| author | beck <> | 2015-09-11 12:56:55 +0000 | 
|---|---|---|
| committer | beck <> | 2015-09-11 12:56:55 +0000 | 
| commit | 27e5e00bb80457049b7e7613f43e8f1165402316 (patch) | |
| tree | 6080d52d99050fc94d1bd00cdb70fd607c96d262 /src/lib/libtls/tls_init.3 | |
| parent | eafebfdd3adba0417a72d6cc8a75f367fc2fbbdb (diff) | |
| download | openbsd-27e5e00bb80457049b7e7613f43e8f1165402316.tar.gz openbsd-27e5e00bb80457049b7e7613f43e8f1165402316.tar.bz2 openbsd-27e5e00bb80457049b7e7613f43e8f1165402316.zip | |
add tls_peer functions for checking names and issuers of peer certificates.
ok jsing@
Diffstat (limited to 'src/lib/libtls/tls_init.3')
| -rw-r--r-- | src/lib/libtls/tls_init.3 | 31 | 
1 files changed, 29 insertions, 2 deletions
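--- a/src/lib/libtls/tls_init.3
+++ b/src/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.37 2015/09/11 09:02:10 beck Exp $
+.\" $OpenBSD: tls_init.3,v 1.38 2015/09/11 12:56:55 beck Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\"
@@ -112,6 +112,10 @@
 .Fn tls_config_verify_client "struct tls_config *config"
 .Ft "void"
 .Fn tls_config_verify_client_optional "struct tls_config *config"
+.Ft "int"
+.Fn tls_peer_cert_provided "struct tls *ctx"
+.Ft "int"
+.Fn tls_peer_cert_contains_name "struct tls *ctx" "const char *name"
 .Ft "uint8_t *"
 .Fn tls_load_file "const char *file" "size_t *len" "char *password"
 .Ft "struct tls *"
@@ -354,6 +358,24 @@ enables client certificate verification, requiring the client to send
 a certificate.
 .Em (Server)
 .It
+.Fn tls_peer_cert_provided
+checks if the peer of
+.Ar ctx
+has provided a certificate.
+.Fn tls_peer_cert_provided
+will only succeed after the handshake is complete.
+.Em (Server and client)
+.It
+.Fn tls_peer_cert_constains_name
+checks if the peer of a tls
+.Ar ctx
+has povided a certificate that contains a
+SAN or CN that matches
+.Ar name
+.Fn tls_peer_cert_contains_name
+will only succeed after the handshake is complete.
+.Em (Server and client)
+.It
 .Fn tls_config_verify_client_opional
 enables client certificate verification, without requiring the client
 to send a certificate.
@@ -455,7 +477,12 @@ or
 .Fn tls_connect_servername .
 .El
 .Sh RETURN VALUES
-Functions that return
+The
+.Fn tls_peer_cert_provided
+and
+.Fn tls_peer_cert_contain_name
+functions return 1 if the check succeeds, and 0 if it does not.
+All other functions that return
 .Vt int
 or
 .Vt ssize_t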
