Gitiles
Code Review Sign In
gerrit.cesnet.cz / github / CESNET / libnetconf2 / a6bf6ab478cc689b5c617b9d6aab62972dc62e89 / . / src / session_client_tls.c
blob: 94b21b42fce010ad044e98905c381991788a2ec6 [file] [log] [blame]
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]1/**
Michal Vasko95ea9ff2021-11-09 12:29:14 +0100[diff] [blame]2 * @file session_client_tls.c
3 * @author Radek Krejci <rkrejci@cesnet.cz>
4 * @author Michal Vasko <mvasko@cesnet.cz>
5 * @brief libnetconf2 - TLS specific session client transport functions
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]6 *
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]7 * This source is compiled only with libssl.
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]8 *
Michal Vasko95ea9ff2021-11-09 12:29:14 +0100[diff] [blame]9 * @copyright
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]10 * Copyright (c) 2015 CESNET, z.s.p.o.
11 *
Radek Krejci9b81f5b2016-02-24 13:14:49 +0100[diff] [blame]12 * This source code is licensed under BSD 3-Clause License (the "License").
13 * You may not use this file except in compliance with the License.
14 * You may obtain a copy of the License at
Michal Vaskoafd416b2016-02-25 14:51:46 +0100[diff] [blame]15 *
Radek Krejci9b81f5b2016-02-24 13:14:49 +0100[diff] [blame]16 * https://opensource.org/licenses/BSD-3-Clause
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]17 */
18
Michal Vaskoba9f3582023-02-22 10:26:32 +0100[diff] [blame]19#define _GNU_SOURCE /* pthread_rwlock_t, strdup */
20
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]21#include <assert.h>
22#include <errno.h>
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]23#include <string.h>
24#include <unistd.h>
25
26#include <libyang/libyang.h>
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]27#include <openssl/err.h>
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200[diff] [blame]28#include <openssl/ossl_typ.h>
Michal Vaskodae48322016-02-25 14:49:48 +0100[diff] [blame]29#include <openssl/x509.h>
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]30
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200[diff] [blame]31#include "libnetconf.h"
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]32#include "session_client.h"
33#include "session_client_ch.h"
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]34
Rosen Penev4f552d62019-06-26 16:10:43 -0700[diff] [blame]35#if OPENSSL_VERSION_NUMBER < 0x10100000L
36#define X509_STORE_CTX_get_by_subject X509_STORE_get_by_subject
37#endif
38
Radek Krejci62aa0642017-05-25 16:33:49 +0200[diff] [blame]39struct nc_client_context *nc_client_context_location(void);
40
41#define client_opts nc_client_context_location()->opts
42#define tls_opts nc_client_context_location()->tls_opts
43#define tls_ch_opts nc_client_context_location()->tls_ch_opts
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]44
45static int tlsauth_ch;
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]46
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]47#if OPENSSL_VERSION_NUMBER >= 0x10100000L // >= 1.1.0
48
49static int
50tlsauth_verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
51{
52 X509_STORE_CTX *store_ctx;
53 X509_OBJECT *obj;
54 X509_NAME *subject, *issuer;
55 X509 *cert;
56 X509_CRL *crl;
57 X509_REVOKED *revoked;
58 EVP_PKEY *pubkey;
59 int i, n, rc;
60 const ASN1_TIME *next_update = NULL;
61 struct nc_client_tls_opts *opts;
62
63 if (!preverify_ok) {
64 return 0;
65 }
66
67 opts = (tlsauth_ch ? &tls_ch_opts : &tls_opts);
68
69 if (!opts->crl_store) {
70 /* nothing to check */
71 return 1;
72 }
73
74 cert = X509_STORE_CTX_get_current_cert(x509_ctx);
75 subject = X509_get_subject_name(cert);
76 issuer = X509_get_issuer_name(cert);
77
78 /* try to retrieve a CRL corresponding to the _subject_ of
79 * the current certificate in order to verify it's integrity */
80 store_ctx = X509_STORE_CTX_new();
81 obj = X509_OBJECT_new();
82 X509_STORE_CTX_init(store_ctx, opts->crl_store, NULL, NULL);
Rosen Penev4f552d62019-06-26 16:10:43 -0700[diff] [blame]83 rc = X509_STORE_CTX_get_by_subject(store_ctx, X509_LU_CRL, subject, obj);
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]84 X509_STORE_CTX_free(store_ctx);
85 crl = X509_OBJECT_get0_X509_CRL(obj);
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200[diff] [blame]86 if ((rc > 0) && crl) {
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]87 next_update = X509_CRL_get0_nextUpdate(crl);
88
89 /* verify the signature on this CRL */
90 pubkey = X509_get_pubkey(cert);
91 if (X509_CRL_verify(crl, pubkey) <= 0) {
92 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE);
93 X509_OBJECT_free(obj);
94 if (pubkey) {
95 EVP_PKEY_free(pubkey);
96 }
97 return 0; /* fail */
98 }
99 if (pubkey) {
100 EVP_PKEY_free(pubkey);
101 }
102
103 /* check date of CRL to make sure it's not expired */
104 if (!next_update) {
105 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD);
106 X509_OBJECT_free(obj);
107 return 0; /* fail */
108 }
109 if (X509_cmp_current_time(next_update) < 0) {
110 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CRL_HAS_EXPIRED);
111 X509_OBJECT_free(obj);
112 return 0; /* fail */
113 }
114 X509_OBJECT_free(obj);
115 }
116
117 /* try to retrieve a CRL corresponding to the _issuer_ of
118 * the current certificate in order to check for revocation */
119 store_ctx = X509_STORE_CTX_new();
120 obj = X509_OBJECT_new();
121 X509_STORE_CTX_init(store_ctx, opts->crl_store, NULL, NULL);
Rosen Penev4f552d62019-06-26 16:10:43 -0700[diff] [blame]122 rc = X509_STORE_CTX_get_by_subject(store_ctx, X509_LU_CRL, issuer, obj);
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]123 X509_STORE_CTX_free(store_ctx);
124 crl = X509_OBJECT_get0_X509_CRL(obj);
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200[diff] [blame]125 if ((rc > 0) && crl) {
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]126 /* check if the current certificate is revoked by this CRL */
127 n = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl));
128 for (i = 0; i < n; i++) {
129 revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
130 if (ASN1_INTEGER_cmp(X509_REVOKED_get0_serialNumber(revoked), X509_get_serialNumber(cert)) == 0) {
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]131 ERR(NULL, "Certificate revoked!");
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]132 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CERT_REVOKED);
133 X509_OBJECT_free(obj);
134 return 0; /* fail */
135 }
136 }
137 X509_OBJECT_free(obj);
138 }
139
140 return 1; /* success */
141}
142
143#else
144
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]145static int
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]146tlsauth_verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]147{
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]148 X509_STORE_CTX store_ctx;
149 X509_OBJECT obj;
150 X509_NAME *subject, *issuer;
151 X509 *cert;
152 X509_CRL *crl;
153 X509_REVOKED *revoked;
154 EVP_PKEY *pubkey;
155 int i, n, rc;
156 ASN1_TIME *next_update = NULL;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]157 struct nc_client_tls_opts *opts;
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]158
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]159 if (!preverify_ok) {
160 return 0;
161 }
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]162
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]163 opts = (tlsauth_ch ? &tls_ch_opts : &tls_opts);
164
165 if (!opts->crl_store) {
166 /* nothing to check */
167 return 1;
168 }
169
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]170 cert = X509_STORE_CTX_get_current_cert(x509_ctx);
171 subject = X509_get_subject_name(cert);
172 issuer = X509_get_issuer_name(cert);
173
174 /* try to retrieve a CRL corresponding to the _subject_ of
175 * the current certificate in order to verify it's integrity */
176 memset((char *)&obj, 0, sizeof obj);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]177 X509_STORE_CTX_init(&store_ctx, opts->crl_store, NULL, NULL);
Rosen Penev4f552d62019-06-26 16:10:43 -0700[diff] [blame]178 rc = X509_STORE_CTX_get_by_subject(&store_ctx, X509_LU_CRL, subject, &obj);
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]179 X509_STORE_CTX_cleanup(&store_ctx);
180 crl = obj.data.crl;
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200[diff] [blame]181 if ((rc > 0) && crl) {
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]182 next_update = X509_CRL_get_nextUpdate(crl);
183
184 /* verify the signature on this CRL */
185 pubkey = X509_get_pubkey(cert);
186 if (X509_CRL_verify(crl, pubkey) <= 0) {
187 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE);
188 X509_OBJECT_free_contents(&obj);
189 if (pubkey) {
190 EVP_PKEY_free(pubkey);
191 }
192 return 0; /* fail */
193 }
194 if (pubkey) {
195 EVP_PKEY_free(pubkey);
196 }
197
198 /* check date of CRL to make sure it's not expired */
199 if (!next_update) {
200 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD);
201 X509_OBJECT_free_contents(&obj);
202 return 0; /* fail */
203 }
204 if (X509_cmp_current_time(next_update) < 0) {
205 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CRL_HAS_EXPIRED);
206 X509_OBJECT_free_contents(&obj);
207 return 0; /* fail */
208 }
209 X509_OBJECT_free_contents(&obj);
210 }
211
212 /* try to retrieve a CRL corresponding to the _issuer_ of
213 * the current certificate in order to check for revocation */
214 memset((char *)&obj, 0, sizeof obj);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]215 X509_STORE_CTX_init(&store_ctx, opts->crl_store, NULL, NULL);
Rosen Penev4f552d62019-06-26 16:10:43 -0700[diff] [blame]216 rc = X509_STORE_CTX_get_by_subject(&store_ctx, X509_LU_CRL, issuer, &obj);
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]217 X509_STORE_CTX_cleanup(&store_ctx);
218 crl = obj.data.crl;
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200[diff] [blame]219 if ((rc > 0) && crl) {
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]220 /* check if the current certificate is revoked by this CRL */
221 n = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl));
222 for (i = 0; i < n; i++) {
223 revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
224 if (ASN1_INTEGER_cmp(revoked->serialNumber, X509_get_serialNumber(cert)) == 0) {
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]225 ERR(NULL, "Certificate revoked!");
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]226 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CERT_REVOKED);
227 X509_OBJECT_free_contents(&obj);
228 return 0; /* fail */
229 }
230 }
231 X509_OBJECT_free_contents(&obj);
232 }
233
234 return 1; /* success */
235}
236
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]237#endif
238
Kevin Barrettd37d2fb2019-08-28 14:25:34 -0400[diff] [blame]239void
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]240_nc_client_tls_destroy_opts(struct nc_client_tls_opts *opts)
241{
242 free(opts->cert_path);
243 free(opts->key_path);
244 free(opts->ca_file);
245 free(opts->ca_dir);
246 SSL_CTX_free(opts->tls_ctx);
247
248 free(opts->crl_file);
249 free(opts->crl_dir);
250 X509_STORE_free(opts->crl_store);
Radek Krejci5cebc6b2017-05-26 13:24:38 +0200[diff] [blame]251
252 memset(opts, 0, sizeof *opts);
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]253}
254
Michal Vaskob7558c52016-02-26 15:04:19 +0100[diff] [blame]255void
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]256nc_client_tls_destroy_opts(void)
257{
258 _nc_client_tls_destroy_opts(&tls_opts);
259 _nc_client_tls_destroy_opts(&tls_ch_opts);
260}
261
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]262static int
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]263_nc_client_tls_set_cert_key_paths(const char *client_cert, const char *client_key, struct nc_client_tls_opts *opts)
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]264{
roman40672412023-05-04 11:10:22 +0200[diff] [blame]265 NC_CHECK_ARG_RET(NULL, client_cert, -1);
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]266
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]267 free(opts->cert_path);
268 free(opts->key_path);
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]269
Michal Vasko9db2a6f2016-02-01 13:26:03 +0100[diff] [blame]270 opts->cert_path = strdup(client_cert);
271 if (!opts->cert_path) {
272 ERRMEM;
273 return -1;
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]274 }
275
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]276 if (client_key) {
277 opts->key_path = strdup(client_key);
Michal Vasko9db2a6f2016-02-01 13:26:03 +0100[diff] [blame]278 if (!opts->key_path) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]279 ERRMEM;
280 return -1;
281 }
282 } else {
283 opts->key_path = NULL;
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]284 }
285
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]286 opts->tls_ctx_change = 1;
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]287
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100[diff] [blame]288 return 0;
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]289}
290
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]291API int
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]292nc_client_tls_set_cert_key_paths(const char *client_cert, const char *client_key)
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]293{
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]294 return _nc_client_tls_set_cert_key_paths(client_cert, client_key, &tls_opts);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]295}
296
297API int
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]298nc_client_tls_ch_set_cert_key_paths(const char *client_cert, const char *client_key)
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]299{
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]300 return _nc_client_tls_set_cert_key_paths(client_cert, client_key, &tls_ch_opts);
301}
302
303static void
304_nc_client_tls_get_cert_key_paths(const char **client_cert, const char **client_key, struct nc_client_tls_opts *opts)
305{
306 if (!client_cert && !client_key) {
roman40672412023-05-04 11:10:22 +0200[diff] [blame]307 ERRARG(NULL, "client_cert and client_key");
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]308 return;
309 }
310
311 if (client_cert) {
312 *client_cert = opts->cert_path;
313 }
314 if (client_key) {
315 *client_key = opts->key_path;
316 }
317}
318
319API void
320nc_client_tls_get_cert_key_paths(const char **client_cert, const char **client_key)
321{
322 _nc_client_tls_get_cert_key_paths(client_cert, client_key, &tls_opts);
323}
324
325API void
326nc_client_tls_ch_get_cert_key_paths(const char **client_cert, const char **client_key)
327{
328 _nc_client_tls_get_cert_key_paths(client_cert, client_key, &tls_ch_opts);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]329}
330
331static int
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]332_nc_client_tls_set_trusted_ca_paths(const char *ca_file, const char *ca_dir, struct nc_client_tls_opts *opts)
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]333{
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]334 if (!ca_file && !ca_dir) {
roman40672412023-05-04 11:10:22 +0200[diff] [blame]335 ERRARG(NULL, "ca_file and ca_dir");
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]336 return -1;
337 }
338
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]339 free(opts->ca_file);
340 free(opts->ca_dir);
341
342 if (ca_file) {
343 opts->ca_file = strdup(ca_file);
344 if (!opts->ca_file) {
345 ERRMEM;
346 return -1;
347 }
348 } else {
349 opts->ca_file = NULL;
350 }
351
352 if (ca_dir) {
353 opts->ca_dir = strdup(ca_dir);
354 if (!opts->ca_dir) {
355 ERRMEM;
356 return -1;
357 }
358 } else {
359 opts->ca_dir = NULL;
360 }
361
362 opts->tls_ctx_change = 1;
363
364 return 0;
365}
366
367API int
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]368nc_client_tls_set_trusted_ca_paths(const char *ca_file, const char *ca_dir)
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]369{
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]370 return _nc_client_tls_set_trusted_ca_paths(ca_file, ca_dir, &tls_opts);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]371}
372
373API int
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]374nc_client_tls_ch_set_trusted_ca_paths(const char *ca_file, const char *ca_dir)
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]375{
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]376 return _nc_client_tls_set_trusted_ca_paths(ca_file, ca_dir, &tls_ch_opts);
377}
378
379static void
380_nc_client_tls_get_trusted_ca_paths(const char **ca_file, const char **ca_dir, struct nc_client_tls_opts *opts)
381{
382 if (!ca_file && !ca_dir) {
roman40672412023-05-04 11:10:22 +0200[diff] [blame]383 ERRARG(NULL, "ca_file and ca_dir");
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]384 return;
385 }
386
387 if (ca_file) {
388 *ca_file = opts->ca_file;
389 }
390 if (ca_dir) {
391 *ca_dir = opts->ca_dir;
392 }
393}
394
395API void
396nc_client_tls_get_trusted_ca_paths(const char **ca_file, const char **ca_dir)
397{
398 _nc_client_tls_get_trusted_ca_paths(ca_file, ca_dir, &tls_opts);
399}
400
401API void
402nc_client_tls_ch_get_trusted_ca_paths(const char **ca_file, const char **ca_dir)
403{
404 _nc_client_tls_get_trusted_ca_paths(ca_file, ca_dir, &tls_ch_opts);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]405}
406
407static int
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]408_nc_client_tls_set_crl_paths(const char *crl_file, const char *crl_dir, struct nc_client_tls_opts *opts)
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]409{
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]410 if (!crl_file && !crl_dir) {
roman40672412023-05-04 11:10:22 +0200[diff] [blame]411 ERRARG(NULL, "crl_file and crl_dir");
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]412 return -1;
413 }
414
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]415 free(opts->crl_file);
416 free(opts->crl_dir);
417
418 if (crl_file) {
419 opts->crl_file = strdup(crl_file);
420 if (!opts->crl_file) {
421 ERRMEM;
422 return -1;
423 }
424 } else {
425 opts->crl_file = NULL;
426 }
427
428 if (crl_dir) {
429 opts->crl_dir = strdup(crl_dir);
430 if (!opts->crl_dir) {
431 ERRMEM;
432 return -1;
433 }
434 } else {
435 opts->crl_dir = NULL;
436 }
437
438 opts->crl_store_change = 1;
439
440 return 0;
441}
442
443API int
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]444nc_client_tls_set_crl_paths(const char *crl_file, const char *crl_dir)
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]445{
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]446 return _nc_client_tls_set_crl_paths(crl_file, crl_dir, &tls_opts);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]447}
448
449API int
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]450nc_client_tls_ch_set_crl_paths(const char *crl_file, const char *crl_dir)
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]451{
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]452 return _nc_client_tls_set_crl_paths(crl_file, crl_dir, &tls_ch_opts);
453}
454
455static void
456_nc_client_tls_get_crl_paths(const char **crl_file, const char **crl_dir, struct nc_client_tls_opts *opts)
457{
458 if (!crl_file && !crl_dir) {
roman40672412023-05-04 11:10:22 +0200[diff] [blame]459 ERRARG(NULL, "crl_file and crl_dir");
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]460 return;
461 }
462
463 if (crl_file) {
464 *crl_file = opts->crl_file;
465 }
466 if (crl_dir) {
467 *crl_dir = opts->crl_dir;
468 }
469}
470
471API void
472nc_client_tls_get_crl_paths(const char **crl_file, const char **crl_dir)
473{
474 _nc_client_tls_get_crl_paths(crl_file, crl_dir, &tls_opts);
475}
476
477API void
478nc_client_tls_ch_get_crl_paths(const char **crl_file, const char **crl_dir)
479{
480 _nc_client_tls_get_crl_paths(crl_file, crl_dir, &tls_ch_opts);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]481}
482
483API int
484nc_client_tls_ch_add_bind_listen(const char *address, uint16_t port)
485{
Michal Vasko9d4cca52022-09-07 11:19:57 +0200[diff] [blame]486 return nc_client_ch_add_bind_listen(address, port, NULL, NC_TI_OPENSSL);
487}
488
489API int
490nc_client_tls_ch_add_bind_hostname_listen(const char *address, uint16_t port, const char *hostname)
491{
492 return nc_client_ch_add_bind_listen(address, port, hostname, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]493}
494
495API int
496nc_client_tls_ch_del_bind(const char *address, uint16_t port)
497{
498 return nc_client_ch_del_bind(address, port, NC_TI_OPENSSL);
499}
500
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]501static int
Michal Vasko55ce24a2022-09-07 09:24:43 +0200[diff] [blame]502nc_client_tls_update_opts(struct nc_client_tls_opts *opts, const char *peername)
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]503{
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]504 int rc = 0;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]505 char *key;
506 X509_LOOKUP *lookup;
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]507 X509_VERIFY_PARAM *vpm = NULL;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]508
509 if (!opts->tls_ctx || opts->tls_ctx_change) {
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]510 SSL_CTX_free(opts->tls_ctx);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]511
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]512#if OPENSSL_VERSION_NUMBER >= 0x10100000L // >= 1.1.0
513 /* prepare global SSL context, highest available method is negotiated autmatically */
514 if (!(opts->tls_ctx = SSL_CTX_new(TLS_client_method())))
515#else
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]516 /* prepare global SSL context, allow only mandatory TLS 1.2 */
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]517 if (!(opts->tls_ctx = SSL_CTX_new(TLSv1_2_client_method())))
518#endif
519 {
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]520 ERR(NULL, "Unable to create OpenSSL context (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]521 rc = -1;
522 goto cleanup;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]523 }
524 SSL_CTX_set_verify(opts->tls_ctx, SSL_VERIFY_PEER, tlsauth_verify_callback);
525
526 /* get peer certificate */
527 if (SSL_CTX_use_certificate_file(opts->tls_ctx, opts->cert_path, SSL_FILETYPE_PEM) != 1) {
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]528 ERR(NULL, "Loading the client certificate from \'%s\' failed (%s).", opts->cert_path,
529 ERR_reason_error_string(ERR_get_error()));
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]530 rc = -1;
531 goto cleanup;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]532 }
533
534 /* if the file with private key not specified, expect that the private key is stored with the certificate */
535 if (!opts->key_path) {
536 key = opts->cert_path;
537 } else {
538 key = opts->key_path;
539 }
540 if (SSL_CTX_use_PrivateKey_file(opts->tls_ctx, key, SSL_FILETYPE_PEM) != 1) {
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]541 ERR(NULL, "Loading the client private key from \'%s\' failed (%s).", key,
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]542 ERR_reason_error_string(ERR_get_error()));
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]543 rc = -1;
544 goto cleanup;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]545 }
546
547 if (!SSL_CTX_load_verify_locations(opts->tls_ctx, opts->ca_file, opts->ca_dir)) {
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]548 ERR(NULL, "Failed to load the locations of trusted CA certificates (%s).",
549 ERR_reason_error_string(ERR_get_error()));
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]550 rc = -1;
551 goto cleanup;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]552 }
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]553
554#if OPENSSL_VERSION_NUMBER >= 0x10100000L // >= 1.1.0
Michal Vasko55ce24a2022-09-07 09:24:43 +0200[diff] [blame]555 if (peername) {
556 /* server identity (hostname) verification */
557 vpm = X509_VERIFY_PARAM_new();
558 if (!X509_VERIFY_PARAM_set1_host(vpm, peername, 0)) {
559 ERR(NULL, "Failed to set expected server hostname (%s).", ERR_reason_error_string(ERR_get_error()));
560 rc = -1;
561 goto cleanup;
562 }
563 if (!SSL_CTX_set1_param(opts->tls_ctx, vpm)) {
564 ERR(NULL, "Failed to set verify params (%s).", ERR_reason_error_string(ERR_get_error()));
565 rc = -1;
566 goto cleanup;
567 }
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]568 }
569#endif
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]570 }
571
572 if (opts->crl_store_change || (!opts->crl_store && (opts->crl_file || opts->crl_dir))) {
573 /* set the revocation store with the correct paths for the callback */
574 X509_STORE_free(opts->crl_store);
575
576 opts->crl_store = X509_STORE_new();
577 if (!opts->crl_store) {
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]578 ERR(NULL, "Unable to create a certificate store (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]579 rc = -1;
580 goto cleanup;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]581 }
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]582
583#if OPENSSL_VERSION_NUMBER < 0x10100000L // < 1.1.0
584 /* whaveter this does... */
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]585 opts->crl_store->cache = 0;
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]586#endif
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]587
588 if (opts->crl_file) {
589 if (!(lookup = X509_STORE_add_lookup(opts->crl_store, X509_LOOKUP_file()))) {
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]590 ERR(NULL, "Failed to add lookup method to CRL checking.");
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]591 rc = -1;
592 goto cleanup;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]593 }
594 if (X509_LOOKUP_add_dir(lookup, opts->crl_file, X509_FILETYPE_PEM) != 1) {
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]595 ERR(NULL, "Failed to add the revocation lookup file \"%s\".", opts->crl_file);
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]596 rc = -1;
597 goto cleanup;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]598 }
599 }
600
601 if (opts->crl_dir) {
602 if (!(lookup = X509_STORE_add_lookup(opts->crl_store, X509_LOOKUP_hash_dir()))) {
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]603 ERR(NULL, "Failed to add lookup method to CRL checking.");
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]604 rc = -1;
605 goto cleanup;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]606 }
607 if (X509_LOOKUP_add_dir(lookup, opts->crl_dir, X509_FILETYPE_PEM) != 1) {
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]608 ERR(NULL, "Failed to add the revocation lookup directory \"%s\".", opts->crl_dir);
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]609 rc = -1;
610 goto cleanup;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]611 }
612 }
613 }
614
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]615cleanup:
616 X509_VERIFY_PARAM_free(vpm);
617 return rc;
618}
619
620static int
Michal Vaskoa82745b2022-09-07 11:48:12 +0200[diff] [blame]621nc_client_tls_connect_check(int connect_ret, SSL *tls, const char *peername)
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]622{
623 int verify;
624
625 /* check certificate verification result */
626 verify = SSL_get_verify_result(tls);
627 switch (verify) {
628 case X509_V_OK:
629 if (connect_ret == 1) {
Michal Vasko7ffcd142022-09-07 09:24:22 +0200[diff] [blame]630 VRB(NULL, "Server certificate verified (domain \"%s\").", peername);
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]631 }
632 break;
633 default:
634 ERR(NULL, "Server certificate error (%s).", X509_verify_cert_error_string(verify));
635 }
636
637 /* check TLS connection result */
638 if (connect_ret != 1) {
639 switch (SSL_get_error(tls, connect_ret)) {
640 case SSL_ERROR_SYSCALL:
Michal Vasko7ffcd142022-09-07 09:24:22 +0200[diff] [blame]641 ERR(NULL, "SSL connect to \"%s\" failed (%s).", peername, errno ? strerror(errno) : "unexpected EOF");
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]642 break;
643 case SSL_ERROR_SSL:
Michal Vasko7ffcd142022-09-07 09:24:22 +0200[diff] [blame]644 ERR(NULL, "SSL connect to \"%s\" failed (%s).", peername, ERR_reason_error_string(ERR_get_error()));
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]645 break;
646 default:
Michal Vasko7ffcd142022-09-07 09:24:22 +0200[diff] [blame]647 ERR(NULL, "SSL connect to \"%s\" failed.", peername);
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]648 break;
649 }
650 }
651
652 return connect_ret;
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]653}
654
655API struct nc_session *
Michal Vasko9bee18d2015-12-08 14:41:42 +0100[diff] [blame]656nc_connect_tls(const char *host, unsigned short port, struct ly_ctx *ctx)
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]657{
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]658 struct nc_session *session = NULL;
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]659 int sock, ret;
roman6ece9c52022-06-22 09:29:17 +0200[diff] [blame]660 struct timespec ts_timeout;
Michal Vasko66032bc2019-01-22 15:03:12 +0100[diff] [blame]661 char *ip_host = NULL;
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]662
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]663 if (!tls_opts.cert_path || (!tls_opts.ca_file && !tls_opts.ca_dir)) {
Michal Vasko45e53ae2016-04-07 11:46:03 +0200[diff] [blame]664 ERRINIT;
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]665 return NULL;
666 }
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]667
668 /* process parameters */
669 if (!host || strisempty(host)) {
670 host = "localhost";
671 }
672
673 if (!port) {
674 port = NC_PORT_TLS;
675 }
676
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]677 /* create/update TLS structures */
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]678 if (nc_client_tls_update_opts(&tls_opts, host)) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]679 return NULL;
680 }
681
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]682 /* prepare session structure */
Michal Vasko131120a2018-05-29 15:44:02 +0200[diff] [blame]683 session = nc_new_session(NC_CLIENT, 0);
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]684 if (!session) {
Michal Vasko9e2d3a32015-11-10 13:09:18 +0100[diff] [blame]685 ERRMEM;
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]686 return NULL;
687 }
Michal Vasko9e2d3a32015-11-10 13:09:18 +0100[diff] [blame]688 session->status = NC_STATUS_STARTING;
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]689
690 /* fill the session */
Michal Vasko9e2d3a32015-11-10 13:09:18 +0100[diff] [blame]691 session->ti_type = NC_TI_OPENSSL;
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]692 if (!(session->ti.tls = SSL_new(tls_opts.tls_ctx))) {
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]693 ERR(NULL, "Failed to create a new TLS session structure (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]694 goto fail;
695 }
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]696
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]697 /* create and assign socket */
Michal Vaskoe49a15f2019-05-27 14:18:36 +0200[diff] [blame]698 sock = nc_sock_connect(host, port, -1, &client_opts.ka, NULL, &ip_host);
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]699 if (sock == -1) {
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]700 ERR(NULL, "Unable to connect to %s:%u (%s).", host, port, strerror(errno));
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]701 goto fail;
702 }
703 SSL_set_fd(session->ti.tls, sock);
704
705 /* set the SSL_MODE_AUTO_RETRY flag to allow OpenSSL perform re-handshake automatically */
706 SSL_set_mode(session->ti.tls, SSL_MODE_AUTO_RETRY);
707
708 /* connect and perform the handshake */
Michal Vaskod8a74192023-02-06 15:51:50 +0100[diff] [blame]709 nc_timeouttime_get(&ts_timeout, NC_TRANSPORT_TIMEOUT);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]710 tlsauth_ch = 0;
Michal Vaskod51a2642021-09-03 13:03:24 +0200[diff] [blame]711 while (((ret = SSL_connect(session->ti.tls)) != 1) && (SSL_get_error(session->ti.tls, ret) == SSL_ERROR_WANT_READ)) {
Michal Vasko0190bc32016-03-02 15:47:49 +0100[diff] [blame]712 usleep(NC_TIMEOUT_STEP);
Michal Vaskod8a74192023-02-06 15:51:50 +0100[diff] [blame]713 if (nc_timeouttime_cur_diff(&ts_timeout) < 1) {
Michal Vasko7ffcd142022-09-07 09:24:22 +0200[diff] [blame]714 ERR(NULL, "SSL connect timeout.");
Michal Vasko0190bc32016-03-02 15:47:49 +0100[diff] [blame]715 goto fail;
716 }
717 }
Michal Vasko3cd55a72022-09-06 15:52:39 +0200[diff] [blame]718
719 /* check for errors */
Michal Vaskoa82745b2022-09-07 11:48:12 +0200[diff] [blame]720 if (nc_client_tls_connect_check(ret, session->ti.tls, host) != 1) {
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]721 goto fail;
722 }
723
Michal Vasko78939072022-12-12 07:43:18 +0100[diff] [blame]724 if (nc_client_session_new_ctx(session, ctx) != EXIT_SUCCESS) {
Radek Krejcifd5b6682017-06-13 15:52:53 +0200[diff] [blame]725 goto fail;
Michal Vasko9e2d3a32015-11-10 13:09:18 +0100[diff] [blame]726 }
Radek Krejcifd5b6682017-06-13 15:52:53 +0200[diff] [blame]727 ctx = session->ctx;
Michal Vasko9e2d3a32015-11-10 13:09:18 +0100[diff] [blame]728
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]729 /* NETCONF handshake */
Michal Vasko131120a2018-05-29 15:44:02 +0200[diff] [blame]730 if (nc_handshake_io(session) != NC_MSG_HELLO) {
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]731 goto fail;
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]732 }
Michal Vaskoad611702015-12-03 13:41:51 +0100[diff] [blame]733 session->status = NC_STATUS_RUNNING;
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]734
Michal Vaskoef578332016-01-25 13:20:09 +0100[diff] [blame]735 if (nc_ctx_check_and_fill(session) == -1) {
Michal Vasko57eb9402015-12-08 14:38:12 +0100[diff] [blame]736 goto fail;
Michal Vasko9e2d3a32015-11-10 13:09:18 +0100[diff] [blame]737 }
738
739 /* store information into session and the dictionary */
Michal Vasko93224072021-11-09 12:14:28 +0100[diff] [blame]740 session->host = ip_host;
Michal Vasko9e2d3a32015-11-10 13:09:18 +0100[diff] [blame]741 session->port = port;
Michal Vasko93224072021-11-09 12:14:28 +0100[diff] [blame]742 session->username = strdup("certificate-based");
Michal Vasko9e2d3a32015-11-10 13:09:18 +0100[diff] [blame]743
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]744 return session;
745
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]746fail:
Michal Vasko66032bc2019-01-22 15:03:12 +0100[diff] [blame]747 free(ip_host);
Michal Vaskoe1a64ec2016-03-01 12:21:58 +0100[diff] [blame]748 nc_session_free(session, NULL);
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]749 return NULL;
750}
751
752API struct nc_session *
753nc_connect_libssl(SSL *tls, struct ly_ctx *ctx)
754{
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]755 struct nc_session *session;
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]756
roman40672412023-05-04 11:10:22 +0200[diff] [blame]757 NC_CHECK_ARG_RET(NULL, tls, NULL);
758
759 if (!SSL_is_init_finished(tls)) {
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]760 ERR(NULL, "Supplied TLS session is not fully connected!");
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]761 return NULL;
762 }
763
764 /* prepare session structure */
Michal Vasko131120a2018-05-29 15:44:02 +0200[diff] [blame]765 session = nc_new_session(NC_CLIENT, 0);
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]766 if (!session) {
Michal Vasko9e2d3a32015-11-10 13:09:18 +0100[diff] [blame]767 ERRMEM;
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]768 return NULL;
769 }
Michal Vasko9e2d3a32015-11-10 13:09:18 +0100[diff] [blame]770 session->status = NC_STATUS_STARTING;
Michal Vasko9e2d3a32015-11-10 13:09:18 +0100[diff] [blame]771 session->ti_type = NC_TI_OPENSSL;
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]772 session->ti.tls = tls;
773
Michal Vasko78939072022-12-12 07:43:18 +0100[diff] [blame]774 if (nc_client_session_new_ctx(session, ctx) != EXIT_SUCCESS) {
Radek Krejcifd5b6682017-06-13 15:52:53 +0200[diff] [blame]775 goto fail;
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]776 }
Radek Krejcifd5b6682017-06-13 15:52:53 +0200[diff] [blame]777 ctx = session->ctx;
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]778
779 /* NETCONF handshake */
Michal Vasko131120a2018-05-29 15:44:02 +0200[diff] [blame]780 if (nc_handshake_io(session) != NC_MSG_HELLO) {
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]781 goto fail;
782 }
Michal Vaskoad611702015-12-03 13:41:51 +0100[diff] [blame]783 session->status = NC_STATUS_RUNNING;
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]784
Michal Vaskoef578332016-01-25 13:20:09 +0100[diff] [blame]785 if (nc_ctx_check_and_fill(session) == -1) {
Michal Vasko57eb9402015-12-08 14:38:12 +0100[diff] [blame]786 goto fail;
Michal Vasko9e2d3a32015-11-10 13:09:18 +0100[diff] [blame]787 }
788
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]789 return session;
790
791fail:
Michal Vaskob604ed52022-01-24 09:56:14 +0100[diff] [blame]792 session->ti_type = NC_TI_NONE;
Michal Vaskoa42a7f02021-07-02 08:43:12 +0200[diff] [blame]793 session->ti.tls = NULL;
Michal Vaskoe1a64ec2016-03-01 12:21:58 +0100[diff] [blame]794 nc_session_free(session, NULL);
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]795 return NULL;
796}
797
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]798struct nc_session *
Michal Vasko9d4cca52022-09-07 11:19:57 +0200[diff] [blame]799nc_accept_callhome_tls_sock(int sock, const char *host, uint16_t port, struct ly_ctx *ctx, int timeout, const char *peername)
Michal Vasko80cad7f2015-12-08 14:42:27 +0100[diff] [blame]800{
Michal Vasko3cd55a72022-09-06 15:52:39 +0200[diff] [blame]801 int ret;
Michal Vaskoc64c38c2021-07-02 08:43:53 +0200[diff] [blame]802 SSL *tls = NULL;
803 struct nc_session *session = NULL;
roman6ece9c52022-06-22 09:29:17 +0200[diff] [blame]804 struct timespec ts_timeout;
Michal Vasko80cad7f2015-12-08 14:42:27 +0100[diff] [blame]805
Michal Vasko9d4cca52022-09-07 11:19:57 +0200[diff] [blame]806 /* create/update TLS structures with explicit expected peername, if any set, the host is just the IP */
807 if (nc_client_tls_update_opts(&tls_ch_opts, peername)) {
Michal Vaskoc64c38c2021-07-02 08:43:53 +0200[diff] [blame]808 goto cleanup;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]809 }
810
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]811 if (!(tls = SSL_new(tls_ch_opts.tls_ctx))) {
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]812 ERR(NULL, "Failed to create new TLS session structure (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc64c38c2021-07-02 08:43:53 +0200[diff] [blame]813 goto cleanup;
Michal Vasko80cad7f2015-12-08 14:42:27 +0100[diff] [blame]814 }
815
816 SSL_set_fd(tls, sock);
817
818 /* set the SSL_MODE_AUTO_RETRY flag to allow OpenSSL perform re-handshake automatically */
819 SSL_set_mode(tls, SSL_MODE_AUTO_RETRY);
820
821 /* connect and perform the handshake */
Michal Vasko36c7be82017-02-22 13:37:59 +0100[diff] [blame]822 if (timeout > -1) {
Michal Vaskod8a74192023-02-06 15:51:50 +0100[diff] [blame]823 nc_timeouttime_get(&ts_timeout, timeout);
Michal Vasko36c7be82017-02-22 13:37:59 +0100[diff] [blame]824 }
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]825 tlsauth_ch = 1;
Michal Vasko0190bc32016-03-02 15:47:49 +0100[diff] [blame]826 while (((ret = SSL_connect(tls)) == -1) && (SSL_get_error(tls, ret) == SSL_ERROR_WANT_READ)) {
827 usleep(NC_TIMEOUT_STEP);
Michal Vaskod8a74192023-02-06 15:51:50 +0100[diff] [blame]828 if ((timeout > -1) && (nc_timeouttime_cur_diff(&ts_timeout) < 1)) {
Michal Vasko7ffcd142022-09-07 09:24:22 +0200[diff] [blame]829 ERR(NULL, "SSL connect timeout.");
roman6ece9c52022-06-22 09:29:17 +0200[diff] [blame]830 goto cleanup;
Michal Vasko0190bc32016-03-02 15:47:49 +0100[diff] [blame]831 }
832 }
Michal Vasko80cad7f2015-12-08 14:42:27 +0100[diff] [blame]833
Michal Vasko3cd55a72022-09-06 15:52:39 +0200[diff] [blame]834 /* check for errors */
Michal Vaskoa82745b2022-09-07 11:48:12 +0200[diff] [blame]835 if (nc_client_tls_connect_check(ret, tls, peername ? peername : host) != 1) {
Michal Vasko3cd55a72022-09-06 15:52:39 +0200[diff] [blame]836 goto cleanup;
Michal Vasko80cad7f2015-12-08 14:42:27 +0100[diff] [blame]837 }
838
Michal Vaskoc64c38c2021-07-02 08:43:53 +0200[diff] [blame]839 /* connect */
Michal Vasko80cad7f2015-12-08 14:42:27 +0100[diff] [blame]840 session = nc_connect_libssl(tls, ctx);
Michal Vaskoc64c38c2021-07-02 08:43:53 +0200[diff] [blame]841 if (!session) {
842 goto cleanup;
Michal Vasko80cad7f2015-12-08 14:42:27 +0100[diff] [blame]843 }
844
Michal Vaskoc64c38c2021-07-02 08:43:53 +0200[diff] [blame]845 session->flags |= NC_SESSION_CALLHOME;
846
847 /* store information into session and the dictionary */
Michal Vasko93224072021-11-09 12:14:28 +0100[diff] [blame]848 session->host = strdup(host);
Michal Vaskoc64c38c2021-07-02 08:43:53 +0200[diff] [blame]849 session->port = port;
Michal Vasko93224072021-11-09 12:14:28 +0100[diff] [blame]850 session->username = strdup("certificate-based");
Michal Vaskoc64c38c2021-07-02 08:43:53 +0200[diff] [blame]851
852cleanup:
853 if (!session) {
854 SSL_free(tls);
855 close(sock);
856 }
Michal Vasko80cad7f2015-12-08 14:42:27 +0100[diff] [blame]857 return session;
858}