summaryrefslogtreecommitdiffstats
path: root/apps/ciphers.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Use minimum and maximum protocol version instead of version fixed methodsKurt Roeckx2016-03-091-12/+14
| | | | | | Reviewed-by: Viktor Dukhovni <viktor@openssl.org> MR: #1824
* Support disabling any or all TLS or DTLS versionsViktor Dukhovni2016-01-191-3/+15
| | | | | | | | | | | | | | | Some users want to disable SSL 3.0/TLS 1.0/TLS 1.1, and enable just TLS 1.2. In the future they might want to disable TLS 1.2 and enable just TLS 1.3, ... This commit makes it possible to disable any or all of the TLS or DTLS protocols. It also considerably simplifies the SSL/TLS tests, by auto-generating the min/max version tests based on the set of supported protocols (425 explicitly written out tests got replaced by two loops that generate all 425 tests if all protocols are enabled, fewer otherwise). Reviewed-by: Richard Levitte <levitte@openssl.org>
* Fix declarations and constification for inline stack.Dr. Stephen Henson2016-01-071-2/+2
| | | | Reviewed-by: Richard Levitte <levitte@openssl.org>
* Fix no-psk compile failureMatt Caswell2015-12-151-0/+2
| | | | Reviewed-by: Tim Hudson <tjh@openssl.org>
* add -psk option to ciphers commandDr. Stephen Henson2015-11-141-0/+24
| | | | Reviewed-by: Matt Caswell <matt@openssl.org>
* add -tls1_2,-tls1_1 options to ciphers commandDr. Stephen Henson2015-11-141-0/+10
| | | | Reviewed-by: Matt Caswell <matt@openssl.org>
* Centralise loading default apps config fileMatt Caswell2015-10-121-3/+0
| | | | | | | | | | | | | | | | | Loading the config file after processing command line options can cause problems, e.g. where an engine provides new ciphers/digests these are not then recoginised on the command line. Move the default config file loading to before the command line option processing. Whilst we're doing this we might as well centralise this instead of doing it individually for each application. Finally if we do it before the OpenSSL_add_ssl_algorithms() call then ciphersuites provided by an engine (e.g. GOST) can be available to the apps. RT#4085 RT#4086 Reviewed-by: Richard Levitte <levitte@openssl.org>
* Standardize handling of #ifdef'd options.Rich Salz2015-06-021-9/+5
| | | | | | | | | | | | | | | | | | Here are the "rules" for handling flags that depend on #ifdef: - Do not ifdef the enum. Only ifdef the OPTIONS table. All ifdef'd entries appear at the end; by convention "engine" is last. This ensures that at run-time, the flag will never be recognized/allowed. The next two bullets entries are for silencing compiler warnings: - In the while/switch parsing statement, use #ifdef for the body to disable it; leave the "case OPT_xxx:" and "break" statements outside the ifdef/ifndef. See ciphers.c for example. - If there are multiple options controlled by a single guard, OPT_FOO, OPT_BAR, etc., put a an #ifdef around the set, and then do "#else" and a series of case labels and a break. See OPENSSL_NO_AES in cms.c for example. Reviewed-by: Matt Caswell <matt@openssl.org>
* Restore module loadingRichard Levitte2015-05-291-0/+3
| | | | | | | The module loading feature got broken a while ago, so restore it, but have it a bit more explicit this time around. Reviewed-by: Stephen Henson <steve@openssl.org>
* Server side version negotiation rewriteMatt Caswell2015-05-161-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | This commit changes the way that we do server side protocol version negotiation. Previously we had a whole set of code that had an "up front" state machine dedicated to the negotiating the protocol version. This adds significant complexity to the state machine. Historically the justification for doing this was the support of SSLv2 which works quite differently to SSLv3+. However, we have now removed support for SSLv2 so there is little reason to maintain this complexity. The one slight difficulty is that, although we no longer support SSLv2, we do still support an SSLv3+ ClientHello in an SSLv2 backward compatible ClientHello format. This is generally only used by legacy clients. This commit adds support within the SSLv3 code for these legacy format ClientHellos. Server side version negotiation now works in much the same was as DTLS, i.e. we introduce the concept of TLS_ANY_VERSION. If s->version is set to that then when a ClientHello is received it will work out the most appropriate version to respond with. Also, SSLv23_method and SSLv23_server_method have been replaced with TLS_method and TLS_server_method respectively. The old SSLv23* names still exist as macros pointing at the new name, although they are deprecated. Subsequent commits will look at client side version negotiation, as well of removal of the old s23* code. Reviewed-by: Kurt Roeckx <kurt@openssl.org>
* free NULL cleanup -- codaRich Salz2015-05-011-1/+1
| | | | | | | | After the finale, the "real" final part. :) Do a recursive grep with "-B1 -w [a-zA-Z0-9_]*_free" to see if any of the preceeding lines are an "if NULL" check that can be removed. Reviewed-by: Tim Hudson <tjh@openssl.org>
* Big apps cleanup (option-parsing, etc)Rich Salz2015-04-241-86/+77
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This is merges the old "rsalz-monolith" branch over to master. The biggest change is that option parsing switch from cascasding 'else if strcmp("-foo")' to a utility routine and somethin akin to getopt. Also, an error in the command line no longer prints the full summary; use -help (or --help :) for that. There have been many other changes and code-cleanup, see bullet list below. Special thanks to Matt for the long and detailed code review. TEMPORARY: For now, comment out CRYPTO_mem_leaks() at end of main Tickets closed: RT3515: Use 3DES in pkcs12 if built with no-rc2 RT1766: s_client -reconnect and -starttls broke RT2932: Catch write errors RT2604: port should be 'unsigned short' RT2983: total_bytes undeclared #ifdef RENEG RT1523: Add -nocert to fix output in x509 app RT3508: Remove unused variable introduced by b09eb24 RT3511: doc fix; req default serial is random RT1325,2973: Add more extensions to c_rehash RT2119,3407: Updated to dgst.pod RT2379: Additional typo fix RT2693: Extra include of string.h RT2880: HFS is case-insensitive filenames RT3246: req command prints version number wrong Other changes; incompatibilities marked with *: Add SCSV support Add -misalign to speed command Make dhparam, dsaparam, ecparam, x509 output C in proper style Make some internal ocsp.c functions void Only display cert usages with -help in verify Use global bio_err, remove "BIO*err" parameter from functions For filenames, - always means stdin (or stdout as appropriate) Add aliases for -des/aes "wrap" ciphers. *Remove support for IISSGC (server gated crypto) *The undocumented OCSP -header flag is now "-header name=value" *Documented the OCSP -header flag Reviewed-by: Matt Caswell <matt@openssl.org>
* free NULL cleanup 10Rich Salz2015-04-111-4/+2
| | | | | | | | | | Avoid checking for NULL before calling free functions. This gets ssl.*free: ssl_sess_cert_free ssl_free ssl_excert_free ssl_cert_free SSL_free SSL_SRP_CTX_free SSL_SESSION_free SSL_CTX_free SSL_CTX_SRP_CTX_free SSL_CONF_CTX_free Reviewed-by: Kurt Roeckx <kurt@openssl.org>
* free NULL cleanupRich Salz2015-03-251-2/+1
| | | | | | | This commit handles BIO_ACCEPT_free BIO_CB_FREE BIO_CONNECT_free BIO_free BIO_free_all BIO_vfree Reviewed-by: Matt Caswell <matt@openssl.org>
* OPENSSL_NO_XXX cleanup: NO_TLS, NO_TLS1Rich Salz2015-01-271-2/+0
| | | | | | TLS and TLS1 are no longer optional. Reviewed-by: Richard Levitte <levitte@openssl.org>
* Run util/openssl-format-source -v -c .Matt Caswell2015-01-221-168/+159
| | | | Reviewed-by: Tim Hudson <tjh@openssl.org>
* Fix source where indent will not be able to copeMatt Caswell2015-01-221-2/+8
| | | | Reviewed-by: Tim Hudson <tjh@openssl.org>
* RT3548: Remove unsupported platformsRich Salz2015-01-121-3/+0
| | | | | | | This last one for this ticket. Removes WIN16. So long, MS_CALLBACK and MS_FAR. We won't miss you. Reviewed-by: Richard Levitte <levitte@openssl.org>
* Remove SSLv2 supportKurt Roeckx2014-12-041-8/+1
| | | | | | The only support for SSLv2 left is receiving a SSLv2 compatible client hello. Reviewed-by: Richard Levitte <levitte@openssl.org>
* Make no-ssl3 no-ssl2 do more sensible things.Dr. Stephen Henson2014-06-291-6/+0
|
* Fix warning.Ben Laurie2014-03-291-1/+1
|
* Allow return of supported ciphers.Dr. Stephen Henson2014-03-281-3/+12
| | | | | | | | | | New function ssl_cipher_disabled. Check for disabled client ciphers using ssl_cipher_disabled. New function to return only supported ciphers. New option to ciphers utility to print only supported ciphers.
* new command line option -stdname to ciphers utilityDr. Stephen Henson2012-11-161-1/+16
|
* Initial "opaque SSL" framework. If an application definesDr. Stephen Henson2011-04-301-1/+1
| | | | | | | | | | OPENSSL_NO_SSL_INTERN all ssl related structures are opaque and internals cannot be directly accessed. Many applications will need some modification to support this and most likely some additional functions added to OpenSSL. The advantage of this option is that any application supporting it will still be binary compatible if SSL structures change.
* Stage 1 GOST ciphersuite support.Dr. Stephen Henson2007-03-231-0/+2
| | | | | Submitted by: ran@cryptocom.ru Reviewed by: steve@openssl.org
* fix stupid typoBodo Möller2005-10-261-1/+1
|
* new option "openssl ciphers -V"Bodo Möller2005-10-011-6/+27
|
* Let the TLSv1_method() etc. functions return a const SSL_METHODNils Larsch2005-08-141-1/+1
| | | | | pointer and make the SSL_METHOD parameter in SSL_CTX_new, SSL_CTX_set_ssl_version and SSL_set_ssl_method const.
* some const fixesNils Larsch2005-04-051-2/+2
|
* EXIT() may mean return(). That's confusing, so let's have it really meanRichard Levitte2002-12-031-1/+1
| | | | | | exit() in whatever way works for the intended platform, and define OPENSSL_EXIT() to have the old meaning (the name is of course because it's only used in the openssl program)
* Security fixes brought forward from 0.9.7.Ben Laurie2002-11-131-1/+1
|
* Use apps_shutdown() in all applications, in case someone decides notRichard Levitte2001-06-231-0/+1
| | | | | | | to go the monolith way (does anyone do that these days?). NOTE: a few applications are missing in this commit. I've a few more changes in them that I haven't tested yet.
* Use new-style system-id macros everywhere possible. I hope I haven'tRichard Levitte2001-02-201-1/+1
| | | | | | | missed any. This compiles and runs on Linux, and external applications have no problems with it. The definite test will be to build this on VMS.
* Make all configuration macros available for application by makingRichard Levitte2001-02-191-7/+7
| | | | | | | | | | | | sure they are available in opensslconf.h, by giving them names starting with "OPENSSL_" to avoid conflicts with other packages and by making sure e_os2.h will cover all platform-specific cases together with opensslconf.h. I've checked fairly well that nothing breaks with this (apart from external software that will adapt if they have used something like NO_KRB5), but I can't guarantee it completely, so a review of this change would be a good thing.
* format stringsUlf Möller2001-02-061-1/+1
|
* On VMS, stdout may very well lead to a file that is written to in aRichard Levitte2000-09-201-1/+7
| | | | | | | | | | | | | | | | | record-oriented fashion. That means that every write() will write a separate record, which will be read separately by the programs trying to read from it. This can be very confusing. The solution is to put a BIO filter in the way that will buffer text until a linefeed is reached, and then write everything a line at a time, so every record written will be an actual line, not chunks of lines and not (usually doesn't happen, but I've seen it once) several lines in one record. Voila, BIO_f_linebuffer() is born. Since we're so close to release time, I'm making this VMS-only for now, just to make sure no code is needlessly broken by this. After the release, this BIO method will be enabled on all other platforms as well.
* In theory, TLS v1 ciphersuites are not the same as SSL v3 ciphersuitesBodo Möller2000-04-071-0/+5
|
* Make gcc 2.95.2 happy again, even under ``-Wall -Wshadow -Wpointer-arith ↵Ralf S. Engelschall2000-02-111-0/+2
| | | | | | -Wcast-align -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -Winline''.
* Rename SSLeay_add_all_algorithms() et al toDr. Stephen Henson2000-02-041-1/+1
| | | | | OpenSSL_add_all_algorithms(). Move these into separate files so they work properly.
* Apply Lutz Behnke's 56 bit cipher patch with a fewDr. Stephen Henson2000-01-221-2/+6
| | | | | | | minor changes. Docs haven't been added at this stage. They are probably best included in the 'ciphers' program docs.
* Add missing #ifndefs that caused missing symbols when building libsslUlf Möller2000-01-161-4/+0
| | | | | | | | as a shared library without RSA. Use #ifndef NO_SSL2 instead of NO_RSA in ssl/s2*.c. Submitted by: Kris Kennaway <kris@hub.freebsd.org> Modified by Ulf Möller
* New Configure option no-<cipher> (rsa, idea, rc5, ...).Ulf Möller1999-04-271-0/+4
|
* Change #include filenames from <foo.h> to <openssl.h>.Bodo Möller1999-04-241-2/+2
| | | | | | Submitted by: Reviewed by: PR:
* Change functions to ANSI C.Ulf Möller1999-04-191-3/+1
|
* Massive constification.Ben Laurie1999-04-171-1/+2
|
* Add type-safe STACKs and SETs.Ben Laurie1999-04-121-3/+3
|
* Import of old SSLeay release: SSLeay 0.9.0bRalf S. Engelschall1998-12-211-2/+2
|
* Import of old SSLeay release: SSLeay 0.8.1bRalf S. Engelschall1998-12-211-0/+191