MirrorHub/construct
0
0
Fork 0
mirror of https://github.com/matrix-construct/construct synced 2024-11-16 15:00:51 +01:00
Code Issues Releases Wiki Activity

sslproc: prefix SPKI certfp types to distinguish them from CERT

Browse source
This commit is contained in:
Simon Arlott 2016-04-25 20:12:27 +01:00
parent 93ad89b232
commit dc986b5468
No known key found for this signature in database
GPG key ID: C8975F2043CA5D24
3 changed files with 37 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
doc/reference.conf
View file

@ -1407,7 +1407,8 @@ general {
* *
* The spki_* variants operate on the SubjectPublicKeyInfo of the certificate, which does * The spki_* variants operate on the SubjectPublicKeyInfo of the certificate, which does
* not change unless the private key is changed. This allows the fingerprint to stay * not change unless the private key is changed. This allows the fingerprint to stay
* constant even if the certificate is reissued. * constant even if the certificate is reissued. These fingerprints will be prefixed with
* "SPKI:SHA2-256:" or "SPKI:SHA2-512:" depending on the hash type.
*/ */
certfp_method = sha1; certfp_method = sha1;

35
ircd/sslproc.c
View file

@ -482,23 +482,48 @@ ssl_process_certfp(ssl_ctl_t * ctl, ssl_ctl_buf_t * ctl_buf)
{ {
struct Client *client_p; struct Client *client_p;
uint32_t fd; uint32_t fd;
uint32_t certfp_method;
uint32_t len; uint32_t len;
uint8_t *certfp; uint8_t *certfp;
char *certfp_string; char *certfp_string;
const char *method_string;
int method_len;
if(ctl_buf->buflen > 9 + RB_SSL_CERTFP_LEN) if(ctl_buf->buflen > 13 + RB_SSL_CERTFP_LEN)
return; /* bogus message..drop it.. XXX should warn here */ return; /* bogus message..drop it.. XXX should warn here */
fd = buf_to_uint32(&ctl_buf->buf[1]); fd = buf_to_uint32(&ctl_buf->buf[1]);
len = buf_to_uint32(&ctl_buf->buf[5]); certfp_method = buf_to_uint32(&ctl_buf->buf[5]);
certfp = (uint8_t *)&ctl_buf->buf[9]; len = buf_to_uint32(&ctl_buf->buf[9]);
certfp = (uint8_t *)&ctl_buf->buf[13];
client_p = find_cli_connid_hash(fd); client_p = find_cli_connid_hash(fd);
if(client_p == NULL) if(client_p == NULL)
return; return;
switch (certfp_method) {
case RB_SSL_CERTFP_METH_CERT_SHA1:
case RB_SSL_CERTFP_METH_CERT_SHA256:
case RB_SSL_CERTFP_METH_CERT_SHA512:
method_string = "";
break;
/* These names are copied from RFC 7218 */
case RB_SSL_CERTFP_METH_SPKI_SHA256:
method_string = "SPKI:SHA2-256:";
break;
case RB_SSL_CERTFP_METH_SPKI_SHA512:
method_string = "SPKI:SHA2-512:";
break;
default:
return;
}
method_len = strlen(method_string);
rb_free(client_p->certfp); rb_free(client_p->certfp);
certfp_string = rb_malloc(len * 2 + 1); certfp_string = rb_malloc(method_len + len * 2 + 1);
strcpy(certfp_string, method_string);
for(uint32_t i = 0; i < len; i++) for(uint32_t i = 0; i < len; i++)
snprintf(certfp_string + 2 * i, 3, "%02x", snprintf(certfp_string + method_len + 2 * i, 3, "%02x",
certfp[i]); certfp[i]);
client_p->certfp = certfp_string; client_p->certfp = certfp_string;
} }

9
ssld/ssld.c
View file

@ -686,17 +686,18 @@ ssl_send_cipher(conn_t *conn)
static void static void
ssl_send_certfp(conn_t *conn) ssl_send_certfp(conn_t *conn)
{ {
uint8_t buf[9 + RB_SSL_CERTFP_LEN]; uint8_t buf[13 + RB_SSL_CERTFP_LEN];
int len = rb_get_ssl_certfp(conn->mod_fd, &buf[9], certfp_method); int len = rb_get_ssl_certfp(conn->mod_fd, &buf[13], certfp_method);
if (!len) if (!len)
return; return;
lrb_assert(len <= RB_SSL_CERTFP_LEN); lrb_assert(len <= RB_SSL_CERTFP_LEN);
buf[0] = 'F'; buf[0] = 'F';
uint32_to_buf(&buf[1], conn->id); uint32_to_buf(&buf[1], conn->id);
uint32_to_buf(&buf[5], len); uint32_to_buf(&buf[5], certfp_method);
mod_cmd_write_queue(conn->ctl, buf, 9 + len); uint32_to_buf(&buf[9], len);
mod_cmd_write_queue(conn->ctl, buf, 13 + len);
} }
static void static void