summaryrefslogtreecommitdiff
path: root/src/tls_remote.c
diff options
context:
space:
mode:
authorJannis Hoffmann <jannis@fehcom.de>2024-07-03 19:03:11 +0200
committerJannis Hoffmann <jannis@fehcom.de>2024-07-03 19:03:11 +0200
commit20b85c03e751b4876fa3c92040464e483172b746 (patch)
tree734fadbfdbc143ec4465093857f4c239448715e0 /src/tls_remote.c
parenta6a7d6ce079cabdaf2fa502b2e2cf15e5428ac6f (diff)
manual format adjustment
Diffstat (limited to 'src/tls_remote.c')
-rw-r--r--src/tls_remote.c69
1 files changed, 35 insertions, 34 deletions
diff --git a/src/tls_remote.c b/src/tls_remote.c
index 7986077..fd72033 100644
--- a/src/tls_remote.c
+++ b/src/tls_remote.c
@@ -13,18 +13,19 @@
#include "tls_errors.h"
#include "ucspissl.h"
-/** @file tls_remote.c -- TLS client functions
- @brief connection functions: tls_conn, tls_exit;
- verification functions: tls_certkey, tls_checkpeer, tls_fingerprint, tlsa_check;
- tls_destination, tls_domaincert
- dummy functions: tls_crlcheck
-
- tls_checkpeer: r = 0 -> ADH, r = 1 -> wildcard DN, r = 2 -> DN, r = 3 -> CA; r < 0 -> error
- tls_fingerprint: r = 0 -> failed, r = 1 -> ok; r < 0 -> error
- tlsa_check: r = 0 -> nothing, r = usage + 1, r < 0 -> error
+/**
+ @file tls_remote.c -- TLS client functions
+ @brief connection functions: tls_conn, tls_exit;
+ verification functions: tls_certkey, tls_checkpeer, tls_fingerprint, tlsa_check;
+ tls_destination, tls_domaincert
+ dummy functions: tls_crlcheck
+
+ tls_checkpeer: r = 0 -> ADH, r = 1 -> wildcard DN, r = 2 -> DN, r = 3 -> CA; r < 0 -> error
+ tls_fingerprint: r = 0 -> failed, r = 1 -> ok; r < 0 -> error
+ tlsa_check: r = 0 -> nothing, r = usage + 1, r < 0 -> error
*/
-/* Caution: OpenSSL's X509_pubkey_digest() does not work as expected.
+/* Caution: OpenSSL's X509_pubkey_digest() does not work as expected.
I've included now: X509_pkey_digest() and X509_cert_digest() (as makro) */
#define X509_cert_digest X509_digest
@@ -126,7 +127,6 @@ int tls_checkpeer(SSL *ssl, X509 *cert, const stralloc host, const int flag, con
int tls_checkcrl(SSL *ssl) // not implemented yet
{
-
return 0;
}
@@ -144,11 +144,12 @@ int dig_ascii(char *digascii, const char *digest, const int len)
return (2 * j); // 2*len
}
-/* X509_pkey_digest() takes the same args as X509_digest();
- however returning the correct hash of pubkey in md.
- Subjects keys are restricted to 2048 byte in size.
- Return codes: 1: sucess, 0: failed. */
-
+/*
+ X509_pkey_digest() takes the same args as X509_digest();
+ however returning the correct hash of pubkey in md.
+ Subjects keys are restricted to 2048 byte in size.
+ Return codes: 1: sucess, 0: failed.
+*/
int X509_pkey_digest(const X509 *cert, const EVP_MD *type, unsigned char *md, unsigned int *dlen)
{
unsigned int len = 0;
@@ -171,10 +172,11 @@ int X509_pkey_digest(const X509 *cert, const EVP_MD *type, unsigned char *md, un
return 1;
}
-/* Return codes: -4: no X.509 cert (fatal), -3: matching error (deferred),
- -2: unsupported type, -1: weird TLSA record
- 0: No X.509 cert; seen: usage++; */
-
+/*
+ Return codes: -4: no X.509 cert (fatal), -3: matching error (deferred),
+ -2: unsupported type, -1: weird TLSA record
+ 0: No X.509 cert; seen: usage++;
+*/
int tlsa_check(const STACK_OF(X509) * certs, const stralloc host, const unsigned long p)
{
const EVP_MD *methodsha256 = EVP_sha256();
@@ -201,8 +203,7 @@ int tlsa_check(const STACK_OF(X509) * certs, const stralloc host, const unsigned
if (!stralloc_cats(&sa, "._tcp.")) temp_nomem();
if (!stralloc_cats(&sa, host.s)) temp_nomem();
- if (dns_cname(&cn, &sa) > 0) // query name could be a cname
- {
+ if (dns_cname(&cn, &sa) > 0) { // query name could be a cname
if (dns_tlsa(&out, &cn) <= 0) return 0;
} else {
if (dns_tlsa(&out, &sa) <= 0) return 0;
@@ -211,7 +212,7 @@ int tlsa_check(const STACK_OF(X509) * certs, const stralloc host, const unsigned
/* https://www.openssl.org/docs/man3.0/man3/X509_digest.html (1.1.1):
"The len parameter, if not NULL, points to a place where the digest size will be stored."
- [sigh]
+ [sigh]
*/
do {
@@ -228,8 +229,9 @@ int tlsa_check(const STACK_OF(X509) * certs, const stralloc host, const unsigned
} else if (type == 2) {
if (selector == 0) r = X509_cert_digest(cert, methodsha512, digest, &dlen);
if (selector == 1) r = X509_pkey_digest(cert, methodsha512, digest, &dlen);
- } else
+ } else {
return -2;
+ }
if (!byte_diff(digest, dlen, out.s + i + 3)) return ++usage;
}
@@ -271,23 +273,22 @@ int tls_fingerprint(X509 *cert, const char *fingerprint, int dlen)
int tls_exit(SSL *ssl)
{
if (SSL_shutdown(ssl) == 0) SSL_shutdown(ssl);
-
return 0;
}
-/** @brief tls_destination
- @param stralloc hostname (maybe 0-terminated)
+/**
+ @brief tls_destination
+ @param stralloc hostname (maybe 0-terminated)
Certificate Fallthru
- @return values: | ADH | Cert *DN FQDN Hash | noTLSA noTLS
- ----------+-----+--------------------+-------------
- optional TLS | 1 | 3 - - - | - 9
- mandatory TLS | 2 | 4 5 6 7 | 8
-
- no TLS -1
- */
+ @return values: | ADH | Cert *DN FQDN Hash | noTLSA noTLS
+ ----------+-----+--------------------+-------------
+ optional TLS | 1 | 3 - - - | - 9
+ mandatory TLS | 2 | 4 5 6 7 | 8
+ no TLS -1
+*/
int tls_destination(const stralloc hostname)
{
int i;