received instead of waiting until server key exchange 
(backport from HEAD)
 2012-12-26 16:22:19 +00:00
Dr. Stephen Henson 79dcae32ef give more meaningful error if presented with wrong certificate type by server 
(backport from HEAD)
 2012-12-26 16:18:15 +00:00
Dr. Stephen Henson ccf6a19e2d Add three Suite B modes to TLS code, supporting RFC6460. 
(backport from HEAD)
 2012-12-26 16:17:40 +00:00
Dr. Stephen Henson 25d4c9254c Abort handshake if signature algorithm used not supported by peer. 
(backport from HEAD)
 2012-12-26 15:27:24 +00:00
Dr. Stephen Henson 44adfeb6c0 check EC tmp key matches preferences 
(backport from HEAD)
 2012-12-26 15:27:04 +00:00
Dr. Stephen Henson b762acadeb Add support for certificate stores in CERT structure. This makes it 
possible to have different stores per SSL structure or one store in
the parent SSL_CTX. Include distint stores for certificate chain
verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN
to build and store a certificate chain in CERT structure: returing
an error if the chain cannot be built: this will allow applications
to test if a chain is correctly configured.

Note: if the CERT based stores are not set then the parent SSL_CTX
store is used to retain compatibility with existing behaviour.
(backport from HEAD)
 2012-12-26 15:21:53 +00:00
Dr. Stephen Henson 7d779eefb4 add ssl_locl.h to err header files, rebuild ssl error strings 
(backport from HEAD)
 2012-12-26 15:09:16 +00:00
Dr. Stephen Henson 623a5e24cb Add certificate callback. If set this is called whenever a certificate 
is required by client or server. An application can decide which
certificate chain to present based on arbitrary criteria: for example
supported signature algorithms. Add very simple example to s_server.
This fixes many of the problems and restrictions of the existing client
certificate callback: for example you can now clear existing certificates
and specify the whole chain.
(backport from HEAD)
 2012-12-26 14:43:51 +00:00
Dr. Stephen Henson c70a1fee71 Reorganise supported signature algorithm extension processing. 
Only store encoded versions of peer and configured signature algorithms.
Determine shared signature algorithms and cache the result along with NID
equivalents of each algorithm.
(backport from HEAD)
 2012-12-26 14:26:16 +00:00
Ben Laurie 835d104f46 Rearrange and test authz extension. 2012-06-07 13:20:20 +00:00
Ben Laurie 8a02a46a5c RFC 5878 support. 2012-05-29 17:27:48 +00:00
Dr. Stephen Henson fe9ce2b7d6 Submitted by: Peter Sylvester <peter.sylvester@edelweb.fr> 
Reviewed by: steve
Improved localisation of TLS extension handling and code tidy.
 2012-04-24 12:15:17 +00:00
Dr. Stephen Henson f897fe4146 correct error code 2012-04-18 15:17:39 +00:00
Dr. Stephen Henson 736d69750d Backport: tidy/enhance certificate chain output code (from HEAD) 2012-04-06 11:58:17 +00:00
Dr. Stephen Henson f1fa05b407 ABI compliance fixes. 
Move new structure fields to end of structures.

Import library codes from 1.0.0 and recreate new ones.
 2012-02-22 14:01:44 +00:00
Dr. Stephen Henson 943cc09d8a Submitted by: Eric Rescorla <ekr@rtfm.com> 
Fix encoding of use_srtp extension to be compliant with RFC5764
 2012-02-10 00:03:37 +00:00
Dr. Stephen Henson aaa3850ccd Only allow one SGC handshake restart for SSL/TLS. (CVE-2011-4619) 2012-01-04 23:07:54 +00:00
Dr. Stephen Henson bd6941cfaa PR: 2658 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Support for TLS/DTLS heartbeats.
 2011-12-31 23:00:36 +00:00
Ben Laurie b1d7429186 Add TLS exporter. 2011-11-15 23:51:22 +00:00
Ben Laurie 060a38a2c0 Add DTLS-SRTP. 2011-11-15 23:02:16 +00:00
Ben Laurie 68b33cc5c7 Add Next Protocol Negotiation. 2011-11-13 21:55:42 +00:00
Dr. Stephen Henson 376838a606 Process signature algorithms during TLS v1.2 client authentication. 
Make sure message is long enough for signature algorithms.

(backport from HEAD).
 2011-05-12 17:44:59 +00:00
Dr. Stephen Henson 9472baae0d Backport TLS v1.2 support from HEAD. 
This includes TLS v1.2 server and client support but at present
client certificate support is not implemented.
 2011-05-11 13:37:52 +00:00
Dr. Stephen Henson 74096890ba Initial "opaque SSL" framework. If an application defines OPENSSL_NO_SSL_INTERN 
all ssl related structures are opaque and internals cannot be directly
accessed. Many applications will need some modification to support this and
most likely some additional functions added to OpenSSL.

The advantage of this option is that any application supporting it will still
be binary compatible if SSL structures change.

(backport from HEAD).
 2011-05-11 12:56:38 +00:00
Dr. Stephen Henson 3393e0c02c Fix SRP error codes (from HEAD). 2011-03-16 16:55:12 +00:00
Ben Laurie a149b2466e Add SRP. 2011-03-16 11:26:40 +00:00
Dr. Stephen Henson eb17330837 Updates to conform with draft-ietf-tls-renegotiation-03.txt: 
1. Add provisional SCSV value.
2. Don't send SCSV and RI at same time.
3. Fatal error is SCSV received when renegotiating.
 2010-01-06 17:37:38 +00:00
Dr. Stephen Henson 4cba294d79 Client side compression algorithm sanity checks: ensure old compression 
algorithm matches current and give error if compression is disabled and
server requests it (shouldn't happen unless server is broken).
 2010-01-01 14:39:51 +00:00
Dr. Stephen Henson e642fd7a1c Compression handling on session resume was badly broken: it always 
used compression algorithms in client hello (a legacy from when
the compression algorithm wasn't serialized with SSL_SESSION).
 2010-01-01 00:44:36 +00:00
Ben Laurie 43a107026d Missing error code. 2009-12-12 15:57:53 +00:00
Dr. Stephen Henson 3c44e92bcb Include a more meaningful error message when rejecting legacy renegotiation 2009-11-18 14:19:52 +00:00
Dr. Stephen Henson bc9058d041 First cut of renegotiation extension. (port to 1.0.0-stable) 2009-11-09 18:45:42 +00:00
Dr. Stephen Henson c0688f1aef Make update, deleting bogus DTLS error code 2009-09-06 15:55:54 +00:00
Dr. Stephen Henson 17f8d8db61 PR: 2006 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

Do not use multiple DTLS records for a single user message
 2009-08-26 11:51:23 +00:00
Dr. Stephen Henson 5a96822f2c Update default dependency flags. 
Make error name discrepancies a fatal error.
Fix error codes.
make update
 2009-08-12 17:08:44 +00:00
Dr. Stephen Henson 5135d6b985 Fix error codes and indentation. 2009-07-15 11:32:58 +00:00
Dr. Stephen Henson c9a1778134 Fix error codes. 2009-04-05 11:54:34 +00:00
Ben Laurie 9b9cb004f7 Deal with the unlikely event that EVP_MD_CTX_size() returns an error. 
(Coverity ID 140).
 2008-12-27 02:09:24 +00:00
Ben Laurie 6ba71a7173 Handle the unlikely event that BIO_get_mem_data() returns -ve. 2008-12-27 02:00:38 +00:00
Dr. Stephen Henson 12bf56c017 PR: 1574 
Submitted by: Jouni Malinen <j@w1.fi>
Approved by: steve@openssl.org

Ticket override support for EAP-FAST.
 2008-11-15 17:18:12 +00:00
Bodo Möller 1cbf663a6c sanity check 
PR: 1679
 2008-08-13 19:45:06 +00:00
Bodo Möller 474b3b1cc8 Fix error codes for memory-saving patch. 
Also, get rid of compile-time switch OPENSSL_NO_RELEASE_BUFFERS
because it was rather pointless (the new behavior has to be explicitly
requested by setting SSL_MODE_RELEASE_BUFFERS anyway).
 2008-08-04 22:10:38 +00:00