author | 2017-04-05 03:19:22 +0000 | |
---|---|---|
committer | 2017-04-05 03:19:22 +0000 | |
commit | c67861f722ec9aaffcb1fbbacbe7d9d49ada2c73 (patch) | |
tree | 5f2ed5e8bb90bc244fc29a274a9af65dd2e3129d /lib/libtls/tls_conninfo.c | |
parent | Internal changes to allow for relayd engine privsep. sends the hash of the (diff) | |
Add tls_peer_cert_chain_pem - To retrieve the peer certificate and chain
as PEM format. This allows for it to be used or examined with tools
external to libtls
bump minor
ok jsing@
Diffstat (limited to 'lib/libtls/tls_conninfo.c')
-rw-r--r-- | lib/libtls/tls_conninfo.c | 52 |
1 files changed, 51 insertions, 1 deletions
diff --git a/lib/libtls/tls_conninfo.c b/lib/libtls/tls_conninfo.c
index c4d23c308b5..87660fa9899 100644
--- a/lib/libtls/tls_conninfo.c
+++ b/lib/libtls/tls_conninfo.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_conninfo.c,v 1.14 2017/04/05 03:13:53 beck Exp $ */
+/* $OpenBSD: tls_conninfo.c,v 1.15 2017/04/05 03:19:22 beck Exp $ */
 /*
  * Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2015 Bob Beck <beck@openbsd.org>
@@ -174,6 +174,49 @@ tls_conninfo_alpn_proto(struct tls *ctx)
 	return (0);
 }
 
+static int
+tls_conninfo_cert_pem(struct tls *ctx)
+{
+	int i, rv = -1;
+	BIO *membio = NULL;
+	BUF_MEM *bptr = NULL;
+
+	if (ctx->conninfo == NULL)
+		goto err;
+	if (ctx->ssl_peer_cert == NULL)
+		return 0;
+	if ((membio = BIO_new(BIO_s_mem()))== NULL)
+		goto err;
+
+	/*
+	 * We have to write the peer cert out separately, because
+	 * the certificate chain may or may not contain it.
+	 */
+	if (!PEM_write_bio_X509(membio, ctx->ssl_peer_cert))
+		goto err;
+	for (i = 0; i < sk_X509_num(ctx->ssl_peer_chain); i++) {
+		X509 *chaincert = sk_X509_value(ctx->ssl_peer_chain, i);
+		if (chaincert != ctx->ssl_peer_cert &&
+		    !PEM_write_bio_X509(membio, chaincert))
+			goto err;
+	}
+
+	BIO_get_mem_ptr(membio, &bptr);
+	free(ctx->conninfo->peer_cert);
+	ctx->conninfo->peer_cert_len = 0;
+	if ((ctx->conninfo->peer_cert = malloc(bptr->length)) == NULL)
+		goto err;
+	ctx->conninfo->peer_cert_len = bptr->length;
+	memcpy(ctx->conninfo->peer_cert, bptr->data,
+	    ctx->conninfo->peer_cert_len);
+
+	/* BIO_free() will kill BUF_MEM - because we have not set BIO_NOCLOSE */
+	rv = 0;
+ err:
+	BIO_free(membio);
+	return rv;
+}
+
 int
 tls_conninfo_populate(struct tls *ctx)
 {
@@ -210,6 +253,9 @@ tls_conninfo_populate(struct tls *ctx)
 	if (tls_get_peer_cert_info(ctx) == -1)
 		goto err;
 
+	if (tls_conninfo_cert_pem(ctx) == -1)
+		goto err;
+
 	return (0);
 err:
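Review bot: `BIO_get_mem_ptr(membio, &bptr);` in tls_conninfo_cert_pem discards its return value, and the very next lines dereference `bptr->length` and `bptr->data`; for a BIO_s_mem() BIO the ctrl should not fail in practice, but since `bptr` is initialised to NULL a failure would be a NULL dereference rather than the clean `-1` the rest of the function produces, so guard it: `if (BIO_get_mem_ptr(membio, &bptr) <= 0 || bptr == NULL) goto err;`. The exported buffer is the raw PEM bytes with no NUL terminator, so the new accessor's documentation should state that `peer_cert` must be consumed together with `peer_cert_len` and never passed to string functions. Worth noting in a comment above the loop that `ssl_peer_chain` is presumably the chain as presented by the peer, so the PEM export reflects what the peer sent, not a verified path, and consumers must not infer trust from its presence — confirm against how `ssl_peer_chain` is populated elsewhere in libtls. The leaf-deduplication relies on pointer identity with `ssl_peer_cert`; if the chain ever holds a distinct X509 object for the leaf it would be emitted twice, so `X509_cmp() != 0` would be a more robust test. Minor style: `BIO_new(BIO_s_mem()))== NULL` is missing the space before `==` that KNF uses everywhere else in the hunk.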
@@ -241,6 +287,10 @@ tls_conninfo_free(struct tls_conninfo *conninfo)
 	free(conninfo->subject);
 	conninfo->subject = NULL;
 
+	free(conninfo->peer_cert);
+	conninfo->peer_cert = NULL;
+	conninfo->peer_cert_len = 0;
+
 	free(conninfo);
 }