| Age | Commit message (Collapse) | Author |
|---|
|
No change to generated assembly.
|
|
rather than return codes. More strictly follow RFC 6125, in particular only
check the CN if there are no SAN identifiers present in the certificate
(per section 6.4.4).
Previous behaviour questioned by Daniel Stenberg <daniel at haxx dot se>.
ok beck@ jca@
|
|
ok miod@
|
|
This allows working with buffers and callback functions instead of directly on
sockets or file descriptors.
Original patch from Tobias Pape <tobias_at_netshed.de>.
ok beck@
|
|
Requested by deraadt@
|
|
ok deraadt@
|
|
|
|
ok jsing@
|
|
ok jsing@
|
|
Requested by bluhm@
|
|
The tls_set_error() function previously stored the errno but did nothing
with it. Change tls_set_error() to append the strerror(3) of the stored
errno so that we include useful information regarding failures.
Provide a tls_set_errorx() function that does not store the errno or
include strerror(3) in the error message. Call this function instead of
tls_set_error() for errors where the errno value has no useful meaning.
With feedback from and ok doug@
|
|
Spotted by Marko Kreen.
Rides libtls major bump.
|
|
RFC 5280 says " " must not be used as a dNSName.
ok jsing@ jca@
|
|
to an actual host and use "servername" when referring to the name of the
TLS server that we expect to be indentified in the server certificate.
Likewise, rename verify_host to verify_name and use the term "name"
throughout the verification code (rather than host or hostname).
Requested by and ok tedu@
|
|
libtls accepts size_t for lengths but libssl accepts int. This verifies
that the input does not exceed INT_MAX. It also avoids truncating size_t
when comparing with int and adds printf-style attributes for
tls_set_error().
with input from deraadt@ and tedu@
ok tedu@
|
|
Remove direct calls to printf from the tls_check_hostname() path. This allows
NUL byte error messages to bubble up to the caller, to be logged in a
program-appropriate way. It also removes non-portable calls to getprogname().
ok jsing@
|
|
sk_GENERAL_NAME_pop_free() instead of sk_GENERAL_NAME_free(). The latter
only frees the stack itself and does not free the items.
From Basskrapfen on github.
|
|
|
|
Remove direct calls to printf from the tls_check_hostname() path. This allows
NUL byte error messages to bubble up to the caller, to be logged in a
program-appropriate way. It also removes non-portable calls to getprogname().
The semantics of tls_error() are changed slightly: the last error message is
not necessarily preserved between subsequent calls into the library.
When the previous call to libtls succeeds, client programs should treat the
return value of tls_error() as undefined.
ok tedu@
|
|
distinguish between LibreSSL (the project) and libressl (the library).
Discussed with many.
|
