Commit f2eb598e authored by Nikos Mavrogiannopoulos's avatar Nikos Mavrogiannopoulos Committed by David Woodhouse

Added support for RFC7469 key PIN

That allows the hash provided to the client to be the RFC7469 key PIN.
That is, a base64 encoding of the public key sha256 hash instead of the hex
equivalent. That reduces the number of characters that need to be typed.
Signed-off-by: default avatarNikos Mavrogiannopoulos <nmav@gnutls.org>
Signed-off-by: default avatarDavid Woodhouse <dwmw2@infradead.org>
parent b3e5f002
......@@ -85,6 +85,25 @@ char *openconnect_bin2hex(const char *prefix, const uint8_t *data, unsigned len)
return p;
}
char *openconnect_bin2base64(const char *prefix, const uint8_t *data, unsigned len)
{
struct oc_text_buf *buf;
char *p = NULL;
buf = buf_alloc();
if (prefix)
buf_append(buf, "%s", prefix);
buf_append_base64(buf, data, len);
if (!buf_error(buf)) {
p = buf->data;
buf->data = NULL;
}
buf_free(buf);
return p;
}
static int connect_dtls_socket(struct openconnect_info *vpninfo)
{
int dtls_fd, ret;
......
......@@ -978,6 +978,9 @@ int openconnect_check_peer_cert_hash(struct openconnect_info *vpninfo,
} else if (strncmp(old_hash, "sha256:", 7) == 0) {
fingerprint = openconnect_bin2hex("sha256:", vpninfo->peer_cert_sha256_raw, sizeof(vpninfo->peer_cert_sha256_raw));
min_match_len = real_min_match_len + sizeof("sha256:")-1;
} else if (strncmp(old_hash, "pin-sha256:", 11) == 0) {
fingerprint = openconnect_bin2base64("pin-sha256:", vpninfo->peer_cert_sha256_raw, sizeof(vpninfo->peer_cert_sha256_raw));
min_match_len = real_min_match_len + sizeof("pin-sha256:")-1;
} else {
vpn_progress(vpninfo, PRG_ERR, _("Unknown certificate hash: %s.\n"), old_hash);
return -EIO;
......
......@@ -828,6 +828,7 @@ void dtls_detect_mtu(struct openconnect_info *vpninfo);
int openconnect_dtls_read(struct openconnect_info *vpninfo, void *buf, size_t len, unsigned ms);
int openconnect_dtls_write(struct openconnect_info *vpninfo, void *buf, size_t len);
char *openconnect_bin2hex(const char *prefix, const uint8_t *data, unsigned len);
char *openconnect_bin2base64(const char *prefix, const uint8_t *data, unsigned len);
/* cstp.c */
void cstp_common_headers(struct openconnect_info *vpninfo, struct oc_text_buf *buf);
......
......@@ -479,11 +479,15 @@ instead of using the normal resolver to look it up.
Accept server's SSL certificate only if the provided fingerprint matches.
The allowed fingerprint types are
.IR SHA1 ,
.IR SHA256 ,
and
.IR SHA256 .
They are distinguished by the 'sha1:' or 'sha256:' prefixes to the hex encoded
hash. To ease certain testing use-cases, a partial match of the hash will also
be accepted, if it is at least 4 characters.
.IR PIN-SHA256 .
They are distinguished by the 'sha1:', 'sha256:' and 'pin-sha256:' prefixes to the
encoded hash. The first two are custom identifiers providing hex
encoding of the peer's public key, while 'pin-sha256:' is the RFC7469 key
PIN, which utilizes base64 encoding. To ease certain
testing use-cases, a partial match of the hash will also
be accepted, if it is at least 4 characters past the prefix.
.TP
.B \-\-useragent=STRING
Use
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment