summaryrefslogtreecommitdiff
path: root/src/lib/libtls (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* whitespacederaadt2017-01-131-3/+3
|
* Inline strlen() call to reduce/simplify code.jsing2017-01-121-5/+2
|
* Inline tls_get_new_cb_bio() from the only place that it gets called,jsing2017-01-121-22/+11
| | | | | simplifying the code. Also check the provided read and write callbacks before assigning to the context.
* If tls_set_cbs() fails an error will already be specified, so do notjsing2017-01-122-8/+4
| | | | replace it with a less specific one.
* Simplify the TLS callback BIO code - a pointer to the tls context can bejsing2017-01-121-66/+7
| | | | | | | stored directly in bio->ptr, rather than allocating and deallocating an intermediate struct. Diff from Marko Kreen <markokr at gmail dot com> - thanks!
* If tls_get_new_cb_bio() fails, an error will already be set.jsing2017-01-121-5/+2
|
* If no callbacks are specified, return after setting an error rather thanjsing2017-01-121-2/+4
| | | | | | continuing on. Also noticed by Marko Kreen.
* Avoid leaking conninfo servername.jsing2017-01-091-1/+3
| | | | Issue found by and fix from Shuo Chen <chenshuo at chenshuo dot com>.
* If certificate verification has been disabled, do not attempt to load ajsing2017-01-031-5/+9
| | | | | | | CA chain or specify CA paths. This prevents attempts to access the file system, which may fail due to pledge. ok bluhm@
* Revert previous - the original code was correct since X509_verify_cert()jsing2017-01-031-5/+5
| | | | | | | | | | | should not have changed the X509_STORE_CTX error value on success and it was initialised to X509_V_OK by X509_STORE_CTX_init(). Other software also depends on this behaviour. Previously X509_verify_cert() was mishandling the X509_STORE_CTX error value when validating alternate chains. This has been fixed and further changes now explicitly ensure that the error value will be set to X509_V_OK if X509_verify_cert() returns success.
* fix cert verify. a cert with an alt chain may verify but leave an errortedu2017-01-021-5/+5
| | | | | | in the context. don't look for errors in case of success. fixes spurious verify errors. guilty change tracked and fix tested by sthen
* Hook up a certificate verify callback so that we can set user friendlyjsing2016-12-262-8/+31
| | | | | | | | | | | | | | | | | | error messages, instead of libssl error strings. This gives us messages like: certificate verification failed: certificate has expired Instead of: 14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed This also lets us always enable peer verification since the no verification case is now handled via the callback. Tested by tedu@ ok beck@
* Bump libcrypto/libssl/libtls majors due to libcrypto symbol removal andjsing2016-12-211-1/+1
| | | | changes to libssl non-opaque structs.
* Bump TLS_API due to recent feature additions and changes.jsing2016-11-111-2/+2
|
* Change the return value of tls_config_set_protocols() andjsing2016-11-113-12/+18
| | | | | | | | | | tls_config_set_verify_depth() from void to int. This makes them consistent with all other tls_config_set_* functions and will allow for call time validation to be implemented. Rides libtls major bump. ok beck@
* Disable ec assembly for amd64 pending fixes for ssh, and bumpbeck2016-11-111-2/+2
| | | | majors appropriately
* Set the callback on the correct ssl_ctx for the SNI case, instead ofbeck2016-11-061-2/+2
| | | | | the master only. ok jsing@
* fix misplaced quote by tls_peer_ocsp_this_updatebcook2016-11-051-2/+2
|
* tweak previous;jmc2016-11-051-6/+6
|
* bump minors for symbol addition for ocsp and x25519 symbol additionsbeck2016-11-051-1/+1
|
* Add support for server side OCSP stapling to libtls.beck2016-11-057-12/+79
| | | | Add support for server side OCSP stapling to netcat.
* rename ocsp_ctx to ocspbeck2016-11-053-68/+68
| | | | ok jsing@
* Remove generated Symbols.map on make clean.jsing2016-11-051-1/+3
| | | | ok guenther@
* Build with WARNINGS=Yes.jsing2016-11-041-1/+3
|
* Avoid shadowing the socket global.jsing2016-11-041-3/+3
| | | | ok miod@
* Make the tls_keypair_new() function a valid prototype.jsing2016-11-041-2/+2
|
* Avoid another signed vs unsigned comparison.jsing2016-11-041-2/+6
| | | | ok miod@
* Add an explict list of exported symbols with just the functions declaredguenther2016-11-043-2/+85
| | | | | | | in <tls.h>, and use __{BEGIN,END}_HIDDEN_DECLS in tls_internal.h to optimize internal functions ok jsing@
* make public ASN1_time_parse and ASN1_time_tm_cmp to replace former hiddenbeck2016-11-044-10/+7
| | | | | | functions.. document with a man page. bump majors on libtls, libssl, libcrypto ok jsing@ guenther@
* Address some signed vs unsigned warnings and check that an integer valuejsing2016-11-041-4/+14
| | | | | | | | | is positive before passing it to several functions as a size_t. Additionally, in tls_load_file() there is not much point using calloc(), when we're immediately reading into the buffer (having an extra byte for NUL termination seems pointless given the API). ok beck@ miod@
* Assign and test, as is consistent with the rest of the libtls code.jsing2016-11-041-7/+4
|
* Use a consistent name for struct bio_cb * variables.jsing2016-11-041-6/+6
|
* Rename struct bio_cb_st to struct bio_cb.jsing2016-11-041-8/+8
|
* Do not cast a pointer to a struct, to a char * when assigning to a void *.jsing2016-11-041-2/+2
|
* Use a consistent name for a BIO *, rather than having four different namesjsing2016-11-041-49/+51
| | | | in the same file.
* Avoid signed vs unsigned comparisons.jsing2016-11-041-3/+4
| | | | ok miod@
* There's not much point having three static functions that do a cast andjsing2016-11-041-33/+6
| | | | | assign a pointer, when we can just inline the three and do one cast followed by three pointer assignments.
* Do not mix declarations and code.jsing2016-11-041-3/+7
|
* Rename the internal bio related functions so that they have a commonjsing2016-11-041-22/+22
| | | | prefix. Makes the code more readable and removes shadowing.
* There's not much point in casting a void * to a specific type just beforejsing2016-11-041-4/+2
| | | | | | calling free(). ok beck@ ingo@
* bump minor for ocsp_require_stapling additionbeck2016-11-041-1/+1
|
* Add ocsp_require_stapling config option for tls - allows a connectionbeck2016-11-045-6/+25
| | | | | | to indicate that it requires the peer to provide a stapled OCSP response with the handshake. Provide a "-T muststaple" for nc that uses it. ok jsing@, guenther@
* Don't do OCSP validation when we have disabled certificate verificationbeck2016-11-032-5/+8
| | | | | or certificate validation. ok jsing@
* Only set an error from libssl related code, if an error has not alreadyjsing2016-11-032-7/+47
| | | | | | | | been set by libtls code. This avoids the situation where a libtls callback has set an error, only to have it replaced by a less useful libssl based error. ok beck@
* Fix handshake failures:beck2016-11-031-20/+26
| | | | | split out internals of OCSP verification to allow callback to verify before TLS handshake is complete
* bit more cleanup;jmc2016-11-021-9/+9
|
* fix shadow declaration of time in parameter list.beck2016-11-021-2/+2
| | | | ok jsing@
* Ensure handshake is complete before processing an ocsp response for a ctxbeck2016-11-021-0/+3
| | | | ok jsing@
* tweak previous;jmc2016-11-021-32/+26
|
* bump minor for ocsp api additionsbeck2016-11-021-1/+1
|
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-21 00:50:30 +0000