summaryrefslogtreecommitdiff
path: root/src/lib/libtls/tls_internal.h (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Be consistent with naming - only use "host" and "hostname" when referringjsing2015-02-111-3/+3
| | | | | | | | | | to an actual host and use "servername" when referring to the name of the TLS server that we expect to be indentified in the server certificate. Likewise, rename verify_host to verify_name and use the term "name" throughout the verification code (rather than host or hostname). Requested by and ok tedu@
* Convert tls_connect_fds() and tls_accept_socket() to the new OpenSSL errorjsing2015-02-071-1/+2
| | | | | | | dance handling code. This means that we get slightly useful messages when a TLS connection or accept fails. Requested by reyk@
* Add tls_config_set_dheparams() to allow specification of the parameters tojsing2015-02-071-2/+3
| | | | | | | | | use for DHE. This enables the use of DHE cipher suites. Rename tls_config_set_ecdhcurve() to tls_config_set_ecdhecurve() since it is only used to specify the curve for ephemeral ECDH. Discussed with reyk@
* Allow to to load the CA chain directly from memory instead ofreyk2015-01-221-1/+3
| | | | | | | | specifying a file. This enables CA verification in privsep'ed processes that are running chroot'ed without direct access to the certificate files. With feedback, tests, and OK from bluhm@
* For non-blocking sockets tls_connect_fds() could fail with EAGAIN.bluhm2015-01-131-2/+3
| | | | | | | | Use the same logic from the read, write, accept functions to inform the caller wether a readable or writable socket is needed. After that event, the connect function must be called again. All the checks before connecting are done only once. OK tedu@
* Add size_t to int checks for SSL functions.doug2014-12-171-2/+4
| | | | | | | | | | libtls accepts size_t for lengths but libssl accepts int. This verifies that the input does not exceed INT_MAX. It also avoids truncating size_t when comparing with int and adds printf-style attributes for tls_set_error(). with input from deraadt@ and tedu@ ok tedu@
* Allow specific libtls hostname validation errors to propagate.bcook2014-12-071-2/+2
| | | | | | | | Remove direct calls to printf from the tls_check_hostname() path. This allows NUL byte error messages to bubble up to the caller, to be logged in a program-appropriate way. It also removes non-portable calls to getprogname(). ok jsing@
* revert previous change for now, adjusting based on comments from jsing@bcook2014-12-071-3/+2
|
* Allow specific libtls hostname validation errors to propagate.bcook2014-12-071-2/+3
| | | | | | | | | | | | | Remove direct calls to printf from the tls_check_hostname() path. This allows NUL byte error messages to bubble up to the caller, to be logged in a program-appropriate way. It also removes non-portable calls to getprogname(). The semantics of tls_error() are changed slightly: the last error message is not necessarily preserved between subsequent calls into the library. When the previous call to libtls succeeds, client programs should treat the return value of tls_error() as undefined. ok tedu@
* Rename libressl to libtls to avoid confusion and to make it easier tojsing2014-10-311-0/+72
distinguish between LibreSSL (the project) and libressl (the library). Discussed with many.
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-27 15:54:05 +0000