IABSD.fr/src/lib/libtls

Log

Commit Date Message
4d97159a 2020-06-09 16:53:52 The check_includes step is an incorrect dependency management model for how our tree gets built. If this was done in all the libraries (imagine sys/dev), it would disrupt the development process hugely. So it should not be done here either. Use 'make includes' by hand instead.
3c640480 2020-05-24 15:12:54 Clear SSL_MODE_AUTO_RETRY in libtls, since we handle WANT_POLLIN correctly.
bcccd631 2020-01-22 08:00:46 Correct includes check for libtls.
c1fdfe6b 2020-01-22 07:58:27 Add checks to ensure that lib{crypto,ssl,tls} public headers have actually been installed prior to building. Requested by and ok tb@
6f8363ee 2020-01-22 06:46:34 Note in the man page that the default protocols list includes 1.3 ok jsing@
c6bdffd5 2020-01-22 06:44:02 Enable TLS version 1.3 in the default protocols for libtls. This will as yet not do anything, until we turn it on in the lower level libraries. ok jsing@
4c479435 2020-01-20 08:39:21 Add support for TLSv1.3 as a protocol to libtls. This makes tls_config_parse_protocols() recognise and handle "tlsv1.3". If TLSv1.3 is enabled libtls will also request libssl to enable it. ok beck@ tb@
83718595 2019-12-03 14:56:42 Add missing RCS tag.
b10e6c9e 2019-11-16 21:39:52 Allow 1.3 ciphers in libtls. ok jsing@
15dff5ba 2019-11-16 06:44:33 Allow portable to override the default CA bundle location ok kinichiro@ jsing@
26d18ab6 2019-11-02 13:52:54 Bump libcrypto, libssl and libtls minors due to symbol additions.
8e0c7682 2019-11-02 13:43:14 Document tls_conn_cipher_strength(). ok schwarze@
bbf181b7 2019-11-02 13:37:59 Provide tls_conn_cipher_strength(). This returns the strength in bits of the symmetric cipher used for the connection. Diff from gilles@ ok tb@
d2460364 2019-10-24 15:58:38 Bump libcrypto, libssl and libtls majors due to changes in struct sizes and symbol addition.
5719c9cb 2019-07-09 17:58:33 Group tls_{handshake,read,write,close}() return values documentation. Move the documentation for tls_error() down so that both the special return values for tls_{handshake,read,write,close}() directly follow the standard return values for the same functions. Prompted by deraadt@. ok deraadt@ schwarze@
fe1f7dfa 2019-06-20 15:47:44 tls_read() & tls_write() return 4 possible values: TLS_WANT_POLLOUT, TLS_WANT_POLLIN, -1, or 0. After handling the first two, check for -1 rather than vaguely "< 0". ok jsing
bd3f6f9a 2019-06-05 15:41:33 provide getters and setters for the RSA_METHOD interface ok tb@, jsing@, sthen@
565eed69 2019-05-13 22:36:01 Acquire mutex before incrementing the refcount. Fixes COV-186144 ok tb@
0f235647 2019-04-13 18:47:58 Null out pointers on asprintf() failure. These pointers will be passed to free. According to asprintf(3), "on OpenBSD, ret will be set to the null pointer, but this behavior should not be relied upon." ok jsing
a2b2c537 2019-04-04 15:10:10 Only assign destlen when src is non-NULL. This avoids ever having a non-zero len with a NULL pointer.
d7e2296c 2019-04-04 15:09:09 Switch to pthread_mutex_init(). While PTHREAD_MUTEX_INITIALIZER can be used on OpenBSD, some other platforms do not like it. Noted by bcook@
e25f5abf 2019-04-04 15:04:03 Bump libssl/libtls minors due to symbol addition.
bebb943a 2019-04-01 15:58:02 Add a mutex to guard reference counting for tls_config. This makes libtls more friendly for multithreaded use - otherwise we can end up with incorrect refcounts and end up freeing when we should not be (or not freeing when we should be). ok beck@
566f876a 2019-03-27 11:12:10 remove duplicate set key file call. from alf. ok jsing
5030b68b 2019-03-20 14:17:19 fix examples (libtls uses its own error reporting mechanism) okay tb@
8bf23119 2019-03-17 18:19:34 bump minors after symbol addition
c2f29523 2019-01-22 01:19:39 bump minors after symbol addition
e7b14bac 2019-01-19 01:27:06 bump minors after symbol addition
11e8be6b 2018-12-14 20:18:27 Delete a note taken during the rev. 1.1 man page split that should have been deleted before commit. The cross reference is already present below SEE ALSO. Glitch noticed by jsing@.
e94fe394 2018-11-29 15:51:49 missed adding tls_default_ca_cert_file here. found by sthen
f6b75673 2018-11-29 14:24:23 expose the default cert file as a function, not a define. it's really an internal detail of the library, so the string should live inside it, not in the application code. ok jsing
81105c4b 2018-11-11 07:00:14 bump minors after symbol addition.
44f35d7b 2018-11-06 20:34:54 Define TLS_CA_CERT_FILE rather than having every application create their own define for /etc/ssl/cert.pem. ok beck@ bluhm@ tb@
736a24ae 2018-10-24 18:08:02 Bump libcrypto/libssl/libtls majors due to symbol removals (libcrypto) and changes to struct visibility/sizes (libssl).
f88b52fa 2018-09-12 06:36:15 crank to follow minor crank in libcrypto; ok tb@ jsing@
97b6ed76 2018-08-24 20:33:17 crank majors after symbol addition/modification/removal
5a0149f0 2018-08-21 00:35:55 typo in argument type, from Mario dot Andres dot Campos at gmail dot com
c8cb7e60 2018-07-24 02:01:34 Use the same order in NAME, SYNOPSIS, DESCRIPTION, and RETURN VALUES to improve readability and ease of maintenance. Positive feedback jmc Detailed suggestion & ok schwarze
b8704739 2018-07-23 18:30:29 Document tls_peer_ocsp_result() and use it in place of the non-existent tls_peer_ocsp_result_msg() in the documentation. input & ok jsing Reads fine to jmc and makes sense to schwarze
be2a9af7 2018-07-09 19:51:18 Move a detail on tls_connect(3) to its documentation and be a bit more explicit about the servername argument of tls_connect_servername(3). input & ok jsing, input & ok schwarze on earlier version
9a9971dd 2018-07-09 19:47:20 wording tweak for tls_init() from jsing ok jsing, schwarze
bbc49888 2018-07-08 21:06:40 Simplify and shorten the description of tls_init(3), fixing an awkward wording noticed by tb@. OK tb@
91b2d0d3 2018-05-26 12:35:26 minor markup improvement: .Fa *cctx -> .Pf * Fa cctx
d4c5fc9d 2018-05-26 12:32:59 Quote .Fa arguments containing blanks. Diff from Jack Burton <jack at saosce dot com dot au>.
b3064b8a 2018-04-07 16:35:34 Correct tls_config_clear_keys() behaviour. Previously this incorrectly called tls_keypair_clear(), which results in the private key being cleared, along with the certificate, OCSP staple and pubkey hash. This breaks OCSP stapling if tls_config_clear_keys() is called following tls_configure(), as is done by httpd. Fix this by calling tls_keypair_clear_key() so that only the private key is cleared, leaving the other public data untouched. While here, remove tls_keypair_clear() and fold the necessary parts into tls_keypair_free(). ok beck@
c650228d 2018-04-07 16:30:59 Switch to OPENSSL_init_ssl() and prevent an openssl configuration file from being loaded behind our back, at a later point. ok beck@
1556a9e0 2018-03-20 15:40:10 Avoid potentially calling strchr() on a NULL pointer in tls_config_set_ecdhecurve(). Spotted by Coverity.
5cf45f87 2018-03-20 15:35:09 bump minors after symbol addition
b9573a74 2018-03-19 16:34:47 Automatically handle library initialisation for libtls. Now that we have tls_init() under pthread_once(), automatically initialise libtls from the entry point functions (tls_config(), tls_client() and tls_server()) - this makes an explicit tls_init() call no longer a requirement. ok bcook@ beck@ inoguchi@
c9fefa03 2018-03-17 16:44:44 crank majors req by deraadt
91c5cd95 2018-03-17 16:24:57 Bump minors after symbol addition
cd1f8ab3 2018-03-15 12:35:23 Also bump libtls minor after the addition of SSL_CTX_get_min/max_proto_version cluebat tb@
c029eb32 2018-03-08 16:12:00 un-revert tls_init pthread_once change, now that stub is added so that builds work
d6bdacfd 2018-03-07 19:07:13 backout. diff was not tested comprehensively, resulting in a broken tree.
62f07b25 2018-03-07 17:17:47 Make tls_init() concurrently callable using pthread_once(). ok jsing@ This brings pthread_once usage into libressl, which will need to get dealt with correctly in portable. This sets us up to autoinit libtls, and we will also be using pthread_once to deal with autoinit stuff in libssl and libcrypto
59a5eaec 2018-02-22 17:34:42 Bump lib{crypto,ssl,tls} minors due to symbol additions.
bb6936f0 2018-02-20 18:19:07 Crank lib{crypto,ssl,tls} minors after symbol addition.
b6641ed5 2018-02-18 15:00:36 Bump minor due to symbol addition.
39bca1a9 2018-02-18 13:07:34 Bump libcrypto/libssl/libtls minors due to symbol additions.
32cf9fd7 2018-02-17 15:51:29 Bump libcrypto/libssl/libtls minors due to symbol additions.
24bc253b 2018-02-14 17:16:21 Bump lib{crypto,ssl,tls} minors due to symbol additions.
9a8e282d 2018-02-10 06:07:43 Be more specific about when the session file will be updated.
cda4f3c7 2018-02-10 04:58:08 Bump TLS API version since we've added more functionality.
2974e8f1 2018-02-10 04:57:35 Move the keypair pubkey hash handling code to during config. The keypair pubkey hash was being generated and set in the keypair when the TLS context was being configured. This code should not be messing around with the keypair contents, since it is part of the config (and not the context). Instead, generate the pubkey hash and store it in the keypair when the certificate is configured. This means that we are guaranteed to have the pubkey hash and as a side benefit, we identify bad certificate content when it is provided, instead of during the context configuration. ok beck@
f385e3b3 2018-02-10 04:48:44 Tidy/standardise some code.
5e81c42a 2018-02-10 04:48:17 Remove NULL check from tls_conninfo_cert_pem() - all of the other conninfo functions require the conninfo passed in to be non-NULL.
940f9ff5 2018-02-10 04:43:16 Document functions for client-side TLS session support.
0dd084b9 2018-02-10 04:41:24 Add support to libtls for client-side TLS session resumption. A libtls client can specify a session file descriptor (a regular file with appropriate ownership and permissions) and libtls will manage reading and writing of session data across TLS handshakes. Discussed at length with deraadt@ and tedu@. Rides previous minor bump. ok beck@
536237fb 2018-02-10 04:34:25 Bump lib{crypto,ssl,tls} minors due to symbol addition.
34002f5d 2018-02-08 10:19:31 Have tls_keypair_pubkey_hash() call tls_keypair_load_cert() instead of rolling its own certificate loading. This also means we get better error reporting on failure.
05729e6f 2018-02-08 10:03:19 Ensure that tls_keypair_clear() clears the OCSP staple and pubkey hash.
04d4f269 2018-02-08 10:02:48 Do not bother NULLing pointers in a struct that is about to be freed.
50cd4781 2018-02-08 08:09:10 Move tls_keypair_pubkey_hash() to the keypair file.
0a095d8f 2018-02-08 08:04:12 Avoid a memory leak that results when the same tls_config is reused. Reported by and fix from Nate Bessette <openbsd at nate dot sh> - thanks.
15ba8e50 2018-02-08 07:55:29 Assert tedu's copyright since some of the code moved here is his.
bb4cb1b0 2018-02-08 05:56:49 Split keypair handling out into its own file - it had already appeared in multiple locations. ok beck@
a38d3b9a 2018-02-05 01:47:03 Do not bother NULLing pointers in memory that is freed immediately after.
7add217b 2018-02-05 00:52:24 Be consistent with the goto label names used in libtls code. No change to generated assembly.
568004a5 2017-12-09 16:46:08 Make tls_config_parse_protocols() work correctly when passed a NULL pointer for a protocol string. Issue found by semarie@, who also provided the diff.
74a357a3 2017-10-08 06:56:36 hyphenate DER/PEM-encoded, for consistency;
6bcf209c 2017-10-07 14:41:58 Document tls_peer_cert_chain_pem(). ok beck@
c68c7b49 2017-09-25 18:07:03 If tls_config_parse_protocols() is called with a NULL pointer, return the default protocols instead of crashing - this makes the behaviour more useful and mirrors what we already do in tls_config_set_ciphers() et al.
9ee433b9 2017-09-20 17:05:17 Keep track of which keypair is in use by a TLS context. This fixes a bug whereby a TLS server with SNI would always only return the OCSP staple for the default keypair, rather than returning the OCSP staple associated with the keypair that was selected via SNI. Issue reported by William Graeber and confirmed by Andreas Bartelt. Fix tested by William Graeber and Andreas Bartelt - thanks!
f4abe18a 2017-09-20 16:52:37 Slightly restructure tls_ocsp_verify_cb() to make it more like libtls code.
30a2bc87 2017-09-20 16:38:23 Provide a useful error if there are no OCSP URLs in the peer certificate.
97aaf95e 2017-09-20 16:36:45 Fix indentation.
4305c5d6 2017-08-30 16:24:56 Bump libssl/libtls minors due to symbol (re)addition.
33e0c816 2017-08-28 17:49:06 Bump lib{crypto,ssl,tls} majors due to symbol removals.
e4972b9b 2017-08-28 13:58:02 Fix unchecked return nit ok bcook@ jsing@
9fdb873d 2017-08-27 01:39:26 Make the symbol for ASN1_time_tm_clamp_notafter visible so libtls can get at it, so libtls can also deal with notafter's past the realm of 32 bit time in portable
736f6d0b 2017-08-13 19:42:33 Switch to -Werror with clang for libressl. Discussed with beck@ and jsing@ ok beck@
e8bac763 2017-08-12 04:24:49 Document tls_config_set_dheparams().
6e76a016 2017-08-12 03:41:48 Document tls_reset().
a0786738 2017-08-11 10:33:31 new sentence, new line;
928e0665 2017-08-11 05:37:50 Bump minor due to symbol addition. Prompted by jsg@, since I apparently left it sitting in my tree...
4896de1e 2017-08-10 18:18:30 Add a tls_config_set_ecdhecurves() function to libtls, which allows the names of the elliptic curves that may be used during client and server key exchange to be specified. This deprecates tls_config_set_ecdhecurve(), which could only be used to specify a single supported curve. ok beck@
6db33edd 2017-08-09 21:27:24 Don't use tls_cert_hash for the hashing used by the engine offloading magic for the TLS privsep code. Instead use X509_pubkey_digest() because only the key should be used as identifier. Relayd is rewriting certificates and then the hash would change. Rename the hash in struct tls_keypair to pubkey_hash to make clear what this hash is about. With input and OK jsing@
5b1edaac 2017-08-01 08:41:36 correct function name; from carlos cardenas
0d038da5 2017-07-06 17:27:19 Document tls_config_set_crl_file() and tls_config_set_crl_mem(). Based on a diff from Jack Burton <jack at saosce dot com dot au>, thanks!
aa344fb7 2017-07-06 17:12:44 Bump minor due to symbol addition.