.TH PUSHTLS 2
.SH NAME
-pushtls, tlsClient, tlsServer, initThumbprints, freeThumbprints, okThumbprint, readcert, readcertchain \- attach TLS1 or SSL3 encryption to a communication channel
+pushtls, tlsClient, tlsServer, initThumbprints, freeThumbprints, okThumbprint, okCertificate, readcert, readcertchain \- attach TLS1 or SSL3 encryption to a communication channel
.SH SYNOPSIS
.B #include <u.h>
.br
PEMchain *readcertchain(char *filename)
.PP
.B
-Thumbprint *initThumbprints(char *ok, char *crl)
+Thumbprint *initThumbprints(char *ok, char *crl, char *tag)
.PP
.B
void freeThumbprints(Thumbprint *table)
.PP
.B
-int okThumbprint(uchar *hash, Thumbprint *table)
+int okThumbprint(uchar *hash, int len, Thumbprint *table)
+.PP
+.B
+int okCertificate(uchar *cert, int len, Thumbprint *table)
.SH DESCRIPTION
Transport Layer Security (TLS) comprises a record layer protocol,
doing message digesting and encrypting in the kernel,
char dir[40]; /* OUT connection directory */
uchar *cert; /* IN/OUT certificate */
uchar *sessionID; /* IN/OUT session ID */
- int certlen, sessionIDlen;
+ uchar *psk; /* opt IN pre-shared key */
+ int certlen, sessionIDlen, psklen;
int (*trace)(char*fmt, ...);
PEMChain *chain;
char *sessionType; /* opt IN session type */
uchar *sessionKey; /* opt IN/OUT session key */
int sessionKeylen; /* opt IN session key length */
char *sessionConst; /* opt IN session constant */
+ char *serverName; /* opt IN server name */
+ char *pskID; /* opt IN pre-shared key ID */
} TLSconn;
.EE
.PP
defined in
-.IR tls.h .
+.IR libsec.h .
On input, the caller can provide options such as
.IR cert ,
the local certificate, and
.IR malloc ed
.B PEMChain
structures, defined in
-.IR tls.h :
+.IR libsec.h :
.IP
.EX
typedef struct PEMChain PEMChain;
Start the client half of TLS and check the remote certificate:
.IP
.EX
-uchar hash[SHA1dlen];
-
conn = (TLSconn*)mallocz(sizeof *conn, 1);
fd = tlsClient(fd, conn);
-sha1(conn->cert, conn->certlen, hash, nil);
-if(!okThumbprint(hash,table))
- exits("suspect server");
+if(!okCertificate(conn->cert, conn->certlen, table))
+ sysfatal("suspect server: %r");
\fI...application begins...\fP
.EE
.PP