path: root/src/lib/libtls/tls.c
Commit log. Each entry gives the commit message, followed by author, date, files changed and lines removed/added.
* Set SSL_MODE_ENABLE_PARTIAL_WRITE and SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER
  in libtls. This gives tls_write() short write semantics similar to write(2).
  So implementing daemons with libevent buffers will be easier and workarounds
  in syslogd and httpd can be removed. OK tedu@ beck@ reyk@
  bluhm, 2015-07-18, 1 file, -1/+4
* Treat SSL_ERROR_ZERO_RETURN as a success, rather than a failure. Also
  ensure that outlen is set to zero so that tls_read() has read(2)-like
  semantics for EOF. Spotted by doug@
  jsing, 2015-04-15, 1 file, -5/+6
* Make tls_close() more robust - do not rely on a close notify being received
  from the other side and only return TLS_READ_AGAIN/TLS_WRITE_AGAIN if we
  failed to send a close notify on a non-blocking socket. Otherwise be more
  forceful and always shutdown/close the socket regardless of other failures.
  Also do not consider ENOTCONN or ECONNRESET to be a shutdown failure, since
  there are various situations where this can occur. ok doug@ guenther@
  jsing, 2015-04-15, 1 file, -13/+17
* Handle the case where multiple calls to SSL_shutdown() are required to
  close the connection. Also correctly handle the error on failure. Diff from
  cookieandscream via github.
  jsing, 2015-04-02, 1 file, -6/+9
* Store errors that occur during a tls_accept_socket() call on the context
  for the server, rather than on the context for the connection. This makes
  more sense than the current behaviour does. Issue reported by Tim van der
  Molen.
  jsing, 2015-03-31, 1 file, -5/+5
* Convert tls_connect_fds() and tls_accept_socket() to the new OpenSSL error
  dance handling code. This means that we get slightly useful messages when a
  TLS connection or accept fails. Requested by reyk@
  jsing, 2015-02-07, 1 file, -2/+2
* Attempt to implement the OpenSSL error dance so that TLS read/write
  failures return something that is actually useful to the caller. ok reyk@
  jsing, 2015-02-07, 1 file, -29/+61
* Rename SSL_CTX_use_certificate_chain() to SSL_CTX_use_certificate_chain_mem().
  As discussed with beck@, jsing@ and others. OK beck@
  reyk, 2015-02-06, 1 file, -2/+2
* Add size_t to int checks for SSL functions.
  libtls accepts size_t for lengths but libssl accepts int. This verifies that
  the input does not exceed INT_MAX. It also avoids truncating size_t when
  comparing with int and adds printf-style attributes for tls_set_error().
  With input from deraadt@ and tedu@. ok tedu@
  doug, 2014-12-17, 1 file, -1/+22
* Revert previous change for now, adjusting based on comments from jsing@
  bcook, 2014-12-07, 1 file, -10/+3
* Allow specific libtls hostname validation errors to propagate.
  Remove direct calls to printf from the tls_check_hostname() path. This
  allows NUL byte error messages to bubble up to the caller, to be logged in a
  program-appropriate way. It also removes non-portable calls to
  getprogname(). The semantics of tls_error() are changed slightly: the last
  error message is not necessarily preserved between subsequent calls into the
  library. When the previous call to libtls succeeds, client programs should
  treat the return value of tls_error() as undefined. ok tedu@
  bcook, 2014-12-07, 1 file, -3/+10
* Rename libressl to libtls to avoid confusion and to make it easier to
  distinguish between LibreSSL (the project) and libressl (the library).
  Discussed with many.
  jsing, 2014-10-31, 1 file, -0/+300