path: root/src/lib/libtls
Commit message | Author | Age | Files | Lines
...
* Expose tls_signer_error() | jsing | 2022-01-28 | 1 | -0/+1
  Add tls_signer_error to Symbols.list - this was missed during the last libtls minor bump and can ride along.
  ok deraadt@
* minor bump after api addition | eric | 2022-01-25 | 1 | -1/+1
* Introduce a signer interface intended to make TLS privsep simpler | eric | 2022-01-25 | 7 | -5/+438
  to implement.
  Add a tls_config_set_sign_cb() function that allows to register a callback for the signing operation on a tls_config. When used, the context installs fake private keys internally, and the callback receives the hash of the public key.
  Add a tls_signer_*() set of functions to manage tls_signer objects. A tls_signer is an opaque structure on which keys are added. It is used to compute signatures with private keys identified by their associated public key hash.
  Discussed with and ok jsing@ tb@
* Check function return value in libtls | inoguchi | 2022-01-19 | 1 | -9/+21
  EVP_EncryptInit_ex, EVP_DecryptInit_ex and HMAC_Init_ex are possible to fail and return error. Error from these functions will be fatal for the callback, and I choose to return -1. SSL_CTX_set_tlsext_ticket_key_cb.3 explains the return value of callback.
  This also could fix Coverity CID 345319.
  ok jsing@ tb@
* bump libcrypto, libssl, libtls majors after struct visibility changes | tb | 2022-01-14 | 1 | -1/+1
  and Symbol addition and removal in libcrypto.
* Convert tls_bio_cb for opaque BIO | tb | 2022-01-10 | 1 | -19/+46
  joint with jsing
* contibutions -> contributions | jsg | 2022-01-01 | 1 | -3/+3
* Bump majors after struct visibility changes, symbol removal and symbol | tb | 2021-10-31 | 1 | -1/+1
  addition.
* Simplify some code by using X509_STORE_CTX_get_obj_by_subject() | tb | 2021-10-31 | 1 | -8/+8
  ok beck jsing
* libtls: Don't reach into X509_STORE_CTX. | tb | 2021-10-21 | 1 | -12/+20
  ok jsing
* Switch from X509_VERIFY_PARAM_set_flags() to X509_STORE_set_flags(). | tb | 2021-10-21 | 1 | -2/+2
  This reduces the number of reacharounds into libcrypto internals.
  ok jsing
* Eliminate a dead assignment and a weird cast. Adjust a comment to | tb | 2021-10-21 | 1 | -6/+3
  reality while there.
  ok jsing
* Print uid with %u instead of %i. | tb | 2021-10-21 | 1 | -2/+2
  Prompted by a diff by Jonas Termansen, discussed with deraadt, millert
  ok jsing
* Use *printf %d instead of %i | tb | 2021-10-21 | 1 | -2/+2
  ok jsing
* Use SSL_CTX_get0_param() rather than reaching into the SSL_CTX. | jsing | 2021-10-02 | 1 | -2/+2
* major bump (same type of crank as libssl) | tb | 2021-09-10 | 1 | -1/+1
* typo in comment | tb | 2021-08-16 | 1 | -2/+2
* zap wonky commas; | jmc | 2021-06-22 | 1 | -5/+5
* Clarify tls_config_set_*_file() file I/O semantics | kn | 2021-06-22 | 1 | -13/+11
  tls_config_set_*_file(3) do not just set the file paths like tls_config_set_*_path(3) do, they do load the given file(s) into memory directly using tls_config_load_file().
  This distinction is important because it means a later tls_connect(3) will not do any file I/O (at least wrt. those files), which is relevant when for example pledging without "[rwc]path" after loading files into memory and before doing tls_connect(3).
  The manual's current wording made me use the following due to above way of pledging a program:
    tls_load_file()
    tls_config_set_ca_mem()
    tls_unload_file()
  While in fact a single tls_config_set_ca_file() call does the same.
  tls_config.c r1.26 (Aug 2016) changed the code but forgot to amend the manual as noted by tb, thanks.
  Feedback OK tb
* Use SSL_AD_INTERNAL_ERROR | tb | 2021-06-14 | 1 | -2/+2
  One instance of TLS1_AD_* was missed and broke the tree in the recent switch to using only one version of alert defines internally.
* Update RFC reference. RFC 4366 was obsoleted by RFC 6066. | tb | 2021-06-01 | 1 | -2/+2
* Avoid sending a trailing dot in SNI as a client | tb | 2021-06-01 | 1 | -6/+19
  While an FQDN includes a trailing dot for the zero-length label of the root, SNI explicitly does not contain it. Contrary to other TLS implementations, our tlsext_sni_is_valid_hostname() rejects a trailing dot. The result is that LibreSSL TLS servers encountering an SNI with trailing dot abort the connection with an illegal_parameter alert.
  This fixes an issue reported by danj in nc(1) and by sthen in ftp(1).
  DNS cluebat from florian.
  ok jsing
* Remove unnecessary cast in free. | tb | 2021-06-01 | 1 | -2/+2
  ok jsing
* give libtls the same bump as libssl | tb | 2021-05-10 | 1 | -2/+2
* Bump minors after symbol addition | tb | 2021-03-31 | 1 | -1/+1
* OCSP_basic_verify() doesn't set errno, so use tls_set_errorx() | tb | 2021-03-23 | 1 | -2/+2
  ok inoguchi
* Use "EC/RSA key setup failure" to align error with others | tb | 2021-02-01 | 1 | -3/+3
  ok eric jsing
* Move private key setup to a helper function with proper error | eric | 2021-01-26 | 1 | -10/+47
  checking. Only install the hash on the key if fake key is used, and do it for EC keys too.
  ok tb@ jsing@
* when using fake keys, skip the private key check | eric | 2021-01-21 | 1 | -1/+2
  ok tb@
* return -1 on error for consistency | eric | 2021-01-21 | 1 | -2/+2
  ok tb@
* minor bump after symbol addition | eric | 2021-01-21 | 1 | -1/+1
* Allow setting a keypair on a tls context without specifying the private | eric | 2021-01-21 | 4 | -26/+77
  key, and fake it internally with the certificate public key instead. It makes it easier for privsep engines like relayd that don't have to use bogus keys anymore.
  ok beck@ tb@ jsing@
* Fix indent. | jsing | 2021-01-05 | 1 | -2/+2
* Remove memset that was made redundant with the ASN1_time_parse() | tb | 2021-01-05 | 1 | -4/+1
  fix in libcrypto/asn1/a_time_tm.c r1.16.
  Suggested by jsing
* Tweak previous: | schwarze | 2021-01-02 | 1 | -19/+34
    * Do not abuse .Bl -tag for lists without bodies, use .Bl -item instead.
    * In tagged lists, put bodies into bodies, not into heads.
    * Add a few missing macros.
    * Drop some useless quoting.
* Make list of DHE parameters more prominent | kn | 2021-01-02 | 1 | -6/+19
  Follow the previous commit and complete the manual page for consistency; better readable and tags for free.
  OK tb
* Make the list of supported protocols more prominent | kn | 2020-12-30 | 1 | -5/+15
  Manuals like httpd.conf(5) refer to this for valid protocol strings, but elements inlined into sentences are hard to spot.
  Use a list as already done elsewhere in this manual.
  OK jmc on earlier version
  Feedback OK tb
* Destroy the mutex in tls_config objects when tls_config_free is called. | bcook | 2020-12-22 | 1 | -1/+3
  Add a stub for pthread_mutex_destroy() for installers.
  ok tb@
* Revert call to pthread_mutex_destroy until installers have a stub. | bcook | 2020-12-22 | 1 | -3/+1
  noted by deraadt@
* Destroy the mutex in a tls_config object when tls_config_free is called. | bcook | 2020-12-21 | 1 | -1/+3
  ok inoguchi@
* Fix return value variable type in tls_keypair_load_cert | inoguchi | 2020-12-15 | 1 | -2/+2
  ERR_peek_error() returns unsigned long.
  Reported by github issue by @rozhuk-im.
  ok bcook@ jsing@
* The check_includes step is incorrect dependency management model for | deraadt | 2020-06-09 | 1 | -11/+1
  how our tree gets built. If this was done in all the libraries (imagine sys/dev), it would disrupt the development process hugely. So it should not be done here either. use 'make includes' by hand instead.
* Clear SSL_MODE_AUTO_RETRY in libtls, since we handle WANT_POLLIN correctly. | jsing | 2020-05-24 | 1 | -1/+3
* Correct includes check for libtls. | jsing | 2020-01-22 | 1 | -2/+2
* Add checks to ensure that lib{crypto,ssl,tls} public headers have actually | jsing | 2020-01-22 | 1 | -1/+11
  been installed prior to building.
  Requested by and ok tb@
* Note in the man page that the default protocols list includes 1.3 | beck | 2020-01-22 | 1 | -4/+4
  ok jsing@
* Enable TLS version 1.3 in the default protocols for libtls. | beck | 2020-01-22 | 1 | -2/+2
  This will as yet not do anything, until we turn it on in the lower level libraries.
  ok jsing@
* Add support for TLSv1.3 as a protocol to libtls. | jsing | 2020-01-20 | 4 | -11/+20
  This makes tls_config_parse_protocols() recognise and handle "tlsv1.3". If TLSv1.3 is enabled libtls will also request libssl to enable it.
  ok beck@ tb@
* Add missing RCS tag. | tb | 2019-12-03 | 1 | -0/+1
* Allow 1.3 ciphers in libtls. | beck | 2019-11-16 | 1 | -2/+2
  ok jsing@