From b0550d90c9c27c74edfe93c8ebbd10b9cb5e2832 Mon Sep 17 00:00:00 2001
From: Paul Bakker
Date: Tue, 30 Oct 2012 07:51:03 +0000
Subject: [PATCH] - Added ssl_get_peer_cert() to SSL API
---
include/polarssl/ssl.h | 16 ++++++++++++++++
library/ssl_tls.c | 8 ++++++++
programs/ssl/ssl_client2.c | 2 +-
programs/ssl/ssl_mail_client.c | 2 +-
programs/ssl/ssl_server2.c | 6 +++---
5 files changed, 29 insertions(+), 5 deletions(-)
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 3c812f25a4..8a1c19d8f6 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -928,6 +928,22 @@ const char *ssl_get_ciphersuite( const ssl_context *ssl );
*/
const char *ssl_get_version( const ssl_context *ssl );
+/**
+ * \brief Return the peer certificate from the current connection
+ *
+ * Note: Can be NULL in case no certificate was sent during
+ * the handshake. Different calls for the same connection can
+ * return the same or different pointers for the same
+ * certificate and even a different certificate altogether.
+ * The peer cert CAN change in a single connection if
+ * renegotiation is performed.
+ *
+ * \param ssl SSL context
+ *
+ * \return the current peer certificate
+ */
+const x509_cert *ssl_get_peer_cert( const ssl_context *ssl );
+
/**
* \brief Perform the SSL handshake
*
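Review bot: The new doc comment on ssl_get_peer_cert() says nothing about ownership or lifetime of the returned pointer, which is the first thing a caller of a `const x509_cert *` getter needs; the ssl_tls.c implementation hands back `ssl->session->peer_cert` directly, so the object presumably belongs to the SSL context and must not be freed by the caller or kept across `ssl_free()` or a session reset — confirm against ssl_free. The comment also documents NULL only for "no certificate was sent", while the implementation additionally returns NULL when `ssl` or `ssl->session` is NULL, i.e. before a handshake has produced a session. I would add `\note The returned pointer is owned by the SSL context and must not be freed; it is invalidated when the context is freed or reset.` and `\note Also returns NULL before the handshake has established a session.` Since the certificate is returned whether or not it verified, a sentence pointing callers at the verification result (the BADCERT_* flags the sample programs check) before trusting its contents would also be worth adding.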
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index f5fcba47b7..b63c7d4c24 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3405,6 +3405,14 @@ const char *ssl_get_version( const ssl_context *ssl )
return( "unknown" );
}
+const x509_cert *ssl_get_peer_cert( const ssl_context *ssl )
+{
+ if( ssl == NULL || ssl->session == NULL )
+ return NULL;
+
+ return ssl->session->peer_cert;
+}
+
const int ssl_default_ciphersuites[] =
{
#if defined(POLARSSL_DHM_C)
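Review bot: `return NULL;` on the new guard line departs from the file's `return( … );` convention visible just above in ssl_get_version (`return( "unknown" );`), so I would write it as `return( NULL );` to match. The guard itself is sound — it covers both a NULL context and a context with no session yet — but nothing in the body records why both cases matter; a one-line comment such as `/* No session yet (handshake not completed) or no context: nothing to return */` would save the next reader a trip to the header. Whether `ssl->session` can point at a stale session while a renegotiation handshake is in flight is not visible here; if it can, the header's "peer cert CAN change" caveat should say that the old certificate may be returned until the new handshake completes.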
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index ae98b1bad9..949ef58f55 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -539,7 +539,7 @@ int main( int argc, char *argv[] )
printf( " . Peer certificate information ...\n" );
x509parse_cert_info( (char *) buf, sizeof( buf ) - 1, " ",
- ssl.session->peer_cert );
+ ssl_get_peer_cert( &ssl ) );
printf( "%s\n", buf );
/*
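Review bot: The replacement passes the result of `ssl_get_peer_cert( &ssl )` straight into x509parse_cert_info, and the new API explicitly documents that this can be NULL when no certificate was sent, so a NULL here would be dereferenced inside the formatter unless a guard exists above the hunk (the enclosing code starts before the first line shown and I cannot see one). The server sample in this same patch checks the pointer before printing; the client should do the same, e.g. `const x509_cert *peer = ssl_get_peer_cert( &ssl ); if( peer != NULL ) x509parse_cert_info( (char *) buf, sizeof( buf ) - 1, "      ", peer ); else printf( "  ! no server certificate received\n" );`. Using the getter here is otherwise correct: `ssl` is a stack `ssl_context` in this program (the removed line used `ssl.session`), so `&ssl` has the right type.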
diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c
index b450030c98..b303df8d06 100644
--- a/programs/ssl/ssl_mail_client.c
+++ b/programs/ssl/ssl_mail_client.c
@@ -172,7 +172,7 @@ int do_handshake( ssl_context *ssl, struct options *opt )
printf( " . Peer certificate information ...\n" );
x509parse_cert_info( (char *) buf, sizeof( buf ) - 1, " ",
- ssl->session->peer_cert );
+ ssl_get_peer_cert( &ssl ) );
printf( "%s\n", buf );
return( 0 );
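Review bot: The new call `ssl_get_peer_cert( &ssl )` is wrong in this file: `ssl` is already a pointer parameter (`int do_handshake( ssl_context *ssl, … )` in the hunk header, and the removed line used `ssl->session`), so `&ssl` is an `ssl_context **` passed where a `const ssl_context *` is expected. A compiler will at best warn about the incompatible pointer type, and at run time the getter would interpret the address of the local pointer variable as an ssl_context and read `->session` from the wrong stack memory, most likely crashing in x509parse_cert_info. The line should be `ssl_get_peer_cert( ssl ) );`. As in the client sample, the result should also be NULL-checked before it is formatted, since the header documents NULL as a possible return.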
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 5076be398d..3e2c35e1bf 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -501,7 +501,7 @@ reset:
{
printf( " failed\n" );
- if( !ssl.session->peer_cert )
+ if( !ssl_get_peer_cert( &ssl ) )
printf( " ! no client certificate sent\n" );
if( ( ret & BADCERT_EXPIRED ) != 0 )
@@ -518,11 +518,11 @@ reset:
else
printf( " ok\n" );
- if( ssl.session->peer_cert )
+ if( ssl_get_peer_cert( &ssl ) )
{
printf( " . Peer certificate information ...\n" );
x509parse_cert_info( (char *) buf, sizeof( buf ) - 1, " ",
- ssl.session->peer_cert );
+ ssl_get_peer_cert( &ssl ) );
printf( "%s\n", buf );
}
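Review bot: ssl_get_peer_cert( &ssl ) is now called twice within a few lines (in the `if` and again as the x509parse_cert_info argument, with a further call in the preceding hunk), and the header comment added in this patch warns that successive calls may return different pointers; fetching it once into a local both removes that ambiguity and reads better: `const x509_cert *peer = ssl_get_peer_cert( &ssl ); if( peer != NULL ) { … x509parse_cert_info( …, peer ); }`. The NULL check before printing is the right pattern and is what the client samples in this patch lack. The conversion from `ssl.session->peer_cert` is otherwise correct here since `ssl` is a stack `ssl_context` in this program.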