date:20151227

[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2015-12-27 Thread Matt Caswell

The branch OpenSSL_1_0_1-stable has been updated
   via  968bccee468dc8edee4388fe661f761c5179aa70 (commit)
   via  604f67f52109383f6aefc7c5bf2befaf7182eb98 (commit)
   via  a7316aace3871b637b8099a2efe30af38f988ad4 (commit)
  from  1967199f9f8ed3faf376ddbb077f41551541f08a (commit)


- Log -
commit 968bccee468dc8edee4388fe661f761c5179aa70
Author: Matt Caswell 
Date:   Mon Nov 30 16:04:51 2015 +

Add some documentation for the OCSP callback functions

Describe the usage of the OCSP callback functions on both the client and
the server side.

Reviewed-by: Viktor Dukhovni 
(cherry picked from commit c52c3b5e11253afabaa62739a8ee1c4c4bddcd53)

commit 604f67f52109383f6aefc7c5bf2befaf7182eb98
Author: Matt Caswell 
Date:   Mon Nov 30 13:29:41 2015 +

Ensure we don't call the OCSP callback if resuming a session

It makes no sense to call the OCSP status callback if we are resuming a
session because no certificates will be sent.

Reviewed-by: Viktor Dukhovni 
(cherry picked from commit 0ac6239955965f58f9dddb4229e8cd58e0dba20d)

commit a7316aace3871b637b8099a2efe30af38f988ad4
Author: Matt Caswell 
Date:   Thu Nov 5 14:52:27 2015 +

Fix error when server does not send CertificateStatus message

If a server sends the status_request extension then it may choose
to send the CertificateStatus message. However this is optional.
We were treating it as mandatory and the connection was failing.

Thanks to BoringSSL for reporting this issue.

RT#4120

Reviewed-by: Viktor Dukhovni 
(cherry picked from commit 905943af3b43116b64ae815db1a6b9c2f15e0356)

---

Summary of changes:
 doc/ssl/SSL_CTX_set_tlsext_status_cb.pod | 73 
 ssl/s3_clnt.c| 61 ++
 ssl/t1_lib.c | 14 +++---
 3 files changed, 113 insertions(+), 35 deletions(-)
 create mode 100644 doc/ssl/SSL_CTX_set_tlsext_status_cb.pod

diff --git a/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod 
b/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod
new file mode 100644
index 000..b8147ba
--- /dev/null
+++ b/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod
@@ -0,0 +1,73 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_set_tlsext_status_cb, SSL_CTX_set_tlsext_status_arg,
+SSL_set_tlsext_status_type, SSL_get_tlsext_status_ocsp_resp,
+SSL_set_tlsext_status_ocsp_resp - OCSP Certificate Status Request functions
+
+=head1 SYNOPSIS
+
+ #include 
+
+ long SSL_CTX_set_tlsext_status_cb(SSL_CTX *ctx,
+   int (*callback)(SSL *, void *));
+ long SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg);
+
+ long SSL_set_tlsext_status_type(SSL *s, int type);
+
+ long SSL_get_tlsext_status_ocsp_resp(ssl, unsigned char **resp);
+ long SSL_set_tlsext_status_ocsp_resp(ssl, unsigned char *resp, int len);
+
+=head1 DESCRIPTION
+
+A client application may request that a server send back an OCSP status 
response
+(also known as OCSP stapling). To do so the client should call the
+SSL_set_tlsext_status_type() function prior to the start of the handshake.
+Currently the only supported type is B. This value
+should be passed in the B argument. The client should additionally 
provide
+a callback function to decide what to do with the returned OCSP response by
+calling SSL_CTX_set_tlsext_status_cb(). The callback function should determine
+whether the returned OCSP response is acceptable or not. The callback will be
+passed as an argument the value previously set via a call to
+SSL_CTX_set_tlsext_status_arg(). Note that the callback will not be called in
+the event of a handshake where session resumption occurs (because there are no
+Certificates exchanged in such a handshake).
+
+The response returned by the server can be obtained via a call to
+SSL_get_tlsext_status_ocsp_resp(). The value B<*resp> will be updated to point
+to the OCSP response data and the return value will be the length of that data.
+Typically a callback would obtain an OCSP_RESPONSE object from this data via a
+call to the d2i_OCSP_RESPONSE() function. If the server has not provided any
+response data then B<*resp> will be NULL and the return value from
+SSL_get_tlsext_status_ocsp_resp() will be -1.
+
+A server application must also call the SSL_CTX_set_tlsext_status_cb() function
+if it wants to be able to provide clients with OCSP Certificate Status
+responses. Typically the server callback would obtain the server certificate
+that is being sent back to the client via a call to SSL_get_certificate();
+obtain the OCSP response to be sent back; and then set that response data by
+calling SSL_set_tlsext_status_ocsp_resp(). A pointer to the response data 
should
+be

[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

2015-12-27 Thread Matt Caswell

The branch OpenSSL_1_0_2-stable has been updated
   via  c52c3b5e11253afabaa62739a8ee1c4c4bddcd53 (commit)
   via  0ac6239955965f58f9dddb4229e8cd58e0dba20d (commit)
   via  905943af3b43116b64ae815db1a6b9c2f15e0356 (commit)
  from  155a1623d005297626008efb4f71714dd023de25 (commit)


- Log -
commit c52c3b5e11253afabaa62739a8ee1c4c4bddcd53
Author: Matt Caswell 
Date:   Mon Nov 30 16:04:51 2015 +

Add some documentation for the OCSP callback functions

Describe the usage of the OCSP callback functions on both the client and
the server side.

Reviewed-by: Viktor Dukhovni 

commit 0ac6239955965f58f9dddb4229e8cd58e0dba20d
Author: Matt Caswell 
Date:   Mon Nov 30 13:29:41 2015 +

Ensure we don't call the OCSP callback if resuming a session

It makes no sense to call the OCSP status callback if we are resuming a
session because no certificates will be sent.

Reviewed-by: Viktor Dukhovni 

commit 905943af3b43116b64ae815db1a6b9c2f15e0356
Author: Matt Caswell 
Date:   Thu Nov 5 14:52:27 2015 +

Fix error when server does not send CertificateStatus message

If a server sends the status_request extension then it may choose
to send the CertificateStatus message. However this is optional.
We were treating it as mandatory and the connection was failing.

Thanks to BoringSSL for reporting this issue.

RT#4120

Reviewed-by: Viktor Dukhovni 

---

Summary of changes:
 doc/ssl/SSL_CTX_set_tlsext_status_cb.pod | 73 
 ssl/s3_clnt.c| 61 ++
 ssl/t1_lib.c | 14 +++---
 3 files changed, 113 insertions(+), 35 deletions(-)
 create mode 100644 doc/ssl/SSL_CTX_set_tlsext_status_cb.pod

diff --git a/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod 
b/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod
new file mode 100644
index 000..b8147ba
--- /dev/null
+++ b/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod
@@ -0,0 +1,73 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_set_tlsext_status_cb, SSL_CTX_set_tlsext_status_arg,
+SSL_set_tlsext_status_type, SSL_get_tlsext_status_ocsp_resp,
+SSL_set_tlsext_status_ocsp_resp - OCSP Certificate Status Request functions
+
+=head1 SYNOPSIS
+
+ #include 
+
+ long SSL_CTX_set_tlsext_status_cb(SSL_CTX *ctx,
+   int (*callback)(SSL *, void *));
+ long SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg);
+
+ long SSL_set_tlsext_status_type(SSL *s, int type);
+
+ long SSL_get_tlsext_status_ocsp_resp(ssl, unsigned char **resp);
+ long SSL_set_tlsext_status_ocsp_resp(ssl, unsigned char *resp, int len);
+
+=head1 DESCRIPTION
+
+A client application may request that a server send back an OCSP status 
response
+(also known as OCSP stapling). To do so the client should call the
+SSL_set_tlsext_status_type() function prior to the start of the handshake.
+Currently the only supported type is B. This value
+should be passed in the B argument. The client should additionally 
provide
+a callback function to decide what to do with the returned OCSP response by
+calling SSL_CTX_set_tlsext_status_cb(). The callback function should determine
+whether the returned OCSP response is acceptable or not. The callback will be
+passed as an argument the value previously set via a call to
+SSL_CTX_set_tlsext_status_arg(). Note that the callback will not be called in
+the event of a handshake where session resumption occurs (because there are no
+Certificates exchanged in such a handshake).
+
+The response returned by the server can be obtained via a call to
+SSL_get_tlsext_status_ocsp_resp(). The value B<*resp> will be updated to point
+to the OCSP response data and the return value will be the length of that data.
+Typically a callback would obtain an OCSP_RESPONSE object from this data via a
+call to the d2i_OCSP_RESPONSE() function. If the server has not provided any
+response data then B<*resp> will be NULL and the return value from
+SSL_get_tlsext_status_ocsp_resp() will be -1.
+
+A server application must also call the SSL_CTX_set_tlsext_status_cb() function
+if it wants to be able to provide clients with OCSP Certificate Status
+responses. Typically the server callback would obtain the server certificate
+that is being sent back to the client via a call to SSL_get_certificate();
+obtain the OCSP response to be sent back; and then set that response data by
+calling SSL_set_tlsext_status_ocsp_resp(). A pointer to the response data 
should
+be provided in the B argument, and the length of that data should be in
+the B argument.
+
+=head1 RETURN VALUES
+
+The callback when used on the client side should return a negative value on
+error; 0 if the response is

[openssl-commits] [openssl] master update

2015-12-27 Thread Matt Caswell

The branch master has been updated
   via  b1931d432f4b53ceb2e2eacec09c2e32e043830b (commit)
   via  43c34894d703e3e5c2fc03bad3a78a1cf10d8ba5 (commit)
   via  80e339fd09ca32680e0c0cbcfa40d73212ea276d (commit)
   via  bb1aaab42880489729aeafea27d3569cce60c20b (commit)
   via  ef96e4a28fa98cdf44246baab9ec8cdb69914fd9 (commit)
  from  b22d71131aa01d371029908e3c2bce332fd77e70 (commit)


- Log -
commit b1931d432f4b53ceb2e2eacec09c2e32e043830b
Author: Matt Caswell 
Date:   Thu Dec 10 10:44:30 2015 +

Simplify calling of the OCSP callback

Move all calls of the OCSP callback into one place, rather than repeating it
in two different places.

Reviewed-by: Viktor Dukhovni 

commit 43c34894d703e3e5c2fc03bad3a78a1cf10d8ba5
Author: Matt Caswell 
Date:   Mon Nov 30 16:04:51 2015 +

Add some documentation for the OCSP callback functions

Describe the usage of the OCSP callback functions on both the client and
the server side.

Reviewed-by: Viktor Dukhovni 

commit 80e339fd09ca32680e0c0cbcfa40d73212ea276d
Author: Matt Caswell 
Date:   Mon Nov 30 13:29:41 2015 +

Ensure we don't call the OCSP callback if resuming a session

It makes no sense to call the OCSP status callback if we are resuming a
session because no certificates will be sent.

Reviewed-by: Viktor Dukhovni 

commit bb1aaab42880489729aeafea27d3569cce60c20b
Author: Matt Caswell 
Date:   Thu Nov 5 14:31:11 2015 +

Fix error when server does not send CertificateStatus message

If a server sends the status_request extension then it may choose
to send the CertificateStatus message. However this is optional.
We were treating it as mandatory and the connection was failing.

Thanks to BoringSSL for reporting this issue.

RT#4120

Reviewed-by: Viktor Dukhovni 

commit ef96e4a28fa98cdf44246baab9ec8cdb69914fd9
Author: Matt Caswell 
Date:   Thu Nov 5 14:08:54 2015 +

Add test for missing CertificateStatus message

If the client sends a status_request extension in the ClientHello
and the server responds with a status_request extension in the
ServerHello then normally the server will also later send a
CertificateStatus message. However this message is *optional* even
if the extensions were sent. This adds a test to ensure that if
the extensions are sent then we can still omit the message.

Reviewed-by: Viktor Dukhovni 

---

Summary of changes:
 doc/ssl/SSL_CTX_set_tlsext_status_cb.pod   | 73 ++
 ssl/statem/statem_clnt.c   | 50 ---
 ssl/t1_lib.c   | 27 ++--
 ...test_sslskewith0p.t => 70-test_sslcertstatus.t} | 33 +-
 util/TLSProxy/ClientHello.pm   |  1 +
 5 files changed, 123 insertions(+), 61 deletions(-)
 create mode 100644 doc/ssl/SSL_CTX_set_tlsext_status_cb.pod
 copy test/recipes/{70-test_sslskewith0p.t => 70-test_sslcertstatus.t} (80%)

diff --git a/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod 
b/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod
new file mode 100644
index 000..b8147ba
--- /dev/null
+++ b/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod
@@ -0,0 +1,73 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_set_tlsext_status_cb, SSL_CTX_set_tlsext_status_arg,
+SSL_set_tlsext_status_type, SSL_get_tlsext_status_ocsp_resp,
+SSL_set_tlsext_status_ocsp_resp - OCSP Certificate Status Request functions
+
+=head1 SYNOPSIS
+
+ #include 
+
+ long SSL_CTX_set_tlsext_status_cb(SSL_CTX *ctx,
+   int (*callback)(SSL *, void *));
+ long SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg);
+
+ long SSL_set_tlsext_status_type(SSL *s, int type);
+
+ long SSL_get_tlsext_status_ocsp_resp(ssl, unsigned char **resp);
+ long SSL_set_tlsext_status_ocsp_resp(ssl, unsigned char *resp, int len);
+
+=head1 DESCRIPTION
+
+A client application may request that a server send back an OCSP status 
response
+(also known as OCSP stapling). To do so the client should call the
+SSL_set_tlsext_status_type() function prior to the start of the handshake.
+Currently the only supported type is B. This value
+should be passed in the B argument. The client should additionally 
provide
+a callback function to decide what to do with the returned OCSP response by
+calling SSL_CTX_set_tlsext_status_cb(). The callback function should determine
+whether the returned OCSP response is acceptable or not. The callback will be
+passed as an argument the value previously set via a call to
+SSL_CTX_set_tlsext_status_arg(). Note that the callback will not be called in
+the

[openssl-commits] [openssl] master update

2015-12-27 Thread Matt Caswell

The branch master has been updated
   via  057b6f797d89964892620fe9980a1ca6872a771f (commit)
  from  b1931d432f4b53ceb2e2eacec09c2e32e043830b (commit)


- Log -
commit 057b6f797d89964892620fe9980a1ca6872a771f
Author: Matt Caswell 
Date:   Wed Dec 23 16:36:59 2015 +

Increase the max size limit for a CertificateRequest message

Previous versions of OpenSSL had the max size limit for a CertificateRequest
message as |s->max_cert_list|. Previously master had it to be
SSL3_RT_MAX_PLAIN_LENGTH. However these messages can get quite long if a
server is configured with a long list of acceptable CA names. Therefore
the size limit has been increased to be consistent with previous versions.

RT#4198

Reviewed-by: Viktor Dukhovni 

---

Summary of changes:
 ssl/statem/statem_clnt.c | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index b14e6ed..536689b 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -696,7 +696,11 @@ unsigned long ossl_statem_client_max_message_size(SSL *s)
 return SERVER_KEY_EXCH_MAX_LENGTH;
 
 case TLS_ST_CR_CERT_REQ:
-return SSL3_RT_MAX_PLAIN_LENGTH;
+/* Set to s->max_cert_list for compatibility with previous 
releases.
+ * In practice these messages can get quite long if servers are
+ * configured to provide a long list of acceptable CAs
+ */
+return s->max_cert_list;
 
 case TLS_ST_CR_SRVR_DONE:
 return SERVER_HELLO_DONE_MAX_LENGTH;
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

[openssl-commits] [openssl] master update

[openssl-commits] [openssl] master update

4 matches

Site Navigation

Mail list logo

Footer information