summaryrefslogtreecommitdiff
path: root/src/lib/libtls/tls_client.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Instead of declaring a union in multiple places, move it to tls_internal.h.jsing2015-09-291-5/+2
| | | | ok deraadt@
* clean some ugly intendation wartsderaadt2015-09-291-2/+5
|
* Ensure that we clear the libssl error stack before we make a function calljsing2015-09-121-1/+3
| | | | | | | | | | that we will pass the result through tls_ssl_error() on failure. Otherwise we can end up reporting spurious errors due to their being unrelated errors already on the error stack. Spotted by Marko Kreen. ok beck@
* add tls_peer functions for checking names and issuers of peer certificates.beck2015-09-111-2/+2
| | | | ok jsing@
* Split tls_handshake() out from tls_accept/tls_connect. By doing this thejsing2015-09-101-21/+37
| | | | | | | | | | | | | | | tls_accept/tls_connect functions can be guaranteed to succeed or fail and will no longer return TLS_READ_AGAIN/TLS_WRITE_AGAIN. This also resolves the semantics of tls_accept_*. The tls_handshake() function now does I/O and can return TLS_READ_AGAIN/TLS_WRITE_AGAIN. Calls to tls_read() and tls_write() will trigger the handshake if it has not already completed, meaning that in many cases existing code will continue to work. Discussed over many coffees at l2k15. ok beck@ bluhm@
* Indent labels with a space so that diff -p is more friendly.jsing2015-09-091-4/+4
| | | | Requested by bluhm@
* Add client certificate support. Still needs a few tweaks but this willbeck2015-09-091-26/+6
| | | | | ride upcoming minor bump ok jsing@
* Only take ownership of a socket if we allocated it within libtls. If we arejsing2015-09-091-3/+3
| | | | | | passed a socket then the caller is responsible for closing it. ok bcook@
* Remove the default HTTPS port from tls_connect() - this is a TLS library,jsing2015-09-081-3/+5
| | | | | | not a HTTPS library. ok beck@
* Improve libtls error messages.jsing2015-08-271-17/+17
| | | | | | | | | | | | The tls_set_error() function previously stored the errno but did nothing with it. Change tls_set_error() to append the strerror(3) of the stored errno so that we include useful information regarding failures. Provide a tls_set_errorx() function that does not store the errno or include strerror(3) in the error message. Call this function instead of tls_set_error() for errors where the errno value has no useful meaning. With feedback from and ok doug@
* Split the persistent/configuration flags from temporary state flags andjsing2015-08-271-7/+7
| | | | | | | | | | | ensure that the temporary state flags get cleared in tls_reset(). Fixes a bug spotted by Marko Kreen whereby TLS_CONNECTING could remain on reset. While here, also move the TLS_STATE_CONNECTING check to after the TLS_CLIENT check - if TLS_STATE_CONNECTING was ever set on any other context type it would allow a bypass. ok bluhm@
* SSL_set_app_data is a macro for SSL_set_ex_data(), which is a wrapperjsing2015-08-221-3/+5
| | | | | around CRYPTO_set_ex_data(), which can fail. Since this is the case, check the return value of CRYPTO_set_ex_data^WSSL_set_ex_data^WSSL_set_app_data.
* Store a reference to the libtls context in the SSL client connection appjsing2015-08-221-1/+3
| | | | | | data (as is already done for server connections). From Marko Kreen.
* Store errors that occur during a tls_accept_socket() call on the contextjsing2015-03-311-2/+2
| | | | | | | for the server, rather than on the context for the connection. This makes more sense than the current behaviour does. Issue reported by Tim van der Molen.
* free the server certificate in tls_connect_fds(); fixes a memory leak withsthen2015-03-211-1/+2
| | | | repeated use of tls_connect. ok jsing
* Provide a tls_connect_servername() function that has the same behaviourjsing2015-02-111-3/+12
| | | | | | | | | as tls_connect(), however allows the name to use for verification to be explicitly provided, rather than being inferred from the host value. Requested by reyk@ ok reyk@ tedu@
* Be consistent with naming - only use "host" and "hostname" when referringjsing2015-02-111-15/+15
| | | | | | | | | | to an actual host and use "servername" when referring to the name of the TLS server that we expect to be indentified in the server certificate. Likewise, rename verify_host to verify_name and use the term "name" throughout the verification code (rather than host or hostname). Requested by and ok tedu@
* When parsing the host in tls_connect(), first check if it is a numericreyk2015-02-091-29/+49
| | | | | | | | | IPv4 or IPv6 address before trying to resolve the address with the AI_ADDRCONFIG flag set. This makes sure that attempts to connect to numeric IPs or loopback addresses are always possible and not prevented by AI_ADDRCONFIG. OK jsing@ tedu@
* Use the AI_ADDRCONFIG flag in tls_connect(). This tells the resolverreyk2015-02-081-1/+2
| | | | | | | to ignore unsupported address families - eg. don't resolv IPv6 on IPv4-only hosts. OK jsing@
* Convert tls_connect_fds() and tls_accept_socket() to the new OpenSSL errorjsing2015-02-071-12/+6
| | | | | | | dance handling code. This means that we get slightly useful messages when a TLS connection or accept fails. Requested by reyk@
* Make the TLS connect and accept error messages consistent.bluhm2015-01-301-2/+2
| | | | OK jsing@
* Allow to to load the CA chain directly from memory instead ofreyk2015-01-221-2/+15
| | | | | | | | specifying a file. This enables CA verification in privsep'ed processes that are running chroot'ed without direct access to the certificate files. With feedback, tests, and OK from bluhm@
* For non-blocking sockets tls_connect_fds() could fail with EAGAIN.bluhm2015-01-131-5/+19
| | | | | | | | Use the same logic from the read, write, accept functions to inform the caller wether a readable or writable socket is needed. After that event, the connect function must be called again. All the checks before connecting are done only once. OK tedu@
* Rename the tls_connect_socket() parameter 'socket' to 's' to avoidbluhm2015-01-021-4/+4
| | | | | a compiler warning about shadowing a global declaration. OK jsing@
* include netinet/in.h to define struct in6_addr.bcook2014-12-271-1/+2
| | | | Noticed while testing libtls on FreeBSD.
* Allow specific libtls hostname validation errors to propagate.bcook2014-12-071-4/+5
| | | | | | | | Remove direct calls to printf from the tls_check_hostname() path. This allows NUL byte error messages to bubble up to the caller, to be logged in a program-appropriate way. It also removes non-portable calls to getprogname(). ok jsing@
* revert previous change for now, adjusting based on comments from jsing@bcook2014-12-071-6/+4
|
* Allow specific libtls hostname validation errors to propagate.bcook2014-12-071-4/+6
| | | | | | | | | | | | | Remove direct calls to printf from the tls_check_hostname() path. This allows NUL byte error messages to bubble up to the caller, to be logged in a program-appropriate way. It also removes non-portable calls to getprogname(). The semantics of tls_error() are changed slightly: the last error message is not necessarily preserved between subsequent calls into the library. When the previous call to libtls succeeds, client programs should treat the return value of tls_error() as undefined. ok tedu@
* Add a tls_connect_fds() function that allows a secure connection to bejsing2014-11-021-3/+16
| | | | | | | | | | established using a pair of existing file descriptors. Based on a diff/request from Jan Klemkow. Rides previous libtls rename/library bump. Discussed with tedu@.
* Rename libressl to libtls to avoid confusion and to make it easier tojsing2014-10-311-0/+212
distinguish between LibreSSL (the project) and libressl (the library). Discussed with many.
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-31 23:36:01 +0000