diff --git a/lib/libwebsockets.h b/lib/libwebsockets.h
index ae9437b2..0aaa505a 100644
--- a/lib/libwebsockets.h
+++ b/lib/libwebsockets.h
@@ -5430,13 +5430,22 @@ lws_get_ssl(struct lws *wsi);
 
 enum lws_tls_cert_info {
 	LWS_TLS_CERT_INFO_VALIDITY_FROM,
+	/**< fills .time with the time_t the cert validity started from */
 	LWS_TLS_CERT_INFO_VALIDITY_TO,
+	/**< fills .time with the time_t the cert validity ends at */
 	LWS_TLS_CERT_INFO_COMMON_NAME,
+	/**< fills up to len bytes of .ns.name with the cert common name */
 	LWS_TLS_CERT_INFO_ISSUER_NAME,
+	/**< fills up to len bytes of .ns.name with the cert issuer name */
 	LWS_TLS_CERT_INFO_USAGE,
+	/**< fills verified with a bitfield asserting the valid uses */
+	LWS_TLS_CERT_INFO_VERIFIED,
+	/**< fills .verified with a bool representing peer cert validity,
+	 * call returns -1 if no cert */
 };
 
 union lws_tls_cert_info_results {
+	unsigned int verified;
 	time_t time;
 	unsigned int usage;
 	struct {
@@ -5450,8 +5459,8 @@ union lws_tls_cert_info_results {
 		 * union lws_tls_cert_info_results *buf =
 		 *	(union lws_tls_cert_info_results *)big;
 		 *
-		 * lws_tls_peer_cert_info(wsi, type, buf,
-		 *			  sizeof(big) - sizeof(*buf) + 64);
+		 * lws_tls_peer_cert_info(wsi, type, buf, sizeof(big) -
+		 *			  sizeof(*buf) + sizeof(buf->ns.name));
 		 */
 		char name[64];
 	} ns;
@@ -5468,6 +5477,9 @@ union lws_tls_cert_info_results {
  * lws_tls_peer_cert_info() lets you get hold of information from the peer
  * certificate.
  *
+ * Return 0 if there is a result in \p buf, or -1 indicating there was no cert
+ * or another problem.
+ *
  * This function works the same no matter if the TLS backend is OpenSSL or
  * mbedTLS.
  */
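Review bot: The trailing doc added for `LWS_TLS_CERT_INFO_USAGE` names the wrong union member: the backends store the key usage in `.usage` (the mbedtls hunk does `buf->usage = x509->key_usage`), not in `verified`, so the line should read `/**< fills .usage with a bitfield asserting the valid uses */`. The `LWS_TLS_CERT_INFO_VERIFIED` comment calls `.verified` a bool while the new member is `unsigned int`; both backends set it to `SSL_get_verify_result(wsi->ssl) == X509_V_OK`, so it is 0 or 1, and saying so would be more precise than "a bool representing peer cert validity". It would also help callers to state what that value means: it reports the chain verification result as configured for the connection, which is presumably not the same thing as a hostname match, so a 1 should not be read as more than that — confirm the exact semantics against the mbedtls compatibility shim before wording it.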
@@ -5486,13 +5498,15 @@ lws_tls_peer_cert_info(struct lws *wsi, enum lws_tls_cert_info type,
  * lws_tls_vhost_cert_info() lets you get hold of information from the vhost
  * certificate.
  *
+ * Return 0 if there is a result in \p buf, or -1 indicating there was no cert
+ * or another problem.
+ *
  * This function works the same no matter if the TLS backend is OpenSSL or
  * mbedTLS.
  */
 LWS_VISIBLE LWS_EXTERN int
 lws_tls_vhost_cert_info(struct lws_vhost *vhost, enum lws_tls_cert_info type,
 			union lws_tls_cert_info_results *buf, size_t len);
-
 ///@}
 
 /** \defgroup lws_ring LWS Ringbuffer APIs
diff --git a/lib/tls/mbedtls/ssl.c b/lib/tls/mbedtls/ssl.c
index d4f3e48b..0abc795c 100644
--- a/lib/tls/mbedtls/ssl.c
+++ b/lib/tls/mbedtls/ssl.c
@@ -398,6 +398,8 @@ lws_tls_mbedtls_cert_info(mbedtls_x509_crt *x509, enum lws_tls_cert_info type,
 	case LWS_TLS_CERT_INFO_USAGE:
 		buf->usage = x509->key_usage;
 		break;
+	default:
+		return -1;
 	}
 
 	return 0;
@@ -418,5 +420,16 @@ lws_tls_peer_cert_info(struct lws *wsi, enum lws_tls_cert_info type,
 {
 	mbedtls_x509_crt *x509 = ssl_get_peer_mbedtls_x509_crt(wsi->ssl);
 
-	return lws_tls_mbedtls_cert_info(x509, type, buf, len);
+	if (!x509)
+		return -1;
+
+	switch (type) {
+	case LWS_TLS_CERT_INFO_VERIFIED:
+		buf->verified = SSL_get_verify_result(wsi->ssl) == X509_V_OK;
+		return 0;
+	default:
+		return lws_tls_mbedtls_cert_info(x509, type, buf, len);
+	}
+
+	return -1;
 }
diff --git a/lib/tls/openssl/ssl.c b/lib/tls/openssl/ssl.c
index d120fe10..46d21ff8 100644
--- a/lib/tls/openssl/ssl.c
+++ b/lib/tls/openssl/ssl.c
@@ -574,6 +574,8 @@ lws_tls_openssl_cert_info(X509 *x509, enum lws_tls_cert_info type,
 #else
 		return -1;
 #endif
+	default:
+		return -1;
 	}
 
 	return 0;
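Review bot: The `return -1;` after the `switch` in the new mbedtls `lws_tls_peer_cert_info()` body is unreachable, since both the `LWS_TLS_CERT_INFO_VERIFIED` case and `default` return before it. Either drop that line or assign into a local and return once, as the OpenSSL backend does with `rc`, so the two implementations keep the same shape and a later `case` that forgets to return is caught by the single exit rather than silently reporting failure. The `!x509` guard before the switch is what makes the header's "returns -1 if no cert" promise hold for `LWS_TLS_CERT_INFO_VERIFIED`; a one-line comment there, `/* no peer cert presented: nothing to report, including VERIFIED */`, would record why it is checked before the type dispatch.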
@@ -598,9 +600,19 @@ LWS_VISIBLE int
 lws_tls_peer_cert_info(struct lws *wsi, enum lws_tls_cert_info type,
 		       union lws_tls_cert_info_results *buf, size_t len)
 {
+	int rc = 0;
 	X509 *x509 = SSL_get_peer_certificate(wsi->ssl);
 
-	int rc = lws_tls_openssl_cert_info(x509, type, buf, len);
+	if (!x509)
+		return -1;
+
+	switch (type) {
+	case LWS_TLS_CERT_INFO_VERIFIED:
+		buf->verified = SSL_get_verify_result(wsi->ssl) == X509_V_OK;
+		break;
+	default:
+		rc = lws_tls_openssl_cert_info(x509, type, buf, len);
+	}
 
 	X509_free(x509);