openbsd - A mirror of https://github.com/libressl/openbsd.git

	Commit message (Collapse)	Author	Age	Files	Lines
*	Do not match a wildcard against a name with no host part.	beck	2015-09-11	1	-1/+4
\| \| \| \|	ok jsing@
*	add tls_peer functions for checking names and issuers of peer certificates.	beck	2015-09-11	1	-4/+4
\| \| \| \|	ok jsing@
*	Indent labels with a space so that diff -p is more friendly.	jsing	2015-09-09	1	-2/+2
\| \| \| \|	Requested by bluhm@
*	Improve libtls error messages.	jsing	2015-08-27	1	-4/+4
\| \| \| \| \| \| \| \| \| \| \| \|	The tls_set_error() function previously stored the errno but did nothing with it. Change tls_set_error() to append the strerror(3) of the stored errno so that we include useful information regarding failures. Provide a tls_set_errorx() function that does not store the errno or include strerror(3) in the error message. Call this function instead of tls_set_error() for errors where the errno value has no useful meaning. With feedback from and ok doug@
*	Make functions that are internal to tls verify static.	jsing	2015-08-27	1	-7/+8
\| \| \| \| \| \|	Spotted by Marko Kreen. Rides libtls major bump.
*	Reject dNSName of " " for subjectAltName extension.	doug	2015-04-29	1	-1/+20
\| \| \| \| \| \|	RFC 5280 says " " must not be used as a dNSName. ok jsing@ jca@
*	Be consistent with naming - only use "host" and "hostname" when referring	jsing	2015-02-11	1	-32/+32
\| \| \| \| \| \| \| \| \| \|	to an actual host and use "servername" when referring to the name of the TLS server that we expect to be indentified in the server certificate. Likewise, rename verify_host to verify_name and use the term "name" throughout the verification code (rather than host or hostname). Requested by and ok tedu@
*	Add size_t to int checks for SSL functions.	doug	2014-12-17	1	-5/+13
\| \| \| \| \| \| \| \| \| \|	libtls accepts size_t for lengths but libssl accepts int. This verifies that the input does not exceed INT_MAX. It also avoids truncating size_t when comparing with int and adds printf-style attributes for tls_set_error(). with input from deraadt@ and tedu@ ok tedu@
*	Allow specific libtls hostname validation errors to propagate.	bcook	2014-12-07	1	-15/+20
\| \| \| \| \| \| \| \|	Remove direct calls to printf from the tls_check_hostname() path. This allows NUL byte error messages to bubble up to the caller, to be logged in a program-appropriate way. It also removes non-portable calls to getprogname(). ok jsing@
*	Fix a memory leak in tls_check_subject_altname() by calling	jsing	2014-12-07	1	-2/+2
\| \| \| \| \| \| \|	sk_GENERAL_NAME_pop_free() instead of sk_GENERAL_NAME_free(). The latter only frees the stack itself and does not free the items. From Basskrapfen on github.
*	revert previous change for now, adjusting based on comments from jsing@	bcook	2014-12-07	1	-17/+18
\|
*	Allow specific libtls hostname validation errors to propagate.	bcook	2014-12-07	1	-18/+17
\| \| \| \| \| \| \| \| \| \| \| \| \|	Remove direct calls to printf from the tls_check_hostname() path. This allows NUL byte error messages to bubble up to the caller, to be logged in a program-appropriate way. It also removes non-portable calls to getprogname(). The semantics of tls_error() are changed slightly: the last error message is not necessarily preserved between subsequent calls into the library. When the previous call to libtls succeeds, client programs should treat the return value of tls_error() as undefined. ok tedu@
*	Rename libressl to libtls to avoid confusion and to make it easier to	jsing	2014-10-31	1	-0/+225
	distinguish between LibreSSL (the project) and libressl (the library). Discussed with many.