Age | Commit message | Author |
|
The tls_set_error() function previously stored the errno but did nothing
with it. Change tls_set_error() to append the strerror(3) of the stored
errno so that we include useful information regarding failures.
Provide a tls_set_errorx() function that does not store the errno or
include strerror(3) in the error message. Call this function instead of
tls_set_error() for errors where the errno value has no useful meaning.
With feedback from and ok doug@
|
|
ensure that the temporary state flags get cleared in tls_reset(). Fixes a
bug spotted by Marko Kreen whereby TLS_CONNECTING could remain on reset.
While here, also move the TLS_STATE_CONNECTING check to after the
TLS_CLIENT check - if TLS_STATE_CONNECTING was ever set on any other
context type it would allow a bypass.
ok bluhm@
|
|
Spotted by Marko Kreen.
Rides libtls major bump.
|
|
|
|
|
|
around CRYPTO_set_ex_data(), which can fail. Since this is the case, check
the return value of CRYPTO_set_ex_data^WSSL_set_ex_data^WSSL_set_app_data.
|
|
data (as is already done for server connections).
From Marko Kreen.
|
|
broken by r1.4.
Spotted by Marko Kreen.
|
|
OpenSSL stopped building it last year and removed it this year.
Based on OpenSSL commit c436e05bdc7f49985a750df64122c960240b3ae1.
Also cranked major version in libcrypto, libssl and libtls.
"fine with me" bcook@ miod@
|
|
|
|
changed in an incompatible way regarding partial writes.
OK miod@ deraadt@
|
|
ok beck@
|
|
in libtls. This gives tls_write() a similar short write semantics
as write(2). So implementing daemons with libevent buffers will
be easier and workarounds in syslogd and httpd can be removed.
OK tedu@ beck@ reyk@
|
|
ok miod@ jsing@
|
|
This makes using libtls easier to include by including dependent headers,
making something like this work as expected:
#include <iostream>
#include <tls.h>
int main()
{
	std::cout << "tls_init: " << tls_init() << "\n";
}
This also makes building a standalone libtls-portable simpler.
ok doug@, jsing@
|
|
ok mpi@
|
|
|
|
RFC 5280 says " " must not be used as a dNSName.
ok jsing@ jca@
|
|
ensure that outlen is set to zero so that tls_read() has read(2) like
semantics for EOF.
Spotted by doug@
|
|
from the other side and only return TLS_READ_AGAIN/TLS_WRITE_AGAIN if we
failed to send a close notify on a non-blocking socket.
Otherwise be more forceful and always shutdown/close the socket regardless
of other failures. Also do not consider ENOTCONN or ECONNRESET to be a
shutdown failure, since there are various situations where this can occur.
ok doug@ guenther@
|
|
|
|
close the connection. Also correctly handle the error on failure.
Diff from cookieandscream via github.
|
|
Diff from Tim van der Molen.
ok jmc@
|
|
TLS_READ_AGAIN and TLS_WRITE_AGAIN.
Based on a diff from Tim van der Molen.
|
|
|
|
accepted via an existing pair of file descriptors.
Based on a diff from Jan Klemkow.
|
|
for the server, rather than on the context for the connection. This makes
more sense than the current behaviour does.
Issue reported by Tim van der Molen.
|
|
repeated use of tls_connect. ok jsing
|
|
them guaranteed to not conflict per POSIX.
ok espie@ guenther@
|
|
|
|
tls_config_insecure_noverifyname(), so that it is more accurate and keeps
in line with the distinction between DNS hostname and server name.
Requested by tedu@ during s2k15.
|
|
configuration.
|
|
be those that are TLSv1.2 with AEAD and PFS. Provide a "compat" mode that
allows the previous default ciphers to be selected.
Discussed with tedu@ during s2k15.
|
|
|
|
|
|
ok jsing
|
|
|
|
tls_config_set_protocols().
|
|
|
|
to be converted into a libtls protocols value. This allows for things like:
"tlsv1.0,tlsv1.1" (TLSv1.0 and TLSv1.1)
"all,!tlsv1.0" (all protocols except TLSv1.0)
Discussed with tedu@ and reyk@
|
|
Found by reyk@
|
|
that includes all currently supported protocols (TLSv1.0, TLSv1.1 and
TLSv1.2). Change all users of libtls to use TLS_PROTOCOLS_ALL so that they
maintain existing behaviour.
Discussed with tedu@ and reyk@.
|
|
as tls_connect(), however allows the name to use for verification to be
explicitly provided, rather than being inferred from the host value.
Requested by reyk@
ok reyk@ tedu@
|
|
to an actual host and use "servername" when referring to the name of the
TLS server that we expect to be identified in the server certificate.
Likewise, rename verify_host to verify_name and use the term "name"
throughout the verification code (rather than host or hostname).
Requested by and ok tedu@
|
|
IPv4 or IPv6 address before trying to resolve the address with the
AI_ADDRCONFIG flag set. This makes sure that attempts to connect to
numeric IPs or loopback addresses are always possible and not
prevented by AI_ADDRCONFIG.
OK jsing@ tedu@
|
|
to ignore unsupported address families - eg. don't resolve IPv6 on
IPv4-only hosts.
OK jsing@
|
|
|
|
The tls_accept_socket() has been previously removed because the API is
not fixed yet; but it is also already used by httpd(8) and spamd(8) so
it is time to add it again and eventually change it later.
OK tedu@
|
|
into memory. This can be used for tls_config_set_ca_mem(),
tls_config_set_cert_mem() or tls_config_set_key_mem().
With input from jsing@, tedu@ and henning@
OK tedu@
|
|
dance handling code. This means that we get slightly useful messages when
a TLS connection or accept fails.
Requested by reyk@
|