1 files changed, 149 insertions, 0 deletions
diff --git a/src/lib/libtls/tls_conninfo.c b/src/lib/libtls/tls_conninfo.c
new file mode 100644
index 0000000000..267a8747c9
--- /dev/null
+++ b/src/lib/libtls/tls_conninfo.c
@@ -0,0 +1,149 @@
+/* $OpenBSD: tls_conninfo.c,v 1.1 2015/09/12 21:00:38 beck Exp $ */
+/*
+ * Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
+ * Copyright (c) 2015 Bob Beck <beck@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include <stdio.h>
+#include <openssl/x509.h>
+#include <tls.h>
+#include "tls_internal.h"
+static int
+tls_hex_string(const unsigned char *in, size_t inlen, char **out,
+    size_t *outlen)
+{
+        static const char hex[] = "0123456789abcdef";
+        size_t i, len;
+        char *p;
+        if (outlen != NULL)
+                *outlen = 0;
+        if (inlen >= SIZE_MAX)
+                return (-1);
+        if ((*out = reallocarray(NULL, inlen + 1, 2)) == NULL)
+                return (-1);
+        p = *out;
+        len = 0;
+        for (i = 0; i < inlen; i++) {
+                p[len++] = hex[(in[i] >> 4) & 0x0f];
+                p[len++] = hex[in[i] & 0x0f];
+        }
+        p[len++] = 0;
+        if (outlen != NULL)
+                *outlen = len;
+        return (0);
+}
+static int
+tls_get_peer_cert_hash(struct tls *ctx, char **hash)
+{
+        char d[EVP_MAX_MD_SIZE], *dhex = NULL;
+        int dlen, rv = -1;
+        *hash = NULL;
+        if (ctx->ssl_peer_cert == NULL)
+                return (0);
+        if (X509_digest(ctx->ssl_peer_cert, EVP_sha256(), d, &dlen) != 1) {
+                tls_set_errorx(ctx, "digest failed");
+                goto err;
+        }
+        if (tls_hex_string(d, dlen, &dhex, NULL) != 0) {
+                tls_set_errorx(ctx, "digest hex string failed");
+                goto err;
+        }
+        if (asprintf(hash, "SHA256:%s", dhex) == -1) {
+                tls_set_errorx(ctx, "out of memory");
+                *hash = NULL;
+                goto err;
+        }
+        rv = 0;
+err:
+        free(dhex);
+        return (rv);
+}
+static int
+tls_get_peer_cert_issuer(struct tls *ctx,  char **issuer)
+{
+        X509_NAME *name = NULL;
+        *issuer = NULL;
+        if (ctx->ssl_peer_cert == NULL)
+                return (-1);
+        if ((name = X509_get_issuer_name(ctx->ssl_peer_cert)) == NULL)
+                return (-1);
+        *issuer = X509_NAME_oneline(name, 0, 0);
+        if (*issuer == NULL)
+                return (-1);
+        return (0);
+}
+static int
+tls_get_peer_cert_subject(struct tls *ctx, char **subject)
+{
+        X509_NAME *name = NULL;
+        *subject = NULL;
+        if (ctx->ssl_peer_cert == NULL)
+                return (-1);
+        if ((name = X509_get_subject_name(ctx->ssl_peer_cert)) == NULL)
+                return (-1);
+        *subject = X509_NAME_oneline(name, 0, 0);
+        if (*subject == NULL)
+                return (-1);
+        return (0);
+}
+int
+tls_get_conninfo(struct tls *ctx) {
+        int rv = -1;
+        if (ctx->ssl_peer_cert != NULL) {
+                if (tls_get_peer_cert_hash(ctx, &ctx->conninfo->hash) == -1)
+                        goto err;
+                if (tls_get_peer_cert_subject(ctx, &ctx->conninfo->subject)
+                    == -1)
+                        goto err;
+                if (tls_get_peer_cert_issuer(ctx, &ctx->conninfo->issuer) == -1)
+                        goto err;
+        }
+        rv = 0;
+err:
+        return (rv);
+}
+void
+tls_free_conninfo(struct tls_conninfo *conninfo) {
+        if (conninfo != NULL) {
+                free(conninfo->hash);
+                conninfo->hash = NULL;
+                free(conninfo->subject);
+                conninfo->subject = NULL;
+                free(conninfo->issuer);
+                conninfo->issuer = NULL;
+        }
+}

diff --git a/src/lib/libtls/tls_conninfo.c b/src/lib/libtls/tls_conninfo.c new file mode 100644 index 0000000000..267a8747c9 --- /dev/null +++ b/src/lib/libtls/tls_conninfo.c
@@ -0,0 +1,149 @@
	1	/* $OpenBSD: tls_conninfo.c,v 1.1 2015/09/12 21:00:38 beck Exp $ */
	2	/*
	3	* Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
	4	* Copyright (c) 2015 Bob Beck <beck@openbsd.org>
	5	*
	6	* Permission to use, copy, modify, and distribute this software for any
	7	* purpose with or without fee is hereby granted, provided that the above
	8	* copyright notice and this permission notice appear in all copies.
	9	*
	10	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
	11	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
	12	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
	13	* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
	14	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
	15	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
	16	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
	17	*/
	18
	19	#include <stdio.h>
	20
	21	#include <openssl/x509.h>
	22
	23	#include <tls.h>
	24	#include "tls_internal.h"
	25
	26	static int
	27	tls_hex_string(const unsigned char in, size_t inlen, char *out,
	28	size_t *outlen)
	29	{
	30	static const char hex[] = "0123456789abcdef";
	31	size_t i, len;
	32	char *p;
	33
	34	if (outlen != NULL)
	35	*outlen = 0;
	36
	37	if (inlen >= SIZE_MAX)
	38	return (-1);
	39	if ((*out = reallocarray(NULL, inlen + 1, 2)) == NULL)
	40	return (-1);
	41
	42	p = *out;
	43	len = 0;
	44	for (i = 0; i < inlen; i++) {
	45	p[len++] = hex[(in[i] >> 4) & 0x0f];
	46	p[len++] = hex[in[i] & 0x0f];
	47	}
	48	p[len++] = 0;
	49
	50	if (outlen != NULL)
	51	*outlen = len;
	52
	53	return (0);
	54	}
	55
	56	static int
	57	tls_get_peer_cert_hash(struct tls ctx, char *hash)
	58	{
	59	char d[EVP_MAX_MD_SIZE], *dhex = NULL;
	60	int dlen, rv = -1;
	61
	62	*hash = NULL;
	63	if (ctx->ssl_peer_cert == NULL)
	64	return (0);
	65
	66	if (X509_digest(ctx->ssl_peer_cert, EVP_sha256(), d, &dlen) != 1) {
	67	tls_set_errorx(ctx, "digest failed");
	68	goto err;
	69	}
	70
	71	if (tls_hex_string(d, dlen, &dhex, NULL) != 0) {
	72	tls_set_errorx(ctx, "digest hex string failed");
	73	goto err;
	74	}
	75
	76	if (asprintf(hash, "SHA256:%s", dhex) == -1) {
	77	tls_set_errorx(ctx, "out of memory");
	78	*hash = NULL;
	79	goto err;
	80	}
	81
	82	rv = 0;
	83
	84	err:
	85	free(dhex);
	86
	87	return (rv);
	88	}
	89
	90	static int
	91	tls_get_peer_cert_issuer(struct tls ctx, char *issuer)
	92	{
	93	X509_NAME *name = NULL;
	94
	95	*issuer = NULL;
	96	if (ctx->ssl_peer_cert == NULL)
	97	return (-1);
	98	if ((name = X509_get_issuer_name(ctx->ssl_peer_cert)) == NULL)
	99	return (-1);
	100	*issuer = X509_NAME_oneline(name, 0, 0);
	101	if (*issuer == NULL)
	102	return (-1);
	103	return (0);
	104	}
	105
	106	static int
	107	tls_get_peer_cert_subject(struct tls ctx, char *subject)
	108	{
	109	X509_NAME *name = NULL;
	110
	111	*subject = NULL;
	112	if (ctx->ssl_peer_cert == NULL)
	113	return (-1);
	114	if ((name = X509_get_subject_name(ctx->ssl_peer_cert)) == NULL)
	115	return (-1);
	116	*subject = X509_NAME_oneline(name, 0, 0);
	117	if (*subject == NULL)
	118	return (-1);
	119	return (0);
	120	}
	121
	122	int
	123	tls_get_conninfo(struct tls *ctx) {
	124	int rv = -1;
	125	if (ctx->ssl_peer_cert != NULL) {
	126	if (tls_get_peer_cert_hash(ctx, &ctx->conninfo->hash) == -1)
	127	goto err;
	128	if (tls_get_peer_cert_subject(ctx, &ctx->conninfo->subject)
	129	== -1)
	130	goto err;
	131	if (tls_get_peer_cert_issuer(ctx, &ctx->conninfo->issuer) == -1)
	132	goto err;
	133	}
	134	rv = 0;
	135	err:
	136	return (rv);
	137	}
	138
	139	void
	140	tls_free_conninfo(struct tls_conninfo *conninfo) {
	141	if (conninfo != NULL) {
	142	free(conninfo->hash);
	143	conninfo->hash = NULL;
	144	free(conninfo->subject);
	145	conninfo->subject = NULL;
	146	free(conninfo->issuer);
	147	conninfo->issuer = NULL;
	148	}
	149	}