History log of /openbsd-src/lib/libtls/tls.h (Results 26 – 50 of 68)
Revision Date Author Comments
# 62518615 11-Nov-2016 jsing <jsing@openbsd.org>

Bump TLS_API due to recent feature additions and changes.


# 2b50121a 11-Nov-2016 jsing <jsing@openbsd.org>

Change the return value of tls_config_set_protocols() and
tls_config_set_verify_depth() from void to int. This makes them consistent
with all other tls_config_set_* functions and will allow for call time
validation to be implemented.

Rides libtls major bump.

ok beck@


# 668bec95 05-Nov-2016 beck <beck@openbsd.org>

Add support for server side OCSP stapling to libtls.
Add support for server side OCSP stapling to netcat.


# 69013f12 04-Nov-2016 beck <beck@openbsd.org>

Add ocsp_require_stapling config option for tls - allows a connection
to indicate that it requires the peer to provide a stapled OCSP response
with the handshake. Provide a "-T muststaple" for nc that uses it.
ok jsing@, guenther@


# 2dc6b4e4 02-Nov-2016 beck <beck@openbsd.org>

Add OCSP client side support to libtls.
- Provide access to certificate OCSP URL
- Provide ability to check a raw OCSP reply against an
established TLS ctx
- Check and validate OCSP stapling info in the TLS handshake
if a stapled OCSP response is provided.

Add example code to show OCSP URL and stapled info
into netcat.

ok jsing@


# f36cb7cf 13-Sep-2016 tedu <tedu@openbsd.org>

add a little more typing to the first callback argument.
it's always a tls context.


# b4c0f014 04-Sep-2016 jsing <jsing@openbsd.org>

Bump TLS_API for addition of callbacks.


# ed19021f 04-Sep-2016 bcook <bcook@openbsd.org>

Add callback-based interface to libtls.

This allows working with buffers and callback functions instead of directly on
sockets or file descriptors.
Original patch from Tobias Pape <tobias_at_netshed.de>.
ok beck@


# 8680495d 22-Aug-2016 jsing <jsing@openbsd.org>

Bump TLS_API due to the addition of server side SNI functions.


# 55272e79 22-Aug-2016 jsing <jsing@openbsd.org>

Provide an API that enables server side SNI support - add the ability to
provide additional keypairs (via tls_config_add_keypair_{file,mem}()) and
allow the server to determine what servername the client requested (via
tls_conn_servername()).

ok beck@


# 183da8c6 12-Aug-2016 jsing <jsing@openbsd.org>

Add ALPN support to libtls.

ok beck@ doug@


# 380117c0 02-Aug-2016 jsing <jsing@openbsd.org>

Revert previous since it adds new symbols.

Requested by deraadt@


# cd719857 01-Aug-2016 jsing <jsing@openbsd.org>

Bump TLS_API for addition of ALPN support.


# 623e6e82 01-Aug-2016 jsing <jsing@openbsd.org>

Add ALPN support to libtls.

ok beck@ doug@


# 5684be2a 27-May-2016 jsing <jsing@openbsd.org>

Fix function parameters that do not have an underscore prefix.


# 1fe9fea1 28-Apr-2016 jsing <jsing@openbsd.org>

Factor out the keypair handling in libtls. This results in more readable
and self-contained code, while preparing for the ability to handle
multiple keypairs. Also provide two additional functions that allow
a public certificate and private key to be set with a single function
call.

ok beck@


# a88e9e95 28-Apr-2016 jsing <jsing@openbsd.org>

Rework the error handling in libtls so that we can associate errors with
both configuration and contexts. This allows us to propagate errors that
occur during configuration, rather than either just failing with no reason
or delaying the failure until it can be propagated via the tls context.

Also provide a tls_config_error() function for retrieving the last error
from a tls_config *.

ok bcook@


# f00a4e85 07-Oct-2015 beck <beck@openbsd.org>

Add tls_peer_cert_notbefore and tls_peer_cert_notafter to expose peer certificate
validity times for tls connections.
ok jsing@


# 27ecf354 01-Oct-2015 bcook <bcook@openbsd.org>

include <sys/types.h> for ssize_t

ok jsing@, deraadt@


# 615956a0 14-Sep-2015 jsing <jsing@openbsd.org>

Provide tls_config_insecure_noverifytime() in order to be able to disable
certificate validity checking.

ok beck@


# 2eb13fba 13-Sep-2015 beck <beck@openbsd.org>

add visibility of cipher and connection version strings
ok jsing@


# ab8f2ec6 12-Sep-2015 beck <beck@openbsd.org>

Move connection info into its own private structure allocated and filled in
at handshake time. change accessors to return const char * to remove need
for caller to free memory.
ok jsing@


# b838e8e9 12-Sep-2015 jsing <jsing@openbsd.org>

Put tls_peer_cert* functions in the same place.


# 0fb5de82 11-Sep-2015 beck <beck@openbsd.org>

add tls_peer functions for checking names and issuers of peer certificates.
ok jsing@


# a0ec9d6b 11-Sep-2015 jsing <jsing@openbsd.org>

Provide tls_peer_cert_hash() which returns a hash of the raw certificate
that was presented by the peer. The hash used is currently SHA256, however
since we prefix the result with the hash name, we can change this in the
future as the need arises.

The same output can be generated by using:

h=$(openssl x509 -outform der -in mycert.crt | sha256)
printf "SHA256:${h}\n"

ok beck@
