From 5580fa7eb0864545bc1e93e8e28e05bd78181728 Mon Sep 17 00:00:00 2001
From: Arnaud Bouchez
Date: Fri, 17 Jan 2025 09:07:56 +0100
Subject: [PATCH] net: populate raw TNetTlsContext.PeerCert on OpenSSL
---
 src/lib/mormot.lib.openssl11.pas | 3 +++
 src/mormot.commit.inc | 2 +-
 src/net/mormot.net.sock.pas | 5 ++---
 3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/lib/mormot.lib.openssl11.pas b/src/lib/mormot.lib.openssl11.pas
index 9816f1782..e7535c07a 100644
--- a/src/lib/mormot.lib.openssl11.pas
+++ b/src/lib/mormot.lib.openssl11.pas
@@ -10289,6 +10289,7 @@ function AfterConnectionPeerVerify(
 c := _PeerVerify;
 c.fContext.PeerIssuer := peer.IssuerName;
 c.fContext.PeerSubject := peer.SubjectName;
+ c.fContext.PeerCert := peer;
 try
 result := ord(c.fContext.OnEachPeerVerify(
 c.fSocket, c.fContext, wasok <> 0, c.fSsl, peer));
@@ -10384,6 +10385,7 @@ procedure TOpenSslNetTls.AfterConnection(Socket: TNetSocket;
 Context.PeerIssuer := '';
 Context.PeerSubject := '';
 Context.PeerInfo := '';
+ Context.PeerCert := nil;
 Context.LastError := '';
 // prepare TLS connection properties
 fCtx := SSL_CTX_new(TLS_client_method);
@@ -10430,6 +10432,7 @@ procedure TOpenSslNetTls.AfterConnection(Socket: TNetSocket;
 // writeln(fPeer.SetUsage([kuCodeSign, kuDigitalSignature, kuTlsServer, kuTlsClient]));
 Context.PeerIssuer := fPeer.IssuerName;
 Context.PeerSubject := fPeer.SubjectName;
+ Context.PeerCert := fPeer;
 if Context.WithPeerInfo or
 (not Context.IgnoreCertificateErrors and
 not fSsl.IsVerified(@Context.LastError)) then
diff --git a/src/mormot.commit.inc b/src/mormot.commit.inc
index 5e43805fd..829c2cd0a 100644
--- a/src/mormot.commit.inc
+++ b/src/mormot.commit.inc
@@ -1 +1 @@
-'2.3.9414'
+'2.3.9415'
diff --git a/src/net/mormot.net.sock.pas b/src/net/mormot.net.sock.pas
index bccf8a1e2..6c55343f7 100644
--- a/src/net/mormot.net.sock.pas
+++ b/src/net/mormot.net.sock.pas
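Review bot: In the AfterConnectionPeerVerify hunk, `c.fContext.PeerCert := peer;` publishes a pointer the callback does not own: if this is the OpenSSL verify callback (the `wasok <> 0` argument suggests so), it appears to be invoked once per certificate of the chain, so until the later `Context.PeerCert := fPeer;` in AfterConnection overwrites it the field may point at an intermediate or root certificate owned by the verify store context rather than at the leaf, and that pointer is only guaranteed valid while the callback runs. The OnEachPeerVerify handler already receives the same certificate as its Peer argument, so the assignment adds little there; either defer the PeerCert assignment to the post-handshake path alone, or mark it with a comment such as `// transient: chain element currently being verified, replaced by fPeer once the handshake completed`. The `Context.PeerCert := nil;` reset is added to the client-side AfterConnection only; if a server-side accept path populates PeerIssuer/PeerSubject the same way, it presumably needs the same reset and assignment, which this diff does not touch. The bodies of AfterConnectionPeerVerify and AfterConnection both continue outside the hunks.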
@@ -775,7 +775,7 @@ procedure RegisterKnownHost(const HostName, Ip4: RawUtf8);
 // - wasok=true if the TLS library did validate the incoming certificate
 // - should process the supplied peer information, and return true to continue
 // and accept the connection, or false to abort the connection
- // - Context.PeerIssuer and PeerSubject have been properly populated from Peer
+ // - Context.PeerIssuer, PeerSubject and PeerCert have been properly populated
 // - TLS and Peer are opaque structures, typically OpenSSL PSSL and PX509 pointers
 TOnNetTlsEachPeerVerify = function(Socket: TNetSocket; Context: PNetTlsContext;
 wasok: boolean; TLS, Peer: pointer): boolean of object;
@@ -901,8 +901,7 @@ TNetTlsContext = record
 // - only populated if WithPeerInfo was set to true, or an error occurred
 PeerInfo: RawUtf8;
 /// output: full detailed raw information about the connected Peer
- // - is a PWinCertInfo from mormot.lib.sspi on SChannel
- // - not used on OpenSSL
+ // - is a PX509 on OpenSSL, or a PWinCertInfo from mormot.lib.sspi on SChannel
 PeerCert: pointer;
 /// output: low-level details about the last error at TLS level
 // - typically one X509_V_ERR_* integer constant
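Review bot: The rewritten PeerCert comment in the TNetTlsContext hunk names the concrete type per backend but says nothing about ownership or lifetime, which is the first thing a caller handed a raw `pointer` needs to know before calling into mormot.lib.openssl11 with it. On OpenSSL the value appears to be the PX509 that TOpenSslNetTls keeps as fPeer, so it would be owned by that instance and die with it; its actual lifetime is outside this diff, so please confirm before documenting. Suggest adding a line such as `// - this pointer is owned by the TLS layer: never free it, and do not keep it once the connection is closed` under the new comment. The same lifetime caveat belongs in the TOnNetTlsEachPeerVerify comment in the earlier hunk of this file, where PeerCert is now advertised as populated during the callback.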