add tls_peer functions for checking names and issuers of peer certificates.

ok jsing@

7 files changed, 95 insertions, 13 deletions

diff --git a/src/lib/libtls/Makefile b/src/lib/libtls/Makefile
index 0e3329589e..2e03e247e4 100644
--- a/src/lib/libtls/Makefile
+++ b/src/lib/libtls/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.15 2015/09/11 11:28:01 jsing Exp $
+#       $OpenBSD: Makefile,v 1.16 2015/09/11 12:56:55 beck Exp $
 
 CFLAGS+= -Wall -Werror -Wimplicit
 CFLAGS+= -DLIBRESSL_INTERNAL
@@ -46,6 +46,8 @@ MLINKS+=tls_init.3 tls_config_insecure_noverifyname.3
 MLINKS+=tls_init.3 tls_config_verify.3
 MLINKS+=tls_init.3 tls_config_verify_client.3
 MLINKS+=tls_init.3 tls_config_verify_client_optional.3
+MLINKS+=tls_init.3 tls_peer_cert_provided.3
+MLINKS+=tls_init.3 tls_peer_cert_contains_name.3
 MLINKS+=tls_init.3 tls_load_file.3
 MLINKS+=tls_init.3 tls_client.3
 MLINKS+=tls_init.3 tls_server.3
diff --git a/src/lib/libtls/tls.h b/src/lib/libtls/tls.h
index 3cb24f0ee5..3d1682e2b6 100644
--- a/src/lib/libtls/tls.h
+++ b/src/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.19 2015/09/11 11:28:01 jsing Exp $ */
+/* $OpenBSD: tls.h,v 1.20 2015/09/11 12:56:55 beck Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -76,6 +76,11 @@ void tls_config_verify(struct tls_config *_config);
 void tls_config_verify_client(struct tls_config *_config);
 void tls_config_verify_client_optional(struct tls_config *_config);
 
+int tls_peer_cert_provided(struct tls *ctx);
+int tls_peer_cert_contains_name(struct tls *ctx, const char *name);
+int tls_peer_cert_issuer(struct tls *ctx, char **name);
+int tls_peer_cert_subject(struct tls *ctx, char **subject);
+
 void tls_config_clear_keys(struct tls_config *_config);
 int tls_config_parse_protocols(uint32_t *_protocols, const char *_protostr);
 
diff --git a/src/lib/libtls/tls_client.c b/src/lib/libtls/tls_client.c
index fb7f3a6f75..2aca519f8b 100644
--- a/src/lib/libtls/tls_client.c
+++ b/src/lib/libtls/tls_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_client.c,v 1.26 2015/09/10 10:14:20 jsing Exp $ */
+/* $OpenBSD: tls_client.c,v 1.27 2015/09/11 12:56:55 beck Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -262,7 +262,7 @@ tls_handshake_client(struct tls *ctx)
                         tls_set_errorx(ctx, "no server certificate");
                         goto err;
                 }
-                if ((rv = tls_check_servername(ctx, cert,
+                if ((rv = tls_check_name(ctx, cert,
                     ctx->servername)) != 0) {
                         if (rv != -2)
                                 tls_set_errorx(ctx, "name `%s' not present in"
diff --git a/src/lib/libtls/tls_init.3 b/src/lib/libtls/tls_init.3
index 6197817f6f..4066713603 100644
--- a/src/lib/libtls/tls_init.3
+++ b/src/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.37 2015/09/11 09:02:10 beck Exp $
+.\" $OpenBSD: tls_init.3,v 1.38 2015/09/11 12:56:55 beck Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\"
@@ -112,6 +112,10 @@
 .Fn tls_config_verify_client "struct tls_config *config"
 .Ft "void"
 .Fn tls_config_verify_client_optional "struct tls_config *config"
+.Ft "int"
+.Fn tls_peer_cert_provided "struct tls *ctx"
+.Ft "int"
+.Fn tls_peer_cert_contains_name "struct tls *ctx" "const char *name"
 .Ft "uint8_t *"
 .Fn tls_load_file "const char *file" "size_t *len" "char *password"
 .Ft "struct tls *"
@@ -354,6 +358,24 @@ enables client certificate verification, requiring the client to send
 a certificate.
 .Em (Server)
 .It
+.Fn tls_peer_cert_provided
+checks if the peer of 
+.Ar ctx 
+has provided a certificate.
+.Fn tls_peer_cert_provided
+will only succeed after the handshake is complete. 
+.Em (Server and client)
+.It
+.Fn tls_peer_cert_constains_name
+checks if the peer of a tls 
+.Ar ctx
+ has povided a certificate that contains a 
+SAN or CN that matches
+.Ar name
+.Fn tls_peer_cert_contains_name
+will only succeed after the handshake is complete. 
+.Em (Server and client)
+.It
 .Fn tls_config_verify_client_opional
 enables client certificate verification, without requiring the client
 to send a certificate.
@@ -455,7 +477,12 @@ or
 .Fn tls_connect_servername .
 .El
 .Sh RETURN VALUES
-Functions that return
+The 
+.Fn tls_peer_cert_provided
+and
+.Fn tls_peer_cert_contain_name
+functions return 1 if the check succeeds, and 0 if it does not. 
+All other functions that return
 .Vt int
 or
 .Vt ssize_t
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index b514847cfe..34af0fb48a 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.19 2015/09/11 09:24:54 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.20 2015/09/11 12:56:55 beck Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -73,7 +73,7 @@ struct tls {
 struct tls *tls_new(void);
 struct tls *tls_server_conn(struct tls *ctx);
 
-int tls_check_servername(struct tls *ctx, X509 *cert, const char *servername);
+int tls_check_name(struct tls *ctx, X509 *cert, const char *servername);
 int tls_configure_keypair(struct tls *ctx, int);
 int tls_configure_server(struct tls *ctx);
 int tls_configure_ssl(struct tls *ctx);
diff --git a/src/lib/libtls/tls_peer.c b/src/lib/libtls/tls_peer.c
index e2a2c7b141..39a9d90cab 100644
--- a/src/lib/libtls/tls_peer.c
+++ b/src/lib/libtls/tls_peer.c
@@ -1,6 +1,7 @@
-/* $OpenBSD: tls_peer.c,v 1.1 2015/09/11 11:28:01 jsing Exp $ */
+/* $OpenBSD: tls_peer.c,v 1.2 2015/09/11 12:56:55 beck Exp $ */
 /*
  * Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
+ * Copyright (c) 2015 Bob Beck <beck@openbsd.org>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -85,3 +86,50 @@ err:
 
         return (rv);
 }
+
+int
+tls_peer_cert_provided(struct tls *ctx)
+{
+        return (ctx->ssl_peer_cert != NULL);
+}
+
+int
+tls_peer_cert_contains_name(struct tls *ctx, const char *name)
+{
+        if (ctx->ssl_peer_cert == NULL)
+                return (0);
+
+        return (tls_check_name(ctx, ctx->ssl_peer_cert, name) == 0);
+}
+
+int
+tls_peer_cert_issuer(struct tls *ctx,  char **issuer)
+{
+        X509_NAME *name = NULL;
+
+        *issuer = NULL;
+        if (ctx->ssl_peer_cert != NULL)
+                return (-1);
+        if ((name = X509_get_issuer_name(ctx->ssl_peer_cert)) == NULL)
+                return (-1);
+        *issuer = X509_NAME_oneline(name, 0, 0);
+        if (*issuer == NULL)
+                return (-1);
+        return (0);
+}
+
+int
+tls_peer_cert_subject(struct tls *ctx, char **subject)
+{
+        X509_NAME *name = NULL;
+
+        *subject = NULL;
+        if (ctx->ssl_peer_cert == NULL)
+                return (-1);
+        if ((name = X509_get_subject_name(ctx->ssl_peer_cert)) == NULL)
+                return (-1);
+        *subject = X509_NAME_oneline(name, 0, 0);
+        if (*subject == NULL)
+                return (-1);
+        return (0);
+}
diff --git a/src/lib/libtls/tls_verify.c b/src/lib/libtls/tls_verify.c
index 7fd0b3d545..c6f29c897d 100644
--- a/src/lib/libtls/tls_verify.c
+++ b/src/lib/libtls/tls_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_verify.c,v 1.11 2015/09/09 19:49:07 jsing Exp $ */
+/* $OpenBSD: tls_verify.c,v 1.12 2015/09/11 12:56:55 beck Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  *
@@ -246,13 +246,13 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name)
 }
 
 int
-tls_check_servername(struct tls *ctx, X509 *cert, const char *servername)
+tls_check_name(struct tls *ctx, X509 *cert, const char *name)
 {
         int     rv;
 
-        rv = tls_check_subject_altname(ctx, cert, servername);
+        rv = tls_check_subject_altname(ctx, cert, name);
         if (rv == 0 || rv == -2)
                 return rv;
 
-        return tls_check_common_name(ctx, cert, servername);
+        return tls_check_common_name(ctx, cert, name);
 }