SCRIPTS=CA.pl tsget
EXE= openssl$(EXE_EXT)
+CONFS=openssl.cnf ct_log_list.cnf
COMMANDS= \
asn1pars.o ca.o ciphers.o cms.o crl.o crl2p7.o dgst.o dhparam.o \
cp $$i $(DESTDIR)$(OPENSSLDIR)/misc/$$i.new; \
chmod 755 $(DESTDIR)$(OPENSSLDIR)/misc/$$i.new; \
mv -f $(DESTDIR)$(OPENSSLDIR)/misc/$$i.new $(DESTDIR)$(OPENSSLDIR)/misc/$$i ); \
- done
- @cp openssl.cnf $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new; \
- chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new; \
- mv -f $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new $(DESTDIR)$(OPENSSLDIR)/openssl.cnf
+ done;
+ @set -e; for i in $(CONFS); \
+ do \
+ (echo installing $$i; \
+ cp $$i $(DESTDIR)$(OPENSSLDIR)/$$i.new; \
+ chmod 644 $(DESTDIR)$(OPENSSLDIR)/$$i.new; \
+ mv -f $(DESTDIR)$(OPENSSLDIR)/$$i.new $(DESTDIR)$(OPENSSLDIR)/$$i ); \
+ done;
uninstall:
@set -e; for i in $(EXE); \
do \
echo $(RM) $(DESTDIR)$(OPENSSLDIR)/misc/$$i; \
$(RM) $(DESTDIR)$(OPENSSLDIR)/misc/$$i; \
- done
- $(RM) $(DESTDIR)$(OPENSSLDIR)/openssl.cnf
+ done;
+ @set -e; for i in $(CONFS); \
+ do \
+ echo $(RM) $(DESTDIR)$(OPENSSLDIR)/$$i; \
+ $(RM) $(DESTDIR)$(OPENSSLDIR)/$$i; \
+ done;
generate: openssl-vms.cnf progs.h
return SSL_CTX_load_verify_locations(ctx, CAfile, CApath);
}
+int ctx_set_ctlog_list_file(SSL_CTX *ctx, const char *path)
+{
+ if (path == NULL) {
+ if (SSL_CTX_set_default_ctlog_list_file(ctx) <= 0) {
+ BIO_puts(bio_err, "Failed to load default Certificate Transparency "
+ "log list\n");
+ }
+ return 1; /* Do not treat failure to load the default as an error */
+ }
+
+ return SSL_CTX_set_ctlog_list_file(ctx, path);
+}
+
int dump_cert_text(BIO *out, X509 *x)
{
char *p;
int noCAfile, int noCApath);
int ctx_set_verify_locations(SSL_CTX *ctx, const char *CAfile,
const char *CApath, int noCAfile, int noCApath);
+int ctx_set_ctlog_list_file(SSL_CTX *ctx, const char *path);
+
# ifdef OPENSSL_NO_ENGINE
# define setup_engine(engine, debug) NULL
# else
--- /dev/null
+enabled_logs=pilot,aviator,rocketeer,digicert,certly,izempe,symantec,venafi
+
+[pilot]
+description = Google Pilot Log
+key = MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfahLEimAoz2t01p3uMziiLOl/fHTDM0YDOhBRuiBARsV4UvxG2LdNgoIGLrtCzWE0J5APC2em4JlvR8EEEFMoA==
+
+[aviator]
+description = Google Aviator log
+key = MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1/TMabLkDpCjiupacAlP7xNi0I1JYP8bQFAHDG1xhtolSY1l4QgNRzRrvSe8liE+NPWHdjGxfx3JhTsN9x8/6Q==
+
+[rocketeer]
+description = Google Rocketeer log
+key = MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIFsYyDzBi7MxCAC/oJBXK7dHjG+1aLCOkHjpoHPqTyghLpzA9BYbqvnV16mAw04vUjyYASVGJCUoI3ctBcJAeg==
+
+[digicert]
+description = DigiCert Log Server
+key = MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAkbFvhu7gkAW6MHSrBlpE1n4+HCFRkC5OLAjgqhkTH+/uzSfSl8ois8ZxAD2NgaTZe1M9akhYlrYkes4JECs6A==
+
+[certly]
+description = Certly.IO log
+key = MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAECyPLhWKYYUgEc+tUXfPQB4wtGS2MNvXrjwFCCnyYJifBtd2Sk7Cu+Js9DNhMTh35FftHaHu6ZrclnNBKwmbbSA==
+
+[izempe]
+description = Izempe log
+key = MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJ2Q5DC3cUBj4IQCiDu0s6j51up+TZAkAEcQRF6tczw90rLWXkJMAW7jr9yc92bIKgV8vDXU4lDeZHvYHduDuvg==
+
+[symantec]
+description = Symantec log
+key = MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEluqsHEYMG1XcDfy1lCdGV0JwOmkY4r87xNuroPS2bMBTP01CEDPwWJePa75y9CrsHEKqAy8afig1dpkIPSEUhg==
+
+[venafi]
+description = Venafi log
+key = MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAolpIHxdSlTXLo1s6H1OCdpSj/4DyHDc8wLG9wVmLqy1lk9fz4ATVmm+/1iN2Nk8jmctUKK2MFUtlWXZBSpym97M7frGlSaQXUWyA3CqQUEuIJOmlEjKTBEiQAvpfDjCHjlV2Be4qTM6jamkJbiWtgnYPhJL6ONaGTiSPm7Byy57iaz/hbckldSOIoRhYBiMzeNoA0DiRZ9KmfSeXZ1rB8y8X5urSW+iBzf2SaOfzBvDpcoTuAaWx2DPazoOl28fP1hZ+kHUYvxbcMjttjauCFx+JII0dmuZNIwjfeG/GBb9frpSX219k1O4Wi6OEbHEr8at/XQ0y7gTikOxBn/s5wQIDAQAB
+
{"heartbeat", TLSEXT_TYPE_heartbeat},
{"session ticket", TLSEXT_TYPE_session_ticket},
{"renegotiation info", TLSEXT_TYPE_renegotiate},
+ {"signed certificate timestamps", TLSEXT_TYPE_signed_certificate_timestamp},
{"TLS padding", TLSEXT_TYPE_padding},
#ifdef TLSEXT_TYPE_next_proto_neg
{"next protocol", TLSEXT_TYPE_next_proto_neg},
#ifndef OPENSSL_NO_SRP
# include <openssl/srp.h>
#endif
+#ifndef OPENSSL_NO_CT
+# include <openssl/ct.h>
+#endif
#include "s_apps.h"
#include "timeouts.h"
OPT_X_ENUM,
OPT_S_ENUM,
OPT_FALLBACKSCSV, OPT_NOCMDS, OPT_PROXY, OPT_DANE_TLSA_DOMAIN,
+#ifndef OPENSSL_NO_CT
+ OPT_NOCT, OPT_REQUESTCT, OPT_REQUIRECT, OPT_CTLOG_FILE,
+#endif
OPT_DANE_TLSA_RRDATA
} OPTION_CHOICE;
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{"ssl_client_engine", OPT_SSL_CLIENT_ENGINE, 's',
"Specify engine to be used for client certificate operations"},
+#endif
+#ifndef OPENSSL_NO_CT
+ {"noct", OPT_NOCT, '-', "Do not request or parse SCTs (default)"},
+ {"requestct", OPT_REQUESTCT, '-', "Request SCTs (enables OCSP stapling)"},
+ {"requirect", OPT_REQUIRECT, '-', "Require at least 1 SCT (enables OCSP stapling)"},
+ {"ctlogfile", OPT_CTLOG_FILE, '<', "CT log list CONF file"},
#endif
{NULL}
};
int srp_lateuser = 0;
SRP_ARG srp_arg = { NULL, NULL, 0, 0, 0, 1024 };
#endif
+#ifndef OPENSSL_NO_CT
+ char *ctlog_file = NULL;
+ ct_validation_cb ct_validation = NULL;
+#endif
FD_ZERO(&readfds);
FD_ZERO(&writefds);
case OPT_NOCAFILE:
noCAfile = 1;
break;
+#ifndef OPENSSL_NO_CT
+ case OPT_NOCT:
+ ct_validation = NULL;
+ break;
+ case OPT_REQUESTCT:
+ ct_validation = CT_verify_no_bad_scts;
+ break;
+ case OPT_REQUIRECT:
+ ct_validation = CT_verify_at_least_one_good_sct;
+ break;
+ case OPT_CTLOG_FILE:
+ ctlog_file = opt_arg();
+ break;
+#endif
case OPT_CHAINCAFILE:
chCAfile = opt_arg();
break;
if (state)
SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback);
+#ifndef OPENSSL_NO_CT
+ if (!SSL_CTX_set_ct_validation_callback(ctx, ct_validation, NULL)) {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+
+ if (ctx_set_ctlog_list_file(ctx, ctlog_file) <= 0) {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+#endif
+
SSL_CTX_set_verify(ctx, verify, verify_callback);
if (!ctx_set_verify_locations(ctx, CAfile, CApath, noCAfile, noCApath)) {
const COMP_METHOD *comp, *expansion;
#endif
unsigned char *exportedkeymat;
+#ifndef OPENSSL_NO_CT
+ const STACK_OF(SCT) *scts;
+#endif
if (full) {
int got_a_chain = 0;
ssl_print_sigalgs(bio, s);
ssl_print_tmp_key(bio, s);
+#ifndef OPENSSL_NO_CT
+ scts = SSL_get0_peer_scts(s);
+ BIO_printf(bio, "---\nSCTs present (%i)\n---\n",
+ scts ? sk_SCT_num(scts) : 0);
+ SCT_LIST_print(scts, bio, 0, "\n---\n");
+ BIO_printf(bio, "\n");
+ if (SSL_get_ct_validation_callback(s) == NULL) {
+ BIO_printf(bio, "---\nWarning: CT validation is disabled, so not all "
+ "SCTs may be displayed. Re-run with \"-requestct\".\n");
+ }
+#endif
+
BIO_printf(bio,
"---\nSSL handshake has read %"PRIu64" bytes and written %"PRIu64" bytes\n",
BIO_number_read(SSL_get_rbio(s)),
my ($no_rsa, $no_dsa, $no_dh, $no_ec, $no_srp, $no_psk,
$no_ssl3, $no_tls1, $no_tls1_1, $no_tls1_2,
- $no_dtls, $no_dtls1, $no_dtls1_2) =
+ $no_dtls, $no_dtls1, $no_dtls1_2, $no_ct) =
anydisabled qw/rsa dsa dh ec srp psk
ssl3 tls1 tls1_1 tls1_2
- dtls dtls1 dtls1_2/;
+ dtls dtls1 dtls1_2 ct/;
my $no_anytls = alldisabled(available_protocols("tls"));
my $no_anydtls = alldisabled(available_protocols("dtls"));
plan tests =>
1 # For testss
+ 1 # For ssltest -test_cipherlist
- + 10 # For the first testssl
+ + 11 # For the first testssl
+ 16 # For the first testsslproxy
+ 16 # For the second testsslproxy
;
}
- # plan tests => 10;
+ # plan tests => 11;
subtest 'standard SSL tests' => sub {
######################################################################
ok($ok);
}}}}}
};
+
+ subtest 'Certificate Transparency tests' => sub {
+ ######################################################################
+
+ plan tests => 3;
+
+ SKIP: {
+ skip "Certificate Transparency is not supported by this OpenSSL build", 3
+ if $no_ct;
+ skip "TLSv1.0 is not supported by this OpenSSL build", 3
+ if $no_tls1;
+
+ $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");
+ ok(run(test([@ssltest, "-bio_pair", "-tls1", "-noct"])));
+ ok(run(test([@ssltest, "-bio_pair", "-tls1", "-requestct"])));
+ # No SCTs provided, so this should fail.
+ ok(run(test([@ssltest, "-bio_pair", "-tls1", "-requirect",
+ "-should_negotiate", "fail-client"])));
+ }
+ };
+
}
sub testsslproxy {
# include <openssl/srp.h>
#endif
#include <openssl/bn.h>
+#ifndef OPENSSL_NO_CT
+# include <openssl/ct.h>
+#endif
#include "../ssl/ssl_locl.h"
return -1;
}
-#define SCT_EXT_TYPE 18
-
/*
* WARNING : below extension types are *NOT* IETF assigned, and could
* conflict if these types are reassigned and handled specially by OpenSSL
const unsigned char *in, size_t inlen,
int *al, void *arg)
{
- if (ext_type == SCT_EXT_TYPE)
+ if (ext_type == TLSEXT_TYPE_signed_certificate_timestamp)
serverinfo_sct_seen++;
else if (ext_type == TACK_EXT_TYPE)
serverinfo_tack_seen++;
fprintf(stderr, " -client_min_proto <string> - Minimum version the client should support\n");
fprintf(stderr, " -client_max_proto <string> - Maximum version the client should support\n");
fprintf(stderr, " -should_negotiate <string> - The version that should be negotiated, fail-client or fail-server\n");
+#ifndef OPENSSL_NO_CT
+ fprintf(stderr, " -noct - no certificate transparency\n");
+ fprintf(stderr, " -requestct - request certificate transparency\n");
+ fprintf(stderr, " -requirect - require certificate transparency\n");
+#endif
}
static void print_key_details(BIO *out, EVP_PKEY *key)
#endif
int no_protocol;
+#ifndef OPENSSL_NO_CT
+ /*
+ * Disable CT validation by default, because it will interfere with
+ * anything using custom extension handlers to deal with SCT extensions.
+ */
+ ct_validation_cb ct_validation = NULL;
+#endif
+
SSL_CONF_CTX *s_cctx = NULL, *c_cctx = NULL;
STACK_OF(OPENSSL_STRING) *conf_args = NULL;
char *arg = NULL, *argn = NULL;
} else if (strcmp(*argv, "-time") == 0) {
print_time = 1;
}
+#ifndef OPENSSL_NO_CT
+ else if (strcmp(*argv, "-noct") == 0) {
+ ct_validation = NULL;
+ }
+ else if (strcmp(*argv, "-requestct") == 0) {
+ ct_validation = CT_verify_no_bad_scts;
+ }
+ else if (strcmp(*argv, "-requirect") == 0) {
+ ct_validation = CT_verify_at_least_one_good_sct;
+ }
+#endif
#ifndef OPENSSL_NO_COMP
else if (strcmp(*argv, "-zlib") == 0) {
comp = COMP_ZLIB;
}
}
+#ifndef OPENSSL_NO_CT
+ if (!SSL_CTX_set_ct_validation_callback(c_ctx, ct_validation, NULL)) {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+#endif
+
/* Process SSL_CONF arguments */
SSL_CONF_CTX_set_ssl_ctx(c_cctx, c_ctx);
SSL_CONF_CTX_set_ssl_ctx(s_cctx, s_ctx);
if ((!SSL_CTX_load_verify_locations(s_ctx, CAfile, CApath)) ||
(!SSL_CTX_set_default_verify_paths(s_ctx)) ||
- (!SSL_CTX_set_default_ctlog_list_file(s_ctx)) ||
(!SSL_CTX_load_verify_locations(c_ctx, CAfile, CApath)) ||
- (!SSL_CTX_set_default_verify_paths(c_ctx)) ||
- (!SSL_CTX_set_default_ctlog_list_file(c_ctx))) {
+ (!SSL_CTX_set_default_verify_paths(c_ctx))) {
/* fprintf(stderr,"SSL_load_verify_locations\n"); */
ERR_print_errors(bio_err);
/* goto end; */
}
+ if (!SSL_CTX_set_default_ctlog_list_file(s_ctx) ||
+ !SSL_CTX_set_default_ctlog_list_file(c_ctx)) {
+ ERR_print_errors(bio_err);
+ }
+
if (client_auth) {
printf("client authentication\n");
SSL_CTX_set_verify(s_ctx,
#endif
if (serverinfo_sct) {
- if (!SSL_CTX_add_client_custom_ext(c_ctx, SCT_EXT_TYPE,
- NULL, NULL, NULL,
- serverinfo_cli_parse_cb, NULL)) {
+ if (!SSL_CTX_add_client_custom_ext(c_ctx,
+ TLSEXT_TYPE_signed_certificate_timestamp,
+ NULL, NULL, NULL,
+ serverinfo_cli_parse_cb, NULL)) {
BIO_printf(bio_err, "Error adding SCT extension\n");
goto end;
}
projects / oweals / openssl.git / commitdiff