libsec: sha256 support for thumbprint files, use it in ssh as well

initThumbprints() now takes an application tag argument
so x509 and ssh can coexist.

the thumbprint entries can now hold both sha1 and sha256
hashes. okThumbprint() now takes a len argument for the
hash length used.

the new function okCertificate() hashes the certificate
with both and checks for any matches.

on failure, okCertificate() returns 0 and sets error string.

we also check for include loops now in thumbfiles, limiting
the number of includes to 8.

1 files changed, 5 insertions, 3 deletions

diff --git a/sys/include/libsec.h b/sys/include/libsec.h
index 0067302e8..12f4d4be4 100644
--- a/sys/include/libsec.h
+++ b/sys/include/libsec.h
@@ -453,7 +453,8 @@ DSApriv*	asn1toDSApriv(uchar*, int);
  */
 typedef struct Thumbprint{
 	struct Thumbprint *next;
-	uchar	sha1[SHA1dlen];
+	uchar	hash[SHA2_256dlen];
+	uchar	len;
 } Thumbprint;
 
 typedef struct TLSconn{
@@ -479,9 +480,10 @@ int tlsClient(int fd, TLSconn *c);
 int tlsServer(int fd, TLSconn *c);
 
 /* thumb.c */
-Thumbprint* initThumbprints(char *ok, char *crl);
+Thumbprint* initThumbprints(char *ok, char *crl, char *tag);
 void	freeThumbprints(Thumbprint *ok);
-int	okThumbprint(uchar *sha1, Thumbprint *ok);
+int	okThumbprint(uchar *hash, int len, Thumbprint *ok);
+int	okCertificate(uchar *cert, int len, Thumbprint *ok);
 
 /* readcert.c */
 uchar	*readcert(char *filename, int *pcertlen);