path: root/ssl/ssl_conf.c

Commit log (each entry: commit message, author, date, files changed, lines removed/added)
* Copyright consolidation 01/10 (Rich Salz, 2016-05-17, 1 file, -53/+5)
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  Reviewed-by: Kurt Roeckx <kurt@openssl.org>

* New SSL test framework (Emilia Kasper, 2016-04-05, 1 file, -2/+2)
  Currently, SSL tests are configured via command-line switches to ssltest.c.
  This results in a lot of duplication between ssltest.c and apps, and a
  complex setup. ssltest.c is also simply old and needs maintenance.

  Instead, we already have a way to configure SSL servers and clients, so we
  leverage that. SSL tests can now be configured from a configuration file.
  Test servers and clients are configured using the standard ssl_conf module.
  Additional test settings are configured via a test configuration.

  Moreover, since the CONF language involves unnecessary boilerplate, the test
  conf itself is generated from a shorter Perl syntax.

  The generated testcase files are checked in to the repo to make it easier to
  verify that the intended test cases are in fact run; and to simplify
  debugging failures.

  To demonstrate the approach, min/max protocol tests are converted to the new
  format.

  This change also fixes MinProtocol and MaxProtocol handling. It was
  previously requested that an SSL_CTX have both the server and client flags
  set for these commands; this clearly can never work.

  Guide to this PR:
  - test/ssl_test.c - test framework
  - test/ssl_test_ctx.* - test configuration structure
  - test/handshake_helper.* - new SSL test handshaking code
  - test/ssl-tests/ - test configurations
  - test/generate_ssl_tests.pl - script for generating CONF-style test
    configurations from perl inputs

  Reviewed-by: Richard Levitte <levitte@openssl.org>

* Remove #error from include files. (Rich Salz, 2016-03-20, 1 file, -3/+1)
  Don't have #error statements in header files, but instead wrap the contents
  of that file in #ifndef OPENSSL_NO_xxx. This means it is now always safe to
  include the header file.
  Reviewed-by: Richard Levitte <levitte@openssl.org>

* Remove outdated DEBUG flags. (Rich Salz, 2016-02-18, 1 file, -6/+0)
  Add -DBIO_DEBUG to --strict-warnings.
  Remove comments about outdated debugging ifdef guards.
  Remove md_rand ifdef guarding an assert; it doesn't seem used.
  Remove the conf guards in conf_api since we use OPENSSL_assert, not assert.
  For pkcs12 stuff put OPENSSL_ in front of the macro name.
  Merge TLS_DEBUG into SSL_DEBUG.
  Various things just turned on/off asserts, mainly for checking non-NULL
  arguments, which is now removed: camellia, bn_ctx, crypto/modes.
  Remove some old debug code, that basically just printed things to stderr:
  DEBUG_PRINT_UNKNOWN_CIPHERSUITES, DEBUG_ZLIB, OPENSSL_RI_DEBUG, RL_DEBUG,
  RSA_DEBUG, SCRYPT_DEBUG.
  Remove OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL.
  Reviewed-by: Richard Levitte <levitte@openssl.org>

* Move to REF_DEBUG, for consistency. (Rich Salz, 2016-02-11, 1 file, -3/+0)
  Add utility macros REF_ASSERT_NOT and REF_PRINT_COUNT
  This is also RT 4181
  Reviewed-by: Richard Levitte <levitte@openssl.org>

* Restore -no_comp switch for backwards compatible behaviour (Viktor Dukhovni, 2016-02-05, 1 file, -1/+3)
  Reviewed-by: Emilia Käsper <emilia@openssl.org>

* RT3234: disable compression (Emilia Kasper, 2016-02-03, 1 file, -2/+2)
  CRIME protection: disable compression by default, even if OpenSSL is
  compiled with zlib enabled. Applications can still enable compression by
  calling SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION), or by using the
  SSL_CONF library to configure compression.

  SSL_CONF continues to work as before:
  SSL_CONF_cmd(ctx, "Options", "Compression") enables compression.
  SSL_CONF_cmd(ctx, "Options", "-Compression") disables compression (now
  no-op by default).

  The command-line switch has changed from -no_comp to -comp.
  Reviewed-by: Rich Salz <rsalz@openssl.org>

* Allow disabling the min and max version (Kurt Roeckx, 2016-01-10, 1 file, -0/+1)
  Reviewed-by: Viktor Dukhovni <openssl-users@dukhovni.org>

* Protocol version selection and negotiation rewrite (Viktor Dukhovni, 2016-01-02, 1 file, -14/+18)
  The protocol selection code is now consolidated in a few consecutive short
  functions in a single file and is table driven. Protocol-specific
  constraints that influence negotiation are moved into the flags field of
  the method structure.

  The same protocol version constraints are now applied in all code paths. It
  is now much easier to add new protocol versions without reworking the
  protocol selection logic.

  In the presence of "holes" in the list of enabled client protocols we no
  longer select client protocols below the hole based on a subset of the
  constraints and then fail shortly after when it is found that these don't
  meet the remaining constraints (suiteb, FIPS, security level, ...).
  Ideally, with the new min/max controls users will be less likely to create
  "holes" in the first place.
  Reviewed-by: Kurt Roeckx <kurt@openssl.org>

* Add support for minimum and maximum protocol version (Kurt Roeckx, 2016-01-02, 1 file, -1/+80)
  Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
* Rename some BUF_xxx to OPENSSL_xxx (Rich Salz, 2015-12-16, 1 file, -2/+2)
  Rename BUF_{strdup,strlcat,strlcpy,memdup,strndup,strnlen} to
  OPENSSL_{strdup,strlcat,strlcpy,memdup,strndup,strnlen}
  Add #define's for the old names.
  Add CRYPTO_{memdup,strndup}, called by OPENSSL_{memdup,strndup} macros.
  Reviewed-by: Tim Hudson <tjh@openssl.org>

* Remove SSL_{CTX_}set_ecdh_auto() and always enable ECDH (Kurt Roeckx, 2015-12-04, 1 file, -41/+16)
  Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

* Standardise our style for checking malloc failures (Matt Caswell, 2015-11-09, 1 file, -2/+2)
  If we have a malloc |x = OPENSSL_malloc(...)| sometimes we check |x| for
  NULL and sometimes we treat it as a boolean |if(!x) ...|. Standardise the
  approach in libssl.
  Reviewed-by: Kurt Roeckx <kurt@openssl.org>

* Remove BIO_s_file_internal macro. (Rich Salz, 2015-10-02, 1 file, -1/+1)
  Reviewed-by: Richard Levitte <levitte@openssl.org>

* remove 0 assignments. (Rich Salz, 2015-09-03, 1 file, -17/+1)
  After openssl_zalloc, cleanup more "set to 0/NULL" assignments. Many are
  from github feedback.
  Reviewed-by: Tim Hudson <tjh@openssl.org>

* free names before context (Dr. Stephen Henson, 2015-07-21, 1 file, -1/+1)
  Reviewed-by: Kurt Roeckx <kurt@openssl.org>

* typo (Dr. Stephen Henson, 2015-07-21, 1 file, -1/+1)
  Reviewed-by: Kurt Roeckx <kurt@openssl.org>

* SSL_CONF additions. (Dr. Stephen Henson, 2015-07-21, 1 file, -12/+144)
  Add support for loading verify and chain stores in SSL_CONF.
  Commands to set verify mode and client CA names.
  Add documentation.
  Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
* Use uint32_t consistently for flags. (Dr. Stephen Henson, 2015-07-18, 1 file, -2/+2)
  Reviewed-by: Rich Salz <rsalz@openssl.org>

* Remove support for OPENSSL_NO_TLSEXT (Matt Caswell, 2015-05-22, 1 file, -4/+0)
  Given the pervasive nature of TLS extensions it is inadvisable to run
  OpenSSL without support for them. It also means that maintaining the
  OPENSSL_NO_TLSEXT option within the code is very invasive (and probably not
  well tested). Therefore it is being removed.
  Reviewed-by: Rich Salz <rsalz@openssl.org>
  Reviewed-by: Richard Levitte <levitte@openssl.org>

* Add SSL_use_certificate_chain_file function (Dr. Stephen Henson, 2015-05-08, 1 file, -1/+1)
  Add SSL_use_certificate_chain_file functions: this works the same way as
  SSL_CTX_use_certificate_chain_file but for an SSL structure.
  Update SSL_CONF code to use the new function.
  Update docs.
  Update ordinals.
  Reviewed-by: Rich Salz <rsalz@openssl.org>

* Use "==0" instead of "!strcmp" etc (Rich Salz, 2015-05-06, 1 file, -4/+4)
  For the various string-compare routines (strcmp, strcasecmp, str.*cmp) use
  "strcmp()==0" instead of "!strcmp()"
  Reviewed-by: Tim Hudson <tjh@openssl.org>

* SSL_CONF table reorganisation. (Dr. Stephen Henson, 2015-05-06, 1 file, -95/+144)
  Add command line switch entries to table and return SSL_CONF_TYPE_NONE for
  them in SSL_CONF_cmd_value_type.
  Update docs.
  Reviewed-by: Rich Salz <rsalz@openssl.org>

* Use safer sizeof variant in malloc (Rich Salz, 2015-05-04, 1 file, -2/+2)
  For a local variable:
      TYPE *p;
  Allocations like this are "risky":
      p = OPENSSL_malloc(sizeof(TYPE));
  if the type of p changes, and the malloc call isn't updated, you could get
  memory corruption. Instead do this:
      p = OPENSSL_malloc(sizeof(*p));
  Also fixed a few memset() calls that I noticed while doing this.
  Reviewed-by: Richard Levitte <levitte@openssl.org>

* Add OSSL_NELEM macro. (Dr. Stephen Henson, 2015-05-03, 1 file, -5/+4)
  Add OSSL_NELEM macro to e_os.h to determine the number of elements in an
  array.
  Reviewed-by: Tim Hudson <tjh@openssl.org>

* free null cleanup finale (Rich Salz, 2015-05-01, 1 file, -8/+4)
  Don't check for NULL before calling OPENSSL_free
  Reviewed-by: Richard Levitte <levitte@openssl.org>

* Big apps cleanup (option-parsing, etc) (Rich Salz, 2015-04-24, 1 file, -0/+2)
  This merges the old "rsalz-monolith" branch over to master. The biggest
  change is that option parsing switch from cascading 'else if
  strcmp("-foo")' to a utility routine and something akin to getopt. Also, an
  error in the command line no longer prints the full summary; use -help (or
  --help :) for that. There have been many other changes and code-cleanup,
  see bullet list below.

  Special thanks to Matt for the long and detailed code review.

  TEMPORARY: For now, comment out CRYPTO_mem_leaks() at end of main

  Tickets closed:
  RT3515: Use 3DES in pkcs12 if built with no-rc2
  RT1766: s_client -reconnect and -starttls broke
  RT2932: Catch write errors
  RT2604: port should be 'unsigned short'
  RT2983: total_bytes undeclared #ifdef RENEG
  RT1523: Add -nocert to fix output in x509 app
  RT3508: Remove unused variable introduced by b09eb24
  RT3511: doc fix; req default serial is random
  RT1325,2973: Add more extensions to c_rehash
  RT2119,3407: Updated to dgst.pod
  RT2379: Additional typo fix
  RT2693: Extra include of string.h
  RT2880: HFS is case-insensitive filenames
  RT3246: req command prints version number wrong

  Other changes; incompatibilities marked with *:
  Add SCSV support
  Add -misalign to speed command
  Make dhparam, dsaparam, ecparam, x509 output C in proper style
  Make some internal ocsp.c functions void
  Only display cert usages with -help in verify
  Use global bio_err, remove "BIO*err" parameter from functions
  For filenames, - always means stdin (or stdout as appropriate)
  Add aliases for -des/aes "wrap" ciphers.
  *Remove support for IISSGC (server gated crypto)
  *The undocumented OCSP -header flag is now "-header name=value"
  *Documented the OCSP -header flag
  Reviewed-by: Matt Caswell <matt@openssl.org>

* free NULL cleanup (Rich Salz, 2015-03-25, 1 file, -2/+1)
  This commit handles BIO_ACCEPT_free BIO_CB_FREE BIO_CONNECT_free BIO_free
  BIO_free_all BIO_vfree
  Reviewed-by: Matt Caswell <matt@openssl.org>

* Support key loading from certificate file (Dr. Stephen Henson, 2015-03-25, 1 file, -2/+45)
  Support loading of key and certificate from the same file if
  SSL_CONF_FLAG_REQUIRE_PRIVATE is set. This is done by remembering the
  filename used for each certificate type and attempting to load a private key
  from the file when SSL_CONF_CTX_finish is called.
  Update docs.
  Reviewed-by: Richard Levitte <levitte@openssl.org>

* free NULL cleanup (Rich Salz, 2015-03-24, 1 file, -2/+1)
  Start ensuring all OpenSSL "free" routines allow NULL, and remove any if
  check before calling them. This gets DH_free, DSA_free, RSA_free
  Reviewed-by: Matt Caswell <matt@openssl.org>
* Merge OPENSSL_NO_EC{DH,DSA} into OPENSSL_NO_EC (Rich Salz, 2015-03-11, 1 file, -2/+2)
  Suggested by John Foley <foleyj@cisco.com>.
  Reviewed-by: Matt Caswell <matt@openssl.org>

* Fix segfault with empty fields as last in the config. (Kurt Roeckx, 2015-01-24, 1 file, -0/+2)
  Reviewed-by: Tim Hudson <tjh@openssl.org>

* Run util/openssl-format-source -v -c . (Matt Caswell, 2015-01-22, 1 file, -558/+524)
  Reviewed-by: Tim Hudson <tjh@openssl.org>

* Allow using -SSLv2 again when setting Protocol in the config. (Kurt Roeckx, 2014-12-15, 1 file, -0/+1)
  RT#3625
  Reviewed-by: Emilia Käsper <emilia@openssl.org>

* Remove SSLv2 support (Kurt Roeckx, 2014-12-04, 1 file, -2/+0)
  The only support for SSLv2 left is receiving a SSLv2 compatible client
  hello.
  Reviewed-by: Richard Levitte <levitte@openssl.org>

* Add -no_resumption_on_reneg to SSL_CONF. (Dr. Stephen Henson, 2014-03-27, 1 file, -0/+2)
  (cherry picked from commit 1f44dac24d1cb752b1a06be9091bb03a88a8598e)

* Add ServerInfoFile to SSL_CONF, update docs. (Dr. Stephen Henson, 2014-01-03, 1 file, -0/+14)

* Delete duplicate entry. (Krzysztof Kwiatkowski, 2013-11-13, 1 file, -1/+0)
  PR#3172

* Add -ecdh_single option. (Dr. Stephen Henson, 2013-11-01, 1 file, -0/+1)
  Add -ecdh_single option to set SSL_OP_SINGLE_ECDH_USE on the command line.
  (cherry picked from commit f14a4a861d2d221ed565a75441a218f85b8db530)

* Fix warning. (Dr. Stephen Henson, 2013-11-01, 1 file, -0/+3)

* Add SSL_CONF command to set DH Parameters. (Dr. Stephen Henson, 2013-10-22, 1 file, -2/+37)

* Fix argument processing. (Dr. Stephen Henson, 2013-10-22, 1 file, -1/+1)

* Constification. (Dr. Stephen Henson, 2013-10-21, 1 file, -5/+5)

* Extend SSL_CONF (Dr. Stephen Henson, 2013-10-20, 1 file, -41/+105)
  Extend SSL_CONF to return command value types.
  Add certificate and key options.
  Update documentation.

* Typo. (Dr. Stephen Henson, 2013-10-20, 1 file, -1/+1)

* Make no-ec compilation work. (Dr. Stephen Henson, 2013-08-17, 1 file, -2/+4)

* really fix automatic ;-) (Dr. Stephen Henson, 2012-12-07, 1 file, -1/+1)

* fix handling of "automatic" in file mode (Dr. Stephen Henson, 2012-12-06, 1 file, -1/+6)

* return error if Suite B mode is selected and TLS 1.2 can't be used. Correct error codes (Dr. Stephen Henson, 2012-12-01, 1 file, -3/+3)

* curves can be set in both client and server (Dr. Stephen Henson, 2012-11-21, 1 file, -2/+0)