openbsd - A mirror of https://github.com/libressl/openbsd.git

	Commit message (Collapse)	Author	Age	Files	Lines
*	Be consistent with the goto label names used in libtls code.	jsing	2018-02-05	1	-7/+7
\| \| \| \|	No change to generated assembly.
*	Rework name verification code so that a match is indicated via an argument,	jsing	2017-04-10	1	-33/+51
\| \| \| \| \| \| \| \| \| \|	rather than return codes. More strictly follow RFC 6125, in particular only check the CN if there are no SAN identifiers present in the certificate (per section 6.4.4). Previous behaviour questioned by Daniel Stenberg <daniel at haxx dot se>. ok beck@ jca@
*	Avoid signed vs unsigned comparisons.	jsing	2016-11-04	1	-3/+4
\| \| \| \|	ok miod@
*	Add callback-based interface to libtls.	bcook	2016-09-04	1	-1/+2
\| \| \| \| \| \| \|	This allows working with buffers and callback functions instead of directly on sockets or file descriptors. Original patch from Tobias Pape <tobias_at_netshed.de>. ok beck@
*	Revert previous since it adds new symbols.	jsing	2016-08-02	1	-2/+1
\| \| \| \|	Requested by deraadt@
*	Instead of declaring a union in multiple places, move it to tls_internal.h.	jsing	2015-09-29	1	-9/+3
\| \| \| \|	ok deraadt@
*	clean some ugly intendation warts	deraadt	2015-09-29	1	-3/+9
\|
*	Do not match a wildcard against a name with no host part.	beck	2015-09-11	1	-1/+4
\| \| \| \|	ok jsing@
*	add tls_peer functions for checking names and issuers of peer certificates.	beck	2015-09-11	1	-4/+4
\| \| \| \|	ok jsing@
*	Indent labels with a space so that diff -p is more friendly.	jsing	2015-09-09	1	-2/+2
\| \| \| \|	Requested by bluhm@
*	Improve libtls error messages.	jsing	2015-08-27	1	-4/+4
\| \| \| \| \| \| \| \| \| \| \| \|	The tls_set_error() function previously stored the errno but did nothing with it. Change tls_set_error() to append the strerror(3) of the stored errno so that we include useful information regarding failures. Provide a tls_set_errorx() function that does not store the errno or include strerror(3) in the error message. Call this function instead of tls_set_error() for errors where the errno value has no useful meaning. With feedback from and ok doug@
*	Make functions that are internal to tls verify static.	jsing	2015-08-27	1	-7/+8
\| \| \| \| \| \|	Spotted by Marko Kreen. Rides libtls major bump.
*	Reject dNSName of " " for subjectAltName extension.	doug	2015-04-29	1	-1/+20
\| \| \| \| \| \|	RFC 5280 says " " must not be used as a dNSName. ok jsing@ jca@
*	Be consistent with naming - only use "host" and "hostname" when referring	jsing	2015-02-11	1	-32/+32
\| \| \| \| \| \| \| \| \| \|	to an actual host and use "servername" when referring to the name of the TLS server that we expect to be indentified in the server certificate. Likewise, rename verify_host to verify_name and use the term "name" throughout the verification code (rather than host or hostname). Requested by and ok tedu@
*	Add size_t to int checks for SSL functions.	doug	2014-12-17	1	-5/+13
\| \| \| \| \| \| \| \| \| \|	libtls accepts size_t for lengths but libssl accepts int. This verifies that the input does not exceed INT_MAX. It also avoids truncating size_t when comparing with int and adds printf-style attributes for tls_set_error(). with input from deraadt@ and tedu@ ok tedu@
*	Allow specific libtls hostname validation errors to propagate.	bcook	2014-12-07	1	-15/+20
\| \| \| \| \| \| \| \|	Remove direct calls to printf from the tls_check_hostname() path. This allows NUL byte error messages to bubble up to the caller, to be logged in a program-appropriate way. It also removes non-portable calls to getprogname(). ok jsing@
*	Fix a memory leak in tls_check_subject_altname() by calling	jsing	2014-12-07	1	-2/+2
\| \| \| \| \| \| \|	sk_GENERAL_NAME_pop_free() instead of sk_GENERAL_NAME_free(). The latter only frees the stack itself and does not free the items. From Basskrapfen on github.
*	revert previous change for now, adjusting based on comments from jsing@	bcook	2014-12-07	1	-17/+18
\|
*	Allow specific libtls hostname validation errors to propagate.	bcook	2014-12-07	1	-18/+17
\| \| \| \| \| \| \| \| \| \| \| \| \|	Remove direct calls to printf from the tls_check_hostname() path. This allows NUL byte error messages to bubble up to the caller, to be logged in a program-appropriate way. It also removes non-portable calls to getprogname(). The semantics of tls_error() are changed slightly: the last error message is not necessarily preserved between subsequent calls into the library. When the previous call to libtls succeeds, client programs should treat the return value of tls_error() as undefined. ok tedu@
*	Rename libressl to libtls to avoid confusion and to make it easier to	jsing	2014-10-31	1	-0/+225
	distinguish between LibreSSL (the project) and libressl (the library). Discussed with many.