summaryrefslogtreecommitdiff
path: root/lib/libtls
AgeCommit message (Collapse)Author
2021-10-02Use SSL_CTX_get0_param() rather than reaching into the SSL_CTX.Joel Sing
2021-09-10major bump (same type of crank as libssl)Theo Buehler
2021-08-16typo in commentTheo Buehler
2021-06-22zap wonky commas;Jason McIntyre
2021-06-22Clarify tls_config_set_*_file() file I/O semanticskn
tls_config_set_*_file(3) do not just set the file paths like tls_config_set_*_path(3) do, they do load the given file(s) into memory directly using tls_config_load_file(). This distinction is important because it means a later tls_connect(3) will not do any file I/O (at least wrt. those files), which is relevant when for example pleding without "[rwc]path" after loading files into memory and before doing tls_connect(3). The manual's current wording made me use the following due to above way of pledging a program: tls_load_file() tls_config_set_ca_mem() tls_unload_file() While in fact a single tls_config_set_ca_file() call does the same. tls_config.c r1.26 (Aug 2016) change the code but forgot to amend the manual as noted by tb, thanks. Feedback OK tb
2021-06-14Use SSL_AD_INTERNAL_ERRORTheo Buehler
One instance of TLS1_AD_* was missed and broke the tree in the recent switch to using only one version of alert defines internally.
2021-06-01Update RFC reference. RFC 4366 was obsoleted by RFC 6066.Theo Buehler
2021-06-01Avoid sending a trailing dot in SNI as a clientTheo Buehler
While an FQDN includes a trailing dot for the zero-length label of the root, SNI explicitly does not contain it. Contrary to other TLS implementations, our tlsext_sni_is_valid_hostname() rejects a trailing dot. The result is that LibreSSL TLS servers encountering an SNI with trailing dot abort the connection with an illegal_parameter alert. This fixes an issue reported by danj in nc(1) and by sthen in ftp(1). DNS cluebat from florian. ok jsing
2021-06-01Remove unnecessary cast in free.Theo Buehler
ok jsing
2021-05-10give libtls the same bump as libsslTheo Buehler
2021-03-31Bump minors after symbol additionTheo Buehler
2021-03-23OCSP_basic_verify() doesn't set errno, so use tls_set_errorx()Theo Buehler
ok inoguchi
2021-02-01Use "EC/RSA key setup failure" to align error with othersTheo Buehler
ok eric jsing
2021-01-26Move private key setup to a helper function with proper errorEric Faurot
checking. Only install the hash on the key if fake key is used, and do it for EC keys too. ok tb@ jsing@
2021-01-21when using fake keys, skip the private key checkEric Faurot
ok tb@
2021-01-21return -1 on error for consistencyEric Faurot
ok tb@
2021-01-21minor bump after symbol additionEric Faurot
2021-01-21Allow setting a keypair on a tls context without specifying the privateEric Faurot
key, and fake it internally with the certificate public key instead. It makes it easier for privsep engines like relayd that don't have to use bogus keys anymore. ok beck@ tb@ jsing@
2021-01-05Fix indent.Joel Sing
2021-01-05Remove memset that was made redundant with the ASN1_time_parse()Theo Buehler
fix in libcrypto/asn1/a_time_tm.c r1.16. Suggested by jsing
2021-01-02Tweak previous:Ingo Schwarze
* Do not abuse .Bl -tag for lists without bodies, use .Bl -item instead. * In tagged lists, put bodies into bodies, not into heads. * Add a few missing macros. * Drop some useless quoting.
2021-01-02Make list of DHE parameters more prominentkn
Follow the previous commit and complete the manual page for consistency; better readable and tags for free. OK tb
2020-12-30Make the list of supported protocols more prominentkn
Manuals like httpd.conf(5) refer to this for valid protocol strings, but elements inlined into sentences are hard find to spot. Use a list as already done elsewhere in this manual. OK jmc on earlier version Feeback OK tb
2020-12-22Destroy the mutex in tls_config objects when tls_config_free is called.Brent Cook
Add a stub for pthread_mutex_destroy() for installers. ok tb@
2020-12-22Revert call to pthread_mutex_destroy until installers have a stub.Brent Cook
noted by deraadt@
2020-12-21Destroy the mutex in a tls_config object when tls_config_free is called.Brent Cook
ok inoguchi@
2020-12-15Fix return value variable type in tls_keypair_load_certKinichiro Inoguchi
ERR_peek_error() returns unsigned long. Reported by github issue by @rozhuk-im. ok bcook@ jsing@
2020-06-09The check_includes step is incorrect dependency management model forTheo de Raadt
how our tree gets built. If this was done in all the libraries (imagine sys/dev), it would disrupt the development process hugely. So it should not be done here either. use 'make includes' by hand instead.
2020-05-24Clear SSL_MODE_AUTO_RETRY in libtls, since we handle WANT_POLLIN correctly.Joel Sing
2020-01-22Correct includes check for libtls.Joel Sing
2020-01-22Add checks to ensure that lib{crypto,ssl,tls} public headers have actuallyJoel Sing
been installed prior to building. Requested by and ok tb@
2020-01-22Note in the man page that the default protocols list includes 1.3Bob Beck
ok jsing@
2020-01-22Enable TLS version 1.3 in the default protocols for libtls.Bob Beck
This will as yet not do anything, until we turn it on in the lower level libraries. ok jsing@
2020-01-20Add support for TLSv1.3 as a protocol to libtls.Joel Sing
This makes tls_config_parse_protocols() recognise and handle "tlsv1.3". If TLSv1.3 is enabled libtls will also request libssl to enable it. ok beck@ tb@
2019-12-03Add missing RCS tag.Theo Buehler
2019-11-16Allow 1.3 ciphers in libtls.Bob Beck
ok jsing@
2019-11-16Allow portable to override the default CA bundle locationBob Beck
ok kinichiro@ jsing@
2019-11-02Bump libcrypto, libssl and libtls minors due to symbol additions.Joel Sing
2019-11-02Document tls_conn_cipher_strength().Joel Sing
ok schwarze@
2019-11-02Provide tls_conn_cipher_strength().Joel Sing
This returns the strength in bits of the symmetric cipher used for the connection. Diff from gilles@ ok tb@
2019-10-24Bump libcrypto, libssl and libtls majors due to changes in struct sizesJoel Sing
and symbol addition.
2019-07-09Group tls_{handshake,read,write,close}() return values documentation.Joel Sing
Move the documentation for tls_error() down so that both the special return values for tls_{handshake,read,write,close}() directly follow the standard return values for the same functions. Prompted by deraadt@. ok deraadt@ schwarze@
2019-06-20tls_read() & tls_write() return 4 possible values: TLS_WANT_POLLOUT,Theo de Raadt
TLS_WANT_POLLIN, -1, or 0. After handling the first two, check for -1 rather than vaguely "< 0". ok jsing
2019-06-05provide getters and setters for the RSA_METHOD interfaceGilles Chehade
ok tb@, jsing@, sthen@
2019-05-13Acquire mutex before incrementing the refcount. Fixes COV-186144Brent Cook
ok tb@
2019-04-13Null out pointers on asprintf() failure.Theo Buehler
These pointers will be passed to free. According to asprintf(3), "on OpenBSD, ret will be set to the null pointer, but this behavior should not be relied upon." ok jsing
2019-04-04Only assign destlen when src is non-NULL.Joel Sing
This avoids ever having a non-zero len with a NULL pointer.
2019-04-04Switch to pthread_mutex_init().Joel Sing
While PTHREAD_MUTEX_INITIALIZER can be used on OpenBSD, some other platforms do not like it. Noted by bcook@
2019-04-04Bump libssl/libtls minors due to symbol addition.Joel Sing
2019-04-01Add a mutex to guard reference counting for tls_config.Joel Sing
This makes libtls more friendly for multithreaded use - otherwise we can end up with incorrect refcounts and end up freeing when we should not be (or not freeing when we should be). ok beck@
generated by cgit v1.2.3 (git 2.25.1) at 2024-12-17 11:26:33 +0000