| #
26433cb1 |
| 10-Dec-2024 |
tb <tb@openbsd.org> |
Provide tls_peer_cert_common_name()
There is currently no sane way of getting your hands on the common name or
subject alternative name of the peer certificate from libtls. It is possible
to extract
Provide tls_peer_cert_common_name()
There is currently no sane way of getting your hands on the common name or
subject alternative name of the peer certificate from libtls. It is possible
to extract it from the peer cert's PEM by hand, but that way lies madness.
While the common name is close to being deprecated in the webpki, it is
still the de facto standard to identify client certs. It would be nice to
have a way to access the subject alternative names as well, but this is a
lot more difficult to expose in a clean and sane C interface due to its
multivaluedness.
Initial diff from henning, with input from beck, jsing and myself
henning and bluhm have plans of using this in syslogd.
ok beck
show more ...
|
| #
6a16e2b3 |
| 02-Aug-2024 |
tb <tb@openbsd.org> |
libtls: fix legacy protocol parsing
Redefining TLS_PROTOCOL_TLSv1_0 and TLS_PROTOCOL_TLSv1_1 to be the same
as TLS_PROTOCOL_TLSv1_2 had undesired side effects, as witnessed in the
accompanying regre
libtls: fix legacy protocol parsing
Redefining TLS_PROTOCOL_TLSv1_0 and TLS_PROTOCOL_TLSv1_1 to be the same
as TLS_PROTOCOL_TLSv1_2 had undesired side effects, as witnessed in the
accompanying regress tests. The protocol string all:tlsv1.0 would disable
TLSv1.2 (so only enable TLSv1.3) and tlsv1.2:!tlsv1.1 would disable all
protocols.
It makes more sense to ignore any setting of TLSv1.0 and TLSv1.1, so if
you request 'tlsv1.1' you get no protocol, but 'all:!tlsv1.1' will enable
the two supported protocols TLSv1.3 and TLSv1.2.
Restore the defines to their original values and adjust the parsing code
to set/unset them.
Issue reported by Kenjiro Nakayama
Fixes https://github.com/libressl/openbsd/issues/151
with/ok jsing
show more ...
|
| #
2b31d1bd |
| 27-Mar-2024 |
joshua <joshua@openbsd.org> |
Add TLS_ERROR_INVALID_ARGUMENT error code to libtls
This is an initial pass, defining the error code and using it for
"too long"/length-related errors.
ok beck jsing
|
| #
40ae7d6b |
| 26-Mar-2024 |
joshua <joshua@openbsd.org> |
Add TLS_ERROR_INVALID_CONTEXT error code to libtls
ok jsing@ beck@
|
| #
7a756d37 |
| 26-Mar-2024 |
joshua <joshua@openbsd.org> |
Add error code support to libtls
This adds tls_config_error_code() and tls_error_code(), which will become
public API at a later date.
Additional error codes will be added in follow-up commits.
ok
Add error code support to libtls
This adds tls_config_error_code() and tls_error_code(), which will become
public API at a later date.
Additional error codes will be added in follow-up commits.
ok jsing@ beck@
show more ...
|
| #
5c389b79 |
| 02-Jul-2023 |
beck <beck@openbsd.org> |
Remove the ability to do tls 1.0 and 1.1 from libtls.
With this change any requests from configurations to request
versions of tls before tls 1.2 will use tls 1.2. This prepares
us to deprecate tls
Remove the ability to do tls 1.0 and 1.1 from libtls.
With this change any requests from configurations to request
versions of tls before tls 1.2 will use tls 1.2. This prepares
us to deprecate tls 1.0 and tls 1.1 support from libssl.
ok tb@
show more ...
|
| #
fd9951f7 |
| 24-Mar-2022 |
tb <tb@openbsd.org> |
Hide the tls_signer from public visibility. It's not ready yet and
should not be used. It will be revisited after release.
ok beck inoguchi jsing
|
| #
bce97392 |
| 01-Feb-2022 |
jsing <jsing@openbsd.org> |
Provide our own signature padding defines.
Rather than leaking libcrypto defines through the tls_sign_cb and
tls_signer_sign() interfaces, provide and use our own TLS_PADDING_*
defines.
ok inoguchi
Provide our own signature padding defines.
Rather than leaking libcrypto defines through the tls_sign_cb and
tls_signer_sign() interfaces, provide and use our own TLS_PADDING_*
defines.
ok inoguchi@ tb@
show more ...
|
| #
82e78bf1 |
| 01-Feb-2022 |
jsing <jsing@openbsd.org> |
Revise signer callback interface.
The current design of tls_sign_cb provides a pointer to a buffer where the
signature needs to be copied, however it fails to provide a length which
could result in
Revise signer callback interface.
The current design of tls_sign_cb provides a pointer to a buffer where the
signature needs to be copied, however it fails to provide a length which
could result in buffer overwrites. Furthermore, tls_signer_sign() is
designed such that it allocates and returns ownership to the caller.
Revise tls_sign_cb so that the called function is expected to allocate a
buffer, returning ownership of the buffer (along with its length) to the
caller of the callback. This makes it far easier (and safer) to implement
a tls_sign_cb callback, plus tls_signer_sign can be directly plugged in
(with an appropriate cast).
While here, rename and reorder some arguments - while we will normally
sign a digest, there is no requirement for this to be the case hence use
'input' and 'input_len'. Move padding (an input) before the outputs and
add some additional bounds/return value checks.
This is technically an API/ABI break that would need a libtls major bump,
however since nothing is using the signer interface (outside of regress),
we'll ride the original minor bump.
With input from tb@
ok inoguchi@ tb@
show more ...
|
| #
9ecbddc1 |
| 25-Jan-2022 |
eric <eric@openbsd.org> |
Introduce a signer interface intented to make TLS privsep simpler
to implement.
Add a tls_config_set_sign_cb() function that allows to register
a callback for the signing operation on a tls_config.
Introduce a signer interface intented to make TLS privsep simpler
to implement.
Add a tls_config_set_sign_cb() function that allows to register
a callback for the signing operation on a tls_config. When used,
the context installs fake pivate keys internally, and the callback
receives the hash of the public key.
Add a tls_signer_*() set of functions to manage tls_signer objects.
A tls_signer is an opaque structure on which keys are added.
It is used to compute signatures with private keys identified by
their associated public key hash.
Discussed with and ok jsing@ tb@
show more ...
|
| #
c6bdffd5 |
| 22-Jan-2020 |
beck <beck@openbsd.org> |
Enable TLS version 1.3 in the default protocols for libtls.
This will as yet not do anything, until we turn it on in the
lower level libraries.
ok jsing@
|
| #
4c479435 |
| 20-Jan-2020 |
jsing <jsing@openbsd.org> |
Add support for TLSv1.3 as a protocol to libtls.
This makes tls_config_parse_protocols() recognise and handle "tlsv1.3".
If TLSv1.3 is enabled libtls will also request libssl to enable it.
ok beck@
Add support for TLSv1.3 as a protocol to libtls.
This makes tls_config_parse_protocols() recognise and handle "tlsv1.3".
If TLSv1.3 is enabled libtls will also request libssl to enable it.
ok beck@ tb@
show more ...
|
| #
bbf181b7 |
| 02-Nov-2019 |
jsing <jsing@openbsd.org> |
Provide tls_conn_cipher_strength().
This returns the strength in bits of the symmetric cipher used for the
connection.
Diff from gilles@
ok tb@
|
| #
f6b75673 |
| 29-Nov-2018 |
tedu <tedu@openbsd.org> |
expose the default cert file as a function, not a define. it's really
an internal detail of the library, so the string should live inside it,
not in the application code.
ok jsing
|
| #
44f35d7b |
| 06-Nov-2018 |
jsing <jsing@openbsd.org> |
Define TLS_CA_CERT_FILE rather than having every application create their
own define for /etc/ssl/cert.pem.
ok beck@ bluhm@ tb@
|
| #
cda4f3c7 |
| 10-Feb-2018 |
jsing <jsing@openbsd.org> |
Bump TLS API version since we've added more functionality.
|
| #
0dd084b9 |
| 10-Feb-2018 |
jsing <jsing@openbsd.org> |
Add support to libtls for client-side TLS session resumption.
A libtls client can specify a session file descriptor (a regular file
with appropriate ownership and permissions) and libtls will manage
Add support to libtls for client-side TLS session resumption.
A libtls client can specify a session file descriptor (a regular file
with appropriate ownership and permissions) and libtls will manage reading
and writing of session data across TLS handshakes.
Discussed at length with deraadt@ and tedu@.
Rides previous minor bump.
ok beck@
show more ...
|
| #
4896de1e |
| 10-Aug-2017 |
jsing <jsing@openbsd.org> |
Add a tls_config_set_ecdhecurves() function to libtls, which allows the
names of the elliptic curves that may be used during client and server
key exchange to be specified.
This deprecates tls_confi
Add a tls_config_set_ecdhecurves() function to libtls, which allows the
names of the elliptic curves that may be used during client and server
key exchange to be specified.
This deprecates tls_config_set_ecdhecurve(), which could only be used to
specify a single supported curve.
ok beck@
show more ...
|
| #
80bc881d |
| 06-Jul-2017 |
jsing <jsing@openbsd.org> |
Add support for providing CRLs to libtls - once a CRL is provided we
enable CRL checking for the full certificate chain.
Based on a diff from Jack Burton <jack at saosce dot com dot au>, thanks!
Di
Add support for providing CRLs to libtls - once a CRL is provided we
enable CRL checking for the full certificate chain.
Based on a diff from Jack Burton <jack at saosce dot com dot au>, thanks!
Discussed with beck@
show more ...
|
| #
028ca023 |
| 06-May-2017 |
jsing <jsing@openbsd.org> |
Provide a tls_unload_file() function, that frees the memory returned from
a tls_load_file() call, ensuring that it the contents become inaccessible.
This is specifically needed on platforms where the
Provide a tls_unload_file() function, that frees the memory returned from
a tls_load_file() call, ensuring that it the contents become inaccessible.
This is specifically needed on platforms where the library allocators may
be different from the application allocator.
ok beck@
show more ...
|
| #
c67861f7 |
| 05-Apr-2017 |
beck <beck@openbsd.org> |
Add tls_peer_cert_chain_pem - To retreive the peer certificate and chain
as PEM format. This allows for it to be used or examined with tools
external to libtls
bump minor
ok jsing@
|
| #
ef012c23 |
| 31-Jan-2017 |
beck <beck@openbsd.org> |
Add tls_config_[add|set]keypair_ocsp functions so that ocsp staples may be
added associated to a keypair used for SNI, and are usable for more than
just the "main" certificate. Modify httpd to use th
Add tls_config_[add|set]keypair_ocsp functions so that ocsp staples may be
added associated to a keypair used for SNI, and are usable for more than
just the "main" certificate. Modify httpd to use this.
Bump libtls minor.
ok jsing@
show more ...
|
| #
6ccd397d |
| 26-Jan-2017 |
jsing <jsing@openbsd.org> |
Bump TLS_API due to new features being added earlier this week.
|
| #
47c43cfe |
| 24-Jan-2017 |
claudio <claudio@openbsd.org> |
Introduce ticket support. To enable them it is enough to set a positive
lifetime with tls_config_set_session_lifetime(). This enables tickets
and uses an internal automatic rekeying mode for the tick
Introduce ticket support. To enable them it is enough to set a positive
lifetime with tls_config_set_session_lifetime(). This enables tickets
and uses an internal automatic rekeying mode for the ticket keys.
If multiple processes are involved the following functions can be used to make
tickets work accross all instances:
- tls_config_set_session_id() sets the session identifier
- tls_config_add_ticket_key() adds an encryption and authentication key
For now only the last 4 keys added will be used (unless they are too old).
If tls_config_add_ticket_key() is used the caller must ensure to add new keys
regularly. It is best to do this 4 times per session lifetime (which is also
the ticket key lifetime).
Since tickets break PFS it is best to minimize the session lifetime according
to needs.
With a lot of help, input and OK beck@, jsing@
show more ...
|
| #
50ef2d71 |
| 22-Jan-2017 |
jsing <jsing@openbsd.org> |
Wrap long lines.
|