1 files changed, 35 insertions, 45 deletions
diff --git a/src/lib/libtls/tls_init.3 b/src/lib/libtls/tls_init.3
index e7f10ef556..cd98450035 100644
--- a/src/lib/libtls/tls_init.3
+++ b/src/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.65 2016/08/12 15:10:59 jsing Exp $
+.\" $OpenBSD: tls_init.3,v 1.66 2016/08/18 15:43:12 jsing Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: August 12 2016 $
+.Dd $Mdocdate: August 18 2016 $
 .Dt TLS_INIT 3
 .Os
 .Sh NAME
@@ -271,7 +271,7 @@ The
 function initializes global data structures.
 It should be called once before any other functions.
 .Pp
-The following functions create and free configuration objects.
+The following functions create and free configuration objects:
 .Bl -bullet -offset four
 .It
 .Fn tls_config_new
@@ -297,8 +297,8 @@ If a value has a negative prefix (in the form of a leading exclamation mark)
 then it is removed from the list of available protocols, rather than being
 added to it.
 .Pp
-The following functions modify a configuration by setting parameters.
+The following functions modify a configuration by setting parameters (the
-Configuration options may apply to only clients or only servers or both.
+configuration options may only apply to clients, to servers or to both):
 .Bl -bullet -offset four
 .It
 .Fn tls_config_set_alpn
@@ -425,13 +425,35 @@ a certificate.
 enables client certificate verification, without requiring the client
 to send a certificate.
 .Em (Server)
+.El
+.Pp
+The following functions return information about a TLS connection and will only
+succeed after the handshake is complete (the connection information may only
+apply to clients, to servers or to both):
+.Bl -bullet -offset four
+.It
+.Fn tls_conn_alpn_selected
+returns a string that specifies the ALPN protocol selected for use with the peer
+connected to
+.Ar ctx .
+If no protocol was selected then NULL is returned.
+.Em (Server and Client)
+.It
+.Fn tls_conn_cipher
+returns a string corresponding to the cipher suite negotiated with the peer
+connected to
+.Ar ctx .
+.Em (Server and client)
+.It
+.Fn tls_conn_version
+returns a string corresponding to a TLS version negotiated with the peer
+connected to
+.Ar ctx .
 .It
 .Fn tls_peer_cert_provided
 checks if the peer of
 .Ar ctx
 has provided a certificate.
-.Fn tls_peer_cert_provided
-can only succeed after the handshake is complete.
 .Em (Server and client)
 .It
 .Fn tls_peer_cert_contains_name
@@ -440,24 +462,18 @@ checks if the peer of a TLS
 has provided a certificate that contains a
 SAN or CN that matches
 .Ar name .
-.Fn tls_peer_cert_contains_name
-can only succeed after the handshake is complete.
 .Em (Server and client)
 .It
 .Fn tls_peer_cert_subject
 returns a string
 corresponding to the subject of the peer certificate from
 .Ar ctx .
-.Fn tls_peer_cert_subject
-will only succeed after the handshake is complete.
 .Em (Server and client)
 .It
 .Fn tls_peer_cert_issuer
 returns a string
 corresponding to the issuer of the peer certificate from
 .Ar ctx .
-.Fn tls_peer_cert_issuer
-will only succeed after the handshake is complete.
 .Em (Server and client)
 .It
 .Fn tls_peer_cert_hash
@@ -479,43 +495,17 @@ printf "SHA256:${h}\\n"
 returns the time corresponding to the start of the validity period of
 the peer certificate from
 .Ar ctx .
-.Fn tls_peer_cert_notbefore
-will only succeed after the handshake is complete.
 .Em (Server and client)
 .It
 .Fn tls_peer_cert_notafter
 returns the time corresponding to the end of the validity period of
 the peer certificate from
 .Ar ctx .
-.Fn tls_peer_cert_notafter
-will only succeed after the handshake is complete.
 .Em (Server and client)
-.It
+.El
-.Fn tls_conn_alpn_selected
+.Pp
-returns a string that specifies the ALPN protocol selected for use with the peer
+The following are TLS related utility functions:
-connected to
+.Bl -bullet -offset four
-.Ar ctx .
-If no protocol was selected then NULL is returned.
-.Fn tls_conn_alpn_selected
-will only succeed after the handshake is complete.
-.Em (Server and Client)
-.It
-.Fn tls_conn_cipher
-returns a string
-corresponding to the cipher suite negotiated with the peer
-connected to
-.Ar ctx .
-.Fn tls_conn_cipher
-will only succeed after the handshake is complete.
-.Em (Server and client)
-.It
-.Fn tls_conn_version
-returns a string
-corresponding to a TLS version negotiated with the peer
-connected to
-.Ar ctx .
-.Fn tls_conn_version
-will only succeed after the handshake is complete.
 .It
 .Fn tls_load_file
 loads a certificate or key from disk into memory to be loaded with
@@ -529,7 +519,7 @@ argument is specified.
 .Em (Client and server)
 .El
 .Pp
-The following functions create, prepare, and free a connection context.
+The following functions create, prepare, and free a connection context:
 .Bl -bullet -offset four
 .It
 .Fn tls_client
@@ -547,7 +537,7 @@ frees a TLS context after use.
 .El
 .Pp
 The following functions initiate a connection and perform input and output
-operations.
+operations:
 .Bl -bullet -offset four
 .It
 .Fn tls_connect

diff --git a/src/lib/libtls/tls_init.3 b/src/lib/libtls/tls_init.3 index e7f10ef556..cd98450035 100644 --- a/src/lib/libtls/tls_init.3 +++ b/src/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: tls_init.3,v 1.65 2016/08/12 15:10:59 jsing Exp $	1	.\" $OpenBSD: tls_init.3,v 1.66 2016/08/18 15:43:12 jsing Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>	3	.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
4	.\"	4	.\"
@@ -14,7 +14,7 @@
14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF	14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	.\"	16	.\"
17	.Dd $Mdocdate: August 12 2016 $	17	.Dd $Mdocdate: August 18 2016 $
18	.Dt TLS_INIT 3	18	.Dt TLS_INIT 3
19	.Os	19	.Os
20	.Sh NAME	20	.Sh NAME
@@ -271,7 +271,7 @@ The
271	function initializes global data structures.	271	function initializes global data structures.
272	It should be called once before any other functions.	272	It should be called once before any other functions.
273	.Pp	273	.Pp
274	The following functions create and free configuration objects.	274	The following functions create and free configuration objects:
275	.Bl -bullet -offset four	275	.Bl -bullet -offset four
276	.It	276	.It
277	.Fn tls_config_new	277	.Fn tls_config_new
@@ -297,8 +297,8 @@ If a value has a negative prefix (in the form of a leading exclamation mark)
297	then it is removed from the list of available protocols, rather than being	297	then it is removed from the list of available protocols, rather than being
298	added to it.	298	added to it.
299	.Pp	299	.Pp
300	The following functions modify a configuration by setting parameters.	300	The following functions modify a configuration by setting parameters (the
301	Configuration options may apply to only clients or only servers or both.	301	configuration options may only apply to clients, to servers or to both):
302	.Bl -bullet -offset four	302	.Bl -bullet -offset four
303	.It	303	.It
304	.Fn tls_config_set_alpn	304	.Fn tls_config_set_alpn
@@ -425,13 +425,35 @@ a certificate.
425	enables client certificate verification, without requiring the client	425	enables client certificate verification, without requiring the client
426	to send a certificate.	426	to send a certificate.
427	.Em (Server)	427	.Em (Server)
		428	.El
		429	.Pp
		430	The following functions return information about a TLS connection and will only
		431	succeed after the handshake is complete (the connection information may only
		432	apply to clients, to servers or to both):
		433	.Bl -bullet -offset four
		434	.It
		435	.Fn tls_conn_alpn_selected
		436	returns a string that specifies the ALPN protocol selected for use with the peer
		437	connected to
		438	.Ar ctx .
		439	If no protocol was selected then NULL is returned.
		440	.Em (Server and Client)
		441	.It
		442	.Fn tls_conn_cipher
		443	returns a string corresponding to the cipher suite negotiated with the peer
		444	connected to
		445	.Ar ctx .
		446	.Em (Server and client)
		447	.It
		448	.Fn tls_conn_version
		449	returns a string corresponding to a TLS version negotiated with the peer
		450	connected to
		451	.Ar ctx .
428	.It	452	.It
429	.Fn tls_peer_cert_provided	453	.Fn tls_peer_cert_provided
430	checks if the peer of	454	checks if the peer of
431	.Ar ctx	455	.Ar ctx
432	has provided a certificate.	456	has provided a certificate.
433	.Fn tls_peer_cert_provided
434	can only succeed after the handshake is complete.
435	.Em (Server and client)	457	.Em (Server and client)
436	.It	458	.It
437	.Fn tls_peer_cert_contains_name	459	.Fn tls_peer_cert_contains_name
@@ -440,24 +462,18 @@ checks if the peer of a TLS
440	has provided a certificate that contains a	462	has provided a certificate that contains a
441	SAN or CN that matches	463	SAN or CN that matches
442	.Ar name .	464	.Ar name .
443	.Fn tls_peer_cert_contains_name
444	can only succeed after the handshake is complete.
445	.Em (Server and client)	465	.Em (Server and client)
446	.It	466	.It
447	.Fn tls_peer_cert_subject	467	.Fn tls_peer_cert_subject
448	returns a string	468	returns a string
449	corresponding to the subject of the peer certificate from	469	corresponding to the subject of the peer certificate from
450	.Ar ctx .	470	.Ar ctx .
451	.Fn tls_peer_cert_subject
452	will only succeed after the handshake is complete.
453	.Em (Server and client)	471	.Em (Server and client)
454	.It	472	.It
455	.Fn tls_peer_cert_issuer	473	.Fn tls_peer_cert_issuer
456	returns a string	474	returns a string
457	corresponding to the issuer of the peer certificate from	475	corresponding to the issuer of the peer certificate from
458	.Ar ctx .	476	.Ar ctx .
459	.Fn tls_peer_cert_issuer
460	will only succeed after the handshake is complete.
461	.Em (Server and client)	477	.Em (Server and client)
462	.It	478	.It
463	.Fn tls_peer_cert_hash	479	.Fn tls_peer_cert_hash
@@ -479,43 +495,17 @@ printf "SHA256:${h}\\n"
479	returns the time corresponding to the start of the validity period of	495	returns the time corresponding to the start of the validity period of
480	the peer certificate from	496	the peer certificate from
481	.Ar ctx .	497	.Ar ctx .
482	.Fn tls_peer_cert_notbefore
483	will only succeed after the handshake is complete.
484	.Em (Server and client)	498	.Em (Server and client)
485	.It	499	.It
486	.Fn tls_peer_cert_notafter	500	.Fn tls_peer_cert_notafter
487	returns the time corresponding to the end of the validity period of	501	returns the time corresponding to the end of the validity period of
488	the peer certificate from	502	the peer certificate from
489	.Ar ctx .	503	.Ar ctx .
490	.Fn tls_peer_cert_notafter
491	will only succeed after the handshake is complete.
492	.Em (Server and client)	504	.Em (Server and client)
493	.It	505	.El
494	.Fn tls_conn_alpn_selected	506	.Pp
495	returns a string that specifies the ALPN protocol selected for use with the peer	507	The following are TLS related utility functions:
496	connected to	508	.Bl -bullet -offset four
497	.Ar ctx .
498	If no protocol was selected then NULL is returned.
499	.Fn tls_conn_alpn_selected
500	will only succeed after the handshake is complete.
501	.Em (Server and Client)
502	.It
503	.Fn tls_conn_cipher
504	returns a string
505	corresponding to the cipher suite negotiated with the peer
506	connected to
507	.Ar ctx .
508	.Fn tls_conn_cipher
509	will only succeed after the handshake is complete.
510	.Em (Server and client)
511	.It
512	.Fn tls_conn_version
513	returns a string
514	corresponding to a TLS version negotiated with the peer
515	connected to
516	.Ar ctx .
517	.Fn tls_conn_version
518	will only succeed after the handshake is complete.
519	.It	509	.It
520	.Fn tls_load_file	510	.Fn tls_load_file
521	loads a certificate or key from disk into memory to be loaded with	511	loads a certificate or key from disk into memory to be loaded with
@@ -529,7 +519,7 @@ argument is specified.
529	.Em (Client and server)	519	.Em (Client and server)
530	.El	520	.El
531	.Pp	521	.Pp
532	The following functions create, prepare, and free a connection context.	522	The following functions create, prepare, and free a connection context:
533	.Bl -bullet -offset four	523	.Bl -bullet -offset four
534	.It	524	.It
535	.Fn tls_client	525	.Fn tls_client
@@ -547,7 +537,7 @@ frees a TLS context after use.
547	.El	537	.El
548	.Pp	538	.Pp
549	The following functions initiate a connection and perform input and output	539	The following functions initiate a connection and perform input and output
550	operations.	540	operations:
551	.Bl -bullet -offset four	541	.Bl -bullet -offset four
552	.It	542	.It
553	.Fn tls_connect	543	.Fn tls_connect