| Age | Commit message (Collapse) | Author |
|---|
|
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 0cfefe4b6dcc6947c236b0f10a7f9e2f02273075)
|
|
Instead of SSL_CTX_set_custom_cli_ext and SSL_CTX_set_custom_srv_ext
use SSL_CTX_add_client_custom_ext and SSL_CTX_add_server_custom_ext.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 8cafe9e8bfcc99d12adf083c61411955995668c4)
|
|
Support separate parse and add callback arguments.
Add new callback so an application can free extension data.
Change return value for send functions so < 0 is an error 0
omits extension and > 0 includes it. This is more consistent
with the behaviour of other functions in OpenSSL.
Modify parse_cb handling so <= 0 is an error.
Make SSL_CTX_set_custom_cli_ext and SSL_CTX_set_custom_cli_ext argument
order consistent.
NOTE: these changes WILL break existing code.
Remove (now inaccurate) in line documentation.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 33f653adf3bff5b0795e22de1f54b7c5472252d0)
|
|
Use "parse" and "add" for function and callback names instead of
"first" and "second".
Change arguments to callback so the extension type is unsigned int
and the buffer length is size_t. Note: this *will* break existing code.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit de2a9e38f39eacc2e052d694f5b5fa5b7e734abc)
|
|
Since sanity checks are performed for all custom extensions the
serverinfo checks are no longer needed.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 707b026d7871eb12c23671c975e6a15a8c331785)
Conflicts:
ssl/ssl3.h
ssl/t1_lib.c
|
|
|
|
Whitespace fixes
(cherry picked from commit e9add063b50e8a460d5636055156d2760c2fe29f)
Conflicts:
ssl/s3_clnt.c
|
|
support sending an alert.
If multiple TLS extensions are expected but not received, the TLS extension and supplemental data 'generate' callbacks are the only chance for the receive-side to trigger a specific TLS alert during the handshake.
Removed logic which no-op'd TLS extension generate callbacks (as the generate callbacks need to always be called in order to trigger alerts), and updated the serverinfo-specific custom TLS extension callbacks to track which custom TLS extensions were received by the client, where no-ops for 'generate' callbacks are appropriate.
(cherry picked from commit ac20719d994729970eb3b775c7bffa81f0e9f960)
Conflicts:
ssl/t1_lib.c
|
|
reinstated.
|
|
entries, facilitating RFC 5878 (TLS auth extensions)
Removed prior audit proof logic - audit proof support was implemented using the generic TLS extension API
Tests exercising the new supplemental data registration and callback api can be found in ssltest.c.
Implemented changes to s_server and s_client to exercise supplemental data callbacks via the -auth argument, as well as additional flags to exercise supplemental data being sent only during renegotiation.
(cherry picked from commit 36086186a9b90cdad0d2cd0a598a10f03f8f4bcc)
Conflicts:
Configure
apps/s_client.c
apps/s_server.c
ssl/ssl.h
ssl/ssl3.h
ssl/ssltest.c
|
|
Fix a limitation in SSL_CTX_use_certificate_chain_file(): use algorithm
specific chains instead of the shared chain.
Update docs.
(cherry picked from commit a4339ea3ba045b7da038148f0d48ce25f2996971)
Conflicts:
CHANGES
|
|
|
|
|
|
Force no SSL2 when custom extensions in use.
Don't clear extension state when cert is set.
Clear on renegotiate.
Conflicts:
ssl/t1_lib.c
|
|
|
|
Add support for arbitrary TLS extensions.
Contributed by Trevor Perrin.
Conflicts:
CHANGES
ssl/ssl.h
ssl/ssltest.c
test/testssl
Fix compilation due to #endif.
Cherrypicking more stuff.
Cleanup of custom extension stuff.
serverinfo rejects non-empty extensions.
Omit extension if no relevant serverinfo data.
Improve error-handling in serverinfo callback.
Cosmetic cleanups.
s_client documentation.
s_server documentation.
SSL_CTX_serverinfo documentation.
Cleaup -1 and NULL callback handling for custom extensions, add tests.
Cleanup ssl_rsa.c serverinfo code.
Whitespace cleanup.
Improve comments in ssl.h for serverinfo.
Whitespace.
Cosmetic cleanup.
Reject non-zero-len serverinfo extensions.
Whitespace.
Make it build.
Conflicts:
test/testssl
|
|
|
|
|
|
|
|
Submitted by: steve@openssl.org
Allow use of trusted certificates in SSL_CTX_use_chain_file()
|
|
about "overcommenting".
|
|
PR: 1417, 1513
Submitted by: Erik de Castro Lopo <mle+openssl@mega-nerd.com>
|
|
and SSL_use_PrivateKey_file()
PR: 1035
Submitted by: Walter Goulet
Reviewed by: Nils Larsch
|
|
Reviewed by: Bodo Moeller
|
|
PR: 860
|
|
functions and macros.
This change has associated tags: LEVITTE_before_const and
LEVITTE_after_const. Those will be removed when this change has been
properly reviewed.
|
|
|
|
des_old.h redefines crypt:
#define crypt(b,s)\
DES_crypt((b),(s))
This scheme leads to failure, if header files with the OS's true definition
of crypt() are processed _after_ des_old.h was processed. This is e.g. the
case on HP-UX with unistd.h.
As evp.h now again includes des.h (which includes des_old.h), this problem
only came up after this modification.
Solution: move header files (indirectly) including e_os.h before the header
files (indirectly) including evp.h.
Submitted by:
Reviewed by:
PR:
|
|
|
|
[DR]SA_up => [DR]SA_up_ref
|
|
counts in DH, DSA, and RSA structures. Instead they use the new "***_up()"
functions that handle this.
|
|
missed any.
This compiles and runs on Linux, and external applications have no
problems with it. The definite test will be to build this on VMS.
|
|
pointer to a const double pointe parameter, the pointer must point to
const data as well.
|
|
|
|
and to lots of PEM_... functions.
Submitted by: Damien Miller <dmiller@ilogic.com.au>
|
|
pointers. The cert_st handling is changed by this in various ways.
Submitted by:
Reviewed by:
PR:
|
|
Submitted by:
Reviewed by:
PR:
|
|
Submitted by:
Reviewed by:
PR:
|
|
|
|
Submitted by:
Reviewed by:
PR:
|
|
|
|
private keys and/or callback functions which directly correspond to their
SSL_CTX_xxx() counterparts but work on a per-connection basis. This is needed
for applications which have to configure certificates on a per-connection
basis (e.g. Apache+mod_ssl) instead of a per-context basis (e.g.
s_server).
For the RSA certificate situation is makes no difference, but for the DSA
certificate situation this fixes the "no shared cipher" problem where the
OpenSSL cipher selection procedure failed because the temporary keys were not
overtaken from the context and the API provided no way to reconfigure them.
The new functions now let applications reconfigure the stuff and they are in
detail: SSL_need_tmp_RSA, SSL_set_tmp_rsa, SSL_set_tmp_dh,
SSL_set_tmp_rsa_callback and SSL_set_tmp_dh_callback. Additionally a new
non-public-API function ssl_cert_instantiate() is used as a helper function
and also to reduce code redundancy inside ssl_rsa.c.
Submitted by: Ralf S. Engelschall
Reviewed by: Ben Laurie
|
|
[Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)]
Fix so that the version number in the master secret, when passed
via RSA, checks that if TLS was proposed, but we roll back to SSLv3
(because the server will not accept higher), that the version number
is 0x03,0x01, not 0x03,0x00
[Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)]
Submitted by:
Reviewed by:
PR:
|
|
|
|
|
|
|
|
|
