path: root/lib/libtls
Age         Commit message                                                          Author

2016-08-31  Crank minor due to API addition                                         Bob Beck

2016-08-22  Various clean up and reorganisation of the connection info handling    Joel Sing
            code.
            In particular, rename tls_free_conninfo() to tls_conninfo_free() and
            make it a real free function. Rename tls_get_conninfo() to
            tls_conninfo_populate() and have it allocate the struct tls_conninfo
            (after freeing any existing one). ok beck@

2016-08-22  Stick with the usual 'if NULL return NULL' idiom.                       Joel Sing
            ok beck@

2016-08-22  Bump TLS_API due to the addition of server side SNI functions.          Joel Sing

2016-08-22  Bump libtls minor due to the addition of symbols.                       Joel Sing

2016-08-22  Provide an API that enables server side SNI support - add the           Joel Sing
            ability to provide additional keypairs (via
            tls_config_add_keypair_{file,mem}()) and allow the server to
            determine what servername the client requested (via
            tls_conn_servername()). ok beck@

2016-08-22  Create contexts for server side SNI - these include the additional      Joel Sing
            SSL_CTX that is required for certificate switching with libssl and
            the certificate itself so that we can match against the subject and
            SANs. Hook up the servername callback and switch to the appropriate
            SSL_CTX if we find a matching certificate. ok beck@

2016-08-18  Split out the TLS server SSL_CTX allocation and configuration code,     Joel Sing
            so that it can be reused to allocate the additional SSL_CTXs needed
            for SNI. ok reyk@

2016-08-18  Rework parts of the libtls man page for clarity. Split out the          Joel Sing
            connection information related functions under their own heading
            and dedup the text relating to when these functions can be called.
            With input from and ok jmc@

2016-08-15  The tls_conninfo serial is also unused.                                 Joel Sing

2016-08-15  Group conninfo fields by connection and peer cert based information,   Joel Sing
            sort and remove unused fingerprint.

2016-08-15  Fix some style(9) issues.                                               Joel Sing

2016-08-15  Explicitly pass in an SSL_CTX * to the functions that operate on one,  Joel Sing
            instead of assuming that they should use the one associated with the
            TLS context. This allows these functions to be used with the
            additional SSL contexts that are needed to support server-side SNI.
            Also rename tls_configure_keypair() to tls_configure_ssl_keypair(),
            so that these functions have a common prefix. ok reyk@

2016-08-13  Avoid leaking memory if tls_config_set_alpn() is called multiple       Joel Sing
            times (this was in the original commit, but got reverted in the
            recommit).

2016-08-13  Load CA, certificate and key files into memory when the appropriate    Joel Sing
            tls_config_set_*_file() function is called. This allows us to
            immediately propagate useful error messages, play more nicely with
            privsep/pledge and have a single code path. Instead of always
            loading the default CA when tls_config_new() is called, defer and
            only load the default CA when tls_configure() is invoked, if a CA
            has not already been specified. ok beck@ bluhm@

2016-08-12  Bump libtls minor due to symbol additions.                              Joel Sing

2016-08-12  Add ALPN support to libtls.                                             Joel Sing
            ok beck@ doug@

2016-08-02  Revert previous since it adds new symbols.                              Joel Sing
            Requested by deraadt@

2016-08-01  Bump TLS_API for addition of ALPN support.                              Joel Sing

2016-08-01  Add ALPN support to libtls.                                             Joel Sing
            ok beck@ doug@

2016-07-13  Split the existing TLS cipher suite groups into four:                  Joel Sing
            "secure" (TLSv1.2+AEAD+PFS)
            "compat" (HIGH:!aNULL)
            "legacy" (HIGH:MEDIUM:!aNULL)
            "insecure" (ALL:!aNULL:!eNULL)
            This allows for flexibility and finer grained control, rather than
            having two extremes (an issue raised by Marko Kreen some time ago).
            ok beck@ tedu@

2016-07-07  Revert previous - it introduces problems with a common privsep use     Joel Sing
            case.

2016-07-06  Check that the given ciphers string is syntactically valid and         Joel Sing
            results in at least one matching cipher suite. ok doug@

2016-07-06  Always load CA, key and certificate files at the time the              Joel Sing
            configuration function is called. This simplifies code and results
            in a single memory based code path being used to provide data to
            libssl. Errors that occur when accessing the specified file are now
            detected and propagated immediately. Since the file access now
            occurs when the configuration function is called, we now play
            nicely with privsep/pledge. ok beck@ bluhm@ doug@

2016-07-06  Correctly handle an EOF that occurs prior to the TLS handshake          Joel Sing
            completing.
            Reported by Vasily Kolobkov, based on a diff from Marko Kreen.
            ok beck@

2016-05-27  Rename some of the internal error setting functions to more closely    Joel Sing
            follow existing naming standards. Also provide functions for
            setting a struct tls_error * directly (rather than having to have a
            struct tls * or a struct tls_config *).

2016-05-27  Avoid leaking ca_mem when freeing a tls_config.                         Joel Sing

2016-05-27  Fix function parameters that do not have an underscore prefix.          Joel Sing

2016-05-27  typo fixes; Anthony Coulter                                             Stuart Henderson

2016-05-09  Fix mangled function signatures.                                        Joel Sing
            From Carlin Bingham <cb at viennan dot net>, thanks!

2016-04-28  spelling fix;                                                           Jason McIntyre

2016-04-28  Crank majors for lib{crypto,ssl,tls} due to symbol removals, symbol    Joel Sing
            additions and functionality changes.

2016-04-28  Factor out the keypair handling in libtls. This results in more        Joel Sing
            readable and self-contained code, while preparing for the ability
            to handle multiple keypairs. Also provide two additional functions
            that allow a public certificate and private key to be set with a
            single function call. ok beck@

2016-04-28  Rework the error handling in libtls so that we can associate errors    Joel Sing
            with both configuration and contexts. This allows us to propagate
            errors that occur during configuration, rather than either just
            failing with no reason or delaying the failure until it can be
            propagated via the tls context. Also provide a tls_config_error()
            function for retrieving the last error from a tls_config *.
            ok bcook@

2016-04-24  no more outlen; from remco                                              Jason McIntyre
            ok bcook deraadt

2016-04-24  typos;                                                                  Jason McIntyre

2016-03-30  for some time now mandoc has not required MLINKS to function           Jason McIntyre
            correctly - logically complete that now by removing MLINKS from
            base; authors need only to ensure there is an entry in NAME for any
            function/util being added. MLINKS will still work, and remain for
            perl to ease upgrades;
            ok nicm (curses) bcook (ssl)
            ok schwarze, who provided a lot of feedback and assistance
            ok tb natano jung

2016-01-18  Call BIO_sock_init() from tls_init() to ensure sockets are enabled     Brent Cook
            on Windows.
            This is of course a no-op on other platforms. Noted by equalsraf
            from github.

2015-12-09  bump the major for libcrypto/ssl/tls for a CRYPTO_chacha_20 ABI        Brent Cook
            change
            ok jsing@, deraadt@, beck@

2015-11-09  update some client/server info; from jan klemkow                        Jason McIntyre
            ok jsing

2015-11-02  bump minors after adding EVP_aead_chacha20_poly1305_ietf()              Reyk Floeter
            OK jsing@

2015-10-16  Put tls_config_verify_client_optional() in the right place.             Joel Sing

2015-10-16  Fix tpyo.                                                               Joel Sing

2015-10-09  fix a gotcha in the connect refactoring, that could result in          Theo de Raadt
            dropping through and trying to bind failed v6 connects. ok guenther

2015-10-08  If getaddrinfo() succeeds, then don't try lookups with other flags,    Philip Guenther
            even if the connect()s failed. In concert with some resolver fixes
            in libc, this lets ntpd be tame()ed.
            problem isolated by theo, who had fun untangling the libc and
            libtls behaviors to place blame for not being able to tame ntpd
            ok beck@ deraadt@ jsing@

2015-10-08  trailing whitespace;                                                    Jason McIntyre

2015-10-07  Add tls_peer_cert_notbefore and tls_peer_cert_notafter to expose       Bob Beck
            peer certificate validity times for tls connections. ok jsing@

2015-10-07  Allow us to get cipher and version even if there is not a peer         Bob Beck
            certificate.
            ok doug@

2015-10-01  include <sys/types.h> for ssize_t                                       Brent Cook
            ok jsing@, deraadt@

2015-09-29  Instead of declaring a union in multiple places, move it to            Joel Sing
            tls_internal.h.
            ok deraadt@