Loading CHANGES +3 −0 Original line number Diff line number Diff line Loading @@ -4,6 +4,9 @@ Changes between 1.0.1 and 1.1.0 [xx XXX xxxx] *) RFC 5878 support. [Emilia Kasper, Adam Langley, Ben Laurie (Google)] *) Support for automatic EC temporary key parameter selection. If enabled the most preferred EC parameters are automatically used instead of hardcoded fixed parameters. Now a server just has to call: Loading apps/s_apps.h +4 −0 Original line number Diff line number Diff line Loading @@ -156,6 +156,10 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx); int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file); int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key, STACK_OF(X509) *chain); # ifndef OPENSSL_NO_TLSEXT int set_cert_key_and_authz(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key, unsigned char *authz, size_t authz_length); # endif int ssl_print_sigalgs(BIO *out, SSL *s); int ssl_print_curves(BIO *out, SSL *s); #endif Loading apps/s_cb.c +13 −13 Original line number Diff line number Diff line Loading @@ -261,6 +261,7 @@ int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key, ERR_print_errors(bio_err); return 0; } if (SSL_CTX_use_PrivateKey(ctx,key) <= 0) { BIO_printf(bio_err,"error setting private key\n"); Loading @@ -268,7 +269,6 @@ int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key, return 0; } /* Now we know that a key and cert have been set against * the SSL context */ if (!SSL_CTX_check_private_key(ctx)) Loading apps/s_client.c +30 −0 Original line number Diff line number Diff line Loading @@ -202,6 +202,7 @@ static int c_debug=0; #ifndef OPENSSL_NO_TLSEXT static int c_tlsextdebug=0; static int c_status_req=0; static int c_proof_debug=0; #endif static int c_msg=0; static int c_showcerts=0; Loading 
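Review bot: The new prototype `set_cert_key_and_authz(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key, unsigned char *authz, size_t authz_length)` in apps/s_apps.h has no definition in any hunk visible on this page, and the apps/s_server.c section calls `SSL_CTX_use_authz` directly after `set_cert_key_stuff` rather than this helper. If the helper is defined in a part of apps/s_cb.c not shown here, the server should probably go through it so the cert/key/authz binding lives in one place; if it is not defined anywhere, the declaration is dead and should be dropped before it misleads the next caller. A one-line comment above the prototype would also help, e.g. `/* Like set_cert_key_stuff() but also installs an RFC 5878 authz blob on ctx; returns 0 on error. */`, adjusted to whatever the definition actually does.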
@@ -213,6 +214,7 @@ static void sc_usage(void); static void print_stuff(BIO *berr,SSL *con,int full); #ifndef OPENSSL_NO_TLSEXT static int ocsp_resp_cb(SSL *s, void *arg); static int audit_proof_cb(SSL *s, void *arg); #endif static BIO *bio_c_out=NULL; static int c_quiet=0; Loading Loading @@ -357,6 +359,7 @@ static void sc_usage(void) BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n"); BIO_printf(bio_err," -status - request certificate status from server\n"); BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n"); BIO_printf(bio_err," -proof_debug - request an audit proof and print its hex dump\n"); # ifndef OPENSSL_NO_NEXTPROTONEG BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n"); # endif Loading Loading @@ -731,6 +734,8 @@ int MAIN(int argc, char **argv) c_tlsextdebug=1; else if (strcmp(*argv,"-status") == 0) c_status_req=1; else if (strcmp(*argv,"-proof_debug") == 0) c_proof_debug=1; #endif #ifdef WATT32 else if (strcmp(*argv,"-wdebug") == 0) Loading Loading @@ -1212,6 +1217,9 @@ bad: } #endif if (c_proof_debug) SSL_CTX_set_tlsext_authz_server_audit_proof_cb(ctx, audit_proof_cb); #endif con=SSL_new(ctx); Loading Loading @@ -2147,4 +2155,26 @@ static int ocsp_resp_cb(SSL *s, void *arg) return 1; } static int audit_proof_cb(SSL *s, void *arg) { const unsigned char *proof; size_t proof_len; size_t i; SSL_SESSION *sess = SSL_get_session(s); proof = SSL_SESSION_get_tlsext_authz_server_audit_proof(sess, &proof_len); if (proof != NULL) { BIO_printf(bio_c_out, "Audit proof: "); for (i = 0; i < proof_len; ++i) BIO_printf(bio_c_out, "%02X", proof[i]); BIO_printf(bio_c_out, "\n"); } else { BIO_printf(bio_c_out, "No audit proof found.\n"); } return 1; } #endif apps/s_server.c +50 −1 Original line number Diff line number Diff line Loading 
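Review bot: In `audit_proof_cb` the value of `SSL_get_session(s)` is handed to `SSL_SESSION_get_tlsext_authz_server_audit_proof` with no NULL check; whether the accessor tolerates a NULL session is not visible on this page, so a guard such as `if (sess == NULL) { BIO_printf(bio_c_out, "No audit proof found.\n"); return 1; }` before the lookup would make the callback safe regardless. The callback is also registered only behind `-proof_debug` and always returns 1, so it is purely a hex dump and never influences the handshake; a short comment saying so above the definition, e.g. `/* Debug-only: dumps the server's audit proof, never fails the handshake. */`, would stop a reader from assuming it validates anything. The unused `arg` parameter is fine as the callback signature demands it.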
@@ -313,6 +313,12 @@ static long socket_mtu; static int cert_chain = 0; #endif #ifndef OPENSSL_NO_TLSEXT static BIO *authz_in = NULL; static const char *s_authz_file = NULL; static unsigned char *authz = NULL; static size_t authz_length; #endif #ifndef OPENSSL_NO_PSK static char *psk_identity="Client_identity"; Loading Loading @@ -473,6 +479,7 @@ static void sv_usage(void) BIO_printf(bio_err," -Verify arg - turn on peer certificate verification, must have a cert.\n"); BIO_printf(bio_err," -cert arg - certificate file to use\n"); BIO_printf(bio_err," (default is %s)\n",TEST_CERT); BIO_printf(bio_err," -authz arg - binary authz file for certificate\n"); BIO_printf(bio_err," -crl_check - check the peer certificate has not been revoked by its CA.\n" \ " The CRL(s) are appended to the certificate file\n"); BIO_printf(bio_err," -crl_check_all - check the peer certificate has not been revoked by its CA\n" \ Loading Loading @@ -1044,6 +1051,13 @@ int MAIN(int argc, char *argv[]) if (--argc < 1) goto bad; s_cert_file= *(++argv); } #ifndef OPENSSL_NO_TLSEXT else if (strcmp(*argv,"-authz") == 0) { if (--argc < 1) goto bad; s_authz_file = *(++argv); } #endif else if (strcmp(*argv,"-certform") == 0) { if (--argc < 1) goto bad; Loading Loading @@ -1490,7 +1504,34 @@ bad: next_proto.data = NULL; } # endif #endif if (s_authz_file != NULL) { /* Allow authzs up to 64KB bytes. */ static const size_t authz_limit = 65536; authz_in = BIO_new(BIO_s_file_internal()); if (authz_in == NULL) { ERR_print_errors(bio_err); goto end; } if (BIO_read_filename(authz_in, s_authz_file) <= 0) { ERR_print_errors(bio_err); goto end; } authz = OPENSSL_malloc(authz_limit); authz_length = BIO_read(authz_in, authz, authz_limit); if (authz_length == authz_limit || authz_length <= 0) { BIO_printf(bio_err, "authz too large\n"); goto end; } BIO_free(authz_in); authz_in = NULL; } #endif /* OPENSSL_NO_TLSEXT */ } Loading Loading 
@@ -1789,6 +1830,10 @@ bad: if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain)) goto end; #ifndef OPENSSL_NO_TLSEXT if (authz != NULL && !SSL_CTX_use_authz(ctx, authz, authz_length)) goto end; #endif #ifndef OPENSSL_NO_TLSEXT if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2, NULL)) goto end; Loading Loading @@ -1983,6 +2028,10 @@ end: X509_free(s_cert2); if (s_key2) EVP_PKEY_free(s_key2); if (authz != NULL) OPENSSL_free(authz); if (authz_in != NULL) BIO_free(authz_in); #endif if (bio_s_out != NULL) { Loading Loading
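Review bot: In the `-authz` file-reading hunk, `authz_length` is a `size_t` but `BIO_read` returns an `int`; a negative return (read error or retry) is converted to a huge unsigned value, so `authz_length <= 0` never catches it and the bogus length is later passed to `SSL_CTX_use_authz(ctx, authz, authz_length)` in the next hunk. The `OPENSSL_malloc(authz_limit)` result is also used unchecked, and the single `"authz too large\n"` message is printed for an empty file or a failed read as well, which will send the operator looking at the wrong problem. Reading into an `int`, checking failure and size separately, and assigning `authz_length` only on success fixes all three; the same section appears a second time further down this page. The enclosing `MAIN` function begins and ends outside the hunk.
```c
    if (s_authz_file != NULL) {
        /* Allow authzs up to 64KB bytes. */
        static const size_t authz_limit = 65536;
        int n;
        /* … unchanged: BIO_new / BIO_read_filename with their error handling … */
        authz = OPENSSL_malloc(authz_limit);
        if (authz == NULL) {
            BIO_printf(bio_err, "out of memory reading authz\n");
            goto end;
        }
        n = BIO_read(authz_in, authz, authz_limit);
        if (n <= 0) {
            BIO_printf(bio_err, "error reading authz file\n");
            goto end;
        }
        if ((size_t)n == authz_limit) {
            BIO_printf(bio_err, "authz too large\n");
            goto end;
        }
        authz_length = (size_t)n;
        /* … unchanged: BIO_free(authz_in); authz_in = NULL; … */
    }
```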
CHANGES +3 −0 Original line number Diff line number Diff line Loading @@ -4,6 +4,9 @@ Changes between 1.0.1 and 1.1.0 [xx XXX xxxx] *) RFC 5878 support. [Emilia Kasper, Adam Langley, Ben Laurie (Google)] *) Support for automatic EC temporary key parameter selection. If enabled the most preferred EC parameters are automatically used instead of hardcoded fixed parameters. Now a server just has to call: Loading
apps/s_apps.h +4 −0 Original line number Diff line number Diff line Loading @@ -156,6 +156,10 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx); int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file); int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key, STACK_OF(X509) *chain); # ifndef OPENSSL_NO_TLSEXT int set_cert_key_and_authz(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key, unsigned char *authz, size_t authz_length); # endif int ssl_print_sigalgs(BIO *out, SSL *s); int ssl_print_curves(BIO *out, SSL *s); #endif Loading
apps/s_cb.c +13 −13 Original line number Diff line number Diff line Loading @@ -261,6 +261,7 @@ int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key, ERR_print_errors(bio_err); return 0; } if (SSL_CTX_use_PrivateKey(ctx,key) <= 0) { BIO_printf(bio_err,"error setting private key\n"); Loading @@ -268,7 +269,6 @@ int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key, return 0; } /* Now we know that a key and cert have been set against * the SSL context */ if (!SSL_CTX_check_private_key(ctx)) Loading
apps/s_client.c +30 −0 Original line number Diff line number Diff line Loading @@ -202,6 +202,7 @@ static int c_debug=0; #ifndef OPENSSL_NO_TLSEXT static int c_tlsextdebug=0; static int c_status_req=0; static int c_proof_debug=0; #endif static int c_msg=0; static int c_showcerts=0; Loading @@ -213,6 +214,7 @@ static void sc_usage(void); static void print_stuff(BIO *berr,SSL *con,int full); #ifndef OPENSSL_NO_TLSEXT static int ocsp_resp_cb(SSL *s, void *arg); static int audit_proof_cb(SSL *s, void *arg); #endif static BIO *bio_c_out=NULL; static int c_quiet=0; Loading Loading @@ -357,6 +359,7 @@ static void sc_usage(void) BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n"); BIO_printf(bio_err," -status - request certificate status from server\n"); BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n"); BIO_printf(bio_err," -proof_debug - request an audit proof and print its hex dump\n"); # ifndef OPENSSL_NO_NEXTPROTONEG BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n"); # endif Loading Loading @@ -731,6 +734,8 @@ int MAIN(int argc, char **argv) c_tlsextdebug=1; else if (strcmp(*argv,"-status") == 0) c_status_req=1; else if (strcmp(*argv,"-proof_debug") == 0) c_proof_debug=1; #endif #ifdef WATT32 else if (strcmp(*argv,"-wdebug") == 0) Loading Loading @@ -1212,6 +1217,9 @@ bad: } #endif if (c_proof_debug) SSL_CTX_set_tlsext_authz_server_audit_proof_cb(ctx, audit_proof_cb); #endif con=SSL_new(ctx); Loading Loading 
@@ -2147,4 +2155,26 @@ static int ocsp_resp_cb(SSL *s, void *arg) return 1; } static int audit_proof_cb(SSL *s, void *arg) { const unsigned char *proof; size_t proof_len; size_t i; SSL_SESSION *sess = SSL_get_session(s); proof = SSL_SESSION_get_tlsext_authz_server_audit_proof(sess, &proof_len); if (proof != NULL) { BIO_printf(bio_c_out, "Audit proof: "); for (i = 0; i < proof_len; ++i) BIO_printf(bio_c_out, "%02X", proof[i]); BIO_printf(bio_c_out, "\n"); } else { BIO_printf(bio_c_out, "No audit proof found.\n"); } return 1; } #endif
apps/s_server.c +50 −1 Original line number Diff line number Diff line Loading @@ -313,6 +313,12 @@ static long socket_mtu; static int cert_chain = 0; #endif #ifndef OPENSSL_NO_TLSEXT static BIO *authz_in = NULL; static const char *s_authz_file = NULL; static unsigned char *authz = NULL; static size_t authz_length; #endif #ifndef OPENSSL_NO_PSK static char *psk_identity="Client_identity"; Loading Loading @@ -473,6 +479,7 @@ static void sv_usage(void) BIO_printf(bio_err," -Verify arg - turn on peer certificate verification, must have a cert.\n"); BIO_printf(bio_err," -cert arg - certificate file to use\n"); BIO_printf(bio_err," (default is %s)\n",TEST_CERT); BIO_printf(bio_err," -authz arg - binary authz file for certificate\n"); BIO_printf(bio_err," -crl_check - check the peer certificate has not been revoked by its CA.\n" \ " The CRL(s) are appended to the certificate file\n"); BIO_printf(bio_err," -crl_check_all - check the peer certificate has not been revoked by its CA\n" \ Loading Loading @@ -1044,6 +1051,13 @@ int MAIN(int argc, char *argv[]) if (--argc < 1) goto bad; s_cert_file= *(++argv); } #ifndef OPENSSL_NO_TLSEXT else if (strcmp(*argv,"-authz") == 0) { if (--argc < 1) goto bad; s_authz_file = *(++argv); } #endif else if (strcmp(*argv,"-certform") == 0) { if (--argc < 1) goto bad; Loading Loading @@ -1490,7 +1504,34 @@ bad: next_proto.data = NULL; } # endif #endif if (s_authz_file != NULL) { /* Allow authzs up to 64KB bytes. */ static const size_t authz_limit = 65536; authz_in = BIO_new(BIO_s_file_internal()); if (authz_in == NULL) { ERR_print_errors(bio_err); goto end; } if (BIO_read_filename(authz_in, s_authz_file) <= 0) { ERR_print_errors(bio_err); goto end; } authz = OPENSSL_malloc(authz_limit); authz_length = BIO_read(authz_in, authz, authz_limit); if (authz_length == authz_limit || authz_length <= 0) { BIO_printf(bio_err, "authz too large\n"); goto end; } BIO_free(authz_in); authz_in = NULL; } #endif /* OPENSSL_NO_TLSEXT */ } Loading Loading 
@@ -1789,6 +1830,10 @@ bad: if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain)) goto end; #ifndef OPENSSL_NO_TLSEXT if (authz != NULL && !SSL_CTX_use_authz(ctx, authz, authz_length)) goto end; #endif #ifndef OPENSSL_NO_TLSEXT if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2, NULL)) goto end; Loading Loading @@ -1983,6 +2028,10 @@ end: X509_free(s_cert2); if (s_key2) EVP_PKEY_free(s_key2); if (authz != NULL) OPENSSL_free(authz); if (authz_in != NULL) BIO_free(authz_in); #endif if (bio_s_out != NULL) { Loading