Added support for RFC7469 key PIN

That allows the hash provided to the client to be the RFC7469 key PIN.
That is, a base64 encoding of the public key sha256 hash instead of the hex
equivalent. That reduces the number of characters that need to be typed.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>

diff --git a/dtls.c b/dtls.c
index a10d4ed3a842e7b904a0ba976af24675c374056e..c97d14d15a53bb9b53ca5297ccc617e17359ec10 100644 (file)
--- a/dtls.c
+++ b/dtls.c
@@ -85,6 +85,25 @@ char *openconnect_bin2hex(const char *prefix, const uint8_t *data, unsigned len)
        return p;
 }
 
+char *openconnect_bin2base64(const char *prefix, const uint8_t *data, unsigned len)
+{
+       struct oc_text_buf *buf;
+       char *p = NULL;
+
+       buf = buf_alloc();
+       if (prefix)
+               buf_append(buf, "%s", prefix);
+       buf_append_base64(buf, data, len);
+
+       if (!buf_error(buf)) {
+               p = buf->data;
+               buf->data = NULL;
+       }
+       buf_free(buf);
+
+       return p;
+}
+
 static int connect_dtls_socket(struct openconnect_info *vpninfo)
 {
        int dtls_fd, ret;

diff --git a/library.c b/library.c
index 3ca1e7a5749c99389db80b4d7d1883ef43d1d80a..12d48fcde5939640ee272018b270b22ef31d92e2 100644 (file)
--- a/library.c
+++ b/library.c
@@ -978,6 +978,9 @@ int openconnect_check_peer_cert_hash(struct openconnect_info *vpninfo,
                } else if (strncmp(old_hash, "sha256:", 7) == 0) {
                        fingerprint = openconnect_bin2hex("sha256:", vpninfo->peer_cert_sha256_raw, sizeof(vpninfo->peer_cert_sha256_raw));
                        min_match_len = real_min_match_len + sizeof("sha256:")-1;
+               } else if (strncmp(old_hash, "pin-sha256:", 11) == 0) {
+                       fingerprint = openconnect_bin2base64("pin-sha256:", vpninfo->peer_cert_sha256_raw, sizeof(vpninfo->peer_cert_sha256_raw));
+                       min_match_len = real_min_match_len + sizeof("pin-sha256:")-1;
                } else {
                        vpn_progress(vpninfo, PRG_ERR, _("Unknown certificate hash: %s.\n"), old_hash);
                        return -EIO;

diff --git a/openconnect-internal.h b/openconnect-internal.h
index 291eb4b746aa7428b08522453d4a7797d2f54853..4aac2ce6aa75bee889f31187d25ada8eae00ce76 100644 (file)
--- a/openconnect-internal.h
+++ b/openconnect-internal.h
@@ -828,6 +828,7 @@ void dtls_detect_mtu(struct openconnect_info *vpninfo);
 int openconnect_dtls_read(struct openconnect_info *vpninfo, void *buf, size_t len, unsigned ms);
 int openconnect_dtls_write(struct openconnect_info *vpninfo, void *buf, size_t len);
 char *openconnect_bin2hex(const char *prefix, const uint8_t *data, unsigned len);
+char *openconnect_bin2base64(const char *prefix, const uint8_t *data, unsigned len);
 
 /* cstp.c */
 void cstp_common_headers(struct openconnect_info *vpninfo, struct oc_text_buf *buf);

diff --git a/openconnect.8.in b/openconnect.8.in
index b7e2bfc0be6583bfa2fea611398ff1d59f94be09..c97dec2b3b69573f5dc20a254ceec7b3698f9490 100644 (file)
--- a/openconnect.8.in
+++ b/openconnect.8.in
@@ -479,11 +479,15 @@ instead of using the normal resolver to look it up.
 Accept server's SSL certificate only if the provided fingerprint matches.
 The allowed fingerprint types are
 .IR SHA1 ,
+.IR SHA256 ,
 and
-.IR SHA256 .
-They are distinguished by the 'sha1:' or 'sha256:' prefixes to the hex encoded
-hash. To ease certain testing use-cases, a partial match of the hash will also
-be accepted, if it is at least 4 characters.
+.IR PIN-SHA256 .
+They are distinguished by the 'sha1:', 'sha256:' and 'pin-sha256:' prefixes to the
+encoded hash. The first two are custom identifiers providing hex
+encoding of the peer's public key, while 'pin-sha256:' is the RFC7469 key
+PIN, which utilizes base64 encoding. To ease certain
+testing use-cases, a partial match of the hash will also
+be accepted, if it is at least 4 characters past the prefix.
 .TP
 .B \-\-useragent=STRING
 Use