Gitiles
Code Review Sign In
gerrit.cesnet.cz / github / CESNET / libnetconf2 / 134783bad1503983989ec632808171b7205a228d / . / src / session_server_tls.c
blob: 1649588a7483e99283df36dc8d44c695c700f2be [file] [log] [blame]
Radek Krejci5da708a2015-09-01 17:33:23 +0200[diff] [blame]1/**
Michal Vasko95ea9ff2021-11-09 12:29:14 +0100[diff] [blame]2 * @file session_server_tls.c
3 * @author Michal Vasko <mvasko@cesnet.cz>
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]4 * @author Roman Janota <janota@cesnet.cz>
Michal Vasko95ea9ff2021-11-09 12:29:14 +0100[diff] [blame]5 * @brief libnetconf2 TLS server session manipulation functions
Radek Krejci5da708a2015-09-01 17:33:23 +0200[diff] [blame]6 *
Michal Vasko95ea9ff2021-11-09 12:29:14 +0100[diff] [blame]7 * @copyright
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]8 * Copyright (c) 2015 - 2023 CESNET, z.s.p.o.
Radek Krejci5da708a2015-09-01 17:33:23 +0200[diff] [blame]9 *
Radek Krejci9b81f5b2016-02-24 13:14:49 +0100[diff] [blame]10 * This source code is licensed under BSD 3-Clause License (the "License").
11 * You may not use this file except in compliance with the License.
12 * You may obtain a copy of the License at
Michal Vaskoafd416b2016-02-25 14:51:46 +0100[diff] [blame]13 *
Radek Krejci9b81f5b2016-02-24 13:14:49 +0100[diff] [blame]14 * https://opensource.org/licenses/BSD-3-Clause
Radek Krejci5da708a2015-09-01 17:33:23 +0200[diff] [blame]15 */
16
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]17#define _GNU_SOURCE
18
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]19#include <poll.h>
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]20#include <stdint.h>
21#include <stdio.h>
22#include <stdlib.h>
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200[diff] [blame]23#include <string.h>
Michal Vaskof0537d82016-01-29 14:42:38 +0100[diff] [blame]24#include <unistd.h>
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]25
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]26#include <curl/curl.h>
27#include <openssl/bio.h>
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]28#include <openssl/err.h>
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200[diff] [blame]29#include <openssl/evp.h>
30#include <openssl/ssl.h>
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]31#include <openssl/x509.h>
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200[diff] [blame]32#include <openssl/x509v3.h>
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]33
Michal Vasko316c9632020-04-15 11:06:57 +0200[diff] [blame]34#include "compat.h"
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]35#include "config.h"
36#include "log_p.h"
37#include "session.h"
38#include "session_p.h"
Rosen Penev4f552d62019-06-26 16:10:43 -0700[diff] [blame]39
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]40struct nc_server_tls_opts tls_ch_opts;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]41extern struct nc_server_opts server_opts;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]42
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]43static char *
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]44asn1time_to_str(const ASN1_TIME *t)
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]45{
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]46 char *cp;
47 BIO *bio;
48 int n;
Radek Krejci5da708a2015-09-01 17:33:23 +0200[diff] [blame]49
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]50 if (!t) {
51 return NULL;
52 }
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]53
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]54 bio = BIO_new(BIO_s_mem());
55 if (!bio) {
56 return NULL;
57 }
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]58
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]59 ASN1_TIME_print(bio, t);
60 n = BIO_pending(bio);
61 cp = malloc(n + 1);
Michal Vasko4eb3c312016-03-01 14:09:37 +0100[diff] [blame]62 if (!cp) {
63 ERRMEM;
64 BIO_free(bio);
65 return NULL;
66 }
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]67
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]68 n = BIO_read(bio, cp, n);
69 if (n < 0) {
70 BIO_free(bio);
71 free(cp);
72 return NULL;
73 }
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]74
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]75 cp[n] = '\0';
76 BIO_free(bio);
77 return cp;
78}
79
80static void
81digest_to_str(const unsigned char *digest, unsigned int dig_len, char **str)
82{
83 unsigned int i;
84
85 *str = malloc(dig_len * 3);
Michal Vasko4eb3c312016-03-01 14:09:37 +0100[diff] [blame]86 if (!*str) {
87 ERRMEM;
88 return;
89 }
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]90 for (i = 0; i < dig_len - 1; ++i) {
91 sprintf((*str) + (i * 3), "%02x:", digest[i]);
92 }
93 sprintf((*str) + (i * 3), "%02x", digest[i]);
94}
95
96/* return NULL - SSL error can be retrieved */
97static X509 *
98base64der_to_cert(const char *in)
99{
100 X509 *out;
101 char *buf;
102 BIO *bio;
103
104 if (in == NULL) {
105 return NULL;
106 }
107
108 if (asprintf(&buf, "%s%s%s", "-----BEGIN CERTIFICATE-----\n", in, "\n-----END CERTIFICATE-----") == -1) {
109 return NULL;
110 }
111 bio = BIO_new_mem_buf(buf, strlen(buf));
112 if (!bio) {
113 free(buf);
114 return NULL;
115 }
116
117 out = PEM_read_bio_X509(bio, NULL, NULL, NULL);
118 if (!out) {
119 free(buf);
120 BIO_free(bio);
121 return NULL;
122 }
123
124 free(buf);
125 BIO_free(bio);
126 return out;
127}
128
Michal Vasko6e08cb72017-02-02 11:15:29 +0100[diff] [blame]129static EVP_PKEY *
Michal Vaskoddce1212019-05-24 09:58:49 +0200[diff] [blame]130base64der_to_privatekey(const char *in, const char *key_str)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]131{
132 EVP_PKEY *out;
133 char *buf;
134 BIO *bio;
135
136 if (in == NULL) {
137 return NULL;
138 }
139
Michal Vaskoddce1212019-05-24 09:58:49 +0200[diff] [blame]140 if (asprintf(&buf, "%s%s%s%s%s%s%s", "-----BEGIN ", key_str, " PRIVATE KEY-----\n", in, "\n-----END ",
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200[diff] [blame]141 key_str, " PRIVATE KEY-----") == -1) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]142 return NULL;
143 }
144 bio = BIO_new_mem_buf(buf, strlen(buf));
145 if (!bio) {
146 free(buf);
147 return NULL;
148 }
149
150 out = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);
151 if (!out) {
152 free(buf);
153 BIO_free(bio);
154 return NULL;
155 }
156
157 free(buf);
158 BIO_free(bio);
159 return out;
Michal Vasko6e08cb72017-02-02 11:15:29 +0100[diff] [blame]160}
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]161
162static int
163cert_pubkey_match(X509 *cert1, X509 *cert2)
164{
165 ASN1_BIT_STRING *bitstr1, *bitstr2;
166
167 bitstr1 = X509_get0_pubkey_bitstr(cert1);
168 bitstr2 = X509_get0_pubkey_bitstr(cert2);
169
170 if (!bitstr1 || !bitstr2 || (bitstr1->length != bitstr2->length) ||
171 memcmp(bitstr1->data, bitstr2->data, bitstr1->length)) {
172 return 0;
173 }
174
175 return 1;
176}
177
178static int
179nc_tls_ctn_get_username_from_cert(X509 *client_cert, NC_TLS_CTN_MAPTYPE map_type, char **username)
180{
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200[diff] [blame]181 STACK_OF(GENERAL_NAME) * san_names;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]182 GENERAL_NAME *san_name;
183 ASN1_OCTET_STRING *ip;
184 int i, san_count;
185 char *subject, *common_name;
186
Michal Vaskod9a78642022-02-24 16:25:21 +0100[diff] [blame]187 *username = NULL;
188
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]189 if (map_type == NC_TLS_CTN_COMMON_NAME) {
190 subject = X509_NAME_oneline(X509_get_subject_name(client_cert), NULL, 0);
191 common_name = strstr(subject, "CN=");
192 if (!common_name) {
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]193 WRN(NULL, "Certificate does not include the commonName field.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]194 free(subject);
195 return 1;
196 }
197 common_name += 3;
198 if (strchr(common_name, '/')) {
199 *strchr(common_name, '/') = '\0';
200 }
201 *username = strdup(common_name);
roman3a95bb22023-10-26 11:07:17 +0200[diff] [blame]202 NC_CHECK_ERRMEM_RET(!*username, 1);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]203 free(subject);
204 } else {
205 /* retrieve subjectAltName's rfc822Name (email), dNSName and iPAddress values */
206 san_names = X509_get_ext_d2i(client_cert, NID_subject_alt_name, NULL, NULL);
207 if (!san_names) {
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]208 WRN(NULL, "Certificate has no SANs or failed to retrieve them.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]209 return 1;
210 }
211
212 san_count = sk_GENERAL_NAME_num(san_names);
213 for (i = 0; i < san_count; ++i) {
214 san_name = sk_GENERAL_NAME_value(san_names, i);
215
216 /* rfc822Name (email) */
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200[diff] [blame]217 if (((map_type == NC_TLS_CTN_SAN_ANY) || (map_type == NC_TLS_CTN_SAN_RFC822_NAME)) &&
218 (san_name->type == GEN_EMAIL)) {
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]219 *username = strdup((char *)ASN1_STRING_get0_data(san_name->d.rfc822Name));
roman3a95bb22023-10-26 11:07:17 +0200[diff] [blame]220 NC_CHECK_ERRMEM_RET(!*username, 1);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]221 break;
222 }
223
224 /* dNSName */
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200[diff] [blame]225 if (((map_type == NC_TLS_CTN_SAN_ANY) || (map_type == NC_TLS_CTN_SAN_DNS_NAME)) &&
226 (san_name->type == GEN_DNS)) {
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]227 *username = strdup((char *)ASN1_STRING_get0_data(san_name->d.dNSName));
roman3a95bb22023-10-26 11:07:17 +0200[diff] [blame]228 NC_CHECK_ERRMEM_RET(!*username, 1);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]229 break;
230 }
231
232 /* iPAddress */
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200[diff] [blame]233 if (((map_type == NC_TLS_CTN_SAN_ANY) || (map_type == NC_TLS_CTN_SAN_IP_ADDRESS)) &&
234 (san_name->type == GEN_IPADD)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]235 ip = san_name->d.iPAddress;
236 if (ip->length == 4) {
237 if (asprintf(username, "%d.%d.%d.%d", ip->data[0], ip->data[1], ip->data[2], ip->data[3]) == -1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]238 ERRMEM;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]239 sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);
240 return -1;
241 }
242 break;
243 } else if (ip->length == 16) {
244 if (asprintf(username, "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
245 ip->data[0], ip->data[1], ip->data[2], ip->data[3], ip->data[4], ip->data[5],
246 ip->data[6], ip->data[7], ip->data[8], ip->data[9], ip->data[10], ip->data[11],
247 ip->data[12], ip->data[13], ip->data[14], ip->data[15]) == -1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]248 ERRMEM;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]249 sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);
250 return -1;
251 }
252 break;
253 } else {
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]254 WRN(NULL, "SAN IP address in an unknown format (length is %d).", ip->length);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]255 }
256 }
257 }
258 sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);
259
Vitaly Kuzina3b66322021-08-26 12:33:43 +0300[diff] [blame]260 if (i == san_count) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]261 switch (map_type) {
262 case NC_TLS_CTN_SAN_RFC822_NAME:
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]263 WRN(NULL, "Certificate does not include the SAN rfc822Name field.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]264 break;
265 case NC_TLS_CTN_SAN_DNS_NAME:
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]266 WRN(NULL, "Certificate does not include the SAN dNSName field.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]267 break;
268 case NC_TLS_CTN_SAN_IP_ADDRESS:
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]269 WRN(NULL, "Certificate does not include the SAN iPAddress field.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]270 break;
271 case NC_TLS_CTN_SAN_ANY:
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]272 WRN(NULL, "Certificate does not include any relevant SAN fields.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]273 break;
274 default:
275 break;
276 }
277 return 1;
278 }
279 }
280
281 return 0;
282}
283
284/* return: 0 - OK, 1 - no match, -1 - error */
285static int
Roytakbe391922023-07-27 19:59:24 +0200[diff] [blame]286nc_tls_cert_to_name(struct nc_session *session, struct nc_ctn *ctn_first, X509 *cert)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]287{
288 char *digest_md5 = NULL, *digest_sha1 = NULL, *digest_sha224 = NULL;
289 char *digest_sha256 = NULL, *digest_sha384 = NULL, *digest_sha512 = NULL;
roman3a95bb22023-10-26 11:07:17 +0200[diff] [blame]290 unsigned char *buf;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]291 unsigned int buf_len = 64;
292 int ret = 0;
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]293 struct nc_ctn *ctn;
Roytakbe391922023-07-27 19:59:24 +0200[diff] [blame]294 NC_TLS_CTN_MAPTYPE map_type;
295 char *username = NULL;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]296
roman3a95bb22023-10-26 11:07:17 +0200[diff] [blame]297 buf = malloc(buf_len);
298 NC_CHECK_ERRMEM_RET(!buf, -1);
Michal Vasko4eb3c312016-03-01 14:09:37 +0100[diff] [blame]299
roman84473212023-10-12 16:29:17 +0200[diff] [blame]300 if (!session || !cert) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]301 free(buf);
302 return -1;
303 }
304
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]305 for (ctn = ctn_first; ctn; ctn = ctn->next) {
Roytakbe391922023-07-27 19:59:24 +0200[diff] [blame]306 /* reset map_type */
307 map_type = NC_TLS_CTN_UNKNOWN;
308
Michal Vasko3cf4aaa2017-02-01 15:03:36 +0100[diff] [blame]309 /* first make sure the entry is valid */
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]310 if (!ctn->map_type || ((ctn->map_type == NC_TLS_CTN_SPECIFIED) && !ctn->name)) {
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]311 VRB(session, "Cert verify CTN: entry with id %u not valid, skipping.", ctn->id);
Michal Vasko3cf4aaa2017-02-01 15:03:36 +0100[diff] [blame]312 continue;
313 }
314
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]315 /* if ctn has no fingerprint, it will match any certificate */
316 if (!ctn->fingerprint) {
317 map_type = ctn->map_type;
318
319 /* MD5 */
320 } else if (!strncmp(ctn->fingerprint, "01", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]321 if (!digest_md5) {
322 if (X509_digest(cert, EVP_md5(), buf, &buf_len) != 1) {
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]323 ERR(session, "Calculating MD5 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]324 ret = -1;
325 goto cleanup;
326 }
327 digest_to_str(buf, buf_len, &digest_md5);
328 }
329
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]330 if (!strcasecmp(ctn->fingerprint + 3, digest_md5)) {
Roytakbe391922023-07-27 19:59:24 +0200[diff] [blame]331 /* we got ourselves a potential winner! */
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]332 VRB(session, "Cert verify CTN: entry with a matching fingerprint found.");
Roytakbe391922023-07-27 19:59:24 +0200[diff] [blame]333 map_type = ctn->map_type;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]334 }
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]335 free(digest_md5);
336 digest_md5 = NULL;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]337
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200[diff] [blame]338 /* SHA-1 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]339 } else if (!strncmp(ctn->fingerprint, "02", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]340 if (!digest_sha1) {
341 if (X509_digest(cert, EVP_sha1(), buf, &buf_len) != 1) {
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]342 ERR(session, "Calculating SHA-1 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]343 ret = -1;
344 goto cleanup;
345 }
346 digest_to_str(buf, buf_len, &digest_sha1);
347 }
348
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]349 if (!strcasecmp(ctn->fingerprint + 3, digest_sha1)) {
Roytakbe391922023-07-27 19:59:24 +0200[diff] [blame]350 /* we got ourselves a potential winner! */
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]351 VRB(session, "Cert verify CTN: entry with a matching fingerprint found.");
Roytakbe391922023-07-27 19:59:24 +0200[diff] [blame]352 map_type = ctn->map_type;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]353 }
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]354 free(digest_sha1);
355 digest_sha1 = NULL;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]356
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200[diff] [blame]357 /* SHA-224 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]358 } else if (!strncmp(ctn->fingerprint, "03", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]359 if (!digest_sha224) {
360 if (X509_digest(cert, EVP_sha224(), buf, &buf_len) != 1) {
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]361 ERR(session, "Calculating SHA-224 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]362 ret = -1;
363 goto cleanup;
364 }
365 digest_to_str(buf, buf_len, &digest_sha224);
366 }
367
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]368 if (!strcasecmp(ctn->fingerprint + 3, digest_sha224)) {
Roytakbe391922023-07-27 19:59:24 +0200[diff] [blame]369 /* we got ourselves a potential winner! */
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]370 VRB(session, "Cert verify CTN: entry with a matching fingerprint found.");
Roytakbe391922023-07-27 19:59:24 +0200[diff] [blame]371 map_type = ctn->map_type;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]372 }
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]373 free(digest_sha224);
374 digest_sha224 = NULL;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]375
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200[diff] [blame]376 /* SHA-256 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]377 } else if (!strncmp(ctn->fingerprint, "04", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]378 if (!digest_sha256) {
379 if (X509_digest(cert, EVP_sha256(), buf, &buf_len) != 1) {
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]380 ERR(session, "Calculating SHA-256 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]381 ret = -1;
382 goto cleanup;
383 }
384 digest_to_str(buf, buf_len, &digest_sha256);
385 }
386
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]387 if (!strcasecmp(ctn->fingerprint + 3, digest_sha256)) {
Roytakbe391922023-07-27 19:59:24 +0200[diff] [blame]388 /* we got ourselves a potential winner! */
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]389 VRB(session, "Cert verify CTN: entry with a matching fingerprint found.");
Roytakbe391922023-07-27 19:59:24 +0200[diff] [blame]390 map_type = ctn->map_type;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]391 }
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]392 free(digest_sha256);
393 digest_sha256 = NULL;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]394
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200[diff] [blame]395 /* SHA-384 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]396 } else if (!strncmp(ctn->fingerprint, "05", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]397 if (!digest_sha384) {
398 if (X509_digest(cert, EVP_sha384(), buf, &buf_len) != 1) {
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]399 ERR(session, "Calculating SHA-384 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]400 ret = -1;
401 goto cleanup;
402 }
403 digest_to_str(buf, buf_len, &digest_sha384);
404 }
405
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]406 if (!strcasecmp(ctn->fingerprint + 3, digest_sha384)) {
Roytakbe391922023-07-27 19:59:24 +0200[diff] [blame]407 /* we got ourselves a potential winner! */
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]408 VRB(session, "Cert verify CTN: entry with a matching fingerprint found.");
Roytakbe391922023-07-27 19:59:24 +0200[diff] [blame]409 map_type = ctn->map_type;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]410 }
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]411 free(digest_sha384);
412 digest_sha384 = NULL;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]413
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200[diff] [blame]414 /* SHA-512 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]415 } else if (!strncmp(ctn->fingerprint, "06", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]416 if (!digest_sha512) {
417 if (X509_digest(cert, EVP_sha512(), buf, &buf_len) != 1) {
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]418 ERR(session, "Calculating SHA-512 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]419 ret = -1;
420 goto cleanup;
421 }
422 digest_to_str(buf, buf_len, &digest_sha512);
423 }
424
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]425 if (!strcasecmp(ctn->fingerprint + 3, digest_sha512)) {
Roytakbe391922023-07-27 19:59:24 +0200[diff] [blame]426 /* we got ourselves a potential winner! */
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]427 VRB(session, "Cert verify CTN: entry with a matching fingerprint found.");
Roytakbe391922023-07-27 19:59:24 +0200[diff] [blame]428 map_type = ctn->map_type;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]429 }
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]430 free(digest_sha512);
431 digest_sha512 = NULL;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]432
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200[diff] [blame]433 /* unknown */
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]434 } else {
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]435 WRN(session, "Unknown fingerprint algorithm used (%s), skipping.", ctn->fingerprint);
Roytakbe391922023-07-27 19:59:24 +0200[diff] [blame]436 continue;
437 }
438
439 if (map_type != NC_TLS_CTN_UNKNOWN) {
440 /* found a fingerprint match */
441 if (map_type == NC_TLS_CTN_SPECIFIED) {
442 /* specified -> get username from the ctn entry */
443 session->username = strdup(ctn->name);
roman3a95bb22023-10-26 11:07:17 +0200[diff] [blame]444 NC_CHECK_ERRMEM_GOTO(!session->username, ret = -1, cleanup);
Roytakbe391922023-07-27 19:59:24 +0200[diff] [blame]445 } else {
446 /* try to get the username from the cert with this ctn's map type */
447 ret = nc_tls_ctn_get_username_from_cert(session->opts.server.client_cert, map_type, &username);
448 if (ret == -1) {
449 /* fatal error */
450 goto cleanup;
451 } else if (ret) {
452 /* didn't get username, try next ctn entry */
453 continue;
454 }
455
456 /* success */
457 session->username = username;
458 }
459
460 /* matching fingerprint found and username obtained, success */
461 ret = 0;
462 goto cleanup;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]463 }
464 }
465
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]466 if (!ctn) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]467 ret = 1;
468 }
469
470cleanup:
471 free(digest_md5);
472 free(digest_sha1);
473 free(digest_sha224);
474 free(digest_sha256);
475 free(digest_sha384);
476 free(digest_sha512);
477 free(buf);
478 return ret;
479}
480
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]481static int
482nc_server_tls_check_crl(X509_STORE *crl_store, X509_STORE_CTX *x509_ctx, X509 *cert,
483 const X509_NAME *subject, const X509_NAME *issuer)
484{
485 int n, i, ret = 0;
486 X509_STORE_CTX *store_ctx = NULL;
487 X509_OBJECT *obj = NULL;
488 X509_CRL *crl;
489 X509_REVOKED *revoked;
490 EVP_PKEY *pubkey;
491 const ASN1_INTEGER *serial;
492 const ASN1_TIME *last_update = NULL, *next_update = NULL;
493 char *cp;
494
495 store_ctx = X509_STORE_CTX_new();
roman3a95bb22023-10-26 11:07:17 +0200[diff] [blame]496 NC_CHECK_ERRMEM_GOTO(!store_ctx, ret = -1, cleanup);
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]497
498 /* init store context */
499 ret = X509_STORE_CTX_init(store_ctx, crl_store, NULL, NULL);
500 if (!ret) {
501 ERR(NULL, "Initializing x509 store ctx failed (%s).", ERR_reason_error_string(ERR_get_error()));
502 ret = -1;
503 goto cleanup;
504 }
505 ret = 0;
506
507 /* try to find a CRL entry that corresponds to the current certificate in question */
508 obj = X509_STORE_CTX_get_obj_by_subject(store_ctx, X509_LU_CRL, subject);
509 crl = X509_OBJECT_get0_X509_CRL(obj);
510 X509_OBJECT_free(obj);
511 if (crl) {
512 /* found it */
513 cp = X509_NAME_oneline(subject, NULL, 0);
514 VRB(NULL, "Cert verify CRL: issuer: %s.", cp);
515 OPENSSL_free(cp);
516
517 last_update = X509_CRL_get0_lastUpdate(crl);
518 next_update = X509_CRL_get0_nextUpdate(crl);
519 cp = asn1time_to_str(last_update);
520 VRB(NULL, "Cert verify CRL: last update: %s.", cp);
521 free(cp);
522 cp = asn1time_to_str(next_update);
523 VRB(NULL, "Cert verify CRL: next update: %s.", cp);
524 free(cp);
525
526 /* verify the signature on this CRL */
527 pubkey = X509_get0_pubkey(cert);
528 if (X509_CRL_verify(crl, pubkey) <= 0) {
529 ERR(NULL, "Cert verify CRL: invalid signature.");
530 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE);
531 ret = -1;
532 goto cleanup;
533 }
534
535 /* check date of CRL to make sure it's not expired */
536 if (!next_update) {
537 ERR(NULL, "Cert verify CRL: invalid nextUpdate field.");
538 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD);
539 ret = -1;
540 goto cleanup;
541 }
542
543 if (X509_cmp_current_time(next_update) < 0) {
544 ERR(NULL, "Cert verify CRL: expired - revoking all certificates.");
545 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CRL_HAS_EXPIRED);
546 ret = -1;
547 goto cleanup;
548 }
549 }
550
551 /* try to retrieve a CRL corresponding to the _issuer_ of
552 * the current certificate in order to check for revocation */
553 obj = X509_STORE_CTX_get_obj_by_subject(store_ctx, X509_LU_CRL, issuer);
554 crl = X509_OBJECT_get0_X509_CRL(obj);
555 if (crl) {
556 n = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl));
557 for (i = 0; i < n; i++) {
558 revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
559 serial = X509_REVOKED_get0_serialNumber(revoked);
560 if (ASN1_INTEGER_cmp(serial, X509_get_serialNumber(cert)) == 0) {
561 cp = X509_NAME_oneline(issuer, NULL, 0);
562 ERR(NULL, "Cert verify CRL: certificate with serial %ld (0x%lX) revoked per CRL from issuer %s.",
563 serial, serial, cp);
564 OPENSSL_free(cp);
565 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CERT_REVOKED);
566 ret = -1;
567 goto cleanup;
568 }
569 }
570 }
571
572cleanup:
573 X509_STORE_CTX_free(store_ctx);
574 X509_OBJECT_free(obj);
575 return ret;
576}
577
578static int
579nc_server_tls_ts_ref_get_certs(const char *referenced_name, struct nc_certificate **certs, uint16_t *cert_count)
580{
581 uint16_t i;
582 struct nc_truststore *ts = &server_opts.truststore;
583
584 *certs = NULL;
585 *cert_count = 0;
586
587 /* lookup name */
588 for (i = 0; i < ts->cert_bag_count; i++) {
589 if (!strcmp(referenced_name, ts->cert_bags[i].name)) {
590 break;
591 }
592 }
593
594 if (i == ts->cert_bag_count) {
595 ERR(NULL, "Truststore entry \"%s\" not found.", referenced_name);
596 return -1;
597 }
598
599 *certs = ts->cert_bags[i].certs;
600 *cert_count = ts->cert_bags[i].cert_count;
601 return 0;
602}
603
604/* In case a CA chain verification failed an end-entity certificate must match.
605 * The meaning of local_or_referenced is that it states, which end-entity certificates to check
606 * (1 = current endpoint's, 2 = referenced endpoint's).
607 */
608static int
609nc_server_tls_do_preverify(struct nc_session *session, X509_STORE_CTX *x509_ctx, int local_or_referenced)
610{
611 X509_STORE *store;
612 struct nc_cert_grouping *ee_certs;
613 int i, ret;
614 X509 *cert;
615 struct nc_certificate *certs;
616 uint16_t cert_count;
617
618 store = X509_STORE_CTX_get0_store(x509_ctx);
619 if (!store) {
620 ERR(session, "Error getting store from context (%s).", ERR_reason_error_string(ERR_get_error()));
621 return -1;
622 }
623
624 /* get the data from the store */
625 ee_certs = X509_STORE_get_ex_data(store, local_or_referenced);
626 if (!ee_certs) {
627 ERR(session, "Error getting data from store (%s).", ERR_reason_error_string(ERR_get_error()));
628 return -1;
629 }
630
631 if (ee_certs->store == NC_STORE_LOCAL) {
632 /* local definition */
633 certs = ee_certs->certs;
634 cert_count = ee_certs->cert_count;
635 } else {
636 /* truststore reference */
637 if (nc_server_tls_ts_ref_get_certs(ee_certs->ts_ref, &certs, &cert_count)) {
638 ERR(NULL, "Error getting end-entity certificates from the truststore reference \"%s\".", ee_certs->ts_ref);
639 return -1;
640 }
641 }
642
643 for (i = 0; i < cert_count; i++) {
644 cert = base64der_to_cert(certs[i].data);
645 ret = cert_pubkey_match(session->opts.server.client_cert, cert);
646 X509_free(cert);
647 if (ret) {
648 /* we are just overriding the failed standard certificate verification (preverify_ok == 0),
649 * this callback will be called again with the same current certificate and preverify_ok == 1 */
650 VRB(session, "Cert verify: fail (%s), but the end-entity certificate is trusted, continuing.",
651 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509_ctx)));
652 X509_STORE_CTX_set_error(x509_ctx, X509_V_OK);
653 return 1;
654 }
655 }
656
657 return 0;
658}
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]659
660static int
661nc_tlsclb_verify(int preverify_ok, X509_STORE_CTX *x509_ctx)
662{
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]663 X509_NAME *subject;
664 X509_NAME *issuer;
665 X509 *cert;
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]666 char *cp;
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]667 X509_STORE *store;
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200[diff] [blame]668
669 STACK_OF(X509) * cert_stack;
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200[diff] [blame]670 struct nc_session *session;
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]671 struct nc_server_tls_opts *opts;
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]672 struct nc_endpt *referenced_endpt;
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]673 int rc, depth;
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]674
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]675 store = X509_STORE_CTX_get0_store(x509_ctx);
676 if (!store) {
677 ERR(NULL, "Error getting store from context (%s).", ERR_reason_error_string(ERR_get_error()));
678 return 0;
679 }
680
681 /* get session from the store */
682 session = X509_STORE_get_ex_data(store, 0);
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]683 if (!session) {
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]684 ERR(session, "Error getting session from store (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]685 return 0;
686 }
687
688 opts = session->data;
689
690 /* get the last certificate, that is the peer (client) certificate */
691 if (!session->opts.server.client_cert) {
692 cert_stack = X509_STORE_CTX_get1_chain(x509_ctx);
Andrew Langefeld62bc6712018-08-28 16:17:16 -0500[diff] [blame]693 session->opts.server.client_cert = sk_X509_value(cert_stack, 0);
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]694 X509_up_ref(session->opts.server.client_cert);
695 sk_X509_pop_free(cert_stack, X509_free);
696 }
697
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]698 /* standard certificate verification failed, so an end-entity client cert must match to continue */
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]699 if (!preverify_ok) {
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]700 /* check current endpoint's end-entity certs */
701 rc = nc_server_tls_do_preverify(session, x509_ctx, 1);
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]702 if (rc == -1) {
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]703 return 0;
704 } else if (rc == 1) {
705 return 1;
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]706 }
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]707
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]708 /* no match, continue */
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]709 if (opts->referenced_endpt_name) {
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]710 /* check referenced endpoint's end-entity certs */
711 rc = nc_server_tls_do_preverify(session, x509_ctx, 2);
712 if (rc == -1) {
713 return 0;
714 } else if (rc == 1) {
715 return 1;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]716 }
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]717 }
718
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]719 /* no match, fail */
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]720 ERR(session, "Cert verify: fail (%s).", X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509_ctx)));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]721 return 0;
722 }
723
724 /* print cert verify info */
725 depth = X509_STORE_CTX_get_error_depth(x509_ctx);
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]726 VRB(session, "Cert verify: depth %d.", depth);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]727
728 cert = X509_STORE_CTX_get_current_cert(x509_ctx);
729 subject = X509_get_subject_name(cert);
730 issuer = X509_get_issuer_name(cert);
731
732 cp = X509_NAME_oneline(subject, NULL, 0);
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]733 VRB(session, "Cert verify: subject: %s.", cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]734 OPENSSL_free(cp);
735 cp = X509_NAME_oneline(issuer, NULL, 0);
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]736 VRB(session, "Cert verify: issuer: %s.", cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]737 OPENSSL_free(cp);
738
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]739 /* check if the current certificate is revoked if CRL is set */
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]740 if (opts->crl_store) {
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]741 rc = nc_server_tls_check_crl(opts->crl_store, x509_ctx, cert, subject, issuer);
742 if (rc) {
743 return 0;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]744 }
745 }
746
747 /* cert-to-name already successful */
748 if (session->username) {
749 return 1;
750 }
751
752 /* cert-to-name */
Roytakbe391922023-07-27 19:59:24 +0200[diff] [blame]753 rc = nc_tls_cert_to_name(session, opts->ctn, cert);
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]754 if (rc == -1) {
755 /* fatal error */
756 depth = 0;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]757 goto fail;
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]758 } else if ((rc == 1) && !opts->referenced_endpt_name) {
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]759 /* no match found and no referenced endpoint */
760 goto fail;
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]761 } else if ((rc == 1) && opts->referenced_endpt_name) {
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]762 /* no match found, but has a referenced endpoint so try it */
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]763 if (nc_server_get_referenced_endpt(opts->referenced_endpt_name, &referenced_endpt)) {
764 /* fatal error */
765 ERRINT;
766 depth = 0;
767 goto fail;
768 }
769
770 rc = nc_tls_cert_to_name(session, referenced_endpt->opts.tls->ctn, cert);
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]771 if (rc) {
772 if (rc == -1) {
773 /* fatal error */
774 depth = 0;
775 }
776 /* rc == 1 is a normal CTN fail (no match found) */
777 goto fail;
778 }
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]779 }
780
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]781 VRB(session, "Cert verify CTN: new client username recognized as \"%s\".", session->username);
Michal Vasko7060bcf2016-11-28 14:48:11 +0100[diff] [blame]782
783 if (server_opts.user_verify_clb && !server_opts.user_verify_clb(session)) {
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]784 VRB(session, "Cert verify: user verify callback revoked authorization.");
Michal Vasko7060bcf2016-11-28 14:48:11 +0100[diff] [blame]785 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_APPLICATION_VERIFICATION);
786 return 0;
787 }
788
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]789 return 1;
790
791fail:
792 if (depth > 0) {
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]793 VRB(session, "Cert verify CTN: cert fail, cert-to-name will continue on the next cert in chain.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]794 return 1;
795 }
796
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]797 VRB(session, "Cert-to-name unsuccessful, dropping the new client.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]798 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_APPLICATION_VERIFICATION);
799 return 0;
800}
801
Michal Vasko709598e2016-11-28 14:48:32 +0100[diff] [blame]802API const X509 *
803nc_session_get_client_cert(const struct nc_session *session)
804{
805 if (!session || (session->side != NC_SERVER)) {
roman40672412023-05-04 11:10:22 +0200[diff] [blame]806 ERRARG(session, "session");
Michal Vasko709598e2016-11-28 14:48:32 +0100[diff] [blame]807 return NULL;
808 }
809
810 return session->opts.server.client_cert;
811}
812
Michal Vasko7060bcf2016-11-28 14:48:11 +0100[diff] [blame]813API void
814nc_server_tls_set_verify_clb(int (*verify_clb)(const struct nc_session *session))
815{
816 server_opts.user_verify_clb = verify_clb;
817}
818
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]819static int
820nc_server_tls_ks_ref_get_cert_key(const char *referenced_key_name, const char *referenced_cert_name,
821 char **privkey_data, NC_PRIVKEY_FORMAT *privkey_type, char **cert_data)
Andrew Langefeld440b6c72018-08-27 16:26:20 -0500[diff] [blame]822{
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]823 uint16_t i, j;
824 struct nc_keystore *ks = &server_opts.keystore;
Andrew Langefeld440b6c72018-08-27 16:26:20 -0500[diff] [blame]825
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]826 *privkey_data = NULL;
827 *cert_data = NULL;
Andrew Langefeld440b6c72018-08-27 16:26:20 -0500[diff] [blame]828
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]829 /* lookup name */
830 for (i = 0; i < ks->asym_key_count; i++) {
831 if (!strcmp(referenced_key_name, ks->asym_keys[i].name)) {
832 break;
Andrew Langefeld440b6c72018-08-27 16:26:20 -0500[diff] [blame]833 }
834 }
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]835 if (i == ks->asym_key_count) {
836 ERR(NULL, "Keystore entry \"%s\" not found.", referenced_key_name);
Andrew Langefeld440b6c72018-08-27 16:26:20 -0500[diff] [blame]837 return -1;
838 }
839
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]840 for (j = 0; j < ks->asym_keys[i].cert_count; j++) {
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]841 if (!strcmp(referenced_cert_name, ks->asym_keys[i].certs[j].name)) {
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]842 break;
Andrew Langefeld440b6c72018-08-27 16:26:20 -0500[diff] [blame]843 }
844 }
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]845 if (j == ks->asym_keys[i].cert_count) {
846 ERR(NULL, "Keystore certificate entry \"%s\" associated with the key \"%s\" not found.",
847 referenced_cert_name, referenced_key_name);
848 return -1;
849 }
Andrew Langefeld440b6c72018-08-27 16:26:20 -0500[diff] [blame]850
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]851 *privkey_data = ks->asym_keys[i].privkey_data;
852 *privkey_type = ks->asym_keys[i].privkey_type;
853 *cert_data = ks->asym_keys[i].certs[j].data;
854 return 0;
Andrew Langefeld440b6c72018-08-27 16:26:20 -0500[diff] [blame]855}
856
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]857static int
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]858nc_tls_ctx_set_server_cert_key(SSL_CTX *tls_ctx, struct nc_server_tls_opts *opts)
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]859{
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]860 char *privkey_data = NULL, *cert_data = NULL;
Michal Vaskoddce1212019-05-24 09:58:49 +0200[diff] [blame]861 int ret = 0;
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]862 NC_PRIVKEY_FORMAT privkey_type;
Michal Vasko6e08cb72017-02-02 11:15:29 +0100[diff] [blame]863 X509 *cert = NULL;
864 EVP_PKEY *pkey = NULL;
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]865
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]866 NC_CHECK_ARG_RET(NULL, tls_ctx, opts, -1);
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]867
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]868 /* get data needed for setting the server cert */
869 if (opts->store == NC_STORE_LOCAL) {
870 /* local definition */
871 cert_data = opts->cert_data;
872 privkey_data = opts->privkey_data;
873 privkey_type = opts->privkey_type;
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]874 } else {
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]875 /* keystore */
876 ret = nc_server_tls_ks_ref_get_cert_key(opts->key_ref, opts->cert_ref, &privkey_data, &privkey_type, &cert_data);
877 if (ret) {
878 ERR(NULL, "Getting server certificate from the keystore reference \"%s\" failed.", opts->key_ref);
879 return -1;
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]880 }
881 }
882
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]883 /* load the cert */
884 cert = base64der_to_cert(cert_data);
885 if (!cert) {
886 ERR(NULL, "Converting certificate data to certificate format failed.");
887 ret = -1;
888 goto cleanup;
889 }
890
891 /* set server cert */
892 ret = SSL_CTX_use_certificate(tls_ctx, cert);
893 if (ret != 1) {
894 ERR(NULL, "Loading the server certificate failed (%s).", ERR_reason_error_string(ERR_get_error()));
895 ret = -1;
896 goto cleanup;
897 }
898
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]899 /* load the private key */
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]900 pkey = base64der_to_privatekey(privkey_data, nc_privkey_format_to_str(privkey_type));
901 if (!pkey) {
902 ERR(NULL, "Converting private key data to private key format failed.");
903 ret = -1;
904 goto cleanup;
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]905 }
906
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]907 /* set server key */
908 ret = SSL_CTX_use_PrivateKey(tls_ctx, pkey);
909 if (ret != 1) {
910 ERR(NULL, "Loading the server private key failed (%s).", ERR_reason_error_string(ERR_get_error()));
911 ret = -1;
912 goto cleanup;
913 }
914
915 ret = 0;
Andrew Langefeld440b6c72018-08-27 16:26:20 -0500[diff] [blame]916
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]917cleanup:
Michal Vasko6e08cb72017-02-02 11:15:29 +0100[diff] [blame]918 X509_free(cert);
919 EVP_PKEY_free(pkey);
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]920 return ret;
921}
922
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]923static int
924tls_store_add_trusted_cert(X509_STORE *cert_store, const char *cert_data)
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]925{
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]926 X509 *cert;
927
928 cert = base64der_to_cert(cert_data);
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200[diff] [blame]929
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]930 if (!cert) {
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]931 ERR(NULL, "Loading a trusted certificate (data \"%s\") failed (%s).", cert_data,
932 ERR_reason_error_string(ERR_get_error()));
933 return -1;
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]934 }
935
936 /* add the trusted certificate */
937 if (X509_STORE_add_cert(cert_store, cert) != 1) {
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]938 ERR(NULL, "Adding a trusted certificate failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]939 X509_free(cert);
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]940 return -1;
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]941 }
942 X509_free(cert);
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]943
944 return 0;
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]945}
946
947static int
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]948nc_tls_store_set_trusted_certs(X509_STORE *cert_store, struct nc_cert_grouping *ca_certs)
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]949{
950 uint16_t i;
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]951 struct nc_certificate *certs;
952 uint16_t cert_count;
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]953
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]954 if (ca_certs->store == NC_STORE_LOCAL) {
955 /* local definition */
956 certs = ca_certs->certs;
957 cert_count = ca_certs->cert_count;
958 } else {
959 /* truststore */
960 if (nc_server_tls_ts_ref_get_certs(ca_certs->ts_ref, &certs, &cert_count)) {
961 ERR(NULL, "Error getting certificate-authority certificates from the truststore reference \"%s\".", ca_certs->ts_ref);
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]962 return -1;
963 }
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]964 }
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]965
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]966 for (i = 0; i < cert_count; i++) {
967 if (tls_store_add_trusted_cert(cert_store, certs[i].data)) {
968 return -1;
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]969 }
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]970 }
971
972 return 0;
973}
974
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]975static int
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]976nc_server_tls_crl_path(struct nc_session *session, const char *crl_path, X509_STORE *store)
977{
978 int ret = 0;
979 X509_CRL *crl = NULL;
980 FILE *f;
981
982 f = fopen(crl_path, "r");
983 if (!f) {
984 ERR(session, "Unable to open CRL file \"%s\".", crl_path);
985 return -1;
986 }
987
988 /* try DER first */
989 crl = d2i_X509_CRL_fp(f, NULL);
990 if (crl) {
991 /* success */
992 goto ok;
993 }
994
995 /* DER failed, try PEM */
996 rewind(f);
997 crl = PEM_read_X509_CRL(f, NULL, NULL, NULL);
998 if (!crl) {
999 ERR(session, "Reading CRL from file \"%s\" failed.", crl_path);
1000 ret = -1;
1001 goto cleanup;
1002 }
1003
1004ok:
1005 ret = X509_STORE_add_crl(store, crl);
1006 if (!ret) {
1007 ERR(session, "Error adding CRL to store (%s).", ERR_reason_error_string(ERR_get_error()));
1008 ret = -1;
1009 goto cleanup;
1010 }
1011 /* ok */
1012 ret = 0;
1013
1014cleanup:
1015 fclose(f);
1016 X509_CRL_free(crl);
1017 return ret;
1018}
1019
1020static size_t
1021nc_server_tls_curl_cb(char *ptr, size_t size, size_t nmemb, void *userdata)
1022{
1023 struct nc_curl_data *data;
1024
1025 size = nmemb;
1026
1027 data = (struct nc_curl_data *)userdata;
1028
1029 data->data = nc_realloc(data->data, data->size + size);
roman3a95bb22023-10-26 11:07:17 +0200[diff] [blame]1030 NC_CHECK_ERRMEM_RET(!data->data, 0);
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]1031
1032 memcpy(&data->data[data->size], ptr, size);
1033 data->size += size;
1034
1035 return size;
1036}
1037
1038static int
1039nc_server_tls_curl_init(struct nc_session *session, CURL **handle, struct nc_curl_data *data)
1040{
1041 NC_CHECK_ARG_RET(session, handle, data, -1);
1042
1043 *handle = NULL;
1044
1045 *handle = curl_easy_init();
1046 if (!*handle) {
1047 ERR(session, "Initializing CURL failed.");
1048 return -1;
1049 }
1050
1051 if (curl_easy_setopt(*handle, CURLOPT_WRITEFUNCTION, nc_server_tls_curl_cb)) {
1052 ERR(session, "Setting curl callback failed.");
1053 return -1;
1054 }
1055
1056 if (curl_easy_setopt(*handle, CURLOPT_WRITEDATA, data)) {
1057 ERR(session, "Setting curl callback data failed.");
1058 return -1;
1059 }
1060
1061 return 0;
1062}
1063
1064static int
1065nc_server_tls_curl_fetch(struct nc_session *session, CURL *handle, const char *url)
1066{
1067 char err_buf[CURL_ERROR_SIZE];
1068
1069 /* set uri */
1070 if (curl_easy_setopt(handle, CURLOPT_URL, url)) {
1071 ERR(session, "Setting URI \"%s\" to download CRL from failed.", url);
1072 return -1;
1073 }
1074
1075 /* set err buf */
roman134783b2023-11-09 12:41:45 +0100[diff] [blame^]1076 if (curl_easy_setopt(handle, CURLOPT_ERRORBUFFER, err_buf)) {
1077 ERR(session, "Setting CURL error buffer option failed.");
1078 return -1;
1079 }
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]1080
1081 /* download */
1082 if (curl_easy_perform(handle)) {
1083 ERR(session, "Downloading CRL from \"%s\" failed (%s).", url, err_buf);
1084 return -1;
1085 }
1086
1087 return 0;
1088}
1089
1090static int
1091nc_server_tls_add_crl_to_store(struct nc_session *session, struct nc_curl_data *downloaded, X509_STORE *store)
1092{
1093 int ret = 0;
1094 X509_CRL *crl = NULL;
1095 BIO *bio = NULL;
1096
1097 /* try DER first */
1098 crl = d2i_X509_CRL(NULL, (const unsigned char **) &downloaded->data, downloaded->size);
1099 if (crl) {
1100 /* it was DER */
1101 goto ok;
1102 }
1103
1104 /* DER failed, try PEM next */
1105 bio = BIO_new_mem_buf(downloaded->data, downloaded->size);
1106 if (!bio) {
1107 ERR(session, "Creating new bio failed (%s).", ERR_reason_error_string(ERR_get_error()));
1108 ret = -1;
1109 goto cleanup;
1110 }
1111
1112 /* try to parse PEM from the downloaded data */
1113 crl = PEM_read_bio_X509_CRL(bio, NULL, NULL, NULL);
1114 if (!crl) {
1115 ERR(session, "Reading downloaded CRL failed (%s).", ERR_reason_error_string(ERR_get_error()));
1116 ret = -1;
1117 goto cleanup;
1118 }
1119
1120ok:
1121 /* we obtained the CRL, now add it to the CRL store */
1122 ret = X509_STORE_add_crl(store, crl);
1123 if (!ret) {
1124 ERR(session, "Error adding CRL to store (%s).", ERR_reason_error_string(ERR_get_error()));
1125 ret = -1;
1126 goto cleanup;
1127 }
1128 /* ok */
1129 ret = 0;
1130
1131cleanup:
1132 X509_CRL_free(crl);
1133 BIO_free(bio);
1134 return ret;
1135}
1136
1137static int
1138nc_server_tls_crl_url(struct nc_session *session, const char *url, X509_STORE *store)
1139{
1140 int ret = 0;
1141 CURL *handle = NULL;
1142 struct nc_curl_data downloaded = {0};
1143
1144 /* init curl */
1145 ret = nc_server_tls_curl_init(session, &handle, &downloaded);
1146 if (ret) {
1147 goto cleanup;
1148 }
1149
1150 VRB(session, "Downloading CRL from \"%s\".", url);
1151
1152 /* download the CRL */
1153 ret = nc_server_tls_curl_fetch(session, handle, url);
1154 if (ret) {
1155 goto cleanup;
1156 }
1157
1158 /* convert the downloaded data to CRL and add it to the store */
1159 ret = nc_server_tls_add_crl_to_store(session, &downloaded, store);
1160 if (ret) {
1161 goto cleanup;
1162 }
1163
1164cleanup:
1165 curl_easy_cleanup(handle);
1166 return ret;
1167}
1168
1169static int
1170nc_server_tls_crl_cert_ext(struct nc_session *session, X509_STORE *cert_store, X509_STORE *crl_store)
1171{
1172 int ret = 0, i, j, k, gtype;
1173 CURL *handle = NULL;
1174 struct nc_curl_data downloaded = {0};
1175
1176 STACK_OF(X509_OBJECT) * objs;
1177 X509_OBJECT *obj;
1178 X509 *cert;
1179
1180 STACK_OF(DIST_POINT) * dist_points;
1181 DIST_POINT *dist_point;
1182 GENERAL_NAMES *general_names;
1183 GENERAL_NAME *general_name;
1184 ASN1_STRING *asn_string_uri;
1185 const char *crl_distpoint_uri;
1186
1187 /* init curl */
1188 ret = nc_server_tls_curl_init(session, &handle, &downloaded);
1189 if (ret) {
1190 goto cleanup;
1191 }
1192
1193 /* treat all entries in the cert_store as X509_OBJECTs */
1194 objs = X509_STORE_get0_objects(cert_store);
1195 if (!objs) {
1196 ERR(session, "Getting certificates from store failed (%s).", ERR_reason_error_string(ERR_get_error()));
1197 ret = -1;
1198 goto cleanup;
1199 }
1200
1201 /* iterate over all the CAs */
1202 for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
1203 obj = sk_X509_OBJECT_value(objs, i);
1204 cert = X509_OBJECT_get0_X509(obj);
1205 if (!cert) {
1206 /* the object on this index was not a certificate */
1207 continue;
1208 }
1209
1210 /* get all the distribution points for this CA */
1211 dist_points = X509_get_ext_d2i(cert, NID_crl_distribution_points, NULL, NULL);
1212
1213 /* iterate over all the dist points (there can be multiple for a single cert) */
1214 for (j = 0; j < sk_DIST_POINT_num(dist_points); j++) {
1215 dist_point = sk_DIST_POINT_value(dist_points, j);
1216 if (!dist_point) {
1217 continue;
1218 }
1219 general_names = dist_point->distpoint->name.fullname;
1220
1221 /* iterate over all the GeneralesNames in the distribution point */
1222 for (k = 0; k < sk_GENERAL_NAME_num(general_names); k++) {
1223 general_name = sk_GENERAL_NAME_value(general_names, k);
1224 asn_string_uri = GENERAL_NAME_get0_value(general_name, &gtype);
1225
1226 /* check if the general name is a URI and has a valid length */
1227 if ((gtype != GEN_URI) || (ASN1_STRING_length(asn_string_uri) <= 6)) {
1228 continue;
1229 }
1230
1231 crl_distpoint_uri = (const char *) ASN1_STRING_get0_data(asn_string_uri);
1232
1233 VRB(session, "Downloading CRL from \"%s\".", crl_distpoint_uri);
1234
1235 /* download the CRL */
1236 ret = nc_server_tls_curl_fetch(session, handle, crl_distpoint_uri);
1237 if (ret) {
1238 /* failed to download the CRL from this entry, try th next */
1239 continue;
1240 }
1241
1242 /* convert the downloaded data to CRL and add it to the store */
1243 ret = nc_server_tls_add_crl_to_store(session, &downloaded, crl_store);
1244 if (ret) {
1245 goto cleanup;
1246 }
1247
1248 /* the CRL was downloaded, no need to download it again using different protocol */
1249 break;
1250 }
1251 }
1252 }
1253
1254cleanup:
1255 curl_easy_cleanup(handle);
1256 return ret;
1257}
1258
1259static int
1260nc_tls_store_set_crl(struct nc_session *session, struct nc_server_tls_opts *opts, X509_STORE *store)
1261{
1262 if (!opts->crl_store) {
1263 /* first call on this endpoint */
1264 opts->crl_store = X509_STORE_new();
roman124a4362023-10-26 15:36:22 +0200[diff] [blame]1265 NC_CHECK_ERRMEM_GOTO(!opts->crl_store, , fail);
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]1266 }
1267
1268 if (opts->crl_path) {
1269 if (nc_server_tls_crl_path(session, opts->crl_path, opts->crl_store)) {
1270 goto fail;
1271 }
1272 } else if (opts->crl_url) {
1273 if (nc_server_tls_crl_url(session, opts->crl_url, opts->crl_store)) {
1274 goto fail;
1275 }
1276 } else {
1277 if (nc_server_tls_crl_cert_ext(session, store, opts->crl_store)) {
1278 goto fail;
1279 }
1280 }
1281
1282 return 0;
1283
1284fail:
1285 return -1;
1286}
1287
1288static int
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]1289nc_server_tls_accept_check(int accept_ret, struct nc_session *session)
1290{
1291 int verify;
1292
1293 /* check certificate verification result */
1294 verify = SSL_get_verify_result(session->ti.tls);
1295 switch (verify) {
1296 case X509_V_OK:
1297 if (accept_ret == 1) {
1298 VRB(session, "Client certificate verified.");
1299 }
1300 break;
1301 default:
1302 ERR(session, "Client certificate error (%s).", X509_verify_cert_error_string(verify));
1303 }
1304
1305 if (accept_ret != 1) {
1306 switch (SSL_get_error(session->ti.tls, accept_ret)) {
1307 case SSL_ERROR_SYSCALL:
Michal Vasko7ffcd142022-09-07 09:24:22 +0200[diff] [blame]1308 ERR(session, "SSL accept failed (%s).", strerror(errno));
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]1309 break;
1310 case SSL_ERROR_SSL:
Michal Vasko7ffcd142022-09-07 09:24:22 +0200[diff] [blame]1311 ERR(session, "SSL accept failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]1312 break;
1313 default:
Michal Vasko7ffcd142022-09-07 09:24:22 +0200[diff] [blame]1314 ERR(session, "SSL accept failed.");
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]1315 break;
1316 }
1317 }
1318
1319 return accept_ret;
1320}
1321
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1322int
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]1323nc_accept_tls_session(struct nc_session *session, struct nc_server_tls_opts *opts, int sock, int timeout)
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1324{
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1325 X509_STORE *cert_store;
1326 SSL_CTX *tls_ctx;
Michal Vasko36c7be82017-02-22 13:37:59 +0100[diff] [blame]1327 int ret;
roman6ece9c52022-06-22 09:29:17 +0200[diff] [blame]1328 struct timespec ts_timeout;
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]1329 struct nc_endpt *referenced_endpt;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1330
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1331 /* SSL_CTX */
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]1332 tls_ctx = SSL_CTX_new(TLS_server_method());
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]1333
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1334 if (!tls_ctx) {
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]1335 ERR(session, "Failed to create TLS context.");
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1336 goto error;
1337 }
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]1338
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1339 SSL_CTX_set_verify(tls_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nc_tlsclb_verify);
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]1340 if (nc_tls_ctx_set_server_cert_key(tls_ctx, opts)) {
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1341 goto error;
1342 }
1343
1344 /* X509_STORE, managed (freed) with the context */
1345 cert_store = X509_STORE_new();
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]1346 if (!cert_store) {
1347 ERR(session, "Creating certificate store failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]1348 goto error;
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1349 }
1350
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]1351 /* store the session, retrieve it when needed */
1352 ret = X509_STORE_set_ex_data(cert_store, 0, session);
1353 if (!ret) {
1354 ERR(session, "Setting certificate store data failed (%s).", ERR_reason_error_string(ERR_get_error()));
1355 goto error;
1356 }
1357
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]1358 /* set end-entity certs as cert store data, retrieve them if verification fails later */
1359 ret = X509_STORE_set_ex_data(cert_store, 1, &opts->ee_certs);
1360 if (!ret) {
1361 ERR(session, "Setting certificate store data failed (%s).", ERR_reason_error_string(ERR_get_error()));
1362 goto error;
1363 }
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1364
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]1365 /* do the same for referenced endpoint's end entity certs */
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]1366 if (opts->referenced_endpt_name) {
1367 if (nc_server_get_referenced_endpt(opts->referenced_endpt_name, &referenced_endpt)) {
1368 ERRINT;
1369 goto error;
1370 }
1371
1372 ret = X509_STORE_set_ex_data(cert_store, 2, &referenced_endpt->opts.tls->ee_certs);
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]1373 if (!ret) {
1374 ERR(session, "Setting certificate store data failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1375 goto error;
1376 }
1377 }
1378
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]1379 /* set store to the context */
1380 SSL_CTX_set_cert_store(tls_ctx, cert_store);
1381
1382 /* set certificate authority certs */
1383 if (nc_tls_store_set_trusted_certs(cert_store, &opts->ca_certs)) {
1384 goto error;
1385 }
1386
1387 /* set referenced endpoint's CA certs if set */
roman78df0fa2023-11-02 10:33:57 +0100[diff] [blame]1388 if (opts->referenced_endpt_name) {
1389 if (nc_tls_store_set_trusted_certs(cert_store, &referenced_endpt->opts.tls->ca_certs)) {
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1390 goto error;
1391 }
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]1392 }
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1393
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]1394 /* set Certificate Revocation List if configured */
1395 if (opts->crl_path || opts->crl_url || opts->crl_cert_ext) {
1396 if (nc_tls_store_set_crl(session, opts, cert_store)) {
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1397 goto error;
1398 }
1399 }
1400
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1401 session->ti_type = NC_TI_OPENSSL;
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1402 session->ti.tls = SSL_new(tls_ctx);
1403
Michal Vasko4c1fb492017-01-30 14:31:07 +0100[diff] [blame]1404 /* context can be freed already, trusted certs must be freed manually */
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1405 SSL_CTX_free(tls_ctx);
1406 tls_ctx = NULL;
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100[diff] [blame]1407
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1408 if (!session->ti.tls) {
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]1409 ERR(session, "Failed to create TLS structure from context.");
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1410 goto error;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1411 }
1412
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]1413 /* set TLS versions for the current SSL session */
1414 if (opts->tls_versions) {
1415 if (!(opts->tls_versions & NC_TLS_VERSION_10)) {
1416 SSL_set_options(session->ti.tls, SSL_OP_NO_TLSv1);
1417 }
1418 if (!(opts->tls_versions & NC_TLS_VERSION_11)) {
1419 SSL_set_options(session->ti.tls, SSL_OP_NO_TLSv1_1);
1420 }
1421 if (!(opts->tls_versions & NC_TLS_VERSION_12)) {
1422 SSL_set_options(session->ti.tls, SSL_OP_NO_TLSv1_2);
1423 }
1424 if (!(opts->tls_versions & NC_TLS_VERSION_13)) {
1425 SSL_set_options(session->ti.tls, SSL_OP_NO_TLSv1_3);
1426 }
1427 }
1428
1429 /* set TLS cipher suites */
1430 if (opts->ciphers) {
1431 /* set for TLS1.2 and lower */
1432 SSL_set_cipher_list(session->ti.tls, opts->ciphers);
1433 /* set for TLS1.3 */
1434 SSL_set_ciphersuites(session->ti.tls, opts->ciphers);
1435 }
1436
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1437 SSL_set_fd(session->ti.tls, sock);
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1438 sock = -1;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1439 SSL_set_mode(session->ti.tls, SSL_MODE_AUTO_RETRY);
1440
Michal Vasko36c7be82017-02-22 13:37:59 +0100[diff] [blame]1441 if (timeout > -1) {
Michal Vaskod8a74192023-02-06 15:51:50 +0100[diff] [blame]1442 nc_timeouttime_get(&ts_timeout, timeout);
Michal Vasko36c7be82017-02-22 13:37:59 +0100[diff] [blame]1443 }
Michal Vasko0190bc32016-03-02 15:47:49 +0100[diff] [blame]1444 while (((ret = SSL_accept(session->ti.tls)) == -1) && (SSL_get_error(session->ti.tls, ret) == SSL_ERROR_WANT_READ)) {
1445 usleep(NC_TIMEOUT_STEP);
Michal Vaskod8a74192023-02-06 15:51:50 +0100[diff] [blame]1446 if ((timeout > -1) && (nc_timeouttime_cur_diff(&ts_timeout) < 1)) {
Michal Vasko7ffcd142022-09-07 09:24:22 +0200[diff] [blame]1447 ERR(session, "SSL accept timeout.");
roman6ece9c52022-06-22 09:29:17 +0200[diff] [blame]1448 return 0;
Michal Vasko0190bc32016-03-02 15:47:49 +0100[diff] [blame]1449 }
1450 }
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]1451 if (nc_server_tls_accept_check(ret, session) != 1) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1452 return -1;
1453 }
1454
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1455 return 1;
Michal Vaskoe2713da2016-08-22 16:06:40 +0200[diff] [blame]1456
1457error:
1458 if (sock > -1) {
1459 close(sock);
1460 }
1461 SSL_CTX_free(tls_ctx);
1462 return -1;
Michal Vasko9e036d52016-01-08 10:49:26 +0100[diff] [blame]1463}