563754fb08
Add SslContextBuilder::set_tmp_{ec,}dh_callback
2016-11-12 12:43:44 +00:00
9b5c62b053
Add PKey::bits
2016-11-12 11:00:15 +00:00
7c9afd8c99
Fix function signature
2016-11-12 10:29:31 +00:00
26a3358a2b
Add basic X509_STORE access
...
There's more to do here, but this enabled addition of trusted CAs from
X509 objects.
Closes #394
2016-11-12 00:24:12 +00:00
6b7279eb52
Consistently support both PEM and DER encodings
...
Closes #500
2016-11-11 20:10:10 +00:00
15490a43e3
Add EcKey <-> PKey conversions
...
Closes #499
2016-11-11 19:17:38 +00:00
32cbed0782
PKey <-> DH conversions
...
Closes #498
2016-11-11 19:04:54 +00:00
609a09ebb9
Add PKey::dsa
...
Closes #501
2016-11-11 18:52:37 +00:00
0d2d4865e5
Release v0.9.1
2016-11-11 16:45:22 +00:00
203a02c3e6
Actually support AES GCM
...
This is an AEAD cipher, so we need some extra functionality. As another
bonus, we no longer panic if provided an IV with a different length than
the cipher's default.
2016-11-08 20:35:21 +00:00
d78acc729b
Add an X509ReqBuilder
2016-11-07 20:42:43 +00:00
597d05b8f8
Add stack creation and push
2016-11-06 23:46:42 -08:00
5f18ffa4b3
Start of extension support
2016-11-06 21:58:43 -08:00
1939e6fd78
Add conf module
2016-11-06 14:49:26 -08:00
b83edbad0d
Start on an X509Builder
2016-11-06 14:07:34 -08:00
1edb6f682e
Support client CA advertisement
2016-11-06 12:17:14 -08:00
a4e0581e4f
Fix build on 1.0.1
2016-11-06 11:57:50 -08:00
bcb7b3f5dc
Add accessors for cert and private key
...
Closes #340
2016-11-06 10:46:38 -08:00
c2bf8acad8
Provide a tailored error message on Linux
...
I just ran into a case where I installed OpenSSL in a docker container but I
forgot to install pkg-config. Right now openssl-sys relies on pkg-config, so
print out a nice error about this.
2016-11-05 22:55:25 -07:00
72ac2a0105
Release v0.9.0
2016-11-05 20:05:50 -07:00
fb9420fc91
Always dump openssl confs
2016-11-04 21:15:07 -07:00
91fd58b4c2
More buildscript tweaks
2016-11-04 21:10:49 -07:00
9198bcda3a
Improve buildscript logic
2016-11-04 21:08:34 -07:00
62a9f89fce
Avoid lhash weirdness
2016-11-03 20:38:51 -07:00
7f308aa5e1
Fix signature
2016-11-02 08:26:18 -07:00
aa0040125b
Use built in DH parameters when available
...
Fall back to a hardcoded PEM blob on 1.0.1, but serialized from
DH_get_2048_256.
2016-11-01 22:50:22 -07:00
176348630a
Don't clear BigNums in destructor
...
Instead add a clear method.
2016-11-01 21:59:07 -07:00
343ce159ec
Fix stack signatures
2016-11-01 19:51:55 -07:00
c776534ad4
Clean up stack
2016-11-01 19:25:40 -07:00
77b76ed8a8
Merge pull request #506 from simias/stack
...
Implemented a generic Stack API and use it to deal with StackOf(X509) and StackOf(GENERAL_NAME)
2016-11-01 18:59:35 -07:00
8d0090faec
Implement X509StoreContextRef::get_chain
2016-11-01 21:23:18 +01:00
3bdefa987a
Implement a generic Stack API to deal with OpenSSL stacks
2016-11-01 21:23:13 +01:00
9ea27c12b9
Add method to encode a public key as a DER blob
2016-11-01 17:34:21 +01:00
dc4098bdd8
Clean up x509 name entries
2016-10-31 22:43:05 -07:00
cd7fa9fca2
Update x509
2016-10-31 20:54:34 -07:00
16e398e005
Update verify
2016-10-31 20:19:59 -07:00
558124b755
Expose SSL_MODEs
2016-10-30 22:02:26 -07:00
677718f8da
Configure ECDH parameters in connector
2016-10-30 13:38:09 -07:00
8c58ecc2fa
Implement EcKey
...
cc #499
2016-10-30 13:17:20 -07:00
781417d50f
Add a macro definition
2016-10-27 19:12:55 -07:00
bea53bb39b
Support AES GCM
...
Closes #326
2016-10-25 20:59:33 -07:00
39279455c8
Add a shutdown method
2016-10-25 20:40:18 -07:00
04fc853ee3
Remove NIDs only defined in 1.0.2+
2016-10-23 09:16:20 -07:00
2fd201d9c3
De-enumify Nid
2016-10-22 10:08:32 -07:00
5ab037f056
Allow the X509 verify error to be read from an SslRef
2016-10-18 22:21:06 -07:00
cfd5192a7d
De-enumify X509ValidationError
...
Also make it an Error.
Closes #352 .
2016-10-18 22:10:37 -07:00
c4459c37d9
Callback cleanup
2016-10-18 21:13:13 -07:00
6609a81685
Migrate DSA sign/verify to EVP APIs
2016-10-15 15:02:02 -07:00
228b8fbc5b
Correctly bind BIO_new_mem_buf
2016-10-15 13:39:47 -07:00
bb23b33829
Fix signature of EVP_DigestVerifyFinal on 1.0.1
2016-10-15 12:24:20 -07:00
6ae472487f
Support HMAC PKeys and remove hmac module
2016-10-15 11:06:11 -07:00
b564cb5db7
Add digest signature methods
2016-10-15 09:48:34 -07:00
64b8e5e553
Merge pull request #471 from sfackler/no-comp
...
Handle OPENSSL_NO_COMP
2016-10-14 23:09:11 -07:00
ba997c590e
Prefer 1.1 when looking for Homebrew installs
2016-10-14 22:55:44 -07:00
7ac0599638
Fix test_alpn_server_select_none
...
In OpenSSL 1.1, a failure to negotiate a protocol is a fatal error, so
fork that test. This also popped up an issue where we assumed all errors
had library, function, and reason strings which is not necessarily the
case.
While we're in here, adjust the Display impl to match what OpenSSL
prints out.
Closes #465
2016-10-14 22:01:21 -07:00
f520aa2860
Handle OPENSSL_NO_COMP
...
Closes #459
2016-10-14 20:50:45 -07:00
d7a433bdef
Respect osslconf in systest
...
Also cfg off SSLv3_method, since it's disabled in the OpenSSL that ships
with Arch Linux. More such flags can be added on demand - it doesn't
seem worth auditing everything for them.
2016-10-14 19:16:08 -07:00
d976b8f595
Enable hostname verification on 1.0.2
2016-10-14 18:56:15 -07:00
af51b263b1
Support hostname verification
...
Closes #206
2016-10-14 17:39:31 -07:00
ae282a78e2
Remove link_name usage
2016-10-14 16:15:50 -07:00
b610e01793
Flag off dtls and mask ssl_ops
...
Also un-feature gate npn as it ships with 1.0.1
2016-10-13 19:06:53 -07:00
af3e06d3e8
Add remaining SSL_OP constants
2016-10-12 22:50:08 -07:00
43c951f743
Add support for OpenSSL 1.1.0
...
This commit is relatively major refactoring of the `openssl-sys` crate as well
as the `openssl` crate itself. The end goal here was to support OpenSSL 1.1.0,
and lots of other various tweaks happened along the way. The major new features
are:
* OpenSSL 1.1.0 is supported
* OpenSSL 0.9.8 is no longer supported (aka all OSX users by default)
* All FFI bindings are verified with the `ctest` crate (same way as the `libc`
crate)
* CI matrixes are vastly expanded to include 32/64 of all platforms, more
OpenSSL version coverage, as well as ARM coverage on Linux
* The `c_helpers` module is completely removed along with the `gcc` dependency.
* The `openssl-sys` build script was completely rewritten
* Now uses `OPENSSL_DIR` to find the installation, not include/lib env vars.
* Better error messages for mismatched versions.
* Better error messages for failing to find OpenSSL on a platform (more can be
done here)
* Probing of OpenSSL build-time configuration to inform the API of the `*-sys`
crate.
* Many Cargo features have been removed as they're now enabled by default.
As this is a breaking change to both the `openssl` and `openssl-sys` crates this
will necessitate a major version bump of both. There's still a few more API
questions remaining but let's hash that out on a PR!
Closes #452
2016-10-12 22:49:55 -07:00
44ed665f02
Add RAND_status()
...
RAND_status() returns 1 if the PRNG has been seeded with enough data, 0 otherwise.
2016-10-01 13:42:13 +02:00
4cc55b65e0
Add RSA_*_PADDING constants
2016-10-01 13:39:33 +02:00
4718a88e04
Release openssl-sys v0.7.17, openssl v0.8.2
2016-08-18 12:59:22 -07:00
cd69343d67
Fix SslContext::add_extra_chain_cert
...
SSL_CTX_add_extra_chain_cert assumes ownership of the certificate, so
the method really needs to take an X509 by value. Work around this by
manually cloning the cert.
This method has been around for over a year but I'm guessing nobody
actually used it since it produces a nice double free into segfault!
2016-08-17 19:30:57 -07:00
96b1ef829c
Add `"x509_expiry"` feature flag
...
- fix return of `ASN1_TIME_print`
- assert on null `date`
2016-08-17 01:23:54 -04:00
f9cd4bff1f
Progress on asn1 expiry
...
- Use MemBio and implement `Display` for Asn1Time
- Tweak doc for asn1 `not_before`, `not_after`
2016-08-17 01:23:54 -04:00
629f638f08
Release openssl-sys v0.7.16, openssl v0.8.1
2016-08-15 18:44:57 -07:00
912f7499cd
Initialize algorithms in init
...
Required to deserialize PKCS12 on 0.9.8, looks like
2016-08-14 12:51:33 -07:00
e5299fd7c9
Fix memory leak in general name stack
2016-08-14 11:16:53 -07:00
6b12a0cdde
PKCS #12 support
2016-08-14 11:11:26 -07:00
773a6f0735
Start on PKCS #12 support
2016-08-14 10:11:38 -07:00
2e8f19ca2f
Release openssl-sys v0.7.15, openssl v0.8.0
2016-08-11 21:00:43 -07:00
207d8e6b30
Undelete bogus extern declaration
...
Old rust-openssl versions rely on it being there
2016-08-10 22:16:58 -07:00
0cc863e857
Use new target syntax for windows stuff
2016-08-10 22:13:17 -07:00
35c79d1768
Fix build
2016-08-09 23:13:56 -07:00
67b5b4d814
Make hmac support optional and remove openssl-sys-extras
...
rust-openssl no longer requires headers for the default feature set.
2016-08-09 22:52:12 -07:00
a8224d199b
symm reform
2016-08-08 23:10:03 -07:00
522447378e
Copy over getter macros
2016-08-08 20:37:48 -07:00
bf07dd9a4e
Remove symm_internal
2016-08-08 20:26:04 -07:00
6b1016c86e
Add PKey::from_rsa
2016-08-07 22:56:44 -07:00
2a3e9a2856
Add RSA::generate
2016-08-07 22:35:37 -07:00
7855f428aa
PKey reform
...
This deletes the vast majority of PKey's API, since it was weirdly tied
to RSA and super broken.
2016-08-07 20:38:46 -07:00
7ca5ccf064
Hash reform
...
Closes #430
2016-08-07 16:29:36 -07:00
c47be8b14b
Move SSL_CTX_set_ecdh_auto to -sys
2016-08-04 22:52:40 -07:00
ee67ea8ea0
Mvoe SSL_CTX_add_extra_chain_cert to -sys
2016-08-04 22:46:47 -07:00
378b86326c
Move SSL_CTX_set_tmp_dh to -sys
2016-08-04 22:43:24 -07:00
7fb7f4671d
Move SSL_CTX_set_read_ahead to -sys
2016-08-04 22:40:01 -07:00
77dbab2cad
Move SSL_CTX_set_tlsext_servername_callback to -sys
2016-08-04 22:37:39 -07:00
c2a7c5b7f0
Move SSL_set_tlsext_host_name to -sys
2016-08-04 22:28:33 -07:00
b29ea62491
Move BIO macros into -sys
2016-08-04 22:22:55 -07:00
17474520bc
Support basic SSL options without C shims
2016-08-04 22:14:18 -07:00
abacc8bb18
Define SSL_CTX_set_mode in openssl-sys
2016-08-02 22:14:44 -07:00
08e27f31ed
Restructure PEM input/output methods
...
Dealing with byte buffers directly avoids error handling weirdness and
we were loading it all into memory before anyway.
2016-08-02 20:49:28 -07:00
3539be3366
Add MidHandshakeSslStream
...
Allows recognizing when a stream is still in handshake mode and can gracefully
transition when ready. The blocking usage of the API should still be the same,
just helps nonblocking implementations!
2016-07-31 16:01:06 -07:00
df30e9e700
Merge pull request #402 from bbatha/feat/dsa-ffi
...
DSA bindings
2016-07-29 22:35:50 -07:00
a3a602be51
add low level dsa primitives
2016-07-29 19:04:37 -04:00
5ed77df197
Implement save_der for X509 and X509Req
2016-07-29 12:14:49 +03:00
722a2bd673
Set SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER flag
2016-07-24 20:55:15 +02:00
5135fca87f
Release v0.7.14
2016-07-01 18:43:39 -04:00
121169c1f5
Set auto retry
...
SSL_read returns a WANT_READ after a renegotiation by default which ends
up bubbling up as a weird BUG error. Tell OpenSSL to just do the read
again.
2016-07-01 18:31:47 -04:00
f6b612df5f
Release v0.7.13
2016-05-20 15:57:57 -07:00
ed969d5d8a
Update user32-sys and gdi32-sys to 0.2
2016-05-19 22:00:14 +02:00
95051b060d
Release v0.7.12
2016-05-16 23:04:03 -07:00
dce59a63c5
Merge pull request #389 from cmsd2/master
...
expose rsa from raw private key and rsa sign and verify
2016-05-06 15:12:19 -07:00
f82a1c4f75
add rsa signature tests
2016-05-05 23:41:55 +01:00
78122a9d68
Release v0.7.11
2016-05-05 13:32:27 -07:00
7b73003b67
Add X509StoreContext::error_depth
2016-04-30 09:27:50 -07:00
62a7dd10e5
Add Ssl::set_verify
...
It also uses a better, closure based API than the existing callback
methods.
2016-04-30 08:09:12 -07:00
a7bade104c
Merge pull request #381 from chaaz/master
...
Add 1DES symm ciphers (des-cbc, des-ecb, des-cfb, des-ofb)
2016-04-29 21:17:17 -07:00
32722e1850
Add accessors for x509 subject alt names
2016-04-29 21:15:32 -07:00
caf9272c85
Start on GeneralName
2016-04-28 22:16:29 -07:00
5682c04469
Remove des_cfb and des_ofb, since they appear on limit platforms
2016-04-19 17:28:19 -06:00
54fc1df712
Release v0.7.10
2016-04-16 20:57:12 -07:00
c2e72f6641
Add SslContext::set_default_verify_paths
2016-04-16 20:47:32 -07:00
2062d48dd2
Add 1DES symm ciphers (des-cbc, des-ecb, des-cfb, des-ofb)
...
1DES is well and truly dead for actual sensitive information, (its
keysize is too small for modern purposes), but it can still find use in
backwards compatiblity or educational applications.
2016-04-14 03:44:43 -06:00
9511a9bc19
Merge pull request #380 from Yoric/master
...
Resolves #378 - Module version with the version information
2016-04-13 14:45:49 -07:00
0c48f9a0e0
Resolves #378 - Module version with the version information
2016-04-13 23:29:25 +02:00
00282de2a5
Add ability to set session ID context on an SSL context
...
This is necessary to make authentication with client certificates work
without session restarts.
2016-04-13 21:38:23 +02:00
d143203f88
Release v0.7.9
2016-04-06 21:34:20 -07:00
4016edd4de
add EVP_PKEY_copy_parameters to FFI
...
copy EVP_PKEY params in PKey::clone
test that PKey::clone creates a copy
2016-04-06 19:39:50 -04:00
e0412850ec
Release v0.7.8
2016-03-18 08:54:12 -07:00
a569df29f4
Release v0.7.7
2016-03-17 09:04:23 -07:00
23fd427900
Merge pull request #353 from bluejekyll/master
...
adding functionality to directly get and set RSA public key material
2016-03-05 13:57:53 -08:00
04cbf049c0
Add SSL_get_version
2016-02-29 20:14:48 +00:00
ef95223d26
adding functionality to directly get and set RSA key material
2016-02-17 23:18:42 -08:00
1e9667ea89
Add support for SSL_CIPHER
2016-02-17 22:38:32 +00:00
3df4c479c9
Release v0.7.6
2016-02-10 09:36:00 -08:00
18e7e2455c
Merge pull request #330 from esclear/master
...
Add a interface to RSA structs
2016-01-22 19:07:38 -08:00
2ece5b1039
Release v0.7.5
2016-01-22 15:57:21 -08:00
d30d1aa277
Remove raw_pointer_derive lint.
2016-01-22 04:45:52 -08:00
74db7db560
Merge branch 'master' of https://github.com/sfackler/rust-openssl
2016-01-20 19:59:41 +00:00
6ae8298f2c
Make all ffi structs' fields public
2016-01-12 17:46:35 +00:00
c0b9a4c8ec
Added tests for private_rsa_key_from_pem() and public_rsa_key_from_pem()
2016-01-09 14:36:01 -05:00
be23ff3dce
Added PEM_read_bio_RSAPrivateKey and PEM_read_bio_RSA_PUBKEY
2016-01-05 11:23:14 -05:00
5813ca371d
Add RSA structs
2016-01-01 19:33:49 +00:00
926c8167be
Release v0.7.4
2015-12-18 22:41:46 -08:00
9436027866
Fix Cargo.toml to actually depend on gdi32-sys and user32-sys
2015-12-18 23:18:03 +02:00
5fa46d428d
Release v0.7.3
2015-12-17 21:25:48 -08:00
13f7cfd9d8
Release v0.7.2
2015-12-15 19:41:57 -08:00
167008d247
Merge pull request #320 from uasi/add-variations-of-pbkdf2
...
Add PBKDF2-HMAC-SHA256 and -SHA512 functions
2015-12-15 19:30:57 -08:00
514c5ec415
Merge pull request #309 from Geal/master
...
Add support for Server Name indication (SNI) on the server's side
2015-12-15 19:22:39 -08:00
b6647cc610
Put pbkdf2_hmac_{256,512}() behind feature gate
...
PKCS5_PBKDF2_HMAC is not available with openssl-0.9.8 on os x
2015-12-10 23:00:49 +09:00
e9b8627af2
Add PBKDF2-HMAC-SHA256 and -SHA512 functions
2015-12-10 20:29:52 +09:00
91f8c542f7
Replace SslStream implementation!
2015-12-09 23:30:29 -08:00
9ee6f1c578
IT LIVES
2015-12-09 21:43:02 -08:00
4d883d488e
Custom BIO infrastructure
2015-12-08 23:02:38 -08:00
f79fd8cea9
Add BIO type definitions
2015-12-07 23:28:28 -08:00
fce7cf4d36
Release v0.7.1
2015-11-28 16:14:58 -08:00
fcc6be2b01
Avoid empty include paths (i.e. cc -I "" ) as they are not supported by GCC. Fix #311
2015-11-28 16:26:58 +01:00
7835ea1c90
Make shims for SSL_CTX_ctrl and SSL_CTX_callback_ctrl macro wrappers
2015-11-25 08:10:36 +01:00
dba3a0ced2
implement get/set ssl context
2015-11-24 17:11:00 +01:00
cb4263f91e
test SNI support
2015-11-24 17:11:00 +01:00
3c6c4a7b3d
Fix a leak when using `EVP_PKEY_get1_RSA`.
...
`EVP_PKEY_get1_RSA` returns a RSA structure with its reference count
increased by 1 and therefore we need to call `RSA_free` after finishing
using that value.
2015-11-18 11:36:34 +08:00
c0a0b80020
Remove unecessary build dependency
2015-11-16 22:28:56 -08:00
82547f53d7
Release v0.7.0
2015-11-16 21:10:50 -08:00
9ebf094437
Mention why the windows deps are there
2015-11-16 21:03:42 -08:00
be7171ee10
Don't depend on wildcard windows deps
2015-11-16 21:02:23 -08:00
b82b93b813
Merge pull request #297 from retep998/patch-1
...
Explicitly depend on gdi32 and user32 on Windows
2015-11-17 00:01:21 -05:00
f36f610d07
Move HMAC_CTX_copy to sys-extras
2015-11-16 20:16:01 -08:00
a8a10e64ad
Split stuff requiring a shim out to a separate crate
2015-11-16 20:16:01 -08:00
309b6d9f46
Switch to libc 0.2
2015-11-16 20:16:01 -08:00
be2cbabdb7
Revert "Revert "Merge pull request #280 from ltratt/libressl_build""
...
This reverts commit ae3d0e36d7
2015-11-16 20:16:01 -08:00
11e3b1b563
Provide public_decrypt, private_encrypt for PKEY
2015-10-28 18:15:55 +00:00
613a9ff721
Explicitly depend on gdi32 and user32 on Windows
...
Since openssl ends up depending on functions from these system libraries, depend on -sys crates that provide these system libraries.
2015-10-25 05:11:23 -04:00
c37767df8f
Nonblocking streams support.
2015-10-20 23:14:26 -07:00
214c3a60f0
Expose RSA_generate_key_ex.
2015-10-15 08:54:46 -07:00
f318a2c84c
Release v0.6.7
2015-10-14 22:25:35 -04:00
f1e19c9a55
Merge pull request #288 from alexcrichton/include
...
Add metadata for the include dir of openssl
2015-10-14 21:59:10 -04:00
ae3d0e36d7
Revert "Merge pull request #280 from ltratt/libressl_build"
...
This reverts commit aad933e50760ee731408
2015-10-14 21:51:32 -04:00
d341a6efeb
Update OpenSSL version checks to 1.0 numbers instead of 0.10 numbers
2015-10-14 19:39:40 -05:00
8ed840cdf5
Add metadata for the include dir of openssl
...
If OpenSSL is installed at a nonstandard location dependencies on OpenSSL may
want to know where it was found to be installed at.
2015-10-13 15:58:45 -07:00
8f5b67fed4
Merge pull request #286 from jedisct1/use_certificate_chain
...
Add set_certificate_chain_file()
2015-10-13 09:26:18 -04:00
81bc1edb61
Merge pull request #284 from bheart/cfb-mode
...
AES CFB-mode feature
2015-10-12 21:18:27 -04:00
3ca5ecac74
Add certs.pem in cert probe list
...
It turns out that some distributions use /etc/ssl/certs.pem, which was causing some troubles.
Related issue https://github.com/rust-lang/cargo/issues/1978#issuecomment-147515236
2015-10-12 23:20:33 +02:00
a28253ee7d
Add set_certificate_chain_file()
...
SSL_CTX_use_certificate_chain_file() is preferred over
SSL_CTX_use_certificate_file().
It allows the use of complete certificate chains instead of loading
only the first certificate in a PEM file.
2015-10-12 20:54:00 +02:00
acbcb49414
AES CFB{1,8,128} mode support
2015-10-11 20:09:36 +02:00
aad933e507
Merge pull request #280 from ltratt/libressl_build
...
Fix build on LibreSSL.
2015-10-10 21:56:20 -04:00
60ee731408
Merge pull request #277 from nixpulvis/read_public_pem
...
Add public key PEM read function.
2015-10-10 21:55:37 -04:00
677ed6ad1b
Release v0.6.6
2015-10-05 22:34:32 +01:00
0ca71a98ff
Clean up init stuff
2015-10-05 22:05:58 +01:00
6c810e7f9c
Set threadid_func on linux/osx ( fixes #281 )
2015-10-05 21:43:49 +05:30
d7342a09a7
Fix build on LibreSSL.
...
LibreSSL has deprecated SSLv3_method, so this commit makes that a compile-time
feature.
It also removes a test referencing SSL_OP_CISCO_ANYCONNECT, as the LibreSSL
header says it is amongst "Obsolete flags kept for compatibility. No sane code
should use them."
2015-10-03 17:25:38 +00:59
ffa9d330fd
Add public key PEM read function.
2015-10-01 20:33:12 -04:00
28320a65a7
Add SSL::set_ecdh_auto()
...
This sets automatic curve selection and enables ECDH support.
Requires LibreSSL or OpenSSL >= 1.0.2, so behind a feature gate.
2015-09-25 13:15:37 +02:00
b1b76f7913
Merge pull request #266 from jmesmon/alpn
...
ssl/npn+alpn: adjust protocol selection to fail if no protocols match
2015-09-16 11:51:45 -07:00
6666a1818a
Add DH::from_pem() to load DH parameters from a file
2015-09-13 12:44:50 +02:00
50c5042c70
ssl/npn+alpn: adjust protocol selection to fail if no protocols match
...
The current behavior causes a server written using rust-openssl to (if
it cannot negotiate a protocol) fallback to the first protocol it has
avaliable.
This makes it impossible to detect protocol mismatches.
This updates our selection to be more similar to how openssl's
s_server behaves: non-matching protocols are not supplied with a
fallback.
Note that some setups may actually want a fallback protocol supplied
via ALPN. To support those cases, we should consider adding a generic
callback that allows protocol selection to be entirely controlled by
the programmer.
For the purposes of having a sane default, however, not supplying a
default (and mimicing s_server's behavior) is the best choice.
2015-09-01 17:14:04 -04:00
bf16c19f31
Swap order of linking ssl/crypto
...
GNU linkers will sometimes aggressively try to strip objects and archives from a
linker command line in a left-to-right fashion. When a linker hits an object
file that doesn't satisfy any unresolved symbols, it will discard the object and
not re-visit it. This means that currently if symbols are depended upon in
libssl then some of the dependencies of libssl (in libcrypto) may have already
been stripped, causing a link error.
By swapping the order of what's linked it reflects the natural flow of
dependencies and the linker should figure everything out for us.
2015-09-01 11:24:32 -07:00
e28b73e1f6
Merge pull request #259 from jedisct1/dh
...
Add support for DHE for forward secrecy
2015-09-01 00:10:03 -04:00
7b0b70bd13
Release v0.6.5
2015-08-31 19:10:27 -07:00
9add4e1001
Add support for set_tmp_dh() and RFC5114 DH parameters for forward secrecy.
...
rust-openssl didn't support forward secrecy at all.
This adds support for DHE, by exposing set_tmp_dh() as well as the RFC5114
parameters, which are conveniently exposed since OpenSSL 1.0.2.
With OpenSSL >= 1.0.2, and the rfc5114 feature gate, enabling DHE is as simple
as (here for 2048-bit MODP group with 256-bit prime order subgroup):
use openssl::dh::DH;
let dh = DH::get_2048_256().unwrap();
ctx.set_tmp_dh(dh).unwrap();
With OpenSSL < 1.0.2, DH::from_params() can be used to manually specify the
DH parameters (here for 2048-bit MODP group with 256-bit prime order subgroup):
use openssl::bn::BigNum;
use openssl::dh::DH;
let p = BigNum::from_hex_str("87A8E61DB4B6663CFFBBD19C651959998CEEF608660DD0F25D2CEED4435E3B00E00DF8F1D61957D4FAF7DF4561B2AA3016C3D91134096FAA3BF4296D830E9A7C209E0C6497517ABD5A8A9D306BCF67ED91F9E6725B4758C022E0B1EF4275BF7B6C5BFC11D45F9088B941F54EB1E59BB8BC39A0BF12307F5C4FDB70C581B23F76B63ACAE1CAA6B7902D52526735488A0EF13C6D9A51BFA4AB3AD8347796524D8EF6A167B5A41825D967E144E5140564251CCACB83E6B486F6B3CA3F7971506026C0B857F689962856DED4010ABD0BE621C3A3960A54E710C375F26375D7014103A4B54330C198AF126116D2276E11715F693877FAD7EF09CADB094AE91E1A1597").unwrap();
let g = BigNum::from_hex_str("3FB32C9B73134D0B2E77506660EDBD484CA7B18F21EF205407F4793A1A0BA12510DBC15077BE463FFF4FED4AAC0BB555BE3A6C1B0C6B47B1BC3773BF7E8C6F62901228F8C28CBB18A55AE31341000A650196F931C77A57F2DDF463E5E9EC144B777DE62AAAB8A8628AC376D282D6ED3864E67982428EBC831D14348F6F2F9193B5045AF2767164E1DFC967C1FB3F2E55A4BD1BFFE83B9C80D052B985D182EA0ADB2A3B7313D3FE14C8484B1E052588B9B7D2BBD2DF016199ECD06E1557CD0915B3353BBB64E0EC377FD028370DF92B52C7891428CDC67EB6184B523D1DB246C32F63078490F00EF8D647D148D47954515E2327CFEF98C582664B4C0F6CC41659").unwrap();
let q = BigNum::from_hex_str("8CF83642A709A097B447997640129DA299B1A47D1EB3750BA308B0FE64F5FBD3").unwrap();
let dh = DH::from_params(p, g, q).unwrap();
ctx.set_tmp_dh(dh).unwrap();
2015-08-31 23:12:57 +02:00
dc8cba4822
Merge pull request #251 from ebarnard/evp_bytestokey
...
Expose EVP_BytesToKey
2015-08-23 13:37:55 -04:00
8067565707
Expose EVP_BytesToKey
...
This is based on work by pyrho.
Closes #88
2015-08-23 17:08:18 +07:00
4cb68efd99
Merge pull request #253 from manuels/master
...
Add get_state_string()
2015-08-19 02:31:15 -04:00
3fe3d57976
Add get_state_string()
2015-08-17 19:01:43 +02:00
769b8312d8
Merge pull request #240 from jethrogb/topic/x509_req_extension
...
Implement certificate extensions for certificate requests
2015-08-15 16:04:42 -04:00
a10604e15d
Merge pull request #243 from manuels/master
...
Fix probelms with DTLS when no packets are pending.
2015-08-02 22:27:19 -04:00
Steven Fackler