From patchwork Fri Feb 19 20:01:50 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Luka Logar <luka.logar@cifra.si>
X-Patchwork-Id: 1442438
Return-Path: 
 <openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=lists.openwrt.org
 (client-ip=2001:8b0:10b:1231::1; helo=merlin.infradead.org;
 envelope-from=openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org;
 receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
	dkim=pass (2048-bit key;
 secure) header.d=lists.infradead.org header.i=@lists.infradead.org
 header.a=rsa-sha256 header.s=merlin.20170209 header.b=YjG5GeqU;
	dkim=fail reason="signature verification failed" (1024-bit key;
 unprotected) header.d=cifra.si header.i=@cifra.si header.a=rsa-sha256
 header.s=dkim header.b=rBMJYPfg;
	dkim-atps=neutral
Received: from merlin.infradead.org (merlin.infradead.org
 [IPv6:2001:8b0:10b:1231::1])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest
 SHA256)
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 4Dj2bd30ktz9sVy
	for <incoming@patchwork.ozlabs.org>; Sat, 20 Feb 2021 07:04:28 +1100 (AEDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding:
	Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive:
	List-Unsubscribe:List-Id:MIME-Version:Message-Id:Date:Subject:To:From:
	Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender
	:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Owner;
	bh=9KvUq4UhmDzaUG0pyVE1BQ5rszFLsJ86t+pFmBvUoMw=; b=YjG5GeqUxOeL65Bsme/DLc8+ca
	FOS8oqEDQWqx/VCC3w5lMuPvZSCuQTV1fdgoQ++oN8TCpnWCFykzQW7flEpolm5yAnLVlNFJGflXP
	GWigdINe+S9qAcR+KohuXr+xcoXLyhCAoooOMFNNVOzf6j6MsaXAbW9CB1MoXXffSg4TRUj+O5v6K
	9L4KWv9KOisBTDHLo4tEMnYtA8H5Kow52HU+GWXAMPdlLepLypcs70BZg4EBiEaZouk/ANsRt3IWf
	GA9rOSBR/GbK88+022DcnSpHvgYdJp1URH+DrsCwn9oq/8hOyFgO1wjSpAfs8z2MN7VgavNIeJ884
	diQPp73w==;
Received: from localhost ([::1] helo=merlin.infradead.org)
	by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux))
	id 1lDByc-00012v-4R; Fri, 19 Feb 2021 20:02:10 +0000
Received: from cifra.si ([84.255.231.188] helo=mail.cifra.si)
 by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux))
 id 1lDByZ-00011R-6W
 for openwrt-devel@lists.openwrt.org; Fri, 19 Feb 2021 20:02:08 +0000
dkim-signature: v=1; a=rsa-sha256; d=cifra.si; s=dkim;
 c=relaxed/relaxed; q=dns/txt;
 h=From:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Transfer-Encoding;
 bh=6wO+BANHxnHxIbVDzfi7URMXw63c9HN+cibECCnYews=;
 b=rBMJYPfgOsh3ghtK7tJp57Uzt9t5MNeEPPt6V+huuWrCfCgiHygW9EOocgQWUx332VotfJ60tUibqhSf4a+PdiNsWnlsMBzYqQAyjnSl+BUc0YHsaTolFSJSquPecDr5lzitgJ99eNeBDlduA/Lk31NX/VoFs796wgwnmh175No=
Received: from localhost.localdomain (vm2.cifra.si [10.0.0.208])
 by mail.cifra.si with ESMTP ; Fri, 19 Feb 2021 21:01:51 +0100
From: Luka Logar <luka.logar@cifra.si>
To: openwrt-devel@lists.openwrt.org
Subject: [PATCH] ustream-ssl: store TLS peer cert data in a ustream_ssl
 structure
Date: Fri, 19 Feb 2021 21:01:50 +0100
Message-Id: <20210219200150.1345895-1-luka.logar@cifra.si>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20210219_150207_555429_9CCD48B7 
X-CRM114-Status: GOOD (  10.54  )
X-Spam-Score: -0.2 (/)
X-Spam-Report: SpamAssassin version 3.4.4 on merlin.infradead.org summary:
 Content analysis details:   (-0.2 points)
 pts rule name              description
 ---- ----------------------
 --------------------------------------------------
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 -0.0 SPF_PASS               SPF: sender matches SPF record
 -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from
 envelope-from domain
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature,
 not necessarily
 valid
 -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
 -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
 author's domain
X-BeenThere: openwrt-devel@lists.openwrt.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OpenWrt Development List <openwrt-devel.lists.openwrt.org>
List-Unsubscribe: <https://lists.openwrt.org/mailman/options/openwrt-devel>,
 <mailto:openwrt-devel-request@lists.openwrt.org?subject=unsubscribe>
List-Archive: <http://lists.openwrt.org/pipermail/openwrt-devel/>
List-Post: <mailto:openwrt-devel@lists.openwrt.org>
List-Help: <mailto:openwrt-devel-request@lists.openwrt.org?subject=help>
List-Subscribe: <https://lists.openwrt.org/mailman/listinfo/openwrt-devel>,
 <mailto:openwrt-devel-request@lists.openwrt.org?subject=subscribe>
Cc: Luka Logar <luka.logar@cifra.si>
Sender: "openwrt-devel" <openwrt-devel-bounces@lists.openwrt.org>
Errors-To: 
 openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org

Store peer certificate, it's sha256 hash and subject name in ustream_ssl struct, so the upper layer
can access and use this data. This data can then be used, for example, in client authentication.

Signed-off-by: Luka Logar <luka.logar@cifra.si>
---
 ustream-openssl.c | 22 ++++++++++++++++++++++
 ustream-ssl.c     |  5 +++++
 ustream-ssl.h     |  4 ++++
 3 files changed, 31 insertions(+)

diff --git a/ustream-openssl.c b/ustream-openssl.c
index 1ce796a..926fe71 100644
--- a/ustream-openssl.c
+++ b/ustream-openssl.c
@@ -267,6 +267,10 @@ static void ustream_ssl_verify_cert(struct ustream_ssl *us)
 	void *ssl = us->ssl;
 	X509 *cert;
 	int res;
+	BIO *bio;
+	char *ptr;
+	int len;
+	unsigned char md[32];
 
 	res = SSL_get_verify_result(ssl);
 	if (res != X509_V_OK) {
@@ -282,6 +286,24 @@ static void ustream_ssl_verify_cert(struct ustream_ssl *us)
 	us->valid_cert = true;
 	us->valid_cn = ustream_ssl_verify_cn(us, cert);
 
+	bio = BIO_new(BIO_s_mem());
+	PEM_write_bio_X509(bio, cert);
+	len = BIO_get_mem_data(bio, &ptr);
+	us->peer_cert = calloc(1, len + 1);
+	memcpy(us->peer_cert, ptr, len);
+	BIO_free(bio);
+
+	X509_digest(cert, EVP_sha256(), md, NULL);
+	for (int n = 0; n < 32; n++)
+		sprintf(&us->peer_cert_sha256[2*n], "%02X", md[n]);
+
+	bio = BIO_new(BIO_s_mem());
+	X509_NAME_print_ex(bio, X509_get_subject_name(cert), 0, 0);
+	len = BIO_get_mem_data(bio, &ptr);
+	us->peer_cert_sn = calloc(1, len + 1);
+	memcpy(us->peer_cert_sn, ptr, len);
+	BIO_free(bio);
+
 	X509_free(cert);
 }
 
diff --git a/ustream-ssl.c b/ustream-ssl.c
index cd69f9e..98435c8 100644
--- a/ustream-ssl.c
+++ b/ustream-ssl.c
@@ -156,6 +156,8 @@ static void ustream_ssl_free(struct ustream *s)
 	uloop_timeout_cancel(&us->error_timer);
 	__ustream_ssl_session_free(us->ssl);
 	free(us->peer_cn);
+	free(us->peer_cert);
+	free(us->peer_cert_sn);
 
 	us->ctx = NULL;
 	us->ssl = NULL;
@@ -199,6 +201,9 @@ static int _ustream_ssl_init(struct ustream_ssl *us, struct ustream *conn, struc
 	us->conn = conn;
 	us->ctx = ctx;
 
+	us->peer_cert = NULL;
+	us->peer_cert_sn = NULL;
+
 	us->ssl = __ustream_ssl_session_new(us->ctx);
 	if (!us->ssl)
 		return -ENOMEM;
diff --git a/ustream-ssl.h b/ustream-ssl.h
index 87c0ae6..fc80552 100644
--- a/ustream-ssl.h
+++ b/ustream-ssl.h
@@ -43,6 +43,10 @@ struct ustream_ssl {
 	bool valid_cert;
 	bool valid_cn;
 	bool require_validation;
+
+	char *peer_cert;
+	char  peer_cert_sha256[65];
+	char *peer_cert_sn;
 };
 
 struct ustream_ssl_ctx;