aboutsummaryrefslogtreecommitdiffstats
path: root/src/credentials
Commit message (Collapse)AuthorAgeFilesLines
* Change Credentials_Manager::trusted_certificate_authorities to returnlloyd2012-11-132-11/+22
| | | | | | | | | a list of Certificate_Stores instead of a list of actual certs, allowing for instance the ability to reference a DB cert store without actually pulling all the certs into memory. Add Certificate_Store::all_subjects which returns the DNs of all contained certificates.
* Move the hostname check last as it's the least 'important' error.lloyd2012-09-061-3/+3
| | | | Only check it if the cert is otherwise valid.
* Doxygen warning fixeslloyd2012-07-091-2/+32
|
* The messages for assertion checks were done both ways, both "assertionlloyd2012-07-091-0/+2
| | | | | | X is true" and "assertion X is false". Convert all of them to the form "assertion X is true" thus making it clear what it is that we are attempting to assert by testing the expression provided.
* Reorder Credentials_Manager with cert stuff first, then SRP, then PSKlloyd2012-06-261-66/+69
|
* Some post merge fixups.lloyd2012-05-252-34/+9
| | | | | Fix some bugs that triggered if DEFAULT_BUFFERSIZE was either too small or an odd size.
* Replace 0 and NULL pointer constants with nullptr. Also fix an oldlloyd2012-05-181-1/+1
| | | | style cast in secmem.h
* Fairly huge update that replaces the old secmem types with std::vectorlloyd2012-05-182-2/+2
| | | | | | using a custom allocator. Currently our allocator just does new/delete with a memset before deletion, and the mmap and mlock allocators have been removed.
* Huge pile of post merge fixups, mtn really fucked that mergelloyd2012-04-251-1/+2
|
* Various dependency/amalgamation fixeslloyd2012-04-191-0/+5
|
* Only do the hostname/DNS comparison if it is set. Otherwise, we havelloyd2012-04-171-1/+1
| | | | nothing meaningful to compare to.
* Finish up server side SRP support, a little ugly but it works.lloyd2012-04-062-19/+55
| | | | | | Add SRP hooks in the examples Fix next protocol support in the tls_server example.
* Revert the session_ticket callback in credentials manager. If a PSKlloyd2012-03-232-17/+2
| | | | | | | | | | | manager is being used, it could be easily used for session tickets as well, and if it's not the generate-on-first-call technique is easy to write. Avoid offering the session ticket extension if we know we don't have a key. For one thing it will cause us to avoid using stateful sessions, but additionally OpenSSL 1.0.1 is very intolerant of empty NewSessionTicket messages so definitely worth avoiding when we can.
* Add a special hook in credentials manager for the session ticket key,lloyd2012-03-232-0/+16
| | | | | with a default implementation that creates a new random key on the first call.
* Actually check CA signatures in Credentials_Manager. This area needs alloyd2012-02-012-15/+18
| | | | lot more work before this can be deployed.
* Split up the psk function as the server also wants to be able to looklloyd2012-01-272-15/+27
| | | | up a PSK from an identity.
* Credentials hooks for PSKlloyd2012-01-272-2/+27
|
* Deleting the return of private_key_for in the TLS server forces thelloyd2012-01-261-0/+2
| | | | | | | | | | | | | credentials server to return a new copy each time which is slow and mostly pointless. Instead, specify that the key remains owned by the credentials manager. This is theoretically an issue if you have thousands of keys to manage; the credentials server doesn't actually know when they have gone out of scope until its destructor runs. So it could be forced to use a lot of memory in the meantime. I'm not sure that this is a case worth optimizing for, at least until someone comes along who actually has this as a problem.
* We can now actually handle multiple certificate types in the serverlloyd2012-01-242-6/+37
| | | | | and will choose one depending on which ciphersuites the client offered.
* The credentials manager interface seems a much better place for certlloyd2012-01-232-1/+56
| | | | | | | | | checking, allowed client auth CAs, etc than the policy class. With this change, most users won't ever need to modify the default policy which is likely a good thing. Remove copy and paste of the credentials manager implemenation in the examples.
* Fix unused param warnings. Comments in headerlloyd2012-01-032-25/+32
|
* Add Credentials_Manager which is an interface to something that knowslloyd2012-01-033-0/+130
what certs, keys, etc are available to the app. Needs polishing but it seems like it should be sound.