add C-Keens tls-client-auth

This patch adds client TLS authentication to libsec in compliance with
rfc 4346.

A new -c flag has been introduced for tlsclient allowing the user to
specify a certificate in pem(8) format which will be provided to the
server upon request.

A -D debug flag has been introduced to enable debugging output.

The patch has been tested against OpenSSL 0.9.7j 04 May 2006.

It exists today because of the great (debugging) help and insight
provided by Matthias Bauer.

TODOs:

- specification of a certain client key in factotum is not possible at
	the moment
- tlssrv should support this too

These will get added in another patch.

The first try to submit this patch failed due to a network error.
Sorry for the duplication!

Kind regards,

Christian

1 files changed, 10 insertions, 4 deletions

diff --git a/sys/src/libsec/port/x509.c b/sys/src/libsec/port/x509.c
index 103ab2933..77c2205f9 100644
--- a/sys/src/libsec/port/x509.c
+++ b/sys/src/libsec/port/x509.c
@@ -2036,27 +2036,33 @@ asn1mpint(Elem *e)
 	return nil;
 }
 
-static mpint*
-pkcs1pad(Bytes *b, mpint *modulus)
+mpint*
+pkcs1padbuf(uchar *buf, int len, mpint *modulus)
 {
 	int n = (mpsignif(modulus)+7)/8;
 	int pm1, i;
 	uchar *p;
 	mpint *mp;
 
-	pm1 = n - 1 - b->len;
+	pm1 = n - 1 - len;
 	p = (uchar*)emalloc(n);
 	p[0] = 0;
 	p[1] = 1;
 	for(i = 2; i < pm1; i++)
 		p[i] = 0xFF;
 	p[pm1] = 0;
-	memcpy(&p[pm1+1], b->data, b->len);
+	memcpy(&p[pm1+1], buf, len);
 	mp = betomp(p, n, nil);
 	free(p);
 	return mp;
 }
 
+static mpint*
+pkcs1pad(Bytes *b, mpint *modulus)
+{
+	return pkcs1padbuf(b->data, b->len, modulus);
+}
+
 RSApriv*
 asn1toRSApriv(uchar *kd, int kn)
 {