13bba76f | 08-Apr-2024 | tb <tb@openbsd.org>
Remove spaces before tabs

2b31d1bd | 27-Mar-2024 | joshua <joshua@openbsd.org>
Add TLS_ERROR_INVALID_ARGUMENT error code to libtls
This is an initial pass, defining the error code and using it for "too long"/length-related errors.
ok beck jsing

40ae7d6b | 26-Mar-2024 | joshua <joshua@openbsd.org>
Add TLS_ERROR_INVALID_CONTEXT error code to libtls
ok jsing@ beck@

7a756d37 | 26-Mar-2024 | joshua <joshua@openbsd.org>
Add error code support to libtls
This adds tls_config_error_code() and tls_error_code(), which will become public API at a later date.
Additional error codes will be added in follow-up commits.
ok jsing@ beck@

aa2571bd | 26-Mar-2024 | joshua <joshua@openbsd.org>
Use errno_value instead of num for readability
ok jsing@

deae75ad | 26-Mar-2024 | joshua <joshua@openbsd.org>
Use errno_value instead of num for readability
ok beck@ jsing@

5c389b79 | 02-Jul-2023 | beck <beck@openbsd.org>
Remove the ability to do tls 1.0 and 1.1 from libtls.
With this change any requests from configurations to request versions of tls before tls 1.2 will use tls 1.2. This prepares us to deprecate tls 1.0 and tls 1.1 support from libssl.
ok tb@

9dba47cf | 18-Jun-2023 | op <op@openbsd.org>
libtls: switch ECDSA_METHOD usage to EC_KEY_METHOD
smtpd and the bits it needs in libtls are the only consumer left of ECDSA_METHOD, which is long deprecated. This paves the way for the removal in libcrypto.
The diff is from gilles' work on OpenSMTPD-portable, libretls had a similar diff.
ok tb@, jsing@

508824d4 | 25-May-2023 | op <op@openbsd.org>
Forcibly update the EVP_PKEY's internal key
To aid privilege separation, libtls maintains application-specific data on the key inside the EVP_PKEY abstraction because the EVP API doesn't provide a way to do that on the EVP_PKEY itself.
OpenSSL 3 changed behavior of EVP_PKEY_get1_RSA() and related functions. These now return a struct from some cache. Thus, modifying the RSA will no longer modify the EVP_PKEY like it did previously, which was clearly implied to be the case in the older documentation. This is a subtle breaking change that affects several applications.
While this is documented, no real solution is provided. The transition plan from one OpenSSL major version to the next one tends to involve many #ifdef in the ecosystem, and the only suggestion provided by the new documentation is to switch to a completely unrelated, new API.
Instead, forcibly reset the internal key on EVP_PKEY after modification, this way the change is picked up also by OpenSSL 3.
Fixes issue 1171 in OpenSMTPD-portable
ok tb@, jsing@

e6d77be9 | 14-May-2023 | op <op@openbsd.org>
add missing #include <string.h>; ok tb@

56f8640c | 08-Feb-2022 | tb <tb@openbsd.org>
Plug a long standing leak in libtls CRL handling
X509_STORE_add_crl() does not take ownership of the CRL, it bumps its refcount. So nulling out the CRL from the stack will leak it.
Issue reported by KS Sreeram, thanks!
ok jsing

9ecbddc1 | 25-Jan-2022 | eric <eric@openbsd.org>
Introduce a signer interface intended to make TLS privsep simpler to implement.
Add a tls_config_set_sign_cb() function that allows registering a callback for the signing operation on a tls_config. When used, the context installs fake private keys internally, and the callback receives the hash of the public key.
Add a tls_signer_*() set of functions to manage tls_signer objects. A tls_signer is an opaque structure on which keys are added. It is used to compute signatures with private keys identified by their associated public key hash.
Discussed with and ok jsing@ tb@

cbc8ac2b | 21-Oct-2021 | tb <tb@openbsd.org>
Switch from X509_VERIFY_PARAM_set_flags() to X509_STORE_set_flags(). This reduces the number of reacharounds into libcrypto internals.
ok jsing

4c5367e0 | 21-Oct-2021 | tb <tb@openbsd.org>
Use *printf %d instead of %i
ok jsing

61298c2b | 02-Oct-2021 | jsing <jsing@openbsd.org>
Use SSL_CTX_get0_param() rather than reaching into the SSL_CTX.

e3a30b14 | 01-Feb-2021 | tb <tb@openbsd.org>
Use "EC/RSA key setup failure" to align error with others
ok eric jsing

f8e1ec60 | 26-Jan-2021 | eric <eric@openbsd.org>
Move private key setup to a helper function with proper error checking. Only install the hash on the key if fake key is used, and do it for EC keys too.
ok tb@ jsing@

b609dc20 | 21-Jan-2021 | eric <eric@openbsd.org>
return -1 on error for consistency
ok tb@

15339a8c | 21-Jan-2021 | eric <eric@openbsd.org>
Allow setting a keypair on a tls context without specifying the private key, and fake it internally with the certificate public key instead. It makes it easier for privsep engines like relayd that don't have to use bogus keys anymore.
ok beck@ tb@ jsing@

3c640480 | 24-May-2020 | jsing <jsing@openbsd.org>
Clear SSL_MODE_AUTO_RETRY in libtls, since we handle WANT_POLLIN correctly.

4c479435 | 20-Jan-2020 | jsing <jsing@openbsd.org>
Add support for TLSv1.3 as a protocol to libtls.
This makes tls_config_parse_protocols() recognise and handle "tlsv1.3". If TLSv1.3 is enabled libtls will also request libssl to enable it.
ok beck@ tb@

bebb943a | 01-Apr-2019 | jsing <jsing@openbsd.org>
Add a mutex to guard reference counting for tls_config.
This makes libtls more friendly for multithreaded use - otherwise we can end up with incorrect refcounts and end up freeing when we should not be (or not freeing when we should be).
ok beck@

f6b75673 | 29-Nov-2018 | tedu <tedu@openbsd.org>
expose the default cert file as a function, not a define. it's really an internal detail of the library, so the string should live inside it, not in the application code. ok jsing

44f35d7b | 06-Nov-2018 | jsing <jsing@openbsd.org>
Define TLS_CA_CERT_FILE rather than having every application create their own define for /etc/ssl/cert.pem.
ok beck@ bluhm@ tb@

c650228d | 07-Apr-2018 | jsing <jsing@openbsd.org>
Switch to OPENSSL_init_ssl() and prevent an openssl configuration file from being loaded behind our back, at a later point.
ok beck@