Gitiles
Code Review Sign In
gerrit.cesnet.cz / github / CESNET / libnetconf2 / 3f9b65c25c7cd628bf4418ebe153e3b3e84e0c59 / . / src / session_client_tls.c
blob: 26b22e4200efce3791bf6c41837dd1b8bf6c3e56 [file] [log] [blame]
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]1/**
Michal Vasko95ea9ff2021-11-09 12:29:14 +0100[diff] [blame]2 * @file session_client_tls.c
3 * @author Radek Krejci <rkrejci@cesnet.cz>
4 * @author Michal Vasko <mvasko@cesnet.cz>
5 * @brief libnetconf2 - TLS specific session client transport functions
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]6 *
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]7 * This source is compiled only with libssl.
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]8 *
Michal Vasko95ea9ff2021-11-09 12:29:14 +0100[diff] [blame]9 * @copyright
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]10 * Copyright (c) 2015 CESNET, z.s.p.o.
11 *
Radek Krejci9b81f5b2016-02-24 13:14:49 +0100[diff] [blame]12 * This source code is licensed under BSD 3-Clause License (the "License").
13 * You may not use this file except in compliance with the License.
14 * You may obtain a copy of the License at
Michal Vaskoafd416b2016-02-25 14:51:46 +0100[diff] [blame]15 *
Radek Krejci9b81f5b2016-02-24 13:14:49 +0100[diff] [blame]16 * https://opensource.org/licenses/BSD-3-Clause
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]17 */
18
Michal Vaskoba9f3582023-02-22 10:26:32 +0100[diff] [blame]19#define _GNU_SOURCE /* pthread_rwlock_t, strdup */
20
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]21#include <assert.h>
22#include <errno.h>
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]23#include <string.h>
24#include <unistd.h>
25
26#include <libyang/libyang.h>
Michal Vasko086311b2016-01-08 09:53:11 +0100[diff] [blame]27#include <openssl/err.h>
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200[diff] [blame]28#include <openssl/ossl_typ.h>
Michal Vaskodae48322016-02-25 14:49:48 +0100[diff] [blame]29#include <openssl/x509.h>
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]30
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame^]31#include "config.h"
32#include "log_p.h"
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]33#include "session_client.h"
34#include "session_client_ch.h"
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame^]35#include "session_p.h"
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]36
Rosen Penev4f552d62019-06-26 16:10:43 -0700[diff] [blame]37#if OPENSSL_VERSION_NUMBER < 0x10100000L
38#define X509_STORE_CTX_get_by_subject X509_STORE_get_by_subject
39#endif
40
Radek Krejci62aa0642017-05-25 16:33:49 +0200[diff] [blame]41struct nc_client_context *nc_client_context_location(void);
42
43#define client_opts nc_client_context_location()->opts
44#define tls_opts nc_client_context_location()->tls_opts
45#define tls_ch_opts nc_client_context_location()->tls_ch_opts
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]46
47static int tlsauth_ch;
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]48
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]49#if OPENSSL_VERSION_NUMBER >= 0x10100000L // >= 1.1.0
50
51static int
52tlsauth_verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
53{
54 X509_STORE_CTX *store_ctx;
55 X509_OBJECT *obj;
56 X509_NAME *subject, *issuer;
57 X509 *cert;
58 X509_CRL *crl;
59 X509_REVOKED *revoked;
60 EVP_PKEY *pubkey;
61 int i, n, rc;
62 const ASN1_TIME *next_update = NULL;
63 struct nc_client_tls_opts *opts;
64
65 if (!preverify_ok) {
66 return 0;
67 }
68
69 opts = (tlsauth_ch ? &tls_ch_opts : &tls_opts);
70
71 if (!opts->crl_store) {
72 /* nothing to check */
73 return 1;
74 }
75
76 cert = X509_STORE_CTX_get_current_cert(x509_ctx);
77 subject = X509_get_subject_name(cert);
78 issuer = X509_get_issuer_name(cert);
79
80 /* try to retrieve a CRL corresponding to the _subject_ of
81 * the current certificate in order to verify it's integrity */
82 store_ctx = X509_STORE_CTX_new();
83 obj = X509_OBJECT_new();
84 X509_STORE_CTX_init(store_ctx, opts->crl_store, NULL, NULL);
Rosen Penev4f552d62019-06-26 16:10:43 -0700[diff] [blame]85 rc = X509_STORE_CTX_get_by_subject(store_ctx, X509_LU_CRL, subject, obj);
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]86 X509_STORE_CTX_free(store_ctx);
87 crl = X509_OBJECT_get0_X509_CRL(obj);
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200[diff] [blame]88 if ((rc > 0) && crl) {
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]89 next_update = X509_CRL_get0_nextUpdate(crl);
90
91 /* verify the signature on this CRL */
92 pubkey = X509_get_pubkey(cert);
93 if (X509_CRL_verify(crl, pubkey) <= 0) {
94 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE);
95 X509_OBJECT_free(obj);
96 if (pubkey) {
97 EVP_PKEY_free(pubkey);
98 }
99 return 0; /* fail */
100 }
101 if (pubkey) {
102 EVP_PKEY_free(pubkey);
103 }
104
105 /* check date of CRL to make sure it's not expired */
106 if (!next_update) {
107 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD);
108 X509_OBJECT_free(obj);
109 return 0; /* fail */
110 }
111 if (X509_cmp_current_time(next_update) < 0) {
112 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CRL_HAS_EXPIRED);
113 X509_OBJECT_free(obj);
114 return 0; /* fail */
115 }
116 X509_OBJECT_free(obj);
117 }
118
119 /* try to retrieve a CRL corresponding to the _issuer_ of
120 * the current certificate in order to check for revocation */
121 store_ctx = X509_STORE_CTX_new();
122 obj = X509_OBJECT_new();
123 X509_STORE_CTX_init(store_ctx, opts->crl_store, NULL, NULL);
Rosen Penev4f552d62019-06-26 16:10:43 -0700[diff] [blame]124 rc = X509_STORE_CTX_get_by_subject(store_ctx, X509_LU_CRL, issuer, obj);
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]125 X509_STORE_CTX_free(store_ctx);
126 crl = X509_OBJECT_get0_X509_CRL(obj);
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200[diff] [blame]127 if ((rc > 0) && crl) {
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]128 /* check if the current certificate is revoked by this CRL */
129 n = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl));
130 for (i = 0; i < n; i++) {
131 revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
132 if (ASN1_INTEGER_cmp(X509_REVOKED_get0_serialNumber(revoked), X509_get_serialNumber(cert)) == 0) {
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]133 ERR(NULL, "Certificate revoked!");
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]134 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CERT_REVOKED);
135 X509_OBJECT_free(obj);
136 return 0; /* fail */
137 }
138 }
139 X509_OBJECT_free(obj);
140 }
141
142 return 1; /* success */
143}
144
145#else
146
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]147static int
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]148tlsauth_verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]149{
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]150 X509_STORE_CTX store_ctx;
151 X509_OBJECT obj;
152 X509_NAME *subject, *issuer;
153 X509 *cert;
154 X509_CRL *crl;
155 X509_REVOKED *revoked;
156 EVP_PKEY *pubkey;
157 int i, n, rc;
158 ASN1_TIME *next_update = NULL;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]159 struct nc_client_tls_opts *opts;
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]160
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]161 if (!preverify_ok) {
162 return 0;
163 }
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]164
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]165 opts = (tlsauth_ch ? &tls_ch_opts : &tls_opts);
166
167 if (!opts->crl_store) {
168 /* nothing to check */
169 return 1;
170 }
171
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]172 cert = X509_STORE_CTX_get_current_cert(x509_ctx);
173 subject = X509_get_subject_name(cert);
174 issuer = X509_get_issuer_name(cert);
175
176 /* try to retrieve a CRL corresponding to the _subject_ of
177 * the current certificate in order to verify it's integrity */
178 memset((char *)&obj, 0, sizeof obj);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]179 X509_STORE_CTX_init(&store_ctx, opts->crl_store, NULL, NULL);
Rosen Penev4f552d62019-06-26 16:10:43 -0700[diff] [blame]180 rc = X509_STORE_CTX_get_by_subject(&store_ctx, X509_LU_CRL, subject, &obj);
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]181 X509_STORE_CTX_cleanup(&store_ctx);
182 crl = obj.data.crl;
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200[diff] [blame]183 if ((rc > 0) && crl) {
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]184 next_update = X509_CRL_get_nextUpdate(crl);
185
186 /* verify the signature on this CRL */
187 pubkey = X509_get_pubkey(cert);
188 if (X509_CRL_verify(crl, pubkey) <= 0) {
189 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE);
190 X509_OBJECT_free_contents(&obj);
191 if (pubkey) {
192 EVP_PKEY_free(pubkey);
193 }
194 return 0; /* fail */
195 }
196 if (pubkey) {
197 EVP_PKEY_free(pubkey);
198 }
199
200 /* check date of CRL to make sure it's not expired */
201 if (!next_update) {
202 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD);
203 X509_OBJECT_free_contents(&obj);
204 return 0; /* fail */
205 }
206 if (X509_cmp_current_time(next_update) < 0) {
207 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CRL_HAS_EXPIRED);
208 X509_OBJECT_free_contents(&obj);
209 return 0; /* fail */
210 }
211 X509_OBJECT_free_contents(&obj);
212 }
213
214 /* try to retrieve a CRL corresponding to the _issuer_ of
215 * the current certificate in order to check for revocation */
216 memset((char *)&obj, 0, sizeof obj);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]217 X509_STORE_CTX_init(&store_ctx, opts->crl_store, NULL, NULL);
Rosen Penev4f552d62019-06-26 16:10:43 -0700[diff] [blame]218 rc = X509_STORE_CTX_get_by_subject(&store_ctx, X509_LU_CRL, issuer, &obj);
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]219 X509_STORE_CTX_cleanup(&store_ctx);
220 crl = obj.data.crl;
Michal Vaskob83a3fa2021-05-26 09:53:42 +0200[diff] [blame]221 if ((rc > 0) && crl) {
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]222 /* check if the current certificate is revoked by this CRL */
223 n = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl));
224 for (i = 0; i < n; i++) {
225 revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
226 if (ASN1_INTEGER_cmp(revoked->serialNumber, X509_get_serialNumber(cert)) == 0) {
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]227 ERR(NULL, "Certificate revoked!");
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]228 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CERT_REVOKED);
229 X509_OBJECT_free_contents(&obj);
230 return 0; /* fail */
231 }
232 }
233 X509_OBJECT_free_contents(&obj);
234 }
235
236 return 1; /* success */
237}
238
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]239#endif
240
Kevin Barrettd37d2fb2019-08-28 14:25:34 -0400[diff] [blame]241void
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]242_nc_client_tls_destroy_opts(struct nc_client_tls_opts *opts)
243{
244 free(opts->cert_path);
245 free(opts->key_path);
246 free(opts->ca_file);
247 free(opts->ca_dir);
248 SSL_CTX_free(opts->tls_ctx);
249
250 free(opts->crl_file);
251 free(opts->crl_dir);
252 X509_STORE_free(opts->crl_store);
Radek Krejci5cebc6b2017-05-26 13:24:38 +0200[diff] [blame]253
254 memset(opts, 0, sizeof *opts);
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]255}
256
Michal Vaskob7558c52016-02-26 15:04:19 +0100[diff] [blame]257void
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]258nc_client_tls_destroy_opts(void)
259{
260 _nc_client_tls_destroy_opts(&tls_opts);
261 _nc_client_tls_destroy_opts(&tls_ch_opts);
262}
263
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]264static int
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]265_nc_client_tls_set_cert_key_paths(const char *client_cert, const char *client_key, struct nc_client_tls_opts *opts)
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]266{
roman40672412023-05-04 11:10:22 +0200[diff] [blame]267 NC_CHECK_ARG_RET(NULL, client_cert, -1);
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]268
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]269 free(opts->cert_path);
270 free(opts->key_path);
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]271
Michal Vasko9db2a6f2016-02-01 13:26:03 +0100[diff] [blame]272 opts->cert_path = strdup(client_cert);
273 if (!opts->cert_path) {
274 ERRMEM;
275 return -1;
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]276 }
277
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]278 if (client_key) {
279 opts->key_path = strdup(client_key);
Michal Vasko9db2a6f2016-02-01 13:26:03 +0100[diff] [blame]280 if (!opts->key_path) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]281 ERRMEM;
282 return -1;
283 }
284 } else {
285 opts->key_path = NULL;
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]286 }
287
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]288 opts->tls_ctx_change = 1;
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]289
Michal Vasko7f1c78b2016-01-19 09:52:14 +0100[diff] [blame]290 return 0;
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]291}
292
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]293API int
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]294nc_client_tls_set_cert_key_paths(const char *client_cert, const char *client_key)
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]295{
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]296 return _nc_client_tls_set_cert_key_paths(client_cert, client_key, &tls_opts);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]297}
298
299API int
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]300nc_client_tls_ch_set_cert_key_paths(const char *client_cert, const char *client_key)
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]301{
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]302 return _nc_client_tls_set_cert_key_paths(client_cert, client_key, &tls_ch_opts);
303}
304
305static void
306_nc_client_tls_get_cert_key_paths(const char **client_cert, const char **client_key, struct nc_client_tls_opts *opts)
307{
308 if (!client_cert && !client_key) {
roman40672412023-05-04 11:10:22 +0200[diff] [blame]309 ERRARG(NULL, "client_cert and client_key");
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]310 return;
311 }
312
313 if (client_cert) {
314 *client_cert = opts->cert_path;
315 }
316 if (client_key) {
317 *client_key = opts->key_path;
318 }
319}
320
321API void
322nc_client_tls_get_cert_key_paths(const char **client_cert, const char **client_key)
323{
324 _nc_client_tls_get_cert_key_paths(client_cert, client_key, &tls_opts);
325}
326
327API void
328nc_client_tls_ch_get_cert_key_paths(const char **client_cert, const char **client_key)
329{
330 _nc_client_tls_get_cert_key_paths(client_cert, client_key, &tls_ch_opts);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]331}
332
333static int
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]334_nc_client_tls_set_trusted_ca_paths(const char *ca_file, const char *ca_dir, struct nc_client_tls_opts *opts)
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]335{
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]336 if (!ca_file && !ca_dir) {
roman40672412023-05-04 11:10:22 +0200[diff] [blame]337 ERRARG(NULL, "ca_file and ca_dir");
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]338 return -1;
339 }
340
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]341 free(opts->ca_file);
342 free(opts->ca_dir);
343
344 if (ca_file) {
345 opts->ca_file = strdup(ca_file);
346 if (!opts->ca_file) {
347 ERRMEM;
348 return -1;
349 }
350 } else {
351 opts->ca_file = NULL;
352 }
353
354 if (ca_dir) {
355 opts->ca_dir = strdup(ca_dir);
356 if (!opts->ca_dir) {
357 ERRMEM;
358 return -1;
359 }
360 } else {
361 opts->ca_dir = NULL;
362 }
363
364 opts->tls_ctx_change = 1;
365
366 return 0;
367}
368
369API int
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]370nc_client_tls_set_trusted_ca_paths(const char *ca_file, const char *ca_dir)
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]371{
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]372 return _nc_client_tls_set_trusted_ca_paths(ca_file, ca_dir, &tls_opts);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]373}
374
375API int
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]376nc_client_tls_ch_set_trusted_ca_paths(const char *ca_file, const char *ca_dir)
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]377{
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]378 return _nc_client_tls_set_trusted_ca_paths(ca_file, ca_dir, &tls_ch_opts);
379}
380
381static void
382_nc_client_tls_get_trusted_ca_paths(const char **ca_file, const char **ca_dir, struct nc_client_tls_opts *opts)
383{
384 if (!ca_file && !ca_dir) {
roman40672412023-05-04 11:10:22 +0200[diff] [blame]385 ERRARG(NULL, "ca_file and ca_dir");
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]386 return;
387 }
388
389 if (ca_file) {
390 *ca_file = opts->ca_file;
391 }
392 if (ca_dir) {
393 *ca_dir = opts->ca_dir;
394 }
395}
396
397API void
398nc_client_tls_get_trusted_ca_paths(const char **ca_file, const char **ca_dir)
399{
400 _nc_client_tls_get_trusted_ca_paths(ca_file, ca_dir, &tls_opts);
401}
402
403API void
404nc_client_tls_ch_get_trusted_ca_paths(const char **ca_file, const char **ca_dir)
405{
406 _nc_client_tls_get_trusted_ca_paths(ca_file, ca_dir, &tls_ch_opts);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]407}
408
409static int
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]410_nc_client_tls_set_crl_paths(const char *crl_file, const char *crl_dir, struct nc_client_tls_opts *opts)
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]411{
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]412 if (!crl_file && !crl_dir) {
roman40672412023-05-04 11:10:22 +0200[diff] [blame]413 ERRARG(NULL, "crl_file and crl_dir");
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]414 return -1;
415 }
416
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]417 free(opts->crl_file);
418 free(opts->crl_dir);
419
420 if (crl_file) {
421 opts->crl_file = strdup(crl_file);
422 if (!opts->crl_file) {
423 ERRMEM;
424 return -1;
425 }
426 } else {
427 opts->crl_file = NULL;
428 }
429
430 if (crl_dir) {
431 opts->crl_dir = strdup(crl_dir);
432 if (!opts->crl_dir) {
433 ERRMEM;
434 return -1;
435 }
436 } else {
437 opts->crl_dir = NULL;
438 }
439
440 opts->crl_store_change = 1;
441
442 return 0;
443}
444
445API int
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]446nc_client_tls_set_crl_paths(const char *crl_file, const char *crl_dir)
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]447{
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]448 return _nc_client_tls_set_crl_paths(crl_file, crl_dir, &tls_opts);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]449}
450
451API int
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]452nc_client_tls_ch_set_crl_paths(const char *crl_file, const char *crl_dir)
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]453{
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]454 return _nc_client_tls_set_crl_paths(crl_file, crl_dir, &tls_ch_opts);
455}
456
457static void
458_nc_client_tls_get_crl_paths(const char **crl_file, const char **crl_dir, struct nc_client_tls_opts *opts)
459{
460 if (!crl_file && !crl_dir) {
roman40672412023-05-04 11:10:22 +0200[diff] [blame]461 ERRARG(NULL, "crl_file and crl_dir");
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]462 return;
463 }
464
465 if (crl_file) {
466 *crl_file = opts->crl_file;
467 }
468 if (crl_dir) {
469 *crl_dir = opts->crl_dir;
470 }
471}
472
473API void
474nc_client_tls_get_crl_paths(const char **crl_file, const char **crl_dir)
475{
476 _nc_client_tls_get_crl_paths(crl_file, crl_dir, &tls_opts);
477}
478
479API void
480nc_client_tls_ch_get_crl_paths(const char **crl_file, const char **crl_dir)
481{
482 _nc_client_tls_get_crl_paths(crl_file, crl_dir, &tls_ch_opts);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]483}
484
485API int
486nc_client_tls_ch_add_bind_listen(const char *address, uint16_t port)
487{
Michal Vasko9d4cca52022-09-07 11:19:57 +0200[diff] [blame]488 return nc_client_ch_add_bind_listen(address, port, NULL, NC_TI_OPENSSL);
489}
490
491API int
492nc_client_tls_ch_add_bind_hostname_listen(const char *address, uint16_t port, const char *hostname)
493{
494 return nc_client_ch_add_bind_listen(address, port, hostname, NC_TI_OPENSSL);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]495}
496
497API int
498nc_client_tls_ch_del_bind(const char *address, uint16_t port)
499{
500 return nc_client_ch_del_bind(address, port, NC_TI_OPENSSL);
501}
502
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]503static int
Michal Vasko55ce24a2022-09-07 09:24:43 +0200[diff] [blame]504nc_client_tls_update_opts(struct nc_client_tls_opts *opts, const char *peername)
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]505{
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]506 int rc = 0;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]507 char *key;
508 X509_LOOKUP *lookup;
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]509 X509_VERIFY_PARAM *vpm = NULL;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]510
511 if (!opts->tls_ctx || opts->tls_ctx_change) {
Michal Vaskoe22c6732016-01-29 11:03:02 +0100[diff] [blame]512 SSL_CTX_free(opts->tls_ctx);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]513
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]514#if OPENSSL_VERSION_NUMBER >= 0x10100000L // >= 1.1.0
515 /* prepare global SSL context, highest available method is negotiated autmatically */
516 if (!(opts->tls_ctx = SSL_CTX_new(TLS_client_method())))
517#else
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]518 /* prepare global SSL context, allow only mandatory TLS 1.2 */
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]519 if (!(opts->tls_ctx = SSL_CTX_new(TLSv1_2_client_method())))
520#endif
521 {
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]522 ERR(NULL, "Unable to create OpenSSL context (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]523 rc = -1;
524 goto cleanup;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]525 }
526 SSL_CTX_set_verify(opts->tls_ctx, SSL_VERIFY_PEER, tlsauth_verify_callback);
527
528 /* get peer certificate */
529 if (SSL_CTX_use_certificate_file(opts->tls_ctx, opts->cert_path, SSL_FILETYPE_PEM) != 1) {
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]530 ERR(NULL, "Loading the client certificate from \'%s\' failed (%s).", opts->cert_path,
531 ERR_reason_error_string(ERR_get_error()));
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]532 rc = -1;
533 goto cleanup;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]534 }
535
536 /* if the file with private key not specified, expect that the private key is stored with the certificate */
537 if (!opts->key_path) {
538 key = opts->cert_path;
539 } else {
540 key = opts->key_path;
541 }
542 if (SSL_CTX_use_PrivateKey_file(opts->tls_ctx, key, SSL_FILETYPE_PEM) != 1) {
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]543 ERR(NULL, "Loading the client private key from \'%s\' failed (%s).", key,
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]544 ERR_reason_error_string(ERR_get_error()));
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]545 rc = -1;
546 goto cleanup;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]547 }
548
549 if (!SSL_CTX_load_verify_locations(opts->tls_ctx, opts->ca_file, opts->ca_dir)) {
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]550 ERR(NULL, "Failed to load the locations of trusted CA certificates (%s).",
551 ERR_reason_error_string(ERR_get_error()));
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]552 rc = -1;
553 goto cleanup;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]554 }
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]555
556#if OPENSSL_VERSION_NUMBER >= 0x10100000L // >= 1.1.0
Michal Vasko55ce24a2022-09-07 09:24:43 +0200[diff] [blame]557 if (peername) {
558 /* server identity (hostname) verification */
559 vpm = X509_VERIFY_PARAM_new();
560 if (!X509_VERIFY_PARAM_set1_host(vpm, peername, 0)) {
561 ERR(NULL, "Failed to set expected server hostname (%s).", ERR_reason_error_string(ERR_get_error()));
562 rc = -1;
563 goto cleanup;
564 }
565 if (!SSL_CTX_set1_param(opts->tls_ctx, vpm)) {
566 ERR(NULL, "Failed to set verify params (%s).", ERR_reason_error_string(ERR_get_error()));
567 rc = -1;
568 goto cleanup;
569 }
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]570 }
571#endif
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]572 }
573
574 if (opts->crl_store_change || (!opts->crl_store && (opts->crl_file || opts->crl_dir))) {
575 /* set the revocation store with the correct paths for the callback */
576 X509_STORE_free(opts->crl_store);
577
578 opts->crl_store = X509_STORE_new();
579 if (!opts->crl_store) {
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]580 ERR(NULL, "Unable to create a certificate store (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]581 rc = -1;
582 goto cleanup;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]583 }
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]584
585#if OPENSSL_VERSION_NUMBER < 0x10100000L // < 1.1.0
586 /* whaveter this does... */
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]587 opts->crl_store->cache = 0;
Michal Vasko18aeb5d2017-02-17 09:23:56 +0100[diff] [blame]588#endif
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]589
590 if (opts->crl_file) {
591 if (!(lookup = X509_STORE_add_lookup(opts->crl_store, X509_LOOKUP_file()))) {
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]592 ERR(NULL, "Failed to add lookup method to CRL checking.");
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]593 rc = -1;
594 goto cleanup;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]595 }
596 if (X509_LOOKUP_add_dir(lookup, opts->crl_file, X509_FILETYPE_PEM) != 1) {
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]597 ERR(NULL, "Failed to add the revocation lookup file \"%s\".", opts->crl_file);
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]598 rc = -1;
599 goto cleanup;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]600 }
601 }
602
603 if (opts->crl_dir) {
604 if (!(lookup = X509_STORE_add_lookup(opts->crl_store, X509_LOOKUP_hash_dir()))) {
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]605 ERR(NULL, "Failed to add lookup method to CRL checking.");
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]606 rc = -1;
607 goto cleanup;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]608 }
609 if (X509_LOOKUP_add_dir(lookup, opts->crl_dir, X509_FILETYPE_PEM) != 1) {
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]610 ERR(NULL, "Failed to add the revocation lookup directory \"%s\".", opts->crl_dir);
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]611 rc = -1;
612 goto cleanup;
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]613 }
614 }
615 }
616
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]617cleanup:
618 X509_VERIFY_PARAM_free(vpm);
619 return rc;
620}
621
622static int
Michal Vaskoa82745b2022-09-07 11:48:12 +0200[diff] [blame]623nc_client_tls_connect_check(int connect_ret, SSL *tls, const char *peername)
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]624{
625 int verify;
626
627 /* check certificate verification result */
628 verify = SSL_get_verify_result(tls);
629 switch (verify) {
630 case X509_V_OK:
631 if (connect_ret == 1) {
Michal Vasko7ffcd142022-09-07 09:24:22 +0200[diff] [blame]632 VRB(NULL, "Server certificate verified (domain \"%s\").", peername);
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]633 }
634 break;
635 default:
636 ERR(NULL, "Server certificate error (%s).", X509_verify_cert_error_string(verify));
637 }
638
639 /* check TLS connection result */
640 if (connect_ret != 1) {
641 switch (SSL_get_error(tls, connect_ret)) {
642 case SSL_ERROR_SYSCALL:
Michal Vasko7ffcd142022-09-07 09:24:22 +0200[diff] [blame]643 ERR(NULL, "SSL connect to \"%s\" failed (%s).", peername, errno ? strerror(errno) : "unexpected EOF");
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]644 break;
645 case SSL_ERROR_SSL:
Michal Vasko7ffcd142022-09-07 09:24:22 +0200[diff] [blame]646 ERR(NULL, "SSL connect to \"%s\" failed (%s).", peername, ERR_reason_error_string(ERR_get_error()));
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]647 break;
648 default:
Michal Vasko7ffcd142022-09-07 09:24:22 +0200[diff] [blame]649 ERR(NULL, "SSL connect to \"%s\" failed.", peername);
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]650 break;
651 }
652 }
653
654 return connect_ret;
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]655}
656
657API struct nc_session *
Michal Vasko9bee18d2015-12-08 14:41:42 +0100[diff] [blame]658nc_connect_tls(const char *host, unsigned short port, struct ly_ctx *ctx)
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]659{
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]660 struct nc_session *session = NULL;
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]661 int sock, ret;
roman6ece9c52022-06-22 09:29:17 +0200[diff] [blame]662 struct timespec ts_timeout;
Michal Vasko66032bc2019-01-22 15:03:12 +0100[diff] [blame]663 char *ip_host = NULL;
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]664
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]665 if (!tls_opts.cert_path || (!tls_opts.ca_file && !tls_opts.ca_dir)) {
Michal Vasko45e53ae2016-04-07 11:46:03 +0200[diff] [blame]666 ERRINIT;
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]667 return NULL;
668 }
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]669
670 /* process parameters */
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame^]671 if (!host || (host[0] == '\0')) {
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]672 host = "localhost";
673 }
674
675 if (!port) {
676 port = NC_PORT_TLS;
677 }
678
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]679 /* create/update TLS structures */
Michal Vasko9af52322022-07-25 14:39:30 +0200[diff] [blame]680 if (nc_client_tls_update_opts(&tls_opts, host)) {
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]681 return NULL;
682 }
683
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]684 /* prepare session structure */
Michal Vasko131120a2018-05-29 15:44:02 +0200[diff] [blame]685 session = nc_new_session(NC_CLIENT, 0);
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]686 if (!session) {
Michal Vasko9e2d3a32015-11-10 13:09:18 +0100[diff] [blame]687 ERRMEM;
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]688 return NULL;
689 }
Michal Vasko9e2d3a32015-11-10 13:09:18 +0100[diff] [blame]690 session->status = NC_STATUS_STARTING;
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]691
692 /* fill the session */
Michal Vasko9e2d3a32015-11-10 13:09:18 +0100[diff] [blame]693 session->ti_type = NC_TI_OPENSSL;
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]694 if (!(session->ti.tls = SSL_new(tls_opts.tls_ctx))) {
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]695 ERR(NULL, "Failed to create a new TLS session structure (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]696 goto fail;
697 }
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]698
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]699 /* create and assign socket */
Michal Vaskoe49a15f2019-05-27 14:18:36 +0200[diff] [blame]700 sock = nc_sock_connect(host, port, -1, &client_opts.ka, NULL, &ip_host);
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]701 if (sock == -1) {
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]702 ERR(NULL, "Unable to connect to %s:%u (%s).", host, port, strerror(errno));
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]703 goto fail;
704 }
705 SSL_set_fd(session->ti.tls, sock);
706
707 /* set the SSL_MODE_AUTO_RETRY flag to allow OpenSSL perform re-handshake automatically */
708 SSL_set_mode(session->ti.tls, SSL_MODE_AUTO_RETRY);
709
710 /* connect and perform the handshake */
Michal Vaskod8a74192023-02-06 15:51:50 +0100[diff] [blame]711 nc_timeouttime_get(&ts_timeout, NC_TRANSPORT_TIMEOUT);
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]712 tlsauth_ch = 0;
Michal Vaskod51a2642021-09-03 13:03:24 +0200[diff] [blame]713 while (((ret = SSL_connect(session->ti.tls)) != 1) && (SSL_get_error(session->ti.tls, ret) == SSL_ERROR_WANT_READ)) {
Michal Vasko0190bc32016-03-02 15:47:49 +0100[diff] [blame]714 usleep(NC_TIMEOUT_STEP);
Michal Vaskod8a74192023-02-06 15:51:50 +0100[diff] [blame]715 if (nc_timeouttime_cur_diff(&ts_timeout) < 1) {
Michal Vasko7ffcd142022-09-07 09:24:22 +0200[diff] [blame]716 ERR(NULL, "SSL connect timeout.");
Michal Vasko0190bc32016-03-02 15:47:49 +0100[diff] [blame]717 goto fail;
718 }
719 }
Michal Vasko3cd55a72022-09-06 15:52:39 +0200[diff] [blame]720
721 /* check for errors */
Michal Vaskoa82745b2022-09-07 11:48:12 +0200[diff] [blame]722 if (nc_client_tls_connect_check(ret, session->ti.tls, host) != 1) {
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]723 goto fail;
724 }
725
Michal Vasko78939072022-12-12 07:43:18 +0100[diff] [blame]726 if (nc_client_session_new_ctx(session, ctx) != EXIT_SUCCESS) {
Radek Krejcifd5b6682017-06-13 15:52:53 +0200[diff] [blame]727 goto fail;
Michal Vasko9e2d3a32015-11-10 13:09:18 +0100[diff] [blame]728 }
Radek Krejcifd5b6682017-06-13 15:52:53 +0200[diff] [blame]729 ctx = session->ctx;
Michal Vasko9e2d3a32015-11-10 13:09:18 +0100[diff] [blame]730
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]731 /* NETCONF handshake */
Michal Vasko131120a2018-05-29 15:44:02 +0200[diff] [blame]732 if (nc_handshake_io(session) != NC_MSG_HELLO) {
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]733 goto fail;
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]734 }
Michal Vaskoad611702015-12-03 13:41:51 +0100[diff] [blame]735 session->status = NC_STATUS_RUNNING;
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]736
Michal Vaskoef578332016-01-25 13:20:09 +0100[diff] [blame]737 if (nc_ctx_check_and_fill(session) == -1) {
Michal Vasko57eb9402015-12-08 14:38:12 +0100[diff] [blame]738 goto fail;
Michal Vasko9e2d3a32015-11-10 13:09:18 +0100[diff] [blame]739 }
740
741 /* store information into session and the dictionary */
Michal Vasko93224072021-11-09 12:14:28 +0100[diff] [blame]742 session->host = ip_host;
Michal Vasko9e2d3a32015-11-10 13:09:18 +0100[diff] [blame]743 session->port = port;
Michal Vasko93224072021-11-09 12:14:28 +0100[diff] [blame]744 session->username = strdup("certificate-based");
Michal Vasko9e2d3a32015-11-10 13:09:18 +0100[diff] [blame]745
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]746 return session;
747
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]748fail:
Michal Vasko66032bc2019-01-22 15:03:12 +0100[diff] [blame]749 free(ip_host);
Michal Vaskoe1a64ec2016-03-01 12:21:58 +0100[diff] [blame]750 nc_session_free(session, NULL);
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]751 return NULL;
752}
753
754API struct nc_session *
755nc_connect_libssl(SSL *tls, struct ly_ctx *ctx)
756{
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]757 struct nc_session *session;
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]758
roman40672412023-05-04 11:10:22 +0200[diff] [blame]759 NC_CHECK_ARG_RET(NULL, tls, NULL);
760
761 if (!SSL_is_init_finished(tls)) {
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]762 ERR(NULL, "Supplied TLS session is not fully connected!");
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]763 return NULL;
764 }
765
766 /* prepare session structure */
Michal Vasko131120a2018-05-29 15:44:02 +0200[diff] [blame]767 session = nc_new_session(NC_CLIENT, 0);
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]768 if (!session) {
Michal Vasko9e2d3a32015-11-10 13:09:18 +0100[diff] [blame]769 ERRMEM;
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]770 return NULL;
771 }
Michal Vasko9e2d3a32015-11-10 13:09:18 +0100[diff] [blame]772 session->status = NC_STATUS_STARTING;
Michal Vasko9e2d3a32015-11-10 13:09:18 +0100[diff] [blame]773 session->ti_type = NC_TI_OPENSSL;
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]774 session->ti.tls = tls;
775
Michal Vasko78939072022-12-12 07:43:18 +0100[diff] [blame]776 if (nc_client_session_new_ctx(session, ctx) != EXIT_SUCCESS) {
Radek Krejcifd5b6682017-06-13 15:52:53 +0200[diff] [blame]777 goto fail;
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]778 }
Radek Krejcifd5b6682017-06-13 15:52:53 +0200[diff] [blame]779 ctx = session->ctx;
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]780
781 /* NETCONF handshake */
Michal Vasko131120a2018-05-29 15:44:02 +0200[diff] [blame]782 if (nc_handshake_io(session) != NC_MSG_HELLO) {
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]783 goto fail;
784 }
Michal Vaskoad611702015-12-03 13:41:51 +0100[diff] [blame]785 session->status = NC_STATUS_RUNNING;
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]786
Michal Vaskoef578332016-01-25 13:20:09 +0100[diff] [blame]787 if (nc_ctx_check_and_fill(session) == -1) {
Michal Vasko57eb9402015-12-08 14:38:12 +0100[diff] [blame]788 goto fail;
Michal Vasko9e2d3a32015-11-10 13:09:18 +0100[diff] [blame]789 }
790
Michal Vasko11d4cdb2015-10-29 11:42:52 +0100[diff] [blame]791 return session;
792
793fail:
Michal Vaskob604ed52022-01-24 09:56:14 +0100[diff] [blame]794 session->ti_type = NC_TI_NONE;
Michal Vaskoa42a7f02021-07-02 08:43:12 +0200[diff] [blame]795 session->ti.tls = NULL;
Michal Vaskoe1a64ec2016-03-01 12:21:58 +0100[diff] [blame]796 nc_session_free(session, NULL);
Radek Krejci9f03b482015-10-22 16:02:10 +0200[diff] [blame]797 return NULL;
798}
799
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]800struct nc_session *
Michal Vasko9d4cca52022-09-07 11:19:57 +0200[diff] [blame]801nc_accept_callhome_tls_sock(int sock, const char *host, uint16_t port, struct ly_ctx *ctx, int timeout, const char *peername)
Michal Vasko80cad7f2015-12-08 14:42:27 +0100[diff] [blame]802{
Michal Vasko3cd55a72022-09-06 15:52:39 +0200[diff] [blame]803 int ret;
Michal Vaskoc64c38c2021-07-02 08:43:53 +0200[diff] [blame]804 SSL *tls = NULL;
805 struct nc_session *session = NULL;
roman6ece9c52022-06-22 09:29:17 +0200[diff] [blame]806 struct timespec ts_timeout;
Michal Vasko80cad7f2015-12-08 14:42:27 +0100[diff] [blame]807
Michal Vasko9d4cca52022-09-07 11:19:57 +0200[diff] [blame]808 /* create/update TLS structures with explicit expected peername, if any set, the host is just the IP */
809 if (nc_client_tls_update_opts(&tls_ch_opts, peername)) {
Michal Vaskoc64c38c2021-07-02 08:43:53 +0200[diff] [blame]810 goto cleanup;
Michal Vaskoc61c4492016-01-25 11:13:34 +0100[diff] [blame]811 }
812
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]813 if (!(tls = SSL_new(tls_ch_opts.tls_ctx))) {
Michal Vasko05532772021-06-03 12:12:38 +0200[diff] [blame]814 ERR(NULL, "Failed to create new TLS session structure (%s).", ERR_reason_error_string(ERR_get_error()));
Michal Vaskoc64c38c2021-07-02 08:43:53 +0200[diff] [blame]815 goto cleanup;
Michal Vasko80cad7f2015-12-08 14:42:27 +0100[diff] [blame]816 }
817
818 SSL_set_fd(tls, sock);
819
820 /* set the SSL_MODE_AUTO_RETRY flag to allow OpenSSL perform re-handshake automatically */
821 SSL_set_mode(tls, SSL_MODE_AUTO_RETRY);
822
823 /* connect and perform the handshake */
Michal Vasko36c7be82017-02-22 13:37:59 +0100[diff] [blame]824 if (timeout > -1) {
Michal Vaskod8a74192023-02-06 15:51:50 +0100[diff] [blame]825 nc_timeouttime_get(&ts_timeout, timeout);
Michal Vasko36c7be82017-02-22 13:37:59 +0100[diff] [blame]826 }
Michal Vasko3031aae2016-01-27 16:07:18 +0100[diff] [blame]827 tlsauth_ch = 1;
Michal Vasko0190bc32016-03-02 15:47:49 +0100[diff] [blame]828 while (((ret = SSL_connect(tls)) == -1) && (SSL_get_error(tls, ret) == SSL_ERROR_WANT_READ)) {
829 usleep(NC_TIMEOUT_STEP);
Michal Vaskod8a74192023-02-06 15:51:50 +0100[diff] [blame]830 if ((timeout > -1) && (nc_timeouttime_cur_diff(&ts_timeout) < 1)) {
Michal Vasko7ffcd142022-09-07 09:24:22 +0200[diff] [blame]831 ERR(NULL, "SSL connect timeout.");
roman6ece9c52022-06-22 09:29:17 +0200[diff] [blame]832 goto cleanup;
Michal Vasko0190bc32016-03-02 15:47:49 +0100[diff] [blame]833 }
834 }
Michal Vasko80cad7f2015-12-08 14:42:27 +0100[diff] [blame]835
Michal Vasko3cd55a72022-09-06 15:52:39 +0200[diff] [blame]836 /* check for errors */
Michal Vaskoa82745b2022-09-07 11:48:12 +0200[diff] [blame]837 if (nc_client_tls_connect_check(ret, tls, peername ? peername : host) != 1) {
Michal Vasko3cd55a72022-09-06 15:52:39 +0200[diff] [blame]838 goto cleanup;
Michal Vasko80cad7f2015-12-08 14:42:27 +0100[diff] [blame]839 }
840
Michal Vaskoc64c38c2021-07-02 08:43:53 +0200[diff] [blame]841 /* connect */
Michal Vasko80cad7f2015-12-08 14:42:27 +0100[diff] [blame]842 session = nc_connect_libssl(tls, ctx);
Michal Vaskoc64c38c2021-07-02 08:43:53 +0200[diff] [blame]843 if (!session) {
844 goto cleanup;
Michal Vasko80cad7f2015-12-08 14:42:27 +0100[diff] [blame]845 }
846
Michal Vaskoc64c38c2021-07-02 08:43:53 +0200[diff] [blame]847 session->flags |= NC_SESSION_CALLHOME;
848
849 /* store information into session and the dictionary */
Michal Vasko93224072021-11-09 12:14:28 +0100[diff] [blame]850 session->host = strdup(host);
Michal Vaskoc64c38c2021-07-02 08:43:53 +0200[diff] [blame]851 session->port = port;
Michal Vasko93224072021-11-09 12:14:28 +0100[diff] [blame]852 session->username = strdup("certificate-based");
Michal Vaskoc64c38c2021-07-02 08:43:53 +0200[diff] [blame]853
854cleanup:
855 if (!session) {
856 SSL_free(tls);
857 close(sock);
858 }
Michal Vasko80cad7f2015-12-08 14:42:27 +0100[diff] [blame]859 return session;
860}