Subversion Repositories planix.SVN

.TH PUSHTLS 2

.TH PUSHTLS 2

.SH NAME

.SH NAME

.SH SYNOPSIS

.SH SYNOPSIS

.B #include <u.h>

.B #include <u.h>

.br

.br

.B #include <libc.h>

.B #include <libc.h>

.PP

.PP

.PP

.PP

.B

.B

PEMchain *readcertchain(char *filename)

PEMchain *readcertchain(char *filename)

.PP

.PP

.B

.B

.PP

.PP

.B

.B

void	freeThumbprints(Thumbprint *table)

void	freeThumbprints(Thumbprint *table)

.PP

.PP

.B

.B

.SH DESCRIPTION

.SH DESCRIPTION

Transport Layer Security (TLS) comprises a record layer protocol,

Transport Layer Security (TLS) comprises a record layer protocol,

doing message digesting and encrypting in the kernel,

doing message digesting and encrypting in the kernel,

and a handshake protocol,

and a handshake protocol,

doing initial authentication and secret creation at

doing initial authentication and secret creation at

.IR secret .

.IR secret .

These parameters must have been arranged at the two ends of the

These parameters must have been arranged at the two ends of the

conversation by other means.

conversation by other means.

For example,

For example,

.I hashalg

.I hashalg

.BR sha1 ,

.BR sha1 ,

.I encalg

.I encalg

could be

could be

.BR rc4_128 ,

.BR rc4_128 ,

.I secret

.I secret

could be the base-64 encoding of two (client-to-server and server-to-client)

could be the base-64 encoding of two (client-to-server and server-to-client)

20-byte digest keys and two corresponding 16-byte encryption keys.

20-byte digest keys and two corresponding 16-byte encryption keys.

.I Pushtls

.I Pushtls

returns a file descriptor for the TLS data channel.  Anything written to this

returns a file descriptor for the TLS data channel.  Anything written to this

descriptor will get encrypted and authenticated and then written to the

descriptor will get encrypted and authenticated and then written to the

file descriptor,

file descriptor,

.IR fd .

.IR fd .

If

If

.I dir

.I dir

is non-zero, the path name of the connection directory is copied into

is non-zero, the path name of the connection directory is copied into

.IR dir .

.IR dir .

This path name is guaranteed to be less than 40 bytes long.

This path name is guaranteed to be less than 40 bytes long.

.EX

.EX

typedef struct TLSconn {

typedef struct TLSconn {

	char	dir[40];		/* OUT    connection directory */

	char	dir[40];		/* OUT    connection directory */

	uchar *cert;		/* IN/OUT certificate */

	uchar *cert;		/* IN/OUT certificate */

	uchar *sessionID;	/* IN/OUT session ID */

	uchar *sessionID;	/* IN/OUT session ID */

	PEMChain *chain;

	PEMChain *chain;

	char	*sessionType;	/* opt IN  session type */

	char	*sessionType;	/* opt IN  session type */

	uchar *sessionKey;	/* opt IN/OUT session key */

	uchar *sessionKey;	/* opt IN/OUT session key */

	int	sessionKeylen;	/* opt IN  session key length */

	int	sessionKeylen;	/* opt IN  session key length */

	char	*sessionConst;	/* opt IN  session constant */

	char	*sessionConst;	/* opt IN  session constant */

} TLSconn;

} TLSconn;

.EE

.EE

.PP

.PP

defined in

defined in

On input, the caller can provide options such as

On input, the caller can provide options such as

.IR cert ,

.IR cert ,

the local certificate, and

the local certificate, and

.IR sessionID ,

.IR sessionID ,

used by a client to resume a previously negotiated security association.

used by a client to resume a previously negotiated security association.

.I filename

.I filename

and return a pointer to a linked list of

and return a pointer to a linked list of

.IR malloc ed

.IR malloc ed

.B PEMChain

.B PEMChain

structures, defined in

structures, defined in

.IP

.IP

.EX

.EX

typedef struct PEMChain PEMChain;

typedef struct PEMChain PEMChain;

struct PEMChain {

struct PEMChain {

	PEMChain*next;

	PEMChain*next;

	int	pemlen;

	int	pemlen;

};

};

.EE

.EE

.LP

.LP

By setting

By setting

conn->chain = readcertchain("intermediate-certs.pem");

conn->chain = readcertchain("intermediate-certs.pem");

.EE

.EE

.LP

.LP

the server can present extra certificate evidence

the server can present extra certificate evidence

to establish the chain of trust to a root authority

to establish the chain of trust to a root authority

be freed by the application whenever convenient.

be freed by the application whenever convenient.

.SH EXAMPLES

.SH EXAMPLES

Start the client half of TLS and check the remote certificate:

Start the client half of TLS and check the remote certificate:

.IP

.IP

.EX

.EX

conn = (TLSconn*)mallocz(sizeof *conn, 1);

conn = (TLSconn*)mallocz(sizeof *conn, 1);

fd = tlsClient(fd, conn);

fd = tlsClient(fd, conn);

\fI...application begins...\fP

\fI...application begins...\fP

.EE

.EE

.PP

.PP

Run the server side:

Run the server side:

.IP

.IP

.SH DIAGNOSTICS

.SH DIAGNOSTICS

Return \-1 on failure.

Return \-1 on failure.

.SH BUGS

.SH BUGS

Client certificates and client sessionIDs are not yet

Client certificates and client sessionIDs are not yet

implemented.

implemented.

.PP

.PP

Note that in the TLS protocol

Note that in the TLS protocol

.I sessionID

.I sessionID

itself is public;  it is used as a pointer to

itself is public;  it is used as a pointer to

secrets stored in

secrets stored in