Store the peer certificate, its SHA-256 hash and subject name in the ustream_ssl struct, so the upper layer can access and use this data. This data can then be used, for example, for client authentication.
Signed-off-by: Luka Logar <luka.lo...@cifra.si>
---
 ustream-openssl.c | 22 ++++++++++++++++++++++
 ustream-ssl.c | 5 +++++
 ustream-ssl.h | 4 ++++
 3 files changed, 31 insertions(+)
diff --git a/ustream-openssl.c b/ustream-openssl.c
index 1ce796a..926fe71 100644
--- a/ustream-openssl.c
+++ b/ustream-openssl.c
@@ -267,6 +267,10 @@ static void ustream_ssl_verify_cert(struct ustream_ssl *us)
 void *ssl = us->ssl;
 X509 *cert;
 int res;
+ BIO *bio;
+ char *ptr;
+ int len;
+ unsigned char md[32];
 
 res = SSL_get_verify_result(ssl);
 if (res != X509_V_OK) {
@@ -282,6 +286,24 @@ static void ustream_ssl_verify_cert(struct ustream_ssl *us)
 us->valid_cert = true;
 us->valid_cn = ustream_ssl_verify_cn(us, cert);
 
+ bio = BIO_new(BIO_s_mem());
+ PEM_write_bio_X509(bio, cert);
+ len = BIO_get_mem_data(bio, &ptr);
+ us->peer_cert = calloc(1, len + 1);
+ memcpy(us->peer_cert, ptr, len);
+ BIO_free(bio);
+
+ X509_digest(cert, EVP_sha256(), md, NULL);
+ for (int n = 0; n < 32; n++)
+ sprintf(&us->peer_cert_sha256[2*n], "%02X", md[n]);
+
+ bio = BIO_new(BIO_s_mem());
+ X509_NAME_print_ex(bio, X509_get_subject_name(cert), 0, 0);
+ len = BIO_get_mem_data(bio, &ptr);
+ us->peer_cert_sn = calloc(1, len + 1);
+ memcpy(us->peer_cert_sn, ptr, len);
+ BIO_free(bio);
+
 X509_free(cert);
 }
 
diff --git a/ustream-ssl.c b/ustream-ssl.c
index cd69f9e..98435c8 100644
--- a/ustream-ssl.c
+++ b/ustream-ssl.c
@@ -156,6 +156,8 @@ static void ustream_ssl_free(struct ustream *s)
 uloop_timeout_cancel(&us->error_timer);
 __ustream_ssl_session_free(us->ssl);
 free(us->peer_cn);
+ free(us->peer_cert);
+ free(us->peer_cert_sn);
 
 us->ctx = NULL;
 us->ssl = NULL;
@@ -199,6 +201,9 @@ static int _ustream_ssl_init(struct ustream_ssl *us, struct ustream *conn, struc
 us->conn = conn;
 us->ctx = ctx;
 
+ us->peer_cert = NULL;
+ us->peer_cert_sn = NULL;
+
 us->ssl = __ustream_ssl_session_new(us->ctx);
 if (!us->ssl)
 return -ENOMEM;
diff --git a/ustream-ssl.h b/ustream-ssl.h
index 87c0ae6..fc80552 100644
--- a/ustream-ssl.h
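Review bot: Every OpenSSL and libc call in the second ustream-openssl.c hunk is unchecked — if BIO_new() or calloc() returns NULL the following PEM_write_bio_X509()/memcpy() dereference it, and if X509_digest() fails, `md` is still formatted into `peer_cert_sha256`, so the upper layer can receive uninitialised bytes presented as the peer's fingerprint and base client authentication on them. I would check each return, reset the three fields before filling them (which also avoids leaking the previous strings if ustream_ssl_verify_cert() can run more than once per session — not verifiable from this hunk), pass the digest length out of X509_digest() instead of hard-coding 32, and consider `XN_FLAG_RFC2253` for X509_NAME_print_ex() so the subject string is escaped and unambiguous if a consumer compares it (only if nothing depends on the legacy `/C=...` form). The matching declarations sit in the first hunk, where `unsigned char md[32]` and `int len` would become `unsigned char md[EVP_MAX_MD_SIZE]`, `unsigned int mdlen` and `long len`; ustream_ssl_verify_cert() starts before this hunk.
```c
/* Copy a memory BIO's contents into a freshly allocated, NUL-terminated
 * string; returns NULL on failure (nothing is left allocated). */
static char *ustream_ssl_bio_strdup(BIO *bio)
{
	char *ptr, *out;
	long len;

	len = BIO_get_mem_data(bio, &ptr);
	if (len < 0)
		return NULL;
	out = calloc(1, (size_t)len + 1);
	if (out)
		memcpy(out, ptr, (size_t)len);
	return out;
}

/* … unchanged: ustream_ssl_verify_cert() up to us->valid_cn = …;
 * declarations in the previous hunk become md[EVP_MAX_MD_SIZE] / unsigned int mdlen … */

	/* PEM form of the verified peer certificate; NULL on any failure */
	free(us->peer_cert);
	us->peer_cert = NULL;
	bio = BIO_new(BIO_s_mem());
	if (bio && PEM_write_bio_X509(bio, cert))
		us->peer_cert = ustream_ssl_bio_strdup(bio);
	BIO_free(bio);

	/* Uppercase hex SHA-256 of the DER certificate; empty string on failure
	 * so a consumer never sees leftover or uninitialised bytes */
	us->peer_cert_sha256[0] = '\0';
	if (X509_digest(cert, EVP_sha256(), md, &mdlen) &&
	    mdlen * 2 < sizeof(us->peer_cert_sha256)) {
		for (unsigned int n = 0; n < mdlen; n++)
			sprintf(&us->peer_cert_sha256[2 * n], "%02X", md[n]);
	}

	/* Subject name in RFC 2253 form (escaped, unambiguous); NULL on failure */
	free(us->peer_cert_sn);
	us->peer_cert_sn = NULL;
	bio = BIO_new(BIO_s_mem());
	if (bio && X509_NAME_print_ex(bio, X509_get_subject_name(cert), 0, XN_FLAG_RFC2253) >= 0)
		us->peer_cert_sn = ustream_ssl_bio_strdup(bio);
	BIO_free(bio);

	/* … unchanged: X509_free(cert) … */
```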
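Review bot: `us->peer_cert_sha256` is not reset in the _ustream_ssl_init() hunk although `peer_cert` and `peer_cert_sn` are, so a `struct ustream_ssl` that is re-initialised, or whose verification exits before the new fingerprint is written, still carries the previous peer's hash and a consumer reading that field could take it for the current peer's. Add `us->peer_cert_sha256[0] = '\0';` next to the two NULL assignments. The same applies after the two `free()` calls in the ustream_ssl_free() hunk, where setting the freed pointers to NULL would also match the `us->ctx = NULL;` / `us->ssl = NULL;` lines that follow. Both functions continue outside their hunks.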
+++ b/ustream-ssl.h
@@ -43,6 +43,10 @@ struct ustream_ssl {
 bool valid_cert;
 bool valid_cn;
 bool require_validation;
+
+ char *peer_cert;
+ char peer_cert_sha256[65];
+ char *peer_cert_sn;
 };
 
 struct ustream_ssl_ctx;
-- 
2.25.1
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
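Review bot: The three new fields are undocumented, and this header is the only place an upper layer learns what they hold, who owns them and when they are valid. I would annotate them, e.g. `char *peer_cert; /* peer certificate as PEM text; owned by ustream-ssl and freed in ustream_ssl_free(); NULL until the certificate has been verified */`, `char peer_cert_sha256[65]; /* uppercase hex SHA-256 of the DER certificate, NUL-terminated (2 * 32 + 1) */` and `char *peer_cert_sn; /* subject name as printed by the TLS backend; same ownership as peer_cert */`. The literal `65` would read better as `2 * 32 + 1` or a named constant, and the comment should say that the fields are filled only on the X509_V_OK path of the verification routine (inferred from the ustream-openssl.c hunks), so a consumer checks `valid_cert` before relying on them.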