Loading CHANGES +3 −0 Original line number Original line Diff line number Diff line Loading @@ -4,6 +4,9 @@ Changes between 1.0.1 and 1.1.0 [xx XXX xxxx] Changes between 1.0.1 and 1.1.0 [xx XXX xxxx] *) RFC 5878 support. [Emilia Kasper, Adam Langley, Ben Laurie (Google)] *) Support for automatic EC temporary key parameter selection. If enabled *) Support for automatic EC temporary key parameter selection. If enabled the most preferred EC parameters are automatically used instead of the most preferred EC parameters are automatically used instead of hardcoded fixed parameters. Now a server just has to call: hardcoded fixed parameters. Now a server just has to call: Loading apps/s_apps.h +4 −0 Original line number Original line Diff line number Diff line Loading @@ -156,6 +156,10 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx); int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file); int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file); int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key, int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key, STACK_OF(X509) *chain); STACK_OF(X509) *chain); # ifndef OPENSSL_NO_TLSEXT int set_cert_key_and_authz(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key, unsigned char *authz, size_t authz_length); # endif int ssl_print_sigalgs(BIO *out, SSL *s); int ssl_print_sigalgs(BIO *out, SSL *s); int ssl_print_curves(BIO *out, SSL *s); int ssl_print_curves(BIO *out, SSL *s); #endif #endif Loading apps/s_cb.c +13 −13 Original line number Original line Diff line number Diff line Loading @@ -261,6 +261,7 @@ int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key, ERR_print_errors(bio_err); ERR_print_errors(bio_err); return 0; return 0; } } if (SSL_CTX_use_PrivateKey(ctx,key) <= 0) if (SSL_CTX_use_PrivateKey(ctx,key) <= 0) { { BIO_printf(bio_err,"error setting private key\n"); BIO_printf(bio_err,"error setting private key\n"); Loading 
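Review bot: The new prototype `set_cert_key_and_authz(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key, unsigned char *authz, size_t authz_length)` is declared in apps/s_apps.h, but the only caller this commit adds (apps/s_server.c) calls `SSL_CTX_use_authz` directly after `set_cert_key_stuff`, and the visible apps/s_cb.c hunks contain only a moved blank line, not a definition of the new helper. If the definition is elsewhere in the +13 −13 of s_cb.c, s_server.c should call it so the cert/key/authz binding and its error reporting live in one place; if it is not, the declaration is dead and should be dropped. Either way the header would benefit from a one-line comment on the prototype stating that `authz` is the raw RFC 5878 encoding and is not owned by the context after the call, or that it is, whichever the implementation does.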
@@ -268,7 +269,6 @@ int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key, return 0; return 0; } } /* Now we know that a key and cert have been set against /* Now we know that a key and cert have been set against * the SSL context */ * the SSL context */ if (!SSL_CTX_check_private_key(ctx)) if (!SSL_CTX_check_private_key(ctx)) Loading apps/s_client.c +30 −0 Original line number Original line Diff line number Diff line Loading @@ -202,6 +202,7 @@ static int c_debug=0; #ifndef OPENSSL_NO_TLSEXT #ifndef OPENSSL_NO_TLSEXT static int c_tlsextdebug=0; static int c_tlsextdebug=0; static int c_status_req=0; static int c_status_req=0; static int c_proof_debug=0; #endif #endif static int c_msg=0; static int c_msg=0; static int c_showcerts=0; static int c_showcerts=0; Loading @@ -213,6 +214,7 @@ static void sc_usage(void); static void print_stuff(BIO *berr,SSL *con,int full); static void print_stuff(BIO *berr,SSL *con,int full); #ifndef OPENSSL_NO_TLSEXT #ifndef OPENSSL_NO_TLSEXT static int ocsp_resp_cb(SSL *s, void *arg); static int ocsp_resp_cb(SSL *s, void *arg); static int audit_proof_cb(SSL *s, void *arg); #endif #endif static BIO *bio_c_out=NULL; static BIO *bio_c_out=NULL; static int c_quiet=0; static int c_quiet=0; Loading Loading 
@@ -357,6 +359,7 @@ static void sc_usage(void) BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n"); BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n"); BIO_printf(bio_err," -status - request certificate status from server\n"); BIO_printf(bio_err," -status - request certificate status from server\n"); BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n"); BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n"); BIO_printf(bio_err," -proof_debug - request an audit proof and print its hex dump\n"); # ifndef OPENSSL_NO_NEXTPROTONEG # ifndef OPENSSL_NO_NEXTPROTONEG BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n"); BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n"); # endif # endif Loading Loading @@ -731,6 +734,8 @@ int MAIN(int argc, char **argv) c_tlsextdebug=1; c_tlsextdebug=1; else if (strcmp(*argv,"-status") == 0) else if (strcmp(*argv,"-status") == 0) c_status_req=1; c_status_req=1; else if (strcmp(*argv,"-proof_debug") == 0) c_proof_debug=1; #endif #endif #ifdef WATT32 #ifdef WATT32 else if (strcmp(*argv,"-wdebug") == 0) else if (strcmp(*argv,"-wdebug") == 0) Loading Loading @@ -1212,6 +1217,9 @@ bad: } } #endif #endif if (c_proof_debug) SSL_CTX_set_tlsext_authz_server_audit_proof_cb(ctx, audit_proof_cb); #endif #endif con=SSL_new(ctx); con=SSL_new(ctx); Loading Loading 
@@ -2147,4 +2155,26 @@ static int ocsp_resp_cb(SSL *s, void *arg) return 1; return 1; } } static int audit_proof_cb(SSL *s, void *arg) { const unsigned char *proof; size_t proof_len; size_t i; SSL_SESSION *sess = SSL_get_session(s); proof = SSL_SESSION_get_tlsext_authz_server_audit_proof(sess, &proof_len); if (proof != NULL) { BIO_printf(bio_c_out, "Audit proof: "); for (i = 0; i < proof_len; ++i) BIO_printf(bio_c_out, "%02X", proof[i]); BIO_printf(bio_c_out, "\n"); } else { BIO_printf(bio_c_out, "No audit proof found.\n"); } return 1; } #endif #endif apps/s_server.c +50 −1 Original line number Original line Diff line number Diff line Loading @@ -313,6 +313,12 @@ static long socket_mtu; static int cert_chain = 0; static int cert_chain = 0; #endif #endif #ifndef OPENSSL_NO_TLSEXT static BIO *authz_in = NULL; static const char *s_authz_file = NULL; static unsigned char *authz = NULL; static size_t authz_length; #endif #ifndef OPENSSL_NO_PSK #ifndef OPENSSL_NO_PSK static char *psk_identity="Client_identity"; static char *psk_identity="Client_identity"; Loading Loading 
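Review bot: `audit_proof_cb` passes the result of `SSL_get_session(s)` straight into `SSL_SESSION_get_tlsext_authz_server_audit_proof` without checking it; `SSL_get_session` returns NULL when no session is available, and unless the getter is documented to tolerate a NULL session (not visible here) this is a null dereference inside a callback invoked by the library. Add a guard before the getter: `if (sess == NULL) { BIO_printf(bio_c_out, "No session available.\n"); return 1; }`. The callback is debug output only, so returning 1 on every path is presumably intended and worth a comment such as `/* Debug hook: never fails the handshake. */`. The unused `arg` parameter is fine for a callback signature but could be marked as such with a cast to void.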
@@ -473,6 +479,7 @@ static void sv_usage(void) BIO_printf(bio_err," -Verify arg - turn on peer certificate verification, must have a cert.\n"); BIO_printf(bio_err," -Verify arg - turn on peer certificate verification, must have a cert.\n"); BIO_printf(bio_err," -cert arg - certificate file to use\n"); BIO_printf(bio_err," -cert arg - certificate file to use\n"); BIO_printf(bio_err," (default is %s)\n",TEST_CERT); BIO_printf(bio_err," (default is %s)\n",TEST_CERT); BIO_printf(bio_err," -authz arg - binary authz file for certificate\n"); BIO_printf(bio_err," -crl_check - check the peer certificate has not been revoked by its CA.\n" \ BIO_printf(bio_err," -crl_check - check the peer certificate has not been revoked by its CA.\n" \ " The CRL(s) are appended to the certificate file\n"); " The CRL(s) are appended to the certificate file\n"); BIO_printf(bio_err," -crl_check_all - check the peer certificate has not been revoked by its CA\n" \ BIO_printf(bio_err," -crl_check_all - check the peer certificate has not been revoked by its CA\n" \ Loading Loading @@ -1044,6 +1051,13 @@ int MAIN(int argc, char *argv[]) if (--argc < 1) goto bad; if (--argc < 1) goto bad; s_cert_file= *(++argv); s_cert_file= *(++argv); } } #ifndef OPENSSL_NO_TLSEXT else if (strcmp(*argv,"-authz") == 0) { if (--argc < 1) goto bad; s_authz_file = *(++argv); } #endif else if (strcmp(*argv,"-certform") == 0) else if (strcmp(*argv,"-certform") == 0) { { if (--argc < 1) goto bad; if (--argc < 1) goto bad; Loading Loading 
@@ -1490,7 +1504,34 @@ bad: next_proto.data = NULL; next_proto.data = NULL; } } # endif # endif #endif if (s_authz_file != NULL) { /* Allow authzs up to 64KB bytes. */ static const size_t authz_limit = 65536; authz_in = BIO_new(BIO_s_file_internal()); if (authz_in == NULL) { ERR_print_errors(bio_err); goto end; } if (BIO_read_filename(authz_in, s_authz_file) <= 0) { ERR_print_errors(bio_err); goto end; } authz = OPENSSL_malloc(authz_limit); authz_length = BIO_read(authz_in, authz, authz_limit); if (authz_length == authz_limit || authz_length <= 0) { BIO_printf(bio_err, "authz too large\n"); goto end; } BIO_free(authz_in); authz_in = NULL; } #endif /* OPENSSL_NO_TLSEXT */ } } Loading Loading @@ -1789,6 +1830,10 @@ bad: if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain)) if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain)) goto end; goto end; #ifndef OPENSSL_NO_TLSEXT if (authz != NULL && !SSL_CTX_use_authz(ctx, authz, authz_length)) goto end; #endif #ifndef OPENSSL_NO_TLSEXT #ifndef OPENSSL_NO_TLSEXT if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2, NULL)) if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2, NULL)) goto end; goto end; Loading Loading @@ -1983,6 +2028,10 @@ end: X509_free(s_cert2); X509_free(s_cert2); if (s_key2) if (s_key2) EVP_PKEY_free(s_key2); EVP_PKEY_free(s_key2); if (authz != NULL) OPENSSL_free(authz); if (authz_in != NULL) BIO_free(authz_in); #endif #endif if (bio_s_out != NULL) if (bio_s_out != NULL) { { Loading Loading
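Review bot: In the `-authz` file loading block of MAIN (whose body starts and ends outside the hunk), `authz_length` is a `size_t` but `BIO_read` returns an `int`; a negative return (read error, or -2 for a BIO that does not support read) converts to a huge unsigned value, so `authz_length <= 0` is only ever true for zero, the error path is skipped, and the bogus length is later handed to `SSL_CTX_use_authz(ctx, authz, authz_length)`. The `OPENSSL_malloc(authz_limit)` result is also written to by `BIO_read` without a NULL check, and a zero-length or failed read is reported with the misleading message "authz too large". Read into an `int` first, check it, and only then assign the length, as below.
```c
		static const size_t authz_limit = 65536;
		int n;
		/* … unchanged: BIO_new / BIO_read_filename and their error paths … */
		authz = OPENSSL_malloc(authz_limit);
		if (authz == NULL)
			{
			BIO_printf(bio_err, "out of memory\n");
			goto end;
			}
		n = BIO_read(authz_in, authz, authz_limit);
		if (n <= 0)
			{
			BIO_printf(bio_err, "error reading authz file\n");
			goto end;
			}
		/* A read that fills the whole buffer means the file may be larger. */
		if ((size_t)n == authz_limit)
			{
			BIO_printf(bio_err, "authz too large\n");
			goto end;
			}
		authz_length = (size_t)n;
		/* … unchanged: BIO_free(authz_in); authz_in = NULL; … */
```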
CHANGES +3 −0 Original line number Original line Diff line number Diff line Loading @@ -4,6 +4,9 @@ Changes between 1.0.1 and 1.1.0 [xx XXX xxxx] Changes between 1.0.1 and 1.1.0 [xx XXX xxxx] *) RFC 5878 support. [Emilia Kasper, Adam Langley, Ben Laurie (Google)] *) Support for automatic EC temporary key parameter selection. If enabled *) Support for automatic EC temporary key parameter selection. If enabled the most preferred EC parameters are automatically used instead of the most preferred EC parameters are automatically used instead of hardcoded fixed parameters. Now a server just has to call: hardcoded fixed parameters. Now a server just has to call: Loading
apps/s_apps.h +4 −0 Original line number Original line Diff line number Diff line Loading @@ -156,6 +156,10 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx); int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file); int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file); int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key, int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key, STACK_OF(X509) *chain); STACK_OF(X509) *chain); # ifndef OPENSSL_NO_TLSEXT int set_cert_key_and_authz(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key, unsigned char *authz, size_t authz_length); # endif int ssl_print_sigalgs(BIO *out, SSL *s); int ssl_print_sigalgs(BIO *out, SSL *s); int ssl_print_curves(BIO *out, SSL *s); int ssl_print_curves(BIO *out, SSL *s); #endif #endif Loading
apps/s_cb.c +13 −13 Original line number Original line Diff line number Diff line Loading @@ -261,6 +261,7 @@ int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key, ERR_print_errors(bio_err); ERR_print_errors(bio_err); return 0; return 0; } } if (SSL_CTX_use_PrivateKey(ctx,key) <= 0) if (SSL_CTX_use_PrivateKey(ctx,key) <= 0) { { BIO_printf(bio_err,"error setting private key\n"); BIO_printf(bio_err,"error setting private key\n"); Loading @@ -268,7 +269,6 @@ int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key, return 0; return 0; } } /* Now we know that a key and cert have been set against /* Now we know that a key and cert have been set against * the SSL context */ * the SSL context */ if (!SSL_CTX_check_private_key(ctx)) if (!SSL_CTX_check_private_key(ctx)) Loading
apps/s_client.c +30 −0 Original line number Original line Diff line number Diff line Loading @@ -202,6 +202,7 @@ static int c_debug=0; #ifndef OPENSSL_NO_TLSEXT #ifndef OPENSSL_NO_TLSEXT static int c_tlsextdebug=0; static int c_tlsextdebug=0; static int c_status_req=0; static int c_status_req=0; static int c_proof_debug=0; #endif #endif static int c_msg=0; static int c_msg=0; static int c_showcerts=0; static int c_showcerts=0; Loading @@ -213,6 +214,7 @@ static void sc_usage(void); static void print_stuff(BIO *berr,SSL *con,int full); static void print_stuff(BIO *berr,SSL *con,int full); #ifndef OPENSSL_NO_TLSEXT #ifndef OPENSSL_NO_TLSEXT static int ocsp_resp_cb(SSL *s, void *arg); static int ocsp_resp_cb(SSL *s, void *arg); static int audit_proof_cb(SSL *s, void *arg); #endif #endif static BIO *bio_c_out=NULL; static BIO *bio_c_out=NULL; static int c_quiet=0; static int c_quiet=0; Loading Loading @@ -357,6 +359,7 @@ static void sc_usage(void) BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n"); BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n"); BIO_printf(bio_err," -status - request certificate status from server\n"); BIO_printf(bio_err," -status - request certificate status from server\n"); BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n"); BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n"); BIO_printf(bio_err," -proof_debug - request an audit proof and print its hex dump\n"); # ifndef OPENSSL_NO_NEXTPROTONEG # ifndef OPENSSL_NO_NEXTPROTONEG BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n"); BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n"); # endif # endif Loading Loading 
@@ -731,6 +734,8 @@ int MAIN(int argc, char **argv) c_tlsextdebug=1; c_tlsextdebug=1; else if (strcmp(*argv,"-status") == 0) else if (strcmp(*argv,"-status") == 0) c_status_req=1; c_status_req=1; else if (strcmp(*argv,"-proof_debug") == 0) c_proof_debug=1; #endif #endif #ifdef WATT32 #ifdef WATT32 else if (strcmp(*argv,"-wdebug") == 0) else if (strcmp(*argv,"-wdebug") == 0) Loading Loading @@ -1212,6 +1217,9 @@ bad: } } #endif #endif if (c_proof_debug) SSL_CTX_set_tlsext_authz_server_audit_proof_cb(ctx, audit_proof_cb); #endif #endif con=SSL_new(ctx); con=SSL_new(ctx); Loading Loading @@ -2147,4 +2155,26 @@ static int ocsp_resp_cb(SSL *s, void *arg) return 1; return 1; } } static int audit_proof_cb(SSL *s, void *arg) { const unsigned char *proof; size_t proof_len; size_t i; SSL_SESSION *sess = SSL_get_session(s); proof = SSL_SESSION_get_tlsext_authz_server_audit_proof(sess, &proof_len); if (proof != NULL) { BIO_printf(bio_c_out, "Audit proof: "); for (i = 0; i < proof_len; ++i) BIO_printf(bio_c_out, "%02X", proof[i]); BIO_printf(bio_c_out, "\n"); } else { BIO_printf(bio_c_out, "No audit proof found.\n"); } return 1; } #endif #endif
apps/s_server.c +50 −1 Original line number Original line Diff line number Diff line Loading @@ -313,6 +313,12 @@ static long socket_mtu; static int cert_chain = 0; static int cert_chain = 0; #endif #endif #ifndef OPENSSL_NO_TLSEXT static BIO *authz_in = NULL; static const char *s_authz_file = NULL; static unsigned char *authz = NULL; static size_t authz_length; #endif #ifndef OPENSSL_NO_PSK #ifndef OPENSSL_NO_PSK static char *psk_identity="Client_identity"; static char *psk_identity="Client_identity"; Loading Loading @@ -473,6 +479,7 @@ static void sv_usage(void) BIO_printf(bio_err," -Verify arg - turn on peer certificate verification, must have a cert.\n"); BIO_printf(bio_err," -Verify arg - turn on peer certificate verification, must have a cert.\n"); BIO_printf(bio_err," -cert arg - certificate file to use\n"); BIO_printf(bio_err," -cert arg - certificate file to use\n"); BIO_printf(bio_err," (default is %s)\n",TEST_CERT); BIO_printf(bio_err," (default is %s)\n",TEST_CERT); BIO_printf(bio_err," -authz arg - binary authz file for certificate\n"); BIO_printf(bio_err," -crl_check - check the peer certificate has not been revoked by its CA.\n" \ BIO_printf(bio_err," -crl_check - check the peer certificate has not been revoked by its CA.\n" \ " The CRL(s) are appended to the certificate file\n"); " The CRL(s) are appended to the certificate file\n"); BIO_printf(bio_err," -crl_check_all - check the peer certificate has not been revoked by its CA\n" \ BIO_printf(bio_err," -crl_check_all - check the peer certificate has not been revoked by its CA\n" \ Loading Loading 
@@ -1044,6 +1051,13 @@ int MAIN(int argc, char *argv[]) if (--argc < 1) goto bad; if (--argc < 1) goto bad; s_cert_file= *(++argv); s_cert_file= *(++argv); } } #ifndef OPENSSL_NO_TLSEXT else if (strcmp(*argv,"-authz") == 0) { if (--argc < 1) goto bad; s_authz_file = *(++argv); } #endif else if (strcmp(*argv,"-certform") == 0) else if (strcmp(*argv,"-certform") == 0) { { if (--argc < 1) goto bad; if (--argc < 1) goto bad; Loading Loading @@ -1490,7 +1504,34 @@ bad: next_proto.data = NULL; next_proto.data = NULL; } } # endif # endif #endif if (s_authz_file != NULL) { /* Allow authzs up to 64KB bytes. */ static const size_t authz_limit = 65536; authz_in = BIO_new(BIO_s_file_internal()); if (authz_in == NULL) { ERR_print_errors(bio_err); goto end; } if (BIO_read_filename(authz_in, s_authz_file) <= 0) { ERR_print_errors(bio_err); goto end; } authz = OPENSSL_malloc(authz_limit); authz_length = BIO_read(authz_in, authz, authz_limit); if (authz_length == authz_limit || authz_length <= 0) { BIO_printf(bio_err, "authz too large\n"); goto end; } BIO_free(authz_in); authz_in = NULL; } #endif /* OPENSSL_NO_TLSEXT */ } } Loading Loading @@ -1789,6 +1830,10 @@ bad: if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain)) if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain)) goto end; goto end; #ifndef OPENSSL_NO_TLSEXT if (authz != NULL && !SSL_CTX_use_authz(ctx, authz, authz_length)) goto end; #endif #ifndef OPENSSL_NO_TLSEXT #ifndef OPENSSL_NO_TLSEXT if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2, NULL)) if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2, NULL)) goto end; goto end; Loading Loading @@ -1983,6 +2028,10 @@ end: X509_free(s_cert2); X509_free(s_cert2); if (s_key2) if (s_key2) EVP_PKEY_free(s_key2); EVP_PKEY_free(s_key2); if (authz != NULL) OPENSSL_free(authz); if (authz_in != NULL) BIO_free(authz_in); #endif #endif if (bio_s_out != NULL) if (bio_s_out != NULL) { { Loading