openbsd - A mirror of https://github.com/libressl/openbsd.git

	Commit message (Collapse)	Author	Age	Files	Lines
*	Add tls_peer_cert_notbefore and tls_peer_cert_notafter to expose peer ↵	beck	2015-10-07	1	-1/+4
\| \| \| \| \| \| \|	certificate validity times for tls connections. ok jsing@
*	include <sys/types.h> for ssize_t	bcook	2015-10-01	1	-1/+3
\| \| \| \|	ok jsing@, deraadt@
*	Provide tls_config_insecure_noverifytime() in order to be able to disable	jsing	2015-09-14	1	-1/+2
\| \| \| \| \| \|	certificate validity checking. ok beck@
*	add visibility of ciper and connection version strings	beck	2015-09-13	1	-1/+3
\| \| \| \|	ok jsing@
*	Move connection info into it's own private structure allocated and filled in	beck	2015-09-12	1	-4/+4
\| \| \| \| \| \|	at handshake time. change accessors to return const char * to remove need for caller to free memory. ok jsing@
*	Put tls_peer_cert* functions in the same place.	jsing	2015-09-12	1	-6/+6
\|
*	add tls_peer functions for checking names and issuers of peer certificates.	beck	2015-09-11	1	-1/+6
\| \| \| \|	ok jsing@
*	Provide tls_peer_cert_hash() which returns a hash of the raw certificate	jsing	2015-09-11	1	-1/+3
\| \| \| \| \| \| \| \| \| \| \| \| \|	that was presented by the peer. The hash used is currently SHA256, however since we prefix the result with the hash name, we can change this in the future as the need arises. The same output can be generated by using: h=$(openssl x509 -outform der -in mycert.crt \| sha256) printf "SHA256:${h}\n" ok beck@
*	change TLS_READ_AGAIN to TLS_WANT_POLLIN and TLS_WRITE_AGAIN to TLS_WANT_POLLOUT	beck	2015-09-10	1	-3/+3
\| \| \| \| \| \| \|	to make it more clear to users of this api what needs to be done in these error cases. Discussed extensively with bluhm@ and jsing@ and others. ok jsing@
*	Change tls_read and tls_write semantics to return an ssize_t to better	beck	2015-09-10	1	-4/+3
\| \| \| \| \| \| \| \|	match read() and write() semantics to make porting existing code using read/write easier.. requested by bluhm@ who convinced jsing and I to break the api ok jsing@ bluhm@
*	Split tls_handshake() out from tls_accept/tls_connect. By doing this the	jsing	2015-09-10	1	-1/+2
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	tls_accept/tls_connect functions can be guaranteed to succeed or fail and will no longer return TLS_READ_AGAIN/TLS_WRITE_AGAIN. This also resolves the semantics of tls_accept_*. The tls_handshake() function now does I/O and can return TLS_READ_AGAIN/TLS_WRITE_AGAIN. Calls to tls_read() and tls_write() will trigger the handshake if it has not already completed, meaning that in many cases existing code will continue to work. Discussed over many coffees at l2k15. ok beck@ bluhm@
*	Add support for preferring the server's cipher list or the client's cipher	jsing	2015-09-10	1	-3/+6
\| \| \| \| \| \| \| \|	list. Prefer the server's cipher list by default. Based on a diff from Kyle Thompson <jmp at giga dot moe>. ok beck@ bcook@
*	Add client certificate support. Still needs a few tweaks but this will	beck	2015-09-09	1	-1/+4
\| \| \| \| \|	ride upcoming minor bump ok jsing@
*	Add standard headers, C++ support to tls.h.	bcook	2015-06-19	1	-1/+12
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	This makes using libtls easier to include by including dependent headers, making something like this work as expected: #include <iostream> #include <tls.h> int main() { std::cout << "tls_init: " << tls_init() << "\n"; } This also makes building a standalone libtls-portable simpler. ok doug@, jsing@
*	Provide a tls_accept_fds() function, which allows a TLS connection to be	jsing	2015-03-31	1	-1/+3
\| \| \| \| \| \|	accepted via an existing pair of file descriptors. Based on a diff from Jan Klemkow.
*	Prefix function parameter names with underscores in tls.h, since this makes	jsing	2015-02-26	1	-42/+44
\| \| \| \| \| \|	them guaranteed to not conflict per POSIX. ok espie@ guenther@
*	Rename tls_config_insecure_noverifyhost() to	jsing	2015-02-22	1	-2/+2
\| \| \| \| \| \| \|	tls_config_insecure_noverifyname(), so that it is more accurate and keeps inline with the distinction between DNS hostname and server name. Requested by tedu@ during s2k15.
*	Add a tls_config_parse_protocols() function that allows a protocols string	jsing	2015-02-12	1	-1/+3
\| \| \| \| \| \| \| \| \|	to be converted into a libtls protocols value. This allows for things like: "tlsv1.0,tlsv1.1" (TLSv1.0 and TLSv1.1) "all,!tlsv1.0" (all protocols except TLSv1.0) Discussed with tedu@ and reyk@
*	Change TLS_PROTOCOLS_DEFAULT to be TLSv1.2 only. Add a TLS_PROTOCOLS_ALL	jsing	2015-02-12	1	-2/+4
\| \| \| \| \| \| \| \|	that includes all currently supported protocols (TLSv1.0, TLSv1.1 and TLSv1.2). Change all users of libtls to use TLS_PROTOCOLS_ALL so that they maintain existing behaviour. Discussed with tedu@ and reyk@.
*	Provide a tls_connect_servername() function that has the same behaviour	jsing	2015-02-11	1	-1/+3
\| \| \| \| \| \| \| \| \|	as tls_connect(), however allows the name to use for verification to be explicitly provided, rather than being inferred from the host value. Requested by reyk@ ok reyk@ tedu@
*	Be consistent with naming - only use "host" and "hostname" when referring	jsing	2015-02-11	1	-3/+3
\| \| \| \| \| \| \| \| \| \|	to an actual host and use "servername" when referring to the name of the TLS server that we expect to be indentified in the server certificate. Likewise, rename verify_host to verify_name and use the term "name" throughout the verification code (rather than host or hostname). Requested by and ok tedu@
*	Add tls_load_file() as a helper to load certificates or encrypted keys	reyk	2015-02-07	1	-1/+3
\| \| \| \| \| \| \| \| \|	into memory. This can be used for tls_config_set_ca_mem(), tls_config_set_cert_mem() or tls_config_set_key_mem(). With input from jsing@, tedu@ and henning@ OK tedu@
*	Add tls_config_set_dheparams() to allow specification of the parameters to	jsing	2015-02-07	1	-2/+3
\| \| \| \| \| \| \| \| \|	use for DHE. This enables the use of DHE cipher suites. Rename tls_config_set_ecdhcurve() to tls_config_set_ecdhecurve() since it is only used to specify the curve for ephemeral ECDH. Discussed with reyk@
*	Allow to to load the CA chain directly from memory instead of	reyk	2015-01-22	1	-1/+3
\| \| \| \| \| \| \| \|	specifying a file. This enables CA verification in privsep'ed processes that are running chroot'ed without direct access to the certificate files. With feedback, tests, and OK from bluhm@
*	Add a tls_connect_fds() function that allows a secure connection to be	jsing	2014-11-02	1	-1/+3
\| \| \| \| \| \| \| \| \| \|	established using a pair of existing file descriptors. Based on a diff/request from Jan Klemkow. Rides previous libtls rename/library bump. Discussed with tedu@.
*	Rename libressl to libtls to avoid confusion and to make it easier to	jsing	2014-10-31	1	-0/+74
	distinguish between LibreSSL (the project) and libressl (the library). Discussed with many.