summaryrefslogtreecommitdiff
path: root/src/lib/libtls (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Use SSL_AD_INTERNAL_ERRORtb2021-06-141-2/+2
| | | | | One instance of TLS1_AD_* was missed and broke the tree in the recent switch to using only one version of alert defines internally.
* Update RFC reference. RFC 4366 was obsoleted by RFC 6066.tb2021-06-011-2/+2
|
* Avoid sending a trailing dot in SNI as a clienttb2021-06-011-6/+19
| | | | | | | | | | | | | While an FQDN includes a trailing dot for the zero-length label of the root, SNI explicitly does not contain it. Contrary to other TLS implementations, our tlsext_sni_is_valid_hostname() rejects a trailing dot. The result is that LibreSSL TLS servers encountering an SNI with trailing dot abort the connection with an illegal_parameter alert. This fixes an issue reported by danj in nc(1) and by sthen in ftp(1). DNS cluebat from florian. ok jsing
* Remove unnecessary cast in free.tb2021-06-011-2/+2
| | | | ok jsing
* give libtls the same bump as libssltb2021-05-101-2/+2
|
* Bump minors after symbol additiontb2021-03-311-1/+1
|
* OCSP_basic_verify() doesn't set errno, so use tls_set_errorx()tb2021-03-231-2/+2
| | | | ok inoguchi
* Use "EC/RSA key setup failure" to align error with otherstb2021-02-011-3/+3
| | | | ok eric jsing
* Move private key setup to a helper function with proper erroreric2021-01-261-10/+47
| | | | | | | checking. Only install the hash on the key if fake key is used, and do it for EC keys too. ok tb@ jsing@
* when using fake keys, skip the private key checkeric2021-01-211-1/+2
| | | | ok tb@
* return -1 on error for consistencyeric2021-01-211-2/+2
| | | | ok tb@
* minor bump after symbol additioneric2021-01-211-1/+1
|
* Allow setting a keypair on a tls context without specifying the privateeric2021-01-214-26/+77
| | | | | | | | key, and fake it internally with the certificate public key instead. It makes it easier for privsep engines like relayd that don't have to use bogus keys anymore. ok beck@ tb@ jsing@
* Fix indent.jsing2021-01-051-2/+2
|
* Remove memset that was made redundant with the ASN1_time_parse()tb2021-01-051-4/+1
| | | | | | fix in libcrypto/asn1/a_time_tm.c r1.16. Suggested by jsing
* Tweak previous:schwarze2021-01-021-19/+34
| | | | | | | * Do not abuse .Bl -tag for lists without bodies, use .Bl -item instead. * In tagged lists, put bodies into bodies, not into heads. * Add a few missing macros. * Drop some useless quoting.
* Make list of DHE parameters more prominentkn2021-01-021-6/+19
| | | | | | | Follow the previous commit and complete the manual page for consistency; better readable and tags for free. OK tb
* Make the list of supported protocols more prominentkn2020-12-301-5/+15
| | | | | | | | | | Manuals like httpd.conf(5) refer to this for valid protocol strings, but elements inlined into sentences are hard find to spot. Use a list as already done elsewhere in this manual. OK jmc on earlier version Feeback OK tb
* Destroy the mutex in tls_config objects when tls_config_free is called.bcook2020-12-221-1/+3
| | | | | | Add a stub for pthread_mutex_destroy() for installers. ok tb@
* Revert call to pthread_mutex_destroy until installers have a stub.bcook2020-12-221-3/+1
| | | | noted by deraadt@
* Destroy the mutex in a tls_config object when tls_config_free is called.bcook2020-12-211-1/+3
| | | | ok inoguchi@
* Fix return value variable type in tls_keypair_load_certinoguchi2020-12-151-2/+2
| | | | | | | ERR_peek_error() returns unsigned long. Reported by github issue by @rozhuk-im. ok bcook@ jsing@
* The check_includes step is incorrect dependency management model forderaadt2020-06-091-11/+1
| | | | | | how our tree gets built. If this was done in all the libraries (imagine sys/dev), it would disrupt the development process hugely. So it should not be done here either. use 'make includes' by hand instead.
* Clear SSL_MODE_AUTO_RETRY in libtls, since we handle WANT_POLLIN correctly.jsing2020-05-241-1/+3
|
* Correct includes check for libtls.jsing2020-01-221-2/+2
|
* Add checks to ensure that lib{crypto,ssl,tls} public headers have actuallyjsing2020-01-221-1/+11
| | | | | | been installed prior to building. Requested by and ok tb@
* Note in the man page that the default protocols list includes 1.3beck2020-01-221-4/+4
| | | | ok jsing@
* Enable TLS version 1.3 in the default protocols for libtls.beck2020-01-221-2/+2
| | | | | | | This will as yet not do anything, until we turn it on in the lower level libraries. ok jsing@
* Add support for TLSv1.3 as a protocol to libtls.jsing2020-01-204-11/+20
| | | | | | | This makes tls_config_parse_protocols() recognise and handle "tlsv1.3". If TLSv1.3 is enabled libtls will also request libssl to enable it. ok beck@ tb@
* Add missing RCS tag.tb2019-12-031-0/+1
|
* Allow 1.3 ciphers in libtls.beck2019-11-161-2/+2
| | | | ok jsing@
* Allow portable to override the default CA bundle locationbeck2019-11-162-3/+7
| | | | ok kinichiro@ jsing@
* Bump libcrypto, libssl and libtls minors due to symbol additions.jsing2019-11-021-1/+1
|
* Document tls_conn_cipher_strength().jsing2019-11-021-2/+14
| | | | ok schwarze@
* Provide tls_conn_cipher_strength().jsing2019-11-024-3/+15
| | | | | | | | | This returns the strength in bits of the symmetric cipher used for the connection. Diff from gilles@ ok tb@
* Bump libcrypto, libssl and libtls majors due to changes in struct sizesjsing2019-10-241-2/+2
| | | | and symbol addition.
* Group tls_{handshake,read,write,close}() return values documentation.jsing2019-07-091-21/+21
| | | | | | | | | | Move the documentation for tls_error() down so that both the special return values for tls_{handshake,read,write,close}() directly follow the standard return values for the same functions. Prompted by deraadt@. ok deraadt@ schwarze@
* tls_read() & tls_write() return 4 possible values: TLS_WANT_POLLOUT,deraadt2019-06-201-4/+4
| | | | | | TLS_WANT_POLLIN, -1, or 0. After handling the first two, check for -1 rather than vaguely "< 0". ok jsing
* provide getters and setters for the RSA_METHOD interfacegilles2019-06-051-1/+1
| | | | ok tb@, jsing@, sthen@
* Acquire mutex before incrementing the refcount. Fixes COV-186144bcook2019-05-131-1/+3
| | | | ok tb@
* Null out pointers on asprintf() failure.tb2019-04-131-3/+7
| | | | | | | | These pointers will be passed to free. According to asprintf(3), "on OpenBSD, ret will be set to the null pointer, but this behavior should not be relied upon." ok jsing
* Only assign destlen when src is non-NULL.jsing2019-04-041-3/+4
| | | | This avoids ever having a non-zero len with a NULL pointer.
* Switch to pthread_mutex_init().jsing2019-04-041-3/+5
| | | | | | | While PTHREAD_MUTEX_INITIALIZER can be used on OpenBSD, some other platforms do not like it. Noted by bcook@
* Bump libssl/libtls minors due to symbol addition.jsing2019-04-041-1/+1
|
* Add a mutex to guard reference counting for tls_config.jsing2019-04-013-4/+16
| | | | | | | | This makes libtls more friendly for multithreaded use - otherwise we can end up with incorrect refcounts and end up freeing when we should not be (or not freeing when we should be). ok beck@
* remove duplicate set key file call. from alf.tedu2019-03-271-3/+1
| | | | ok jsing
* fix examples (libtls uses its own error reporting mechanism)espie2019-03-201-4/+4
| | | | okay tb@
* bump minors after symbol additiontb2019-03-171-1/+1
|
* bump minors after symbol additiontb2019-01-221-1/+1
|
* bump minors after symbol additiontb2019-01-191-1/+1
|
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-20 00:42:14 +0000