History log of /openssl/ssl/ssl_rsa.c (Results 76 – 100 of 126)
# 0cfefe4b 19-Aug-2014 Dr. Stephen Henson

Rename some callbacks, fix alignment.

Reviewed-by: Emilia Käsper <emilia@openssl.org>


# 8cafe9e8 19-Aug-2014 Dr. Stephen Henson

Use consistent function naming.

Instead of SSL_CTX_set_custom_cli_ext and SSL_CTX_set_custom_srv_ext
use SSL_CTX_add_client_custom_ext and SSL_CTX_add_server_custom_ext.
Reviewed-by: Emilia Käsper <emilia@openssl.org>


# 33f653ad 16-Aug-2014 Dr. Stephen Henson

New extension callback features.

Support separate parse and add callback arguments.
Add new callback so an application can free extension data.
Change return value for send functions so < 0 is an error, 0
omits extension and > 0 includes it. This is more consistent
with the behaviour of other functions in OpenSSL.

Modify parse_cb handling so <= 0 is an error.

Make SSL_CTX_set_custom_cli_ext and SSL_CTX_set_custom_cli_ext argument
order consistent.

NOTE: these changes WILL break existing code.

Remove (now inaccurate) inline documentation.
Reviewed-by: Emilia Käsper <emilia@openssl.org>


# de2a9e38 14-Aug-2014 Dr. Stephen Henson

Callback revision.

Use "parse" and "add" for function and callback names instead of
"first" and "second".

Change arguments to callback so the extension type is unsigned int
and the buffer length is size_t. Note: this *will* break existing code.
Reviewed-by: Emilia Käsper <emilia@openssl.org>


# 707b026d 12-Aug-2014 Dr. Stephen Henson

Remove serverinfo checks.

Since sanity checks are performed for all custom extensions the
serverinfo checks are no longer needed.
Reviewed-by: Emilia Käsper <emilia@openssl.org>


# 693b71fa 09-Aug-2014 Viktor Szakats

RT 1988: Add "const" to SSL_use_RSAPrivateKey_ASN1

The "unsigned char *d" should be const.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>


# b362ccab 15-Dec-2013 Dr. Stephen Henson

Security framework.

Security callback: selects which parameters are permitted including
sensible defaults based on bits of security.

The "parameters" which can be selected include: ciphersuites,
curves, key sizes, certificate signature algorithms, supported
signature algorithms, DH parameters, SSL/TLS version, session tickets
and compression.

In some cases prohibiting the use of parameters will mean they are
not advertised to the peer: for example cipher suites and ECC curves.
In other cases it will abort the handshake: e.g. DH parameters or the
peer key size.

Documentation to follow...


# 0a602875 04-Feb-2014 Ben Laurie

Fix whitespace, new-style comments.


# e9add063 04-Feb-2014 Scott Deboy

Re-add alert variables removed during rebase
Whitespace fixes


# ac20719d 12-Sep-2013 Scott Deboy

Update custom TLS extension and supplemental data 'generate' callbacks to support sending an alert.

If multiple TLS extensions are expected but not received, the TLS extension and supplemental data 'generate' callbacks are the only chance for the receive-side to trigger a specific TLS alert during the handshake.

Removed logic which no-op'd TLS extension generate callbacks (as the generate callbacks need to always be called in order to trigger alerts), and updated the serverinfo-specific custom TLS extension callbacks to track which custom TLS extensions were received by the client, where no-ops for 'generate' callbacks are appropriate.


# a4339ea3 03-Jan-2014 Dr. Stephen Henson

Use algorithm specific chains for certificates.

Fix a limitation in SSL_CTX_use_certificate_chain_file(): use algorithm
specific chains instead of the shared chain.

Update docs.


# 9725bda7 24-Sep-2013 Ben Laurie

Show useful errors.

Conflicts:
apps/s_server.c


# 92acab0b 14-Sep-2013 Trevor Perrin

Redo deletion of some serverinfo code that supplemental data code mistakenly reinstated.


# c655f40e 14-Sep-2013 Trevor Perrin

Require ServerInfo PEMs to be named "BEGIN SERVERINFO FOR"...


# 91031975 14-Sep-2013 Trevor Perrin

Redo deletion of some serverinfo code that supplemental data code mistakenly reinstated.


# 36086186 18-Jun-2013 Scott Deboy

Add callbacks supporting generation and retrieval of supplemental data entries, facilitating RFC 5878 (TLS auth extensions)
Removed prior audit proof logic - audit proof support was implemented using the generic TLS extension API
Tests exercising the new supplemental data registration and callback api can be found in ssltest.c.
Implemented changes to s_server and s_client to exercise supplemental data callbacks via the -auth argument, as well as additional flags to exercise supplemental data being sent only during renegotiation.


# 0b2bde70 28-Jul-2013 Trevor Perrin

Various custom extension fixes.

Force no SSL2 when custom extensions in use.
Don't clear extension state when cert is set.
Clear on renegotiate.


# 5382adbf 24-Jun-2013 Trevor

Cosmetic touchups.


# 9cd50f73 14-Jun-2013 Trevor

Cleanup of custom extension stuff.

serverinfo rejects non-empty extensions.

Omit extension if no relevant serverinfo data.

Improve error-handling in serverinfo callback.

Cosmetic cleanups.

s_client documentation.

s_server documentation.

SSL_CTX_serverinfo documentation.

Cleanup -1 and NULL callback handling for custom extensions, add tests.

Cleanup ssl_rsa.c serverinfo code.

Whitespace cleanup.

Improve comments in ssl.h for serverinfo.

Whitespace.

Cosmetic cleanup.

Reject non-zero-len serverinfo extensions.

Whitespace.

Make it build.


# a398f821 13-May-2013 Trevor

Add support for arbitrary TLS extensions.

Contributed by Trevor Perrin.


Revision tags: OpenSSL-fips-2_0_3, OpenSSL_1_0_1e, OpenSSL_0_9_8y, OpenSSL_1_0_0k, OpenSSL_1_0_1d, OpenSSL-fips-2_0-pl1, OpenSSL-fips-2_0_2, OpenSSL-fips-2_0_1
# 7a71af86 07-Jun-2012 Ben Laurie

Rearrange and test authz extension.


# a9e1c50b 30-May-2012 Ben Laurie

RFC 5878 support.


Revision tags: OpenSSL_1_0_1c, OpenSSL_1_0_0j, OpenSSL_0_9_8x, OpenSSL_1_0_1b, OpenSSL_0_9_8w, OpenSSL_1_0_1a, OpenSSL_0_9_8v, OpenSSL_1_0_0i, OpenSSL_1_0_1, OpenSSL_1_0_0h, OpenSSL_0_9_8u, OpenSSL_1_0_1-beta3, OpenSSL_1_0_1-beta2, OpenSSL-fips-2_0, OpenSSL_1_0_0g, OpenSSL_0_9_8t
# 8e1dc4d7 16-Jan-2012 Dr. Stephen Henson

Support for fixed DH ciphersuites.

The cipher definitions of these ciphersuites have been around since SSLeay
but were always disabled. Now OpenSSL supports DH certificates they can be
finally enabled.

Various additional changes were needed to make them work properly: many
unused fixed DH sections of code were untested.


Revision tags: OpenSSL_0_9_8s, OpenSSL_1_0_0f, OpenSSL-fips-2_0-rc8, OpenSSL_1_0_1-beta1, OpenSSL-fips-2_0-rc7, OpenSSL-fips-2_0-rc6, OpenSSL-fips-2_0-rc5, OpenSSL-fips-2_0-rc4, OpenSSL-fips-2_0-rc3, OpenSSL-fips-2_0-rc2, OpenSSL-fips-2_0-rc1, OpenSSL-fips-1_2_3, OpenSSL-fips-1_2_2, OpenSSL-fips-1_2_1, OpenSSL_1_0_0e, OpenSSL_1_0_0d, OpenSSL_0_9_8r, OpenSSL_0_9_8q, OpenSSL_1_0_0c, OpenSSL_0_9_8p, OpenSSL_1_0_0b, OpenSSL_0_9_8o, OpenSSL_1_0_0a, OpenSSL_1_0_0, OpenSSL_0_9_8n, OpenSSL_0_9_8m, OpenSSL_0_9_8m-beta1, OpenSSL_1_0_0-beta5, OpenSSL_1_0_0-beta4, OpenSSL_0_9_8l
# 33130b07 12-Sep-2009 Dr. Stephen Henson

PR: 1411
Submitted by: steve@openssl.org

Allow use of trusted certificates in SSL_CTX_use_chain_file()


Revision tags: OpenSSL_1_0_0-beta3, OpenSSL_1_0_0-beta2, OpenSSL_1_0_0-beta1, OpenSSL_0_9_8k, OpenSSL_0_9_8j, OpenSSL_0_9_8i, OpenSSL_0_9_8h
# 17a4a4df 26-May-2008 Lutz Jänicke

Reword comment to be much shorter to stop other people from complaining
about "overcommenting".

