7 files changed, 208 insertions, 120 deletions
diff --git a/src/lib/libtls/Makefile b/src/lib/libtls/Makefile
index 1d7815f686..6e5914685c 100644
--- a/src/lib/libtls/Makefile
+++ b/src/lib/libtls/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.18 2015/09/11 15:17:46 deraadt Exp $
+#       $OpenBSD: Makefile,v 1.19 2015/09/12 21:00:38 beck Exp $
 CFLAGS+= -Wall -Werror -Wimplicit
 CFLAGS+= -DLIBRESSL_INTERNAL
@@ -15,6 +15,7 @@ HDRS=	tls.h
 SRCS=   tls.c \
        tls_client.c \
        tls_config.c \
+        tls_conninfo.c \
        tls_peer.c \
        tls_server.c \
        tls_util.c \
diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index 65103f106d..277970c932 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.26 2015/09/12 19:54:31 jsing Exp $ */
+/* $OpenBSD: tls.c,v 1.27 2015/09/12 21:00:38 beck Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -323,6 +323,10 @@ tls_reset(struct tls *ctx)
        free(ctx->errmsg);
        ctx->errmsg = NULL;
        ctx->errnum = 0;
+        tls_free_conninfo(ctx->conninfo);
+        free(ctx->conninfo);
+        ctx->conninfo = NULL;
 }
 int
@@ -376,14 +380,19 @@ tls_handshake(struct tls *ctx)
 {
        int rv = -1;
+        if ((ctx->conninfo = calloc(1, sizeof(*ctx->conninfo))) == NULL)
+                goto out;
        if ((ctx->flags & TLS_CLIENT) != 0)
                rv = tls_handshake_client(ctx);
        else if ((ctx->flags & TLS_SERVER_CONN) != 0)
                rv = tls_handshake_server(ctx);
-        if (rv == 0)
+        if (rv == 0 &&
-                ctx->ssl_peer_cert = SSL_get_peer_certificate(ctx->ssl_conn);
+            (ctx->ssl_peer_cert = SSL_get_peer_certificate(ctx->ssl_conn)) &&
+            (tls_get_conninfo(ctx) == -1))
+                rv = -1;
+out:
        /* Prevent callers from performing incorrect error handling */
        errno = 0;
        return (rv);
diff --git a/src/lib/libtls/tls.h b/src/lib/libtls/tls.h
index 1a6cb47544..2f91ea68ba 100644
--- a/src/lib/libtls/tls.h
+++ b/src/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.21 2015/09/12 16:46:43 jsing Exp $ */
+/* $OpenBSD: tls.h,v 1.22 2015/09/12 21:00:38 beck Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -102,9 +102,9 @@ int tls_close(struct tls *_ctx);
 int tls_peer_cert_provided(struct tls *ctx);
 int tls_peer_cert_contains_name(struct tls *ctx, const char *name);
-int tls_peer_cert_hash(struct tls *_ctx, char **_hash);
+const char * tls_peer_cert_hash(struct tls *_ctx);
-int tls_peer_cert_issuer(struct tls *ctx, char **name);
+const char * tls_peer_cert_issuer(struct tls *ctx);
-int tls_peer_cert_subject(struct tls *ctx, char **subject);
+const char * tls_peer_cert_subject(struct tls *ctx);
 uint8_t *tls_load_file(const char *_file, size_t *_len, char *_password);
diff --git a/src/lib/libtls/tls_conninfo.c b/src/lib/libtls/tls_conninfo.c
new file mode 100644
index 0000000000..267a8747c9
--- /dev/null
+++ b/src/lib/libtls/tls_conninfo.c
@@ -0,0 +1,149 @@
+/* $OpenBSD: tls_conninfo.c,v 1.1 2015/09/12 21:00:38 beck Exp $ */
+/*
+ * Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
+ * Copyright (c) 2015 Bob Beck <beck@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include <stdio.h>
+#include <openssl/x509.h>
+#include <tls.h>
+#include "tls_internal.h"
+static int
+tls_hex_string(const unsigned char *in, size_t inlen, char **out,
+    size_t *outlen)
+{
+        static const char hex[] = "0123456789abcdef";
+        size_t i, len;
+        char *p;
+        if (outlen != NULL)
+                *outlen = 0;
+        if (inlen >= SIZE_MAX)
+                return (-1);
+        if ((*out = reallocarray(NULL, inlen + 1, 2)) == NULL)
+                return (-1);
+        p = *out;
+        len = 0;
+        for (i = 0; i < inlen; i++) {
+                p[len++] = hex[(in[i] >> 4) & 0x0f];
+                p[len++] = hex[in[i] & 0x0f];
+        }
+        p[len++] = 0;
+        if (outlen != NULL)
+                *outlen = len;
+        return (0);
+}
+static int
+tls_get_peer_cert_hash(struct tls *ctx, char **hash)
+{
+        char d[EVP_MAX_MD_SIZE], *dhex = NULL;
+        int dlen, rv = -1;
+        *hash = NULL;
+        if (ctx->ssl_peer_cert == NULL)
+                return (0);
+        if (X509_digest(ctx->ssl_peer_cert, EVP_sha256(), d, &dlen) != 1) {
+                tls_set_errorx(ctx, "digest failed");
+                goto err;
+        }
+        if (tls_hex_string(d, dlen, &dhex, NULL) != 0) {
+                tls_set_errorx(ctx, "digest hex string failed");
+                goto err;
+        }
+        if (asprintf(hash, "SHA256:%s", dhex) == -1) {
+                tls_set_errorx(ctx, "out of memory");
+                *hash = NULL;
+                goto err;
+        }
+        rv = 0;
+err:
+        free(dhex);
+        return (rv);
+}
+static int
+tls_get_peer_cert_issuer(struct tls *ctx,  char **issuer)
+{
+        X509_NAME *name = NULL;
+        *issuer = NULL;
+        if (ctx->ssl_peer_cert == NULL)
+                return (-1);
+        if ((name = X509_get_issuer_name(ctx->ssl_peer_cert)) == NULL)
+                return (-1);
+        *issuer = X509_NAME_oneline(name, 0, 0);
+        if (*issuer == NULL)
+                return (-1);
+        return (0);
+}
+static int
+tls_get_peer_cert_subject(struct tls *ctx, char **subject)
+{
+        X509_NAME *name = NULL;
+        *subject = NULL;
+        if (ctx->ssl_peer_cert == NULL)
+                return (-1);
+        if ((name = X509_get_subject_name(ctx->ssl_peer_cert)) == NULL)
+                return (-1);
+        *subject = X509_NAME_oneline(name, 0, 0);
+        if (*subject == NULL)
+                return (-1);
+        return (0);
+}
+int
+tls_get_conninfo(struct tls *ctx) {
+        int rv = -1;
+        if (ctx->ssl_peer_cert != NULL) {
+                if (tls_get_peer_cert_hash(ctx, &ctx->conninfo->hash) == -1)
+                        goto err;
+                if (tls_get_peer_cert_subject(ctx, &ctx->conninfo->subject)
+                    == -1)
+                        goto err;
+                if (tls_get_peer_cert_issuer(ctx, &ctx->conninfo->issuer) == -1)
+                        goto err;
+        }
+        rv = 0;
+err:
+        return (rv);
+}
+void
+tls_free_conninfo(struct tls_conninfo *conninfo) {
+        if (conninfo != NULL) {
+                free(conninfo->hash);
+                conninfo->hash = NULL;
+                free(conninfo->subject);
+                conninfo->subject = NULL;
+                free(conninfo->issuer);
+                conninfo->issuer = NULL;
+        }
+}
diff --git a/src/lib/libtls/tls_init.3 b/src/lib/libtls/tls_init.3
index a1fe52c83c..90cbdb3f3b 100644
--- a/src/lib/libtls/tls_init.3
+++ b/src/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.42 2015/09/11 14:22:53 jmc Exp $
+.\" $OpenBSD: tls_init.3,v 1.43 2015/09/12 21:00:38 beck Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 11 2015 $
+.Dd $Mdocdate: September 12 2015 $
 .Dt TLS_INIT 3
 .Os
 .Sh NAME
@@ -121,12 +121,12 @@
 .Fn tls_peer_cert_provided "struct tls *ctx"
 .Ft "int"
 .Fn tls_peer_cert_contains_name "struct tls *ctx" "const char *name"
-.Ft "int"
+.Ft "const char *"
-.Fn tls_peer_cert_issuer "struct tls *ctx" "char **issuer"
+.Fn tls_peer_cert_issuer "struct tls *ctx"
-.Ft "int"
+.Ft "const char *"
-.Fn tls_peer_cert_subject "struct tls *ctx" "char **subject"
+.Fn tls_peer_cert_subject "struct tls *ctx"
-.Ft "int"
+.Ft "const char *"
-.Fn tls_peer_cert_hash "struct tls *ctx" "char **hash"
+.Fn tls_peer_cert_hash "struct tls *ctx"
 .Ft "uint8_t *"
 .Fn tls_load_file "const char *file" "size_t *len" "char *password"
 .Ft "struct tls *"
@@ -386,31 +386,23 @@ can only succeed after the handshake is complete.
 .Em (Server and client)
 .It
 .Fn tls_peer_cert_subject
-returns a string in
+returns a string
-.Ar subject
 corresponding to the subject of the peer certificate from
 .Ar ctx .
 .Fn tls_peer_cert_subject
 will only succeed after the handshake is complete.
-Callers must free the string returned in
-.Ar subject .
 .Em (Server and client)
 .It
 .Fn tls_peer_cert_issuer
-returns a string in
+returns a string
-.Ar subject
 corresponding to the issuer of the peer certificate from
 .Ar ctx .
 .Fn tls_peer_cert_issuer
 will only succeed after the handshake is complete.
-Callers must free the string returned in
-.Ar issuer .
 .Em (Server and client)
 .It
 .Fn tls_peer_cert_hash
 returns a string
-in
-.Ar hash
 corresponding to a hash of the raw peer certificate from
 .Ar ctx
 prefixed by a hash name followed by a colon.
@@ -426,8 +418,6 @@ printf "SHA256:${h}\\n"
 .Pp
 .Fn tls_peer_cert_subject
 will only succeed after the handshake is complete.
-Callers must free the string returned in
-.Ar hash .
 .Em (Server and client)
 .It
 .Fn tls_config_verify_client_opional
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index 34af0fb48a..e31c39a135 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.20 2015/09/11 12:56:55 beck Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.21 2015/09/12 21:00:38 beck Exp $ */
 /*
 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -48,6 +48,14 @@ struct tls_config {
        int verify_name;
 };
+struct tls_conninfo {
+        char *issuer;
+        char *subject;
+        char *hash;
+        char *serial;
+        char *fingerprint;
+};
 #define TLS_CLIENT              (1 << 0)
 #define TLS_SERVER              (1 << 1)
 #define TLS_SERVER_CONN         (1 << 2)
@@ -68,6 +76,7 @@ struct tls {
        SSL *ssl_conn;
        SSL_CTX *ssl_ctx;
        X509 *ssl_peer_cert;
+        struct tls_conninfo *conninfo;
 };
 struct tls *tls_new(void);
@@ -89,5 +98,7 @@ int tls_set_errorx(struct tls *ctx, const char *fmt, ...)
    __attribute__((__nonnull__ (2)));
 int tls_ssl_error(struct tls *ctx, SSL *ssl_conn, int ssl_ret,
    const char *prefix);
+int tls_get_conninfo(struct tls *ctx);
+void tls_free_conninfo(struct tls_conninfo *conninfo);
 #endif /* HEADER_TLS_INTERNAL_H */
diff --git a/src/lib/libtls/tls_peer.c b/src/lib/libtls/tls_peer.c
index cd1984f215..3145e500c4 100644
--- a/src/lib/libtls/tls_peer.c
+++ b/src/lib/libtls/tls_peer.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_peer.c,v 1.3 2015/09/11 13:22:39 beck Exp $ */
+/* $OpenBSD: tls_peer.c,v 1.4 2015/09/12 21:00:38 beck Exp $ */
 /*
 * Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2015 Bob Beck <beck@openbsd.org>
@@ -23,68 +23,27 @@
 #include <tls.h>
 #include "tls_internal.h"
-static int
+const char *
-tls_hex_string(const unsigned char *in, size_t inlen, char **out,
+tls_peer_cert_hash(struct tls *ctx)
-    size_t *outlen)
 {
-        static const char hex[] = "0123456789abcdef";
+        if (ctx->conninfo)
-        size_t i, len;
+                return (ctx->conninfo->hash);
-        char *p;
+        return NULL;
-        if (outlen != NULL)
-                *outlen = 0;
-        if (inlen >= SIZE_MAX)
-                return (-1);
-        if ((*out = reallocarray(NULL, inlen + 1, 2)) == NULL)
-                return (-1);
-        p = *out;
-        len = 0;
-        for (i = 0; i < inlen; i++) {
-                p[len++] = hex[(in[i] >> 4) & 0x0f];
-                p[len++] = hex[in[i] & 0x0f];
-        }
-        p[len++] = 0;
-        if (outlen != NULL)
-                *outlen = len;
-        return (0);
 }
+const char *
-int
+tls_peer_cert_issuer(struct tls *ctx)
-tls_peer_cert_hash(struct tls *ctx, char **hash)
 {
-        char d[EVP_MAX_MD_SIZE], *dhex = NULL;
+        if (ctx->conninfo)
-        int dlen, rv = -1;
+                return (ctx->conninfo->issuer);
+        return NULL;
-        *hash = NULL;
+}
-        if (ctx->ssl_peer_cert == NULL)
-                return (0);
-        if (X509_digest(ctx->ssl_peer_cert, EVP_sha256(), d, &dlen) != 1) {
-                tls_set_errorx(ctx, "digest failed");
-                goto err;
-        }
-        if (tls_hex_string(d, dlen, &dhex, NULL) != 0) {
-                tls_set_errorx(ctx, "digest hex string failed");
-                goto err;
-        }
-        if (asprintf(hash, "SHA256:%s", dhex) == -1) {
-                tls_set_errorx(ctx, "out of memory");
-                *hash = NULL;
-                goto err;
-        }
-        rv = 0;
-err:
-        free(dhex);
-        return (rv);
+const char *
+tls_peer_cert_subject(struct tls *ctx)
+{
+        if (ctx->conninfo)
+                return (ctx->conninfo->subject);
+        return NULL;
 }
 int
@@ -102,34 +61,3 @@ tls_peer_cert_contains_name(struct tls *ctx, const char *name)
        return (tls_check_name(ctx, ctx->ssl_peer_cert, name) == 0);
 }
-int
-tls_peer_cert_issuer(struct tls *ctx,  char **issuer)
-{
-        X509_NAME *name = NULL;
-        *issuer = NULL;
-        if (ctx->ssl_peer_cert == NULL)
-                return (-1);
-        if ((name = X509_get_issuer_name(ctx->ssl_peer_cert)) == NULL)
-                return (-1);
-        *issuer = X509_NAME_oneline(name, 0, 0);
-        if (*issuer == NULL)
-                return (-1);
-        return (0);
-}
-int
-tls_peer_cert_subject(struct tls *ctx, char **subject)
-{
-        X509_NAME *name = NULL;
-        *subject = NULL;
-        if (ctx->ssl_peer_cert == NULL)
-                return (-1);
-        if ((name = X509_get_subject_name(ctx->ssl_peer_cert)) == NULL)
-                return (-1);
-        *subject = X509_NAME_oneline(name, 0, 0);
-        if (*subject == NULL)
-                return (-1);
-        return (0);
-}

diff --git a/src/lib/libtls/Makefile b/src/lib/libtls/Makefile index 1d7815f686..6e5914685c 100644 --- a/src/lib/libtls/Makefile +++ b/src/lib/libtls/Makefile
@@ -1,4 +1,4 @@
1	# $OpenBSD: Makefile,v 1.18 2015/09/11 15:17:46 deraadt Exp $	1	# $OpenBSD: Makefile,v 1.19 2015/09/12 21:00:38 beck Exp $
2		2
3	CFLAGS+= -Wall -Werror -Wimplicit	3	CFLAGS+= -Wall -Werror -Wimplicit
4	CFLAGS+= -DLIBRESSL_INTERNAL	4	CFLAGS+= -DLIBRESSL_INTERNAL
@@ -15,6 +15,7 @@ HDRS= tls.h
15	SRCS= tls.c \	15	SRCS= tls.c \
16	tls_client.c \	16	tls_client.c \
17	tls_config.c \	17	tls_config.c \
		18	tls_conninfo.c \
18	tls_peer.c \	19	tls_peer.c \
19	tls_server.c \	20	tls_server.c \
20	tls_util.c \	21	tls_util.c \


diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c index 65103f106d..277970c932 100644 --- a/src/lib/libtls/tls.c +++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls.c,v 1.26 2015/09/12 19:54:31 jsing Exp $ */	1	/* $OpenBSD: tls.c,v 1.27 2015/09/12 21:00:38 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -323,6 +323,10 @@ tls_reset(struct tls *ctx)
323	free(ctx->errmsg);	323	free(ctx->errmsg);
324	ctx->errmsg = NULL;	324	ctx->errmsg = NULL;
325	ctx->errnum = 0;	325	ctx->errnum = 0;
		326
		327	tls_free_conninfo(ctx->conninfo);
		328	free(ctx->conninfo);
		329	ctx->conninfo = NULL;
326	}	330	}
327		331
328	int	332	int
@@ -376,14 +380,19 @@ tls_handshake(struct tls *ctx)
376	{	380	{
377	int rv = -1;	381	int rv = -1;
378		382
		383	if ((ctx->conninfo = calloc(1, sizeof(*ctx->conninfo))) == NULL)
		384	goto out;
		385
379	if ((ctx->flags & TLS_CLIENT) != 0)	386	if ((ctx->flags & TLS_CLIENT) != 0)
380	rv = tls_handshake_client(ctx);	387	rv = tls_handshake_client(ctx);
381	else if ((ctx->flags & TLS_SERVER_CONN) != 0)	388	else if ((ctx->flags & TLS_SERVER_CONN) != 0)
382	rv = tls_handshake_server(ctx);	389	rv = tls_handshake_server(ctx);
383		390
384	if (rv == 0)	391	if (rv == 0 &&
385	ctx->ssl_peer_cert = SSL_get_peer_certificate(ctx->ssl_conn);	392	(ctx->ssl_peer_cert = SSL_get_peer_certificate(ctx->ssl_conn)) &&
386		393	(tls_get_conninfo(ctx) == -1))
		394	rv = -1;
		395	out:
387	/* Prevent callers from performing incorrect error handling */	396	/* Prevent callers from performing incorrect error handling */
388	errno = 0;	397	errno = 0;
389	return (rv);	398	return (rv);


diff --git a/src/lib/libtls/tls.h b/src/lib/libtls/tls.h index 1a6cb47544..2f91ea68ba 100644 --- a/src/lib/libtls/tls.h +++ b/src/lib/libtls/tls.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls.h,v 1.21 2015/09/12 16:46:43 jsing Exp $ */	1	/* $OpenBSD: tls.h,v 1.22 2015/09/12 21:00:38 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -102,9 +102,9 @@ int tls_close(struct tls *_ctx);
102	int tls_peer_cert_provided(struct tls *ctx);	102	int tls_peer_cert_provided(struct tls *ctx);
103	int tls_peer_cert_contains_name(struct tls ctx, const char name);	103	int tls_peer_cert_contains_name(struct tls ctx, const char name);
104		104
105	int tls_peer_cert_hash(struct tls _ctx, char *_hash);	105	const char * tls_peer_cert_hash(struct tls *_ctx);
106	int tls_peer_cert_issuer(struct tls ctx, char *name);	106	const char * tls_peer_cert_issuer(struct tls *ctx);
107	int tls_peer_cert_subject(struct tls ctx, char *subject);	107	const char * tls_peer_cert_subject(struct tls *ctx);
108		108
109	uint8_t tls_load_file(const char _file, size_t _len, char _password);	109	uint8_t tls_load_file(const char _file, size_t _len, char _password);
110		110


diff --git a/src/lib/libtls/tls_conninfo.c b/src/lib/libtls/tls_conninfo.c new file mode 100644 index 0000000000..267a8747c9 --- /dev/null +++ b/src/lib/libtls/tls_conninfo.c
@@ -0,0 +1,149 @@
		1	/* $OpenBSD: tls_conninfo.c,v 1.1 2015/09/12 21:00:38 beck Exp $ */
		2	/*
		3	* Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
		4	* Copyright (c) 2015 Bob Beck <beck@openbsd.org>
		5	*
		6	* Permission to use, copy, modify, and distribute this software for any
		7	* purpose with or without fee is hereby granted, provided that the above
		8	* copyright notice and this permission notice appear in all copies.
		9	*
		10	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
		11	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
		12	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
		13	* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
		14	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
		15	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
		16	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
		17	*/
		18
		19	#include <stdio.h>
		20
		21	#include <openssl/x509.h>
		22
		23	#include <tls.h>
		24	#include "tls_internal.h"
		25
		26	static int
		27	tls_hex_string(const unsigned char in, size_t inlen, char *out,
		28	size_t *outlen)
		29	{
		30	static const char hex[] = "0123456789abcdef";
		31	size_t i, len;
		32	char *p;
		33
		34	if (outlen != NULL)
		35	*outlen = 0;
		36
		37	if (inlen >= SIZE_MAX)
		38	return (-1);
		39	if ((*out = reallocarray(NULL, inlen + 1, 2)) == NULL)
		40	return (-1);
		41
		42	p = *out;
		43	len = 0;
		44	for (i = 0; i < inlen; i++) {
		45	p[len++] = hex[(in[i] >> 4) & 0x0f];
		46	p[len++] = hex[in[i] & 0x0f];
		47	}
		48	p[len++] = 0;
		49
		50	if (outlen != NULL)
		51	*outlen = len;
		52
		53	return (0);
		54	}
		55
		56	static int
		57	tls_get_peer_cert_hash(struct tls ctx, char *hash)
		58	{
		59	char d[EVP_MAX_MD_SIZE], *dhex = NULL;
		60	int dlen, rv = -1;
		61
		62	*hash = NULL;
		63	if (ctx->ssl_peer_cert == NULL)
		64	return (0);
		65
		66	if (X509_digest(ctx->ssl_peer_cert, EVP_sha256(), d, &dlen) != 1) {
		67	tls_set_errorx(ctx, "digest failed");
		68	goto err;
		69	}
		70
		71	if (tls_hex_string(d, dlen, &dhex, NULL) != 0) {
		72	tls_set_errorx(ctx, "digest hex string failed");
		73	goto err;
		74	}
		75
		76	if (asprintf(hash, "SHA256:%s", dhex) == -1) {
		77	tls_set_errorx(ctx, "out of memory");
		78	*hash = NULL;
		79	goto err;
		80	}
		81
		82	rv = 0;
		83
		84	err:
		85	free(dhex);
		86
		87	return (rv);
		88	}
		89
		90	static int
		91	tls_get_peer_cert_issuer(struct tls ctx, char *issuer)
		92	{
		93	X509_NAME *name = NULL;
		94
		95	*issuer = NULL;
		96	if (ctx->ssl_peer_cert == NULL)
		97	return (-1);
		98	if ((name = X509_get_issuer_name(ctx->ssl_peer_cert)) == NULL)
		99	return (-1);
		100	*issuer = X509_NAME_oneline(name, 0, 0);
		101	if (*issuer == NULL)
		102	return (-1);
		103	return (0);
		104	}
		105
		106	static int
		107	tls_get_peer_cert_subject(struct tls ctx, char *subject)
		108	{
		109	X509_NAME *name = NULL;
		110
		111	*subject = NULL;
		112	if (ctx->ssl_peer_cert == NULL)
		113	return (-1);
		114	if ((name = X509_get_subject_name(ctx->ssl_peer_cert)) == NULL)
		115	return (-1);
		116	*subject = X509_NAME_oneline(name, 0, 0);
		117	if (*subject == NULL)
		118	return (-1);
		119	return (0);
		120	}
		121
		122	int
		123	tls_get_conninfo(struct tls *ctx) {
		124	int rv = -1;
		125	if (ctx->ssl_peer_cert != NULL) {
		126	if (tls_get_peer_cert_hash(ctx, &ctx->conninfo->hash) == -1)
		127	goto err;
		128	if (tls_get_peer_cert_subject(ctx, &ctx->conninfo->subject)
		129	== -1)
		130	goto err;
		131	if (tls_get_peer_cert_issuer(ctx, &ctx->conninfo->issuer) == -1)
		132	goto err;
		133	}
		134	rv = 0;
		135	err:
		136	return (rv);
		137	}
		138
		139	void
		140	tls_free_conninfo(struct tls_conninfo *conninfo) {
		141	if (conninfo != NULL) {
		142	free(conninfo->hash);
		143	conninfo->hash = NULL;
		144	free(conninfo->subject);
		145	conninfo->subject = NULL;
		146	free(conninfo->issuer);
		147	conninfo->issuer = NULL;
		148	}
		149	}


diff --git a/src/lib/libtls/tls_init.3 b/src/lib/libtls/tls_init.3 index a1fe52c83c..90cbdb3f3b 100644 --- a/src/lib/libtls/tls_init.3 +++ b/src/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: tls_init.3,v 1.42 2015/09/11 14:22:53 jmc Exp $	1	.\" $OpenBSD: tls_init.3,v 1.43 2015/09/12 21:00:38 beck Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>	3	.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
4	.\"	4	.\"
@@ -14,7 +14,7 @@
14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF	14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	.\"	16	.\"
17	.Dd $Mdocdate: September 11 2015 $	17	.Dd $Mdocdate: September 12 2015 $
18	.Dt TLS_INIT 3	18	.Dt TLS_INIT 3
19	.Os	19	.Os
20	.Sh NAME	20	.Sh NAME
@@ -121,12 +121,12 @@
121	.Fn tls_peer_cert_provided "struct tls *ctx"	121	.Fn tls_peer_cert_provided "struct tls *ctx"
122	.Ft "int"	122	.Ft "int"
123	.Fn tls_peer_cert_contains_name "struct tls ctx" "const char name"	123	.Fn tls_peer_cert_contains_name "struct tls ctx" "const char name"
124	.Ft "int"	124	.Ft "const char *"
125	.Fn tls_peer_cert_issuer "struct tls ctx" "char *issuer"	125	.Fn tls_peer_cert_issuer "struct tls *ctx"
126	.Ft "int"	126	.Ft "const char *"
127	.Fn tls_peer_cert_subject "struct tls ctx" "char *subject"	127	.Fn tls_peer_cert_subject "struct tls *ctx"
128	.Ft "int"	128	.Ft "const char *"
129	.Fn tls_peer_cert_hash "struct tls ctx" "char *hash"	129	.Fn tls_peer_cert_hash "struct tls *ctx"
130	.Ft "uint8_t *"	130	.Ft "uint8_t *"
131	.Fn tls_load_file "const char file" "size_t len" "char *password"	131	.Fn tls_load_file "const char file" "size_t len" "char *password"
132	.Ft "struct tls *"	132	.Ft "struct tls *"
@@ -386,31 +386,23 @@ can only succeed after the handshake is complete.
386	.Em (Server and client)	386	.Em (Server and client)
387	.It	387	.It
388	.Fn tls_peer_cert_subject	388	.Fn tls_peer_cert_subject
389	returns a string in	389	returns a string
390	.Ar subject
391	corresponding to the subject of the peer certificate from	390	corresponding to the subject of the peer certificate from
392	.Ar ctx .	391	.Ar ctx .
393	.Fn tls_peer_cert_subject	392	.Fn tls_peer_cert_subject
394	will only succeed after the handshake is complete.	393	will only succeed after the handshake is complete.
395	Callers must free the string returned in
396	.Ar subject .
397	.Em (Server and client)	394	.Em (Server and client)
398	.It	395	.It
399	.Fn tls_peer_cert_issuer	396	.Fn tls_peer_cert_issuer
400	returns a string in	397	returns a string
401	.Ar subject
402	corresponding to the issuer of the peer certificate from	398	corresponding to the issuer of the peer certificate from
403	.Ar ctx .	399	.Ar ctx .
404	.Fn tls_peer_cert_issuer	400	.Fn tls_peer_cert_issuer
405	will only succeed after the handshake is complete.	401	will only succeed after the handshake is complete.
406	Callers must free the string returned in
407	.Ar issuer .
408	.Em (Server and client)	402	.Em (Server and client)
409	.It	403	.It
410	.Fn tls_peer_cert_hash	404	.Fn tls_peer_cert_hash
411	returns a string	405	returns a string
412	in
413	.Ar hash
414	corresponding to a hash of the raw peer certificate from	406	corresponding to a hash of the raw peer certificate from
415	.Ar ctx	407	.Ar ctx
416	prefixed by a hash name followed by a colon.	408	prefixed by a hash name followed by a colon.
@@ -426,8 +418,6 @@ printf "SHA256:${h}\\n"
426	.Pp	418	.Pp
427	.Fn tls_peer_cert_subject	419	.Fn tls_peer_cert_subject
428	will only succeed after the handshake is complete.	420	will only succeed after the handshake is complete.
429	Callers must free the string returned in
430	.Ar hash .
431	.Em (Server and client)	421	.Em (Server and client)
432	.It	422	.It
433	.Fn tls_config_verify_client_opional	423	.Fn tls_config_verify_client_opional


diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h index 34af0fb48a..e31c39a135 100644 --- a/src/lib/libtls/tls_internal.h +++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls_internal.h,v 1.20 2015/09/11 12:56:55 beck Exp $ */	1	/* $OpenBSD: tls_internal.h,v 1.21 2015/09/12 21:00:38 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>	3	* Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
4	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>	4	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -48,6 +48,14 @@ struct tls_config {
48	int verify_name;	48	int verify_name;
49	};	49	};
50		50
		51	struct tls_conninfo {
		52	char *issuer;
		53	char *subject;
		54	char *hash;
		55	char *serial;
		56	char *fingerprint;
		57	};
		58
51	#define TLS_CLIENT (1 << 0)	59	#define TLS_CLIENT (1 << 0)
52	#define TLS_SERVER (1 << 1)	60	#define TLS_SERVER (1 << 1)
53	#define TLS_SERVER_CONN (1 << 2)	61	#define TLS_SERVER_CONN (1 << 2)
@@ -68,6 +76,7 @@ struct tls {
68	SSL *ssl_conn;	76	SSL *ssl_conn;
69	SSL_CTX *ssl_ctx;	77	SSL_CTX *ssl_ctx;
70	X509 *ssl_peer_cert;	78	X509 *ssl_peer_cert;
		79	struct tls_conninfo *conninfo;
71	};	80	};
72		81
73	struct tls *tls_new(void);	82	struct tls *tls_new(void);
@@ -89,5 +98,7 @@ int tls_set_errorx(struct tls ctx, const char fmt, ...)
89	__attribute__((__nonnull__ (2)));	98	__attribute__((__nonnull__ (2)));
90	int tls_ssl_error(struct tls ctx, SSL ssl_conn, int ssl_ret,	99	int tls_ssl_error(struct tls ctx, SSL ssl_conn, int ssl_ret,
91	const char *prefix);	100	const char *prefix);
		101	int tls_get_conninfo(struct tls *ctx);
		102	void tls_free_conninfo(struct tls_conninfo *conninfo);
92		103
93	#endif /* HEADER_TLS_INTERNAL_H */	104	#endif /* HEADER_TLS_INTERNAL_H */


diff --git a/src/lib/libtls/tls_peer.c b/src/lib/libtls/tls_peer.c index cd1984f215..3145e500c4 100644 --- a/src/lib/libtls/tls_peer.c +++ b/src/lib/libtls/tls_peer.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls_peer.c,v 1.3 2015/09/11 13:22:39 beck Exp $ */	1	/* $OpenBSD: tls_peer.c,v 1.4 2015/09/12 21:00:38 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2015 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2015 Bob Beck <beck@openbsd.org>	4	* Copyright (c) 2015 Bob Beck <beck@openbsd.org>
@@ -23,68 +23,27 @@
23	#include <tls.h>	23	#include <tls.h>
24	#include "tls_internal.h"	24	#include "tls_internal.h"
25		25
26	static int	26	const char *
27	tls_hex_string(const unsigned char in, size_t inlen, char *out,	27	tls_peer_cert_hash(struct tls *ctx)
28	size_t *outlen)
29	{	28	{
30	static const char hex[] = "0123456789abcdef";	29	if (ctx->conninfo)
31	size_t i, len;	30	return (ctx->conninfo->hash);
32	char *p;	31	return NULL;
33
34	if (outlen != NULL)
35	*outlen = 0;
36
37	if (inlen >= SIZE_MAX)
38	return (-1);
39	if ((*out = reallocarray(NULL, inlen + 1, 2)) == NULL)
40	return (-1);
41
42	p = *out;
43	len = 0;
44	for (i = 0; i < inlen; i++) {
45	p[len++] = hex[(in[i] >> 4) & 0x0f];
46	p[len++] = hex[in[i] & 0x0f];
47	}
48	p[len++] = 0;
49
50	if (outlen != NULL)
51	*outlen = len;
52
53	return (0);
54	}	32	}
55		33	const char *
56	int	34	tls_peer_cert_issuer(struct tls *ctx)
57	tls_peer_cert_hash(struct tls ctx, char *hash)
58	{	35	{
59	char d[EVP_MAX_MD_SIZE], *dhex = NULL;	36	if (ctx->conninfo)
60	int dlen, rv = -1;	37	return (ctx->conninfo->issuer);
61		38	return NULL;
62	*hash = NULL;	39	}
63	if (ctx->ssl_peer_cert == NULL)
64	return (0);
65
66	if (X509_digest(ctx->ssl_peer_cert, EVP_sha256(), d, &dlen) != 1) {
67	tls_set_errorx(ctx, "digest failed");
68	goto err;
69	}
70
71	if (tls_hex_string(d, dlen, &dhex, NULL) != 0) {
72	tls_set_errorx(ctx, "digest hex string failed");
73	goto err;
74	}
75
76	if (asprintf(hash, "SHA256:%s", dhex) == -1) {
77	tls_set_errorx(ctx, "out of memory");
78	*hash = NULL;
79	goto err;
80	}
81
82	rv = 0;
83
84	err:
85	free(dhex);
86		40
87	return (rv);	41	const char *
		42	tls_peer_cert_subject(struct tls *ctx)
		43	{
		44	if (ctx->conninfo)
		45	return (ctx->conninfo->subject);
		46	return NULL;
88	}	47	}
89		48
90	int	49	int
@@ -102,34 +61,3 @@ tls_peer_cert_contains_name(struct tls ctx, const char name)
102	return (tls_check_name(ctx, ctx->ssl_peer_cert, name) == 0);	61	return (tls_check_name(ctx, ctx->ssl_peer_cert, name) == 0);
103	}	62	}
104		63
105	int
106	tls_peer_cert_issuer(struct tls ctx, char *issuer)
107	{
108	X509_NAME *name = NULL;
109
110	*issuer = NULL;
111	if (ctx->ssl_peer_cert == NULL)
112	return (-1);
113	if ((name = X509_get_issuer_name(ctx->ssl_peer_cert)) == NULL)
114	return (-1);
115	*issuer = X509_NAME_oneline(name, 0, 0);
116	if (*issuer == NULL)
117	return (-1);
118	return (0);
119	}
120
121	int
122	tls_peer_cert_subject(struct tls ctx, char *subject)
123	{
124	X509_NAME *name = NULL;
125
126	*subject = NULL;
127	if (ctx->ssl_peer_cert == NULL)
128	return (-1);
129	if ((name = X509_get_subject_name(ctx->ssl_peer_cert)) == NULL)
130	return (-1);
131	*subject = X509_NAME_oneline(name, 0, 0);
132	if (*subject == NULL)
133	return (-1);
134	return (0);
135	}