summaryrefslogtreecommitdiff
path: root/src/lib/libtls (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Remove OpenSSL engine RSAX.doug2015-07-191-1/+1
| | | | | | | | | OpenSSL stopped building it last year and removed it this year. Based on OpenSSL commit c436e05bdc7f49985a750df64122c960240b3ae1. Also cranked major version in libcrypto, libssl and libtls. "fine with me" bcook@ miod@
* tweak previous; ok dougjmc2015-07-191-4/+4
|
* Crank the major of libtls: the behaviour of tls_write() has beenreyk2015-07-191-1/+1
| | | | | | changed in an incompatible way regarding partial writes. OK miod@ deraadt@
* Add documentation on how to use TLS_{READ,WRITE}_AGAIN.doug2015-07-191-2/+29
| | | | ok beck@
* Set SSL_MODE_ENABLE_PARTIAL_WRITE and SSL_MODE_ACCEPT_MOVING_WRITE_BUFFERbluhm2015-07-181-1/+4
| | | | | | | in libtls. This gives tls_write() a similar short write semantics as write(2). So implementing daemons with libevent buffers will be easier and workarounds in syslogd and httpd can be removed. OK tedu@ beck@ reyk@
* Crank major for libcrypto, ssl and tls due to MDC-2DES removal.doug2015-06-201-2/+2
| | | | ok miod@ jsing@
* Add standard headers, C++ support to tls.h.bcook2015-06-191-1/+12
| | | | | | | | | | | | | | | | | This makes using libtls easier to include by including dependent headers, making something like this work as expected: #include <iostream> #include <tls.h> int main() { std::cout << "tls_init: " << tls_init() << "\n"; } This also makes building a standalone libtls-portable simpler. ok doug@, jsing@
* Link ssl and crypto via BSDOBJDIR, works with native and cross buildstobiasu2015-06-051-3/+3
| | | | ok mpi@
* Record inter-library dependencies between libcrypto, libssl and libtlskettenis2015-05-171-1/+4
|
* Reject dNSName of " " for subjectAltName extension.doug2015-04-291-1/+20
| | | | | | RFC 5280 says " " must not be used as a dNSName. ok jsing@ jca@
* Treat SSL_ERROR_ZERO_RETURN as a success, rather than a failure. Alsojsing2015-04-151-5/+6
| | | | | | | ensure that outlen is set to zero so that tls_read() has read(2) like semantics for EOF. Spotted by doug@
* Make tls_close() more robust - do not rely on a close notify being receivedjsing2015-04-151-13/+17
| | | | | | | | | | | from the other side and only return TLS_READ_AGAIN/TLS_WRITE_AGAIN if we failed to send a close notify on a non-blocking socket. Otherwise be more forceful and always shutdown/close the socket regardless of other failures. Also do not consider ENOTCONN or ECONNRESET to be a shutdown failure, since there are various situations where this can occur. ok doug@ guenther@
* comma fix;jmc2015-04-031-3/+3
|
* Handle the case where multiple calls to SSL_shutdown() are required tojsing2015-04-022-8/+14
| | | | | | close the connection. Also correctly handle the error on failure. Diff from cookieandscream via github.
* Correct man page title.jsing2015-04-021-2/+2
| | | | | | Diff from Tim van der Molen. ok jmc@
* Document the fact that the tls_accept_*() functions can returnjsing2015-04-021-7/+11
| | | | | | TLS_READ_AGAIN and TLS_WRITE_AGAIN. Based on a diff from Tim van der Molen.
* Bump libtls minor due to API addition.jsing2015-03-311-1/+1
|
* Provide a tls_accept_fds() function, which allows a TLS connection to bejsing2015-03-314-9/+39
| | | | | | accepted via an existing pair of file descriptors. Based on a diff from Jan Klemkow.
* Store errors that occur during a tls_accept_socket() call on the contextjsing2015-03-314-11/+12
| | | | | | | for the server, rather than on the context for the connection. This makes more sense than the current behaviour does. Issue reported by Tim van der Molen.
* free the server certificate in tls_connect_fds(); fixes a memory leak withsthen2015-03-211-1/+2
| | | | repeated use of tls_connect. ok jsing
* Prefix function parameter names with underscores in tls.h, since this makesjsing2015-02-261-42/+44
| | | | | | them guaranteed to not conflict per POSIX. ok espie@ guenther@
* Bump libtls major due to symbol removal.jsing2015-02-221-3/+2
|
* Rename tls_config_insecure_noverifyhost() tojsing2015-02-224-21/+20
| | | | | | | tls_config_insecure_noverifyname(), so that it is more accurate and keeps inline with the distinction between DNS hostname and server name. Requested by tedu@ during s2k15.
* Check return values when setting dheparams and ecdhecurve for the defaultjsing2015-02-221-11/+14
| | | | configuration.
* In the interests of being secure by default, make the default TLS ciphersjsing2015-02-222-2/+17
| | | | | | | be those that are TLSv1.2 with AEAD and PFS. Provide a "compat" mode that allows the previous default ciphers to be selected. Discussed with tedu@ during s2k15.
* explain how tls_accept_socket works.tedu2015-02-211-2/+9
|
* tls_config_set_protocols is really void. Greg Martin.tedu2015-02-211-3/+3
|
* fill out docs a bit more, notably the read/write again behaviors.tedu2015-02-211-3/+27
| | | | ok jsing
* s/tls_load_keys/tls_load_file/jsing2015-02-151-2/+2
|
* Document tls_config_parse_protocols() and update documentation forjsing2015-02-152-5/+27
| | | | tls_config_set_protocols().
* bump minor for TLS_PROTOCOLS_ALL. OK jsing@reyk2015-02-121-1/+1
|
* Add a tls_config_parse_protocols() function that allows a protocols stringjsing2015-02-122-2/+63
| | | | | | | | | to be converted into a libtls protocols value. This allows for things like: "tlsv1.0,tlsv1.1" (TLSv1.0 and TLSv1.1) "all,!tlsv1.0" (all protocols except TLSv1.0) Discussed with tedu@ and reyk@
* Fix handling of "legacy" mode for tls_config_set_dheparams().jsing2015-02-121-2/+2
| | | | Found by reyk@
* Change TLS_PROTOCOLS_DEFAULT to be TLSv1.2 only. Add a TLS_PROTOCOLS_ALLjsing2015-02-121-2/+4
| | | | | | | | that includes all currently supported protocols (TLSv1.0, TLSv1.1 and TLSv1.2). Change all users of libtls to use TLS_PROTOCOLS_ALL so that they maintain existing behaviour. Discussed with tedu@ and reyk@.
* Provide a tls_connect_servername() function that has the same behaviourjsing2015-02-114-6/+27
| | | | | | | | | as tls_connect(), however allows the name to use for verification to be explicitly provided, rather than being inferred from the host value. Requested by reyk@ ok reyk@ tedu@
* Be consistent with naming - only use "host" and "hostname" when referringjsing2015-02-116-60/+61
| | | | | | | | | | to an actual host and use "servername" when referring to the name of the TLS server that we expect to be indentified in the server certificate. Likewise, rename verify_host to verify_name and use the term "name" throughout the verification code (rather than host or hostname). Requested by and ok tedu@
* When parsing the host in tls_connect(), first check if it is a numericreyk2015-02-091-29/+49
| | | | | | | | | IPv4 or IPv6 address before trying to resolve the address with the AI_ADDRCONFIG flag set. This makes sure that attempts to connect to numeric IPs or loopback addresses are always possible and not prevented by AI_ADDRCONFIG. OK jsing@ tedu@
* Use the AI_ADDRCONFIG flag in tls_connect(). This tells the resolverreyk2015-02-081-1/+2
| | | | | | | to ignore unsupported address families - eg. don't resolv IPv6 on IPv4-only hosts. OK jsing@
* Added tls_load_file()reyk2015-02-071-1/+2
|
* Add manpage bits for tls_load_file() and tls_accept_socket().reyk2015-02-072-2/+28
| | | | | | | | The tls_accept_socket() has been previously removed because the API is not fixed yet; but it is also already used by httpd(8) and spamd(8) so it is time to add it again and eventually change it later. OK tedu@
* Add tls_load_file() as a helper to load certificates or encrypted keysreyk2015-02-072-2/+92
| | | | | | | | | into memory. This can be used for tls_config_set_ca_mem(), tls_config_set_cert_mem() or tls_config_set_key_mem(). With input from jsing@, tedu@ and henning@ OK tedu@
* Convert tls_connect_fds() and tls_accept_socket() to the new OpenSSL errorjsing2015-02-074-26/+16
| | | | | | | dance handling code. This means that we get slightly useful messages when a TLS connection or accept fails. Requested by reyk@
* Add tls_config_set_dheparams() to allow specification of the parameters tojsing2015-02-077-22/+53
| | | | | | | | | use for DHE. This enables the use of DHE cipher suites. Rename tls_config_set_ecdhcurve() to tls_config_set_ecdhecurve() since it is only used to specify the curve for ephemeral ECDH. Discussed with reyk@
* Attempt to implement the OpenSSL error dance so that TLS read/writejsing2015-02-071-29/+61
| | | | | | failures return something that is actually useful to the caller. ok reyk@
* Rename SSL_CTX_use_certificate_chain() to SSL_CTX_use_certificate_chain_mem().reyk2015-02-061-2/+2
| | | | | As discussed with beck@ jsing@ and others OK beck@
* Make the TLS connect and accept error messages consistent.bluhm2015-01-302-5/+4
| | | | OK jsing@
* last entry in NAME should not have a trailing comma;jmc2015-01-221-2/+2
|
* Add MLINK for tls_config_set_ca_mem()reyk2015-01-221-1/+2
|
* Allow to to load the CA chain directly from memory instead ofreyk2015-01-226-8/+39
| | | | | | | | specifying a file. This enables CA verification in privsep'ed processes that are running chroot'ed without direct access to the certificate files. With feedback, tests, and OK from bluhm@
* The SSL/TLS session Id context is limited to 32 bytes. Instead ofreyk2015-01-161-1/+13
| | | | | | | | using the name of relayd relay or smtpd pki, use a 32 byte arc4random buffer that should be unique for the context. This fixes an issue in OpenSMTPD when a long pki name could break the configuration. OK gilles@ benno@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-20 04:01:18 +0000