openbsd/src/lib/libtls, branch libressl-v3.4.2

openbsd/src/lib/libtls, branch libressl-v3.4.2 A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=libressl-v3.4.2 2021-09-10T15:06:48+00:00 major bump (same type of crank as libssl) 2021-09-10T15:06:48+00:00 tb 2021-09-10T15:06:48+00:00 urn:sha1:02c328e0445bc169bcadcf5b709af79d97133c2b typo in comment 2021-08-16T13:54:38+00:00 tb 2021-08-16T13:54:38+00:00 urn:sha1:04e41504d4c620b934118a8ae9c2129f626a96c1 zap wonky commas; 2021-06-22T20:01:19+00:00 jmc 2021-06-22T20:01:19+00:00 urn:sha1:3650508f3facd1163d6549d6fab59a6f81db17d2 Clarify tls_config_set_*_file() file I/O semantics 2021-06-22T17:59:48+00:00 kn 2021-06-22T17:59:48+00:00 urn:sha1:7464c3881edf2f952d355d3ed4e23a63ef9051fa tls_config_set_*_file(3) do not just set the file paths like tls_config_set_*_path(3) do, they do load the given file(s) into memory directly using tls_config_load_file(). This distinction is important because it means a later tls_connect(3) will not do any file I/O (at least wrt. those files), which is relevant when for example pleding without "[rwc]path" after loading files into memory and before doing tls_connect(3). The manual's current wording made me use the following due to above way of pledging a program: tls_load_file() tls_config_set_ca_mem() tls_unload_file() While in fact a single tls_config_set_ca_file() call does the same. tls_config.c r1.26 (Aug 2016) change the code but forgot to amend the manual as noted by tb, thanks. Feedback OK tb Use SSL_AD_INTERNAL_ERROR 2021-06-14T03:53:59+00:00 tb 2021-06-14T03:53:59+00:00 urn:sha1:31cc980921fb2043cc7798cb3d036980f86800d5 One instance of TLS1_AD_* was missed and broke the tree in the recent switch to using only one version of alert defines internally. Update RFC reference. RFC 4366 was obsoleted by RFC 6066. 2021-06-01T20:26:11+00:00 tb 2021-06-01T20:26:11+00:00 urn:sha1:9b140ddf9f41beb19ba130cb2c39347030e0f6c9 Avoid sending a trailing dot in SNI as a client 2021-06-01T20:14:17+00:00 tb 2021-06-01T20:14:17+00:00 urn:sha1:c71e98774db737758f9fd959db92ae9a73f610db While an FQDN includes a trailing dot for the zero-length label of the root, SNI explicitly does not contain it. Contrary to other TLS implementations, our tlsext_sni_is_valid_hostname() rejects a trailing dot. The result is that LibreSSL TLS servers encountering an SNI with trailing dot abort the connection with an illegal_parameter alert. This fixes an issue reported by danj in nc(1) and by sthen in ftp(1). DNS cluebat from florian. ok jsing Remove unnecessary cast in free. 2021-06-01T19:49:17+00:00 tb 2021-06-01T19:49:17+00:00 urn:sha1:ee817e88df52a4debdacfb18945e17697591ba82 ok jsing give libtls the same bump as libssl 2021-05-10T17:13:51+00:00 tb 2021-05-10T17:13:51+00:00 urn:sha1:66ed11810da21203541160115ac4b486abe62988 Bump minors after symbol addition 2021-03-31T17:02:18+00:00 tb 2021-03-31T17:02:18+00:00 urn:sha1:0c1b885ba6292c3b2d58d343977ac4cab728cc2b