3 files changed, 97 insertions, 69 deletions
diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index df610fe238..85faedd56d 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.47 2016/08/22 14:51:37 jsing Exp $ */
+/* $OpenBSD: tls.c,v 1.48 2016/08/22 17:12:35 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -387,7 +387,9 @@ tls_free(struct tls *ctx)
 {
        if (ctx == NULL)
                return;
        tls_reset(ctx);
        free(ctx);
 }
@@ -414,8 +416,7 @@ tls_reset(struct tls *ctx)
        ctx->error.msg = NULL;
        ctx->error.num = -1;
-        tls_free_conninfo(ctx->conninfo);
+        tls_conninfo_free(ctx->conninfo);
-        free(ctx->conninfo);
        ctx->conninfo = NULL;
        for (sni = ctx->sni_ctx; sni != NULL; sni = nsni) {
@@ -485,10 +486,6 @@ tls_handshake(struct tls *ctx)
                goto out;
        }
-        if (ctx->conninfo == NULL &&
-            (ctx->conninfo = calloc(1, sizeof(*ctx->conninfo))) == NULL)
-                goto out;
        if ((ctx->flags & TLS_CLIENT) != 0)
                rv = tls_handshake_client(ctx);
        else if ((ctx->flags & TLS_SERVER_CONN) != 0)
@@ -496,7 +493,7 @@ tls_handshake(struct tls *ctx)
        if (rv == 0) {
                ctx->ssl_peer_cert =  SSL_get_peer_certificate(ctx->ssl_conn);
-                if (tls_get_conninfo(ctx) == -1)
+                if (tls_conninfo_populate(ctx) == -1)
                    rv = -1;
        }
 out:
diff --git a/src/lib/libtls/tls_conninfo.c b/src/lib/libtls/tls_conninfo.c
index 281af79866..5882a19cee 100644
--- a/src/lib/libtls/tls_conninfo.c
+++ b/src/lib/libtls/tls_conninfo.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_conninfo.c,v 1.10 2016/08/22 14:55:59 jsing Exp $ */
+/* $OpenBSD: tls_conninfo.c,v 1.11 2016/08/22 17:12:35 jsing Exp $ */
 /*
 * Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2015 Bob Beck <beck@openbsd.org>
@@ -120,34 +120,57 @@ tls_get_peer_cert_subject(struct tls *ctx, char **subject)
 }
 static int
-tls_get_peer_cert_times(struct tls *ctx, time_t *notbefore, time_t *notafter)
+tls_get_peer_cert_times(struct tls *ctx, time_t *notbefore,
+    time_t *notafter)
 {
        struct tm before_tm, after_tm;
        ASN1_TIME *before, *after;
-        int rv = -1;
+        if (ctx->ssl_peer_cert == NULL)
+                return (-1);
        memset(&before_tm, 0, sizeof(before_tm));
        memset(&after_tm, 0, sizeof(after_tm));
-        if (ctx->ssl_peer_cert != NULL) {
+        if ((before = X509_get_notBefore(ctx->ssl_peer_cert)) == NULL)
-                if ((before = X509_get_notBefore(ctx->ssl_peer_cert)) == NULL)
+                goto err;
-                        goto err;
+        if ((after = X509_get_notAfter(ctx->ssl_peer_cert)) == NULL)
-                if ((after = X509_get_notAfter(ctx->ssl_peer_cert)) == NULL)
+                goto err;
-                        goto err;
+        if (asn1_time_parse(before->data, before->length, &before_tm, 0) == -1)
-                if (asn1_time_parse(before->data, before->length, &before_tm, 0)
+                goto err;
-                    == -1)
+        if (asn1_time_parse(after->data, after->length, &after_tm, 0) == -1)
-                        goto err;
+                goto err;
-                if (asn1_time_parse(after->data, after->length, &after_tm, 0)
+        if ((*notbefore = timegm(&before_tm)) == -1)
-                    == -1)
+                goto err;
-                        goto err;
+        if ((*notafter = timegm(&after_tm)) == -1)
-                if ((*notbefore = timegm(&before_tm)) == -1)
+                goto err;
-                        goto err;
-                if ((*notafter = timegm(&after_tm)) == -1)
+        return (0);
-                        goto err;
-        }
-        rv = 0;
 err:
-        return (rv);
+        return (-1);
+}
+static int
+tls_get_peer_cert_info(struct tls *ctx)
+{
+        if (ctx->ssl_peer_cert == NULL)
+                return (0);
+        if (tls_get_peer_cert_hash(ctx, &ctx->conninfo->hash) == -1)
+                goto err;
+        if (tls_get_peer_cert_subject(ctx, &ctx->conninfo->subject) == -1)
+                goto err;
+        if (tls_get_peer_cert_issuer(ctx, &ctx->conninfo->issuer) == -1)
+                goto err;
+        if (tls_get_peer_cert_times(ctx, &ctx->conninfo->notbefore,
+            &ctx->conninfo->notafter) == -1)
+                goto err;
+        return (0);
+ err:
+        return (-1);
 }
 static int
@@ -171,63 +194,71 @@ tls_conninfo_alpn_proto(struct tls *ctx)
 }
 int
-tls_get_conninfo(struct tls *ctx)
+tls_conninfo_populate(struct tls *ctx)
 {
-        const char * tmp;
+        const char *tmp;
-        if (ctx->ssl_peer_cert != NULL) {
+        tls_conninfo_free(ctx->conninfo);
-                if (tls_get_peer_cert_hash(ctx, &ctx->conninfo->hash) == -1)
-                        goto err;
+        if ((ctx->conninfo = calloc(1, sizeof(struct tls_conninfo))) == NULL) {
-                if (tls_get_peer_cert_subject(ctx, &ctx->conninfo->subject)
+                tls_set_errorx(ctx, "out of memory");
-                    == -1)
-                        goto err;
-                if (tls_get_peer_cert_issuer(ctx, &ctx->conninfo->issuer) == -1)
-                        goto err;
-                if (tls_get_peer_cert_times(ctx, &ctx->conninfo->notbefore,
-                    &ctx->conninfo->notafter) == -1)
-                        goto err;
-        }
-        if ((tmp = SSL_get_version(ctx->ssl_conn)) == NULL)
                goto err;
-        ctx->conninfo->version = strdup(tmp);
+        }
-        if (ctx->conninfo->version == NULL)
+        if (tls_conninfo_alpn_proto(ctx) == -1)
                goto err;
        if ((tmp = SSL_get_cipher(ctx->ssl_conn)) == NULL)
                goto err;
        ctx->conninfo->cipher = strdup(tmp);
        if (ctx->conninfo->cipher == NULL)
                goto err;
-        if (tls_conninfo_alpn_proto(ctx) == -1)
-                goto err;
        if (ctx->servername != NULL) {
                if ((ctx->conninfo->servername =
                    strdup(ctx->servername)) == NULL)
                        goto err;
        }
+        if ((tmp = SSL_get_version(ctx->ssl_conn)) == NULL)
+                goto err;
+        ctx->conninfo->version = strdup(tmp);
+        if (ctx->conninfo->version == NULL)
+                goto err;
+        if (tls_get_peer_cert_info(ctx) == -1)
+                goto err;
        return (0);
-err:
-        tls_free_conninfo(ctx->conninfo);
+ err:
+        tls_conninfo_free(ctx->conninfo);
+        ctx->conninfo = NULL;
        return (-1);
 }
 void
-tls_free_conninfo(struct tls_conninfo *conninfo)
+tls_conninfo_free(struct tls_conninfo *conninfo)
 {
-        if (conninfo != NULL) {
+        if (conninfo == NULL)
-                free(conninfo->alpn);
+                return;
-                conninfo->alpn = NULL;
-                free(conninfo->hash);
+        free(conninfo->alpn);
-                conninfo->hash = NULL;
+        conninfo->alpn = NULL;
-                free(conninfo->subject);
+        free(conninfo->cipher);
-                conninfo->subject = NULL;
+        conninfo->cipher = NULL;
-                free(conninfo->issuer);
+        free(conninfo->version);
-                conninfo->issuer = NULL;
+        conninfo->version = NULL;
-                free(conninfo->version);
-                conninfo->version = NULL;
+        free(conninfo->hash);
-                free(conninfo->cipher);
+        conninfo->hash = NULL;
-                conninfo->cipher = NULL;
+        free(conninfo->issuer);
-        }
+        conninfo->issuer = NULL;
+        free(conninfo->subject);
+        conninfo->subject = NULL;
+        free(conninfo);
 }
 const char *
@@ -253,7 +284,7 @@ tls_conn_servername(struct tls *ctx)
                return (NULL);
        return (ctx->conninfo->servername);
 }
- 
 const char *
 tls_conn_version(struct tls *ctx)
 {
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index 3fcc7a021f..c7bf50af83 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.41 2016/08/22 14:55:59 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.42 2016/08/22 17:12:35 jsing Exp $ */
 /*
 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -162,8 +162,8 @@ int tls_set_errorx(struct tls *ctx, const char *fmt, ...)
 int tls_ssl_error(struct tls *ctx, SSL *ssl_conn, int ssl_ret,
    const char *prefix);
-int tls_get_conninfo(struct tls *ctx);
+int tls_conninfo_populate(struct tls *ctx);
-void tls_free_conninfo(struct tls_conninfo *conninfo);
+void tls_conninfo_free(struct tls_conninfo *conninfo);
 int asn1_time_parse(const char *, size_t, struct tm *, int);

diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c index df610fe238..85faedd56d 100644 --- a/src/lib/libtls/tls.c +++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls.c,v 1.47 2016/08/22 14:51:37 jsing Exp $ */	1	/* $OpenBSD: tls.c,v 1.48 2016/08/22 17:12:35 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -387,7 +387,9 @@ tls_free(struct tls *ctx)
387	{	387	{
388	if (ctx == NULL)	388	if (ctx == NULL)
389	return;	389	return;
		390
390	tls_reset(ctx);	391	tls_reset(ctx);
		392
391	free(ctx);	393	free(ctx);
392	}	394	}
393		395
@@ -414,8 +416,7 @@ tls_reset(struct tls *ctx)
414	ctx->error.msg = NULL;	416	ctx->error.msg = NULL;
415	ctx->error.num = -1;	417	ctx->error.num = -1;
416		418
417	tls_free_conninfo(ctx->conninfo);	419	tls_conninfo_free(ctx->conninfo);
418	free(ctx->conninfo);
419	ctx->conninfo = NULL;	420	ctx->conninfo = NULL;
420		421
421	for (sni = ctx->sni_ctx; sni != NULL; sni = nsni) {	422	for (sni = ctx->sni_ctx; sni != NULL; sni = nsni) {
@@ -485,10 +486,6 @@ tls_handshake(struct tls *ctx)
485	goto out;	486	goto out;
486	}	487	}
487		488
488	if (ctx->conninfo == NULL &&
489	(ctx->conninfo = calloc(1, sizeof(*ctx->conninfo))) == NULL)
490	goto out;
491
492	if ((ctx->flags & TLS_CLIENT) != 0)	489	if ((ctx->flags & TLS_CLIENT) != 0)
493	rv = tls_handshake_client(ctx);	490	rv = tls_handshake_client(ctx);
494	else if ((ctx->flags & TLS_SERVER_CONN) != 0)	491	else if ((ctx->flags & TLS_SERVER_CONN) != 0)
@@ -496,7 +493,7 @@ tls_handshake(struct tls *ctx)
496		493
497	if (rv == 0) {	494	if (rv == 0) {
498	ctx->ssl_peer_cert = SSL_get_peer_certificate(ctx->ssl_conn);	495	ctx->ssl_peer_cert = SSL_get_peer_certificate(ctx->ssl_conn);
499	if (tls_get_conninfo(ctx) == -1)	496	if (tls_conninfo_populate(ctx) == -1)
500	rv = -1;	497	rv = -1;
501	}	498	}
502	out:	499	out:


diff --git a/src/lib/libtls/tls_conninfo.c b/src/lib/libtls/tls_conninfo.c index 281af79866..5882a19cee 100644 --- a/src/lib/libtls/tls_conninfo.c +++ b/src/lib/libtls/tls_conninfo.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls_conninfo.c,v 1.10 2016/08/22 14:55:59 jsing Exp $ */	1	/* $OpenBSD: tls_conninfo.c,v 1.11 2016/08/22 17:12:35 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2015 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2015 Bob Beck <beck@openbsd.org>	4	* Copyright (c) 2015 Bob Beck <beck@openbsd.org>
@@ -120,34 +120,57 @@ tls_get_peer_cert_subject(struct tls ctx, char *subject)
120	}	120	}
121		121
122	static int	122	static int
123	tls_get_peer_cert_times(struct tls ctx, time_t notbefore, time_t *notafter)	123	tls_get_peer_cert_times(struct tls ctx, time_t notbefore,
		124	time_t *notafter)
124	{	125	{
125	struct tm before_tm, after_tm;	126	struct tm before_tm, after_tm;
126	ASN1_TIME before, after;	127	ASN1_TIME before, after;
127	int rv = -1;	128
		129	if (ctx->ssl_peer_cert == NULL)
		130	return (-1);
128		131
129	memset(&before_tm, 0, sizeof(before_tm));	132	memset(&before_tm, 0, sizeof(before_tm));
130	memset(&after_tm, 0, sizeof(after_tm));	133	memset(&after_tm, 0, sizeof(after_tm));
131		134
132	if (ctx->ssl_peer_cert != NULL) {	135	if ((before = X509_get_notBefore(ctx->ssl_peer_cert)) == NULL)
133	if ((before = X509_get_notBefore(ctx->ssl_peer_cert)) == NULL)	136	goto err;
134	goto err;	137	if ((after = X509_get_notAfter(ctx->ssl_peer_cert)) == NULL)
135	if ((after = X509_get_notAfter(ctx->ssl_peer_cert)) == NULL)	138	goto err;
136	goto err;	139	if (asn1_time_parse(before->data, before->length, &before_tm, 0) == -1)
137	if (asn1_time_parse(before->data, before->length, &before_tm, 0)	140	goto err;
138	== -1)	141	if (asn1_time_parse(after->data, after->length, &after_tm, 0) == -1)
139	goto err;	142	goto err;
140	if (asn1_time_parse(after->data, after->length, &after_tm, 0)	143	if ((*notbefore = timegm(&before_tm)) == -1)
141	== -1)	144	goto err;
142	goto err;	145	if ((*notafter = timegm(&after_tm)) == -1)
143	if ((*notbefore = timegm(&before_tm)) == -1)	146	goto err;
144	goto err;	147
145	if ((*notafter = timegm(&after_tm)) == -1)	148	return (0);
146	goto err;	149
147	}
148	rv = 0;
149	err:	150	err:
150	return (rv);	151	return (-1);
		152	}
		153
		154	static int
		155	tls_get_peer_cert_info(struct tls *ctx)
		156	{
		157	if (ctx->ssl_peer_cert == NULL)
		158	return (0);
		159
		160	if (tls_get_peer_cert_hash(ctx, &ctx->conninfo->hash) == -1)
		161	goto err;
		162	if (tls_get_peer_cert_subject(ctx, &ctx->conninfo->subject) == -1)
		163	goto err;
		164	if (tls_get_peer_cert_issuer(ctx, &ctx->conninfo->issuer) == -1)
		165	goto err;
		166	if (tls_get_peer_cert_times(ctx, &ctx->conninfo->notbefore,
		167	&ctx->conninfo->notafter) == -1)
		168	goto err;
		169
		170	return (0);
		171
		172	err:
		173	return (-1);
151	}	174	}
152		175
153	static int	176	static int
@@ -171,63 +194,71 @@ tls_conninfo_alpn_proto(struct tls *ctx)
171	}	194	}
172		195
173	int	196	int
174	tls_get_conninfo(struct tls *ctx)	197	tls_conninfo_populate(struct tls *ctx)
175	{	198	{
176	const char * tmp;	199	const char *tmp;
177		200
178	if (ctx->ssl_peer_cert != NULL) {	201	tls_conninfo_free(ctx->conninfo);
179	if (tls_get_peer_cert_hash(ctx, &ctx->conninfo->hash) == -1)	202
180	goto err;	203	if ((ctx->conninfo = calloc(1, sizeof(struct tls_conninfo))) == NULL) {
181	if (tls_get_peer_cert_subject(ctx, &ctx->conninfo->subject)	204	tls_set_errorx(ctx, "out of memory");
182	== -1)
183	goto err;
184	if (tls_get_peer_cert_issuer(ctx, &ctx->conninfo->issuer) == -1)
185	goto err;
186	if (tls_get_peer_cert_times(ctx, &ctx->conninfo->notbefore,
187	&ctx->conninfo->notafter) == -1)
188	goto err;
189	}
190	if ((tmp = SSL_get_version(ctx->ssl_conn)) == NULL)
191	goto err;	205	goto err;
192	ctx->conninfo->version = strdup(tmp);	206	}
193	if (ctx->conninfo->version == NULL)	207
		208	if (tls_conninfo_alpn_proto(ctx) == -1)
194	goto err;	209	goto err;
		210
195	if ((tmp = SSL_get_cipher(ctx->ssl_conn)) == NULL)	211	if ((tmp = SSL_get_cipher(ctx->ssl_conn)) == NULL)
196	goto err;	212	goto err;
197	ctx->conninfo->cipher = strdup(tmp);	213	ctx->conninfo->cipher = strdup(tmp);
198	if (ctx->conninfo->cipher == NULL)	214	if (ctx->conninfo->cipher == NULL)
199	goto err;	215	goto err;
200	if (tls_conninfo_alpn_proto(ctx) == -1)	216
201	goto err;
202	if (ctx->servername != NULL) {	217	if (ctx->servername != NULL) {
203	if ((ctx->conninfo->servername =	218	if ((ctx->conninfo->servername =
204	strdup(ctx->servername)) == NULL)	219	strdup(ctx->servername)) == NULL)
205	goto err;	220	goto err;
206	}	221	}
207		222
		223	if ((tmp = SSL_get_version(ctx->ssl_conn)) == NULL)
		224	goto err;
		225	ctx->conninfo->version = strdup(tmp);
		226	if (ctx->conninfo->version == NULL)
		227	goto err;
		228
		229	if (tls_get_peer_cert_info(ctx) == -1)
		230	goto err;
		231
208	return (0);	232	return (0);
209	err:	233
210	tls_free_conninfo(ctx->conninfo);	234	err:
		235	tls_conninfo_free(ctx->conninfo);
		236	ctx->conninfo = NULL;
		237
211	return (-1);	238	return (-1);
212	}	239	}
213		240
214	void	241	void
215	tls_free_conninfo(struct tls_conninfo *conninfo)	242	tls_conninfo_free(struct tls_conninfo *conninfo)
216	{	243	{
217	if (conninfo != NULL) {	244	if (conninfo == NULL)
218	free(conninfo->alpn);	245	return;
219	conninfo->alpn = NULL;	246
220	free(conninfo->hash);	247	free(conninfo->alpn);
221	conninfo->hash = NULL;	248	conninfo->alpn = NULL;
222	free(conninfo->subject);	249	free(conninfo->cipher);
223	conninfo->subject = NULL;	250	conninfo->cipher = NULL;
224	free(conninfo->issuer);	251	free(conninfo->version);
225	conninfo->issuer = NULL;	252	conninfo->version = NULL;
226	free(conninfo->version);	253
227	conninfo->version = NULL;	254	free(conninfo->hash);
228	free(conninfo->cipher);	255	conninfo->hash = NULL;
229	conninfo->cipher = NULL;	256	free(conninfo->issuer);
230	}	257	conninfo->issuer = NULL;
		258	free(conninfo->subject);
		259	conninfo->subject = NULL;
		260
		261	free(conninfo);
231	}	262	}
232		263
233	const char *	264	const char *
@@ -253,7 +284,7 @@ tls_conn_servername(struct tls *ctx)
253	return (NULL);	284	return (NULL);
254	return (ctx->conninfo->servername);	285	return (ctx->conninfo->servername);
255	}	286	}
256		287
257	const char *	288	const char *
258	tls_conn_version(struct tls *ctx)	289	tls_conn_version(struct tls *ctx)
259	{	290	{


diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h index 3fcc7a021f..c7bf50af83 100644 --- a/src/lib/libtls/tls_internal.h +++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls_internal.h,v 1.41 2016/08/22 14:55:59 jsing Exp $ */	1	/* $OpenBSD: tls_internal.h,v 1.42 2016/08/22 17:12:35 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>	3	* Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
4	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>	4	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -162,8 +162,8 @@ int tls_set_errorx(struct tls ctx, const char fmt, ...)
162	int tls_ssl_error(struct tls ctx, SSL ssl_conn, int ssl_ret,	162	int tls_ssl_error(struct tls ctx, SSL ssl_conn, int ssl_ret,
163	const char *prefix);	163	const char *prefix);
164		164
165	int tls_get_conninfo(struct tls *ctx);	165	int tls_conninfo_populate(struct tls *ctx);
166	void tls_free_conninfo(struct tls_conninfo *conninfo);	166	void tls_conninfo_free(struct tls_conninfo *conninfo);
167		167
168	int asn1_time_parse(const char , size_t, struct tm , int);	168	int asn1_time_parse(const char , size_t, struct tm , int);
169		169