Age | Commit message (Collapse) | Author | |
---|---|---|---|
2015-11-09 | update some client/server info; from jan klemkow | Jason McIntyre | |
ok jsing | |||
2015-11-02 | bump minors after adding EVP_aead_chacha20_poly1305_ietf() | Reyk Floeter | |
OK jsing@ | |||
2015-10-16 | Put tls_config_verify_client_optional() in the right place. | Joel Sing | |
2015-10-16 | Fix tpyo. | Joel Sing | |
2015-10-09 | fix a gotcha in the connect refactoring, that could result in dropping | Theo de Raadt | |
through and trying to bind failed v6 connects. ok guenther | |||
2015-10-08 | If getaddrinfo() succeeds, then don't try look ups with other flags, even | Philip Guenther | |
if the connect()s failed. In concert with some resolver fixes in libc, this lets ntpd be tame()ed problem isolated by theo, who had fun untangling the libc and libtls behaviors to place blame for not being able to tame ntpd ok beck@ deraadt@ jsing@ | |||
2015-10-08 | trailing whitespace; | Jason McIntyre | |
2015-10-07 | Add tls_peer_cert_notbefore and tls_peer_cert_notafter to expose peer ↵ | Bob Beck | |
certificate validity times for tls connections. ok jsing@ | |||
2015-10-07 | Allow us to get cipher and version even if there is not a peer certificate. | Bob Beck | |
ok doug@ | |||
2015-10-01 | include <sys/types.h> for ssize_t | Brent Cook | |
ok jsing@, deraadt@ | |||
2015-09-29 | Instead of declaring a union in multiple places, move it to tls_internal.h. | Joel Sing | |
ok deraadt@ | |||
2015-09-29 | clean some ugly intendation warts | Theo de Raadt | |
2015-09-28 | Explicit NULL checks and style(9) tweaks. | Joel Sing | |
2015-09-14 | tweak previous; | Jason McIntyre | |
2015-09-14 | Provide tls_config_insecure_noverifytime() in order to be able to disable | Joel Sing | |
certificate validity checking. ok beck@ | |||
2015-09-14 | Remove useless quoting from .Fo and .Fn function names, to prevent | Ingo Schwarze | |
development of a cargo cult in case people look at existing files for examples. This achieves a consistent .Fo and .Fn quoting style across the whole tree. | |||
2015-09-14 | some conn_version and conn_cipher bits; | Jason McIntyre | |
2015-09-14 | Expose EOF without close-notify via tls_close(). | Joel Sing | |
Make tls_read(3)/tls_write(3) follow read(2)/write(2) like semantics and return 0 on EOF with and without close-notify. However, if we saw an EOF from the underlying file descriptors without getting a close-notify, save this and make it visible when tls_close(3) is called. This keeps the semantics we want, but makes it possible to detect truncation at higher layers, if necessary. ok beck@ guenther@ | |||
2015-09-14 | Return an error if tls_handshake() or tls_close() is called on a context | Joel Sing | |
for which they are not valid operations. ok beck@ | |||
2015-09-14 | add missing function return types | Ingo Schwarze | |
2015-09-13 | Crank major version due to removal of SHA-0 and MD4 from libcrypto. | Doug Hogan | |
2015-09-13 | work around the stupid semantics of SSL_read and SSL_write to make sure | Bob Beck | |
we can indicate an EOF properly on tls_read and tls_write ok jsing@ | |||
2015-09-13 | Don't leak conninfo - spotted by marko kreen. | Bob Beck | |
ok jsing@ | |||
2015-09-13 | Mechanical minor bump to follow libcrypto. | Miod Vallat | |
2015-09-13 | add visibility of ciper and connection version strings | Bob Beck | |
ok jsing@ | |||
2015-09-12 | Move connection info into it's own private structure allocated and filled in | Bob Beck | |
at handshake time. change accessors to return const char * to remove need for caller to free memory. ok jsing@ | |||
2015-09-12 | Ensure that we clear the libssl error stack before we make a function call | Joel Sing | |
that we will pass the result through tls_ssl_error() on failure. Otherwise we can end up reporting spurious errors due to their being unrelated errors already on the error stack. Spotted by Marko Kreen. ok beck@ | |||
2015-09-12 | Put tls_peer_cert* functions in the same place. | Joel Sing | |
2015-09-11 | typo | Theo de Raadt | |
2015-09-11 | more for NAME; | Jason McIntyre | |
2015-09-11 | more cleanup; | Jason McIntyre | |
2015-09-11 | update NAME; various cleanup | Jason McIntyre | |
2015-09-11 | document tls_get_peer_subject, tls_get_peer_issuer, and tls_get_peer_hash | Bob Beck | |
ok jsing@ | |||
2015-09-11 | != -> == that I broke while bikeshedding | Bob Beck | |
2015-09-11 | Do not match a wildcard against a name with no host part. | Bob Beck | |
ok jsing@ | |||
2015-09-11 | add tls_peer functions for checking names and issuers of peer certificates. | Bob Beck | |
ok jsing@ | |||
2015-09-11 | Provide tls_peer_cert_hash() which returns a hash of the raw certificate | Joel Sing | |
that was presented by the peer. The hash used is currently SHA256, however since we prefix the result with the hash name, we can change this in the future as the need arises. The same output can be generated by using: h=$(openssl x509 -outform der -in mycert.crt | sha256) printf "SHA256:${h}\n" ok beck@ | |||
2015-09-11 | Store a reference to the peer certificate (if any) upon completion of the | Joel Sing | |
handshake. Free the reference when we reset the TLS context. ok beck@ | |||
2015-09-11 | specify what is permitted as an argument to tls_config_set_ciphers() | Bob Beck | |
2015-09-11 | actually set return value to 0 on success. | Bob Beck | |
ok jsing@ who wears the cone of shame. | |||
2015-09-11 | - add some missing NAME entries | Jason McIntyre | |
- zap trailing whitespace - avoid "can not" | |||
2015-09-11 | sort MLINKS into the same order as the man page; | Jason McIntyre | |
2015-09-10 | Call tls_set_errorx() instead of tls_set_error() in | Joel Sing | |
tls_configure_ssl_verify(). Also tweak an error message and unwrap a line. | |||
2015-09-10 | improve examples, | Theo de Raadt | |
1. hoist pollfd fields which don't change upwards 2. show ret as ssize_t, it MUST BE, or there will be lots of crying 3. on first pass, must check for either POLLIN|POLLOUT ok millert beck | |||
2015-09-10 | document client side certificate verification functionality. | Bob Beck | |
ok jsing@ | |||
2015-09-10 | document changed tls_read and tls_write semantics. | Bob Beck | |
document functions that clear errno. change examples to provide demonstration of both the blocking and non-blocking cases. ok jsing@, bluhm@ | |||
2015-09-10 | mlink tls_handshake; | Jason McIntyre | |
2015-09-10 | tweak previous; | Jason McIntyre | |
2015-09-10 | Correctly document the behaviour of tls_close() - the caller is responsible | Joel Sing | |
for closing the file descriptors unless libtls allocated them. ok beck@ | |||
2015-09-10 | Replace TLS_{READ,WRITE}_AGAIN with TLS_WANT_POLL{IN,OUT} and correctly | Joel Sing | |
document the calling requirements. ok beck@ |