Gitiles
Code Review Sign In
gerrit.cesnet.cz / github / CESNET / libnetconf2 / 440b6c7fd4fc82cef6e1476f4e7f111e4de7c9cc^! / . / src / session_server.h
commit440b6c7fd4fc82cef6e1476f4e7f111e4de7c9cc[log] [tgz]
authorAndrew Langefeld <andrew.langefeld@adtran.com>Mon Aug 27 16:26:20 2018 -0500
committerAndrew Langefeld <andrew.langefeld@adtran.com>Mon Aug 27 16:26:20 2018 -0500
tree5bb78132c451032d7f19b9dcdbfd0bb075b539cf
parent1bbe159e1be943150b36a4112702e2c0b8313da2 [diff] [blame]
Provide a mechanism to setup TLS cert chain

This commit from @jwwilcox, together with a corresponding commit to
_netopeer2_, fixes the TLS connection scenario in which the server's
certificate has been signed by an intermediate CA, but the client only has
the root CA available locally. In this case, the client will reject the
connection attempt, because it does not know about the intermediate CA.

The changes here use the new _netopeer2_ callback (which supplies the
intermediate certificate(s)) to call `SSL_CTX_add_extra_chain_cert()`,
which allows the server's TLS context to automatically provide the intermediate
certificate(s) to the client.

This scenario is demonstrated in the integration test
`test_tls_client_missing_server_intermediate()` in
[ADTRAN:netopeer2-integration-tests](https://github.com/ADTRAN/netopeer2-integration-tests/blob/master/tests/test_tls.py#L73).
The changes here, together with the corresponding commit in _netopeer2_, will
allow [the currently failing test case](https://travis-ci.org/ADTRAN/netopeer2-integration-tests/jobs/420293391#L7434)
to pass.

diff --git a/src/session_server.h b/src/session_server.h
index 2d84865..fd4c6ef 100644
--- a/src/session_server.h
+++ b/src/session_server.h

@@ -664,6 +664,23 @@
                                        void *user_data, void (*free_user_data)(void *user_data));
 
 /**
+ * @brief Set the callback for retrieving server certificate chain
+ *
+ * @param[in] cert_chain_clb Callback that should return all the certificates of the chain. Zero return indicates success,
+ *                           non-zero an error. On success, \p cert_paths and \p cert_data are expected to be set or left
+ *                           NULL. Both will be (deeply) freed.
+ *                           - \p cert_paths expect an array of PEM files,
+ *                           - \p cert_path_count number of \p cert_paths array members,
+ *                           - \p cert_data expect an array of base-64 encoded ASN.1 DER cert data,
+ *                           - \p cert_data_count number of \p cert_data array members.
+ * @param[in] user_data Optional arbitrary user data that will be passed to \p cert_clb.
+ * @param[in] free_user_data Optional callback that will be called during cleanup to free any \p user_data.
+ */
+void nc_server_tls_set_server_cert_chain_clb(int (*cert_chain_clb)(const char *name, void *user_data, char ***cert_paths,
+                                                                   int *cert_path_count, char ***cert_data, int *cert_data_count),
+                                             void *user_data, void (*free_user_data)(void *user_data));
+
+/**
  * @brief Add a trusted certificate list. Can be both a CA or a client one. Can be
  *        safely used together with nc_server_tls_endpt_set_trusted_ca_paths().
  *