document tls_get_peer_subject, tls_get_peer_issuer, and tls_get_peer_hash

ok jsing@
author: beck <> 2015-09-11 13:59:20 +0000
committer: beck <> 2015-09-11 13:59:20 +0000
commit: 4fed0aed72c48fa0d340730ec63eeaa4bcf95443 (patch)
tree: 6854ac6cc54fce0efe40bb9d56b6f4131d7fffff
parent: 47904bc3ab0adff66a702d760d60a201489b0e9f (diff)
download: openbsd-4fed0aed72c48fa0d340730ec63eeaa4bcf95443.tar.gz
openbsd-4fed0aed72c48fa0d340730ec63eeaa4bcf95443.tar.bz2
openbsd-4fed0aed72c48fa0d340730ec63eeaa4bcf95443.zip
2 files changed, 58 insertions, 3 deletions
diff --git a/src/lib/libtls/Makefile b/src/lib/libtls/Makefile
index 2e03e247e4..b0141c274f 100644
--- a/src/lib/libtls/Makefile
+++ b/src/lib/libtls/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.16 2015/09/11 12:56:55 beck Exp $
+#       $OpenBSD: Makefile,v 1.17 2015/09/11 13:59:20 beck Exp $
 CFLAGS+= -Wall -Werror -Wimplicit
 CFLAGS+= -DLIBRESSL_INTERNAL
@@ -48,6 +48,9 @@ MLINKS+=tls_init.3 tls_config_verify_client.3
 MLINKS+=tls_init.3 tls_config_verify_client_optional.3
 MLINKS+=tls_init.3 tls_peer_cert_provided.3
 MLINKS+=tls_init.3 tls_peer_cert_contains_name.3
+MLINKS+=tls_init.3 tls_peer_cert_issuer3
+MLINKS+=tls_init.3 tls_peer_cert_subject.3
+MLINKS+=tls_init.3 tls_peer_cert_hash.3
 MLINKS+=tls_init.3 tls_load_file.3
 MLINKS+=tls_init.3 tls_client.3
 MLINKS+=tls_init.3 tls_server.3
diff --git a/src/lib/libtls/tls_init.3 b/src/lib/libtls/tls_init.3
index 4066713603..c5b0c1df46 100644
--- a/src/lib/libtls/tls_init.3
+++ b/src/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.38 2015/09/11 12:56:55 beck Exp $
+.\" $OpenBSD: tls_init.3,v 1.39 2015/09/11 13:59:20 beck Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\"
@@ -116,6 +116,12 @@
 .Fn tls_peer_cert_provided "struct tls *ctx"
 .Ft "int"
 .Fn tls_peer_cert_contains_name "struct tls *ctx" "const char *name"
+.Ft "int
+.Fn tls_peer_cert_issuer "struct tls *ctx" "char **issuer"
+.Ft "int"
+.Fn tls_peer_cert_subject "struct tls *ctx" "char **subject"
+.Ft "int"
+.Fn tls_peer_cert_hash "struct tls *ctx" "char **hash"
 .Ft "uint8_t *"
 .Fn tls_load_file "const char *file" "size_t *len" "char *password"
 .Ft "struct tls *"
@@ -363,7 +369,7 @@ checks if the peer of
 .Ar ctx 
 has provided a certificate.
 .Fn tls_peer_cert_provided
-will only succeed after the handshake is complete. 
+can only succeed after the handshake is complete. 
 .Em (Server and client)
 .It
 .Fn tls_peer_cert_constains_name
@@ -373,7 +379,52 @@ checks if the peer of a tls
 SAN or CN that matches
 .Ar name
 .Fn tls_peer_cert_contains_name
+can only succeed after the handshake is complete. 
+.Em (Server and client)
+.It
+.Fn tls_peer_cert_subject
+returns a string in
+.Ar subject
+corresponding to the subject of the peer certificate from
+.Ar ctx .
+.Fn tls_peer_cert_subject
+will only succeed after the handshake is complete. 
+Callers must free the string returned in 
+.Ar subject .
+.Em (Server and client)
+.It
+.Fn tls_peer_cert_issuer
+returns a string in 
+.Ar subject
+corresponding to the issuer of the peer certificate from
+.Ar ctx .
+.Fn tls_peer_cert_issuer
 will only succeed after the handshake is complete. 
+Callers must free the string returned in 
+.Ar issuer .
+.Em (Server and client)
+.It
+.Fn tls_peer_cert_hash
+returns a string
+in
+.Ar hash
+corresponding to a hash of the raw peer certificate from
+.Ar ctx
+prefixed by a hash name followed by a colon. 
+The hash currently used is SHA256, however this
+can change in the future. The hash string for a certificate
+in file
+.Ar mycert.crt
+can be generated using the commands:
+.Bd -literal -offset indent
+h=$(openssl x509 -outform der -in mycert.crt | sha256)
+printf "SHA256:${h}\\n"
+.Ed
+.Pp
+.Fn tls_peer_cert_subject
+will only succeed after the handshake is complete. 
+Callers must free the string returned in 
+.Ar hash .
 .Em (Server and client)
 .It
 .Fn tls_config_verify_client_opional
@@ -538,6 +589,7 @@ while (len > 0) {
 }
 \&...
 .Ed
+.Bd -literal -offset indent
 .Pp
 The following example demonstrates how to handle TLS writes on a
 non-blocking file descriptor using
author	beck <>	2015-09-11 13:59:20 +0000
committer	beck <>	2015-09-11 13:59:20 +0000
commit	4fed0aed72c48fa0d340730ec63eeaa4bcf95443 (patch)
tree	6854ac6cc54fce0efe40bb9d56b6f4131d7fffff
parent	47904bc3ab0adff66a702d760d60a201489b0e9f (diff)
download	openbsd-4fed0aed72c48fa0d340730ec63eeaa4bcf95443.tar.gz openbsd-4fed0aed72c48fa0d340730ec63eeaa4bcf95443.tar.bz2 openbsd-4fed0aed72c48fa0d340730ec63eeaa4bcf95443.zip

diff --git a/src/lib/libtls/Makefile b/src/lib/libtls/Makefile index 2e03e247e4..b0141c274f 100644 --- a/src/lib/libtls/Makefile +++ b/src/lib/libtls/Makefile
@@ -1,4 +1,4 @@
1	# $OpenBSD: Makefile,v 1.16 2015/09/11 12:56:55 beck Exp $	1	# $OpenBSD: Makefile,v 1.17 2015/09/11 13:59:20 beck Exp $
2		2
3	CFLAGS+= -Wall -Werror -Wimplicit	3	CFLAGS+= -Wall -Werror -Wimplicit
4	CFLAGS+= -DLIBRESSL_INTERNAL	4	CFLAGS+= -DLIBRESSL_INTERNAL
@@ -48,6 +48,9 @@ MLINKS+=tls_init.3 tls_config_verify_client.3
48	MLINKS+=tls_init.3 tls_config_verify_client_optional.3	48	MLINKS+=tls_init.3 tls_config_verify_client_optional.3
49	MLINKS+=tls_init.3 tls_peer_cert_provided.3	49	MLINKS+=tls_init.3 tls_peer_cert_provided.3
50	MLINKS+=tls_init.3 tls_peer_cert_contains_name.3	50	MLINKS+=tls_init.3 tls_peer_cert_contains_name.3
		51	MLINKS+=tls_init.3 tls_peer_cert_issuer3
		52	MLINKS+=tls_init.3 tls_peer_cert_subject.3
		53	MLINKS+=tls_init.3 tls_peer_cert_hash.3
51	MLINKS+=tls_init.3 tls_load_file.3	54	MLINKS+=tls_init.3 tls_load_file.3
52	MLINKS+=tls_init.3 tls_client.3	55	MLINKS+=tls_init.3 tls_client.3
53	MLINKS+=tls_init.3 tls_server.3	56	MLINKS+=tls_init.3 tls_server.3


diff --git a/src/lib/libtls/tls_init.3 b/src/lib/libtls/tls_init.3 index 4066713603..c5b0c1df46 100644 --- a/src/lib/libtls/tls_init.3 +++ b/src/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: tls_init.3,v 1.38 2015/09/11 12:56:55 beck Exp $	1	.\" $OpenBSD: tls_init.3,v 1.39 2015/09/11 13:59:20 beck Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>	3	.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
4	.\"	4	.\"
@@ -116,6 +116,12 @@
116	.Fn tls_peer_cert_provided "struct tls *ctx"	116	.Fn tls_peer_cert_provided "struct tls *ctx"
117	.Ft "int"	117	.Ft "int"
118	.Fn tls_peer_cert_contains_name "struct tls ctx" "const char name"	118	.Fn tls_peer_cert_contains_name "struct tls ctx" "const char name"
		119	.Ft "int
		120	.Fn tls_peer_cert_issuer "struct tls ctx" "char *issuer"
		121	.Ft "int"
		122	.Fn tls_peer_cert_subject "struct tls ctx" "char *subject"
		123	.Ft "int"
		124	.Fn tls_peer_cert_hash "struct tls ctx" "char *hash"
119	.Ft "uint8_t *"	125	.Ft "uint8_t *"
120	.Fn tls_load_file "const char file" "size_t len" "char *password"	126	.Fn tls_load_file "const char file" "size_t len" "char *password"
121	.Ft "struct tls *"	127	.Ft "struct tls *"
@@ -363,7 +369,7 @@ checks if the peer of
363	.Ar ctx	369	.Ar ctx
364	has provided a certificate.	370	has provided a certificate.
365	.Fn tls_peer_cert_provided	371	.Fn tls_peer_cert_provided
366	will only succeed after the handshake is complete.	372	can only succeed after the handshake is complete.
367	.Em (Server and client)	373	.Em (Server and client)
368	.It	374	.It
369	.Fn tls_peer_cert_constains_name	375	.Fn tls_peer_cert_constains_name
@@ -373,7 +379,52 @@ checks if the peer of a tls
373	SAN or CN that matches	379	SAN or CN that matches
374	.Ar name	380	.Ar name
375	.Fn tls_peer_cert_contains_name	381	.Fn tls_peer_cert_contains_name
		382	can only succeed after the handshake is complete.
		383	.Em (Server and client)
		384	.It
		385	.Fn tls_peer_cert_subject
		386	returns a string in
		387	.Ar subject
		388	corresponding to the subject of the peer certificate from
		389	.Ar ctx .
		390	.Fn tls_peer_cert_subject
		391	will only succeed after the handshake is complete.
		392	Callers must free the string returned in
		393	.Ar subject .
		394	.Em (Server and client)
		395	.It
		396	.Fn tls_peer_cert_issuer
		397	returns a string in
		398	.Ar subject
		399	corresponding to the issuer of the peer certificate from
		400	.Ar ctx .
		401	.Fn tls_peer_cert_issuer
376	will only succeed after the handshake is complete.	402	will only succeed after the handshake is complete.
		403	Callers must free the string returned in
		404	.Ar issuer .
		405	.Em (Server and client)
		406	.It
		407	.Fn tls_peer_cert_hash
		408	returns a string
		409	in
		410	.Ar hash
		411	corresponding to a hash of the raw peer certificate from
		412	.Ar ctx
		413	prefixed by a hash name followed by a colon.
		414	The hash currently used is SHA256, however this
		415	can change in the future. The hash string for a certificate
		416	in file
		417	.Ar mycert.crt
		418	can be generated using the commands:
		419	.Bd -literal -offset indent
		420	h=$(openssl x509 -outform der -in mycert.crt \| sha256)
		421	printf "SHA256:${h}\\n"
		422	.Ed
		423	.Pp
		424	.Fn tls_peer_cert_subject
		425	will only succeed after the handshake is complete.
		426	Callers must free the string returned in
		427	.Ar hash .
377	.Em (Server and client)	428	.Em (Server and client)
378	.It	429	.It
379	.Fn tls_config_verify_client_opional	430	.Fn tls_config_verify_client_opional
@@ -538,6 +589,7 @@ while (len > 0) {
538	}	589	}
539	\&...	590	\&...
540	.Ed	591	.Ed
		592	.Bd -literal -offset indent
541	.Pp	593	.Pp
542	The following example demonstrates how to handle TLS writes on a	594	The following example demonstrates how to handle TLS writes on a
543	non-blocking file descriptor using	595	non-blocking file descriptor using