diff options
| author |   jsing <jsing@openbsd.org> | 2016-08-22 17:12:35 +0000 |
|---|---|---|
| committer | jsing <jsing@openbsd.org> | 2016-08-22 17:12:35 +0000 |
| commit | dc559dc0fe18085363583edb12b8b17aebbee4d2 (patch) | |
| tree | 1de06f8b7c1b1f81f31a59570ad938a3e8700977 /lib/libtls/tls_conninfo.c | |
| parent | Stick with the usual 'if NULL return NULL' idiom. (diff) | |
| download | wireguard-openbsd-dc559dc0fe18085363583edb12b8b17aebbee4d2.tar.xz wireguard-openbsd-dc559dc0fe18085363583edb12b8b17aebbee4d2.zip | |
Various clean up and reorganisation of the connection info handling code.
In particular, rename tls_free_conninfo() to tls_conninfo_free() and make
it a real free function. Rename tls_get_conninfo() to
tls_conninfo_populate() and have it allocate the struct tls_conninfo (after
freeing any existing one).
ok beck@
Diffstat (limited to 'lib/libtls/tls_conninfo.c')
| -rw-r--r-- | lib/libtls/tls_conninfo.c | 147 |
1 files changed, 89 insertions, 58 deletions
diff --git a/lib/libtls/tls_conninfo.c b/lib/libtls/tls_conninfo.c index 281af798665..5882a19cee8 100644 --- a/lib/libtls/tls_conninfo.c +++ b/lib/libtls/tls_conninfo.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_conninfo.c,v 1.10 2016/08/22 14:55:59 jsing Exp $ */ +/* $OpenBSD: tls_conninfo.c,v 1.11 2016/08/22 17:12:35 jsing Exp $ */ /* * Copyright (c) 2015 Joel Sing <jsing@openbsd.org> * Copyright (c) 2015 Bob Beck <beck@openbsd.org> @@ -120,34 +120,57 @@ tls_get_peer_cert_subject(struct tls *ctx, char **subject) } static int -tls_get_peer_cert_times(struct tls *ctx, time_t *notbefore, time_t *notafter) +tls_get_peer_cert_times(struct tls *ctx, time_t *notbefore, + time_t *notafter) { struct tm before_tm, after_tm; ASN1_TIME *before, *after; - int rv = -1; + + if (ctx->ssl_peer_cert == NULL) + return (-1); memset(&before_tm, 0, sizeof(before_tm)); memset(&after_tm, 0, sizeof(after_tm)); - if (ctx->ssl_peer_cert != NULL) { - if ((before = X509_get_notBefore(ctx->ssl_peer_cert)) == NULL) - goto err; - if ((after = X509_get_notAfter(ctx->ssl_peer_cert)) == NULL) - goto err; - if (asn1_time_parse(before->data, before->length, &before_tm, 0) - == -1) - goto err; - if (asn1_time_parse(after->data, after->length, &after_tm, 0) - == -1) - goto err; - if ((*notbefore = timegm(&before_tm)) == -1) - goto err; - if ((*notafter = timegm(&after_tm)) == -1) - goto err; - } - rv = 0; + if ((before = X509_get_notBefore(ctx->ssl_peer_cert)) == NULL) + goto err; + if ((after = X509_get_notAfter(ctx->ssl_peer_cert)) == NULL) + goto err; + if (asn1_time_parse(before->data, before->length, &before_tm, 0) == -1) + goto err; + if (asn1_time_parse(after->data, after->length, &after_tm, 0) == -1) + goto err; + if ((*notbefore = timegm(&before_tm)) == -1) + goto err; + if ((*notafter = timegm(&after_tm)) == -1) + goto err; + + return (0); + err: - return (rv); + return (-1); +} + +static int +tls_get_peer_cert_info(struct tls *ctx) +{ + if (ctx->ssl_peer_cert == NULL) + return (0); + + if (tls_get_peer_cert_hash(ctx, &ctx->conninfo->hash) == -1) + goto err; + if (tls_get_peer_cert_subject(ctx, &ctx->conninfo->subject) == -1) + goto err; + if (tls_get_peer_cert_issuer(ctx, &ctx->conninfo->issuer) == -1) + goto err; + if (tls_get_peer_cert_times(ctx, &ctx->conninfo->notbefore, + &ctx->conninfo->notafter) == -1) + goto err; + + return (0); + + err: + return (-1); } static int @@ -171,63 +194,71 @@ tls_conninfo_alpn_proto(struct tls *ctx) } int -tls_get_conninfo(struct tls *ctx) +tls_conninfo_populate(struct tls *ctx) { - const char * tmp; + const char *tmp; - if (ctx->ssl_peer_cert != NULL) { - if (tls_get_peer_cert_hash(ctx, &ctx->conninfo->hash) == -1) - goto err; - if (tls_get_peer_cert_subject(ctx, &ctx->conninfo->subject) - == -1) - goto err; - if (tls_get_peer_cert_issuer(ctx, &ctx->conninfo->issuer) == -1) - goto err; - if (tls_get_peer_cert_times(ctx, &ctx->conninfo->notbefore, - &ctx->conninfo->notafter) == -1) - goto err; - } - if ((tmp = SSL_get_version(ctx->ssl_conn)) == NULL) + tls_conninfo_free(ctx->conninfo); + + if ((ctx->conninfo = calloc(1, sizeof(struct tls_conninfo))) == NULL) { + tls_set_errorx(ctx, "out of memory"); goto err; - ctx->conninfo->version = strdup(tmp); - if (ctx->conninfo->version == NULL) + } + + if (tls_conninfo_alpn_proto(ctx) == -1) goto err; + if ((tmp = SSL_get_cipher(ctx->ssl_conn)) == NULL) goto err; ctx->conninfo->cipher = strdup(tmp); if (ctx->conninfo->cipher == NULL) goto err; - if (tls_conninfo_alpn_proto(ctx) == -1) - goto err; + if (ctx->servername != NULL) { if ((ctx->conninfo->servername = strdup(ctx->servername)) == NULL) goto err; } + if ((tmp = SSL_get_version(ctx->ssl_conn)) == NULL) + goto err; + ctx->conninfo->version = strdup(tmp); + if (ctx->conninfo->version == NULL) + goto err; + + if (tls_get_peer_cert_info(ctx) == -1) + goto err; + return (0); -err: - tls_free_conninfo(ctx->conninfo); + + err: + tls_conninfo_free(ctx->conninfo); + ctx->conninfo = NULL; + return (-1); } void -tls_free_conninfo(struct tls_conninfo *conninfo) +tls_conninfo_free(struct tls_conninfo *conninfo) { - if (conninfo != NULL) { - free(conninfo->alpn); - conninfo->alpn = NULL; - free(conninfo->hash); - conninfo->hash = NULL; - free(conninfo->subject); - conninfo->subject = NULL; - free(conninfo->issuer); - conninfo->issuer = NULL; - free(conninfo->version); - conninfo->version = NULL; - free(conninfo->cipher); - conninfo->cipher = NULL; - } + if (conninfo == NULL) + return; + + free(conninfo->alpn); + conninfo->alpn = NULL; + free(conninfo->cipher); + conninfo->cipher = NULL; + free(conninfo->version); + conninfo->version = NULL; + + free(conninfo->hash); + conninfo->hash = NULL; + free(conninfo->issuer); + conninfo->issuer = NULL; + free(conninfo->subject); + conninfo->subject = NULL; + + free(conninfo); } const char * @@ -253,7 +284,7 @@ tls_conn_servername(struct tls *ctx) return (NULL); return (ctx->conninfo->servername); } - + const char * tls_conn_version(struct tls *ctx) { |