summaryrefslogtreecommitdiff
path: root/src/lib/libtls (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* tweak previous;jmc2015-09-141-2/+2
|
* Provide tls_config_insecure_noverifytime() in order to be able to disablejsing2015-09-146-6/+29
| | | | | | certificate validity checking. ok beck@
* Remove useless quoting from .Fo and .Fn function names, to preventschwarze2015-09-141-4/+4
| | | | | | development of a cargo cult in case people look at existing files for examples. This achieves a consistent .Fo and .Fn quoting style across the whole tree.
* some conn_version and conn_cipher bits;jmc2015-09-142-9/+10
|
* Expose EOF without close-notify via tls_close().jsing2015-09-142-6/+14
| | | | | | | | | | | Make tls_read(3)/tls_write(3) follow read(2)/write(2) like semantics and return 0 on EOF with and without close-notify. However, if we saw an EOF from the underlying file descriptors without getting a close-notify, save this and make it visible when tls_close(3) is called. This keeps the semantics we want, but makes it possible to detect truncation at higher layers, if necessary. ok beck@ guenther@
* Return an error if tls_handshake() or tls_close() is called on a contextjsing2015-09-141-2/+13
| | | | | | for which they are not valid operations. ok beck@
* add missing function return typesschwarze2015-09-141-2/+3
|
* Crank major version due to removal of SHA-0 and MD4 from libcrypto.doug2015-09-131-2/+2
|
* work around the stupid semantics of SSL_read and SSL_write to make surebeck2015-09-131-3/+3
| | | | | we can indicate an EOF properly on tls_read and tls_write ok jsing@
* Don't leak conninfo - spotted by marko kreen.beck2015-09-131-2/+3
| | | | ok jsing@
* Mechanical minor bump to follow libcrypto.miod2015-09-131-1/+1
|
* add visibility of ciper and connection version stringsbeck2015-09-134-6/+56
| | | | ok jsing@
* Move connection info into it's own private structure allocated and filled inbeck2015-09-127-120/+208
| | | | | | at handshake time. change accessors to return const char * to remove need for caller to free memory. ok jsing@
* Ensure that we clear the libssl error stack before we make a function calljsing2015-09-123-5/+12
| | | | | | | | | | that we will pass the result through tls_ssl_error() on failure. Otherwise we can end up reporting spurious errors due to their being unrelated errors already on the error stack. Spotted by Marko Kreen. ok beck@
* Put tls_peer_cert* functions in the same place.jsing2015-09-121-6/+6
|
* typoderaadt2015-09-111-2/+2
|
* more for NAME;jmc2015-09-111-1/+4
|
* more cleanup;jmc2015-09-111-16/+15
|
* update NAME; various cleanupjmc2015-09-111-20/+20
|
* document tls_get_peer_subject, tls_get_peer_issuer, and tls_get_peer_hashbeck2015-09-112-3/+58
| | | | ok jsing@
* != -> == that I broke while bikesheddingbeck2015-09-111-2/+2
|
* Do not match a wildcard against a name with no host part.beck2015-09-111-1/+4
| | | | ok jsing@
* add tls_peer functions for checking names and issuers of peer certificates.beck2015-09-117-13/+95
| | | | ok jsing@
* Provide tls_peer_cert_hash() which returns a hash of the raw certificatejsing2015-09-113-2/+92
| | | | | | | | | | | | | that was presented by the peer. The hash used is currently SHA256, however since we prefix the result with the hash name, we can change this in the future as the need arises. The same output can be generated by using: h=$(openssl x509 -outform der -in mycert.crt | sha256) printf "SHA256:${h}\n" ok beck@
* Store a reference to the peer certificate (if any) upon completion of thejsing2015-09-112-2/+8
| | | | | | handshake. Free the reference when we reset the TLS context. ok beck@
* specify what is permitted as an argument to tls_config_set_ciphers()beck2015-09-111-1/+11
|
* actually set return value to 0 on success.beck2015-09-111-1/+2
| | | | ok jsing@ who wears the cone of shame.
* - add some missing NAME entriesjmc2015-09-111-6/+8
| | | | | - zap trailing whitespace - avoid "can not"
* sort MLINKS into the same order as the man page;jmc2015-09-111-4/+4
|
* Call tls_set_errorx() instead of tls_set_error() injsing2015-09-101-5/+5
| | | | tls_configure_ssl_verify(). Also tweak an error message and unwrap a line.
* improve examples,deraadt2015-09-101-8/+11
| | | | | | | 1. hoist pollfd fields which don't change upwards 2. show ret as ssize_t, it MUST BE, or there will be lots of crying 3. on first pass, must check for either POLLIN|POLLOUT ok millert beck
* document client side certificate verification functionality.beck2015-09-102-3/+19
| | | | ok jsing@
* document changed tls_read and tls_write semantics.beck2015-09-101-15/+58
| | | | | | | document functions that clear errno. change examples to provide demonstration of both the blocking and non-blocking cases. ok jsing@, bluhm@
* mlink tls_handshake;jmc2015-09-101-1/+2
|
* tweak previous;jmc2015-09-101-3/+3
|
* Correctly document the behaviour of tls_close() - the caller is responsiblejsing2015-09-101-5/+6
| | | | | | for closing the file descriptors unless libtls allocated them. ok beck@
* Replace TLS_{READ,WRITE}_AGAIN with TLS_WANT_POLL{IN,OUT} and correctlyjsing2015-09-101-20/+13
| | | | | | document the calling requirements. ok beck@
* Update libtls man page to reflect tls_handshake() related changes.jsing2015-09-101-35/+37
| | | | ok beck@
* revert accidental commitbeck2015-09-101-4/+4
|
* comment for errno clobbering, to indicate why we do this.beck2015-09-102-5/+9
| | | | ok deraadt@ jsing@
* bump majorbeck2015-09-101-1/+1
| | | | ok jsing@
* change TLS_READ_AGAIN to TLS_WANT_POLLIN and TLS_WRITE_AGAIN to TLS_WANT_POLLOUTbeck2015-09-102-7/+7
| | | | | | | to make it more clear to users of this api what needs to be done in these error cases. Discussed extensively with bluhm@ and jsing@ and others. ok jsing@
* Change tls_read and tls_write semantics to return an ssize_t to betterbeck2015-09-102-21/+14
| | | | | | | | match read() and write() semantics to make porting existing code using read/write easier.. requested by bluhm@ who convinced jsing and I to break the api ok jsing@ bluhm@
* Split tls_handshake() out from tls_accept/tls_connect. By doing this thejsing2015-09-105-59/+120
| | | | | | | | | | | | | | | tls_accept/tls_connect functions can be guaranteed to succeed or fail and will no longer return TLS_READ_AGAIN/TLS_WRITE_AGAIN. This also resolves the semantics of tls_accept_*. The tls_handshake() function now does I/O and can return TLS_READ_AGAIN/TLS_WRITE_AGAIN. Calls to tls_read() and tls_write() will trigger the handshake if it has not already completed, meaning that in many cases existing code will continue to work. Discussed over many coffees at l2k15. ok beck@ bluhm@
* add MLINKS for _prefer_ciphers_*jmc2015-09-101-1/+3
|
* Add support for preferring the server's cipher list or the client's cipherjsing2015-09-105-8/+47
| | | | | | | | list. Prefer the server's cipher list by default. Based on a diff from Kyle Thompson <jmp at giga dot moe>. ok beck@ bcook@
* Indent labels with a space so that diff -p is more friendly.jsing2015-09-096-18/+18
| | | | Requested by bluhm@
* Add client certificate support. Still needs a few tweaks but this willbeck2015-09-096-34/+76
| | | | | ride upcoming minor bump ok jsing@
* always clear errno when coming back from tls_read tls_write, and tls_close.beck2015-09-091-9/+20
| | | | | | | this avoids the problem of people checking for return values < 0 and then checking for errno before checking for TLS_READ_AGAIN TLS_WRITE_AGAIN - since we can not guarantee what errno will be set to from the underlying library calls
* nuke trailing whitespacebeck2015-09-091-4/+3
| | | | ok jsing@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-18 22:07:47 +0000