Provide tls_peer_cert_hash() which returns a hash of the raw certificate

that was presented by the peer. The hash used is currently SHA256, however since we prefix the result with the hash name, we can change this in the future as the need arises. The same output can be generated by using: h=$(openssl x509 -outform der -in mycert.crt | sha256) printf "SHA256:${h}\n" ok beck@
author: jsing <> 2015-09-11 11:28:01 +0000
committer: jsing <> 2015-09-11 11:28:01 +0000
commit: 368b501095ffe62862d468562cfaf9d1012ca99c (patch)
tree: 122bc4c787f76caf0f4eb0c1dd4c691818a0adca /src
parent: 42bff14389893c2dd1a5b78696866d589b5aac93 (diff)
download: openbsd-368b501095ffe62862d468562cfaf9d1012ca99c.tar.gz
openbsd-368b501095ffe62862d468562cfaf9d1012ca99c.tar.bz2
openbsd-368b501095ffe62862d468562cfaf9d1012ca99c.zip
3 files changed, 92 insertions, 2 deletions
diff --git a/src/lib/libtls/Makefile b/src/lib/libtls/Makefile
index 4b6b34c283..0e3329589e 100644
--- a/src/lib/libtls/Makefile
+++ b/src/lib/libtls/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.14 2015/09/11 07:07:23 jmc Exp $
+#       $OpenBSD: Makefile,v 1.15 2015/09/11 11:28:01 jsing Exp $
 CFLAGS+= -Wall -Werror -Wimplicit
 CFLAGS+= -DLIBRESSL_INTERNAL
@@ -15,6 +15,7 @@ HDRS=	tls.h
 SRCS=   tls.c \
        tls_client.c \
        tls_config.c \
+        tls_peer.c \
        tls_server.c \
        tls_util.c \
        tls_verify.c
diff --git a/src/lib/libtls/tls.h b/src/lib/libtls/tls.h
index f7c12920e0..3cb24f0ee5 100644
--- a/src/lib/libtls/tls.h
+++ b/src/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.18 2015/09/10 10:26:49 beck Exp $ */
+/* $OpenBSD: tls.h,v 1.19 2015/09/11 11:28:01 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -99,6 +99,8 @@ ssize_t tls_read(struct tls *_ctx, void *_buf, size_t _buflen);
 ssize_t tls_write(struct tls *_ctx, const void *_buf, size_t _buflen);
 int tls_close(struct tls *_ctx);
+int tls_peer_cert_hash(struct tls *_ctx, char **_hash);
 uint8_t *tls_load_file(const char *_file, size_t *_len, char *_password);
 #ifdef __cplusplus
diff --git a/src/lib/libtls/tls_peer.c b/src/lib/libtls/tls_peer.c
new file mode 100644
index 0000000000..e2a2c7b141
--- /dev/null
+++ b/src/lib/libtls/tls_peer.c
@@ -0,0 +1,87 @@
+/* $OpenBSD: tls_peer.c,v 1.1 2015/09/11 11:28:01 jsing Exp $ */
+/*
+ * Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include <stdio.h>
+#include <openssl/x509.h>
+#include <tls.h>
+#include "tls_internal.h"
+static int
+tls_hex_string(const unsigned char *in, size_t inlen, char **out,
+    size_t *outlen)
+{
+        static const char hex[] = "0123456789abcdef";
+        size_t i, len;
+        char *p;
+        if (outlen != NULL)
+                *outlen = 0;
+        if (inlen >= SIZE_MAX)
+                return (-1);
+        if ((*out = reallocarray(NULL, inlen + 1, 2)) == NULL)
+                return (-1);
+        p = *out;
+        len = 0;
+        for (i = 0; i < inlen; i++) {
+                p[len++] = hex[(in[i] >> 4) & 0x0f];
+                p[len++] = hex[in[i] & 0x0f];
+        }
+        p[len++] = 0;
+        if (outlen != NULL)
+                *outlen = len;
+        return (0);
+}
+int
+tls_peer_cert_hash(struct tls *ctx, char **hash)
+{
+        char d[EVP_MAX_MD_SIZE], *dhex = NULL;
+        int dlen, rv = -1;
+        *hash = NULL;
+        if (ctx->ssl_peer_cert == NULL)
+                return (0);
+        if (X509_digest(ctx->ssl_peer_cert, EVP_sha256(), d, &dlen) != 1) {
+                tls_set_errorx(ctx, "digest failed");
+                goto err;
+        }
+        if (tls_hex_string(d, dlen, &dhex, NULL) != 0) {
+                tls_set_errorx(ctx, "digest hex string failed");
+                goto err;
+        }
+        if (asprintf(hash, "SHA256:%s", dhex) == -1) {
+                tls_set_errorx(ctx, "out of memory");
+                *hash = NULL;
+                goto err;
+        }
+        rv = 0;
+err:
+        free(dhex);
+        return (rv);
+}
author	jsing <>	2015-09-11 11:28:01 +0000
committer	jsing <>	2015-09-11 11:28:01 +0000
commit	368b501095ffe62862d468562cfaf9d1012ca99c (patch)
tree	122bc4c787f76caf0f4eb0c1dd4c691818a0adca /src
parent	42bff14389893c2dd1a5b78696866d589b5aac93 (diff)
download	openbsd-368b501095ffe62862d468562cfaf9d1012ca99c.tar.gz openbsd-368b501095ffe62862d468562cfaf9d1012ca99c.tar.bz2 openbsd-368b501095ffe62862d468562cfaf9d1012ca99c.zip

diff --git a/src/lib/libtls/Makefile b/src/lib/libtls/Makefile index 4b6b34c283..0e3329589e 100644 --- a/src/lib/libtls/Makefile +++ b/src/lib/libtls/Makefile
@@ -1,4 +1,4 @@
1	# $OpenBSD: Makefile,v 1.14 2015/09/11 07:07:23 jmc Exp $	1	# $OpenBSD: Makefile,v 1.15 2015/09/11 11:28:01 jsing Exp $
2		2
3	CFLAGS+= -Wall -Werror -Wimplicit	3	CFLAGS+= -Wall -Werror -Wimplicit
4	CFLAGS+= -DLIBRESSL_INTERNAL	4	CFLAGS+= -DLIBRESSL_INTERNAL
@@ -15,6 +15,7 @@ HDRS= tls.h
15	SRCS= tls.c \	15	SRCS= tls.c \
16	tls_client.c \	16	tls_client.c \
17	tls_config.c \	17	tls_config.c \
		18	tls_peer.c \
18	tls_server.c \	19	tls_server.c \
19	tls_util.c \	20	tls_util.c \
20	tls_verify.c	21	tls_verify.c


diff --git a/src/lib/libtls/tls.h b/src/lib/libtls/tls.h index f7c12920e0..3cb24f0ee5 100644 --- a/src/lib/libtls/tls.h +++ b/src/lib/libtls/tls.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls.h,v 1.18 2015/09/10 10:26:49 beck Exp $ */	1	/* $OpenBSD: tls.h,v 1.19 2015/09/11 11:28:01 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -99,6 +99,8 @@ ssize_t tls_read(struct tls _ctx, void _buf, size_t _buflen);
99	ssize_t tls_write(struct tls _ctx, const void _buf, size_t _buflen);	99	ssize_t tls_write(struct tls _ctx, const void _buf, size_t _buflen);
100	int tls_close(struct tls *_ctx);	100	int tls_close(struct tls *_ctx);
101		101
		102	int tls_peer_cert_hash(struct tls _ctx, char *_hash);
		103
102	uint8_t tls_load_file(const char _file, size_t _len, char _password);	104	uint8_t tls_load_file(const char _file, size_t _len, char _password);
103		105
104	#ifdef __cplusplus	106	#ifdef __cplusplus


diff --git a/src/lib/libtls/tls_peer.c b/src/lib/libtls/tls_peer.c new file mode 100644 index 0000000000..e2a2c7b141 --- /dev/null +++ b/src/lib/libtls/tls_peer.c
@@ -0,0 +1,87 @@
		1	/* $OpenBSD: tls_peer.c,v 1.1 2015/09/11 11:28:01 jsing Exp $ */
		2	/*
		3	* Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
		4	*
		5	* Permission to use, copy, modify, and distribute this software for any
		6	* purpose with or without fee is hereby granted, provided that the above
		7	* copyright notice and this permission notice appear in all copies.
		8	*
		9	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
		10	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
		11	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
		12	* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
		13	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
		14	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
		15	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
		16	*/
		17
		18	#include <stdio.h>
		19
		20	#include <openssl/x509.h>
		21
		22	#include <tls.h>
		23	#include "tls_internal.h"
		24
		25	static int
		26	tls_hex_string(const unsigned char in, size_t inlen, char *out,
		27	size_t *outlen)
		28	{
		29	static const char hex[] = "0123456789abcdef";
		30	size_t i, len;
		31	char *p;
		32
		33	if (outlen != NULL)
		34	*outlen = 0;
		35
		36	if (inlen >= SIZE_MAX)
		37	return (-1);
		38	if ((*out = reallocarray(NULL, inlen + 1, 2)) == NULL)
		39	return (-1);
		40
		41	p = *out;
		42	len = 0;
		43	for (i = 0; i < inlen; i++) {
		44	p[len++] = hex[(in[i] >> 4) & 0x0f];
		45	p[len++] = hex[in[i] & 0x0f];
		46	}
		47	p[len++] = 0;
		48
		49	if (outlen != NULL)
		50	*outlen = len;
		51
		52	return (0);
		53	}
		54
		55	int
		56	tls_peer_cert_hash(struct tls ctx, char *hash)
		57	{
		58	char d[EVP_MAX_MD_SIZE], *dhex = NULL;
		59	int dlen, rv = -1;
		60
		61	*hash = NULL;
		62	if (ctx->ssl_peer_cert == NULL)
		63	return (0);
		64
		65	if (X509_digest(ctx->ssl_peer_cert, EVP_sha256(), d, &dlen) != 1) {
		66	tls_set_errorx(ctx, "digest failed");
		67	goto err;
		68	}
		69
		70	if (tls_hex_string(d, dlen, &dhex, NULL) != 0) {
		71	tls_set_errorx(ctx, "digest hex string failed");
		72	goto err;
		73	}
		74
		75	if (asprintf(hash, "SHA256:%s", dhex) == -1) {
		76	tls_set_errorx(ctx, "out of memory");
		77	*hash = NULL;
		78	goto err;
		79	}
		80
		81	rv = 0;
		82
		83	err:
		84	free(dhex);
		85
		86	return (rv);
		87	}