authorbeck <>2015-10-07 23:33:38 +0000
committerbeck <>2015-10-07 23:33:38 +0000
commitb49e302bd49f7f927c92df560174bb439c2b2d88 (patch)
tree92254ea2710731c9a0faaf9eedfc6dd971a01640
parent1b2fcd3af52f5a520a8173eb1ed9bfece5963551 (diff)
Add tls_peer_cert_notbefore and tls_peer_cert_notafter to expose peer certificate
validity times for tls connections. ok jsing@
-rw-r--r--src/lib/libtls/Makefile4
-rw-r--r--src/lib/libtls/tls.h5
-rw-r--r--src/lib/libtls/tls_conninfo.c36
-rw-r--r--src/lib/libtls/tls_init.334
-rw-r--r--src/lib/libtls/tls_internal.h6
-rw-r--r--src/lib/libtls/tls_peer.c22
6 files changed, 98 insertions, 9 deletions
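--- a/src/lib/libtls/Makefile
+++ b/src/lib/libtls/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.21 2015/09/14 16:16:38 jsing Exp $
+# $OpenBSD: Makefile,v 1.22 2015/10/07 23:33:38 beck Exp $
 
 CFLAGS+= -Wall -Werror -Wimplicit
 CFLAGS+= -DLIBRESSL_INTERNAL
@@ -53,6 +53,8 @@ MLINKS+=tls_init.3 tls_peer_cert_contains_name.3
 MLINKS+=tls_init.3 tls_peer_cert_issuer.3
 MLINKS+=tls_init.3 tls_peer_cert_subject.3
 MLINKS+=tls_init.3 tls_peer_cert_hash.3
+MLINKS+=tls_init.3 tls_peer_cert_notbefore.3
+MLINKS+=tls_init.3 tls_peer_cert_notafter.3
 MLINKS+=tls_init.3 tls_conn_version.3
 MLINKS+=tls_init.3 tls_conn_cipher.3
 MLINKS+=tls_init.3 tls_load_file.3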
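--- a/src/lib/libtls/tls.h
+++ b/src/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.25 2015/10/01 10:27:34 bcook Exp $ */
+/* $OpenBSD: tls.h,v 1.26 2015/10/07 23:33:38 beck Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -108,6 +108,9 @@ int tls_peer_cert_contains_name(struct tls *ctx, const char *name);
 const char * tls_peer_cert_hash(struct tls *_ctx);
 const char * tls_peer_cert_issuer(struct tls *ctx);
 const char * tls_peer_cert_subject(struct tls *ctx);
+time_t tls_peer_cert_notbefore(struct tls *ctx);
+time_t tls_peer_cert_notafter(struct tls *ctx);
+
 const char * tls_conn_version(struct tls *ctx);
 const char * tls_conn_cipher(struct tls *ctx);
 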
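--- a/src/lib/libtls/tls_conninfo.c
+++ b/src/lib/libtls/tls_conninfo.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_conninfo.c,v 1.4 2015/10/07 23:25:45 beck Exp $ */
+/* $OpenBSD: tls_conninfo.c,v 1.5 2015/10/07 23:33:38 beck Exp $ */
 /*
  * Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2015 Bob Beck <beck@openbsd.org>
@@ -119,6 +119,37 @@ tls_get_peer_cert_subject(struct tls *ctx, char **subject)
 	return (0);
 }
 
+static int
+tls_get_peer_cert_times(struct tls *ctx, time_t *notbefore, time_t *notafter)
+{
+	struct tm before_tm, after_tm;
+	ASN1_TIME *before, *after;
+	int rv = -1;
+
+	memset(&before_tm, 0, sizeof(before_tm));
+	memset(&after_tm, 0, sizeof(after_tm));
+
+	if (ctx->ssl_peer_cert != NULL) {
+		if ((before = X509_get_notBefore(ctx->ssl_peer_cert)) == NULL)
+			goto err;
+		if ((after = X509_get_notAfter(ctx->ssl_peer_cert)) == NULL)
+			goto err;
+		if (asn1_time_parse(before->data, before->length, &before_tm, 0)
+		    == -1)
+			goto err;
+		if (asn1_time_parse(after->data, after->length, &after_tm, 0)
+		    == -1)
+			goto err;
+		if ((*notbefore = timegm(&before_tm)) == -1)
+			goto err;
+		if ((*notafter = timegm(&after_tm)) == -1)
+			goto err;
+	}
+	rv = 0;
+ err:
+	return (rv);
+}
+
 int
 tls_get_conninfo(struct tls *ctx) {
 	const char * tmp;
@@ -130,6 +161,9 @@ tls_get_conninfo(struct tls *ctx) {
 			goto err;
 		if (tls_get_peer_cert_issuer(ctx, &ctx->conninfo->issuer) == -1)
 			goto err;
+		if (tls_get_peer_cert_times(ctx, &ctx->conninfo->notbefore,
+		    &ctx->conninfo->notafter) == -1)
+			goto err;
 	}
 	if ((tmp = SSL_get_version(ctx->ssl_conn)) == NULL)
 		goto err;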
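Review bot: tls_get_peer_cert_times() returns 0 without writing *notbefore or *notafter when ctx->ssl_peer_cert is NULL, so a caller that has not pre-initialised those outputs reads stale values on a "success" return; the only caller visible here (the tls_get_conninfo hunk in this section) already sits inside an ssl_peer_cert != NULL block, so the inner check is redundant today, and either dropping it or making the contract explicit with a header comment such as `/* Fill *notbefore/*notafter from the peer cert validity fields; outputs are left untouched and 0 is returned when there is no peer cert. */` would prevent a future caller from being misled. The validity fields are taken from the peer certificate, i.e. untrusted input, so failing the whole conninfo on an asn1_time_parse() or timegm() failure is the safe direction. One caveat worth a short comment: timegm() returning -1 is also a legal pre-epoch timestamp (1969-12-31T23:59:59Z), which this code deliberately treats as an error. timegm() is a BSD/glibc extension rather than C11 or POSIX.1-2008, so the portable build presumably needs a compat fallback for it.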
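--- a/src/lib/libtls/tls_init.3
+++ b/src/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.49 2015/09/14 21:23:00 jmc Exp $
+.\" $OpenBSD: tls_init.3,v 1.50 2015/10/07 23:33:38 beck Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 14 2015 $
+.Dd $Mdocdate: October 7 2015 $
 .Dt TLS_INIT 3
 .Os
 .Sh NAME
@@ -49,6 +49,8 @@
 .Nm tls_peer_cert_issuer ,
 .Nm tls_peer_cert_subject ,
 .Nm tls_peer_cert_hash ,
+.Nm tls_peer_cert_notbefore ,
+.Nm tls_peer_cert_notafter ,
 .Nm tls_conn_version ,
 .Nm tls_conn_cipher ,
 .Nm tls_load_file ,
@@ -132,6 +134,10 @@
 .Fn tls_peer_cert_subject "struct tls *ctx"
 .Ft "const char *"
 .Fn tls_peer_cert_hash "struct tls *ctx"
+.Ft "time_t"
+.Fn tls_peer_cert_notbefore "struct tls *ctx"
+.Ft "time_t"
+.Fn tls_peer_cert_notafter "struct tls *ctx"
 .Ft "const char *"
 .Fn tls_conn_version "struct tls *ctx"
 .Ft "const char *"
@@ -431,6 +437,22 @@ h=$(openssl x509 -outform der -in mycert.crt | sha256)
 printf "SHA256:${h}\\n"
 .Ed
 .It
+.Fn tls_peer_cert_notbefore
+returns the time corresponding to the start of the validity period of
+the peer certificate from
+.Ar ctx .
+.Fn tls_peer_cert_notbefore
+will only succeed after the handshake is complete.
+.Em (Server and client)
+.It
+.Fn tls_peer_cert_notafter
+returns the time corresponding to the end of the validity period of
+the peer certificate from
+.Ar ctx .
+.Fn tls_peer_cert_notafter
+will only succeed after the handshake is complete.
+.Em (Server and client)
+.It
 .Fn tls_conn_version
 returns a string
 corresponding to a TLS version negotiated with the peer
@@ -554,10 +576,14 @@ The
 and
 .Fn tls_peer_cert_contains_name
 functions return 1 if the check succeeds, and 0 if it does not.
+Functions that return a
+.Vt time_t
+will return a time in epoch-seconds on success, and -1 on error.
+Functions that return a
+.Vt ssize_t
+will return a size on success, and -1 on error.
 All other functions that return
 .Vt int
-or
-.Vt ssize_t
 will return 0 on success and -1 on error.
 Functions that return a pointer will return NULL on error, which indicates an
 out of memory condition.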
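--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.25 2015/09/29 13:10:53 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.26 2015/10/07 23:33:38 beck Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -65,6 +65,8 @@ struct tls_conninfo {
 	char *fingerprint;
 	char *version;
 	char *cipher;
+	time_t notbefore;
+	time_t notafter;
 };
 
 #define TLS_CLIENT (1 << 0)
@@ -113,4 +115,6 @@ int tls_ssl_error(struct tls *ctx, SSL *ssl_conn, int ssl_ret,
 int tls_get_conninfo(struct tls *ctx);
 void tls_free_conninfo(struct tls_conninfo *conninfo);
 
+int asn1_time_parse(const char *, size_t, struct tm *, int);
+
 #endif /* HEADER_TLS_INTERNAL_H */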
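Review bot: The asn1_time_parse() prototype added at the bottom of the header is a hand-copied declaration of a function that lives in libcrypto, so a later signature change there would not be caught by the compiler on this side; including the header that declares it, or at least recording the origin with `/* Declared here for libtls; must match the libcrypto definition. */`, would make the coupling visible. The other prototypes in this file name their parameters (tls_get_conninfo(struct tls *ctx), tls_free_conninfo(struct tls_conninfo *conninfo)), and this one should too, e.g. `int asn1_time_parse(const char *bytes, size_t len, struct tm *tm, int mode);`. Both this prototype (struct tm) and the new time_t fields in struct tls_conninfo depend on <time.h> being included earlier in the header, which is not visible in these hunks; a `struct tm *` parameter with no prior declaration gives a prototype-scoped struct that gcc warns about, and the Makefile's -Werror would make that fatal, so confirm the include is present.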
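--- a/src/lib/libtls/tls_peer.c
+++ b/src/lib/libtls/tls_peer.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_peer.c,v 1.4 2015/09/12 21:00:38 beck Exp $ */
+/* $OpenBSD: tls_peer.c,v 1.5 2015/10/07 23:33:38 beck Exp $ */
 /*
  * Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2015 Bob Beck <beck@openbsd.org>
@@ -61,3 +61,23 @@ tls_peer_cert_contains_name(struct tls *ctx, const char *name)
 	return (tls_check_name(ctx, ctx->ssl_peer_cert, name) == 0);
 }
 
+time_t
+tls_peer_cert_notbefore(struct tls *ctx)
+{
+	if (ctx->ssl_peer_cert == NULL)
+		return (-1);
+	if (ctx->conninfo == NULL)
+		return (-1);
+	return (ctx->conninfo->notbefore);
+}
+
+time_t
+tls_peer_cert_notafter(struct tls *ctx)
+{
+	if (ctx->ssl_peer_cert == NULL)
+		return (-1);
+	if (ctx->conninfo == NULL)
+		return (-1);
+	return (ctx->conninfo->notafter);
+}
+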
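Review bot: tls_peer_cert_notbefore() and tls_peer_cert_notafter() are identical apart from the field they return and carry no comment saying where the value comes from, which matters because the -1 error return is in-band with the time_t result. A small shared guard would remove the duplication, e.g. `static int tls_peer_cert_ready(struct tls *ctx) { return (ctx->ssl_peer_cert != NULL && ctx->conninfo != NULL); }` with `if (!tls_peer_cert_ready(ctx)) return (-1);` in each accessor. Each accessor would also benefit from a one-line comment such as `/* Returns the cached value filled in by tls_get_conninfo(); -1 until then. */`, since the values are parsed fields of the peer certificate as presented and are only meaningful once conninfo has been populated, as the man page text added in this commit states.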