summaryrefslogtreecommitdiff
path: root/src/lib/libtls/tls_peer.c
diff options
context:
space:
mode:
authorjsing <>2015-09-11 11:28:01 +0000
committerjsing <>2015-09-11 11:28:01 +0000
commit368b501095ffe62862d468562cfaf9d1012ca99c (patch)
tree122bc4c787f76caf0f4eb0c1dd4c691818a0adca /src/lib/libtls/tls_peer.c
parent42bff14389893c2dd1a5b78696866d589b5aac93 (diff)
downloadopenbsd-368b501095ffe62862d468562cfaf9d1012ca99c.tar.gz
openbsd-368b501095ffe62862d468562cfaf9d1012ca99c.tar.bz2
openbsd-368b501095ffe62862d468562cfaf9d1012ca99c.zip
Provide tls_peer_cert_hash() which returns a hash of the raw certificate
that was presented by the peer. The hash used is currently SHA256, however since we prefix the result with the hash name, we can change this in the future as the need arises. The same output can be generated by using: h=$(openssl x509 -outform der -in mycert.crt | sha256) printf "SHA256:${h}\n" ok beck@
Diffstat (limited to 'src/lib/libtls/tls_peer.c')
-rw-r--r--src/lib/libtls/tls_peer.c87
1 files changed, 87 insertions, 0 deletions
diff --git a/src/lib/libtls/tls_peer.c b/src/lib/libtls/tls_peer.c
new file mode 100644
index 0000000000..e2a2c7b141
--- /dev/null
+++ b/src/lib/libtls/tls_peer.c
@@ -0,0 +1,87 @@
1/* $OpenBSD: tls_peer.c,v 1.1 2015/09/11 11:28:01 jsing Exp $ */
2/*
3 * Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18#include <stdio.h>
19
20#include <openssl/x509.h>
21
22#include <tls.h>
23#include "tls_internal.h"
24
25static int
26tls_hex_string(const unsigned char *in, size_t inlen, char **out,
27 size_t *outlen)
28{
29 static const char hex[] = "0123456789abcdef";
30 size_t i, len;
31 char *p;
32
33 if (outlen != NULL)
34 *outlen = 0;
35
36 if (inlen >= SIZE_MAX)
37 return (-1);
38 if ((*out = reallocarray(NULL, inlen + 1, 2)) == NULL)
39 return (-1);
40
41 p = *out;
42 len = 0;
43 for (i = 0; i < inlen; i++) {
44 p[len++] = hex[(in[i] >> 4) & 0x0f];
45 p[len++] = hex[in[i] & 0x0f];
46 }
47 p[len++] = 0;
48
49 if (outlen != NULL)
50 *outlen = len;
51
52 return (0);
53}
54
55int
56tls_peer_cert_hash(struct tls *ctx, char **hash)
57{
58 char d[EVP_MAX_MD_SIZE], *dhex = NULL;
59 int dlen, rv = -1;
60
61 *hash = NULL;
62 if (ctx->ssl_peer_cert == NULL)
63 return (0);
64
65 if (X509_digest(ctx->ssl_peer_cert, EVP_sha256(), d, &dlen) != 1) {
66 tls_set_errorx(ctx, "digest failed");
67 goto err;
68 }
69
70 if (tls_hex_string(d, dlen, &dhex, NULL) != 0) {
71 tls_set_errorx(ctx, "digest hex string failed");
72 goto err;
73 }
74
75 if (asprintf(hash, "SHA256:%s", dhex) == -1) {
76 tls_set_errorx(ctx, "out of memory");
77 *hash = NULL;
78 goto err;
79 }
80
81 rv = 0;
82
83err:
84 free(dhex);
85
86 return (rv);
87}