session server UPDATE reflect wrapper changes
diff --git a/src/session_server.c b/src/session_server.c
index 35f2746..dbe434a 100644
--- a/src/session_server.c
+++ b/src/session_server.c
@@ -1651,7 +1651,7 @@
}
break;
case NC_TI_TLS:
- r = nc_tls_have_pending_wrap(session->ti.tls.session);
+ r = nc_tls_get_num_pending_bytes_wrap(session->ti.tls.session);
if (!r) {
/* no data pending in the SSL buffer, poll fd */
pfd.fd = nc_tls_get_fd_wrap(session);
diff --git a/src/session_server.h b/src/session_server.h
index 4c4b2e7..b605901 100644
--- a/src/session_server.h
+++ b/src/session_server.h
@@ -558,8 +558,7 @@
* @brief Set TLS authentication additional verify callback.
*
* Server will always perform cert-to-name based on its configuration. Only after it passes
- * and this callback is set, it is also called. It should return exactly what OpenSSL
- * verify callback meaning 1 for success, 0 to deny the user.
+ * and this callback is set, it is also called. It should return non-zero for success, 0 to deny the user.
*
* @param[in] verify_clb Additional user verify callback.
*/
diff --git a/src/session_server_ssh.c b/src/session_server_ssh.c
index c31b7f1..f7fc74d 100644
--- a/src/session_server_ssh.c
+++ b/src/session_server_ssh.c
@@ -1009,7 +1009,7 @@
* and the data is in network byte order. The key has to be in the SSH2 format.
*/
static const char *
-nc_server_ssh_get_pubkey_type(const char *buffer, uint32_t *len)
+nc_server_ssh_get_pubkey_type(const unsigned char *buffer, uint32_t *len)
{
uint32_t type_len;
@@ -1021,7 +1021,7 @@
/* move 4 bytes in the buffer, this is where the type should be */
buffer += sizeof type_len;
- return buffer;
+ return (const char *)buffer;
}
/**
@@ -1035,7 +1035,7 @@
nc_server_ssh_create_ssh_pubkey(const char *base64, ssh_key *key)
{
int ret = 0;
- char *bin = NULL;
+ unsigned char *bin = NULL;
const char *pub_type = NULL;
uint32_t pub_type_len = 0;
@@ -1045,7 +1045,6 @@
/* convert base64 to binary */
if (nc_base64_decode_wrap(base64, &bin) == -1) {
- ERR(NULL, "Unable to decode base64.");
ret = 1;
goto cleanup;
}
diff --git a/src/session_server_tls.c b/src/session_server_tls.c
index 8b47e36..8e00b12 100644
--- a/src/session_server_tls.c
+++ b/src/session_server_tls.c
@@ -117,24 +117,6 @@
return cert;
}
-static int
-nc_base64der_to_cert_add_to_store(const char *in, void *cert_store)
-{
- int ret;
- char *buf = NULL;
-
- NC_CHECK_ARG_RET(NULL, in, cert_store, 1);
-
- if (asprintf(&buf, "%s%s%s", "-----BEGIN CERTIFICATE-----\n", in, "\n-----END CERTIFICATE-----") == -1) {
- ERRMEM;
- return 1;
- }
-
- ret = nc_tls_pem_to_cert_add_to_store_wrap(buf, cert_store);
- free(buf);
- return ret;
-}
-
static void *
nc_base64der_to_privkey(const char *in, const char *key_str)
{
@@ -420,55 +402,18 @@
return ret;
}
-static int
-nc_server_tls_verify_peer_cert(void *peer_cert, struct nc_cert_grouping *ee_certs)
-{
- int i, ret;
- void *cert;
- struct nc_certificate *certs;
- uint16_t cert_count;
-
- if (ee_certs->store == NC_STORE_LOCAL) {
- /* local definition */
- certs = ee_certs->certs;
- cert_count = ee_certs->cert_count;
- } else {
- /* truststore reference */
- if (nc_server_tls_ts_ref_get_certs(ee_certs->ts_ref, &certs, &cert_count)) {
- ERR(NULL, "Error getting end-entity certificates from the truststore reference \"%s\".", ee_certs->ts_ref);
- return -1;
- }
- }
-
- for (i = 0; i < cert_count; i++) {
- /* import stored cert */
- cert = nc_base64der_to_cert(certs[i].data);
-
- /* compare stored with received */
- ret = nc_server_tls_certs_match_wrap(peer_cert, cert);
- nc_tls_cert_destroy_wrap(cert);
- if (ret) {
- /* found a match */
- VRB(NULL, "Cert verify: fail, but the end-entity certificate is trusted, continuing.");
- return 0;
- }
- }
-
- return 1;
-}
-
int
nc_server_tls_get_username_from_cert(void *cert, NC_TLS_CTN_MAPTYPE map_type, char **username)
{
- char *subject, *cn, *san_value = NULL;
+ char *subject, *cn, *san_value = NULL, rdn_separator;
void *sans;
int i, nsans = 0, rc;
NC_TLS_CTN_MAPTYPE san_type = 0;
#ifdef HAVE_LIBMEDTLS
- char rdn_separator = ',';
+ rdn_separator = ',';
#else
- char rdn_separator = '/';
+ rdn_separator = '/';
#endif
if (map_type == NC_TLS_CTN_COMMON_NAME) {
@@ -546,6 +491,69 @@
return 0;
}
+static int
+_nc_server_tls_verify_peer_cert(void *peer_cert, struct nc_cert_grouping *ee_certs)
+{
+ int i, ret;
+ void *cert;
+ struct nc_certificate *certs;
+ uint16_t cert_count;
+
+ if (ee_certs->store == NC_STORE_LOCAL) {
+ /* local definition */
+ certs = ee_certs->certs;
+ cert_count = ee_certs->cert_count;
+ } else {
+ /* truststore reference */
+ if (nc_server_tls_ts_ref_get_certs(ee_certs->ts_ref, &certs, &cert_count)) {
+ ERR(NULL, "Error getting end-entity certificates from the truststore reference \"%s\".", ee_certs->ts_ref);
+ return -1;
+ }
+ }
+
+ for (i = 0; i < cert_count; i++) {
+ /* import stored cert */
+ cert = nc_base64der_to_cert(certs[i].data);
+
+ /* compare stored with received */
+ ret = nc_server_tls_certs_match_wrap(peer_cert, cert);
+ nc_tls_cert_destroy_wrap(cert);
+ if (ret) {
+ /* found a match */
+ VRB(NULL, "Cert verify: fail, but the end-entity certificate is trusted, continuing.");
+ return 0;
+ }
+ }
+
+ return 1;
+}
+
+int
+nc_server_tls_verify_peer_cert(void *peer_cert, struct nc_server_tls_opts *opts)
+{
+ int rc;
+ struct nc_endpt *referenced_endpt;
+
+ rc = _nc_server_tls_verify_peer_cert(peer_cert, &opts->ee_certs);
+ if (!rc) {
+ return 0;
+ }
+
+ if (opts->referenced_endpt_name) {
+ if (nc_server_get_referenced_endpt(opts->referenced_endpt_name, &referenced_endpt)) {
+ ERRINT;
+ return -1;
+ }
+
+ rc = _nc_server_tls_verify_peer_cert(peer_cert, &referenced_endpt->opts.tls->ee_certs);
+ if (!rc) {
+ return 0;
+ }
+ }
+
+ return 1;
+}
+
int
nc_server_tls_verify_cert(void *cert, int depth, int self_signed, struct nc_tls_verify_cb_data *cb_data)
{
@@ -571,22 +579,10 @@
if (self_signed) {
/* peer cert is not trusted, so it must match any configured end-entity cert
* on the given endpoint in order for the client to be authenticated */
- ret = nc_server_tls_verify_peer_cert(cert, &opts->ee_certs);
+ ret = nc_server_tls_verify_peer_cert(cert, opts);
if (ret) {
- /* we can still check the referenced endpoint's ee certs */
- if (opts->referenced_endpt_name) {
- if (nc_server_get_referenced_endpt(opts->referenced_endpt_name, &referenced_endpt)) {
- ERRINT;
- ret = -1;
- goto cleanup;
- }
-
- ret = nc_server_tls_verify_peer_cert(cert, &referenced_endpt->opts.tls->ee_certs);
- }
- if (ret) {
- ERR(session, "Cert verify: fail (Client certificate not trusted and does not match any configured end-entity certificate).");
- goto cleanup;
- }
+ ERR(session, "Cert verify: fail (Client certificate not trusted and does not match any configured end-entity certificate).");
+ goto cleanup;
}
}
}
@@ -784,13 +780,13 @@
}
static int
-nc_server_tls_crl_path(const char *path, void *cert_store, void *crl_store)
+nc_server_tls_crl_path(const char *path, void *crl_store)
{
- return nc_tls_import_crl_path_wrap(path, cert_store, crl_store);
+ return nc_tls_import_crl_path_wrap(path, crl_store);
}
static int
-nc_server_tls_crl_url(const char *url, void *cert_store, void *crl_store)
+nc_server_tls_crl_url(const char *url, void *crl_store)
{
int ret = 0;
CURL *handle = NULL;
@@ -811,7 +807,7 @@
}
/* convert the downloaded data to CRL and add it to the store */
- ret = nc_server_tls_add_crl_to_store_wrap(downloaded.data, downloaded.size, cert_store, crl_store);
+ ret = nc_server_tls_add_crl_to_store_wrap(downloaded.data, downloaded.size, crl_store);
if (ret) {
goto cleanup;
}
@@ -852,7 +848,7 @@
}
/* convert the downloaded data to CRL and add it to the store */
- ret = nc_server_tls_add_crl_to_store_wrap(downloaded.data, downloaded.size, cert_store, crl_store);
+ ret = nc_server_tls_add_crl_to_store_wrap(downloaded.data, downloaded.size, crl_store);
if (ret) {
goto cleanup;
}
@@ -871,11 +867,11 @@
nc_server_tls_load_crl(struct nc_server_tls_opts *opts, void *cert_store, void *crl_store)
{
if (opts->crl_path) {
- if (nc_server_tls_crl_path(opts->crl_path, cert_store, crl_store)) {
+ if (nc_server_tls_crl_path(opts->crl_path, crl_store)) {
return 1;
}
} else if (opts->crl_url) {
- if (nc_server_tls_crl_url(opts->crl_url, cert_store, crl_store)) {
+ if (nc_server_tls_crl_url(opts->crl_url, crl_store)) {
return 1;
}
} else {
@@ -892,6 +888,7 @@
{
struct nc_certificate *certs;
uint16_t i, cert_count;
+ void *cert;
if (ca_certs->store == NC_STORE_LOCAL) {
/* local definition */
@@ -906,7 +903,15 @@
}
for (i = 0; i < cert_count; i++) {
- if (nc_base64der_to_cert_add_to_store(certs[i].data, cert_store)) {
+ /* parse data into cert */
+ cert = nc_base64der_to_cert(certs[i].data);
+ if (!cert) {
+ return 1;
+ }
+
+ /* store cert in cert store */
+ if (nc_tls_add_cert_to_store_wrap(cert, cert_store)) {
+ nc_tls_cert_destroy_wrap(cert);
return 1;
}
}
@@ -931,7 +936,7 @@
}
if (accept_ret != 1) {
- nc_server_tls_print_accept_error_wrap(accept_ret, tls_session);
+ nc_server_tls_print_accept_err_wrap(accept_ret, tls_session);
}
return accept_ret;
@@ -953,7 +958,7 @@
cb_data.opts = opts;
/* prepare TLS context from which a session will be created */
- tls_cfg = nc_server_tls_config_new_wrap();
+ tls_cfg = nc_tls_config_new_wrap(NC_SERVER);
if (!tls_cfg) {
goto fail;
}
@@ -1016,8 +1021,11 @@
nc_server_tls_set_cipher_suites_wrap(tls_cfg, opts->ciphers);
}
+ /* set verify flags, callback and its data */
+ nc_server_tls_set_verify_wrap(tls_cfg, &cb_data);
+
/* init TLS context and store data which may be needed later in it */
- if (nc_tls_init_ctx_wrap(&session->ti.tls.ctx, sock, srv_cert, srv_pkey, cert_store, crl_store)) {
+ if (nc_tls_init_ctx_wrap(sock, srv_cert, srv_pkey, cert_store, crl_store, &session->ti.tls.ctx)) {
goto fail;
}
@@ -1025,9 +1033,9 @@
srv_cert = srv_pkey = cert_store = crl_store = NULL;
/* setup config from ctx */
- if (nc_tls_setup_config_wrap(tls_cfg, NC_SERVER, &session->ti.tls.ctx)) {
+ if (nc_tls_setup_config_from_ctx_wrap(&session->ti.tls.ctx, NC_SERVER, tls_cfg)) {
goto fail;
- } // TODO free openssl shit
+ }
session->ti.tls.config = tls_cfg;
tls_cfg = NULL;
@@ -1037,9 +1045,6 @@
goto fail;
}
- /* set verify callback and its data */
- nc_server_tls_set_verify_cb_wrap(session->ti.tls.session, &cb_data);
-
/* set session fd */
nc_server_tls_set_fd_wrap(session->ti.tls.session, sock, &session->ti.tls.ctx);