path: root/lib/libtls
Age         Author           Commit message

2015-09-14  Jason McIntyre
    tweak previous;

2015-09-14  Joel Sing
    Provide tls_config_insecure_noverifytime() in order to be able to disable
    certificate validity checking. ok beck@

2015-09-14  Ingo Schwarze
    Remove useless quoting from .Fo and .Fn function names, to prevent
    development of a cargo cult in case people look at existing files for
    examples. This achieves a consistent .Fo and .Fn quoting style across the
    whole tree.

2015-09-14  Jason McIntyre
    some conn_version and conn_cipher bits;

2015-09-14  Joel Sing
    Expose EOF without close-notify via tls_close().
    Make tls_read(3)/tls_write(3) follow read(2)/write(2)-like semantics and
    return 0 on EOF with and without close-notify. However, if we saw an EOF
    from the underlying file descriptors without getting a close-notify, save
    this and make it visible when tls_close(3) is called. This keeps the
    semantics we want, but makes it possible to detect truncation at higher
    layers, if necessary. ok beck@ guenther@

2015-09-14  Joel Sing
    Return an error if tls_handshake() or tls_close() is called on a context
    for which they are not valid operations. ok beck@

2015-09-14  Ingo Schwarze
    add missing function return types

2015-09-13  Doug Hogan
    Crank major version due to removal of SHA-0 and MD4 from libcrypto.

2015-09-13  Bob Beck
    work around the stupid semantics of SSL_read and SSL_write to make sure
    we can indicate an EOF properly on tls_read and tls_write. ok jsing@

2015-09-13  Bob Beck
    Don't leak conninfo - spotted by marko kreen.
    ok jsing@

2015-09-13  Miod Vallat
    Mechanical minor bump to follow libcrypto.

2015-09-13  Bob Beck
    add visibility of cipher and connection version strings
    ok jsing@

2015-09-12  Bob Beck
    Move connection info into its own private structure allocated and filled in
    at handshake time. Change accessors to return const char * to remove the
    need for the caller to free memory. ok jsing@

2015-09-12  Joel Sing
    Ensure that we clear the libssl error stack before we make a function call
    that we will pass the result through tls_ssl_error() on failure. Otherwise
    we can end up reporting spurious errors due to there being unrelated errors
    already on the error stack. Spotted by Marko Kreen. ok beck@

2015-09-12  Joel Sing
    Put tls_peer_cert* functions in the same place.

2015-09-11  Theo de Raadt
    typo

2015-09-11  Jason McIntyre
    more for NAME;

2015-09-11  Jason McIntyre
    more cleanup;

2015-09-11  Jason McIntyre
    update NAME; various cleanup

2015-09-11  Bob Beck
    document tls_get_peer_subject, tls_get_peer_issuer, and tls_get_peer_hash
    ok jsing@

2015-09-11  Bob Beck
    != -> == that I broke while bikeshedding

2015-09-11  Bob Beck
    Do not match a wildcard against a name with no host part.
    ok jsing@

2015-09-11  Bob Beck
    add tls_peer functions for checking names and issuers of peer certificates.
    ok jsing@

2015-09-11  Joel Sing
    Provide tls_peer_cert_hash() which returns a hash of the raw certificate
    that was presented by the peer. The hash used is currently SHA256, however
    since we prefix the result with the hash name, we can change this in the
    future as the need arises. The same output can be generated by using:

        h=$(openssl x509 -outform der -in mycert.crt | sha256)
        printf "SHA256:${h}\n"

    ok beck@

2015-09-11  Joel Sing
    Store a reference to the peer certificate (if any) upon completion of the
    handshake. Free the reference when we reset the TLS context. ok beck@

2015-09-11  Bob Beck
    specify what is permitted as an argument to tls_config_set_ciphers()

2015-09-11  Bob Beck
    actually set return value to 0 on success.
    ok jsing@ who wears the cone of shame.

2015-09-11  Jason McIntyre
    - add some missing NAME entries
    - zap trailing whitespace
    - avoid "can not"

2015-09-11  Jason McIntyre
    sort MLINKS into the same order as the man page;

2015-09-10  Joel Sing
    Call tls_set_errorx() instead of tls_set_error() in
    tls_configure_ssl_verify(). Also tweak an error message and unwrap a line.

2015-09-10  Theo de Raadt
    improve examples,
    1. hoist pollfd fields which don't change upwards
    2. show ret as ssize_t, it MUST BE, or there will be lots of crying
    3. on first pass, must check for either POLLIN|POLLOUT
    ok millert beck

2015-09-10  Bob Beck
    document client side certificate verification functionality.
    ok jsing@

2015-09-10  Bob Beck
    document changed tls_read and tls_write semantics.
    document functions that clear errno. change examples to provide
    demonstration of both the blocking and non-blocking cases. ok jsing@,
    bluhm@

2015-09-10  Jason McIntyre
    mlink tls_handshake;

2015-09-10  Jason McIntyre
    tweak previous;

2015-09-10  Joel Sing
    Correctly document the behaviour of tls_close() - the caller is responsible
    for closing the file descriptors unless libtls allocated them. ok beck@

2015-09-10  Joel Sing
    Replace TLS_{READ,WRITE}_AGAIN with TLS_WANT_POLL{IN,OUT} and correctly
    document the calling requirements. ok beck@

2015-09-10  Joel Sing
    Update libtls man page to reflect tls_handshake() related changes.
    ok beck@

2015-09-10  Bob Beck
    revert accidental commit

2015-09-10  Bob Beck
    comment for errno clobbering, to indicate why we do this.
    ok deraadt@ jsing@

2015-09-10  Bob Beck
    bump major
    ok jsing@

2015-09-10  Bob Beck
    change TLS_READ_AGAIN to TLS_WANT_POLLIN and TLS_WRITE_AGAIN to
    TLS_WANT_POLLOUT to make it more clear to users of this api what needs to
    be done in these error cases. Discussed extensively with bluhm@ and jsing@
    and others. ok jsing@

2015-09-10  Bob Beck
    Change tls_read and tls_write semantics to return an ssize_t to better
    match read() and write() semantics to make porting existing code using
    read/write easier. requested by bluhm@ who convinced jsing and I to break
    the api. ok jsing@ bluhm@

2015-09-10  Joel Sing
    Split tls_handshake() out from tls_accept/tls_connect. By doing this the
    tls_accept/tls_connect functions can be guaranteed to succeed or fail and
    will no longer return TLS_READ_AGAIN/TLS_WRITE_AGAIN. This also resolves
    the semantics of tls_accept_*. The tls_handshake() function now does I/O
    and can return TLS_READ_AGAIN/TLS_WRITE_AGAIN. Calls to tls_read() and
    tls_write() will trigger the handshake if it has not already completed,
    meaning that in many cases existing code will continue to work. Discussed
    over many coffees at l2k15. ok beck@ bluhm@

2015-09-10  Jason McIntyre
    add MLINKS for _prefer_ciphers_*

2015-09-10  Joel Sing
    Add support for preferring the server's cipher list or the client's cipher
    list. Prefer the server's cipher list by default. Based on a diff from Kyle
    Thompson <jmp at giga dot moe>. ok beck@ bcook@

2015-09-09  Joel Sing
    Indent labels with a space so that diff -p is more friendly.
    Requested by bluhm@

2015-09-09  Bob Beck
    Add client certificate support. Still needs a few tweaks but this will
    ride upcoming minor bump. ok jsing@

2015-09-09  Bob Beck
    always clear errno when coming back from tls_read, tls_write, and
    tls_close. this avoids the problem of people checking for return values
    < 0 and then checking for errno before checking for TLS_READ_AGAIN /
    TLS_WRITE_AGAIN - since we cannot guarantee what errno will be set to from
    the underlying library calls

2015-09-09  Bob Beck
    nuke trailing whitespace
    ok jsing@