add connect to get peer cert only

2011-08-17 12:33:36 -07:00 · 2011-08-17 12:33:36 -07:00 · 501bddae75
commit 501bddae75
parent 9b02ec95ef
4 changed files with 29 additions and 0 deletions
--- a/include/cyassl_int.h
+++ b/include/cyassl_int.h
@ -927,6 +927,7 @@ typedef struct Options {
    byte            processReply;       /* nonblocking resume */
    byte            partialWrite;       /* only one msg per write call */
    byte            quietShutdown;      /* don't send close notify */
+    byte            certOnly;           /* stop once we get cert */
 #ifndef NO_PSK
    byte            havePSK;            /* psk key set by user */
    psk_client_callback client_psk_cb;
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@ -646,6 +646,9 @@ CYASSL_API int  CyaSSL_get_chain_cert_pem(X509_CHAIN*, int idx,
 CYASSL_API const unsigned char* CyaSSL_get_sessionID(const SSL_SESSION* sess);
 CYASSL_API int  CyaSSL_X509_get_serial_number(X509*, unsigned char*, int*);

+/* connect enough to get peer cert */
+CYASSL_API int  CyaSSL_connect_cert(SSL* ssl);
+
 /* server CTX Diffie-Hellman parameters */
 CYASSL_API int  CyaSSL_SetTmpDH(SSL*, unsigned char* p, int pSz,
                                unsigned char* g, int gSz);
--- a/src/cyassl_int.c
+++ b/src/cyassl_int.c
@ -721,6 +721,7 @@ int InitSSL(SSL* ssl, SSL_CTX* ctx)
    ssl->options.dtls   = 0;
    ssl->options.partialWrite  = ctx->partialWrite;
    ssl->options.quietShutdown = ctx->quietShutdown;
+    ssl->options.certOnly = 0;

    /* SSL_CTX still owns certificate, certChain, key, and caList buffers */
    ssl->buffers.certificate = ctx->certificate;
--- a/src/ssl.c
+++ b/src/ssl.c
@ -1333,6 +1333,9 @@ int SSL_CTX_set_cipher_list(SSL_CTX* ctx, const char* list)
            CYASSL_MSG("connect state: HELLO_AGAIN");

        case HELLO_AGAIN :
+            if (ssl->options.certOnly)
+                return SSL_SUCCESS;
+
            #ifdef CYASSL_DTLS
                if (ssl->options.dtls && !ssl->options.resuming) {
                    /* re-init hashes, exclude first hello and verify request */
@ -4198,5 +4201,26 @@ const byte* CyaSSL_get_sessionID(const SSL_SESSION* session)
 }


+/* connect enough to get peer cert chain, no validation */
+int CyaSSL_connect_cert(SSL* ssl)
+{
+    int  ret;
+    byte oldVerify;
+
+    if (ssl == NULL)
+        return SSL_FAILURE;
+
+    oldVerify = ssl->options.verifyNone;
+    ssl->options.verifyNone = 1;
+    ssl->options.certOnly   = 1;
+
+    ret = SSL_connect(ssl);
+
+    ssl->options.verifyNone = oldVerify;
+    ssl->options.certOnly   = 0;
+
+    return ret;
+}
+
 #endif /* SESSION_CERTS */