session wrapper UPDATE tls verify callback
diff --git a/src/session_server_tls.c b/src/session_server_tls.c
index 1db33f7..4ac3736 100644
--- a/src/session_server_tls.c
+++ b/src/session_server_tls.c
@@ -386,7 +386,7 @@
data->matched_ctns |= map_type;
data->matched_ctn_type[data->matched_ctn_count++] = map_type;
if (!data->username && (map_type == NC_TLS_CTN_SPECIFIED)) {
- data->username = ctn->name; // TODO make a copy?
+ data->username = ctn->name;
}
}
}
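Review bot: The TODO was removed but its question was not answered: `data->username = ctn->name;` still stores a pointer into the cert-to-name configuration entry rather than a copy, so the callback data aliases memory owned by the endpoint configuration. If that CTN entry can be freed or replaced (reconfiguration, endpoint removal) between this assignment and the moment the username is consumed or copied into the session, the pointer dangles and the read is a use-after-free; whether that window exists depends on locking outside this hunk. If the configuration is guaranteed to stay locked until the value is duplicated, record that where it is assigned, e.g. `/* borrowed from the CTN entry; must be copied before the config lock is released */`; otherwise `strdup()` it here, free any previous value, and fail the verify on a NULL result. The enclosing function starts before this hunk.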
@@ -555,7 +555,7 @@
}
int
-nc_server_tls_verify_cert(void *cert, int depth, int self_signed, struct nc_tls_verify_cb_data *cb_data)
+nc_server_tls_verify_cert(void *cert, int depth, int trusted, struct nc_tls_verify_cb_data *cb_data)
{
int ret = 0, i;
char *subject = NULL, *issuer = NULL;
@@ -563,6 +563,11 @@
struct nc_session *session = cb_data->session;
struct nc_endpt *referenced_endpt;
+ if (session->username) {
+ /* already verified */
+ return 0;
+ }
+
subject = nc_server_tls_get_subject_wrap(cert);
issuer = nc_server_tls_get_issuer_wrap(cert);
if (!subject || !issuer) {
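Review bot: The new early return at the top of nc_server_tls_verify_cert reports success for any certificate, at any `depth` and regardless of `trusted`, as soon as `session->username` is set, which means the end-entity check further down (`if (!trusted)` at depth 0) is never reached on any later invocation for this session. That is only sound if the TLS backend invokes this callback exactly once per chain element, leaf last, and never again for the lifetime of the session; if it re-invokes per verification error, on renegotiation, or with a re-presented peer certificate, a different or untrusted leaf would be accepted on the strength of a username derived earlier. I cannot see the backend wrapper from here, so at minimum the comment should state the invariant the shortcut relies on, e.g. `/* username already derived from the verified peer cert; the backend calls us once per chain element, so nothing further to check */`, and the shortcut could be narrowed to intermediate certs with `if (session->username && depth > 0) {` so a depth-0 cert is always re-verified. The function's body continues past this hunk.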
@@ -576,7 +581,7 @@
VRB(session, "Cert verify: issuer: %s.", issuer);
if (depth == 0) {
- if (self_signed) {
+ if (!trusted) {
/* peer cert is not trusted, so it must match any configured end-entity cert
* on the given endpoint in order for the client to be authenticated */
ret = nc_server_tls_verify_peer_cert(cert, opts);