Move SSL_get_peer_* to Connection information. This is arguably more commonly queried connection information than the tls-unique. Change-Id: I1f080536153ba9f178af8e92cb43b03df37110b5 Reviewed-on: https://boringssl-review.googlesource.com/5874 Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 34a4c90..06a32df 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -941,6 +941,21 @@
 
 /* Connection information. */
 
+/* SSL_get_peer_certificate returns the peer's leaf certificate or NULL if the
+ * peer did not use certificates. The caller must call |X509_free| on the
+ * result to release it. */
+OPENSSL_EXPORT X509 *SSL_get_peer_certificate(const SSL *ssl);
+
+/* SSL_get_peer_cert_chain returns the peer's certificate chain or NULL if
+ * unavailable or the peer did not use certificates. For historical reasons,
+ * this may not be available if resuming a serialized |SSL_SESSION|. The caller
+ * does not take ownership of the result.
+ *
+ * WARNING: This function behaves differently between client and server. If
+ * |ssl| is a server, the returned chain does not include the leaf certificate.
+ * If a client, it does. */
+OPENSSL_EXPORT STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl);
+
 /* SSL_get_tls_unique writes at most |max_out| bytes of the tls-unique value
  * for |ssl| to |out| and sets |*out_len| to the number of bytes written. It
  * returns one on success or zero on error. In general |max_out| should be at
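Review bot: The new SSL_get_peer_certificate comment says nothing about whether the returned leaf has passed verification; as far as the ssl_lib.c hunk shows, it is simply |ssl->session->peer|, so a caller that reads it without also consulting the verify result may act on an identity that was never checked. Suggest appending to the comment: ` * This is the certificate the peer presented, not necessarily a verified one;` / ` * callers should consult |SSL_get_verify_result| before relying on it.` The same caveat applies to SSL_get_peer_cert_chain, whose ownership note is good but which likewise returns whatever the session holds. The SSL_get_tls_unique comment at the bottom continues past the end of this hunk.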
@@ -2380,21 +2395,6 @@
 OPENSSL_EXPORT SSL_SESSION *SSL_SESSION_from_bytes(const uint8_t *in,
                                                    size_t in_len);
 
-/* SSL_get_peer_certificate returns the peer's leaf certificate or NULL if the
- * peer did not use certificates. The caller must call |X509_free| on the
- * result to release it. */
-OPENSSL_EXPORT X509 *SSL_get_peer_certificate(const SSL *ssl);
-
-/* SSL_get_peer_cert_chain returns the peer's certificate chain or NULL if
- * unavailable or the peer did not use certificates. For historical reasons,
- * this may not be available if resuming a serialized |SSL_SESSION|. The caller
- * does not take ownership of the result.
- *
- * WARNING: This function behaves differently between client and server. If
- * |ssl| is a server, the returned chain does not include the leaf certificate.
- * If a client, it does. */
-OPENSSL_EXPORT STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl);
-
 OPENSSL_EXPORT int SSL_CTX_get_verify_mode(const SSL_CTX *ctx);
 OPENSSL_EXPORT int SSL_CTX_get_verify_depth(const SSL_CTX *ctx);
 OPENSSL_EXPORT int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 16abc47..9672e8c 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -868,6 +868,55 @@
 
 uint32_t SSL_get_mode(const SSL *ssl) { return ssl->mode; }
 
+X509 *SSL_get_peer_certificate(const SSL *ssl) {
+  if (ssl == NULL || ssl->session == NULL || ssl->session->peer == NULL) {
+    return NULL;
+  }
+  return X509_up_ref(ssl->session->peer);
+}
+
+STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl) {
+  if (ssl == NULL || ssl->session == NULL) {
+    return NULL;
+  }
+  return ssl->session->cert_chain;
+}
+
+int SSL_get_tls_unique(const SSL *ssl, uint8_t *out, size_t *out_len,
+                       size_t max_out) {
+  /* The tls-unique value is the first Finished message in the handshake, which
+   * is the client's in a full handshake and the server's for a resumption. See
+   * https://tools.ietf.org/html/rfc5929#section-3.1. */
+  const uint8_t *finished = ssl->s3->previous_client_finished;
+  size_t finished_len = ssl->s3->previous_client_finished_len;
+  if (ssl->hit) {
+    /* tls-unique is broken for resumed sessions unless EMS is used. */
+    if (!ssl->session->extended_master_secret) {
+      goto err;
+    }
+    finished = ssl->s3->previous_server_finished;
+    finished_len = ssl->s3->previous_server_finished_len;
+  }
+
+  if (!ssl->s3->initial_handshake_complete ||
+      ssl->version < TLS1_VERSION) {
+    goto err;
+  }
+
+  *out_len = finished_len;
+  if (finished_len > max_out) {
+    *out_len = max_out;
+  }
+
+  memcpy(out, finished, *out_len);
+  return 1;
+
+err:
+  *out_len = 0;
+  memset(out, 0, max_out);
+  return 0;
+}
+
 int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const uint8_t *sid_ctx,
                                    unsigned int sid_ctx_len) {
   if (sid_ctx_len > sizeof ctx->sid_ctx) {
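Review bot: SSL_get_tls_unique, as moved here, reports success after silently truncating: when `finished_len > max_out` it copies only |max_out| bytes and still returns 1, so a caller that undersizes |out| binds to a shortened tls-unique value with no error. The only observable signal is |*out_len| == |max_out|, which is ambiguous with an exact fit. Either make the ssl.h comment state plainly that a full-length result requires |max_out| large enough and that a truncated result is returned as success, or, if no caller depends on it, route `finished_len > max_out` to the `err` path alongside the other precondition failures. Separately, the two peer-certificate accessors above tolerate `ssl == NULL` while this function dereferences `ssl->s3` unconditionally; if NULL tolerance is part of the API contract it is worth documenting which of these three functions offer it.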
@@ -1187,20 +1236,6 @@
              : 0;
 }
 
-X509 *SSL_get_peer_certificate(const SSL *ssl) {
-  if (ssl == NULL || ssl->session == NULL || ssl->session->peer == NULL) {
-    return NULL;
-  }
-  return X509_up_ref(ssl->session->peer);
-}
-
-STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl) {
-  if (ssl == NULL || ssl->session == NULL) {
-    return NULL;
-  }
-  return ssl->session->cert_chain;
-}
-
 /* Fix this so it checks all the valid key/cert options */
 int SSL_CTX_check_private_key(const SSL_CTX *ctx) {
   if (ctx->cert->x509 == NULL) {
@@ -2745,41 +2780,6 @@
   EVP_AEAD_CTX_get_rc4_state(&ssl->aead_write_ctx->ctx, write_key);
 }
 
-int SSL_get_tls_unique(const SSL *ssl, uint8_t *out, size_t *out_len,
-                       size_t max_out) {
-  /* The tls-unique value is the first Finished message in the handshake, which
-   * is the client's in a full handshake and the server's for a resumption. See
-   * https://tools.ietf.org/html/rfc5929#section-3.1. */
-  const uint8_t *finished = ssl->s3->previous_client_finished;
-  size_t finished_len = ssl->s3->previous_client_finished_len;
-  if (ssl->hit) {
-    /* tls-unique is broken for resumed sessions unless EMS is used. */
-    if (!ssl->session->extended_master_secret) {
-      goto err;
-    }
-    finished = ssl->s3->previous_server_finished;
-    finished_len = ssl->s3->previous_server_finished_len;
-  }
-
-  if (!ssl->s3->initial_handshake_complete ||
-      ssl->version < TLS1_VERSION) {
-    goto err;
-  }
-
-  *out_len = finished_len;
-  if (finished_len > max_out) {
-    *out_len = max_out;
-  }
-
-  memcpy(out, finished, *out_len);
-  return 1;
-
-err:
-  *out_len = 0;
-  memset(out, 0, max_out);
-  return 0;
-}
-
 int SSL_clear(SSL *ssl) {
   if (ssl->method == NULL) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_NO_METHOD_SPECIFIED);