| Age | Commit message (Collapse) | Author | |
|---|---|---|---|
| 2018-02-10 | Tidy/standardise some code. | Joel Sing | |
| 2018-02-10 | Remove NULL check from tls_conninfo_cert_pem() - all of the other conninfo | Joel Sing | |
| functions require the conninfo passed in to be non-NULL. | |||
| 2018-02-10 | Document functions for client-side TLS session support. | Joel Sing | |
| 2018-02-10 | Add support to libtls for client-side TLS session resumption. | Joel Sing | |
| A libtls client can specify a session file descriptor (a regular file with appropriate ownership and permissions) and libtls will manage reading and writing of session data across TLS handshakes. Discussed at length with deraadt@ and tedu@. Rides previous minor bump. ok beck@ | |||
| 2018-02-10 | Bump lib{crypto,ssl,tls} minors due to symbol addition. | Joel Sing | |
| 2018-02-08 | Have tls_keypair_pubkey_hash() call tls_keypair_load_cert() instead of | Joel Sing | |
| rolling its own certificate loading. This also means we get better error reporting on failure. | |||
| 2018-02-08 | Ensure that tls_keypair_clear() clears the OCSP staple and pubkey hash. | Joel Sing | |
| 2018-02-08 | Do not bother NULLing pointers in a struct that is about to be freed. | Joel Sing | |
| 2018-02-08 | Move tls_keypair_pubkey_hash() to the keypair file. | Joel Sing | |
| 2018-02-08 | Avoid a memory leak that results when the same tls_config is reused. | Joel Sing | |
| Reported by and fix from Nate Bessette <openbsd at nate dot sh> - thanks. | |||
| 2018-02-08 | Assert tedu's copyright since some of the code moved here is his. | Joel Sing | |
| 2018-02-08 | Split keypair handling out into its own file - it had already appeared | Joel Sing | |
| in multiple locations. ok beck@ | |||
| 2018-02-05 | Do not bother NULLing pointers in memory that is freed immediately after. | Joel Sing | |
| 2018-02-05 | Be consistent with the goto label names used in libtls code. | Joel Sing | |
| No change to generated assembly. | |||
| 2017-12-09 | Make tls_config_parse_protocols() work correctly when passed a NULL pointer | Joel Sing | |
| for a protocol string. Issue found by semarie@, who also provided the diff. | |||
| 2017-10-08 | hyphenate DER/PEM-encoded, for consistency; | Jason McIntyre | |
| 2017-10-07 | Document tls_peer_cert_chain_pem(). | Joel Sing | |
| ok beck@ | |||
| 2017-09-25 | If tls_config_parse_protocols() is called with a NULL pointer, return the | Joel Sing | |
| default protocols instead of crashing - this makes the behaviour more useful and mirrors what we already do in tls_config_set_ciphers() et al. | |||
| 2017-09-20 | Keep track of which keypair is in use by a TLS context. | Joel Sing | |
| This fixes a bug where by a TLS server with SNI would always only return the OCSP staple for the default keypair, rather than returning the OCSP staple associated with the keypair that was selected via SNI. Issue reported by William Graeber and confirmed by Andreas Bartelt. Fix tested by William Graeber and Andreas Bartelt - thanks! | |||
| 2017-09-20 | Slightly restructure tls_ocsp_verify_cb() to make it more like libtls code. | Joel Sing | |
| 2017-09-20 | Provide a useful error if there are no OCSP URLs in the peer certificate. | Joel Sing | |
| 2017-09-20 | Fix indentation. | Joel Sing | |
| 2017-08-30 | Bump libssl/libtls minors due to symbol (re)addition. | Joel Sing | |
| 2017-08-28 | Bump lib{crypto,ssl,tls} majors due to symbol removals. | Joel Sing | |
| 2017-08-28 | Fix unchecked return nit | Bob Beck | |
| ok bcook@ jsing@ | |||
| 2017-08-27 | Make the symbol for ASN1_time_tm_clamp_notafter visible so libtls | Bob Beck | |
| can get at it, so libtls can also deal with notafter's past the realm of 32 bit time in portable | |||
| 2017-08-13 | Switch to -Werror with clang for libressl. | Doug Hogan | |
| Discussed with beck@ and jsing@ ok beck@ | |||
| 2017-08-12 | Document tls_config_set_dheparams(). | Joel Sing | |
| 2017-08-12 | Document tls_reset(). | Joel Sing | |
| 2017-08-11 | new sentence, new line; | Jason McIntyre | |
| 2017-08-11 | Bump minor due to symbol addition. | Joel Sing | |
| Prompted by jsg@, since I apparently left it sitting in my tree... | |||
| 2017-08-10 | Add a tls_config_set_ecdhecurves() function to libtls, which allows the | Joel Sing | |
| names of the elliptic curves that may be used during client and server key exchange to be specified. This deprecates tls_config_set_ecdhecurve(), which could only be used to specify a single supported curve. ok beck@ | |||
| 2017-08-09 | Don't use tls_cert_hash for the hashing used by the engine offloading magic | Claudio Jeker | |
| for the TLS privsep code. Instead use X509_pubkey_digest() because only the key should be used as identifier. Relayd is rewriting certificates and then the hash would change. Rename the hash is struct tls_keypair to pubkey_hash to make clear what this hash is about. With input and OK jsing@ | |||
| 2017-08-01 | correct function name; | Jason McIntyre | |
| from carlos cardenas | |||
| 2017-07-06 | Document tls_config_set_crl_file() and tls_config_set_crl_mem(). | Joel Sing | |
| Based on a diff from Jack Burton <jack at saosce dot com dot au>, thanks! | |||
| 2017-07-06 | Bump minor due to symbol addition. | Joel Sing | |
| 2017-07-06 | Add support for providing CRLs to libtls - once a CRL is provided we | Joel Sing | |
| enable CRL checking for the full certificate chain. Based on a diff from Jack Burton <jack at saosce dot com dot au>, thanks! Discussed with beck@ | |||
| 2017-07-05 | RFC 6066 states that IP literals are not permitted in "HostName" for a | Joel Sing | |
| TLS Server Name extension, however seemingly several clients (including Python, Ruby and Safari) violate the RFC. Given that this is a fairly widespread issue, if we receive a TLS Server Name extension that contains an IP literal, pretend that we did not receive the extension rather than causing a handshake failure. Issue raised by jsg@ ok jsg@ | |||
| 2017-06-22 | Use the tls_password_cb() callback with all PEM_read_bio_*() calls, so that | Joel Sing | |
| we can prevent libcrypto from going behind our back and trying to read passwords from standard input (which we may not be permitted to do). Found by jsg@ with httpd and password protected keys. | |||
| 2017-06-22 | Fix incorrect indentation. | Joel Sing | |
| 2017-06-22 | Plug a memory leak in tls_keypair_cert_hash(), introduced in r1.60. | Joel Sing | |
| 2017-06-22 | Remove dead code that has remained hiding since ressl.c r1.14! | Joel Sing | |
| 2017-06-22 | Use the standard `rv' idiom in tls_keypair_load_cert(), rather than | Joel Sing | |
| duplicating clean up code. | |||
| 2017-05-16 | Plug a memory leak. The main_cert needs to be X509_free()ed since | Claudio Jeker | |
| SSL_get_peer_certificate() increases the ref count whereas extra_certs do not because SSL_get_peer_cert_chain() won't increase ref counts. OK beck@ | |||
| 2017-05-07 | Ensure that a client context has been connected before attempting to | Joel Sing | |
| complete a TLS handshake. | |||
| 2017-05-07 | Return an error if tls_handshake() is called on a TLS context that has | Joel Sing | |
| already completed a TLS handshake. | |||
| 2017-05-06 | Use freezero() for the tls_load_file() failure case, since we're | Joel Sing | |
| potentially dealing with key material. Also switch a calloc to malloc, since we immediately copy the same amount of data to the newly allocated buffer. | |||
| 2017-05-06 | BIO_free_all() and EVP_PKEY_free() can be called with NULL. | Joel Sing | |
| 2017-05-06 | Be explicit about when it is safe to call tls_config_free(). | Joel Sing | |
| Discussed with beck@ | |||
| 2017-05-06 | Document tls_unload_file(). | Joel Sing | |
 |
index : src | |
| OpenBSD base system |
| summaryrefslogtreecommitdiff |