Commits · 8c3f86898340e09c31aeb8f58b03c28207ef785f · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

30 Dec, 2012 1 commit
- remove unused cipher functionality from s_client · 8c3f8689
  Dr. Stephen Henson authored Dec 30, 2012
  
  8c3f8689
29 Dec, 2012 5 commits
- Update debug-steve* options. · d03cc94f
  Dr. Stephen Henson authored Dec 29, 2012
  
  d03cc94f
- make JPAKE work again, fix memory leaks · 5477ff9b
  Dr. Stephen Henson authored Dec 29, 2012
  
  5477ff9b
- update ordinals · 46b11600
  Dr. Stephen Henson authored Dec 29, 2012
  
  46b11600
- Delegate command line handling for many common options in s_client/s_server to · 15387e4c
  Dr. Stephen Henson authored Dec 29, 2012
```
the SSL_CONF APIs.

This is complicated a little because the SSL_CTX structure is not available
when the command line is processed: so just check syntax of commands initially
and store them, ready to apply later.

(backport from HEAD)
```
  15387e4c
- add SSL_CONF functions and documentation (backport from HEAD) · 49ef33fa
  Dr. Stephen Henson authored Dec 29, 2012
  
  49ef33fa
26 Dec, 2012 34 commits
- Update ordinals. · 11663235
  Dr. Stephen Henson authored Dec 26, 2012
  
  11663235
- Portability fix: use BIO_snprintf and pick up strcasecmp alternative · 29113688
  Dr. Stephen Henson authored Dec 26, 2012
```
definitions from e_os.h
```
  29113688
- typo · 44c97074
  Dr. Stephen Henson authored Dec 26, 2012
  
  44c97074
- SSL/TLS record tracing code (backport from HEAD). · bc200e69
  Dr. Stephen Henson authored Dec 26, 2012
  
  bc200e69
- Reject zero length ec point format list. · a08f8d73
  Dr. Stephen Henson authored Dec 26, 2012
```
Give more meaningful error is attempt made to use incorrect curve.

(from HEAD)
```
  a08f8d73
- handle point format list retrieval for clients too (from HEAD) · b52f12b3
  Dr. Stephen Henson authored Dec 26, 2012
  
  b52f12b3
- Add support for printing out and retrieving EC point formats extension. · 78b5d89d
  Dr. Stephen Henson authored Dec 26, 2012
```
(backport from HEAD)
```
  78b5d89d
- return error if Suite B mode is selected and TLS 1.2 can't be used. · b79df62e
  Dr. Stephen Henson authored Dec 26, 2012
```
(backport from HEAD)
```
  b79df62e
- set auto ecdh parameter selction for Suite B · e3c76874
  Dr. Stephen Henson authored Dec 26, 2012
```
(backport from HEAD)
```
  e3c76874
- add Suite B 128 bit mode offering only combination 2 · 4347394a
  Dr. Stephen Henson authored Dec 26, 2012
```
(backport from HEAD)
```
  4347394a
- Use client version when deciding which cipher suites to disable. · 53bb7238
  Dr. Stephen Henson authored Dec 26, 2012
```
(backport from HEAD)
```
  53bb7238
- Use default point formats extension for server side as well as client · 684a2264
  Dr. Stephen Henson authored Dec 26, 2012
```
side, if possible.

Don't advertise compressed char2 for SuiteB as it is not supported.
(backport from HEAD)
```
  684a2264
- add Suite B verification flags · fde8dc17
  Dr. Stephen Henson authored Dec 26, 2012
  
  fde8dc17
- contify · 3c87a2bd
  Dr. Stephen Henson authored Dec 26, 2012
```
(backport from HEAD)
```
  3c87a2bd
- Add ctrl and utility functions to retrieve raw cipher list sent by client in · 1520e6c0
  Dr. Stephen Henson authored Dec 26, 2012
```
client hello message. Previously this could only be retrieved on an initial
connection and it was impossible to determine the cipher IDs of any uknown
ciphersuites.
(backport from HEAD)
```
  1520e6c0
- new ctrl to retrive value of received temporary key in server key exchange... · 2001129f
  Dr. Stephen Henson authored Dec 26, 2012
```
new ctrl to retrive value of received temporary key in server key exchange message, print out details in s_client
(backport from HEAD)
```
  2001129f
- store and print out message digest peer signed with in TLS 1.2 · a50ecaee
  Dr. Stephen Henson authored Dec 26, 2012
```
(backport from HEAD)
```
  a50ecaee
- perform sanity checks on server certificate type as soon as it is received... · 67d9dcf0
  Dr. Stephen Henson authored Dec 26, 2012
```
perform sanity checks on server certificate type as soon as it is received instead of waiting until server key exchange
(backport from HEAD)
```
  67d9dcf0
- give more meaningful error if presented with wrong certificate type by server · 79dcae32
  Dr. Stephen Henson authored Dec 26, 2012
```
(backport from HEAD)
```
  79dcae32
- Add three Suite B modes to TLS code, supporting RFC6460. · ccf6a19e
  Dr. Stephen Henson authored Dec 26, 2012
```
(backport from HEAD)
```
  ccf6a19e
- Add missing prototype to x509.h · 28fbbe3b
  Dr. Stephen Henson authored Dec 26, 2012
  
  28fbbe3b
- New function X509_chain_up_ref to dup and up the reference count of · 8d2dbe6a
  Dr. Stephen Henson authored Dec 26, 2012
```
a STACK_OF(X509): replace equivalent functionality in several places
by the equivalent call.
(backport from HEAD)
```
  8d2dbe6a
- add suite B chain validation flags and associated verify errors · ba8bdea7
  Dr. Stephen Henson authored Dec 26, 2012
```
(backport from HEAD)
```
  ba8bdea7
- Oops, add missing v3nametest.c · 3d991629
  Dr. Stephen Henson authored Dec 26, 2012
  
  3d991629
- New -valid option to add a certificate to the ca index.txt that is valid and not revoked · 87054c4f
  Dr. Stephen Henson authored Dec 26, 2012
```
(backport from HEAD)
```
  87054c4f
- Make tls1_check_chain return a set of flags indicating checks passed · 6660baee
  Dr. Stephen Henson authored Dec 26, 2012
```
by a certificate chain. Add additional tests to handle client
certificates: checks for matching certificate type and issuer name
comparison.

Print out results of checks for each candidate chain tested in
s_server/s_client.
(backport from HEAD)
```
  6660baee
- Abort handshake if signature algorithm used not supported by peer. · 25d4c925
  Dr. Stephen Henson authored Dec 26, 2012
```
(backport from HEAD)
```
  25d4c925
- check EC tmp key matches preferences · 44adfeb6
  Dr. Stephen Henson authored Dec 26, 2012
```
(backport from HEAD)
```
  44adfeb6
- typo · 5ff2ef79
  Dr. Stephen Henson authored Dec 26, 2012
  
  5ff2ef79
- Add support for certificate stores in CERT structure. This makes it · b762acad
  Dr. Stephen Henson authored Dec 26, 2012
```
possible to have different stores per SSL structure or one store in
the parent SSL_CTX. Include distint stores for certificate chain
verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN
to build and store a certificate chain in CERT structure: returing
an error if the chain cannot be built: this will allow applications
to test if a chain is correctly configured.

Note: if the CERT based stores are not set then the parent SSL_CTX
store is used to retain compatibility with existing behaviour.
(backport from HEAD)
```
  b762acad
- add ssl_locl.h to err header files, rebuild ssl error strings · 7d779eef
  Dr. Stephen Henson authored Dec 26, 2012
```
(backport from HEAD)
```
  7d779eef
- set ciphers to NULL before calling cert_cb · 35b7757f
  Dr. Stephen Henson authored Dec 26, 2012
```
(backport from HEAD)
```
  35b7757f
- stop warning · 23195e4d
  Dr. Stephen Henson authored Dec 26, 2012
```
(backport from HEAD)
```
  23195e4d
- New function ssl_set_client_disabled to set masks for any ciphersuites · b28fbdfa
  Dr. Stephen Henson authored Dec 26, 2012
```
that are disabled for this session (as opposed to always disabled by
configuration).
(backport from HEAD)
```
  b28fbdfa