transport-tls: add ${.tls.x509_fp} variable to contain the X.509 fing…

…erprint

If trusted-keys() is used, the certificate fingerprint is added added
to ${.tls.x509_fp} with the same algorithm that was used to validate
trusted-keys, which is SHA1 at the moment (unfortunately, but that's
a separate PR.

Signed-off-by: Balazs Scheidler <[email protected]>

lib/transport/tls-session.c

@@ -132,6 +132,7 @@ tls_session_verify_fingerprint(X509_STORE_CTX *ctx)
           if (strcmp((const gchar *)(current_fingerprint->data), hash->str) == 0)
             {
               match = TRUE;
+              g_strlcpy(self->peer_info.fingerprint, hash->str, sizeof(self->peer_info.fingerprint));
               break;
             }
         }

lib/transport/tls-session.h

@@ -28,6 +28,7 @@
 #define X509_MAX_CN_LEN 64
 #define X509_MAX_O_LEN 64
 #define X509_MAX_OU_LEN 32
+#define X509_MAX_FP_LEN 256
 
 typedef struct _TLSContext TLSContext;
 typedef struct _TLSSession
@@ -41,6 +42,7 @@ typedef struct _TLSSession
     gchar o[X509_MAX_O_LEN];
     gchar ou[X509_MAX_OU_LEN];
     gchar cn[X509_MAX_CN_LEN];
+    gchar fingerprint[X509_MAX_FP_LEN];
   } peer_info;
 } TLSSession;
 

lib/transport/transport-tls.c

@@ -112,6 +112,8 @@ log_transport_tls_read_method(LogTransport *s, gpointer buf, gsize buflen, LogTr
           log_transport_aux_data_add_nv_pair(aux, ".tls.x509_o", self->tls_session->peer_info.o);
           log_transport_aux_data_add_nv_pair(aux, ".tls.x509_ou", self->tls_session->peer_info.ou);
         }
+      if (self->tls_session->peer_info.fingerprint[0])
+        log_transport_aux_data_add_nv_pair(aux, ".tls.x509_fp", self->tls_session->peer_info.fingerprint);
 
       /* NOTE: we only support TLS on top of TCP for now.  We could reuse the
        * proto auto detection code from transport-socket to make this more