From 68048eefb0353c6cb686c092af50ba61fca67874 Mon Sep 17 00:00:00 2001
From: beck <>
Date: Fri, 11 Sep 2015 12:56:55 +0000
Subject: add tls_peer functions for checking names and issuers of peer certificates. ok jsing@
---
 src/lib/libtls/Makefile | 4 +++-
 src/lib/libtls/tls.h | 7 +++++-
 src/lib/libtls/tls_client.c | 4 ++--
 src/lib/libtls/tls_init.3 | 31 +++++++++++++++++++++++++--
 src/lib/libtls/tls_internal.h | 4 ++--
 src/lib/libtls/tls_peer.c | 50 ++++++++++++++++++++++++++++++++++++++++++-
 src/lib/libtls/tls_verify.c | 8 +++----
 7 files changed, 95 insertions(+), 13 deletions(-)
(limited to 'src')

diff --git a/src/lib/libtls/Makefile b/src/lib/libtls/Makefile
index 0e3329589e..2e03e247e4 100644
--- a/src/lib/libtls/Makefile
+++ b/src/lib/libtls/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.15 2015/09/11 11:28:01 jsing Exp $
+# $OpenBSD: Makefile,v 1.16 2015/09/11 12:56:55 beck Exp $
 
 CFLAGS+= -Wall -Werror -Wimplicit
 CFLAGS+= -DLIBRESSL_INTERNAL
@@ -46,6 +46,8 @@ MLINKS+=tls_init.3 tls_config_insecure_noverifyname.3
 MLINKS+=tls_init.3 tls_config_verify.3
 MLINKS+=tls_init.3 tls_config_verify_client.3
 MLINKS+=tls_init.3 tls_config_verify_client_optional.3
+MLINKS+=tls_init.3 tls_peer_cert_provided.3
+MLINKS+=tls_init.3 tls_peer_cert_contains_name.3
 MLINKS+=tls_init.3 tls_load_file.3
 MLINKS+=tls_init.3 tls_client.3
 MLINKS+=tls_init.3 tls_server.3
diff --git a/src/lib/libtls/tls.h b/src/lib/libtls/tls.h
index 3cb24f0ee5..3d1682e2b6 100644
--- a/src/lib/libtls/tls.h
+++ b/src/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.19 2015/09/11 11:28:01 jsing Exp $ */
+/* $OpenBSD: tls.h,v 1.20 2015/09/11 12:56:55 beck Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing
  *
@@ -76,6 +76,11 @@ void tls_config_verify(struct tls_config *_config);
 void tls_config_verify_client(struct tls_config *_config);
 void tls_config_verify_client_optional(struct tls_config *_config);
 
+int tls_peer_cert_provided(struct tls *ctx);
+int tls_peer_cert_contains_name(struct tls *ctx, const char *name);
+int tls_peer_cert_issuer(struct tls *ctx, char **name);
+int tls_peer_cert_subject(struct tls *ctx, char **subject);
+
 void tls_config_clear_keys(struct tls_config *_config);
 int tls_config_parse_protocols(uint32_t *_protocols, const char *_protostr);
 
diff --git a/src/lib/libtls/tls_client.c b/src/lib/libtls/tls_client.c
index fb7f3a6f75..2aca519f8b 100644
--- a/src/lib/libtls/tls_client.c
+++ b/src/lib/libtls/tls_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_client.c,v 1.26 2015/09/10 10:14:20 jsing Exp $ */
+/* $OpenBSD: tls_client.c,v 1.27 2015/09/11 12:56:55 beck Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing
  *
@@ -262,7 +262,7 @@ tls_handshake_client(struct tls *ctx)
 tls_set_errorx(ctx, "no server certificate");
 goto err;
 }
- if ((rv = tls_check_servername(ctx, cert,
+ if ((rv = tls_check_name(ctx, cert,
 ctx->servername)) != 0) {
 if (rv != -2)
 tls_set_errorx(ctx, "name `%s' not present in"
diff --git a/src/lib/libtls/tls_init.3 b/src/lib/libtls/tls_init.3
index 6197817f6f..4066713603 100644
--- a/src/lib/libtls/tls_init.3
+++ b/src/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.37 2015/09/11 09:02:10 beck Exp $
+.\" $OpenBSD: tls_init.3,v 1.38 2015/09/11 12:56:55 beck Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst
 .\"
@@ -112,6 +112,10 @@
 .Fn tls_config_verify_client "struct tls_config *config"
 .Ft "void"
 .Fn tls_config_verify_client_optional "struct tls_config *config"
+.Ft "int"
+.Fn tls_peer_cert_provided "struct tls *ctx"
+.Ft "int"
+.Fn tls_peer_cert_contains_name "struct tls *ctx" "const char *name"
 .Ft "uint8_t *"
 .Fn tls_load_file "const char *file" "size_t *len" "char *password"
 .Ft "struct tls *"
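Review bot: The new prototype `int tls_peer_cert_issuer(struct tls *ctx, char **name);` names its output parameter `name`, while the definition added in tls_peer.c calls it `issuer`; renaming the header parameter to `issuer` keeps the two in agreement and stops readers confusing it with the `name` argument of tls_peer_cert_contains_name. Nothing in the header tells a caller that `*issuer` and `*subject` are newly allocated strings it owns, nor that the four functions follow two conventions (1/0 for the two checks, 0/-1 for the two accessors); a comment above the group such as `/* tls_peer_cert_issuer/subject: on success *issuer / *subject is an allocated string the caller must free(); return 0 on success, -1 on failure. */` would make the contract visible. The surrounding declarations prefix parameter names with an underscore (`_config`, `_protocols`, `_protostr`) and the new ones do not. tls_peer_cert_issuer and tls_peer_cert_subject also receive neither a tls_init.3 entry nor an MLINKS line in the Makefile hunk of this commit, unlike the first two functions.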
@@ -354,6 +358,24 @@ enables client certificate verification, requiring the client to send a
 certificate.
 .Em (Server)
 .It
+.Fn tls_peer_cert_provided
+checks if the peer of
+.Ar ctx
+has provided a certificate.
+.Fn tls_peer_cert_provided
+will only succeed after the handshake is complete.
+.Em (Server and client)
+.It
+.Fn tls_peer_cert_constains_name
+checks if the peer of a tls
+.Ar ctx
+ has povided a certificate that contains a
+SAN or CN that matches
+.Ar name
+.Fn tls_peer_cert_contains_name
+will only succeed after the handshake is complete.
+.Em (Server and client)
+.It
 .Fn tls_config_verify_client_opional
 enables client certificate verification, without requiring the client to send a certificate.
@@ -455,7 +477,12 @@ or
 .Fn tls_connect_servername .
 .El
 .Sh RETURN VALUES
-Functions that return
+The
+.Fn tls_peer_cert_provided
+and
+.Fn tls_peer_cert_contain_name
+functions return 1 if the check succeeds, and 0 if it does not.
+All other functions that return
 .Vt int
 or
 .Vt ssize_t
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index b514847cfe..34af0fb48a 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.19 2015/09/11 09:24:54 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.20 2015/09/11 12:56:55 beck Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas
  * Copyright (c) 2014 Joel Sing
@@ -73,7 +73,7 @@ struct tls {
 struct tls *tls_new(void);
 struct tls *tls_server_conn(struct tls *ctx);
 
-int tls_check_servername(struct tls *ctx, X509 *cert, const char *servername);
+int tls_check_name(struct tls *ctx, X509 *cert, const char *servername);
 int tls_configure_keypair(struct tls *ctx, int);
 int tls_configure_server(struct tls *ctx);
 int tls_configure_ssl(struct tls *ctx);
diff --git a/src/lib/libtls/tls_peer.c b/src/lib/libtls/tls_peer.c
index e2a2c7b141..39a9d90cab 100644
--- a/src/lib/libtls/tls_peer.c
+++ b/src/lib/libtls/tls_peer.c
@@ -1,6 +1,7 @@
-/* $OpenBSD: tls_peer.c,v 1.1 2015/09/11 11:28:01 jsing Exp $ */
+/* $OpenBSD: tls_peer.c,v 1.2 2015/09/11 12:56:55 beck Exp $ */
 /*
  * Copyright (c) 2015 Joel Sing
+ * Copyright (c) 2015 Bob Beck
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -85,3 +86,50 @@ err:
 
 return (rv);
 }
+
+int
+tls_peer_cert_provided(struct tls *ctx)
+{
+ return (ctx->ssl_peer_cert != NULL);
+}
+
+int
+tls_peer_cert_contains_name(struct tls *ctx, const char *name)
+{
+ if (ctx->ssl_peer_cert == NULL)
+ return (0);
+
+ return (tls_check_name(ctx, ctx->ssl_peer_cert, name) == 0);
+}
+
+int
+tls_peer_cert_issuer(struct tls *ctx, char **issuer)
+{
+ X509_NAME *name = NULL;
+
+ *issuer = NULL;
+ if (ctx->ssl_peer_cert != NULL)
+ return (-1);
+ if ((name = X509_get_issuer_name(ctx->ssl_peer_cert)) == NULL)
+ return (-1);
+ *issuer = X509_NAME_oneline(name, 0, 0);
+ if (*issuer == NULL)
+ return (-1);
+ return (0);
+}
+
+int
+tls_peer_cert_subject(struct tls *ctx, char **subject)
+{
+ X509_NAME *name = NULL;
+
+ *subject = NULL;
+ if (ctx->ssl_peer_cert == NULL)
+ return (-1);
+ if ((name = X509_get_subject_name(ctx->ssl_peer_cert)) == NULL)
+ return (-1);
+ *subject = X509_NAME_oneline(name, 0, 0);
+ if (*subject == NULL)
+ return (-1);
+ return (0);
+}
diff --git a/src/lib/libtls/tls_verify.c b/src/lib/libtls/tls_verify.c
index 7fd0b3d545..c6f29c897d 100644
--- a/src/lib/libtls/tls_verify.c
+++ b/src/lib/libtls/tls_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_verify.c,v 1.11 2015/09/09 19:49:07 jsing Exp $ */
+/* $OpenBSD: tls_verify.c,v 1.12 2015/09/11 12:56:55 beck Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas
  *
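Review bot: The NULL check in tls_peer_cert_issuer is inverted: `if (ctx->ssl_peer_cert != NULL) return (-1);` makes the function fail precisely when a peer certificate is present, and when none is present it falls through to `X509_get_issuer_name(ctx->ssl_peer_cert)` with a NULL certificate; it should read `if (ctx->ssl_peer_cert == NULL)` exactly as tls_peer_cert_subject does a few lines below. Both accessors hand back the buffer that X509_NAME_oneline allocates when its buffer argument is NULL, so the caller owns `*issuer` / `*subject`; a comment above each function stating that the returned string must be freed by the caller would make that contract visible, since neither this hunk nor the tls.h hunk says so. The failure paths here return -1 without a tls_set_errorx call, so presumably a caller can learn only that the call failed and not why — worth confirming against how the rest of libtls reports errors. Within the same hunk the two checks return 1/0 while the two accessors return 0/-1, and only the first convention is described in the tls_init.3 hunk.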
@@ -246,13 +246,13 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name)
 }
 
 int
-tls_check_servername(struct tls *ctx, X509 *cert, const char *servername)
+tls_check_name(struct tls *ctx, X509 *cert, const char *name)
 {
 int rv;
 
- rv = tls_check_subject_altname(ctx, cert, servername);
+ rv = tls_check_subject_altname(ctx, cert, name);
 if (rv == 0 || rv == -2)
 return rv;
- return tls_check_common_name(ctx, cert, servername);
+ return tls_check_common_name(ctx, cert, name);
 }
-- 
cgit v1.2.3-55-g6feb