Hi Lucas,

Lucas wrote on Sat, May 09, 2020 at 06:18:50PM +0000:

> I experimented with cert FP pinning in the past, too. tls_peer_cert_hash
> is probably what you're looking for. Found it looking at
> /usr/include/tls.h. Then tried to find it referenced in other manpages,
> 
> oolong$ man -k Xr=tls_peer_cert_hash 
> nc(1) - arbitrary TCP and UDP connections and listens
> 
> That's far from ideal IMO,

While -k Xr= is occasionally useful, you should be aware that it does
a substring search, so it only finds manual pages that explicitly
reference tls_peer_cert_hash(3), but not manual pages that reference
the same page under the more usual name tls_conn_version(3) or under
other names like tls_peer_cert_notafter(3).

For example, as tedu@ pointed out:

   $ man -k Xr=tls_conn_version | sed 's/,.*//'
  tls_config_verify
  tls_init
  tls_ocsp_process_response
  tls_read

It would be theoretically possible to do this:

 * When searching for "Xr", treat that as a special case as follows:
 * First search for all pages having the Xr expression in their name
   rather than in an Xr macro.
 * Build a list of names from that, possibly including multiple names
   even when only a single page exists.
 * Search for Xr macros containing each of the names in turn
   and show all matching pages.

Then again, it would be quite ugly to implement that.  Doing such a
multi-step search also wouldn't be fast but might take quite some time.
And finally, while in this case, it's clearly what you would want,
in other cases, users might wish to only search for one specific
substring as we currently do, so your proposed behaviour would result
in false positives from their point of view.  Also, the current
behaviour is much easier to explain in the apropos(1) manual page,
which currently just needs to say

  Operator = evaluates a substring,
  while ~ evaluates a case-sensitive extended regular expression.

without having to explain a special case for Xr.

> but I don't know where, of the many tls_*
> manpages, would I reference it.

It is actually already referenced from at least four places in four
different tls*(3) pages.

Also, this is Unix, you can use pipes:

   $ man -k Nm=tls_peer_cert_hash | \
     sed 's/(.*//; s/,//g; s/\</Xr=/g' | \
     xargs man -k | sed 's/,.*//'
  nc(1) - arbitrary TCP and UDP connections and listens
  tls_config_verify
  tls_init
  tls_ocsp_process_response
  tls_read

Yours,
  Ingo
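The two-step search sketched in the mail (find the pages whose Nm matches, collect every name they carry, then search Xr= for each name) as an added shell example; this is not code from the mail or from mandoc. `MAN_K` is an assumed variable so the apropos command can be swapped out where no mandoc database is available.

```shell
#!/bin/sh
# Expand one name into the Xr= searches for every name of the matching page:
# 1. man -k Nm=NAME finds the page(s) whose name matches,
# 2. every name listed before "(sec)" on those lines is collected,
# 3. man -k Xr=NAME is run for each of them,
# 4. the union of the results is printed once, sorted.
# MAN_K is an assumption of this example, not something the mail mentions:
# it defaults to "man -k" and can be pointed at another command for testing.
MAN_K=${MAN_K:-"man -k"}

# Print each name that precedes the "(section)" of an apropos line, one per
# line, trimmed, so "a, b, c(3) - desc" yields a, b and c. Avoids the \<
# word-boundary sed extension so it runs on any POSIX sed.
names_from_apropos() {
    sed 's/(.*//' |
    tr ',' '\n' |
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
    grep -v '^$'
}

# Search Xr= for every name the Nm= search yields; each result line is
# printed once even when several names cross-reference the same page.
xr_search() {
    _name=$1
    $MAN_K "Nm=$_name" | names_from_apropos | sort -u |
    while IFS= read -r _n; do
        $MAN_K "Xr=$_n"
    done | sort -u
}
```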
