diff options
| author | cinap_lenrek <cinap_lenrek@felloff.net> | 2017-04-23 19:00:08 +0200 |
|---|---|---|
| committer | cinap_lenrek <cinap_lenrek@felloff.net> | 2017-04-23 19:00:08 +0200 |
| commit | 346f5828e0e435d76ef7da8316e77a426c826d19 (patch) | |
| tree | 316f4fb2d2c4d08e51a32efa6206b814362393dc /sys/man/2 | |
| parent | 2d1fbbdafa37080ddaacb76ac1e4f5a413ef2dc3 (diff) | |
libsec: sha256 support for thumbprint files, use it in ssh as well
initThumbprints() now takes an application tag argument
so x509 and ssh can coexist.
the thumbprint entries can now hold both sha1 and sha256
hashes. okThumbprint() now takes a len argument for the
hash length used.
the new function okCertificate() hashes the certificate
with both and checks for any matches.
on failure, okCertificate() returns 0 and sets error string.
we also check for include loops now in thumbfiles, limiting
the number of includes to 8.
Diffstat (limited to 'sys/man/2')
| -rw-r--r-- | sys/man/2/pushtls | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/sys/man/2/pushtls b/sys/man/2/pushtls index ed3f293dd..72a2605bf 100644 --- a/sys/man/2/pushtls +++ b/sys/man/2/pushtls @@ -1,6 +1,6 @@ .TH PUSHTLS 2 .SH NAME -pushtls, tlsClient, tlsServer, initThumbprints, freeThumbprints, okThumbprint, readcert, readcertchain \- attach TLS1 or SSL3 encryption to a communication channel +pushtls, tlsClient, tlsServer, initThumbprints, freeThumbprints, okThumbprint, okCertificate, readcert, readcertchain \- attach TLS1 or SSL3 encryption to a communication channel .SH SYNOPSIS .B #include <u.h> .br @@ -29,13 +29,16 @@ uchar *readcert(char *filename, int *pcertlen) PEMchain *readcertchain(char *filename) .PP .B -Thumbprint *initThumbprints(char *ok, char *crl) +Thumbprint *initThumbprints(char *ok, char *crl, char *tag) .PP .B void freeThumbprints(Thumbprint *table) .PP .B -int okThumbprint(uchar *hash, Thumbprint *table) +int okThumbprint(uchar *hash, int len, Thumbprint *table) +.PP +.B +int okCertificate(uchar *cert, int len, Thumbprint *table) .SH DESCRIPTION Transport Layer Security (TLS) comprises a record layer protocol, doing message digesting and encrypting in the kernel, @@ -213,13 +216,10 @@ be freed by the application whenever convenient. Start the client half of TLS and check the remote certificate: .IP .EX -uchar hash[SHA1dlen]; - conn = (TLSconn*)mallocz(sizeof *conn, 1); fd = tlsClient(fd, conn); -sha1(conn->cert, conn->certlen, hash, nil); -if(!okThumbprint(hash,table)) - exits("suspect server"); +if(!okCertificate(conn->cert, conn->certlen, table)) + sysfatal("suspect server: %r"); \fI...application begins...\fP .EE .PP |