1 ebfc5784 2024-01-07 op /* $OpenBSD: tls_conninfo.c,v 1.24 2023/11/13 10:51:49 tb Exp $ */
3 f9ab77a8 2023-08-23 op * Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
4 f9ab77a8 2023-08-23 op * Copyright (c) 2015 Bob Beck <beck@openbsd.org>
6 f9ab77a8 2023-08-23 op * Permission to use, copy, modify, and distribute this software for any
7 f9ab77a8 2023-08-23 op * purpose with or without fee is hereby granted, provided that the above
8 f9ab77a8 2023-08-23 op * copyright notice and this permission notice appear in all copies.
10 f9ab77a8 2023-08-23 op * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 f9ab77a8 2023-08-23 op * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 f9ab77a8 2023-08-23 op * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 f9ab77a8 2023-08-23 op * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 f9ab77a8 2023-08-23 op * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 f9ab77a8 2023-08-23 op * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 f9ab77a8 2023-08-23 op * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 f9ab77a8 2023-08-23 op #include "config.h"
21 f9ab77a8 2023-08-23 op #include <stdio.h>
22 f9ab77a8 2023-08-23 op #include <string.h>
24 f9ab77a8 2023-08-23 op #include <openssl/x509.h>
26 f9ab77a8 2023-08-23 op #include <tls.h>
27 f9ab77a8 2023-08-23 op #include "tls_internal.h"
29 f9ab77a8 2023-08-23 op int ASN1_time_tm_clamp_notafter(struct tm *tm);
32 f9ab77a8 2023-08-23 op tls_hex_string(const unsigned char *in, size_t inlen, char **out,
33 f9ab77a8 2023-08-23 op size_t *outlen)
35 f9ab77a8 2023-08-23 op static const char hex[] = "0123456789abcdef";
36 f9ab77a8 2023-08-23 op size_t i, len;
39 f9ab77a8 2023-08-23 op if (outlen != NULL)
42 f9ab77a8 2023-08-23 op if (inlen >= SIZE_MAX)
44 f9ab77a8 2023-08-23 op if ((*out = reallocarray(NULL, inlen + 1, 2)) == NULL)
49 f9ab77a8 2023-08-23 op for (i = 0; i < inlen; i++) {
50 f9ab77a8 2023-08-23 op p[len++] = hex[(in[i] >> 4) & 0x0f];
51 f9ab77a8 2023-08-23 op p[len++] = hex[in[i] & 0x0f];
55 f9ab77a8 2023-08-23 op if (outlen != NULL)
56 f9ab77a8 2023-08-23 op *outlen = len;
62 f9ab77a8 2023-08-23 op tls_get_peer_cert_hash(struct tls *ctx, char **hash)
65 f9ab77a8 2023-08-23 op if (ctx->ssl_peer_cert == NULL)
68 f9ab77a8 2023-08-23 op if (tls_cert_hash(ctx->ssl_peer_cert, hash) == -1) {
69 f9ab77a8 2023-08-23 op tls_set_errorx(ctx, "unable to compute peer certificate hash - out of memory");
77 f9ab77a8 2023-08-23 op tls_get_peer_cert_issuer(struct tls *ctx, char **issuer)
79 f9ab77a8 2023-08-23 op X509_NAME *name = NULL;
81 f9ab77a8 2023-08-23 op *issuer = NULL;
82 f9ab77a8 2023-08-23 op if (ctx->ssl_peer_cert == NULL)
84 f9ab77a8 2023-08-23 op if ((name = X509_get_issuer_name(ctx->ssl_peer_cert)) == NULL)
86 f9ab77a8 2023-08-23 op *issuer = X509_NAME_oneline(name, 0, 0);
87 f9ab77a8 2023-08-23 op if (*issuer == NULL)
93 f9ab77a8 2023-08-23 op tls_get_peer_cert_subject(struct tls *ctx, char **subject)
95 f9ab77a8 2023-08-23 op X509_NAME *name = NULL;
97 f9ab77a8 2023-08-23 op *subject = NULL;
98 f9ab77a8 2023-08-23 op if (ctx->ssl_peer_cert == NULL)
100 f9ab77a8 2023-08-23 op if ((name = X509_get_subject_name(ctx->ssl_peer_cert)) == NULL)
102 f9ab77a8 2023-08-23 op *subject = X509_NAME_oneline(name, 0, 0);
103 f9ab77a8 2023-08-23 op if (*subject == NULL)
109 f9ab77a8 2023-08-23 op tls_get_peer_cert_times(struct tls *ctx, time_t *notbefore,
110 f9ab77a8 2023-08-23 op time_t *notafter)
112 f9ab77a8 2023-08-23 op struct tm before_tm, after_tm;
113 f9ab77a8 2023-08-23 op ASN1_TIME *before, *after;
115 f9ab77a8 2023-08-23 op if (ctx->ssl_peer_cert == NULL)
118 f9ab77a8 2023-08-23 op if ((before = X509_get_notBefore(ctx->ssl_peer_cert)) == NULL)
120 f9ab77a8 2023-08-23 op if ((after = X509_get_notAfter(ctx->ssl_peer_cert)) == NULL)
122 ebfc5784 2024-01-07 op if (!ASN1_TIME_to_tm(before, &before_tm))
124 ebfc5784 2024-01-07 op if (!ASN1_TIME_to_tm(after, &after_tm))
126 f9ab77a8 2023-08-23 op if (!ASN1_time_tm_clamp_notafter(&after_tm))
128 f9ab77a8 2023-08-23 op if ((*notbefore = timegm(&before_tm)) == -1)
130 f9ab77a8 2023-08-23 op if ((*notafter = timegm(&after_tm)) == -1)
140 f9ab77a8 2023-08-23 op tls_get_peer_cert_info(struct tls *ctx)
142 f9ab77a8 2023-08-23 op if (ctx->ssl_peer_cert == NULL)
145 f9ab77a8 2023-08-23 op if (tls_get_peer_cert_hash(ctx, &ctx->conninfo->hash) == -1)
147 f9ab77a8 2023-08-23 op if (tls_get_peer_cert_subject(ctx, &ctx->conninfo->subject) == -1)
149 f9ab77a8 2023-08-23 op if (tls_get_peer_cert_issuer(ctx, &ctx->conninfo->issuer) == -1)
151 f9ab77a8 2023-08-23 op if (tls_get_peer_cert_times(ctx, &ctx->conninfo->notbefore,
152 f9ab77a8 2023-08-23 op &ctx->conninfo->notafter) == -1)
162 f9ab77a8 2023-08-23 op tls_conninfo_alpn_proto(struct tls *ctx)
164 f9ab77a8 2023-08-23 op const unsigned char *p;
165 f9ab77a8 2023-08-23 op unsigned int len;
167 f9ab77a8 2023-08-23 op free(ctx->conninfo->alpn);
168 f9ab77a8 2023-08-23 op ctx->conninfo->alpn = NULL;
170 f9ab77a8 2023-08-23 op SSL_get0_alpn_selected(ctx->ssl_conn, &p, &len);
171 f9ab77a8 2023-08-23 op if (len > 0) {
172 f9ab77a8 2023-08-23 op if ((ctx->conninfo->alpn = malloc(len + 1)) == NULL)
174 f9ab77a8 2023-08-23 op memcpy(ctx->conninfo->alpn, p, len);
175 f9ab77a8 2023-08-23 op ctx->conninfo->alpn[len] = '\0';
182 f9ab77a8 2023-08-23 op tls_conninfo_cert_pem(struct tls *ctx)
184 f9ab77a8 2023-08-23 op int i, rv = -1;
185 f9ab77a8 2023-08-23 op BIO *membio = NULL;
186 f9ab77a8 2023-08-23 op BUF_MEM *bptr = NULL;
188 f9ab77a8 2023-08-23 op if (ctx->ssl_peer_cert == NULL)
190 f9ab77a8 2023-08-23 op if ((membio = BIO_new(BIO_s_mem()))== NULL)
194 f9ab77a8 2023-08-23 op * We have to write the peer cert out separately, because
195 f9ab77a8 2023-08-23 op * the certificate chain may or may not contain it.
197 f9ab77a8 2023-08-23 op if (!PEM_write_bio_X509(membio, ctx->ssl_peer_cert))
199 f9ab77a8 2023-08-23 op for (i = 0; i < sk_X509_num(ctx->ssl_peer_chain); i++) {
200 f9ab77a8 2023-08-23 op X509 *chaincert = sk_X509_value(ctx->ssl_peer_chain, i);
201 f9ab77a8 2023-08-23 op if (chaincert != ctx->ssl_peer_cert &&
202 f9ab77a8 2023-08-23 op !PEM_write_bio_X509(membio, chaincert))
206 f9ab77a8 2023-08-23 op BIO_get_mem_ptr(membio, &bptr);
207 f9ab77a8 2023-08-23 op free(ctx->conninfo->peer_cert);
208 f9ab77a8 2023-08-23 op ctx->conninfo->peer_cert_len = 0;
209 f9ab77a8 2023-08-23 op if ((ctx->conninfo->peer_cert = malloc(bptr->length)) == NULL)
211 f9ab77a8 2023-08-23 op ctx->conninfo->peer_cert_len = bptr->length;
212 f9ab77a8 2023-08-23 op memcpy(ctx->conninfo->peer_cert, bptr->data,
213 f9ab77a8 2023-08-23 op ctx->conninfo->peer_cert_len);
215 f9ab77a8 2023-08-23 op /* BIO_free() will kill BUF_MEM - because we have not set BIO_NOCLOSE */
218 f9ab77a8 2023-08-23 op BIO_free(membio);
223 f9ab77a8 2023-08-23 op tls_conninfo_session(struct tls *ctx)
225 f9ab77a8 2023-08-23 op ctx->conninfo->session_resumed = SSL_session_reused(ctx->ssl_conn);
231 f9ab77a8 2023-08-23 op tls_conninfo_populate(struct tls *ctx)
233 f9ab77a8 2023-08-23 op const char *tmp;
235 f9ab77a8 2023-08-23 op tls_conninfo_free(ctx->conninfo);
237 f9ab77a8 2023-08-23 op if ((ctx->conninfo = calloc(1, sizeof(struct tls_conninfo))) == NULL) {
238 f9ab77a8 2023-08-23 op tls_set_errorx(ctx, "out of memory");
242 f9ab77a8 2023-08-23 op if (tls_conninfo_alpn_proto(ctx) == -1)
245 f9ab77a8 2023-08-23 op if ((tmp = SSL_get_cipher(ctx->ssl_conn)) == NULL)
247 f9ab77a8 2023-08-23 op if ((ctx->conninfo->cipher = strdup(tmp)) == NULL)
249 f9ab77a8 2023-08-23 op ctx->conninfo->cipher_strength = SSL_get_cipher_bits(ctx->ssl_conn, NULL);
251 f9ab77a8 2023-08-23 op if (ctx->servername != NULL) {
252 f9ab77a8 2023-08-23 op if ((ctx->conninfo->servername =
253 f9ab77a8 2023-08-23 op strdup(ctx->servername)) == NULL)
257 f9ab77a8 2023-08-23 op if ((tmp = SSL_get_version(ctx->ssl_conn)) == NULL)
259 f9ab77a8 2023-08-23 op if ((ctx->conninfo->version = strdup(tmp)) == NULL)
262 f9ab77a8 2023-08-23 op if (tls_get_peer_cert_info(ctx) == -1)
265 f9ab77a8 2023-08-23 op if (tls_conninfo_cert_pem(ctx) == -1)
268 f9ab77a8 2023-08-23 op if (tls_conninfo_session(ctx) == -1)
274 f9ab77a8 2023-08-23 op tls_conninfo_free(ctx->conninfo);
275 f9ab77a8 2023-08-23 op ctx->conninfo = NULL;
281 f9ab77a8 2023-08-23 op tls_conninfo_free(struct tls_conninfo *conninfo)
283 f9ab77a8 2023-08-23 op if (conninfo == NULL)
286 f9ab77a8 2023-08-23 op free(conninfo->alpn);
287 f9ab77a8 2023-08-23 op free(conninfo->cipher);
288 f9ab77a8 2023-08-23 op free(conninfo->servername);
289 f9ab77a8 2023-08-23 op free(conninfo->version);
291 f9ab77a8 2023-08-23 op free(conninfo->hash);
292 f9ab77a8 2023-08-23 op free(conninfo->issuer);
293 f9ab77a8 2023-08-23 op free(conninfo->subject);
295 f9ab77a8 2023-08-23 op free(conninfo->peer_cert);
297 f9ab77a8 2023-08-23 op free(conninfo);
301 f9ab77a8 2023-08-23 op tls_conn_alpn_selected(struct tls *ctx)
303 f9ab77a8 2023-08-23 op if (ctx->conninfo == NULL)
304 f9ab77a8 2023-08-23 op return (NULL);
305 f9ab77a8 2023-08-23 op return (ctx->conninfo->alpn);
309 f9ab77a8 2023-08-23 op tls_conn_cipher(struct tls *ctx)
311 f9ab77a8 2023-08-23 op if (ctx->conninfo == NULL)
312 f9ab77a8 2023-08-23 op return (NULL);
313 f9ab77a8 2023-08-23 op return (ctx->conninfo->cipher);
317 f9ab77a8 2023-08-23 op tls_conn_cipher_strength(struct tls *ctx)
319 f9ab77a8 2023-08-23 op if (ctx->conninfo == NULL)
321 f9ab77a8 2023-08-23 op return (ctx->conninfo->cipher_strength);
325 f9ab77a8 2023-08-23 op tls_conn_servername(struct tls *ctx)
327 f9ab77a8 2023-08-23 op if (ctx->conninfo == NULL)
328 f9ab77a8 2023-08-23 op return (NULL);
329 f9ab77a8 2023-08-23 op return (ctx->conninfo->servername);
333 f9ab77a8 2023-08-23 op tls_conn_session_resumed(struct tls *ctx)
335 f9ab77a8 2023-08-23 op if (ctx->conninfo == NULL)
337 f9ab77a8 2023-08-23 op return (ctx->conninfo->session_resumed);
341 f9ab77a8 2023-08-23 op tls_conn_version(struct tls *ctx)
343 f9ab77a8 2023-08-23 op if (ctx->conninfo == NULL)
344 f9ab77a8 2023-08-23 op return (NULL);
345 f9ab77a8 2023-08-23 op return (ctx->conninfo->version);