1 files changed, 51 insertions, 1 deletions
diff --git a/src/lib/libtls/tls_conninfo.c b/src/lib/libtls/tls_conninfo.c
index c4d23c308b..87660fa989 100644
--- a/src/lib/libtls/tls_conninfo.c
+++ b/src/lib/libtls/tls_conninfo.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_conninfo.c,v 1.14 2017/04/05 03:13:53 beck Exp $ */
+/* $OpenBSD: tls_conninfo.c,v 1.15 2017/04/05 03:19:22 beck Exp $ */
 /*
 * Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2015 Bob Beck <beck@openbsd.org>
@@ -174,6 +174,49 @@ tls_conninfo_alpn_proto(struct tls *ctx)
        return (0);
 }
+static int
+tls_conninfo_cert_pem(struct tls *ctx)
+{
+        int i, rv = -1;
+        BIO *membio = NULL;
+        BUF_MEM *bptr = NULL;
+        if (ctx->conninfo == NULL)
+                goto err;
+        if (ctx->ssl_peer_cert == NULL)
+                return 0;
+        if ((membio = BIO_new(BIO_s_mem()))== NULL)
+                goto err;
+        /*
+         * We have to write the peer cert out separately, because
+         * the certificate chain may or may not contain it.
+         */
+        if (!PEM_write_bio_X509(membio, ctx->ssl_peer_cert))
+                goto err;
+        for (i = 0; i < sk_X509_num(ctx->ssl_peer_chain); i++) {
+                X509 *chaincert = sk_X509_value(ctx->ssl_peer_chain, i);
+                if (chaincert != ctx->ssl_peer_cert &&
+                    !PEM_write_bio_X509(membio, chaincert))
+                        goto err;
+        }
+        BIO_get_mem_ptr(membio, &bptr);
+        free(ctx->conninfo->peer_cert);
+        ctx->conninfo->peer_cert_len = 0;
+        if ((ctx->conninfo->peer_cert = malloc(bptr->length)) == NULL)
+                goto err;
+        ctx->conninfo->peer_cert_len = bptr->length;
+        memcpy(ctx->conninfo->peer_cert, bptr->data,
+            ctx->conninfo->peer_cert_len);
+        /* BIO_free() will kill BUF_MEM - because we have not set BIO_NOCLOSE */
+        rv = 0;
+ err:
+        BIO_free(membio);
+        return rv;
+}
 int
 tls_conninfo_populate(struct tls *ctx)
 {
@@ -210,6 +253,9 @@ tls_conninfo_populate(struct tls *ctx)
        if (tls_get_peer_cert_info(ctx) == -1)
                goto err;
+        if (tls_conninfo_cert_pem(ctx) == -1)
+                goto err;
        return (0);
 err:
@@ -241,6 +287,10 @@ tls_conninfo_free(struct tls_conninfo *conninfo)
        free(conninfo->subject);
        conninfo->subject = NULL;
+        free(conninfo->peer_cert);
+        conninfo->peer_cert = NULL;
+        conninfo->peer_cert_len = 0;
        free(conninfo);
 }

diff --git a/src/lib/libtls/tls_conninfo.c b/src/lib/libtls/tls_conninfo.c index c4d23c308b..87660fa989 100644 --- a/src/lib/libtls/tls_conninfo.c +++ b/src/lib/libtls/tls_conninfo.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls_conninfo.c,v 1.14 2017/04/05 03:13:53 beck Exp $ */	1	/* $OpenBSD: tls_conninfo.c,v 1.15 2017/04/05 03:19:22 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2015 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2015 Bob Beck <beck@openbsd.org>	4	* Copyright (c) 2015 Bob Beck <beck@openbsd.org>
@@ -174,6 +174,49 @@ tls_conninfo_alpn_proto(struct tls *ctx)
174	return (0);	174	return (0);
175	}	175	}
176		176
		177	static int
		178	tls_conninfo_cert_pem(struct tls *ctx)
		179	{
		180	int i, rv = -1;
		181	BIO *membio = NULL;
		182	BUF_MEM *bptr = NULL;
		183
		184	if (ctx->conninfo == NULL)
		185	goto err;
		186	if (ctx->ssl_peer_cert == NULL)
		187	return 0;
		188	if ((membio = BIO_new(BIO_s_mem()))== NULL)
		189	goto err;
		190
		191	/*
		192	* We have to write the peer cert out separately, because
		193	* the certificate chain may or may not contain it.
		194	*/
		195	if (!PEM_write_bio_X509(membio, ctx->ssl_peer_cert))
		196	goto err;
		197	for (i = 0; i < sk_X509_num(ctx->ssl_peer_chain); i++) {
		198	X509 *chaincert = sk_X509_value(ctx->ssl_peer_chain, i);
		199	if (chaincert != ctx->ssl_peer_cert &&
		200	!PEM_write_bio_X509(membio, chaincert))
		201	goto err;
		202	}
		203
		204	BIO_get_mem_ptr(membio, &bptr);
		205	free(ctx->conninfo->peer_cert);
		206	ctx->conninfo->peer_cert_len = 0;
		207	if ((ctx->conninfo->peer_cert = malloc(bptr->length)) == NULL)
		208	goto err;
		209	ctx->conninfo->peer_cert_len = bptr->length;
		210	memcpy(ctx->conninfo->peer_cert, bptr->data,
		211	ctx->conninfo->peer_cert_len);
		212
		213	/* BIO_free() will kill BUF_MEM - because we have not set BIO_NOCLOSE */
		214	rv = 0;
		215	err:
		216	BIO_free(membio);
		217	return rv;
		218	}
		219
177	int	220	int
178	tls_conninfo_populate(struct tls *ctx)	221	tls_conninfo_populate(struct tls *ctx)
179	{	222	{
@@ -210,6 +253,9 @@ tls_conninfo_populate(struct tls *ctx)
210	if (tls_get_peer_cert_info(ctx) == -1)	253	if (tls_get_peer_cert_info(ctx) == -1)
211	goto err;	254	goto err;
212		255
		256	if (tls_conninfo_cert_pem(ctx) == -1)
		257	goto err;
		258
213	return (0);	259	return (0);
214		260
215	err:	261	err:
@@ -241,6 +287,10 @@ tls_conninfo_free(struct tls_conninfo *conninfo)
241	free(conninfo->subject);	287	free(conninfo->subject);
242	conninfo->subject = NULL;	288	conninfo->subject = NULL;
243		289
		290	free(conninfo->peer_cert);
		291	conninfo->peer_cert = NULL;
		292	conninfo->peer_cert_len = 0;
		293
244	free(conninfo);	294	free(conninfo);
245	}	295	}
246		296