sslproc: prefix SPKI certfp types to distinguish them from CERT

Simon Arlott 2016-04-25 20:12:27 +01:00
parent 93ad89b232
commit dc986b5468
3 changed files with 37 additions and 10 deletions


@ -1407,7 +1407,8 @@ general {
*
* The spki_* variants operate on the SubjectPublicKeyInfo of the certificate, which does
* not change unless the private key is changed. This allows the fingerprint to stay
* constant even if the certificate is reissued.
* constant even if the certificate is reissued. These fingerprints will be prefixed with
* "SPKI:SHA2-256:" or "SPKI:SHA2-512:" depending on the hash type.
*/
certfp_method = sha1;


@ -482,23 +482,48 @@ ssl_process_certfp(ssl_ctl_t * ctl, ssl_ctl_buf_t * ctl_buf)
{
struct Client *client_p;
uint32_t fd;
uint32_t certfp_method;
uint32_t len;
uint8_t *certfp;
char *certfp_string;
const char *method_string;
int method_len;
if(ctl_buf->buflen > 9 + RB_SSL_CERTFP_LEN)
if(ctl_buf->buflen > 13 + RB_SSL_CERTFP_LEN)
return; /* bogus message..drop it.. XXX should warn here */
fd = buf_to_uint32(&ctl_buf->buf[1]);
len = buf_to_uint32(&ctl_buf->buf[5]);
certfp = (uint8_t *)&ctl_buf->buf[9];
certfp_method = buf_to_uint32(&ctl_buf->buf[5]);
len = buf_to_uint32(&ctl_buf->buf[9]);
certfp = (uint8_t *)&ctl_buf->buf[13];
client_p = find_cli_connid_hash(fd);
if(client_p == NULL)
return;
switch (certfp_method) {
case RB_SSL_CERTFP_METH_CERT_SHA1:
case RB_SSL_CERTFP_METH_CERT_SHA256:
case RB_SSL_CERTFP_METH_CERT_SHA512:
method_string = "";
break;
/* These names are copied from RFC 7218 */
case RB_SSL_CERTFP_METH_SPKI_SHA256:
method_string = "SPKI:SHA2-256:";
break;
case RB_SSL_CERTFP_METH_SPKI_SHA512:
method_string = "SPKI:SHA2-512:";
break;
default:
return;
}
method_len = strlen(method_string);
rb_free(client_p->certfp);
certfp_string = rb_malloc(len * 2 + 1);
certfp_string = rb_malloc(method_len + len * 2 + 1);
strcpy(certfp_string, method_string);
for(uint32_t i = 0; i < len; i++)
snprintf(certfp_string + 2 * i, 3, "%02x",
snprintf(certfp_string + method_len + 2 * i, 3, "%02x",
certfp[i]);
client_p->certfp = certfp_string;
}
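Review bot: `len = buf_to_uint32(&ctl_buf->buf[9])` is taken from the message but never compared with the bytes actually received, so the hex loop reads `certfp[i]` for a sender-chosen `len` and the only guard is the upper bound `buflen > 13 + RB_SSL_CERTFP_LEN`, which still admits a message shorter than the 13-byte header. After the `switch` (so the `default: return` still runs first) and before `rb_free(client_p->certfp)`, add `if(ctl_buf->buflen < 13 || len > ctl_buf->buflen - 13 || len > RB_SSL_CERTFP_LEN) return;` (use `!=` instead of `>` if `buflen` is known to be the exact message length, since the sender queues exactly `13 + len`). Capping `len` this way also keeps `method_len + len * 2 + 1` from wrapping in 32-bit arithmetic before it reaches `rb_malloc`. The removed lines had the same gap, so this is not introduced here, but the commit is rewriting exactly those lines; `method_len` would also more naturally be a `size_t`, matching `strlen`.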


@ -686,17 +686,18 @@ ssl_send_cipher(conn_t *conn)
static void
ssl_send_certfp(conn_t *conn)
{
uint8_t buf[9 + RB_SSL_CERTFP_LEN];
uint8_t buf[13 + RB_SSL_CERTFP_LEN];
int len = rb_get_ssl_certfp(conn->mod_fd, &buf[9], certfp_method);
int len = rb_get_ssl_certfp(conn->mod_fd, &buf[13], certfp_method);
if (!len)
return;
lrb_assert(len <= RB_SSL_CERTFP_LEN);
buf[0] = 'F';
uint32_to_buf(&buf[1], conn->id);
uint32_to_buf(&buf[5], len);
mod_cmd_write_queue(conn->ctl, buf, 9 + len);
uint32_to_buf(&buf[5], certfp_method);
uint32_to_buf(&buf[9], len);
mod_cmd_write_queue(conn->ctl, buf, 13 + len);
}
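Review bot: `if (!len) return;` only rejects zero, so if `rb_get_ssl_certfp` can signal failure with a negative value, that value would reach `uint32_to_buf(&buf[9], len)` and `mod_cmd_write_queue(conn->ctl, buf, 13 + len)` as a wrapped length; `if (len <= 0) return;` would close that, unless the function is documented never to return a negative. `lrb_assert(len <= RB_SSL_CERTFP_LEN)` is the only bound on what was written into `buf[13..]`, and if it compiles out in non-debug builds there is no runtime guard at all. The header size 13 now appears as a literal in four places between this sender and the parser in ssl_process_certfp; a shared named constant such as `#define CERTFP_HDR_LEN (1 + 3 * sizeof(uint32_t))` would keep the two in step, since a mismatch silently misparses the new method field. ssl_send_certfp lies entirely within the hunk.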
static void