diff options
author | Jannis Hoffmann <jannis@fehcom.de> | 2024-07-03 19:03:11 +0200 |
---|---|---|
committer | Jannis Hoffmann <jannis@fehcom.de> | 2024-07-03 19:03:11 +0200 |
commit | 20b85c03e751b4876fa3c92040464e483172b746 (patch) | |
tree | 734fadbfdbc143ec4465093857f4c239448715e0 /src/tls_remote.c | |
parent | a6a7d6ce079cabdaf2fa502b2e2cf15e5428ac6f (diff) |
manual format adjustment
Diffstat (limited to 'src/tls_remote.c')
-rw-r--r-- | src/tls_remote.c | 69 |
1 files changed, 35 insertions, 34 deletions
diff --git a/src/tls_remote.c b/src/tls_remote.c index 7986077..fd72033 100644 --- a/src/tls_remote.c +++ b/src/tls_remote.c @@ -13,18 +13,19 @@ #include "tls_errors.h" #include "ucspissl.h" -/** @file tls_remote.c -- TLS client functions - @brief connection functions: tls_conn, tls_exit; - verification functions: tls_certkey, tls_checkpeer, tls_fingerprint, tlsa_check; - tls_destination, tls_domaincert - dummy functions: tls_crlcheck - - tls_checkpeer: r = 0 -> ADH, r = 1 -> wildcard DN, r = 2 -> DN, r = 3 -> CA; r < 0 -> error - tls_fingerprint: r = 0 -> failed, r = 1 -> ok; r < 0 -> error - tlsa_check: r = 0 -> nothing, r = usage + 1, r < 0 -> error +/** + @file tls_remote.c -- TLS client functions + @brief connection functions: tls_conn, tls_exit; + verification functions: tls_certkey, tls_checkpeer, tls_fingerprint, tlsa_check; + tls_destination, tls_domaincert + dummy functions: tls_crlcheck + + tls_checkpeer: r = 0 -> ADH, r = 1 -> wildcard DN, r = 2 -> DN, r = 3 -> CA; r < 0 -> error + tls_fingerprint: r = 0 -> failed, r = 1 -> ok; r < 0 -> error + tlsa_check: r = 0 -> nothing, r = usage + 1, r < 0 -> error */ -/* Caution: OpenSSL's X509_pubkey_digest() does not work as expected. +/* Caution: OpenSSL's X509_pubkey_digest() does not work as expected. I've included now: X509_pkey_digest() and X509_cert_digest() (as makro) */ #define X509_cert_digest X509_digest @@ -126,7 +127,6 @@ int tls_checkpeer(SSL *ssl, X509 *cert, const stralloc host, const int flag, con int tls_checkcrl(SSL *ssl) // not implemented yet { - return 0; } @@ -144,11 +144,12 @@ int dig_ascii(char *digascii, const char *digest, const int len) return (2 * j); // 2*len } -/* X509_pkey_digest() takes the same args as X509_digest(); - however returning the correct hash of pubkey in md. - Subjects keys are restricted to 2048 byte in size. - Return codes: 1: sucess, 0: failed. */ - +/* + X509_pkey_digest() takes the same args as X509_digest(); + however returning the correct hash of pubkey in md. + Subjects keys are restricted to 2048 byte in size. + Return codes: 1: sucess, 0: failed. +*/ int X509_pkey_digest(const X509 *cert, const EVP_MD *type, unsigned char *md, unsigned int *dlen) { unsigned int len = 0; @@ -171,10 +172,11 @@ int X509_pkey_digest(const X509 *cert, const EVP_MD *type, unsigned char *md, un return 1; } -/* Return codes: -4: no X.509 cert (fatal), -3: matching error (deferred), - -2: unsupported type, -1: weird TLSA record - 0: No X.509 cert; seen: usage++; */ - +/* + Return codes: -4: no X.509 cert (fatal), -3: matching error (deferred), + -2: unsupported type, -1: weird TLSA record + 0: No X.509 cert; seen: usage++; +*/ int tlsa_check(const STACK_OF(X509) * certs, const stralloc host, const unsigned long p) { const EVP_MD *methodsha256 = EVP_sha256(); @@ -201,8 +203,7 @@ int tlsa_check(const STACK_OF(X509) * certs, const stralloc host, const unsigned if (!stralloc_cats(&sa, "._tcp.")) temp_nomem(); if (!stralloc_cats(&sa, host.s)) temp_nomem(); - if (dns_cname(&cn, &sa) > 0) // query name could be a cname - { + if (dns_cname(&cn, &sa) > 0) { // query name could be a cname if (dns_tlsa(&out, &cn) <= 0) return 0; } else { if (dns_tlsa(&out, &sa) <= 0) return 0; @@ -211,7 +212,7 @@ int tlsa_check(const STACK_OF(X509) * certs, const stralloc host, const unsigned /* https://www.openssl.org/docs/man3.0/man3/X509_digest.html (1.1.1): "The len parameter, if not NULL, points to a place where the digest size will be stored." - [sigh] + [sigh] */ do { @@ -228,8 +229,9 @@ int tlsa_check(const STACK_OF(X509) * certs, const stralloc host, const unsigned } else if (type == 2) { if (selector == 0) r = X509_cert_digest(cert, methodsha512, digest, &dlen); if (selector == 1) r = X509_pkey_digest(cert, methodsha512, digest, &dlen); - } else + } else { return -2; + } if (!byte_diff(digest, dlen, out.s + i + 3)) return ++usage; } @@ -271,23 +273,22 @@ int tls_fingerprint(X509 *cert, const char *fingerprint, int dlen) int tls_exit(SSL *ssl) { if (SSL_shutdown(ssl) == 0) SSL_shutdown(ssl); - return 0; } -/** @brief tls_destination - @param stralloc hostname (maybe 0-terminated) +/** + @brief tls_destination + @param stralloc hostname (maybe 0-terminated) Certificate Fallthru - @return values: | ADH | Cert *DN FQDN Hash | noTLSA noTLS - ----------+-----+--------------------+------------- - optional TLS | 1 | 3 - - - | - 9 - mandatory TLS | 2 | 4 5 6 7 | 8 - - no TLS -1 - */ + @return values: | ADH | Cert *DN FQDN Hash | noTLSA noTLS + ----------+-----+--------------------+------------- + optional TLS | 1 | 3 - - - | - 9 + mandatory TLS | 2 | 4 5 6 7 | 8 + no TLS -1 +*/ int tls_destination(const stralloc hostname) { int i; |