summaryrefslogtreecommitdiff
path: root/src/lib/libtls (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* bump minor for ocsp api additionsbeck2016-11-021-1/+1
|
* Add OCSP client side support to libtls.beck2016-11-027-8/+604
| | | | | | | | | | | | | - Provide access to certificate OCSP URL - Provide ability to check a raw OCSP reply against an established TLS ctx - Check and validate OCSP stapling info in the TLS handshake if a stapled OCSP response is provided.` Add example code to show OCSP URL and stapled info into netcat. ok jsing@
* use the same type for buf as the return type in tls_load_filebcook2016-10-031-2/+3
| | | | ok tedu@, noted by kinichiro
* Update ld search path for libssl/libcrypto, fixes cross-build after source ↵bcook2016-09-191-3/+3
| | | | | | moved. from Patrick Wildt
* Set callbacks on the right tls ctx on accept.bcook2016-09-141-2/+2
| | | | From Tobias Pape
* Handle the FLUSH BIO cntl, that happens at the end of SSL handshakes.bcook2016-09-141-1/+2
| | | | from Tobias Pape
* Allow callback read/write functions to set TLS_WANT_POLLOUT/POLLIN.bcook2016-09-141-3/+21
| | | | from Tobias Pape
* add a little more typing to the first callback argument.tedu2016-09-132-7/+7
| | | | it's always a tls context.
* minor tweaks;jmc2016-09-041-7/+7
|
* Bump TLS_API for addition of callbacks.jsing2016-09-041-2/+2
|
* Maintain consistency with function naming.jsing2016-09-042-8/+8
|
* Sort headers and use the installed tls.h, rather than the local one.jsing2016-09-041-5/+5
|
* $OpenBSD$ tagjsing2016-09-041-1/+1
|
* New sentence, new line. Also wrap at 80 chars.jsing2016-09-041-3/+7
|
* Add callback-based interface to libtls.bcook2016-09-0410-37/+371
| | | | | | | This allows working with buffers and callback functions instead of directly on sockets or file descriptors. Original patch from Tobias Pape <tobias_at_netshed.de>. ok beck@
* State that libtls functions apply to both clients and servers, unlessjsing2016-09-041-47/+16
| | | | | | | | | | noted otherwise. Remove all of the now redundant "client and server" notations and change the client and server notations to "client only" and "server only". With input from jmc@. ok beck@ jmc@
* Crank minor due to API additionbeck2016-08-311-1/+1
|
* Various clean up and reorganisation of the connection info handling code.jsing2016-08-223-69/+97
| | | | | | | | | In particular, rename tls_free_conninfo() to tls_conninfo_free() and make it a real free function. Rename tls_get_conninfo() to tls_conninfo_populate() and have it allocate the struct tls_conninfo (after freeing any existing one). ok beck@
* Stick with the usual 'if NULL return NULL' idiom.jsing2016-08-221-10/+10
| | | | ok beck@
* Bump TLS_API due to the addition of server side SNI functions.jsing2016-08-221-2/+2
|
* Bump libtls minor due to the addition of symbols.jsing2016-08-221-1/+1
|
* Provide an API that enables server side SNI support - add the ability tojsing2016-08-225-6/+107
| | | | | | | | provide additional keypairs (via tls_config_add_keypair_{file,mem}()) and allow the server to determine what servername the client requested (via tls_conn_servername()). ok beck@
* Create contexts for server side SNI - these include the additional SSL_CTXjsing2016-08-223-3/+174
| | | | | | | | | that is required for certificate switching with libssl and the certificate itself so that we can match against the subject and SANs. Hook up the servername callback and switch to the appropriate SSL_CTX if we find a matching certificate. ok beck@
* Split out the TLS server SSL_CTX allocation and configuration code, sojsing2016-08-181-19/+37
| | | | | | that it can be reused to allocate the additional SSL_CTXs needed for SNI. ok reyk@
* Rework parts of the libtls man page for clarity. Split out the connectionjsing2016-08-181-45/+35
| | | | | | | information related functions under their own heading and dedup the text relating to when these functions can be called. With input from and ok jmc@
* The tls_conninfo serial is also unused.jsing2016-08-151-2/+1
|
* Group conninfo fields by connection and peer cert based information,jsing2016-08-151-5/+6
| | | | sort and remove unused fingerprint.
* Fix some style(9) issues.jsing2016-08-151-3/+6
|
* Explicitly pass in an SSL_CTX * to the functions that operate on one,jsing2016-08-154-37/+38
| | | | | | | | | | | instead of assuming that they should use the one associated with the TLS context. This allows these functions to be used with the additional SSL contexts that are needed to support server-side SNI. Also rename tls_configure_keypair() to tls_configure_ssl_keypair(), so that these functions have a common prefix. ok reyk@
* Avoid leaking memory if tls_config_set_alpn() is called multiple timesjsing2016-08-131-4/+5
| | | | (this was in the original commit, but got reverted in the recommit).
* Load CA, certificate and key files into memory when the appropriatejsing2016-08-133-44/+98
| | | | | | | | | | tls_config_set_*_file() function is called. This allows us to immediately propagate useful error messages, play more nicely with privsep/pledge and have a single code path. Instead of always loading the default CA when tls_config_new() is called, defer and only load the default CA when tls_configure() is invoked, if a CA has not already been specified. ok beck@ bluhm@
* Bump libtls minor due to symbol additions.jsing2016-08-121-1/+1
|
* Add ALPN support to libtls.jsing2016-08-127-16/+168
| | | | ok beck@ doug@
* Revert previous since it adds new symbols.jsing2016-08-028-170/+16
| | | | Requested by deraadt@
* Bump TLS_API for addition of ALPN support.jsing2016-08-011-2/+2
|
* Add ALPN support to libtls.jsing2016-08-017-15/+168
| | | | ok beck@ doug@
* Split the existing TLS cipher suite groups into four:jsing2016-07-133-11/+22
| | | | | | | | | | | | "secure" (TLSv1.2+AEAD+PFS) "compat" (HIGH:!aNULL) "legacy" (HIGH:MEDIUM:!aNULL) "insecure" (ALL:!aNULL:!eNULL) This allows for flexibility and finer grained control, rather than having two extremes (an issue raised by Marko Kreen some time ago). ok beck@ tedu@
* Revert previous - it introduces problems with a common privsep use case.jsing2016-07-073-72/+35
|
* Check that the given ciphers string is syntactically valid and results injsing2016-07-061-1/+17
| | | | | | at least one matching cipher suite. ok doug@
* Always load CA, key and certificate files at the time the configurationjsing2016-07-063-35/+72
| | | | | | | | | | function is called. This simplifies code and results in a single memory based code path being used to provide data to libssl. Errors that occur when accessing the specified file are now detected and propagated immediately. Since the file access now occurs when the configuration function is called, we now play nicely with privsep/pledge. ok beck@ bluhm@ doug@
* Correctly handle an EOF that occurs prior to the TLS handshake completing.jsing2016-07-061-3/+6
| | | | | | Reported by Vasily Kolobkov, based on a diff from Marko Kreen. ok beck@
* Rename some of the internal error setting functions to more closely followjsing2016-05-273-14/+48
| | | | | | existing naming standards. Also provide functions for setting a struct tls_error * directly (rather than having to have a struct tls * or a struct tls_config *).
* Avoid leaking ca_mem when freeing a tls_config.jsing2016-05-271-1/+2
|
* Fix function parameters that do not have an underscore prefix.jsing2016-05-271-10/+10
|
* typo fixes; Anthony Coultersthen2016-05-271-3/+3
|
* Fix mangled function signatures.jsing2016-05-091-5/+5
| | | | From Carlin Bingham <cb at viennan dot net>, thanks!
* spelling fix;jmc2016-04-281-2/+2
|
* Crank majors for lib{crypto,ssl,tls} due to symbol removals, symboljsing2016-04-281-1/+1
| | | | additions and functionality changes.
* Factor our the keypair handling in libtls. This results in more readablejsing2016-04-287-52/+164
| | | | | | | | | and self-contained code, while preparing for the ability to handle multiple keypairs. Also provide two additional functions that allow a public certificate and private key to be set with a single function call. ok beck@
* Rework the error handling in libtls so that we can associate errors withjsing2016-04-285-28/+90
| | | | | | | | | | | both configuration and contexts. This allows us to propagate errors that occur during configuration, rather than either just failing with no reason or delaying the failure until it can be propagated via the tls context. Also provide a tls_config_error() function for retrieving the last error from a tls_config *. ok bcook@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-31 00:00:54 +0000