Commit 6434abbf authored by Dr. Stephen Henson's avatar Dr. Stephen Henson

RFC4507 (including RFC4507bis) TLS stateless session resumption support

for OpenSSL.
parent e45c1007
+18 −0
@@ -4,6 +4,24 @@

 Changes between 0.9.8f and 0.9.9  [xx XXX xxxx]

  *) Add RFC4507 support to OpenSSL. This includes the corrections in
     RFC4507bis. The encrypted ticket format is an encrypted encoded
     SSL_SESSION structure, that way new session features are automatically
     supported.

     If a client application caches session in an SSL_SESSION support it
     should automatically be supported because an extension includes the
     ticket in the structure. The SSL_CTX structure automatically generates
     keys for ticket protection in servers so again support should be possible
     with no application modification.

     If a client or server wishes to disable RFC4507 support then the option
     SSL_OP_NO_TICKET can be set.

     Add a TLS extension debugging callback to allow the contents of any client
     or server extensions to be examined.
     [Steve Henson]

  *) Final changes to avoid use of pointer pointer casts in OpenSSL.
     OpenSSL should now compile cleanly on gcc 4.2
     [Peter Hartley <pdh@utter.chaos.org.uk>, Steve Henson]
+3 −0
@@ -167,4 +167,7 @@ long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,
#ifdef HEADER_SSL_H
void MS_CALLBACK apps_ssl_info_callback(const SSL *s, int where, int ret);
void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg);
void MS_CALLBACK tlsext_cb(SSL *s, int client_server, int type,
					unsigned char *data, int len,
					void *arg);
#endif
+59 −0
@@ -592,3 +592,62 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void *
		}
	BIO_flush(bio);
	}

void MS_CALLBACK tlsext_cb(SSL *s, int client_server, int type,
					unsigned char *data, int len,
					void *arg)
	{
	BIO *bio = arg;
	char *extname;

	switch(type)
		{
		case TLSEXT_TYPE_server_name:
		extname = "server name";
		break;

		case TLSEXT_TYPE_max_fragment_length:
		extname = "max fragment length";
		break;

		case TLSEXT_TYPE_client_certificate_url:
		extname = "client certificate URL";
		break;

		case TLSEXT_TYPE_trusted_ca_keys:
		extname = "trusted CA keys";
		break;

		case TLSEXT_TYPE_truncated_hmac:
		extname = "truncated HMAC";
		break;

		case TLSEXT_TYPE_status_request:
		extname = "status request";
		break;

		case TLSEXT_TYPE_elliptic_curves:
		extname = "elliptic curves";
		break;

		case TLSEXT_TYPE_ec_point_formats:
		extname = "EC point formats";
		break;

		case TLSEXT_TYPE_session_ticket:
		extname = "server ticket";
		break;


		default:
		extname = "unknown";
		break;

		}
	
	BIO_printf(bio, "TLS %s extension \"%s\" (id=%d), len=%d\n",
			client_server ? "server": "client",
			extname, type, len);
	BIO_dump(bio, data, len);
	BIO_flush(bio);
	}
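Review bot: The label for `TLSEXT_TYPE_session_ticket` in tlsext_cb is `extname = "server ticket";`, but the extension this commit adds is the RFC4507 SessionTicket extension and the client sends it too, so the dump mislabels it; `extname = "session ticket";` matches the RFC name used for the other cases. `extname` only ever receives string literals and is never written through, so it should be declared `const char *extname;`. `data` is passed straight to `BIO_dump` as an `unsigned char *`; if BIO_dump takes `const char *` like the other BIO text helpers, that draws a pointer-sign warning, and `BIO_dump(bio, (char *)data, len);` keeps the build quiet. The stray second blank line before `default:` can go.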
+64 −0
@@ -194,6 +194,9 @@ static int c_nbio=0;
#endif
static int c_Pause=0;
static int c_debug=0;
#ifndef OPENSSL_NO_TLSEXT
static int c_tlsextdebug=0;
#endif
static int c_msg=0;
static int c_showcerts=0;

@@ -406,6 +409,8 @@ int MAIN(int argc, char **argv)
        tlsextctx tlsextcbp = 
        {NULL,0};
#endif
	char *sess_in = NULL;
	char *sess_out = NULL;
	struct sockaddr peer;
	int peerlen = sizeof(peer);
	int enable_timeouts = 0 ;
@@ -480,6 +485,16 @@ int MAIN(int argc, char **argv)
			if (--argc < 1) goto bad;
			cert_file= *(++argv);
			}
		else if	(strcmp(*argv,"-sess_out") == 0)
			{
			if (--argc < 1) goto bad;
			sess_out = *(++argv);
			}
		else if	(strcmp(*argv,"-sess_in") == 0)
			{
			if (--argc < 1) goto bad;
			sess_in = *(++argv);
			}
		else if	(strcmp(*argv,"-certform") == 0)
			{
			if (--argc < 1) goto bad;
@@ -506,6 +521,10 @@ int MAIN(int argc, char **argv)
			c_Pause=1;
		else if	(strcmp(*argv,"-debug") == 0)
			c_debug=1;
#ifndef OPENSSL_NO_TLSEXT
		else if	(strcmp(*argv,"-tlsextdebug") == 0)
			c_tlsextdebug=1;
#endif
#ifdef WATT32
		else if (strcmp(*argv,"-wdebug") == 0)
			dbug_init();
@@ -604,6 +623,10 @@ int MAIN(int argc, char **argv)
			off|=SSL_OP_NO_SSLv2;
		else if	(strcmp(*argv,"-no_comp") == 0)
			{ off|=SSL_OP_NO_COMPRESSION; }
#ifndef OPENSSL_NO_TLSEXT
		else if	(strcmp(*argv,"-no_ticket") == 0)
			{ off|=SSL_OP_NO_TICKET; }
#endif
		else if (strcmp(*argv,"-serverpref") == 0)
			off|=SSL_OP_CIPHER_SERVER_PREFERENCE;
		else if	(strcmp(*argv,"-cipher") == 0)
@@ -791,6 +814,29 @@ bad:
#endif

	con=SSL_new(ctx);
	if (sess_in)
		{
		SSL_SESSION *sess;
		BIO *stmp = BIO_new_file(sess_in, "r");
		if (!stmp)
			{
			BIO_printf(bio_err, "Can't open session file %s\n",
						sess_in);
			ERR_print_errors(bio_err);
			goto end;
			}
		sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);
		BIO_free(stmp);
		if (!sess)
			{
			BIO_printf(bio_err, "Can't open session file %s\n",
						sess_in);
			ERR_print_errors(bio_err);
			goto end;
			}
		SSL_set_session(con, sess);
		SSL_SESSION_free(sess);
		}
#ifndef OPENSSL_NO_TLSEXT
	if (servername != NULL)
		{
@@ -893,6 +939,13 @@ re_start:
		SSL_set_msg_callback(con, msg_cb);
		SSL_set_msg_callback_arg(con, bio_c_out);
		}
#ifndef OPENSSL_NO_TLSEXT
	if (c_tlsextdebug)
		{
		SSL_set_tlsext_debug_callback(con, tlsext_cb);
		SSL_set_tlsext_debug_arg(con, bio_c_out);
		}
#endif

	SSL_set_bio(con,sbio,sbio);
	SSL_set_connect_state(con);
@@ -1022,6 +1075,17 @@ re_start:
					BIO_printf(bio_c_out,"Server did %sacknowledge servername extension.\n",tlsextcbp.ack?"":"not ");
					}
#endif
				if (sess_out)
					{
					BIO *stmp = BIO_new_file(sess_out, "w");
					if (stmp)
						{
						PEM_write_bio_SSL_SESSION(stmp, SSL_get_session(con));
						BIO_free(stmp);
						}
					else 
						BIO_printf(bio_err, "Error writing session file %s\n", sess_out);
					}
				print_stuff(bio_c_out,con,full_log);
				if (full_log > 0) full_log--;
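Review bot: The failure branch after `PEM_read_bio_SSL_SESSION` in the sess_in block repeats the message `Can't open session file`, but at that point the file was opened and read and it is the decode that failed, so the two errors are indistinguishable to the user; `BIO_printf(bio_err, "Can't read session from file %s\n", sess_in);` tells them apart. In the sess_out hunk the return value of `PEM_write_bio_SSL_SESSION` is discarded before `BIO_free`, so a short or failed write leaves a truncated session file with no diagnostic; checking it and printing the existing `Error writing session file` message on failure would surface that. The file written here holds resumable session state (per the change description the ticket travels inside the SSL_SESSION), so a comment such as `/* holds resumable session state; protect like a key */` at `BIO_new_file(sess_out, "w")` would tell users why its permissions matter. Both blocks sit inside MAIN, whose body extends beyond these hunks.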

+32 −0
@@ -281,6 +281,9 @@ static int www=0;

static BIO *bio_s_out=NULL;
static int s_debug=0;
#ifndef OPENSSL_NO_TLSEXT
static int s_tlsextdebug=0;
#endif
static int s_msg=0;
static int s_quiet=0;

@@ -869,6 +872,10 @@ int MAIN(int argc, char *argv[])
			}
		else if	(strcmp(*argv,"-debug") == 0)
			{ s_debug=1; }
#ifndef OPENSSL_NO_TLSEXT
		else if	(strcmp(*argv,"-tlsextdebug") == 0)
			s_tlsextdebug=1;
#endif
		else if	(strcmp(*argv,"-msg") == 0)
			{ s_msg=1; }
		else if	(strcmp(*argv,"-hack") == 0)
@@ -922,6 +929,10 @@ int MAIN(int argc, char *argv[])
			{ off|=SSL_OP_NO_TLSv1; }
		else if	(strcmp(*argv,"-no_comp") == 0)
			{ off|=SSL_OP_NO_COMPRESSION; }
#ifndef OPENSSL_NO_TLSEXT
		else if	(strcmp(*argv,"-no_ticket") == 0)
			{ off|=SSL_OP_NO_TICKET; }
#endif
#ifndef OPENSSL_NO_SSL2
		else if	(strcmp(*argv,"-ssl2") == 0)
			{ meth=SSLv2_server_method(); }
@@ -1541,6 +1552,13 @@ static int sv_body(char *hostname, int s, unsigned char *context)

	if (con == NULL) {
		con=SSL_new(ctx);
#ifndef OPENSSL_NO_TLSEXT
	if (s_tlsextdebug)
		{
		SSL_set_tlsext_debug_callback(con, tlsext_cb);
		SSL_set_tlsext_debug_arg(con, bio_s_out);
		}
#endif
#ifndef OPENSSL_NO_KRB5
		if ((con->kssl_ctx = kssl_ctx_new()) != NULL)
                        {
@@ -1610,6 +1628,13 @@ static int sv_body(char *hostname, int s, unsigned char *context)
		SSL_set_msg_callback(con, msg_cb);
		SSL_set_msg_callback_arg(con, bio_s_out);
		}
#ifndef OPENSSL_NO_TLSEXT
	if (s_tlsextdebug)
		{
		SSL_set_tlsext_debug_callback(con, tlsext_cb);
		SSL_set_tlsext_debug_arg(con, bio_s_out);
		}
#endif

	width=s+1;
	for (;;)
@@ -1989,6 +2014,13 @@ static int www_body(char *hostname, int s, unsigned char *context)
	if (!BIO_set_write_buffer_size(io,bufsize)) goto err;

	if ((con=SSL_new(ctx)) == NULL) goto err;
#ifndef OPENSSL_NO_TLSEXT
		if (s_tlsextdebug)
			{
			SSL_set_tlsext_debug_callback(con, tlsext_cb);
			SSL_set_tlsext_debug_arg(con, bio_s_out);
			}
#endif
#ifndef OPENSSL_NO_KRB5
	if ((con->kssl_ctx = kssl_ctx_new()) != NULL)
		{
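Review bot: sv_body registers the tlsext debug callback twice on the same connection: once inside the `if (con == NULL)` block right after `con=SSL_new(ctx);` (hunk at old line 1541, indented at one tab although the enclosing block is at two) and again unconditionally after the msg-callback block (hunk at old line 1610), so the second call always runs and the first block is dead duplication whose indentation suggests it landed at the wrong nesting level. Dropping the first block and keeping the one beside `SSL_set_msg_callback_arg` mirrors where s_client installs it. In www_body the equivalent block is indented one level deeper than the `if ((con=SSL_new(ctx)) == NULL) goto err;` it follows, so the three copies disagree on style as well. Both sv_body and www_body continue outside these hunks.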