OpenBSD CVS

CVS log for src/lib/libtls/Symbols.list

Default branch: MAIN


Revision 1.16, Thu Mar 24 15:56:34 2022 UTC, by tb
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5, OPENBSD_7_4_BASE, OPENBSD_7_4, OPENBSD_7_3_BASE, OPENBSD_7_3, OPENBSD_7_2_BASE, OPENBSD_7_2, OPENBSD_7_1_BASE, OPENBSD_7_1, HEAD
Changes since 1.15: +0 -7 lines

Hide the tls_signer from public visibility. It's not ready yet and
should not be used. It will be revisited after release.

ok beck inoguchi jsing

Revision 1.15, Fri Jan 28 03:46:46 2022 UTC, by jsing
Branch: MAIN
Changes since 1.14: +1 -0 lines

Expose tls_signer_error()

Add tls_signer_error to Symbols.list - this was missed during the last
libtls minor bump and can ride along.

ok deraadt@

Revision 1.14, Tue Jan 25 21:51:24 2022 UTC, by eric
Branch: MAIN
Changes since 1.13: +6 -0 lines

Introduce a signer interface intended to make TLS privsep simpler
to implement.

Add a tls_config_set_sign_cb() function that allows registering
a callback for the signing operation on a tls_config. When used,
the context installs fake private keys internally, and the callback
receives the hash of the public key.

Add a tls_signer_*() set of functions to manage tls_signer objects.
A tls_signer is an opaque structure on which keys are added.
It is used to compute signatures with private keys identified by
their associated public key hash.

Discussed with and ok jsing@ tb@

Revision 1.13, Thu Jan 21 19:09:10 2021 UTC, by eric
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE, OPENBSD_7_0, OPENBSD_6_9_BASE, OPENBSD_6_9
Changes since 1.12: +1 -0 lines

Allow setting a keypair on a tls context without specifying the private
key, and fake it internally with the certificate public key instead.
It makes it easier for privsep engines like relayd that don't have to
use bogus keys anymore.

ok beck@ tb@ jsing@

Revision 1.12, Sat Nov 2 13:37:59 2019 UTC, by jsing
Branch: MAIN
CVS Tags: OPENBSD_6_8_BASE, OPENBSD_6_8, OPENBSD_6_7_BASE, OPENBSD_6_7
Changes since 1.11: +1 -0 lines

Provide tls_conn_cipher_strength().

This returns the strength in bits of the symmetric cipher used for the
connection.

Diff from gilles@

ok tb@

Revision 1.11, Thu Nov 29 15:51:49 2018 UTC, by tedu
Branch: MAIN
CVS Tags: OPENBSD_6_6_BASE, OPENBSD_6_6, OPENBSD_6_5_BASE, OPENBSD_6_5
Changes since 1.10: +1 -0 lines

missed adding tls_default_ca_cert_file here. found by sthen

Revision 1.10, Sat Feb 10 04:41:24 2018 UTC, by jsing
Branch: MAIN
CVS Tags: OPENBSD_6_4_BASE, OPENBSD_6_4, OPENBSD_6_3_BASE, OPENBSD_6_3
Changes since 1.9: +2 -0 lines

Add support to libtls for client-side TLS session resumption.

A libtls client can specify a session file descriptor (a regular file
with appropriate ownership and permissions) and libtls will manage reading
and writing of session data across TLS handshakes.

Discussed at length with deraadt@ and tedu@.

Rides previous minor bump.

ok beck@

Revision 1.9, Thu Aug 10 18:18:30 2017 UTC, by jsing
Branch: MAIN
CVS Tags: OPENBSD_6_2_BASE, OPENBSD_6_2
Changes since 1.8: +1 -0 lines

Add a tls_config_set_ecdhecurves() function to libtls, which allows the
names of the elliptic curves that may be used during client and server
key exchange to be specified.

This deprecates tls_config_set_ecdhecurve(), which could only be used to
specify a single supported curve.

ok beck@

Revision 1.8, Thu Jul 6 17:12:22 2017 UTC, by jsing
Branch: MAIN
Changes since 1.7: +2 -0 lines

Add support for providing CRLs to libtls - once a CRL is provided we
enable CRL checking for the full certificate chain.

Based on a diff from Jack Burton <jack at saosce dot com dot au>, thanks!

Discussed with beck@

Revision 1.7, Sat May 6 20:57:45 2017 UTC, by jsing
Branch: MAIN
Changes since 1.6: +1 -0 lines

Provide a tls_unload_file() function, that frees the memory returned from
a tls_load_file() call, ensuring that the contents become inaccessible.
This is specifically needed on platforms where the library allocators may
be different from the application allocator.

ok beck@

Revision 1.6, Wed Apr 5 03:19:22 2017 UTC, by beck
Branch: MAIN
Changes since 1.5: +1 -0 lines

Add tls_peer_cert_chain_pem - to retrieve the peer certificate and chain
as PEM format. This allows for it to be used or examined with tools
external to libtls.
bump minor
ok jsing@

Revision 1.5, Wed Apr 5 03:13:53 2017 UTC, by beck
Branch: MAIN
Changes since 1.4: +1 -0 lines

Internal changes to allow for relayd engine privsep. Sends the hash of the
public key as an identifier to RSA, and adds a function for relayd to
use to disable private key checking when doing engine privsep.
ok jsing@

Revision 1.4, Tue Jan 31 16:18:57 2017 UTC, by beck
Branch: MAIN
CVS Tags: OPENBSD_6_1_BASE, OPENBSD_6_1
Changes since 1.3: +4 -0 lines

Add tls_config_[add|set]keypair_ocsp functions so that ocsp staples may be
added associated to a keypair used for SNI, and are usable for more than
just the "main" certificate. Modify httpd to use this.
Bump libtls minor.

ok jsing@

Revision 1.3, Tue Jan 24 01:48:05 2017 UTC, by claudio
Branch: MAIN
Changes since 1.2: +3 -0 lines

Introduce ticket support. To enable them it is enough to set a positive
lifetime with tls_config_set_session_lifetime(). This enables tickets
and uses an internal automatic rekeying mode for the ticket keys.

If multiple processes are involved the following functions can be used to make
tickets work across all instances:
- tls_config_set_session_id() sets the session identifier
- tls_config_add_ticket_key() adds an encryption and authentication key

For now only the last 4 keys added will be used (unless they are too old).
If tls_config_add_ticket_key() is used the caller must ensure to add new keys
regularly. It is best to do this 4 times per session lifetime (which is also
the ticket key lifetime).

Since tickets break PFS it is best to minimize the session lifetime according
to needs.

With a lot of help, input and OK beck@, jsing@

Revision 1.2, Sat Nov 5 15:13:26 2016 UTC, by beck
Branch: MAIN
Changes since 1.1: +2 -0 lines

Add support for server side OCSP stapling to libtls.
Add support for server side OCSP stapling to netcat.

Revision 1.1, Fri Nov 4 18:23:32 2016 UTC, by guenther
Branch: MAIN

Add an explicit list of exported symbols with just the functions declared
in <tls.h>, and use __{BEGIN,END}_HIDDEN_DECLS in tls_internal.h to
optimize internal functions

ok jsing@
