validity times for tls connections.
ok jsing@
-# $OpenBSD: Makefile,v 1.21 2015/09/14 16:16:38 jsing Exp $
+# $OpenBSD: Makefile,v 1.22 2015/10/07 23:33:38 beck Exp $
CFLAGS+= -Wall -Werror -Wimplicit
CFLAGS+= -DLIBRESSL_INTERNAL
MLINKS+=tls_init.3 tls_peer_cert_issuer.3
MLINKS+=tls_init.3 tls_peer_cert_subject.3
MLINKS+=tls_init.3 tls_peer_cert_hash.3
+MLINKS+=tls_init.3 tls_peer_cert_notbefore.3
+MLINKS+=tls_init.3 tls_peer_cert_notafter.3
MLINKS+=tls_init.3 tls_conn_version.3
MLINKS+=tls_init.3 tls_conn_cipher.3
MLINKS+=tls_init.3 tls_load_file.3
-/* $OpenBSD: tls.h,v 1.25 2015/10/01 10:27:34 bcook Exp $ */
+/* $OpenBSD: tls.h,v 1.26 2015/10/07 23:33:38 beck Exp $ */
/*
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
*
const char * tls_peer_cert_hash(struct tls *_ctx);
const char * tls_peer_cert_issuer(struct tls *ctx);
const char * tls_peer_cert_subject(struct tls *ctx);
+time_t tls_peer_cert_notbefore(struct tls *ctx);
+time_t tls_peer_cert_notafter(struct tls *ctx);
+
const char * tls_conn_version(struct tls *ctx);
const char * tls_conn_cipher(struct tls *ctx);
-/* $OpenBSD: tls_conninfo.c,v 1.4 2015/10/07 23:25:45 beck Exp $ */
+/* $OpenBSD: tls_conninfo.c,v 1.5 2015/10/07 23:33:38 beck Exp $ */
/*
* Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
* Copyright (c) 2015 Bob Beck <beck@openbsd.org>
return (0);
}
+static int
+tls_get_peer_cert_times(struct tls *ctx, time_t *notbefore, time_t *notafter)
+{
+ struct tm before_tm, after_tm;
+ ASN1_TIME *before, *after;
+ int rv = -1;
+
+ memset(&before_tm, 0, sizeof(before_tm));
+ memset(&after_tm, 0, sizeof(after_tm));
+
+ if (ctx->ssl_peer_cert != NULL) {
+ if ((before = X509_get_notBefore(ctx->ssl_peer_cert)) == NULL)
+ goto err;
+ if ((after = X509_get_notAfter(ctx->ssl_peer_cert)) == NULL)
+ goto err;
+ if (asn1_time_parse(before->data, before->length, &before_tm, 0)
+ == -1)
+ goto err;
+ if (asn1_time_parse(after->data, after->length, &after_tm, 0)
+ == -1)
+ goto err;
+ if ((*notbefore = timegm(&before_tm)) == -1)
+ goto err;
+ if ((*notafter = timegm(&after_tm)) == -1)
+ goto err;
+ }
+ rv = 0;
+ err:
+ return (rv);
+}
+
int
tls_get_conninfo(struct tls *ctx) {
const char * tmp;
goto err;
if (tls_get_peer_cert_issuer(ctx, &ctx->conninfo->issuer) == -1)
goto err;
+ if (tls_get_peer_cert_times(ctx, &ctx->conninfo->notbefore,
+ &ctx->conninfo->notafter) == -1)
+ goto err;
}
if ((tmp = SSL_get_version(ctx->ssl_conn)) == NULL)
goto err;
-.\" $OpenBSD: tls_init.3,v 1.49 2015/09/14 21:23:00 jmc Exp $
+.\" $OpenBSD: tls_init.3,v 1.50 2015/10/07 23:33:38 beck Exp $
.\"
.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
.\"
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: September 14 2015 $
+.Dd $Mdocdate: October 7 2015 $
.Dt TLS_INIT 3
.Os
.Sh NAME
.Nm tls_peer_cert_issuer ,
.Nm tls_peer_cert_subject ,
.Nm tls_peer_cert_hash ,
+.Nm tls_peer_cert_notbefore ,
+.Nm tls_peer_cert_notafter ,
.Nm tls_conn_version ,
.Nm tls_conn_cipher ,
.Nm tls_load_file ,
.Fn tls_peer_cert_subject "struct tls *ctx"
.Ft "const char *"
.Fn tls_peer_cert_hash "struct tls *ctx"
+.Ft "time_t"
+.Fn tls_peer_cert_notbefore "struct tls *ctx"
+.Ft "time_t"
+.Fn tls_peer_cert_notafter "struct tls *ctx"
.Ft "const char *"
.Fn tls_conn_version "struct tls *ctx"
.Ft "const char *"
printf "SHA256:${h}\\n"
.Ed
.It
+.Fn tls_peer_cert_notbefore
+returns the time corresponding to the start of the validity period of
+the peer certificate from
+.Ar ctx .
+.Fn tls_peer_cert_notbefore
+will only succeed after the handshake is complete.
+.Em (Server and client)
+.It
+.Fn tls_peer_cert_notafter
+returns the time corresponding to the end of the validity period of
+the peer certificate from
+.Ar ctx .
+.Fn tls_peer_cert_notafter
+will only succeed after the handshake is complete.
+.Em (Server and client)
+.It
.Fn tls_conn_version
returns a string
corresponding to a TLS version negotiated with the peer
and
.Fn tls_peer_cert_contains_name
functions return 1 if the check succeeds, and 0 if it does not.
+Functions that return a
+.Vt time_t
+will return a time in epoch-seconds on success, and -1 on error.
+Functions that return a
+.Vt ssize_t
+will return a size on success, and -1 on error.
All other functions that return
.Vt int
-or
-.Vt ssize_t
will return 0 on success and -1 on error.
Functions that return a pointer will return NULL on error, which indicates an
out of memory condition.
-/* $OpenBSD: tls_internal.h,v 1.25 2015/09/29 13:10:53 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.26 2015/10/07 23:33:38 beck Exp $ */
/*
* Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
char *fingerprint;
char *version;
char *cipher;
+ time_t notbefore;
+ time_t notafter;
};
#define TLS_CLIENT (1 << 0)
int tls_get_conninfo(struct tls *ctx);
void tls_free_conninfo(struct tls_conninfo *conninfo);
+int asn1_time_parse(const char *, size_t, struct tm *, int);
+
#endif /* HEADER_TLS_INTERNAL_H */
-/* $OpenBSD: tls_peer.c,v 1.4 2015/09/12 21:00:38 beck Exp $ */
+/* $OpenBSD: tls_peer.c,v 1.5 2015/10/07 23:33:38 beck Exp $ */
/*
* Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
* Copyright (c) 2015 Bob Beck <beck@openbsd.org>
return (tls_check_name(ctx, ctx->ssl_peer_cert, name) == 0);
}
+time_t
+tls_peer_cert_notbefore(struct tls *ctx)
+{
+ if (ctx->ssl_peer_cert == NULL)
+ return (-1);
+ if (ctx->conninfo == NULL)
+ return (-1);
+ return (ctx->conninfo->notbefore);
+}
+
+time_t
+tls_peer_cert_notafter(struct tls *ctx)
+{
+ if (ctx->ssl_peer_cert == NULL)
+ return (-1);
+ if (ctx->conninfo == NULL)
+ return (-1);
+ return (ctx->conninfo->notafter);
+}
+
projects / openbsd / commitdiff