add tls_peer functions for checking names and issuers of peer certificates.

ok jsing@
author: beck <> 2015-09-11 12:56:55 +0000
committer: beck <> 2015-09-11 12:56:55 +0000
commit: 68048eefb0353c6cb686c092af50ba61fca67874 (patch)
tree: 6080d52d99050fc94d1bd00cdb70fd607c96d262 /src/lib/libtls/tls_init.3
parent: 656ef1e2adb75d20a81b8763a2088b2c8e6c3058 (diff)
download: openbsd-68048eefb0353c6cb686c092af50ba61fca67874.tar.gz
openbsd-68048eefb0353c6cb686c092af50ba61fca67874.tar.bz2
openbsd-68048eefb0353c6cb686c092af50ba61fca67874.zip
1 files changed, 29 insertions, 2 deletions
diff --git a/src/lib/libtls/tls_init.3 b/src/lib/libtls/tls_init.3
index 6197817f6f..4066713603 100644
--- a/src/lib/libtls/tls_init.3
+++ b/src/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.37 2015/09/11 09:02:10 beck Exp $
+.\" $OpenBSD: tls_init.3,v 1.38 2015/09/11 12:56:55 beck Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\"
@@ -112,6 +112,10 @@
 .Fn tls_config_verify_client "struct tls_config *config"
 .Ft "void"
 .Fn tls_config_verify_client_optional "struct tls_config *config"
+.Ft "int"
+.Fn tls_peer_cert_provided "struct tls *ctx"
+.Ft "int"
+.Fn tls_peer_cert_contains_name "struct tls *ctx" "const char *name"
 .Ft "uint8_t *"
 .Fn tls_load_file "const char *file" "size_t *len" "char *password"
 .Ft "struct tls *"
@@ -354,6 +358,24 @@ enables client certificate verification, requiring the client to send
 a certificate.
 .Em (Server)
 .It
+.Fn tls_peer_cert_provided
+checks if the peer of 
+.Ar ctx 
+has provided a certificate.
+.Fn tls_peer_cert_provided
+will only succeed after the handshake is complete. 
+.Em (Server and client)
+.It
+.Fn tls_peer_cert_constains_name
+checks if the peer of a tls 
+.Ar ctx
+ has povided a certificate that contains a 
+SAN or CN that matches
+.Ar name
+.Fn tls_peer_cert_contains_name
+will only succeed after the handshake is complete. 
+.Em (Server and client)
+.It
 .Fn tls_config_verify_client_opional
 enables client certificate verification, without requiring the client
 to send a certificate.
@@ -455,7 +477,12 @@ or
 .Fn tls_connect_servername .
 .El
 .Sh RETURN VALUES
-Functions that return
+The 
+.Fn tls_peer_cert_provided
+and
+.Fn tls_peer_cert_contain_name
+functions return 1 if the check succeeds, and 0 if it does not. 
+All other functions that return
 .Vt int
 or
 .Vt ssize_t
author	beck <>	2015-09-11 12:56:55 +0000
committer	beck <>	2015-09-11 12:56:55 +0000
commit	68048eefb0353c6cb686c092af50ba61fca67874 (patch)
tree	6080d52d99050fc94d1bd00cdb70fd607c96d262 /src/lib/libtls/tls_init.3
parent	656ef1e2adb75d20a81b8763a2088b2c8e6c3058 (diff)
download	openbsd-68048eefb0353c6cb686c092af50ba61fca67874.tar.gz openbsd-68048eefb0353c6cb686c092af50ba61fca67874.tar.bz2 openbsd-68048eefb0353c6cb686c092af50ba61fca67874.zip

diff --git a/src/lib/libtls/tls_init.3 b/src/lib/libtls/tls_init.3 index 6197817f6f..4066713603 100644 --- a/src/lib/libtls/tls_init.3 +++ b/src/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: tls_init.3,v 1.37 2015/09/11 09:02:10 beck Exp $	1	.\" $OpenBSD: tls_init.3,v 1.38 2015/09/11 12:56:55 beck Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>	3	.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
4	.\"	4	.\"
@@ -112,6 +112,10 @@
112	.Fn tls_config_verify_client "struct tls_config *config"	112	.Fn tls_config_verify_client "struct tls_config *config"
113	.Ft "void"	113	.Ft "void"
114	.Fn tls_config_verify_client_optional "struct tls_config *config"	114	.Fn tls_config_verify_client_optional "struct tls_config *config"
		115	.Ft "int"
		116	.Fn tls_peer_cert_provided "struct tls *ctx"
		117	.Ft "int"
		118	.Fn tls_peer_cert_contains_name "struct tls ctx" "const char name"
115	.Ft "uint8_t *"	119	.Ft "uint8_t *"
116	.Fn tls_load_file "const char file" "size_t len" "char *password"	120	.Fn tls_load_file "const char file" "size_t len" "char *password"
117	.Ft "struct tls *"	121	.Ft "struct tls *"
@@ -354,6 +358,24 @@ enables client certificate verification, requiring the client to send
354	a certificate.	358	a certificate.
355	.Em (Server)	359	.Em (Server)
356	.It	360	.It
		361	.Fn tls_peer_cert_provided
		362	checks if the peer of
		363	.Ar ctx
		364	has provided a certificate.
		365	.Fn tls_peer_cert_provided
		366	will only succeed after the handshake is complete.
		367	.Em (Server and client)
		368	.It
		369	.Fn tls_peer_cert_constains_name
		370	checks if the peer of a tls
		371	.Ar ctx
		372	has povided a certificate that contains a
		373	SAN or CN that matches
		374	.Ar name
		375	.Fn tls_peer_cert_contains_name
		376	will only succeed after the handshake is complete.
		377	.Em (Server and client)
		378	.It
357	.Fn tls_config_verify_client_opional	379	.Fn tls_config_verify_client_opional
358	enables client certificate verification, without requiring the client	380	enables client certificate verification, without requiring the client
359	to send a certificate.	381	to send a certificate.
@@ -455,7 +477,12 @@ or
455	.Fn tls_connect_servername .	477	.Fn tls_connect_servername .
456	.El	478	.El
457	.Sh RETURN VALUES	479	.Sh RETURN VALUES
458	Functions that return	480	The
		481	.Fn tls_peer_cert_provided
		482	and
		483	.Fn tls_peer_cert_contain_name
		484	functions return 1 if the check succeeds, and 0 if it does not.
		485	All other functions that return
459	.Vt int	486	.Vt int
460	or	487	or
461	.Vt ssize_t	488	.Vt ssize_t