From patchwork Fri Feb 19 20:01:50 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Luka Logar X-Patchwork-Id: 1442438 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.openwrt.org (client-ip=2001:8b0:10b:1231::1; helo=merlin.infradead.org; envelope-from=openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org; receiver=) Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; secure) header.d=lists.infradead.org header.i=@lists.infradead.org header.a=rsa-sha256 header.s=merlin.20170209 header.b=YjG5GeqU; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=cifra.si header.i=@cifra.si header.a=rsa-sha256 header.s=dkim header.b=rBMJYPfg; dkim-atps=neutral Received: from merlin.infradead.org (merlin.infradead.org [IPv6:2001:8b0:10b:1231::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4Dj2bd30ktz9sVy for ; Sat, 20 Feb 2021 07:04:28 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:MIME-Version:Message-Id:Date:Subject:To:From: Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender :Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Owner; bh=9KvUq4UhmDzaUG0pyVE1BQ5rszFLsJ86t+pFmBvUoMw=; b=YjG5GeqUxOeL65Bsme/DLc8+ca FOS8oqEDQWqx/VCC3w5lMuPvZSCuQTV1fdgoQ++oN8TCpnWCFykzQW7flEpolm5yAnLVlNFJGflXP GWigdINe+S9qAcR+KohuXr+xcoXLyhCAoooOMFNNVOzf6j6MsaXAbW9CB1MoXXffSg4TRUj+O5v6K 9L4KWv9KOisBTDHLo4tEMnYtA8H5Kow52HU+GWXAMPdlLepLypcs70BZg4EBiEaZouk/ANsRt3IWf GA9rOSBR/GbK88+022DcnSpHvgYdJp1URH+DrsCwn9oq/8hOyFgO1wjSpAfs8z2MN7VgavNIeJ884 diQPp73w==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1lDByc-00012v-4R; Fri, 19 Feb 2021 20:02:10 +0000 Received: from cifra.si ([84.255.231.188] helo=mail.cifra.si) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1lDByZ-00011R-6W for openwrt-devel@lists.openwrt.org; Fri, 19 Feb 2021 20:02:08 +0000 dkim-signature: v=1; a=rsa-sha256; d=cifra.si; s=dkim; c=relaxed/relaxed; q=dns/txt; h=From:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Transfer-Encoding; bh=6wO+BANHxnHxIbVDzfi7URMXw63c9HN+cibECCnYews=; b=rBMJYPfgOsh3ghtK7tJp57Uzt9t5MNeEPPt6V+huuWrCfCgiHygW9EOocgQWUx332VotfJ60tUibqhSf4a+PdiNsWnlsMBzYqQAyjnSl+BUc0YHsaTolFSJSquPecDr5lzitgJ99eNeBDlduA/Lk31NX/VoFs796wgwnmh175No= Received: from localhost.localdomain (vm2.cifra.si [10.0.0.208]) by mail.cifra.si with ESMTP ; Fri, 19 Feb 2021 21:01:51 +0100 From: Luka Logar To: openwrt-devel@lists.openwrt.org Subject: [PATCH] ustream-ssl: store TLS peer cert data in a ustream_ssl structure Date: Fri, 19 Feb 2021 21:01:50 +0100 Message-Id: <20210219200150.1345895-1-luka.logar@cifra.si> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20210219_150207_555429_9CCD48B7 X-CRM114-Status: GOOD ( 10.54 ) X-Spam-Score: -0.2 (/) X-Spam-Report: SpamAssassin version 3.4.4 on merlin.infradead.org summary: Content analysis details: (-0.2 points) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 SPF_PASS SPF: sender matches SPF record -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain X-BeenThere: openwrt-devel@lists.openwrt.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: OpenWrt Development List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Luka Logar Sender: "openwrt-devel" Errors-To: openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org Store peer certificate, it's sha256 hash and subject name in ustream_ssl struct, so the upper layer can access and use this data. This data can then be used, for example, in client authentication. Signed-off-by: Luka Logar --- ustream-openssl.c | 22 ++++++++++++++++++++++ ustream-ssl.c | 5 +++++ ustream-ssl.h | 4 ++++ 3 files changed, 31 insertions(+) diff --git a/ustream-openssl.c b/ustream-openssl.c index 1ce796a..926fe71 100644 --- a/ustream-openssl.c +++ b/ustream-openssl.c @@ -267,6 +267,10 @@ static void ustream_ssl_verify_cert(struct ustream_ssl *us) void *ssl = us->ssl; X509 *cert; int res; + BIO *bio; + char *ptr; + int len; + unsigned char md[32]; res = SSL_get_verify_result(ssl); if (res != X509_V_OK) { @@ -282,6 +286,24 @@ static void ustream_ssl_verify_cert(struct ustream_ssl *us) us->valid_cert = true; us->valid_cn = ustream_ssl_verify_cn(us, cert); + bio = BIO_new(BIO_s_mem()); + PEM_write_bio_X509(bio, cert); + len = BIO_get_mem_data(bio, &ptr); + us->peer_cert = calloc(1, len + 1); + memcpy(us->peer_cert, ptr, len); + BIO_free(bio); + + X509_digest(cert, EVP_sha256(), md, NULL); + for (int n = 0; n < 32; n++) + sprintf(&us->peer_cert_sha256[2*n], "%02X", md[n]); + + bio = BIO_new(BIO_s_mem()); + X509_NAME_print_ex(bio, X509_get_subject_name(cert), 0, 0); + len = BIO_get_mem_data(bio, &ptr); + us->peer_cert_sn = calloc(1, len + 1); + memcpy(us->peer_cert_sn, ptr, len); + BIO_free(bio); + X509_free(cert); } diff --git a/ustream-ssl.c b/ustream-ssl.c index cd69f9e..98435c8 100644 --- a/ustream-ssl.c +++ b/ustream-ssl.c @@ -156,6 +156,8 @@ static void ustream_ssl_free(struct ustream *s) uloop_timeout_cancel(&us->error_timer); __ustream_ssl_session_free(us->ssl); free(us->peer_cn); + free(us->peer_cert); + free(us->peer_cert_sn); us->ctx = NULL; us->ssl = NULL; @@ -199,6 +201,9 @@ static int _ustream_ssl_init(struct ustream_ssl *us, struct ustream *conn, struc us->conn = conn; us->ctx = ctx; + us->peer_cert = NULL; + us->peer_cert_sn = NULL; + us->ssl = __ustream_ssl_session_new(us->ctx); if (!us->ssl) return -ENOMEM; diff --git a/ustream-ssl.h b/ustream-ssl.h index 87c0ae6..fc80552 100644 --- a/ustream-ssl.h +++ b/ustream-ssl.h @@ -43,6 +43,10 @@ struct ustream_ssl { bool valid_cert; bool valid_cn; bool require_validation; + + char *peer_cert; + char peer_cert_sha256[65]; + char *peer_cert_sn; }; struct ustream_ssl_ctx;