Gitiles
Code Review Sign In
gerrit.cesnet.cz / github / CESNET / libnetconf2 / d8973d1f9c093c3da2c4c1ee53f0962117d7a83b / . / src / session_server_tls.c
blob: 294d150df9b4f70fd0100cf34e9bc506e46bd531 [file] [log] [blame]
Radek Krejci5da708a2015-09-01 17:33:23 +0200[diff] [blame]1/**
Michal Vasko95ea9ff2021-11-09 12:29:14 +0100[diff] [blame]2 * @file session_server_tls.c
3 * @author Michal Vasko <mvasko@cesnet.cz>
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]4 * @author Roman Janota <janota@cesnet.cz>
Michal Vasko95ea9ff2021-11-09 12:29:14 +0100[diff] [blame]5 * @brief libnetconf2 TLS server session manipulation functions
Radek Krejci5da708a2015-09-01 17:33:23 +0200[diff] [blame]6 *
Michal Vasko95ea9ff2021-11-09 12:29:14 +0100[diff] [blame]7 * @copyright
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]8 * Copyright (c) 2015 - 2023 CESNET, z.s.p.o.
Radek Krejci5da708a2015-09-01 17:33:23 +0200[diff] [blame]9 *
Radek Krejci9b81f5b2016-02-24 13:14:49 +0100[diff] [blame]10 * This source code is licensed under BSD 3-Clause License (the "License").
11 * You may not use this file except in compliance with the License.
12 * You may obtain a copy of the License at
Michal Vaskoafd416b2016-02-25 14:51:46 +0100[diff] [blame]13 *
Radek Krejci9b81f5b2016-02-24 13:14:49 +0100[diff] [blame]14 * https://opensource.org/licenses/BSD-3-Clause
Radek Krejci5da708a2015-09-01 17:33:23 +0200[diff] [blame]15 */
16
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]17#define _GNU_SOURCE
18
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]19#include <poll.h>
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]20#include <stdint.h>
21#include <stdio.h>
22#include <stdlib.h>
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200[diff] [blame]23#include <string.h>
Michal Vaskof0537d82016-01-29 14:42:38 +0100[diff] [blame]24#include <unistd.h>
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]25
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]26#include <curl/curl.h>
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]27
Michal Vasko316c9632020-04-15 11:06:57 +0200[diff] [blame]28#include "compat.h"
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]29#include "config.h"
30#include "log_p.h"
31#include "session.h"
32#include "session_p.h"
roman69962562024-04-05 12:33:39 +0200[diff] [blame]33#include "session_wrapper.h"
Rosen Penev4f552d62019-06-26 16:10:43 -0700[diff] [blame]34
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]35struct nc_server_tls_opts tls_ch_opts;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]36extern struct nc_server_opts server_opts;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]37
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]38static int
39nc_server_tls_ks_ref_get_cert_key(const char *referenced_key_name, const char *referenced_cert_name,
40 char **privkey_data, NC_PRIVKEY_FORMAT *privkey_type, char **cert_data)
Andrew Langefeld440b6c72018-08-27 16:26:20 -0500[diff] [blame]41{
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]42 uint16_t i, j;
43 struct nc_keystore *ks = &server_opts.keystore;
Andrew Langefeld440b6c72018-08-27 16:26:20 -0500[diff] [blame]44
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]45 *privkey_data = NULL;
46 *cert_data = NULL;
Andrew Langefeld440b6c72018-08-27 16:26:20 -0500[diff] [blame]47
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]48 /* lookup name */
49 for (i = 0; i < ks->asym_key_count; i++) {
50 if (!strcmp(referenced_key_name, ks->asym_keys[i].name)) {
51 break;
Andrew Langefeld440b6c72018-08-27 16:26:20 -0500[diff] [blame]52 }
53 }
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]54 if (i == ks->asym_key_count) {
55 ERR(NULL, "Keystore entry \"%s\" not found.", referenced_key_name);
Andrew Langefeld440b6c72018-08-27 16:26:20 -0500[diff] [blame]56 return -1;
57 }
58
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]59 for (j = 0; j < ks->asym_keys[i].cert_count; j++) {
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]60 if (!strcmp(referenced_cert_name, ks->asym_keys[i].certs[j].name)) {
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]61 break;
Andrew Langefeld440b6c72018-08-27 16:26:20 -0500[diff] [blame]62 }
63 }
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]64 if (j == ks->asym_keys[i].cert_count) {
65 ERR(NULL, "Keystore certificate entry \"%s\" associated with the key \"%s\" not found.",
66 referenced_cert_name, referenced_key_name);
67 return -1;
68 }
Andrew Langefeld440b6c72018-08-27 16:26:20 -0500[diff] [blame]69
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]70 *privkey_data = ks->asym_keys[i].privkey_data;
71 *privkey_type = ks->asym_keys[i].privkey_type;
72 *cert_data = ks->asym_keys[i].certs[j].data;
73 return 0;
Andrew Langefeld440b6c72018-08-27 16:26:20 -0500[diff] [blame]74}
75
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]76static int
roman69962562024-04-05 12:33:39 +0200[diff] [blame]77nc_server_tls_ts_ref_get_certs(const char *referenced_name, struct nc_certificate **certs, uint16_t *cert_count)
78{
79 uint16_t i;
80 struct nc_truststore *ts = &server_opts.truststore;
81
82 *certs = NULL;
83 *cert_count = 0;
84
85 /* lookup name */
86 for (i = 0; i < ts->cert_bag_count; i++) {
87 if (!strcmp(referenced_name, ts->cert_bags[i].name)) {
88 break;
89 }
90 }
91
92 if (i == ts->cert_bag_count) {
93 ERR(NULL, "Truststore entry \"%s\" not found.", referenced_name);
94 return -1;
95 }
96
97 *certs = ts->cert_bags[i].certs;
98 *cert_count = ts->cert_bags[i].cert_count;
99 return 0;
100}
101
102static void *
103nc_base64der_to_cert(const char *in)
104{
romanebc7bba2024-04-15 14:58:39 +0200[diff] [blame]105 char *buf = NULL;
106 void *cert;
roman69962562024-04-05 12:33:39 +0200[diff] [blame]107
108 NC_CHECK_ARG_RET(NULL, in, NULL);
109
110 if (asprintf(&buf, "%s%s%s", "-----BEGIN CERTIFICATE-----\n", in, "\n-----END CERTIFICATE-----") == -1) {
111 ERRMEM;
112 return NULL;
113 }
114
115 cert = nc_tls_pem_to_cert_wrap(buf);
116 free(buf);
117 return cert;
118}
119
roman69962562024-04-05 12:33:39 +0200[diff] [blame]120static void *
romanebc7bba2024-04-15 14:58:39 +0200[diff] [blame]121nc_base64der_to_privkey(const char *in, const char *key_str)
roman69962562024-04-05 12:33:39 +0200[diff] [blame]122{
romanebc7bba2024-04-15 14:58:39 +0200[diff] [blame]123 char *buf = NULL;
roman69962562024-04-05 12:33:39 +0200[diff] [blame]124 void *pkey;
125
126 NC_CHECK_ARG_RET(NULL, in, NULL);
127
128 if (asprintf(&buf, "%s%s%s%s%s%s%s", "-----BEGIN ", key_str, " PRIVATE KEY-----\n", in, "\n-----END ",
129 key_str, " PRIVATE KEY-----") == -1) {
130 ERRMEM;
131 return NULL;
132 }
133
134 pkey = nc_tls_pem_to_privkey_wrap(buf);
135 free(buf);
136 return pkey;
137}
138
romanebc7bba2024-04-15 14:58:39 +0200[diff] [blame]139static char *
roman69962562024-04-05 12:33:39 +0200[diff] [blame]140nc_server_tls_digest_to_hex(const unsigned char *digest, unsigned int digest_len)
141{
142 unsigned int i;
143 char *hex;
144
145 hex = malloc(digest_len * 3);
146 NC_CHECK_ERRMEM_RET(!hex, NULL);
147
148 for (i = 0; i < digest_len - 1; ++i) {
149 sprintf(hex + (i * 3), "%02x:", digest[i]);
150 }
151 sprintf(hex + (i * 3), "%02x", digest[i]);
152
153 return hex;
154}
155
romanebc7bba2024-04-15 14:58:39 +0200[diff] [blame]156static char *
roman69962562024-04-05 12:33:39 +0200[diff] [blame]157nc_server_tls_md5(void *cert)
158{
159 int rc;
160 unsigned int buf_len = 16;
161 unsigned char buf[buf_len];
162
163 /* compute MD-5 hash of cert and store it in buf */
164 rc = nc_server_tls_md5_wrap(cert, buf);
165 if (rc) {
166 return NULL;
167 }
168
169 /* convert the hash to hex */
170 return nc_server_tls_digest_to_hex(buf, buf_len);
171}
172
romanebc7bba2024-04-15 14:58:39 +0200[diff] [blame]173static char *
roman69962562024-04-05 12:33:39 +0200[diff] [blame]174nc_server_tls_sha1(void *cert)
175{
176 int rc;
177 unsigned int buf_len = 20;
178 unsigned char buf[buf_len];
179
180 /* compute SHA-1 hash of cert and store it in buf */
181 rc = nc_server_tls_sha1_wrap(cert, buf);
182 if (rc) {
183 return NULL;
184 }
185
186 /* convert the hash to hex */
187 return nc_server_tls_digest_to_hex(buf, buf_len);
188}
189
romanebc7bba2024-04-15 14:58:39 +0200[diff] [blame]190static char *
roman69962562024-04-05 12:33:39 +0200[diff] [blame]191nc_server_tls_sha224(void *cert)
192{
193 int rc;
194 unsigned int buf_len = 28;
195 unsigned char buf[buf_len];
196
197 /* compute SHA-224 hash of cert and store it in buf */
198 rc = nc_server_tls_sha224_wrap(cert, buf);
199 if (rc) {
200 return NULL;
201 }
202
203 /* convert the hash to hex */
204 return nc_server_tls_digest_to_hex(buf, buf_len);
205}
206
romanebc7bba2024-04-15 14:58:39 +0200[diff] [blame]207static char *
roman69962562024-04-05 12:33:39 +0200[diff] [blame]208nc_server_tls_sha256(void *cert)
209{
210 int rc;
211 unsigned int buf_len = 32;
212 unsigned char buf[buf_len];
213
214 /* compute SHA-256 hash of cert and store it in buf */
215 rc = nc_server_tls_sha256_wrap(cert, buf);
216 if (rc) {
217 return NULL;
218 }
219
220 /* convert the hash to hex */
221 return nc_server_tls_digest_to_hex(buf, buf_len);
222}
223
romanebc7bba2024-04-15 14:58:39 +0200[diff] [blame]224static char *
roman69962562024-04-05 12:33:39 +0200[diff] [blame]225nc_server_tls_sha384(void *cert)
226{
227 int rc;
228 unsigned int buf_len = 48;
229 unsigned char buf[buf_len];
230
231 /* compute SHA-384 hash of cert and store it in buf */
232 rc = nc_server_tls_sha384_wrap(cert, buf);
233 if (rc) {
234 return NULL;
235 }
236
237 /* convert the hash to hex */
238 return nc_server_tls_digest_to_hex(buf, buf_len);
239}
240
romanebc7bba2024-04-15 14:58:39 +0200[diff] [blame]241static char *
roman69962562024-04-05 12:33:39 +0200[diff] [blame]242nc_server_tls_sha512(void *cert)
243{
244 int rc;
245 unsigned int buf_len = 64;
246 unsigned char buf[buf_len];
247
248 /* compute SHA-512 hash of cert and store it in buf */
249 rc = nc_server_tls_sha512_wrap(cert, buf);
250 if (rc) {
251 return NULL;
252 }
253
254 /* convert the hash to hex */
255 return nc_server_tls_digest_to_hex(buf, buf_len);
256}
257
258static int
259nc_server_tls_cert_to_name(struct nc_ctn *ctn_first, void *cert, struct nc_ctn_data *data)
260{
261 int ret = 0;
262 char *digest_md5 = NULL, *digest_sha1 = NULL, *digest_sha224 = NULL;
263 char *digest_sha256 = NULL, *digest_sha384 = NULL, *digest_sha512 = NULL;
264 struct nc_ctn *ctn;
265 NC_TLS_CTN_MAPTYPE map_type;
266
267 for (ctn = ctn_first; ctn; ctn = ctn->next) {
268 /* reset map_type */
269 map_type = NC_TLS_CTN_UNKNOWN;
270
271 /* first make sure the entry is valid */
272 if (!ctn->map_type || ((ctn->map_type == NC_TLS_CTN_SPECIFIED) && !ctn->name)) {
273 VRB(NULL, "Cert verify CTN: entry with id %u not valid, skipping.", ctn->id);
274 continue;
275 }
276
277 /* if ctn has no fingerprint, it will match any certificate */
278 if (!ctn->fingerprint) {
279 map_type = ctn->map_type;
280
281 /* MD5 */
282 } else if (!strncmp(ctn->fingerprint, "01", 2)) {
283 if (!digest_md5) {
284 digest_md5 = nc_server_tls_md5(cert);
285 if (!digest_md5) {
286 ret = -1;
287 goto cleanup;
288 }
289 }
290
291 if (!strcasecmp(ctn->fingerprint + 3, digest_md5)) {
292 /* we got ourselves a potential winner! */
293 VRB(NULL, "Cert verify CTN: entry with a matching fingerprint found.");
294 map_type = ctn->map_type;
295 }
296
297 /* SHA-1 */
298 } else if (!strncmp(ctn->fingerprint, "02", 2)) {
299 if (!digest_sha1) {
300 digest_sha1 = nc_server_tls_sha1(cert);
301 if (!digest_sha1) {
302 ret = -1;
303 goto cleanup;
304 }
305 }
306
307 if (!strcasecmp(ctn->fingerprint + 3, digest_sha1)) {
308 /* we got ourselves a potential winner! */
309 VRB(NULL, "Cert verify CTN: entry with a matching fingerprint found.");
310 map_type = ctn->map_type;
311 }
312
313 /* SHA-224 */
314 } else if (!strncmp(ctn->fingerprint, "03", 2)) {
315 if (!digest_sha224) {
316 digest_sha224 = nc_server_tls_sha224(cert);
317 if (!digest_sha224) {
318 ret = -1;
319 goto cleanup;
320 }
321 }
322
323 if (!strcasecmp(ctn->fingerprint + 3, digest_sha224)) {
324 /* we got ourselves a potential winner! */
325 VRB(NULL, "Cert verify CTN: entry with a matching fingerprint found.");
326 map_type = ctn->map_type;
327 }
328
329 /* SHA-256 */
330 } else if (!strncmp(ctn->fingerprint, "04", 2)) {
331 if (!digest_sha256) {
332 digest_sha256 = nc_server_tls_sha256(cert);
333 if (!digest_sha256) {
334 ret = -1;
335 goto cleanup;
336 }
337 }
338
339 if (!strcasecmp(ctn->fingerprint + 3, digest_sha256)) {
340 /* we got ourselves a potential winner! */
341 VRB(NULL, "Cert verify CTN: entry with a matching fingerprint found.");
342 map_type = ctn->map_type;
343 }
344
345 /* SHA-384 */
346 } else if (!strncmp(ctn->fingerprint, "05", 2)) {
347 if (!digest_sha384) {
348 digest_sha384 = nc_server_tls_sha384(cert);
349 if (!digest_sha384) {
350 ret = -1;
351 goto cleanup;
352 }
353 }
354
355 if (!strcasecmp(ctn->fingerprint + 3, digest_sha384)) {
356 /* we got ourselves a potential winner! */
357 VRB(NULL, "Cert verify CTN: entry with a matching fingerprint found.");
358 map_type = ctn->map_type;
359 }
360
361 /* SHA-512 */
362 } else if (!strncmp(ctn->fingerprint, "06", 2)) {
363 if (!digest_sha512) {
364 digest_sha512 = nc_server_tls_sha512(cert);
365 if (!digest_sha512) {
366 ret = -1;
367 goto cleanup;
368 }
369 }
370
371 if (!strcasecmp(ctn->fingerprint + 3, digest_sha512)) {
372 /* we got ourselves a potential winner! */
373 VRB(NULL, "Cert verify CTN: entry with a matching fingerprint found.");
374 map_type = ctn->map_type;
375 }
376
377 /* unknown */
378 } else {
379 WRN(NULL, "Unknown fingerprint algorithm used (%s), skipping.", ctn->fingerprint);
380 continue;
381 }
382
383 if (map_type != NC_TLS_CTN_UNKNOWN) {
384 /* found a fingerprint match */
385 if (!(map_type & data->matched_ctns)) {
386 data->matched_ctns |= map_type;
387 data->matched_ctn_type[data->matched_ctn_count++] = map_type;
roman008cfe72024-04-05 12:36:18 +0200[diff] [blame]388 if (!data->username && (map_type == NC_TLS_CTN_SPECIFIED)) {
roman69962562024-04-05 12:33:39 +0200[diff] [blame]389 data->username = ctn->name; // TODO make a copy?
390 }
391 }
392 }
393 }
394
395cleanup:
396 free(digest_md5);
397 free(digest_sha1);
398 free(digest_sha224);
399 free(digest_sha256);
400 free(digest_sha384);
401 free(digest_sha512);
402 return ret;
403}
404
roman69962562024-04-05 12:33:39 +0200[diff] [blame]405int
romanebc7bba2024-04-15 14:58:39 +0200[diff] [blame]406nc_server_tls_get_username_from_cert(void *cert, NC_TLS_CTN_MAPTYPE map_type, char **username)
407{
romance435112024-04-23 15:12:09 +0200[diff] [blame]408 char *subject, *cn, *san_value = NULL, rdn_separator;
romanebc7bba2024-04-15 14:58:39 +0200[diff] [blame]409 void *sans;
410 int i, nsans = 0, rc;
411 NC_TLS_CTN_MAPTYPE san_type = 0;
412
413#ifdef HAVE_LIBMEDTLS
romance435112024-04-23 15:12:09 +0200[diff] [blame]414 rdn_separator = ',';
romanebc7bba2024-04-15 14:58:39 +0200[diff] [blame]415#else
romance435112024-04-23 15:12:09 +0200[diff] [blame]416 rdn_separator = '/';
romanebc7bba2024-04-15 14:58:39 +0200[diff] [blame]417#endif
418
419 if (map_type == NC_TLS_CTN_COMMON_NAME) {
420 subject = nc_server_tls_get_subject_wrap(cert);
421 if (!subject) {
422 return -1;
423 }
424
425 cn = strstr(subject, "CN=");
426 if (!cn) {
427 WRN(NULL, "Certificate does not include the commonName field.");
428 free(subject);
429 return 1;
430 }
431
432 /* skip "CN=" */
433 cn += 3;
434 if (strchr(cn, rdn_separator)) {
435 *strchr(cn, rdn_separator) = '\0';
436 }
437 *username = strdup(cn);
438 free(subject);
439 NC_CHECK_ERRMEM_RET(!*username, -1);
440 } else {
441 sans = nc_tls_get_sans_wrap(cert);
442 if (!sans) {
443 WRN(NULL, "Certificate has no SANs or failed to retrieve them.");
444 return 1;
445 }
446 nsans = nc_tls_get_num_sans_wrap(sans);
447
448 for (i = 0; i < nsans; i++) {
449 if ((rc = nc_tls_get_san_value_type_wrap(sans, i, &san_value, &san_type))) {
450 if (rc == -1) {
451 /* fatal error */
452 nc_tls_sans_destroy_wrap(sans);
453 return -1;
454 }
455
456 /* got a type that we dont care about */
457 continue;
458 }
459
460 if ((map_type == NC_TLS_CTN_SAN_ANY) || (map_type == san_type)) {
461 /* found a match */
462 *username = san_value;
463 break;
464 }
465 free(san_value);
466 }
467
468 nc_tls_sans_destroy_wrap(sans);
469
470 if (i == nsans) {
471 switch (map_type) {
472 case NC_TLS_CTN_SAN_RFC822_NAME:
473 WRN(NULL, "Certificate does not include the SAN rfc822Name field.");
474 break;
475 case NC_TLS_CTN_SAN_DNS_NAME:
476 WRN(NULL, "Certificate does not include the SAN dNSName field.");
477 break;
478 case NC_TLS_CTN_SAN_IP_ADDRESS:
479 WRN(NULL, "Certificate does not include the SAN iPAddress field.");
480 break;
481 case NC_TLS_CTN_SAN_ANY:
482 WRN(NULL, "Certificate does not include any relevant SAN fields.");
483 break;
484 default:
485 break;
486 }
487 return 1;
488 }
489 }
490
491 return 0;
492}
493
romance435112024-04-23 15:12:09 +0200[diff] [blame]494static int
495_nc_server_tls_verify_peer_cert(void *peer_cert, struct nc_cert_grouping *ee_certs)
496{
497 int i, ret;
498 void *cert;
499 struct nc_certificate *certs;
500 uint16_t cert_count;
501
502 if (ee_certs->store == NC_STORE_LOCAL) {
503 /* local definition */
504 certs = ee_certs->certs;
505 cert_count = ee_certs->cert_count;
506 } else {
507 /* truststore reference */
508 if (nc_server_tls_ts_ref_get_certs(ee_certs->ts_ref, &certs, &cert_count)) {
509 ERR(NULL, "Error getting end-entity certificates from the truststore reference \"%s\".", ee_certs->ts_ref);
510 return -1;
511 }
512 }
513
514 for (i = 0; i < cert_count; i++) {
515 /* import stored cert */
516 cert = nc_base64der_to_cert(certs[i].data);
517
518 /* compare stored with received */
519 ret = nc_server_tls_certs_match_wrap(peer_cert, cert);
520 nc_tls_cert_destroy_wrap(cert);
521 if (ret) {
522 /* found a match */
523 VRB(NULL, "Cert verify: fail, but the end-entity certificate is trusted, continuing.");
524 return 0;
525 }
526 }
527
528 return 1;
529}
530
531int
532nc_server_tls_verify_peer_cert(void *peer_cert, struct nc_server_tls_opts *opts)
533{
534 int rc;
535 struct nc_endpt *referenced_endpt;
536
537 rc = _nc_server_tls_verify_peer_cert(peer_cert, &opts->ee_certs);
538 if (!rc) {
539 return 0;
540 }
541
542 if (opts->referenced_endpt_name) {
543 if (nc_server_get_referenced_endpt(opts->referenced_endpt_name, &referenced_endpt)) {
544 ERRINT;
545 return -1;
546 }
547
548 rc = _nc_server_tls_verify_peer_cert(peer_cert, &referenced_endpt->opts.tls->ee_certs);
549 if (!rc) {
550 return 0;
551 }
552 }
553
554 return 1;
555}
556
romanebc7bba2024-04-15 14:58:39 +0200[diff] [blame]557int
roman69962562024-04-05 12:33:39 +0200[diff] [blame]558nc_server_tls_verify_cert(void *cert, int depth, int self_signed, struct nc_tls_verify_cb_data *cb_data)
559{
560 int ret = 0, i;
561 char *subject = NULL, *issuer = NULL;
562 struct nc_server_tls_opts *opts = cb_data->opts;
563 struct nc_session *session = cb_data->session;
564 struct nc_endpt *referenced_endpt;
565
566 subject = nc_server_tls_get_subject_wrap(cert);
567 issuer = nc_server_tls_get_issuer_wrap(cert);
568 if (!subject || !issuer) {
569 ERR(session, "Failed to get certificate's subject or issuer.");
570 ret = -1;
571 goto cleanup;
572 }
573
574 VRB(session, "Cert verify: depth %d.", depth);
575 VRB(session, "Cert verify: subject: %s.", subject);
576 VRB(session, "Cert verify: issuer: %s.", issuer);
577
578 if (depth == 0) {
579 if (self_signed) {
580 /* peer cert is not trusted, so it must match any configured end-entity cert
romanebc7bba2024-04-15 14:58:39 +0200[diff] [blame]581 * on the given endpoint in order for the client to be authenticated */
romance435112024-04-23 15:12:09 +0200[diff] [blame]582 ret = nc_server_tls_verify_peer_cert(cert, opts);
roman69962562024-04-05 12:33:39 +0200[diff] [blame]583 if (ret) {
romance435112024-04-23 15:12:09 +0200[diff] [blame]584 ERR(session, "Cert verify: fail (Client certificate not trusted and does not match any configured end-entity certificate).");
585 goto cleanup;
roman69962562024-04-05 12:33:39 +0200[diff] [blame]586 }
587 }
588 }
589
romanebc7bba2024-04-15 14:58:39 +0200[diff] [blame]590 /* get matching ctn entries */
roman69962562024-04-05 12:33:39 +0200[diff] [blame]591 ret = nc_server_tls_cert_to_name(opts->ctn, cert, &cb_data->ctn_data);
592 if (ret == -1) {
593 /* fatal error */
594 goto cleanup;
595 }
596
597 /* check the referenced endpoint's ctn entries */
598 if (opts->referenced_endpt_name) {
599 if (nc_server_get_referenced_endpt(opts->referenced_endpt_name, &referenced_endpt)) {
600 ERRINT;
601 ret = -1;
602 goto cleanup;
603 }
604
605 ret = nc_server_tls_cert_to_name(referenced_endpt->opts.tls->ctn, cert, &cb_data->ctn_data);
606 if (ret == -1) {
607 /* fatal error */
608 goto cleanup;
609 }
610 }
611
romanebc7bba2024-04-15 14:58:39 +0200[diff] [blame]612 /* obtain username from matched ctn entries */
roman69962562024-04-05 12:33:39 +0200[diff] [blame]613 if (depth == 0) {
614 for (i = 0; i < cb_data->ctn_data.matched_ctn_count; i++) {
615 if (cb_data->ctn_data.matched_ctn_type[i] == NC_TLS_CTN_SPECIFIED) {
616 session->username = strdup(cb_data->ctn_data.username);
romanebc7bba2024-04-15 14:58:39 +0200[diff] [blame]617 NC_CHECK_ERRMEM_GOTO(!session->username, ret = -1, cleanup);
roman69962562024-04-05 12:33:39 +0200[diff] [blame]618 } else {
romanebc7bba2024-04-15 14:58:39 +0200[diff] [blame]619 ret = nc_server_tls_get_username_from_cert(cert, cb_data->ctn_data.matched_ctn_type[i], &session->username);
roman69962562024-04-05 12:33:39 +0200[diff] [blame]620 if (ret == -1) {
romanebc7bba2024-04-15 14:58:39 +0200[diff] [blame]621 /* fatal error */
roman69962562024-04-05 12:33:39 +0200[diff] [blame]622 goto cleanup;
romanebc7bba2024-04-15 14:58:39 +0200[diff] [blame]623 } else if (!ret) {
624 /* username obtained */
625 break;
roman69962562024-04-05 12:33:39 +0200[diff] [blame]626 }
627 }
628 }
romanebc7bba2024-04-15 14:58:39 +0200[diff] [blame]629 if (session->username) {
630 VRB(NULL, "Cert verify CTN: new client username recognized as \"%s\".", session->username);
631 } else {
632 VRB(NULL, "Cert verify CTN: unsuccessful, dropping the new client.");
633 ret = 1;
634 goto cleanup;
635 }
roman69962562024-04-05 12:33:39 +0200[diff] [blame]636 }
637
romanebc7bba2024-04-15 14:58:39 +0200[diff] [blame]638 if (session->username && server_opts.user_verify_clb && !server_opts.user_verify_clb(session)) {
roman69962562024-04-05 12:33:39 +0200[diff] [blame]639 VRB(session, "Cert verify: user verify callback revoked authorization.");
romanebc7bba2024-04-15 14:58:39 +0200[diff] [blame]640 ret = 1;
roman69962562024-04-05 12:33:39 +0200[diff] [blame]641 goto cleanup;
642 }
643
644cleanup:
645 free(subject);
646 free(issuer);
647 return ret;
648}
649
650API const void *
651nc_session_get_client_cert(const struct nc_session *session)
652{
653 if (!session || (session->side != NC_SERVER)) {
654 ERRARG(session, "session");
655 return NULL;
656 }
657
658 return session->opts.server.client_cert;
659}
660
661API void
662nc_server_tls_set_verify_clb(int (*verify_clb)(const struct nc_session *session))
663{
664 server_opts.user_verify_clb = verify_clb;
665}
666
667int
668nc_server_tls_load_server_cert_key(struct nc_server_tls_opts *opts, void **srv_cert, void **srv_pkey)
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]669{
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]670 char *privkey_data = NULL, *cert_data = NULL;
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]671 NC_PRIVKEY_FORMAT privkey_type;
roman69962562024-04-05 12:33:39 +0200[diff] [blame]672 void *cert = NULL;
673 void *pkey = NULL;
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]674
romanebc7bba2024-04-15 14:58:39 +0200[diff] [blame]675 *srv_cert = *srv_pkey = NULL;
676
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]677 /* get data needed for setting the server cert */
678 if (opts->store == NC_STORE_LOCAL) {
679 /* local definition */
680 cert_data = opts->cert_data;
681 privkey_data = opts->privkey_data;
682 privkey_type = opts->privkey_type;
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]683 } else {
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]684 /* keystore */
roman69962562024-04-05 12:33:39 +0200[diff] [blame]685 if (nc_server_tls_ks_ref_get_cert_key(opts->key_ref, opts->cert_ref, &privkey_data, &privkey_type, &cert_data)) {
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]686 ERR(NULL, "Getting server certificate from the keystore reference \"%s\" failed.", opts->key_ref);
roman69962562024-04-05 12:33:39 +0200[diff] [blame]687 return 1;
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]688 }
689 }
romana55fee02024-03-21 16:00:48 +0100[diff] [blame]690 if (!cert_data || !privkey_data) {
691 ERR(NULL, "Server certificate not configured.");
romanbc541a82024-04-25 14:56:35 +0200[diff] [blame]692 return 1;
romana55fee02024-03-21 16:00:48 +0100[diff] [blame]693 }
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]694
roman69962562024-04-05 12:33:39 +0200[diff] [blame]695 cert = nc_base64der_to_cert(cert_data);
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]696 if (!cert) {
roman69962562024-04-05 12:33:39 +0200[diff] [blame]697 return 1;
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]698 }
699
romanebc7bba2024-04-15 14:58:39 +0200[diff] [blame]700 pkey = nc_base64der_to_privkey(privkey_data, nc_privkey_format_to_str(privkey_type));
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]701 if (!pkey) {
roman69962562024-04-05 12:33:39 +0200[diff] [blame]702 nc_tls_cert_destroy_wrap(cert);
703 return 1;
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]704 }
705
roman69962562024-04-05 12:33:39 +0200[diff] [blame]706 *srv_cert = cert;
707 *srv_pkey = pkey;
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]708 return 0;
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]709}
710
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]711static size_t
712nc_server_tls_curl_cb(char *ptr, size_t size, size_t nmemb, void *userdata)
713{
714 struct nc_curl_data *data;
715
716 size = nmemb;
717
718 data = (struct nc_curl_data *)userdata;
719
720 data->data = nc_realloc(data->data, data->size + size);
roman3a95bb22023-10-26 11:07:17 +0200[diff] [blame]721 NC_CHECK_ERRMEM_RET(!data->data, 0);
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]722
723 memcpy(&data->data[data->size], ptr, size);
724 data->size += size;
725
726 return size;
727}
728
729static int
roman69962562024-04-05 12:33:39 +0200[diff] [blame]730nc_server_tls_curl_fetch(CURL *handle, const char *url)
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]731{
732 char err_buf[CURL_ERROR_SIZE];
733
734 /* set uri */
735 if (curl_easy_setopt(handle, CURLOPT_URL, url)) {
roman69962562024-04-05 12:33:39 +0200[diff] [blame]736 ERR(NULL, "Setting URI \"%s\" to download CRL from failed.", url);
romanebc7bba2024-04-15 14:58:39 +0200[diff] [blame]737 return 1;
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]738 }
739
740 /* set err buf */
roman134783b2023-11-09 12:41:45 +0100[diff] [blame]741 if (curl_easy_setopt(handle, CURLOPT_ERRORBUFFER, err_buf)) {
roman69962562024-04-05 12:33:39 +0200[diff] [blame]742 ERR(NULL, "Setting CURL error buffer option failed.");
romanebc7bba2024-04-15 14:58:39 +0200[diff] [blame]743 return 1;
roman134783b2023-11-09 12:41:45 +0100[diff] [blame]744 }
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]745
746 /* download */
747 if (curl_easy_perform(handle)) {
roman69962562024-04-05 12:33:39 +0200[diff] [blame]748 ERR(NULL, "Downloading CRL from \"%s\" failed (%s).", url, err_buf);
romanebc7bba2024-04-15 14:58:39 +0200[diff] [blame]749 return 1;
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]750 }
751
752 return 0;
753}
754
755static int
roman69962562024-04-05 12:33:39 +0200[diff] [blame]756nc_server_tls_curl_init(CURL **handle, struct nc_curl_data *data)
757{
758 NC_CHECK_ARG_RET(NULL, handle, data, -1);
759
760 *handle = NULL;
761
762 *handle = curl_easy_init();
763 if (!*handle) {
764 ERR(NULL, "Initializing CURL failed.");
romanebc7bba2024-04-15 14:58:39 +0200[diff] [blame]765 return 1;
roman69962562024-04-05 12:33:39 +0200[diff] [blame]766 }
767
768 if (curl_easy_setopt(*handle, CURLOPT_WRITEFUNCTION, nc_server_tls_curl_cb)) {
769 ERR(NULL, "Setting curl callback failed.");
romanebc7bba2024-04-15 14:58:39 +0200[diff] [blame]770 return 1;
roman69962562024-04-05 12:33:39 +0200[diff] [blame]771 }
772
773 if (curl_easy_setopt(*handle, CURLOPT_WRITEDATA, data)) {
774 ERR(NULL, "Setting curl callback data failed.");
romanebc7bba2024-04-15 14:58:39 +0200[diff] [blame]775 return 1;
roman69962562024-04-05 12:33:39 +0200[diff] [blame]776 }
777
778 return 0;
779}
780
781static int
romance435112024-04-23 15:12:09 +0200[diff] [blame]782nc_server_tls_crl_path(const char *path, void *crl_store)
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]783{
romance435112024-04-23 15:12:09 +0200[diff] [blame]784 return nc_tls_import_crl_path_wrap(path, crl_store);
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]785}
786
787static int
romance435112024-04-23 15:12:09 +0200[diff] [blame]788nc_server_tls_crl_url(const char *url, void *crl_store)
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]789{
790 int ret = 0;
791 CURL *handle = NULL;
792 struct nc_curl_data downloaded = {0};
793
794 /* init curl */
roman69962562024-04-05 12:33:39 +0200[diff] [blame]795 ret = nc_server_tls_curl_init(&handle, &downloaded);
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]796 if (ret) {
797 goto cleanup;
798 }
799
roman69962562024-04-05 12:33:39 +0200[diff] [blame]800 VRB(NULL, "Downloading CRL from \"%s\".", url);
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]801
802 /* download the CRL */
roman69962562024-04-05 12:33:39 +0200[diff] [blame]803 ret = nc_server_tls_curl_fetch(handle, url);
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]804 if (ret) {
805 goto cleanup;
806 }
807
808 /* convert the downloaded data to CRL and add it to the store */
romance435112024-04-23 15:12:09 +0200[diff] [blame]809 ret = nc_server_tls_add_crl_to_store_wrap(downloaded.data, downloaded.size, crl_store);
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]810 if (ret) {
811 goto cleanup;
812 }
813
814cleanup:
815 curl_easy_cleanup(handle);
816 return ret;
817}
818
romanebc7bba2024-04-15 14:58:39 +0200[diff] [blame]819static int
820nc_server_tls_crl_cert_ext(void *cert_store, void *crl_store)
821{
822 int ret = 0;
823 CURL *handle = NULL;
824 struct nc_curl_data downloaded = {0};
825 char **uris = NULL;
826 int uri_count = 0, i;
827
828 /* init curl */
829 ret = nc_server_tls_curl_init(&handle, &downloaded);
830 if (ret) {
831 goto cleanup;
832 }
833
834 /* get all the uris we can, even though some may point to the same CRL */
835 ret = nc_server_tls_get_crl_distpoint_uris_wrap(cert_store, &uris, &uri_count);
836 if (ret) {
837 goto cleanup;
838 }
839
840 for (i = 0; i < uri_count; i++) {
841 VRB(NULL, "Downloading CRL from \"%s\".", uris[i]);
842 ret = nc_server_tls_curl_fetch(handle, uris[i]);
843 if (ret) {
844 /* failed to download the CRL from this entry, try the next entry */
845 WRN(NULL, "Failed to fetch CRL from \"%s\".", uris[i]);
846 continue;
847 }
848
849 /* convert the downloaded data to CRL and add it to the store */
romance435112024-04-23 15:12:09 +0200[diff] [blame]850 ret = nc_server_tls_add_crl_to_store_wrap(downloaded.data, downloaded.size, crl_store);
romanebc7bba2024-04-15 14:58:39 +0200[diff] [blame]851 if (ret) {
852 goto cleanup;
853 }
854 }
855
856cleanup:
857 for (i = 0; i < uri_count; i++) {
858 free(uris[i]);
859 }
860 free(uris);
861 curl_easy_cleanup(handle);
862 return ret;
863}
864
roman69962562024-04-05 12:33:39 +0200[diff] [blame]865int
866nc_server_tls_load_crl(struct nc_server_tls_opts *opts, void *cert_store, void *crl_store)
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]867{
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]868 if (opts->crl_path) {
romance435112024-04-23 15:12:09 +0200[diff] [blame]869 if (nc_server_tls_crl_path(opts->crl_path, crl_store)) {
roman69962562024-04-05 12:33:39 +0200[diff] [blame]870 return 1;
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]871 }
872 } else if (opts->crl_url) {
romance435112024-04-23 15:12:09 +0200[diff] [blame]873 if (nc_server_tls_crl_url(opts->crl_url, crl_store)) {
roman69962562024-04-05 12:33:39 +0200[diff] [blame]874 return 1;
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]875 }
876 } else {
roman69962562024-04-05 12:33:39 +0200[diff] [blame]877 if (nc_server_tls_crl_cert_ext(cert_store, crl_store)) {
878 return 1;
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]879 }
880 }
881
882 return 0;
roman69962562024-04-05 12:33:39 +0200[diff] [blame]883}
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]884
roman69962562024-04-05 12:33:39 +0200[diff] [blame]885int
886nc_server_tls_load_trusted_certs(struct nc_cert_grouping *ca_certs, void *cert_store)
887{
888 struct nc_certificate *certs;
889 uint16_t i, cert_count;
romance435112024-04-23 15:12:09 +0200[diff] [blame]890 void *cert;
roman69962562024-04-05 12:33:39 +0200[diff] [blame]891
892 if (ca_certs->store == NC_STORE_LOCAL) {
893 /* local definition */
894 certs = ca_certs->certs;
895 cert_count = ca_certs->cert_count;
896 } else {
897 /* truststore */
898 if (nc_server_tls_ts_ref_get_certs(ca_certs->ts_ref, &certs, &cert_count)) {
899 ERR(NULL, "Error getting certificate-authority certificates from the truststore reference \"%s\".", ca_certs->ts_ref);
900 return 1;
901 }
902 }
903
904 for (i = 0; i < cert_count; i++) {
romance435112024-04-23 15:12:09 +0200[diff] [blame]905 /* parse data into cert */
906 cert = nc_base64der_to_cert(certs[i].data);
907 if (!cert) {
908 return 1;
909 }
910
911 /* store cert in cert store */
912 if (nc_tls_add_cert_to_store_wrap(cert, cert_store)) {
913 nc_tls_cert_destroy_wrap(cert);
roman69962562024-04-05 12:33:39 +0200[diff] [blame]914 return 1;
915 }
916 }
917
918 return 0;
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]919}
920
921static int
roman69962562024-04-05 12:33:39 +0200[diff] [blame]922nc_server_tls_accept_check(int accept_ret, void *tls_session)
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]923{
roman69962562024-04-05 12:33:39 +0200[diff] [blame]924 uint32_t verify;
romanebc7bba2024-04-15 14:58:39 +0200[diff] [blame]925 char *err;
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]926
927 /* check certificate verification result */
roman69962562024-04-05 12:33:39 +0200[diff] [blame]928 verify = nc_tls_get_verify_result_wrap(tls_session);
roman008cfe72024-04-05 12:36:18 +0200[diff] [blame]929 if (!verify && (accept_ret == 1)) {
roman69962562024-04-05 12:33:39 +0200[diff] [blame]930 VRB(NULL, "Client certificate verified.");
romanebc7bba2024-04-15 14:58:39 +0200[diff] [blame]931 } else if (verify) {
932 err = nc_tls_verify_error_string_wrap(verify);
933 ERR(NULL, "Client certificate error (%s).", err);
934 free(err);
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]935 }
936
937 if (accept_ret != 1) {
romance435112024-04-23 15:12:09 +0200[diff] [blame]938 nc_server_tls_print_accept_err_wrap(accept_ret, tls_session);
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]939 }
940
941 return accept_ret;
942}
943
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]944int
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]945nc_accept_tls_session(struct nc_session *session, struct nc_server_tls_opts *opts, int sock, int timeout)
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]946{
roman69962562024-04-05 12:33:39 +0200[diff] [blame]947 int rc, timeouted = 0;
roman6ece9c52022-06-22 09:29:17 +0200[diff] [blame]948 struct timespec ts_timeout;
roman69962562024-04-05 12:33:39 +0200[diff] [blame]949 struct nc_tls_verify_cb_data cb_data = {0};
950 struct nc_endpt *referenced_endpt;
951 void *tls_cfg, *srv_cert, *srv_pkey, *cert_store, *crl_store;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]952
roman69962562024-04-05 12:33:39 +0200[diff] [blame]953 tls_cfg = srv_cert = srv_pkey = cert_store = crl_store = NULL;
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]954
roman69962562024-04-05 12:33:39 +0200[diff] [blame]955 /* set verify cb data */
956 cb_data.session = session;
957 cb_data.opts = opts;
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]958
roman69962562024-04-05 12:33:39 +0200[diff] [blame]959 /* prepare TLS context from which a session will be created */
romance435112024-04-23 15:12:09 +0200[diff] [blame]960 tls_cfg = nc_tls_config_new_wrap(NC_SERVER);
roman69962562024-04-05 12:33:39 +0200[diff] [blame]961 if (!tls_cfg) {
962 goto fail;
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]963 }
964
roman69962562024-04-05 12:33:39 +0200[diff] [blame]965 /* opaque CA/CRL certificate store */
966 cert_store = nc_tls_cert_store_new_wrap();
967 if (!cert_store) {
968 goto fail;
969 }
970
971 /* load server's key and certificate */
972 if (nc_server_tls_load_server_cert_key(opts, &srv_cert, &srv_pkey)) {
973 ERR(session, "Loading server certificate and/or private key failed.");
974 goto fail;
975 }
976
977 /* load trusted CA certificates */
978 if (nc_server_tls_load_trusted_certs(&opts->ca_certs, cert_store)) {
979 ERR(session, "Loading server CA certs failed.");
980 goto fail;
981 }
982
983 /* load referenced endpoint's trusted CA certs if set */
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]984 if (opts->referenced_endpt_name) {
romanebc7bba2024-04-15 14:58:39 +0200[diff] [blame]985 if (nc_server_get_referenced_endpt(opts->referenced_endpt_name, &referenced_endpt)) {
986 ERR(session, "Referenced endpoint \"%s\" not found.", opts->referenced_endpt_name);
987 goto fail;
988 }
989
roman69962562024-04-05 12:33:39 +0200[diff] [blame]990 if (nc_server_tls_load_trusted_certs(&referenced_endpt->opts.tls->ca_certs, cert_store)) {
991 ERR(session, "Loading server CA certs from referenced endpoint failed.");
992 goto fail;
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]993 }
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]994 }
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]995
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]996 if (opts->crl_path || opts->crl_url || opts->crl_cert_ext) {
roman69962562024-04-05 12:33:39 +0200[diff] [blame]997 /* opaque CRL store */
998 crl_store = nc_tls_crl_store_new_wrap();
999 if (!crl_store) {
1000 goto fail;
1001 }
1002
1003 /* load CRLs into one of the stores */
1004 if (nc_server_tls_load_crl(opts, cert_store, crl_store)) {
1005 ERR(session, "Loading server CRL failed.");
1006 goto fail;
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1007 }
1008 }
1009
roman69962562024-04-05 12:33:39 +0200[diff] [blame]1010 /* set supported TLS versions */
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]1011 if (opts->tls_versions) {
roman69962562024-04-05 12:33:39 +0200[diff] [blame]1012 if (nc_server_tls_set_tls_versions_wrap(tls_cfg, opts->tls_versions)) {
1013 ERR(session, "Setting supported server TLS versions failed.");
1014 goto fail;
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]1015 }
1016 }
1017
romanebc7bba2024-04-15 14:58:39 +0200[diff] [blame]1018 /* set supported cipher suites */
1019 if (opts->ciphers) {
1020 nc_server_tls_set_cipher_suites_wrap(tls_cfg, opts->ciphers);
1021 }
1022
romance435112024-04-23 15:12:09 +0200[diff] [blame]1023 /* set verify flags, callback and its data */
1024 nc_server_tls_set_verify_wrap(tls_cfg, &cb_data);
1025
roman69962562024-04-05 12:33:39 +0200[diff] [blame]1026 /* init TLS context and store data which may be needed later in it */
romance435112024-04-23 15:12:09 +0200[diff] [blame]1027 if (nc_tls_init_ctx_wrap(sock, srv_cert, srv_pkey, cert_store, crl_store, &session->ti.tls.ctx)) {
roman69962562024-04-05 12:33:39 +0200[diff] [blame]1028 goto fail;
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]1029 }
1030
roman69962562024-04-05 12:33:39 +0200[diff] [blame]1031 /* memory is managed by context now */
1032 srv_cert = srv_pkey = cert_store = crl_store = NULL;
1033
1034 /* setup config from ctx */
romance435112024-04-23 15:12:09 +0200[diff] [blame]1035 if (nc_tls_setup_config_from_ctx_wrap(&session->ti.tls.ctx, NC_SERVER, tls_cfg)) {
roman69962562024-04-05 12:33:39 +0200[diff] [blame]1036 goto fail;
romance435112024-04-23 15:12:09 +0200[diff] [blame]1037 }
romanebc7bba2024-04-15 14:58:39 +0200[diff] [blame]1038 session->ti.tls.config = tls_cfg;
1039 tls_cfg = NULL;
roman69962562024-04-05 12:33:39 +0200[diff] [blame]1040
1041 /* fill session data and create TLS session from config */
romanebc7bba2024-04-15 14:58:39 +0200[diff] [blame]1042 session->ti_type = NC_TI_TLS;
1043 if (!(session->ti.tls.session = nc_tls_session_new_wrap(session->ti.tls.config))) {
roman69962562024-04-05 12:33:39 +0200[diff] [blame]1044 goto fail;
1045 }
roman69962562024-04-05 12:33:39 +0200[diff] [blame]1046
roman69962562024-04-05 12:33:39 +0200[diff] [blame]1047 /* set session fd */
1048 nc_server_tls_set_fd_wrap(session->ti.tls.session, sock, &session->ti.tls.ctx);
1049
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1050 sock = -1;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1051
roman69962562024-04-05 12:33:39 +0200[diff] [blame]1052 /* do the handshake */
Michal Vasko36c7be82017-02-22 13:37:59 +0100[diff] [blame]1053 if (timeout > -1) {
Michal Vaskod8a74192023-02-06 15:51:50 +0100[diff] [blame]1054 nc_timeouttime_get(&ts_timeout, timeout);
Michal Vasko36c7be82017-02-22 13:37:59 +0100[diff] [blame]1055 }
roman69962562024-04-05 12:33:39 +0200[diff] [blame]1056 while ((rc = nc_server_tls_handshake_step_wrap(session->ti.tls.session)) == 0) {
Michal Vasko0190bc32016-03-02 15:47:49 +0100[diff] [blame]1057 usleep(NC_TIMEOUT_STEP);
Michal Vaskod8a74192023-02-06 15:51:50 +0100[diff] [blame]1058 if ((timeout > -1) && (nc_timeouttime_cur_diff(&ts_timeout) < 1)) {
roman69962562024-04-05 12:33:39 +0200[diff] [blame]1059 ERR(session, "TLS accept timeout.");
1060 timeouted = 1;
1061 goto fail;
Michal Vasko0190bc32016-03-02 15:47:49 +0100[diff] [blame]1062 }
1063 }
roman69962562024-04-05 12:33:39 +0200[diff] [blame]1064
1065 /* check if handshake was ok */
1066 if (nc_server_tls_accept_check(rc, session->ti.tls.session) != 1) {
1067 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1068 }
1069
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1070 return 1;
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1071
roman69962562024-04-05 12:33:39 +0200[diff] [blame]1072fail:
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1073 if (sock > -1) {
1074 close(sock);
1075 }
roman69962562024-04-05 12:33:39 +0200[diff] [blame]1076
romanebc7bba2024-04-15 14:58:39 +0200[diff] [blame]1077 nc_tls_config_destroy_wrap(tls_cfg);
1078 nc_tls_cert_destroy_wrap(srv_cert);
1079 nc_tls_privkey_destroy_wrap(srv_pkey);
1080 nc_tls_cert_store_destroy_wrap(cert_store);
1081 nc_tls_crl_store_destroy_wrap(crl_store);
roman69962562024-04-05 12:33:39 +0200[diff] [blame]1082
1083 if (timeouted) {
1084 return 0;
1085 } else {
1086 return -1;
1087 }
Michal Vasko9e036d52016-01-08 10:49:26 +0100[diff] [blame]1088}