Gitiles
Code Review Sign In
gerrit.cesnet.cz / github / CESNET / libnetconf2 / 0be5dff7e07979bd30b693b2f7875fca710c1ce6 / . / src / session_server_tls.c
blob: 45a065b23fa76c9f5049411f4d4a91079bcb9b36 [file] [log] [blame]
Radek Krejci5da708a2015-09-01 17:33:23 +0200[diff] [blame]1/**
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]2 * \file session_server_tls.c
3 * \author Michal Vasko <mvasko@cesnet.cz>
4 * \brief libnetconf2 TLS server session manipulation functions
Radek Krejci5da708a2015-09-01 17:33:23 +0200[diff] [blame]5 *
6 * Copyright (c) 2015 CESNET, z.s.p.o.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in
15 * the documentation and/or other materials provided with the
16 * distribution.
17 * 3. Neither the name of the Company nor the names of its contributors
18 * may be used to endorse or promote products derived from this
19 * software without specific prior written permission.
20 *
21 */
22
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]23#define _GNU_SOURCE
24
25#include <string.h>
26#include <poll.h>
Michal Vaskof0537d82016-01-29 14:42:38 +0100[diff] [blame]27#include <unistd.h>
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]28
29#include <openssl/ssl.h>
30#include <openssl/evp.h>
31#include <openssl/err.h>
32#include <openssl/x509v3.h>
33
Michal Vasko11d142a2016-01-19 15:58:24 +0100[diff] [blame]34#include "session_server.h"
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]35#include "session_server_ch.h"
36#include "libnetconf.h"
Radek Krejci5da708a2015-09-01 17:33:23 +0200[diff] [blame]37
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]38struct nc_server_tls_opts tls_ch_opts;
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]39pthread_mutex_t tls_ch_opts_lock = PTHREAD_MUTEX_INITIALIZER;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]40extern struct nc_server_opts server_opts;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]41
Michal Vasko5c2f7952016-01-22 13:16:31 +0100[diff] [blame]42static pthread_key_t verify_key;
43static pthread_once_t verify_once = PTHREAD_ONCE_INIT;
44
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]45static char *
46asn1time_to_str(ASN1_TIME *t)
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]47{
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]48 char *cp;
49 BIO *bio;
50 int n;
Radek Krejci5da708a2015-09-01 17:33:23 +0200[diff] [blame]51
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]52 if (!t) {
53 return NULL;
54 }
55 bio = BIO_new(BIO_s_mem());
56 if (!bio) {
57 return NULL;
58 }
59 ASN1_TIME_print(bio, t);
60 n = BIO_pending(bio);
61 cp = malloc(n + 1);
62 n = BIO_read(bio, cp, n);
63 if (n < 0) {
64 BIO_free(bio);
65 free(cp);
66 return NULL;
67 }
68 cp[n] = '\0';
69 BIO_free(bio);
70 return cp;
71}
72
73static void
74digest_to_str(const unsigned char *digest, unsigned int dig_len, char **str)
75{
76 unsigned int i;
77
78 *str = malloc(dig_len * 3);
79 for (i = 0; i < dig_len - 1; ++i) {
80 sprintf((*str) + (i * 3), "%02x:", digest[i]);
81 }
82 sprintf((*str) + (i * 3), "%02x", digest[i]);
83}
84
85/* return NULL - SSL error can be retrieved */
86static X509 *
87base64der_to_cert(const char *in)
88{
89 X509 *out;
90 char *buf;
91 BIO *bio;
92
93 if (in == NULL) {
94 return NULL;
95 }
96
97 if (asprintf(&buf, "%s%s%s", "-----BEGIN CERTIFICATE-----\n", in, "\n-----END CERTIFICATE-----") == -1) {
98 return NULL;
99 }
100 bio = BIO_new_mem_buf(buf, strlen(buf));
101 if (!bio) {
102 free(buf);
103 return NULL;
104 }
105
106 out = PEM_read_bio_X509(bio, NULL, NULL, NULL);
107 if (!out) {
108 free(buf);
109 BIO_free(bio);
110 return NULL;
111 }
112
113 free(buf);
114 BIO_free(bio);
115 return out;
116}
117
118/* return NULL - either errno or SSL error */
119static X509 *
120pem_to_cert(const char *path)
121{
122 FILE *fp;
123 X509 *out;
124
125 fp = fopen(path, "r");
126 if (!fp) {
127 return NULL;
128 }
129
130 out = PEM_read_X509(fp, NULL, NULL, NULL);
131 fclose(fp);
132 return out;
133}
134
135static EVP_PKEY *
136base64der_to_privatekey(const char *in, int rsa)
137{
138 EVP_PKEY *out;
139 char *buf;
140 BIO *bio;
141
142 if (in == NULL) {
143 return NULL;
144 }
145
146 if (asprintf(&buf, "%s%s%s%s%s%s%s", "-----BEGIN ", (rsa ? "RSA" : "DSA"), " PRIVATE KEY-----\n", in, "\n-----END ", (rsa ? "RSA" : "DSA"), " PRIVATE KEY-----") == -1) {
147 return NULL;
148 }
149 bio = BIO_new_mem_buf(buf, strlen(buf));
150 if (!bio) {
151 free(buf);
152 return NULL;
153 }
154
155 out = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);
156 if (!out) {
157 free(buf);
158 BIO_free(bio);
159 return NULL;
160 }
161
162 free(buf);
163 BIO_free(bio);
164 return out;
165}
166
167static int
168cert_pubkey_match(X509 *cert1, X509 *cert2)
169{
170 ASN1_BIT_STRING *bitstr1, *bitstr2;
171
172 bitstr1 = X509_get0_pubkey_bitstr(cert1);
173 bitstr2 = X509_get0_pubkey_bitstr(cert2);
174
175 if (!bitstr1 || !bitstr2 || (bitstr1->length != bitstr2->length) ||
176 memcmp(bitstr1->data, bitstr2->data, bitstr1->length)) {
177 return 0;
178 }
179
180 return 1;
181}
182
183static int
184nc_tls_ctn_get_username_from_cert(X509 *client_cert, NC_TLS_CTN_MAPTYPE map_type, char **username)
185{
186 STACK_OF(GENERAL_NAME) *san_names;
187 GENERAL_NAME *san_name;
188 ASN1_OCTET_STRING *ip;
189 int i, san_count;
190 char *subject, *common_name;
191
192 if (map_type == NC_TLS_CTN_COMMON_NAME) {
193 subject = X509_NAME_oneline(X509_get_subject_name(client_cert), NULL, 0);
194 common_name = strstr(subject, "CN=");
195 if (!common_name) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]196 WRN("Certificate does not include the commonName field.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]197 free(subject);
198 return 1;
199 }
200 common_name += 3;
201 if (strchr(common_name, '/')) {
202 *strchr(common_name, '/') = '\0';
203 }
204 *username = strdup(common_name);
205 free(subject);
206 } else {
207 /* retrieve subjectAltName's rfc822Name (email), dNSName and iPAddress values */
208 san_names = X509_get_ext_d2i(client_cert, NID_subject_alt_name, NULL, NULL);
209 if (!san_names) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]210 WRN("Certificate has no SANs or failed to retrieve them.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]211 return 1;
212 }
213
214 san_count = sk_GENERAL_NAME_num(san_names);
215 for (i = 0; i < san_count; ++i) {
216 san_name = sk_GENERAL_NAME_value(san_names, i);
217
218 /* rfc822Name (email) */
219 if ((map_type == NC_TLS_CTN_SAN_ANY || map_type == NC_TLS_CTN_SAN_RFC822_NAME) &&
220 san_name->type == GEN_EMAIL) {
221 *username = strdup((char *)ASN1_STRING_data(san_name->d.rfc822Name));
222 break;
223 }
224
225 /* dNSName */
226 if ((map_type == NC_TLS_CTN_SAN_ANY || map_type == NC_TLS_CTN_SAN_DNS_NAME) &&
227 san_name->type == GEN_DNS) {
228 *username = strdup((char *)ASN1_STRING_data(san_name->d.dNSName));
229 break;
230 }
231
232 /* iPAddress */
233 if ((map_type == NC_TLS_CTN_SAN_ANY || map_type == NC_TLS_CTN_SAN_IP_ADDRESS) &&
234 san_name->type == GEN_IPADD) {
235 ip = san_name->d.iPAddress;
236 if (ip->length == 4) {
237 if (asprintf(username, "%d.%d.%d.%d", ip->data[0], ip->data[1], ip->data[2], ip->data[3]) == -1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]238 ERRMEM;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]239 sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);
240 return -1;
241 }
242 break;
243 } else if (ip->length == 16) {
244 if (asprintf(username, "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
245 ip->data[0], ip->data[1], ip->data[2], ip->data[3], ip->data[4], ip->data[5],
246 ip->data[6], ip->data[7], ip->data[8], ip->data[9], ip->data[10], ip->data[11],
247 ip->data[12], ip->data[13], ip->data[14], ip->data[15]) == -1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]248 ERRMEM;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]249 sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);
250 return -1;
251 }
252 break;
253 } else {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]254 WRN("SAN IP address in an unknown format (length is %d).", ip->length);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]255 }
256 }
257 }
258 sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);
259
260 if (i < san_count) {
261 switch (map_type) {
262 case NC_TLS_CTN_SAN_RFC822_NAME:
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]263 WRN("Certificate does not include the SAN rfc822Name field.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]264 break;
265 case NC_TLS_CTN_SAN_DNS_NAME:
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]266 WRN("Certificate does not include the SAN dNSName field.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]267 break;
268 case NC_TLS_CTN_SAN_IP_ADDRESS:
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]269 WRN("Certificate does not include the SAN iPAddress field.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]270 break;
271 case NC_TLS_CTN_SAN_ANY:
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]272 WRN("Certificate does not include any relevant SAN fields.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]273 break;
274 default:
275 break;
276 }
277 return 1;
278 }
279 }
280
281 return 0;
282}
283
284/* return: 0 - OK, 1 - no match, -1 - error */
285static int
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]286nc_tls_cert_to_name(struct nc_ctn *ctn_first, X509 *cert, NC_TLS_CTN_MAPTYPE *map_type, const char **name)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]287{
288 char *digest_md5 = NULL, *digest_sha1 = NULL, *digest_sha224 = NULL;
289 char *digest_sha256 = NULL, *digest_sha384 = NULL, *digest_sha512 = NULL;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]290 unsigned char *buf = malloc(64);
291 unsigned int buf_len = 64;
292 int ret = 0;
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]293 struct nc_ctn *ctn;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]294
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]295 if (!ctn_first || !cert || !map_type || !name) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]296 free(buf);
297 return -1;
298 }
299
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]300 for (ctn = ctn_first; ctn; ctn = ctn->next) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]301 /* MD5 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]302 if (!strncmp(ctn->fingerprint, "01", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]303 if (!digest_md5) {
304 if (X509_digest(cert, EVP_md5(), buf, &buf_len) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]305 ERR("Calculating MD5 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]306 ret = -1;
307 goto cleanup;
308 }
309 digest_to_str(buf, buf_len, &digest_md5);
310 }
311
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]312 if (!strcasecmp(ctn->fingerprint + 3, digest_md5)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]313 /* we got ourselves a winner! */
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]314 VRB("Cert verify CTN: entry with a matching fingerprint found.");
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]315 *map_type = ctn->map_type;
316 if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
317 *name = ctn->name;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]318 }
319 break;
320 }
321
322 /* SHA-1 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]323 } else if (!strncmp(ctn->fingerprint, "02", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]324 if (!digest_sha1) {
325 if (X509_digest(cert, EVP_sha1(), buf, &buf_len) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]326 ERR("Calculating SHA-1 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]327 ret = -1;
328 goto cleanup;
329 }
330 digest_to_str(buf, buf_len, &digest_sha1);
331 }
332
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]333 if (!strcasecmp(ctn->fingerprint + 3, digest_sha1)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]334 /* we got ourselves a winner! */
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]335 VRB("Cert verify CTN: entry with a matching fingerprint found.");
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]336 *map_type = ctn->map_type;
337 if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
338 *name = ctn->name;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]339 }
340 break;
341 }
342
343 /* SHA-224 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]344 } else if (!strncmp(ctn->fingerprint, "03", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]345 if (!digest_sha224) {
346 if (X509_digest(cert, EVP_sha224(), buf, &buf_len) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]347 ERR("Calculating SHA-224 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]348 ret = -1;
349 goto cleanup;
350 }
351 digest_to_str(buf, buf_len, &digest_sha224);
352 }
353
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]354 if (!strcasecmp(ctn->fingerprint + 3, digest_sha224)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]355 /* we got ourselves a winner! */
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]356 VRB("Cert verify CTN: entry with a matching fingerprint found.");
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]357 *map_type = ctn->map_type;
358 if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
359 *name = ctn->name;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]360 }
361 break;
362 }
363
364 /* SHA-256 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]365 } else if (!strncmp(ctn->fingerprint, "04", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]366 if (!digest_sha256) {
367 if (X509_digest(cert, EVP_sha256(), buf, &buf_len) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]368 ERR("Calculating SHA-256 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]369 ret = -1;
370 goto cleanup;
371 }
372 digest_to_str(buf, buf_len, &digest_sha256);
373 }
374
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]375 if (!strcasecmp(ctn->fingerprint + 3, digest_sha256)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]376 /* we got ourselves a winner! */
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]377 VRB("Cert verify CTN: entry with a matching fingerprint found.");
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]378 *map_type = ctn->map_type;
379 if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
380 *name = ctn->name;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]381 }
382 break;
383 }
384
385 /* SHA-384 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]386 } else if (!strncmp(ctn->fingerprint, "05", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]387 if (!digest_sha384) {
388 if (X509_digest(cert, EVP_sha384(), buf, &buf_len) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]389 ERR("Calculating SHA-384 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]390 ret = -1;
391 goto cleanup;
392 }
393 digest_to_str(buf, buf_len, &digest_sha384);
394 }
395
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]396 if (!strcasecmp(ctn->fingerprint + 3, digest_sha384)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]397 /* we got ourselves a winner! */
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]398 VRB("Cert verify CTN: entry with a matching fingerprint found.");
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]399 *map_type = ctn->map_type;
400 if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
401 *name = ctn->name;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]402 }
403 break;
404 }
405
406 /* SHA-512 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]407 } else if (!strncmp(ctn->fingerprint, "06", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]408 if (!digest_sha512) {
409 if (X509_digest(cert, EVP_sha512(), buf, &buf_len) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]410 ERR("Calculating SHA-512 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]411 ret = -1;
412 goto cleanup;
413 }
414 digest_to_str(buf, buf_len, &digest_sha512);
415 }
416
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]417 if (!strcasecmp(ctn->fingerprint + 3, digest_sha512)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]418 /* we got ourselves a winner! */
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]419 VRB("Cert verify CTN: entry with a matching fingerprint found.");
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]420 *map_type = ctn->map_type;
421 if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
422 *name = ctn->name;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]423 }
424 break;
425 }
426
427 /* unknown */
428 } else {
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]429 WRN("Unknown fingerprint algorithm used (%s), skipping.", ctn->fingerprint);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]430 }
431 }
432
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]433 if (!ctn) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]434 ret = 1;
435 }
436
437cleanup:
438 free(digest_md5);
439 free(digest_sha1);
440 free(digest_sha224);
441 free(digest_sha256);
442 free(digest_sha384);
443 free(digest_sha512);
444 free(buf);
445 return ret;
446}
447
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]448static int
449nc_tlsclb_verify(int preverify_ok, X509_STORE_CTX *x509_ctx)
450{
451 X509_STORE_CTX store_ctx;
452 X509_OBJECT obj;
453 X509_NAME *subject;
454 X509_NAME *issuer;
455 X509 *cert;
456 X509_CRL *crl;
457 X509_REVOKED *revoked;
458 STACK_OF(X509) *cert_stack;
459 EVP_PKEY *pubkey;
460 struct nc_session* session;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]461 struct nc_server_tls_opts *opts;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]462 long serial;
463 int i, n, rc, depth;
464 char *cp;
465 const char *username = NULL;
466 NC_TLS_CTN_MAPTYPE map_type = 0;
467 ASN1_TIME *last_update = NULL, *next_update = NULL;
468
Michal Vasko6d292992016-01-18 09:42:38 +0100[diff] [blame]469 /* get the thread session */
Michal Vasko5c2f7952016-01-22 13:16:31 +0100[diff] [blame]470 session = pthread_getspecific(verify_key);
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]471 if (!session) {
472 ERRINT;
473 return 0;
474 }
475
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]476 opts = session->ti_opts;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]477
478 /* get the last certificate, that is the peer (client) certificate */
Michal Vasko06e22432016-01-15 10:30:06 +0100[diff] [blame]479 if (!session->tls_cert) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]480 cert_stack = X509_STORE_CTX_get1_chain(x509_ctx);
481 /* TODO all that is needed, but function X509_up_ref not present in older OpenSSL versions
482 session->cert = sk_X509_value(cert_stack, sk_X509_num(cert_stack) - 1);
483 X509_up_ref(session->cert);
484 sk_X509_pop_free(cert_stack, X509_free); */
485 while ((cert = sk_X509_pop(cert_stack))) {
Michal Vasko06e22432016-01-15 10:30:06 +0100[diff] [blame]486 X509_free(session->tls_cert);
487 session->tls_cert = cert;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]488 }
489 sk_X509_pop_free(cert_stack, X509_free);
490 }
491
492 /* standard certificate verification failed, so a trusted client cert must match to continue */
493 if (!preverify_ok) {
Michal Vasko06e22432016-01-15 10:30:06 +0100[diff] [blame]494 subject = X509_get_subject_name(session->tls_cert);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]495 cert_stack = X509_STORE_get1_certs(x509_ctx, subject);
496 if (cert_stack) {
497 for (i = 0; i < sk_X509_num(cert_stack); ++i) {
Michal Vasko06e22432016-01-15 10:30:06 +0100[diff] [blame]498 if (cert_pubkey_match(session->tls_cert, sk_X509_value(cert_stack, i))) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]499 /* we are just overriding the failed standard certificate verification (preverify_ok == 0),
500 * this callback will be called again with the same current certificate and preverify_ok == 1 */
Michal Vasko05ba9df2016-01-13 14:40:27 +0100[diff] [blame]501 VRB("Cert verify: fail (%s), but the client certificate is trusted, continuing.",
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]502 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509_ctx)));
503 X509_STORE_CTX_set_error(x509_ctx, X509_V_OK);
504 sk_X509_pop_free(cert_stack, X509_free);
505 return 1;
506 }
507 }
508 sk_X509_pop_free(cert_stack, X509_free);
509 }
510
511 ERR("Cert verify: fail (%s).", X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509_ctx)));
512 return 0;
513 }
514
515 /* print cert verify info */
516 depth = X509_STORE_CTX_get_error_depth(x509_ctx);
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]517 VRB("Cert verify: depth %d.", depth);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]518
519 cert = X509_STORE_CTX_get_current_cert(x509_ctx);
520 subject = X509_get_subject_name(cert);
521 issuer = X509_get_issuer_name(cert);
522
523 cp = X509_NAME_oneline(subject, NULL, 0);
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]524 VRB("Cert verify: subject: %s.", cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]525 OPENSSL_free(cp);
526 cp = X509_NAME_oneline(issuer, NULL, 0);
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]527 VRB("Cert verify: issuer: %s.", cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]528 OPENSSL_free(cp);
529
530 /* check for revocation if set */
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]531 if (opts->crl_store) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]532 /* try to retrieve a CRL corresponding to the _subject_ of
533 * the current certificate in order to verify it's integrity */
534 memset((char *)&obj, 0, sizeof(obj));
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]535 X509_STORE_CTX_init(&store_ctx, opts->crl_store, NULL, NULL);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]536 rc = X509_STORE_get_by_subject(&store_ctx, X509_LU_CRL, subject, &obj);
537 X509_STORE_CTX_cleanup(&store_ctx);
538 crl = obj.data.crl;
539 if (rc > 0 && crl) {
540 cp = X509_NAME_oneline(subject, NULL, 0);
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]541 VRB("Cert verify CRL: issuer: %s.", cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]542 OPENSSL_free(cp);
543
544 last_update = X509_CRL_get_lastUpdate(crl);
545 next_update = X509_CRL_get_nextUpdate(crl);
546 cp = asn1time_to_str(last_update);
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]547 VRB("Cert verify CRL: last update: %s.", cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]548 free(cp);
549 cp = asn1time_to_str(next_update);
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]550 VRB("Cert verify CRL: next update: %s.", cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]551 free(cp);
552
553 /* verify the signature on this CRL */
554 pubkey = X509_get_pubkey(cert);
555 if (X509_CRL_verify(crl, pubkey) <= 0) {
556 ERR("Cert verify CRL: invalid signature.");
557 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE);
558 X509_OBJECT_free_contents(&obj);
559 if (pubkey) {
560 EVP_PKEY_free(pubkey);
561 }
562 return 0;
563 }
564 if (pubkey) {
565 EVP_PKEY_free(pubkey);
566 }
567
568 /* check date of CRL to make sure it's not expired */
569 if (!next_update) {
570 ERR("Cert verify CRL: invalid nextUpdate field.");
571 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD);
572 X509_OBJECT_free_contents(&obj);
573 return 0;
574 }
575 if (X509_cmp_current_time(next_update) < 0) {
576 ERR("Cert verify CRL: expired - revoking all certificates.");
577 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CRL_HAS_EXPIRED);
578 X509_OBJECT_free_contents(&obj);
579 return 0;
580 }
581 X509_OBJECT_free_contents(&obj);
582 }
583
584 /* try to retrieve a CRL corresponding to the _issuer_ of
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]585 * the current certificate in order to check for revocation */
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]586 memset((char *)&obj, 0, sizeof(obj));
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]587 X509_STORE_CTX_init(&store_ctx, opts->crl_store, NULL, NULL);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]588 rc = X509_STORE_get_by_subject(&store_ctx, X509_LU_CRL, issuer, &obj);
589 X509_STORE_CTX_cleanup(&store_ctx);
590 crl = obj.data.crl;
591 if (rc > 0 && crl) {
592 /* check if the current certificate is revoked by this CRL */
593 n = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl));
594 for (i = 0; i < n; i++) {
595 revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
596 if (ASN1_INTEGER_cmp(revoked->serialNumber, X509_get_serialNumber(cert)) == 0) {
597 serial = ASN1_INTEGER_get(revoked->serialNumber);
598 cp = X509_NAME_oneline(issuer, NULL, 0);
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]599 ERR("Cert verify CRL: certificate with serial %ld (0x%lX) revoked per CRL from issuer %s.", serial, serial, cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]600 OPENSSL_free(cp);
601 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CERT_REVOKED);
602 X509_OBJECT_free_contents(&obj);
603 return 0;
604 }
605 }
606 X509_OBJECT_free_contents(&obj);
607 }
608 }
609
610 /* cert-to-name already successful */
611 if (session->username) {
612 return 1;
613 }
614
615 /* cert-to-name */
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]616 rc = nc_tls_cert_to_name(opts->ctn, cert, &map_type, &username);
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]617
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]618 if (rc) {
619 if (rc == -1) {
620 /* fatal error */
621 depth = 0;
622 }
623 /* rc == 1 is a normal CTN fail (no match found) */
624 goto fail;
625 }
626
627 /* cert-to-name match, now to extract the specific field from the peer cert */
628 if (map_type == NC_TLS_CTN_SPECIFIED) {
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]629 nc_ctx_lock(-1, NULL);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]630 session->username = lydict_insert(server_opts.ctx, username, 0);
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]631 nc_ctx_unlock();
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]632 } else {
Michal Vasko06e22432016-01-15 10:30:06 +0100[diff] [blame]633 rc = nc_tls_ctn_get_username_from_cert(session->tls_cert, map_type, &cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]634 if (rc) {
635 if (rc == -1) {
636 depth = 0;
637 }
638 goto fail;
639 }
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]640 nc_ctx_lock(-1, NULL);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]641 session->username = lydict_insert_zc(server_opts.ctx, cp);
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]642 nc_ctx_unlock();
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]643 }
644
645 VRB("Cert verify CTN: new client username recognized as \"%s\".", session->username);
646 return 1;
647
648fail:
649 if (depth > 0) {
650 VRB("Cert verify CTN: cert fail, cert-to-name will continue on the next cert in chain.");
651 return 1;
652 }
653
654 VRB("Cert-to-name unsuccessful, dropping the new client.");
655 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_APPLICATION_VERIFICATION);
656 return 0;
657}
658
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]659API int
660nc_server_tls_add_endpt_listen(const char *name, const char *address, uint16_t port)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]661{
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]662 return nc_server_add_endpt_listen(name, address, port, NC_TI_OPENSSL);
663}
664
665API int
Michal Vaskoda514772016-02-01 11:32:01 +0100[diff] [blame]666nc_server_tls_endpt_set_address(const char *endpt_name, const char *address)
667{
668 return nc_server_endpt_set_address_port(endpt_name, address, 0, NC_TI_OPENSSL);
669}
670
671API int
672nc_server_tls_endpt_set_port(const char *endpt_name, uint16_t port)
673{
674 return nc_server_endpt_set_address_port(endpt_name, NULL, port, NC_TI_OPENSSL);
675}
676
677API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]678nc_server_tls_del_endpt(const char *name)
679{
680 return nc_server_del_endpt(name, NC_TI_OPENSSL);
681}
682
683static int
684nc_server_tls_set_cert(const char *cert, struct nc_server_tls_opts *opts)
685{
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]686 X509 *x509_cert;
687
688 if (!cert) {
689 ERRARG;
690 return -1;
691 }
692
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]693 if (!opts->tls_ctx) {
694 opts->tls_ctx = SSL_CTX_new(TLSv1_2_server_method());
695 if (!opts->tls_ctx) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]696 ERR("Failed to create TLS context.");
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]697 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]698 }
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]699 SSL_CTX_set_verify(opts->tls_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nc_tlsclb_verify);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]700 }
701
702 x509_cert = base64der_to_cert(cert);
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]703 if (!x509_cert || (SSL_CTX_use_certificate(opts->tls_ctx, x509_cert) != 1)) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]704 ERR("Loading the server certificate failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]705 X509_free(x509_cert);
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]706 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]707 }
708 X509_free(x509_cert);
709
710 return 0;
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]711
712fail:
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]713 return -1;
714}
715
716API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]717nc_server_tls_endpt_set_cert(const char *endpt_name, const char *cert)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]718{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]719 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]720 struct nc_endpt *endpt;
721
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]722 /* LOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]723 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]724 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]725 return -1;
726 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]727 ret = nc_server_tls_set_cert(cert, endpt->ti_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]728 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]729 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]730
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]731 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]732}
733
734API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]735nc_server_tls_ch_set_cert(const char *cert)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]736{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]737 int ret;
738
739 /* OPTS LOCK */
740 pthread_mutex_lock(&tls_ch_opts_lock);
741 ret = nc_server_tls_set_cert(cert, &tls_ch_opts);
742 /* OPTS UNLOCK */
743 pthread_mutex_unlock(&tls_ch_opts_lock);
744
745 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]746}
747
748static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]749nc_server_tls_set_cert_path(const char *cert_path, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]750{
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]751 if (!cert_path) {
752 ERRARG;
753 return -1;
754 }
755
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]756 if (!opts->tls_ctx) {
757 opts->tls_ctx = SSL_CTX_new(TLSv1_2_server_method());
758 if (!opts->tls_ctx) {
759 ERR("Failed to create TLS context.");
760 goto fail;
761 }
762 SSL_CTX_set_verify(opts->tls_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nc_tlsclb_verify);
763 }
764
765 if (SSL_CTX_use_certificate_file(opts->tls_ctx, cert_path, SSL_FILETYPE_PEM) != 1) {
766 ERR("Loading the server certificate failed (%s).", ERR_reason_error_string(ERR_get_error()));
767 goto fail;
768 }
769
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]770 return 0;
771
772fail:
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]773 return -1;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]774}
775
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]776API int
Michal Vaskoda514772016-02-01 11:32:01 +0100[diff] [blame]777nc_server_tls_endpt_set_cert_path(const char *endpt_name, const char *cert_path)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]778{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]779 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]780 struct nc_endpt *endpt;
781
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]782 /* LOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]783 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]784 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]785 return -1;
786 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]787 ret = nc_server_tls_set_cert_path(cert_path, endpt->ti_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]788 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]789 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]790
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]791 return ret;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]792}
793
794API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]795nc_server_tls_ch_set_cert_path(const char *cert_path)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]796{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]797 int ret;
798
799 /* OPTS LOCK */
800 pthread_mutex_lock(&tls_ch_opts_lock);
801 ret = nc_server_tls_set_cert_path(cert_path, &tls_ch_opts);
802 /* OPTS UNLOCK */
803 pthread_mutex_unlock(&tls_ch_opts_lock);
804
805 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]806}
807
808static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]809nc_server_tls_set_key(const char *privkey, int is_rsa, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]810{
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]811 EVP_PKEY *key;;
812
813 if (!privkey) {
814 ERRARG;
815 return -1;
816 }
817
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]818 if (!opts->tls_ctx) {
819 opts->tls_ctx = SSL_CTX_new(TLSv1_2_server_method());
820 if (!opts->tls_ctx) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]821 ERR("Failed to create TLS context.");
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]822 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]823 }
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]824 SSL_CTX_set_verify(opts->tls_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nc_tlsclb_verify);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]825 }
826
827 key = base64der_to_privatekey(privkey, is_rsa);
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]828 if (!key || (SSL_CTX_use_PrivateKey(opts->tls_ctx, key) != 1)) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]829 ERR("Loading the server private key failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]830 EVP_PKEY_free(key);
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]831 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]832 }
833 EVP_PKEY_free(key);
834
835 return 0;
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]836
837fail:
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]838 return -1;
839}
840
841API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]842nc_server_tls_endpt_set_key(const char *endpt_name, const char *privkey, int is_rsa)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]843{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]844 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]845 struct nc_endpt *endpt;
846
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]847 /* LOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]848 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]849 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]850 return -1;
851 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]852 ret = nc_server_tls_set_key(privkey, is_rsa, endpt->ti_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]853 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]854 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]855
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]856 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]857}
858
859API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]860nc_server_tls_ch_set_key(const char *privkey, int is_rsa)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]861{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]862 int ret;
863
864 /* OPTS LOCK */
865 pthread_mutex_lock(&tls_ch_opts_lock);
866 ret = nc_server_tls_set_key(privkey, is_rsa, &tls_ch_opts);
867 /* OPTS UNLOCK */
868 pthread_mutex_unlock(&tls_ch_opts_lock);
869
870 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]871}
872
873static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]874nc_server_tls_set_key_path(const char *privkey_path, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]875{
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]876 if (!privkey_path) {
877 ERRARG;
878 return -1;
879 }
880
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]881 if (!opts->tls_ctx) {
882 opts->tls_ctx = SSL_CTX_new(TLSv1_2_server_method());
883 if (!opts->tls_ctx) {
884 ERR("Failed to create TLS context.");
885 goto fail;
886 }
887 SSL_CTX_set_verify(opts->tls_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nc_tlsclb_verify);
888 }
889
890 if (SSL_CTX_use_PrivateKey_file(opts->tls_ctx, privkey_path, SSL_FILETYPE_PEM) != 1) {
891 ERR("Loading the server private key failed (%s).", ERR_reason_error_string(ERR_get_error()));
892 goto fail;
893 }
894
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]895 return 0;
896
897fail:
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]898 return -1;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]899}
900
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]901API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]902nc_server_tls_endpt_set_key_path(const char *endpt_name, const char *privkey_path)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]903{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]904 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]905 struct nc_endpt *endpt;
906
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]907 /* LOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]908 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]909 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]910 return -1;
911 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]912 ret = nc_server_tls_set_key_path(privkey_path, endpt->ti_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]913 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]914 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]915
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]916 return ret;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]917}
918
919API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]920nc_server_tls_ch_set_key_path(const char *privkey_path)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]921{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]922 int ret;
923
924 /* OPTS LOCK */
925 pthread_mutex_lock(&tls_ch_opts_lock);
926 ret = nc_server_tls_set_key_path(privkey_path, &tls_ch_opts);
927 /* OPTS UNLOCK */
928 pthread_mutex_unlock(&tls_ch_opts_lock);
929
930 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]931}
932
933static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]934nc_server_tls_add_trusted_cert(const char *cert, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]935{
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]936 X509_STORE *cert_store;
937 X509 *x509_cert;
938
939 if (!cert) {
940 ERRARG;
941 return -1;
942 }
943
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]944 if (!opts->tls_ctx) {
945 opts->tls_ctx = SSL_CTX_new(TLSv1_2_server_method());
946 if (!opts->tls_ctx) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]947 ERR("Failed to create TLS context.");
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]948 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]949 }
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]950 SSL_CTX_set_verify(opts->tls_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nc_tlsclb_verify);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]951 }
952
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]953 cert_store = SSL_CTX_get_cert_store(opts->tls_ctx);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]954 if (!cert_store) {
955 cert_store = X509_STORE_new();
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]956 SSL_CTX_set_cert_store(opts->tls_ctx, cert_store);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]957 }
958
959 x509_cert = base64der_to_cert(cert);
960 if (!x509_cert || (X509_STORE_add_cert(cert_store, x509_cert) != 1)) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]961 ERR("Adding a trusted certificate failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]962 X509_free(x509_cert);
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]963 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]964 }
965 X509_free(x509_cert);
966
967 return 0;
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]968
969fail:
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]970 return -1;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]971}
972
973API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]974nc_server_tls_endpt_add_trusted_cert(const char *endpt_name, const char *cert)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]975{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]976 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]977 struct nc_endpt *endpt;
978
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]979 /* LOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]980 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]981 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]982 return -1;
983 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]984 ret = nc_server_tls_add_trusted_cert(cert, endpt->ti_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]985 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]986 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]987
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]988 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]989}
990
991API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]992nc_server_tls_ch_add_trusted_cert(const char *cert)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]993{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]994 int ret;
995
996 /* OPTS LOCK */
997 pthread_mutex_lock(&tls_ch_opts_lock);
998 ret = nc_server_tls_add_trusted_cert(cert, &tls_ch_opts);
999 /* OPTS UNLOCK */
1000 pthread_mutex_unlock(&tls_ch_opts_lock);
1001
1002 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1003}
1004
1005static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1006nc_server_tls_add_trusted_cert_path(const char *cert_path, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1007{
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1008 X509_STORE *cert_store;
1009 X509 *x509_cert;
1010
1011 if (!cert_path) {
1012 ERRARG;
1013 return -1;
1014 }
1015
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1016 if (!opts->tls_ctx) {
1017 opts->tls_ctx = SSL_CTX_new(TLSv1_2_server_method());
1018 if (!opts->tls_ctx) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1019 ERR("Failed to create TLS context.");
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1020 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1021 }
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1022 SSL_CTX_set_verify(opts->tls_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nc_tlsclb_verify);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1023 }
1024
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1025 cert_store = SSL_CTX_get_cert_store(opts->tls_ctx);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1026 if (!cert_store) {
1027 cert_store = X509_STORE_new();
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1028 SSL_CTX_set_cert_store(opts->tls_ctx, cert_store);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1029 }
1030
1031 errno = 0;
1032 x509_cert = pem_to_cert(cert_path);
1033 if (!x509_cert || (X509_STORE_add_cert(cert_store, x509_cert) != 1)) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1034 ERR("Adding a trusted certificate failed (%s).",
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1035 (errno ? strerror(errno) : ERR_reason_error_string(ERR_get_error())));
1036 X509_free(x509_cert);
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1037 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1038 }
1039 X509_free(x509_cert);
1040
1041 return 0;
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1042
1043fail:
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1044 return -1;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1045}
1046
1047API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1048nc_server_tls_endpt_add_trusted_cert_path(const char *endpt_name, const char *cert_path)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1049{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1050 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1051 struct nc_endpt *endpt;
1052
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1053 /* LOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1054 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1055 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1056 return -1;
1057 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1058 ret = nc_server_tls_add_trusted_cert_path(cert_path, endpt->ti_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1059 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1060 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1061
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1062 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1063}
1064
1065API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1066nc_server_tls_ch_add_trusted_cert_path(const char *cert_path)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1067{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1068 int ret;
1069
1070 /* OPTS LOCK */
1071 pthread_mutex_lock(&tls_ch_opts_lock);
1072 ret = nc_server_tls_add_trusted_cert_path(cert_path, &tls_ch_opts);
1073 /* OPTS UNLOCK */
1074 pthread_mutex_unlock(&tls_ch_opts_lock);
1075
1076 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1077}
1078
1079static int
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1080nc_server_tls_set_trusted_ca_paths(const char *ca_file, const char *ca_dir, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1081{
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1082 X509_STORE *cert_store;
1083 X509_LOOKUP *lookup;
1084
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1085 if (!ca_file && !ca_dir) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1086 ERRARG;
1087 return -1;
1088 }
1089
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1090 if (!opts->tls_ctx) {
1091 opts->tls_ctx = SSL_CTX_new(TLSv1_2_server_method());
1092 if (!opts->tls_ctx) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1093 ERR("Failed to create TLS context.");
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1094 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1095 }
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1096 SSL_CTX_set_verify(opts->tls_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nc_tlsclb_verify);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1097 }
1098
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1099 cert_store = SSL_CTX_get_cert_store(opts->tls_ctx);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1100 if (!cert_store) {
1101 cert_store = X509_STORE_new();
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1102 SSL_CTX_set_cert_store(opts->tls_ctx, cert_store);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1103 }
1104
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1105 if (ca_file) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1106 lookup = X509_STORE_add_lookup(cert_store, X509_LOOKUP_file());
1107 if (!lookup) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1108 ERR("Failed to add a lookup method.");
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1109 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1110 }
1111
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1112 if (X509_LOOKUP_load_file(lookup, ca_file, X509_FILETYPE_PEM) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1113 ERR("Failed to add a trusted cert file (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1114 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1115 }
1116 }
1117
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1118 if (ca_dir) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1119 lookup = X509_STORE_add_lookup(cert_store, X509_LOOKUP_hash_dir());
1120 if (!lookup) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1121 ERR("Failed to add a lookup method.");
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1122 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1123 }
1124
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1125 if (X509_LOOKUP_add_dir(lookup, ca_dir, X509_FILETYPE_PEM) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1126 ERR("Failed to add a trusted cert directory (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1127 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1128 }
1129 }
1130
1131 return 0;
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1132
1133fail:
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1134 return -1;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1135}
1136
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1137API int
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1138nc_server_tls_endpt_set_trusted_ca_paths(const char *endpt_name, const char *ca_file, const char *ca_dir)
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1139{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1140 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1141 struct nc_endpt *endpt;
1142
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1143 /* LOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1144 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1145 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1146 return -1;
1147 }
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1148 ret = nc_server_tls_set_trusted_ca_paths(ca_file, ca_dir, endpt->ti_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1149 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1150 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1151
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1152 return ret;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1153}
1154
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1155API int
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1156nc_server_tls_ch_set_trusted_ca_paths(const char *ca_file, const char *ca_dir)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1157{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1158 int ret;
1159
1160 /* OPTS LOCK */
1161 pthread_mutex_lock(&tls_ch_opts_lock);
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1162 ret = nc_server_tls_set_trusted_ca_paths(ca_file, ca_dir, &tls_ch_opts);
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1163 /* OPTS UNLOCK */
1164 pthread_mutex_unlock(&tls_ch_opts_lock);
1165
1166 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1167}
1168
1169static void
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1170nc_server_tls_clear_certs(struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1171{
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1172 if (!opts->tls_ctx) {
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1173 return;
1174 }
1175
1176 SSL_CTX_free(opts->tls_ctx);
1177 opts->tls_ctx = NULL;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1178}
1179
1180API void
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1181nc_server_tls_endpt_clear_certs(const char *endpt_name)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1182{
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1183 struct nc_endpt *endpt;
1184
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1185 /* LOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1186 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1187 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1188 return;
1189 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1190 nc_server_tls_clear_certs(endpt->ti_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1191 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1192 nc_server_endpt_unlock(endpt);
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1193}
1194
1195API void
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1196nc_server_tls_ch_clear_certs(void)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1197{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1198 /* OPTS LOCK */
1199 pthread_mutex_lock(&tls_ch_opts_lock);
1200 nc_server_tls_clear_certs(&tls_ch_opts);
1201 /* OPTS UNLOCK */
1202 pthread_mutex_unlock(&tls_ch_opts_lock);
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1203}
1204
1205static int
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1206nc_server_tls_set_crl_paths(const char *crl_file, const char *crl_dir, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1207{
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1208 X509_LOOKUP *lookup;
1209
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1210 if (!crl_file && !crl_dir) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1211 ERRARG;
1212 return -1;
1213 }
1214
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1215 if (!opts->crl_store) {
1216 opts->crl_store = X509_STORE_new();
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1217 }
1218
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1219 if (crl_file) {
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1220 lookup = X509_STORE_add_lookup(opts->crl_store, X509_LOOKUP_file());
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1221 if (!lookup) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1222 ERR("Failed to add a lookup method.");
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1223 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1224 }
1225
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1226 if (X509_LOOKUP_load_file(lookup, crl_file, X509_FILETYPE_PEM) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1227 ERR("Failed to add a revocation lookup file (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1228 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1229 }
1230 }
1231
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1232 if (crl_dir) {
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1233 lookup = X509_STORE_add_lookup(opts->crl_store, X509_LOOKUP_hash_dir());
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1234 if (!lookup) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1235 ERR("Failed to add a lookup method.");
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1236 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1237 }
1238
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1239 if (X509_LOOKUP_add_dir(lookup, crl_dir, X509_FILETYPE_PEM) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1240 ERR("Failed to add a revocation lookup directory (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1241 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1242 }
1243 }
1244
1245 return 0;
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1246
1247fail:
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1248 return -1;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1249}
1250
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1251API int
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1252nc_server_tls_endpt_set_crl_paths(const char *endpt_name, const char *crl_file, const char *crl_dir)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1253{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1254 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1255 struct nc_endpt *endpt;
1256
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1257 /* LOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1258 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1259 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1260 return -1;
1261 }
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1262 ret = nc_server_tls_set_crl_paths(crl_file, crl_dir, endpt->ti_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1263 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1264 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1265
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1266 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1267}
1268
1269API int
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1270nc_server_tls_ch_set_crl_paths(const char *crl_file, const char *crl_dir)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1271{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1272 int ret;
1273
1274 /* OPTS LOCK */
1275 pthread_mutex_lock(&tls_ch_opts_lock);
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1276 ret = nc_server_tls_set_crl_paths(crl_file, crl_dir, &tls_ch_opts);
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1277 /* OPTS UNLOCK */
1278 pthread_mutex_unlock(&tls_ch_opts_lock);
1279
1280 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1281}
1282
1283static void
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1284nc_server_tls_clear_crls(struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1285{
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1286 if (!opts->crl_store) {
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1287 return;
1288 }
1289
1290 X509_STORE_free(opts->crl_store);
1291 opts->crl_store = NULL;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1292}
1293
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1294API void
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1295nc_server_tls_endpt_clear_crls(const char *endpt_name)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1296{
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1297 struct nc_endpt *endpt;
1298
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1299 /* LOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1300 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1301 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1302 return;
1303 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1304 nc_server_tls_clear_crls(endpt->ti_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1305 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1306 nc_server_endpt_unlock(endpt);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1307}
1308
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1309API void
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1310nc_server_tls_ch_clear_crls(void)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1311{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1312 /* OPTS LOCK */
1313 pthread_mutex_lock(&tls_ch_opts_lock);
1314 nc_server_tls_clear_crls(&tls_ch_opts);
1315 /* OPTS UNLOCK */
1316 pthread_mutex_unlock(&tls_ch_opts_lock);
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1317}
1318
1319static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1320nc_server_tls_add_ctn(uint32_t id, const char *fingerprint, NC_TLS_CTN_MAPTYPE map_type, const char *name, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1321{
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1322 struct nc_ctn *ctn, *new;
1323
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1324 if (!fingerprint || !map_type || ((map_type == NC_TLS_CTN_SPECIFIED) && !name)
1325 || ((map_type != NC_TLS_CTN_SPECIFIED) && name)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1326 ERRARG;
1327 return -1;
1328 }
1329
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1330 new = malloc(sizeof *new);
1331
1332 nc_ctx_lock(-1, NULL);
1333 new->fingerprint = lydict_insert(server_opts.ctx, fingerprint, 0);
1334 new->name = lydict_insert(server_opts.ctx, name, 0);
1335 nc_ctx_unlock();
1336 new->id = id;
1337 new->map_type = map_type;
1338 new->next = NULL;
1339
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1340 if (!opts->ctn) {
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1341 /* the first item */
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1342 opts->ctn = new;
1343 } else if (opts->ctn->id > id) {
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1344 /* insert at the beginning */
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1345 new->next = opts->ctn;
1346 opts->ctn = new;
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1347 } else {
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1348 for (ctn = opts->ctn; ctn->next && ctn->next->id <= id; ctn = ctn->next);
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1349 /* insert after ctn */
1350 new->next = ctn->next;
1351 ctn->next = new;
1352 }
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1353
1354 return 0;
1355}
1356
1357API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1358nc_server_tls_endpt_add_ctn(const char *endpt_name, uint32_t id, const char *fingerprint, NC_TLS_CTN_MAPTYPE map_type, const char *name)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1359{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1360 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1361 struct nc_endpt *endpt;
1362
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1363 /* LOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1364 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1365 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1366 return -1;
1367 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1368 ret = nc_server_tls_add_ctn(id, fingerprint, map_type, name, endpt->ti_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1369 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1370 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1371
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1372 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1373}
1374
1375API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1376nc_server_tls_ch_add_ctn(uint32_t id, const char *fingerprint, NC_TLS_CTN_MAPTYPE map_type, const char *name)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1377{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1378 int ret;
1379
1380 /* OPTS LOCK */
1381 pthread_mutex_lock(&tls_ch_opts_lock);
1382 ret = nc_server_tls_add_ctn(id, fingerprint, map_type, name, &tls_ch_opts);
1383 /* OPTS UNLOCK */
1384 pthread_mutex_unlock(&tls_ch_opts_lock);
1385
1386 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1387}
1388
1389static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1390nc_server_tls_del_ctn(int64_t id, const char *fingerprint, NC_TLS_CTN_MAPTYPE map_type, const char *name, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1391{
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1392 struct nc_ctn *ctn, *next, *prev;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1393 int ret = -1;
1394
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1395 if ((id < 0) && !fingerprint && !map_type && !name) {
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1396 ctn = opts->ctn;
Michal Vasko11d142a2016-01-19 15:58:24 +0100[diff] [blame]1397 nc_ctx_lock(-1, NULL);
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1398 while (ctn) {
1399 lydict_remove(server_opts.ctx, ctn->fingerprint);
1400 lydict_remove(server_opts.ctx, ctn->name);
1401
1402 next = ctn->next;
1403 free(ctn);
1404 ctn = next;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1405
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1406 ret = 0;
1407 }
Michal Vasko11d142a2016-01-19 15:58:24 +0100[diff] [blame]1408 nc_ctx_unlock();
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1409 opts->ctn = NULL;
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1410 } else {
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1411 prev = NULL;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1412 ctn = opts->ctn;
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1413 while (ctn) {
1414 if (((id < 0) || (ctn->id == id))
1415 && (!fingerprint || !strcmp(ctn->fingerprint, fingerprint))
1416 && (!map_type || (ctn->map_type == map_type))
1417 && (!name || (ctn->name && !strcmp(ctn->name, name)))) {
Michal Vasko11d142a2016-01-19 15:58:24 +0100[diff] [blame]1418 nc_ctx_lock(-1, NULL);
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1419 lydict_remove(server_opts.ctx, ctn->fingerprint);
1420 lydict_remove(server_opts.ctx, ctn->name);
Michal Vasko11d142a2016-01-19 15:58:24 +0100[diff] [blame]1421 nc_ctx_unlock();
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1422
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1423 if (prev) {
1424 prev->next = ctn->next;
1425 next = ctn->next;
1426 } else {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1427 opts->ctn = ctn->next;
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1428 next = ctn->next;
1429 }
1430 free(ctn);
1431 ctn = next;
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1432
1433 ret = 0;
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1434 } else {
1435 prev = ctn;
1436 ctn = ctn->next;
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1437 }
1438 }
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1439 }
1440
1441 return ret;
1442}
1443
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1444API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1445nc_server_tls_endpt_del_ctn(const char *endpt_name, int64_t id, const char *fingerprint, NC_TLS_CTN_MAPTYPE map_type, const char *name)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1446{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1447 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1448 struct nc_endpt *endpt;
1449
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1450 /* LOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1451 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1452 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1453 return -1;
1454 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1455 ret = nc_server_tls_del_ctn(id, fingerprint, map_type, name, endpt->ti_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1456 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1457 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1458
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1459 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1460}
1461
1462API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1463nc_server_tls_ch_del_ctn(int64_t id, const char *fingerprint, NC_TLS_CTN_MAPTYPE map_type, const char *name)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1464{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1465 int ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1466
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1467 /* OPTS LOCK */
1468 pthread_mutex_lock(&tls_ch_opts_lock);
1469 ret = nc_server_tls_del_ctn(id, fingerprint, map_type, name, &tls_ch_opts);
1470 /* OPTS UNLOCK */
1471 pthread_mutex_unlock(&tls_ch_opts_lock);
1472
1473 return ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1474}
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1475
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1476void
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1477nc_server_tls_clear_opts(struct nc_server_tls_opts *opts)
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1478{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1479 nc_server_tls_clear_certs(opts);
1480 nc_server_tls_clear_crls(opts);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1481 nc_server_tls_del_ctn(-1, NULL, 0, NULL, opts);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1482}
Michal Vasko9e036d52016-01-08 10:49:26 +0100[diff] [blame]1483
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1484API void
1485nc_server_tls_ch_clear_opts(void)
1486{
1487 /* OPTS LOCK */
1488 pthread_mutex_lock(&tls_ch_opts_lock);
1489 nc_server_tls_clear_opts(&tls_ch_opts);
1490 /* OPTS UNLOCK */
1491 pthread_mutex_unlock(&tls_ch_opts_lock);
1492}
1493
Michal Vasko6d292992016-01-18 09:42:38 +0100[diff] [blame]1494static void
1495nc_tls_make_verify_key(void)
1496{
Michal Vasko5c2f7952016-01-22 13:16:31 +0100[diff] [blame]1497 pthread_key_create(&verify_key, NULL);
Michal Vasko6d292992016-01-18 09:42:38 +0100[diff] [blame]1498}
1499
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1500API int
1501nc_connect_callhome_tls(const char *host, uint16_t port, int timeout, struct nc_session **session)
Michal Vasko9e036d52016-01-08 10:49:26 +0100[diff] [blame]1502{
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1503 return nc_connect_callhome(host, port, NC_TI_OPENSSL, timeout, session);
1504}
1505
1506int
1507nc_accept_tls_session(struct nc_session *session, int sock, int timeout)
1508{
1509 struct nc_server_tls_opts *opts;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1510 struct pollfd pfd;
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100[diff] [blame]1511 struct timespec old_ts, new_ts;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1512 int ret, elapsed = 0;
1513
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1514 opts = session->ti_opts;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1515
1516 pfd.fd = sock;
1517 pfd.events = POLLIN;
1518 pfd.revents = 0;
1519
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100[diff] [blame]1520 if (timeout > 0) {
1521 clock_gettime(CLOCK_MONOTONIC_RAW, &old_ts);
1522 }
1523
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1524 /* poll for a new connection */
1525 errno = 0;
1526 ret = poll(&pfd, 1, timeout);
1527 if (!ret) {
1528 /* we timeouted */
1529 close(sock);
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1530 return 0;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1531 } else if (ret == -1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1532 ERR("poll failed (%s).", strerror(errno));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1533 close(sock);
1534 return -1;
1535 }
1536
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100[diff] [blame]1537 if (timeout > 0) {
1538 /* decrease timeout */
1539 clock_gettime(CLOCK_MONOTONIC_RAW, &new_ts);
1540
1541 elapsed = (new_ts.tv_sec - old_ts.tv_sec) * 1000;
1542 elapsed += (new_ts.tv_nsec - old_ts.tv_nsec) / 1000000;
1543 }
1544
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1545 /* data waiting, prepare session */
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1546 session->ti_type = NC_TI_OPENSSL;
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100[diff] [blame]1547
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1548 session->ti.tls = SSL_new(opts->tls_ctx);
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100[diff] [blame]1549
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1550 if (!session->ti.tls) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1551 ERR("Failed to create TLS structure from context.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1552 close(sock);
1553 return -1;
1554 }
1555
1556 SSL_set_fd(session->ti.tls, sock);
1557 SSL_set_mode(session->ti.tls, SSL_MODE_AUTO_RETRY);
1558
Michal Vasko6d292992016-01-18 09:42:38 +0100[diff] [blame]1559 /* store session on per-thread basis */
Michal Vasko5c2f7952016-01-22 13:16:31 +0100[diff] [blame]1560 pthread_once(&verify_once, nc_tls_make_verify_key);
1561 pthread_setspecific(verify_key, session);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1562
1563 ret = SSL_accept(session->ti.tls);
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1564
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1565 if (ret != 1) {
1566 switch (SSL_get_error(session->ti.tls, ret)) {
1567 case SSL_ERROR_SYSCALL:
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1568 ERR("SSL_accept failed (%s).", strerror(errno));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1569 break;
1570 case SSL_ERROR_SSL:
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1571 ERR("SSL_accept failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1572 break;
1573 default:
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1574 ERR("SSL_accept failed.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1575 break;
1576 }
1577 return -1;
1578 }
1579
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1580 return 1;
Michal Vasko9e036d52016-01-08 10:49:26 +0100[diff] [blame]1581}