Age | Commit message (Collapse) | Author | |
---|---|---|---|
2015-09-14 | tweak previous; | Jason McIntyre | |
2015-09-14 | Provide tls_config_insecure_noverifytime() in order to be able to disable | Joel Sing | |
certificate validity checking. ok beck@ | |||
2015-09-14 | Remove useless quoting from .Fo and .Fn function names, to prevent | Ingo Schwarze | |
development of a cargo cult in case people look at existing files for examples. This achieves a consistent .Fo and .Fn quoting style across the whole tree. | |||
2015-09-14 | some conn_version and conn_cipher bits; | Jason McIntyre | |
2015-09-14 | Expose EOF without close-notify via tls_close(). | Joel Sing | |
Make tls_read(3)/tls_write(3) follow read(2)/write(2) like semantics and return 0 on EOF with and without close-notify. However, if we saw an EOF from the underlying file descriptors without getting a close-notify, save this and make it visible when tls_close(3) is called. This keeps the semantics we want, but makes it possible to detect truncation at higher layers, if necessary. ok beck@ guenther@ | |||
2015-09-14 | Return an error if tls_handshake() or tls_close() is called on a context | Joel Sing | |
for which they are not valid operations. ok beck@ | |||
2015-09-14 | add missing function return types | Ingo Schwarze | |
2015-09-13 | Crank major version due to removal of SHA-0 and MD4 from libcrypto. | Doug Hogan | |
2015-09-13 | work around the stupid semantics of SSL_read and SSL_write to make sure | Bob Beck | |
we can indicate an EOF properly on tls_read and tls_write ok jsing@ | |||
2015-09-13 | Don't leak conninfo - spotted by marko kreen. | Bob Beck | |
ok jsing@ | |||
2015-09-13 | Mechanical minor bump to follow libcrypto. | Miod Vallat | |
2015-09-13 | add visibility of ciper and connection version strings | Bob Beck | |
ok jsing@ | |||
2015-09-12 | Move connection info into it's own private structure allocated and filled in | Bob Beck | |
at handshake time. change accessors to return const char * to remove need for caller to free memory. ok jsing@ | |||
2015-09-12 | Ensure that we clear the libssl error stack before we make a function call | Joel Sing | |
that we will pass the result through tls_ssl_error() on failure. Otherwise we can end up reporting spurious errors due to their being unrelated errors already on the error stack. Spotted by Marko Kreen. ok beck@ | |||
2015-09-12 | Put tls_peer_cert* functions in the same place. | Joel Sing | |
2015-09-11 | typo | Theo de Raadt | |
2015-09-11 | more for NAME; | Jason McIntyre | |
2015-09-11 | more cleanup; | Jason McIntyre | |
2015-09-11 | update NAME; various cleanup | Jason McIntyre | |
2015-09-11 | document tls_get_peer_subject, tls_get_peer_issuer, and tls_get_peer_hash | Bob Beck | |
ok jsing@ | |||
2015-09-11 | != -> == that I broke while bikeshedding | Bob Beck | |
2015-09-11 | Do not match a wildcard against a name with no host part. | Bob Beck | |
ok jsing@ | |||
2015-09-11 | add tls_peer functions for checking names and issuers of peer certificates. | Bob Beck | |
ok jsing@ | |||
2015-09-11 | Provide tls_peer_cert_hash() which returns a hash of the raw certificate | Joel Sing | |
that was presented by the peer. The hash used is currently SHA256, however since we prefix the result with the hash name, we can change this in the future as the need arises. The same output can be generated by using: h=$(openssl x509 -outform der -in mycert.crt | sha256) printf "SHA256:${h}\n" ok beck@ | |||
2015-09-11 | Store a reference to the peer certificate (if any) upon completion of the | Joel Sing | |
handshake. Free the reference when we reset the TLS context. ok beck@ | |||
2015-09-11 | specify what is permitted as an argument to tls_config_set_ciphers() | Bob Beck | |
2015-09-11 | actually set return value to 0 on success. | Bob Beck | |
ok jsing@ who wears the cone of shame. | |||
2015-09-11 | - add some missing NAME entries | Jason McIntyre | |
- zap trailing whitespace - avoid "can not" | |||
2015-09-11 | sort MLINKS into the same order as the man page; | Jason McIntyre | |
2015-09-10 | Call tls_set_errorx() instead of tls_set_error() in | Joel Sing | |
tls_configure_ssl_verify(). Also tweak an error message and unwrap a line. | |||
2015-09-10 | improve examples, | Theo de Raadt | |
1. hoist pollfd fields which don't change upwards 2. show ret as ssize_t, it MUST BE, or there will be lots of crying 3. on first pass, must check for either POLLIN|POLLOUT ok millert beck | |||
2015-09-10 | document client side certificate verification functionality. | Bob Beck | |
ok jsing@ | |||
2015-09-10 | document changed tls_read and tls_write semantics. | Bob Beck | |
document functions that clear errno. change examples to provide demonstration of both the blocking and non-blocking cases. ok jsing@, bluhm@ | |||
2015-09-10 | mlink tls_handshake; | Jason McIntyre | |
2015-09-10 | tweak previous; | Jason McIntyre | |
2015-09-10 | Correctly document the behaviour of tls_close() - the caller is responsible | Joel Sing | |
for closing the file descriptors unless libtls allocated them. ok beck@ | |||
2015-09-10 | Replace TLS_{READ,WRITE}_AGAIN with TLS_WANT_POLL{IN,OUT} and correctly | Joel Sing | |
document the calling requirements. ok beck@ | |||
2015-09-10 | Update libtls man page to reflect tls_handshake() related changes. | Joel Sing | |
ok beck@ | |||
2015-09-10 | revert accidental commit | Bob Beck | |
2015-09-10 | comment for errno clobbering, to indicate why we do this. | Bob Beck | |
ok deraadt@ jsing@ | |||
2015-09-10 | bump major | Bob Beck | |
ok jsing@ | |||
2015-09-10 | change TLS_READ_AGAIN to TLS_WANT_POLLIN and TLS_WRITE_AGAIN to TLS_WANT_POLLOUT | Bob Beck | |
to make it more clear to users of this api what needs to be done in these error cases. Discussed extensively with bluhm@ and jsing@ and others. ok jsing@ | |||
2015-09-10 | Change tls_read and tls_write semantics to return an ssize_t to better | Bob Beck | |
match read() and write() semantics to make porting existing code using read/write easier.. requested by bluhm@ who convinced jsing and I to break the api ok jsing@ bluhm@ | |||
2015-09-10 | Split tls_handshake() out from tls_accept/tls_connect. By doing this the | Joel Sing | |
tls_accept/tls_connect functions can be guaranteed to succeed or fail and will no longer return TLS_READ_AGAIN/TLS_WRITE_AGAIN. This also resolves the semantics of tls_accept_*. The tls_handshake() function now does I/O and can return TLS_READ_AGAIN/TLS_WRITE_AGAIN. Calls to tls_read() and tls_write() will trigger the handshake if it has not already completed, meaning that in many cases existing code will continue to work. Discussed over many coffees at l2k15. ok beck@ bluhm@ | |||
2015-09-10 | add MLINKS for _prefer_ciphers_* | Jason McIntyre | |
2015-09-10 | Add support for preferring the server's cipher list or the client's cipher | Joel Sing | |
list. Prefer the server's cipher list by default. Based on a diff from Kyle Thompson <jmp at giga dot moe>. ok beck@ bcook@ | |||
2015-09-09 | Indent labels with a space so that diff -p is more friendly. | Joel Sing | |
Requested by bluhm@ | |||
2015-09-09 | Add client certificate support. Still needs a few tweaks but this will | Bob Beck | |
ride upcoming minor bump ok jsing@ | |||
2015-09-09 | always clear errno when coming back from tls_read tls_write, and tls_close. | Bob Beck | |
this avoids the problem of people checking for return values < 0 and then checking for errno before checking for TLS_READ_AGAIN TLS_WRITE_AGAIN - since we can not guarantee what errno will be set to from the underlying library calls | |||
2015-09-09 | nuke trailing whitespace | Bob Beck | |
ok jsing@ |