The branch master has been updated via ac48fba036e1764dfa98ed0f0aa932491aa1c4ef (commit) via ebfd055b29861b127c9cf4ed76553e109301fc64 (commit) via 51f03f12270cdebf1dff140cc17925991520fb77 (commit) via 495a1e5c3aec4d44558cd86161b8385f1b1b6822 (commit) via d9720a5992315a6936ffba55d2fbbac460fb96a2 (commit) via dc703d6b469f1b186483a55b59013fbaca2228fd (commit) from 65d2c16cbe0da8efed2f285f59930297326fb435 (commit)
- Log ----------------------------------------------------------------- commit ac48fba036e1764dfa98ed0f0aa932491aa1c4ef Author: Antoine Salon <asa...@vmware.com> Date: Tue Nov 6 13:26:49 2018 -0800 Deprecate SSL_set_tmp_ecdh Signed-off-by: Antoine Salon <asa...@vmware.com> Reviewed-by: Paul Dale <paul.d...@oracle.com> Reviewed-by: Matt Caswell <m...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7522) commit ebfd055b29861b127c9cf4ed76553e109301fc64 Author: Antoine Salon <asa...@vmware.com> Date: Thu Nov 1 15:41:16 2018 -0700 Making SRP_user_pwd functions public Signed-off-by: Antoine Salon <asa...@vmware.com> Reviewed-by: Paul Dale <paul.d...@oracle.com> Reviewed-by: Matt Caswell <m...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7522) commit 51f03f12270cdebf1dff140cc17925991520fb77 Author: Antoine Salon <asa...@vmware.com> Date: Thu Nov 1 11:56:55 2018 -0700 Added SRP_VBASE_add0_user() Signed-off-by: Antoine Salon <asa...@vmware.com> Reviewed-by: Paul Dale <paul.d...@oracle.com> Reviewed-by: Matt Caswell <m...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7522) commit 495a1e5c3aec4d44558cd86161b8385f1b1b6822 Author: Antoine Salon <asa...@vmware.com> Date: Thu Oct 25 15:43:35 2018 -0700 SRP module documentation Signed-off-by: Antoine Salon <asa...@vmware.com> Reviewed-by: Paul Dale <paul.d...@oracle.com> Reviewed-by: Matt Caswell <m...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7522) commit d9720a5992315a6936ffba55d2fbbac460fb96a2 Author: Antoine Salon <asa...@vmware.com> Date: Tue Oct 16 16:40:01 2018 -0700 Add SSL_CTX_set_tmp_ecdh.pod Signed-off-by: Antoine Salon <asa...@vmware.com> Reviewed-by: Paul Dale <paul.d...@oracle.com> Reviewed-by: Matt Caswell <m...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7522) commit dc703d6b469f1b186483a55b59013fbaca2228fd Author: Antoine Salon <asa...@vmware.com> Date: Tue Oct 16 09:07:00 2018 -0700 SSL extra chain certificates doc Signed-off-by: Antoine Salon <asa...@vmware.com> Reviewed-by: Paul Dale <paul.d...@oracle.com> Reviewed-by: Matt Caswell <m...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7522) ----------------------------------------------------------------------- Summary of changes: crypto/srp/srp_lib.c | 8 +- crypto/srp/srp_vfy.c | 48 ++++--- doc/man1/srp.pod | 2 +- doc/man3/SRP_VBASE_new.pod | 99 ++++++++++++++ doc/man3/SRP_create_verifier.pod | 110 +++++++++++++++ doc/man3/SRP_user_pwd_new.pod | 70 ++++++++++ doc/man3/SSL_CTX_add_extra_chain_cert.pod | 20 ++- doc/man3/SSL_CTX_set_srp_password.pod | 216 ++++++++++++++++++++++++++++++ doc/man3/SSL_CTX_set_tmp_ecdh.pod | 50 +++++++ doc/man7/ssl.pod | 40 ++++++ include/openssl/srp.h | 6 + include/openssl/ssl.h | 8 +- ssl/s3_lib.c | 8 +- util/libcrypto.num | 5 + util/private.num | 6 + 15 files changed, 665 insertions(+), 31 deletions(-) create mode 100644 doc/man3/SRP_VBASE_new.pod create mode 100644 doc/man3/SRP_create_verifier.pod create mode 100644 doc/man3/SRP_user_pwd_new.pod create mode 100644 doc/man3/SSL_CTX_set_srp_password.pod create mode 100644 doc/man3/SSL_CTX_set_tmp_ecdh.pod diff --git a/crypto/srp/srp_lib.c b/crypto/srp/srp_lib.c index b97d630..a9e244e 100644 --- a/crypto/srp/srp_lib.c +++ b/crypto/srp/srp_lib.c @@ -44,13 +44,13 @@ static BIGNUM *srp_Calc_xy(const BIGNUM *x, const BIGNUM *y, const BIGNUM *N) static BIGNUM *srp_Calc_k(const BIGNUM *N, const BIGNUM *g) { - /* k = SHA1(N | PAD(g)) -- tls-srp draft 8 */ + /* k = SHA1(N | PAD(g)) -- tls-srp RFC 5054 */ return srp_Calc_xy(N, g, N); } BIGNUM *SRP_Calc_u(const BIGNUM *A, const BIGNUM *B, const BIGNUM *N) { - /* k = SHA1(PAD(A) || PAD(B) ) -- tls-srp draft 8 */ + /* u = SHA1(PAD(A) || PAD(B) ) -- tls-srp RFC 5054 */ return srp_Calc_xy(A, B, N); } @@ -254,13 +254,13 @@ static SRP_gN knowngN[] = { /* * Check if G and N are known parameters. The values have been generated - * from the ietf-tls-srp draft version 8 + * from the IETF RFC 5054 */ char *SRP_check_known_gN_param(const BIGNUM *g, const BIGNUM *N) { size_t i; if ((g == NULL) || (N == NULL)) - return 0; + return NULL; for (i = 0; i < KNOWN_GN_NUMBER; i++) { if (BN_cmp(knowngN[i].g, g) == 0 && BN_cmp(knowngN[i].N, N) == 0) diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c index 17b35c0..bfe517b 100644 --- a/crypto/srp/srp_vfy.c +++ b/crypto/srp/srp_vfy.c @@ -184,7 +184,7 @@ void SRP_user_pwd_free(SRP_user_pwd *user_pwd) OPENSSL_free(user_pwd); } -static SRP_user_pwd *SRP_user_pwd_new(void) +SRP_user_pwd *SRP_user_pwd_new(void) { SRP_user_pwd *ret; @@ -201,16 +201,18 @@ static SRP_user_pwd *SRP_user_pwd_new(void) return ret; } -static void SRP_user_pwd_set_gN(SRP_user_pwd *vinfo, const BIGNUM *g, - const BIGNUM *N) +void SRP_user_pwd_set_gN(SRP_user_pwd *vinfo, const BIGNUM *g, + const BIGNUM *N) { vinfo->N = N; vinfo->g = g; } -static int SRP_user_pwd_set_ids(SRP_user_pwd *vinfo, const char *id, - const char *info) +int SRP_user_pwd_set1_ids(SRP_user_pwd *vinfo, const char *id, + const char *info) { + OPENSSL_free(vinfo->id); + OPENSSL_free(vinfo->info); if (id != NULL && NULL == (vinfo->id = OPENSSL_strdup(id))) return 0; return (info == NULL || NULL != (vinfo->info = OPENSSL_strdup(info))); @@ -243,8 +245,10 @@ static int SRP_user_pwd_set_sv(SRP_user_pwd *vinfo, const char *s, return 0; } -static int SRP_user_pwd_set_sv_BN(SRP_user_pwd *vinfo, BIGNUM *s, BIGNUM *v) +int SRP_user_pwd_set0_sv(SRP_user_pwd *vinfo, BIGNUM *s, BIGNUM *v) { + BN_free(vinfo->s); + BN_clear_free(vinfo->v); vinfo->v = v; vinfo->s = s; return (vinfo->s != NULL && vinfo->v != NULL); @@ -260,8 +264,8 @@ static SRP_user_pwd *srp_user_pwd_dup(SRP_user_pwd *src) return NULL; SRP_user_pwd_set_gN(ret, src->g, src->N); - if (!SRP_user_pwd_set_ids(ret, src->id, src->info) - || !SRP_user_pwd_set_sv_BN(ret, BN_dup(src->s), BN_dup(src->v))) { + if (!SRP_user_pwd_set1_ids(ret, src->id, src->info) + || !SRP_user_pwd_set0_sv(ret, BN_dup(src->s), BN_dup(src->v))) { SRP_user_pwd_free(ret); return NULL; } @@ -340,12 +344,13 @@ static SRP_gN *SRP_get_gN_by_id(const char *id, STACK_OF(SRP_gN) *gN_tab) int i; SRP_gN *gN; - if (gN_tab != NULL) + if (gN_tab != NULL) { for (i = 0; i < sk_SRP_gN_num(gN_tab); i++) { gN = sk_SRP_gN_value(gN_tab, i); if (gN && (id == NULL || strcmp(gN->id, id) == 0)) return gN; } + } return SRP_get_default_gN(id); } @@ -374,9 +379,13 @@ static BIGNUM *SRP_gN_place_bn(STACK_OF(SRP_gN_cache) *gN_cache, char *ch) } /* - * this function parses verifier file. Format is: - * string(index):base64(N):base64(g):0 - * string(username):base64(v):base64(salt):int(index) + * This function parses the verifier file generated by the srp app. + * The format for each entry is: + * V base64(verifier) base64(salt) username gNid userinfo(optional) + * or + * I base64(N) base64(g) + * Note that base64 is the SRP variant of base64 encoding described + * in t_fromb64(). */ int SRP_VBASE_init(SRP_VBASE *vb, char *verifier_file) @@ -441,7 +450,7 @@ int SRP_VBASE_init(SRP_VBASE *vb, char *verifier_file) goto err; SRP_user_pwd_set_gN(user_pwd, lgN->g, lgN->N); - if (!SRP_user_pwd_set_ids + if (!SRP_user_pwd_set1_ids (user_pwd, pp[DB_srpid], pp[DB_srpinfo])) goto err; @@ -509,6 +518,13 @@ static SRP_user_pwd *find_user(SRP_VBASE *vb, char *username) return NULL; } +int SRP_VBASE_add0_user(SRP_VBASE *vb, SRP_user_pwd *user_pwd) +{ + if (sk_SRP_user_pwd_push(vb->users_pwd, user_pwd) <= 0) + return 0; + return 1; +} + # if OPENSSL_API_COMPAT < 0x10100000L /* * DEPRECATED: use SRP_VBASE_get1_by_user instead. @@ -550,7 +566,7 @@ SRP_user_pwd *SRP_VBASE_get1_by_user(SRP_VBASE *vb, char *username) SRP_user_pwd_set_gN(user, vb->default_g, vb->default_N); - if (!SRP_user_pwd_set_ids(user, username, NULL)) + if (!SRP_user_pwd_set1_ids(user, username, NULL)) goto err; if (RAND_priv_bytes(digv, SHA_DIGEST_LENGTH) <= 0) @@ -564,7 +580,7 @@ SRP_user_pwd *SRP_VBASE_get1_by_user(SRP_VBASE *vb, char *username) goto err; EVP_MD_CTX_free(ctxt); ctxt = NULL; - if (SRP_user_pwd_set_sv_BN(user, + if (SRP_user_pwd_set0_sv(user, BN_bin2bn(digs, SHA_DIGEST_LENGTH, NULL), BN_bin2bn(digv, SHA_DIGEST_LENGTH, NULL))) return user; @@ -605,7 +621,7 @@ char *SRP_create_verifier(const char *user, const char *pass, char **salt, g_bn = g_bn_alloc; defgNid = "*"; } else { - SRP_gN *gN = SRP_get_gN_by_id(g, NULL); + SRP_gN *gN = SRP_get_default_gN(g); if (gN == NULL) goto err; N_bn = gN->N; diff --git a/doc/man1/srp.pod b/doc/man1/srp.pod index e858a22..4977431 100644 --- a/doc/man1/srp.pod +++ b/doc/man1/srp.pod @@ -25,7 +25,7 @@ B<openssl srp> =head1 DESCRIPTION -The B<srp> command is user to maintain an SRP (secure remote password) +The B<srp> command is used to maintain an SRP (secure remote password) file. At most one of the B<-add>, B<-modify>, B<-delete>, and B<-list> options can be specified. diff --git a/doc/man3/SRP_VBASE_new.pod b/doc/man3/SRP_VBASE_new.pod new file mode 100644 index 0000000..8a0fb6d --- /dev/null +++ b/doc/man3/SRP_VBASE_new.pod @@ -0,0 +1,99 @@ +=pod + +=head1 NAME + +SRP_VBASE_new, +SRP_VBASE_free, +SRP_VBASE_init, +SRP_VBASE_add0_user, +SRP_VBASE_get1_by_user, +SRP_VBASE_get_by_user +- Functions to create and manage a stack of SRP user verifier information + +=head1 SYNOPSIS + + #include <openssl/srp.h> + + SRP_VBASE *SRP_VBASE_new(char *seed_key); + void SRP_VBASE_free(SRP_VBASE *vb); + + int SRP_VBASE_init(SRP_VBASE *vb, char *verifier_file); + + int SRP_VBASE_add0_user(SRP_VBASE *vb, SRP_user_pwd *user_pwd); + SRP_user_pwd *SRP_VBASE_get1_by_user(SRP_VBASE *vb, char *username); + SRP_user_pwd *SRP_VBASE_get_by_user(SRP_VBASE *vb, char *username); + +=head1 DESCRIPTION + +The SRP_VBASE_new() function allocates a structure to store server side SRP +verifier information. +If B<seed_key> is not NULL a copy is stored and used to generate dummy parameters +for users that are not found by SRP_VBASE_get1_by_user(). This allows the server +to hide the fact that it doesn't have a verifier for a particular username, +as described in section 2.5.1.3 'Unknown SRP' of RFC 5054. +The seed string should contain random NUL terminated binary data (therefore +the random data should not contain NUL bytes!). + +The SRP_VBASE_free() function frees up the B<vb> structure. +If B<vb> is NULL, nothing is done. + +The SRP_VBASE_init() function parses the information in a verifier file and +populates the B<vb> structure. +The verifier file is a text file containing multiple entries, whose format is: +flag base64(verifier) base64(salt) username gNid userinfo(optional) +where the flag can be 'V' (valid) or 'R' (revoked). +Note that the base64 encoding used here is non-standard so it is recommended +to use L<srp(1)> to generate this file. + +The SRP_VBASE_add0_user() function adds the B<user_pwd> verifier information +to the B<vb> structure. See L<SRP_user_pwd_new(3)> to create and populate this +record. +The library takes ownership of B<user_pwd>, it should not be freed by the caller. + +The SRP_VBASE_get1_by_user() function returns the password info for the user +whose username matches B<username>. It replaces the deprecated +SRP_VBASE_get_by_user(). +If no matching user is found but a seed_key and default gN parameters have been +set, dummy authentication information is generated from the seed_key, allowing +the server to hide the fact that it doesn't have a verifier for a particular +username. When using SRP as a TLS authentication mechanism, this will cause +the handshake to proceed normally but the first client will be rejected with +a "bad_record_mac" alert, as if the password was incorrect. +If no matching user is found and the seed_key is not set, NULL is returned. +Ownership of the returned pointer is released to the caller, it must be freed +with SRP_user_pwd_free(). + +=head1 RETURN VALUES + +SRP_VBASE_init() returns B<SRP_NO_ERROR> (0) on success and a positive value +on failure. +The error codes are B<SRP_ERR_OPEN_FILE> if the file could not be opened, +B<SRP_ERR_VBASE_INCOMPLETE_FILE> if the file could not be parsed, +B<SRP_ERR_MEMORY> on memory allocation failure and B<SRP_ERR_VBASE_BN_LIB> +for invalid decoded parameter values. + +SRP_VBASE_add0_user() returns 1 on success and 0 on failure. + +=head1 SEE ALSO + +L<srp(1)>, +L<SRP_create_verifier(3)>, +L<SRP_user_pwd_new(3)>, +L<SSL_CTX_set_srp_password(3)> + +=head1 HISTORY + +SRP_VBASE_add0_user() was first added to OpenSSL 1.2.0. + +All other functions were first added to OpenSSL 1.0.1. + +=head1 COPYRIGHT + +Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the OpenSSL license (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L<https://www.openssl.org/source/license.html>. + +=cut diff --git a/doc/man3/SRP_create_verifier.pod b/doc/man3/SRP_create_verifier.pod new file mode 100644 index 0000000..ac7c05b --- /dev/null +++ b/doc/man3/SRP_create_verifier.pod @@ -0,0 +1,110 @@ +=pod + +=head1 NAME + +SRP_create_verifier, +SRP_create_verifier_BN, +SRP_check_known_gN_param, +SRP_get_default_gN +- SRP authentication primitives + +=head1 SYNOPSIS + + #include <openssl/srp.h> + + char *SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt, + BIGNUM **verifier, const BIGNUM *N, const BIGNUM *g); + char *SRP_create_verifier(const char *user, const char *pass, char **salt, + char **verifier, const char *N, const char *g); + + char *SRP_check_known_gN_param(const BIGNUM *g, const BIGNUM *N); + SRP_gN *SRP_get_default_gN(const char *id); + +=head1 DESCRIPTION + +The SRP_create_verifier_BN() function creates an SRP password verifier from +the supplied parameters as defined in section 2.4 of RFC 5054. +On successful exit B<*verifier> will point to a newly allocated BIGNUM containing +the verifier and (if a salt was not provided) B<*salt> will be populated with a +newly allocated BIGNUM containing a random salt. If B<*salt> is not NULL then +the provided salt is used instead. +The caller is responsible for freeing the allocated B<*salt> and B<*verifier> +BIGNUMS (use L<BN_free(3)>). + +The SRP_create_verifier() function is similar to SRP_create_verifier_BN() but +all numeric parameters are in a non-standard base64 encoding originally designed +for compatibility with libsrp. This is mainly present for historical compatibility +and its use is discouraged. +It is possible to pass NULL as B<N> and an SRP group id as B<g> instead to +load the appropriate gN values (see SRP_get_default_gN()). +If both B<N> and B<g> are NULL the 8192-bit SRP group parameters are used. +The caller is responsible for freeing the allocated B<*salt> and B<*verifier> +(use L<OPENSSL_free(3)>). + +The SRP_check_known_gN_param() function checks that B<g> and B<N> are valid +SRP group parameters from RFC 5054 appendix A. + +The SRP_get_default_gN() function returns the gN parameters for the RFC 5054 B<id> +SRP group size. +The known ids are "1024", "1536", "2048", "3072", "4096", "6144" and "8192". + +=head1 RETURN VALUES + +SRP_create_verifier_BN() returns 1 on success and 0 on failure. + +SRP_create_verifier() returns NULL on failure and a non-NULL value on success: +"*" if B<N> is not NULL, the selected group id otherwise. This value should +not be freed. + +SRP_check_known_gN_param() returns the text representation of the group id +(ie. the prime bit size) or NULL if the arguments are not valid SRP group parameters. +This value should not be freed. + +SRP_get_default_gN() returns NULL if B<id> is not a valid group size, +or the 8192-bit group parameters if B<id> is NULL. + +=head1 EXAMPLES + +Generate and store a 8192 bit password verifier (error handling +omitted for clarity): + + #include <openssl/bn.h> + #include <openssl/srp.h> + + const char *username = "username"; + const char *password = "password"; + + SRP_VBASE *srpData = SRP_VBASE_new(NULL); + + SRP_gN *gN = SRP_get_default_gN("8192"); + + BIGNUM *salt = NULL, *verifier = NULL; + SRP_create_verifier_BN(username, password, &salt, &verifier, gN->N, gN->g); + + SRP_user_pwd *pwd = SRP_user_pwd_new(); + SRP_user_pwd_set1_ids(pwd, username, NULL); + SRP_user_pwd_set0_sv(pwd, salt, verifier); + SRP_user_pwd_set_gN(pwd, gN->g, gN->N); + + SRP_VBASE_add0_user(srpData, pwd); + +=head1 SEE ALSO + +L<srp(1)>, +L<SRP_VBASE_new(3)>, +L<SRP_user_pwd_new(3)> + +=head1 HISTORY + +These functions were first added to OpenSSL 1.0.1. + +=head1 COPYRIGHT + +Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the OpenSSL license (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L<https://www.openssl.org/source/license.html>. + +=cut diff --git a/doc/man3/SRP_user_pwd_new.pod b/doc/man3/SRP_user_pwd_new.pod new file mode 100644 index 0000000..4f631a1 --- /dev/null +++ b/doc/man3/SRP_user_pwd_new.pod @@ -0,0 +1,70 @@ +=pod + +=head1 NAME + +SRP_user_pwd_new, +SRP_user_pwd_free, +SRP_user_pwd_set1_ids, +SRP_user_pwd_set_gN, +SRP_user_pwd_set0_sv +- Functions to create a record of SRP user verifier information + +=head1 SYNOPSIS + + #include <openssl/srp.h> + + SRP_user_pwd *SRP_user_pwd_new(void); + void SRP_user_pwd_free(SRP_user_pwd *user_pwd); + + int SRP_user_pwd_set1_ids(SRP_user_pwd *user_pwd, const char *id, const char *info); + void SRP_user_pwd_set_gN(SRP_user_pwd *user_pwd, const BIGNUM *g, const BIGNUM *N); + int SRP_user_pwd_set0_sv(SRP_user_pwd *user_pwd, BIGNUM *s, BIGNUM *v); + +=head1 DESCRIPTION + +The SRP_user_pwd_new() function allocates a structure to store a user verifier +record. + +The SRP_user_pwd_free() function frees up the B<user_pwd> structure. +If B<user_pwd> is NULL, nothing is done. + +The SRP_user_pwd_set1_ids() function sets the username to B<id> and the optional +user info to B<info> for B<user_pwd>. +The library allocates new copies of B<id> and B<info>, the caller still +owns the original memory. + +The SRP_user_pwd_set0_sv() function sets the user salt to B<s> and the verifier +to B<v> for B<user_pwd>. +The library takes ownership of the values, they should not be freed by the caller. + +The SRP_user_pwd_set_gN() function sets the SRP group parameters for B<user_pwd>. +The memory is not freed by SRP_user_pwd_free(), the caller must make sure it is +freed once it is no longer used. + +=head1 RETURN VALUES + +SRP_user_pwd_set1_ids() returns 1 on success and 0 on failure or if B<id> was NULL. + +SRP_user_pwd_set0_sv() returns 1 if both B<s> and B<v> are not NULL, 0 otherwise. + +=head1 SEE ALSO + +L<srp(1)>, +L<SRP_create_verifier(3)>, +L<SRP_VBASE_new(3)>, +L<SSL_CTX_set_srp_password(3)> + +=head1 HISTORY + +These functions were made public in OpenSSL 1.2.0. + +=head1 COPYRIGHT + +Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the OpenSSL license (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L<https://www.openssl.org/source/license.html>. + +=cut diff --git a/doc/man3/SSL_CTX_add_extra_chain_cert.pod b/doc/man3/SSL_CTX_add_extra_chain_cert.pod index 05d17f8..b8f11b3 100644 --- a/doc/man3/SSL_CTX_add_extra_chain_cert.pod +++ b/doc/man3/SSL_CTX_add_extra_chain_cert.pod @@ -2,14 +2,19 @@ =head1 NAME -SSL_CTX_add_extra_chain_cert, SSL_CTX_clear_extra_chain_certs - add or clear -extra chain certificates +SSL_CTX_add_extra_chain_cert, +SSL_CTX_get_extra_chain_certs, +SSL_CTX_get_extra_chain_certs_only, +SSL_CTX_clear_extra_chain_certs +- add, get or clear extra chain certificates =head1 SYNOPSIS #include <openssl/ssl.h> long SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *x509); + long SSL_CTX_get_extra_chain_certs(SSL_CTX *ctx, STACK_OF(X509) **sk); + long SSL_CTX_get_extra_chain_certs_only(SSL_CTX *ctx, STACK_OF(X509) **sk); long SSL_CTX_clear_extra_chain_certs(SSL_CTX *ctx); =head1 DESCRIPTION @@ -18,6 +23,15 @@ SSL_CTX_add_extra_chain_cert() adds the certificate B<x509> to the extra chain certificates associated with B<ctx>. Several certificates can be added one after another. +SSL_CTX_get_extra_chain_certs() retrieves the extra chain certificates +associated with B<ctx>, or the chain associated with the current certificate +of B<ctx> if the extra chain is empty. +The returned stack should not be freed by the caller. + +SSL_CTX_get_extra_chain_certs_only() retrieves the extra chain certificates +associated with B<ctx>. +The returned stack should not be freed by the caller. + SSL_CTX_clear_extra_chain_certs() clears all extra chain certificates associated with B<ctx>. @@ -70,7 +84,7 @@ L<SSL_build_cert_chain(3)> =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_CTX_set_srp_password.pod b/doc/man3/SSL_CTX_set_srp_password.pod new file mode 100644 index 0000000..6f33230 --- /dev/null +++ b/doc/man3/SSL_CTX_set_srp_password.pod @@ -0,0 +1,216 @@ +=pod + +=head1 NAME + +SSL_CTX_set_srp_username, +SSL_CTX_set_srp_password, +SSL_CTX_set_srp_strength, +SSL_CTX_set_srp_cb_arg, +SSL_CTX_set_srp_username_callback, +SSL_CTX_set_srp_client_pwd_callback, +SSL_CTX_set_srp_verify_param_callback, +SSL_set_srp_server_param, +SSL_set_srp_server_param_pw, +SSL_get_srp_g, +SSL_get_srp_N, +SSL_get_srp_username, +SSL_get_srp_userinfo +- SRP control operations + +=head1 SYNOPSIS + + #include <openssl/ssl.h> + + int SSL_CTX_set_srp_username(SSL_CTX *ctx, char *name); + int SSL_CTX_set_srp_password(SSL_CTX *ctx, char *password); + int SSL_CTX_set_srp_strength(SSL_CTX *ctx, int strength); + int SSL_CTX_set_srp_cb_arg(SSL_CTX *ctx, void *arg); + int SSL_CTX_set_srp_username_callback(SSL_CTX *ctx, + int (*cb) (SSL *s, int *ad, void *arg)); + int SSL_CTX_set_srp_client_pwd_callback(SSL_CTX *ctx, + char *(*cb) (SSL *s, void *arg)); + int SSL_CTX_set_srp_verify_param_callback(SSL_CTX *ctx, + int (*cb) (SSL *s, void *arg)); + + int SSL_set_srp_server_param(SSL *s, const BIGNUM *N, const BIGNUM *g, + BIGNUM *sa, BIGNUM *v, char *info); + int SSL_set_srp_server_param_pw(SSL *s, const char *user, const char *pass, + const char *grp); + + BIGNUM *SSL_get_srp_g(SSL *s); + BIGNUM *SSL_get_srp_N(SSL *s); + + char *SSL_get_srp_username(SSL *s); + char *SSL_get_srp_userinfo(SSL *s); + +=head1 DESCRIPTION + +These functions provide access to SRP (Secure Remote Password) parameters, +an alternate authentication mechanism for TLS. SRP allows the use of user names +and passwords over unencrypted channels without revealing the password to an +eavesdropper. SRP also supplies a shared secret at the end of the authentication +sequence that can be used to generate encryption keys. + +The SRP protocol, version 3 is specified in RFC 2945. SRP version 6 is described +in RFC 5054 with applications to TLS authentication. + +The SSL_CTX_set_srp_username() function sets the SRP username for B<ctx>. This +should be called on the client prior to creating a connection to the server. +The length of B<name> must be shorter or equal to 255 characters. + +The SSL_CTX_set_srp_password() function sets the SRP password for B<ctx>. This +may be called on the client prior to creating a connection to the server. +This overrides the effect of SSL_CTX_set_srp_client_pwd_callback(). + +The SSL_CTX_set_srp_strength() function sets the SRP strength for B<ctx>. This +is the minimal length of the SRP prime in bits. If not specified 1024 is used. +If not satisfied by the server key exchange the connection will be rejected. + +The SSL_CTX_set_srp_cb_arg() function sets an extra parameter that will +be passed to all following callbacks as B<arg>. + +The SSL_CTX_set_srp_username_callback() function sets the server side callback +that is invoked when an SRP username is found in a ClientHello. +The callback parameters are the SSL connection B<s>, a writable error flag B<ad> +and the extra argument B<arg> set by SSL_CTX_set_srp_cb_arg(). +This callback should setup the server for the key exchange by calling +SSL_set_srp_server_param() with the appropriate parameters for the received +username. The username can be obtained by calling SSL_get_srp_username(). +See L<SRP_VBASE_init(3)> to parse the verifier file created by L<srp(1)> or +L<SRP_create_verifier(3)> to generate it. +The callback should return B<SSL_ERROR_NONE> to proceed with the server key exchange, +B<SSL3_AL_FATAL> for a fatal error or any value < 0 for a retryable error. +In the event of a B<SSL3_AL_FATAL> the alert flag given by B<*al> will be sent +back. By default this will be B<SSL_AD_UNKOWN_PSK_IDENTITY>. + +The SSL_CTX_set_srp_client_pwd_callback() function sets the client password +callback on the client. +The callback parameters are the SSL connection B<s> and the extra argument B<arg> +set by SSL_CTX_set_srp_cb_arg(). +The callback will be called as part of the generation of the client secrets. +It should return the client password in text form or NULL to abort the connection. +The resulting memory will be freed by the library as part of the callback resolution. +This overrides the effect of SSL_CTX_set_srp_password(). + +The SSL_CTX_set_srp_verify_param_callback() sets the SRP gN parameter verification +callback on the client. This allows the client to perform custom verification when +receiving the server SRP proposed parameters. +The callback parameters are the SSL connection B<s> and the extra argument B<arg> +set by SSL_CTX_set_srp_cb_arg(). +The callback should return a positive value to accept the server parameters. +Returning 0 or a negative value will abort the connection. The server parameters +can be obtained by calling SSL_get_srp_N() and SSL_get_srp_g(). +Sanity checks are already performed by the library after the handshake +(B % N non zero, check against the strength parameter) and are not necessary. +If no callback is set the g and N parameters will be checked against +known RFC 5054 values. + +The SSL_set_srp_server_param() function sets all SRP parameters for +the connection B<s>. B<N> and B<g> are the SRP group parameters, B<sa> is the +user salt, B<v> the password verifier and B<info> is the optional user info. + +The SSL_set_srp_server_param_pw() function sets all SRP parameters for the +connection B<s> by generating a random salt and a password verifier. +B<user> is the username, B<pass> the password and B<grp> the SRP group paramters +identifier for L<SRP_get_default_gN(3)>. + +The SSL_get_srp_g() function returns the SRP group generator for B<s>, or from +the underlying SSL_CTX if it is NULL. + +The SSL_get_srp_N() function returns the SRP prime for B<s>, or from +the underlying SSL_CTX if it is NULL. + +The SSL_get_srp_username() function returns the SRP username for B<s>, or from +the underlying SSL_CTX if it is NULL. + +The SSL_get_srp_userinfo() function returns the SRP user info for B<s>, or from +the underlying SSL_CTX if it is NULL. + +=head1 RETURN VALUES + +All SSL_CTX_set_* functions return 1 on success and 0 on failure. + +SSL_set_srp_server_param() returns 1 on success and -1 on failure. + +The SSL_get_SRP_* functions return a pointer to the requested data, the memory +is owned by the library and should not be freed by the caller. + +=head1 EXAMPLES + +Setup SRP parameters on the client: + + #include <openssl/ssl.h> + + const char *username = "username"; + const char *password = "password"; + + SSL_CTX *ctx = SSL_CTX_new(TLS_client_method()); + if (!ctx) + /* Error */ + if (!SSL_CTX_set_srp_username(ctx, username)) + /* Error */ + if (!SSL_CTX_set_srp_password(ctx, password)) + /* Error */ + +Setup SRP server with verifier file: + + #include <openssl/srp.h> + #include <openssl/ssl.h> + + const char *srpvfile = "password.srpv"; + + int srpServerCallback(SSL *s, int *ad, void *arg) + { + SRP_VBASE *srpData = (SRP_VBASE*) arg; + char *username = SSL_get_srp_username(s); + + SRP_user_pwd *user_pwd = SRP_VBASE_get1_by_user(srpData, username); + if (!user_pwd) + /* Error */ + return SSL3_AL_FATAL; + + if (SSL_set_srp_server_param(s, user_pwd->N, user_pwd->g, + user_pwd->s, user_pwd->v, user_pwd->info) < 0) + /* Error */ + + SRP_user_pwd_free(user_pwd); + return SSL_ERROR_NONE; + } + + SSL_CTX *ctx = SSL_CTX_new(TLS_server_method()); + if (!ctx) + /* Error */ + + /* + * seedKey should contain a NUL terminated sequence + * of random non NUL bytes + */ + const char *seedKey; + + SRP_VBASE *srpData = SRP_VBASE_new(seedKey); + if (SRP_VBASE_init(srpData, (char*) srpvfile) != SRP_NO_ERROR) + /* Error */ + + SSL_CTX_set_srp_cb_arg(ctx, srpData); + SSL_CTX_set_srp_username_callback(ctx, srpServerCallback); + +=head1 SEE ALSO + +L<srp(1)>, +L<SRP_VBASE_new(3)>, +L<SRP_create_verifier(3)> + +=head1 HISTORY + +These functions were first added to OpenSSL 1.0.1. + +=head1 COPYRIGHT + +Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the OpenSSL license (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L<https://www.openssl.org/source/license.html>. + +=cut diff --git a/doc/man3/SSL_CTX_set_tmp_ecdh.pod b/doc/man3/SSL_CTX_set_tmp_ecdh.pod new file mode 100644 index 0000000..398fcbf --- /dev/null +++ b/doc/man3/SSL_CTX_set_tmp_ecdh.pod @@ -0,0 +1,50 @@ +=pod + +=head1 NAME + +SSL_CTX_set_tmp_ecdh, SSL_set_tmp_ecdh, SSL_CTX_set_ecdh_auto, SSL_set_ecdh_auto +- handle ECDH keys for ephemeral key exchange + +=head1 SYNOPSIS + +#include <openssl/ssl.h> + +long SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, const EC_KEY *ecdh); +long SSL_set_tmp_ecdh(SSL *ssl, const EC_KEY *ecdh); + +long SSL_CTX_set_ecdh_auto(SSL_CTX *ctx, int state); +long SSL_set_ecdh_auto(SSL *ssl, int state); + +=head1 DESCRIPTION + +SSL_CTX_set_tmp_ecdh() sets ECDH parameters to be used to be B<ecdh>. +The key is inherited by all B<ssl> objects created from B<ctx>. +This macro is deprecated in favor of L<SSL_CTX_set1_groups(3)>. + +SSL_set_tmp_ecdh() sets the parameters only for B<ssl>. +This macro is deprecated in favor of L<SSL_set1_groups(3)>. + +SSL_CTX_set_ecdh_auto() and SSL_set_ecdh_auto() are deprecated and +have no effect. + +=head1 RETURN VALUES + +SSL_CTX_set_tmp_ecdh() and SSL_set_tmp_ecdh() return 1 on success and 0 +on failure. + +=head1 SEE ALSO + +L<ssl(7)>, L<SSL_CTX_set1_curves(3)>, L<SSL_CTX_set_cipher_list(3)>, +L<SSL_CTX_set_options(3)>, L<SSL_CTX_set_tmp_dh_callback(3)>, +L<ciphers(1)>, L<ecparam(1)> + +=head1 COPYRIGHT + +Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the OpenSSL license (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L<https://www.openssl.org/source/license.html>. + +=cut diff --git a/doc/man7/ssl.pod b/doc/man7/ssl.pod index d439860..60b1834 100644 --- a/doc/man7/ssl.pod +++ b/doc/man7/ssl.pod @@ -254,6 +254,10 @@ protocol context defined in the B<SSL_CTX> structure. =item int B<SSL_CTX_get_ex_new_index>(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void)) +=item long B<SSL_CTX_get_extra_chain_certs>(SSL_CTX *ctx, STACK_OF(X509) **sk); + +=item long B<SSL_CTX_get_extra_chain_certs_only>(SSL_CTX *ctx, STACK_OF(X509) **sk); + =item void (*B<SSL_CTX_get_info_callback>(SSL_CTX *ctx))(SSL *ssl, int cb, int ret); =item int B<SSL_CTX_get_quiet_shutdown>(const SSL_CTX *ctx); @@ -371,6 +375,20 @@ Use the file path to locate trusted CA certificates. =item void B<SSL_CTX_set_session_cache_mode>(SSL_CTX *ctx, int mode); +=item int B<SSL_CTX_set_srp_cb_arg>(SSL_CTX *ctx, void *arg); + +=item int B<SSL_CTX_set_srp_client_pwd_callback>(SSL_CTX *ctx, char *(*cb)(SSL *ssl, void *arg)); + +=item int B<SSL_CTX_set_srp_password>(SSL_CTX *ctx, char *password); + +=item int B<SSL_CTX_set_srp_strength>(SSL_CTX *ctx, int strength); + +=item int B<SSL_CTX_set_srp_username>(SSL_CTX *ctx, char *name); + +=item int B<SSL_CTX_set_srp_username_callback>(SSL_CTX *ctx, int (*cb)(SSL *ssl, int *ad, void *arg)); + +=item int B<SSL_CTX_set_srp_verify_param_callback>(SSL_CTX *ctx, int (*cb)(SSL *ssl, void *arg)); + =item int B<SSL_CTX_set_ssl_version>(SSL_CTX *ctx, const SSL_METHOD *meth); =item void B<SSL_CTX_set_timeout>(SSL_CTX *ctx, long t); @@ -379,6 +397,8 @@ Use the file path to locate trusted CA certificates. =item long B<SSL_CTX_set_tmp_dh_callback>(SSL_CTX *ctx, DH *(*cb)(void)); +=item long B<SSL_CTX_set_tmp_ecdh>(SSL_CTX* ctx, const EC_KEY *ecdh); + =item void B<SSL_CTX_set_verify>(SSL_CTX *ctx, int mode, int (*cb);(void)) =item int B<SSL_CTX_use_PrivateKey>(SSL_CTX *ctx, EVP_PKEY *pkey); @@ -576,6 +596,14 @@ fresh handle for each connection. =item int B<SSL_get_shutdown>(const SSL *ssl); +=item BIGNUM *B<SSL_get_srp_g>(SSL *ssl); + +=item BIGNUM *B<SSL_get_srp_N>(SSL *ssl); + +=item char *B<SSL_get_srp_userinfo>(SSL *ssl); + +=item char *B<SSL_get_srp_username>(SSL *ssl); + =item const SSL_METHOD *B<SSL_get_ssl_method>(SSL *ssl); =item int B<SSL_get_state>(const SSL *ssl); @@ -668,12 +696,22 @@ fresh handle for each connection. =item void B<SSL_set_shutdown>(SSL *ssl, int mode); +=item int B<SSL_set_srp_server_param>(SSL *ssl, const BIGNUM *N, const BIGNUM *g, BIGNUM *sa, BIGNUM *v, char *info); + +=item int B<SSL_set_srp_server_param_pw>(SSL *ssl, const char *user, const char *pass, const char *grp); + =item int B<SSL_set_ssl_method>(SSL *ssl, const SSL_METHOD *meth); =item void B<SSL_set_time>(SSL *ssl, long t); =item void B<SSL_set_timeout>(SSL *ssl, long t); +=item long B<SSL_set_tmp_dh>(SSL *ssl, DH *dh); + +=item long B<SSL_set_tmp_dh_callback>(SSL *ssl, DH *(*cb)(void)); + +=item long B<SSL_set_tmp_ecdh>(SSL *ssl, const EC_KEY *ecdh); + =item void B<SSL_set_verify>(SSL *ssl, int mode, int (*callback);(void)) =item void B<SSL_set_verify_result>(SSL *ssl, long arg); @@ -778,9 +816,11 @@ L<SSL_CTX_set_read_ahead(3)>, L<SSL_CTX_set_security_level(3)>, L<SSL_CTX_set_session_cache_mode(3)>, L<SSL_CTX_set_session_id_context(3)>, +L<SSL_CTX_set_srp_password(3)>, L<SSL_CTX_set_ssl_version(3)>, L<SSL_CTX_set_timeout(3)>, L<SSL_CTX_set_tmp_dh_callback(3)>, +L<SSL_CTX_set_tmp_ecdh(3)>, L<SSL_CTX_set_verify(3)>, L<SSL_CTX_use_certificate(3)>, L<SSL_alert_type_string(3)>, diff --git a/include/openssl/srp.h b/include/openssl/srp.h index aaf1355..86fe6f4 100644 --- a/include/openssl/srp.h +++ b/include/openssl/srp.h @@ -47,8 +47,13 @@ typedef struct SRP_user_pwd_st { char *info; } SRP_user_pwd; +SRP_user_pwd *SRP_user_pwd_new(void); void SRP_user_pwd_free(SRP_user_pwd *user_pwd); +void SRP_user_pwd_set_gN(SRP_user_pwd *user_pwd, const BIGNUM *g, const BIGNUM *N); +int SRP_user_pwd_set1_ids(SRP_user_pwd *user_pwd, const char *id, const char *info); +int SRP_user_pwd_set0_sv(SRP_user_pwd *user_pwd, BIGNUM *s, BIGNUM *v); + DEFINE_STACK_OF(SRP_user_pwd) typedef struct SRP_VBASE_st { @@ -75,6 +80,7 @@ SRP_VBASE *SRP_VBASE_new(char *seed_key); void SRP_VBASE_free(SRP_VBASE *vb); int SRP_VBASE_init(SRP_VBASE *vb, char *verifier_file); +int SRP_VBASE_add0_user(SRP_VBASE *vb, SRP_user_pwd *user_pwd); /* This method ignores the configured seed and fails for an unknown user. */ DEPRECATEDIN_1_1_0(SRP_user_pwd *SRP_VBASE_get_by_user(SRP_VBASE *vb, char *username)) /* NOTE: unlike in SRP_VBASE_get_by_user, caller owns the returned pointer.*/ diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index cceb2d4..1e9e8d5 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -1307,16 +1307,18 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) SSL_ctrl((ssl),SSL_CTRL_GET_TOTAL_RENEGOTIATIONS,0,NULL) # define SSL_CTX_set_tmp_dh(ctx,dh) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_DH,0,(char *)(dh)) -# define SSL_CTX_set_tmp_ecdh(ctx,ecdh) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_ECDH,0,(char *)(ecdh)) # define SSL_CTX_set_dh_auto(ctx, onoff) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_DH_AUTO,onoff,NULL) # define SSL_set_dh_auto(s, onoff) \ SSL_ctrl(s,SSL_CTRL_SET_DH_AUTO,onoff,NULL) # define SSL_set_tmp_dh(ssl,dh) \ SSL_ctrl(ssl,SSL_CTRL_SET_TMP_DH,0,(char *)(dh)) -# define SSL_set_tmp_ecdh(ssl,ecdh) \ +# if OPENSSL_API_COMPAT < 0x10200000L +# define SSL_CTX_set_tmp_ecdh(ctx,ecdh) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_ECDH,0,(char *)(ecdh)) +# define SSL_set_tmp_ecdh(ssl,ecdh) \ SSL_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH,0,(char *)(ecdh)) +# endif # define SSL_CTX_add_extra_chain_cert(ctx,x509) \ SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)(x509)) # define SSL_CTX_get_extra_chain_certs(ctx,px509) \ diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 866ca4d..4b9906f 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3414,7 +3414,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) EVP_PKEY *pkdh = NULL; if (dh == NULL) { SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER); - return ret; + return 0; } pkdh = ssl_dh_to_pkey(dh); if (pkdh == NULL) { @@ -3425,11 +3425,11 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) EVP_PKEY_security_bits(pkdh), 0, pkdh)) { SSLerr(SSL_F_SSL3_CTRL, SSL_R_DH_KEY_TOO_SMALL); EVP_PKEY_free(pkdh); - return ret; + return 0; } EVP_PKEY_free(s->cert->dh_tmp); s->cert->dh_tmp = pkdh; - ret = 1; + return 1; } break; case SSL_CTRL_SET_TMP_DH_CB: @@ -3781,7 +3781,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) EVP_PKEY_security_bits(pkdh), 0, pkdh)) { SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_DH_KEY_TOO_SMALL); EVP_PKEY_free(pkdh); - return 1; + return 0; } EVP_PKEY_free(ctx->cert->dh_tmp); ctx->cert->dh_tmp = pkdh; diff --git a/util/libcrypto.num b/util/libcrypto.num index c6de172..f7d6cb5 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -4598,3 +4598,8 @@ EVP_MAC_do_all_sorted 4551 1_1_2 EXIST::FUNCTION: EVP_str2ctrl 4552 1_1_2 EXIST::FUNCTION: EVP_hex2ctrl 4553 1_1_2 EXIST::FUNCTION: EVP_PKEY_supports_digest_nid 4554 1_1_2 EXIST::FUNCTION: +SRP_VBASE_add0_user 4555 1_1_2 EXIST::FUNCTION:SRP +SRP_user_pwd_new 4556 1_1_2 EXIST::FUNCTION:SRP +SRP_user_pwd_set_gN 4557 1_1_2 EXIST::FUNCTION:SRP +SRP_user_pwd_set1_ids 4558 1_1_2 EXIST::FUNCTION:SRP +SRP_user_pwd_set0_sv 4559 1_1_2 EXIST::FUNCTION:SRP diff --git a/util/private.num b/util/private.num index c5f3431..d6724ed 100644 --- a/util/private.num +++ b/util/private.num @@ -324,6 +324,8 @@ SSL_CTX_disable_ct define SSL_CTX_generate_session_ticket_fn define SSL_CTX_get0_chain_certs define SSL_CTX_get_default_read_ahead define +SSL_CTX_get_extra_chain_certs define +SSL_CTX_get_extra_chain_certs_only define SSL_CTX_get_max_cert_list define SSL_CTX_get_max_proto_version define SSL_CTX_get_min_proto_version define @@ -363,6 +365,7 @@ SSL_CTX_set1_sigalgs define SSL_CTX_set1_sigalgs_list define SSL_CTX_set1_verify_cert_store define SSL_CTX_set_current_cert define +SSL_CTX_set_ecdh_auto define SSL_CTX_set_max_cert_list define SSL_CTX_set_max_pipelines define SSL_CTX_set_max_proto_version define @@ -380,6 +383,7 @@ SSL_CTX_set_tlsext_status_cb define SSL_CTX_set_tlsext_status_type define SSL_CTX_set_tlsext_ticket_key_cb define SSL_CTX_set_tmp_dh define +SSL_CTX_set_tmp_ecdh define SSL_add0_chain_cert define SSL_add1_chain_cert define SSL_build_cert_chain define @@ -431,6 +435,7 @@ SSL_set1_sigalgs define SSL_set1_sigalgs_list define SSL_set1_verify_cert_store define SSL_set_current_cert define +SSL_set_ecdh_auto define SSL_set_max_cert_list define SSL_set_max_pipelines define SSL_set_max_proto_version define @@ -446,6 +451,7 @@ SSL_set_tlsext_host_name define SSL_set_tlsext_status_ocsp_resp define SSL_set_tlsext_status_type define SSL_set_tmp_dh define +SSL_set_tmp_ecdh define SSL_want_async define SSL_want_async_job define SSL_want_client_hello_cb define _____ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits