Gitiles
Code Review Sign In
gerrit.cesnet.cz / github / CESNET / libnetconf2 / 2895b79d525e030fb33250e722fd5024e14438ba / . / src / session_server_tls.c
blob: 77a246d6e43d2b1be0c770004ab63dc87c3a3fc7 [file] [log] [blame]
Radek Krejci5da708a2015-09-01 17:33:23 +0200[diff] [blame]1/**
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]2 * \file session_server_tls.c
3 * \author Michal Vasko <mvasko@cesnet.cz>
4 * \brief libnetconf2 TLS server session manipulation functions
Radek Krejci5da708a2015-09-01 17:33:23 +0200[diff] [blame]5 *
6 * Copyright (c) 2015 CESNET, z.s.p.o.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in
15 * the documentation and/or other materials provided with the
16 * distribution.
17 * 3. Neither the name of the Company nor the names of its contributors
18 * may be used to endorse or promote products derived from this
19 * software without specific prior written permission.
20 *
21 */
22
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]23#define _GNU_SOURCE
24
25#include <string.h>
26#include <poll.h>
Michal Vaskof0537d82016-01-29 14:42:38 +0100[diff] [blame]27#include <unistd.h>
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]28
29#include <openssl/ssl.h>
30#include <openssl/evp.h>
31#include <openssl/err.h>
32#include <openssl/x509v3.h>
33
Michal Vasko11d142a2016-01-19 15:58:24 +0100[diff] [blame]34#include "session_server.h"
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]35#include "session_server_ch.h"
36#include "libnetconf.h"
Radek Krejci5da708a2015-09-01 17:33:23 +0200[diff] [blame]37
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]38struct nc_server_tls_opts tls_ch_opts;
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]39pthread_mutex_t tls_ch_opts_lock = PTHREAD_MUTEX_INITIALIZER;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]40extern struct nc_server_opts server_opts;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]41
Michal Vasko5c2f7952016-01-22 13:16:31 +0100[diff] [blame]42static pthread_key_t verify_key;
43static pthread_once_t verify_once = PTHREAD_ONCE_INIT;
44
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]45static char *
46asn1time_to_str(ASN1_TIME *t)
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]47{
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]48 char *cp;
49 BIO *bio;
50 int n;
Radek Krejci5da708a2015-09-01 17:33:23 +0200[diff] [blame]51
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]52 if (!t) {
53 return NULL;
54 }
55 bio = BIO_new(BIO_s_mem());
56 if (!bio) {
57 return NULL;
58 }
59 ASN1_TIME_print(bio, t);
60 n = BIO_pending(bio);
61 cp = malloc(n + 1);
62 n = BIO_read(bio, cp, n);
63 if (n < 0) {
64 BIO_free(bio);
65 free(cp);
66 return NULL;
67 }
68 cp[n] = '\0';
69 BIO_free(bio);
70 return cp;
71}
72
73static void
74digest_to_str(const unsigned char *digest, unsigned int dig_len, char **str)
75{
76 unsigned int i;
77
78 *str = malloc(dig_len * 3);
79 for (i = 0; i < dig_len - 1; ++i) {
80 sprintf((*str) + (i * 3), "%02x:", digest[i]);
81 }
82 sprintf((*str) + (i * 3), "%02x", digest[i]);
83}
84
85/* return NULL - SSL error can be retrieved */
86static X509 *
87base64der_to_cert(const char *in)
88{
89 X509 *out;
90 char *buf;
91 BIO *bio;
92
93 if (in == NULL) {
94 return NULL;
95 }
96
97 if (asprintf(&buf, "%s%s%s", "-----BEGIN CERTIFICATE-----\n", in, "\n-----END CERTIFICATE-----") == -1) {
98 return NULL;
99 }
100 bio = BIO_new_mem_buf(buf, strlen(buf));
101 if (!bio) {
102 free(buf);
103 return NULL;
104 }
105
106 out = PEM_read_bio_X509(bio, NULL, NULL, NULL);
107 if (!out) {
108 free(buf);
109 BIO_free(bio);
110 return NULL;
111 }
112
113 free(buf);
114 BIO_free(bio);
115 return out;
116}
117
118/* return NULL - either errno or SSL error */
119static X509 *
120pem_to_cert(const char *path)
121{
122 FILE *fp;
123 X509 *out;
124
125 fp = fopen(path, "r");
126 if (!fp) {
127 return NULL;
128 }
129
130 out = PEM_read_X509(fp, NULL, NULL, NULL);
131 fclose(fp);
132 return out;
133}
134
135static EVP_PKEY *
136base64der_to_privatekey(const char *in, int rsa)
137{
138 EVP_PKEY *out;
139 char *buf;
140 BIO *bio;
141
142 if (in == NULL) {
143 return NULL;
144 }
145
146 if (asprintf(&buf, "%s%s%s%s%s%s%s", "-----BEGIN ", (rsa ? "RSA" : "DSA"), " PRIVATE KEY-----\n", in, "\n-----END ", (rsa ? "RSA" : "DSA"), " PRIVATE KEY-----") == -1) {
147 return NULL;
148 }
149 bio = BIO_new_mem_buf(buf, strlen(buf));
150 if (!bio) {
151 free(buf);
152 return NULL;
153 }
154
155 out = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);
156 if (!out) {
157 free(buf);
158 BIO_free(bio);
159 return NULL;
160 }
161
162 free(buf);
163 BIO_free(bio);
164 return out;
165}
166
167static int
168cert_pubkey_match(X509 *cert1, X509 *cert2)
169{
170 ASN1_BIT_STRING *bitstr1, *bitstr2;
171
172 bitstr1 = X509_get0_pubkey_bitstr(cert1);
173 bitstr2 = X509_get0_pubkey_bitstr(cert2);
174
175 if (!bitstr1 || !bitstr2 || (bitstr1->length != bitstr2->length) ||
176 memcmp(bitstr1->data, bitstr2->data, bitstr1->length)) {
177 return 0;
178 }
179
180 return 1;
181}
182
183static int
184nc_tls_ctn_get_username_from_cert(X509 *client_cert, NC_TLS_CTN_MAPTYPE map_type, char **username)
185{
186 STACK_OF(GENERAL_NAME) *san_names;
187 GENERAL_NAME *san_name;
188 ASN1_OCTET_STRING *ip;
189 int i, san_count;
190 char *subject, *common_name;
191
192 if (map_type == NC_TLS_CTN_COMMON_NAME) {
193 subject = X509_NAME_oneline(X509_get_subject_name(client_cert), NULL, 0);
194 common_name = strstr(subject, "CN=");
195 if (!common_name) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]196 WRN("Certificate does not include the commonName field.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]197 free(subject);
198 return 1;
199 }
200 common_name += 3;
201 if (strchr(common_name, '/')) {
202 *strchr(common_name, '/') = '\0';
203 }
204 *username = strdup(common_name);
205 free(subject);
206 } else {
207 /* retrieve subjectAltName's rfc822Name (email), dNSName and iPAddress values */
208 san_names = X509_get_ext_d2i(client_cert, NID_subject_alt_name, NULL, NULL);
209 if (!san_names) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]210 WRN("Certificate has no SANs or failed to retrieve them.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]211 return 1;
212 }
213
214 san_count = sk_GENERAL_NAME_num(san_names);
215 for (i = 0; i < san_count; ++i) {
216 san_name = sk_GENERAL_NAME_value(san_names, i);
217
218 /* rfc822Name (email) */
219 if ((map_type == NC_TLS_CTN_SAN_ANY || map_type == NC_TLS_CTN_SAN_RFC822_NAME) &&
220 san_name->type == GEN_EMAIL) {
221 *username = strdup((char *)ASN1_STRING_data(san_name->d.rfc822Name));
222 break;
223 }
224
225 /* dNSName */
226 if ((map_type == NC_TLS_CTN_SAN_ANY || map_type == NC_TLS_CTN_SAN_DNS_NAME) &&
227 san_name->type == GEN_DNS) {
228 *username = strdup((char *)ASN1_STRING_data(san_name->d.dNSName));
229 break;
230 }
231
232 /* iPAddress */
233 if ((map_type == NC_TLS_CTN_SAN_ANY || map_type == NC_TLS_CTN_SAN_IP_ADDRESS) &&
234 san_name->type == GEN_IPADD) {
235 ip = san_name->d.iPAddress;
236 if (ip->length == 4) {
237 if (asprintf(username, "%d.%d.%d.%d", ip->data[0], ip->data[1], ip->data[2], ip->data[3]) == -1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]238 ERRMEM;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]239 sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);
240 return -1;
241 }
242 break;
243 } else if (ip->length == 16) {
244 if (asprintf(username, "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
245 ip->data[0], ip->data[1], ip->data[2], ip->data[3], ip->data[4], ip->data[5],
246 ip->data[6], ip->data[7], ip->data[8], ip->data[9], ip->data[10], ip->data[11],
247 ip->data[12], ip->data[13], ip->data[14], ip->data[15]) == -1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]248 ERRMEM;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]249 sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);
250 return -1;
251 }
252 break;
253 } else {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]254 WRN("SAN IP address in an unknown format (length is %d).", ip->length);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]255 }
256 }
257 }
258 sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);
259
260 if (i < san_count) {
261 switch (map_type) {
262 case NC_TLS_CTN_SAN_RFC822_NAME:
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]263 WRN("Certificate does not include the SAN rfc822Name field.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]264 break;
265 case NC_TLS_CTN_SAN_DNS_NAME:
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]266 WRN("Certificate does not include the SAN dNSName field.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]267 break;
268 case NC_TLS_CTN_SAN_IP_ADDRESS:
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]269 WRN("Certificate does not include the SAN iPAddress field.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]270 break;
271 case NC_TLS_CTN_SAN_ANY:
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]272 WRN("Certificate does not include any relevant SAN fields.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]273 break;
274 default:
275 break;
276 }
277 return 1;
278 }
279 }
280
281 return 0;
282}
283
284/* return: 0 - OK, 1 - no match, -1 - error */
285static int
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]286nc_tls_cert_to_name(struct nc_ctn *ctn_first, X509 *cert, NC_TLS_CTN_MAPTYPE *map_type, const char **name)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]287{
288 char *digest_md5 = NULL, *digest_sha1 = NULL, *digest_sha224 = NULL;
289 char *digest_sha256 = NULL, *digest_sha384 = NULL, *digest_sha512 = NULL;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]290 unsigned char *buf = malloc(64);
291 unsigned int buf_len = 64;
292 int ret = 0;
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]293 struct nc_ctn *ctn;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]294
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]295 if (!ctn_first || !cert || !map_type || !name) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]296 free(buf);
297 return -1;
298 }
299
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]300 for (ctn = ctn_first; ctn; ctn = ctn->next) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]301 /* MD5 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]302 if (!strncmp(ctn->fingerprint, "01", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]303 if (!digest_md5) {
304 if (X509_digest(cert, EVP_md5(), buf, &buf_len) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]305 ERR("Calculating MD5 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]306 ret = -1;
307 goto cleanup;
308 }
309 digest_to_str(buf, buf_len, &digest_md5);
310 }
311
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]312 if (!strcasecmp(ctn->fingerprint + 3, digest_md5)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]313 /* we got ourselves a winner! */
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]314 VRB("Cert verify CTN: entry with a matching fingerprint found.");
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]315 *map_type = ctn->map_type;
316 if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
317 *name = ctn->name;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]318 }
319 break;
320 }
321
322 /* SHA-1 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]323 } else if (!strncmp(ctn->fingerprint, "02", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]324 if (!digest_sha1) {
325 if (X509_digest(cert, EVP_sha1(), buf, &buf_len) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]326 ERR("Calculating SHA-1 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]327 ret = -1;
328 goto cleanup;
329 }
330 digest_to_str(buf, buf_len, &digest_sha1);
331 }
332
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]333 if (!strcasecmp(ctn->fingerprint + 3, digest_sha1)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]334 /* we got ourselves a winner! */
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]335 VRB("Cert verify CTN: entry with a matching fingerprint found.");
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]336 *map_type = ctn->map_type;
337 if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
338 *name = ctn->name;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]339 }
340 break;
341 }
342
343 /* SHA-224 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]344 } else if (!strncmp(ctn->fingerprint, "03", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]345 if (!digest_sha224) {
346 if (X509_digest(cert, EVP_sha224(), buf, &buf_len) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]347 ERR("Calculating SHA-224 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]348 ret = -1;
349 goto cleanup;
350 }
351 digest_to_str(buf, buf_len, &digest_sha224);
352 }
353
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]354 if (!strcasecmp(ctn->fingerprint + 3, digest_sha224)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]355 /* we got ourselves a winner! */
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]356 VRB("Cert verify CTN: entry with a matching fingerprint found.");
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]357 *map_type = ctn->map_type;
358 if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
359 *name = ctn->name;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]360 }
361 break;
362 }
363
364 /* SHA-256 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]365 } else if (!strncmp(ctn->fingerprint, "04", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]366 if (!digest_sha256) {
367 if (X509_digest(cert, EVP_sha256(), buf, &buf_len) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]368 ERR("Calculating SHA-256 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]369 ret = -1;
370 goto cleanup;
371 }
372 digest_to_str(buf, buf_len, &digest_sha256);
373 }
374
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]375 if (!strcasecmp(ctn->fingerprint + 3, digest_sha256)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]376 /* we got ourselves a winner! */
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]377 VRB("Cert verify CTN: entry with a matching fingerprint found.");
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]378 *map_type = ctn->map_type;
379 if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
380 *name = ctn->name;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]381 }
382 break;
383 }
384
385 /* SHA-384 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]386 } else if (!strncmp(ctn->fingerprint, "05", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]387 if (!digest_sha384) {
388 if (X509_digest(cert, EVP_sha384(), buf, &buf_len) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]389 ERR("Calculating SHA-384 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]390 ret = -1;
391 goto cleanup;
392 }
393 digest_to_str(buf, buf_len, &digest_sha384);
394 }
395
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]396 if (!strcasecmp(ctn->fingerprint + 3, digest_sha384)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]397 /* we got ourselves a winner! */
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]398 VRB("Cert verify CTN: entry with a matching fingerprint found.");
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]399 *map_type = ctn->map_type;
400 if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
401 *name = ctn->name;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]402 }
403 break;
404 }
405
406 /* SHA-512 */
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]407 } else if (!strncmp(ctn->fingerprint, "06", 2)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]408 if (!digest_sha512) {
409 if (X509_digest(cert, EVP_sha512(), buf, &buf_len) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]410 ERR("Calculating SHA-512 digest failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]411 ret = -1;
412 goto cleanup;
413 }
414 digest_to_str(buf, buf_len, &digest_sha512);
415 }
416
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]417 if (!strcasecmp(ctn->fingerprint + 3, digest_sha512)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]418 /* we got ourselves a winner! */
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]419 VRB("Cert verify CTN: entry with a matching fingerprint found.");
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]420 *map_type = ctn->map_type;
421 if (ctn->map_type == NC_TLS_CTN_SPECIFIED) {
422 *name = ctn->name;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]423 }
424 break;
425 }
426
427 /* unknown */
428 } else {
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]429 WRN("Unknown fingerprint algorithm used (%s), skipping.", ctn->fingerprint);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]430 }
431 }
432
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]433 if (!ctn) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]434 ret = 1;
435 }
436
437cleanup:
438 free(digest_md5);
439 free(digest_sha1);
440 free(digest_sha224);
441 free(digest_sha256);
442 free(digest_sha384);
443 free(digest_sha512);
444 free(buf);
445 return ret;
446}
447
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]448static int
449nc_tlsclb_verify(int preverify_ok, X509_STORE_CTX *x509_ctx)
450{
451 X509_STORE_CTX store_ctx;
452 X509_OBJECT obj;
453 X509_NAME *subject;
454 X509_NAME *issuer;
455 X509 *cert;
456 X509_CRL *crl;
457 X509_REVOKED *revoked;
458 STACK_OF(X509) *cert_stack;
459 EVP_PKEY *pubkey;
460 struct nc_session* session;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]461 struct nc_server_tls_opts *opts;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]462 long serial;
463 int i, n, rc, depth;
464 char *cp;
465 const char *username = NULL;
466 NC_TLS_CTN_MAPTYPE map_type = 0;
467 ASN1_TIME *last_update = NULL, *next_update = NULL;
468
Michal Vasko6d292992016-01-18 09:42:38 +0100[diff] [blame]469 /* get the thread session */
Michal Vasko5c2f7952016-01-22 13:16:31 +0100[diff] [blame]470 session = pthread_getspecific(verify_key);
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]471 if (!session) {
472 ERRINT;
473 return 0;
474 }
475
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]476 opts = session->ti_opts;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]477
478 /* get the last certificate, that is the peer (client) certificate */
Michal Vasko06e22432016-01-15 10:30:06 +0100[diff] [blame]479 if (!session->tls_cert) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]480 cert_stack = X509_STORE_CTX_get1_chain(x509_ctx);
481 /* TODO all that is needed, but function X509_up_ref not present in older OpenSSL versions
482 session->cert = sk_X509_value(cert_stack, sk_X509_num(cert_stack) - 1);
483 X509_up_ref(session->cert);
484 sk_X509_pop_free(cert_stack, X509_free); */
485 while ((cert = sk_X509_pop(cert_stack))) {
Michal Vasko06e22432016-01-15 10:30:06 +0100[diff] [blame]486 X509_free(session->tls_cert);
487 session->tls_cert = cert;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]488 }
489 sk_X509_pop_free(cert_stack, X509_free);
490 }
491
492 /* standard certificate verification failed, so a trusted client cert must match to continue */
493 if (!preverify_ok) {
Michal Vasko06e22432016-01-15 10:30:06 +0100[diff] [blame]494 subject = X509_get_subject_name(session->tls_cert);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]495 cert_stack = X509_STORE_get1_certs(x509_ctx, subject);
496 if (cert_stack) {
497 for (i = 0; i < sk_X509_num(cert_stack); ++i) {
Michal Vasko06e22432016-01-15 10:30:06 +0100[diff] [blame]498 if (cert_pubkey_match(session->tls_cert, sk_X509_value(cert_stack, i))) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]499 /* we are just overriding the failed standard certificate verification (preverify_ok == 0),
500 * this callback will be called again with the same current certificate and preverify_ok == 1 */
Michal Vasko05ba9df2016-01-13 14:40:27 +0100[diff] [blame]501 VRB("Cert verify: fail (%s), but the client certificate is trusted, continuing.",
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]502 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509_ctx)));
503 X509_STORE_CTX_set_error(x509_ctx, X509_V_OK);
504 sk_X509_pop_free(cert_stack, X509_free);
505 return 1;
506 }
507 }
508 sk_X509_pop_free(cert_stack, X509_free);
509 }
510
511 ERR("Cert verify: fail (%s).", X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509_ctx)));
512 return 0;
513 }
514
515 /* print cert verify info */
516 depth = X509_STORE_CTX_get_error_depth(x509_ctx);
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]517 VRB("Cert verify: depth %d.", depth);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]518
519 cert = X509_STORE_CTX_get_current_cert(x509_ctx);
520 subject = X509_get_subject_name(cert);
521 issuer = X509_get_issuer_name(cert);
522
523 cp = X509_NAME_oneline(subject, NULL, 0);
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]524 VRB("Cert verify: subject: %s.", cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]525 OPENSSL_free(cp);
526 cp = X509_NAME_oneline(issuer, NULL, 0);
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]527 VRB("Cert verify: issuer: %s.", cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]528 OPENSSL_free(cp);
529
530 /* check for revocation if set */
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]531 if (opts->crl_store) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]532 /* try to retrieve a CRL corresponding to the _subject_ of
533 * the current certificate in order to verify it's integrity */
534 memset((char *)&obj, 0, sizeof(obj));
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]535 X509_STORE_CTX_init(&store_ctx, opts->crl_store, NULL, NULL);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]536 rc = X509_STORE_get_by_subject(&store_ctx, X509_LU_CRL, subject, &obj);
537 X509_STORE_CTX_cleanup(&store_ctx);
538 crl = obj.data.crl;
539 if (rc > 0 && crl) {
540 cp = X509_NAME_oneline(subject, NULL, 0);
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]541 VRB("Cert verify CRL: issuer: %s.", cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]542 OPENSSL_free(cp);
543
544 last_update = X509_CRL_get_lastUpdate(crl);
545 next_update = X509_CRL_get_nextUpdate(crl);
546 cp = asn1time_to_str(last_update);
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]547 VRB("Cert verify CRL: last update: %s.", cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]548 free(cp);
549 cp = asn1time_to_str(next_update);
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]550 VRB("Cert verify CRL: next update: %s.", cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]551 free(cp);
552
553 /* verify the signature on this CRL */
554 pubkey = X509_get_pubkey(cert);
555 if (X509_CRL_verify(crl, pubkey) <= 0) {
556 ERR("Cert verify CRL: invalid signature.");
557 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE);
558 X509_OBJECT_free_contents(&obj);
559 if (pubkey) {
560 EVP_PKEY_free(pubkey);
561 }
562 return 0;
563 }
564 if (pubkey) {
565 EVP_PKEY_free(pubkey);
566 }
567
568 /* check date of CRL to make sure it's not expired */
569 if (!next_update) {
570 ERR("Cert verify CRL: invalid nextUpdate field.");
571 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD);
572 X509_OBJECT_free_contents(&obj);
573 return 0;
574 }
575 if (X509_cmp_current_time(next_update) < 0) {
576 ERR("Cert verify CRL: expired - revoking all certificates.");
577 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CRL_HAS_EXPIRED);
578 X509_OBJECT_free_contents(&obj);
579 return 0;
580 }
581 X509_OBJECT_free_contents(&obj);
582 }
583
584 /* try to retrieve a CRL corresponding to the _issuer_ of
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]585 * the current certificate in order to check for revocation */
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]586 memset((char *)&obj, 0, sizeof(obj));
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]587 X509_STORE_CTX_init(&store_ctx, opts->crl_store, NULL, NULL);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]588 rc = X509_STORE_get_by_subject(&store_ctx, X509_LU_CRL, issuer, &obj);
589 X509_STORE_CTX_cleanup(&store_ctx);
590 crl = obj.data.crl;
591 if (rc > 0 && crl) {
592 /* check if the current certificate is revoked by this CRL */
593 n = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl));
594 for (i = 0; i < n; i++) {
595 revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
596 if (ASN1_INTEGER_cmp(revoked->serialNumber, X509_get_serialNumber(cert)) == 0) {
597 serial = ASN1_INTEGER_get(revoked->serialNumber);
598 cp = X509_NAME_oneline(issuer, NULL, 0);
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]599 ERR("Cert verify CRL: certificate with serial %ld (0x%lX) revoked per CRL from issuer %s.", serial, serial, cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]600 OPENSSL_free(cp);
601 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CERT_REVOKED);
602 X509_OBJECT_free_contents(&obj);
603 return 0;
604 }
605 }
606 X509_OBJECT_free_contents(&obj);
607 }
608 }
609
610 /* cert-to-name already successful */
611 if (session->username) {
612 return 1;
613 }
614
615 /* cert-to-name */
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]616 rc = nc_tls_cert_to_name(opts->ctn, cert, &map_type, &username);
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]617
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]618 if (rc) {
619 if (rc == -1) {
620 /* fatal error */
621 depth = 0;
622 }
623 /* rc == 1 is a normal CTN fail (no match found) */
624 goto fail;
625 }
626
627 /* cert-to-name match, now to extract the specific field from the peer cert */
628 if (map_type == NC_TLS_CTN_SPECIFIED) {
629 session->username = lydict_insert(server_opts.ctx, username, 0);
630 } else {
Michal Vasko06e22432016-01-15 10:30:06 +0100[diff] [blame]631 rc = nc_tls_ctn_get_username_from_cert(session->tls_cert, map_type, &cp);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]632 if (rc) {
633 if (rc == -1) {
634 depth = 0;
635 }
636 goto fail;
637 }
638 session->username = lydict_insert_zc(server_opts.ctx, cp);
639 }
640
641 VRB("Cert verify CTN: new client username recognized as \"%s\".", session->username);
642 return 1;
643
644fail:
645 if (depth > 0) {
646 VRB("Cert verify CTN: cert fail, cert-to-name will continue on the next cert in chain.");
647 return 1;
648 }
649
650 VRB("Cert-to-name unsuccessful, dropping the new client.");
651 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_APPLICATION_VERIFICATION);
652 return 0;
653}
654
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]655API int
656nc_server_tls_add_endpt_listen(const char *name, const char *address, uint16_t port)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]657{
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]658 return nc_server_add_endpt_listen(name, address, port, NC_TI_OPENSSL);
659}
660
661API int
Michal Vaskoda514772016-02-01 11:32:01 +0100[diff] [blame]662nc_server_tls_endpt_set_address(const char *endpt_name, const char *address)
663{
664 return nc_server_endpt_set_address_port(endpt_name, address, 0, NC_TI_OPENSSL);
665}
666
667API int
668nc_server_tls_endpt_set_port(const char *endpt_name, uint16_t port)
669{
670 return nc_server_endpt_set_address_port(endpt_name, NULL, port, NC_TI_OPENSSL);
671}
672
673API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]674nc_server_tls_del_endpt(const char *name)
675{
676 return nc_server_del_endpt(name, NC_TI_OPENSSL);
677}
678
679static int
680nc_server_tls_set_cert(const char *cert, struct nc_server_tls_opts *opts)
681{
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]682 X509 *x509_cert;
683
684 if (!cert) {
685 ERRARG;
686 return -1;
687 }
688
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]689 if (!opts->tls_ctx) {
690 opts->tls_ctx = SSL_CTX_new(TLSv1_2_server_method());
691 if (!opts->tls_ctx) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]692 ERR("Failed to create TLS context.");
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]693 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]694 }
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]695 SSL_CTX_set_verify(opts->tls_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nc_tlsclb_verify);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]696 }
697
698 x509_cert = base64der_to_cert(cert);
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]699 if (!x509_cert || (SSL_CTX_use_certificate(opts->tls_ctx, x509_cert) != 1)) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]700 ERR("Loading the server certificate failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]701 X509_free(x509_cert);
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]702 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]703 }
704 X509_free(x509_cert);
705
706 return 0;
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]707
708fail:
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]709 return -1;
710}
711
712API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]713nc_server_tls_endpt_set_cert(const char *endpt_name, const char *cert)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]714{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]715 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]716 struct nc_endpt *endpt;
717
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]718 /* LOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]719 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]720 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]721 return -1;
722 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]723 ret = nc_server_tls_set_cert(cert, endpt->ti_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]724 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]725 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]726
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]727 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]728}
729
730API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]731nc_server_tls_ch_set_cert(const char *cert)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]732{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]733 int ret;
734
735 /* OPTS LOCK */
736 pthread_mutex_lock(&tls_ch_opts_lock);
737 ret = nc_server_tls_set_cert(cert, &tls_ch_opts);
738 /* OPTS UNLOCK */
739 pthread_mutex_unlock(&tls_ch_opts_lock);
740
741 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]742}
743
744static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]745nc_server_tls_set_cert_path(const char *cert_path, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]746{
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]747 if (!cert_path) {
748 ERRARG;
749 return -1;
750 }
751
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]752 if (!opts->tls_ctx) {
753 opts->tls_ctx = SSL_CTX_new(TLSv1_2_server_method());
754 if (!opts->tls_ctx) {
755 ERR("Failed to create TLS context.");
756 goto fail;
757 }
758 SSL_CTX_set_verify(opts->tls_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nc_tlsclb_verify);
759 }
760
761 if (SSL_CTX_use_certificate_file(opts->tls_ctx, cert_path, SSL_FILETYPE_PEM) != 1) {
762 ERR("Loading the server certificate failed (%s).", ERR_reason_error_string(ERR_get_error()));
763 goto fail;
764 }
765
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]766 return 0;
767
768fail:
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]769 return -1;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]770}
771
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]772API int
Michal Vaskoda514772016-02-01 11:32:01 +0100[diff] [blame]773nc_server_tls_endpt_set_cert_path(const char *endpt_name, const char *cert_path)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]774{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]775 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]776 struct nc_endpt *endpt;
777
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]778 /* LOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]779 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]780 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]781 return -1;
782 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]783 ret = nc_server_tls_set_cert_path(cert_path, endpt->ti_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]784 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]785 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]786
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]787 return ret;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]788}
789
790API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]791nc_server_tls_ch_set_cert_path(const char *cert_path)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]792{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]793 int ret;
794
795 /* OPTS LOCK */
796 pthread_mutex_lock(&tls_ch_opts_lock);
797 ret = nc_server_tls_set_cert_path(cert_path, &tls_ch_opts);
798 /* OPTS UNLOCK */
799 pthread_mutex_unlock(&tls_ch_opts_lock);
800
801 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]802}
803
804static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]805nc_server_tls_set_key(const char *privkey, int is_rsa, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]806{
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]807 EVP_PKEY *key;;
808
809 if (!privkey) {
810 ERRARG;
811 return -1;
812 }
813
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]814 if (!opts->tls_ctx) {
815 opts->tls_ctx = SSL_CTX_new(TLSv1_2_server_method());
816 if (!opts->tls_ctx) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]817 ERR("Failed to create TLS context.");
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]818 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]819 }
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]820 SSL_CTX_set_verify(opts->tls_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nc_tlsclb_verify);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]821 }
822
823 key = base64der_to_privatekey(privkey, is_rsa);
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]824 if (!key || (SSL_CTX_use_PrivateKey(opts->tls_ctx, key) != 1)) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]825 ERR("Loading the server private key failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]826 EVP_PKEY_free(key);
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]827 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]828 }
829 EVP_PKEY_free(key);
830
831 return 0;
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]832
833fail:
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]834 return -1;
835}
836
837API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]838nc_server_tls_endpt_set_key(const char *endpt_name, const char *privkey, int is_rsa)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]839{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]840 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]841 struct nc_endpt *endpt;
842
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]843 /* LOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]844 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]845 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]846 return -1;
847 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]848 ret = nc_server_tls_set_key(privkey, is_rsa, endpt->ti_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]849 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]850 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]851
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]852 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]853}
854
855API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]856nc_server_tls_ch_set_key(const char *privkey, int is_rsa)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]857{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]858 int ret;
859
860 /* OPTS LOCK */
861 pthread_mutex_lock(&tls_ch_opts_lock);
862 ret = nc_server_tls_set_key(privkey, is_rsa, &tls_ch_opts);
863 /* OPTS UNLOCK */
864 pthread_mutex_unlock(&tls_ch_opts_lock);
865
866 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]867}
868
869static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]870nc_server_tls_set_key_path(const char *privkey_path, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]871{
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]872 if (!privkey_path) {
873 ERRARG;
874 return -1;
875 }
876
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]877 if (!opts->tls_ctx) {
878 opts->tls_ctx = SSL_CTX_new(TLSv1_2_server_method());
879 if (!opts->tls_ctx) {
880 ERR("Failed to create TLS context.");
881 goto fail;
882 }
883 SSL_CTX_set_verify(opts->tls_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nc_tlsclb_verify);
884 }
885
886 if (SSL_CTX_use_PrivateKey_file(opts->tls_ctx, privkey_path, SSL_FILETYPE_PEM) != 1) {
887 ERR("Loading the server private key failed (%s).", ERR_reason_error_string(ERR_get_error()));
888 goto fail;
889 }
890
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]891 return 0;
892
893fail:
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]894 return -1;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]895}
896
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]897API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]898nc_server_tls_endpt_set_key_path(const char *endpt_name, const char *privkey_path)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]899{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]900 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]901 struct nc_endpt *endpt;
902
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]903 /* LOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]904 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]905 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]906 return -1;
907 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]908 ret = nc_server_tls_set_key_path(privkey_path, endpt->ti_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]909 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]910 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]911
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]912 return ret;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]913}
914
915API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]916nc_server_tls_ch_set_key_path(const char *privkey_path)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]917{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]918 int ret;
919
920 /* OPTS LOCK */
921 pthread_mutex_lock(&tls_ch_opts_lock);
922 ret = nc_server_tls_set_key_path(privkey_path, &tls_ch_opts);
923 /* OPTS UNLOCK */
924 pthread_mutex_unlock(&tls_ch_opts_lock);
925
926 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]927}
928
929static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]930nc_server_tls_add_trusted_cert(const char *cert, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]931{
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]932 X509_STORE *cert_store;
933 X509 *x509_cert;
934
935 if (!cert) {
936 ERRARG;
937 return -1;
938 }
939
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]940 if (!opts->tls_ctx) {
941 opts->tls_ctx = SSL_CTX_new(TLSv1_2_server_method());
942 if (!opts->tls_ctx) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]943 ERR("Failed to create TLS context.");
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]944 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]945 }
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]946 SSL_CTX_set_verify(opts->tls_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nc_tlsclb_verify);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]947 }
948
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]949 cert_store = SSL_CTX_get_cert_store(opts->tls_ctx);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]950 if (!cert_store) {
951 cert_store = X509_STORE_new();
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]952 SSL_CTX_set_cert_store(opts->tls_ctx, cert_store);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]953 }
954
955 x509_cert = base64der_to_cert(cert);
956 if (!x509_cert || (X509_STORE_add_cert(cert_store, x509_cert) != 1)) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]957 ERR("Adding a trusted certificate failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]958 X509_free(x509_cert);
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]959 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]960 }
961 X509_free(x509_cert);
962
963 return 0;
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]964
965fail:
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]966 return -1;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]967}
968
969API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]970nc_server_tls_endpt_add_trusted_cert(const char *endpt_name, const char *cert)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]971{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]972 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]973 struct nc_endpt *endpt;
974
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]975 /* LOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]976 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]977 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]978 return -1;
979 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]980 ret = nc_server_tls_add_trusted_cert(cert, endpt->ti_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]981 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]982 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]983
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]984 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]985}
986
987API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]988nc_server_tls_ch_add_trusted_cert(const char *cert)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]989{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]990 int ret;
991
992 /* OPTS LOCK */
993 pthread_mutex_lock(&tls_ch_opts_lock);
994 ret = nc_server_tls_add_trusted_cert(cert, &tls_ch_opts);
995 /* OPTS UNLOCK */
996 pthread_mutex_unlock(&tls_ch_opts_lock);
997
998 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]999}
1000
1001static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1002nc_server_tls_add_trusted_cert_path(const char *cert_path, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1003{
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1004 X509_STORE *cert_store;
1005 X509 *x509_cert;
1006
1007 if (!cert_path) {
1008 ERRARG;
1009 return -1;
1010 }
1011
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1012 if (!opts->tls_ctx) {
1013 opts->tls_ctx = SSL_CTX_new(TLSv1_2_server_method());
1014 if (!opts->tls_ctx) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1015 ERR("Failed to create TLS context.");
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1016 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1017 }
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1018 SSL_CTX_set_verify(opts->tls_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nc_tlsclb_verify);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1019 }
1020
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1021 cert_store = SSL_CTX_get_cert_store(opts->tls_ctx);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1022 if (!cert_store) {
1023 cert_store = X509_STORE_new();
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1024 SSL_CTX_set_cert_store(opts->tls_ctx, cert_store);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1025 }
1026
1027 errno = 0;
1028 x509_cert = pem_to_cert(cert_path);
1029 if (!x509_cert || (X509_STORE_add_cert(cert_store, x509_cert) != 1)) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1030 ERR("Adding a trusted certificate failed (%s).",
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1031 (errno ? strerror(errno) : ERR_reason_error_string(ERR_get_error())));
1032 X509_free(x509_cert);
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1033 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1034 }
1035 X509_free(x509_cert);
1036
1037 return 0;
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1038
1039fail:
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1040 return -1;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1041}
1042
1043API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1044nc_server_tls_endpt_add_trusted_cert_path(const char *endpt_name, const char *cert_path)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1045{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1046 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1047 struct nc_endpt *endpt;
1048
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1049 /* LOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1050 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1051 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1052 return -1;
1053 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1054 ret = nc_server_tls_add_trusted_cert_path(cert_path, endpt->ti_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1055 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1056 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1057
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1058 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1059}
1060
1061API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1062nc_server_tls_ch_add_trusted_cert_path(const char *cert_path)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1063{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1064 int ret;
1065
1066 /* OPTS LOCK */
1067 pthread_mutex_lock(&tls_ch_opts_lock);
1068 ret = nc_server_tls_add_trusted_cert_path(cert_path, &tls_ch_opts);
1069 /* OPTS UNLOCK */
1070 pthread_mutex_unlock(&tls_ch_opts_lock);
1071
1072 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1073}
1074
1075static int
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1076nc_server_tls_set_trusted_ca_paths(const char *ca_file, const char *ca_dir, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1077{
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1078 X509_STORE *cert_store;
1079 X509_LOOKUP *lookup;
1080
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1081 if (!ca_file && !ca_dir) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1082 ERRARG;
1083 return -1;
1084 }
1085
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1086 if (!opts->tls_ctx) {
1087 opts->tls_ctx = SSL_CTX_new(TLSv1_2_server_method());
1088 if (!opts->tls_ctx) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1089 ERR("Failed to create TLS context.");
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1090 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1091 }
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1092 SSL_CTX_set_verify(opts->tls_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nc_tlsclb_verify);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1093 }
1094
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1095 cert_store = SSL_CTX_get_cert_store(opts->tls_ctx);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1096 if (!cert_store) {
1097 cert_store = X509_STORE_new();
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1098 SSL_CTX_set_cert_store(opts->tls_ctx, cert_store);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1099 }
1100
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1101 if (ca_file) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1102 lookup = X509_STORE_add_lookup(cert_store, X509_LOOKUP_file());
1103 if (!lookup) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1104 ERR("Failed to add a lookup method.");
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1105 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1106 }
1107
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1108 if (X509_LOOKUP_load_file(lookup, ca_file, X509_FILETYPE_PEM) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1109 ERR("Failed to add a trusted cert file (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1110 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1111 }
1112 }
1113
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1114 if (ca_dir) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1115 lookup = X509_STORE_add_lookup(cert_store, X509_LOOKUP_hash_dir());
1116 if (!lookup) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1117 ERR("Failed to add a lookup method.");
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1118 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1119 }
1120
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1121 if (X509_LOOKUP_add_dir(lookup, ca_dir, X509_FILETYPE_PEM) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1122 ERR("Failed to add a trusted cert directory (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1123 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1124 }
1125 }
1126
1127 return 0;
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1128
1129fail:
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1130 return -1;
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1131}
1132
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1133API int
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1134nc_server_tls_endpt_set_trusted_ca_paths(const char *endpt_name, const char *ca_file, const char *ca_dir)
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1135{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1136 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1137 struct nc_endpt *endpt;
1138
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1139 /* LOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1140 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1141 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1142 return -1;
1143 }
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1144 ret = nc_server_tls_set_trusted_ca_paths(ca_file, ca_dir, endpt->ti_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1145 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1146 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1147
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1148 return ret;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1149}
1150
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1151API int
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1152nc_server_tls_ch_set_trusted_ca_paths(const char *ca_file, const char *ca_dir)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1153{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1154 int ret;
1155
1156 /* OPTS LOCK */
1157 pthread_mutex_lock(&tls_ch_opts_lock);
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1158 ret = nc_server_tls_set_trusted_ca_paths(ca_file, ca_dir, &tls_ch_opts);
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1159 /* OPTS UNLOCK */
1160 pthread_mutex_unlock(&tls_ch_opts_lock);
1161
1162 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1163}
1164
1165static void
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1166nc_server_tls_clear_certs(struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1167{
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1168 if (!opts->tls_ctx) {
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1169 return;
1170 }
1171
1172 SSL_CTX_free(opts->tls_ctx);
1173 opts->tls_ctx = NULL;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1174}
1175
1176API void
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1177nc_server_tls_endpt_clear_certs(const char *endpt_name)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1178{
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1179 struct nc_endpt *endpt;
1180
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1181 /* LOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1182 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1183 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1184 return;
1185 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1186 nc_server_tls_clear_certs(endpt->ti_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1187 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1188 nc_server_endpt_unlock(endpt);
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1189}
1190
1191API void
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1192nc_server_tls_ch_clear_certs(void)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1193{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1194 /* OPTS LOCK */
1195 pthread_mutex_lock(&tls_ch_opts_lock);
1196 nc_server_tls_clear_certs(&tls_ch_opts);
1197 /* OPTS UNLOCK */
1198 pthread_mutex_unlock(&tls_ch_opts_lock);
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1199}
1200
1201static int
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1202nc_server_tls_set_crl_paths(const char *crl_file, const char *crl_dir, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1203{
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1204 X509_LOOKUP *lookup;
1205
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1206 if (!crl_file && !crl_dir) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1207 ERRARG;
1208 return -1;
1209 }
1210
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1211 if (!opts->crl_store) {
1212 opts->crl_store = X509_STORE_new();
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1213 }
1214
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1215 if (crl_file) {
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1216 lookup = X509_STORE_add_lookup(opts->crl_store, X509_LOOKUP_file());
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1217 if (!lookup) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1218 ERR("Failed to add a lookup method.");
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1219 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1220 }
1221
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1222 if (X509_LOOKUP_load_file(lookup, crl_file, X509_FILETYPE_PEM) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1223 ERR("Failed to add a revocation lookup file (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1224 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1225 }
1226 }
1227
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1228 if (crl_dir) {
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1229 lookup = X509_STORE_add_lookup(opts->crl_store, X509_LOOKUP_hash_dir());
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1230 if (!lookup) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1231 ERR("Failed to add a lookup method.");
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1232 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1233 }
1234
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1235 if (X509_LOOKUP_add_dir(lookup, crl_dir, X509_FILETYPE_PEM) != 1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1236 ERR("Failed to add a revocation lookup directory (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1237 goto fail;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1238 }
1239 }
1240
1241 return 0;
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1242
1243fail:
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1244 return -1;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1245}
1246
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1247API int
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1248nc_server_tls_endpt_set_crl_paths(const char *endpt_name, const char *crl_file, const char *crl_dir)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1249{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1250 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1251 struct nc_endpt *endpt;
1252
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1253 /* LOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1254 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1255 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1256 return -1;
1257 }
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1258 ret = nc_server_tls_set_crl_paths(crl_file, crl_dir, endpt->ti_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1259 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1260 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1261
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1262 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1263}
1264
1265API int
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1266nc_server_tls_ch_set_crl_paths(const char *crl_file, const char *crl_dir)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1267{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1268 int ret;
1269
1270 /* OPTS LOCK */
1271 pthread_mutex_lock(&tls_ch_opts_lock);
Michal Vasko96830e32016-02-01 10:54:18 +0100[diff] [blame]1272 ret = nc_server_tls_set_crl_paths(crl_file, crl_dir, &tls_ch_opts);
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1273 /* OPTS UNLOCK */
1274 pthread_mutex_unlock(&tls_ch_opts_lock);
1275
1276 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1277}
1278
1279static void
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1280nc_server_tls_clear_crls(struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1281{
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1282 if (!opts->crl_store) {
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1283 return;
1284 }
1285
1286 X509_STORE_free(opts->crl_store);
1287 opts->crl_store = NULL;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1288}
1289
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1290API void
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1291nc_server_tls_endpt_clear_crls(const char *endpt_name)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1292{
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1293 struct nc_endpt *endpt;
1294
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1295 /* LOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1296 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1297 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1298 return;
1299 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1300 nc_server_tls_clear_crls(endpt->ti_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1301 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1302 nc_server_endpt_unlock(endpt);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1303}
1304
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1305API void
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1306nc_server_tls_ch_clear_crls(void)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1307{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1308 /* OPTS LOCK */
1309 pthread_mutex_lock(&tls_ch_opts_lock);
1310 nc_server_tls_clear_crls(&tls_ch_opts);
1311 /* OPTS UNLOCK */
1312 pthread_mutex_unlock(&tls_ch_opts_lock);
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1313}
1314
1315static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1316nc_server_tls_add_ctn(uint32_t id, const char *fingerprint, NC_TLS_CTN_MAPTYPE map_type, const char *name, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1317{
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1318 struct nc_ctn *ctn, *new;
1319
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1320 if (!fingerprint || !map_type || ((map_type == NC_TLS_CTN_SPECIFIED) && !name)
1321 || ((map_type != NC_TLS_CTN_SPECIFIED) && name)) {
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1322 ERRARG;
1323 return -1;
1324 }
1325
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1326 new = malloc(sizeof *new);
1327
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1328 new->fingerprint = lydict_insert(server_opts.ctx, fingerprint, 0);
1329 new->name = lydict_insert(server_opts.ctx, name, 0);
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1330 new->id = id;
1331 new->map_type = map_type;
1332 new->next = NULL;
1333
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1334 if (!opts->ctn) {
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1335 /* the first item */
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1336 opts->ctn = new;
1337 } else if (opts->ctn->id > id) {
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1338 /* insert at the beginning */
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1339 new->next = opts->ctn;
1340 opts->ctn = new;
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1341 } else {
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1342 for (ctn = opts->ctn; ctn->next && ctn->next->id <= id; ctn = ctn->next);
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1343 /* insert after ctn */
1344 new->next = ctn->next;
1345 ctn->next = new;
1346 }
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1347
1348 return 0;
1349}
1350
1351API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1352nc_server_tls_endpt_add_ctn(const char *endpt_name, uint32_t id, const char *fingerprint, NC_TLS_CTN_MAPTYPE map_type, const char *name)
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1353{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1354 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1355 struct nc_endpt *endpt;
1356
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1357 /* LOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1358 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1359 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1360 return -1;
1361 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1362 ret = nc_server_tls_add_ctn(id, fingerprint, map_type, name, endpt->ti_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1363 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1364 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1365
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1366 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1367}
1368
1369API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1370nc_server_tls_ch_add_ctn(uint32_t id, const char *fingerprint, NC_TLS_CTN_MAPTYPE map_type, const char *name)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1371{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1372 int ret;
1373
1374 /* OPTS LOCK */
1375 pthread_mutex_lock(&tls_ch_opts_lock);
1376 ret = nc_server_tls_add_ctn(id, fingerprint, map_type, name, &tls_ch_opts);
1377 /* OPTS UNLOCK */
1378 pthread_mutex_unlock(&tls_ch_opts_lock);
1379
1380 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1381}
1382
1383static int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1384nc_server_tls_del_ctn(int64_t id, const char *fingerprint, NC_TLS_CTN_MAPTYPE map_type, const char *name, struct nc_server_tls_opts *opts)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1385{
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1386 struct nc_ctn *ctn, *next, *prev;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1387 int ret = -1;
1388
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1389 if ((id < 0) && !fingerprint && !map_type && !name) {
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1390 ctn = opts->ctn;
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1391 while (ctn) {
1392 lydict_remove(server_opts.ctx, ctn->fingerprint);
1393 lydict_remove(server_opts.ctx, ctn->name);
1394
1395 next = ctn->next;
1396 free(ctn);
1397 ctn = next;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1398
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1399 ret = 0;
1400 }
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1401 opts->ctn = NULL;
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1402 } else {
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1403 prev = NULL;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1404 ctn = opts->ctn;
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1405 while (ctn) {
1406 if (((id < 0) || (ctn->id == id))
1407 && (!fingerprint || !strcmp(ctn->fingerprint, fingerprint))
1408 && (!map_type || (ctn->map_type == map_type))
1409 && (!name || (ctn->name && !strcmp(ctn->name, name)))) {
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1410 lydict_remove(server_opts.ctx, ctn->fingerprint);
1411 lydict_remove(server_opts.ctx, ctn->name);
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1412
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1413 if (prev) {
1414 prev->next = ctn->next;
1415 next = ctn->next;
1416 } else {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1417 opts->ctn = ctn->next;
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1418 next = ctn->next;
1419 }
1420 free(ctn);
1421 ctn = next;
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1422
1423 ret = 0;
Michal Vasko5e3f3392016-01-20 11:13:01 +0100[diff] [blame]1424 } else {
1425 prev = ctn;
1426 ctn = ctn->next;
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1427 }
1428 }
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1429 }
1430
1431 return ret;
1432}
1433
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1434API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1435nc_server_tls_endpt_del_ctn(const char *endpt_name, int64_t id, const char *fingerprint, NC_TLS_CTN_MAPTYPE map_type, const char *name)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1436{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1437 int ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1438 struct nc_endpt *endpt;
1439
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1440 /* LOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1441 endpt = nc_server_endpt_lock(endpt_name, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1442 if (!endpt) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1443 return -1;
1444 }
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1445 ret = nc_server_tls_del_ctn(id, fingerprint, map_type, name, endpt->ti_opts);
Michal Vasko51e514d2016-02-02 15:51:52 +0100[diff] [blame]1446 /* UNLOCK */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1447 nc_server_endpt_unlock(endpt);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1448
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1449 return ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1450}
1451
1452API int
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1453nc_server_tls_ch_del_ctn(int64_t id, const char *fingerprint, NC_TLS_CTN_MAPTYPE map_type, const char *name)
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1454{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1455 int ret;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1456
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1457 /* OPTS LOCK */
1458 pthread_mutex_lock(&tls_ch_opts_lock);
1459 ret = nc_server_tls_del_ctn(id, fingerprint, map_type, name, &tls_ch_opts);
1460 /* OPTS UNLOCK */
1461 pthread_mutex_unlock(&tls_ch_opts_lock);
1462
1463 return ret;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1464}
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1465
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1466void
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1467nc_server_tls_clear_opts(struct nc_server_tls_opts *opts)
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1468{
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1469 nc_server_tls_clear_certs(opts);
1470 nc_server_tls_clear_crls(opts);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1471 nc_server_tls_del_ctn(-1, NULL, 0, NULL, opts);
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]1472}
Michal Vasko9e036d52016-01-08 10:49:26 +0100[diff] [blame]1473
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100[diff] [blame]1474API void
1475nc_server_tls_ch_clear_opts(void)
1476{
1477 /* OPTS LOCK */
1478 pthread_mutex_lock(&tls_ch_opts_lock);
1479 nc_server_tls_clear_opts(&tls_ch_opts);
1480 /* OPTS UNLOCK */
1481 pthread_mutex_unlock(&tls_ch_opts_lock);
1482}
1483
Michal Vasko6d292992016-01-18 09:42:38 +0100[diff] [blame]1484static void
1485nc_tls_make_verify_key(void)
1486{
Michal Vasko5c2f7952016-01-22 13:16:31 +0100[diff] [blame]1487 pthread_key_create(&verify_key, NULL);
Michal Vasko6d292992016-01-18 09:42:38 +0100[diff] [blame]1488}
1489
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1490API int
1491nc_connect_callhome_tls(const char *host, uint16_t port, int timeout, struct nc_session **session)
Michal Vasko9e036d52016-01-08 10:49:26 +0100[diff] [blame]1492{
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1493 return nc_connect_callhome(host, port, NC_TI_OPENSSL, timeout, session);
1494}
1495
1496int
1497nc_accept_tls_session(struct nc_session *session, int sock, int timeout)
1498{
1499 struct nc_server_tls_opts *opts;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1500 struct pollfd pfd;
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100[diff] [blame]1501 struct timespec old_ts, new_ts;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1502 int ret, elapsed = 0;
1503
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]1504 opts = session->ti_opts;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1505
1506 pfd.fd = sock;
1507 pfd.events = POLLIN;
1508 pfd.revents = 0;
1509
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100[diff] [blame]1510 if (timeout > 0) {
1511 clock_gettime(CLOCK_MONOTONIC_RAW, &old_ts);
1512 }
1513
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1514 /* poll for a new connection */
1515 errno = 0;
1516 ret = poll(&pfd, 1, timeout);
1517 if (!ret) {
1518 /* we timeouted */
1519 close(sock);
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1520 return 0;
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1521 } else if (ret == -1) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1522 ERR("poll failed (%s).", strerror(errno));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1523 close(sock);
1524 return -1;
1525 }
1526
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100[diff] [blame]1527 if (timeout > 0) {
1528 /* decrease timeout */
1529 clock_gettime(CLOCK_MONOTONIC_RAW, &new_ts);
1530
1531 elapsed = (new_ts.tv_sec - old_ts.tv_sec) * 1000;
1532 elapsed += (new_ts.tv_nsec - old_ts.tv_nsec) / 1000000;
1533 }
1534
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1535 /* data waiting, prepare session */
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1536 session->ti_type = NC_TI_OPENSSL;
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100[diff] [blame]1537
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]1538 session->ti.tls = SSL_new(opts->tls_ctx);
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100[diff] [blame]1539
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1540 if (!session->ti.tls) {
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1541 ERR("Failed to create TLS structure from context.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1542 close(sock);
1543 return -1;
1544 }
1545
1546 SSL_set_fd(session->ti.tls, sock);
1547 SSL_set_mode(session->ti.tls, SSL_MODE_AUTO_RETRY);
1548
Michal Vasko6d292992016-01-18 09:42:38 +0100[diff] [blame]1549 /* store session on per-thread basis */
Michal Vasko5c2f7952016-01-22 13:16:31 +0100[diff] [blame]1550 pthread_once(&verify_once, nc_tls_make_verify_key);
1551 pthread_setspecific(verify_key, session);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1552
1553 ret = SSL_accept(session->ti.tls);
Michal Vaskob48aa812016-01-18 14:13:09 +0100[diff] [blame]1554
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1555 if (ret != 1) {
1556 switch (SSL_get_error(session->ti.tls, ret)) {
1557 case SSL_ERROR_SYSCALL:
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1558 ERR("SSL_accept failed (%s).", strerror(errno));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1559 break;
1560 case SSL_ERROR_SSL:
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1561 ERR("SSL_accept failed (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1562 break;
1563 default:
Michal Vaskod083db62016-01-19 10:31:29 +0100[diff] [blame]1564 ERR("SSL_accept failed.");
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100[diff] [blame]1565 break;
1566 }
1567 return -1;
1568 }
1569
Michal Vasko1a38c862016-01-15 15:50:07 +0100[diff] [blame]1570 return 1;
Michal Vasko9e036d52016-01-08 10:49:26 +0100[diff] [blame]1571}