Instead of only using a hash over the whole certificate for
white/black-listing, now we can also use a hash over the
Subject Public Key Info (SPKI) field of the certificate which
contians the public key algorithm and the public key itself.
This allows certificates to be renewed independendtly of the
public key.
X509dump() now prints the public key thumbprint in addition
to the certificate thumbprint.
tlsclient will print the certificate when run with -D flag.
okCertificate() will print the public key thumbprint in its
error string when no match has been found.
initThumbprints() now takes an application tag argument
so x509 and ssh can coexist.
the thumbprint entries can now hold both sha1 and sha256
hashes. okThumbprint() now takes a len argument for the
hash length used.
the new function okCertificate() hashes the certificate
with both and checks for any matches.
on failure, okCertificate() returns 0 and sets error string.
we also check for include loops now in thumbfiles, limiting
the number of includes to 8.
- TLSconn structure on stack but not initialized (zeroed)
- original filedescriptor double closed in error case
- original filedescriptor leaked in success case
- leaked TLSconn.sessionID and TLSconn.cert
- clarify in pushtls(2) and pushssl(2)
This patch adds client TLS authentication to libsec in compliance with
rfc 4346.
A new -c flag has been introduced for tlsclient allowing the user to
specify a certificate in pem(8) format which will be provided to the
server upon request.
A -D debug flag has been introduced to enable debugging output.
The patch has been tested against OpenSSL 0.9.7j 04 May 2006.
It exists today because of the great (debugging) help and insight
provided by Matthias Bauer.
TODOs:
- specification of a certain client key in factotum is not possible at
the moment
- tlssrv should support this too
These will get added in another patch.
The first try to submit this patch failed due to a network error.
Sorry for the duplication!
Kind regards,
Christian
