3 files changed, 92 insertions, 2 deletions

diff --git a/src/lib/libtls/Makefile b/src/lib/libtls/Makefile
index 4b6b34c283..0e3329589e 100644
--- a/src/lib/libtls/Makefile
+++ b/src/lib/libtls/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.14 2015/09/11 07:07:23 jmc Exp $
+#       $OpenBSD: Makefile,v 1.15 2015/09/11 11:28:01 jsing Exp $
 
 CFLAGS+= -Wall -Werror -Wimplicit
 CFLAGS+= -DLIBRESSL_INTERNAL
@@ -15,6 +15,7 @@ HDRS=	tls.h
 SRCS=   tls.c \
         tls_client.c \
         tls_config.c \
+        tls_peer.c \
         tls_server.c \
         tls_util.c \
         tls_verify.c
diff --git a/src/lib/libtls/tls.h b/src/lib/libtls/tls.h
index f7c12920e0..3cb24f0ee5 100644
--- a/src/lib/libtls/tls.h
+++ b/src/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.18 2015/09/10 10:26:49 beck Exp $ */
+/* $OpenBSD: tls.h,v 1.19 2015/09/11 11:28:01 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -99,6 +99,8 @@ ssize_t tls_read(struct tls *_ctx, void *_buf, size_t _buflen);
 ssize_t tls_write(struct tls *_ctx, const void *_buf, size_t _buflen);
 int tls_close(struct tls *_ctx);
 
+int tls_peer_cert_hash(struct tls *_ctx, char **_hash);
+
 uint8_t *tls_load_file(const char *_file, size_t *_len, char *_password);
 
 #ifdef __cplusplus
diff --git a/src/lib/libtls/tls_peer.c b/src/lib/libtls/tls_peer.c
new file mode 100644
index 0000000000..e2a2c7b141
--- /dev/null
+++ b/src/lib/libtls/tls_peer.c
@@ -0,0 +1,87 @@
+/* $OpenBSD: tls_peer.c,v 1.1 2015/09/11 11:28:01 jsing Exp $ */
+/*
+ * Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <stdio.h>
+
+#include <openssl/x509.h>
+
+#include <tls.h>
+#include "tls_internal.h"
+
+static int
+tls_hex_string(const unsigned char *in, size_t inlen, char **out,
+    size_t *outlen)
+{
+        static const char hex[] = "0123456789abcdef";
+        size_t i, len;
+        char *p;
+
+        if (outlen != NULL)
+                *outlen = 0;
+
+        if (inlen >= SIZE_MAX)
+                return (-1);
+        if ((*out = reallocarray(NULL, inlen + 1, 2)) == NULL)
+                return (-1);
+
+        p = *out;
+        len = 0;
+        for (i = 0; i < inlen; i++) {
+                p[len++] = hex[(in[i] >> 4) & 0x0f];
+                p[len++] = hex[in[i] & 0x0f];
+        }
+        p[len++] = 0;
+
+        if (outlen != NULL)
+                *outlen = len;
+
+        return (0);
+}
+
+int
+tls_peer_cert_hash(struct tls *ctx, char **hash)
+{
+        char d[EVP_MAX_MD_SIZE], *dhex = NULL;
+        int dlen, rv = -1;
+
+        *hash = NULL;
+        if (ctx->ssl_peer_cert == NULL)
+                return (0);
+
+        if (X509_digest(ctx->ssl_peer_cert, EVP_sha256(), d, &dlen) != 1) {
+                tls_set_errorx(ctx, "digest failed");
+                goto err;
+        }
+
+        if (tls_hex_string(d, dlen, &dhex, NULL) != 0) {
+                tls_set_errorx(ctx, "digest hex string failed");
+                goto err;
+        }
+
+        if (asprintf(hash, "SHA256:%s", dhex) == -1) {
+                tls_set_errorx(ctx, "out of memory");
+                *hash = NULL;
+                goto err;
+        }
+
+        rv = 0;
+
+err:
+        free(dhex);
+
+        return (rv);
+}