Store a reference to the peer certificate (if any) upon completion of the

handshake. Free the reference when we reset the TLS context.

ok beck@

2 files changed, 8 insertions, 2 deletions

diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index 282f68edf6..aa49641ab2 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.24 2015/09/10 18:43:03 jsing Exp $ */
+/* $OpenBSD: tls.c,v 1.25 2015/09/11 09:24:54 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -308,9 +308,11 @@ tls_reset(struct tls *ctx)
 {
         SSL_CTX_free(ctx->ssl_ctx);
         SSL_free(ctx->ssl_conn);
+        X509_free(ctx->ssl_peer_cert);
 
         ctx->ssl_conn = NULL;
         ctx->ssl_ctx = NULL;
+        ctx->ssl_peer_cert = NULL;
 
         ctx->socket = -1;
         ctx->state = 0;
@@ -379,6 +381,9 @@ tls_handshake(struct tls *ctx)
         else if ((ctx->flags & TLS_SERVER_CONN) != 0)
                 rv = tls_handshake_server(ctx);
 
+        if (rv == 0)
+                ctx->ssl_peer_cert = SSL_get_peer_certificate(ctx->ssl_conn);
+
         /* Prevent callers from performing incorrect error handling */
         errno = 0;
         return (rv);
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index a5399d5594..b514847cfe 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.18 2015/09/10 10:14:20 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.19 2015/09/11 09:24:54 jsing Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -67,6 +67,7 @@ struct tls {
 
         SSL *ssl_conn;
         SSL_CTX *ssl_ctx;
+        X509 *ssl_peer_cert;
 };
 
 struct tls *tls_new(void);