path: root/lib/libtls
Age         Commit message (Author)

2015-11-09  update some client/server info; from jan klemkow  (Jason McIntyre)
            ok jsing

2015-11-02  bump minors after adding EVP_aead_chacha20_poly1305_ietf()  (Reyk Floeter)
            OK jsing@

2015-10-16  Put tls_config_verify_client_optional() in the right place.  (Joel Sing)

2015-10-16  Fix typo.  (Joel Sing)

2015-10-09  fix a gotcha in the connect refactoring, that could result in dropping  (Theo de Raadt)
            through and trying to bind failed v6 connects.
            ok guenther

2015-10-08  If getaddrinfo() succeeds, then don't try lookups with other flags, even  (Philip Guenther)
            if the connect()s failed. In concert with some resolver fixes in libc,
            this lets ntpd be tame()ed.
            problem isolated by theo, who had fun untangling the libc and libtls
            behaviors to place blame for not being able to tame ntpd
            ok beck@ deraadt@ jsing@

2015-10-08  trailing whitespace;  (Jason McIntyre)

2015-10-07  Add tls_peer_cert_notbefore and tls_peer_cert_notafter to expose peer  (Bob Beck)
            certificate validity times for tls connections.
            ok jsing@

2015-10-07  Allow us to get cipher and version even if there is not a peer certificate.  (Bob Beck)
            ok doug@

2015-10-01  include <sys/types.h> for ssize_t  (Brent Cook)
            ok jsing@, deraadt@

2015-09-29  Instead of declaring a union in multiple places, move it to tls_internal.h.  (Joel Sing)
            ok deraadt@

2015-09-29  clean some ugly indentation warts  (Theo de Raadt)

2015-09-28  Explicit NULL checks and style(9) tweaks.  (Joel Sing)

2015-09-14  tweak previous;  (Jason McIntyre)

2015-09-14  Provide tls_config_insecure_noverifytime() in order to be able to disable  (Joel Sing)
            certificate validity checking.
            ok beck@

2015-09-14  Remove useless quoting from .Fo and .Fn function names, to prevent  (Ingo Schwarze)
            development of a cargo cult in case people look at existing files for
            examples. This achieves a consistent .Fo and .Fn quoting style across
            the whole tree.

2015-09-14  some conn_version and conn_cipher bits;  (Jason McIntyre)

2015-09-14  Expose EOF without close-notify via tls_close().  (Joel Sing)
            Make tls_read(3)/tls_write(3) follow read(2)/write(2)-like semantics
            and return 0 on EOF with and without close-notify. However, if we saw
            an EOF from the underlying file descriptors without getting a
            close-notify, save this and make it visible when tls_close(3) is
            called. This keeps the semantics we want, but makes it possible to
            detect truncation at higher layers, if necessary.
            ok beck@ guenther@

2015-09-14  Return an error if tls_handshake() or tls_close() is called on a context  (Joel Sing)
            for which they are not valid operations.
            ok beck@

2015-09-14  add missing function return types  (Ingo Schwarze)

2015-09-13  Crank major version due to removal of SHA-0 and MD4 from libcrypto.  (Doug Hogan)

2015-09-13  work around the stupid semantics of SSL_read and SSL_write to make sure  (Bob Beck)
            we can indicate an EOF properly on tls_read and tls_write
            ok jsing@

2015-09-13  Don't leak conninfo - spotted by marko kreen.  (Bob Beck)
            ok jsing@

2015-09-13  Mechanical minor bump to follow libcrypto.  (Miod Vallat)

2015-09-13  add visibility of cipher and connection version strings  (Bob Beck)
            ok jsing@

2015-09-12  Move connection info into its own private structure allocated and filled in  (Bob Beck)
            at handshake time. change accessors to return const char * to remove
            need for caller to free memory.
            ok jsing@

2015-09-12  Ensure that we clear the libssl error stack before we make a function call  (Joel Sing)
            that we will pass the result through tls_ssl_error() on failure.
            Otherwise we can end up reporting spurious errors due to there being
            unrelated errors already on the error stack. Spotted by Marko Kreen.
            ok beck@

2015-09-12  Put tls_peer_cert* functions in the same place.  (Joel Sing)

2015-09-11  typo  (Theo de Raadt)

2015-09-11  more for NAME;  (Jason McIntyre)

2015-09-11  more cleanup;  (Jason McIntyre)

2015-09-11  update NAME; various cleanup  (Jason McIntyre)

2015-09-11  document tls_get_peer_subject, tls_get_peer_issuer, and tls_get_peer_hash  (Bob Beck)
            ok jsing@

2015-09-11  != -> == that I broke while bikeshedding  (Bob Beck)

2015-09-11  Do not match a wildcard against a name with no host part.  (Bob Beck)
            ok jsing@

2015-09-11  add tls_peer functions for checking names and issuers of peer certificates.  (Bob Beck)
            ok jsing@

2015-09-11  Provide tls_peer_cert_hash() which returns a hash of the raw certificate  (Joel Sing)
            that was presented by the peer. The hash used is currently SHA256,
            however since we prefix the result with the hash name, we can change
            this in the future as the need arises. The same output can be
            generated by using:
                h=$(openssl x509 -outform der -in mycert.crt | sha256)
                printf "SHA256:${h}\n"
            ok beck@

2015-09-11  Store a reference to the peer certificate (if any) upon completion of the  (Joel Sing)
            handshake. Free the reference when we reset the TLS context.
            ok beck@

2015-09-11  specify what is permitted as an argument to tls_config_set_ciphers()  (Bob Beck)

2015-09-11  actually set return value to 0 on success.  (Bob Beck)
            ok jsing@ who wears the cone of shame.

2015-09-11  - add some missing NAME entries  (Jason McIntyre)
            - zap trailing whitespace
            - avoid "can not"

2015-09-11  sort MLINKS into the same order as the man page;  (Jason McIntyre)

2015-09-10  Call tls_set_errorx() instead of tls_set_error() in  (Joel Sing)
            tls_configure_ssl_verify(). Also tweak an error message and unwrap a line.

2015-09-10  improve examples,  (Theo de Raadt)
            1. hoist pollfd fields which don't change upwards
            2. show ret as ssize_t, it MUST BE, or there will be lots of crying
            3. on first pass, must check for either POLLIN|POLLOUT
            ok millert beck

2015-09-10  document client side certificate verification functionality.  (Bob Beck)
            ok jsing@

2015-09-10  document changed tls_read and tls_write semantics.  (Bob Beck)
            document functions that clear errno. change examples to provide
            demonstration of both the blocking and non-blocking cases.
            ok jsing@, bluhm@

2015-09-10  mlink tls_handshake;  (Jason McIntyre)

2015-09-10  tweak previous;  (Jason McIntyre)

2015-09-10  Correctly document the behaviour of tls_close() - the caller is responsible  (Joel Sing)
            for closing the file descriptors unless libtls allocated them.
            ok beck@

2015-09-10  Replace TLS_{READ,WRITE}_AGAIN with TLS_WANT_POLL{IN,OUT} and correctly  (Joel Sing)
            document the calling requirements.
            ok beck@